
Scanning
CS-480b
Dick Steflik

Outline: What Can We Scan For; Modems; Live Hosts; Mapping your network; Mapping (more); Port Scanning; Port Scanning (more); Windows Specific Services; Standard UNIX Services; Platform Neutral Services; UDP Scans; TCP Stack Fingerprinting; Defenses Against Port Scanning; Defenses (more); Determining Firewall Rules; Review; Vulnerability Scanning; Vulnerability Scanning Tools; Bunch of Vulnerability Scanners; Wi-Fi

What Can We Scan For
•Modems (and other telephone devices)
•Live Hosts
•TCP ports
•UDP ports
•Promiscuous NICs

Modems
•Repeatedly dial phone numbers looking for a modem to answer, or for other things
•War Dialers – used to find modems
 –ToneLoc – 1994 by Minor Threat & Mucho Maas
 –THC-Scan 2.0 – van Hauser, released by The Hacker's Choice
  •thc.inferno.tusclum.edu
  •Win9x, NT, W2000
  •100 lines/hour
 –TBA – L0pht (www.Lopht.com)
  •War dialing on a PALM
•Demon Dialers – once a modem is found, repeatedly dial it and guess passwords
•Other things
 –Free phone calls – if the phone answers and gives a dial tone you have dialed into a number that will let you dial another number; some companies do this so that roaming employees can dial into the company or into a company-owned 800 number

Live Hosts
•Try pinging (ICMP Echo request) all hosts on a particular subnet to see who replies
•No reply indicates the host is not live
 –or that incoming ICMP messages are blocked
•It's a good idea to block incoming ICMP messages at the firewall
•If there is no reply a hacker would try connecting to a commonly open port (TCP port 80) or sending a UDP packet to a commonly open port
•In Java (which doesn't do ICMP) send a ping using JNI to execute the ping command as an OS command-line command

Mapping your network
•Once the live hosts are known, a map of your network can be arrived at by determining how the hosts are connected together
•traceroute (unix/linux) / tracert (w2000)

  Microsoft(R) Windows NT(TM)
  (C) Copyright 1985-1996 Microsoft Corp.

  C:\users>tracert mail.binghamton.edu

  Tracing route to mail.binghamton.edu [128.226.1.18]
  over a maximum of 30 hops:

    1   <10 ms   <10 ms   <10 ms  128.226.121.1
    2   <10 ms   <10 ms   <10 ms  128.226.100.25
    3   <10 ms   <10 ms   <10 ms  bingnet2.cc.binghamton.edu [128.226.1.18]

  Trace complete.

Mapping (more)
•By doing repetitive traceroutes to the hosts discovered in the host scan, the network topology can be discovered
•Another way to do this is by using a mapping program like Cheops (www.marko.net/cheops)
 –runs on Linux and automates the process of inventorying a network
 –does operating system identification by using TCP Stack Fingerprinting

Port Scanning
•Once an attacker knows the topology of your network, the tedious task of identifying open ports and services begins
•TCP and UDP scans are fine if you are scanning your own network looking for vulnerabilities, but are too easily detectable for a hacker
•Nmap (www.insecure.org/Nmap)
 –most versions of Unix
 –ported to W/NT by eEye (www.eeye.com/html/Databases/Software/Nmapnt.html)
 –does many types of scans

Port Scanning (more)
•TCP Connect - completes the 3-way handshake
•TCP SYN - sends only the initial SYN and waits for SYN-ACK
•TCP FIN - sends a TCP FIN to each port; a reset indicates the port is closed; violates the protocol
•TCP Xmas Tree - sends a packet with FIN, URG, PUSH set; a reset indicates the port is closed, no response may mean the port is open. This actually violates the protocol; doesn't work on Windows machines as MS didn't follow the RFC
•NULL - sends a packet with no code bits set; a reset indicates the port is closed
•TCP ACK - sends a packet with the ACK bit set; helps determine a packet filter's rules
•Window - similar to the ACK scan but focuses on the TCP window size to determine if ports are open or closed

Port Scanning (more)
•FTP Bounce - bounces a TCP scan off of an FTP server to obscure the originator of the scan
•RPC Scanning - scans for Remote Procedure Call (RPC) services on the target machine; sends an RPC null command to determine if an RPC program is listening

Windows Specific Services
NetBIOS (TCP Ports 137, 138, 139) – used for Windows networking to connect clients to file and print servers. Should never be allowed through the Firewall except through an encrypted tunnel (as in a VPN).

RPC Locator (TCP Port 135) – used by Windows networking to locate network services that use the RPC protocol. Should never be allowed through the Firewall.

Terminal Services (TCP Port 3389) – gives the connecting user complete control over the host machine. Should never be allowed through the Firewall except through an encrypted tunnel (as in a VPN).

Standard UNIX Services
•Chargen (TCP and/or UDP Port 19)
•Daytime (TCP and/or UDP Port 13)
•Discard (TCP and/or UDP Port 9)
•Echo (TCP and/or UDP Port 7)
•Finger (TCP Port 79)
•NFS (TCP and/or UDP Port 2049)
•Quote (UDP Port 17)
•RPC (UDP Port 111)
•RSH (TCP Port 514)
•SSH (TCP Port 22)

Platform Neutral Services
•Telnet (TCP Port 23)
•TFTP (UDP Port 69)
•Bootp (UDP Port 67)
•DHCP (UDP Port 68)
•LDAP (TCP and/or UDP Port 389)
•SNMP (UDP Port 161)
•VNC (TCP Ports 5800+, 5900+)
•HTTP (TCP Port 80)
•HTTPS (TCP Port 443)

UDP Scans
•Because UDP is a much simpler protocol than TCP, it is inherently less reliable for scanning
•A UDP packet is sent to each UDP port
•If an ICMP "Port Unreachable" message is received, interpret the port as being closed
•Otherwise assume the port is open
•False positives are very common

TCP Stack Fingerprinting
•The TCP RFC defines how TCP should respond under normal conditions (no protocol violations) but not how to act in response to a protocol violation
•If you spend the time attempting a number of protocol violations and recording the responses, they will always be the same for specific operating systems/versions
•These responses can be treated as fingerprints and allow a hacker to determine what OS is being addressed
•Nmap maintains a rather complete database of known operating system fingerprints and can pretty reliably identify most major operating systems

Defenses Against Port Scanning
•Harden your systems
 –Make sure all OS patches are installed
 –Close all ports not needed
 –Delete all programs associated with closed ports
 –If you are comfortable managing your server via a command-line interface, remember to disable the GUI interface
  •Don't forget to delete the X Windows software
 –Remove all unneeded software from your server
  •A production web server shouldn't need software development software, so remove all of the
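The "Port Scanning" and "Defenses Against Port Scanning" slides describe what a scan looks like from the target's side: one source touching many ports in a short time, and probe packets (FIN alone, FIN+URG+PSH, no flags at all) that cannot begin a legitimate TCP connection. The following Python program, added here as an example and not part of the original slides, runs both checks over firewall log lines. The log format is a constructed, simplified key=value layout (loosely modelled on netfilter-style logging), and the sample addresses, thresholds and field names are assumptions for this example only.

```python
"""Detect port sweeps and handshake-violating probes in firewall log lines.

Added example; not from the original slides. The log format below is
constructed for this example (timestamp, then SRC/DST/PROTO/DPT/FLAGS
key=value fields); adapt parse_line() to your own firewall's format.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample: one normal client (198.51.100.7), one SYN sweep
# (203.0.113.9), one source sending Xmas/NULL/FIN probes (203.0.113.44),
# and a SYN,ACK reply from the server itself, which must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN
2024-05-01T10:00:04 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN
2024-05-01T10:00:09 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=SYN
2024-05-01T10:00:10 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=21 FLAGS=SYN
2024-05-01T10:00:10 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=SYN
2024-05-01T10:00:11 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23 FLAGS=SYN
2024-05-01T10:00:11 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25 FLAGS=SYN
2024-05-01T10:00:12 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=135 FLAGS=SYN
2024-05-01T10:00:12 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=139 FLAGS=SYN
2024-05-01T10:00:13 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=3389 FLAGS=SYN
2024-05-01T10:00:20 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=FIN,URG,PSH
2024-05-01T10:00:21 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=NONE
2024-05-01T10:00:22 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP DPT=25 FLAGS=FIN
2024-05-01T10:00:30 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=51234 FLAGS=SYN,ACK
"""


def parse_line(line: str) -> dict:
    """Turn one constructed log line into a record with typed fields."""
    ts_text, *fields = line.split()
    rec: dict = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["DPT"] = int(rec["DPT"])
    rec["FLAGS"] = frozenset() if rec["FLAGS"] == "NONE" else frozenset(rec["FLAGS"].split(","))
    return rec


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_handshake_violation(flags: frozenset) -> bool:
    """A new connection must start with a bare SYN. Any packet that carries
    no ACK and is not exactly SYN (FIN alone, FIN+URG+PSH "Xmas tree", no
    flags at all) cannot belong to a valid handshake: these are the stealth
    scan types from the slides, and the target's RFC-defined reaction to them
    is the only thing the scanner learns from."""
    if "ACK" in flags:
        return False
    return flags != {"SYN"}


def detect_scans(text: str, window_seconds: int = 10, port_threshold: int = 5) -> List[dict]:
    records = sorted(parse_log(text), key=lambda r: r["ts"])
    alerts: List[dict] = []

    # Rule 1: port sweep. One source reaching >= port_threshold distinct
    # ports on one host inside a sliding window of window_seconds.
    by_pair: Dict[tuple, List[dict]] = defaultdict(list)
    for rec in records:
        if rec["PROTO"] == "TCP":
            by_pair[(rec["SRC"], rec["DST"])].append(rec)
    for (src, dst), events in by_pair.items():
        start = 0
        for end in range(len(events)):
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window_ports = {e["DPT"] for e in events[start:end + 1]}
            if len(window_ports) >= port_threshold:
                alerts.append({"src": src, "dst": dst, "rule": "port_sweep",
                               "ports": sorted({e["DPT"] for e in events})})
                break  # one alert per source/destination pair

    # Rule 2: flag combinations that cannot start a legitimate connection.
    combos: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec["PROTO"] == "TCP" and is_handshake_violation(rec["FLAGS"]):
            combos[rec["SRC"]].add(",".join(sorted(rec["FLAGS"])) or "NONE")
    for src, seen in combos.items():
        alerts.append({"src": src, "rule": "handshake_violation", "flag_combos": sorted(seen)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The sweep rule catches TCP connect and SYN scans, which look like many ordinary connection attempts; the flag rule catches FIN, NULL and Xmas probes even when they touch only a few ports, because no real client ever sends them. A SYN scan against a single port, or a slow scan spread over hours, stays below the thresholds, which is why the slides also recommend closing unneeded ports rather than relying on detection alone.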
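"Close all ports not needed" on the defenses slide presupposes that you know which ports your server is listening on. The following Python program, added here as an example and not part of the original slides, reads the Linux kernel's TCP socket table (/proc/net/tcp, or a snapshot of it) and reports every listening socket whose port is not on an allowlist, distinguishing loopback-only listeners from ones bound on all interfaces. The snapshot embedded below is constructed for this example; the allowlist and the severity labels are assumptions.

```python
"""Audit listening TCP ports against an allowlist of intended services.

Added example; not from the original slides. Parses the /proc/net/tcp
table format (hex little-endian IPv4 address, hex port, hex state).
The embedded table is a constructed snapshot.
"""
import socket
import struct
from typing import List, Set

LISTEN_STATE = "0A"  # TCP_LISTEN as shown in the "st" column of /proc/net/tcp

# Constructed snapshot: sshd (22) and https (443) on all interfaces, telnet (23)
# on all interfaces, NetBIOS session service (139) on loopback only, plus one
# established sshd connection that is not a listener at all.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0A00020F:0016 0A000205:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 12349 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr: str):
    """'0100007F:008B' -> ('127.0.0.1', 139). The kernel prints the IPv4
    address as a little-endian 32-bit word, so unpack it that way."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table_text: str) -> List[dict]:
    """Return every socket in LISTEN state as {'ip': ..., 'port': ...}."""
    sockets = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        ip, port = decode_addr(fields[1])
        sockets.append({"ip": ip, "port": port})
    return sockets


def audit(table_text: str, allowed_ports: Set[int]) -> List[dict]:
    """Listeners not on the allowlist. A loopback-only listener is not
    reachable from the network, so it is reported at lower severity;
    anything bound elsewhere should be removed or firewalled."""
    findings = []
    for sock in listening_sockets(table_text):
        if sock["port"] in allowed_ports:
            continue
        severity = "info" if sock["ip"].startswith("127.") else "remove-or-firewall"
        findings.append({**sock, "severity": severity})
    return findings


def read_live_table(path: str = "/proc/net/tcp") -> str:
    """Read the real table on a Linux host (needs no special privileges)."""
    with open(path) as handle:
        return handle.read()


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROC_NET_TCP, {22, 443}):
        print(finding)
```

Run it against the live table with `audit(read_live_table(), {22, 443})` on a Linux host; /proc/net/tcp6 has the same layout with 128-bit addresses and would need a wider decoder. Each finding is a port the slides would have you close, and then, per the same slide, a program to remove.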
BU CS 455 - Scanning