Scanning

BAI514 – Security I


Scanning

  • The goal of scanning is to discover open ports and find applications vulnerable to hacking


Scanning

  • The Information Gathering Process

    • 1 – Gathering information

    • 2 – Locating the network range

    • 3 – Identifying active machines

    • 4 – Finding open ports and applications

    • 5 – Detecting operating systems

    • 6 – Fingerprinting services

    • 7 – Mapping the network

  • Scanning comprises the last five steps


Identifying Active Machines

  • Primary reasons

    • Fill in details of the target network map

    • Identify perimeter and outer boundary of target network

    • Create an inventory of accessible systems in the target network


Identifying Active Machines

  • Ping

    • Useful ICMP utility

      • Measures speed at which packets traverse network

      • Can provide other details of target

        • TTL

        • Sequence number

        • Other?


Identifying Active Machines

  • Ping (cont.)

    • Ping nnn.nnn.nnn.nnn

    • Options

      • -t – Ping host until stopped

      • -a – Resolve address to hostname

      • -n n – Number of requests to send

      • -l n – Send buffer size

      • -i n – TTL

      • -v n – TOS

      • -r n – Record route for n hops

      • -s n – Timestamp for n hops

      • -j list – Loose source route along host-list

      • -k list – Strict source route along host-list

      • -w n – Timeout in ms to wait for each reply


Identifying Active Machines

  • Ping Sweeps

    • Automatically pinging a range of IP addresses

      • Script

      • Batch file

      • Utility

    • Ping Tools

      • WS_PingProPack – www.ipswitch.com

      • NetScan Tools – www.nwpsw.com

      • Hping – www.hping.org/download.html

      • Icmpenum – www.nmrc.org


Identifying Active Machines

  • Ping Sweeps (cont.)

    • Ping Sweep Detection Tools

      • Network-based IDS – www.snort.org

      • Genius – www.indiesoft.com

      • Scanlogd – www.openwall.com/scanlogd


Identifying Open Ports and Available Service

  • Next step after finding active hosts is to locate any open ports and services on the hosts

  • Techniques include

    • Port scanning

    • Banner grabbing

    • War dialing

    • War walking/driving


Identifying Open Ports and Available Service

  • Reasons for identifying listening services on the target

    • Determine live hosts if ICMP is blocked

    • Identify potential ports for creating attack vectors

    • Obtain OS information

    • Identify specific applications


Identifying Open Ports and Available Service

  • Port Scanning

    • The process of connecting to, or attempting to connect to, TCP or UDP ports for the purpose of finding what services and applications are running on the target system.

      • Email

      • http

      • TCP 53

      • UDP 161

      • UDP/TCP 4


Identifying Open Ports and Available Service

  • Types of information gathered from scanning

    • Details of target DNS

    • Available services

    • Types and versions of operating systems


Identifying Open Ports and Available Service

  • Ports have three states

    • Open – accepting communications

    • Closed – not accepting connectivity

    • Filtered – has some type of network device (e.g. a firewall) preventing the port from being probed

  • Nmap can be used to determine the state of a port


Identifying Open Ports and Available Service

  • TCP/UDP scanning types

    • Some are simple and easy to detect

    • Some are complicated and difficult to detect

    • Most intended to be stealthy

    • TCP provides connection based communication

    • UDP provides best effort communication


Identifying Open Ports and Available Service

  • Manipulation of TCP’s three-way handshake is the basis for most TCP-based scanning.

  • TCP-based scanning techniques

    • TCP connect() scanning

      • Full connection attempted

      • Easiest to detect


Identifying Open Ports and Available Service

  • TCP-based scanning techniques (cont.)

    • TCP SYN (half open) scanning

      • Full connection never opened

        • Scanning machine sends a SYN packet

        • If a SYN/ACK is received, the port is listening

        • The scanner breaks the connection by sending a RST packet

        • If a RST is received, the port is closed


Identifying Open Ports and Available Service

  • TCP-based scanning techniques (cont.)

    • TCP SYN/ACK scanning

      • Scanner sends a SYN/ACK

      • If the port is closed, a RST will be sent

      • If the port is open, the packet will be ignored and dropped by the port


Identifying Open Ports and Available Service

  • TCP-based scanning techniques (cont.)

    • TCP FIN scanning

      • Scanner sends a FIN packet

      • If the port is closed, it replies with a RST

      • If the port is open, it ignores the FIN

      • NOTE: Windows will send a RST regardless of the state of the port


Identifying Open Ports and Available Service

  • TCP-based scanning techniques (cont.)

    • TCP FTP

      • Very stealthy

      • Scanner connects to an FTP server and requests that the server initiate a data transfer process to a third system

      • Scanner uses the PORT FTP command to declare the data transfer process is listening on the target box at a certain port number

      • Scanner then uses the LIST FTP command to try to list the current directory.

        • The result is sent over the server data transfer process channel.

        • If the transfer is successful, the target host is listening on the specified port.

        • If the transfer is unsuccessful, the port is not listening.
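The FTP bounce technique above works only because the server accepts a PORT command that names a host other than the one that opened the control connection. The following is an added example (not code from the slides or from any real FTP server) of the check that removes the bounce: it parses the RFC 959 PORT argument, refuses a data address that differs from the control-connection peer, and refuses low ports. The function names, the reply wording and the sample session are constructed for this example.

```python
import ipaddress


def parse_port_command(arg):
    """Parse the RFC 959 PORT argument "h1,h2,h3,h4,p1,p2" into (ip, port).
    Returns None when the argument is malformed."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        return None
    try:
        nums = [int(x) for x in parts]
    except ValueError:
        return None
    if any(not 0 <= n <= 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def port_command_allowed(arg, peer_ip, min_port=1024):
    """Decide whether a PORT command from the client at peer_ip is acceptable.
    Returns (allowed, reason). Rejecting any data address other than the
    control-connection peer removes the bounce scan; rejecting low ports
    stops the server from being pointed at privileged services."""
    parsed = parse_port_command(arg)
    if parsed is None:
        return False, "malformed PORT argument"
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(peer_ip):
        return False, f"data address {ip} differs from control peer {peer_ip}"
    if port < min_port:
        return False, f"data port {port} is below {min_port}"
    return True, "ok"


def handle_command(line, peer_ip):
    """Minimal dispatcher for a hypothetical server: returns the reply text for
    a PORT line (reply wording constructed in the usual 200/500 style)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return "502 Command not implemented."
    allowed, reason = port_command_allowed(arg, peer_ip)
    if allowed:
        return "200 PORT command successful."
    return f"500 Illegal PORT command ({reason})."


# Constructed sample session: the client is 10.0.0.7; the third command tries
# to aim the data connection at another host's port 80 (the bounce).
SAMPLE_SESSION = [
    ("PORT 10,0,0,7,4,1", "10.0.0.7"),
    ("PORT 10,0,0,7,0,22", "10.0.0.7"),
    ("PORT 10,0,0,50,0,80", "10.0.0.7"),
    ("PORT 10,0,0,7,4", "10.0.0.7"),
]

if __name__ == "__main__":
    for line, peer in SAMPLE_SESSION:
        print(f"{line!r:28} -> {handle_command(line, peer)}")
```

Modern FTP daemons ship this check on by default; auditing a server for the bounce is a matter of confirming that a PORT naming a foreign address gets the 500-style refusal rather than a 200.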


Identifying Open Ports and Available Service

  • TCP-based scanning techniques (cont.)

    • RPC scan

      • A remote procedure call (RPC) is used to identify RPC applications

    • IDLE scan

      • Considered the only totally stealthy scan

      • Scans a remote system, but the results are sent to a third system

      • All scans will appear to come from the third system


Identifying Open Ports and Available Service

  • TCP-based scanning techniques (cont.)

    • XMAS Tree scan

      • Scanner sends a TCP packet with the URG, PSH, and FIN flags set

      • Different OSes will react differently to this
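The slides describe each probe from the scanner's side; the same rules, read from the defender's side, are what a ping-sweep detector (the Snort and scanlogd slide), a SYN-scan detector and a FIN/XMAS detector look for. The block below is an added example, not code from the slides or from any of the listed tools: it runs three detectors over a constructed packet log. A ping sweep is one source sending echo requests to many hosts; a half-open scan is one source sending SYNs to many ports of a host and never sending the ACK that completes a handshake; FIN, XMAS (URG+PSH+FIN) and NULL probes are TCP segments whose flag set never occurs in a legitimate connection. The Packet record, thresholds and sample traffic are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One observed packet. For TCP, flags is a string of flag letters
    (S, A, F, R, P, U) in any order; for ICMP it is the message type name."""
    src: str
    dst: str
    proto: str          # "icmp" or "tcp"
    dport: int = 0      # TCP destination port (0 for ICMP)
    flags: str = ""


# Detection thresholds (constructed for this example; tune to the network).
PING_SWEEP_HOSTS = 10   # distinct echo-request targets from one source
SYN_SCAN_PORTS = 5      # distinct half-open ports from one source to one host

# Flag sets that never occur in a legitimate TCP connection, keyed by the
# canonical (sorted) form so "UPF", "FPU" and "PFU" all match.
PROBE_FLAGS = {"": "NULL scan", "F": "FIN scan", "FPU": "XMAS scan"}


def canonical(flags):
    return "".join(sorted(flags.upper()))


def detect_ping_sweep(packets):
    """Return {source: host_count} for sources that echo-requested many hosts."""
    targets = defaultdict(set)
    for p in packets:
        if p.proto == "icmp" and p.flags == "echo":
            targets[p.src].add(p.dst)
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= PING_SWEEP_HOSTS}


def detect_syn_scan(packets):
    """Return {(src, dst): [ports]} where src sent SYNs to many ports of dst
    but never sent the ACK that completes the handshake. A normal client
    completes it; a half-open scanner answers the SYN/ACK with a RST."""
    syns, acks = defaultdict(set), defaultdict(set)
    for p in packets:
        if p.proto != "tcp":
            continue
        f = canonical(p.flags)
        if f == "S":
            syns[(p.src, p.dst)].add(p.dport)
        elif f == "A":
            acks[(p.src, p.dst)].add(p.dport)
    result = {}
    for key, ports in syns.items():
        half_open = sorted(ports - acks[key])
        if len(half_open) >= SYN_SCAN_PORTS:
            result[key] = half_open
    return result


def detect_flag_probes(packets):
    """Return (src, dst, dport, label) for every FIN, XMAS or NULL probe."""
    hits = []
    for p in packets:
        if p.proto == "tcp":
            label = PROBE_FLAGS.get(canonical(p.flags))
            if label:
                hits.append((p.src, p.dst, p.dport, label))
    return hits


def report(packets):
    """Human-readable alerts, one line per finding."""
    lines = [f"ping sweep from {s}: {n} hosts"
             for s, n in detect_ping_sweep(packets).items()]
    lines += [f"SYN scan {s} -> {d}: ports {p}"
              for (s, d), p in detect_syn_scan(packets).items()]
    lines += [f"{label} {s} -> {d}:{port}"
              for s, d, port, label in detect_flag_probes(packets)]
    return lines


# Constructed sample traffic: a 20-host ping sweep and a 10-port SYN scan from
# 10.0.0.99, three odd-flag probes from 10.0.0.77, and one normal handshake
# from 10.0.0.12 that must not be reported.
SAMPLE = (
    [Packet("10.0.0.99", f"10.0.0.{i}", "icmp", flags="echo") for i in range(1, 21)]
    + [Packet("10.0.0.99", "10.0.0.5", "tcp", port, "S")
       for port in (21, 22, 23, 25, 53, 80, 110, 143, 443, 8080)]
    + [Packet("10.0.0.5", "10.0.0.99", "tcp", 40001, "SA"),   # port 22 answered
       Packet("10.0.0.99", "10.0.0.5", "tcp", 22, "R")]       # scanner tears down
    + [Packet("10.0.0.77", "10.0.0.5", "tcp", 80, "F"),
       Packet("10.0.0.77", "10.0.0.5", "tcp", 443, "UPF"),
       Packet("10.0.0.77", "10.0.0.5", "tcp", 25, "")]
    + [Packet("10.0.0.12", "10.0.0.5", "tcp", 80, "S"),
       Packet("10.0.0.5", "10.0.0.12", "tcp", 52000, "SA"),
       Packet("10.0.0.12", "10.0.0.5", "tcp", 80, "A")]
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Two caveats worth carrying into a real deployment: the SYN-scan rule needs a time window (a slow scan spreads its SYNs over hours to stay under the threshold), and the flag-set rule produces no false positives by construction, since no RFC-conformant stack emits a FIN-only, URG+PSH+FIN or flagless segment outside a connection.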


Identifying Open Ports and Available Service

  • Determining the operating system

    • Helps to determine which attack to use

    • Can be easily found sometimes

      • Telnet banner

      • FTP banner

    • TCP Stack fingerprinting / Passive OS fingerprinting

      • Different OS and device vendors implement TCP/IP slightly differently. These differences can be used to determine the OS

      • TCP Initial sequence number sampling

        • The pattern for sequence numbers can give away the OS


Identifying Open Ports and Available Service

  • Scanning Tools

    • Can be used by hackers and administrators alike

    • Hping

      • Can send packets with non-traditional IP stack parameters

    • Legion

      • Scans for shared folders

    • Nessus

      • Free security auditing tool

    • Nmap

      • Very common, very good port scanner


Identifying Open Ports and Available Service

  • Scanning Tools (cont.)

    • Security Administrator’s Integrated Network Tool (SAINT)

      • Examines network services (ex. Finger, NFS, FTP, TFTP, statd, etc.)

    • System Administrator Tool for Analyzing Networks (SATAN)

      • Scans for well-known vulnerabilities

    • Tcpview

      • Displays what applications are using what ports


Identifying Open Ports and Available Service

  • Scanning Tools (cont.)

    • Snort

      • Very powerful Intrusion Detection System (IDS)

      • Can be used as a sniffer

    • SuperScan

      • TCP/UDP port scanner

      • Newer version can perform enumeration

    • THC-Amap

      • TCP/UDP scanner

      • Can find services on ports that have been redirected


Identifying Open Ports and Available Service

  • Vulnerable Ports

    • 65,535 TCP and UDP ports

    • Most common include

      • 21 - ftp

      • 23 - telnet

      • 25, 109, 110, 143 - smtp, pop3, imap

      • 53 - dns

      • 80, 8080 – http

      • 161 – snmp

      • 5631 - PCAnywhere


Identifying Open Ports and Available Service

  • Port Scanning Issues

    • False positives

      • Applications can use ports normally associated with other services

    • Heavy traffic

      • Can cause network performance issues

    • False negatives

      • Can exhaust system resources, causing a false negative

    • System crash

    • Unregistered port numbers

      • Ports may be listening, but what service is unknown


Identifying Open Ports and Available Service

  • Banner Grabbing

    • Can provide important information

      • Type of software

      • Version of software

    • Telnet can be used to grab HTTP, FTP, and SMTP server information

      • telnet [ipaddr] [port #]


Identifying Open Ports and Available Service

  • Banner Grabbing (cont.)

    • Netcat

      • nc -v -n [ipaddr] [port #]

      • Features

        • Creating outbound and inbound connections

          • UDP or TCP

        • Providing a tunnelling mode

        • Randomized port scanning

        • File transfers

        • Remote shell
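What telnet or netcat returns from a port is only useful once someone parses it, and from the administrator's side the question is which of one's own services give away a product and version in their greeting. The following is an added example (not code from the slides, telnet or netcat): a parser for the banner formats the slides name (SSH identification string, HTTP Server header, and the 220 greeting FTP and SMTP share), plus a report of which services disclose a version. The sample banners are constructed, and grab_banner is a hypothetical helper for checking a host one administers; the parser is what the test exercises.

```python
import re
import socket

# Dotted version number, optionally followed by a suffix such as "p1".
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+[\w.-]*)")


def parse_banner(port, data):
    """Extract service, product and version from the first bytes a service
    sends. Returns a dict; discloses_version is the field an auditor acts on."""
    text = data.decode("latin-1", "replace") if isinstance(data, bytes) else data
    first = text.split("\r\n")[0].strip()
    info = {"port": port, "service": "unknown", "product": None, "version": None}
    if first.startswith("SSH-"):
        # Format: SSH-protoversion-softwareversion [comments]
        info["service"] = "ssh"
        software = first.split("-", 2)[2].split(" ")[0]      # e.g. OpenSSH_8.9p1
        product, _, version = software.partition("_")
        info["product"], info["version"] = product, version or None
    elif first.startswith("HTTP/"):
        # Only the Server header carries product/version information.
        info["service"] = "http"
        m = re.search(r"^Server:\s*(.+)$", text, re.M | re.I)
        if m:
            product, _, rest = m.group(1).strip().partition("/")
            v = VERSION_RE.search(rest)
            info["product"], info["version"] = product, v.group(1) if v else None
    elif first.startswith("220"):
        # FTP and SMTP both greet with a 220 line; SMTP greetings say (E)SMTP.
        greeting = first[3:].strip()
        info["service"] = "smtp" if "smtp" in greeting.lower() else "ftp"
        words = greeting.split()
        v = VERSION_RE.search(greeting)
        if v:
            info["version"] = v.group(1)
            before = greeting[:v.start()].split()
            info["product"] = before[-1].strip("(/") if before else None
        elif words:
            info["product"] = words[-1]
    info["discloses_version"] = info["version"] is not None
    return info


def grab_banner(host, port, timeout=3.0):
    """Read the first bytes a service sends (HTTP only answers after a
    request). Hypothetical helper for auditing one's own hosts; not exercised
    by the test because it needs a live service."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return s.recv(1024)


def disclosure_report(banners):
    """Given [(port, raw_banner)], list the services that reveal a version."""
    findings = []
    for port, raw in banners:
        info = parse_banner(port, raw)
        if info["discloses_version"]:
            findings.append(f"port {port}: {info['product']} {info['version']} in banner")
    return findings


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    (21, b"220 (vsFTPd 3.0.3)\r\n"),
    (22, b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"),
    (25, b"220 mail.example.com ESMTP Postfix\r\n"),
    (80, b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\n\r\n"),
    (8080, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
]

if __name__ == "__main__":
    for line in disclosure_report(SAMPLE_BANNERS):
        print(line)
```

The fix for a flagged service is configuration, not code: Apache's ServerTokens Prod and nginx's server_tokens off trim the Server header, and Postfix's smtpd_banner and vsftpd's ftpd_banner set the 220 greeting text. SSH is the exception: the protocol requires the software version string, so the inventory entry for port 22 is simply a reminder to keep that version current.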


War Dialing

  • Accessing a network by using a modem and software to scan for target systems with attached modems

  • Modems have very weak authentication

  • Modems are often left unchecked on workstations and laptops


War Dialing

  • War dialer

    • A tool used to scan a large pool of telephone numbers to try to detect vulnerable modems

      • THC-Scan – DOS application that dials ranges of numbers to search for a modem or fax

      • ToneLoc – dials from a file of area codes and number banks

      • PhoneSweep – Heavy duty war dialing application that supports simultaneous multiple phone lines


War Driving and War Walking

  • Sniffing for WLANs while travelling via some means of transport such as car, train, bus, even planes

  • War Walking is the same as war driving, but walking instead of driving


War Driving and War Walking

  • Wireless Scanners

    • NetStumbler – GUI, displays wireless access points, SSIDs, channels, encryption, and signal strength

    • MiniStumbler – Similar to NetStumbler, but designed to work with Pocket PC

    • AirSnort – Wireless LAN tool that cracks WEP encryption keys

    • Kismet – Wireless network detector, sniffer, and IDS

    • SSID Sniff – Used to discover access points and save captured data

    • WifiScanner – Analyzes traffic and detects 802.11b APs


War Driving and War Walking

  • Wireless Packet Sniffers

    • AirMagnet – developed for wireless inventory management, but can be used for security assessment

    • AiroPeek – packet analyzer for 802.11b wireless LANs

    • Wireshark – Complete packet analyzer, requires a Wi-Fi NIC capable of monitor mode (promiscuous)


Fingerprinting

  • The process of determining the operating system on the target computer.

    • Exploits the fact that various OS vendors implement the TCP/IP stack differently.

    • Packets returned to the sender are logged and compared to a database to determine the target’s operating system


Fingerprinting

  • Two types

    • Passive

      • Less accurate than Active fingerprinting, but less detectable

      • Passively captures packets on the network

      • Compares many packet fields

        • TTL

        • Initial TCP window size

        • Don’t Fragment bit

        • Type of Service

        • Sequence #
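The passive method compares exactly the fields listed above against a database. As an added example (not the slides' content and not p0f's or Nmap's database), the block below does the comparison for TTL, initial window size and the DF bit: it first recovers the likely initial TTL (hosts start at 64, 128 or 255 and each router hop decrements it), which also yields the hop distance, then matches the window and DF bit against a small signature table. The signature table, the SynFields record, the log-line format and the sample lines are all constructed and illustrative.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SynFields:
    """Fields of one observed SYN that the slide lists as fingerprint inputs."""
    ttl: int
    window: int
    df: bool
    tos: int = 0


# Illustrative signature table, constructed for this example (real tools such
# as p0f carry far more entries and also use TCP option order and MSS).
# Columns: label, initial TTL, known initial window sizes, DF bit set.
SIGNATURES = [
    ("Linux (illustrative)", 64, {5840, 14600, 29200, 64240}, True),
    ("Windows, older (illustrative)", 128, {16384, 65535}, True),
    ("Windows, newer (illustrative)", 128, {8192}, True),
    ("BSD / macOS (illustrative)", 64, {65535}, True),
]
INITIAL_TTLS = (64, 128, 255)


def guess_initial_ttl(observed):
    """The smallest initial TTL that is not below the observed value is the
    likely original; None for an impossible value."""
    for initial in INITIAL_TTLS:
        if 0 < observed <= initial:
            return initial
    return None


def hop_distance(observed):
    initial = guess_initial_ttl(observed)
    return None if initial is None else initial - observed


def fingerprint(fields):
    """Return the signature labels consistent with the observed fields."""
    initial = guess_initial_ttl(fields.ttl)
    matches = [label for label, ttl, windows, df in SIGNATURES
               if ttl == initial and fields.window in windows and df == fields.df]
    return matches or ["unknown"]


# Constructed log format: one line per captured SYN with key=value fields.
LINE_RE = re.compile(r"src=(?P<src>\S+) ttl=(?P<ttl>\d+) win=(?P<win>\d+) "
                     r"df=(?P<df>[01]) tos=(?P<tos>\d+)")


def parse_syn_line(line):
    """Return (src, SynFields) for a log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], SynFields(int(m["ttl"]), int(m["win"]), m["df"] == "1", int(m["tos"]))


def classify_log(lines):
    """Return {src: (hops, labels)} for every parsable line."""
    out = {}
    for line in lines:
        parsed = parse_syn_line(line)
        if parsed:
            src, fields = parsed
            out[src] = (hop_distance(fields.ttl), fingerprint(fields))
    return out


SAMPLE_LOG = [
    "src=10.1.0.5 ttl=52 win=29200 df=1 tos=0",
    "src=10.1.0.6 ttl=117 win=8192 df=1 tos=0",
    "src=10.1.0.7 ttl=64 win=65535 df=1 tos=0",
    "src=10.1.0.8 ttl=200 win=1024 df=0 tos=0",
    "garbage line",
]

if __name__ == "__main__":
    for src, (hops, labels) in classify_log(SAMPLE_LOG).items():
        print(f"{src}: {hops} hops away, {', '.join(labels)}")
```

The third and fourth sample lines show why TTL matters: a window of 65535 appears in both the older-Windows and the BSD rows, and only the recovered initial TTL (128 versus 64) separates them. The method's lower accuracy comes from the same place, since window sizes are tunable and NAT devices and load balancers can rewrite TTL and DF on the way through.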


Fingerprinting

  • Two types (cont.)

    • Active

      • More accurate than passive fingerprinting, but not as stealthy

      • Works similarly to passive, but sends altered packets to compare the results


Fingerprinting

  • Tools

    • p0f – passive fingerprinting tool

      • lcamtuf.coredump.cx/p0f.shtml

    • Nmap – active fingerprinting

    • Xprobe – active fingerprinting

      • xprobe.sourceforge.net

    • Winfingerprint – active fingerprinting

      • winfingerprint.com


Mapping the Network

  • Taking all gathered information and creating a detailed map or maps of the organization

    • Network information

    • Network diagram/layout

      • Cheops – www.marko.net/cheops/

    • Company information


FIN

