DefCon: Network Mapping Techniques Simple Nomad Nomad Mobile Research Centre BindView Corporation

Upload: roxanne-harris

Post on 16-Dec-2015


Page 1: DefCon: Network Mapping Techniques Simple Nomad Nomad Mobile Research Centre BindView Corporation

DefCon: Network Mapping Techniques

Simple Nomad

Nomad Mobile Research Centre

BindView Corporation

Page 2: About This Presentation

Assume basics
– Understand IP addressing
– Understand basic system administration

Tools
– Where to find them
– Basic usage

A “Network” point of view

Page 3: About Me

NMRC: http://www.nmrc.org/
BindView: http://razor.bindview.com/

Page 4: Know Your Target

Public information
Network enumeration
Network mapping

Page 5: Public Information

Public records
WHOIS
DNS
Public postings

Page 6: Network Enumeration

Goals of network enumeration
ICMP
Scanning
TCP Fingerprinting
Additional Probes

Page 7: ICMP

Sweeping a network with Echo
Typical alternates to ping
– Timestamp
– Info Request
Advanced ICMP enumeration
– Host or port unreachable with illegal header length

Page 8: Scanning

Why scan?
Nmap – de facto standard
– Ping sweeps
– Port scanning
– Additional features

Page 9: TCP Fingerprinting

Several different types of packets sent
Various responses come back
Differences can determine OS of remote system
Using just ICMP is possible

Page 10: Additional Probes

Possible security devices
Sweep for promiscuous devices

Page 11: Network Mapping

Determine network layout
Traceroute
Firewalk

Page 12: Bypassing the Firewall

Tools
– Firewalk
– Nmap
Common ports
State table manipulation

Page 13: Avoiding Intrusion Detection

Manipulation of “detected” data
Use of fragmented packets
Triggering false positives, or distraction

Page 14: Connecting the Dots

View each step as a small part of a big picture
Each step is important
Data could be stored for later use

Page 15: Example Intrusion

WHOIS
– DNS server names
Traceroute
DNS zone dump
Host enumeration
Public systems
Initial port scanning

Page 16: WHOIS

# whois [email protected]

Whois Server Version 1.1

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: TARGET-COMPANY.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: NS1.TARGET-COMPANY.COM
Name Server: NS2.TARGET-COMPANY.COM
Updated Date: 06-dec-1999

>>> Last update of whois database: Mon, 20 Mar 00 03:35:14 EST <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Page 17: Traceroute

# traceroute ns1.target-company.com

traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
 1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
 2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
 3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
 4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
 5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
 6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
 7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
 8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms 17.173 ms
 9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms 248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306 ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms

Page 18: Traceroute

# traceroute ns2.target-company.com

traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets
 1 fw-gw (209.197.192.1) 1.770 ms 2.993 ms 0.892 ms
 2 s1-0-17-access (209.197.224.73) 15.440 ms 13.571 ms s1-0-1-access (209.197.224.69) 4.896 ms
 3 dallas.tx.core1.fastlane.net (209.197.224.1) 3.929 ms 6.251 ms 15.821 ms
 4 FE-0.core2.fastlane.net (209.197.224.66) 20.674 ms 15.367 ms 16.170 ms
 5 hs-9-0.a09.dllstx01.us.ra.verio.net (204.214.10.113) 5.514 ms 14.367 ms 8.203 ms
 6 ge-5-0-0.a10.dllstx01.us.ra.verio.net (199.1.141.10) 8.019 ms 20.183 ms 16.466 ms
 7 g6-0.dfw2.verio.net (129.250.31.49) 16.513 ms 17.351 ms 6.854 ms
 8 core4-atm-uni0-0-0.Dallas.cw.net (204.70.10.77) 24.335 ms 16.087 ms 17.605 ms
 9 core2-fddi-0.Dallas.cw.net (204.70.114.49) 6.875 ms 14.039 ms 14.483 ms
10 border6-fddi-0.Dallas.cw.net (204.70.114.66) 146.605 ms 21.045 ms 110.419 ms
11 target-company-inet.Dallas.cw.net (204.70.xxx.xxx) 83.331 ms 34.530 ms 21.363 ms
12 ns1.target-company.com (xxx.xx.x.x) 18.105 ms 13.290 ms 29.042 ms
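Turning the two traces into the map the later slides draw (the "cw" and "swb" Internet routers in front of the target) is mostly parsing: an added example, not code from the talk, that reads traceroute output, counts how many leading hops belong to the scanning host's own path rather than the target's, and reports the last responding router before each target together with its provider. The two traces are constructed, condensed versions of the ones above; load-balanced hops and `* * *` hops are kept rather than dropped.

```python
import re
# Constructed, condensed traces in the format the slides show; the xxx
# placeholders are kept as printed on the slides (not real addresses).
TRACE_NS1 = """traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
 1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
 2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
 3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
 4 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306 ms 17.248 ms
 5 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms
"""
TRACE_NS2 = """traceroute to ns2.target-company.com (xxx.xx.x.x), 30 hops max, 40 byte packets
 1 fw-gw (209.197.192.1) 1.770 ms 2.993 ms 0.892 ms
 2 s1-0-17-access (209.197.224.73) 15.440 ms 13.571 ms s1-0-1-access (209.197.224.69) 4.896 ms
 3 dallas.tx.core1.fastlane.net (209.197.224.1) 3.929 ms 6.251 ms 15.821 ms
 4 * * *
 5 target-company-inet.Dallas.cw.net (204.70.xxx.xxx) 83.331 ms 34.530 ms 21.363 ms
 6 ns2.target-company.com (xxx.xx.x.x) 18.105 ms 13.290 ms 29.042 ms
"""
HEADER_RE = re.compile(r"^traceroute to (\S+) \(([^)]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RESPONDER_RE = re.compile(r"(\S+)\s+\(([^)]+)\)")

def parse_traceroute(text):
    """{'target': name, 'hops': [[(router, addr), ...], ...]}: a hop is a list because
    load-balanced paths answer from several routers; '* * *' becomes an empty list."""
    target, hops = None, []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            target = m.group(1)
        elif m := HOP_RE.match(line):
            hops.append(RESPONDER_RE.findall(m.group(2)))
    return {"target": target, "hops": hops}

def shared_prefix(a, b):
    """Leading hops common to both traces: the scanning host's own upstream, mapped once."""
    n = 0
    for ha, hb in zip(a["hops"], b["hops"]):
        if not ({x for _, x in ha} & {x for _, x in hb}):
            break
        n += 1
    return n

def edge_summary(trace):
    """Last responding router before the target and its provider (last two DNS
    labels, e.g. 'cw.net'); this is how the slides' 'cw'/'swb' routers were placed."""
    before = [h for h in trace["hops"][:-1] if h]
    router = before[-1][0][0] if before else None
    provider = ".".join(router.split(".")[-2:]) if router and not router.split(".")[-1].isdigit() else None
    return {"target": trace["target"], "edge_router": router, "provider": provider}
```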

Page 19: DNS Zone Dump

# nslookup
Default Server: vortex.fastlane.net
Address: 209.197.192.7

> server ns1.target-company.com
Default Server: ns1.target-company.com
Address: xxx.xx.xx.xx

> ls -a TARGET-COMPANY.COM > dump.txt
[ns1.target-company.com]
########################################
Received 40773 answers (0 records).
>

Page 20: Host Enumeration

# ./icmpenum -i 2 -c xxx.xx.218.0

xxx.xx.218.23 is up

xxx.xx.218.26 is up

xxx.xx.218.52 is up

xxx.xx.218.53 is up

xxx.xx.218.58 is up

xxx.xx.218.63 is up

xxx.xx.218.82 is up

xxx.xx.218.90 is up

xxx.xx.218.92 is up

xxx.xx.218.96 is up

xxx.xx.218.118 is up

xxx.xx.218.123 is up

xxx.xx.218.126 is up

xxx.xx.218.130 is up

xxx.xx.218.187 is up

xxx.xx.218.189 is up

xxx.xx.218.215 is up

xxx.xx.218.253 is up

Page 21: Public Systems

www.target-system.com
– www2, www3
ftp.target-system.com
mail.target-system.com

Page 22: Scanning

# nmap -O -T Polite -n xxx.xx.17.11

Starting nmap V. 2.3BETA14 by [email protected] ( www.insecure.org/nmap/ )
Interesting ports on (xxx.xx.17.11):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
79 open tcp finger
110 open tcp pop-3
113 open tcp auth
143 open tcp imap2

TCP Sequence Prediction: Class=truly random
 Difficulty=9999999 (Good luck!)
Remote operating system guess: Linux 2.0.35-37

Nmap run completed -- 1 IP address (1 host up) scanned in 625 seconds

# nmap -O xxx.xx.17.11

Starting nmap V. 2.3BETA14 by [email protected] ( www.insecure.org/nmap/ )
No ports open for host (xxx.xx.17.11)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

Page 23: More Scanning

# nmap -F -sS -v -v -n firewall.target-system.com

Starting nmap V. 2.3BETA14 by [email protected] ( www.insecure.org/nmap/ )

Host (xxx.xx.49.17) appears to be up ... good.

Initiating SYN half-open stealth scan against (xxx.xx.49.17)

Adding TCP port 189 (state Firewalled).

The SYN scan took 270 seconds to scan 1047 ports.

Interesting ports on (xxx.xx.49.17):

Port State Protocol Service

139 filtered tcp netbios-ssn

161 filtered tcp snmp

189 filtered tcp qft

256 filtered tcp rap

257 filtered tcp set

258 filtered tcp yak-chat

Nmap run completed -- 1 IP address (1 host up) scanned in 273 seconds

Page 24: Network Mapping (diagram: Internet routers cw and swb)


Page 26: Network Mapping (diagram: Internet routers cw and swb, Firewall, DMZ, VPN)

Page 27: Network Mapping (diagram: Internet routers cw and swb, Firewall, VPN, DMZ with www and ftp)


Page 29: Network Mapping (diagram: Internet routers cw and swb, Firewall, VPN, DMZ with www and ftp, hosts inside DMZ: Sun, Linux, NT)

Page 30: Network Mapping (diagram: Internet routers cw and swb, Firewall, VPN, DMZ with www and ftp, hosts inside DMZ: Sun, Linux, NT; each device labelled as below)

Linux 2.0.38 – xxx.xx.48.2
AIX 4.2.1 – xxx.xx.48.1
Checkpoint Firewall-1, Solaris 2.7 – xxx.xx.49.17
Checkpoint Firewall-1, Nortel VPN – xxx.xx.22.7
Cisco 7206 – 204.70.xxx.xxx
Nortel CVX1800 – 151.164.x.xxx
IDS?

Page 31: Basic Distributed Attack Models

Attacks that do not require direct observation of the results
Attacks that require the attacker to directly observe the results

Page 32: Basic Model (diagram: Client, Server, Agent; the client issues commands, the server processes commands to agents, the agent carries out commands)

Page 33: More Advanced Model (diagram: Attacker and Target; forged ICMP timestamp requests, ICMP timestamp replies, sniffed replies)
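Seen from the defended network, the ICMP sweeps of page 7 and the forged-source timestamp model on this page leave two distinct traces in border traffic: one source sending echo, timestamp or info requests to many hosts, and timestamp replies arriving for a host that never sent a request (the replies the attacker sniffs elsewhere). This added example, not code from the talk, checks for both over constructed packet summaries; the monitored network 192.0.2.0/24, the record format and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# ICMP types the slides list as sweep probes (echo, timestamp, info request)
# and the reply type that answers each request type.
REQUEST_TYPES = {8: "echo", 13: "timestamp", 15: "info"}
REPLY_OF = {0: 8, 14: 13, 16: 15}
MONITORED = ip_network("192.0.2.0/24")  # assumed: the network being defended

# Constructed packet summaries (seconds, src, dst, icmp_type) as a border
# sensor would record them; all addresses are RFC 5737 documentation ranges.
PACKETS = (
    [(0.1 * i, "203.0.113.9", f"192.0.2.{i}", 13) for i in range(1, 7)]  # timestamp sweep
    + [(2.0 + i, "203.0.113.9", f"192.0.2.{i}", 15) for i in range(1, 3)]  # too few to flag
    + [(5.0, "192.0.2.50", "198.51.100.7", 13), (5.1, "198.51.100.7", "192.0.2.50", 14)]  # legit
    + [(9.0, "198.51.100.20", "192.0.2.77", 14), (9.2, "198.51.100.21", "192.0.2.77", 14)]
)  # last two: replies nobody here asked for, as when 192.0.2.77 is a forged source

def find_sweeps(packets, window=60.0, threshold=5):
    """Sources sending one request type to >= threshold distinct monitored hosts
    within `window` seconds; keyed per type so a timestamp or info-request sweep
    is caught even when the source never sends a single echo request."""
    seen = defaultdict(list)  # (src, type) -> [(t, dst)]
    for t, src, dst, typ in packets:
        if typ in REQUEST_TYPES and ip_address(dst) in MONITORED:
            seen[(src, typ)].append((t, dst))
    alerts = []
    for (src, typ), events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append({"src": src, "probe": REQUEST_TYPES[typ], "hosts": len(hosts)})
                break
    return alerts

def unsolicited_replies(packets, window=30.0):
    """Replies delivered to a monitored host that sent no matching request in
    the preceding window: the trace a site sees when its address is used as the
    forged source of timestamp probes and the replies are sniffed elsewhere."""
    requests = defaultdict(list)  # (requester, responder, type) -> [t]
    alerts = []
    for t, src, dst, typ in packets:
        if typ in REQUEST_TYPES:
            requests[(src, dst, typ)].append(t)
        elif typ in REPLY_OF and ip_address(dst) in MONITORED:
            req = REPLY_OF[typ]
            if not any(0 <= t - r <= window for r in requests.get((dst, src, req), [])):
                alerts.append({"to": dst, "from": src, "reply": REQUEST_TYPES[req]})
    return alerts
```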

Page 34: Even More Advanced Model (diagram: Target, Firewall)

Page 35: Even More Advanced Model (diagram: Target, Firewall, Upstream Host)

Page 36: Even More Advanced Model (diagram: Target, Firewall, Upstream Host, Master Node, three Attack Nodes)

Page 37: Even More Advanced Model (diagram: Target, Firewall, Upstream Host, Master Node, three Attack Nodes; label “Attacks or Probes”)

Page 38: Even More Advanced Model (diagram: Target, Firewall, Upstream Host, Master Node, three Attack Nodes; labels “Attacks or Probes”, “Replies”)

Page 39: Even More Advanced Model (diagram: Target, Firewall, Upstream Host, Master Node, three Attack Nodes; labels “Attacks or Probes”, “Replies”, “Sniffed Replies”)


Page 41: (Mostly) Free Stuff

HackerShield RapidFire Update 208
– With SANS Top Ten checks, including comprehensive CGI scanner
– http://www.bindview.com/products/hackershield/index.html

VLAD the Scanner
– Freeware open-source security scanner, including same CGI checks as HackerShield
– Focuses only on SANS Top Ten
– http://razor.bindview.com/tools/index.shtml

Despoof
– Detects possible spoofed packets through active queries against suspected spoofed IP address
– http://razor.bindview.com/tools/index.shtml

Page 42: Questions, etc.

Thanks to:
– Ofir Arkin
– Donald McLachlan

For followup:
– http://www.nmrc.org/
– http://razor.bindview.com/
– [email protected]
– [email protected]