3 - Scanning Networks

Question 1

What is scanning?

Answer 1

a set of procedures used for identifying hosts, ports, and services in a network.

Question 2

What are the objectives of scanning?

Answer 2

• Discover live hosts, IP addresses, and open ports of live hosts
• Discover OS and system architecture
• Discover services running on hosts
• Discover vulnerabilities in live hosts

Question 3

What are the Types of Scanning?

Answer 3

• Port Scanning
  
  • Involves connecting to or probing TCP and UDP ports on the target system to determine if the services are running or are in a listening state.
• Network Scanning
  
  • Lists IP addresses
  • A procedure for identifying active hosts on a network, either to attack them or to assess the security of the network.
• Vulnerability Scanning
  
  • A method used to check whether a system is exploitable
  • A vulnerability scanner consists of scanning engine and catalog
  • The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers

Question 4

What are the TCP Communication Flags?

Answer 4

• SYN
  
  • Synchronize
  • Notifies transmission of a new sequence number
  • Establishes connection
• ACK
  
  • Acknowledgement
  • Confirms receipt of transmission and identifies next expected sequence number
• PSH
  
  • Push
  • The system raises the PSH flag at the time of start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
• URG
  
  • Urgent
  • Instructs the system to process the data contained in packets as soon as possible
• FIN
  
  • Finish
  • Announces that it will not send more transmissions to the remote system and terminates the connection established by the SYN flag
• RST
  
  • Reset
  • Aborts connection

Question 5

What is a TCP/IP Connection?

Answer 5

• TCP is connection-oriented which prioritizes connection establishment before data transfer between applications
• TCP initiates a 3-way handshake:
  
  • Source sends SYN to Dest
  • Dest responds with SYN/ACK to source
  • Source sends ACK to Dest

Question 6

What is involved in Scanning IPv6 Networks?

Answer 6

• IPv6 increases the size of IP address space from 32 bits to 128 bits to support more levels of addressing hierarchy
• Scanning in IPv6 is more complex due to size
• A number of scanning tools do not support ping sweeps on IPv6 networks.
• Attackers need to harvest the IP addresses from various sources
• Once an attacker is able to compromise one host in the subnet, he or she can probe the “all hosts” and link local multicast address

Question 7

What are some Scanning Techniques?

Answer 7

• ICMP Scanning - Checking for Live Systems
  
  • Ping scan involves sending ICMP ECHO requests to a host
  • If host is alive, it will return an ICMP ECHO reply.
  • Useful for locating active devices or determining if the ICMP is passing through a FW
• Ping Sweep - Checking for Live Systems
  
  • Used to determine the live hosts in an IP range by sending ICMP ECHO requests to multiple hosts.
  • If host is alive it will return an ICMP ECHO reply
  • Ping sweep is used to create an inventory of live systems in the subnet.
• ICMP Echo Scanning:
  
  • Pings all machines in the target network to discover live machines
  • Attackers send ICMO probes to the broadcast or network address which relays to all the host addresses in the subnet
  • Windows based networks do not answer to probes in broadcast address.
• TCP Connect/Full Open Scan:
  
  • Detects when a port is open after completing the 3-way handshake
  • This scan establishes a full connection and tears it down by sending an RST packet.
• Stealth Scan (Half-Open/SYN Scan):
  
  • Involves resetting the TCP connection between the client and server abruptly before completion of 3-way handshake signals
  • Attackers use stealth scanning techniques to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic.
• Inverse TCP Flag Scanning:
  
  • Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags
  • No flag set is Null Scanning
  • FIN, URG, PSH are called XMAS scans
  • No response implies that the port is open while RST means that the port is closed.
  • This generally doesn’t apply to Windows systems
  • Needs SU privileges
• Xmas Scanning:
  
  • Attackers send a TCP frame to a remote device with FIN, URG, and PUSH flags set
  • Does not work against Windows systems
• ACK Flag Probe Scanning:
  
