The Attack and Defense of Computers Dr.許 富 皓
Tracerouting • After identifying potential networks, we can attempt to determine their • network topology • potential access paths into the network
Tools • Unix: traceroute. • Windows: tracert.
Traceroute - Function • Allows a user to view the route that an IP packet follows from one host to the next.
traceroute - Principle • traceroute uses the TTL field in the IP packet to elicit an ICMP TIME_EXCEEDED message from each router (the TTL field is also a hop counter). • The first packet sent by traceroute has a TTL value of 1, the second packet sent has a TTL value of 2, … and so on. • When a UDP packet is used as a probing packet, it usually uses a port number greater than 30000 as its destination port number, which is rarely used by applications; hence, when the probed host receives the probing packet, an ICMP port unreachable packet will be sent back to traceroute.
traceroute - Interference • Access control devices (such as an application-based firewall or packet-filtering routers) may filter out traffic.
traceroute – Where Is the Router? • Generally, once you hit a live system on a network, the system before it is a device performing routing functions (for example, a router or a firewall).
traceroute – Multiple Routing Paths • In a complex environment: • There may be multiple routing paths – that is, routing devices with multiple interfaces or load balancers. • Each interface may have different access control lists (ACLs) applied. • In many cases, some interfaces will pass your traceroute requests, whereas others will deny them because of the ACL.
traceroute – Build an Access Path Diagram • After you traceroute to multiple systems on the network, you can begin to create a network diagram that depicts • the architecture of the Internet gateway • the location of devices that are providing access control functionality • This diagram is referred to as an access path diagram.
traceroute Exploring Packets • Most flavors of traceroute in UNIX default to sending UDP packets, with the option of using ICMP packets with the –I switch. • In Windows, however, the default behavior is to use ICMP echo request packets. • Therefore, your mileage may vary with each tool, depending on whether the site blocks UDP versus ICMP and vice versa.
Bypassing Access Control Device • -P n option. • -S switch • UDP port 53 is a good starting port number: because many sites allow inbound DNS queries (using UDP port 53), there is a high probability that the access control device will allow the probes through. • However, if the target really is listening on UDP port 53, you will not receive a normal ICMP port unreachable message back. Therefore, you will not see a host displayed when the packet reaches its ultimate destination.
Using TCP Packets to Find the Routes • Because the TTL value used in tracerouting is in the IP header, we are not limited to UDP or ICMP packets. Literally any IP packet could be sent. • Some tools have been developed to provide alternate tracerouting techniques that get probes through firewalls which block UDP and ICMP packets. • Two tools that allow for TCP tracerouting to specific ports are: • tcptraceroute • Cain & Abel
tcptraceroute - Bypass Firewall Filters • tcptraceroute is a traceroute implementation using TCP packets. • As mentioned in the previous slide, many firewalls filter out UDP and ICMP packets. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.
tcptraceroute - • It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host. • If the host is not listening for incoming connections, it will respond with an RST indicating that the port is closed. • If the host instead responds with a SYN|ACK, the port is known to be open, and an RST is sent by the kernel tcptraceroute is running on to tear down the connection without completing the three-way handshake.
tracerouting Countermeasure – IDS and IPS • Depending on your site’s security paradigm, an administrator may be able to configure her/his border routers to limit ICMP and UDP traffic to specific systems, thus minimizing your exposure. • Deploy a Network Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) that will detect this type of network reconnaissance. • One of the best free NIDS programs – Snort, by Marty Roesch – can detect this activity.
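A constructed model of the probing mechanism described on the traceroute slides (added here as an illustration; it is not code from the course, from traceroute or from tcptraceroute, and sends no packets): each hop decrements the TTL, an expired probe draws ICMP TIME_EXCEEDED from that hop, an ACL hop silently drops what it does not allow, and the target answers according to the protocol. The addresses, ports and ACL are assumed values; the model also shows why a UDP/53 probe to a host that really listens on 53 gets no answer back.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed model of the traceroute mechanism (no packets are sent): every hop
# decrements TTL, a hop where TTL reaches zero answers ICMP TIME_EXCEEDED, an ACL
# hop silently drops what it does not allow, and the target answers per protocol.

@dataclass
class Hop:
    addr: str
    allow: Optional[Set[Tuple[str, int]]] = None  # None = plain router; a set = ACL of (proto, port)

@dataclass
class Target:
    addr: str
    open_tcp: Set[int] = field(default_factory=set)
    open_udp: Set[int] = field(default_factory=set)

def send_probe(path, target, proto, dport, ttl):
    """Return (responder address, reply) for one probe, or (None, None) when nothing comes back."""
    for hop in path:
        ttl -= 1
        if ttl == 0:                      # TTL expired at this hop: the hop identifies itself
            return hop.addr, "ICMP TIME_EXCEEDED"
        if hop.allow is not None and (proto, dport) not in hop.allow:
            return None, None             # filtered by the ACL: traceroute prints "* * *"
    if proto == "udp":
        if dport in target.open_udp:      # a listening UDP service consumes the probe silently
            return None, None
        return target.addr, "ICMP PORT_UNREACHABLE"
    if dport in target.open_tcp:          # open port answers SYN|ACK; tcptraceroute's kernel then sends RST
        return target.addr, "TCP SYN|ACK"
    return target.addr, "TCP RST"         # closed port answers RST

def traceroute(path, target, proto, dport, max_ttl=8):
    """Probe with TTL 1, 2, 3, ... and record each hop's responder until the target answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, _ = send_probe(path, target, proto, dport, ttl)
        hops.append(responder or "*")
        if responder == target.addr:
            break
    return hops

# Constructed topology: two routers, then a firewall that only passes TCP/80 and UDP/53.
PATH = [Hop("10.0.0.1"), Hop("10.0.0.2"), Hop("10.0.0.3", allow={("tcp", 80), ("udp", 53)})]
TARGET = Target("10.0.0.10", open_tcp={80}, open_udp={53})
```

With this topology the UDP probe stops showing hops after the firewall, while the TCP/80 probe reaches the target in four hops.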
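The kind of logic a NIDS rule encodes for this reconnaissance, as an added example that is not Snort's rule or output and not part of the course material: ordinary traffic leaves a host with an initial TTL such as 64, 128 or 255, whereas traceroute-style probing deliberately starts at TTL 1 and counts upward, so a run 1, 2, 3, … from one source to one destination is the signal. The log format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall-log sample (not from a real device): time src dst proto dport ttl
SAMPLE_LOG = """\
10:00:01 203.0.113.7 198.51.100.5 UDP 33434 1
10:00:01 203.0.113.7 198.51.100.5 UDP 33435 1
10:00:02 203.0.113.7 198.51.100.5 UDP 33437 2
10:00:03 203.0.113.7 198.51.100.5 UDP 33440 3
10:00:04 203.0.113.7 198.51.100.5 UDP 33443 4
10:00:05 203.0.113.7 198.51.100.5 UDP 33446 5
10:00:09 203.0.113.9 198.51.100.5 TCP 80 1
10:00:10 203.0.113.9 198.51.100.5 TCP 80 2
10:00:11 203.0.113.9 198.51.100.5 TCP 80 3
10:00:12 203.0.113.9 198.51.100.5 TCP 80 4
10:00:20 203.0.113.20 198.51.100.5 TCP 443 64
10:00:21 203.0.113.20 198.51.100.5 TCP 443 64
"""
LINE = re.compile(r"^\S+ (\S+) (\S+) (UDP|TCP|ICMP) (\d+) (\d+)$")

def parse(text):
    """Yield (src, dst, proto, dport, ttl) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            src, dst, proto, dport, ttl = m.groups()
            yield src, dst, proto, int(dport), int(ttl)

def detect_traceroute(text, min_hops=3):
    """Return (src, dst, proto, run_length) for flows whose packets carry TTL 1, 2, ..., k with k >= min_hops.
    Flows are keyed without the port because UDP traceroute increments the destination port per probe."""
    ttls = defaultdict(list)
    for src, dst, proto, _dport, ttl in parse(text):
        ttls[(src, dst, proto)].append(ttl)
    alerts = []
    for key, seen in ttls.items():
        distinct = sorted(set(seen))
        k = 0                                   # length of the run 1, 2, ..., k actually observed
        while k < len(distinct) and distinct[k] == k + 1:
            k += 1
        if k >= min_hops:
            alerts.append((*key, k))
    return sorted(alerts)
```

Both the UDP traceroute and the tcptraceroute-style TCP/80 run are flagged; the ordinary TCP/443 session with TTL 64 is not.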
tracerouting Countermeasure - RotoRouter • Humble from Rhino9 developed a program called RotoRouter. This utility is used to log incoming traceroute requests and generate fake responses.
Intelligence Gathering Techniques (IGT) • IGTs help an attacker to understand the characteristics and potential vulnerabilities of her/his targets. • Through intelligence gathering techniques an attacker can launch a more accurate and efficient attack on her/his targets.
IGT Steps • In the computer hacking world, intelligence gathering can be roughly divided into three major steps: • Footprinting • Scanning • Enumeration
Footprinting • Collect information to make a unique footprint or a profile of an organization’s security posture. • With footprinting, using rather simple tools, we gather information such as: • Administrative, technical, and billing contacts, which include employee names, email addresses, and phone & fax numbers. • IP address range • DNS servers • Mail servers • And we can also identify some of the systems that are directly connected to the Internet.
Scanning • The art of detecting • which systems are alive and reachable via the Internet • what services they offer • using techniques such as ping sweeps, port scans, and operating system identification (OS fingerprinting), is called scanning.
Information Collected by Scanning • The kind of information collected here has to do with the following: • TCP/UDP services running on each system identified. • System architecture (Sparc, Alpha, x86). • Specific IP addresses of systems reachable via the Internet. • Operating system type.
Enumeration • Enumeration is the process of extracting valid accounts or exported resource names from systems. The information is gathered using active connections to systems and queries, which is more intrusive in nature than footprinting and scanning. • The techniques are mostly operating system specific, and can gather information such as: • User & group names. • System banners • Routing tables • SNMP information
Internet Footprinting • The fine art of gathering target information • Domain name • Specific IP addresses of systems reachable via the Internet. • Access control mechanisms and related access control lists. • Intrusion-detection systems (IDSs) • DNS hostnames
Where Can We Find the Information? • Company Web pages. • Related organizations. • Location details. • Phone numbers, contact names, e-mail addresses, and personal details. • Privacy or security policies, and technical details indicating the types of security mechanisms in place. • Archived Information • Search engines and resumes
Company Web Pages • Some organizations will list their security configuration details directly on their Internet web servers. • Try reviewing the HTML source code.
What Info Can We Find in a Web Page Source Code (1)? • Check the comment parts: those parts included between <!-- and -->. • Using Wget (for Unix) and Teleport Pro (for Windows) you can mirror all the web pages on a web server. • Other sites with a non-www prefix name. • Many organizations have sites to handle remote access to internal resources via a web browser: • E.g. Through Microsoft’s Outlook Web Access, a person can access the contents stored in a Microsoft Exchange server, such as e-mails, address books, a calendar, and public folders. A typical URL for this kind of resource is http://owa.company.com or http://outlook.company.com.
What Info Can We Find in a Web Page Source Code (2)? • Sites like http://vpn.company.com or http://www.company.com/vpn will often reveal sites designed to help end users connect to their companies’ VPNs. • You can also find detailed instructions on how to download and configure the VPN client software. • These sites may even include a phone number to call for assistance if someone (usually this person is supposed to be an employee; however, an attacker may also use this channel to connect to the VPN) has trouble connecting to the VPN.
Related Organizations • Other related organizations’ web sites may also leak sensitive information about the target organization.
Phone Numbers, Contact Names, E-mail Addresses, and Personal Details • Contact names and e-mail addresses may reveal an organization’s employee names or account names. • E.g. If an organization has an employee named John Smith, then it is very possible that some of the organization’s hosts have an account named jsmith, johnsmith or smithj, and vice versa. • From an employee’s name, an attacker may find her/his home phone number or home computer, which probably has some sort of remote access to the target organization. • A keystroke logger on an employee’s home machine or laptop may very well give a hacker a free ride to the organization’s inner hosts.
Search Engines and Resumes • A lot of sensitive information can be obtained through a search engine by using appropriate search keywords. • If an organization is posting for a security professional with five or more years’ experience working with CheckPoint firewalls and Snort IDS, then what kind of firewall and IDS do you think they use?
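An added example of the review the slide recommends, turned into a check an organization can run over its own mirrored pages before they go public (it is not code from the course, from Wget or from Teleport Pro): it extracts every <!-- ... --> comment and flags those that mention internal addresses, internal hostnames, credentials or leftover developer notes. The HTML fragment, the hostname suffixes and the keyword list are constructed for the example.

```python
import re

# Constructed HTML fragment standing in for a page mirrored from your own web server
# (not a real site), used to audit comments for details that should not be public.
SAMPLE_HTML = """\
<html><head><title>Intranet portal</title></head>
<body>
<!-- TODO: remove before go-live. Backend is db01.corp.example (10.10.5.21) -->
<!-- Styled by Acme Web Team, 2004 -->
<form action="/login"><!-- test account: svc_portal / CHANGEME --></form>
</body></html>
"""
COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Patterns a reviewer would not want left in a public page (constructed list; extend for your site).
SUSPICIOUS = {
    "ipv4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "hostname": re.compile(r"\b[\w-]+\.(?:corp|internal|local|lan)\b"),
    "credential": re.compile(r"\b(?:password|passwd|account|login)\b", re.IGNORECASE),
    "todo": re.compile(r"\b(?:TODO|FIXME|remove before)\b", re.IGNORECASE),
}

def extract_comments(html):
    """Return the text of every HTML comment, whitespace-trimmed, in page order."""
    return [c.strip() for c in COMMENT.findall(html)]

def audit_comments(html):
    """Return (comment, [matched categories]) for each comment that trips at least one pattern."""
    findings = []
    for comment in extract_comments(html):
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(comment)]
        if hits:
            findings.append((comment, hits))
    return findings
```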
Comparison between Footprinting And Scanning • If footprinting is the equivalent of casing a place for information, then scanning is equivalent to knocking on the walls to find all the doors and windows. • During footprinting, malicious users can obtain • a list of IP network blocks • a list of IP addresses • Scanning wants to determine • what systems are listening for inbound network traffic (a.k.a. alive) • what systems are reachable from the Internet • …
Purposes of Scanning and Corresponding Tools • Determining if the system is alive: • Ping sweeps • ICMP sweeps (ICMP ECHO requests) • Broadcast ICMP • Non-ECHO ICMP • TCP/UDP Sweeps • Determining which services are running or listening: • Port Scanning. • Detecting the Operating System: • Active OS fingerprinting. • Passive OS fingerprinting.
ICMP ECHO Requests • One of the most basic steps in mapping out a network is performing an automated ping sweep on a range of IP addresses and network blocks to determine if individual devices or systems are alive. • One of the ping sweep tools used by malicious users for the above purpose is “ping”. • Ping sends ICMP ECHO request (Type 8) packets to a target system in an attempt to elicit an ICMP ECHO reply (Type 0) indicating the target system is alive.
fping • One of the techniques of performing ping sweeps in the UNIX world. • fping is a ping(1)-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. • fping is different from ping in that you can • specify any number of hosts on the command line or • specify a file containing the list of hosts to ping
fping - Example • Example:
[root]$ cat in.txt
192.168.51.1
192.168.51.2
192.168.51.3
:
192.168.51.253
192.168.51.254
[root]$ fping -a -f in.txt
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
:
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive
fping – Increase Scanning Rate • Instead of trying one host until it times out or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. • If a host replies, it is noted and removed from the list of hosts to check. • If a host does not respond within a certain time limit and/or retry limit, it will be considered unreachable. • Unlike ping, fping is meant to be used in scripts and its output is easy to parse.
SuperScan • For the Windows-inclined.
Other Tools • Ping Sweep • WS_Ping ProPack • NetScan Tools
Broadcast ICMP - Principle • Sending an ICMP ECHO request to the network broadcast address will produce all the information you need for mapping a targeted network in an even simpler way. • The request will be broadcast to all alive hosts on the target network, and they will send an ICMP ECHO reply to the attacker’s source IP after only one or two packets have been sent by him.
Broadcast ICMP – Unix vs. Windows Platforms • Here we can first distinguish between Unix and Windows machines. • While Unix machines often still answer to requests directed to the network address (the answer will be the fully qualified network address) • Windows machines will ignore it.
Using Non-ECHO ICMP Packets for Ping Sweep • Non-ECHO ICMP packets can also be used to perform ping sweeps. • Examples • ICMP type 13 messages (TIMESTAMP) • ICMP type 17 messages (ADDRESS MASK REQUEST)
Functions of Non-ECHO ICMP Packets • ICMP timestamp request and reply allow a system to query another for the current time. • The ICMP address mask request (and reply) is intended for diskless systems to obtain their subnet mask at bootstrap time. • People can use it to request the netmask of a particular device.
Non-ECHO ICMP Ping Sweep Tools • We can use the icmpush and icmpquery tools to perform this kind of scanning. • Many firewalls are configured to block only ICMP ECHO traffic, and in this case non-ECHO requests remain a valid form of host identification.
What Will Happen, If ICMP Is Blocked by Target Site? (1) • It is not uncommon to come across a security-conscious site that has blocked ICMP at the border router or firewall. • Although ICMP may be blocked, some additional tools and techniques can be used to determine if systems are actually alive. However, they are not as accurate or as efficient as a normal ping sweep.
What Will Happen, If ICMP Is Blocked by Target Site? (2) • Typically, pinging heavily utilizes ICMP (Internet Control Message Protocol) packets, even though they are not the only packet types available for network pinging. • Either TCP or UDP provides an alternative approach to performing ping sweeps to find out if a host is alive on the network. • When ICMP traffic is blocked, a TCP/UDP sweep is the first alternative technique to determine live hosts.
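Detection logic for the sweeps described on the ping sweep slides (ICMP ECHO, the non-ECHO types 13 and 17, and TCP/UDP sweeps), as an added example that is not part of the course material and is not any IDS product's rule: one source touching many distinct destinations within a short window is the signal, and non-ECHO ICMP is labelled separately so a filter that only blocks ECHO does not hide a sweep from the detector. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sensor log (not from any real device): epoch_seconds src dst proto detail,
# where detail is the ICMP type, or "SYN:<port>" / "UDP:<port>" for TCP/UDP probes.
SAMPLE = """\
1000 203.0.113.7 198.51.100.1 ICMP 8
1000 203.0.113.7 198.51.100.2 ICMP 8
1001 203.0.113.7 198.51.100.3 ICMP 8
1002 203.0.113.7 198.51.100.4 ICMP 8
1050 203.0.113.8 198.51.100.1 ICMP 13
1050 203.0.113.8 198.51.100.2 ICMP 13
1051 203.0.113.8 198.51.100.3 ICMP 17
1052 203.0.113.8 198.51.100.4 ICMP 17
1100 203.0.113.9 198.51.100.1 TCP SYN:80
1100 203.0.113.9 198.51.100.2 TCP SYN:80
1101 203.0.113.9 198.51.100.3 TCP SYN:80
1101 203.0.113.9 198.51.100.4 TCP SYN:80
1200 203.0.113.10 198.51.100.1 ICMP 8
1300 203.0.113.10 198.51.100.2 ICMP 8
"""
ICMP_KIND = {"8": "icmp-echo", "13": "icmp-timestamp", "17": "icmp-addrmask"}

def classify(proto, detail):
    """Name the probe type; non-ECHO ICMP types keep their own label."""
    if proto == "ICMP":
        return ICMP_KIND.get(detail, "icmp-type-" + detail)
    return proto.lower() + "-probe"

def detect_sweeps(text, window=10, min_hosts=4):
    """Return {src: (distinct hosts, sorted probe kinds)} for every source that touches
    at least min_hosts different destinations inside some window of `window` seconds."""
    events = defaultdict(list)
    for line in text.splitlines():
        t, src, dst, proto, detail = line.split()
        events[src].append((int(t), dst, classify(proto, detail)))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):           # slide a window starting at each event
            inside = [e for e in evs[i:] if e[0] - t0 <= window]
            hosts = {dst for _, dst, _ in inside}
            if len(hosts) >= min_hosts:
                alerts[src] = (len(hosts), sorted({kind for _, _, kind in inside}))
                break
    return alerts
```

The two ECHO probes from 203.0.113.10 are 100 seconds apart and therefore fall below the threshold; the other three sources are reported with the probe kinds they used.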