Scanning - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Scanning' - marci


Presentation Transcript

Scanning

BAI514 – Security I

Scanning
  • The goal of scanning is to discover open ports and find applications vulnerable to hacking
Scanning
  • The Information Gathering Process
    • 1 – Gathering information
    • 2 – Locating the network range
    • 3 – Identifying active machines
    • 4 – Finding open ports and applications
    • 5 – Detecting operating systems
    • 6 – Fingerprinting services
    • 7 – Mapping the network
  • Scanning comprises the last five steps
Identifying Active Machines
  • Primary reasons
    • Fill in details of the target network map
    • Identify perimeter and outer boundary of target network
    • Create an inventory of accessible systems in the target network
Identifying Active Machines
  • Ping
    • Useful ICMP utility
      • Measures speed at which packets traverse network
      • Can provide other details of target
        • TTL
        • Sequence number
        • Other?
Identifying Active Machines
  • Ping (cont.)
    • Ping nnn.nnn.nnn.nnn
    • Options
      • -t Ping host until stopped
      • -a Resolve address to hostname
      • -n n Number of requests to send
      • -l n Send buffer size
      • -i n TTL
      • -v n TOS
      • -r n Record route for n hops
      • -s n Timestamp for n hops
      • -j list Loose source route along host-list
      • -k list Strict source route along host-list
      • -w n Timeout in ms to wait for each reply
Identifying Active Machines
  • Ping Sweeps
    • Automatically pinging a range of IP addresses
      • Script
      • Batch file
      • Utility
    • Ping Tools
      • WS_PingProPack – www.ipswitch.com
      • NetScan Tools – www.nwpsw.com
      • Hping – www.hping.org/download.html
      • Icmpenum – www.nmrc.org
Identifying Active Machines
  • Ping Sweeps (cont.)
    • Ping Sweep Detection Tools
      • Network-based IDS – www.snort.org
      • Genius – www.indiesoft.com
      • Scanlogd – www.openwall.com/scanlogd
Identifying Open Ports and Available Services
  • Next step after finding active hosts is to locate any open ports and services on the hosts
  • Techniques include
    • Port scanning
    • Banner grabbing
    • War dialing
    • War walking/driving
Identifying Open Ports and Available Services
  • Reasons for identifying listening services on the target
    • Determine live hosts if ICMP is blocked
    • Identify potential ports for creating attack vectors
    • Obtain OS information
    • Identify specific applications
Identifying Open Ports and Available Services
  • Port Scanning
    • The process of connecting to, or attempting to connect to, TCP or UDP ports for the purpose of finding what services and applications are running on the target system.
      • Email
      • http
      • TCP 53
      • UDP 161
      • UDP/TCP 4
Identifying Open Ports and Available Services
  • Types of information gathered from scanning
    • Details of target DNS
    • Available services
    • Types and versions of operating systems
Identifying Open Ports and Available Services
  • Ports have three states
    • Open – accepting communications
    • Closed – not accepting connectivity
    • Filtered – has some type of network device (e.g. Firewall) preventing the port from being probed
  • Nmap can be used to determine the state of a port
Identifying Open Ports and Available Services
  • TCP/UDP scanning types
    • Some are simple and easy to detect
    • Some are complicated and difficult to detect
    • Most intended to be stealthy
    • TCP provides connection based communication
    • UDP provides best effort communication
Identifying Open Ports and Available Services
  • Manipulation of TCP’s three-way handshake is the basis for most TCP-based scanning.
  • TCP-based scanning techniques
    • TCP connect() scanning
      • Full connection attempted
      • Easiest to detect
Identifying Open Ports and Available Services
  • TCP-based scanning techniques (cont.)
    • TCP SYN (half open) scanning
      • Full connection never opened
        • Scanning machine sends a SYN packet
        • If a SYN/ACK is received, the port is listening
        • The scanner breaks the connection by sending a RST packet
        • If a RST is received, the port is closed
Identifying Open Ports and Available Services
  • TCP-based scanning techniques (cont.)
    • TCP SYN/ACK scanning
      • Scanner sends a SYN/ACK
      • If the port is closed, a RST will be sent
      • If the port is open, the packet will be ignored and dropped by the port
Identifying Open Ports and Available Services
  • TCP-based scanning techniques (cont.)
    • TCP FIN scanning
      • Scanner sends a FIN packet
      • If the port is closed, it replies with a RST
      • If the port is open, it ignores the FIN
      • NOTE: Windows will send a RST regardless of the state of the port
Identifying Open Ports and Available Services
  • TCP-based scanning techniques (cont.)
    • TCP FTP
      • Very stealthy
      • Scanner connects to an FTP server and requests that the server initiate a data transfer process to a third system
      • Scanner uses the PORT FTP command to declare the data transfer process is listening on the target box at a certain port number
      • Scanner then uses the LIST FTP command to try to list the current directory.
        • The result is sent over the server data transfer process channel.
        • If the transfer is successful, the target host is listening on the specified port.
        • If the transfer is unsuccessful, the port is not listening.
Identifying Open Ports and Available Services
  • TCP-based scanning techniques (cont.)
    • RPC scan
      • A remote procedure call (RPC) is used to identify RPC applications
    • IDLE scan
      • Considered the only totally stealthy scan
      • Scans a remote system, but the results are sent to a third system
      • All scans will appear to come from the third system
Identifying Open Ports and Available Services
  • TCP-based scanning techniques (cont.)
    • XMAS Tree scan
      • Scanner sends a TCP packet with the URG, PSH, and FIN flags set
      • Different OSes will react differently to this
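The ping sweep detection tools and the TCP scanning techniques above all rest on the same observation: a sweeper touches many hosts with ICMP, a SYN scanner touches many ports with bare SYNs, and FIN or XMAS segments never begin a real handshake. The following is an added example, not from the slides or from any of the tools named: a small detector in the spirit of Scanlogd, run over constructed tcpdump-like summary lines (the line format, addresses and thresholds are assumptions for the example).

```python
import re
from collections import defaultdict

# Constructed packet-summary lines in a tcpdump-like shape (not a real capture):
# "<time> ICMP <src> > <dst> echo-request" or "<time> TCP <src> > <dst>:<port> flags <F>"
SAMPLE_LOG = """\
10:00:01 ICMP 10.0.0.9 > 10.0.1.1 echo-request
10:00:01 ICMP 10.0.0.9 > 10.0.1.2 echo-request
10:00:01 ICMP 10.0.0.9 > 10.0.1.3 echo-request
10:00:01 ICMP 10.0.0.9 > 10.0.1.4 echo-request
10:00:02 TCP 10.0.0.7 > 10.0.1.5:21 flags S
10:00:02 TCP 10.0.0.7 > 10.0.1.5:23 flags S
10:00:02 TCP 10.0.0.7 > 10.0.1.5:25 flags S
10:00:02 TCP 10.0.0.7 > 10.0.1.5:80 flags S
10:00:02 TCP 10.0.0.7 > 10.0.1.5:443 flags S
10:00:03 TCP 10.0.0.8 > 10.0.1.5:22 flags FPU
10:00:03 TCP 10.0.0.8 > 10.0.1.5:139 flags F
10:00:04 TCP 10.0.2.3 > 10.0.1.5:80 flags S
10:00:04 TCP 10.0.2.3 > 10.0.1.5:80 flags A
"""

LINE_RE = re.compile(
    r"^\S+ (ICMP|TCP) (\S+) > ([\d.]+)(?::(\d+))?(?: flags (\S+)| echo-request)$")

# A bare FIN or a URG+PSH+FIN ("XMAS") segment never starts a handshake, so each is a probe.
ODD_FLAGS = {"F": "FIN", "FPU": "XMAS"}

def analyze(log, port_threshold=5, host_threshold=4):
    """Classify sources as ping sweepers, SYN scanners, or odd-flag probers."""
    pinged = defaultdict(set)       # src -> distinct hosts sent an echo-request
    syn_targets = defaultdict(set)  # src -> distinct (dst, port) hit with a bare SYN
    probes = []                     # (src, probe type, dst, port)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore lines that are not in the expected shape
        proto, src, dst, dport, flags = m.groups()
        if proto == "ICMP":
            pinged[src].add(dst)
        elif flags == "S":
            syn_targets[src].add((dst, int(dport)))
        elif flags in ODD_FLAGS:
            probes.append((src, ODD_FLAGS[flags], dst, int(dport)))
    # A normal client touches one or two ports on a host; a scanner touches many.
    return {
        "ping_sweep": sorted(s for s, h in pinged.items() if len(h) >= host_threshold),
        "syn_scan": sorted(s for s, t in syn_targets.items() if len(t) >= port_threshold),
        "flag_probes": probes,
    }
```

The legitimate client 10.0.2.3, which completes its handshake on one port, is not flagged; tune the thresholds to the network's normal traffic before relying on them.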
Identifying Open Ports and Available Services
  • Determining the operating system
    • Helps to determine which attack to use
    • Can be easily found sometimes
      • Telnet banner
      • FTP banner
    • TCP Stack fingerprinting / Passive OS fingerprinting
      • Different OS and device vendors implement TCP/IP slightly differently. These differences can be used to determine the OS
      • TCP Initial sequence number sampling
        • The pattern for sequence numbers can give away the OS
Identifying Open Ports and Available Services
  • Scanning Tools
    • Can be used by hackers and administrators alike
    • Hping
      • Can send packets with non-traditional IP stack parameters
    • Legion
      • Scans for shared folders
    • Nessus
      • Free security auditing tool
    • Nmap
      • Very common, very good port scanner
Identifying Open Ports and Available Services
  • Scanning Tools (cont.)
    • Security Administrator’s Integrated Network Tool (SAINT)
      • Examines network services (ex. Finger, NFS, FTP, TFTP, statd, etc.)
    • System Administrator Tool for Analyzing Networks (SATAN)
      • Scans for well-known vulnerabilities
    • Tcpview
      • Displays what applications are using what ports
Identifying Open Ports and Available Services
  • Scanning Tools (cont.)
    • Snort
      • Very powerful Intrusion Detection System (IDS)
      • Can be used as a sniffer
    • SuperScan
      • TCP/UDP port scanner
      • Newer version can perform enumeration
    • THC-Amap
      • TCP/UDP scanner
      • Can find services on ports that have been redirected
Identifying Open Ports and Available Services
  • Vulnerable Ports
    • 65,535 TCP and UDP ports
    • Most common include
      • 21 - ftp
      • 23 - telnet
      • 25, 109, 110, 143 - smtp, pop3, imap
      • 53 - dns
      • 80, 8080 – http
      • 161 – snmp
      • 5631 - PCAnywhere
Identifying Open Ports and Available Services
  • Port Scanning Issues
    • False positives
      • Applications can use ports normally associated with other services
    • Heavy traffic
      • Can cause network performance issues
    • False negatives
      • Can exhaust system resources, causing a false negative
    • System crash
    • Unregistered port numbers
      • Ports may be listening, but what service is unknown
Identifying Open Ports and Available Services
  • Banner Grabbing
    • Can provide important information
      • Type of software
      • Version of software
    • Telnet can be used to grab HTTP, FTP, and SMTP server information
      • Telnet [ipaddr] [port #]
Identifying Open Ports and Available Services
  • Banner Grabbing (cont.)
    • Netcat
      • nc -v -n [ipaddr] [port #]
      • Features
        • Creating outbound and inbound connections
          • UDP or TCP
        • Providing a tunnelling mode
        • Randomized port scanning
        • File transfers
        • Remote shell
War Dialing
  • Accessing a network by using a modem and software to scan for target systems with attached modems
  • Modems have very weak authentication
  • Modems are often left unchecked on workstations and laptops
War Dialing
  • War dialer
    • A tool used to scan a large pool of telephone numbers to try to detect vulnerable modems
      • THC-Scan – DOS application that dials ranges of numbers to search for a modem or fax
      • ToneLoc – dials from a file of area codes and number banks
      • PhoneSweep – Heavy duty war dialing application that supports simultaneous multiple phone lines
War Driving and War Walking
  • Sniffing for WLANs while travelling via some means of transport such as car, train, bus, even planes
  • War Walking is the same as war driving, but walking instead of driving
War Driving and War Walking
  • Wireless Scanners
    • NetStumbler – GUI, displays wireless access points, SSIDs, channels, encryption, and signal strength
    • MiniStumbler – Similar to NetStumbler, but designed to work with Pocket PC
    • AirSnort – Wireless LAN tool that cracks WEP encryption keys
    • Kismet – Wireless network detector, sniffer, and IDS
    • SSID Sniff – Used to discover access points and save captured data
    • WifiScanner – Analyzes traffic and detects 802.11b APs
War Driving and War Walking
  • Wireless Packet Sniffers
    • AirMagnet – developed for wireless inventory management, but can be used for security assessment
    • AiroPeek – packet analyzer for 802.11b wireless LANs
    • Wireshark – Complete packet analyzer, requires a Wi-Fi NIC capable of monitor (promiscuous) mode
Fingerprinting
  • The process of determining the operating system on the target computer.
    • Exploits the fact that various OS vendors implement the TCP/IP stack differently.
    • Packets returned to the sender are logged and compared to a database to determine the target’s operating system
Fingerprinting
  • Two types
    • Passive
      • Less accurate than Active fingerprinting, but less detectable
      • Passively captures packets on the network
      • Compares many packet fields
        • TTL
        • Initial TCP Window Size
        • Don’t Fragment bit
        • Type of Service
        • Sequence #
Fingerprinting
  • Two types (cont.)
    • Active
      • More accurate than passive fingerprinting, but not as stealthy
      • Works similarly to passive, but sends altered packets to compare the results
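To make the passive approach concrete, here is an added example (not from the slides and not p0f's code) that matches the fields listed above, TTL, initial window size, Don't Fragment bit and Type of Service, against a signature table. The table is constructed for illustration; only the initial TTL values 64, 128 and 255 are real common defaults, the window sizes and OS labels are assumptions. An active tool compares the same fields, but in replies to probes it sends itself.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sig:
    """Fields a passive fingerprinter compares, taken from the host's own SYN."""
    os: str
    init_ttl: int     # initial TTL the stack sets (64, 128, 255 are common defaults)
    window: int       # initial TCP window size
    df: bool          # Don't Fragment bit set
    tos: int          # Type of Service byte

# Illustrative signature table constructed for this example; real tools such as
# p0f ship far larger and more precise databases.
SIGNATURES = [
    Sig("linux-like", 64, 29200, True, 0),
    Sig("linux-like", 64, 5840, True, 0),
    Sig("windows-like", 128, 8192, True, 0),
    Sig("windows-like", 128, 65535, True, 0),
    Sig("router-like", 255, 4128, False, 0),
]

def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value, since every
    router hop on the way decrements it by one."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return observed_ttl

def score(sig, ttl, window, df, tos):
    """Count matching fields; TTL is compared via the recovered initial value."""
    return (
        (initial_ttl(ttl) == sig.init_ttl)
        + (window == sig.window)
        + (df == sig.df)
        + (tos == sig.tos)
    )

def guess_os(ttl, window, df, tos, min_score=3):
    """Return (os guess, hops away, score); a weak best match or a tie between
    different OS labels yields "unknown" rather than a confident wrong answer."""
    hops = initial_ttl(ttl) - ttl
    ranked = sorted(((score(s, ttl, window, df, tos), s.os) for s in SIGNATURES), reverse=True)
    best, os_name = ranked[0]
    if best < min_score or (ranked[1][0] == best and ranked[1][1] != os_name):
        return ("unknown", hops, best)
    return (os_name, hops, best)
```

The hop count recovered from the TTL is a by-product that also helps when building the network map later in the process.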
Fingerprinting
  • Tools
    • p0f – passive fingerprinting tool
      • lcamtuf.coredump.cx/p0f.shtml
    • Nmap – active fingerprinting
    • Xprobe – active fingerprinting
      • xprobe.sourceforge.net
    • Winfingerprint – active fingerprinting
      • winfingerprint.com
Mapping the Network
  • Taking all gathered information and creating a detailed map or maps of the organization
    • Network information
    • Network diagram/layout
      • Cheops – www.marko.net/cheops/
    • Company information