Network Security. Network Scanning

Academic year: 2021

(1)

Network Security

Network Scanning

Module 2

Keith A. Watson, CISSP, CISA

IA Research Engineer, CERIAS

(2)

Network Scanning

Definition: Sending packets configured to evoke a response from the target system; the result or lack of result is used to infer the configuration of the target.

(3)

Network Scanning: Overview

Scanning What, Why and Where

Considerations

nmap and other tools

nmap features

• host discovery

• port states

• scan types

• output

Exercises

(4)

Network Scanning: Why scan?

Network scanning is useful in determining the devices that exist in a network:

• Desktops, servers, laptops

• Routers, managed switches, firewalls

• Wireless access points

• Network monitoring and log collection systems

• Network printers and print servers

• IP-accessible CD-ROM drive arrays

• iPod Touch, iPhone, Zune devices

• Apple Time Capsules and Airport Expresses

• Roku, Tivo, MythTV, Wii, Xbox, PlayStation

(5)

Network Scanning: Why scan?

Network scanning is useful to determine what services exist on a network:

• File services (CIFS, SMB, Appletalk, NFS, FTP)

• Infrastructure (DHCP, DNS, Bootp, TFTP, SNMP)

• Authentication (AD services, LDAP, Kerberos)

• Remote Access (VPN, SSH, Remote Desktop)

• Printer and Scanner Sharing

• Web-based interfaces (printers, firewalls, WAPs)

• Peer-to-Peer file sharing

(6)

Network Scanning: What do we scan?

Specific systems

• Examine new systems placed on the network

• Verify network service configuration

• Re-check network service configuration

• Examine existing systems for changes in config

Network segments

• Scan all systems on specific networks (lab, classroom, admin, test networks, DMZ)

• Scan the entire network space to look for rogue systems

(7)

Network Scanning: From where do we scan?

The position from which you scan can change the results

Firewalls

• From inside, you will “see” more information

• From outside, you should “see” very little

Routers w/ACLs

• If you are not scanning across ACLs, you will “see” more

Scanning from multiple positions in the

(8)

Network Scanning: Things to Consider

Network scanning can harm your network

• At least temporarily...

• Older systems may crash or hang

• Building management systems may do weird stuff

• The network performance may be impacted

• Network devices may drop packets

• Systems may generate significant amounts of log messages

• ID systems should be alerting when scans occur

You probably shouldn’t be scanning at peak
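The slide above notes that scans show up as bursts of log messages and that ID systems should alert when they happen. As an added example (not from the slides and not nmap's code), the script below parses constructed iptables-style firewall log lines and flags the two shapes a scan leaves behind: one source touching many ports on one host, and one source touching one port on many hosts. The log format, the 60-second sliding window and the thresholds are assumptions a site would tune to its own traffic.

```python
"""Flag scan-like behaviour in firewall log lines.

Added example, not part of the slides. The log lines below are constructed
in an iptables-style key=value format; the window and thresholds are
assumptions, not values the slides give.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample (not real traffic): 10.0.0.99 probes 14 ports on one host,
# 10.0.0.77 probes TCP/445 on 30 hosts, 10.0.0.5 is ordinary ssh/http use.
SAMPLE_LOG = "\n".join(
    ["2009-11-05T14:23:%02d kernel: IN=eth0 SRC=10.0.0.99 DST=10.0.0.70 PROTO=TCP SPT=40000 DPT=%d SYN"
     % (i, p) for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 3389])]
    + ["2009-11-05T14:24:%02d kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.1.%d PROTO=TCP SPT=40001 DPT=445 SYN"
       % (i, h) for i, h in enumerate(range(1, 31))]
    + ["2009-11-05T14:25:01 kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.70 PROTO=TCP SPT=51515 DPT=22 SYN",
       "2009-11-05T14:25:02 kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.70 PROTO=TCP SPT=51516 DPT=80 SYN"]
)


def parse_log(text):
    """Parse matching lines into dicts; other kernel messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dpt": int(m.group("dpt")),
        })
    return events


def detect_scans(text, window=timedelta(seconds=60), port_threshold=10, host_threshold=20):
    """Return {(kind, src, dst): peak_count} for sources that exceed a threshold
    inside some sliding window. kind is 'port_scan' (dst set) or 'host_sweep'
    (dst is None); the count is the largest seen in any window."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_per_dst = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_dst[e["dst"]].add(e["dpt"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold:
                    key = ("port_scan", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            if len(ports_per_dst) >= host_threshold:
                key = ("host_sweep", src, None)
                alerts[key] = max(alerts.get(key, 0), len(ports_per_dst))
    return alerts


if __name__ == "__main__":
    for (kind, src, dst), count in sorted(detect_scans(SAMPLE_LOG).items()):
        print(kind, src, dst or "*", count)
```

On the sample, the ordinary user (two ports, one host) stays below both thresholds, while the two scanning sources are reported with their peak counts. A real deployment would feed this from the log collector the slide mentions rather than from an inline string.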

(9)

Network Scanning: Tools Available

nmap, version 5

iPod Touch / iPhone tools

• Net Scan ($0.99)

• iNet ($3.99)

• Network Utility (Pro version: $0.99)

• iPortScan PRO ($0.99)

• Portscan ($1.99)

Mac: Network Utility application

(10)

Network Scanning: nmap features

multiple host discovery methods

multiple scan methods

service and version detection

OS detection

intrusion detection evasion techniques

• setting source port (20, 53, 67, 88), randomization

performance tuning

scripting engine

runtime feedback

(11)

Network Scanning: nmap interfaces

Command line

• nmap is designed to be used from the CLI

• all options and modes can be specified

Graphical User Interface

• Zenmap is a GUI interface for nmap

(12)

Network Scanning: nmap target selection

Targets can be IP addresses, hostnames, FQDNs, networks

Listed as the last parameters on CLI

Examples

• poly-server.cerias.purdue.edu

• purdue.edu/24

• 128.10.247.10,128.10.247.20,128.10.246.0/24

• 128.10.247-250.1-254

Use ‘-iL <file>’ to read targets from a <file>

Use ‘--exclude <host1>[,<host2>,...<hostn>]’
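As an added example (not nmap's own code), here is a Python expansion of the target forms listed on this slide: single addresses, CIDR blocks, comma-separated lists, per-octet ranges such as 128.10.247-250.1-254, and an exclude list. Hostnames, including the purdue.edu/24 form that needs a DNS lookup first, are passed through unresolved so the code runs offline; that pass-through is an assumption of this example, since nmap itself resolves them.

```python
"""Expand nmap-style target specifications.

Added example; not nmap's implementation. Hostnames are returned unchanged
(resolving them needs DNS), every other form is expanded to address strings.
"""
import ipaddress
import itertools
import re

_OCTET_RANGE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _expand_octet(part):
    """'247' -> [247]; '247-250' -> [247, 248, 249, 250]."""
    m = _OCTET_RANGE.match(part)
    if not m:
        raise ValueError("bad octet range: %r" % part)
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (0 <= lo <= hi <= 255):
        raise ValueError("octet out of range: %r" % part)
    return list(range(lo, hi + 1))


def expand_target(spec):
    """Expand one target token into a list of address strings."""
    if "/" in spec:
        try:
            # CIDR: every address in the block, network and broadcast included
            return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
        except ValueError:
            return [spec]  # hostname/CIDR form like purdue.edu/24: needs DNS first
    octets = spec.split(".")
    if len(octets) == 4 and all(_OCTET_RANGE.match(o) for o in octets):
        ranges = [_expand_octet(o) for o in octets]
        return [".".join(map(str, combo)) for combo in itertools.product(*ranges)]
    return [spec]  # hostname or FQDN; left for DNS to resolve


def expand_targets(specs, exclude=()):
    """Expand CLI target tokens (as in the slide's examples), honour --exclude,
    and drop duplicates while keeping first-seen order."""
    excluded = set()
    for e in exclude:
        for tok in e.split(","):
            excluded.update(expand_target(tok.strip()))
    result, seen = [], set()
    for spec in specs:
        for tok in spec.split(","):
            tok = tok.strip()
            if not tok:
                continue
            for addr in expand_target(tok):
                if addr in excluded or addr in seen:
                    continue
                seen.add(addr)
                result.append(addr)
    return result


if __name__ == "__main__":
    targets = expand_targets(["128.10.247.10,128.10.247.20,128.10.246.0/24"],
                             exclude=["128.10.246.1"])
    print(len(targets), "targets; first:", targets[0])
```

Counting the expansion before a scan is a useful sanity check: the slide's 128.10.247-250.1-254 example is 1,016 addresses, and a /16 typed by mistake is 65,536, which matters given the "Things to Consider" slide.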

(13)

Network Scanning: nmap host discovery

Host discovery is the process of determining what systems are on the network

What’s the traditional method for determining if a system is on the network?

Ping (ICMP, Echo Request)

(14)

Ping Example (diagram): Source → Target: ICMP Echo Request; Target → Source: ICMP Echo Reply

(15)

Network Scanning: nmap host discovery

Host discovery is necessary to avoid scanning “dead” IP addresses where no system is responding for that address

Proper host discovery can shorten large address range scans

Using a UDP echo request (ping) may not be effective if the system’s firewall blocks them

Other nmap host discovery methods may

(16)

Network Scanning: nmap host discovery

Disable ping (-PN)

• Skips host discovery entirely

List scan (-sL)

• Performs reverse DNS lookup

• Gets a target list

Ping scan (-sP)

• Reports responding hosts only

• Uses ping, TCP SYN to port 443, TCP ACK to port 80, ICMP timestamp request to find hosts

(17)

Network Scanning: nmap host discovery

TCP SYN ping (-PS <portlist>)

• SYN sent to specified ports (default: 80)

• Host is up if SYN/ACK or RST received

TCP ACK ping (-PA <portlist>)

• ACK sent to specified ports (default: 80)

• Host is up if RST received

UDP ping (-PU <portlist>)

• Empty UDP packet sent to specified ports (default: 40125)

(18)

TCP Connection Establishment (diagram): Source → Target: SYN; Target → Source: SYN+ACK; Source → Target: ACK

(19)

SYN Ping (diagram): Source → Target: SYN; no further labels recovered

(20)

SYN Ping (diagram): Source → Target: SYN; Target → Source: RST

(21)

SYN Ping (diagram: Source and Target; no exchange labels recovered)

(22)

Network Scanning: nmap host discovery

SCTP INIT ping (-PY <portlist>)

• Sends SCTP INIT packet to specified ports (default: 80)

• Host is up if any response received

ICMP ping types (-PE, -PP, -PM)

• -PE is an echo request

• -PP is a timestamp request

• -PM is an address mask request

(23)

Network Scanning: nmap host discovery

IP Protocol ping (-PO <protocollist>)

• Sends a packet with the specified protocol number in the header (default: send packets for ICMP, IGMP, IP-in-IP)

• Host is up if any response received

ARP ping (-PR)

• Sends an ARP request on the local ethernet network

• Host is up if any response received

(24)

Network Scanning: nmap host discovery

Common ports to use in host discovery

• Windows: TCP/135, UDP/137, UDP/138, TCP/139, TCP&UDP/445, TCP&UDP/1025-1030, TCP/3389

• UNIX: TCP/21, TCP/22, TCP/23, TCP/25, UDP/53, TCP/80, TCP&UDP/111, UDP/161, UDP/514

• Network devices: TCP/22, TCP/23, UDP/53, UDP/67-68, TCP/80, TCP/443, UDP/161

Bottom line: Unless your host is blocking standard ICMP pings, you can stick to the default host discovery methods

(25)

Network Scanning: nmap port states

open

• Accepts TCP, UDP, SCTP connections

closed

• Responds but no application is listening

filtered

• Little info available to determine actual state

• Firewalls may be dropping probes

unfiltered

(26)

Network Scanning: nmap port states

open|filtered

• Unable to determine if port is open or filtered

• Reported by UDP, IP Protocol, FIN, NULL, Xmas

closed|filtered

• Unable to determine if port is closed or filtered

(27)

Network Scanning: nmap scan modes

TCP SYN scan (-sS)

• Starts TCP three-way handshake

• Open if a SYN/ACK received

• Closed if RST received

• Filtered if ICMP error or no response received

TCP connect scan (-sT)

• Opens TCP connection, sends no data

(28)

Network Scanning: nmap scan modes

UDP scan (-sU)

• Sends empty UDP packet

• Closed if ICMP port unreachable received

• Filtered if other ICMP received

• Open|filtered if there is no response

• Scan can be very slow, due to timeout periods

SCTP INIT scan (-sY)

• Sends an empty SCTP INIT chunk

• Open if INIT-ACK received

• Closed if ABORT received

(29)

Network Scanning: nmap scan modes

NULL scan (-sN)

• Sends TCP packet with no header bits set

FIN scan (-sF)

• Sends TCP packet with FIN set

Xmas scan (-sX)

• Sends TCP packet with FIN, PSH, URG set

Responses to NULL, FIN, Xmas:

• Closed if RST received

(30)

Network Scanning: nmap scan modes

TCP Window (-sW) and Maimon (-sM) scans

• Rely on implementation details in specific systems

IP Protocol scans (-sO)

• Determines what IP protocols are supported

FTP Bounce scans (-b <ftprelay>)

• Old FTP server bug

Idle scan (-sI <zombie>)

• Can map out trust relationships between systems

Custom TCP scan (--scanflags)

(31)

Network Scanning: nmap port specification

Port numbers are associated with specific network services or applications (1-65535)

Most port number assignments are fixed

• Assigned by IANA

Without specifying ports, nmap chooses the 1000 most common ports to scan for each protocol

(32)

Network Scanning: nmap port specification

Specify additional ports with -p option

• -p- or -p1-65535

• -p U:53,137,161,T:21,22,25,80,443,8080

Fast scan (-F)

• Scans only 100 common ports

Avoid port randomization (-r)
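An added example (not nmap's own parser): a parser for the -p syntax shown above, covering -p-, explicit ranges and the U:/T: prefixes. It follows nmap's rule that a protocol prefix stays in effect for the items after it; items given before any prefix are applied to every protocol (TCP, UDP and SCTP, the three the slides cover), which is stated here as the assumption this code makes. The 1-65535 bound comes from the previous slide.

```python
"""Parse an nmap -p port specification into per-protocol port sets.

Added example, not nmap's code. Assumes the 1-65535 range from the slides and
that un-prefixed items apply to all three protocols (T = TCP, U = UDP, S = SCTP).
"""
import re

PORT_MAX = 65535
_ITEM_RE = re.compile(r"^(?:([TUS]):)?(.*)$")


def parse_port_spec(spec):
    """'U:53,137,161,T:21,22,25,80,443,8080' -> {'T': {...}, 'U': {...}, 'S': set()}."""
    result = {"T": set(), "U": set(), "S": set()}
    current = None  # protocol prefix in effect; None means "all protocols"
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = _ITEM_RE.match(item)
        if m.group(1):
            current = m.group(1)
        rng = m.group(2)
        if rng == "-":                      # -p-  : every port
            lo, hi = 1, PORT_MAX
        elif "-" in rng:                    # a-b, a- or -b
            a, b = rng.split("-", 1)
            lo = int(a) if a else 1
            hi = int(b) if b else PORT_MAX
        elif rng:
            lo = hi = int(rng)
        else:
            raise ValueError("empty port item in %r" % spec)
        if not (1 <= lo <= hi <= PORT_MAX):
            raise ValueError("port range out of bounds: %r" % item)
        for proto in ([current] if current else ["T", "U", "S"]):
            result[proto].update(range(lo, hi + 1))
    return result


if __name__ == "__main__":
    parsed = parse_port_spec("U:53,137,161,T:21,22,25,80,443,8080")
    for proto in ("T", "U", "S"):
        print(proto, sorted(parsed[proto]))
```

The size of the resulting sets is what drives scan time: the slide's -F keeps it to 100 ports per protocol, while -p- is 65,535 per protocol, and for UDP that difference is large because of the timeouts noted under the UDP scan slide.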

(33)

Network Scanning: nmap fingerprint modes

nmap attempts to detect the OS version based on “fingerprinting” the TCP stack

• Quirks and implementation details can be evaluated and compared against a database of known TCP stack implementations

(34)

Network Scanning: Other options/features

Service and Version detection (-sV)

• Attempts to determine the versions of software

Timing and Performance options

• Retries, timeouts, delays, rate limiting, scan rates

Scripting Engine

• Includes library of scan functions

• Write your own scripts

Firewall/IDS Evasion and Spoofing

• Attempts to bypass firewalls

(35)

Network Scanning: nmap output example 1

golgafrincham:~ admin$ sudo nmap -sP dis
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-05 14:34 EST
Host 128.10.247.70 is up (0.00015s latency).
MAC Address: 00:11:43:A0:98:42 (Dell)

(36)

Network Scanning: nmap output example 2

golgafrincham:~ admin$ sudo nmap -sS dis
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-05 14:23 EST
Interesting ports on 128.10.247.70:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:11:43:A0:98:42 (Dell)

(37)

Network Scanning: nmap output example 3

golgafrincham:~ admin$ sudo nmap -O milliways
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-05 14:38 EST
Interesting ports on 128.10.247.50:
Not shown: 996 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect
MAC Address: 00:B0:D0:DB:A5:56 (Dell Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: FreeBSD 7.X

(38)

Network Scanning: saving nmap output

nmap output can be saved as

• Text (default): -oN <file>

• XML: -oX <file>

• l33t: -oS <file>

• Grepable: -oG <file>

• All at once: -oA <basename>

Verbose output (-v)

Debugging (-d <level>)

(39)

Network Scanning: nmap output differencing

Differencing provides a method to see changes over time

golgafrincham:~ admin$ ndiff yesterday.xml today.xml
-Nmap 5.00 at 2009-11-05 14:59
+Nmap 5.00 at 2009-11-05 15:01

128.10.247.50, 00:B0:D0:DB:A5:56:
-Not shown: 999 filtered ports
+Not shown: 998 filtered ports
 PORT STATE SERVICE VERSION
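ndiff works on the XML output (-oX). As an added example of the same idea, not part of nmap or ndiff, the Python below parses two runs of nmap's grepable output (-oG, listed on the previous slide) and reports hosts that appeared or vanished and ports whose state changed. The two scan results are constructed to mirror this slide's ndiff output (128.10.247.50 going from 999 to 998 filtered ports) and are not real scans.

```python
"""Diff two nmap grepable (-oG) outputs. Added example; not part of nmap or ndiff.
The two runs below are constructed sample data, not real scan results."""
import re

HOST_RE = re.compile(r"Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")
PORTS_RE = re.compile(r"Ports:\s+(?P<ports>[^\t]*)")

# Constructed: yesterday's run (fields are tab-separated, as -oG writes them)
YESTERDAY = """# Nmap 5.00 scan initiated (constructed sample) as: nmap -sS -oG yesterday.gnmap 128.10.247.50-71
Host: 128.10.247.50 (milliways)\tStatus: Up
Host: 128.10.247.50 (milliways)\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)
Host: 128.10.247.70 (dis)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
# Nmap done (constructed sample) -- 2 hosts up
"""

# Constructed: today's run; a jetdirect port appeared on milliways, http on dis is
# now closed, and a previously silent address answers on 3389.
TODAY = """# Nmap 5.00 scan initiated (constructed sample) as: nmap -sS -oG today.gnmap 128.10.247.50-71
Host: 128.10.247.50 (milliways)\tStatus: Up
Host: 128.10.247.50 (milliways)\tPorts: 22/open/tcp//ssh///, 9101/open/tcp//jetdirect///\tIgnored State: filtered (998)
Host: 128.10.247.70 (dis)\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\tIgnored State: closed (997)
Host: 128.10.247.71 ()\tPorts: 3389/open/tcp//ms-term-serv///\tIgnored State: closed (999)
# Nmap done (constructed sample) -- 3 hosts up
"""


def parse_grepable(text):
    """Return {ip: {(port, proto): state}} from every 'Host:' line.
    'Status: Up' lines register the host with no ports; comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        h = HOST_RE.search(line)
        if not h:
            continue
        ports = {}
        p = PORTS_RE.search(line)
        if p:
            for entry in p.group("ports").split(","):
                fields = entry.strip().split("/")   # port/state/proto/owner/service/rpc/version/
                if len(fields) < 3:
                    continue
                ports[(int(fields[0]), fields[2])] = fields[1]
        hosts.setdefault(h.group("ip"), {}).update(ports)
    return hosts


def diff_scans(old_text, new_text):
    """Compare two runs: hosts that appeared or vanished, and (ip, port, proto,
    old_state, new_state) for every port whose reported state changed."""
    old, new = parse_grepable(old_text), parse_grepable(new_text)
    changes = []
    for ip in sorted(set(old) & set(new)):
        for port, proto in sorted(set(old[ip]) | set(new[ip])):
            before = old[ip].get((port, proto))
            after = new[ip].get((port, proto))
            if before != after:
                changes.append((ip, port, proto, before, after))
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "changes": changes,
    }


if __name__ == "__main__":
    report = diff_scans(YESTERDAY, TODAY)
    print("new hosts:", report["new_hosts"])
    print("gone hosts:", report["gone_hosts"])
    for ip, port, proto, before, after in report["changes"]:
        print("%s %d/%s: %s -> %s" % (ip, port, proto, before, after))
```

A port that was not listed in the earlier run shows up with an old state of None, which matches what the slide's ndiff output shows as one fewer "filtered" port: a previously silent port now answers. Running this against saved -oG files on a schedule is the cheapest way to get the "changes in config" check the "What do we scan?" slide asks for.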

(40)

I hate command lines...

nmap includes a GUI tool called Zenmap

It is a simple interface for constructing the command line options for nmap

Notice that as you choose options, the command line listed changes

The Zenmap output is the same as nmap

It’s a learning tool for nmap parameters

For our exercises you can use whichever

(41)

Let’s get started...

Boot up BackTrack if you haven’t already

OR

Install nmap on your machine

(42)

Network Scanning: Exercise 1

Using Zenmap or nmap do a SYN scan on 192.168.1.20

(43)

Network Scanning: Exercise 2

Use Zenmap or nmap to do an OS detection scan against 192.168.1.25

What operating system does this machine

(44)

Network Scanning: Exercise 3

Scan targets in the range of 192.168.1.20-26

Choose any scan method

What OSs are used?

What services are available?

With everyone scanning at once watch for

(45)

Network Scanning: Exercise 4

Experiment with Zenmap and nmap

Any IP on 192.168.1.0 is a target

Attempt different scan modes and attempt

(46)

End of Module 2

References
