DefCon: Network Mapping Techniques – Simple Nomad, Nomad Mobile Research Centre, BindView Corporation
Slide 1: DefCon: Network Mapping Techniques
Simple Nomad
Nomad Mobile Research Centre
BindView Corporation
Slide 2: About This Presentation
Assume basics
– Understand IP addressing
– Understand basic system administration
Tools
– Where to find them
– Basic usage
A “Network” point of view
Slide 3: About Me
NMRC: http://www.nmrc.org/
BindView: http://razor.bindview.com/
Slide 4: Know Your Target
Public information
Network enumeration
Network mapping
Slide 5: Public Information
Public records
WHOIS
DNS
Public postings
Slide 6: Network Enumeration
Goals of network enumeration
ICMP
Scanning
TCP Fingerprinting
Additional Probes
Slide 7: ICMP
Sweeping a network with Echo
Typical alternates to ping
– Timestamp
– Info Request
Advanced ICMP enumeration
– Host or port unreachable with illegal header length
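A defender's counterpart to the three sweep types on this slide, as an added example that is not part of the deck: group ICMP requests by source and type and report sources that touch many hosts, rating timestamp and info-request sweeps higher than echo because they have almost no legitimate use. The packet summary lines are constructed, not a real capture.

```python
"""ICMP sweep detector for the three probe types on the slide: echo (type 8),
timestamp (13) and info request (15). Added example, not from the deck; the
packet summary lines are constructed, not a real capture."""
from collections import defaultdict

ICMP_NAMES = {8: "echo request", 13: "timestamp request", 15: "info request"}

# Constructed summary lines: "<src> > <dst> icmp type=<t> code=<c>"
SAMPLE_LOG = """\
198.51.100.7 > 192.0.2.23 icmp type=13 code=0
198.51.100.7 > 192.0.2.26 icmp type=13 code=0
198.51.100.7 > 192.0.2.52 icmp type=13 code=0
198.51.100.7 > 192.0.2.53 icmp type=13 code=0
198.51.100.7 > 192.0.2.58 icmp type=13 code=0
192.0.2.23 > 198.51.100.7 icmp type=14 code=0
203.0.113.5 > 192.0.2.10 icmp type=8 code=0
203.0.113.5 > 192.0.2.10 icmp type=8 code=0
203.0.113.5 > 192.0.2.10 icmp type=8 code=0
192.0.2.10 > 203.0.113.5 icmp type=0 code=0
"""

def parse_line(line):
    """Return (src, dst, icmp_type), or None for a line in another format."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != ">" or parts[3] != "icmp":
        return None
    return parts[0], parts[2], int(parts[4].split("=")[1])

def find_sweeps(log_text, min_targets=4):
    """Count distinct destinations per (source, request type); report sources
    that probed at least min_targets hosts. Replies (types 0/14/16) and other
    ICMP types are ignored: they are not evidence of a sweep."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] not in ICMP_NAMES:
            continue
        src, dst, typ = rec
        targets[(src, typ)].add(dst)
    alerts = []
    for (src, typ), dsts in targets.items():
        if len(dsts) >= min_targets:
            severity = "medium" if typ == 8 else "high"  # 13/15: rarely legitimate
            alerts.append((src, ICMP_NAMES[typ], len(dsts), severity))
    return sorted(alerts)
```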
Slide 8: Scanning
Why scan?
Nmap – de facto standard
– Ping sweeps
– Port scanning
– Additional features
Slide 9: TCP Fingerprinting
Several different types of packets sent
Various responses come back
Differences can determine OS of remote system
Using just ICMP is possible
Slide 10: Additional Probes
Possible security devices
Sweep for promiscuous devices
Slide 11: Network Mapping
Determine network layout
Traceroute
Firewalk
Slide 12: Bypassing the Firewall
Tools
– Firewalk
– Nmap
Common ports
State table manipulation
Slide 13: Avoiding Intrusion Detection
Manipulation of “detected” data
Use of fragmented packets
Triggering false positive, or distraction
Slide 14: Connecting the Dots
View each step as a small part of a big picture
Each step is important
Data could be stored for later use
Slide 15: Example Intrusion
WHOIS
– DNS server names
Traceroute
DNS zone dump
Host enumeration
Public systems
Initial port scanning
Slide 16: WHOIS
# whois [email protected]

Whois Server Version 1.1

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: TARGET-COMPANY.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: NS1.TARGET-COMPANY.COM
Name Server: NS2.TARGET-COMPANY.COM
Updated Date: 06-dec-1999

>>> Last update of whois database: Mon, 20 Mar 00 03:35:14 EST <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
Slide 17: Traceroute
# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms 17.173 ms
9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms 248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306 ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms
Slide 18: Traceroute
# traceroute ns2.target-company.com
traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 1.770 ms 2.993 ms 0.892 ms
2 s1-0-17-access (209.197.224.73) 15.440 ms 13.571 ms s1-0-1-access (209.197.224.69) 4.896 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 3.929 ms 6.251 ms 15.821 ms
4 FE-0.core2.fastlane.net (209.197.224.66) 20.674 ms 15.367 ms 16.170 ms
5 hs-9-0.a09.dllstx01.us.ra.verio.net (204.214.10.113) 5.514 ms 14.367 ms 8.203 ms
6 ge-5-0-0.a10.dllstx01.us.ra.verio.net (199.1.141.10) 8.019 ms 20.183 ms 16.466 ms
7 g6-0.dfw2.verio.net (129.250.31.49) 16.513 ms 17.351 ms 6.854 ms
8 core4-atm-uni0-0-0.Dallas.cw.net (204.70.10.77) 24.335 ms 16.087 ms 17.605 ms
9 core2-fddi-0.Dallas.cw.net (204.70.114.49) 6.875 ms 14.039 ms 14.483 ms
10 border6-fddi-0.Dallas.cw.net (204.70.114.66) 146.605 ms 21.045 ms 110.419 ms
11 target-company-inet.Dallas.cw.net (204.70.xxx.xxx) 83.331 ms 34.530 ms 21.363 ms
12 ns1.target-company.com (xxx.xx.x.x) 18.105 ms 13.290 ms 29.042 ms
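The two traces above are what the deck later turns into the "cw" and "swb" Internet routers on its network map: the last hop owned by someone other than the target is the provider's customer-facing router. As an added example (not the deck's code), this parser recovers that hop automatically and copes with load-balanced hops that list two routers, hops with no reverse DNS, and non-responding "* * *" hops. SAMPLE_TRACE is constructed from abbreviated, partly rearranged pieces of the traces above.

```python
"""Parse traceroute output and pick out the provider router in front of the
target, the step the deck uses to label the 'cw' and 'swb' Internet routers.
Added example, not the deck's code; SAMPLE_TRACE is constructed from
abbreviated pieces of the two traces above."""
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"(\S+)\s+\(([\d.x]+)\)")  # "name (addr)", one per router

SAMPLE_TRACE = """\
traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets
 1 fw-gw (209.197.192.1) 1.770 ms 2.993 ms 0.892 ms
 2 s1-0-17-access (209.197.224.73) 15.440 ms s1-0-1-access (209.197.224.69) 4.896 ms
 3 dallas.tx.core1.fastlane.net (209.197.224.1) 3.929 ms 6.251 ms 15.821 ms
 7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
 9 core2-fddi-0.Dallas.cw.net (204.70.114.49) 6.875 ms 14.039 ms 14.483 ms
10 * * *
11 target-company-inet.Dallas.cw.net (204.70.xxx.xxx) 83.331 ms 34.530 ms 21.363 ms
12 ns2.target-company.com (xxx.xx.x.x) 18.105 ms 13.290 ms 29.042 ms
"""

def parse_trace(text):
    """Return (target_name, [(hop, [(name, addr), ...]), ...]). A hop may list
    several routers (load-balanced path, hop 2) or none ('* * *', hop 10)."""
    lines = text.splitlines()
    head = re.match(r"traceroute to (\S+)", lines[0])
    hops = []
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), HOST_RE.findall(m.group(2))))
    return (head.group(1) if head else None), hops

def domain_of(name):
    """Owner approximation: the last two DNS labels."""
    labels = name.split(".")
    return ".".join(labels[-2:])

def upstream_router(text):
    """Last responding router before the first hop inside the target's own
    domain, i.e. the provider's customer-facing router: (hop, name, addr)."""
    target, hops = parse_trace(text)
    last = None
    for hop, routers in hops:
        for name, addr in routers:
            # name == addr means no reverse DNS: the owner cannot be read off,
            # but the hop still counts as the most recent responding router
            if name != addr and domain_of(name) == domain_of(target):
                return last
            last = (hop, name, addr)
    return last
```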
Slide 19: DNS Zone Dump
# nslookup
Default Server: vortex.fastlane.net
Address: 209.197.192.7

> server ns1.target-company.com
Default Server: ns1.target-company.com
Address: xxx.xx.xx.xx

> ls -a TARGET-COMPANY.COM > dump.txt
[ns1.target-company.com]
########## [progress marks trimmed]
Received 40773 answers (0 records).
>
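The nslookup `ls` above is a zone transfer (AXFR), and a name server that answers it to anyone hands out its whole zone, as the 40773 answers show. One defensive check, added here and not part of the deck: scan a BIND-9-style query log for AXFR/IXFR requests from anything other than the known secondaries. The log lines and the secondary addresses are constructed; the fix on the server side is BIND's `allow-transfer` restricted to those secondaries, which this script tells you whether you need.

```python
"""Flag zone-transfer (AXFR/IXFR) requests from hosts that are not our
secondaries. Added example; the log lines are constructed in a BIND-9-like
query-log format and the secondary addresses are hypothetical."""
import ipaddress
import re

# Secondaries allowed to pull the zone (hypothetical addresses).
ALLOWED_SECONDARIES = [ipaddress.ip_network("192.0.2.53/32"),
                       ipaddress.ip_network("198.51.100.0/24")]

# "client [@0x...] <src>#<port> (<zone>): query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

SAMPLE_LOG = """\
client 192.0.2.53#42001 (target-company.com): query: target-company.com IN AXFR -T (192.0.2.2)
client 203.0.113.9#51000 (www.target-company.com): query: www.target-company.com IN A -E (192.0.2.2)
client 203.0.113.9#51002 (target-company.com): query: target-company.com IN AXFR -T (192.0.2.2)
client 203.0.113.9#51003 (target-company.com): query: target-company.com IN IXFR -T (192.0.2.2)
client @0x7f3c1c0 198.51.100.7#40022 (target-company.com): query: target-company.com IN AXFR -T (192.0.2.2)
"""

def is_allowed(src):
    """True if src falls inside one of the secondary networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SECONDARIES)

def unauthorized_transfers(log_text):
    """Return [(src, zone, qtype)] for every AXFR/IXFR request from a host
    that is not a secondary; ordinary queries (A, MX, ...) are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") not in ("AXFR", "IXFR"):
            continue
        if not is_allowed(m.group("src")):
            hits.append((m.group("src"), m.group("qname"), m.group("qtype")))
    return hits
```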
Slide 20: Host Enumeration
# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up
Slide 21: Public Systems
www.target-system.com
– www2, www3
ftp.target-system.com
mail.target-system.com
Slide 22: Scanning
# nmap -O -T Polite -n xxx.xx.17.11

Starting nmap V. 2.3BETA14 by [email protected] ( www.insecure.org/nmap/ )
Interesting ports on (xxx.xx.17.11):
Port    State   Protocol  Service
21      open    tcp       ftp
23      open    tcp       telnet
25      open    tcp       smtp
79      open    tcp       finger
110     open    tcp       pop-3
113     open    tcp       auth
143     open    tcp       imap2

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
Remote operating system guess: Linux 2.0.35-37

Nmap run completed -- 1 IP address (1 host up) scanned in 625 seconds

# nmap -O xxx.xx.17.11

Starting nmap V. 2.3BETA14 by [email protected] ( www.insecure.org/nmap/ )
No ports open for host (xxx.xx.17.11)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
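The two runs above differ only in timing: -T Polite took 625 seconds, the default run 5. On the detection side that matters because a port-scan detector keyed on distinct destination ports per source within a short window sees the fast run and misses the polite one unless it also keeps a long window. The example below (added here, not the deck's code) shows that on constructed connection-log lines for both scan speeds.

```python
"""Port-scan detection by distinct destination ports per source within a
sliding time window, run against a fast and a polite scan of the same seven
ports. Added example; the connection-log lines are constructed."""
from collections import defaultdict

PORTS = (21, 23, 25, 79, 110, 113, 143)  # the ports found open on the slide
# Constructed lines: "<seconds> <src> <dst>:<port> SYN"
FAST = ["%.1f 203.0.113.5 192.0.2.11:%d SYN" % (0.2 * i, p)
        for i, p in enumerate(PORTS)]            # all 7 probes in ~1 second
POLITE = ["%.1f 198.51.100.7 192.0.2.11:%d SYN" % (90.0 * i, p)
          for i, p in enumerate(PORTS)]          # one probe every 90 seconds
SAMPLE_LOG = "\n".join(sorted(FAST + POLITE, key=lambda l: float(l.split()[0])))

def parse(line):
    """Return (time, src, dst_host, dst_port) from one constructed log line."""
    t, src, dst, _flag = line.split()
    host, port = dst.rsplit(":", 1)
    return float(t), src, host, int(port)

def scan_sources(log_text, window, min_ports):
    """Sources that touch >= min_ports distinct ports on one host within any
    `window` seconds. Only the first probe of each port counts, so repeated
    SYNs to one port (retransmits) never look like a scan."""
    first_seen = defaultdict(dict)  # (src, host) -> {port: first time}
    for line in log_text.splitlines():
        t, src, host, port = parse(line)
        first_seen[(src, host)].setdefault(port, t)
    hits = set()
    for (src, host), ports in first_seen.items():
        times = sorted(ports.values())
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1              # slide the window start forward
            if hi - lo + 1 >= min_ports:
                hits.add(src)
                break
    return sorted(hits)
```

A 5-second window with a threshold of 5 ports catches only the fast source; a 900-second window catches both, at the cost of more state per source.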
Slide 23: More Scanning
# nmap -F -sS -v -v -n firewall.target-system.com
Starting nmap V. 2.3BETA14 by [email protected] ( www.insecure.org/nmap/ )
Host (xxx.xx.49.17) appears to be up ... good.
Initiating SYN half-open stealth scan against (xxx.xx.49.17)
Adding TCP port 189 (state Firewalled).
The SYN scan took 270 seconds to scan 1047 ports.
Interesting ports on (xxx.xx.49.17):
Port State Protocol Service
139 filtered tcp netbios-ssn
161 filtered tcp snmp
189 filtered tcp qft
256 filtered tcp rap
257 filtered tcp set
258 filtered tcp yak-chat
Nmap run completed -- 1 IP address (1 host up) scanned in 273 seconds
Slides 24–30: Network Mapping (one diagram, built up across the slides)
Internet Routers: cw, swb
Firewall
DMZ: www, ftp
VPN
Hosts Inside DMZ: Sun, Linux, NT
Labels added on the final slide:
– Linux 2.0.38 – xxx.xx.48.2
– AIX 4.2.1 – xxx.xx.48.1
– Checkpoint Firewall-1, Solaris 2.7 – xxx.xx.49.17
– Checkpoint Firewall-1, Nortel VPN – xxx.xx.22.7
– Cisco 7206 – 204.70.xxx.xxx
– Nortel CVX1800 – 151.164.x.xxx
– IDS?
Basic Distributed Attack Models
Attacks that do not require direct observation of the results
Attacks that require the attacker to directly observe the results
Slide 32: Basic Model (diagram)
Client – issues commands
Server – processes commands to agents
Agent – carries out commands
Slide 33: More Advanced Model (diagram)
Attacker – sends forged ICMP Timestamp Requests to the Target
Target – returns ICMP Timestamp Replies
Attacker – obtains them as Sniffed Replies
Slides 34–40: Even More Advanced Model (one diagram, built up across the slides)
Target, behind a Firewall
Upstream Host
Master Node controlling three Attack Nodes
Attacks or Probes – from the Attack Nodes to the Target
Replies – from the Target, past the Firewall, toward the Upstream Host
Sniffed Replies – picked up at an Attack Node and returned to the Master Node
Slide 41: (Mostly) Free Stuff
HackerShield RapidFire Update 208
– With SANS Top Ten checks, including comprehensive CGI scanner
– http://www.bindview.com/products/hackershield/index.html
VLAD the Scanner
– Freeware open-source security scanner, including same CGI checks as HackerShield
– Focuses only on SANS Top Ten
– http://razor.bindview.com/tools/index.shtml
Despoof
– Detects possible spoofed packets through active queries against suspected spoofed IP address
– http://razor.bindview.com/tools/index.shtml
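Despoof's idea above, and the forged-timestamp-request model on slide 33, come down to one check: the IP TTL of a suspect packet implies how far away its claimed source is, and an active probe of that address (ping or traceroute) measures the real distance; a forged source usually fails to match. The example below is added here and is not Despoof's code; the measured hop counts are a constructed table standing in for the live probe, and the initial-TTL guess (64/128/255) is the usual heuristic, so unusual stacks can misclassify.

```python
"""Despoof-style spoof check: infer the claimed source's distance from the
observed IP TTL, compare with the distance an active probe measured.
Added example, not Despoof's code; MEASURED_HOPS is a constructed table that
stands in for a live ping/traceroute of each address."""

INITIAL_TTLS = (64, 128, 255)  # common OS defaults; a heuristic, not a fact

def infer_hops(observed_ttl):
    """Hops travelled = nearest initial TTL at or above the observed value,
    minus the observed value. None for a TTL outside 1..255."""
    if not 0 < observed_ttl <= 255:
        return None
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl

def looks_spoofed(observed_ttl, measured_hops, tolerance=2):
    """True when the TTL-derived distance and the probed distance disagree by
    more than `tolerance` hops (asymmetric routes justify some slack).
    None when no decision is possible (bad TTL or no answer from the probe)."""
    inferred = infer_hops(observed_ttl)
    if inferred is None or measured_hops is None:
        return None
    return abs(inferred - measured_hops) > tolerance

# Constructed: hop count an active probe reported for each claimed source
# (None = the address did not answer, so nothing can be concluded).
MEASURED_HOPS = {"198.51.100.7": 12, "203.0.113.5": 4, "192.0.2.200": None}

# Constructed suspect packets: (claimed source, observed TTL)
SUSPECTS = [("198.51.100.7", 52),    # 64 - 52 = 12 hops, agrees with probe
            ("203.0.113.5", 116),    # 128 - 116 = 12, probe says 4: spoofed
            ("192.0.2.200", 240)]    # probe got no answer: undecided

def check_all(suspects=SUSPECTS, probe=MEASURED_HOPS.get):
    """Map each claimed source to True (spoofed), False (consistent) or None.
    `probe` is any callable returning measured hops; here the constructed table."""
    return {src: looks_spoofed(ttl, probe(src)) for src, ttl in suspects}
```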
Slide 42: Questions, etc.
Thanks to:
– Ofir Arkin
– Donald McLachlan
For followup:
– http://www.nmrc.org/
– http://razor.bindview.com/
– [email protected]
– [email protected]