CIT 380: Securing Computer Systems

Academic year: 2021

Port Scanning

Port scanning is a method of discovering potential input channels on a host by probing the TCP and UDP ports on which services

nmap TCP connect() scan

> nmap -sT scanme.nmap.org

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.11s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
1720/tcp filtered H.323/Q.931
9929/tcp open     nping-echo

TCP connect() scan

• Use connect() system call on each port, following normal TCP connection protocol (3-way handshake).
• connect() will succeed if port is listening.
• Advantages: fast, requires no privileges
• Disadvantages: easily detectable and

TCP SYN Scan

• Send SYN packet and wait for response
  – SYN+ACK
    • Port is open
    • Send RST to tear down connection
  – RST
    • Port is closed

TCP FIN scan

• Send TCP FIN packet and wait for response
  – No response
    • Port is open
  – RST
    • Port is closed.
• Advantages: more stealthy than SYN scan
• Disadvantages: MS Windows doesn’t follow

Xmas and Null Scans

• Similar to FIN scan with different flag settings.
• Xmas Scan: Sets FIN, URG, and PUSH flags.

TCP ACK Scan

• Does not identify open ports
• Used to determine firewall type
  – Packet filter (identifies responses by ACK bit)
  – Stateful
• Send TCP ACK packet to specified port
  – RST
    • Port is unfiltered (packet got through)
  – No response or ICMP unreachable
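The decision rules of the SYN, FIN, Xmas, NULL and ACK scans above, as an added example that is not part of the course slides: a simulation of how an RFC 793-style TCP stack answers each probe, a Windows-style variant that answers FIN/Xmas/NULL probes with RST on every port (which is why those scans report every Windows port as closed), and the scanner-side classification. No packets are sent; the Host, respond, classify and scan names are assumptions made here.

```python
# Added example (not from the CIT 380 slides): model of a target stack's reply
# to each probe type and of the scanner's inference from that reply.
from dataclasses import dataclass

# TCP flag bits as laid out in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe packet sent by each scan type (only the flags matter for this model).
PROBES = {
    "syn":  SYN,
    "fin":  FIN,
    "xmas": FIN | PSH | URG,
    "null": 0,
    "ack":  ACK,
}


@dataclass(frozen=True)
class Host:
    listening: frozenset        # ports with a service bound
    filtered: frozenset         # ports where a firewall silently drops packets
    rfc793_fin: bool = True     # False models Windows: RST to FIN/Xmas/NULL always


def respond(host: Host, port: int, flags: int):
    """Flags of the reply the stack sends, or None when it stays silent."""
    if port in host.filtered:
        return None                           # dropped by the firewall
    if flags & ACK and not flags & SYN:
        return RST                            # stray ACK: RST whether open or closed
    if flags & SYN:
        return SYN | ACK if port in host.listening else RST
    # FIN / Xmas / NULL probes: no SYN, no ACK
    if port in host.listening and host.rfc793_fin:
        return None                           # RFC 793: open port ignores the segment
    return RST                                # closed port (or Windows on any port)


def classify(scan_type: str, reply):
    """Scanner-side inference, mirroring the slides' decision rules."""
    if scan_type == "syn":
        return "open" if reply == SYN | ACK else "closed" if reply == RST else "filtered"
    if scan_type in ("fin", "xmas", "null"):
        return "closed" if reply == RST else "open|filtered"
    if scan_type == "ack":
        return "unfiltered" if reply == RST else "filtered"
    raise ValueError(scan_type)


def scan(host: Host, scan_type: str, ports):
    """Run one scan type against a set of ports and return {port: state}."""
    probe = PROBES[scan_type]
    return {p: classify(scan_type, respond(host, p, probe)) for p in ports}


if __name__ == "__main__":
    # Constructed hosts: ssh and http open, port 1720 behind a dropping firewall.
    linux = Host(frozenset({22, 80}), frozenset({1720}))
    windows = Host(frozenset({22, 80}), frozenset({1720}), rfc793_fin=False)
    print("SYN vs Linux  :", scan(linux, "syn", [22, 25, 1720]))
    print("FIN vs Linux  :", scan(linux, "fin", [22, 25]))
    print("FIN vs Windows:", scan(windows, "fin", [22, 25]))
    print("ACK vs Linux  :", scan(linux, "ack", [22, 25, 1720]))
```

The ACK scan result shows why it cannot tell open from closed: both port 22 and port 25 come back "unfiltered", while only the firewalled port 1720 differs. Real stacks also answer some probes with ICMP errors and real scanners retransmit before concluding "filtered"; the model leaves both out.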

Fragmentation Scan

• Modify TCP stealth scan (SYN, FIN, Xmas, NULL) to use tiny fragmented IP datagrams.
• Advantages: increases difficulty of scan detection and blocking.

FTP Bounce Scan

FTP protocol supports proxy ftp
– Client requests server send file to another IP, port.
– If server can open connection, port is open.

Advantages:
– Hide identity of scanning host.
– Bypass firewalls by using ftp server behind firewall.

Disadvantages:

Idle Scan

Use intermediate idle host to do scan.
– Idle host must increment IP ID for each packet.
– Idle host must not receive traffic from anyone other than attacker.

Scan Process
1. Attacker connects to idle host to obtain initial IP ID X.
2. Send SYN packet to port Y of target with spoofed IP of idle host.
3. If port is open, target host will send SYN+ACK to idle host.
4. Idle host will send RST packet with IP ID X+1 to target.
5. Attacker connects with SYN to idle host to obtain updated IP ID.
6. Idle host sends back SYN+ACK to attacker.

UDP Scans

Send 0-byte UDP packet to each UDP port
– UDP packet returned
  • Port is open
– ICMP port unreachable
  • Port is closed
– Nothing
  • Port listed as open|filtered
  • Could be that packet was lost.
  • Could be that server only returns UDP on valid input.

Disadvantages:
– ICMP error rate throttled to a few packets/second (RFC 1812), making UDP scans of all 65535 ports very slow.

Version Scanning

• Port scanning reveals which ports are open
  – Guess services on well-known ports.
• How can we do better?
  – Find what server: vendor and version

Banner Checking with netcat

> nc www.nku.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sun, 07 Oct 2007 19:27:08 GMT
Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>

Version Scanning

1. If port is TCP, open connection.
2. Wait for service to identify self with banner.
3. If no identification or port is UDP,
   1. Send probe string based on well-known service.
   2. Check response against db of known results.
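The three version-scan steps above, together with the netcat banner check two slides earlier, as an added example that is not part of the course slides: a banner parser with a tiny constructed signature database and a probe fallback for services that stay silent until spoken to. The signature table, the probe name, and the fake services that stand in for sockets are all assumptions made here; the real nmap-service-probes file is far larger.

```python
# Added example (not from the CIT 380 slides): version scanning as banner
# matching plus probe-and-match, driven by a talk(probe) callback so it runs
# offline against constructed services.
import re

# Constructed "db of known results": (service, regex over the response).
SIGNATURES = [
    ("ssh",  re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>OpenSSH)[_ ](?P<version>\S+)")),
    ("http", re.compile(r"^Server: (?P<product>Apache|nginx)(?:/(?P<version>[\d.]+))?", re.M)),
]

# Probe strings for services that do not announce themselves (hypothetical name).
PROBES = {"GetRequest": b"GET / HTTP/1.0\r\n\r\n"}


def identify(response: str):
    """Step 3.2: match a response against the db; (service, product, version) or None."""
    for service, pattern in SIGNATURES:
        m = pattern.search(response)
        if m:
            return (service, m.group("product"), m.group("version"))
    return None


def version_scan(talk):
    """talk(probe_bytes) -> response text, standing in for a connected socket.
    Steps 1-2: connect and wait for a self-announcing banner (empty probe).
    Step 3: if nothing identifiable arrived (or the port is UDP, which never
    announces itself), send each probe string and match the reply."""
    banner = talk(b"")
    if banner:
        hit = identify(banner)
        if hit:
            return hit
    for probe in PROBES.values():
        hit = identify(talk(probe))
        if hit:
            return hit
    return None


# Constructed services modelled on the two banners shown in the slides.
SSH_BANNER = "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n"
HTTP_REPLY = ("HTTP/1.1 400 Bad Request\r\n"
              "Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1\r\n"
              "Connection: close\r\n\r\n")


def fake_sshd(probe: bytes) -> str:
    return SSH_BANNER                      # sshd speaks first, whatever we send


def fake_httpd(probe: bytes) -> str:
    return HTTP_REPLY if probe else ""     # httpd waits for a request line


def fake_silent(probe: bytes) -> str:
    return ""                              # unknown service: nothing ever matches


if __name__ == "__main__":
    for name, svc in [("22/tcp", fake_sshd), ("80/tcp", fake_httpd), ("8080/tcp", fake_silent)]:
        print(name, version_scan(svc))
```

The same matcher is the basis of a defensive exposure check: run it against your own hosts and compare the returned product/version with the inventory, which is how an unexpectedly old Apache like the 1.3.34 on the netcat slide gets noticed.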

nmap version scan

> nmap -sV scanme.nmap.org

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26 17:11 EDT
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.10s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
80/tcp   open     http       Apache httpd 2.2.14 ((Ubuntu))
1720/tcp filtered H.323/Q.931
9929/tcp open     nping-echo Nping echo

More nmap Tools

Set source port
– Bypass firewall by using allowed source port.
– Use port 80 for TCP, port 53 for UDP scans.

Decoys
– Send additional scans from list of decoys.
– Spoof IP addresses of decoy hosts.

Defences

Prevention
– Disable unnecessary services.
– Block ports at firewall.
– Use a stateful firewall instead of packet filter.

Detection
– Network Intrusion Detection Systems.
– Port scans often have distinct signatures.
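The "distinct signatures" a NIDS looks for, as an added example that is not part of the course slides: a small detector run over constructed connection records. It raises one alert when a source touches many distinct ports on a host inside a sliding window (the connect()/SYN scan pattern) and one for every segment whose flags match a FIN, Xmas or NULL probe, combinations that never open a legitimate connection. The Record type, the thresholds and the sample traffic are assumptions made here.

```python
# Added example (not from the CIT 380 slides): port-scan detection over
# per-segment records of the kind a sensor exports.
from collections import defaultdict
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Exact flag combinations of the stealth probes described earlier in the deck.
STEALTH_PROBES = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "Xmas"}


@dataclass
class Record:
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    flags: int     # TCP flags byte of the first segment seen


def detect(records, window=10.0, threshold=15):
    """Return alerts as (kind, src, dst, detail) tuples.

    port-sweep: >= threshold distinct destination ports from src to dst
                within `window` seconds (one alert per src/dst pair).
    stealth-probe: any segment whose flags equal a FIN/Xmas/NULL probe.
    """
    alerts = []
    swept = set()                      # (src, dst) pairs already reported
    history = defaultdict(list)        # (src, dst) -> [(ts, dport), ...]
    for r in sorted(records, key=lambda rec: rec.ts):
        probe = STEALTH_PROBES.get(r.flags)
        if probe is not None:
            alerts.append(("stealth-probe", r.src, r.dst, f"{probe} probe to port {r.dport}"))
        pair = (r.src, r.dst)
        hist = history[pair]
        hist.append((r.ts, r.dport))
        while hist and hist[0][0] < r.ts - window:   # expire old entries
            hist.pop(0)
        distinct = {p for _, p in hist}
        if len(distinct) >= threshold and pair not in swept:
            swept.add(pair)
            alerts.append(("port-sweep", r.src, r.dst,
                           f"{len(distinct)} distinct ports within {window:.0f}s"))
    return alerts


def sample_records():
    """Constructed traffic: one SYN scanner, one normal client, one Xmas probe."""
    recs = [Record(100.0 + i * 0.1, "10.0.0.9", "10.0.0.5", i, SYN) for i in range(1, 41)]
    recs += [Record(100.0 + i * 15, "10.0.0.7", "10.0.0.5", 80 if i % 2 else 443, SYN)
             for i in range(4)]
    recs.append(Record(130.0, "10.0.0.8", "10.0.0.5", 22, FIN | PSH | URG))
    return recs


if __name__ == "__main__":
    for alert in detect(sample_records()):
        print(alert)
```

The sweep rule is deliberately per source/destination pair, so the decoy technique from the "More nmap Tools" slide defeats it only partially: each spoofed decoy address trips its own alert, and the real scanner is one of them. A scan spread over hours stays under the window; catching that needs the same counting over a much longer horizon.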

OS Fingerprinting

Identify OS by specific features of its TCP/IP network stack implementation.
– Explore TCP/IP differences between OSes.
– Build database of OS TCP/IP fingerprints.
– Send set of specially tailored packets to host.
– Match results to identical fingerprint in db to

nmap OS fingerprint examples

> sudo nmap -O scanme.nmap.org
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.38 - 3.0
Uptime guess: 12.224 day
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros

> sudo nmap -v -O 192.168.1.1
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Uptime guess: 29.789 days

OS Fingerprinting Techniques

FIN probe
– RFC 793 requires no response
– MS Windows, BSDI, Cisco IOS send RST

Bogus flag probe
– Bit 7 of TCP flags unused
– Linux <2.0.35 keeps flag set in response

TCP ISN sampling
– Different algorithms for TCP ISNs

Passive Fingerprinting

• Identify OSes of hosts on network by sniffing packets sent by each host.
• Use similar characteristics as active techniques:
  – TTL
  – MSS
  – Initial Window Size
  – Don’t Fragment bit
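The four passive characteristics listed above, as an added example that is not part of the course slides: a p0f-style matcher that takes the TTL, DF bit, initial window and MSS observed in a host's SYN and looks them up in a signature table. Because the TTL on the wire has already been decremented once per router, the matcher first rounds it up to the nearest common initial value (64, 128 or 255), which also gives the hop distance. The signature values are constructed for illustration and are not the real p0f database.

```python
# Added example (not from the CIT 380 slides): passive OS fingerprinting from
# the header fields of one observed SYN segment.
from dataclasses import dataclass


@dataclass(frozen=True)
class SynObservation:
    ttl: int        # IP TTL as seen on the wire
    df: bool        # IP Don't Fragment bit
    window: int     # TCP initial window size
    mss: int        # TCP MSS option


# Constructed signatures: (initial TTL, DF, window, MSS) -> label.
SIGNATURES = {
    (64, True, 5840, 1460):  "Linux 2.6 (constructed)",
    (64, True, 29200, 1460): "Linux 3.x+ (constructed)",
    (128, True, 8192, 1460): "Windows 7/8 (constructed)",
    (64, True, 65535, 1460): "FreeBSD / macOS (constructed)",
    (255, False, 4128, 536): "Cisco IOS (constructed)",
}

INITIAL_TTLS = (64, 128, 255)   # defaults most stacks start from


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the default it most likely started from."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    raise ValueError("TTL out of range")


def hop_distance(observed: int) -> int:
    return initial_ttl(observed) - observed


def fingerprint(obs: SynObservation):
    """Return (label, hops); label is None when no signature matches exactly."""
    key = (initial_ttl(obs.ttl), obs.df, obs.window, obs.mss)
    return SIGNATURES.get(key), hop_distance(obs.ttl)


def candidates(obs: SynObservation):
    """Looser match on TTL and DF only, for reporting 'unsure' guesses."""
    ttl = initial_ttl(obs.ttl)
    return sorted(label for (t, df, _, _), label in SIGNATURES.items()
                  if t == ttl and df == obs.df)


if __name__ == "__main__":
    # Constructed observations: a Linux 2.6 host 12 hops away, a Windows host
    # 11 hops away, and a SYN with a window no signature lists.
    for obs in (SynObservation(52, True, 5840, 1460),
                SynObservation(117, True, 8192, 1460),
                SynObservation(60, True, 1234, 1460)):
        label, hops = fingerprint(obs)
        print(obs, "->", label or f"unsure, candidates {candidates(obs)}", f"{hops} hops")
```

Exact matching is brittle on purpose: a tuned server that raised its initial window, or a middlebox that rewrote the MSS, falls through to the candidates() guess rather than being mislabelled, which is the behaviour you want when the result feeds an asset inventory.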

Fingerprinting Defences

Detection
– NIDS

Blocking
– Firewalling
– Some probes can’t be blocked.

Deception

Vulnerability Scanning

Scan for vulnerabilities in systems
– Configuration errors
– Well-known system vulnerabilities

Scanning Tools
– Nessus
– OpenVAS
– Nexpose

Scanning Tools Summary

Information            Tool
IP addresses of hosts  ping, nmap -sP
Network topology       traceroute, lft
Open ports             nmap -sT -sU
Service versions       nmap -sV
OS                     nmap -O, p0f
