
Xmas Tree Scan Detection with Snort



Presentation Transcript


  1. Xmas Tree Scan Detection with Snort Presented by: Aqila Dissanayake University of Windsor dissanaa@uwindsor.ca Olalekan Kadri University of Windsor kadrio@uwindsor.ca

  2. Presentation Outline • Definition of Port Scan • History of Port Scanning • Well known Port Scanning Technique • Why Study Port Scanning Technique? • Ports • TCP And TCP flags • Xmas Tree Scan • Packet Design for Xmas Tree Scan • The Experiment • References

  3. Port Scanning • “A port scan is a method used by intruders to discover the services running on a target machine” [1]. • By simply checking whether a given port is open or closed, an attacker can determine whether to attack that machine on that specific port or not. • “For example, if the intruder finds that port 143 (the IMAP port) is open; she may proceed to find out what version of IMAP is running on the target machine. If the version is vulnerable, she may be able to gain super user access to the machine using an exploit” [1].

  4. History of Port Scanning • In the early days of computing, port scanning was not widely used. • Even after powerful port scanners such as the Network Mapper (Nmap) came into use, port scanning did not receive wide usage. • The reason for this was that even with Nmap, people needed root privileges to construct and receive the raw network packets used to do port scanning on Unix/Linux systems. (Open source software like Nmap first came into use on Linux based systems.) • In those days people did not have their own Unix/Linux box; most people had a shared shell account [2]. • These days not only is Nmap available for Windows systems, computers are much cheaper than they used to be. So people can use Nmap on their Windows box or on their own Linux box.

  5. Also, these days various scanning tools are widely available over the internet and the internet itself has become much faster because of increasing bandwidth. • This has led to a tremendous increase in network activities including port scanning. • Search engines like Google only add fuel to the scenario by providing a simple and easy way to look for tools to conduct network reconnaissance and locate advanced knowledge about network protocols and the internet which makes port scans much more successful and stealthy. • Nowadays port scans have become much easier to perform because of various software tools available over the internet. • One can simply download such a tool from the internet and run it to scan whole networks in a matter of minutes.

  6. The most well known port scanning techniques • TCP connect scan • TCP SYN scan • TCP FIN scan • TCP null scan • TCP window scan • TCP ACK scan • TCP Maimon scan • Xmas tree scan • UDP scan • IP protocol scan • FTP bounce scan • Idle scan

  7. Why study port scanning techniques? • Since port scanning techniques are used to conduct reconnaissance in networks, these can be considered as the early steps an intruder takes before the actual attack. • So, if we can catch network reconnaissance attacks, it will be much easier to prevent the actual attack from taking place.

  8. Port • “A software port is a virtual data connection that can be used by programs to exchange data directly, instead of going through a file or other temporary storage location” [3]. • Examples are TCP and UDP ports, which are used to exchange data between computers on a network. • Port numbers are unique within a computer system [4]. • A port number is a 16-bit unsigned integer. Therefore the number of available ports is 2^16, which is 65536 ports, numbered from port 0 to 65535.

  9. Normally, ports can be divided into three distinct categories. They are • Well Known Ports – Port 0 – 1023 [4] • Registered Ports – Port 1024 – 49151 [4] • Dynamic and/or Private Ports – Port 49152 – 65535 [4]

  10. Well Known Ports • “The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users” [5]. • An attempt by an underprivileged user to open a port in the range of 0 to 1023 will fail [4]. • Commonly used well known ports include [7]: • Port 20 – FTP, data • Port 21 – FTP, control • Port 22 – SSH • Port 23 – Telnet • Port 25 – SMTP • Port 53 – DNS • Port 80 – HTTP

  11. TCP & TCP Flags • “The Transmission Control Protocol (TCP) is one of the core protocols of the internet protocol suite” [8]. • “TCP is a connection-oriented, end-to-end reliable protocol designed to fit into a layered hierarchy of protocols which support multi-network applications” [9]. • In TCP, 8 bits are allocated for flags. • Most of the scanning techniques listed earlier in this document make use of these flags to carry out port scanning. • Typically, each TCP based scan sets these flags to a different value or combination of values in order to do the scanning.

  12. Xmas Tree Scan • The Xmas tree scan exploits a subtle loophole in the TCP RFC to differentiate between open and closed ports [2]. • “If the [destination] port state is CLOSED, an incoming segment not containing a RST causes a RST to be sent in response” [2]. • When scanning systems compliant with the TCP RFC text, any packet not containing the SYN, RST, or ACK bits will result in • a returned RST if the port is closed • and no response at all if the port is open [2]. • “As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK” [2]. • Nmap exploits this with the Xmas tree scan.

  13. Closed Port • In a Xmas tree scan, if a RST packet is received, the port is considered closed. This is illustrated by the diagram below. • Adapted from http://www.networkuptime.com/nmap/page3-5.shtml

  14. Open/Filtered Port • No response means the port is either open or filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received. This scenario of not receiving a response is displayed below. • Adapted from http://www.networkuptime.com/nmap/page3-5.shtml

  15. “The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers” [2]. • Furthermore, the Xmas tree scan is stealthier than a regular SYN scan [2]. • Luckily though, intrusion detection products can be configured to detect these types of reconnaissance scans. • The Snort intrusion detection system, which we tested, will alert on a Xmas tree scan.

  16. Since some systems do not follow RFC 793, they send RST responses to the probes regardless of whether the port is open or not [2]. • This will result in all ports being labeled as closed. • This behavior is shown by Microsoft Windows and many Cisco devices [2]. • However, this scan will work against most UNIX based systems [2]. • Also, these scans can't distinguish open ports from certain filtered ones, leaving one with the response open or filtered [2].

  17. Packet Design for the Xmas Tree Scan • In the project we used Nmap to do the actual scan. • However, the packets required for the Xmas tree scan can easily be constructed using a packet crafting tool such as CommView. • A TCP packet contains certain flags which must be set to do a Xmas tree scan. • A Xmas tree scan sends a TCP packet to a remote device with the URG, PUSH, and FIN flags set [10]. • “This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree” [10].

  18. So in CommView we need to set the flags of a TCP packet to match 00101001. • CommView presents the packet contents in hexadecimal, so we needed to convert the binary value 00101001 to hexadecimal, which came to 0x29.
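The detection side of slides 15, 17 and 18, as an added example that is not part of the original presentation: it decodes the flags byte of a raw TCP header, applies the same FIN+PSH+URG-without-SYN/RST/ACK match that a Snort `flags` rule expresses, and counts probes per source so a burst like the 200–1000 packets/s runs above stands out. The header builder and the packet list are constructed test input, not captures from the experiment.

```python
import struct
from collections import Counter

# TCP flag bit values in the flags byte (RFC 793 bit order, LSB = FIN)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG           # 0b00101001 == 0x29, the pattern from slide 17
RESPONSE_BITS = SYN | RST | ACK  # if any of these is set the RFC 793 loophole does not apply


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # byte 12 = data offset + reserved bits, byte 13 = the 8 flag bits
    return segment[13]


def is_xmas_probe(flags: int) -> bool:
    """True when FIN, PSH and URG are all set and SYN, RST and ACK are all clear."""
    return (flags & XMAS) == XMAS and (flags & RESPONSE_BITS) == 0


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header for testing (seq/ack/checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def xmas_sources(packets, threshold: int) -> dict:
    """Count Xmas probes per source address; return sources at or above threshold.

    packets is an iterable of (src_ip, raw_tcp_header) pairs.
    """
    counts = Counter()
    for src, segment in packets:
        if is_xmas_probe(tcp_flags(segment)):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic (hypothetical addresses): one host sweeping three ports
# with 0x29 probes, one ordinary SYN and one ACK from a different host.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_tcp_header(40001, 22, XMAS)),
    ("192.0.2.10", build_tcp_header(40002, 80, XMAS)),
    ("192.0.2.10", build_tcp_header(40003, 143, XMAS)),
    ("192.0.2.20", build_tcp_header(50000, 80, SYN)),
    ("192.0.2.20", build_tcp_header(50001, 80, ACK | PSH)),
]

if __name__ == "__main__":
    print(xmas_sources(SAMPLE_PACKETS, threshold=3))
```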

  19. Conducting the actual Xmas Tree Scan

  20. 200 packets/s, 10000 total

  21. 400 packets/s, 10000 total

  22. 600 packets/s, 10000 total

  23. 800 packets/s, 10000 total

  24. 1000 packets/s, 10000 total

  25. References • [1] Network Probes Explained: Understanding Port Scans and Ping Sweeps, Linux Journal, December 1st 2000, http://www.linuxjournal.com/article/4234 • [2] Port scanning techniques, Insecure.org, http://insecure.org/nmap/man/man-port-scanning-techniques.html • [3] Computer port, Wikipedia.com, http://en.wikipedia.org/wiki/Computer_port_%28software%29 • [4] Port scanning, www.cs.wright.edu, http://www.cs.wright.edu/~pmateti/Courses/499/Probing/ • [5] Port numbers, Iana.org, http://www.iana.org/assignments/port-numbers • [6] Registered Port, Wikipedia.com, http://en.wikipedia.org/wiki/Registered_port • [7] Well known IP ports, 0 through 999, www.networksorcery.com, http://www.networksorcery.com/enp/protocol/ip/ports00000.htm • [8] Transmission Control Protocol, Wikipedia.com, http://en.wikipedia.org/wiki/Transmission_Control_Protocol • [9] RFC 793, Faqs.org, http://www.faqs.org/rfcs/rfc793.html • [10] Xmas tree scan, www.networkuptime.com, http://www.networkuptime.com/nmap/page3-5.shtml
