CIT 380: Securing Computer Systems

Scanning

FTP Bounce Scan

The FTP protocol supports proxy FTP (the PORT command of RFC 959)

  • The client asks the server to open its data connection to a third-party IP address and port, then issues a command that needs that connection (e.g. LIST).
  • If the server can open the connection (150/226 reply), the port is open; if it cannot (425 "Can't build data connection"), the port is closed.

Advantages:

  • Hides the identity of the scanning host: the target only ever sees the FTP server's address.
  • Bypasses firewalls by bouncing off an FTP server that sits behind the firewall (or is otherwise trusted by the target).

Disadvantages:

  • Most FTP servers no longer allow PORT to an address other than the client's own.
  • FTP servers built into printers and other embedded devices often still do.
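
The exchange above, as an added example that is not part of the slides and not nmap's own code (nmap's -b option does the same thing). The relay is a constructed stand-in for a bounceable FTP server that runs in-process so the scan works offline; the hostnames, credentials and reply texts are assumptions, and a real scan would point bounce_scan() at a real server.

```python
"""FTP bounce scan: get a proxy-capable FTP server to open its data connection
to a third-party host and read the reply code to learn whether that port is open.
Added example; the relay below is a constructed stand-in, not a real FTP daemon."""
import socket
import threading


def port_argument(ip, port):
    """Encode ip:port as the h1,h2,h3,h4,p1,p2 argument of the FTP PORT command."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def read_reply(f):
    """Read one FTP reply (single- or multi-line) and return its 3-digit code."""
    line = f.readline().decode()
    code = line[:3]
    if line[3:4] == "-":                           # "ddd-" opens a multi-line reply, "ddd " ends it
        while line and not (line.startswith(code) and line[3:4] == " "):
            line = f.readline().decode()
    return int(code) if code.isdigit() else 0


def bounce_scan(relay, target_ip, ports, user="anonymous", password="guest@example.com"):
    """Return {port: 'open' | 'closed' | 'refused'} for target_ip as seen from the relay.
    'refused' means the server rejected a third-party PORT, i.e. it is not bounceable."""
    s = socket.create_connection(relay, timeout=5)
    f = s.makefile("rb")

    def cmd(text):
        s.sendall((text + "\r\n").encode())
        return read_reply(f)

    read_reply(f)                                  # 220 greeting
    cmd("USER " + user)                            # 331
    cmd("PASS " + password)                        # 230
    result = {}
    for port in ports:
        if cmd("PORT " + port_argument(target_ip, port)) != 200:
            result[port] = "refused"
            continue
        # LIST makes the server connect to the address just given:
        # 150 followed by 226 means it got through, 425 means it could not.
        code = cmd("LIST")
        if code == 150:
            code = read_reply(f)
        result[port] = "open" if code == 226 else "closed"
    cmd("QUIT")
    s.close()
    return result


def _fake_relay(listener):
    """Constructed bounceable FTP server: one client, only the verbs the scan needs."""
    conn, _ = listener.accept()
    f = conn.makefile("rb")
    conn.sendall(b"220 fake ftp ready\r\n")
    data_addr = None
    while True:
        line = f.readline().decode().strip()
        if not line:
            break
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            conn.sendall(b"331 password please\r\n")
        elif verb == "PASS":
            conn.sendall(b"230 logged in\r\n")
        elif verb == "PORT":                       # accepts any address: this is the bounce bug
            h = arg.split(",")
            data_addr = (".".join(h[:4]), int(h[4]) * 256 + int(h[5]))
            conn.sendall(b"200 PORT command successful\r\n")
        elif verb == "LIST":
            try:
                socket.create_connection(data_addr, timeout=1).close()
                conn.sendall(b"150 Opening data connection\r\n226 Transfer complete\r\n")
            except OSError:
                conn.sendall(b"425 Can't build data connection: Connection refused\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 Goodbye\r\n")
            break
    conn.close()


def _tcp_listener():
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock


def demo():
    """Bounce a scan of one open and one closed local port off the in-process relay."""
    relay, victim = _tcp_listener(), _tcp_listener()
    open_port = victim.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                  # nothing listens here any more
    threading.Thread(target=_fake_relay, args=(relay,), daemon=True).start()
    result = bounce_scan(relay.getsockname(), "127.0.0.1", [open_port, closed_port])
    victim.close()
    relay.close()
    return result[open_port], result[closed_port]
```

A modern server answers the third-party PORT with a 500-series reply instead of 200, which bounce_scan() reports as "refused"; that single check is also the quickest way to audit whether one of your own FTP servers (printers included) can be used as a relay.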

Idle Scan

Use an intermediate idle host (a "zombie") to do the scan.

  • Idle host must use a single, globally incrementing IP ID counter: +1 for every packet it sends.
  • Idle host must not send or receive traffic from anyone other than the attacker while the scan runs, or the counter is unreadable.

Scan Process

  • Attacker sends a SYN to the idle host; the SYN+ACK it gets back carries the idle host's current IP ID X.
  • Attacker sends a SYN packet to port Y of the target with the spoofed source IP of the idle host.
  • If port Y is open, the target sends SYN+ACK to the idle host; the idle host did not ask for it and answers with a RST, consuming IP ID X+1.
  • If port Y is closed (or filtered), the target sends a RST (or nothing) to the idle host, which ignores it, so no IP ID is consumed.
  • Attacker sends another SYN to the idle host to obtain the updated IP ID.
    • The idle host's SYN+ACK reply to this probe itself consumes one IP ID.
    • If the IP ID is X+2, port Y on the target is open; if it is X+1, port Y is closed or filtered.

Advantages: hides the attacker's IP address from the target (the target only sees the idle host), and shows which ports are reachable from the idle host's position in the network.
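
The IP ID arithmetic above, traced in an added simulation that is not part of the slides and not nmap's -sI implementation. The Host model is constructed (one global IP ID counter, +1 per packet sent, standard TCP replies: SYN to an open port draws SYN/ACK, to a closed port RST, an unexpected SYN/ACK draws RST, an unexpected RST draws nothing); the addresses and port numbers are illustrative.

```python
"""Idle scan simulation: three stacks modelled in-process so the IP ID
arithmetic can be followed offline. Added example; the Host model is a
constructed approximation of a real TCP/IP stack, not nmap code."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str
    ipid: int = 0


@dataclass
class Host:
    ip: str
    open_ports: set = field(default_factory=set)
    filtered_ports: set = field(default_factory=set)   # a firewall drops SYNs to these silently
    ipid: int = 1000

    def send(self, dst, dport, flags):
        self.ipid += 1                                   # the counter the idle scan measures
        return Packet(self.ip, dst, dport, flags, self.ipid)

    def receive(self, pkt):
        """The reply this stack emits for an incoming packet, or None."""
        if pkt.flags == "SYN":
            if pkt.dport in self.filtered_ports:
                return None
            return self.send(pkt.src, 0, "SYN/ACK" if pkt.dport in self.open_ports else "RST")
        if pkt.flags == "SYN/ACK":
            return self.send(pkt.src, 0, "RST")          # nobody asked for this: reset it
        return None                                      # a stray RST is dropped without reply


def probe_ipid(attacker, zombie, zombie_port=80):
    """Slide steps 1 and 5: SYN to an open port on the idle host; the SYN/ACK carries its IP ID."""
    return zombie.receive(attacker.send(zombie.ip, zombie_port, "SYN")).ipid


def idle_scan(attacker, zombie, target, port, noise=0):
    """Infer the state of target:port from the idle host's IP ID alone.
    `noise` is how many packets some third party sends the idle host meanwhile."""
    before = probe_ipid(attacker, zombie)
    spoofed = Packet(src=zombie.ip, dst=target.ip, dport=port, flags="SYN")   # forged source address
    reply = target.receive(spoofed)
    if reply is not None:                 # the reply goes to the idle host, not to the attacker
        zombie.receive(reply)             # SYN/ACK -> idle host sends RST (IP ID +1); RST -> ignored
    for _ in range(noise):
        zombie.receive(Packet("198.51.100.9", zombie.ip, 80, "SYN"))
    delta = probe_ipid(attacker, zombie) - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return f"unknown (idle host not idle: IP ID advanced by {delta})"


def demo():
    """Constructed hosts: target has 22 and 80 open, 25 firewalled, everything else closed."""
    target = Host("192.0.2.10", open_ports={22, 80}, filtered_ports={25})
    zombie = Host("192.0.2.50", open_ports={80})
    attacker = Host("203.0.113.7")
    verdicts = {port: idle_scan(attacker, zombie, target, port) for port in (22, 25, 443)}
    verdicts["22 with a busy idle host"] = idle_scan(attacker, zombie, target, 22, noise=3)
    return verdicts


if __name__ == "__main__":
    for port, state in demo().items():
        print(port, state)
```

Two things the simulation makes visible that the slide only implies: a filtered port is indistinguishable from a closed one (both leave the counter untouched), and any other traffic at the idle host during the scan pushes the delta above 2, which is why nmap probes a candidate zombie several times first and discards hosts whose IP ID moves on its own.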

UDP Scans

Send an empty (0-byte) UDP datagram to each UDP port (nmap -sU).

UDP packet returned

    • Port is open (something answered, whatever it was).

ICMP port unreachable (type 3, code 3)

    • Port is closed.
    • Other ICMP unreachable errors (e.g. administratively prohibited) mean a firewall is in the way: filtered.

Nothing

    • Port listed as open|filtered.
    • Could be that the probe or the reply was lost, or silently dropped by a firewall.
    • Could be that the service only replies to valid protocol input (DNS, SNMP, ...), so an empty datagram gets no answer; version detection (-sV) resolves many of these by sending protocol-specific probes.

Disadvantages:

  • Most stacks rate-limit ICMP errors to a few packets per second (RFC 1812 recommends it; Linux defaults to about one per second), so a UDP scan of all 65535 ports on a mostly-closed host takes hours.
  • MS Windows doesn't implement ICMP rate limiting, so UDP scans of Windows hosts are much faster.
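
The three verdicts above, implemented in an added example that is not part of the slides and not nmap's code. The "picky" service is a constructed in-process stand-in that, like DNS or SNMP, only answers well-formed input; the 'closed' verdict relies on the operating system turning the ICMP port-unreachable into ECONNREFUSED on a connected UDP socket, which Linux, the BSDs and macOS all do. Timeouts and the PING/PONG payloads are assumptions.

```python
"""UDP port scanning with the three outcomes from the slide: a UDP reply
(open), an ICMP port-unreachable (closed) and silence (open|filtered).
Added example; the picky service is a constructed stand-in, not a real daemon."""
import socket
import threading


def udp_probe(host, port, payload=b"", timeout=0.5, retries=2):
    """Classify host:port as 'open', 'closed' or 'open|filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # connected socket: ICMP errors for it are reported to us
        for _ in range(retries):         # retransmit, so one lost datagram does not look like silence
            try:
                s.send(payload)
                s.recv(4096)
                return "open"            # any UDP reply means something answered
            except ConnectionRefusedError:
                return "closed"          # ICMP type 3 code 3 (port unreachable) came back
            except socket.timeout:
                continue
        return "open|filtered"           # no reply: dropped, lost, or the service wants valid input
    finally:
        s.close()


def _picky_service(sock):
    """Constructed UDP service that only answers a well-formed request, like DNS or SNMP would."""
    sock.settimeout(5)
    while True:
        try:
            data, peer = sock.recvfrom(512)
        except OSError:                   # timeout, or the socket was closed by demo()
            return
        if data == b"PING":
            sock.sendto(b"PONG", peer)


def demo():
    """Probe a live-but-picky service with and without valid input, and a closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    live_port = srv.getsockname()[1]
    threading.Thread(target=_picky_service, args=(srv,), daemon=True).start()
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # nobody listens here any more
    verdicts = {
        "empty probe, live service": udp_probe("127.0.0.1", live_port),
        "valid probe, live service": udp_probe("127.0.0.1", live_port, b"PING"),
        "empty probe, closed port": udp_probe("127.0.0.1", closed_port),
    }
    srv.close()
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The first two verdicts are the point of the slide's "Nothing" case: the very same live port is open|filtered to an empty probe and open to a protocol-correct one, so an all-ports UDP sweep with empty datagrams systematically under-reports real services.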

Version Scanning
  • Port scanning only reveals which ports are open.
    • Guessing the service from the well-known port number can be wrong: anything can listen on port 80.
  • How can we do better?
    • Find out what server is really listening: vendor and version.
    • telnet/netcat to the port and read the banner.
    • Version scanning (nmap -sV) automates this.

Banner Checking

> nc www.nku.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sun, 07 Oct 2007 19:27:08 GMT
Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /<P>
</BODY></HTML>

The request is rejected because HTTP/1.1 requires a Host header, but even the error reply leaks the exact httpd, module, PHP and OpenSSL versions in the Server line.

Version Scanning
  • If the port is TCP, open a connection.
  • Wait a few seconds for the service to identify itself with a banner (the "NULL probe": send nothing, just listen).
  • If there is no banner, or the port is UDP:
    • Send a probe string chosen for the service usually found on that port.
    • Match the response against a database of known signatures (nmap-service-probes).
  • If nothing matches, try every probe string in the list in turn.
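
The banner check on the previous slide and the procedure above, in an added example that is not part of the slides and not nmap's code. PROBES and SIGNATURES are a tiny illustrative subset of what nmap-service-probes holds, and the two services are constructed in-process stand-ins (one speaks first like sshd, one stays silent until it receives a request like httpd) so the scan runs offline; the timeout and the banner texts are assumptions.

```python
"""Service version detection as the slide describes (and as nmap -sV does):
connect, wait for a banner (the NULL probe), otherwise send protocol probes
and match each reply against a signature list. Added example; the probe and
signature tables are illustrative and the services are constructed stand-ins."""
import re
import socket
import threading

PROBES = [                           # (name, bytes to send; empty means just listen)
    ("NULL", b""),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n"),
]
SIGNATURES = [                       # (probe, regex over the reply, service, version template)
    ("NULL", re.compile(rb"^SSH-(\d[\d.]*)-OpenSSH_([\w.]+)"), "ssh", "OpenSSH {1} (protocol {0})"),
    ("GetRequest", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/([\d.]+)", re.S),
     "http", "Apache httpd {0}"),
]


def version_scan(host, port, timeout=0.5):
    """Return (service, version) for host:port, or ('unknown', None)."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        for name, payload in PROBES:
            if payload:
                s.sendall(payload)
            try:
                reply = s.recv(4096)
            except socket.timeout:
                continue             # nothing said: try the next probe on the same connection
            if not reply:
                break                # peer hung up
            for probe, rx, service, template in SIGNATURES:
                m = rx.search(reply) if probe == name else None
                if m:
                    return service, template.format(*(g.decode() for g in m.groups()))
        return "unknown", None
    finally:
        s.close()


def _fake_ssh(conn):
    """Constructed sshd stand-in: speaks first, so the NULL probe is enough."""
    conn.sendall(b"SSH-1.99-OpenSSH_3.7.1p2\r\n")


def _fake_http(conn):
    """Constructed httpd stand-in: silent until it gets a request, then leaks its Server header."""
    conn.settimeout(2)
    try:
        request = conn.recv(1024)
    except socket.timeout:
        return
    if request.startswith(b"GET"):
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nServer: Apache/1.3.34 (Unix)\r\n"
                     b"Connection: close\r\n\r\n")


def _serve_once(listener, handler):
    conn, _ = listener.accept()
    try:
        handler(conn)
    finally:
        conn.close()


def demo():
    """Version-scan both constructed services on ephemeral localhost ports."""
    results = {}
    for label, handler in (("ssh", _fake_ssh), ("http", _fake_http)):
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        threading.Thread(target=_serve_once, args=(listener, handler), daemon=True).start()
        results[label] = version_scan("127.0.0.1", listener.getsockname()[1])
        listener.close()
    return results


if __name__ == "__main__":
    for label, (service, version) in demo().items():
        print(f"{label}: {service} {version}")
```

The order matters: the NULL probe goes first because many services volunteer a banner and any payload sent to them could be logged or break the session, and a probe that draws a reply nothing matches is not an error, it just moves the scanner on to the next probe in the list.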

nmap version scan

> nmap -sV at204m02
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 3.7.1p2 (protocol 1.99)
80/tcp    open  http     Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
111/tcp   open  rpcbind  2-4 (rpc #100000)
443/tcp   open  ssl/http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
515/tcp   open  printer?
2049/tcp  open  nfs      2-3 (rpc #100003)
4045/tcp  open  nlockmgr 1-4 (rpc #100021)
5432/tcp  open  postgres?
5901/tcp  open  vnc      VNC (protocol 3.3)
6000/tcp  open  X11?
32775/tcp open  status   1 (rpc #100024)

More nmap Tools

Set source port (-g / --source-port)

  • Bypass a stateless packet filter that lets traffic through based on a trusted source port.
  • Use source port 80 for TCP scans (looks like web replies) and port 53 for UDP scans (looks like DNS).
  • Does not help against a stateful firewall, which tracks connections instead of trusting port numbers.

Decoys (-D decoy1,decoy2,ME,...)

  • Send additional copies of every probe with the spoofed IP addresses of the decoy hosts.
  • The target sees the same scan arriving from each decoy as well as from the attacker.
  • Defender has to investigate all the decoys plus the attacker to find the real source.
  • Decoys should be hosts that are actually up, or the target may be SYN flooded by the unanswered handshakes.

Defenses

Prevention

  • Disable unnecessary services, so there is nothing to find.
  • Block ports at the firewall; expose only what has to be reachable.
  • Use a stateful firewall instead of a stateless packet filter, which also defeats source-port tricks.

Detection

  • Network Intrusion Detection Systems.
  • Port scans often have distinct signatures: one source touching many ports or many hosts in a short window, or unusual flag combinations.
  • An IPS can react to a scan by blocking the source IP address; be aware that decoy and spoofed scans can trick an automatic blocker into blocking innocent addresses.
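
The "many ports in a short window" signature above, run over sample log lines in an added example that is not part of the slides and not any NIDS's code. The log lines are constructed in an iptables-like format with epoch-second timestamps (not real traffic), and the threshold and window values are illustrative.

```python
"""Port-scan detection over firewall log lines: alert on any source that
touches at least `threshold` distinct (destination, port) pairs within a
`window`-second span. Added example; SAMPLE_LOG is constructed, not captured."""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(
    r"^(?P<ts>\d+) .*\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) .*\bPROTO=(?P<proto>\S+) .*\bDPT=(?P<dpt>\d+)"
)


def parse(line):
    """Pull timestamp, source, destination, protocol and destination port out of one line."""
    m = LOG_RE.match(line)
    if not m:
        return None                                   # not a firewall event: ignore it
    return {"ts": int(m["ts"]), "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scans(lines, threshold=10, window=5):
    """Return {src: ts} for every source that crossed the threshold, with the
    timestamp at which it first did so. Lines must be in time order."""
    recent = defaultdict(deque)                       # src -> (ts, dst, dpt) events, oldest first
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dpt"]))
        while q[0][0] < ev["ts"] - window:            # expire events that fell out of the window
            q.popleft()
        touched = {(dst, dpt) for _, dst, dpt in q}   # distinct targets, not raw packet count
        if len(touched) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


def _line(ts, src, dst, dpt):
    return (f"{ts} kernel: [FW-DROP] IN=eth0 OUT= SRC={src} DST={dst} LEN=44 "
            f"PROTO=TCP SPT=54321 DPT={dpt} WINDOW=1024 SYN")


# Constructed log: a normal web client, a fast scanner, a slow scanner pacing
# itself at one port every 3 seconds, and an unrelated sshd line.
_PORTS = [21, 22, 23, 25, 80, 110, 111, 135, 139, 143, 443, 445, 3306, 5432]
SAMPLE_LOG = sorted(
    [_line(1000 + i, "198.51.100.5", "192.0.2.10", p) for i, p in enumerate([80, 443, 80, 80, 443, 80])]
    + [_line(1100 + i // 4, "203.0.113.7", "192.0.2.10", p) for i, p in enumerate(_PORTS)]
    + [_line(1000 + 3 * i, "203.0.113.8", "192.0.2.10", p) for i, p in enumerate(_PORTS[:12])]
    + ["1050 sshd[412]: Accepted publickey for ops from 198.51.100.5 port 52110"],
    key=lambda entry: int(entry.split()[0]),
)


if __name__ == "__main__":
    for src, ts in detect_scans(SAMPLE_LOG).items():
        print(f"scan from {src} detected at t={ts}")
```

Counting distinct (destination, port) pairs catches both a vertical scan of one host and a horizontal sweep of one port across many hosts, but the slow scanner in the sample never trips the window: a 5-second window with threshold 10 is blind to anything paced slower than two ports a second, and lengthening the window to catch it raises the false-positive rate on busy clients. Auto-blocking on these alerts has the decoy problem from the slide: every spoofed decoy address crosses the threshold too.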

OS Fingerprinting

Identify the OS by the specific behaviour of its TCP/IP network stack implementation.

  • Find TCP/IP behaviours that differ between OSes (and between versions of the same OS).
  • Build a database of OS TCP/IP fingerprints.
  • Send a set of specially tailored packets to the host, to both open and closed ports.
  • Match the responses to the closest fingerprint in the database to identify the operating system type and version.

nmap OS fingerprint examples

> nmap -O at204m02
...
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8
Uptime 10.035 days (since Sat Mar 27 08:59:38 2004)

> nmap -O 10.17.0.1
Device type: router
Running: Bay Networks embedded
OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9

OS Fingerprinting Techniques

FIN probe

  • Send a bare FIN to an open port; RFC 793 requires no response.
  • MS Windows, BSDI and Cisco IOS send a RST anyway.

Bogus flag probe

  • Send a SYN with an undefined TCP flag bit set (bit 7 of the flags byte, unused at the time; the high bits have since been assigned to ECN).
  • Linux < 2.0.35 keeps the bogus flag set in its SYN+ACK response; other stacks clear it, and some reset the connection.

TCP ISN sampling

  • Different OSes use different algorithms to pick TCP initial sequence numbers (constant increments, time-based, pseudo-random); sampling several ISNs in a row classifies the generator.

IP Identification

  • Different algorithms for incrementing the IP ID field (sequential, random, always zero).

Passive Fingerprinting
  • Identify the OSes of hosts on the network by sniffing the packets each host sends on its own: no probes, so nothing for the target to detect.
  • Uses characteristics similar to the active technique, read from the initial SYN:
    • TTL (rounded up to the nearest initial value, typically 64, 128 or 255; the difference is the hop count)
    • MSS
    • Initial Window Size
    • Don't Fragment bit
  • Tools: p0f
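
Fingerprint matching for both the active (nmap -O) and the passive (p0f) slides, in an added example that is not part of the slides and not nmap's or p0f's code. SIGNATURES holds constructed, illustrative values only (a real database has thousands of entries and many more features), and the two observations at the bottom are made up; the scoring rule is an assumption, not either tool's algorithm.

```python
"""OS fingerprint matching: score observed TCP/IP stack features against a
signature table and report the best match plus the estimated hop distance.
Added example; the signature table and observations are constructed."""

SIGNATURES = {
    #                initial TTL   window        DF           MSS          RST to bare FIN on open port?
    "Linux 2.6":    {"ittl": 64,  "win": 5840,  "df": True,  "mss": 1460, "fin_rst": False},
    "Windows XP":   {"ittl": 128, "win": 65535, "df": True,  "mss": 1460, "fin_rst": True},
    "Solaris 8":    {"ittl": 255, "win": 24820, "df": True,  "mss": 1460, "fin_rst": False},
    "Cisco IOS":    {"ittl": 255, "win": 4128,  "df": False, "mss": 536,  "fin_rst": True},
}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value (32, 64, 128, 255).
    The sniffed TTL itself is never matched: it has been decremented once per hop."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def score(observed, signature):
    """Fraction of the features present in `observed` that agree with `signature`.
    Passive captures lack probe-derived features (fin_rst); those are simply not scored."""
    checks = hits = 0
    for key, wanted in signature.items():
        got = initial_ttl(observed["ttl"]) if key == "ittl" and "ttl" in observed else observed.get(key)
        if got is None:
            continue
        checks += 1
        hits += int(got == wanted)
    return hits / checks if checks else 0.0


def fingerprint(observed):
    """Return (best OS name, score in 0..1, estimated hops) for an observed feature dict.
    `observed` keys: ttl, win, df, mss, plus fin_rst when an active FIN probe was sent."""
    ranked = sorted(((score(observed, sig), name) for name, sig in SIGNATURES.items()), reverse=True)
    best_score, best = ranked[0]
    hops = initial_ttl(observed["ttl"]) - observed["ttl"] if "ttl" in observed else None
    return best, best_score, hops


# Constructed observations: a sniffed SYN (passive) and the replies to an active probe set.
PASSIVE_SYN = {"ttl": 52, "win": 5840, "df": True, "mss": 1460}
ACTIVE_PROBES = {"ttl": 116, "win": 65535, "df": True, "mss": 1460, "fin_rst": True}


if __name__ == "__main__":
    print("passive:", fingerprint(PASSIVE_SYN))
    print("active: ", fingerprint(ACTIVE_PROBES))
```

Returning a score rather than a bare name is what makes the result usable: a host behind a stack patch such as IP Personality, or one with tuned window and MSS values, will match nothing perfectly, and a best score well below 1.0 is the signal to treat the guess as a guess.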

Fingerprinting Defenses
  • Detection
    • NIDS: the odd flag combinations in fingerprint probes (bare FIN, bogus flags) are easy to write signatures for.
  • Blocking
    • Firewalling: drop probes to closed ports and malformed flag combinations.
    • Some probes can't be blocked, because they are ordinary SYNs to ports that have to be open.
  • Deception
    • IP Personality changes the Linux TCP/IP stack signature to that of another OS in the nmap database.

OS Mapping
  • www.netcraft.com reports the web server software and operating system it has observed for a hostname, so an attacker learns the OS without sending a single packet to the target.

References
  • William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003.
  • Fyodor, "The Art of Port Scanning," http://www.insecure.org/nmap/nmap_doc.html
  • Fyodor, nmap man page, http://www.insecure.org/nmap/data/nmap_manpage.html
  • Fyodor, "Remote OS detection via TCP/IP Stack FingerPrinting," Phrack 54, http://www.insecure.org/nmap/nmap-fingerprinting-article.html
  • Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O'Reilly & Associates, 2003.
  • Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004.
  • Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5th edition, McGraw-Hill, 2005.
  • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
