• No results found

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology"

Copied!
21
0
0
Download now ( 21 Page )

Full text

(1)

Port Scanning and

Vulnerability Assessment

ECE4893 – Internetwork Security

Georgia Institute of Technology

(2)

Agenda

• Reconnaissance

• Scanning

• Network Mapping

• OS detection

(3)

Reconnaissance

• Internet Network Information Center who-is

database www.internic.net/whois.html

• Registrar’s database i.e.

www.networksolutions.com

• American Registry for Internet Numbers (ARIN)

http://ww2.arin.net/whois/

(4)

Scanning: Network Mapping

Ping and traceroute

(5)

Cheops-ng

Created by Mark Spencer for Linux systems, available at

http://www.marko.net/cheops/

Purpose: “To provide system administrators and users with a simple interface to managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem.” This tool automates ping and traceroute.

(6)

Cheops-ng: What does it do?

• Finds active hosts in a network

• Determines the names of active hosts • Discovers host operating systems

• Detects open ports

• Maps the complete network in a graphical format • Monitors hosts

(7)

Cheops-ng: How does it work?

• Utilizes ICMP “ping” packets to search a network for alive hosts

• Domain Name Transfers (nslookup) are used to list hosts

• Invalid flags on TCP packets (queso) are used to detect the OS • Half-open TCP connections are used to detect ports

• UDP packets with small TTL values are used to map the network

(8)

Scanning:Port scanning (1)

Why: To find open ports in order to exploit them.

How:

• TCP Connect -- attempt to complete 3-way handshake, look for SYN-ACK, easy to detect this scan

• TCP SYN Scan -- “half-open” scan, look for SYN-ACK, then send RESET, target system will not record connection, also faster than TCP connect scan

• TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol, closed ports send RESET, open ports send nothing (Windows does not respond to these scans)

(9)

Port scanning (2)

How (cont.):

• TCP ACK Scan -- may be useful to get past packet filters (believes it is a response to a request from inside firewall), if receive RESET, know this port is open through firewall

• FTP Bounce Scan -- request that server send file to a victim machine inside their network (most servers have disabled this service)

• UDP Scan -- unreliable, if receive ICMP Port Unreachable, assume closed, otherwise open

(10)

Port scanning (3)

Additional Info:

• Decoys -- insert false IP addresses in scan packets • Ping Sweeps -- identify active hosts on a target network

• Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)

(11)

OS detection

Why: To determine what Operating System is in use in order to exploit known vulnerabilities.

• Also known as TCP stack fingerprinting.

• Take advantage of ambiguity of how to handle illegal combinations of TCP code bits that is found in the RFCs. • Each OS responds to illegal combinations in different ways.

(12)

Nmap

Purpose: “To allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.” Available at: http://www.insecure.org/nmap/

(13)

Nmap: What does it do?

• Port scanning • OS detection • Ping sweeps

(14)

Nmap: How does it work?

• Null Scan • ICMP (ping sweep)

• IP Protocol • Reverse-Identification

• SYN sweep • ftp proxy (bounce attack)

• Xmas Tree • TCP SYN (half open)

• ACK sweep • TCP connect()

• FIN • UDP

(15)

Nmap: How does it work? (2)

• Uses the following OS detection techniques • TCP/IP fingerprinting

• stealth scanning

• dynamic delay and retransmission calculations • parallel scanning

• detection of down hosts via parallel pings • decoy scanning

• port filtering detection

• direct (non-portmapper) RPC scanning • fragmentation scanning

(16)

Vulnerability Assessment (1)

Vulnerabilities come from:

• Default configuration weakness • Configuration errors

• Security holes in applications and protocols • Failure to implement patches!

(17)

Vulnerability Assessment (2)

Vulnerability checkers use:

• Database of known vulnerabilities • Configuration tool

• Scanning engine

• Knowledge base of current scan • Report generation tool

(18)

Nessus

Purpose: “To provide to the internet community a free,

powerful, up-to-date and easy to use remote security scanner.”

Security Scanner: “A software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.”

Available platforms: UNIX for client and server Windows for client only

(19)

Nessus: What does it do?

• Iteratively tests a target system (or systems) for known exploitation vulnerabilities

• Uses a separate plug-in (written in C or Nessus Attack scripting Language) for each security test

• Can test multiple hosts concurrently

• Produces a thorough vulnerability assessment report at the conclusion of the vulnerability scan

(20)

What does Nessus check for?

