The UNIX operating system - University of Hawaii

Scanning & Enumeration - Lab 3

Once an attacker knows whom to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.), the next step is to figure out the rest of the network and its vulnerabilities.

Network Scanning and Enumeration
The process of collecting information about the computers (assets) available on a network, either by listening to network traffic or by probing the network by sending traffic and observing what traffic is returned as a result.
- E.g. scan looking for IP addresses (ping). Once you figure out what is there, then you can attack it appropriately.
- Scan for ports to see what services are available, and then apply appropriate exploits.
- Scan for user names and passwords, unused accounts, etc.

Port and Vulnerability Scanning
Once you know a device is present, what are its vulnerabilities?
- Apply some programs to check all ports, looking for open ports.
- Some services running on certain ports have

known vulnerabilities:
  http://www.faqs.org/faqs/computer-security/most-common-qs/section-21.html
  http://en.wikipedia.org/wiki/Portscanning
- Or you can apply some programs that specifically look for vulnerabilities (a combination of network, port and vulnerability scanning).

Scanning Programs
Tools used to identify what computers are active on a network, and which ports and services are available on each computer.
- Verify which IP addresses are active on a network: ping sweep
- Determine what services are available from each system: port scan
Note: port scanning may be illegal in some states.
Examples:
- nmap (http://nmap.org/)
- unicornscan (http://www.unicornscan.org/)
- superscan (http://www.snapfiles.com/get/superscan.html)
- nessus (http://www.nessus.org/nessus/)
- fping (http://fping.sourceforge.net/)
- hping (http://www.hping.org/)

Caveat: tools have their own footprints - but not always

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. FIN, NULL, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries. Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary

TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules!

Different kinds of scans explained: http://nmap.org/book/man-port-scanning-techniques.html

Internet Control Message Protocol (ICMP)
- Allows servers to communicate with each other and report errors, to ensure that network paths are working properly.
- The PING utility is based on the use of ICMP echo requests and echo replies.
- PING is used to verify whether another network host is accessible.

UDP Scanning (UDP Protocol)
- Sending UDP packets to a target host to determine what UDP ports are open.
- A sequence of packets is sent to a series of different UDP port numbers to test the availability of each port.

- If the UDP port is OPEN on the target host, no reply is sent.
- If the UDP port is NOT OPEN, an ICMP Destination Unreachable packet is sent in response to the probe.

TCP Scanning (TCP Protocol)
Based on various features of TCP. Some of the features used for scanning and enumeration include:
- Opening a TCP connection (3-way handshake)
- Closing a TCP connection
- TCP connection reset

- TCP null scan

TCP 3-way handshake
Used to establish a TCP connection. Packet sequence for the 3-way handshake:
- SYN segment - requests a connection (e.g., with a server)
- SYN-ACK - acknowledges the (client's) SYN information and provides the (server's) information for establishing the connection.
- ACK - acknowledges the (server's) information
This process can be used to determine which TCP ports are open on a server.

Closing a TCP Connection
Uses a modified 3-way handshake:
- FIN - indicates that either host (e.g., Host B) has finished sending data and is ready to close the connection.
- ACK - Host A acknowledges receipt of the FIN. The connection is "half-closed" at this point; Host B transmits no more data.
- FIN - Host A indicates it is now ready to close the connection.

- ACK - Host B acknowledges A's FIN. The connection is closed when Host A receives the final ACK from Host B.

TCP Connection Reset
- Allows an application to disconnect from a connection in abnormal circumstances.
- Either host initiates by sending a TCP segment with the RST bit set.
- The receiving host immediately aborts the connection and informs the application program that a reset has occurred.
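The handshake, orderly close and reset described on the three slides above, modelled as a small TCP state machine that walks a client and a server through the exact segment sequence the slides list. This is an added example written for this page, not code from the lecture or from any tool it names; the state names follow RFC 793, while the event and segment names ("SYN", "SYN-ACK", "ACK", "FIN", "RST", "close", "timeout") are this example's own simplification, and no real packets are exchanged.

```python
from dataclasses import dataclass, field

# (current state, event) -> (next state, control segment sent in reply, or None).
# States follow RFC 793. Events are either application calls ("passive_open",
# "active_open", "close", "timeout") or the name of the segment just received.
TRANSITIONS = {
    ("CLOSED", "passive_open"): ("LISTEN", None),
    ("CLOSED", "active_open"):  ("SYN_SENT", "SYN"),          # client requests a connection
    ("LISTEN", "SYN"):          ("SYN_RECEIVED", "SYN-ACK"),  # server acknowledges, offers its info
    ("SYN_SENT", "SYN-ACK"):    ("ESTABLISHED", "ACK"),       # client acknowledges the server's info
    ("SYN_RECEIVED", "ACK"):    ("ESTABLISHED", None),        # handshake complete on the server
    ("ESTABLISHED", "close"):   ("FIN_WAIT_1", "FIN"),        # "I have finished sending data"
    ("ESTABLISHED", "FIN"):     ("CLOSE_WAIT", "ACK"),        # peer's FIN acknowledged: half-closed
    ("FIN_WAIT_1", "ACK"):      ("FIN_WAIT_2", None),
    ("FIN_WAIT_2", "FIN"):      ("TIME_WAIT", "ACK"),         # the other side has now finished too
    ("CLOSE_WAIT", "close"):    ("LAST_ACK", "FIN"),
    ("LAST_ACK", "ACK"):        ("CLOSED", None),             # final ACK received: fully closed
    ("TIME_WAIT", "timeout"):   ("CLOSED", None),
}


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    trace: list = field(default_factory=list)  # (state before, event, state after)

    def step(self, event):
        """Apply one event; return the segment this host sends in response, if any."""
        if event == "RST":
            # A reset aborts the connection from any active state without a reply.
            if self.state not in ("CLOSED", "LISTEN"):
                self.trace.append((self.state, event, "CLOSED"))
                self.state = "CLOSED"
            return None
        if event == "ACK" and self.state == "ESTABLISHED":
            return None  # ordinary data acknowledgement: no state change
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{self.name}: unexpected {event} in state {self.state}")
        new_state, reply = TRANSITIONS[key]
        self.trace.append((self.state, event, new_state))
        self.state = new_state
        return reply


def deliver(sender, receiver, segment):
    """Hand a segment to the receiver and keep bouncing replies back until both sides fall silent."""
    while segment is not None:
        segment = receiver.step(segment)
        sender, receiver = receiver, sender


def three_way_handshake():
    """SYN, SYN-ACK, ACK: both ends finish in ESTABLISHED."""
    client, server = Endpoint("client"), Endpoint("server")
    server.step("passive_open")
    deliver(client, server, client.step("active_open"))
    return client, server


def orderly_close(host_a, host_b):
    """Host B closes first (FIN/ACK -> half-closed), then host A (FIN/ACK -> closed)."""
    snapshots = []
    deliver(host_b, host_a, host_b.step("close"))   # B: FIN, A: ACK
    snapshots.append((host_a.state, host_b.state))  # half-closed: B sends no more data
    deliver(host_a, host_b, host_a.step("close"))   # A: FIN, B: ACK; A closes on receiving it
    host_b.step("timeout")                          # B leaves TIME_WAIT
    snapshots.append((host_a.state, host_b.state))
    return snapshots


def abort_with_reset(initiator, peer):
    """Either host sends RST; the receiver aborts immediately, no further exchange."""
    initiator.trace.append((initiator.state, "send RST", "CLOSED"))
    initiator.state = "CLOSED"
    deliver(initiator, peer, "RST")
    return initiator.state, peer.state


if __name__ == "__main__":
    c, s = three_way_handshake()
    print("after handshake:", c.state, s.state)
    print("close:", orderly_close(c, s))
    c, s = three_way_handshake()
    print("reset:", abort_with_reset(c, s))
    for host in (c, s):
        print(host.name, host.trace)
```

The trace lists make the slides' claim concrete: a scanner that completes the handshake (connect scan) leaves the server's trace ending in ESTABLISHED, whereas a reset leaves a single RST transition to CLOSED, which is the difference a connection log on the server will show.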

Some Types of TCP Port Scans
SYN scan
- Send a SYN packet
- If the port is closed, the target responds with RST/ACK
- If the port is open, the target responds with SYN/ACK
- The sender sends RST/ACK to close the connection
Connect scan
- Similar to a SYN scan, but completes the 3-way handshake
- The connection is established
NULL scan
- Send a packet with all flags OFF
- If the destination port is open, no response is sent
- If the destination port is closed, an RST packet is sent

Enumeration
The process of extracting information from a network:
- Resources or shares available on the network
- Determine the OS using fingerprinting/scanning
- User names or groups assigned on the network
- The last time a user logged on, as well as his/her password

http://en.wikipedia.org/wiki/Network_Scanner
Tools:
- NBTscan (http://www.inetcat.net/software/nbtscan.html)
- NetScanTools Pro (http://www.netscantools.com/)
- Hyena (http://www.systemtools.com/hyena/?source=google3D)
- Finger (http://en.wikipedia.org/wiki/Finger_protocol)
- IKE-Scan (http://www.nta-monitor.com/tools/ike-scan/)

Vulnerability Scanners
Programs designed to search for and map systems to look for weaknesses in an application, computer or network.
http://en.wikipedia.org/wiki/Vulnerability_scanner
http://en.wikipedia.org/wiki/Web_Application_Security_Scanner
Tools:
- nessus (http://www.nessus.org/nessus/)
- SAINT (http://www.eeye.com/html/Products/Retina/index.html)
- Microsoft Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184924.aspx)
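The UDP scan and TCP port scan behaviours described on the slides above, seen from the defender's side: a detector that reads firewall log lines and flags a SYN-only sweep across many ports on one host, a NULL-flag packet (all flags off never occurs in normal TCP traffic), and a burst of ICMP port-unreachable replies, which is exactly what a UDP scan of closed ports produces. This is an added example, not code from the lecture or from any tool named on the page; the key=value log format and every sample line are constructed for the example, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, and the 60-second window and five-port threshold are arbitrary tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "<timestamp> key=value ..." firewall format.
# 192.0.2.10 is the monitored host, 198.51.100.7 a normal client, 203.0.113.x probing sources.
SAMPLE_LOG = """
2024-05-01T10:00:00Z proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=443 flags=S
2024-05-01T10:00:00Z proto=icmp src=198.51.100.7 dst=192.0.2.10 type=8 code=0
2024-05-01T10:00:01Z proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=21 flags=S
2024-05-01T10:00:02Z proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=22 flags=S
2024-05-01T10:00:03Z proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=23 flags=S
2024-05-01T10:00:04Z proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=25 flags=S
2024-05-01T10:00:05Z proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S
2024-05-01T10:00:06Z proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=110 flags=S
2024-05-01T10:00:07Z proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=139 flags=
2024-05-01T10:00:10Z proto=icmp src=192.0.2.10 dst=203.0.113.9 type=3 code=3
2024-05-01T10:00:11Z proto=icmp src=192.0.2.10 dst=203.0.113.9 type=3 code=3
2024-05-01T10:00:12Z proto=icmp src=192.0.2.10 dst=203.0.113.9 type=3 code=3
2024-05-01T10:00:13Z proto=icmp src=192.0.2.10 dst=203.0.113.9 type=3 code=3
2024-05-01T10:00:14Z proto=icmp src=192.0.2.10 dst=203.0.113.9 type=3 code=3
2024-05-01T10:00:15Z proto=icmp src=192.0.2.10 dst=203.0.113.9 type=3 code=3
""".strip().splitlines()


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(tok.split("=", 1) for tok in rest.split())   # 'flags=' yields an empty string
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def max_in_window(events, window):
    """Largest number of distinct e[1] values among events (ts, value) inside one sliding window."""
    events = sorted(events, key=lambda e: e[0])
    best = 0
    for i, (t0, _) in enumerate(events):
        best = max(best, len({e[1] for e in events[i:] if e[0] - t0 <= window}))
    return best


def detect_scans(lines, window=timedelta(seconds=60), threshold=5):
    """Return (kind, scanner, target, count) alerts for the three scan signatures."""
    alerts = []
    syn_probes = defaultdict(list)     # (src, dst) -> [(ts, dport)]
    unreachables = defaultdict(list)   # (scanner, target) -> [(ts, line number)]
    for seq, line in enumerate(lines):
        r = parse_line(line)
        if r["proto"] == "tcp":
            if r["flags"] == "":
                # All flags off is never legitimate; one packet is enough to alert.
                alerts.append(("NULL scan packet", r["src"], r["dst"], int(r["dport"])))
            elif r["flags"] == "S":
                # SYN without ACK: the first step of both a SYN scan and a connect scan.
                syn_probes[(r["src"], r["dst"])].append((r["ts"], int(r["dport"])))
        elif r["proto"] == "icmp" and (r["type"], r["code"]) == ("3", "3"):
            # Destination Unreachable / Port Unreachable flows from the target back to the scanner,
            # so the log's src is the target and its dst is the probing host.
            unreachables[(r["dst"], r["src"])].append((r["ts"], seq))
    for (src, dst), probes in syn_probes.items():
        ports = max_in_window(probes, window)
        if ports >= threshold:
            alerts.append(("TCP port sweep (SYN-only probes)", src, dst, ports))
    for (scanner, target), replies in unreachables.items():
        n = max_in_window(replies, window)
        if n >= threshold:
            alerts.append(("UDP scan (ICMP port-unreachable burst)", scanner, target, n))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The SYN sweep rule cannot tell a SYN scan from a connect scan on its own: both begin with a SYN to each port, and the difference (RST after SYN/ACK versus a completed handshake) is only visible in the reply direction, which this constructed log does not carry. The UDP rule relies on the slide's point that closed UDP ports answer with ICMP Destination Unreachable, so a host that rate-limits those replies will lower the count and the threshold has to be set accordingly.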