  • Attackers send TCP probe packets with ACK flag to remote device and then analyzes header of received RST packet to find out if the port is open or closed
  • If TTL value of RST packet on a port is less than boundary value of 64, then port is open.
  • If Window value of RST packet on a port is a non-zero value, then port is open.
  • Can also be used to check the filtering system of target
  • Attackers send an ACK probe packet with random sequence number, no response implies that the port is filtered (stateful firewall is present) and RST response means port is not filtered
• IDLE/IPID Header Scan:
  
  • Every IP packet on the Internet has a fragment ID number (IPID).
  • OS increases the IPID for each packet sent, thus, probing an IPID gives an attacker the number of packets sent after the last probe.
  • A machine that receives an unsolicited SYN/ACK packet will respond with an RST.
  • An unsolicited RST will be ignored.
  • Requires using a zombie computer to interact with host.
• UDP Scanning:
  
  • No 3-way handshake
  • Remote system does not respond when port is open.
  • Remote system will respond with “ICMP port unreachable message” if port is closed.
  • Spywares and Trojan horses use UDP ports
  • Works with Windows devices
  • Requires root privs
• SSDP and List Scanning:
  
  • Simple Service Discovery Protocol (SSDP) is a network protocol that works in conjunction with the UPnP to detect plug and play devices.
  • Vulns in UPnP may allow attackers to launch Buffer Overflow or DoS attacks.
  • Attackers may use UPnP SSDP M-SEARCH info discovery tool to check if the machine is vulnerable to UPnP exploits
  • List Scanning:
  • This type of scan simply generates and prints a list of IPs/Names without actually pinging them
  • A reverse DNS resolution is carried out to identify host names

Question 8

What are some Port Scanning Countermeasures?

Answer 8

• Configure FW and IDS rules to detect and block probes
• Run port scanning tools against hosts on the network to determine whether the FW properly detects the port scanning activity
• Ensure the mechanism for routing and filtering at the routers and FW’s cannot be bypassed by using particular ports or methods.
• Ensure that the router, IDS, and firewall firmware are updated to their latest releases/version.
• Use a custom rule set to lock down the network and block unwanted ports at the firewall.
• Filter all ICMP messages (inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and others.
• Perform TCP and UDP scanning along with ICMP probes against your org’s IP address space to check the network config and it’s available ports.
• Ensure that the ant-scanning and anti-spoofing rules are properly configured.

Question 9

What are some IDS/Firewall Evasion Techniques?

Answer 9

• Packet Fragmentation:
  
  • Sending fragmented probe packets to the intended server which re-assembles after receiving all the fragments
  • Refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network
• Source Routing:
  
  • Specifying the routing path for the malformed packet to reach the intended server
  • As the packet travels through the nodes in the network, each router examines the destination IP and chooses the next hop.
  • Source Routing refers to where the originator of packet decides the route the packet must take.
• IP Address Decoy:
  
  • Generating or manually specifying IP addresses of the decoys so that the IDS/FW cannot determine the actual IP address.
  • Refers to generating or manually specifying IP addresses of the decoys in order to evade IDS/FW.
  • It appears to the target that the decoys as well as the host(s) are scanning the network.
• IP Address Spoofing:
  
  • Changing source IP addresses so that the packet appears to be from someone else.
  • Refers to changing the source IP address so that the attack appears to be coming from someone else.
• Proxy Server:
  
  • Using chain of proxy servers to hide the actual source of a scan and evade certain IDS/FW restrictions.
  • A Proxy Server is an application that can serve as an intermediary for connecting with other computers.Used for:
  • Proxy Chaining:
    
    • The larger the number of proxy servers used, the greater the attacker’s anonymity
• Anonymizers:
• Removes all the identifying info form the user’s computer while the user surfs the internet
• Makes activity untraceable
• Allows you to bypass internet censors
  
  • Types:
    
    • Networked Anonymizers:
      
      • Passes your info through a network of Internet connected computers before passing it to the website
      • Makes traffic analyzing very difficult
    • Single Point Anonymizers:
      
      • Transfers your info through a website before sending it to the target website and vice versa

Question 10

What are some IP Spoofing Detection Techniques?

