Reconnaissance network mapping and vulnerability assessment
This presentation is the property of its rightful owner.
Sponsored Links
1 / 26

Reconnaissance, Network Mapping, and Vulnerability Assessment PowerPoint PPT Presentation


  • 77 Views
  • Uploaded on
  • Presentation posted in: General

Reconnaissance, Network Mapping, and Vulnerability Assessment. ECE4112 – Internetwork Security Georgia Institute of Technology. Agenda. Reconnaissance Scanning Network Mapping Port Scanning OS detection Vulnerability assessment. Reconnaissance.

Download Presentation

Reconnaissance, Network Mapping, and Vulnerability Assessment

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Reconnaissance network mapping and vulnerability assessment

Reconnaissance, Network Mapping, and Vulnerability Assessment

ECE4112 – Internetwork Security

Georgia Institute of Technology


Agenda

Agenda

  • Reconnaissance

  • Scanning

    • Network Mapping

    • Port Scanning

    • OS detection

    • Vulnerability assessment


Reconnaissance

Reconnaissance

  • Internet Network Information Center who-is

    database www.internic.net/whois.html

  • Registrar’s database i.e. www.networksolutions.com

  • American Registry for Internet Numbers (ARIN)

    http://ww2.arin.net/whois/

  • Domain Name System (DNS) nslookup


Reconnaissance network mapping and vulnerability assessment

Reconnaissance

  • After Recon, it is possible to know detailed information about a potential target

  • This information includes specific IP addresses and ranges of addresses that may be further probed.


Scanning

Scanning

Objective 1: Network Mapping

Why: To determine what the network looks like logically.

How: Manually using tools like ping, traceroute, tracert, or with tools like Cheops network mapping tool


Cheops ng

Cheops-ng

Created by Mark Spencer for Linux systems, available at

http://www.marko.net/cheops/

Purpose: “To provide system administrators and users with

a simple interface to managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem.” This tool automates ping and traceroute.


Cheops ng what does it do

Cheops-ng: What does it do?

  • Finds active hosts in a network

  • Determines the names of active hosts

  • Discovers host operating systems

  • Detects open ports

  • Maps the complete network in a graphical format


Cheops ng how does it work

Cheops-ng: How does it work?

  • Utilizes ICMP “ping” packets to search a network for live hosts

  • Domain Name Transfers (nslookup) are used to list hosts

  • Invalid flags on TCP packets are used to detect the OS

  • Half-open TCP connections are used to detect ports

  • UDP packets with small TTL values are used to map network


Scanning1

Scanning

  • Objective 2: Port Scanning

  • Why: To find open ports in order to exploit them.

  • How:

    • TCP Connect -- attempt to complete 3-way handshake, look for SYN-ACK, easy to detect this scan

    • TCP SYN Scan -- “half-open” scan, look for SYN-ACK, then send RESET, target system will not record connection, also faster than TCP connect scan

    • TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol, closed ports send RESET, open ports send nothing (Windows does not respond to these scans)


Scanning2

Scanning

  • TCP ACK Scan -- may be useful to get past packet filters (believes it is a response to a request from inside firewall), if receive RESET, know this port is open through firewall

  • FTP Bounce Scan -- request that server send file to a victim machine inside their network (most servers have disabled this service)

  • UDP Scan -- unreliable, if receive ICMP Port Unreachable, assume closed, otherwise open

  • Ping Sweep -- can use ICMP or TCP packets


Scanning3

Scanning

  • Additional objectives:

    • Decoys -- insert false IP addresses in scan packets

    • Ping Sweeps -- identify active hosts on a target network

    • Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)


Scanning4

Scanning

  • Objective 3: Operating System Detection

  • Why: To determine what Operating System is in use in order to exploit known vulnerabilities.

  • Also known as TCP stack fingerprinting.

  • Take advantage of ambiguity of how to handle illegal combinations of TCP code bits that is found in the RFCs.

  • Each OS responds to illegal combinations in different ways.

  • Determine OS by system responses.


Reconnaissance network mapping and vulnerability assessment

OS detection

Window Size: Most Unix Operating Systems keep the window

Size the same throughout a session. Windows Operating

Systems tend to change the window size during a session.

Time to Live: FreeBsd or Linux typically use 64, Windows

Typically uses 128.

Do Not Fragment Flag: Most OS leave set, OpenBSD leaves

it unset.


Nmap network exploration tool

Nmap: Network Exploration Tool

Purpose: “To allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.”

Available at: http://www.insecure.org/nmap/


Nmap what does it do

Nmap: What does it do?

  • Port scanning

  • OS detection

  • Ping sweeps


Nmap how does it work

Nmap: How does it work?

Use the following Scan techniques :


Nmap how does it work1

Nmap: How does it work?

  • Uses the following OS detection techniques

    • TCP/IP fingerprinting

    • stealth scanning

    • dynamic delay and retransmission calculations

    • parallel scanning

    • detection of down hosts via parallel pings

    • decoy scanning

    • port filtering detection

    • direct (non-port mapper) RPC scanning

    • fragmentation scanning

    • flexible target and port specification.


Scanning vulnerability assessment 1

Scanning Vulnerability Assessment (1)

  • Objective 4: Vulnerability Assessment

  • Why: To determine what known (or unknown?) vulnerabilities exist on a given network

  • Vulnerabilities come from:

    • Default configuration weakness

    • Configuration errors

    • Security holes in applications and protocols

    • Failure to implement patches!


Vulnerability assessment

Vulnerability Assessment

  • Vulnerability checkers use:

    • Database of known vulnerabilities

    • Configuration tool

    • Scanning engine

    • Knowledge base of current scan

    • Report generation tool


Scanning tool nessus

Scanning tool: Nessus

Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.”

Security Scanner: “A software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.”

Available platforms: UNIX for client and serverWindows for client only

Available at: http://www.nessus.org/


Nessus what does it do

Nessus: What does it do?

  • Iteratively tests a target system (or systems) for known exploitation vulnerabilities

  • Uses a separate plug-in (written in C or Nessus Attack scripting Language) for each security test

  • Can test multiple hosts concurrently

  • Produces a thorough vulnerability assessment report at the conclusion of the vulnerability scan


What does nessus check for

What does Nessus check for?

  • Backdoors

  • CGI abuses

  • Denial of Service

  • Finger abuses

  • FTP

  • Gain a shell remotely

  • Gain root remotely

  • Port scanners

  • Remote file access

  • RPC

  • SMTP problems

  • Useless services

  • Windows

  • and more...


Reconnaissance network mapping and vulnerability assessment

Scanning tool: Superscan4 (windows XP)

Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.”

Security Scanner: “Superior scanning speed, Support for unlimited IP ranges, Improved host detection using multiple ICMP methods , TCP SYN scanning , UDP scanning (two methods), IP address import supporting ranges and CIDR formats, Simple HTML report generation, Source port scanning, Fast hostname resolving, Extensive banner grabbing , Massive built-in port list description database , IP and port scan order randomization , A selection of useful tools (ping, traceroute, Whois etc) ,Extensive Windows host enumeration capability .”


Lab enhancements

Lab Enhancements

What corrections and orimprovements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like add tool xyz to do more capable scanning will not be awarded extras points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus if tool xyx adds a capability or additional or better learning experience for future students here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements.


Summary

Summary

  • Reconnaissance

  • Scanning

    • Network Mapping

    • Port Scanning

    • OS detection

    • Vulnerability assessment


  • Login