3 - Scanning Networks Flashcards
What is scanning?
A set of procedures used for identifying hosts, ports, and services in a network.
What are the objectives of scanning?
- Discover live hosts, IP addresses, and open ports of live hosts
- Discover OS and system architecture
- Discover services running on hosts
- Discover vulnerabilities in live hosts
What are the Types of Scanning?
- Port Scanning
  - Involves connecting to or probing TCP and UDP ports on the target system to determine if services are running or are in a listening state.
- Network Scanning
  - Lists IP addresses
  - A procedure for identifying active hosts on a network, either to attack them or to assess the security of the network.
- Vulnerability Scanning
  - A method used to check whether a system is exploitable
  - A vulnerability scanner consists of a scanning engine and a catalog
  - The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers
What are the TCP Communication Flags?
- SYN
  - Synchronize
  - Notifies transmission of a new sequence number
  - Establishes connection
- ACK
  - Acknowledgement
  - Confirms receipt of transmission and identifies the next expected sequence number
- PSH
  - Push
  - The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
- URG
  - Urgent
  - Instructs the system to process the data contained in packets as soon as possible
- FIN
  - Finish
  - Announces that the sender will not send more transmissions to the remote system and terminates the connection established by the SYN flag
- RST
  - Reset
  - Aborts connection
What is a TCP/IP Connection?
- TCP is connection-oriented: a connection is established before any data is transferred between applications
- TCP initiates a 3-way handshake:
  - Source sends SYN to Dest
  - Dest responds with SYN/ACK to Source
  - Source sends ACK to Dest
What is involved in Scanning IPv6 Networks?
- IPv6 increases the size of the IP address space from 32 bits to 128 bits to support more levels of addressing hierarchy
- Scanning in IPv6 is more complex due to the size of the address space
- A number of scanning tools do not support ping sweeps on IPv6 networks.
- Attackers need to harvest IP addresses from various sources
- Once an attacker is able to compromise one host in the subnet, he or she can probe the “all hosts” and link-local multicast addresses
What are some Scanning Techniques?
- ICMP Scanning - Checking for Live Systems
  - A ping scan involves sending ICMP ECHO requests to a host
  - If the host is alive, it will return an ICMP ECHO reply.
  - Useful for locating active devices or determining if ICMP is passing through a FW
- Ping Sweep - Checking for Live Systems
  - Used to determine the live hosts in an IP range by sending ICMP ECHO requests to multiple hosts.
  - If a host is alive it will return an ICMP ECHO reply
  - A ping sweep is used to create an inventory of live systems in the subnet.
- ICMP Echo Scanning:
  - Pings all machines in the target network to discover live machines
  - Attackers send ICMP probes to the broadcast or network address, which relays them to all the host addresses in the subnet
  - Windows-based networks do not answer probes sent to the broadcast address.
- TCP Connect/Full Open Scan:
  - Detects that a port is open after completing the 3-way handshake
  - This scan establishes a full connection and tears it down by sending an RST packet.
- Stealth Scan (Half-Open/SYN Scan):
  - Involves resetting the TCP connection between the client and server abruptly before the 3-way handshake completes
  - Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to disguise the scan as normal network traffic.
- Inverse TCP Flag Scanning:
  - Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags
  - No flag set is Null Scanning
  - FIN, URG, and PSH set together is called an XMAS scan
  - No response implies that the port is open, while RST means that the port is closed.
  - This generally doesn’t apply to Windows systems
  - Needs SU privileges
- Xmas Scanning:
  - Attackers send a TCP frame to a remote device with the FIN, URG, and PSH flags set
  - Does not work against Windows systems
- ACK Flag Probe Scanning:
  - Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header of the received RST packet to find out if the port is open or closed
  - If the TTL value of the RST packet on a port is less than the boundary value of 64, then the port is open.
  - If the Window value of the RST packet on a port is non-zero, then the port is open.
  - Can also be used to check the filtering system of the target
  - Attackers send an ACK probe packet with a random sequence number; no response implies that the port is filtered (a stateful firewall is present) and an RST response means the port is not filtered
- IDLE/IPID Header Scan:
  - Every IP packet on the Internet has a fragment ID number (IPID).
  - The OS increases the IPID for each packet sent; thus, probing an IPID gives an attacker the number of packets sent since the last probe.
  - A machine that receives an unsolicited SYN/ACK packet will respond with an RST.
  - An unsolicited RST will be ignored.
  - Requires using a zombie computer to interact with the host.
- UDP Scanning:
  - No 3-way handshake
  - Remote system does not respond when the port is open.
  - Remote system will respond with an “ICMP port unreachable” message if the port is closed.
  - Spyware and Trojan horses use UDP ports
  - Works with Windows devices
  - Requires root privs
- SSDP and List Scanning:
  - Simple Service Discovery Protocol (SSDP) is a network protocol that works in conjunction with UPnP to detect plug and play devices.
  - Vulnerabilities in UPnP may allow attackers to launch Buffer Overflow or DoS attacks.
