Главная

Sunday, 26 June 2022

More on scanning and more.

Всем привет.

Чем мы занимались на прошлых лекциях? Мы занимались footprinting-ом, но footprinting не ставит перед собой целью получить доступ к целевой системе напрямую. Поэтому рассмотрим в финальной части цикла методы прямого исследование целевой системы:


  • жива ли система (проверка сетевого пинга)
  • перечень запущенных сервисов
  • тип/версия ОС
  • версия стека протоколов.


Determining if system is alive

Purpose: find out which IP addresses have live hosts on them. No point in detailed examination of empty address!

Network Ping sweep:

  • ARP Host discovery
  • ICMP Host discovery
  • OS Utilities
  • Network discovery tools
  • TCP/UDP Host discovery


ARP Host discovery - 1

Address Resolution Protocol:

  • Works on top of layer 2, in parallel with network layer
  • Has its own ethertype value
  • Needed for “plug-and-play” autoconfiguration and mobility
  • Request is broadcast to all hosts on LAN
  • Host with matching address is required to respond
  • Attacker needs to be on same LAN


ARP Host discovery - 2

Nmap by Fyodor (nmap.org):

  • De facto tool of choice 
  • Works on Linux, Windows, Mac
  • Does much more than ARP scanning
  • ARP scan through -PR <CIDR address> option
  • Turn off port scan using -sn option
  • Reports IP address, MAC address, OUI's name, and latency

CAIN (oxid.it/cain.html):

  • Windows tool
  • Does much more than ARP scanning
  • GUI-based tool

Limitations of ARP scanning: targets on distant network segments.


ICMP Host discovery - 1

Internet Control Message Protocol (ICMP) intended uses:

  • Diagnostics and trouble shooting needed on internet
  • ICMP used for diagnostics, error reporting, management, etc.

Some ICMP messages:

  • Echo request/reply (ping)
  • Destination unreachable
  • Source quench
  • Redirect
  • Time exceeded (TTL reached 0)
  • Timestamp/reply (used in enumeration) 
  • Information request/reply
  • Address mask request/reply (used in enumeration)


ICMP Host discovery - 2

OS ping utility uses ICMP echo request/reply messages:

  • If receive request, must reply
  • Can also be used in smurf attack (using broadcast)

Host may be configured not to respond to echo requests:

may still respond to other messages.


Network discovery tools - 1

Nmap:

  • Beside ICMP ping sweep also does ARP sweep and TCP pings
  • Limit activity (to avoid detection by IDS) using -sn (no port scan),  -PE (use echo request), and --send-ip (no ARP scan)
  • If on different subnet, --send-ip not needed
  • Individual and CIDR subnet addressing
  • Gives responding host IP, MAC, OUI name, latency
  • Has -PM option for address mask and -PP option for timestamp
  • In case host configured to ignore ECHO REQUEST messages


Network discovery tools - 2

hping3 and nping:

  • Select flags, message types
  • Spoof source address (IP and MAC) 
  • Set number of messages to send
  • nping ships with nmap

Superscan:

  • Windows tool
  • Free from Foundstone
  • Fast ping sweep
  • GUI with options for echo request, timestamp, address mask, and information request messages
  • Also supports UDP and TCP port scans and more
  • Can give HTML output


TCP/UDP Host discovery - 1

Especially useful when ICMP responses are limited.

Servers provide services over network:

  • Must be able to take clients
  • May be open through firewall

May have to probe multiple ports to find open service:

  • Any response indicates host is alive
  • More probing = higher visibility to IDS

Local hosts (not servers) may also have services:

  • File sharing
  • Remote desktop
  • Management tools
  • Often have local firewall


TCP/UDP Host discovery - 2

nmap:

  • -sn option also include port 80 (www)
  • -Pn option for 1000 common ports
  • -p <portnumber> option to specify one particular port
  • --open option to suppress IP addresses that don't respond

nping:

  • Also provides port scan option
  • Output noisier

superscan:

  • Also provides options to probe particular ports or port ranges
  • Can take file with list of IP addresses to scan


Determining services that are up

Port scanning: 

  • Send packets to TCP and UDP ports to find listening servers
  • Find live hosts
  • Determine which services are open
  • Help identify OS type, version
  • Identify specific applications/versions of particular service.


