• No results found

Network and Services Discovery

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Network and Services Discovery"

Copied!
13
0
0

Loading.... (view fulltext now)

Download now ( 13 Page )

Full text

(1)

Introduction Active Scanning Passive scanning Q and A

Network and Services Discovery

A quick theorical introduction to network scanning

Alexandre Dulaunoy

http://www.foo.be/

January 8, 2016

(2)

Introduction Active Scanning Passive scanning Q and A Disclaimer/Intro

Disclaimer/Intro

Network scanning is not exact science

I When an information system is able to interact over the network :

I The system is always giving some information about himself

I The system may be used to act as a network scanning tool

I Attackers are always looking for such kind of services I Network scanning is playing an important role in the process

(3)

Introduction Active Scanning Passive scanning Q and A IP protocol scanning

IP protocol scanning

How to know the IP protocol supported by a system. Not only limited to UDP or TCP. The approach used is quite simple :

-We send a raw IP packet with the protocol defined (RFC3232) and wait for the reply :

I if received an ICMP protocol unreachable, the protocol is not available on the stack

I if we got nothing, the procotol is available or ICMP packets are filtered by a firewall

e.g. : Useful for testing the protocol available on a router. Is IGMP available ?

(4)

Introduction Active Scanning Passive scanning Q and A ICMP scanning

ICMP scanning

I Nifty Internet Control Message Protocol : ICMP type 8 - echo request

ICMP type 13 - time stamp request ICMP type 15 - information request ICMP type 17 - netmask request

(5)

Introduction Active Scanning Passive scanning Q and A TCP Port Scanning - Connect scan

TCP Port Scanning - Connect Scan

A connect scan is a scan using the vallina connect() approach. The full TCP 3-way handshake is done :

-We send a SYN to the target host and port:

I We wait for the SYN-ACK from the target host

I if yes, we’ll send an ACK to the target. This means that port is open.

I If we got a RST, the target host is not listening on that port. The connect() scan is very slow, very visible (e.g. TCP Wrappers, netstat) due to the full handshake (ESTABLISHED state).

(6)

Introduction Active Scanning Passive scanning Q and A TCP Port Scanning - Half-open scan

TCP Port Scanning - Half-open scan

A half-open scan is where the full TCP handshake is not done :

-We send a SYN to the target host and port :

I We wait for the SYN-ACK from the target host

I if yes, we’ll send directly a RST to the target. This means that port is open but we don’t continue the handshake.

(7)

Introduction Active Scanning Passive scanning Q and A TCP Port Scanning - Inversed or stealh TCP scan

TCP Port Scanning - Inversed or stealh TCP scan

By default a TCP stack must respond (RFC793) to non-SYN flag on a closed port with a RST. For open port, the datagram must be discarded. But various systems are still sending RST on open ports too...

-We send an FIN or FIN/URG/PUSH or no flag to the target host and port :

I We wait for the RST from the target host

I if yes, this means that port is closed.

I If we got nothing, this is probably an open port.

Results are not always reliable but can be used in conjunction with other scan. The main advantage is not to use SYN flag (e.g. packet filter only checking for SYN).

(8)

Introduction Active Scanning Passive scanning Q and A TCP Port Scanning - ACK TCP scan

TCP Port Scanning - ACK TCP scan

An ACK scan is often used to check the kind of packet filter between you and the target host.

-We send an ACK (random ack/seq) to the target host and port :

I We wait for the RST from the target host

I Variation of the TTL and Window field is also interesting. I if yes, this means that port is unfiltered.

(9)

Introduction Active Scanning Passive scanning Q and A Hiding your active scanning

Hiding your active scanning

If you are an attacker, it’s always better to find ways to ’somewhat’ hide your various activities :

I using FTP relay (old ftp server) - RFC959

I using open proxies (e.g. CONNECT method)

I Idle scan approach

I Using a zombie host to receive your request

I Cover channel using IPID (IP identification) to receive the reply on open port from the zombie

(10)

Introduction Active Scanning Passive scanning Q and A TCP passive fingerprint

TCP passive fingerprint

Signatures are built on various TCP/IP parameters :

I TTL (max. ttl is different following the OS/version)

I Window Size

I DF bit set (some OS are sending it or not)

I ToS

I ECN, Selective Acknowledgement, ...

(11)

Introduction Active Scanning Passive scanning Q and A Passive discovery

Passive discovery

Another way to discover network services is to use an alternative tools that is gathering the information for you. For example, web crawler can do the job for you and they provide nice interface for an exhaustive search :

I intext:password | intext:login | user filetype:csv

I inurl:”ViewerFrame?Mode=refresh”

I intitle:”index of”

I ”Microsoft-IIS/” intitle:”index of”

(12)

Introduction Active Scanning Passive scanning Q and A Scanning to find vulnerable hosts?

Network Scanning

I How to scan an infrastructure?

I What are the ethical and legal requirements?

I How often do you need to scan an infrastructure?

(13)

Introduction Active Scanning Passive scanning Q and A

Q and A

I Thanks for listening.

I http://www.foo.be/

I [email protected]

References

Download now ( PDF - 13 Page - 221.03 KB )

Related documents

Structural Stability of Braced Scaffolding and Formwork with Spigot Joints

These investigations conducted on the Super Cuplok scaffolding and formwork system aimed to determine the effect of spigot joints on the strength and stability of members subject

MS Exchange Server 2010: Highly Available, High Performing And Scalable Deployment With Coyote Point Equalizer

Cookie TCP (port 80) ActiveSync L7 HTTPS 443 80 Equalizer Cookie TCP (port 80) POP3 L4 TCP 995 995 None TCP (port 995) IMAP4 L4 TCP 993 993 None TCP (port 993)

Evaluating the potential contribution of interdisciplinary obstetrics skills/drills emergency training as a quality improvement initiative: self-reported levels of pre and post- test confidence levels

This study revealed that the use of high fidelity simulation for interdisciplinary obstetrics skills/drills emergency training significantly (P<0.05) impacted on the

Quasi-phase-matched Faraday rotation in semiconductor waveguides with a magnetooptic cladding for monolithically integrated optical isolators

Abstract: Strategies are developed for obtaining nonreciprocal polarization mode conversion, also known as Faraday rotation, in waveguides in a format consistent

1 Introduction. Agenda Item: Work Item:

As with viruses, worms, and Trojan horses, scanning the outgoing traffic and scanning the listening ports (e.g. by sending a TCP SYN) can help a network to detect terminals

Design and Simulation of UHF RFID Tag Antennas and Performance Evaluation in Presence of a Metallic Surface

8 shows the simulated input reactance against UHF frequency of the proposed meandered dipole antenna with various separation distances, d.. It is clear that

167 th Air Wing Fast Track Cyber Program Blue Ridge Community and Technical College

Course content includes an ethical hacking overview, TCP/IP concepts review, network and computer Attacks, foot printing and social engineering, port scanning, enumeration,

167 th Air Wing Fast Track Cyber Security Blue Ridge Community and Technical College

Course content includes an ethical hacking overview, TCP/IP concepts review, network and computer Attacks, foot printing and social engineering, port scanning, enumeration,