Detecting active systems can involve more than just port scanning. Alternative techniques include wardialing, wardriving, and using Internet Control Message Protocol (ICMP). Wardialing was discussed in some detail in Chapter 3, ‘‘Passive Information Gathering,’’ so let’s start our conversation here with wardriving.
Wardriving
Wardriving is, in many ways, an updated form of wardialing. Wardriving is the act of driving around looking for open wireless access points. Besides wardriving, there can be war walking, war flying, and so on. The usual result of wardriving is to find and identify wireless access points. If you are employed by an organization, the goal may be to identify the signal strength of approved access points and pinpoint rogue access points. Even if the organization has secured its wireless access points, there is always the possibility that employees have installed their own access points without the company’s permission. Unsecured wireless access points can be a danger to organizations because, much like the modems of yesteryear, they offer an attacker a potential entryway onto the network. Most modern networks should have a variety of controls, including the following:
Firewalls— A type of network security barrier that is typically used to shield an organization’s users and assets from specific types of traffic.
VPNs— VPNs (virtual private networks) provide a secure channel of communications over a public network such as the Internet.
IDS— Intrusion detection systems provide a detective type of control of intrusion. An IDS can be designed to filter on anomalies or on specific patterns.
Encryption— The enciphering of clear text to prevent unauthorized eavesdropping of information to be transmitted or in storage.
Although most networks have firewalls, VPNs, IDSs, encryption, and more, all these controls can be negated by the simple act of an unknowing user installing a single wireless access point.
It’s not that wireless access points don’t have the ability to implement security; it’s just that the user may not implement security or may implement only weak security. One early wireless security measure for 802.11 networks was Wired Equivalent Privacy (WEP). The problem was that a flaw in the specification was discovered that allowed attackers to derive the secret key used to protect traffic. While updates were made, it did take some time.
Eventually, Wi-Fi Protected Access (WPA) was created to address issues with WEP. Other security mechanisms are being developed or have been deployed for various wireless protocols. I’ll cover these more in Chapter 9, ‘‘Securing Wireless Systems.’’
Individuals wishing to discover wireless networks and measure their effective strength against intrusion can use a host of security tools released for Windows and Linux. The value of these tools to you is that they offer a way to find and identify systems. Attackers must identify that a system is live and online before any type of attack is carried out.
Now, let’s turn our attention to a more basic method that can be used to determine whether a system is active. This is the process of using an ICMP ping.
ICMP (Ping)
ICMP is short for Internet Control Message Protocol. ICMP is part of the Department of Defense (DoD) TCP/IP protocol suite. It is defined in RFC 792.
RFCs are Requests for Comments. An RFC can be thought of as a series of notes that define how a specific protocol or application functions. These are managed by the Internet Engineering Task Force (IETF). You can access an index of all RFCs at www.ietf.org/rfc.html. ICMP was designed to aid in network diagnostics and to send error messages. Let’s spend a little time discussing how ICMP works and what it was designed to do.
ICMP gives TCP/IP a way to handle errors. Any network device that is using TCP/IP has the capability to send, receive, or process ICMP messages.
For ICMP to work efficiently in a networked environment, some rules of operation must govern how ICMP works. As an example, to make sure that ICMP messages won’t flood the network, they are given no special priority.
ICMP messages are treated as normal traffic. Some devices might even see them as interruptions, so they can be lost or discarded. In addition, ICMP messages cannot be sent in response to other ICMP messages. This is another good design concept because otherwise you could have the situation where one error message creates another, and another, and another. Even if traffic is fragmented, ICMP messages are only sent for errors on the first fragment.
ICMP messages cannot be sent in response to multicast or broadcast traffic, nor can they be sent for traffic that is from an invalid address. By invalid, I mean zero, loopback, or multicast.
As mentioned earlier, the most common type of ICMP message is the ping.
Ping is a type of ICMP message that was designed to verify connectivity.
Table 4-1 shows some other basic types of ICMP messages.
Table 4-1 ICMP Common Types and Codes

TYPE    CODE    FUNCTION
0/8     N/A     Echo request/response
3       0-15    Destination unreachable
4       0       Source quench
5       0-3     Redirect
11      0-1     Time exceeded
12      0       Parameter fault
13/14   0       Time stamp request/response
17/18   0       Subnet mask request/response
Ping is found on just about every system running TCP/IP. While ping is a basic connectivity tool, it is useful for identifying active machines. Ping works by sending an echo request to a system and waiting for the target to send an echo reply back. An example of this is as follows:
C:\>ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time<10ms TTL=64
Reply from 192.168.1.254: bytes=32 time<10ms TTL=64
Reply from 192.168.1.254: bytes=32 time<10ms TTL=64
Reply from 192.168.1.254: bytes=32 time<10ms TTL=64
Ping statistics for 192.168.1.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
If the target device is unreachable, a request timeout is returned. You can see an example of this here where I pinged a firewalled host at 192.168.1.250:
C:\>ping 192.168.1.250
Pinging 192.168.1.250 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.250:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Therefore, ping is a useful tool for identifying active machines and for measuring the speed at which packets move from one host to another when the service is not blocked or filtered.
NOTE What’s in a ping packet? The contents of a ping packet vary. If you were to use a sniffer to examine the contents of a ping packet from a Windows computer, you would notice that the data in the ping packet is composed of the alphabet, which is unlike a Linux ping, which would contain numeric values. This is because the RFC that governs ping doesn’t specify what’s carried in the packet as payload. Vendors fill in this padding as they see fit.
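To make the echo request/reply exchange and the payload note concrete, here is an added Python example (not code from the book) that builds an RFC 792 echo request with its one's-complement checksum, decodes the header using the names from Table 4-1, and classifies the padding style. The Windows pattern is the real 32-byte alphabet sequence; the Linux-style payload is constructed here only to resemble the numeric padding the note describes.

```python
import struct

# Names from the book's Table 4-1 (echo reply/request split out by type number).
ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 4: "Source quench",
              5: "Redirect", 8: "Echo request", 11: "Time exceeded",
              12: "Parameter fault", 13: "Time stamp request", 14: "Time stamp response",
              17: "Subnet mask request", 18: "Subnet mask response"}

# Padding as the note describes it: Windows pads with the alphabet (a..w then a..i);
# the Linux-style payload is a constructed stand-in: 8-byte timestamp slot, then
# incrementing bytes.
WINDOWS_PAYLOAD = bytes(ord("a") + (i % 23) for i in range(32))
LINUX_PAYLOAD = bytes(8) + bytes(range(0x10, 0x10 + 48))

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 792 / RFC 1071)."""
    if len(data) % 2:            # odd length: pad with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0. Checksum covers header+payload with the field zeroed."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; an intact packet checksums to zero."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "unknown"),
            "checksum_ok": internet_checksum(packet) == 0,
            "id": ident, "seq": seq, "payload": packet[8:]}

def payload_style(payload: bytes) -> str:
    """Rough classification of the padding style the note describes."""
    if payload and all(0x61 <= b <= 0x7A for b in payload):
        return "alphabet"
    return "numeric"
```

Sending the packet would require a raw socket; the point here is the wire format, which a sniffer shows you exactly as this code lays it out.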
Figure 4-1 Angry IP Scanner configuration.
To ping a large number of hosts, a ping sweep is usually performed.
Programs that perform ping sweeps typically sweep through a range of devices to determine which ones are active. Angry IP Scanner is an example of one of the programs that can scan ranges of IP addresses. After you open the program, you will want to first configure the type of scan. Figure 4-1 shows the configurable options.
After configuring Angry IP Scanner, click the Start button to start the scan.
Figure 4-2 shows a completed scan.
Some other programs that will perform ping sweeps include the following:
Friendly Pinger—www.shareup.com/Friendly Pinger-download-5295.html
WS Ping ProPack—www.ipswitch.com/products/ws ping/index.asp
Pinger—http://packetstormsecurity.org/groups/rhino9
SuperScan—www.snapfiles.com/get/superscan.html
Figure 4-2 Angry IP Scanner completed scan.
Ping does have a few drawbacks. First, it only identifies that a particular system is active on the network. Ping does not identify which services are running. Second, many network administrators have now blocked ping and no longer allow it to pass the border (gateway) device. Finally, if ping is used from the command line, only one system at a time is pinged. Although ping may offer only limited information, there is still one other method that is considered the most reliable, and that is port scanning.
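Ping sweeps of the kind the tools above perform are noisy, and a border device that logs ICMP can reveal them. This added Python example (not from the book) runs simple detection logic over a constructed, simplified netfilter-style log: it keeps only echo requests (type 8) and flags any source that hits many distinct hosts within a short window. The log lines, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source probes six hosts in three seconds, one host
# gets a single legitimate ping, plus an echo reply and a TCP line as noise.
SAMPLE_LOG = """\
Mar 10 12:00:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0
Mar 10 12:00:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.2 PROTO=ICMP TYPE=8 CODE=0
Mar 10 12:00:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.3 PROTO=ICMP TYPE=8 CODE=0
Mar 10 12:00:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.4 PROTO=ICMP TYPE=8 CODE=0
Mar 10 12:00:03 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.5 PROTO=ICMP TYPE=8 CODE=0
Mar 10 12:00:03 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.6 PROTO=ICMP TYPE=8 CODE=0
Mar 10 12:00:05 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.168.1.20 PROTO=ICMP TYPE=8 CODE=0
Mar 10 12:00:05 gw kernel: IN=eth0 SRC=192.168.1.20 DST=198.51.100.4 PROTO=ICMP TYPE=0 CODE=0
Mar 10 12:00:06 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP SPT=40000 DPT=80
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) "
                    r"DST=(?P<dst>[\d.]+) PROTO=ICMP TYPE=8\b")

def parse_echo_requests(log_text: str) -> list:
    """Return (timestamp, src, dst) for every logged ICMP echo request (type 8)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:   # echo replies, other ICMP types and other protocols are skipped
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("src"), m.group("dst")))
    return events

def detect_sweeps(events: list, window_s: int = 60, min_hosts: int = 5) -> dict:
    """Map each source to the peak number of distinct hosts it echo-requested within
    any window_s-second window, keeping only sources that reach min_hosts."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        peak = 0
        for i, (ts, _) in enumerate(evs):
            start = ts - timedelta(seconds=window_s)
            recent = {d for t, d in evs[: i + 1] if t >= start}
            peak = max(peak, len(recent))
        if peak >= min_hosts:
            alerts[src] = peak
    return alerts
```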
IN THE LAB
The risks of attack grow once an attacker can identify an active system. As a security professional, your job is to balance access with the need to disable unneeded services and applications.
You can mitigate these risks by disabling services and by observing what an attacker can detect as open on any specific system. One way to get a good idea as to what is open on each of your systems is to check out Shields Up. This website can give you a report about services and applications.
In your lab, you will want to make sure that you have an active Internet connection. Next, go to www.grc.com/x/ne.dll?bh0bkyd2, the home of Shields Up. You will be prompted to proceed at this point to see what the Shields Up program can detect as open on your local machine. This examination can be completed on any of your active systems. Although the system I was using came back with no open services, the program was still able to pick up my IP and the provider. That information is shown here:
Your Internet connection’s IP address is adsl-72-153-149-120.dsl.hstntx.swbell.net.