Post on 21-Dec-2015
TRANSCRIPT
Scanning 1
Scanning
Scanning 2
Attack Phases
Phase 1: Reconnaissance
Phase 2: Scanning
Phase 3: Gaining access
o Application/OS attacks
o Network attacks/DoS attacks
Phase 4: Maintaining access
Phase 5: Covering tracks and hiding
Scanning 3
Scanning
After the recon phase, the attacker has...
o Phone numbers, contact info
o Domain names, IP addresses
o Maybe some details about infrastructure
Next, scanning
o Like a burglar trying doors and windows
Scanning 4
Scanning
Good guys
o Must secure every entry point
o Must work in a dynamic environment
o Must deal with those pesky users
Attacker
o Only needs to find one hole
o Can take as long as necessary
"Sadly unfair" (all-too-common in security)
Scanning 5
Scanning Techniques
War driving
War dialing
Network mapping
Port scanning
Vulnerability scanning
IDS and IPS (and evading them)
Scanning 6
War Driving
Scan for wireless access points
o Preferably, not secured WLANs
War driving started by Peter Shipley
o Drove around Bay Area in 2001
Now a very popular activity
o Defcon has a WarDriving contest (including map of open access points)
Scanning 7
War Driving
Must be within 100 yards or so to reliably send/receive on a WLAN
o But, detectable from a mile or more
War driver wants to find the ESSID of the WLAN
o ESSID == Extended Service Set Identifier
o ESSID is the WLAN's "name"
o ESSID acts like a password (almost): a client must present it to associate, but it is not a secret
o By default, ESSID is sent in the clear (in beacon frames)
o Can configure access point to not send ESSID in beacons...
Scanning 8
War Driving
802.11 "probe" message
o Client is required to send the ESSID in a probe request
o But send "any" (the empty, broadcast ESSID) and...
o ...some access points respond with their ESSID!
So, Trudy simply asks for the ESSID
o And sometimes she gets it
Can configure access point to accept only approved client MAC addresses
o I.e., the client's MAC address must be on an approved list (note: the BSSID, Basic Service Set Identifier, is the access point's own MAC address, not a client list)
o This helps, but only a little, since MAC addresses are easily spoofed
Scanning 9
War Driving
Many tools available
Three basic techniques
o Active scanning
o Passive scanning
o Forced de-authentication
Tools use one (or more) of these
Scanning 10
NetStumbler
Active 802.11 scanning tool
o Sends "probe" packets with "any" ESSID
o Access point within range might respond
o Like "running down the street shouting..."
For Windows 2000; also a version for PDAs
Optionally uses GPS to locate access points
One hour in NYC: found 455 access points
Scanning 11
NetStumbler
Gathers MAC address, ESSID, channel, and signal strength
o Also, IP address (using DHCP)
o Whether it is using WEP or not
Limitations
o Many access points ignore "any" ESSID
o Highly unstealthy
Scanning 12
Wellenreiter
Passive scanning tool
Puts wireless card in rfmon mode
o Aka "monitor mode"
o Better than promiscuous mode: the card captures every 802.11 frame on the channel, management frames included
o Gets everything---no connection needed
o Even if data is encrypted (WEP), ESSID is still sent in the clear in management frames
Can dump packets into Wireshark
Also interfaces with GPS
Scanning 13
Wellenreiter
Gets ESSID, MAC, IP addresses
o Entirely passive
If access point not sending ESSID
o "Non-broadcasting", name is unknown...
o ...until a client "authenticates" (associates) to the access point, since the client sends the ESSID in the clear
Related tool: Kismet
o Detailed packet analysis, not just war driving
Scanning 14
Wellenreiter
Scanning 15
Forced De-authentication
Suppose that a particular access point...
o Does not accept "any"
o Does not broadcast ESSID
o Clients have previously authenticated
o No clients currently communicating
Invisible to NetStumbler, "non-broadcasting" to Wellenreiter
What can Trudy do?
Scanning 16
ESSID-Jack
Assuming Trudy has the access point's MAC address
o Get MAC from Wellenreiter, Kismet
De-authentication requires no "authentication"
o That is, the ESSID is not required
o Only need the access point's MAC address (802.11 management frames are not authenticated, absent 802.11w)
ESSID-Jack sends a spoofed de-authentication message
Then what happens?
Scanning 17
ESSID-Jack
Client(s) automatically re-authenticate
o The re-association carries the ESSID in the clear
o ESSID-Jack gets the ESSID
o So Trudy gets the ESSID
Scanning 18
War Driving Defenses
Set ESSID to a nondescript name
o 1234 instead of BankOfAmerica
Do not broadcast ESSID
Require authentication
MAC address for authentication?
o Easily spoofed
o Unix/Linux tool: SirMACsAlot
Scanning 19
WEP
WEP == Wired Equivalent Privacy
WEP uses RC4 for confidentiality
o Considered a strong cipher (at the time)
o But WEP introduces a subtle flaw in the way it keys RC4 per packet
WEP uses CRC for "integrity"
o Should have used a keyed cryptographic hash (a MAC) instead
o CRC is for error detection, not integrity
Scanning 20
WEP Integrity Problems
WEP "integrity" does not provide integrity
o CRC is linear, and so is stream cipher XOR
o Can change ciphertext and the (encrypted) CRC so that the checksum remains correct --- undetected
o This requires no knowledge of the plaintext!
o Even worse if plaintext is known
CRC is not a cryptographic integrity check!
o CRC designed to detect random errors
o Not designed to detect intelligent changes
Scanning 21
WEP Key
WEP encryption: long-term secret key, K
RC4 is a stream cipher, so each packet must be encrypted using a different key
o Initialization Vector (IV) sent with packet
o Sent in the clear (IV is not secret)
Actual RC4 key for packet is (IV, K)
o That is, IV is pre-pended to K
Scanning 22
Initialization Vector "Issue"
WEP uses 24-bit (3 byte) IV
o Each packet gets a new IV
o RC4 packet key: IV pre-pended to long-term key, K
Long-term key K seldom (if ever) changes
If long-term key and IV are the same, then the same keystream is used
o This is bad!
o It is at least as bad as reuse of a one-time pad
Scanning 23
Initialization Vector "Issue"
Assume 1500 byte packets, 11 Mbps link
Suppose IVs generated in sequence
o Then 1500 × 8 / (11 × 10^6) × 2^24 ≈ 18,000 seconds
o Implies IV must repeat in about 5 hours
Suppose IVs generated at random
o By the birthday problem, some IV repeats in seconds (about a 50% chance after roughly 4,800 packets)
Again, repeated IV (with same K) is bad!
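To put numbers on both cases, here is a short added Python example (not from the slides): it computes the sequential-IV wrap time for the slide's 1500-byte, 11 Mbps assumptions and the birthday-bound packet count for random IVs. The 50% collision threshold and the saturated-link assumption are mine.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible WEP IVs


def seconds_to_exhaust_ivs(packet_bytes=1500, link_bps=11_000_000):
    """Sequential IVs on a saturated link: time until the 24-bit counter wraps."""
    return packet_bytes * 8 / link_bps * IV_SPACE


def collision_probability(n, space=IV_SPACE):
    """Birthday bound: P(some IV repeats) among n IVs drawn uniformly at random."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def packets_for_collision(p=0.5, space=IV_SPACE):
    """Smallest n for which collision_probability(n) >= p."""
    n = int(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))
    while collision_probability(n, space) < p:
        n += 1
    return n


def seconds_to_collision(p=0.5, packet_bytes=1500, link_bps=11_000_000):
    """Random IVs: wall-clock time until a repeat is likely on a saturated link."""
    return packets_for_collision(p) * packet_bytes * 8 / link_bps
```

With the slide's parameters the sequential counter wraps after roughly 18,300 seconds (about 5.1 hours), while random IVs reach a 50% repeat probability after about 4,824 packets, a little over five seconds of link time.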
Scanning 24
WEP Active Attacks
WEP: "Swiss cheese" of security protocols
If Trudy can insert traffic and observe the corresponding ciphertext
o Then she will know the keystream for that IV
o And she can decrypt the next msg that uses that IV
If Trudy knows the destination IP address
o She can change the IP address in the ciphertext (XOR in the difference between old and new address)
o And modify the encrypted CRC so it is correct
o Then the access point will decrypt and forward the packet to Trudy's selected IP address!
o Requires no knowledge of the key K
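The ICV malleability behind both the integrity slide and the redirect attack, as an added Python example (not the slides' or any tool's code). RC4 is implemented inline so it runs offline; the 40-bit key, the IV and the IPv4 packet are constructed, and the attacker is assumed to know only the original destination address, as the slide states. The IP header checksum is left at zero for clarity; a real redirect must also compensate that checksum, which the slide glosses over.

```python
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream (KSA + PRGA): n bytes for the given key. Demo only."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || K) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """What the access point does: returns (plaintext, icv_ok)."""
    iv, enc = frame[:3], frame[3:]
    body = xor(enc, rc4(iv + key, len(enc)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext, tag == icv(plaintext)


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for equal-length inputs."""
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def flip_frame(frame: bytes, delta: bytes) -> bytes:
    """Attacker: XOR delta into the encrypted plaintext and fix the encrypted ICV.
    Since crc(P ^ delta) = crc(P) ^ crc(delta) ^ crc(0^n), the ICV correction
    crc(delta) ^ crc(0^n) depends only on delta: no key, no plaintext needed."""
    iv, enc = frame[:3], frame[3:]
    n = len(enc) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    correction = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    return iv + xor(enc, delta + struct.pack("<I", correction))


def redirect_demo():
    """Rewrite the destination IP of a WEP-protected IPv4 packet without K.
    Constructed key, IV and packet; the attacker knows only old_dst."""
    key = b"\x01\x02\x03\x04\x05"       # long-term secret K, never seen by the attacker
    iv = b"\x11\x22\x33"
    old_dst, new_dst = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 9])
    # IPv4 header (20 bytes; dst at offset 16) plus a 12-byte payload.
    header = bytes.fromhex("45000020000100004011") + b"\x00\x00" + bytes([10, 0, 0, 1]) + old_dst
    packet = header + b"hello world!"
    frame = wep_encrypt(key, iv, packet)

    delta = bytes(16) + xor(old_dst, new_dst) + bytes(len(packet) - 20)
    forged = flip_frame(frame, delta)                 # attacker's work: no K involved
    naive = iv + xor(frame[3:], delta + bytes(4))     # same flip, ICV left unfixed

    original_plain, original_ok = wep_decrypt(key, frame)
    forged_plain, forged_ok = wep_decrypt(key, forged)
    return {
        "original_ok": original_ok,
        "forged_ok": forged_ok,
        "naive_flip_ok": wep_decrypt(key, naive)[1],
        "forged_dst": forged_plain[16:20],
        "rest_untouched": forged_plain[:16] + forged_plain[20:]
                          == original_plain[:16] + original_plain[20:],
    }
```

The forged frame passes the access point's ICV check and decrypts to the same packet with only the destination address changed; the naive flip, with the ICV left alone, is rejected. The only cryptographic fact used is that CRC-32 is affine over GF(2), which `crc_is_affine` checks directly.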
Scanning 25
War Driving Defenses
WEP is of limited value
WPA (Wi-Fi Protected Access)
o TKIP: still RC4, but 48-bit IV, per-packet key mixing, "MIC" (named Michael) for integrity, replay protection, etc.
o Works with same hardware as WEP
802.11i (or WPA2)
o Like WPA but crypto is better (AES-CCMP)
o Requires different hardware than WEP
Can try to detect unusual activity
Turn down the volume... (reduce transmit power)
Scanning 26
Wireless Security
VPN == Virtual Private Network
o Secure "tunnel" between endpoints
o Not wireless-specific
o But can be used to secure wireless
VPN provides an extra layer of security
o On top of WEP or WPA
o Author says, do not use IKE pre-shared keys in aggressive mode (the exchange exposes a hash of the pre-shared key to offline cracking)
Scanning 27
War Dialing
Dial lots of phone numbers
o Looking for unprotected modems
o One PC can scan 1k numbers/night
The movie War Games (circa 1983)
o Kid tries to break into game company...
o ...and accidentally nearly starts WWIII
o Plot (such as it is) hinges on war dialing
Scanning 28
War Dialing
Can this possibly still be an issue?
o User might want to bypass annoying VPN
o Admin might want remote access
User might install remote access tool
o pcAnywhere, for example
o Only protection from war dialer is a password?
Scanning 29
War Dialing
How to find phone numbers to try?
o Internet, Whois database, organization's Web site, social engineering, ...
Maybe try numbers with same prefix
Easy to test 1,000s of numbers
Scanning 30
THC-Scan Free war dialing tool
Scanning 31
THC-Scan
Can dial in sequence, at random, or from a list
o "Random" to avoid detection
Parallel processing on multiple machines
Nudging
o Send characters to the answering modem to try to determine useful info (what is on the other end)
Can randomize interval between dialing
Detect jamming (based on busy signals)
If a human answers, "hangs up" (click)
Scanning 32
THC-Scan
Not too user-friendly
o User must look at logs
Some numbers...
o Might not require any password
o Might require special software (pcAnywhere)
o Such info gathered via "nudging"
If password is required,
o Trudy can try password cracking
Scanning 33
War Dialing Defenses
Modem policy
o When possible, use VPN
If possible, allow dial-out only
War dial against yourself
o Find modems before attacker does
o For Windows, can use Windows Management Instrumentation (WMI) scripts to inventory installed modems
Visual inspection
Scanning 34
Network Mapping
At this point, attacker is either...
On the outside looking in
o I.e., on Internet looking at target DMZ
Or has inside access
o Attached to WLAN found war driving
o Connected via a modem found war dialing
Next step is to analyze target network
o Looking for potential targets
o Critical hosts, routers, firewalls, ...
Scanning 35
Network Mapping
Mapping tools will be aimed wherever attacker can reach
o If outside, map DMZ, Web server, etc.
o If inside, map internal network
In either case, same tools
o Similar methods
Scanning 36
Sweeping
Want an inventory of accessible systems
Could ping every possible address
o But often blocked by firewall
Send TCP packets to common port(s)
o Look for SYN-ACK (open) or RESET (closed) to come back; either one means the host is alive
Send UDP packets to an unusual port
o If closed, may get ICMP "port unreachable"
o But, maybe nothing is sent back
Scanning 37
Traceroute
TTL field in IP header
o Decremented by each router
When TTL reaches 0...
o Router drops packet
o Sends ICMP time exceeded msg to source
Traceroute sends packets with TTL = 1, 2, 3, ... and records who replies at each step
o UNIX: traceroute uses UDP packets (to high, normally unused ports)
o Windows: tracert uses ICMP echo request packets
Scanning 38
Traceroute
Map routers from source to dest (figure)
Scanning 39
tracert in Windows (figure)
Scanning 40
Ping and Traceroute
Might find, for example: (figure)
Scanning 41
Automated Tool
Cheops-ng
o Free
o Pretty pictures
o Lots of info (type of OS ...)
o Useful for admins too
Scanning 42
Network Mapping Defenses
Block incoming ICMP packets
o Except those you want outsiders to ping
Block outgoing ICMP time exceeded
o Except for specific addresses
o Then traceroute shows "* * *" for those hops
Limits attacker's ability to map network
o Also limits good uses of these features
Scanning 43
Port Scanning
At this point, attacker knows...
o Addresses of live systems
o Basic network topology
Now what?
Assume Trudy is an outsider
Trudy wants to determine open ports
o 65,535 TCP ports and 65,535 UDP ports
o Well-known ports correspond to services
o Open port is a doorway into machine
Scanning 44
Port Scanning
Port scanning
o Knock on "doors" (ports) to see which are open
Why not simply try all TCP and UDP ports?
o Not stealthy
Instead can try a limited range
o More stealthy, but might miss something
Could instead just go slow
o Maybe too slow (or Trudy is too impatient)
Distributed port scan?
Scanning 45
Nmap
Nmap --- most popular port scan tool
o Developed by Fyodor
o Free at www.insecure.org
o Unix, Linux and Windows versions
o Command line and GUI
o Appeared in The Matrix Reloaded
Many many options...
Scanning 46
Nmapfe
“Nmap front end”
Scanning 47
TCP 3-Way Handshake Recall the 3-way handshake…
Scanning 48
TCP Connect Scan
"Polite scan": complete the TCP 3-way handshake
o Nmap sends SYN, waits for SYN-ACK
o If port is open, Nmap sends ACK (connection established), then closes the connection
o If closed, host replies RESET; if filtered, no reply or ICMP unreachable
Plusses?
o Should not cause problems for target; needs no special privileges (uses the OS connect() call)
Minuses?
o Not stealthy, Trudy's IP address in application logs, etc.
Scanning 49
TCP SYN Scans
Nmap sends SYN
o Gets SYN-ACK (open), RESET (closed), ICMP unreachable or nothing (filtered)
o In any case, Nmap sends RESET instead of completing the handshake
o I.e., only 2/3rds of 3-way handshake completed ("half-open" scan)
Plusses?
o Stealthier (may not be logged by host, since the application never sees a connection)
o Faster, fewer packets
Minuses?
o Accidental DoS attack? (half-open connections on some old stacks)
o Needs raw-socket (root) privileges
Scanning 50
FIN Scan
FIN scan
o Send FIN for a non-existent connection
o Port closed: protocol (RFC 793) says send RESET
o Port open: protocol says ignore the packet
o No reply may indicate port is open (or that a firewall dropped the probe)
Scanning 51
Xmas Tree and Null Scans
Xmas tree scan
o Packet "lit up" with flag bits set: Nmap's -sX sets FIN, PSH and URG (some tools set every flag: URG, ACK, PSH, RST, SYN, FIN)
Null scan
o Send packet with no flag bits set
Both of these violate protocol
Expect same behavior as FIN scan
Note: These do not work against Windows
o Since Windows does not follow the RFCs: it sends RESET regardless of port state, so every port looks closed
Scanning 52
TCP ACK Scan
Simpleminded (stateless) packet filter might...
o Allow outbound connections and the replies to them ("established" traffic)
o Block incoming packets if ACK bit not set
Scanning 53
TCP ACK Scan
Packet filter assumes
o ACK bit set implies an established connection
How can Trudy take advantage of this?
Send packets with ACK bit set!
o These pass thru the filter on ports it treats as "established"
o Allows for a simple port scan of the firewall's rules
Scanning 54
TCP ACK Scan
No response / ICMP unreachable: filtered
RESET if port is not filtered (the host answers RESET whether the port is open or closed)
Scanning 55
TCP ACK Scan
Trudy learns...
o Kinds of established connections that are allowed thru packet filter
ACK scan used to determine filtering rules
ACK scan not so useful for scanning open ports on a host
o Different OSs respond differently
o Some RESET if port is open, some if port closed
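A response model for the scan types above (connect/SYN, FIN, Xmas, Null, ACK), as an added Python example that is not Nmap's code: an RFC 793 target behind a simpleminded stateless filter, and the inference the scanner draws from each reply. The lab host, its open ports and the filter rules are constructed; the rfc_compliant flag models the Windows behaviour noted above. No packets are sent.

```python
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBES = {
    "syn": SYN,                 # half-open scan
    "connect": SYN,             # same probe; the scanner completes the handshake afterwards
    "fin": FIN,
    "xmas": FIN | PSH | URG,    # Nmap's -sX flag set
    "null": 0,
    "ack": ACK,
}


class StatelessFilter:
    """Admits new connections on allow_new; admits anything with ACK set on
    allow_established (no state, so ACK is taken to mean 'established')."""

    def __init__(self, allow_new, allow_established):
        self.allow_new = set(allow_new)
        self.allow_established = set(allow_established)

    def passes(self, port, flags):
        if flags & ACK:
            return port in self.allow_established
        return port in self.allow_new


class Host:
    def __init__(self, open_ports, rfc_compliant=True):
        self.open_ports = set(open_ports)
        self.rfc_compliant = rfc_compliant   # False: Windows-style stack

    def respond(self, port, flags):
        """Reply to a probe: 'SYN-ACK', 'RST' or None (silently ignored)."""
        if flags & ACK:
            return "RST"            # no such connection, whether the port is open or closed
        if flags & SYN:
            return "SYN-ACK" if port in self.open_ports else "RST"
        # FIN, Xmas and Null probes: neither SYN n&#8203;or ACK set
        if not self.rfc_compliant:
            return "RST"            # Windows answers RST regardless of port state
        return None if port in self.open_ports else "RST"


def interpret(scan_type, reply):
    """The scanner's inference, using Nmap's result labels."""
    if scan_type in ("syn", "connect"):
        return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan_type == "ack":
        return "unfiltered" if reply == "RST" else "filtered"
    # fin / xmas / null: silence is ambiguous
    return "closed" if reply == "RST" else "open|filtered"


def run_scan(host, filt, scan_type, ports):
    """Probe each port once and return {port: verdict}."""
    flags = PROBES[scan_type]
    results = {}
    for port in ports:
        reply = host.respond(port, flags) if filt.passes(port, flags) else None
        results[port] = interpret(scan_type, reply)
    return results


# Constructed lab: ssh and web open, telnet and smtp closed; the filter admits new
# connections only to 22/23/80 but lets "established" (ACK) traffic reach more ports.
LAB_HOST = Host(open_ports={22, 80})
LAB_FILTER = StatelessFilter(allow_new={22, 23, 80}, allow_established={22, 23, 25, 80, 443})
LAB_PORTS = [22, 23, 25, 80, 443, 8080]
```

Run the three scans against the lab and the slides' points fall out: the SYN scan separates open, closed and filtered; the FIN scan cannot tell an open port from a filtered one (both are silent); the ACK scan reports every port the filter passes as "unfiltered", including closed ones, and says nothing about what is listening. Against a Windows-style host every FIN/Xmas/Null probe comes back RST, so the whole range reads as closed.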
Scanning 56
FTP Bounce Scan
Obscures source of scan
o So Trudy's address is not logged (the FTP server's address is)
o Stealthy
Relies on FTP forwarding
o Via the FTP PORT command, a user can ask the server to open its data connection to another machine (and port)
o Mostly disabled today
Scanning 57
FTP Bounce Scan
FTP server informs attacker of result (e.g., "can't build data connection" means the port was closed)
Scanning 58
Idle Scanning
Suppose no forwarding FTP server
Another way to obscure source of scan
IP header has ID field
o Used to group fragments together
o ID must be unique per packet (while its fragments may be in flight)
o Often just an incrementing counter (Windows, many older stacks)
Scanning 59
Idle Scanning
Pick a machine to blame for the scan (the "zombie")
Blamed machine...
o Attacker must be able to send/receive to it
o Must have predictable IP IDs
o Mostly idle, does not send much traffic (why?)
o So IP IDs are predictable: every packet it sends bumps the counter by one, and no other traffic interferes
Make it look like this machine scans
o See next slide
Scanning 60
Idle Scanning Prepare to scan
Scanning 61
Idle Scan
For the scan...
Attacker sends spoofed SYN to target
o "Source" is the blamed machine
o Selected port
Port listening: target sends SYN-ACK to the blamed machine
o Blamed machine sends RESET to target (consuming one IP ID)
Port closed: target sends RESET (or nothing) to the blamed machine
o Blamed machine sends nothing
So what???
Scanning 62
Idle Scanning
Recall, last IP ID is X (next is X + 1): probe the blamed machine again; if its ID jumped by 2, the target's port was open; if by 1, closed (figure)
Scanning 63
Idle Scan
Very clever!
Nmap automates this (-sI)
May need to repeat multiple times
o If blamed guy is not "idle enough"
May want to use several blamed guys
Other improvements?
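The idle scan walked through end to end, as an added Python simulation (not Nmap's implementation). The zombie, the target, their addresses and ports are constructed; the noise_per_tick parameter and the calibration step are my additions, to show why the blamed machine must be idle and one way a scanner can compensate when it is not.

```python
ATTACKER = "203.0.113.7"   # constructed; never appears as a source at the target


class Zombie:
    """Idle host with a single, globally incrementing IP ID counter."""

    def __init__(self, addr, noise_per_tick=0):
        self.addr, self.ip_id, self.noise = addr, 1000, noise_per_tick

    def next_id(self):
        self.ip_id += 1
        return self.ip_id

    def tick(self):
        for _ in range(self.noise):      # unrelated outbound traffic also burns IDs
            self.next_id()

    def receive(self, pkt):
        if pkt["flags"] == "SYN-ACK":    # no such connection: answer RST, burning an ID
            return {"src": self.addr, "dst": pkt["src"], "flags": "RST", "ip_id": self.next_id()}
        return None                      # an unsolicited RST is silently dropped


class Target:
    def __init__(self, addr, open_ports):
        self.addr, self.open_ports, self.seen_sources = addr, set(open_ports), []

    def tick(self):
        pass

    def receive(self, pkt):
        self.seen_sources.append(pkt["src"])
        if pkt["flags"] != "SYN":
            return None
        flags = "SYN-ACK" if pkt["dport"] in self.open_ports else "RST"
        return {"src": self.addr, "dst": pkt["src"], "flags": flags}


class Network:
    def __init__(self, *hosts):
        self.hosts = {h.addr: h for h in hosts}

    def send(self, pkt):
        """Deliver pkt, deliver any reply it provokes, and return that reply."""
        host = self.hosts.get(pkt["dst"])
        reply = host.receive(pkt) if host else None
        if reply is not None:
            self.send(reply)             # e.g. the zombie's RST travelling to the target
        return reply

    def tick(self):
        for h in self.hosts.values():
            h.tick()


def probe_zombie(net, zombie_addr):
    """Nmap's trick: a SYN-ACK to the zombie; its RST reveals the current IP ID."""
    rst = net.send({"src": ATTACKER, "dst": zombie_addr, "flags": "SYN-ACK"})
    return rst["ip_id"]


def idle_scan(net, zombie_addr, target_addr, port, calibrate=True):
    """Return 'open' or 'closed|filtered' for target:port, via the zombie's counter."""
    baseline = 1                          # one ID for the RST that answers the second probe
    if calibrate:                         # measure the zombie's own drift over the same two ticks
        first = probe_zombie(net, zombie_addr)
        net.tick(); net.tick()
        baseline = probe_zombie(net, zombie_addr) - first
    before = probe_zombie(net, zombie_addr)
    net.tick()
    net.send({"src": zombie_addr, "dst": target_addr, "dport": port, "flags": "SYN"})  # spoofed
    net.tick()
    delta = probe_zombie(net, zombie_addr) - before
    return "open" if delta - baseline == 1 else "closed|filtered"
```

With a truly idle zombie the counter moves by 2 for an open port and by 1 for a closed one, so the uncalibrated rule works. With a zombie that emits one packet per tick the uncalibrated rule misreads an open port as closed; calibrating against the zombie's own drift first restores the answer, which is the kind of "improvement" the slide asks about. The target's log of source addresses never contains the attacker.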
Scanning 64
UDP?
Much simpler, so fewer scan options
Not so easy to violate protocol
Nmap provides "polite scan"
o Not stealthy
If ICMP port unreachable, port is closed
If a UDP packet is sent back, then port is open
If nothing comes back... don't know (open or filtered)
Scanning 65
Version Scanning
Nmap detects service/software on a port
o In case service does not use official port
o And to determine software version
o Can determine services that use SSL
After 3-way handshake, service usually identifies itself (banner)
o If not, Nmap sends some probing packets
o UDP services are similarly easy to ID
Scanning 66
Ping Sweeps
Nmap provides ping sweeps too
If incoming ICMP blocked, Nmap does sweep using TCP packets
o To find live hosts, not as a port scan
Scanning 67
RPC Scans
Nmap can scan for RPC applications
o RPC is for distributed apps
o Makes distributed apps easy to program
Scanning 68
RPC Scans
Familiar RPC services (Linux/UNIX)
o rpc.rstatd: performance stats from kernel
o rwalld: msgs to logged-in users
o rup: uptime and load avg of a server
o sadmind: older service for Solaris admin
o rpc.statd: used with NFS
Many vulnerabilities in RPC
o RPC scan may provide useful info to attacker
Scanning 69
Source Port
Nmap can set source port
o To avoid filtering at target
Might set source port to 80 or 25
o Looks like Web traffic, email
Source port 20 also useful
o Looks like FTP data connection
o Why FTP?
Scanning 70
FTP
Difficult for simple packet filter
o Due to control connection (port 21) and separate data connection (server port 20 back to the client), so filters often allow inbound packets from source port 20
UDP port 53 (DNS) also a good choice
Scanning 71
Decoys
Spoofed source addresses
If attacker uses n decoys
o Then n + 1 packets sent to each port
o One with correct source address (except for FTP bounce or idle scans)...
o ...and n with specified spoofed sources
What good does this do? (Target's logs show n + 1 possible scanners)
Scanning 72
Active OS Fingerprinting
Attacker wants to know the OS
How to do this?
RFCs do not specify everything
o E.g., how to respond to illegal combinations of TCP control bits
o Nmap knows the inconsistencies
Scanning 73
Active OS Fingerprinting
Nmap uses the following
o SYN packet to open port
o NULL packet to open port
o SYN|FIN|URG|PSH to open port
o ACK to open port
o FIN|PSH|URG to closed port
o UDP packet to closed port
Scanning 74
Active OS Fingerprinting
Predictability of initial sequence numbers also used by Nmap
o Nmap has database of > 1000 platforms
Xprobe2 --- active OS fingerprinting tool
o Stealthier and more accurate than Nmap (per the author)
Passive OS fingerprinting is possible
o No traffic sent to target
o Sniff packets sent by target
o This is covered in Chapter 8
Scanning 75
Nmap Timing Options
Paranoid --- one packet per 5 minutes
Sneaky --- one packet per 15 seconds
Polite --- one packet per 0.4 seconds
Normal --- as quickly as possible
Aggressive --- wait max of 1.25 sec for reply
Insane --- wait max of 0.3 sec for reply
o Will lose packets, resulting in false negatives
Timing also customizable
Scanning 76
Fragmentation Nmap also allows fragmentation Helps against some IDS systems
o Discuss later…
Scanning 77
Port Scanning Defenses
Harden the system
o Close unused ports
o Minimize services/tools
o Check ports in use
Scanning 78
Port Scanning Defenses
Scan yourself using Nmap
o But this can cause problems
Use more intelligent firewalls
o Stateful packet filters or proxies...
o ...instead of (stateless) packet filters
Scanning 79
Firewalk
Determines what gets thru firewall
o Assuming a packet filter firewall
Nmap vs Firewalk
o Nmap does port scan of hosts
o What happens if you Nmap a firewall?
o Tells you ports the firewall itself is listening on
o But, you want to know filtered ports
Scanning 80
Firewalk
Nmap vs Firewalk
But what about Nmap ACK scan?
o Attacker learns which ports firewall allows established connections on
o But SYN packets might be dropped
Firewalk tells attacker ports that firewall allows new connections on
o More useful info to attacker
Scanning 81
Firewalk
Requires 2 IP addresses
o Address before filtering takes place (i.e., external address of firewall)
o Destination on other side of firewall
Firewalk has 2 phases
o Network discovery (like traceroute)
o Actual scanning
Scanning 82
Firewalk Network discovery phase
o Use TTL to find hops to firewall
Scanning 83
Firewalk
Scanning phase
o Packet sent to host behind firewall with TTL one greater than the hop count to the firewall
o If the firewall passes it, the next hop sends ICMP time exceeded; if not, silence
o Note: this works even if NAT is used
Scanning 84
Firewalk
TTL field crucial to Firewalk
Packet filters and stateful packet filters both decrement TTL field
o So Firewalk can work against these
Application proxy firewall?
o Proxy does not forward packet
o Instead, creates a new packet (with a fresh TTL)... so what?
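The TTL mechanics of both phases, and why an application proxy defeats them, as an added Python simulation (not Firewalk's code). The topology, addresses and ACL are constructed; the assumption that a filter expires TTL before applying its ACL, and that it drops denied packets silently, is mine.

```python
ATTACKER = "203.0.113.5"   # constructed


class Router:
    def __init__(self, addr):
        self.addr = addr

    def forward(self, pkt):
        """Decrement TTL; on expiry return an ICMP time-exceeded event, else the packet."""
        pkt = dict(pkt, ttl=pkt["ttl"] - 1)
        if pkt["ttl"] == 0:
            return ("time-exceeded", self.addr), None
        return None, pkt


class PacketFilter(Router):
    """Stateless or stateful packet filter: routes like a router, then applies an ACL.
    Denied packets are dropped silently."""

    def __init__(self, addr, allowed_ports):
        super().__init__(addr)
        self.allowed = set(allowed_ports)

    def forward(self, pkt):
        event, pkt = super().forward(pkt)
        if event or pkt["dport"] not in self.allowed:
            return event, None
        return None, pkt


class ApplicationProxy(PacketFilter):
    """Proxy terminates the connection and re-originates it: fresh TTL, its own source."""

    def forward(self, pkt):
        event, pkt = super().forward(pkt)
        if pkt is None:
            return event, None
        return None, dict(pkt, ttl=64, src=self.addr, proxied=True)


def send(path, pkt):
    """Push pkt along path (hop objects, then the destination host's address).
    Returns what the original sender can observe: an ICMP event, or None."""
    for hop in path[:-1]:
        event, pkt = hop.forward(pkt)
        if pkt is None:
            return event
    # Delivered. Replies go to pkt["src"]; behind a proxy that is the proxy, not us.
    return None if pkt.get("proxied") else ("delivered", path[-1])


def hops_to_gateway(path, gateway_addr, max_ttl=30):
    """Phase 1, traceroute-style: smallest TTL at which the gateway itself answers."""
    for ttl in range(1, max_ttl + 1):
        event = send(path, {"src": ATTACKER, "ttl": ttl, "dport": 33434})
        if event == ("time-exceeded", gateway_addr):
            return ttl
    return None


def firewalk(path, gateway_addr, ports):
    """Phase 2: probe each port with TTL = hops + 1. A time-exceeded from beyond the
    gateway means the filter passed the packet ('A!' in Firewalk's output)."""
    hops = hops_to_gateway(path, gateway_addr)
    if hops is None:
        raise RuntimeError("gateway not found")
    verdict = {}
    for port in ports:
        event = send(path, {"src": ATTACKER, "ttl": hops + 1, "dport": port})
        verdict[port] = "open" if event and event[0] == "time-exceeded" else "filtered"
    return verdict


def lab(gateway_cls):
    """Constructed topology: attacker -> R1 -> gateway -> R2 -> host (10.0.0.50)."""
    r1 = Router("198.51.100.1")
    gw = gateway_cls("198.51.100.2", allowed_ports={25, 80, 443})
    r2 = Router("10.0.0.1")
    return [r1, gw, r2, "10.0.0.50"], gw.addr
```

Against the packet filter, phase 1 finds the gateway two hops away and phase 2 gets a time-exceeded from the internal router 10.0.0.1 for exactly the ports the ACL permits, and silence for the rest. Swap in the proxy and every port reads "filtered": the packet that crosses it starts over with TTL 64 and belongs to the proxy, so nothing behind the gateway ever answers the attacker. That is the "so what" of the slide.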
Scanning 85
Firewalk
How can Trudy use Firewalk results?
To install software, must know which ports can be used
Scan for new services on open ports
o Example: firewall passes SSH (TCP port 22), but no SSH service is currently listening behind it
o If an admin temporarily activates SSH, a later scan will find it
Scanning 86
Firewalk Defenses
Learn to live with it
o Since based on TCP/IP fundamentals
o Focus on better firewall rules/mgmt
Use proxy-based firewall
o Might create problems
o Likely to be much slower
Scanning 87
Attack So Far...
Trudy knows
o Addresses of live hosts (ping, Cheops-ng)
o Network topology (Traceroute, Cheops-ng)
o Open ports on live hosts (Nmap)
o Services & version numbers (Nmap)
o OS types (Nmap, Xprobe2)
o Ports open thru firewall (Firewalk)
Scanning 88
Vulnerability Scanning
Now what?
Trudy wants to know vulnerabilities
Tools automate the process
o Connect to host, test for vulnerabilities
Types of vulnerabilities
o Configuration errors
o Default configuration weaknesses
o Well-known (published) vulnerabilities
100s to 1000s of vulnerabilities
Scanning 89
Vulnerability Scanning Tools
Tools typically employ the following
o Vulnerability database
o User configuration
o Scanning engine
o Knowledge base of current scan
o Results/report/repository
Scanning 90
Vulnerability Scanning Tools
Scanning 91
Vulnerability Scanning Tools
Commercial tools include...
o Harris STAT Scanner
o ISS's Internet Scanner
o GFI LANguard Scanner
o eEye's Retina Scanner
o Qualys's QualysGuard (subscription based)
o McAfee's Foundstone Foundscan (also subscription based)
Scanning 92
Nessus
Nessus --- the most popular free vulnerability scanning tool (Nessus 2.x; later versions are commercial, and OpenVAS is the open-source fork)
o Can write your own vulnerability checks, and lots of people have already done so
Nessus plug-ins
o More than 1,000 plug-ins in categories
Scanning 93
Nessus Plug-Ins
Categories of plug-ins are...
o Backdoors, CGI abuses, Cisco, Default UNIX accounts, DoS, Finger abuses, Firewalls, FTP, Gain shell remotely, Gain root remotely, General, Misc, Netware, NIS, P2P file sharing, Remote file access, RPC, SMTP, SNMP, Windows, Useless services
Each category: 2 to 100s of vulnerabilities
Scanning 94
Nessus Architecture
Client-server architecture
o Client-server authentication, encryption, etc.
Scanning 95
Nessus
Attacker selects...
o Plug-ins, target system, port range/type of scanning, port for Nessus client-server communication, encryption alg, email address for report
Attacker can also write scripts (in NASL, the Nessus Attack Scripting Language)
Scanning 96
Nessus Report
Nessus report format (figure)
Other tools make the Nessus report more readable and informative
Scanning 97
Vulnerability Scan Defenses
Close unused ports
Install latest patches
Run tools against your network
o Be careful of DoS...
Scanning 98
Nessus DoS Options (figure)
Some plug-ins are risky (may crash the target), some not
Password-guessing plug-ins could also be a problem (e.g., triggering account lockouts)
Scanning 99
Limitations of Vulnerability Scanning
Tools only detect known vulnerabilities
Tools don't understand network architecture
o Attacker might
Only gives a snapshot in time
o Environment is dynamic
Scanning 100
IDS (and IPS)
Scanning tools are noisy
Port scan may use 10,000s of packets
Vulnerability scan may send 100,000s or millions of packets
IDS likely to notice such activity
Attacker must try to evade IDS
Scanning 101
IDS Mostly signature based
Scanning 102
IDS Evasion
To avoid signature detection...
Change traffic
o Change packet structure or syntax, so the signature's byte pattern never appears in the traffic as the IDS sees it
Change the context
o IDS might not know full context (e.g., how the target reassembles or interprets the data)
Scanning 103
IDS Evasion at Network Level
Fragments create problems for IDS
Must reassemble fragments
Attacker could...
o Use fragments --- IDS may not handle it
o Fragment flood --- overwhelm IDS
o Fragment in unusual ways --- to exploit weakness in IDS handling of fragments
Scanning 104
Fragmentation
Tiny fragments (so small that the TCP header itself is split across fragments)
o Not too effective vs modern IDS
Scanning 105
Fragmentation
Fragment overlap
o Handled differently by different OSs (some keep the first copy of an overlapping byte, some the last)...
o ...which makes the IDS's job more difficult: it must reassemble the way the target host does
Scanning 106
FragRouter and FragRoute
FragRouter --- fragmentation tool
Options include
o Various sized fragments
o Various overlapping schemes
Separates fragmentation from the attack: it sits between the attack tool and the target and fragments whatever passes through
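Fragment overlap and reassembly policy, as an added Python example that is not from the slides or FragRoute: one reassembler with a "first" and a "last" policy, and a check for the IDS/host mismatch the overlap slide describes. Offsets are byte offsets into the reassembled payload; the constructed fragments keep to the 8-byte alignment real IP fragments need. The fragments and the signature string are constructed.

```python
SIGNATURE = b"/cgi-bin/phf"


def reassemble(fragments, policy):
    """fragments: list of (offset, payload) in arrival order.
    policy 'first': keep the first copy of each overlapping byte;
    policy 'last': later fragments overwrite earlier ones.
    Which policy an OS uses varies, which is the whole problem for an IDS."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = [False] * total
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = True
    if not all(filled):
        raise ValueError("hole in reassembled datagram")
    return bytes(buf)


# Constructed attack: fragments 2 and 3 both cover bytes 8..23. Whichever copy the
# reassembler keeps decides which request the datagram turns out to contain.
EVASIVE_FRAGMENTS = [
    (0, b"GET /cgi"),
    (8, b"-stats.h HTTP/1."),   # what a 'first'-policy reassembler keeps
    (8, b"-bin/phf HTTP/1."),   # what a 'last'-policy reassembler keeps
    (24, b"0\r\n"),
]


def ids_alert(fragments, ids_policy):
    """Network IDS verdict: does its own reassembly contain the signature?"""
    return SIGNATURE in reassemble(fragments, ids_policy)


def evasion_succeeds(fragments, ids_policy, host_policy):
    """True when the host sees the attack but the IDS, using another policy, does not."""
    host_hit = SIGNATURE in reassemble(fragments, host_policy)
    return host_hit and not ids_alert(fragments, ids_policy)
```

An IDS that favours the first copy reassembles a harmless request for /cgi-stats.h while a host that favours the last copy executes /cgi-bin/phf; when both sides use the same policy the alert fires. The fix on the IDS side is target-based reassembly, i.e. knowing which policy each protected host uses.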
Scanning 107
IDS Evasion at App Level
Nikto --- CGI scanner (with IDS evasion)
CGI scripts run on server, activated by user on the network
Large number of CGI scripts vulnerable
Nessus does some CGI scanning
Nikto much more sophisticated
o For attacks, makes subtle changes in HTTP to evade signature detection
Scanning 108
Nikto
IDS evasion strategies
o Hex equivalents of characters
o "Change" to current directory (/./ in the path)
o URL does not include CGI script info (instead, placed in HTTP header)
o Long (nonexistent but ignored) directory name, followed by /../
o Fake parameter(s)
o TAB separations (instead of spaces)
o Case
o Windows delimiters (backslash)
o NULL method
o Session splicing (separate TCP packets, not fragments)
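The Nikto evasions above against an anchored signature, beside a detector that normalizes the request target before matching, as an added Python example (not Nikto's code). The request lines, the signature and the normalization steps are constructed for the demo; session splicing is a transport-layer reassembly issue and is not modelled here.

```python
import posixpath
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"


def anchored_match(request_line):
    """Naive IDS rule: split on a single space and compare the URL exactly."""
    parts = request_line.split(" ")
    return len(parts) >= 2 and parts[1] == SIGNATURE


def normalize_target(request_line):
    """Undo the transformations the web server itself will undo, then compare."""
    parts = request_line.split()          # any whitespace, so TABs count as separators
    if len(parts) < 2:
        return ""
    target = parts[1].split("?", 1)[0]    # fake parameters do not change the script
    target = target.replace("\\", "/")    # Windows delimiters
    previous = None
    while previous != target:             # repeated percent-decoding (handles %25xx too)
        previous, target = target, unquote(target)
    target = posixpath.normpath(target)   # collapses /./ and dir/../ segments
    return target.lower()                 # right for IIS targets; a false-positive
                                          # risk against case-sensitive servers


def normalized_match(request_line):
    return normalize_target(request_line) == SIGNATURE


# Constructed request lines: the plain attack and Nikto-style disguises of it.
EVASIONS = {
    "plain":      "GET /cgi-bin/phf HTTP/1.0",
    "hex":        "GET /cgi%2Dbin/%70hf HTTP/1.0",
    "double-hex": "GET /cgi%252Dbin/phf HTTP/1.0",
    "self-ref":   "GET /./cgi-bin/./phf HTTP/1.0",
    "long-dir":   "GET /" + "a" * 200 + "/../cgi-bin/phf HTTP/1.0",
    "fake-param": "GET /cgi-bin/phf?Qalias=x HTTP/1.0",
    "tab":        "GET\t/cgi-bin/phf\tHTTP/1.0",
    "case":       "GET /CGI-BIN/PHF HTTP/1.0",
    "backslash":  "GET \\cgi-bin\\phf HTTP/1.0",
}
BENIGN = "GET /cgi-bin/status?x=1 HTTP/1.0"


def evaluate():
    """For each request line: (anchored rule fires, normalized rule fires)."""
    return {name: (anchored_match(line), normalized_match(line))
            for name, line in EVASIONS.items()}
```

Only the plain request trips the anchored rule; every disguise slips past it and every one is caught once the target is normalized, while the benign request triggers neither. The general lesson is that the IDS has to canonicalize the way the server does, which is why the defense slide recommends a host-based sensor that sees the request after the server has interpreted it.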
Scanning 109
IDS Evasion Defenses
Use IDS, regardless of attacks
Keep signatures up to date
Use host-based & network-based IDS
o For example, fragmentation attack easier to detect with host-based defense (the host sees the data after its own reassembly)
Scanning 110
Conclusion
Scanning 111
Summary