Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is to figure out the rest of the network and its vulnerabilities. Network Scanning and Enumeration The process of collecting information about computers (assets) available on a network by either by listening to network traffic, or probing the network by sending traffic and
observing what traffic is returned as a result. E.g. scan looking for IP addresses (ping) Once you figure out what is there, then you can attack it appropriately Scan for ports to see what services are available, and then apply appropriate exploits Scan for user names and passwords, unused accounts, etc. 2 Port and Vulnerability Scanning Once you know a device is present, what are its vulnerabilities? Apply some programs to check all ports, looking for open ports Some services running on certain ports have
known vulnerabilities http://www.faqs.org/faqs/computer-security/most-com mon-qs/section-21.html http://en.wikipedia.org/wiki/Portscanning Or you can apply some programs that specifically look for vulnerabilities (combo of network, port and vulnerability scan) 3 Scanning Programs Tools used to identify what computers are active on a network, and which ports and services are available on each computer. Verify which IP addresses are active on a network ping sweep
Determine what services are available from each system port scan Note: port scanning may be illegal in some states Examples: nmap (http://nmap.org/) unicornscan (http://www.unicornscan.org/) superscan (http://www.snapfiles.com/get/superscan.html) nessus (http://www.nessus.org/nessus/) fping (http://fping.sourceforge.net/), hping ( http://www.hping.org/) 4 Caveat: tools have their own footprints - but not always
While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. FIN, NULL, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries. Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary
TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules! 5 Different kinds of scans explained http://nmap.org/book/man-port-s canning-techniques.html 6 Internet Control Message Protocol (ICMP) Allow servers to communicate with each other
and report errors to ensure that network paths are working properly. The PING utility is based on the use of ICMP echo requests and echo replies. PING is used to verify whether another network host is accessible. 7 UDP Scanning (UDP Protocol) Sending UDP packets to a target host to determine what UDP ports are open. A sequence of packets is sent to a series of different UDP port numbers to test the availability of each port.
If the UDP port is OPEN on the target host, no reply is sent. If the UDP port is NOT OPEN, an ICMP Destination Unreachable packet is sent in response to the probe. 8 TCP Scanning (TCP Protocol) Based on various features of TCP. Some of the features used for scanning and enumeration include: Opening a TCP connection (3-way handshake) Closing a TCP connection TCP connection reset
TCP null scan 9 TCP 3-way handshake Used to establish a TCP connection. Packet sequence for 3-way handshake SYN segment - requests a connection (e.g., with a server) SYN-ACK - acknowledges the (client's) SYN information and provides the (server's) information for establishing the connection. ACK - acknowledges the (server's) information This process can be used to determine which
TCP ports are open on a server. 10 Closing a TCP Connection Uses a modified 3-way handshake FIN - indicates that either host (e.g., Host B) has finished sending data and is ready to close the connection. ACK Host A acknowledges receipt of the FIN. Connection is "half-closed" at this point. Host B transmits no more data. FIN Host A indicates itis now ready to close the connection.
ACK Host B acknowledge's A's FIN. The connection is closed when Host A receives the final ACK from Host B. 11 TCP Connection Reset Allows an application to disconnect from a connection in abnormal circumstances. Either host initiates by sending a TCP segment with the RST bit set. Receiving host immediately aborts the connection and informs the application program that a reset has occurred. 12
Some Types of TCP Port Scans SYN scan Send SYN packet If port closed, target responds with RST/ACK If port open, target responds with SYN/ACK Sender sends RST/ACK to close connection Connect scan Similar to SYN scan completes 3-way handshake Connection is established NULL
scan Send packet will all flags OFF If destination port open, no response sent If destination port closed, RST packet sent 13 Enumeration The process of extracting information from a network: Resources or shares available on the network Determine OS using fingerprinting/scanning User names or groups assigned on the network The last time a user logged on as well as his/her password
http://en.wikipedia.org/wiki/Network_Scanner Tools NBTscan (http://www.inetcat.net/software/nbtscan.html) NetScanTools Pro (http://www.netscantools.com/ ) Hyena (http://www.systemtools.com/hyena/? source=google3D) Finger (http://en.wikipedia.org/wiki/Finger_protocol) IKE-Scan (http://www.nta-monitor.com/tools/ike-scan/ ) 14 Vulnerability Scanners Programs designed to search for and map systems to look for weaknesses in an application,
computer or network. http://en.wikipedia.org/wiki/Vulnerability_scanner http://en.wikipedia.org/wiki/ Web_Application_Security_Scanner Tools nessus (http://www.nessus.org/nessus/ ) SAINT (http://www.eeye.com/html/Products/Retina/index.html) Microsoft Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184924.aspx) 15
Sensation and Perception * ... awhile you don't sense it. * Subliminal Perception sensing without awareness is it possible? can it be used for persuasion? * RED SOX TICKETS * Senses The sense of touch is a mix of four...
Cite evidence from the text in your response. Unit 1 Lesson 2. Bell Ringer: Go back to the Stage 1 epigraph and the first full paragraph of "St. Lucy's Home for Girls Raised by Wolves" and summarize what the reader...
Proxy server Summary: Repeaters, Bridges, Routers, Gateways The distinction lies mainly in the "highest" layer at which each operates. Although this terminology is fairly standard, and the preferred common usage, the term "gateway" is sometimes used in the Internet community...
Marilyn's selection as Prom Queen made her the envy of every senior. My parents taught me not to envy anyone else's wealth. Our envy of Nora's skating ability is foolish because with practice all of us could do as well....
Scope. Based on the literature and direct observation in the PRC and ROC, this is an introduction to Chinese philosophies, religion, basic beliefs, and values with a special meaning for health and nursing. Chinese philosophies and religion include Confucian principles,...
Dr Denise Jackson. Dr . V. ahri. McKenzie. Teaching and Learning. Professor Ross Dowling OAM. Dr Steven Richardson. Ms Susan Peacock. Associate Professor Trevor Cullen. Teaching and Learning. Congratulations to all nominees in the following category: Inspirational Staff Individual Nominations.
Ready to download the document? Go ahead and hit continue!