• Backdoors • CGI abuses

• Denial of Service • Finger abuses • FTP

• Gain a shell remotely • Gain root remotely

• Port scanners

• Remote file access • RPC

• SMTP problems • Useless services • Windows

(21)

Summary

Reconnaissance

Scanning

Network Mapping

OS detection

Vulnerability assessment

Cheops, Nmap, Nessus

References

Download now ( PDF - 21 Page - 77.86KB )

Related documents

How To Check If A Port Is Safe For A Password Protected On A Remote Computer

• In a port scan based on SYN packets, the scanner machine sends out SYN packets to the different ports of a remote machine.. When the scanner machine machine receives a SYN+ACK

Determining the farmer demand for olive oil premium support: The case of Izmir, Turkey

The member farmers may receive new information on the policy applications faster and may get more details on how to apply for receiving the premium via the assistance from

VAROVANIE VAROVANIE NEBEZPEČENSTVO

Inštalácia musí byť vykonaná licencovanú plynárenskou firmou a všetky spoje musia byť preskúšané z hľadiska tesnosti pred použitím grilu. Nepoužívajte lak,

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

In Figure 7c a FIN scan is run on a closed port and provided the target host’s TCP/IP stack conforms to the RFC 793 Transmission Control Protocol, a RST packet is sent back to

Design of an Oxygen Flow Meter for Hospital Application

From the full scale design layout, Figure 1, a complete detail drawing was prepared for each component of the instrument. These drawings, located in Appendix IV,

Introduction. Nmap from an Ethical Hacker's View Part 1. By Kirby Tucker

If a scan type is not specified on the command line and Nmap is run from root or administrator, the TCP SYN scan is used by default!. This scan works on all operating systems and is

Network and Services Discovery

Introduction Active Scanning Passive scanning Q and A TCP Port Scanning - Inversed or stealh TCP scan. TCP Port Scanning - Inversed or stealh

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Description It is a network mapper which is used to scan a remote machine through various nmap scanning techniques like TCP connect scan(TCP), Stealth scan (SYN), UDP

Content Distribution Networks (CDN)

internal server firewall client SYN SYN SYN+ACK ACK SYN+ACK ACK SYN data data Application Layer Socket Layer TCP/IP Layer NIC driver NIC Application Layer Socket Layer TCP/IP Layer

Psychological Distress and Pain Reporting in Australian Coal Miners

The models were grouped as follows: (1) one-way ANOVAs that examined the effects of job category, age, experience, and gender on both psychological distress and pain regions; (2)

Effective network security audit trail management

The research formulated several conjectures regarding factors that may lead to faster malware detection times, and described a research plan and a survey instrument to test

Hoofstuk 6: Die boodskap van die boek

Wanneer die verskillende punte waarin die kortverhaal met die novelle ooreen- stem, ook op die Jonaverhaal toegepas word, word dit duidelik dat die Jonateks nie geskiedskrywing of

A quasi-experimental test of an intervention to increase the use of thiazide-based treatment regimens for people with hypertension

A priori, we specified that to be classified as effective, our implementation intervention would have to first, increase the proportion of "eligible" hypertensive

Discovery Scans. Nmap Scan Types. Option Example Description. Nmap Cheat Sheet - Page 1

-sn No port scan; discovery only; use combination of ICMP, ECHO, REQUEST, TCP SYN to port 443; TCP ACK to port 80; and an ICMP timestamp request.. -PS<portlist> Discover

Fixtures and Results. National League 3 London & SE 11/04/2015. London 1 North 11/04/2015. London 1 South 11/04/2015. London 2 North East 11/04/2015

This fixture has been re-arranged from Saturday 28 Feb 2015 Saffron Walden - Rochford Hundred 18/04/2015. London 2

Case 1:12-cv RWZ Document 8 Filed 11/16/12 Page 1 of 8 UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS

Notably, apart from a name change of the defendant, the texts of the complaint and the Motion Subpoena Felony Complaint are substantively identical to other civil actions in this

NATIONAL SUN YAT-SEN UNIVERSITY. College of Science Regulations for Generation of Committee Members

Faculty members of the Departments/Institutes of Chemistry, Physics, Biological Sciences, Applied Mathematics, Biomedical Sciences, as well as Medical Science and Technology

The Seven Essentials of Highly Engaged Alumni

After previous market research offered the Seven Essentials of Highly Engaged Alumni as a tool for understanding alumni engagement and program offerings, a series of

Concurrent and longitudinal contribution of exposure to bullying in childhood to mental health: the role of vulnerability and resilience

Findings This population-based cohort study using a twin differences design (11 108 twins) provides evidence that childhood exposure to bullying directly contributes to multiple

Software Delivery Legacy Guide. (Legacy)

Installation packages (also known as packages) contain products or product components (known as the package’s payload) and installation information used by the Installer application

Evaluating the potential contribution of interdisciplinary obstetrics skills/drills emergency training as a quality improvement initiative: self-reported levels of pre and post- test confidence levels

This study revealed that the use of high fidelity simulation for interdisciplinary obstetrics skills/drills emergency training significantly (P<0.05) impacted on the