Which tactic or technique(TTP) masks application traffic over port 443 (https)?

Portsweeping is similar to port scanning. Portsweeping attempts to find listening ports on systems. The difference is that instead of scanning one system on multiple ports, with portsweeping, multiple systems are scanned on the same port. For example, if you want to exploit a particular SQL vulnerability, you need to find which systems are running SQL Server. You can use portsweeping to scan a network for systems that can potentially be exploited.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495943000065

Attack Detection and Defense

Brad Woodberg, ... Ralph Bonnell, in Configuring Juniper Networks NetScreen & SSG Firewalls, 2007

TCP SYN Host Scan

Port scanning, especially across multiple machines, is the simplest and most common network reconnaissance method. A variety of tools, most notably NMap (www.insecure.org/), perform port scanning as well as more advanced system identification such as OS fingerprinting and service banner capture.

Port Scan Protection. This controls how many TCP SYN packets per second from a single IP source are permitted before the firewall begins dropping TCP SYN packets from that source. Packets are dropped for the remainder of the second. The configuration actually detects a quick series of 10 packet probes in a user-definable period of microseconds. To raise the detection rate (the SYN rate at which dropping begins), shorten the period; to lower it, lengthen the period. The lowest possible detection rate is 10 packets in a period of 1,000,000 microseconds (one second). No sessions are set up for dropped packets.

A good starting number for Port Scan Protection is 100,000 microseconds. (Ten packets in 100,000 microseconds is 100 packets per second.) Some protocols open several ports in rapid succession. If you find this triggering often from trusted machines that you have verified have no malware running on them, you may need to raise this threshold (that is, shorten the period) to weed out these false positives.

You'll most commonly detect scans and sweeps from Script Kiddies or other automated, semi-intelligent attacks. More experienced Black Hats will scan more slowly, generally slow enough to avoid being detected by a firewall. This technique of sending port scanning packets infrequently over a long period of time is known as a slow scan.
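To make the threshold concrete, here is an added example (not Juniper's code) of the same rule applied to constructed SYN timestamps: ten SYNs from one source inside the window raise an alert, while the slow scan described above never accumulates ten inside any window the firewall allows. The packet lists, addresses and window values are constructed for illustration.

```python
"""Per-source SYN burst detector, modelled on the Port Scan Protection rule
described above (10 SYNs from one source within a configurable period).
Added example, not Juniper code; the packet lists below are constructed."""
from collections import defaultdict, deque

# Constructed SYN records: (timestamp in microseconds, source IP, destination port).
FAST_SCAN = [(i * 5_000, "10.0.0.5", 1 + i) for i in range(12)]       # 12 SYNs in 60 ms
SLOW_SCAN = [(i * 30_000_000, "10.0.0.9", 1 + i) for i in range(12)]  # 12 SYNs over 6 minutes
BACKGROUND = [(i * 700_000, "10.0.0.7", 80) for i in range(5)]        # ordinary web traffic


def detect_syn_bursts(packets, window_us=100_000, threshold=10):
    """Return {source_ip: timestamp_us} for every source that sent `threshold`
    SYNs inside any sliding window of `window_us`; the timestamp is the SYN
    at which the rule first fired (the firewall would start dropping there)."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    first_alert = {}
    for ts, src, _dport in sorted(packets):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_us:   # age out SYNs that left the window
            q.popleft()
        if len(q) >= threshold and src not in first_alert:
            first_alert[src] = ts
    return first_alert


if __name__ == "__main__":
    traffic = FAST_SCAN + SLOW_SCAN + BACKGROUND
    print(detect_syn_bursts(traffic))                        # {'10.0.0.5': 45000}
    print(detect_syn_bursts(traffic, window_us=1_000_000))   # same: the slow scan still evades
```

Even at the longest period the firewall accepts (one second), probes spaced 30 seconds apart never reach ten in a window, which is exactly why a rate threshold catches burst scanners and misses a patient one.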


URL: https://www.sciencedirect.com/science/article/pii/B9781597491181500125

Real-time application of OPF-based classifier in Snort IDS

Luan Utimura, ... Rafał Scherer, in Optimum-Path Forest, 2022

3.5.2.4 Port scan

Port Scanning is one of the most popular techniques used by attackers to discover exploitable services on a host and a network. With port scanning, an attacker can find much information about a target system, such as which services are running, which users own these services, whether anonymous authentication is supported, and whether certain network services require authentication, among others [55]. For this experiment the free and open-source utility Nmap, designed for network discovery and security auditing, was used. The command line used to execute the attack directed at the server (192.168.0.5) combined four options, where

the scan-type option determines the scanning technique (TCP SYN),

the version-detection option indicates that open ports will be probed for service/version information,

the host-discovery option indicates that all hosts will be treated as online, and

the OS-detection option enables detection of the operating system. The results regarding the detection of the attack with Snort 3 were:

Given the results of the detections in Table 3.24, we observe that all machine learning techniques except the SVM detect the Port Scan attack, and that unmodified Snort 3 detects it as well. As it is one of the attacks with the highest number of instances in the CICIDS2017 database and one of the most classic attacks used by attackers, machine learning techniques can be expected to quickly identify the pattern of port scanning, and Snort 3 by itself has the signature of this attack and its possible variations in its community rules file.

Table 3.24. Port Scan detection results.

Detector          Detected   Avg. classification time (a)
Snort 3 + AB      Yes        0.0109
Snort 3 + OPF     Yes        0.5754
Snort 3 + RF      Yes        0.0053
Snort 3 + DT      Yes        0.0001
Snort 3 + SVM     No         –
Snort 3           Yes        –

(a) The average time that the machine learning techniques took to classify all network traffic flows related to the attack.

Source: Elaborated by the authors.


URL: https://www.sciencedirect.com/science/article/pii/B9780128226889000116

Layer 4: The Transport Layer

In Hack the Stack, 2006

Port Scanning Overview

Port scanning involves the transmission of TCP segments or UDP datagrams to interesting port numbers at a given IP address. The usual strategy is to try to initiate a TCP connection. Replies to these messages are analyzed to ascertain whether that port is active on the remote system. Of course, knowledge is also gained by the absence of a response.

Recall that port numbers range from 0 through 65,535, which means that you must send 65,535 probes (port 0 is reserved) to fully examine a system for active ports. You would think that this process is very time-consuming; however, on a quiet 10Mbps Ethernet network, it took approximately 7 minutes.

While scanning all of these ports provides a thorough result, it generally suffices to scan only a fraction of the 64 K possibilities. If you are interested in discovering system or network services, the well-known port numbers less than 1024 may suffice. There are port numbers above 1024 that are often interesting (e.g., Web servers or proxies running at 8080 and RADIUS servers running at 1812).

There are quite a few port numbers that you need to add to the basic 1024 values if you want to discover everything of interest with a high probability of success.

Consider Nmap, a utility that is distributed with a list of “usual suspects” in a file named “nmap-services.” Roughly 1,200 ports are included in that list, which is a lot less than the 64 K possibilities. Use the –F option to restrict Nmap to the port numbers in that list. The list can be modified if you want to add additional port numbers. Using the –F option, my port scan experiment completed in less than 10 seconds—a big improvement over the original 7-minute experiment.
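As an added example, not code from Hack the Stack or from Nmap, the following scanner ties this section's two ideas together: it parses a constructed excerpt in nmap-services format (service name, port/protocol, open frequency) to select the most frequently open ports, the ordering Nmap's -F list draws on, and then runs a plain TCP connect scan that classifies each port as open (handshake completed), closed (RST back) or filtered (no reply before the timeout). The demo scans listeners it opens itself on 127.0.0.1, so it runs offline; the service lines and frequencies are constructed.

```python
"""Frequent-port selection plus a TCP connect scan.  Added example, not code
from Hack the Stack or from Nmap.  The nmap-services excerpt is constructed
in the real file's format; the scan runs against listeners started locally."""
import socket
import threading

# Constructed excerpt in nmap-services format: <name> <port>/<proto> <open-frequency>.
SAMPLE_NMAP_SERVICES = """\
# Fields: service name, port/protocol, open-frequency
http        80/tcp     0.484143
ssh         22/tcp     0.182286
https       443/tcp    0.208669
smtp        25/tcp     0.131314
http-proxy  8080/tcp   0.042052
radius      1812/udp   0.000928
unknown     49152/tcp  0.000050
"""


def parse_nmap_services(text, proto="tcp"):
    """Return [(port, name, frequency)] for one protocol, most frequently open
    first; Nmap's -F / --top-ports selection is based on this ordering."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, port_proto, freq = line.split()[:3]
        port, _, p = port_proto.partition("/")
        if p == proto:
            entries.append((int(port), name, float(freq)))
    entries.sort(key=lambda e: e[2], reverse=True)
    return entries


def connect_scan(host, ports, timeout=0.5):
    """Full TCP connect scan.  A completed handshake is 'open', an immediate
    refusal (the target's RST) is 'closed', and silence until the timeout is
    'filtered': the absence of a reply is itself information."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError:
                results[port] = "unreachable"   # e.g. no route to host
    return results


def start_listener():
    """Bind a throwaway listener on 127.0.0.1 (kernel-chosen port) and return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Ask the kernel for an unused port and release it, so it reads as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(top_n=3):
    """Scan the top_n most frequent TCP ports from the list plus two ports we
    know are open and two we know are closed; returns (open, closed, results)."""
    open_ports = [start_listener(), start_listener()]
    closed_ports = [free_port(), free_port()]
    frequent = [port for port, _, _ in parse_nmap_services(SAMPLE_NMAP_SERVICES)[:top_n]]
    results = connect_scan("127.0.0.1", frequent + open_ports + closed_ports)
    return open_ports, closed_ports, results


if __name__ == "__main__":
    for port, state in sorted(demo()[2].items()):
        print(f"{port}/tcp {state}")
```

A connect scan completes the handshake, so the listening application sees and may log every probe; the "filtered" verdict is the one to treat with care, since a slow host and a dropping firewall look identical from the scanner's side.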


URL: https://www.sciencedirect.com/science/article/pii/B9781597491099500095

Web Server Hacking

Josh Pauli, in The Basics of Web Hacking, 2013

Port Scanning

Port scanning is simply the process of identifying what ports are open on a target computer. In addition, finding out what services are running on these ports is a common outcome of this step. Ports on a computer are like any opening that allows entry into a house, whether that’s the front door, side door, or garage door. Continuing the house analogy, services are the traffic that uses an expected entry point into the house. For example, salesmen use the front door, owners use the garage door, and friends use the side door. Just as we expect salesmen to use the front door, we also expect certain services to use certain ports on a computer. It’s pretty standard for HTTP traffic to use port 80 and HTTPS traffic to use port 443. So, if we find ports 80 and 443 open, we can be somewhat sure that HTTP and HTTPS are running and the machine is probably a web server. Our goal when port scanning is to answer three questions regarding the web server:

1.

What ports are open?

2.

What services are running on these ports?

3.

What versions of those services are running?

If we can get accurate answers to these questions, we will have strengthened our foundation for attack.

Nmap

The most widely used port scanner is Nmap, which is available in BackTrack and has substantial documentation at http://nmap.org. First released by Gordon “Fyodor” Lyon in 1997, Nmap continues to gain momentum as the world’s best port scanner with added functionality in vulnerability scanning and exploitation. The most recent major release of Nmap at the time of this writing is version 6, and it includes a ton of functionality dedicated to scanning web servers.

Updating Nmap

Before you start using Nmap, be sure that you’re running the most recent version by running the nmap -V command in a terminal. If you are not running version 6 or higher, you need to update Nmap. To perform the update, open a terminal in BackTrack and run apt-get install nmap, which upgrades an already-installed package to the newest version available from the repositories (apt-get upgrade does not take a package name). To make sure you are running version 6 or higher, you can again use the nmap -V command after installation is complete.

Running Nmap

There are several scan types in Nmap and switches that add even more functionality. We already know the IP address of our web server so many of the scans in Nmap dedicated to host discovery (finding an IP address of a server) can be omitted as we are more interested in harvesting usable information about the ports, services, and versions running on the web server. We can run Nmap on our DVWA web server when it’s running on the localhost (127.0.0.1). From a terminal, run the following Nmap command.

nmap -sV -O -p- 127.0.0.1

Let’s inspect each of the parts of the command you just ran, so we all understand what the scan is trying to accomplish.

The –sV designates this scan as a versioning scan that will retrieve specific versions of the discovered running services.

The –O means information regarding the operating system will be retrieved such as the type and version.

The -p- means we will scan all ports.

The 127.0.0.1 is the IP address of our target.

One of Nmap’s most useful switches is -O, which fingerprints the remote operating system (service names and versions come from the separate -sV switch). Nmap sends a series of packets to the remote host and compares the responses to its nmap-os-db database of more than 2600 known operating system fingerprints. The results of our first scan are shown below.

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000096s latency).

Not shown: 65532 closed ports

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.14 ((Ubuntu))

3306/tcp open mysql MySQL 5.1.41-3ubuntu12.10

7337/tcp open postgresql PostgreSQL DB 8.4.0

8080/tcp open http-proxy Burp Suite Pro http proxy

Device type: general purpose

Running: Linux 2.6.X|3.X

OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3

OS details: Linux 2.6.32 - 3.2

Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/.

Nmap done: 1 IP address (1 host up) scanned in 9.03 seconds

You can see four columns of results: PORT, STATE, SERVICE, and VERSION. In this instance, we have four rows of results meaning we have four services running on this web server. It is pretty self-explanatory what is running on this machine (your results may vary slightly depending on what you have running in your VM), but let’s discuss each, so we are all on the same page with these Nmap results.

There is an Apache 2.2.14 web server running on port 80.

There is a 5.1.41 MySQL database running on port 3306.

There is a PostgreSQL 8.4 database running on port 7337.

There is a web proxy (Burp Suite) running on port 8080.

Knowing the exact services and versions will be a great piece of information in the upcoming vulnerability scanning and exploitation phases. There are also additional notes about the kernel version, the operating system build details, and the number of network hops (0 because we scanned our localhost).
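The scan report above is Nmap's human-readable format; for tooling, its -oX (XML) and -oG (grepable) outputs are the proper machine-readable choices. As an added example, not the book's code, the following parser pulls port, state, service and version out of the normal-output lines shown above (embedded here as a constructed copy of that report) and picks out the HTTP-like ports that the Nikto and Nessus steps would be pointed at.

```python
"""Parser for Nmap's normal (human-readable) output.  Added example, not the
book's code; NMAP_REPORT is a constructed copy of the report shown above."""
import re

NMAP_REPORT = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000096s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.2.14 ((Ubuntu))
3306/tcp open  mysql      MySQL 5.1.41-3ubuntu12.10
7337/tcp open  postgresql PostgreSQL DB 8.4.0
8080/tcp open  http-proxy Burp Suite Pro http proxy
Device type: general purpose
Running: Linux 2.6.X|3.X
OS details: Linux 2.6.32 - 3.2
Network Distance: 0 hops
"""

# <port>/<proto> <state> <service> [<version text>]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_report(text):
    """Return (services, os_details): services is a list of dicts with port,
    proto, state, service and version; os_details is the OS guess line or None."""
    services, os_details = [], None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            services.append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": (version or "").strip(),
            })
        elif line.startswith("OS details:"):
            os_details = line.split(":", 1)[1].strip()
    return services, os_details


def web_targets(services):
    """Open ports Nmap labelled http-like: the ones to hand to Nikto/Nessus web checks."""
    return [s["port"] for s in services
            if s["state"] == "open" and s["service"].startswith("http")]


if __name__ == "__main__":
    svcs, os_guess = parse_nmap_report(NMAP_REPORT)
    for s in svcs:
        print(f"{s['port']}/{s['proto']} {s['service']}: {s['version']}")
    print("OS:", os_guess, "| web ports:", web_targets(svcs))
```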

Alert

Running Nmap against localhost can be deceiving, as the ports that are listening on the machine may not actually be available to another machine. Some of these machines may be on the same local area network (LAN) or completely outside of the LAN. 127.0.0.1 only pertains to the local machine and is the loopback address that every machine uses to communicate with itself. In order to get a clear understanding of what is accessible by outsiders to this machine, you would actually need to run this same Nmap scan from two different machines. You could run one from a machine inside the network (your coworker’s machine) and one from a machine outside the network (your home machine). You would then have three scans whose results you can compare. It’s not critical that you do this for our work, but it’s important to realize that you may get different results depending on what network you scan from.

Nmap Scripting Engine (NSE)

One of the ways that Nmap has expanded its functionality is the inclusion of scripts to conduct specialized scans. You simply have to invoke the script and provide any necessary arguments in order to make use of the scripts. The Nmap Scripting Engine (NSE) handles this functionality and fortunately for us has tons of web-specific scripts ready to use. Our DVWA web server is pretty boring, but it’s important to realize what is capable when using NSE. There are nearly 400 Nmap scripts (396 to be exact at last count), so you’re sure to find a couple that are useful! You can see all current NSE scripts and the accompanying documentation at http://nmap.org/nsedoc/. Here are a couple applicable Nmap scripts that you can use on web servers.

You invoke all NSE scripts with --script=

| [boot loader]

| timeout=30

| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

| [operating systems]

|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

The Nmap findings from port scanning tie directly into the following sections when Nessus and Nikto are used to scan for vulnerabilities in the web server.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166004000022

Assessments and Audits

Lauren Collins, in Cyber Security and IT Infrastructure Protection, 2014

Port Scanning and Password Cracking

Port scanning is one of the most popular techniques a hacker can use to discover services that can be compromised. For instance, a port scanner will send a TCP SYN request to the host (or range of hosts) it is set to scan. Ping sweeps are also an option when attempting to determine which hosts are available before starting the TCP port scans. Most port scanners only scan TCP ports by default, and some scan UDP by default as well. Some software packages will perform the discovery and auditing of your systems and network; if you know your way around the command line on a switch, you can navigate around a network quickly to locate hosts; and there are free open-source programs as well. Network Mapper (NMAP), released under an open-source license, can also scan UDP ports and is shown in Figure 12.1. Other common programs that can be used, other than NMAP, are SuperScan and NetScan. A scan will probe the accessible hosts for up to 65,535 viable TCP and UDP ports. You can select specific ports you’d like to scan in order to return fewer results, and also filter to view the services available. Port scans provide the following information from accessible hosts on the network:


Figure 12.1. Network Mapper (NMAP), a utility used for scanning ports.

Network address of the hosts discovered

Services and/or applications the hosts are running

Hosts that are operational and reachable on the network

For your initial scan, it is recommended that you scan all ports from 1 to 65,535. There are many options to get as granular as you want. For instance, a scan can be performed on only well-known ports, or a scan may only involve a certain range of ports specific to your system. If the scanner is unable to find hosts that you are certain would show up, ICMP may be blocked. Once you have concluded what hosts are available and which ports are open, more sophisticated scans can be run to verify that the ports are open and that the tool is not reporting a false positive:

UDP Scan is a basic UDP scan that looks for any open UDP ports on the host. This option is used to see what is running and determine whether or not Intrusion Detection Systems (IDS), firewalls, or other logging devices log the connection.

Connect is a basic TCP scan that looks for any open TCP ports on the host. This scan is used to see what is running and determine whether or not IDS, firewalls, or other logging devices log the connection.

SYN Stealth is a scan that initiates a half-open TCP connection, with the host potentially dodging IDS systems and logging. This option is a great scan for testing IDS systems, firewalls, and other logging devices.

FIN Stealth, Xmas Tree and Null are scans that allow you to get creative by sending odd-shaped packets to the network hosts in order to see how the hosts respond. These scans basically alter the flags in the TCP headers of each packet, which allows you to test how each host handles them to point out weak TCP/IP implementations and patches that may need to be applied.

In Chapter 60, denial-of-service attack was one of the many attacks that were described. When running scans, it is possible to create your own denial-of-service attack and potentially crash applications or the entire network. Unfortunately, if there is a host on the network with a weak TCP/IP stack, there is no way to prevent your scan from becoming a DoS attack. To reduce the chance of this happening, use slow NMAP timing options when running scans. Refer to Figure 12.1 to see all the options available when running scans.

Password cracking is a process whereby a hacker or a system can retrieve passwords from records that have been stored or transmitted by a system. The most common tactic is simply to try to guess the password. There is always the option to request a password change by claiming to have forgotten it; that approach works more often than most would assume and has destroyed many people’s virtual lives. In an organization, it is always more secure to have an administrator assign a user a new password rather than allow them to answer a set of questions to recover their forgotten password; although only administrators can then assign new passwords, the extra security layer is a must. When you consider how all of us have answered a series of questions to regain a forgotten password, a program that runs through a file system, file by file, attempting to obtain the record where the answers to your challenge questions and your password are stored makes complete sense. That is exactly how a password can be cracked.

Hashing passwords is a common practice for individuals and organizations, and although a hashed password takes longer to crack than a plaintext one, it is still attainable. If an MD5 or SHA1 hash is taken of a string of characters, the hash, not the password itself, is the string of characters stored in the database; note that hashing is not encryption, since there is no key and the operation is not meant to be reversed. Rainbow tables are precomputed tables of hashes covering huge numbers of candidate passwords, and such tools are available for free download. When comparing the rainbow tables and the target hashes, newer computers have a powerful enough processor and graphics card to achieve results quickly. Graphics processing units (GPUs), originally built for rendering, are now used for supercomputing where high-end math calculations can be done quickly, in electronic trading and password cracking alike. GPUs are much faster than CPUs at calculating predefined, highly parallel tasks and have faster memory and wider input/output (I/O) channels to facilitate rapid computations.

There are several ways to limit the effectiveness of the powerful tools available to hackers. A salt is a randomly generated piece of information that is added to the password before it is run through the hashing process. With a different salt for each password, the stored value can no longer be cracked using rainbow tables, because a table would have to be precomputed for every salt value; the salt does not need to be secret and is normally stored next to the hash. A hacker who obtains the database must then attack each password hash individually, and a deliberately slow hashing scheme (many iterations) makes every guess correspondingly more expensive. Two-factor authentication is another technique organizations can use to intensify security measures. This is a form of security that adds protection even in the event a hashed password has been breached.
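An added example, not from the book, contrasting the two storage schemes just described: an unsalted MD5 hash falls immediately to a precomputed lookup (a small dictionary stands in for a rainbow table, and the wordlist and passwords are constructed), while a random per-password salt with PBKDF2 yields a different digest for the same password every time and can only be attacked one guess at a time.

```python
"""Unsalted hash vs. salted, iterated hash.  Added example, not the book's code;
the wordlist and passwords below are constructed."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the contents of a downloaded rainbow table.
WORDLIST = ["password", "letmein", "qwerty", "Summer2013", "Welcome1"]

PBKDF2_ITERATIONS = 100_000  # chosen so each guess costs measurable CPU time


def build_lookup_table(words):
    """Precompute unsalted MD5 -> plaintext, as a rainbow table effectively does.
    (A real table stores hash chains to save space; the lookup result is the same.)"""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def crack_unsalted(stored_hex, table):
    """Weak scheme: the stored value is md5(password), so one lookup cracks it."""
    return table.get(stored_hex)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened scheme: random 16-byte salt per password plus an iterated KDF.
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Returns (plaintext recovered from the unsalted hash,
                whether two salted hashes of the same password differ,
                whether the salted hash verifies the right password,
                whether it rejects a wrong password)."""
    table = build_lookup_table(WORDLIST)
    legacy_record = hashlib.md5(b"Summer2013").hexdigest()   # what the weak scheme stores
    recovered = crack_unsalted(legacy_record, table)

    salt1, digest1 = hash_password("Summer2013")
    salt2, digest2 = hash_password("Summer2013")
    return (
        recovered,
        digest1 != digest2,
        verify_password("Summer2013", salt1, digest1),
        verify_password("Summer2014", salt1, digest1),
    )


if __name__ == "__main__":
    print(demo())  # ('Summer2013', True, True, False)
```

The salt defeats precomputation; the iteration count is what makes each individual guess slow, and it should be raised over time as hardware (GPUs included) gets faster.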


URL: https://www.sciencedirect.com/science/article/pii/B9780124166813000124

The Enemy (The Intruder’s Genesis)

Dr. Pramod Pandya, in Computer and Information Security Handbook (Second Edition), 2013

2 Active Reconnaissance

The first step involves searching for Internet domain names, to help to identify those entities that would hold valuable information worth gaining access to. The next step is to map the domain names to network addresses, and finally map out the detail infrastructure of that network. Now we can begin to discover IP addresses of the network nodes and attempt to identify DNS servers, database servers, email servers, and Web servers. These various servers would hold the sensitive information of value. The next phase would be to place the DNS servers, email, and Web servers and database servers on the network and reproduce a complete network, including its functional specification. Once the target network is mapped out, we will use network-based tools to get all the information about that server, and then make a preparation to design a scheme to attack the network.

The domain name registered by the target corporate network can be found by entering the organization’s domain name in a search at www.internic.net/whois.html. Thus, we can learn addresses for the target networks’ DNS servers, Web servers, and email servers. The GFI Languard NSS software has a utility “whois” that easily allows discovering all the information regarding a domain name registered to a corporate network. DNS Zone transfers refer to learning about the servers and their IP addresses from zone files. Information collected is used to determine what TCP and or UDP services such as HTTP, SMTP, or FTP are in either “listening,” “wait,” or “closed” state, including the types of operating system and applications currently in use.

The examples of port scanning, and enumeration illustrated in this chapter were obtained using the network in Figure 28.2. The network consists of the following computers:


Figure 28.2. Switched Ethernet network.

kailash a Windows 2000 server—Domain PANDYA

kalidas a Windows XP workstation

nanjun a Linux server

Network Mapping

Network mapping (see Figure 28.3) is the process of discovering information about the topology of the target network, thus finding the IP addresses of gateways, routers, email, Web, FTP servers, and database servers. The next step is to sweep the target network to find live nodes by sending ping packets and waiting for responses from the target nodes. ICMP messages can be blocked, so an alternative is to send a TCP or UDP packet to a port such as 80 (http) that is frequently open; a live machine answers with a SYN-ACK if the port is open or an RST if it is closed, and either reply proves the host is up. Once the live nodes are mapped, a standard utility such as traceroute can provide additional information about the network topology by discovering the paths taken by packets to each host, which provides information about the routers and gateways in the network and the general network layout.


Figure 28.3. Network mapping of computers in Figure 28.2.

The screenshot in Figure 28.3 is obtained using a network security scanner from GFI Languard (http://www.gfi.com). This software is a commercial product, but a trial version 6.0 can be downloaded for 14 days.

Nmap

The Nmap main page is described as a security/network exploration tool and port-scanner. The basic command line syntax to invoke Nmap is as follows:

nmap [scan type(s)] [options] {target specification}

Nmap has a huge list of command-line options, generally categorized into target specification, host listing, port specifications, service identification, scan technique, scripted scans, and output options. Some of the Nmap switches only work when run as the root (superuser).

nmap -sL 192.168.1.0/24 — Lists the targets that would be scanned (every address in the 192.168.1.0/24 subnet) together with their reverse-DNS names, without sending any probes to the hosts themselves.

nmap -p80,443 192.168.1.10-20—Scans the IP address range looking for open ports 80 and 443.

nmap -p T:80,8080,6588,800 172.16.0.1/22 — Scans all hosts between 172.16.0.1 and 172.16.3.254, looking for open TCP ports 80, 8080, 6588, and 800 (the default listening ports for various proxy servers).

nmap -sP 192.168.1.10,20 — Ping scans two hosts (192.168.1.10 and 192.168.1.20) in a fast scan; this option is spelled -sn in current Nmap versions.

nmap -PN 192.168.1.0/29 — Scans all the hosts in the 192.168.1.1 to 192.168.1.6 range. Sometimes host-based firewalls deny ping requests, and it is difficult to scan such hosts. The -PN scan (spelled -Pn in current Nmap versions) is useful in such cases; it skips host discovery and scans the hosts assuming them to be online.

nmap -A -F 192.168.1.1 — Detects target OS and services running on it, in fast-scan mode.

Idlescan

This scan will probe 192.168.1.95 while pretending that the scan packets come from another host; the target’s logs will show that the scan originated from 192.168.1.10. This is called a zombie host.

Zombie hosts are idle systems whose identity the scanner borrows. Not all hosts can be used as zombies: the zombie must be largely idle and must assign IP identification (IP ID) values from a single, predictably incrementing counter, because the idle scan infers the target’s reply from increments in that counter. (Using packages such as hping may enable you to find a zombie host on the network.) The -v switch increases the verbosity of the output.

Decoy Host

This command is especially useful while testing IDS/IPS. The -sS option will perform a SYN scan on the target host. While doing so, it will spoof the packet contents to make the target host see them as coming from the specified (-D) decoy hosts. The -sI and -D switches can’t be combined, for obvious reasons.

Now, a word of caution: Be careful not to cause an unintended denial-of-service (DoS) attack while using the -D option. To understand how this could happen, we need to know how a TCP handshake operates. TCP, being a connection-oriented protocol that guarantees delivery of packets, operates with a three-way handshake:

The client initiates the communication by a SYN.

The server acknowledges with a SYN-ACK.

The client again sends an ACK, and now they can communicate.

If the -D switch is used, and there is a live host at the decoy IP address, then the SYN-ACK reaches the actual host at the decoy IP address, and not the host running the Nmap scan. Since the real host at the decoy address did not initiate the connection, it closes the connection by sending a TCP Reset (RST). There’s no problem with this.

However, a problem occurs if the decoy IP address is not active on the network — there is no RST sent to the scan target, which keeps the connection open. As Nmap continues to generate more and more requests to the target with the decoy IP as the source, the scan target has a growing list of open connections for which it maintains the “connection-initiated” state. This ends up consuming more and more resources on the target and may cause a DoS to other, legitimate hosts and communications.

FIN Scan

The Nmap FIN scan comes in handy in such circumstances. The standard use of a FIN packet is to terminate a TCP connection, typically after the data transfer is complete. Instead of a SYN packet, Nmap initiates a FIN scan by sending a bare FIN packet. Since there is no earlier communication between the scanning host and the target host, a closed port responds with an RST packet, while an open port on an RFC 793-compliant stack silently drops the FIN; a port is therefore reported as closed when an RST comes back and as open|filtered when nothing does. Either way, a host that answers with RSTs reveals its presence. A FIN scan is initiated using a command like nmap -sF 192.168.1.1.

Port Scanning

The second step in reconnaissance is known as port scanning. A typical network is secured by a firewall on its perimeter, configured to permit HTTP and SMTP traffic to pass through. Other application traffic is forced to use a secured tunnel to pass through the network. Of course, the perimeter firewall is configured to monitor the traffic, and a log is kept for analysis. The internal network is built using Ethernet segments that reflect the infrastructure of the organization, and IP network segments are superimposed on the Ethernet segments. Each IP network segment is secured from the others by a firewall. Each of the IP segments is connected to a layer-3 switch, further protecting each IP segment from external attack. IP traffic from the layer-3 switch is directed through a demilitarized zone (DMZ) before it reaches the perimeter router. The nodes in the DMZ are DNS, SMTP, and HTTP servers, which are permitted both inbound and outbound traffic. The attacker would scan the ports on the perimeter firewall and look for open ports. The firewall would have well-known ports such as 80 and 25 open for Web and email services. The goal of the attacker is to find which ports are in the “listen,” “wait,” or “closed” state.

TCP Full Connect. Full TCP connection is a three-way handshake between a source host and a target host to establish a normal connection. This is used to determine the open TCP ports on the target network, even though the packets have to pass through the firewall. If an intrusion detection system (IDS) is installed on the target network and configured to trigger an alarm to indicate an anomalous behavior on the network, then this activity will be recorded by IDS.

UDP Scan

This mode sends a short UDP packet to the target’s UDP ports and looks for an ICMP “Port Unreachable” message in response. The absence of that message indicates either that the port is in use or the target does not return the ICMP message, which can lead to false positives (A false positive occurs when an IDS reports as an intrusion an event that is in fact legitimate network activity). This mode, too, is easily recognized by IDS.

TCP SYN Half Open

In Chapter 27, we talked about the mode of the TCP session. This mode normally sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with SYN+ACK, and closed ports respond with ACK+RST or RST. This mode is less likely to be recorded by IDS, since the TCP connection is not fully complete, and consequently the attacker might get away with this mode of intrusion.

Fragmentation Scanning

In this method of scanning, you break up IP packets into a number of fragments. Consequently, you are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. IP fragmentation can also lead to a DoS.

Port Numbers

Public IP addresses are controlled by the Internet Assigned Numbers Authority (IANA) www.iana.org, and are unique globally. Port numbers are unique only within a computer system, and they are 16-bit unsigned numbers. The port numbers are divided into three ranges: the Well Known Ports (0..1023), the Registered Ports (1024..49151), and the Dynamic and/or Private Ports (49152..65535).

Well-Known Ports

Port numbers 0 to 1023 are well-known ports. These well-known ports (also called standard ports) are assigned to services by the IANA. On Unix, the text file named /etc/services (on Windows 2000 the file named %windir%\system32\drivers\etc\services) lists these service names and the ports they use. Here are a few lines extracted from this file:

echo 7/tcp Echo

ftp-data 20/udp File Transfer [Default Data]

ftp 21/tcp File Transfer [Control]

ssh 22/tcp SSH Remote Login Protocol

telnet 23/tcp Telnet

domain 53/udp Domain Name Server

www-http 80/tcp World Wide Web HTTP

Nonstandard Ports

By a nonstandard port, we simply mean a port whose number is higher than 1023. Several services are “standard” in this range as well, since IANA registers ports above 1023 too. For example:

wins 1512/tcp # Microsoft Windows Internet Name Service

yahoo 5010 # Yahoo! Messenger

x11 6000-6063/tcp # X Window System

Once the IP address of a target system is known, an attacker can begin port scanning, looking for holes in the system through which to gain access to the network nodes. We have already discussed the significance of TCP and UDP port numbers and the well-known and not-so-well-known services that run on them. Each of these ports is a potential entryway or “hole” into the network. If a port is open, there is a service listening on it; well-known services have assigned port numbers, such as HTTP on TCP port 80 or Telnet on TCP port 23. Port scanning is the process of sending packets (TCP or UDP) to each port on a system to find out which ones are open.
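The following is an added example, not code from the chapter: a small TCP connect() port scanner that runs against listeners started in the same process, so it works offline. connect() completes the three-way handshake, which is exactly what a target service sees and logs; the half-open SYN scan discussed above needs raw sockets and administrator rights and is not shown here. The loopback address, the listeners and the thread pool size are constructed for the example.

```python
"""Added example (not from the chapter): a TCP connect() port scan run
against listeners started in this process, so it works offline. connect()
completes the three-way handshake, which is what a target service logs;
a half-open SYN scan needs raw sockets and root and is not shown."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

HOST = "127.0.0.1"  # assumption: loopback is reachable; the targets are our own listeners


def start_listener(host=HOST):
    """Listen on an OS-chosen port and accept (then drop) connections in the
    background. Returns (server_socket, port); close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # server socket closed: stop serving
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host=HOST):
    """Return a port that is currently closed (bound briefly, then released)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """Classify one port the way a connect scan does:
       open     - handshake completed
       closed   - target answered the SYN with RST (connection refused)
       filtered - no answer within the timeout, typical of a dropping firewall"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def scan(host, ports, workers=32):
    """Probe the given ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        states = ex.map(lambda p: probe(host, p), ports)
        return dict(zip(ports, states))


def open_ports(host, ports):
    """Just the ports a service is listening on, in ascending order."""
    return sorted(p for p, st in scan(host, ports).items() if st == "open")


if __name__ == "__main__":
    srv_a, port_a = start_listener()
    srv_b, port_b = start_listener()
    targets = [port_a, port_b, free_port()]
    for port, state in sorted(scan(HOST, targets).items()):
        print("%s:%d %s" % (HOST, port, state))
    srv_a.close()
    srv_b.close()
```

The three outcomes map directly onto what the text describes: a completed handshake means a listening service, an immediate refusal means the target's stack sent RST, and a timeout means something between the scanner and the target dropped the SYN. The worker count is the knob that controls scan rate; raising it makes the scan faster and noisier.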

A port scanner such as Nmap is capable of a wider variety of TCP scans that are harder to detect. Nmap's TCP SYN stealth scan (-sS) sends a SYN and, after the target's SYN+ACK, answers with a RST instead of the ACK that would complete the handshake, so the connection is torn down before it fully opens. This half-open connection is not logged by the application at the target, but it may be noticed by routers or firewalls that record the original SYN packet.

Nmap also provides options that give the attacker more control over the packets sent. The attacker can set the rate at which packets are sent, since spacing the packets out over time can help avoid raising the target's suspicion that it is being scanned. If the rate is set too fast, packets can be lost and incorrect results will be returned. The attacker can also fragment the packets to evade intrusion detection systems, many of which only inspect whole packets that arrive in one piece. Nmap even allows the attacker to set the source port, for example to 80 so that the probes look like Web traffic to a simple packet filter, and to specify decoy source addresses that obscure the real address by sending an extra copy of each probe per decoy address.

Bounce Scans

In a bounce scan, the attacker relays the probes through an intermediate host so that the target sees the intermediary's IP address rather than the attacker's, which makes tracing the attacker's true source difficult. Disguising the true source in this way is also characteristic of distributed denial-of-service (DDoS) attacks, where traffic arrives from many compromised or spoofed addresses. Most large Internet sites such as Yahoo, Google, and Microsoft place proxy servers in front of their Web servers so that all Web traffic is funnelled through a single point for filtering, and for caching to improve performance; DDoS attacks have nevertheless succeeded against sites with such proxies in place.

Vulnerability Scanning

One essential type of tool for any attacker or defender is the vulnerability scanner. These tools connect to a target system and check for such weaknesses as configuration errors, default settings that leave a system open to attack, and the most recently reported software vulnerabilities. Most commercial network security scanners are expensive and closed-source, while open-source scanners are free and come with their source code. Nessus (open source in its early versions, proprietary since version 3) is an extremely powerful network scanner and can be configured to run a wide variety of checks. Nessus includes a large set of plug-ins that can be enabled depending on the type of security check the user wishes to perform, and it has its own scripting language, the Nessus Attack Scripting Language (NASL), which can be used to write individual checks and combine them with the existing plug-ins. Although such checks could be written in C, Perl, Python, or other languages, NASL was designed specifically for this purpose. The screenshot in Figure 28.4 was obtained using the GFI LANguard network security scanner.


Figure 28.4. Vulnerable open ports on the computers in Figure 28.2.


URL: https://www.sciencedirect.com/science/article/pii/B9780123943972000283

Using Nmap

Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008

Advanced Port Scanning

Nmap includes several advanced port scanning options that manipulate the raw packet in a variety of ways to solicit responses from the target. According to the TCP specification (RFC 793), a packet that contains none of the SYN, RST, or ACK flags receives a RST in return if the port is closed and no response at all if the port is open (reported as open|filtered, since a firewall dropping the probe produces the same silence). Nmap includes the following three scan options to take advantage of this characteristic:

TCP Null scan The TCP Null scan (-sN ) does not set any flag bits in the TCP header.

TCP FIN scan The TCP FIN scan (-sF ) sets only the FIN flag.

Xmas scan The Xmas scan (-sX ) sets the FIN, PSH, and URG flags.

If Nmap receives an ICMP unreachable error in response to one of these probes, it reports the port as filtered. These scan options are stealthy and may bypass stateless firewalls that only block SYN packets, but most host- and network-based intrusion detection systems (IDSes) will detect this type of scan activity. Keep in mind that operating systems that do not follow the TCP RFC (Microsoft Windows, for example, answers all of these probes with RST whether the port is open or closed) will give misleading responses.

Nmap includes an advanced port scan option that is used to probe firewalls and map their rulesets rather than to find listening services. The TCP ACK scan (-sA) sends a packet to the target with only the ACK flag set. An unfiltered port, open or closed, responds with a RST packet. If an ICMP error message or no response is received, the port is considered filtered by a firewall; the scan therefore reports ports as filtered or unfiltered, never as open.

A similar technique to the TCP ACK scan is the TCP Window scan (-sW). The Window scan sends the same ACK-only packet but also examines the TCP Window field of the RST that comes back to decide whether the port is open or closed. This relies on an implementation detail of a few types of systems: some stacks set a positive window size in the RST if the port is open and a zero window size if the port is closed. On systems without this quirk the Window scan reports every unfiltered port as closed.

The Maimon scan (-sM), named after its discoverer Uriel Maimon, sets the FIN and ACK flags in the probe. According to RFC 793 the target should answer with a RST whether the port is open or closed, but Maimon noticed that many BSD-derived systems simply drop the probe when the port is open, so Nmap reports a RST as closed and silence as open|filtered. More information on this scan technique can be found in Phrack Magazine issue #49 (November 1996), www.phrack.org/issues.html?issue=49&id=15-article.

Another advanced port scanning technique is the Idle scan (-sI). The idle scan lets you specify another system, known as a zombie host, to use in the scan. The zombie's address masks your own: you send the probes to the target with the zombie's IP address forged as the source, and then infer the target's responses from the way the zombie's IP ID (the IP identification field used for fragment reassembly) sequence advances. The idle scan is a very stealthy, blind TCP port scan; “blind” because the target's replies go to the zombie, not to you, so your scanning system never sees them directly. The trick is that a SYN+ACK from an open port makes the zombie emit a RST, which consumes one IP ID, while a RST from a closed port is ignored by the zombie. This only works if the zombie is truly idle and assigns IP IDs from a single global, incrementing counter; Nmap tests the zombie for this before scanning. Fyodor has a great write-up on the idle scan, including examples, at http://insecure.org/nmap/idlescan.html. The port on the zombie that Nmap probes defaults to TCP port 80 if none is specified.
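The following is an added example, not code from the chapter or from Nmap: a simulation of the idle scan's IP ID arithmetic with the zombie, target and attacker modelled as in-memory objects. It also shows the two failure modes a practitioner has to check for, a zombie that is not idle and a zombie whose IP IDs are not sequential. Addresses, port lists and counter values are constructed for the example.

```python
"""Added example (not from the chapter or Nmap): a simulation of the idle
scan's IP ID arithmetic. The zombie, target and attacker are in-memory
objects; addresses and counter values are constructed for illustration."""


class Zombie:
    """An idle host whose IP ID field is one global counter incremented per
    packet sent: the property the idle scan relies on."""

    def __init__(self, start_ipid=1000):
        self.ipid = start_ipid

    def send(self):
        self.ipid += 1
        return self.ipid                      # IP ID stamped on the outgoing packet

    def receive(self, pkt):
        """Unsolicited SYN/ACK -> RST (uses an IP ID); unsolicited RST -> ignored."""
        if pkt["flags"] == "SA":
            return {"flags": "R", "ipid": self.send()}
        return None


class BusyZombie(Zombie):
    """A zombie that also talks to other hosts: its counter jumps unpredictably."""

    def __init__(self, start_ipid=1000, other_traffic=3):
        super().__init__(start_ipid)
        self.other_traffic = other_traffic

    def receive(self, pkt):
        for _ in range(self.other_traffic):   # packets to unrelated hosts
            self.send()
        return super().receive(pkt)


class ConstantIdZombie(Zombie):
    """A host that always sends IP ID 0 (Linux does this for many packets): useless as a zombie."""

    def send(self):
        return 0


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        """Reply to a SYN; the reply is addressed to the packet's (spoofed) source."""
        if pkt["dport"] in self.filtered_ports:
            return None                       # a firewall drops it: nothing goes back
        if pkt["dport"] in self.open_ports:
            return {"flags": "SA", "dst": pkt["src"]}
        return {"flags": "R", "dst": pkt["src"]}


def probe_zombie(zombie):
    """Attacker -> zombie: a SYN/ACK from our real address; read the IP ID of the RST."""
    return zombie.receive({"flags": "SA"})["ipid"]


def zombie_is_usable(zombie, samples=4):
    """Precondition Nmap checks: consecutive probes must show the ID rising by exactly 1."""
    ids = [probe_zombie(zombie) for _ in range(samples)]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(zombie, target, port):
    before = probe_zombie(zombie)
    # Attacker -> target: a SYN whose source address is forged as the zombie's.
    reply = target.receive({"flags": "S", "dport": port, "src": "zombie"})
    if reply is not None:
        zombie.receive(reply)                 # the network delivers it to the zombie
    after = probe_zombie(zombie)
    delta = after - before
    if delta == 2:
        return "open"                         # target's SYN/ACK made the zombie send a RST
    if delta == 1:
        return "closed|filtered"              # target's RST (or nothing) caused no zombie packet
    return "unreliable"                       # zombie not idle, or IP IDs not sequential


if __name__ == "__main__":
    z = Zombie()
    t = Target(open_ports={22, 80}, filtered_ports={25})
    print("zombie usable:", zombie_is_usable(z))
    for port in (22, 23, 25, 80):
        print("port %d: %s" % (port, idle_scan_port(z, t, port)))
    print("busy zombie, port 22:", idle_scan_port(BusyZombie(), t, 22))
    print("constant-ID zombie usable:", zombie_is_usable(ConstantIdZombie()))
```

Note that a filtered port and a closed port are indistinguishable to the attacker (both leave the zombie's counter at +1), which is why the scan reports closed|filtered, and that a busy zombie pushes the difference above 2 and makes the result meaningless. Real Nmap sends each probe several times and uses a binary-search style retry to cope with a small amount of background traffic.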

Another stealthy scan method is the FTP bounce scan (-b). The FTP bounce scan uses the FTP proxy feature (the PORT command with a third-party address) on an FTP server to scan a target from that server instead of from your own system. The FTP proxy feature lets you log in to an FTP server and ask it to send a file to another host; by directing such transfers at a target host and port, and watching whether the server reports success or failure, you can determine whether the port is open or closed. Most FTP servers no longer support this functionality, but some still do. The FTP bounce scan can be used to bypass firewalls by scanning from an organization's FTP server, which may sit on an internal network or be allowed through to the internal network by the firewall rules.

To have even more control over packet creation, Nmap provides the --scanflags command-line option to allow you to specify TCP flags to set in the packet. This allows you to solicit a variety of responses from targets, as well as evade IDSes. You can use numerical flag values or symbolic names in any order. For example, to set the URG and PSH flags you would use the following option:

--scanflags URGPSH

You can also supply a base TCP scan type to tell Nmap how to interpret the results. For example, supplying -sA along with --scanflags tells Nmap to send the specified flags but to interpret the responses the same way an ACK scan would. If no base scan type is given, Nmap interprets the results as it would for a SYN scan.
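The following is an added example, not code from the chapter and not Nmap's own code, that models the response rules described above for the UDP, SYN, Null, FIN, Xmas, ACK, Window and Maimon scans, the --scanflags parser, and the choice of base scan type for interpreting a custom probe. Two simulated stacks are included: one that follows RFC 793 exactly and one with the BSD behaviour Maimon observed, so the effect of an OS that deviates from the RFC can be seen directly. Replies are small dictionaries built in memory; nothing is sent on the wire.

```python
"""Added example (not from the chapter and not Nmap's code): a model of the
probe/response rules for Nmap's advanced scan types. Replies are in-memory
dicts; two simulated stacks (RFC 793 compliant and BSD-style) show how an
OS that deviates from the RFC changes the answer."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

# Flags each Nmap scan type puts in its probe.
PROBE_FLAGS = {"syn": SYN, "null": 0, "fin": FIN, "xmas": FIN | PSH | URG,
               "ack": ACK, "window": ACK, "maimon": FIN | ACK}

NONE = {"kind": "none"}                      # no reply within the timeout


def tcp(flags, window=0):
    return {"kind": "tcp", "flags": flags, "window": window}


def icmp_unreachable(code):
    return {"kind": "icmp", "code": code}    # ICMP type 3; code 3 = port unreachable


def parse_scanflags(spec):
    """--scanflags value: a number, or flag names concatenated in any order
    ('URGPSH', 'pshurg', ...)."""
    if spec.isdigit():
        return int(spec)
    mask, rest = 0, spec.upper()
    while rest:
        name = next((n for n in FLAG_NAMES if rest.startswith(n)), None)
        if name is None:
            raise ValueError("unknown flag in %r" % spec)
        mask |= FLAG_NAMES[name]
        rest = rest[len(name):]
    return mask


def rfc793_response(port_open, probe):
    """Reply of an RFC 793 compliant host with no firewall in the way."""
    if probe & RST:
        return NONE                                   # RSTs are never answered
    if not port_open:
        return tcp("R" if probe & ACK else "RA")      # closed port: RST to anything
    if probe & SYN and not probe & ACK:
        return tcp("SA", window=29200)                # open port accepts the SYN
    if probe & ACK:
        return tcp("R")                               # no such connection: RST
    return NONE                                       # open port drops SYN/RST/ACK-less probes


def bsd_response(port_open, probe):
    """Maimon's observation: many BSD-derived stacks drop a FIN/ACK probe to
    an open port instead of answering with RST."""
    if port_open and probe & FIN and probe & ACK:
        return NONE
    return rfc793_response(port_open, probe)


def classify(scan, resp):
    """Turn a response into the port state Nmap reports for this scan type."""
    kind = resp["kind"]
    if kind == "icmp":
        if scan == "udp" and resp["code"] == 3:
            return "closed"                           # UDP: port unreachable
        return "filtered"                             # any other unreachable
    got_rst = kind == "tcp" and "R" in resp["flags"]
    if scan == "syn":
        if kind == "tcp" and resp["flags"] == "SA":
            return "open"
        return "closed" if got_rst else "filtered"
    if scan in ("null", "fin", "xmas", "maimon"):
        return "closed" if got_rst else "open|filtered"
    if scan == "ack":
        return "unfiltered" if got_rst else "filtered"
    if scan == "window":
        if got_rst:
            return "open" if resp["window"] > 0 else "closed"
        return "filtered"
    if scan == "udp":
        return "open" if kind == "udp" else "open|filtered"
    raise ValueError("unknown scan type %r" % scan)


def scan_port(scan, port_open, stack=rfc793_response):
    """Send this scan type's probe to a simulated host and interpret the reply."""
    return classify(scan, stack(port_open, PROBE_FLAGS[scan]))


def custom_scan(flags_spec, port_open, interpret_as="syn", stack=rfc793_response):
    """--scanflags: arbitrary probe flags, interpreted like the base scan type
    (SYN-scan interpretation when none is given)."""
    return classify(interpret_as, stack(port_open, parse_scanflags(flags_spec)))


if __name__ == "__main__":
    for scan in PROBE_FLAGS:
        print("%-7s open -> %-14s closed -> %s"
              % (scan, scan_port(scan, True), scan_port(scan, False)))
    print("maimon on BSD stack, open port ->", scan_port("maimon", True, bsd_response))
```

Two results are worth noticing. Against a strictly RFC-compliant stack the Maimon scan labels an open port closed, and only the BSD-style stack produces the open|filtered answer the scan was designed for, which is the caveat about non-conforming systems in concrete form. Likewise the Window scan reports every unfiltered port closed on a stack that always sends a zero window in its RSTs; the scan is only informative on systems with the positive-window quirk.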

Nmap has two other less-used port scanning command-line options that provide valuable information. The --traceroute option runs after the scan and works with all scan types except the TCP connect scan (-sT) and the idle scan (-sI). It uses Nmap's own traceroute algorithm and timing characteristics, and picks the port and protocol most likely to reach the target from the scan results, so the trace uses packets the path has already been seen to pass. The --reason option shows more detail about the responses from the target host, including the type of packet that was received in response to each probe and led to the reported state. This option is also enabled automatically by Nmap's debug (-d) command-line option.