Answer 10

• Direct TTL Probes:
  
  • Send packet to suspected host that triggers a reply and compare the TTL value to see if it is the same as initial received packet.
  • This is useful when the attacker is in a different subnet from that of the victim.
• IP Identification Number:
  
  • Send packet to suspected host that triggers a reply and compare the IP ID with suspect traffic.
  • If IPID’s are not close in value to the packet being checked, suspect traffic is spoofed.
• TCP Flow Control Method:
  
  • Attackers sending spoofed TCP packets will not receive the targets SYN-ACK packets
  • Therefore attackers cannot be responsive to change in the congestion window size
  • So if traffic continues after a window size is exhausted, most probably packets are spoofed.

Question 11

What is Banner Grabbing (OS Fingerprinting)?

Answer 11

• The method used to determine the OS running on a remote target system
• This allows attacker to figure out weaknesses for the target system
• Active:
  
  • Specially crafted packets are sent to target and responses are noted
  • Responses are compared to DB that have previous OS repsonses
• Passive:
  
  • Banner grabbing from error messages (error messages have useful info)
  • Sniffing the network traffic
  • Banner Grabbing from page extensions
  • This may assist in determining application version and OS

Question 12

What is an ARP Ping Scan and UDP Ping Scan?

Answer 12

• ARP Ping Scan: Attackers send ARP request probes to target hosts, and an ARP response indicates that the host is active
• UDP Ping Scan: Attackers send UDP packets to target hosts, and a UDP response indicates that the host is active.

Question 13

What are some Ping sweep countermeasures?

Answer 13

• Configure firewalls
• Use IDS
• Evaluate the type of ICMP traffic
• Cut off connections with any host that performs more than 10ICMP ECHO requests
• Use DMZ’s
• Limit ICMP traffic

Question 14

What are some host discovery techniques?

Answer 14

• ICMP Timestamp and Address Mask Ping Scan: Query a timestamp message to acquire the information related to the current time from the target host machine.
• TCP SYN Ping Scan: Send empty TCP SYN packets to a target host and an ACK response means that the host is active.
• TCP ACK Ping Scan: Send empty TCP ACK packets to a target host, and an RST response means that the host is active.
• IP Protocol Ping Scan: Send various probe packets to the target host using different IP protocols and any response from any probe indicates that a host is active.

Question 15

What is the TCP Maimon scan?

Answer 15

Send FIN/ACK probes, and if no response, then the port is Open | Filtered, but if RST packet is sent in response, then the port is closed.

Question 16

What is the SCTP INIT scanning?

Answer 16

Send an INIT chunk to the target host, and an INIT+ACK chunk response implies open port, whereas an ABORT Chunk response means that the port is closed. No response means port is filtered.

Question 17

What is SCTP Cookie ECHO Scanning?

Answer 17

Send cookie ECHO chunk to host, and no response implies that the port is open, whereas an ABORT chunk means that the port is closed. Not blocked by non-stateful firewall rulesets.

Question 18

What is Service Version Discovery?

Answer 18

Helps attackers to obtain info about the running services and their versions on a target system.

• Flag: -sV

Question 19

What are some NMAP scan time reduction techniques?

Answer 19

• Omit Non-critical tests
• Optimize timing parameters
• Separate and optimize UDP scans
• Upgrade Nmap
• Execute concurrent NMAP instances
• Scan from a favorable network location
• Increase available bandwidth and CPU time

Question 20

What is the TTL for OS’s?

Answer 20

• Windows: 128
• Linux: 64

Question 21

What is Source Port Manipulation?

Answer 21

Manipulating actual port numbers with common port numbers in order to evade an IDS or firewall. Occurs when a FW allows common port numbers.

Question 22

What are some ways to create custom packets?

Answer 22

• Using Packet Crafting Tools
• Appending Custom Binary Data: Send binary data as payloads
• Appending Custom String: Send a regular string as payloads
• Appending Random Data: Append a number of random data bytes to most of the packets without protocol-specific payloads.

Question 23

What is Randomized Host Order and Sending Bad Checksums consist of?

Answer 23

• Randomized Host Order: scan the number of hosts in target network in random order to scan an intended target that is behind a firewall.
• Sending Bad Checksums: Sends packets with bad or bogus TCP/UPD checksums to the intended target to avoid certain FW rulesets.