Phase 2: Scanning
• Detecting information useful for break-in
– Live machines
– Network topology
– Firewall configuration
– Applications and OS types
– Vulnerabilities

Network Mapping
• Finding live hosts
– Ping sweep
– TCP SYN sweep
• Map network topology
– Traceroute
  • Sends out ICMP or UDP packets with increasing TTL
  • Gets back ICMP_TIME_EXCEEDED message from intermediate routers

Traceroute
[Figure: host A probes victim.com through routers R1, R2 and R3 toward the servers www, db and mail]
1. ICMP_ECHO to www.victim.com, TTL=1
1a. ICMP_TIME_EXCEEDED from R1
A: R1 is my first hop to www.victim.com!
2. ICMP_ECHO to www.victim.com, TTL=2
2a. ICMP_TIME_EXCEEDED from R2
A: R1-R2 is my path to www.victim.com!
3. ICMP_ECHO to www.victim.com, TTL=3
3a. ICMP_TIME_EXCEEDED from R3
A: R1-R2-R3 is my path to www.victim.com!
4. ICMP_ECHO to www.victim.com, TTL=4
4a. ICMP_REPLY from www.victim.com
A: R1-R2-R3-www is my path to www.victim.com
Repeat for db and mail servers
A: R1-R2-R3-www is my path to www.victim.com
   R1-R2-R3-db is my path to db.victim.com
   R1-R2-R3-mail is my path to mail.victim.com
→ Victim network is a star with R3 at the center

Network Mapping Tools
• Cheops
– Linux application
– http://cheops-ng.sourceforge.net/
– Automatically performs ping sweep and network mapping and displays results in GUI
Dangerous*

Defenses Against Network Mapping And Scanning
• Filter out outgoing ICMP traffic
– Maybe allow for your ISP only
• Use Network Address Translation (NAT)
[Figure: NAT box with public address 1.2.3.4 in front of internal hosts A, B, C and D on 192.168.0.0/16; request leaves as 1.2.3.4 toward 8.9.10.11, reply comes back to 1.2.3.4]

How NATs Work
• For internal hosts to go out
– B sends traffic to www.google.com
– NAT modifies the IP header of this traffic
  • Source IP: B → NAT
  • Source port: B's chosen port Y → random port X
– NAT remembers that whatever comes for it on port X should go to B on port Y
– Google replies, NAT modifies the IP header
  • Destination IP: NAT → B
  • Destination port: X → Y

How NATs Work
• For public services offered by internal hosts
– You advertise your web server A at NAT's address (1.2.3.4 and port 80)
– NAT remembers that whatever comes for it on port 80 should go to A on port 80
– External clients send traffic to 1.2.3.4:80
– NAT modifies the IP header of this traffic
  • Destination IP: NAT → A
  • Destination port: NAT's port 80 → A's service port 80
– A replies, NAT modifies the IP header
  • Source IP: A → NAT
  • Source port: 80 → 80

How NATs Work
• What if you have another Web server C
– You advertise your web server C at NAT's address (1.2.3.4 and port 55)
  • Not a standard Web server port, so clients must know to talk to a different port
– NAT remembers that whatever comes for it on port 55 should go to C on port 80
– External clients send traffic to 1.2.3.4:55
– NAT modifies the IP header of this traffic
  • Destination IP: NAT → C
  • Destination port: NAT's port 55 → C's service port 80
– C replies, NAT modifies the IP header
  • Source IP: C → NAT, source port: 80 → 55

Port Scanning
• Finding applications that listen on ports
• Send various packets:
– Establish and tear down TCP connection
– Half-open and tear down TCP connection
– Send invalid TCP packets: FIN, Null, Xmas scan
– Send TCP ACK packets – find firewall holes
– Obscure the source – FTP bounce scans
– UDP scans
– Find RPC applications
Dangerous*

Port Scanning
• Set source port and address
– To allow packets to pass through the firewall
– To hide your source address
• Use TCP fingerprinting to find out OS type
– TCP standard does not specify how to handle invalid packets
– Implementations differ a lot

Port Scanning Tools
• Nmap
– Unix and Windows NT application and GUI
– http://nmap.org/
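The traceroute walkthrough above (probes with TTL=1, 2, 3, ... and ICMP_TIME_EXCEEDED replies from each router, then the star-topology conclusion) and the "filter out outgoing ICMP traffic" defense, as an added simulation that is not part of the original slides. The topology table, host names and the `icmp_filter` parameter are this example's own constructions, chosen to match the slide's figure (A, R1, R2, R3, www, db, mail).

```python
# Added example, not from the original slides: simulate traceroute's TTL
# probing over a constructed model of the victim.com network, infer the
# topology from the per-destination paths, and show what the prober sees
# once the victim drops outgoing ICMP at its perimeter.

# Constructed static routing: NEXT_HOP[node][destination] -> next node.
NEXT_HOP = {
    "A":  {"www": "R1", "db": "R1", "mail": "R1"},
    "R1": {"www": "R2", "db": "R2", "mail": "R2"},
    "R2": {"www": "R3", "db": "R3", "mail": "R3"},
    "R3": {"www": "www", "db": "db", "mail": "mail"},
}


def send_probe(src, dst, ttl, icmp_filter=frozenset()):
    """Forward one ICMP_ECHO from src toward dst, decrementing TTL per hop.

    A router whose decrement brings TTL to 0 answers ICMP_TIME_EXCEEDED; the
    destination answers ICMP_REPLY. icmp_filter (assumed) is the set of nodes
    whose outgoing ICMP is dropped, in which case the prober gets None back.
    """
    node = src
    while node != dst:
        node = NEXT_HOP[node][dst]
        ttl -= 1
        if ttl == 0 and node != dst:
            return None if node in icmp_filter else ("ICMP_TIME_EXCEEDED", node)
    return None if dst in icmp_filter else ("ICMP_REPLY", dst)


def traceroute(src, dst, max_ttl=30, icmp_filter=frozenset()):
    """Probe with TTL=1,2,... until the destination itself replies.

    Returns the discovered hops (excluding src); silent hops are recorded as
    "*" and the trace gives up after three consecutive silent hops.
    """
    path = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(src, dst, ttl, icmp_filter)
        if reply is None:
            path.append("*")
            if path[-3:] == ["*", "*", "*"]:
                break
            continue
        kind, node = reply
        path.append(node)
        if kind == "ICMP_REPLY":
            break
    return path


def infer_star_center(paths):
    """Return the last router shared by every complete path (the star's hub),
    or None if any trace failed to reach its destination."""
    for dst, path in paths.items():
        if not path or path[-1] != dst:
            return None
    router_prefixes = [p[:-1] for p in paths.values()]
    common = []
    for hops in zip(*router_prefixes):
        if len(set(hops)) != 1:
            break
        common.append(hops[0])
    return common[-1] if common else None


def map_victim_network(icmp_filter=frozenset()):
    """Trace to each server from A and infer the topology, as on the slide."""
    paths = {s: traceroute("A", s, icmp_filter=icmp_filter) for s in ("www", "db", "mail")}
    return paths, infer_star_center(paths)


if __name__ == "__main__":
    for label, flt in (("no filtering", frozenset()),
                       ("outgoing ICMP dropped at R3 and servers", {"R3", "www", "db", "mail"})):
        paths, hub = map_victim_network(flt)
        print(f"--- {label} ---")
        for dst, path in paths.items():
            print(f"{dst}.victim.com: A -> " + " -> ".join(path))
        print("inferred star center:", hub)
```

With no filtering the three traces all read R1-R2-R3-server, so the hub is R3; with outgoing ICMP dropped past R2 the prober sees only R1-R2 followed by silent hops and cannot place the servers or the central router. The same filter also silences the servers' own echo replies, which is why the slide suggests allowing ICMP only toward your ISP.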
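The three "How NATs Work" slides, as an added model that is not part of the original slides: outbound traffic from B gets the NAT's public address and a remembered random port, the reply is rewritten back, and static mappings publish A at 1.2.3.4:80 and C at 1.2.3.4:55. The `Packet` and `NAT` classes, the internal addresses of A, B and C, and the external client address are this example's own assumptions; 1.2.3.4, 192.168.0.0/16 and 8.9.10.11 come from the slide's figure.

```python
# Added example, not from the original slides: a minimal NAT translation
# table covering both directions described on the "How NATs Work" slides.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields the NAT rewrites (assumed minimal model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NAT:
    def __init__(self, public_ip, port_range=(1024, 65535), seed=None):
        self.public_ip = public_ip
        self.port_range = port_range
        self.rng = random.Random(seed)
        self.to_internal = {}   # public port -> (internal ip, internal port)
        self.to_public = {}     # (internal ip, internal port) -> public port

    def publish(self, public_port, internal_ip, internal_port):
        """Remember: whatever arrives on public_port goes to internal_ip:internal_port."""
        if public_port in self.to_internal:
            raise ValueError(f"public port {public_port} already mapped")
        self.to_internal[public_port] = (internal_ip, internal_port)
        self.to_public[(internal_ip, internal_port)] = public_port

    def _fresh_port(self):
        """Random port X not already mapped (the slide's 'random port X')."""
        while True:
            port = self.rng.randint(*self.port_range)
            if port not in self.to_internal:
                return port

    def translate_outgoing(self, pkt):
        """Rewrite source IP/port of traffic leaving the internal network.

        A published server replying to a client reuses its advertised public
        port (A: 80 -> 80, C: 80 -> 55); a client such as B gets a fresh random
        port on first use, and the mapping is kept for the reply.
        """
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.to_public:
            self.publish(self._fresh_port(), *key)
        return Packet(self.public_ip, self.to_public[key], pkt.dst_ip, pkt.dst_port)

    def translate_incoming(self, pkt):
        """Rewrite destination of traffic arriving at the public address.

        Returns None when there is no mapping: unsolicited packets to unmapped
        ports (a ping sweep or port scan of the inside) have nowhere to go.
        """
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.to_internal:
            return None
        ip, port = self.to_internal[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)


def run_demo(seed=7):
    """Replay the slides' three scenarios; returns the translated packets."""
    A, B, C = "192.168.1.10", "192.168.1.11", "192.168.1.12"   # constructed
    nat = NAT("1.2.3.4", seed=seed)
    nat.publish(80, A, 80)   # web server A advertised at 1.2.3.4:80
    nat.publish(55, C, 80)   # second web server C advertised at 1.2.3.4:55
    # B browses www.google.com (8.9.10.11 on the slide) from its chosen port Y.
    out = nat.translate_outgoing(Packet(B, 40000, "8.9.10.11", 80))
    reply = nat.translate_incoming(Packet("8.9.10.11", 80, "1.2.3.4", out.src_port))
    # An external client (constructed 203.0.113.5) talks to C via port 55.
    to_c = nat.translate_incoming(Packet("203.0.113.5", 51515, "1.2.3.4", 55))
    from_c = nat.translate_outgoing(Packet(C, 80, "203.0.113.5", 51515))
    # Unsolicited probe of an unmapped port is dropped.
    probe = nat.translate_incoming(Packet("203.0.113.5", 51516, "1.2.3.4", 22))
    return {"out": out, "reply": reply, "to_c": to_c, "from_c": from_c, "probe": probe}


if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name}: {pkt}")
```

The `probe` case is why the slides list NAT among the defenses against mapping: from outside, only the public address and its explicitly published ports are reachable, so the 192.168.0.0/16 hosts cannot be enumerated directly.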
– Various scan types
– Adjustable timing
Dangerous*

Defenses Against Port Scanning
• Close all unused ports
• Remove all unnecessary services
• Filter out all unnecessary traffic
• Find openings before the attackers do
• Use smart filtering, based on client's IP

Firewalk: Determining Firewall Rules
• Find out firewall rules for new connections
• We don't care about target machine, just about packet types that can get through the firewall
– Find out distance to firewall using traceroute
– Ping arbitrary destination setting TTL=distance+1
– If you receive ICMP_TIME_EXCEEDED message, the ping went through

Defenses Against Firewalking
• Filter out outgoing ICMP traffic
• Use firewall proxies
– This defense works because a proxy recreates each packet including the TTL field

Vulnerability Scanning
• The attacker knows OS and applications installed on live hosts
– He can now find for each combination
  • Vulnerability exploits
  • Common configuration errors
  • Default configuration
• Vulnerability scanning tool uses a database of known vulnerabilities to generate packets
• Vulnerability scanning is also used for sysadmin

Vulnerability Scanning Tools
• SARA – http://www-arc.com/sara
• SAINT – http://www.saintcorporation.com
• Nessus – http://www.nessus.org
Dangerous*

Defenses Against Vulnerability Scanning
• Close your ports and keep systems patched
• Find your vulnerabilities before the attackers do

At The End Of Scanning Phase
• Attacker has a list of "live" IP addresses
• Open ports and applications at live machines
• Some information about OS type and version of live machines
• Some information about application versions at open ports
• Information about network topology
• Information about firewall configuration

Phase 3: Gaining Access
• Exploit vulnerabilities
– Exploits for a specific vulnerability can be downloaded from hacker sites
– Skilled hackers write new exploits

What is a vulnerability? What is an exploit?

Stack-Based Overflow Attacks
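The "Port Scanning" slides list the probe types (SYN, FIN, Null, Xmas, bare ACK) and the defenses ask you to find openings before the attackers do; the detection logic below, as an added example that is not part of the original slides, recognises those probes in connection records. The record format ("time src:port > dst:port flags"), the sample lines, the flag letters and the thresholds are all constructed for this example and are not the output of any real tool.

```python
# Added example, not from the original slides: flag-based and rate-based
# detection of the scan types on the "Port Scanning" slide, run over
# constructed connection records.
import re
from collections import defaultdict
from datetime import datetime

# Constructed record format: "HH:MM:SS.mmm src_ip:port > dst_ip:port FLAGS"
# Flag letters (assumed): S=SYN A=ACK F=FIN R=RST P=PSH U=URG, "." = none.
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+(?:\.\d+){3}):(\d+)\s*>\s*(\d+(?:\.\d+){3}):(\d+)\s+(\S+)$"
)

# Flag combinations no standard TCP stack sends as a first packet.
INVALID_FIRST_PACKETS = {"null_scan", "fin_scan", "xmas_scan"}


def classify_flags(flags):
    """Name the probe type by its flag set (slide: FIN, Null, Xmas, ACK scans)."""
    f = set(flags) - {"."}
    if not f:
        return "null_scan"
    if f == {"F"}:
        return "fin_scan"
    if f == {"F", "P", "U"}:
        return "xmas_scan"
    if f == {"A"}:
        return "ack_probe"
    if f == {"S"}:
        return "syn"
    return "other"


def parse_record(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, flags = m.groups()
    return {"time": datetime.strptime(ts, "%H:%M:%S.%f"), "src": src,
            "dst": dst, "dport": int(dport), "flags": flags}


def detect_scans(lines, port_threshold=10, window_seconds=5.0):
    """Return (alert_type, source_ip, detail) tuples.

    Invalid flag combinations are reported per packet. SYN and bare-ACK
    packets are counted per source; reaching port_threshold distinct
    (dst, port) targets inside window_seconds is reported as a sweep
    (an "ack_scan" when every probe was a bare ACK).
    """
    alerts = []
    probes = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        kind = classify_flags(rec["flags"])
        if kind in INVALID_FIRST_PACKETS:
            alerts.append((kind, rec["src"], f"{rec['dst']}:{rec['dport']} flags={rec['flags']}"))
        elif kind in ("syn", "ack_probe"):
            probes[rec["src"]].append((rec["time"], rec["dst"], rec["dport"], kind))
    for src, events in probes.items():
        events.sort()
        for i, (start, _, _, _) in enumerate(events):
            targets, kinds = set(), set()
            for t, dst, dport, kind in events[i:]:
                if (t - start).total_seconds() > window_seconds:
                    break
                targets.add((dst, dport))
                kinds.add(kind)
            if len(targets) >= port_threshold:
                name = "ack_scan" if kinds == {"ack_probe"} else "port_sweep"
                alerts.append((name, src, f"{len(targets)} distinct ports within {window_seconds}s"))
                break
    return alerts


# Constructed sample: a SYN sweep of 12 ports, one Xmas and one Null probe,
# and one ordinary HTTPS session that must not raise an alert.
SAMPLE_LOG = """
10:00:01.000 203.0.113.9:40001 > 192.0.2.10:21 S
10:00:01.100 203.0.113.9:40002 > 192.0.2.10:22 S
10:00:01.200 203.0.113.9:40003 > 192.0.2.10:23 S
10:00:01.300 203.0.113.9:40004 > 192.0.2.10:25 S
10:00:01.400 203.0.113.9:40005 > 192.0.2.10:53 S
10:00:01.500 203.0.113.9:40006 > 192.0.2.10:80 S
10:00:01.600 203.0.113.9:40007 > 192.0.2.10:110 S
10:00:01.700 203.0.113.9:40008 > 192.0.2.10:111 S
10:00:01.800 203.0.113.9:40009 > 192.0.2.10:135 S
10:00:01.900 203.0.113.9:40010 > 192.0.2.10:139 S
10:00:02.000 203.0.113.9:40011 > 192.0.2.10:143 S
10:00:02.100 203.0.113.9:40012 > 192.0.2.10:443 S
10:00:05.000 198.51.100.7:45000 > 192.0.2.10:80 FPU
10:00:05.100 198.51.100.7:45001 > 192.0.2.10:22 .
10:00:07.000 192.0.2.50:51000 > 192.0.2.10:443 S
10:00:07.020 192.0.2.50:51000 > 192.0.2.10:443 A
10:00:07.030 192.0.2.50:51000 > 192.0.2.10:443 PA
"""

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

Alerts of this kind are the input to the slide's "smart filtering, based on client's IP": a source flagged for a sweep or for invalid flag combinations can be rate-limited or blocked at the perimeter before it reaches the vulnerability-scanning stage.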