Scan Types - 1

TCP connect scan: 

  • Completes 3-way handshake
  • Takes longer
  • Can be run as regular user

TCP SYN scan (half-open scan):

  • Sends SYN, waits for SYN-ACK
  • SYN-ACK = open, RST = not open (usually)
  • Stealthier 
  • Can produce DOS attack on target

TCP FIN scan:

  • Sends FIN
  • Should receive RST (see RFC 793)
  • Usually works on Unix-based stacks


Scan Types - 2

TCP Xmas tree scan:

  • Sends FIN, URG, and PUSH TCP packet
  • Should receive RST on closed ports

TCP Null scan:

  • Sends TCP segment with no flags set
  • Should receive RST on closed ports

TCP ACK scan:

  • Sends packet with ACK set
  • Helps determine firewall policies, capabilities

TCP Windows scan: looks at how rwnd is handled with RST to ACK segment.

TCP RPC scan

UDP scan


Scan Types - 3

TCP RPC scan:

  • Many Unix systems implement portmapper
  • Used with RPC/RMI to find services 
  • Server registers service with portmapper (with pgm/version)
  • Client contacts portmapper to request service, gets port

UDP scan:

  • Connectionless
  • Send ICMP “port unreachable” message if not listening
  • May be up if error message not received


Identifying Services - 1

TCP SYN port scan using nmap:

  • Use -sS option
  • Use -oN <file> to save human readable output
  • Use -oG <file> to save tab-delimited version
  • Use -oX <file> to save XML
  • -oA saves in all formats
  • Lists open ports with nominal services
  • -f option to fragment packets
  • Some firewalls will not reassemble fragments, just pass packet
  • May make it harder for IDS to detect scan
  • -D option provides for decoy source addresses
  • Burdens target with having to track down all scans
  • Take care to use real IP addresses to avoid SYN attack DOS
  • -b option to use FTP bounce scanning
  • Uses older FTP servers to reflect packets

Identifying Services - 2

SuperScan (Foundstone.com): 

  • Windows/GUI-based alternative to nmap
  • Port scans in addition to ICMP and ARP scans
  • Select port or port range to scan, and protocol
  • Select special techniques for TCP, UDP
  • UDP data+ICMP method
  • Multiple UDP packets to a port
  • May overwhelm ICMP response capability
  • Very accurate, but slow

ScanLine:

  • Windows/command-line tool (also Foundstone)
  • Single executable
  • Easier to load onto compromised system
  • Many options


Netcat (http://netcat.sourceforge.net/):

Older, command-line tool - reads and writes data across network connections, using the TCP/IP protocol 


Detecting the OS - 1

Banner grabbing:

banner grabber which connects to an open TCP port and prints out anything sent by the listening service 

nmap -sS -sV -p 80 -v -n -Pn --script banner dst-IP 

Available ports signature: some systems use particular ports for services.

Active Stack Fingerprinting:

  • Responses to probes is implementation dependent
  • Multiple types of probes used to narrow field
  • See https://nmap.org/book/osdetect.html
  • https://nmap.org/nmap-fingerprinting-article.txt
  • https://nmap.org/misc/defeat-nmap-osdetect.html


Detecting the OS - 2

Active Stack Fingerprinting Probes

FIN probe: correct not to respond, but some send FIN/ACK

Bogus flag probe (in SYN packet): correct to ignore, but some set flag in SYN-ACK

Initial Sequence Number (ISN) sampling: patterns may be found in ISNs for connections that depend on OS

DF bit monitoring: some OS's may set DF in IP header to improve performance

TCP initial window size: some systems have characteristic initial rwnd size 

Note that rwnd is indication of buffer space at receiver, set by OS.


ACK value:

May use last SN (less common) or last SN+1 (usual)


Detecting the OS - 3

ICMP error message quenching:

  • Systems may limit the number of ICMP error messages (RFC 1812)
  • Send UDP packets to random port, determine rate of ICMP unreachable port messages

ICMP message quoting:

  • ICMP error messages include some initial portion of the offending datagram
  • Amount of data included varies according to system

ICMP error message-echoing integrity:

some systems change IP headers quoted in ICMP error messages

TOS on ICMP port unreachable message:

usually TOS=0, but may vary.

Fragmentation handling: observe how probe packets with overlapping fragments are reassembled

TCP options: which options set (e.g., RFC 793, or 1323 also) varies


Detecting the OS - 4

Passive OS Detection

- Less obtrusive than active OS fingerprinting

Monitor traffic to/from target: requires favorable position

Passive signatures:

  • TTL on outbound datagrams
  • Initial window size (rwnd)
  • DF (don't fragment) bit set?
  • Siphon tool (packetstormsecurity.org)

That's all. Good luck.

No comments:

Post a Comment

А что вы думаете по этому поводу?