Network Mapping Techniques - Nomad Mobile Research Centre

DefCon:
Network Mapping
Techniques
Simple Nomad
Nomad Mobile Research Centre
BindView Corporation
About This Presentation
 Assume basics
– Understand IP addressing
– Understand basic system administration
 Tools
– Where to find them
– Basic usage
 A “Network” point of view
About Me
 NMRC: http://www.nmrc.org/
 BindView: http://razor.bindview.com/
Know Your Target
 Public information
 Network enumeration
 Network mapping
Public Information
 Public records
 WHOIS
 DNS
 Public postings
Network Enumeration
 Goals of network enumeration
 ICMP
 Scanning
 TCP Fingerprinting
 Additional Probes
ICMP
 Sweeping a network with Echo
 Typical alternates to ping
– Timestamp
– Info Request
 Advanced ICMP enumeration
– Host or port unreachable with illegal header length
Scanning
 Why scan?
 Nmap – de facto standard
– Ping sweeps
– Port scanning
– Additional features
TCP Fingerprinting
 Several different types of packets are sent
 Various responses come back
 Differences can determine the OS of the remote system
 Using just ICMP is possible
Additional Probes
 Possible security devices
 Sweep for promiscuous devices
Network Mapping
 Determine network layout
 Traceroute
 Firewalk
Bypassing the Firewall
 Tools
– Firewalk
– Nmap
 Common ports
 State table manipulation
Avoiding Intrusion Detection
 Manipulation of “detected” data
 Use of fragmented packets
 Triggering false positive, or distraction
Connecting the Dots
 View each step as a small part of a big picture
 Each step is important
 Data could be stored for later use
Example Intrusion
 WHOIS
– DNS server names
 Traceroute
 DNS zone dump
 Host enumeration
 Public systems
 Initial port scanning
WHOIS
# whois target-company.com@internic.net
Whois Server Version 1.1
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: TARGET-COMPANY.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: NS1.TARGET-COMPANY.COM
Name Server: NS2.TARGET-COMPANY.COM
Updated Date: 06-dec-1999
>>> Last update of whois database: Mon, 20 Mar 00 03:35:14 EST <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
Traceroute
# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms 17.173 ms
9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms 248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306 ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms
Traceroute
# traceroute ns2.target-company.com
traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 1.770 ms 2.993 ms 0.892 ms
2 s1-0-17-access (209.197.224.73) 15.440 ms 13.571 ms s1-0-1-access (209.197.224.69) 4.896 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 3.929 ms 6.251 ms 15.821 ms
4 FE-0.core2.fastlane.net (209.197.224.66) 20.674 ms 15.367 ms 16.170 ms
5 hs-9-0.a09.dllstx01.us.ra.verio.net (204.214.10.113) 5.514 ms 14.367 ms 8.203 ms
6 ge-5-0-0.a10.dllstx01.us.ra.verio.net (199.1.141.10) 8.019 ms 20.183 ms 16.466 ms
7 g6-0.dfw2.verio.net (129.250.31.49) 16.513 ms 17.351 ms 6.854 ms
8 core4-atm-uni0-0-0.Dallas.cw.net (204.70.10.77) 24.335 ms 16.087 ms 17.605 ms
9 core2-fddi-0.Dallas.cw.net (204.70.114.49) 6.875 ms 14.039 ms 14.483 ms
10 border6-fddi-0.Dallas.cw.net (204.70.114.66) 146.605 ms 21.045 ms 110.419 ms
11 target-company-inet.Dallas.cw.net (204.70.xxx.xxx) 83.331 ms 34.530 ms 21.363 ms
12 ns1.target-company.com (xxx.xx.x.x) 18.105 ms 13.290 ms 29.042 ms
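Connecting the dots from these two runs means more than reading the last hop. The following is an added example (my code, not the presenter's) that parses both outputs as a terminal wrapped them, pulls out the provider each path crossed, and finds the customer-facing router just before the target's own domain. That router is what the map on the later slides draws as an "Internet router": ns1 sits behind swbell.net, ns2 behind cw.net, so the target has two upstreams. The only thing assumed beyond the slides is the target domain string passed to upstream_edge.

```python
import re

# Both runs from the slides, as the terminal wrapped them (timings spill onto
# the next line; hop 13's number is separated from its host).
TRACE_NS1 = """\
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681
ms
5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms
17.173 ms
9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms
248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958
ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306
ms 17.248 ms
13
ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms
"""
TRACE_NS2 = """\
traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 1.770 ms 2.993 ms 0.892 ms
2 s1-0-17-access (209.197.224.73) 15.440 ms 13.571 ms s1-0-1-access (209.197
.224.69) 4.896 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 3.929 ms 6.251 ms 15.821 ms
4 FE-0.core2.fastlane.net (209.197.224.66) 20.674 ms 15.367 ms 16.170 ms
5 hs-9-0.a09.dllstx01.us.ra.verio.net (204.214.10.113) 5.514 ms 14.367 ms 8
.203 ms
6 ge-5-0-0.a10.dllstx01.us.ra.verio.net (199.1.141.10) 8.019 ms 20.183 ms 1
6.466 ms
7 g6-0.dfw2.verio.net (129.250.31.49) 16.513 ms 17.351 ms 6.854 ms
8 core4-atm-uni0-0-0.Dallas.cw.net (204.70.10.77) 24.335 ms 16.087 ms 17.60
5 ms
9 core2-fddi-0.Dallas.cw.net (204.70.114.49) 6.875 ms 14.039 ms 14.483 ms
10 border6-fddi-0.Dallas.cw.net (204.70.114.66) 146.605 ms 21.045 ms 110.419
ms
11 target-company-inet.Dallas.cw.net (204.70.xxx.xxx) 83.331 ms 34.530 ms 21
.363 ms
12 ns1.target-company.com (xxx.xx.x.x) 18.105 ms 13.290 ms 29.042 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)(?:\s+(.*))?$")
# Redacted addresses (151.164.x.xxx) must match, and a wrap may split one
# around whitespace, which is removed after matching.
HOST_RE = re.compile(r"(\S+)\s+\(([\dx.\s]+)\)")

def parse_trace(text):
    """[(hop, [(name, ip), ...]), ...]; a line opens a new hop only if it
    carries the next hop number, otherwise it is glued onto the previous one."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        body = (m.group(2) or "").strip() if m else ""
        if m and int(m.group(1)) == len(hops) + 1 and body != "ms":
            hops.append([len(hops) + 1, body])
        elif hops:
            hops[-1][1] += " " + line.strip()
    return [(n, [(h, re.sub(r"\s", "", ip)) for h, ip in HOST_RE.findall(b)])
            for n, b in hops]

def provider(name):
    """Registered domain (last two labels) of a router name; None for a bare
    IP or an unqualified name such as fw-gw."""
    if "." not in name or re.fullmatch(r"[\d.]+", name):
        return None
    return ".".join(name.lower().split(".")[-2:])

def provider_path(hops):
    """Providers in the order the packets crossed them."""
    seen = []
    for _, hosts in hops:
        for name, _ in hosts:
            p = provider(name)
            if p and p not in seen:
                seen.append(p)
    return seen

def upstream_edge(hops, target_domain):
    """Last hop before the first host in the target's own domain: the
    provider's customer-facing router, an 'Internet router' on the map."""
    suffix = "." + target_domain.lower()
    prev = None
    for n, hosts in hops:
        if hosts and hosts[0][0].lower().endswith(suffix):
            return prev
        if hosts:
            prev = (n, hosts[0][0], hosts[0][1])
    return prev
```

The customer-router names the providers chose (target-company-818777.cust-rtr.swbell.net, target-company-inet.Dallas.cw.net) are themselves public information: they name the customer, and a reverse lookup of neighbouring addresses on the same provider block often finds the rest of that customer's links.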
DNS Zone Dump
# nslookup
Default Server: vortex.fastlane.net
Address: 209.197.192.7
> server ns1.target-company.com
Default Server: ns1.target-company.com
Address: xxx.xx.xx.xx
> ls -a TARGET-COMPANY.COM > dump.txt
[ns1.target-company.com]
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
######################################################################
Received 40773 answers (0 records).
>
Host Enumeration
# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up
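icmpenum prints only which addresses answered. The following is an added example (my code, not icmpenum's source) of what such a sweep has to do underneath: build the Echo, Timestamp and Info requests the ICMP slide lists, with a correct RFC 1071 checksum, and pick the responding hosts out of whatever ICMP arrives on a raw socket, keyed on the identifier we chose, so somebody else's pings and stray unreachables are not counted as hosts. The identifier 0x1234 and the 10.0.218.x and 192.168.0.1 addresses in the constructed test data are made up.

```python
import struct

# ICMP types used by the sweep (RFC 792).
ECHO_REPLY, ECHO_REQUEST = 0, 8
TIMESTAMP_REPLY, TIMESTAMP_REQUEST = 14, 13
INFO_REPLY, INFO_REQUEST = 16, 15
REPLY_FOR = {ECHO_REQUEST: ECHO_REPLY,
             TIMESTAMP_REQUEST: TIMESTAMP_REPLY,
             INFO_REQUEST: INFO_REPLY}

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_probe(icmp_type, ident, seq):
    """ICMP part of a probe. Sent over socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)
    the kernel adds the IP header, so no source spoofing is involved here."""
    if icmp_type == ECHO_REQUEST:
        body = b"nmrc-sweep"                  # any payload is echoed back
    elif icmp_type == TIMESTAMP_REQUEST:
        body = struct.pack("!III", 0, 0, 0)   # originate/receive/transmit
    elif icmp_type == INFO_REQUEST:
        body = b""
    else:
        raise ValueError("not a probe type")
    unsummed = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + body
    return unsummed[:2] + struct.pack("!H", inet_checksum(unsummed)) + unsummed[4:]

def parse_reply(datagram):
    """One IPv4 datagram as read from a raw ICMP socket (IP header included).
    Returns (src_ip, icmp_type, ident, seq) or None if it is not well-formed ICMP."""
    if len(datagram) < 28 or datagram[0] >> 4 != 4 or datagram[9] != 1:
        return None
    icmp = datagram[(datagram[0] & 0x0F) * 4:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:    # bad checksum: drop it
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return ".".join(str(b) for b in datagram[12:16]), itype, ident, seq

def hosts_up(datagrams, probe_type, ident):
    """Hosts that answered our probe type under our identifier, in order seen."""
    found = []
    for d in datagrams:
        p = parse_reply(d)
        if p and p[1] == REPLY_FOR[probe_type] and p[2] == ident and p[0] not in found:
            found.append(p[0])
    return found

def fake_reply(src, probe):
    """Constructed test datagram: the reply a host at `src` would send to
    `probe` (type swapped to the reply type, checksum recomputed) behind a
    minimal IP header addressed to 192.168.0.1."""
    reply = bytes([REPLY_FOR[probe[0]]]) + b"\x00\x00\x00" + probe[4:]
    reply = reply[:2] + struct.pack("!H", inet_checksum(reply)) + reply[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(reply), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), b"\xc0\xa8\x00\x01")
    return ip + reply
```

To run this for real (root required), open socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP), sendto(build_probe(...), (host, 0)) for each address in the block, then feed what recvfrom() returns to hosts_up. Two caveats a sweep must live with: Timestamp and Info requests are worth trying precisely because Echo is so often filtered, but many stacks never answer Info Request at all, so a silent address is not evidence that nothing is there, and a reply's source address is the only thing that ties it to a host, which is why the identifier check matters on a busy network.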
Public Systems
 www.target-system.com
– www2, www3
 ftp.target-system.com
 mail.target-system.com
Scanning
# nmap -O -T Polite -n xxx.xx.17.11
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (xxx.xx.17.11):
Port    State   Protocol  Service
21      open    tcp       ftp
23      open    tcp       telnet
25      open    tcp       smtp
79      open    tcp       finger
110     open    tcp       pop-3
113     open    tcp       auth
143     open    tcp       imap2
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: Linux 2.0.35-37
Nmap run completed -- 1 IP address (1 host up) scanned in 625 seconds
# nmap -O xxx.xx.17.11
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
No ports open for host (xxx.xx.17.11)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
More Scanning
# nmap -F -sS -v -v -n firewall.target-system.com
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host (xxx.xx.49.17) appears to be up ... good.
Initiating SYN half-open stealth scan against (xxx.xx.49.17)
Adding TCP port 189 (state Firewalled).
The SYN scan took 270 seconds to scan 1047 ports.
Interesting ports on (xxx.xx.49.17):
Port    State     Protocol  Service
139     filtered  tcp       netbios-ssn
161     filtered  tcp       snmp
189     filtered  tcp       qft
256     filtered  tcp       rap
257     filtered  tcp       set
258     filtered  tcp       yak-chat
Nmap run completed -- 1 IP address (1 host up) scanned in 273 seconds
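The two runs against xxx.xx.17.11 show the same host answering a Polite scan (625 seconds, seven open ports) and then showing nothing at all to a default-speed scan that took 5 seconds. The slides do not say what cut the fast scan off; the behaviour is what a burst-sensitive sensor or filter produces, and the "Avoiding Intrusion Detection" slide above is about exactly this. The following added example (my code, not from the slides) runs a simple sliding-window scan detector over constructed SYN log lines so the trade-off is visible: a short window catches the burst and misses the slow scan, and only a long window, with the state that costs, catches both. The per-probe spacings are an assumption: if that nmap's default list was on the order of 1500 ports, the two run times work out to roughly 3 ms and 400 ms between probes.

```python
from collections import defaultdict, deque

def make_syn_log(src, dst, ports, start, spacing):
    """Constructed sample (not from the slides): one log line per SYN in the
    shape '<epoch> SYN <src> <dst> <dport>', probes evenly `spacing` s apart."""
    return ["%.3f SYN %s %s %d" % (start + i * spacing, src, dst, p)
            for i, p in enumerate(ports)]

def detect_port_scans(lines, window, threshold):
    """Sliding-window detector: one alert per (src, dst) pair the first time
    more than `threshold` distinct destination ports are hit within `window`
    seconds. State kept per pair is bounded by the window; that bound is
    exactly what a slow scan hides behind."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (ts, dport)
    alerted = set()
    alerts = []
    for line in lines:
        ts, flag, src, dst, dport = line.split()
        if flag != "SYN":
            continue
        ts, dport = float(ts), int(dport)
        q = recent[(src, dst)]
        q.append((ts, dport))
        while ts - q[0][0] > window:     # expire entries older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append({"src": src, "dst": dst, "at": ts, "distinct_ports": distinct})
    return alerts

PORTS = list(range(1, 41))   # 40 ports is enough to show the effect
# Assumed spacings (see lead-in): ~3 ms for the default run, ~400 ms for -T Polite.
BURST = make_syn_log("10.1.1.5", "10.2.2.17", PORTS, 953600000.0, 0.003)
POLITE = make_syn_log("10.1.1.5", "10.2.2.17", PORTS, 953600000.0, 0.4)

def compare(window, threshold):
    """Does each scan trip a detector configured with this window and threshold?"""
    return {"burst": bool(detect_port_scans(BURST, window, threshold)),
            "polite": bool(detect_port_scans(POLITE, window, threshold))}
```

With a 2-second window and a threshold of 10 ports the burst is flagged and the Polite scan never has more than six ports in view; widening the window to 60 seconds flags both. The same reasoning covers the "distraction" bullet on the IDS slide: a detector that alerts once per source pair and then goes quiet can be filled up with decoy pairs before the real scan starts.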
Network Mapping
[Diagram, built up across several slides, of the layout the preceding steps revealed: two Internet Routers (labelled cw and swb) in front of a Firewall, a VPN device beside it, a DMZ holding www and ftp, and Hosts Inside. Labels on the final slide:
– Internet routers: Cisco 7206, 204.70.xxx.xxx (the cw.net hop just before ns2 in the traceroute above) and Nortel CVX1800, 151.164.x.xxx (the swbell.net hop just before ns1)
– Firewall: Checkpoint Firewall-1, Solaris 2.7, xxx.xx.49.17 (the host scanned as firewall.target-system.com above; TCP 256, 257 and 258, which the scan listed under their /etc/services names rap, set and yak-chat, are the ports FireWall-1 itself uses, so their presence is a fingerprint of the product)
– VPN: Nortel VPN
– DMZ: www and ftp; AIX 4.2.1 at xxx.xx.48.1; Linux 2.0.38 at xxx.xx.48.2; a possible sensor marked "IDS?"
– Hosts Inside: NT, Linux, Sun
– xxx.xx.22.7 also appears on the diagram]
Basic Distributed Attack Models
 Attacks that do not require direct observation of the results
 Attacks that require the attacker to directly observe the results
Basic Model
[Diagram: Client (issues commands) -> Server (processes commands to agents) -> Agent (carries out commands)]
More Advanced Model
[Diagram: the Attacker sends Forged ICMP Timestamp Requests to the Target; the Target's ICMP Timestamp Replies go to the forged source, where the Attacker picks them up as Sniffed Replies]
Even More Advanced Model
[Diagram, built up across several slides: a Master Node drives several Attack Nodes; the Attack Nodes send Attacks or Probes through the Firewall to the Target; the Target's Replies go to an Upstream Host rather than back to the Attack Nodes, and are collected there as Sniffed Replies]
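The slides do not say how the sniffer at the upstream host knows which reply belongs to which agent and which probe, since the replies never pass through the attack nodes. One stateless way, shown here as an added example (my code, not the presenter's tooling), is to make the target carry the bookkeeping: put the agent number in the ICMP Identifier, the probe slot in the Sequence Number and a fixed cookie in the Originate Timestamp. RFC 792 has a Timestamp Reply copy all three from the request, so the sniffer needs no shared state with the agents, and the cookie filters out replies to other people's timestamp requests. The cookie value, the agent count and the 10.9.218.x addresses are assumptions; the packet fields are standard.

```python
import struct

ICMP_TIMESTAMP_REPLY = 14
# Assumed 32-bit marker placed in the Originate Timestamp of every request;
# the target copies it unchanged into the reply.
COOKIE = 0x4E4D5243

def encode_request_fields(agent, slot):
    """Identifier = agent number, Sequence = probe slot, Originate = cookie.
    The target echoes all three, so a sniffer needs no per-probe state."""
    if not (0 <= agent < 0x10000 and 0 <= slot < 0x10000):
        raise ValueError("agent and slot must fit in 16 bits")
    return agent, slot, COOKIE

def attribute_reply(datagram):
    """Decode a sniffed IPv4/ICMP Timestamp Reply to (target_ip, agent, slot);
    None for anything that is not one of ours."""
    if len(datagram) < 40 or datagram[0] >> 4 != 4 or datagram[9] != 1:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    icmp = datagram[ihl:ihl + 20]
    if len(icmp) < 20:
        return None
    itype, _code, _csum, ident, seq, orig, _rcv, _xmt = struct.unpack("!BBHHHIII", icmp)
    if itype != ICMP_TIMESTAMP_REPLY or orig != COOKIE:
        return None
    return ".".join(str(b) for b in datagram[12:16]), ident, seq

class Master:
    """Hands each target to one agent in a fixed slot and checks targets off as
    the sniffer at the upstream host reports attributed replies."""
    def __init__(self, agents, targets):
        self.assignments = {}            # (agent, slot) -> target address
        for i, t in enumerate(targets):
            self.assignments[(i % agents, i // agents)] = t
        self.answered = {}               # target -> agent whose probe it answered

    def probes_for(self, agent):
        """What one agent has to send: (target, (ident, seq, originate))."""
        return [(t, encode_request_fields(a, s))
                for (a, s), t in sorted(self.assignments.items()) if a == agent]

    def ingest(self, datagram):
        """Accept a sniffed reply only if the echoed fields name a probe we sent
        to exactly that host; a cookie alone is not enough."""
        parsed = attribute_reply(datagram)
        if not parsed:
            return False
        target, agent, slot = parsed
        if self.assignments.get((agent, slot)) != target:
            return False
        self.answered[target] = agent
        return True

def sniffed_reply(src_ip, ident, seq, orig):
    """Constructed sample of what the sniffer would capture. Checksums are left
    zero because attribute_reply does not verify them; a real capture carries
    valid ones."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src_ip.split(".")), b"\x0a\x00\x00\x01")
    return ip + struct.pack("!BBHHHIII", ICMP_TIMESTAMP_REPLY, 0, 0, ident, seq, orig, 0, 0)
```

The agents would write these fields into requests sent with the upstream host's address as the IP source (IP_HDRINCL on a raw socket), which is the forging step the previous slide shows and which this example does not perform. Anything that rewrites ICMP on the path, or a target that does not implement Timestamp at all, breaks the scheme silently, so a missing reply says nothing about the host.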
(Mostly) Free Stuff
 HackerShield RapidFire Update 208
– With SANS Top Ten checks, including comprehensive CGI scanner
– http://www.bindview.com/products/hackershield/index.html
 VLAD the Scanner
– Freeware open-source security scanner, including same CGI checks as
HackerShield
– Focuses only on SANS Top Ten
– http://razor.bindview.com/tools/index.shtml
 Despoof
– Detects possible spoofed packets through active queries against suspected
spoofed IP address
– http://razor.bindview.com/tools/index.shtml
Questions, etc.
 Thanks to:
– Ofir Arkin
– Donald McLachlan
 For followup:
– http://www.nmrc.org/
– http://razor.bindview.com/
– thegnome@nmrc.org
– thegnome@razor.bindview.com