
The Attack and Defense of Computers

Dr. 許 富 皓


Tracerouting


Tracerouting

After identifying potential networks, we can attempt to determine their:

network topology

potential access paths into the network


Tools

Unix: traceroute.

Windows: tracert.


Traceroute - Function

Allows a user to view the route that an IP packet follows from one host to another.


traceroute - Principle

traceroute uses the TTL field of the IP header to elicit an ICMP TIME_EXCEEDED message from each router along the path (the TTL field is effectively a hop counter: each router decrements it and, when it reaches zero, discards the packet and sends TIME_EXCEEDED back to the source).

The first packet sent by traceroute has a TTL value of 1, the second packet a TTL value of 2, and so on, so each successive probe expires one router further along the path.

When a UDP packet is used as the probe, it usually carries a destination port number greater than 30000 (classic traceroute starts at 33434), which is rarely used by applications; hence, when the probed host finally receives the probe, it sends an ICMP PORT UNREACHABLE message back to traceroute, which tells traceroute that the destination has been reached.


traceroute - Interference

Access control devices (such as an application-based firewall or packet-filtering routers) may filter out traffic, so the probes that would have expired beyond that device get no reply at all.


traceroute – Where Is the Router?

Generally, once you hit a live system on a network, the hop before it is a device performing routing functions (for example, a router or a firewall).


traceroute – Multiple Routing Paths

In a complex environment there may be multiple routing paths, that is, routing devices with multiple interfaces or load balancers.

Each interface may have a different access control list (ACL) applied.

In many cases, some interfaces will pass your traceroute requests, whereas others will deny them because of the ACL.


traceroute – Build an Access Path Diagram

After you traceroute to multiple systems on the network, you can begin to create a network diagram that depicts

the architecture of the Internet gateway

the location of devices that are providing access control functionality

This diagram is referred to as an access path diagram.


traceroute - Probe Packets

Most flavors of traceroute in UNIX default to sending UDP packets, with the option of using ICMP packets via the -I switch. In Windows, however, the default behavior is to use ICMP echo request packets. Therefore your mileage may vary with each tool, depending on whether the site blocks UDP or ICMP (or both).


Bypassing Access Control Device

Two traceroute options are useful here: -p n, which sets the UDP destination port of the probes to n, and the -S switch (on traceroute builds that support it, this keeps the port fixed across probes instead of incrementing it for each one).

UDP port 53 is a good starting port number: because many sites allow inbound DNS queries (UDP port 53), there is a high probability that the access control device will let the probes through.

However, if the target really is listening on UDP port 53, you will not receive the normal ICMP PORT UNREACHABLE message back (the listening service absorbs the datagram and, for a non-DNS payload, typically sends nothing). Therefore you will not see a host displayed when the packet reaches its ultimate destination; the last hop that does answer is still useful, since it sits directly in front of the target.


Using TCP Packets to Find the Routes

Because the TTL value used in tracerouting is in the IP header, we are not limited to UDP or ICMP packets. Literally any IP packet could be sent.

Some tools have been developed to provide alternative tracerouting techniques that get probes through firewalls that block UDP and ICMP packets.

Two tools that allow for TCP tracerouting to specific ports are:

• tcptraceroute

• Cain & Abel


tcptraceroute - Bypass Firewall Filters

tcptraceroute is a traceroute implementation using TCP packets.

As mentioned on the previous slide, many firewalls filter out UDP and ICMP packets. However, in many cases these firewalls will permit inbound TCP packets to specific ports on which hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.


tcptraceroute - No Full Connection

It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host.

If the host is not listening for incoming connections, it responds with a RST, indicating that the port is closed. If the host instead responds with a SYN|ACK, the port is known to be open, and the kernel tcptraceroute is running on sends a RST to tear down the half-open connection without completing the three-way handshake (the kernel has no socket for the connection, so it resets the unexpected SYN|ACK on its own).
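The probe loop behind the traceroute principle, the UDP port 53 caveat from the Bypassing Access Control Device slide, and the tcptraceroute SYN behaviour above, as an added example (not code from the slides or from any of the tools named). The network is an in-memory model constructed for the example (hop addresses and filtering rules are made up), so it runs without privileges; a real implementation would set IP_TTL on the sending socket for each probe and read the replies from a raw ICMP socket.

```python
"""Traceroute probe loop: raise the IP TTL one hop at a time, collect the ICMP
TIME_EXCEEDED replies, and stop when the destination itself answers.
The Network class is a constructed stand-in for the real path; a live version
would send each probe with setsockopt(IPPROTO_IP, IP_TTL, ttl)."""
from dataclasses import dataclass, field

# Reply kinds a probe can elicit.
TIME_EXCEEDED = "icmp time-exceeded"    # from an intermediate router
PORT_UNREACH = "icmp port-unreachable"  # UDP probe hit a port with no listener
ECHO_REPLY = "icmp echo-reply"          # ICMP echo probe reached the target
TCP_SYNACK = "tcp syn/ack"              # TCP SYN probe hit an open port
TCP_RST = "tcp rst"                     # TCP SYN probe hit a closed port
NO_REPLY = None                         # probe filtered, or reply lost/absorbed

@dataclass
class Hop:
    addr: str
    # Protocols this hop forwards; a firewall that drops UDP/ICMP has {"tcp"}.
    forwards: set = field(default_factory=lambda: {"udp", "icmp", "tcp"})

@dataclass
class Target:
    addr: str
    udp_listening: set = field(default_factory=set)  # UDP ports with a listener
    tcp_open: set = field(default_factory=set)

@dataclass
class Network:
    path: list      # ordered Hops between us and the target
    target: Target

    def probe(self, ttl, proto, port):
        """Return (replying_addr, reply_kind) for one probe sent with this TTL."""
        for index, hop in enumerate(self.path):
            if ttl == index + 1:
                return hop.addr, TIME_EXCEEDED   # TTL expired here: router answers
            if proto not in hop.forwards:
                return None, NO_REPLY            # ACL drops the probe at this hop
        t = self.target
        if proto == "icmp":
            return t.addr, ECHO_REPLY
        if proto == "udp":
            # A listener consumes the datagram and nothing comes back (the
            # port-53 caveat); an unused port yields ICMP port unreachable.
            if port in t.udp_listening:
                return None, NO_REPLY
            return t.addr, PORT_UNREACH
        if proto == "tcp":
            # tcptraceroute: SYN/ACK for an open port, RST for a closed one.
            # Either reply proves the probe reached the target.
            return t.addr, (TCP_SYNACK if port in t.tcp_open else TCP_RST)
        raise ValueError(proto)

def traceroute(net, proto="udp", port=33434, max_ttl=30):
    """Return [(ttl, addr, reply), ...]; addr is None for a silent hop.
    The loop ends as soon as the destination itself answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        addr, reply = net.probe(ttl, proto, port)
        hops.append((ttl, addr, reply))
        if reply in (PORT_UNREACH, ECHO_REPLY, TCP_SYNACK, TCP_RST):
            break
    return hops

# Constructed sample topology (not a real network): one router, then a firewall
# that passes TCP and UDP but drops ICMP, then a target running DNS and HTTP.
SAMPLE_NET = Network(
    path=[Hop("10.0.0.1"), Hop("10.0.0.2", forwards={"tcp", "udp"})],
    target=Target("10.0.1.10", udp_listening={53}, tcp_open={80}),
)

if __name__ == "__main__":
    for proto, port in (("udp", 33434), ("udp", 53), ("icmp", 0), ("tcp", 80)):
        print(proto, port, traceroute(SAMPLE_NET, proto, port, max_ttl=5))
```

traceroute(SAMPLE_NET, "udp", 53) gets two answers and then silence, because the target's DNS listener absorbs the probe; traceroute(SAMPLE_NET, "tcp", 80) reaches the target with a SYN/ACK through the same firewall. In each run the last hop that answered is the device the Where Is the Router? slide refers to.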


tracerouting Countermeasure – IDS and IPS

Depending on your site's security paradigm, an administrator may be able to configure her/his border routers to limit ICMP and UDP traffic to specific systems, thus minimizing your exposure.

Deploy a Network Intrusion Detection System (NIDS) and Intrusion Prevention System (IPS) that will detect this type of network reconnaissance.

One of the best free NIDS programs – Snort, by Marty Roesch – can detect this activity.


tracerouting Countermeasure - RotoRouter

Humble from Rhino9 developed a program called RotoRouter. This utility is used to log incoming traceroute requests and generate fake responses.


Intelligence Gathering Techniques [Arkin]


Intelligence Gathering Techniques (IGT)

IGTs help an attacker to understand the characteristics and potential vulnerabilities of her/his targets.

Through intelligence gathering techniques an attacker can launch a more accurate and efficient attack against her/his targets.


IGT Steps

In the computer hacking world, intelligence gathering can be roughly divided into three major steps:

Footprinting

Scanning

Enumeration


Footprinting

Footprinting collects information to make a unique footprint or profile of an organization's security posture. With footprinting, using rather simple tools, we gather information such as:

Administrative, technical, and billing contacts, which include employee names, email addresses, and phone and fax numbers

IP address ranges

DNS servers

Mail servers

We can also identify some of the systems that are directly connected to the Internet.


Scanning

The art of detecting which systems are alive and reachable via the Internet, and what services they offer, using techniques such as ping sweeps, port scans, and operating system identification (OS fingerprinting), is called scanning.


Information Collected by Scanning

The kind of information collected here has to do with the following:

TCP/UDP services running on each system identified.

System architecture (Sparc, Alpha, x86).

Specific IP addresses of systems reachable via the Internet.

Operating system type.


Enumeration

Enumeration is the process of extracting valid accounts or exported resource names from systems. The information is gathered using active connections to systems and queries, which is more intrusive in nature than footprinting and scanning.

The techniques are mostly operating system specific, and can gather information such as:

User & group names.

System banners

Routing tables

SNMP information


Footprinting


Internet Footprinting

The fine art of gathering target information:

Domain name

Specific IP addresses of systems reachable via the Internet

Access control mechanisms and related access control lists

Intrusion-detection systems (IDSs)

DNS hostnames


Where Can We Find the Information?

Company Web pages

Related organizations

Location details

Phone numbers, contact names, e-mail addresses, and personal details

Privacy or security policies, and technical details indicating the types of security mechanisms in place

Archived information

Search engines and resumes


Company Web Pages

Some organizations will list their security configuration details directly on their Internet web servers. Try reviewing the HTML source code.


What Info Can We Find in a Web Page Source Code (1)?

Check the comment parts: those included between <!-- and -->. Using wget (for Unix) or Teleport Pro (for Windows) you can mirror all the web pages on a web server and search the copy offline.

Also look for other sites of the organization whose names do not start with the www prefix.

Many organizations have sites to handle remote access to internal resources via a web browser:

• E.g., through Microsoft's Outlook Web Access, a person can access the contents stored in a Microsoft Exchange server, such as e-mails, address books, a calendar and public folders. Typical URLs for this kind of resource are http://owa.company.com or http://outlook.company.com.


What Info Can We Find in a Web Page Source Code (2)?

Sites like http://vpn.company.com or http://www.company.com/vpn will often turn out to be pages designed to help end users connect to their company's VPN. You can also find detailed instructions on how to download and configure the VPN client software. These sites may even include a phone number to call for assistance if someone has trouble connecting to the VPN (usually this is supposed to be an employee; however, an attacker may also use this channel to get help connecting to the VPN).


Related Organizations

Other related organizations' web sites may also leak sensitive information about the target organization.


Phone Numbers, Contact Names, E-mail Addresses, and Personal Details

Contact names and e-mail addresses may reveal an organization's employee names or account names.

E.g., if an organization has an employee named John Smith, then it is very possible that some of the organization's hosts have an account named jsmith, johnsmith or smithj, and vice versa.

From an employee's name, an attacker may find her/his home phone number or home computer, which probably has some sort of remote access to the target organization.

A keystroke logger on an employee’s home machine or laptop may very well give a hacker a free ride to the organization’s inner hosts.
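Two footprinting helpers for the Company Web Pages, remote-access hostname and account-name points above, as an added example (not code from the slides): one pulls HTML comments and hostnames out of a mirrored page, the other turns an employee name into the account-name guesses the slide lists. The HTML page is constructed for the example, and the set of hostname prefixes treated as "interesting" is an assumption.

```python
"""Footprinting helpers: scrape comments/hostnames from a mirrored page and
derive candidate account names from employee names. SAMPLE_PAGE is made up."""
import re
from html.parser import HTMLParser

# Constructed page, the kind of thing a mirrored corporate site might contain.
SAMPLE_PAGE = """<html><head><title>Example Corp</title></head><body>
<!-- TODO: move remote-access links to the intranet; OWA at https://owa.example.com -->
<p>Staff: use <a href="https://vpn.example.com/client">the VPN portal</a> or
<a href="http://outlook.example.com">webmail</a>. Support: +1-555-0100.</p>
<!-- checkpoint fw-1 rules last reviewed 2015-11 -->
</body></html>"""

class CommentScraper(HTMLParser):
    """Collect <!-- ... --> comments and href targets while parsing."""
    def __init__(self):
        super().__init__()
        self.comments, self.hrefs = [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)

def scrape(html):
    """Return (comments, sorted hostnames seen in comments or links)."""
    p = CommentScraper()
    p.feed(html)
    text = "\n".join(p.comments + p.hrefs)
    hosts = sorted({m.lower() for m in HOST_RE.findall(text)})
    return p.comments, hosts

# Assumed list of first labels that usually mean a remote-access entry point.
INTERESTING = ("owa", "outlook", "mail", "vpn", "remote", "citrix")

def interesting_hosts(hosts):
    """Hostnames whose first label hints at remote access (OWA, VPN portals, ...)."""
    return [h for h in hosts if h.split(".")[0] in INTERESTING]

def account_candidates(full_name):
    """'John Smith' -> jsmith, johnsmith, smithj, john.smith, smith, john_smith."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    cands = [first[0] + last, first + last, last + first[0],
             first + "." + last, last, first + "_" + last]
    return list(dict.fromkeys(cands))   # dedupe while keeping order

if __name__ == "__main__":
    comments, hosts = scrape(SAMPLE_PAGE)
    for c in comments:
        print("comment:", c)
    print("remote-access hosts:", interesting_hosts(hosts))
    print("accounts for John Smith:", account_candidates("John Smith"))
```

Run against a wget mirror, scrape() would be applied to every saved file; the comment about "checkpoint fw-1" is exactly the kind of configuration leak the Company Web Pages slide warns about.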


Search Engines and Resumes

A lot of sensitive information can be obtained through a search engine by using appropriate search keywords. If an organization is posting for a security professional with five or more years' experience working with CheckPoint firewalls and Snort IDS, then what kind of firewall and IDS do you think they use?


Scanning


Comparison between Footprinting and Scanning

If footprinting is the equivalent of casing a place for information, then scanning is equivalent to knocking on the walls to find all the doors and windows.

During footprinting, malicious users can obtain:

a list of IP network blocks

a list of IP addresses

Scanning wants to determine what systems are listening for inbound network traffic (a.k.a. alive) and what systems are reachable from the Internet.


Purposes of Scanning and Corresponding Tools

Determining if the system is alive: ping sweeps

• ICMP sweeps (ICMP ECHO requests)

• Broadcast ICMP

• Non-ECHO ICMP

• TCP/UDP sweeps

Determining which services are running or listening: port scanning

Detecting the operating system:

Active OS fingerprinting

Passive OS fingerprinting


Ping Sweeps


ICMP ECHO Requests

One of the most basic steps in mapping out a network is performing an automated ping sweep on a range of IP addresses and network blocks to determine if individual devices or systems are alive.

One of the ping sweep tools used by malicious users for the above purpose is "ping". Ping sends ICMP ECHO request (Type 8) packets to a target system in an attempt to elicit an ICMP ECHO reply (Type 0) indicating the target system is alive.


fping

One of the techniques for performing ping sweeps in the UNIX world. fping is a ping(1)-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping is different from ping in that you can

specify any number of hosts on the command line or

specify a file containing the lists of hosts to ping


fping - Example

[root]$ cat in.txt
192.168.51.1
192.168.51.2
192.168.51.3
:
192.168.51.253
192.168.51.254

[root]$ fping -a -f in.txt
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
:
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive


fping – Increase Scanning Rate

Instead of trying one host until it times out or replies, fping sends out a ping packet and moves on to the next host in a round-robin fashion.

If a host replies, it is noted and removed from the list of hosts to check.

If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable.

Unlike ping, fping is meant to be used in scripts and its output is easy to parse.


SuperScan

For the Windows-inclined.


Broadcast ICMP - Principle

Sending an ICMP ECHO request to the network broadcast address will produce all the information you need for mapping a targeted network in an even simpler way.

The request is delivered to all live hosts on the target network, and each of them sends an ICMP ECHO reply to the attacker's source IP after only one or two packets have been sent by the attacker. (This same amplification is what smurf attacks abuse, which is why most routers now drop directed broadcasts by default.)


Broadcast ICMP – Unix vs. Windows Platforms

Here we can first distinguish between Unix and Windows machines: while Unix machines often still answer requests directed to the network address or the broadcast address, Windows machines ignore them.


Using Non-ECHO ICMP Packets for Ping Sweep

Non-ECHO ICMP packets can also be used to perform ping sweeps.

Examples:

• ICMP type 13 messages (TIMESTAMP request)

• ICMP type 17 messages (ADDRESS MASK request)


Functions of Non-ECHO ICMP Packets

ICMP timestamp request and reply allow a system to query another for the current time.

The ICMP address mask request (and reply) is intended for diskless systems to obtain their subnet mask at bootstrap time.

Anyone can use it to request the netmask of a particular device.


Non-ECHO ICMP Ping Sweep Tools

We can use the icmpush and icmpquery tools to perform this kind of scanning.

Many firewalls are configured to block only ICMP ECHO traffic; in that case the non-ECHO requests are a valid form of host identification.
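The probes of the ICMP ECHO, TIMESTAMP and ADDRESS MASK sweeps above, built by hand with the RFC 1071 checksum every hand-crafted ICMP packet needs, plus the reply check a sweep tool performs before declaring a host alive. This is an added example, not code from the slides or from ping, fping, icmpush or icmpquery; the identifier, sequence and payload values are arbitrary, and send_probe (raw socket, root required) is included to show where the packets go but is not needed to run the rest.

```python
"""Hand-built ICMP probes (types 8, 13, 17), RFC 1071 checksum, reply matching.
Values for identifier/sequence/payload are arbitrary choices for the example."""
import socket
import struct
import time

ECHO_REQUEST, ECHO_REPLY = 8, 0
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
MASK_REQUEST, MASK_REPLY = 17, 18

def checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload.
    The checksum is computed with its own field zeroed, as the RFC requires."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def echo_request(ident, seq, data=b"sweep probe"):
    return build_icmp(ECHO_REQUEST, ident, seq, data)

def timestamp_request(ident, seq, originate_ms=None):
    """Type 13 body: originate, receive, transmit timestamps (ms since midnight UTC);
    the sender fills in only the first."""
    if originate_ms is None:
        t = time.gmtime()
        originate_ms = ((t.tm_hour * 60 + t.tm_min) * 60 + t.tm_sec) * 1000
    return build_icmp(TIMESTAMP_REQUEST, ident, seq, struct.pack("!III", originate_ms, 0, 0))

def mask_request(ident, seq):
    """Type 17 body: a 32-bit mask field the replying host fills in."""
    return build_icmp(MASK_REQUEST, ident, seq, b"\x00" * 4)

def verify(packet: bytes) -> bool:
    """A packet with a correct checksum field sums (one's complement) to 0xFFFF,
    so checksum() over the whole packet returns 0."""
    return checksum(packet) == 0

def parse(packet: bytes):
    """Return (type, ident, seq, payload) for an ICMP packet without the IP header."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]

def is_alive_reply(request: bytes, reply: bytes) -> bool:
    """The host counts as alive when the reply has the matching type, a valid
    checksum, and echoes back our identifier and sequence number."""
    expected = {ECHO_REQUEST: ECHO_REPLY, TIMESTAMP_REQUEST: TIMESTAMP_REPLY,
                MASK_REQUEST: MASK_REPLY}
    req_type, req_id, req_seq, _ = parse(request)
    rep_type, rep_id, rep_seq, _ = parse(reply)
    return (verify(reply) and rep_type == expected[req_type]
            and (rep_id, rep_seq) == (req_id, req_seq))

def send_probe(dst: str, packet: bytes, timeout=1.0) -> bytes:
    """Raw-socket send/receive (needs root). The kernel prepends a 20-byte IPv4
    header to what we receive, so strip it before parsing."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(packet, (dst, 0))
        data, _ = s.recvfrom(1024)
        return data[20:]

if __name__ == "__main__":
    req = echo_request(0x1234, 1)
    print(req.hex(), "valid" if verify(req) else "bad checksum")
```

A sweep of a non-ECHO type is the same loop with timestamp_request or mask_request in place of echo_request; the reply type check in is_alive_reply is what keeps a stray ECHO reply from being miscounted as an answer to a TIMESTAMP probe.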


What Will Happen, If ICMP Is Blocked by Target Site? (1)

It is not uncommon to come across a security-conscious site that has blocked ICMP at the border router or firewall.

Although ICMP may be blocked, some additional tools and techniques can be used to determine if systems are actually alive. However, they are not as accurate or as efficient as a normal ping sweep.


What Will Happen, If ICMP Is Blocked by Target Site? (2)

Typically, pinging heavily utilizes ICMP (Internet Control Message Protocol) packets, even though they are not the only packet type available for network pinging. Either TCP or UDP provides an alternative approach to performing ping sweeps to find out whether a host is alive on the network. When ICMP traffic is blocked, a TCP/UDP sweep is the first alternative technique for determining live hosts.


TCP Sweeps


TCP Sweeps – Packets and Ports Used

A scanner sends a SYN packet to the target. If the target is alive, the scanner will receive either:

• SYN/ACK (the port is open)

• RST (the port is closed)

With the TCP sweep technique, instead of sending ICMP ECHO request packets we send TCP ACK or TCP SYN packets to the target network (which one depends on whether we have root access: a SYN probe can be sent through an ordinary connect() call, whereas crafting a bare ACK packet requires raw sockets).

The port number can be selected to meet our needs. Usually a good pick would be one of the following ports: 21 / 22 / 23 / 25 / 80 (especially if a firewall is protecting the targeted network). Receiving a response is a good indication that something is up there.


Response of TCP Sweeps

The response depends on:

the target's operating system (some OSes don't follow the TCP/IP specification in their implementation)

the nature of the packet sent

any firewalls, routers or packet-filtering devices used


TCP Sweeps - Drawbacks

Bear in mind that firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.


nmap

A powerful network reconnaissance tool. A ping sweep of a /24 (-sP is the ping-scan option of this nmap version):

[root] nmap -sP 192.168.1.0/24

Starting nmap V. 3.70 by fyodor@insecure.org (www.insecure.org/nmap)
Host (192.168.1.0) seems to be a subnet broadcast address (returned 3 extra pings)
Host (192.168.1.1) appears to be up.
Host (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) seems to be a subnet broadcast address (returned 3 extra pings).
Nmap run completed -- 256 IP addresses (10 hosts up) scanned in 21 seconds.


UDP Sweeps


UDP Sweeps (a.k.a. UDP Scans)

This method relies on the ICMP PORT UNREACHABLE message, initiated by a closed UDP port.

If no ICMP PORT UNREACHABLE message is received after sending a UDP datagram to a UDP port that the scanner wishes to examine on a targeted system, the scanner may assume the port is open.


Drawbacks of UDP Sweeps

UDP scanning is unreliable because of a number of reasons:

Routers can drop UDP packets as they cross the Internet.

Many UDP services do not respond when correctly probed.

Firewalls are usually configured to drop UDP packets (except for DNS).

A UDP sweep relies on the fact that an inactive UDP port will respond with an ICMP PORT UNREACHABLE message; many hosts rate-limit those messages, so a silent port may simply have been throttled rather than open.


Port Scanning


Ping Sweeps vs. Port Scanning

Ping Sweeps help malicious users identify which systems are alive. The next step is trying to determine what services (if any) are running or in a LISTENING state on the targeted system, by connecting to the TCP and UDP ports of that system. This is called – Port Scanning.

For the hacker it is critical to identify listening ports, because it helps her/him further identify the operating system and application in use.


Service Detection and Attacks

The services detected as listening may suffer from vulnerabilities which may result from two reasons:

Misconfiguration of the service

The version of the software is known to have security flaws

If identified, these vulnerabilities can lead to privileged access gained by the attacker.


Port Scanning

TCP connect() scans

TCP SYN scans (half-open scanning)

Stealth scans:

Explicit stealth mapping techniques

• SYN/ACK scans

• FIN scans

• XMAS scans

• NULL scans

Proxy scanning / FTP bounce scanning

Idlescan


TCP connect() Scans

With this type of scan, a scanner uses the basic TCP connection establishment mechanism (the connect() system call) to open a connection to an interesting port on the targeted machine:

A SYN packet is sent to the interesting port on the target system.

Now we wait to see what type of packet is sent back from the target.

• If a SYN/ACK packet is received it usually means the port is in a LISTENING state.

• If a RST/ACK packet is received, it usually means the port is not LISTENING and the connection will RESET.

We finish the three-way handshake (if SYN/ACK packet was received) by sending an ACK.

A connection is terminated after the full connection establishment process has been completed.


Drawbacks of TCP connect() Scans

Time-consuming.

This kind of scan is easily detected: inspecting the target system's logs will show a number of connections and error messages immediately after each one of them was initiated, because the application accepting the connection sees it and can log it.


TCP SYN Scans (Half Open Scanning)

This type of scan differs from the TCP connect() scan because scanners do not open a full TCP connection. They send a SYN packet to initiate the three-way handshake and wait for a response.

If scanners receive a SYN/ACK, it indicates the port is LISTENING.

• If they do receive a SYN/ACK packet, they immediately tear down the connection by sending a RESET.

If scanners receive a RST/ACK, it indicates a non-LISTENING port.


Advantages of TCP SYN Scans

Faster than a TCP connect() scan.

Because the TCP three-way handshake is not completed, the application never sees the connection, so some sites will probably not log these scanning attempts.


Stealth Scan

"Stealth" can also be defined as a family of scanning techniques that do one of the following:

Pass through filtering rules.

Avoid being logged by the targeted system's logging mechanisms.

Try to hide themselves in the usual site/network traffic.


An Important Rule in RFC 793 (TCP)

According to RFC 793, a closed port is required to reply with a RESET packet to any probe packet that does not itself carry the RST flag, while an open (LISTENING) port must silently ignore a probe that carries neither SYN, RST nor ACK. (A probe carrying ACK is answered with a RST even by a listening port, which matters for the SYN/ACK scan.)


SYN/ACK Scans – Packets Being Sent

This scan intentionally disregards the TCP three-way handshake.

Scanners send a SYN/ACK packet, which is step two in the TCP three-way handshake, while there is no SYN packet sent for step one.


SYN/ACK Scans

Sending a SYN/ACK packet to a closed port: because TCP is stateful, it knows no SYN has been sent, which is the first step in the three-way TCP handshake. TCP figures this packet must be a mistake and sends a RESET to tear down the connection. This is what scanners wished for: any kind of response to give away the existence of the system and the fact that the probed port is closed.

The slides' source assumes that an open port will ignore a SYN/ACK sent to it. Note, however, that RFC 793 directs a port in the LISTEN state to answer any segment that carries the ACK flag with a RST as well, so on a compliant stack both open and closed ports reset the probe. A SYN/ACK (or bare ACK) scan therefore reliably shows which hosts are up and which ports are unfiltered, but not which ports are open; this is the basis of nmap's ACK scan (-sA), which is used to map firewall rules rather than listening ports.


FIN Scanning

This technique sends erroneous packets to a port, expecting that open listening ports will send back different error messages than closed ports. The scanner sends a FIN packet, which would normally close a connection that is open.

Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question. The above responses are the TCP behavior required by RFC 793.


Drawback of FIN Scanning

According to the previous slide, no response to a FIN probe sent to port X is interpreted as X being an open port.

Therefore, silence indicates the presence of a service at the port.

However, since packets can be dropped accidentally on the wire or blocked by firewalls, silence is ambiguous (nmap reports such ports as open|filtered), so this isn't a very effective scan on its own.


XMAS (Christmas Tree)

XMAS is a scanning type which sends a TCP packet with the URG, ACK, PSH, RST, SYN and FIN flags set, i.e., all the TCP flags lit up like a Christmas tree. (In practice scanners such as nmap set only FIN, PSH and URG for their Xmas probe: a probe that itself carries RST is discarded by a closed port under RFC 793 rather than answered with a RESET.)

Closed ports: RESET packets.

Open ports: no response packets.

P.S.: The above behavior is defined in RFC 793; however, some OSs' implementations may not follow the above rules.


Null Scans

A Null scan is a scanning type which sends a TCP packet with all flags turned off.

Closed ports: RESET packets.

Open ports: no response packets.

According to RFC 793 this should work against every implementation of TCP regardless of the operating system it runs on. Life is not always simple: Windows, Cisco, BSDI, HP/UX, MVS and IRIX have a broken TCP implementation in this respect; they send RESETs from open ports as well, so a FIN, XMAS or Null scan reports every port on such a host as closed.
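The probe-and-response rules of the connect(), SYN, SYN/ACK, FIN, XMAS and Null scans above, written out as a model of the target's TCP stack plus the scanner's reading of each response. This is an added example, not code from the slides or from nmap: the "rfc793" stack follows RFC 793, the "reset_open" stack models the systems listed on the Null Scans slide, the XMAS flag set follows nmap's FIN/PSH/URG choice rather than the all-flags version described above, and the verdict labels (open, closed, filtered, unfiltered, open|filtered) mirror nmap's.

```python
"""Stealth-scan semantics: what a target port answers for each probe (per
RFC 793, or per a broken stack that resets open ports), and what the scanner
concludes from that answer. Model only; no packets are sent."""

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBES = {
    "connect": SYN,            # full connect(): same first packet as a SYN scan
    "syn": SYN,
    "synack": SYN | ACK,
    "fin": FIN,
    "xmas": FIN | PSH | URG,   # nmap's Xmas probe (assumption: not the all-flags form)
    "null": 0,
}

def expected_response(flags: int, port_open: bool, stack: str = "rfc793"):
    """Return 'syn/ack', 'rst' or None (silently dropped) for a probe with these flags."""
    if flags & RST:
        return None                        # both CLOSED and LISTEN ignore a RST
    if not port_open:
        return "rst"                       # CLOSED: anything without RST gets a RST
    if stack == "reset_open":
        # Broken stacks (Windows, Cisco, ... on the Null Scans slide): a plain SYN
        # still gets SYN/ACK, but FIN/NULL/XMAS probes are reset like a closed port.
        return "syn/ack" if (flags & SYN) and not (flags & ACK) else "rst"
    if stack != "rfc793":
        raise ValueError(stack)
    # LISTEN state per RFC 793: ACK present -> RST; SYN -> SYN/ACK; else drop.
    if flags & ACK:
        return "rst"
    if flags & SYN:
        return "syn/ack"
    return None

def classify(scan: str, response):
    """The scanner's verdict for one response, using nmap-style labels."""
    if scan in ("connect", "syn"):
        return {"syn/ack": "open", "rst": "closed"}.get(response, "filtered")
    if scan == "synack":
        # A RST proves the host is up and the port unfiltered; on a compliant
        # stack it says nothing about open vs. closed.
        return "unfiltered" if response == "rst" else "filtered"
    if scan in ("fin", "xmas", "null"):
        # Silence is either an open port or a dropped probe; only a RST is definite.
        return "closed" if response == "rst" else "open|filtered"
    raise ValueError(scan)

def scan_port(scan: str, port_open: bool, stack: str = "rfc793"):
    """Send one modelled probe and return the scanner's verdict."""
    return classify(scan, expected_response(PROBES[scan], port_open, stack))

if __name__ == "__main__":
    for scan in PROBES:
        row = [scan_port(scan, o, s) for s in ("rfc793", "reset_open") for o in (True, False)]
        print(f"{scan:8s} rfc793 open={row[0]:14s} closed={row[1]:14s} "
              f"reset_open open={row[2]:14s} closed={row[3]}")
```

The table printed by the block makes the Null Scans slide's point concrete: against the "reset_open" stack every FIN, XMAS and Null probe comes back "closed" whether the port is open or not, while a SYN scan still tells the two apart.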


Properties of FTP Protocol

The FTP protocol supports the following scenario: attacker.com connects to an FTP server, which has a world-writable directory, and establishes a control connection.

The attacker can then ask the FTP server (with the PORT command, which names an arbitrary IP address and port) to initiate an active server data transfer process and send a file anywhere on the Internet, presumably to a user data transfer process.


Proxy Scanning/FTP Bounce Scanning

Redirect the scanning traffic to a target port: issue PORT with the target host's address and the port to be probed, then request a transfer (for example RETR or STOR). Then:

If the transfer is successful (150 and 226 responses), the target host is listening on the specified port.

Otherwise, a "425 Can't build data connection: Connection refused" message will be received.

Because the probes originate from the FTP server, the target sees the server's address, not the attacker's. Most modern FTP servers refuse a PORT whose address differs from that of the control connection's client, which closes this technique.
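The FTP bounce exchange from the two FTP slides, as an added example (not code from the slides): the PORT argument encoding, the reply-code interpretation, and a live version of the dialogue. The scripted server replies used by the offline function are constructed, and the anonymous credentials and file name in the live version are assumptions.

```python
"""FTP bounce scan mechanics: encode the target in a PORT command, request a
transfer, and read the port state off the reply codes. Replies in the offline
path are constructed strings; bounce_scan_live talks to a real server."""
import socket

def port_argument(host: str, port: int) -> str:
    """Encode host/port in the PORT command's h1,h2,h3,h4,p1,p2 form."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])

def interpret(port_reply: str, transfer_replies) -> str:
    """Map the FTP reply codes to the state of the probed target port."""
    if not port_reply.startswith("200"):
        return "port-rejected"   # server refuses third-party PORT: bounce closed off
    codes = [r[:3] for r in transfer_replies]
    if "425" in codes:
        return "closed"          # Can't build data connection: connection refused
    if "150" in codes and "226" in codes:
        return "open"            # data connection built and the transfer completed
    return "unknown"

def bounce_scan_scripted(target: str, port: int, reply_lines) -> str:
    """Offline run over a scripted reply sequence [PORT reply, transfer replies...]."""
    command = "PORT " + port_argument(target, port)   # what would go down the wire
    assert command.startswith("PORT ")
    return interpret(reply_lines[0], reply_lines[1:])

def bounce_scan_live(ftp_host: str, target: str, port: int,
                     filename: str = "probe.txt", timeout: float = 5.0) -> str:
    """Live version (not exercised offline): anonymous login, PORT at the target,
    RETR an assumed file name. Single-line replies are assumed for brevity."""
    with socket.create_connection((ftp_host, 21), timeout=timeout) as s:
        f = s.makefile("rw", newline="\r\n")   # "\n" on write becomes "\r\n"

        def cmd(line: str) -> str:
            f.write(line + "\n")
            f.flush()
            return f.readline()

        f.readline()                             # server banner
        cmd("USER anonymous")
        cmd("PASS scan@example.com")             # assumed anonymous password
        port_reply = cmd("PORT " + port_argument(target, port))
        replies = [cmd("RETR " + filename)]
        if replies[0].startswith("150"):
            replies.append(f.readline())         # 226 once the transfer finishes
        return interpret(port_reply, replies)

if __name__ == "__main__":
    script_open = ["200 PORT command successful.",
                   "150 Opening ASCII mode data connection.",
                   "226 Transfer complete."]
    print("192.168.1.20:80 ->", bounce_scan_scripted("192.168.1.20", 80, script_open))
```

The "port-rejected" branch is what you see against a server that has fixed the bounce (the PORT check described above); a "425" result is the only case where the target definitely answered with a RST.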


Commonly Adopted Port Scanning Signatures

Several packets to different destination ports from the same source address within a short period of time.

A SYN to a non-listening port.

Obviously, there are many other ways to detect port scans, up to dumping all the packet headers to a file and analyzing them manually.

P.S.: It is always possible for an attacker to make her attack either very unlikely to be noticed, or very unlikely to be traced to its real origin, while still being able to obtain the port number information.


Port Scanning Techniques to Avoid Being Detected

Random port scan.

Slow scan.

Fragmentation scanning.

Decoys.

Coordinated scans.


Random Port Scan

Many commercial intrusion detection systems and firewalls are looking for sequential connection attempts. When the pattern is matched a port scan is reported.

Randomizing the sequence of ports probed may prevent detection.


Slow Scan – Site Detection Threshold

Intrusion detection systems can determine if a specific IP tries to port scan the network they are defending. It is done by analyzing the network traffic over a certain amount of time.

The amount of time is called the site detection threshold.


Slow Scan

Some hackers are very patient and can use network scanners that spread out the scan over a long period of time.

The scan rate can be, for example, as low as 2 packets per day per target site.

If the attacker can guess the detection threshold of the target, he can reduce the chances of detection to a minimum or even avoid detection entirely, as long as he doesn't include a signature in his packets that alerts the intrusion detection system in some other way.


Fragmentation and IDS

All IP packets that carry data can be fragmented, so the TCP header of a probe can be split across several small fragments.

Some filtering devices and intrusion detection systems may incorrectly reassemble, or completely miss, portions of the scan. They may assume that a later fragment is just another piece of traffic that has already passed through their access list.


Fragmentation Scanning - Countermeasure

Filtering devices that queue all IP fragments and reassemble them before applying their rules can handle this method.

Linux is a good example, with the CONFIG_IP_ALWAYS_DEFRAG kernel option (in older 2.x kernels; later kernels defragment automatically whenever connection tracking is in use).

Some networks cannot afford the performance hit this causes and disable this feature.

This kind of scan has been fixed in most vendors' products.


Decoy

Some network scanners include options for Decoys or spoofed addresses in their attacks.

It would appear to the attacked network/host that the host(s) you specified as decoys are scanning it as well. This will lead intrusion detection systems to think that the target network is being port scanned by all of those hosts, and determining who the real attacker is will be nearly impossible.


Anti-Decoy

One way that helped intrusion detection systems detect the decoy hosts in the past was the TTL (Time to Live) field values in the scan packets.

If all the incoming packets' TTL values are the same, it is likely that they were generated in the same "factory", since genuinely distinct hosts would usually sit at different hop distances from the target.
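The two detection ideas above (the several-ports-from-one-source signature with a site detection threshold, and the TTL uniformity check against decoys) run over constructed packet records, as an added example that is not from the slides. The records, addresses and thresholds are made up; a slow scan and a decoy scan are included so that the evasions described on the preceding slides show up in the results. It goes slightly beyond the slides' wording by sliding the detection window over time rather than using fixed intervals.

```python
"""Port-scan signature and decoy heuristic over constructed packet records.
Each record is (timestamp_seconds, src, dst, dport, ttl); none are real."""
from collections import defaultdict

RECORDS = [
    # fast sequential SYN scan from 203.0.113.5: ten ports in four seconds
    *[(100 + i * 0.4, "203.0.113.5", "192.0.2.10", 20 + i, 57) for i in range(10)],
    # slow scan from 198.51.100.7: one port every 12 hours
    *[(1000 + i * 43200, "198.51.100.7", "192.0.2.10", 21 + i, 49) for i in range(6)],
    # decoy scan: three claimed sources, identical TTL, interleaved timing
    *[(2000 + i * 0.5, src, "192.0.2.10", 80 + i, 57)
      for i in range(6) for src in ("203.0.113.5", "203.0.113.99", "203.0.113.100")],
    # background: a legitimate client hitting one port repeatedly
    *[(3000 + i, "192.0.2.77", "192.0.2.10", 443, 62) for i in range(10)],
]

def portscan_sources(records, window=60.0, min_ports=5):
    """Sources that touched >= min_ports distinct ports on one host within `window`
    seconds. The window slides over packets in time order, so a scan paced slower
    than the threshold (the Slow Scan slides) never fills it."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ttl in sorted(records):
        by_pair[(src, dst)].append((ts, dport))
    flagged = set()
    for (src, _dst), pkts in by_pair.items():
        start = 0
        for end in range(len(pkts)):
            while pkts[end][0] - pkts[start][0] > window:
                start += 1
            if len({p for _, p in pkts[start:end + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged

def likely_decoy_groups(records, flagged, window=5.0):
    """Group flagged sources whose packets all carry one identical TTL and arrive
    interleaved within `window` seconds of each other: one "factory", several
    claimed addresses. Returns a list of sorted source groups of size > 1."""
    ttls, times = defaultdict(set), defaultdict(list)
    for ts, src, _dst, _dport, ttl in records:
        if src in flagged:
            ttls[src].add(ttl)
            times[src].append(ts)
    groups, remaining = [], sorted(flagged)
    while remaining:
        src = remaining.pop(0)
        group = [src]
        for other in list(remaining):
            same_ttl = len(ttls[src]) == 1 and ttls[src] == ttls[other]
            interleaved = any(abs(a - b) <= window for a in times[src] for b in times[other])
            if same_ttl and interleaved:
                group.append(other)
                remaining.remove(other)
        if len(group) > 1:
            groups.append(sorted(group))
    return groups

if __name__ == "__main__":
    hits = portscan_sources(RECORDS)
    print("flagged:", sorted(hits))
    print("missed slow scanner:", "198.51.100.7" not in hits)
    print("decoy groups:", likely_decoy_groups(RECORDS, hits))
```

Raising the window to days catches the slow scanner but also raises the false-positive rate on ordinary clients, which is the trade-off the site detection threshold slide describes; the decoy grouping says only that the three addresses were generated together, not which of them is the real scanner.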


Weaknesses of Previous Scan Methods

Probing a few target systems from a single IP within a certain amount of time will usually trigger the alarm of the intrusion detection systems.

We have already discussed a way to try to bypass this – using slow scans. But even a slow scan can sometimes be detected.


Coordinated Attacks

When a group of attackers is working together to achieve a common goal, for example trying to get unauthorized access to a targeted network, we call this a coordinated attack.

Coordinated attacks can be used to target a single host or even an entire network.


Coordinated Scans

If multiple IPs probe a target network, each of them probing for a certain service on a certain machine in a different time period, it becomes nearly impossible to detect these scans from any single source's traffic.
