Reconnaissance, Network Mapping, and Vulnerability Assessment
ECE4112 – Internetwork Security
Georgia Institute of Technology

Agenda
• Reconnaissance
• Scanning
  • Network Mapping
  • Port Scanning
  • OS detection
  • Vulnerability assessment

Reconnaissance
• Internet Network Information Center whois database: www.internic.net/whois.html
• Registrar's database, e.g. www.networksolutions.com
• American Registry for Internet Numbers (ARIN): http://ww2.arin.net/whois/
• Domain Name System (DNS): nslookup

Reconnaissance
• After recon, it is possible to know detailed information about a potential target.
• This information includes specific IP addresses and ranges of addresses that may be further probed.

Scanning
Objective 1: Network Mapping
Why: To determine what the network looks like logically.
How: Manually, using tools like ping, traceroute and tracert, or with tools like the Cheops network mapping tool.

Cheops-ng
Created by Mark Spencer for Linux systems, available at http://www.marko.net/cheops/
Purpose: “To provide system administrators and users with a simple interface to managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem.”
This tool automates ping and traceroute.

Cheops-ng: What does it do?
• Finds active hosts in a network
• Determines the names of active hosts
• Discovers host operating systems
• Detects open ports
• Maps the complete network in a graphical format

Cheops-ng: How does it work?
• Utilizes ICMP “ping” packets to search a network for live hosts
• Domain Name Transfers (nslookup) are used to list hosts
• Invalid flags on TCP packets are used to detect the OS
• Half-open TCP connections are used to detect ports
• UDP packets with small TTL values are used to map the network

Scanning
Objective 2: Port Scanning
Why: To find open ports in order to exploit them.
How:
• TCP Connect -- attempt to complete the 3-way handshake and look for SYN-ACK; this scan is easy to detect
• TCP SYN Scan -- “half-open” scan: look for SYN-ACK, then send RESET; the target system will not record the connection; also faster than a TCP connect scan
• TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol: closed ports send RESET, open ports send nothing (Windows does not respond to these scans)

Scanning
• TCP ACK Scan -- may be useful to get past packet filters (the filter believes it is a response to a request from inside the firewall); if a RESET is received, this port is known to be open through the firewall
• FTP Bounce Scan -- request that the server send a file to a victim machine inside its network (most servers have disabled this service)
• UDP Scan -- unreliable: if ICMP Port Unreachable is received, assume closed, otherwise open
• Ping Sweep -- can use ICMP or TCP packets

Scanning
Additional objectives:
• Decoys -- insert false IP addresses in scan packets
• Ping Sweeps -- identify active hosts on a target network
• Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)

Scanning
Objective 3: Operating System Detection
Why: To determine what operating system is in use in order to exploit known vulnerabilities.
• Also known as TCP stack fingerprinting.
• Takes advantage of the ambiguity in the RFCs about how to handle illegal combinations of TCP code bits.
• Each OS responds to illegal combinations in different ways.
• Determine the OS from the system's responses.

OS detection
Window Size: Most Unix operating systems keep the window size the same throughout a session. Windows operating systems tend to change the window size during a session.
Time to Live: FreeBSD and Linux typically use 64; Windows typically uses 128.
Do Not Fragment Flag: Most OSes leave it set; OpenBSD leaves it unset.
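The port-scanning slides above describe each technique by the flag pattern it sends and the reply it expects. The following is an added example, not part of the ECE4112 slides and not code from Nmap, Cheops or any other tool they mention: it turns those descriptions into the labelling logic a network monitor would apply when it sees such probes, and flags a source that touches many ports on one host. The packet records, addresses, port numbers and the five-port threshold are all constructed for the example.

```python
"""Passive classification of port-scan probes from TCP flag patterns.

Added example (not from the ECE4112 slides or any tool they describe): it
applies the slides' descriptions of connect, SYN (half-open), FIN, Xmas
Tree, Null and ACK scans to a constructed packet list, the way a network
monitor would label them. Packet records, addresses and thresholds are all
made up for the example.
"""
from collections import defaultdict

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def probe_technique(flags):
    """Name the technique implied by the flags on an unsolicited first segment."""
    return {
        0: "null",
        FIN: "fin",
        FIN | PSH | URG: "xmas",
        SYN: "syn",
        ACK: "ack",
    }.get(flags, "other")


def _flow_key(p):
    """Direction-independent key so a probe and its reply land in one flow."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a < b else (b, a)


def classify_flows(packets):
    """Label each flow with (technique, inferred port state).

    The sender of a flow's first segment is taken to be the scanner.
    Returns {(scanner_ip, target_ip, target_port): (technique, state)}.
    """
    flows = defaultdict(list)
    for p in packets:
        flows[_flow_key(p)].append(p)

    result = {}
    for segs in flows.values():
        first = segs[0]
        scanner, target, dport = first["src"], first["dst"], first["dport"]
        technique = probe_technique(first["flags"])
        from_scanner = [s["flags"] for s in segs[1:] if s["src"] == scanner]
        from_target = [s["flags"] for s in segs[1:] if s["src"] == target]
        got_synack = any(f & SYN and f & ACK for f in from_target)
        got_rst = any(f & RST for f in from_target)

        if technique == "syn":
            # Completing the handshake (bare ACK) distinguishes connect() from
            # the half-open scan, which tears down with RST after the SYN-ACK.
            if got_synack and ACK in from_scanner:
                technique = "connect"
            elif got_synack and any(f & RST for f in from_scanner):
                technique = "syn half-open"
            state = "open" if got_synack else "closed" if got_rst else "filtered"
        elif technique in ("fin", "xmas", "null"):
            # Closed ports answer RST; open ports stay silent (as do Windows
            # stacks on every port, hence the "open|filtered" label).
            state = "closed" if got_rst else "open|filtered"
        elif technique == "ack":
            # A RST only proves the filter let the probe through.
            state = "unfiltered" if got_rst else "filtered"
        else:
            state = "unknown"
        result[(scanner, target, dport)] = (technique, state)
    return result


def suspected_scanners(flow_labels, min_ports=5):
    """Sources that probed at least min_ports distinct ports on one target."""
    ports = defaultdict(set)
    for (scanner, target, dport), _ in flow_labels.items():
        ports[(scanner, target)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def _pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


S, T = "10.0.0.5", "10.0.0.10"  # constructed scanner and target addresses
SAMPLE_PACKETS = [
    _pkt(S, 40001, T, 22, SYN), _pkt(T, 22, S, 40001, SYN | ACK), _pkt(S, 40001, T, 22, ACK),
    _pkt(S, 40002, T, 80, SYN), _pkt(T, 80, S, 40002, SYN | ACK), _pkt(S, 40002, T, 80, RST),
    _pkt(S, 40003, T, 23, SYN), _pkt(T, 23, S, 40003, RST | ACK),
    _pkt(S, 40004, T, 443, FIN | PSH | URG),
    _pkt(S, 40005, T, 25, 0), _pkt(T, 25, S, 40005, RST | ACK),
    _pkt(S, 40006, T, 8080, ACK), _pkt(T, 8080, S, 40006, RST),
]

if __name__ == "__main__":
    labels = classify_flows(SAMPLE_PACKETS)
    for key, (technique, state) in sorted(labels.items()):
        print(key, technique, state)
    print("suspected scanners:", suspected_scanners(labels))
```

The connect and half-open flows look identical up to the SYN-ACK; only the scanner's third segment (ACK versus RST) separates them, which is why a host-based log of completed connections sees the first and misses the second, exactly as the slide says.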
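The OS detection slide gives three observable differences: initial TTL (64 for FreeBSD/Linux, 128 for Windows), whether the window size stays constant across a session, and the Don't Fragment flag (set by most systems, unset by OpenBSD). As an added example that is not from the slides and not the fingerprinting logic of Nmap or Cheops, the code below scores a host's packets against those three rules and only commits to a label when the margin is clear. The rounding of an observed TTL up to a common initial value, the scoring weights and the sample sessions are assumptions constructed for the example; the fact that OpenBSD also starts at TTL 64 is not on the slide.

```python
"""Passive OS guess from TTL, window size and DF, following the slide's rules.

Added example (not from the ECE4112 slides, Nmap or Cheops). It encodes three
heuristics -- initial TTL 64 for Linux/FreeBSD vs 128 for Windows, DF normally
set except on OpenBSD, and Windows changing its window size mid-session while
Unix keeps it constant -- and applies them to constructed per-host packet
samples. The scoring weights and the TTL rounding are assumptions of this
example, not something the slides state.
"""

COMMON_INITIAL_TTLS = (64, 128, 255)


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value.

    Each router decrements TTL by one, so a packet seen with TTL 57 most
    likely left a host that started at 64 (assumes fewer than 64 hops).
    """
    for t in COMMON_INITIAL_TTLS:
        if observed <= t:
            return t
    return observed


def guess_os(session):
    """session: list of dicts with keys ttl, window, df for one host's packets.

    Returns (guess, evidence); guess is "unknown" unless one family leads by
    a clear margin, so a single weak hint never produces a confident label.
    """
    if not session:
        return "unknown", []
    ttl0 = initial_ttl(session[0]["ttl"])
    window_constant = len({p["window"] for p in session}) == 1
    df_always_set = all(p["df"] for p in session)

    score = {"windows": 0, "linux/freebsd": 0, "openbsd": 0}
    evidence = []

    # Rule 1: initial TTL (slide: FreeBSD/Linux 64, Windows 128)
    if ttl0 == 128:
        score["windows"] += 2
        evidence.append("initial TTL 128")
    elif ttl0 == 64:
        score["linux/freebsd"] += 1
        score["openbsd"] += 1  # OpenBSD also defaults to 64 (not on the slide)
        evidence.append("initial TTL 64")

    # Rule 2: window size behaviour across the session
    if window_constant:
        score["linux/freebsd"] += 1
        score["openbsd"] += 1
        evidence.append("constant window size")
    else:
        score["windows"] += 1
        evidence.append("window size changes mid-session")

    # Rule 3: Don't Fragment flag (slide: most set it, OpenBSD leaves it unset)
    if df_always_set:
        score["windows"] += 1
        score["linux/freebsd"] += 1
        score["openbsd"] -= 1
        evidence.append("DF set")
    else:
        score["openbsd"] += 2
        evidence.append("DF unset")

    ranked = sorted(score.items(), key=lambda kv: kv[1], reverse=True)
    best, runner_up = ranked[0], ranked[1]
    guess = best[0] if best[1] - runner_up[1] >= 2 else "unknown"
    return guess, evidence


def fingerprint_all(sessions):
    """Map host name -> OS guess for a dict of constructed sessions."""
    return {name: guess_os(pkts)[0] for name, pkts in sessions.items()}


def _pkt(ttl, window, df=True):
    return {"ttl": ttl, "window": window, "df": df}


# Constructed samples: TTLs already decremented by a few hops.
SAMPLE_SESSIONS = {
    "host-a": [_pkt(125, 65535), _pkt(125, 64240), _pkt(125, 17520)],
    "host-b": [_pkt(60, 29200), _pkt(60, 29200), _pkt(60, 29200)],
    "host-c": [_pkt(62, 16384, df=False), _pkt(62, 16384, df=False)],
    "host-d": [_pkt(250, 8760), _pkt(250, 4380)],
}

if __name__ == "__main__":
    for name, pkts in SAMPLE_SESSIONS.items():
        print(name, guess_os(pkts))
```

Host "host-d" starts at TTL 255, which none of the slide's rules cover, so the remaining hints are not enough to clear the margin and it stays "unknown"; in an inventory that is the honest answer, and a real fingerprinting engine resolves it with many more probes than three.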
Nmap: Network Exploration Tool
Purpose: “To allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.”
Available at: http://www.insecure.org/nmap/

Nmap: What does it do?
• Port scanning
• OS detection
• Ping sweeps

Nmap: How does it work?
Uses the following scan techniques:
• UDP
• TCP connect()
• TCP SYN (half open)
• ftp proxy (bounce attack)
• Reverse-Identification
• ICMP (ping sweep)
• FIN
• ACK sweep
• Xmas Tree
• SYN sweep
• IP Protocol
• Null Scan

Nmap: How does it work?
Uses the following OS detection techniques:
• TCP/IP fingerprinting
• stealth scanning
• dynamic delay and retransmission calculations
• parallel scanning
• detection of down hosts via parallel pings
• decoy scanning
• port filtering detection
• direct (non-port mapper) RPC scanning
• fragmentation scanning
• flexible target and port specification

Scanning
Objective 4: Vulnerability Assessment
Why: To determine what known (or unknown?) vulnerabilities exist on a given network
Vulnerabilities come from:
• Default configuration weakness
• Configuration errors
• Security holes in applications and protocols
• Failure to implement patches!

Vulnerability Assessment
Vulnerability checkers use:
• Database of known vulnerabilities
• Configuration tool
• Scanning engine
• Knowledge base of current scan
• Report generation tool

Scanning tool: Nessus
Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “A software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.”
Available platforms: UNIX for client and server; Windows for client only
Available at: http://www.nessus.org/

Nessus: What does it do?
• Iteratively tests a target system (or systems) for known exploitation vulnerabilities
• Uses a separate plug-in (written in C or the Nessus Attack Scripting Language) for each security test
• Can test multiple hosts concurrently
• Produces a thorough vulnerability assessment report at the conclusion of the vulnerability scan

What does Nessus check for?
• Backdoors
• CGI abuses
• Denial of Service
• Finger abuses
• FTP
• Gain a shell remotely
• Gain root remotely
• Port scanners
• Remote file access
• RPC
• SMTP problems
• Useless services
• Windows
• and more...

Scanning tool: Superscan4 (Windows XP)
Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “Superior scanning speed, Support for unlimited IP ranges, Improved host detection using multiple ICMP methods, TCP SYN scanning, UDP scanning (two methods), IP address import supporting ranges and CIDR formats, Simple HTML report generation, Source port scanning, Fast hostname resolving, Extensive banner grabbing, Massive built-in port list description database, IP and port scan order randomization, A selection of useful tools (ping, traceroute, Whois etc), Extensive Windows host enumeration capability.”

Summary
• Reconnaissance
• Scanning
  • Network Mapping
  • Port Scanning
  • OS detection
  • Vulnerability assessment
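The vulnerability assessment slides list the parts of a checker (a database of known vulnerabilities, a scanning engine, per-test plug-ins, a knowledge base for the current scan and a report generator) and the sources of vulnerabilities it looks for (default configuration weaknesses, configuration errors, missing patches). The code below is an added example of how those parts fit together; it is not Nessus, SuperScan or any other tool's code. The host record, the product names and versions, and the HYPO-* and CONFIG-* identifiers are all constructed for the example and correspond to no real product or advisory.

```python
"""Minimal vulnerability checker with the components the slides list.

Added example, not Nessus or any other tool's code: a vulnerability database,
a scanning engine that runs plug-ins in order, a per-host knowledge base the
plug-ins share, and a report generator. The host record, product names,
versions and the HYPO-* / CONFIG-* identifiers are constructed for the
example; there is no real product or advisory behind them.
"""
import re

# (1) Database of known vulnerabilities: product and the first fixed version.
VULN_DB = [
    {"id": "HYPO-0001", "product": "ExampleFTPd", "fixed_in": (2, 1, 3),
     "severity": "high", "title": "known flaw in ExampleFTPd, fixed in 2.1.3"},
    {"id": "HYPO-0002", "product": "ExampleHTTPd", "fixed_in": (1, 3, 0),
     "severity": "medium", "title": "known flaw in ExampleHTTPd, fixed in 1.3.0"},
    {"id": "HYPO-0003", "product": "ExampleSSH", "fixed_in": (7, 0, 0),
     "severity": "high", "title": "known flaw in ExampleSSH, fixed in 7.0.0"},
]
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
BANNER_RE = re.compile(r"^(?P<product>\S+) (?P<version>\d+(?:\.\d+)*)$")


def parse_version(text):
    """'2.1.0' -> (2, 1, 0); tuples compare element-wise like version numbers."""
    return tuple(int(x) for x in text.split("."))


# (2) Plug-ins: each takes the host record and the shared knowledge base and
# returns a list of findings. Order matters: later plug-ins read what earlier
# ones stored.
def plugin_inventory(host, kb):
    """Parse service banners into the knowledge base; produces no findings."""
    kb["products"] = {}
    for port, svc in host["services"].items():
        m = BANNER_RE.match(svc.get("banner", ""))
        if m:
            kb["products"][port] = (m.group("product"), parse_version(m.group("version")))
    return []


def plugin_unpatched(host, kb):
    """Failure to implement patches: running version older than the fix."""
    findings = []
    for port, (product, version) in kb.get("products", {}).items():
        for v in VULN_DB:
            if v["product"] == product and version < v["fixed_in"]:
                findings.append({"port": port, "id": v["id"],
                                 "severity": v["severity"], "title": v["title"]})
    return findings


def plugin_weak_config(host, kb):
    """Default-configuration weaknesses and useless services."""
    findings = []
    for port, svc in host["services"].items():
        if svc["name"] == "ftp" and svc.get("anonymous"):
            findings.append({"port": port, "id": "CONFIG-ANON-FTP", "severity": "medium",
                             "title": "anonymous FTP login enabled"})
        if svc["name"] == "telnet":
            findings.append({"port": port, "id": "CONFIG-TELNET", "severity": "low",
                             "title": "cleartext telnet service exposed"})
    return findings


PLUGINS = [plugin_inventory, plugin_unpatched, plugin_weak_config]


# (3) Scanning engine, (4) knowledge base of the current scan, (5) report.
def run_assessment(host, plugins=PLUGINS):
    kb = {}  # knowledge base for this host, shared across plug-ins in order
    findings = []
    for plugin in plugins:
        findings.extend(plugin(host, kb))
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["port"]))
    summary = {s: sum(1 for f in findings if f["severity"] == s) for s in SEVERITY_RANK}
    return {"host": host["ip"], "summary": summary, "findings": findings}


def render_report(report):
    lines = [f"Host {report['host']}: {report['summary']}"]
    for f in report["findings"]:
        lines.append(f"  [{f['severity']:>6}] port {f['port']:<5} {f['id']:<16} {f['title']}")
    return "\n".join(lines)


# Constructed host record, as a banner-grabbing port scan might produce it.
SAMPLE_HOST = {
    "ip": "192.0.2.10",
    "services": {
        21: {"name": "ftp", "banner": "ExampleFTPd 2.1.0", "anonymous": True},
        22: {"name": "ssh", "banner": "ExampleSSH 7.4"},
        23: {"name": "telnet", "banner": ""},
        80: {"name": "http", "banner": "ExampleHTTPd 1.2.9"},
    },
}

if __name__ == "__main__":
    print(render_report(run_assessment(SAMPLE_HOST)))
```

The SSH service is newer than its fix version, so the database entry for it produces no finding; that is the patch check working as intended, and it is why keeping the vulnerability database current matters as much as the scanning engine itself.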