1
Reconnaissance, Network Mapping, and Vulnerability Assessment
ECE4112 – Internetwork Security
Georgia Institute of Technology
2
Agenda
• Reconnaissance
• Scanning
• Network Mapping
• Port Scanning
• OS detection
• Vulnerability assessment
3
Reconnaissance
• Internet Network Information Center (InterNIC) whois
database: www.internic.net/whois.html
• Registrar’s database, e.g. www.networksolutions.com
• American Registry for Internet Numbers (ARIN)
http://ww2.arin.net/whois/
• Domain Name System (DNS) nslookup
4
Reconnaissance
• After reconnaissance, detailed information about a potential target is known
• This information includes specific IP addresses and ranges of addresses that may be probed further.
5
Scanning
Objective 1: Network Mapping
Why: To determine what the network looks like logically.
How: Manually, using tools like ping, traceroute and tracert, or with a dedicated tool such as the Cheops network mapper
6
Scanning
Objective 2: Port Scanning
Why: To find open ports in order to exploit them.
How:
• TCP Connect -- attempt to complete the 3-way handshake, look for SYN-ACK; easy to detect this scan because the connection is completed and logged
• TCP SYN Scan -- “half-open” scan, look for SYN-ACK, then send RESET; the target system will not record the connection; also faster than a TCP connect scan
• TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol; closed ports send RESET, open ports send nothing (Windows does not respond to these scans)
7
Scanning
• TCP ACK Scan -- may be useful to get past packet filters (the filter believes it is a response to a request from inside the firewall); if a RESET is received, the port is known to be reachable through the firewall
• FTP Bounce Scan -- request that an FTP server send a file to a victim machine inside its network (most servers have disabled this feature)
• UDP Scan -- unreliable: if an ICMP Port Unreachable is received, assume closed, otherwise assume open
• Ping Sweep -- can use ICMP or TCP packets
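The scan types above leave recognizable flag patterns in traffic. As an added example (not from the lecture), this detector classifies constructed TCP probe records by flag combination and flags sources that sweep many ports; the record format and threshold are assumptions.

```python
# Added example (not from the lecture): classify TCP probes by flag combination
# into the scan types described above, then flag sources that touch many ports.
from collections import defaultdict

# Constructed sample records: (source, destination port, TCP flags) as a sensor
# might log them. Flags: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
SAMPLE = [
    ("10.0.0.5", 22, "S"), ("10.0.0.5", 80, "S"), ("10.0.0.5", 443, "S"),
    ("10.0.0.5", 8080, "S"), ("10.0.0.5", 3306, "S"), ("10.0.0.5", 25, "S"),
    ("10.0.0.7", 80, "FPU"), ("10.0.0.7", 443, "FPU"),   # Xmas tree probes
    ("10.0.0.9", 22, ""), ("10.0.0.9", 23, ""),          # Null probes
    ("10.0.0.11", 80, "A"), ("10.0.0.11", 443, "A"),     # two bare ACKs
    ("192.168.1.20", 80, "S"), ("192.168.1.20", 80, "A"),  # normal client
]

def classify(flags):
    """Map a TCP flag string to the probe type named on the slides."""
    f = set(flags)
    if f == set():
        return "null-scan"
    if f == {"F"}:
        return "fin-scan"
    if f == {"F", "P", "U"}:
        return "xmas-scan"
    if f == {"S"}:
        return "syn"   # SYN scan or the start of a legitimate connection
    if f == {"A"}:
        return "ack"   # ACK scan or ordinary established traffic
    return "other"

def detect_scans(records, port_threshold=5):
    """Return {source: verdict}. Protocol-violating probes (Null/FIN/Xmas) are
    suspicious on sight; SYN and ACK probes only when one source hits many
    distinct ports, since single SYNs and ACKs are normal traffic."""
    per_src = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in records:
        per_src[src][classify(flags)].add(dport)
    verdicts = {}
    for src, kinds in per_src.items():
        for kind in ("null-scan", "fin-scan", "xmas-scan"):
            if kinds.get(kind):
                verdicts[src] = kind
                break
        else:
            ports = kinds.get("syn", set()) | kinds.get("ack", set())
            if len(ports) >= port_threshold:
                verdicts[src] = "port-sweep"
    return verdicts
```

Run on the sample, the sweep source and the two protocol-violating sources are flagged while the normal client and the two-port ACK source are not.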
8
Scanning
Additional objectives:
• Decoys -- insert false IP addresses in scan packets
• Ping Sweeps -- identify active hosts on a target network
• Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)
9
Scanning
Objective 3: Operating System Detection
Why: To determine which operating system is in use in order to exploit known vulnerabilities.
• Also known as TCP stack fingerprinting.
• Takes advantage of the ambiguity in the RFCs about how to handle illegal combinations of TCP code bits.
• Each OS responds to illegal combinations in different ways.
• Determine OS by system responses.
10
OS detection
Window Size: Most Unix operating systems keep the window size the same throughout a session. Windows operating systems tend to change the window size during a session.
Time to Live: FreeBSD and Linux typically use 64; Windows typically uses 128.
Do Not Fragment Flag: Most operating systems leave it set; OpenBSD leaves it unset.
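The three header properties above can be applied passively to observed traffic. As an added example (not from the lecture), this function rounds the observed TTL back to a common initial value and combines it with the DF flag and window-size stability using exactly the slide's heuristics; the session record format and sample sessions are constructed.

```python
# Added example (not from the lecture): passive OS inference from TTL,
# Do-Not-Fragment flag and window-size stability, per the slide's heuristics.

INITIAL_TTLS = (64, 128, 255)  # common initial TTL values set by the sender

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value. Each hop
    decrements TTL by one, so 59 most likely started at 64. Assumes fewer
    than 64 hops, otherwise the rounding is ambiguous."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return None

def guess_os(session):
    """session: list of {'ttl', 'df', 'window'} dicts for packets from one
    host. Returns a best-effort OS family using the slide's three rules."""
    if not session:
        return "unknown"
    ttl0 = initial_ttl(session[0]["ttl"])
    window_varies = len({p["window"] for p in session}) > 1
    df_always_set = all(p["df"] for p in session)
    if ttl0 == 128 and window_varies:
        return "Windows"            # TTL 128 and window changes mid-session
    if ttl0 == 64 and not df_always_set:
        return "OpenBSD"            # Unix-like TTL but DF left clear
    if ttl0 == 64 and not window_varies:
        return "Linux/FreeBSD"      # TTL 64, constant window, DF set
    return "unknown"                # evidence does not fit one rule cleanly

# Constructed sample sessions; TTLs are already decremented by a few hops.
SAMPLE_SESSIONS = {
    "host-a": [{"ttl": 121, "df": True, "window": 65535},
               {"ttl": 121, "df": True, "window": 64240},
               {"ttl": 121, "df": True, "window": 63000}],
    "host-b": [{"ttl": 59, "df": True, "window": 5840},
               {"ttl": 59, "df": True, "window": 5840}],
    "host-c": [{"ttl": 61, "df": False, "window": 16384},
               {"ttl": 61, "df": False, "window": 16384}],
}
```

These heuristics are coarse; a real fingerprinting engine combines many more probes and responses before committing to a guess.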
11
Nmap: Network Exploration Tool
Purpose: “To allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.”
Available at: http://www.insecure.org/nmap/
13
Nmap: How does it work?
Uses the following scan techniques:
• UDP
• TCP connect()
• TCP SYN (half open)
• ftp proxy (bounce attack)
• Reverse-Identification
• ICMP (ping sweep)
• FIN
• ACK sweep
• Xmas Tree
• SYN sweep
• IP Protocol
• Null Scan
14
Nmap: How does it work?
• Uses the following OS detection and scanning techniques:
• TCP/IP fingerprinting
• stealth scanning
• dynamic delay and retransmission calculations
• parallel scanning
• detection of down hosts via parallel pings
• decoy scanning
• port filtering detection
• direct (non-port mapper) RPC scanning
• fragmentation scanning
• flexible target and port specification
15
Scanning Vulnerability Assessment (1)
Objective 4: Vulnerability Assessment
Why: To determine what known (or unknown?) vulnerabilities exist on a given network
Vulnerabilities come from:
• Default configuration weakness
• Configuration errors
• Security holes in applications and protocols
• Failure to implement patches!
16
Vulnerability Assessment
Vulnerability checkers use:
• Database of known vulnerabilities
• Configuration tool
• Scanning engine
• Knowledge base of current scan
• Report generation tool
17
Scanning tool: Nessus
Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “A software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.”
Available platforms: UNIX for client and server; Windows for client only
Available at: http://www.nessus.org/
18
Nessus: What does it do?
• Iteratively tests a target system (or systems) for known exploitation vulnerabilities
• Uses a separate plug-in (written in C or in the Nessus Attack Scripting Language, NASL) for each security test
• Can test multiple hosts concurrently
• Produces a thorough vulnerability assessment report at the conclusion of the vulnerability scan
19
What does Nessus check for?
• Backdoors
• CGI abuses
• Denial of Service
• Finger abuses
• FTP
• Gain a shell remotely
• Gain root remotely
• Port scanners
• Remote file access
• RPC
• SMTP problems
• Useless services
• Windows
• and more...
20
Scanning tool: Superscan4 (windows XP)
Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “Superior scanning speed, support for unlimited IP ranges, improved host detection using multiple ICMP methods, TCP SYN scanning, UDP scanning (two methods), IP address import supporting ranges and CIDR formats, simple HTML report generation, source port scanning, fast hostname resolving, extensive banner grabbing, massive built-in port list description database, IP and port scan order randomization, a selection of useful tools (ping, traceroute, Whois etc.), extensive Windows host enumeration capability.”
21
Lab Enhancements
What corrections and/or improvements do you suggest for this lab? Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like “add tool xyz to do more capable scanning” will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus, if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do: add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements.
[Network diagram: GTISC Mini-Net, Version 11, August 6, 2004. The lab topology shows the autonomous systems “BAD ISP” (AS 64700), “GOOD ISP” (AS 64600), “UNIVERSITY” (AS 64900), “ENTERPRISE” (AS 64800), “TIER 1 - Sigma” (AS 64515) and “TIER 1 - omega” (AS 64514), each with its Cisco routers, web and DNS servers, NETWORK/MASK:VLAN assignments and routing protocols (EBGP, IBGP, OSPF, RIP), plus a honeynet with XP and Redhat honeypots. The per-interface address tables are not reproduced here.]