Gathering Network & Host Information: Scanning & Enumeration

Types of scanning
- Port scanning: probe a host for open well-known ports (online checker: http://www.t1shopper.com/tools/port-scan/)
- Network scanning: find the live hosts on a network and their IP addresses
- Vulnerability scanning: match the discovered services against a database of known flaws. Limitations: not designed to test through a firewall, and only as smart as its vulnerability database.

Scanning methodology
1. Check for live systems
2. Check for open ports
3. Service identification
4. Banner grabbing / OS fingerprinting
5. Vulnerability scanning
6. Network diagram
7. Prepare proxies
8. Attack!

Ping sweeps
- Send an ICMP Echo Request to every address in a range; the hosts that reply are live.
- Tools (IP ping / ping flood tools): Pinger, Friendly Pinger, WS_Ping_Pro, AngryIP
- Detecting ping sweeps: use an IDS or IPS (a burst of Echo Requests to consecutive addresses from one source is the signature)

nmap (www.nmap.org): free, open source; Zenmap is the GUI
- Ping sweep / host discovery: sends ICMP ECHO_REQUEST and a TCP ACK probe (current versions add a TCP SYN probe and an ICMP timestamp request)
- Port scanning, service identification, IP address and OS detection
- Port states reported: open, closed, filtered, unfiltered, and the ambiguous open|filtered and closed|filtered
- Videos: http://www.youtube.com/watch?v=4WuglJA9H6o and http://www.youtube.com/watch?v=XaCzpqIU5-A (10 min)

Mapping open ports to the programs behind them
- Fport (Windows): identifies unknown open ports and the application associated with each
- lsof ("list open files", Linux): reports all open files and the processes that opened them; lsof -i restricts the list to network sockets
- netstat: displays protocol-related statistics and the state of current TCP/IP connections. Switches:
  -a: show both listening and non-listening sockets
  -n: report addresses and ports in numerical form (-an is the usual combination)
  -l: show only listening sockets
  -r: display the routing table
  -g: display multicast group membership information for IPv4 and IPv6
  -i: display a table of all network interfaces
  -c: refresh the output continuously (capital -C prints routing information from the route cache)
  -s: display summary statistics for each protocol
  -p: show the PID/program name that owns each socket (Linux)

nmap scan types
- TCP connect (full): -sT
- SYN stealth (half-open): -sS
- XMAS tree: -sX
- FIN: -sF
- NULL: -sN. Does not work against Windows systems (the Windows stack answers RST from every port whatever its state, so FIN, NULL and XMAS probes cannot tell open from closed)
- ACK: -sA (maps firewall rules: a port that answers RST is unfiltered, silence means filtered)
- UDP: -sU. Example, scan the first 1024 ports: nmap -sU -p 1-1024 <hosts>
- IP protocol scan (which IP protocols the host speaks): -sO
- Idle scan through a zombie: -sI <zombie>
- Control timing: -T0 Paranoid, -T1 Sneaky, -T2 Polite, -T3 Normal, -T4 Aggressive, -T5 Insane

Scan behaviour
- Full / Connect: completes the three-way handshake; noisy, most easily caught by IDS/IPS
- SYN: half-open, "stealth"; sends SYN, and on a SYN/ACK (open port) answers RST instead of ACK so no connection is ever completed
- XMAS: FIN, URG and PSH flags set; does not work on Windows
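Steps 1-3 of the methodology (live systems, open ports, service identification) are usually scripted from nmap's grepable output rather than read by eye. The script below is an added example, not part of the original notes or of nmap itself: it parses the -oG format (Host:, Status:, Ports: fields separated by tabs; each port entry is port/state/proto/owner/service/rpc/version/) into a per-port table. The scan data it contains is constructed; the addresses, hostnames and version strings are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): summarise nmap -oG output into
# "host port/proto state service version" rows. The scan below is constructed.
# Real use:  nmap -sS -sV -oG scan.gnmap 192.0.2.0/24 && port_table < scan.gnmap

# sample_gnmap: emit a constructed grepable-output file (fields are tab-separated).
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
    printf 'Host: 192.0.2.10 (web.example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)\n'
    printf 'Host: 192.0.2.11 (db.example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.11 (db.example.test)\tPorts: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/\tIgnored State: filtered (999)\n'
    printf 'Host: 192.0.2.12 ()\tStatus: Down\n'
    printf '%s\n' '# Nmap done (constructed sample)'
}

# live_hosts: step 1 - the addresses nmap reported as Up, one per line.
live_hosts() {
    awk -F '\t' '$1 ~ /^Host: / && $2 == "Status: Up" {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host); print host }'
}

# port_table: steps 2-3 - one row per probed port:
#   host  port/proto  state  service  version      ("-" when nmap left it empty)
# nmap writes "|" instead of "/" inside a field, so splitting on "/" is safe.
port_table() {
    awk -F '\t' '
        $1 ~ /^Host: / {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, /, /)
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")   # port state proto owner service rpc version
                    printf "%s %s/%s %s %s %s\n", host, f[1], f[3], f[2],
                        (f[5] == "" ? "-" : f[5]), (f[7] == "" ? "-" : f[7])
                }
            }
        }'
}

# open_ports: only the open rows, i.e. what is carried forward into banner
# grabbing and vulnerability scanning (steps 4-5).
open_ports() {
    port_table | awk '$3 == "open"'
}

# state_counts: "state count" per port state; a large filtered count is the
# usual sign that a firewall sits between the scanner and the target.
state_counts() {
    port_table | awk '{ c[$3]++ } END { for (s in c) print s, c[s] }' | sort
}

# Demo on the constructed scan:
sample_gnmap | live_hosts
sample_gnmap | open_ports
sample_gnmap | state_counts
```

Feed a real file with `port_table < scan.gnmap`; every function reads stdin so the pieces compose with grep and sort in the usual way.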
- FIN: only the FIN flag set
- NULL: no flags set; does not work on Windows
- IDLE: probes carry the spoofed IP address of an idle "zombie" host; changes in the zombie's IP ID counter reveal whether the target port answered it
- FTP bounce scan: connect to an FTP server and request that server (PORT command) to start a data transfer to the third system; the server's reply shows whether that port is open

TCP flags
- SYN: synchronise sequence numbers; opens a connection
- ACK: acknowledges received data
- PSH: the system is forwarding the buffered data to the application
- URG: data in the packet must be processed quickly (urgent pointer is valid)
- FIN: the data packet transaction has completed; no more transmission is required
- RST: the connection is being reset
Inverse mapping (used by the FIN, NULL and XMAS scans): closed ports reply with RST, open ports ignore the probe.

Other scanning tools
- NetScan Tools Pro
- Hping2: crafts arbitrary TCP/UDP/ICMP packets (custom flags, spoofed source)
- Icmpenum: enumerates networks that have blocked ICMP Echo packets but failed to block Timestamp or Information Request packets; supports spoofing and promiscuous listening for the reply packets
- SNMP Scanner
- P0f: passive OS fingerprinting tool (fingerprints from observed traffic instead of sending probes)

NetCat (nc)
- Provides outbound and inbound connections for TCP and UDP ports.
- Provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters.
- A good port scanner.
- Contains advanced usage options, such as buffered send mode (one line every N seconds) and hexdump (to stderr or to a specified file) of transmitted and received data.
Common switches:
  nc -d: detach Netcat from the console (Windows build)
  nc -l -p [port]: create a simple listening TCP port; adding -u puts it in UDP mode
  nc -e [program]: redirect the program's stdin/stdout to the connection (with -l this is a listening backdoor shell)
  nc -z: zero-I/O mode, used for port scanning
  nc -g or nc -G: specify source routing hops / hop pointer
  nc -t: answer Telnet option negotiation
  nc -w [timeout]: seconds to wait before Netcat gives up and quits
  nc -v: put Netcat into verbose mode (-vv for more)

War dialling: dials ranges of telephone numbers looking for modems, so it bypasses normal network detection devices entirely.
Tools: ToneLoc, THC-Scan, PhoneSweep, TeleSweep

Banner grabbing (Windows)
telnet <target> 80, then type
  HEAD / HTTP/1.0
and press Enter twice; the web server answers with its response headers (the Server: line names the web-server software and often the OS).

Dumping the local password hashes (the SAM hashes are what "hack SAM file" under username gathering refers to):
C:\> cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright Microsoft Corp.

C:\>pwdump pwd.txt
http://www.youtube.com/watch?v=1_ATtFGG2BA

Banner grabbing (Linux) / OS fingerprinting
for i in $(cat hostlist.txt); do nc -q 2 -v "$i" 80 < request.txt; done
hostlist.txt contains the list of IP addresses; request.txt contains the request to send (HEAD / HTTP/1.0 followed by a blank line) and is fed to nc on stdin; -q 2 makes nc close the connection two seconds after stdin is exhausted, so the loop does not hang on a silent host.
- Nmap (-O) and Queso: active OS fingerprinting from the TCP/IP stack's replies
- Netcraft: web site that periodically polls web servers to determine the operating system version and the web-server software version; its browser toolbar warns of phishing sites

Additional tools
- Traceroute: measures the route path and transit times of packets across an IP network
- Cheops: host/network discovery plus OS detection of hosts
- NeoTrace: shows how packets get from your computer to another computer on the Internet by displaying all nodes between your computer and the trace target

Anonymizers
- www.anonymizer.com, www.anonymize.com, www.ipriv.com, www.mutemail.com, www.rewebber.de, www.silentfurf.com, www.surfola.com
- A Linux proxy server (IPChains, IPTables) can serve the same purpose
- Limitations: secure protocols (HTTPS), JavaScript, plugins, ActiveX controls and Java applications can bypass the anonymizer or reveal the real client

Tunneling: using a protocol for other than its intended purpose
- Ptunnel & Itunnel: carry traffic inside ICMP
- WinTunnel: uses TCP
- HTTPort, Tunneld, BackStealth

Enumeration (Windows)
- Usernames: hack the SAM file; GetAcct
- Machine names: use null sessions
- Network resources: SuperScan
- Shares: net view command
- Services: SNMP, port scanning
- Tools: PsPasswd, PsFile, UserInfo
Null session: the "null" user has no username/password
  C:\> net use \\192.21.7.1\IPC$ "" /u:""
Well-known RIDs: Administrator SID ends in -500 (S-1-5-21-...-500); Guest SID ends in -501 (S-1-5-21-...-501)
Ports involved: 135, 137, 139, 445
Countermeasures: disable SMB; block TCP ports 139/445; edit the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa and add the value RestrictAnonymous
http://www.youtube.com/watch?v=4S_GCSBWSCs

SNMP enumeration
Gathering information about hosts, routers, devices etc. by querying the Management Information Base (MIB).
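The hostlist loop above prints raw responses and hangs on a host that never answers. The script below is an added example, not part of the original notes: it grabs the banner with bash's /dev/tcp and a timeout (the nc equivalent is noted in a comment), parses the status line, Server and X-Powered-By headers out of the response, and turns the Server header into the OS hint a banner grabber would record. The two responses it parses are constructed stand-ins for grabbed banners; the hostnames, versions and dates are made up. grab_banner needs bash and a reachable target; the parsing functions run offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): banner grabbing with a timeout,
# plus a parser for the reply. Sample responses below are constructed.

# grab_banner HOST [PORT]: send HEAD / HTTP/1.0 and print the raw reply.
# nc equivalent:  printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 5 HOST PORT
grab_banner() {
    host=$1
    port=${2:-80}
    if ! exec 3<>"/dev/tcp/$host/$port"; then return 1; fi
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" >&3
    timeout 5 cat <&3          # do not hang on a server that never closes
    exec 3>&- 3<&-
}

# banner_fields: read one raw HTTP response on stdin and print
#   status line|Server header|X-Powered-By header      ("-" when absent)
# Only the header block matters; reading stops at the first empty line.
banner_fields() {
    tr -d '\r' | awk '
        NR == 1 { status = $0; next }
        /^$/    { exit }
        tolower($1) == "server:"       { server = $0; sub(/^[^:]*:[ \t]*/, "", server) }
        tolower($1) == "x-powered-by:" { pb = $0;     sub(/^[^:]*:[ \t]*/, "", pb) }
        END { printf "%s|%s|%s\n", status, (server == "" ? "-" : server), (pb == "" ? "-" : pb) }'
}

# os_hint SERVER_HEADER: the OS guess drawn from the Server header. It is a
# hint only: ServerTokens Prod, a reverse proxy or a deliberately faked banner
# defeat it, so confirm with nmap -O or p0f before relying on it.
os_hint() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *microsoft-iis*|*win32*|*win64*|*windows*)              echo Windows ;;
        *ubuntu*|*debian*|*centos*|*"red hat"*|*fedora*|*unix*) echo Linux/Unix ;;
        *)                                                      echo unknown ;;
    esac
}

# Constructed responses standing in for two grabbed banners.
sample_apache() {
    printf 'HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>body is not part of the banner</html>\r\n'
}
sample_iis() {
    printf 'HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n'
}

# sweep: the hostlist loop from the notes with parsed output; hosts on stdin.
sweep() {
    while read -r host; do
        fields=$(grab_banner "$host" 80 2>/dev/null | banner_fields)
        server=${fields#*|}; server=${server%%|*}
        printf '%s  %s  os=%s\n' "$host" "$fields" "$(os_hint "$server")"
    done
}

# Offline demo on the constructed responses:
for s in sample_apache sample_iis; do
    f=$($s | banner_fields)
    srv=${f#*|}; srv=${srv%%|*}
    printf '%s -> %s (os hint: %s)\n' "$s" "$f" "$(os_hint "$srv")"
done
# Live use:  sweep < hostlist.txt
```

Sending a Host: header is deliberate: many servers return 400 without one, and a 400 still carries the Server: line, so the banner survives either way.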
SNMP is used for remote monitoring and managing hosts, routers and devices on a network.
- SNMP v1 and v2c authenticate with community strings sent in clear text; SNMP version 3 replaces them with named users and adds authentication and encryption of the data.
- http://www.youtube.com/watch?v=MWIWuqouOEE
- Tools: SNMPUtil, IP Network Browser, snmpwalk
snmpwalk example (MIB-II system group):
sysDescr.0 = STRING: "SunOS zeus.net.cmu.edu 4.1.3_U1 1 sun4m"
sysObjectID.0 = OID: enterprises.hp.nm.hpsystem.10.1.1
sysUpTime.0 = Timeticks: (155274552) 17 days, 23:19:05
sysContact.0 = STRING: ""
sysName.0 = STRING: "zeus.net.cmu.edu"
sysLocation.0 = STRING: ""
sysServices.0 = INTEGER: 72
(sysDescr alone hands over the OS, version and architecture.)
Countermeasures:
- Disable the SNMP service where it is not needed
- Change the default community strings (public and private)
- Implement access-control-list filtering so that only management hosts can reach UDP port 161

DNS enumeration
- Tools: Sam Spade, host, dig
- nslookup zone transfer:
  nslookup
  > server <ipaddress>
  > set type=any
  > ls -d <target.com>

Windows security identifier tools: User2SID, SID2User, DumpSec, Enum

SOCKS: optional proxy-server protocol that uses sockets to keep track of individual connections; port 1080. IRC servers use TCP, hence are a frequent target.

Port redirection: used to bypass port filtering rules at routers and firewalls
- Linux: Datapipe
- Windows: Fpipe

ICMP message types (http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol)
0  Echo Reply
3  Destination Unreachable
8  Echo Request
11 Time Exceeded
13 Timestamp Request
14 Timestamp Reply
15 Information Request (obsolete)
17 Address Mask Request
Useful type/code combinations:
- Type 3, Code 13: communication administratively prohibited; a network administrator has blocked communication with the server using a firewall
- Type 3, Code 3: port unreachable message (in a UDP scan this means the port is closed)
- Type 3, Code 0: network unreachable error message
- Type 0, Code 0: ICMP Echo Reply message

Firewalking: gathering information about a remote network protected by a firewall. Probes are sent with a TTL one hop greater than the distance to the firewall; an ICMP Time Exceeded reply from the host behind it shows that the firewall passed that port, silence means it was filtered.
Requirements:
- ICMP packets leaving the network must be allowed (the Time Exceeded replies have to get back out)
- The attacker must know the IP address of a host located behind the firewall
- The attacker must know the IP address of the last known gateway before the firewall
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,4062.msg19362/
http://www.techrepublic.com/article/use-firewalk-in-linuxunix-toverify-acls-and-check-firewall-rule-sets/5055357
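The SNMP countermeasures above (no default community strings, ACL filtering, v3 instead of clear-text v1/v2c) can be checked against the agent's own configuration before a scanner finds the gap. The script below is an added example, not part of the original notes or of net-snmp: it audits a net-snmp style snmpd.conf read on stdin and reports default community strings, communities with no source restriction, write communities, v3 users not required to use authPriv, and a v1/v2c-only setup. Both configurations it contains are constructed; the community strings, user name, passphrases and addresses are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): audit an snmpd.conf for the
# weaknesses the SNMP countermeasures target. Both configs are constructed.

# audit_snmpd_conf: snmpd.conf on stdin -> one finding per line on stdout;
# exit status = number of findings (0 = clean).
audit_snmpd_conf() {
    awk '
        BEGIN { n = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 ~ /^(ro|rw)community6?$/ {
            directive = $1; community = $2; source = $3
            if (tolower(community) == "public" || tolower(community) == "private")
                { print "default community string: " directive " " community; n++ }
            if (source == "" || source == "default")   # net-snmp: no source = anyone
                { print "community " community " accepts any source (no ACL)"; n++ }
            if (directive ~ /^rw/)
                { print "write access via community " community " (prefer read-only or v3)"; n++ }
            v12 = 1
        }
        $1 == "rouser" || $1 == "rwuser" {
            v3 = 1
            if ($3 != "priv")              # noauth/auth leave the traffic readable
                { print "v3 user " $2 " not required to use authPriv (" ($3 == "" ? "auth, the default" : $3) ")"; n++ }
        }
        END {
            if (v12 && !v3) { print "only SNMP v1/v2c enabled: community strings travel in clear text"; n++ }
            exit n
        }'
}

# weak_conf: the configuration the countermeasures warn about.
weak_conf() {
    printf '%s\n' \
        '# constructed example - do not deploy' \
        'rocommunity public' \
        'rwcommunity private' \
        'sysLocation Server Room'
}

# hardened_conf: read-only SNMPv3 user with authentication and encryption, the
# agent bound to the management interface, and no v1/v2c communities at all.
hardened_conf() {
    printf '%s\n' \
        '# constructed example' \
        'createUser monitor SHA "Auth-Passphrase-Example" AES "Priv-Passphrase-Example"' \
        'rouser monitor priv' \
        'agentAddress udp:10.0.0.5:161'
}

# finding_count CONF_FUNCTION: number of findings for a config emitter.
finding_count() {
    "$1" | audit_snmpd_conf >/dev/null && echo 0 || echo "$?"
}

echo "weak config:";     weak_conf | audit_snmpd_conf || true
echo "hardened config:"; hardened_conf | audit_snmpd_conf && echo "no findings"
```

Run it on a live host with `audit_snmpd_conf < /etc/snmp/snmpd.conf`; a non-zero exit status makes it usable as a gate in a configuration check. A community that is non-default but still unrestricted is reported on purpose: snmpwalk with a guessed string from anywhere on the network is exactly the enumeration described above.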