  - Attackers may use the UPnP SSDP M-SEARCH information discovery tool to check if the machine is vulnerable to UPnP exploits
  - List Scanning:
    - This type of scan simply generates and prints a list of IPs/names without actually pinging them
    - A reverse DNS resolution is carried out to identify host names
What are some Port Scanning Countermeasures?
- Configure FW and IDS rules to detect and block probes
- Run port scanning tools against hosts on the network to determine whether the FW properly detects the port scanning activity
- Ensure the mechanism for routing and filtering at the routers and FWs cannot be bypassed by using particular ports or methods.
- Ensure that the router, IDS, and firewall firmware are updated to their latest releases/versions.
- Use a custom rule set to lock down the network and block unwanted ports at the firewall.
- Filter all ICMP messages (inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and elsewhere.
- Perform TCP and UDP scanning along with ICMP probes against your org’s IP address space to check the network config and its available ports.
- Ensure that the anti-scanning and anti-spoofing rules are properly configured.
What are some IDS/Firewall Evasion Techniques?
- Packet Fragmentation:
  - Sending fragmented probe packets to the intended server, which reassembles them after receiving all the fragments
  - Refers to splitting a probe packet into several smaller packets (fragments) while sending it to a network
- Source Routing:
  - Specifying the routing path for the malformed packet to reach the intended server
  - Normally, as a packet travels through the nodes in the network, each router examines the destination IP and chooses the next hop.
  - Source routing refers to the originator of the packet deciding the route the packet must take.
- IP Address Decoy:
  - Generating or manually specifying IP addresses of decoys so that the IDS/FW cannot determine the actual IP address of the scanner.
  - Refers to generating or manually specifying decoy IP addresses in order to evade the IDS/FW.
  - It appears to the target that the decoys as well as the real host(s) are scanning the network.
- IP Address Spoofing:
  - Refers to changing the source IP address so that the packet, and therefore the attack, appears to be coming from someone else.
- Proxy Server:
  - Using a chain of proxy servers to hide the actual source of a scan and evade certain IDS/FW restrictions.
  - A proxy server is an application that can serve as an intermediary for connecting with other computers.
- Proxy Chaining:
  - The larger the number of proxy servers used, the greater the attacker’s anonymity
- Anonymizers:
  - Remove all identifying info from the user’s computer while the user surfs the internet
  - Make activity untraceable
  - Allow you to bypass internet censors
  - Types:
    - Networked Anonymizers:
      - Pass your info through a network of Internet-connected computers before passing it to the website
      - Make traffic analysis very difficult
    - Single Point Anonymizers:
      - Transfer your info through a website before sending it to the target website, and vice versa
What are some IP Spoofing Detection Techniques?
- Direct TTL Probes:
  - Send a packet to the suspected host that triggers a reply, and compare the TTL value of the reply with that of the initially received packet.
  - This is useful when the attacker is in a different subnet from that of the victim.
- IP Identification Number:
  - Send a packet to the suspected host that triggers a reply, and compare its IP ID with that of the suspect traffic.
  - If the IPIDs are not close in value to that of the packet being checked, the suspect traffic is spoofed.
- TCP Flow Control Method:
  - Attackers sending spoofed TCP packets will not receive the target’s SYN-ACK packets
  - Therefore attackers cannot respond to changes in the congestion window size
  - So if traffic continues after the window size is exhausted, the packets are most probably spoofed.
What is Banner Grabbing (OS Fingerprinting)?
- The method used to determine the OS running on a remote target system
- This allows an attacker to figure out weaknesses of the target system
- Active:
  - Specially crafted packets are sent to the target and the responses are noted
  - Responses are compared to a DB of previously recorded OS responses
- Passive:
  - Banner grabbing from error messages (error messages have useful info)
  - Sniffing the network traffic
  - Banner grabbing from page extensions
  - This may assist in determining the application version and OS
What is an ARP Ping Scan and UDP Ping Scan?
- ARP Ping Scan: Attackers send ARP request probes to target hosts, and an ARP response indicates that the host is active
- UDP Ping Scan: Attackers send UDP packets to target hosts, and a UDP response indicates that the host is active.
What are some Ping sweep countermeasures?
- Configure firewalls
- Use IDS
- Evaluate the type of ICMP traffic
- Cut off connections with any host that performs more than 10 ICMP ECHO requests
- Use DMZs
- Limit ICMP traffic
What are some host discovery techniques?
- ICMP Timestamp and Address Mask Ping Scan: Send an ICMP timestamp request to acquire information about the current time from the target host machine.
- TCP SYN Ping Scan: Send empty TCP SYN packets to a target host; an ACK response means that the host is active.
- TCP ACK Ping Scan: Send empty TCP ACK packets to a target host; an RST response means that the host is active.
- IP Protocol Ping Scan: Send various probe packets to the target host using different IP protocols; any response to any probe indicates that the host is active.
What is the TCP Maimon scan?
Send FIN/ACK probes; if there is no response, the port is Open | Filtered, but if an RST packet is sent in response, the port is closed.