What did we cover in the previous lectures? We covered footprinting, but footprinting does not aim to gain direct access to the target system. So in the final part of the series we look at methods of examining the target system directly:
- is the system alive (network ping check)
- list of running services
- OS type/version
- protocol stack version.
Purpose: find out which IP addresses have live hosts on them. There is no point in examining an empty address in detail!
Network Ping sweep:
- ARP Host discovery
- ICMP Host discovery
- OS Utilities
- Network discovery tools
- TCP/UDP Host discovery
ARP Host discovery - 1
Address Resolution Protocol:
- Works on top of layer 2, in parallel with network layer
- Has its own ethertype value
- Needed for “plug-and-play” autoconfiguration and mobility
- Request is broadcast to all hosts on LAN
- Host with matching address is required to respond
- Attacker needs to be on same LAN
ARP Host discovery - 2
Nmap by Fyodor (nmap.org):
- De facto tool of choice
- Works on Linux, Windows, Mac
- Does much more than ARP scanning
- ARP scan through -PR <CIDR address> option
- Turn off port scan using -sn option
- Reports IP address, MAC address, OUI's name, and latency
CAIN (oxid.it/cain.html):
- Windows tool
- Does much more than ARP scanning
- GUI-based tool
Limitations of ARP scanning: targets on distant network segments.
ICMP Host discovery - 1
Internet Control Message Protocol (ICMP) intended uses:
- Diagnostics and troubleshooting needed on the internet
- ICMP used for diagnostics, error reporting, management, etc.
Some ICMP messages:
- Echo request/reply (ping)
- Destination unreachable
- Source quench
- Redirect
- Time exceeded (TTL reached 0)
- Timestamp/reply (used in enumeration)
- Information request/reply
- Address mask request/reply (used in enumeration)
ICMP Host discovery - 2
OS ping utility uses ICMP echo request/reply messages:
- If a host receives an echo request, it must reply
- Can also be used in a smurf attack (via broadcast)
Host may be configured not to respond to echo requests, but may still respond to other ICMP messages.
Network discovery tools - 1
Nmap:
- Beside ICMP ping sweep also does ARP sweep and TCP pings
- Limit activity (to avoid detection by IDS) using -sn (no port scan), -PE (use echo request), and --send-ip (no ARP scan)
- If on different subnet, --send-ip not needed
- Individual and CIDR subnet addressing
- Gives responding host IP, MAC, OUI name, latency
- Has -PM option for address mask and -PP option for timestamp, in case the host is configured to ignore ECHO REQUEST messages
Network discovery tools - 2
nping (ships with nmap):
- Select flags, message types
- Spoof source address (IP and MAC)
- Set number of messages to send
Superscan:
- Windows tool
- Free from Foundstone
- Fast ping sweep
- GUI with options for echo request, timestamp, address mask, and information request messages
- Also supports UDP and TCP port scans and more
- Can give HTML output
TCP/UDP Host discovery - 1
Especially useful when ICMP responses are limited.
Servers provide services over network:
- Must be able to take clients
- May be open through firewall
May have to probe multiple ports to find open service:
- Any response indicates host is alive
- More probing = higher visibility to IDS
Local hosts (not servers) may also have services:
- File sharing
- Remote desktop
- Management tools
- Often have local firewall
TCP/UDP Host discovery - 2
nmap:
- -sn option also includes port 80 (www)
- -Pn option: skip host discovery and probe the 1000 common ports
- -p <portnumber> option to specify one particular port
- --open option to suppress IP addresses that don't respond
nping:
- Also provides port scan option
- Output noisier
superscan:
- Also provides options to probe particular ports or port ranges
- Can take file with list of IP addresses to scan
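The host-discovery techniques above (ARP sweep, ICMP echo sweep, TCP/UDP probing) all share one signature on the wire: a single source touching many distinct destination addresses in a short time. The following detector, an added example that is not part of the lecture, runs that logic over a constructed packet log; the timestamps, addresses and thresholds are assumptions.

```python
"""Detect host-discovery sweeps (ARP who-has, ICMP echo, TCP probes) in a
constructed packet log: one source touching many distinct destination
addresses in a short time window. Added example, not from the lecture."""
from collections import defaultdict


def detect_sweeps(events, window_s=10.0, min_targets=8):
    """events: iterable of (timestamp, src, dst, kind), kind being 'arp',
    'icmp-echo' or 'tcp'. Returns {src: {kind: max_distinct_targets}} for
    sources that contact >= min_targets distinct hosts within window_s."""
    by_src = defaultdict(list)
    for ts, src, dst, kind in sorted(events):
        by_src[(src, kind)].append((ts, dst))
    alerts = defaultdict(dict)
    for (src, kind), hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits in window_s
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= min_targets:
                alerts[src][kind] = max(alerts[src].get(kind, 0), len(distinct))
    return dict(alerts)


# Constructed sample: an ARP sweep of 14 addresses in 1.4 s, three slow ICMP
# pings, and a TCP probe sweep so slow that no 10 s window holds 8 targets.
SAMPLE = [(0.1 * i, "10.0.0.9", f"10.0.0.{i}", "arp") for i in range(1, 15)]
SAMPLE += [(float(t), "10.0.0.3", f"10.0.0.{t}", "icmp-echo") for t in (20, 40, 60)]
SAMPLE += [(8.0 * i, "10.0.0.4", f"10.0.0.{i}", "tcp") for i in range(1, 9)]

if __name__ == "__main__":
    for src, kinds in detect_sweeps(SAMPLE).items():
        print(f"{src}: sweep detected {kinds}")
```

Widening the window (or lowering the target threshold) trades false positives for catching slow sweeps, which is exactly the "more probing = higher visibility to IDS" balance the lecture describes.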
Determining services that are up
Port scanning:
- Send packets to TCP and UDP ports to find listening servers
- Find live hosts
- Determine which services are open
- Help identify OS type, version
- Identify specific applications/versions of particular service.
Scan Types - 1
TCP connect scan:
- Completes 3-way handshake
- Takes longer
- Can be run as regular user
TCP SYN scan (half-open scan):
- Sends SYN, waits for SYN-ACK
- SYN-ACK = open, RST = not open (usually)
- Stealthier
- Can produce a DoS effect on the target
TCP FIN scan:
- Sends FIN
- Should receive RST (see RFC 793)
- Usually works on Unix-based stacks
Scan Types - 2
TCP Xmas tree scan:
- Sends FIN, URG, and PUSH TCP packet
- Should receive RST on closed ports
TCP Null scan:
- Sends TCP segment with no flags set
- Should receive RST on closed ports
TCP ACK scan:
- Sends packet with ACK set
- Helps determine firewall policies, capabilities
TCP Window scan: looks at how rwnd is handled in the RST sent in reply to an ACK segment.
TCP RPC scan
UDP scan
Scan Types - 3
TCP RPC scan:
- Many Unix systems implement portmapper
- Used with RPC/RMI to find services
- Server registers service with portmapper (with pgm/version)
- Client contacts portmapper to request service, gets port
UDP scan:
- Connectionless
- Target sends ICMP “port unreachable” message if nothing is listening
- Port may be open if no error message is received
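Each TCP scan type in Scan Types 1 to 3 is defined by the flag combination it sends, so an IDS can label probes purely from the flags byte and then count how many distinct ports one source touched with each probe type. The classifier and detector below are an added example, not from the lecture; the packet records and the 10-port threshold are constructed assumptions.

```python
"""Classify TCP probes by flag combination (SYN, FIN, Xmas, Null, ACK) and
flag likely port scans in a constructed packet log. Added example, not from
the lecture."""
from collections import defaultdict

# TCP flag bits in header order (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Map a TCP flags byte to the scan type from the lecture it matches."""
    if flags == 0:
        return "NULL"
    if flags == FIN | URG | PSH:
        return "XMAS"
    if flags == FIN:
        return "FIN"
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    return "other"  # e.g. SYN|ACK, PSH|ACK from normal sessions


def detect_scans(packets, port_threshold=10):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags).
    Returns {src_ip: {scan_type: distinct_ports}} for every source that
    touched at least port_threshold distinct ports with one probe type."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        seen[src][classify_probe(flags)].add((dst, dport))
    result = {}
    for src, by_type in seen.items():
        hits = {t: len(p) for t, p in by_type.items()
                if t != "other" and len(p) >= port_threshold}
        if hits:
            result[src] = hits
    return result


# Constructed sample: a SYN scan of 20 ports, an Xmas scan of 12 ports, and
# one legitimate client completing a single handshake on 443.
SAMPLE = [("10.0.0.5", "10.0.0.1", p, SYN) for p in range(1, 21)]
SAMPLE += [("10.0.0.7", "10.0.0.1", p, FIN | URG | PSH) for p in range(20, 32)]
SAMPLE += [("10.0.0.9", "10.0.0.1", 443, SYN), ("10.0.0.9", "10.0.0.1", 443, ACK)]

if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE).items():
        print(src, hits)
```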
Identifying Services - 1
TCP SYN port scan using nmap:
- Use -sS option
- Use -oN <file> to save human readable output
- Use -oG <file> to save tab-delimited version
- Use -oX <file> to save XML
- -oA saves in all formats
- Lists open ports with nominal services
- -f option to fragment packets
  - Some firewalls will not reassemble fragments, just pass the packets
  - May make it harder for an IDS to detect the scan
- -D option provides decoy source addresses
  - Burdens the target with having to track down all the scans
  - Take care to use real IP addresses to avoid a SYN attack DoS
- -b option to use FTP bounce scanning
  - Uses older FTP servers to reflect packets
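The -oG output mentioned above is a tab-separated "Key: value" line per host, with each port written as port/state/proto/owner/service/rpc/version/. A parser for that layout is the usual first step when a defender audits their own scan results; the one below is an added example, not from the lecture or the nmap project, and the report text it reads is constructed.

```python
"""Parse nmap grepable (-oG) output and list the open ports per host.
Added example, not from the lecture; the report text below is constructed."""

# Field order of each entry in a 'Ports:' list, as written by nmap -oG
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_grepable(text):
    """Return {ip: [port records]} for every 'Host:' line with a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header/footer comment lines
        # tab-separated 'Key: value' fields
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        if "Ports" not in fields:
            continue  # 'Status: Up' lines carry no port list
        ports = []
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < len(PORT_FIELDS):
                continue
            rec = dict(zip(PORT_FIELDS, parts))
            rec["port"] = int(rec["port"])
            ports.append(rec)
        hosts[ip] = ports
    return hosts


def open_ports(text):
    """Flatten to (ip, port, proto, service) for every port in state 'open'."""
    return [(ip, p["port"], p["proto"], p["service"])
            for ip, plist in parse_grepable(text).items()
            for p in plist if p["state"] == "open"]


# Constructed sample in the -oG layout (fields are tab-separated)
SAMPLE = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 (srv.local)\tStatus: Up\n"
    "Host: 192.168.1.10 (srv.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, "
    "80/open/tcp//http//nginx 1.18/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: closed (999)\n"
)

if __name__ == "__main__":
    for ip, port, proto, svc in open_ports(SAMPLE):
        print(f"{ip}\t{port}/{proto}\t{svc}")
```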
Identifying Services - 2
SuperScan (Foundstone.com):
- Windows/GUI-based alternative to nmap
- Port scans in addition to ICMP and ARP scans
- Select port or port range to scan, and protocol
- Select special techniques for TCP, UDP
  - UDP data+ICMP method
  - Multiple UDP packets to a port
  - May overwhelm the target's ICMP response capability
  - Very accurate, but slow
ScanLine:
- Windows/command-line tool (also Foundstone)
- Single executable
- Easier to load onto compromised system
- Many options
Netcat (http://netcat.sourceforge.net/):
Older command-line tool that reads and writes data across network connections using TCP/IP
Detecting the OS - 1
Banner grabbing: a banner grabber connects to an open TCP port and prints out whatever the listening service sends, e.g.:
nmap -sS -sV -p 80 -v -n -Pn --script banner dst-IP
Available ports signature: some systems use particular ports for services.
Active Stack Fingerprinting:
- Responses to probes are implementation dependent
- Multiple types of probes used to narrow field
- See https://nmap.org/book/osdetect.html
- https://nmap.org/nmap-fingerprinting-article.txt
- https://nmap.org/misc/defeat-nmap-osdetect.html
Detecting the OS - 2
Active Stack Fingerprinting Probes
FIN probe: correct not to respond, but some send FIN/ACK
Bogus flag probe (in SYN packet): correct to ignore, but some set flag in SYN-ACK
Initial Sequence Number (ISN) sampling: patterns may be found in ISNs for connections that depend on OS
DF bit monitoring: some OSes may set DF in the IP header to improve performance
TCP initial window size: some systems have characteristic initial rwnd size
Note that rwnd is indication of buffer space at receiver, set by OS.
ACK value: may use last SN (less common) or last SN+1 (usual)
Detecting the OS - 3
ICMP error message quenching:
- Systems may limit the number of ICMP error messages (RFC 1812)
- Send UDP packets to random port, determine rate of ICMP unreachable port messages
ICMP message quoting:
- ICMP error messages include some initial portion of the offending datagram
- Amount of data included varies according to system
ICMP error message-echoing integrity: some systems change the IP headers quoted in ICMP error messages
TOS on ICMP port unreachable message: usually TOS=0, but may vary.
Fragmentation handling: observe how probe packets with overlapping fragments are reassembled
TCP options: which options set (e.g., RFC 793, or 1323 also) varies
Detecting the OS - 4
Passive OS Detection:
- Less obtrusive than active OS fingerprinting
- Monitor traffic to/from target: requires a favorable position
Passive signatures:
- TTL on outbound datagrams
- Initial window size (rwnd)
- DF (don't fragment) bit set?
- Siphon tool (packetstormsecurity.org)
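The three passive signatures listed above (TTL, initial rwnd, DF bit) can be read off any captured SYN; the observed TTL is rounded up to the nearest common starting value, which also yields the hop count. The matcher below is an added example, not the lecture's or Siphon's code: its signature table is a small constructed, illustrative set (verify against a current p0f-style database before relying on it), and the captured packets are constructed.

```python
"""Passive OS guess from the TTL, initial window size and DF bit of a
captured SYN, the three passive signatures listed in the lecture.
Added example, not from the lecture. The signature table is constructed
and illustrative; real tools (p0f, Siphon) keep far larger databases."""

# Starting TTL values that common operating systems use
INITIAL_TTLS = (64, 128, 255)
# Illustrative (initial_ttl, window, df) -> label
SIGNATURES = {
    (64, 64240, True): "Linux (recent kernel)",
    (64, 5840, True): "Linux (2.6-era kernel)",
    (64, 65535, True): "FreeBSD / macOS",
    (128, 8192, True): "Windows (7 / 2008 era)",
    (128, 65535, True): "Windows (10 / 2016 era)",
    (255, 4128, False): "Cisco IOS",
}
TTL_FAMILY = {64: "Linux/BSD-like", 128: "Windows-like", 255: "Cisco/Solaris-like"}


def initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common starting value."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    return 255


def hop_count(observed_ttl):
    """Hops travelled = assumed initial TTL minus what we observed."""
    return initial_ttl(observed_ttl) - observed_ttl


def guess_os(observed_ttl, window, df):
    key = (initial_ttl(observed_ttl), window, df)
    if key in SIGNATURES:
        return SIGNATURES[key]
    # No exact match: fall back to the TTL family alone
    return f"unknown ({TTL_FAMILY[key[0]]}, window={window}, df={df})"


def fingerprint_all(packets):
    """packets: iterable of (src_ip, ttl, window, df) taken from captured SYNs."""
    return {src: (guess_os(ttl, win, df), hop_count(ttl))
            for src, ttl, win, df in packets}


# Constructed sample of observed SYN packets
SAMPLE = [("10.1.1.5", 58, 64240, True), ("10.1.1.6", 121, 8192, True),
          ("10.1.1.7", 250, 4128, False), ("10.1.1.8", 63, 29200, True)]

if __name__ == "__main__":
    for src, (label, hops) in fingerprint_all(SAMPLE).items():
        print(f"{src}: {label}, {hops} hops away")
```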