Scanning

Attack Phases
- Phase 1: Reconnaissance
- Phase 2: Scanning
- Phase 3: Gaining access
  o Application/OS attacks
  o Network attacks/DoS attacks
- Phase 4: Maintaining access
- Phase 5: Covering tracks and hiding

Scanning
- After recon phase attacker has
  o Phone numbers, contact info
  o Domain names, IP addresses
  o Maybe some details about infrastructure
- Next, scanning
  o Like burglar trying doors and windows

Scanning
- Good guys
  o Must secure every entry point
  o Must work in a dynamic environment
  o Must deal with those pesky users
- Attacker
  o Only needs to find one hole
  o Can take as long as necessary
- Sadly unfair (all-too-common in security)

Scanning Techniques
- War driving
- War dialing
- Network mapping
- Port scanning
- Vulnerability scanning
- IDS and IPS

War Driving
- Scan for wireless access points
  o Preferably, not secured WLANs
- War driving started by Peter Shipley
  o Drove around Bay Area in 2001
- Now a very popular activity
  o Defcon has a WarDriving contest (including map of open access points)

War Driving
- Must be within 100 yards or so to reliably send/receive WLAN
- But, detectable from a mile or more
- War driver wants to find ESSID of WLAN
  o ESSID == Extended Service Set Identifier
  o ESSID is WLAN's name
  o ESSID acts like a password (almost)
  o By default, ESSID is sent in the clear
  o Can configure access point to not send ESSID

War Driving
- 802.11 probe message
  o Required to send ESSID in probe msg
  o But send "any" for ESSID and some access points respond with ESSID!
- So, Trudy simply asks for ESSID
  o And sometimes she gets it
- Can configure to require BSSID (Basic SSID)
  o I.e., the MAC address must be on approved list
  o This helps, but only a little

War Driving
- Many tools available
- Three basic techniques
  o Active scanning
  o Passive scanning
  o Forced de-authentication
- Tools use one (or more) of these

NetStumbler
- Active 802.11 scanning tool
  o Sends probe packets with "any" ESSID
  o Access point within range might respond
  o Like running down the street shouting
- For Windows 2k, also version for PDAs
- Optionally uses GPS to locate access pts
- One hour in NYC: found 455 access pts

NetStumbler
- Gathers MAC address, ESSID, channel, and signal strength
  o Also, IP address (using DHCP)
  o Whether it is using WEP or not
- Limitations
  o Many access pts ignore "any" ESSID
  o Highly unstealthy

Wellenreiter
- Passive scanning tool
- Puts wireless card in rfmon mode
  o Aka monitor mode
  o Better than promiscuous mode
  o Gets everything --- no connection needed
  o Even if encrypted, ESSID still sent in clear
- Can dump packets into Wireshark
- Also interfaces with GPS

Wellenreiter
- Gets ESSID, MAC, IP addresses
  o Entirely passive
- If access pt not sending ESSID
  o Non-broadcasting, name is unknown
  o until user authenticates to access pt
- Related tool: Kismet
  o Detailed packet analysis, not war driving

Wellenreiter (figure)

Forced De-authentication
- Suppose that a particular access pt
  o Does not accept "any"
  o Does not broadcast ESSID
  o Clients have previously authenticated
  o No clients currently communicating
- Invisible to NetStumbler, non-broadcasting to Wellenreiter
- What can Trudy do?

ESSID-Jack
- Assuming Trudy has access pt MAC address
  o Get MAC from Wellenreiter, Kismet
- De-authentication requires no authentication
  o That is, the ESSID is not required
  o Only need access point's MAC address
- ESSID-Jack sends de-authentication msg
- Then what happens?

ESSID-Jack
- Client(s) automatically reauthenticate
  o ESSID-Jack gets ESSID
  o So Trudy gets ESSID

War Driving Defenses
- Set ESSID to nondescript name
  o "1234" instead of "BankOfAmerica"
- Do not broadcast ESSID
- Require authentication
- MAC address for authentication?
  o Easily spoofed
  o Unix/Linux tool: SirMACsAlot

WEP
- WEP == Wired Equivalent Privacy
- WEP uses RC4 for confidentiality
  o Considered a strong cipher
  o But WEP introduces a subtle flaw
- WEP uses CRC for integrity
  o Should have used a crypto hash instead
  o CRC is for error detection, not integrity

WEP Integrity Problems
- WEP "integrity" does not provide integrity
  o CRC is linear, and so is stream cipher XOR
  o Can change ciphertext and CRC so that checksum remains correct --- undetected
  o This requires no knowledge of the plaintext!
  o Even worse if plaintext is known
- CRC is not a cryptographic integrity check!
  o CRC designed to detect random errors
  o Not designed to detect intelligent changes

WEP Key
- WEP encryption: long-term secret key, K
- RC4 is a stream cipher, so each packet must be encrypted using a different key
  o Initialization Vector (IV) sent with packet
  o Sent in the clear (IV is not secret)
- Actual RC4 key for packet is (IV, K)
  o That is, IV is pre-pended to K

Initialization Vector Issue
- WEP uses 24-bit (3 byte) IV
  o Each packet gets a new IV
  o RC4 packet key: IV pre-pended to long-term key, K
- Long-term key K seldom (if ever) changes
- If long-term key and IV are the same, then the same keystream is used
  o This is bad!
  o It is at least as bad as reuse of a one-time pad
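Added example (not from the slides) of the point made on the WEP Integrity Problems slide: CRC32 is linear over XOR, so a change to the XOR-masked frame can be paired with a matching change to the masked checksum and the receiver's CRC check still passes, whereas a keyed MAC (HMAC-SHA256 here) rejects the same change. The keystream generator, keys, IV and message are constructed stand-ins, not RC4 or a real WEP frame.

```python
import hashlib
import hmac
import zlib


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Constructed stand-in for RC4(IV || K): any deterministic per-(iv, key)
    stream shows the same weakness, because only the XOR structure matters."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")


def wep_style_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP layout: (plaintext || CRC32(plaintext)) XOR keystream."""
    body = plaintext + crc32(plaintext)
    return xor(body, keystream(key, iv, len(body)))


def wep_style_decrypt(key: bytes, iv: bytes, ciphertext: bytes):
    """Returns (plaintext, checksum_ok) as a WEP receiver would compute them."""
    body = xor(ciphertext, keystream(key, iv, len(ciphertext)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext, tag == crc32(plaintext)


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """CRC32 is affine over XOR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0)
    for equal-length inputs. This is the property the slide relies on."""
    zero = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zero)


def apply_delta_without_key(ciphertext: bytes, delta: bytes) -> bytes:
    """XOR delta into the encrypted data and the matching CRC difference into
    the encrypted checksum. Both layers are linear, so the receiver's CRC
    check still passes; neither the key nor the plaintext is used."""
    crc_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "big")
    return xor(ciphertext, delta + crc_delta)


def mac_frame(mac_key: bytes, plaintext: bytes) -> bytes:
    """What WEP should have done: a keyed MAC over the data."""
    return plaintext + hmac.new(mac_key, plaintext, hashlib.sha256).digest()


def mac_verify(mac_key: bytes, frame: bytes) -> bool:
    plaintext, tag = frame[:-32], frame[-32:]
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    key, iv = b"constructed-long-term-key-K", b"\x00\x00\x01"
    msg = b"constructed frame payload"
    delta = bytearray(len(msg))      # flip two bytes in the middle of the data
    delta[10] ^= 0x55
    delta[11] ^= 0xAA
    delta = bytes(delta)

    ct = wep_style_encrypt(key, iv, msg)
    recovered, ok = wep_style_decrypt(key, iv, apply_delta_without_key(ct, delta))

    frame = mac_frame(key, msg)
    frame_mod = xor(frame, delta + bytes(32))   # same change against a MAC'd frame
    return {
        "crc_linear": crc_is_linear(msg, delta),
        "crc_check_passes_after_change": ok,
        "plaintext_changed": recovered == xor(msg, delta) and recovered != msg,
        "hmac_rejects_change": not mac_verify(key, frame_mod),
    }
```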

Initialization Vector Issue
- Assume 1500 byte packets, 11 Mbps link
- Suppose IVs generated in sequence
  o Then 1500 * 8 / (11 * 10^6) * 2^24 ≈ 18,000 seconds
  o Implies IV must repeat in about 5 hours
- Suppose IVs generated at random
  o By birthday problem, some IV repeats in seconds
- Again, repeated IV (with same K) is bad!

WEP Active Attacks
- WEP: "Swiss cheese" of security protocols
- If Trudy can insert traffic and observe corresponding ciphertext
  o Then she will know keystream for that IV
  o And she can decrypt next msg that uses that IV
- If Trudy knows destination IP address
  o She can change IP address in ciphertext
  o And modify CRC so it is correct
  o Then access point will decrypt and forward packet to Trudy's selected IP address!
  o Requires no knowledge of the key K

War Driving Defenses
- WEP is of limited value
- WPA (Wi-Fi Protected Access)
  o RC4, 48-bit IV, MIC (named "Michael") for integrity, replay protection, etc.
  o Works with same hardware as WEP
- 802.11i (or WPA2)
  o Like WPA but crypto is better (AES)
  o Requires different hardware than WEP
- Can try to detect unusual activity
- Turn down the volume
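The IV-repeat arithmetic from the Initialization Vector Issue slides, carried through as an added example (not from the slides) with the same figures: 24-bit IV, 1500-byte packets, 11 Mbps. The birthday estimate is checked against the exact collision probability.

```python
import math

IV_SPACE = 2 ** 24  # WEP's 24-bit IV


def packets_per_second(packet_bytes: int = 1500, link_bps: float = 11e6) -> float:
    """Frames per second for back-to-back packets of the given size."""
    return link_bps / (packet_bytes * 8)


def sequential_repeat_seconds(packet_bytes: int = 1500, link_bps: float = 11e6) -> float:
    """Sequential IVs wrap after 2^24 packets: the slide's 1500*8/(11*10^6) * 2^24."""
    return IV_SPACE / packets_per_second(packet_bytes, link_bps)


def birthday_packets(prob: float = 0.5, space: int = IV_SPACE) -> float:
    """Approximate number of random IVs until some value repeats with the
    given probability: n ~ sqrt(2 * space * ln(1 / (1 - prob)))."""
    return math.sqrt(2 * space * math.log(1 / (1 - prob)))


def random_repeat_seconds(prob: float = 0.5, packet_bytes: int = 1500,
                          link_bps: float = 11e6) -> float:
    return birthday_packets(prob) / packets_per_second(packet_bytes, link_bps)


def exact_collision_probability(n: int, space: int = IV_SPACE) -> float:
    """Exact P(at least one repeated IV among n uniformly random IVs),
    used to sanity-check the birthday approximation."""
    p_no_repeat = 1.0
    for i in range(n):
        p_no_repeat *= (space - i) / space
    return 1.0 - p_no_repeat


def summary() -> dict:
    n = birthday_packets()
    return {
        "sequential_hours": sequential_repeat_seconds() / 3600,      # about 5 hours
        "random_50pct_packets": n,                                   # a few thousand
        "random_50pct_seconds": random_repeat_seconds(),             # a few seconds
        "random_50pct_exact_prob": exact_collision_probability(round(n)),
        "random_1sec_prob": exact_collision_probability(round(packets_per_second())),
    }
```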

Wireless Security
- VPN == Virtual Private Network
  o Secure tunnel between endpoints
  o Not wireless-specific
  o But can be used to secure wireless
- VPN provides extra layer of security
  o On top of WEP or WPA
  o Author says, do not use IKE pre-shared keys in "aggressive mode"

War Dialing
- Dial lots of phone numbers
  o Looking for unprotected modems
  o One PC can scan 1k numbers/night
- The movie War Games (circa 1983)
  o Kid tries to break into game company
  o and accidentally starts WWIII
  o Plot (such as it is) hinges on war dialing

War Dialing
- Can this possibly still be an issue?
  o User might want to bypass annoying VPN
  o Admin might want remote access
- User might install remote access tool
  o pcAnywhere, for example
  o Only protection from war dialer is pwd?

War Dialing
- How to find phone numbers to try?
  o Internet, Whois database, organization's Web site, social engineering, ...
- Maybe try numbers with same prefix
- Easy to test 1,000s of numbers

THC-Scan
- Free war dialing tool

THC-Scan
- Can dial sequence, random, or list
  o Random to avoid detection
- Parallel process on multiple machines
- Nudging
  o Try to determine useful info
- Can randomize interval between dialing
- Detect jamming (based on busy signals)
- If human answers, hangs up ("click")

THC-Scan
- Not too user-friendly
  o User must look at logs
- Some numbers
  o Might not require any password
  o Might require special software (pcAnywhere)
  o Such info gathered via nudging
- If password is required,
  o Trudy can try password cracking

War Dialing Defenses
- Modem policy
  o When possible, use VPN
- If possible, allow dial-out only
- War dial against yourself
  o Find modems before attacker does
  o For Windows, can use Windows Management Instrumentation (WMI) scripts
- Visual inspection

Network Mapping
- At this point, attacker is either
- On the outside looking in
  o I.e., on Internet looking at target DMZ
- Has inside access
  o Attached to WLAN found war driving
  o Connected via a modem found war dialing
- Next step is to analyze target network
  o Looking for potential targets
  o Critical hosts, routers, firewalls, ...

Network Mapping
- Mapping tools will be aimed wherever attacker can reach
  o If outside, map DMZ, Web server, etc.
  o If inside, map internal network
- In either case, same tools
  o Similar methods

Sweeping
- Want an inventory of accessible systems
- Could ping every possible address
  o But often blocked by firewall
- Send TCP packets to common port(s)
  o Look for SYN-ACK to come back
- Send UDP packets with unusual port
  o If closed, may get "port unreachable"
  o But, maybe nothing is sent back

Traceroute
- TTL field in IP header
  o Usually decremented by each router
- When TTL reaches 0
  o Router kills packet
  o Sends ICMP "time exceeded" msg to source
- Traceroute
  o UNIX: traceroute uses UDP packets
  o Windows: tracert uses ICMP packets

Traceroute
- Map routers from source to dest (figure)

tracert
- In Windows (figure)

Ping and Traceroute
- Might find, for example: (figure)

Automated Tool
- Cheops-ng
  o Free
  o Pretty pictures
  o Lots of info (type of OS, ...)
  o Useful for admins too

Network Mapping Defenses
- Block incoming ICMP packets
  o Except those you want outsiders to ping
- Block outgoing ICMP "time exceeded"
  o Except for specific addresses
  o Then "* * *" responses in traceroute
- Limits attacker's ability to map network
  o Also limits good uses of these features

Port Scanning
- At this point, attacker knows
  o Addresses of live systems
  o Basic network topology
- Now what?
- Assume Trudy is outsider
- Trudy wants to determine open ports
  o 65k TCP ports and 65k UDP ports
  o Well-known ports correspond to services
  o Open port is a doorway into machine

Port Scanning
- Port scanning
  o Knock on doors (ports) to see which are open
- Why not simply try all TCP and UDP ports?
  o Not stealthy
- Instead can try limited range
  o More stealthy, but might miss something
- Could instead just go slow
  o Maybe too slow (or Trudy is too impatient)
- Distributed port scan?

Nmap
- Nmap tool --- most popular port scanner
  o Developed by Fyodor
  o Free at
  o Unix, Linux and Windows versions
  o Command line and GUI
  o Appeared in The Matrix Reloaded
- Many, many options

Nmapfe
- Nmap front end (figure)

TCP 3-Way Handshake
- Recall the 3-way handshake (figure)

TCP Connect Scan
- Polite scan
- Complete the TCP 3-way handshake
  o Nmap sends SYN, waits for SYN-ACK
  o If port is open, Nmap sends ACK, then FIN
  o If closed: no reply, RESET, or ICMP unreachable
- Plusses?
  o Should not cause problem for target
- Minuses?
  o Not stealthy, Trudy's IP address in logs, etc.

TCP SYN Scans
- Nmap sends SYN
  o Gets SYN-ACK, ICMP unreachable, etc.
  o In any case, Nmap sends RESET
  o I.e., only 2/3rds of 3-way handshake completed
- Plusses?
  o Stealthier (may not be logged by host)
  o Faster, fewer packets
- Minuses?
  o Accidental DoS attack?

FIN Scan
- FIN scan
  o Send FIN for non-existent connection
  o Port closed: protocol says send RESET
  o Port open: protocol says nothing
  o No reply may indicate port is open

Xmas Tree and Null Scans
- Xmas tree scan
  o All flag bits set: URG, ACK, PSH, RST, SYN, FIN
- Null scan
  o Send packet with no flag bits set
- Both of these violate protocol
- Expect same behavior as FIN scan
- Note: These do not work against Windows
  o Since Windows does not follow the RFCs

TCP ACK Scan
- Simpleminded packet filter might
  o Allow outbound, established connections
  o Block incoming if ACK bit not set

TCP ACK Scan
- Packet filter assumes
  o ACK bit set == established connection
- How can Trudy take advantage of this?
- Send packets with ACK bit set!
  o These pass thru open ports
  o Allows for simple port scan of firewall

TCP ACK Scan
- No response/unreachable: filtered
- RESET if port is not filtered

TCP ACK Scan
- Trudy learns
  o Kinds of established connections that are allowed thru packet filter
- ACK scan used to determine filtering rules
- ACK scan not so useful for scanning open ports on a host
  o Different OSs respond differently
  o Some RESET if port is open, some if port closed

FTP Bounce Scan
- Obscures source of scan
  o So Trudy's address not logged
  o Stealthy
- Relies on FTP forwarding
  o User can request that a file be forwarded to another machine
  o Mostly disabled today

FTP Bounce Scan (figure)

FTP Bounce Scan
- FTP server informs attacker of result (figure)

Idle Scanning
- Suppose no forwarding FTP server
- Another way to obscure source of scan
- IP header has ID field
  o Used to group fragments together
  o ID must be unique per packet
  o Often just increment a counter (Windows)

Idle Scanning
- Pick a machine to blame for scan
- Blamed machine
  o Attacker must be able to send/receive
  o Must have predictable IP IDs
  o Mostly idle, does not send much traffic (why?)
  o So IP IDs are predictable
- Make it look like this machine scans
  o See next slide

Idle Scanning
- Prepare to scan (figure)

Idle Scan
- For the scan
- Attacker sends spoofed SYN to target
  o Source is the blamed machine
  o Selected port
- Port listening: SYN-ACK to blamed machine
  o Blamed machine sends RESET to target
- Port closed: RESET/nothing to blamed machine
  o Blamed machine sends nothing
- So what???

Idle Scanning
- Recall, last IP ID is X (next is X + 1) (figure)

Idle Scan
- Very clever!
- Nmap automates this
- May need to repeat multiple times
  o If blamed guy is not idle enough
- May want to use several blamed guys
- Other improvements?

UDP?
- Much simpler, so fewer scan options
- Not so easy to violate protocol
- Nmap provides polite scan
  o Not stealthy
- If ICMP unreachable, port is closed
- If UDP packet sent back, then port is open
- If nothing comes back... don't know

Version Scanning
- Nmap detects service/software on a port
  o In case service does not use official port
  o And to determine software version
  o Can determine services that use SSL
- After 3-way handshake, service usually identifies itself
  o If not, Nmap sends some probing packets
  o UDP services are similarly easy to ID

Ping Sweeps
- Nmap provides ping sweeps too
- If incoming ICMP blocked, Nmap does sweep using TCP packets
  o To find live hosts, not as a port scan

RPC Scans
- Nmap can scan for RPC applications
  o RPC is for distributed apps
  o Makes distributed app easy to program

RPC Scans
- Familiar RPC services (Linux/UNIX)
  o Rpc.rstatd: performance stats from kernel
  o Rwalld: msgs to logged in users
  o Rup: up time and load avg of a service
  o Sadmind: older service for Solaris admin
  o Rpc.statd: used with NFS
- Many vulnerabilities in RPC
  o RPC scan may provide useful info to attacker

Source Port
- Nmap can set source port
  o To avoid filtering at target
- Might set source port to 80 or 25
  o Looks like Web traffic, email
- Source port 20 also useful
  o Looks like FTP data connection
  o Why FTP?

FTP
- Difficult for simple packet filter
  o Due to control connection (port 21) and data connection (port 20)
- UDP port 53 (DNS) also a good choice

Decoys
- Spoofed source addresses
- If attacker uses n decoys
  o Then n + 1 packets sent to each port
  o One with correct source address (except for FTP bounce or idle scans)
  o and n with specified spoofed sources
- What good does this do?

Active OS Fingerprinting
- Attacker wants to know the OS
- How to do this?
- RFCs do not specify everything
  o E.g., how to respond to illegal combinations of TCP control bits
  o Nmap knows the inconsistencies

Active OS Fingerprinting
- Nmap uses the following
  o SYN packet to open port
  o NULL packet to open port
  o SYN|FIN|URG|PSH to open port
  o ACK to open port
  o FIN|PSH|URG to closed port
  o UDP packet to closed port

Active OS Fingerprinting
- Predictability of initial sequence numbers also used by Nmap
  o Nmap has database of > 1000 platforms
- Xprobe2 --- active OS fingerprinting tool
  o Stealthier and more accurate than Nmap
- Passive OS fingerprinting is possible
  o No traffic sent to target
  o Sniff packets sent by target
  o This is covered in Chapter 8

Nmap Timing Options
- Paranoid --- one packet per 5 minutes
- Sneaky --- one packet per 15 seconds
- Polite --- one packet per 0.4 seconds
- Normal --- as quickly as possible
- Aggressive --- wait max of 1.25 sec for reply
- Insane --- wait max of 0.3 sec for reply
  o Will lose packets, resulting in false negatives
- Timing also customizable

Fragmentation
- Nmap also allows fragmentation
- Helps against some IDS systems
  o Discuss later

Port Scanning Defenses
- Harden the system
  o Close unused ports
  o Minimize services/tools
  o Check ports in use

Port Scanning Defenses
- Scan yourself using Nmap
  o But this can cause problems
- Use more intelligent firewalls
  o Stateful packet filters or proxies
  o instead of packet filters

Firewalk
- Determines what gets thru firewall
  o Assuming a packet filter firewall
- Nmap vs Firewalk
  o Nmap does port scan of hosts
  o What happens if you Nmap a firewall?
  o Tells you ports firewall is listening on
  o But, you want to know filtered ports

Firewalk
- Nmap vs Firewalk
- But what about Nmap ACK scan?
  o Attacker learns which ports firewall allows established connections on
  o But SYN packets might be dropped
- Firewalk tells attacker ports that firewall allows new connections on
  o More useful info to attacker

Firewalk
- Requires 2 IP addresses
  o Address before filtering takes place (i.e., external address of firewall)
  o Destination on other side of firewall
- Firewalk has 2 phases
  o Network discovery (like traceroute)
  o Actual scanning

Firewalk
- Network discovery phase
  o Use TTL to find hops to firewall (figure)

Firewalk
- Scanning phase
  o Packet sent to host behind firewall
  o Note: this works even if NAT is used (figure)

Firewalk
- TTL field crucial to Firewalk
- Packet filter and stateful packet filters both decrement TTL field
  o So Firewalk can work against these
- Application proxy firewall?
  o Proxy does not forward packet
  o Instead, creates a new packet... so what?

Firewalk
- How can Trudy use Firewalk results?
- To install software, must know which ports can be used
- Scan for new services on open ports
  o Example: SSH (TCP port 22) open thru firewall, but SSH not available
  o SSH temporarily activated by admin

Firewalk Defenses
- Learn to live with it
  o Since based on TCP/IP fundamentals
  o Focus on better firewall rules/mgmt
- Use proxy-based firewall
  o Might create problems
  o Likely to be much slower

Attack So Far
- Trudy knows
  o Addresses of live hosts (ping, Cheops-ng)
  o Network topology (Traceroute, Cheops-ng)
  o Open ports on live hosts (Nmap)
  o Services & version numbers (Nmap)
  o OS types (Nmap, Xprobe2)
  o Ports open thru firewall (Firewalk)

Vulnerability Scanning
- Now what?
- Trudy wants to know vulnerabilities
- Tools automate process
  o Connect to host, test for vulnerabilities
- Types of vulnerabilities
  o Configuration errors
  o Default configuration weaknesses
  o Well-known (published) vulnerabilities
- 100s to 1000s of vulnerabilities

Vulnerability Scanning Tools
- Tools typically employ the following
  o Vulnerability database
  o User configuration
  o Scanning engine
  o Knowledge base of current scan
  o Results/report/repository

Vulnerability Scanning Tools (figure)

Vulnerability Scanning Tools
- Commercial tools include
  o Harris STAT Scanner
  o ISS's Internet Scanner
  o CFI LANguard Scanner
  o E-eye's Retina Scanner
  o Qualys's QualysGuard (subscription based)
  o McAfee's Foundstone Foundscan (also subscription based)

Nessus
- Nessus --- the most popular free vulnerability scanning tool
  o Can write your own vulnerability checks, and lots of people have already done so
- Nessus plug-ins
  o More than 1,000 plug-ins in categories

Nessus Plug-Ins
- Categories of plug-ins are
  o Backdoors, CGI abuses, Cisco, Default UNIX accounts, DoS, Finger abuses, Firewalls, FTP, Gain shell remotely, Gain root remotely, General, Misc, Netware, NIS, P2P file sharing, Remote file access, RPC, SMTP, SNMP, Windows, Useless services
- Each category: 2 to 100s of vulnerabilities

Nessus Architecture
- Client-server architecture
  o Client-server authentication, encryption, etc. (figure)

Nessus
- Attacker selects
  o Plug-ins, target system, port range/type of scanning, port for Nessus client-server communication, encryption alg, email address for report
- Attacker can also write scripts

Nessus Report
- Nessus report format (figure)
- Other tools make Nessus report more readable and informative

Vulnerability Scan Defenses
- Close unused ports
- Install latest patches
- Run tools against your network
  o Be careful of DoS

Nessus DoS Options
- Some risky, some not
- Pwd guess could also be a problem

Limitations of Vulnerability Scanning Tools
- Only detect known vulnerabilities
- Tools don't understand network architecture
  o Attacker might
- Only gives a snapshot in time
  o Environment is dynamic

IDS (and IPS)
- Scanning tools are noisy
- Port scan may use 10,000s of packets
- Vulnerability scan may send 100,000s or millions of packets
- IDS likely to notice such activity
- Attacker must try to evade IDS
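Added example (not from the slides) of the "IDS likely to notice" point: a sliding-window detector that flags a port scan (many ports on one host from one source) and a host sweep (one port on many hosts from one source) in dropped-packet log lines. The log format, thresholds, addresses and sample lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (a generic "dropped packet" line, not any vendor's):
# <ISO timestamp> DROP src=<ip> dst=<ip> proto=<TCP|UDP> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=10):
    """Per source address, over the last `window` of events:
      - 'portscan': >= port_threshold distinct ports on one destination host
      - 'sweep':    >= host_threshold distinct hosts on one destination port
    Emits one alert per (src, kind) the first time the threshold is crossed."""
    recent = defaultdict(deque)   # src -> events inside the window, in time order
    fired, alerts = set(), []
    events = [ev for ev in map(parse, lines) if ev]
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # expire events older than the window
            q.popleft()
        ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
        for e in q:
            ports_by_host[e["dst"]].add(e["dport"])
            hosts_by_port[e["dport"]].add(e["dst"])
        checks = (
            ("portscan", max(len(p) for p in ports_by_host.values()), port_threshold),
            ("sweep", max(len(h) for h in hosts_by_port.values()), host_threshold),
        )
        for kind, count, threshold in checks:
            key = (ev["src"], kind)
            if count >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"src": ev["src"], "kind": kind, "count": count,
                               "at": ev["ts"].isoformat()})
    return alerts


def _line(sec: int, src: str, dst: str, dport: int) -> str:
    return f"2024-03-01T09:00:{sec:02d} DROP src={src} dst={dst} proto=TCP dport={dport}"


# Constructed sample: one source probing 12 ports on a host, one source probing
# port 445 on 11 hosts, one benign source, and one unparseable line.
SAMPLE_LOG = (
    [_line(s, "203.0.113.7", "192.0.2.10", 20 + s) for s in range(12)]
    + [_line(s, "198.51.100.9", f"192.0.2.{h}", 445) for s, h in enumerate(range(1, 12))]
    + [_line(s, "192.0.2.50", "192.0.2.10", 443) for s in (3, 40)]
    + ["malformed line that the parser must skip"]
)
```

A scan run with Nmap's "Paranoid" or "Sneaky" timing spreads its probes over far more than one window, which is exactly why threshold detectors like this one need long windows or per-source counters that persist across them.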

IDS
- Mostly signature based

IDS Evasion
- To avoid signature detection
- Change traffic
  o Change packet structure or syntax
- Change the context
  o IDS might not know full context

IDS Evasion at Network Level
- Fragments create problem for IDS
- Must reassemble fragments
- Attacker could
  o Use fragments --- IDS may not handle it
  o Fragment flood --- overwhelm IDS
  o Fragment in unusual ways --- to exploit weakness in IDS handling of fragments

Fragmentation
- Tiny fragments
  o Not too effective vs modern IDS

Fragmentation
- Fragment overlap
  o Handled differently by different OSs
  o Which makes IDS's job more difficult

FragRouter and FragRoute
- FragRouter --- fragmentation tool
- Options include
  o Various sized fragments
  o Various overlapping schemes
- Separates fragmentation from the attack

IDS Evasion at App Level
- Nikto --- CGI scanner (IDS evasion)
- CGI scripts run on server, activated by user on the network
- Large number of CGI scripts vulnerable
- Nessus does some CGI scanning
- Nikto much more sophisticated
  o For attacks, makes subtle changes in HTTP to evade signature detection

Nikto
- IDS evasion strategies
  o Hex equivalents of characters, Change to current directory, URL does not include CGI script info (instead, placed in HTTP header), Long (nonexistent but ignored) directory name, Fake parameter(s), TAB separations (instead of spaces), Case, Windows delimiters (backslash), NULL method, Session splicing (separate TCP packets, not fragments)

IDS Evasion Defenses
- Use IDS, regardless of attacks
- Keep signatures up to date
- Use host-based & network-based IDS
  o For example, fragmentation attack easier to detect with host-based defense

Conclusion

Summary
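Added example (not from the slides) of the fragment-overlap problem on the Fragmentation slides: the same fragments reassembled under two simplified policies give different datagrams, so an IDS that does not know which policy the receiving host applies cannot know what that host will see. The policies and the fragment set are constructed; they are not a claim about which real OS behaves which way.

```python
def reassemble(fragments, policy: str) -> bytes:
    """fragments: list of (offset, data) in arrival order, offsets in bytes.
    policy 'favor_old' keeps the first data seen for each byte position;
    policy 'favor_new' lets later fragments overwrite earlier ones.
    (Simplified stand-ins for the differing per-OS rules; real stacks also
    distinguish overlaps at the front and back of a fragment.)"""
    if policy not in ("favor_old", "favor_new"):
        raise ValueError(f"unknown policy {policy!r}")
    total = max(off + len(data) for off, data in fragments)
    buf, filled = bytearray(total), [False] * total
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "favor_new" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = True
    if not all(filled):
        raise ValueError("incomplete datagram: gap in fragment coverage")
    return bytes(buf)


def overlapping_positions(fragments) -> set:
    """Byte positions covered by more than one fragment."""
    seen, overlap = set(), set()
    for off, data in fragments:
        for pos in range(off, off + len(data)):
            (overlap if pos in seen else seen).add(pos)
    return overlap


def is_ambiguous(fragments) -> bool:
    """True when the two policies disagree. A network IDS should at least
    alert on this, since it cannot be sure what the end host reassembled."""
    return reassemble(fragments, "favor_old") != reassemble(fragments, "favor_new")


# Constructed fragment set: the third fragment arrives last and overlaps
# bytes 5..10 of the first with different content.
FRAGMENTS = [
    (0, b"GET /index."),
    (11, b"html HTTP/1.0\r\n"),
    (5, b"other."),
]
```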
