penetration test (part i) - professional information security association


Page 1: Penetration Test (Part I) - Professional Information Security Association

Penetration Test (Part I)

[pen/&/ ‘trei/ch/ /&/ n] (n.) penetration; penetrating power; seeing through

[test] (n.) test; examination; sample; analysis

Sang Young x Anthony Lai

PISA Program Committees

Prerequisites

• Windows and/or Linux/Unix administrative background
• Understand basic TCP/IP
• Enthusiasm, ethical and disciplined (don’t try to hack everywhere ☺)
• Backtrack2 – standard audit security tools collection (many folks in DefCon are using it for competition).
  – Align BackTrack to penetration testing methodologies and assessment frameworks (ISSAF and OSSTMM).
  – It will be used for our future pen-testing workshop series and your next mission.
• Lastly, think with creativity and enjoy.

BackTrack 2

• New exciting features in BackTrack 2, to mention a few:
  – Updated kernel: running 2.6.20, with several patches.
  – Broadcom based wireless card support
  – Most wireless drivers are built to support raw packet injection
  – Metasploit2 and Metasploit3 framework integration
  – Alignment to open standards and frameworks like ISSAF and OSSTMM
  – Redesigned menu structure to assist the novice as well as the pro
  – More than 300 different up-to-date tools
  – Japanese input support: reading and writing in Hiragana / Katakana / Kanji.


Learn the reality

• Checklist audit is out-dated.
• Most corporations are in compliance with a “paper” policy only.
• Controls are there but ineffective.
• Controls are there but lack monitoring.
• Controls are there but cannot deal with baseline attacks/vulnerabilities.

Understand the security posture

• Learn the hacks in the real world.
• Face and learn the reality.
• It is good, but do not be too aggressive, including conducting tests on the production site. You will scare your management ☺


Agenda

• Understand the penetration test methodology, practices and deliverables.
• Technical recap
• Tools manipulation
• Reporting template and components

Penetration Test Methodology

• OSSTMM 2.2
  – Adopt an open standard and get the management buy-in.
  – Get its free manual from http://www.isecom.org/osstmm/

Pentest Framework

Misunderstanding on Pentesting

• Capture the flag?
• Free style?
• I don’t care about the impact…
• Attack and technical stuff are the most critical and time consuming.


Facts on Pentesting

• Defined disclaimer, terms, scope, objective and approach.
• 60 minutes fun but 60 hours writing.
• Requires communication and consent with clients.
• A pen-tester who violates the agreement is liable for legal action from the client.

Various Stages of Pentesting

Technical Perspective

• Information Gathering
• Scanning
• Enumeration
• Exploit and Attack
• Maintain access
• Recovery
• Log your activity

Management Perspective

• Scope definition and agreement
• Meeting and Communication
• Keep all Pentesting activity records
• Regular progress and issue update
• Reporting and presentation

Security Analysis

Information Gathering

• Reconnaissance
  – Non-intrusive and intrusive target search
• Scanning
• Enumeration

Before launching any exploit and attack, our next critical step is analyzing the existing security controls and vulnerabilities -> Security Analysis

Penetration Flowchart


Non-intrusive Target Search

Pre-site Inspection


Build a target database

• List all of the potential targets and their properties
  – Name (DNS and/or NetBIOS)
  – IP address
  – Operating system and patch level
  – Functions and network services including ports
  – Assigned analyst
  – Assessment locations
  – Other notes
• Information Source
  – From your client
  – From your research (we focus on it ☺)

Analyze client provided information

• Fill in the target database based on the information your client provided to you
• Cross check the database against
  – Client provided data
  – Results of your testing
  – Discussions and interviews with technical staff
• When dealing with conflicting information:
  – Note the data and source
  – Use a console review to resolve the conflict
  – Do not test the target until you get a reliable clarification if there are too many data conflicts
  – If you ignore the conflicts, it will surely impact your analysis or even lead to wrong judgments or trouble during testing.

Analyze email header

• The email header provides a lot of information:
  – Operating system and version
  – Application name and version
  – Internal user names
  – Internal system names and IP addresses
• You could get email by formally requesting it from your client.
• You could send an erroneous email to the target company, causing it to “bounce back” to you as undeliverable.


Example: Email Header

Return-Path: [[email protected]]
Received: from server.mymailhost.com (mail.mymailhost.com [126.43.75.123]) by pilot01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597; Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98]) by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
Date: Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
From: Hot Summer Deals <[email protected]>
To: [email protected]
Subject: Just what you've been waiting for!!

Analysis Results

Received: from server.mymailhost.com (mail.mymailhost.com [126.43.75.123]) by pilot01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597; Fri, 12 Jul 2002 16:11:20 -0400 (EDT)

• In this header, you see that the message was received by a Pilot mail server (pilot01.cl.msu.edu); the remainder of this line contains version information and the message id assigned by the Pilot mail server. The time stamp shows when the message was delivered to Pilot. The first line shows three important pieces:
• Mail server IP address: 126.43.75.123. This is the Internet IP address from which Pilot received the message.
• Mail server domain name: mail.mymailhost.com. This is the domain name (DNS name) which matches the above IP address.
• Mail server identification: server.mymailhost.com. This is what the server claimed its name to be. This may or may not agree with the domain name; a mail server may have more than one identity.

Analysis Result: The second header gives more clues:

Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98]) by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)

• In this header, the receiving mail server name (server.mymailhost.com) matches the name shown in the first header (so far so good).
• The first line of this header reveals the source:
  – Originating IP address: 127.34.56.98. This is the Internet IP address from which the remote mail server received the message.
  – Originating domain name: 127-34-56-98.dsl.mybigisp.com. This is the domain name (DNS name) which matches the above IP address. This reveals that the IP address may be owned by an organization known as "mybigisp.com". This would appear to be a high-speed DSL subscriber to mybigisp.com, but only that organization can tell you for certain.
  – Originating system identification: aol.com. This is what the originator claimed its name to be. In this case, the sender is claiming to be "aol.com", but the source IP address and domain name do not fit.

Email header analysis

• A number of tools are available for verifying the owner of an IP address. The authoritative reference for IP addresses is the American Registry for Internet Numbers (ARIN). Using ARIN's "Search WHOIS" tool (or one of the other tools), you can find the identification of the IP address owner.
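The two checks walked through above (does the name a host claims in "from" match its reverse-DNS name, and does each "by" host reappear as the "from" host of the next hop up) can be automated. The following Python script is an added example written for this edit, not code from the slides or from PISA. It embeds the sample header above as a constructed string (mailbox addresses are placeholders, since the page elides them; hostnames and IPs are the slide's own), unfolds the continuation lines, parses each Received hop and reports the origin plus any inconsistencies. The "registered domain = last two labels" comparison is a simplification assumed here; a production tool would use a public-suffix list.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the bounced-message header in the slides.
# Mailbox addresses are placeholders; hostnames and IPs are the slide's values.
SAMPLE_HEADER = """\
Return-Path: <deals@example.net>
Received: from server.mymailhost.com (mail.mymailhost.com [126.43.75.123])
 by pilot01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597;
 Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98])
 by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
Date: Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
From: Hot Summer Deals <deals@example.net>
To: user@example.edu
Subject: Just what you've been waiting for!!
"""

# "from <claimed> (<reverse-dns> [<ip>]) by <receiver>" as sendmail-style MTAs
# write it; both Received lines on the slide follow this shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\((?P<rdns>[^\s\[]+)\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>[^\s;]+)"
)


def unfold(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Dict[str, str]]:
    """Return Received hops top-down: first = nearest to us, last = origin."""
    hops: List[Dict[str, str]] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line)
        if m:
            hops.append(m.groupdict())
    return hops


def registered_domain(name: str) -> str:
    """Crude 'owner' approximation: the last two DNS labels (assumption: no
    public-suffix list, so co.uk-style names would need a real list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze(raw: str) -> Dict[str, object]:
    hops = parse_received(raw)
    findings: List[str] = []
    # Each hop's "by" host should be the "from" host claimed one line above it;
    # a break in that chain suggests a forged or stripped Received line.
    for upper, lower in zip(hops, hops[1:]):
        if upper["claimed"].lower() != lower["by"].lower():
            findings.append(f"chain break: {lower['by']} handed off, "
                            f"but the next hop claims {upper['claimed']}")
    # A claimed (HELO) name whose owner differs from the reverse-DNS owner is
    # the slide's "aol.com vs mybigisp.com" case.
    for hop in hops:
        if registered_domain(hop["claimed"]) != registered_domain(hop["rdns"]):
            findings.append(f"{hop['ip']}: claims to be {hop['claimed']} "
                            f"but resolves to {hop['rdns']}")
    origin = hops[-1] if hops else {}
    return {"origin_ip": origin.get("ip"), "origin_rdns": origin.get("rdns"),
            "origin_claimed": origin.get("claimed"), "hops": len(hops),
            "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

On the slide's header the script reports two hops, an origin of 127.34.56.98, and a single finding: the host claims to be aol.com but resolves to 127-34-56-98.dsl.mybigisp.com. Resolving who actually owns that address is the WHOIS step described above and is deliberately left to the analyst.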


Search public archives

• With a wealth of information
• Gain a big-picture understanding of the target environment
  – Query whois
  – Query nslookup
• Tools include Netcraft, Way Back Machine, Edgar, News sites (CNN and CNBC)
• Technicians may post sensitive information to:
  – Public newsgroups
  – Public mailing lists (Search them!)

DNS/Who Is Resolver

• SolarWinds DNS Resolver tool looks up and creates a detailed report on domain names, URLs, IP addresses, network addresses or e-mail addresses. You can also define a custom "Who Is" server.

Attempt to make DNS Zone transfer


People Search

• People and Company Search
  – Google
  – www.paterva.com
  – Sensepost tools
  – Newsgroup

Google Hacking

• Special operators (e.g. inurl, site, intext, intitle)
• Find out vulnerable remote service and administrative console
• Nothing new (Out-dated) ☺

www.paterva.com


Search “Bruce Schneier”

Intrusive Target Search

Scanning

• Port Scanning
  – Learn about the running services associated with “well-known” port numbers
• Network Scanning
  – Identify active hosts on a network
• Vulnerability Scanning
  – Identify the systems' vulnerabilities and check whether a patch is available to correct them.

Scanning Objectives

• To detect live systems on the network
• To uncover which ports are active/running
• Discover the operating system running on the target system (fingerprinting)
• Discover services running/listening on the target system
• Discover the IP address of the target system


Before getting to know various kinds of scanning, we need to know some concepts in TCP/IP

Technical Recap

• Protocols, TCP Packet and Handshake
• Port Numbers assignment
• Network Design and other infrastructure components

They are mentioned in the appendix and need your efforts to work on further research!

TCP Vs UDP

• Difference between TCP and UDP
  – TCP: With sliding windows to control the size of the received data at the receiving end
  – UDP: Noop ☺
  – TCP: With sequence and acknowledge numbers for error tolerance and retransmission.
  – UDP: Noop ☺

Technical Recap – 3-way Handshake

• TCP Handshake
  – This handshake is often referred to as the "three way handshake" because of the three frames that pass back and forth:
  – The First Frame – The initial synchronize (SYN) frame is sent from the station initiating the conversation to the destination station. The SYN frame includes initial sequence numbers and the port that will be used for the conversation, as well as other initialization parameters.
  – The Second Frame – The destination station receives the SYN frame. If everything is in agreement, it sends an acknowledgement to the SYN (called an ACK) and its own SYN parameters.
  – The Third Frame – The original station receives the ACK to its original SYN, as well as the SYN from the destination device. Assuming everything is in order, the source station sends an ACK to the destination station's SYN.

This handshake occurs every time a TCP session is established. It's this three-way handshake that allows NMAP to gather so much information about the ports on a device.


Figure 2. TCP Header Layout

TCP Header Flags

• URG (Urgent) flag (1 bit)
  If the URG flag is set, it indicates that the urgent pointer is valid and points to urgent data. Simple enough, eh? Urgent data is data that should be acted upon as soon as possible, even before "normal" data that may be waiting should be processed.
• ACK (Acknowledgement) flag (1 bit)
  The ACK flag says that the ACK number is valid. The packet is at least an acknowledgement of data that has been received.
• PSH (Push) flag (1 bit)
  The push flag tells the receiving end of the TCP connection to "push" all buffered data to the receiving application. It basically says "done for now".
• RST (Reset) flag (1 bit)
  Resets the receiving end of the TCP connection. Erroneous packets are responded to with this flag set, for example, an ACK to a packet you never sent.
• SYN (Synchronize) flag (1 bit)
  The SYN flag is set for the opening packets of a TCP connection where both ends have to "synchronize" their TCP buffers and set up whatever.
• FIN (Finished) flag (1 bit)
  This flag signifies that the sending end will not be sending any more data.


TCP header flags and NMAP Scan

• The various NMAP scans depend on which TCP header flags are turned on and off.
• Various scan details are covered in the Appendix.

Technical Recap – Port

• A service is running on it.
• Each port is assigned a number.
• Ports 0-1024 are officially assigned.

Common Port Numbers: http://www.iana.org/assignments/port-numbers

NMAP

• With Client-based GUI and Command Mode
• With Ping Sweep to identify active host(s)
• Various types of Scan (Xmas, NULL, SYN Scan, etc.)
• Tuning the parameters could help avoid IDS/Firewall detection.


NMAP – Scan Types and Techniques

NMAP – OS Detection

• OS Detection
  – -O (Enable OS detection) – Enables OS detection, as discussed above. Alternatively, you can use -A to enable OS detection along with other things. 2nd generation OS detection is tried first. If that fails, Nmap will either print out the host fingerprint and ask you to submit it (if you are certain about what the target host is running), or Nmap will fall back to the 1st generation OS detection system in case its larger database has a match.

NMAP – Version Detection

• Version detection is enabled and controlled with the following options:
  – -sV (Version detection) – Enables version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things.


NMAP: Usage and Example

nmap -v scanme.nmap.org
• This option scans all reserved TCP ports on the machine scanme.nmap.org. The -v option enables verbose mode.

nmap -sS -O scanme.nmap.org/24
• Launches a stealth SYN scan against each machine that is up out of the 255 machines on the “class C” network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
• Launches host enumeration and a TCP scan at the first half of each of the 255 possible 8 bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

nmap -v -iR 100000 -P0 -p 80
• Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -P0 since first sending a couple of probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pbport80scan.gnmap 216.163.128.20/20
• This scans 4096 IPs for any webservers (without pinging them) and saves the output in grepable and XML formats.
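The grepable (-oG) file written by the last command is the natural feed for the target database described earlier (name, IP, operating system, services/ports, assigned analyst, notes). The Python script below is an added example written for this edit, not code from the slides or from the Nmap project. It parses a constructed sample of -oG output (hosts, names and versions are invented), folds the Host/Status/Ports/OS lines into one record per host, produces rows in the shape of the target database sheet, and cross-checks the live hosts against a constructed client-provided target list so that unexpected live hosts, missing targets and name conflicts are noted before any testing starts, as the "conflicting information" guidance requires. The -oG layout assumed here (tab-separated fields; port entries as port/state/protocol/owner/service/rpc info/version/) is the format Nmap documents for grepable output.

```python
import re
from typing import Dict, List

# Constructed sample of nmap grepable (-oG) output; hosts, names and versions are
# invented for this example. Fields are tab-separated, as nmap writes them.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -sV -O -oG logs/lab.gnmap 10.0.0.0/29
Host: 10.0.0.1 (gw.lab.example)\tStatus: Up
Host: 10.0.0.1 (gw.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 80/open/tcp//http//Apache httpd 2.2.3/\tIgnored State: closed (998)\tOS: Linux 2.6.X
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-term-serv///\tIgnored State: closed (997)\tOS: Microsoft Windows 2003
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done (constructed sample) -- 8 IP addresses (2 hosts up) scanned
"""

# Constructed client-provided target list: hostname -> IP the client believes it has.
CLIENT_TARGETS = {"gateway": "10.0.0.1", "fileserver": "10.0.0.3"}

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)")


def parse_gnmap(text: str) -> Dict[str, Dict[str, object]]:
    """Fold grepable output into one record per host, keyed by IP address."""
    db: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment lines and anything else
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        rec = db.setdefault(ip, {"ip": ip, "name": None, "status": None,
                                 "os": None, "ports": []})
        if name:
            rec["name"] = name
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "OS":
                rec["os"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # port/state/protocol/owner/service/rpc info/version/
                    p = entry.split("/")
                    rec["ports"].append({"port": int(p[0]), "state": p[1],
                                         "proto": p[2], "service": p[4] or None,
                                         "version": p[6] or None})
    return db


def target_rows(db: Dict[str, Dict[str, object]]) -> List[Dict[str, str]]:
    """Rows in the shape of the slide's target database sheet, live hosts only."""
    rows: List[Dict[str, str]] = []
    for ip in sorted(db, key=lambda a: tuple(int(x) for x in a.split("."))):
        rec = db[ip]
        if rec["status"] != "Up":
            continue
        services = "; ".join(
            f"{p['port']}/{p['proto']} {p['service'] or '?'}"
            + (f" ({p['version']})" if p["version"] else "")
            for p in rec["ports"] if p["state"] == "open")
        rows.append({"Name": rec["name"] or "", "IP": ip, "OS": rec["os"] or "",
                     "Services": services, "Analyst": "", "Notes": ""})
    return rows


def cross_check(db: Dict[str, Dict[str, object]],
                client_targets: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare scan results with the client-provided list: every discrepancy is
    something to note with its source and clarify before testing."""
    live = {ip for ip, r in db.items() if r["status"] == "Up"}
    expected = set(client_targets.values())
    conflicts = [f"{ip}: client says {name}, scan says {db[ip]['name']}"
                 for name, ip in client_targets.items()
                 if ip in db and db[ip]["name"] and db[ip]["name"] != name]
    return {"unexpected_live": sorted(live - expected),
            "missing": sorted(expected - live),
            "name_conflicts": conflicts}


if __name__ == "__main__":
    db = parse_gnmap(SAMPLE_GNMAP)
    for row in target_rows(db):
        print(row)
    print(cross_check(db, CLIENT_TARGETS))
```

On the sample, 10.0.0.2 is live but absent from the client's list, 10.0.0.3 is on the list but was down, and the client's "gateway" answers to gw.lab.example in DNS; all three go into the notes column rather than being silently resolved.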

NMAP Scan Type

• X’Mas Scan
  – The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.
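To make the flag byte and the three-way handshake from the Technical Recap concrete, here is an added Python example (written for this edit; not code from the slides or from Nmap) that packs and decodes raw 20-byte TCP headers with struct, names the flags that are set, checks the sequence/acknowledgement arithmetic across the three handshake frames, and labels a lone packet by its flag combination. Combinations that never occur in a legitimate handshake (no flags, FIN alone, URG+PSH+FIN) are exactly what an IDS signature for NULL, FIN and Xmas probes keys on. The header builder is a constructed helper so the example runs without a packet capture; the checksum and options are left out, and the port and sequence numbers in the demo are invented.

```python
import struct
from typing import Dict, List

# TCP flag bits: the low-order six bits of the data-offset/flags word (RFC 793).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
XMAS = FLAGS["URG"] | FLAGS["PSH"] | FLAGS["FIN"]   # the slide's 00101001


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 8192) -> bytes:
    """Assemble a minimal 20-byte TCP header (no options; checksum left zero).
    Constructed helper so the decoder can be exercised without a capture."""
    offset_flags = (5 << 12) | (flags & 0x3F)        # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF,
                       ack & 0xFFFFFFFF, offset_flags, window, 0, 0)


def parse_tcp_header(data: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte part of a TCP header from raw bytes."""
    if len(data) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (sport, dport, seq, ack, offset_flags,
     window, checksum, urgptr) = struct.unpack("!HHIIHHHH", data[:20])
    bits = offset_flags & 0x3F
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (offset_flags >> 12) * 4,     # header length in bytes
        "flags": bits,
        "flag_names": [name for name, bit in FLAGS.items() if bits & bit],
        "window": window, "checksum": checksum, "urgent_pointer": urgptr,
    }


def classify_probe(bits: int) -> str:
    """Name a packet by its flag combination. NULL/FIN/Xmas shapes are not part of
    any normal handshake, which is why an IDS can flag them outright."""
    if bits == 0:
        return "NULL probe"
    if bits == XMAS:
        return "Xmas probe"
    if bits == FLAGS["FIN"]:
        return "FIN probe"
    if bits == FLAGS["SYN"]:
        return "SYN (handshake step 1)"
    if bits == (FLAGS["SYN"] | FLAGS["ACK"]):
        return "SYN/ACK (handshake step 2)"
    if bits & FLAGS["RST"]:
        return "RST"
    if bits & FLAGS["ACK"]:
        return "ACK"
    return "other"


def handshake_frames(cport: int, sport: int, isn_client: int, isn_server: int) -> List[bytes]:
    """The slide's three frames with sequence/acknowledgement numbers filled in:
    each side's ISN is acknowledged as ISN + 1."""
    syn = build_tcp_header(cport, sport, isn_client, 0, FLAGS["SYN"])
    syn_ack = build_tcp_header(sport, cport, isn_server, isn_client + 1,
                               FLAGS["SYN"] | FLAGS["ACK"])
    ack = build_tcp_header(cport, sport, isn_client + 1, isn_server + 1, FLAGS["ACK"])
    return [syn, syn_ack, ack]


def is_valid_handshake(frames: List[bytes]) -> bool:
    """Check the flags and the seq/ack arithmetic across the three frames."""
    if len(frames) != 3:
        return False
    f1, f2, f3 = (parse_tcp_header(f) for f in frames)
    return (f1["flags"] == FLAGS["SYN"]
            and f2["flags"] == (FLAGS["SYN"] | FLAGS["ACK"])
            and f2["ack"] == (f1["seq"] + 1) & 0xFFFFFFFF
            and f3["flags"] == FLAGS["ACK"]
            and f3["seq"] == (f1["seq"] + 1) & 0xFFFFFFFF
            and f3["ack"] == (f2["seq"] + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    for frame in handshake_frames(40000, 80, 1000, 5000):   # invented ports/ISNs
        hdr = parse_tcp_header(frame)
        print(hdr["flag_names"], hdr["seq"], hdr["ack"], classify_probe(hdr["flags"]))
    print(format(XMAS, "08b"), classify_probe(XMAS))        # 00101001 Xmas probe
```

The same decoder applied to the reply, rather than the probe, is what turns a scan into information: per RFC 793 a closed port answers a NULL, FIN or Xmas probe with RST, while an open port stays silent, which is the behaviour the Appendix C diagrams illustrate.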

Other Scanning Tools

• SuperScan• THC Scan• Pinger • Cheops• NetScan Tools Pro 2003• ipEye and IPSecScan


Finalize target database

• Please mark down all the information gathered in your target database sheet
• Please clarify with your clients if you cannot find their stated targets before starting any assignment.

DEMO Time ☺ - Scan hosts and identify possible operating system/service/version with NMAP

Identify and Exploit Vulnerabilities

Security Analysis

• Threat analysis
• Vulnerability analysis
• Rank those items
• Existing exploits
• Study the probable and easy way
• Think of interesting, creative and fun ways to exploit
• Try to make your exploit “Stealthy”


Exploit

• Metasploit• Manual Exploit• Open Source Vs Commercial Tools• Automated tools like Core Impact

Metasploit

• Two types of UI: Web (msfweb) and Command/Console Mode (msfconsole)
• Simple commands
• There is a beta release of the Web Application Attack Framework W3AF: http://w3af.sourceforge.net/

Metasploit: Get Started

The Console Interface
• After you have installed the Framework, you should verify that everything is working correctly. The quickest way to do this is to execute the msfconsole user interface. This interface should display an ASCII Metasploit logo, print the current version, number of payloads, number of exploits, and drop to a 'msf' prompt. From this prompt, type help to get a list of valid commands. You are currently in the 'main' mode; this allows you to list exploits, list payloads, and configure global options. To list all available exploits, type show exploits. To obtain more information about a given exploit, type info module_name.

Console Efficiency
• The console has been designed with efficiency in mind and can be used as a standard shell in many situations. If you enter an unknown command, the console will scan the system path to determine if you typed an external command. If it finds a match, that command will be executed with the supplied arguments. This allows you to use your standard set of tools without having to leave the console. Tab completion defaults to file-name matching when the command entered is not an internal console command. This allows you to navigate the file system normally, similar to using a bash shell.

Selecting an Exploit
• From the msf prompt, you can choose an exploit with the use command. This command takes the name of the exploit module as the first argument, enters exploit mode, and loads the Temporary environment for that exploit. You can switch between active exploits with the use command and drop back to the main shell with the back command.

Exploit Basics
• After selecting an exploit, your available command selection changes. Enter the help command again to get an idea of what is available. The show command now has a completely different set of arguments; these allow you to view the standard options, advanced options, exploit targets, and compatible payloads. The check command invokes the vulnerability check mode of the selected exploit. The exploit command actually launches the selected exploit.


Metasploit: Using the framework

1. Choosing an Exploit Module
• From the msfconsole interface, you may view the available exploit modules with the show exploits command. Select an exploit with the use command, specifying the short module name as the argument. The show info command can be used to view information about a specific exploit module.

2. Configuring the Active Exploit
• Once you have selected an exploit, the next step is to determine what options it requires. This can be accomplished with the show options command. Most exploits use RHOST to specify the target address and RPORT to set the target port. Use the set command to configure the appropriate values for all required options. If you have any questions about what a given option does, refer to the module source code. Advanced options are available with some exploit modules; these can be viewed with the show advanced command.

3. Verifying the Exploit Options
• The check command can be used to determine whether the target system is vulnerable to the active exploit module.
• This is a quick way to verify that all options have been correctly set and that the target is actually vulnerable to exploitation. Not all exploit modules have implemented the check functionality.
• In many cases it is nearly impossible to determine whether a service is vulnerable without actually exploiting it.
• A check command should never result in the target system crashing or becoming unavailable. Many modules simply display version information and expect you to analyze it before proceeding.

4. Selecting the Payload
• The payload is the actual code that will run on the target system after a successful exploit attempt. Use the show payloads command to list all payloads compatible with the current exploit. If you are behind a firewall, you may want to use a bind shell payload; if your target is behind one and you are not, you would use a reverse connect payload. You can use the info payload_name command to view detailed information about a given payload.
• Once you have decided on a payload, use the set command to specify the payload module name as the value for the PAYLOAD environment variable. Once the payload has been set, use the show options command to display all available payload options. Most payloads have at least one required option. Advanced options are provided by a handful of payload options; use the show advanced command to view these.

5. Selecting a Target
• Many exploits will require the TARGET environment variable to be set to the index number of the desired target. The show targets command will list all targets provided by the exploit module. Many exploits will default to a brute-force target type; this may not be desirable in all situations.

6. Launching the Exploit
• The exploit command will launch the attack. If everything went well, your payload will execute and potentially provide you with an interactive command shell on the exploited system.


Metasploit: Temporary Environment

• The Temporary environment is accessed through the set and unset commands. This environment only applies to the currently loaded exploit module; switching to another exploit via the use command will result in the Temporary environment for the current module being swapped out with the environment of the new module. If no exploit is currently active, the set and setg commands will not be available. Switching back to the original exploit module will result in the original environment being restored. Inactive Temporary environments are simply stored in memory and activated once their associated module has been selected. The following example shows how the use command selects an active exploit and how the back command reverts to the main mode.

msf > use apache_chunked_win32
msf apache_chunked_win32 > set
msf apache_chunked_win32 > set FOO BAR
FOO -> BAR
msf apache_chunked_win32 > set
FOO: BAR
msf apache_chunked_win32 > back
msf > use poptop_negative_read
msf poptop_negative_read > set
msf poptop_negative_read > back
msf > use apache_chunked_win32
msf apache_chunked_win32 > set
FOO: BAR
msf apache_chunked_win32 >

Metasploit: Save command

Saved Environment
• The save command can be used to synchronize the Global and all Temporary environments to disk. The saved environment is written to ~/.msf/config and will be loaded when any of the user interfaces are executed.

Metasploit: Advanced Setting

• Bypassing IDS and firewall, enable stealthy exploit
• With logging facility to show pentester activity.

With logging facility

Logging
• This variable is used to enable or disable session logging. Session logs are stored in ~/.msf/logs by default; the directory can be changed using the LogDir environment variable. You can use the msflogdump utility to view the generated session logs. These logs contain the complete environment for the exploit as well as per-packet timestamps.

LogDir
• This option specifies what directory the log files should be stored in. It defaults to ~/.msf/logs. There are two types of log files, the main log and the session logs. The main log will record each significant action performed by the console interface. A new session log will be created for each successful exploit attempt.


DEMO Time ☺- Exploit with Metasploit

Local Target Assessment

Enumeration [inju:m/&/ 'rei/ch/ /&/ n] (n.) calculation; enumeration; itemized list

• Gather host configuration data
• User account information
• Crack password
• Password storage
• Default and “wild guessed” password
• Host Assessment with DumpSec
  – Retrieve permissions and audit settings, user/group information, system security policies/installed services/assigned user rights.

DEMO Time ☺ - Password Dump and Crack with pwdump and John the Ripper


Reporting

• Essential Components
• Pre-meeting with auditors or/and board
• http://www.vulnerabilityassessment.co.uk/report%20template.html

Report Template

Resources: Pentest, BackTrack2, NMAP and Metasploit

• Pentest framework
  – http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
• Pre-site Inspection Checklist
  – http://www.vulnerabilityassessment.co.uk/Presite%20Inspection.html
• Pentest Final Report Template
  – http://www.vulnerabilityassessment.co.uk/report%20template.html
• BackTrack 2
  – http://www.remote-exploit.org/backtrack.html
• NMAP
  – http://www.insecure.org
  – http://nmap-online.com/ (Online NMAP ☺)
  – http://www.networkuptime.com/nmap/index.shtml (Detailed tutorials on TCP/IP, NMAP and its scanning techniques)
• Metasploit and demo of exploit (Web UI)
  – http://www.irongeek.com/i.php?page=videos/metasploit1
• Metasploit Tutorial (Command mode)
  – http://www.ethicalhacker.net/content/view/29/24/
  – http://www.metasploit.com/projects/Framework/docs/CrashCourse-2.2.html
• Metasploit Framework Web Site
  – http://www.metasploit.com
  – http://metasploit.com/projects/Framework/exploits.html
• Securityfocus – Metasploit Framework Part I/II
  – http://www.securityfocus.com/infocus/1789


Resources: Pentest, BackTrack2, NMAP and Metasploit

• BackTrack 2
  – http://www.remote-exploit.org/backtrack.html
  – http://backtrack.offensive-security.com/index.php?title=Main_Page (with tool list, how-to-crack techniques and links to Metasploit tutorials from Securityfocus)
• NMAP
  – http://www.insecure.org
  – http://nmap-online.com/ (Online NMAP ☺)
  – http://www.networkuptime.com/nmap/index.shtml (Detailed tutorials on TCP/IP, NMAP and its scanning techniques)
• Metasploit and demo of exploit (Web UI)
  – http://www.irongeek.com/i.php?page=videos/metasploit1
• Metasploit Tutorial (Command mode)
  – http://www.ethicalhacker.net/content/view/29/24/
  – http://www.metasploit.com/projects/Framework/docs/CrashCourse-2.2.html
• Metasploit Framework Web Site
  – http://www.metasploit.com
  – http://metasploit.com/projects/Framework/exploits.html
• Securityfocus – Metasploit Framework Part I/II
  – http://www.securityfocus.com/infocus/1789

Resources: OS Fingerprinting

• Passive OS Fingerprinting: Details and Techniques
  – http://www.ouah.org/incosfingerp.htm

Resources – TCP and Port

• IPv4
  – http://en.wikipedia.org/wiki/IPv4
• Port Number Assignment
  – http://www.iana.org/assignments/port-numbers

Our next mission …. (Oct ? Nov?)


Let’s join!

• Next Mission: Pentesting Assignment
• Team Formation
  – Goal: There are hidden hosts/targets; your team needs to provide a report with identified risk, threat(s), vulnerabilities and control recommendations. Your security analysis and pentest report will be reviewed and commented on by our panels.
  – Strongly recommended: took Part I; various skills from networking, application, server, auditing, risk assessment and security analysis as well as exploit understanding; Windows and Linux skills; and using BackTrack2 or your preferred audit tools
  – Expected team size: 3 – 5
  – Prepare yourself and your team; there are 1.5 - 2 months for you ☺
  – Any Prize? Cash? Souvenir? Hahaha… just brainstorming

Let’s join

• Panel and Engineer Recruitment (6 – 12)
  – Application/Network/OS/Infrastructure/Audit Experts (5 - 10)
  – Scenario designer
  – Vulnerability researcher
  – Technical Support

Deliverables/Operations:
  - Vulnerable Systems on VM
  - Scenario design with network diagrams, login screen, available services/devices, etc.
  - Provide comment on the details of the pentest report
  - Support the vulnerable systems and coordination of the activities on the pentest day.

Pentesting Workshop Roadmap - We need your efforts and expertise

• Network Devices (Switches/Routers/Gateway)
• Firewall & IDS/IPS
• DNS, Web Server and FTP Server
• LDAP, Key Server and Authentication Server
• Remote Access Server (RAS)
• Windows and Linux/Unix as well as MacOS
• Wireless and Bluetooth
• Web Application
• Physical Security

Summary

• It is just the 101 introduction
• With creative thinking as an attacker
• Don’t be limited by the tools you know.
• Adhere to the testing methodology and process
• Obtain agreement/understanding from clients


Finally… with Fun. Thank you for your participation.

Q & A

Appendix

• Appendix A: Technical Recap (Protocols: TCP, UDP, ICMP)
  – http://www.networkuptime.com/nmap/index.shtml
• Appendix B: The reason for OS Detection (http://www.ouah.org/incosfingerp.htm)
• Appendix C: NMAP Scan Breakdown (http://www.networkuptime.com/nmap/index.shtml, with clear diagram illustrations showing what response you will get if the port is open or closed.)


Appendix A: Technical Recap - Protocol

• ICMP
  – The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages, indicating, for instance, that a requested service is not available or that a host or router could not be reached.
  – ICMP differs in purpose from TCP and UDP in that it is usually not used directly by user network applications. One exception is the ping tool, which sends ICMP Echo Request messages (and receives Echo Response messages) to determine whether a host is reachable and how long packets take to get to and from that host.
  – ICMP Type 3: Unreachable Destination Address
  – http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

ICMP Packet Format: http://www.networksorcery.com/enp/protocol/icmp/msg3.htm

ICMP Type 3 Code and Description
• 0 Network unreachable error.
• 1 Host unreachable error.
• 2 Protocol unreachable error. When the designated transport protocol is not supported.
• 3 Port unreachable error. When the designated transport protocol (e.g., UDP) is unable to demultiplex the datagram but has no protocol mechanism to inform the sender.
• 4 The datagram is too big. Packet fragmentation is required but the DF bit in the IP header is set.
• 5 Source route failed error.
• 6 Destination network unknown error.
• 7 Destination host unknown error.
• 8 Source host isolated error. Obsolete.
• 9 The destination network is administratively prohibited.
• 10 The destination host is administratively prohibited.
• 11 The network is unreachable for Type Of Service.
• 12 The host is unreachable for Type Of Service.
• 13 Communication Administratively Prohibited. This is generated if a router cannot forward a packet due to administrative filtering.
• 14 Host precedence violation. Sent by the first hop router to a host to indicate that a requested precedence is not permitted for the particular combination of source/destination host or network, upper layer protocol, and source/destination port.
• 15 Precedence cutoff in effect. The network operators have imposed a minimum level of precedence required for operation, but the datagram was sent with a precedence below this level.
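As an added example (not part of the slides), a small Python decoder for an ICMP Type 3 message: it validates the RFC 792 checksum, maps the code using the table above, and pulls the original addresses and ports out of the quoted IP header, which is how a receiver learns which probe the error refers to. The sample message is constructed inline (a router reporting UDP port 161 unreachable).

```python
import struct

# Code table for ICMP Type 3 (Destination Unreachable), as listed on the slide.
UNREACHABLE_CODES = {
    0: "Network unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
    3: "Port unreachable", 4: "Fragmentation needed and DF set",
    5: "Source route failed", 6: "Destination network unknown",
    7: "Destination host unknown", 8: "Source host isolated",
    9: "Network administratively prohibited", 10: "Host administratively prohibited",
    11: "Network unreachable for TOS", 12: "Host unreachable for TOS",
    13: "Communication administratively prohibited", 14: "Host precedence violation",
    15: "Precedence cutoff in effect",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum over 16-bit words; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_unreachable(msg: bytes) -> dict:
    """Decode a Destination Unreachable message plus the IPv4 header + 8 bytes it quotes."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _chk, rest = struct.unpack("!BBHI", msg[:8])
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    ip = msg[8:]                         # quoted original datagram
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])  # TCP and UDP both start with ports
    result = {"code": code, "reason": UNREACHABLE_CODES.get(code, "unknown"),
              "orig_proto": ip[9], "orig_src": src, "orig_dst": dst,
              "orig_sport": sport, "orig_dport": dport}
    if code == 4:                        # code 4 carries the next-hop MTU in the low 16 bits
        result["next_hop_mtu"] = rest & 0xFFFF
    return result

def build_sample() -> bytes:
    """Constructed sample: UDP 10.0.0.5:40000 -> 10.0.0.9:161 answered with type 3, code 3."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    udp_hdr = struct.pack("!HHHH", 40000, 161, 8, 0)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + udp_hdr
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```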

Technical Recap

• TCP Packet Header and Handshake


Figure 1. IPv4 Header Layout
Figure 2. TCP Header Layout
Figure 3. ICMP Echo Request or Reply Header Layout
Figure 4. ICMP Destination Unreachable Header Layout
Figure 5. UDP Header Layout

Technical Recap

• Access Control
– Two-factor and token-based authentication
– Authentication Server (Kerberos, LDAP)
– Biometrics (behavioral and characteristic)

• What are the issues of most concern?


Technical Recap

• Network Design
– Internet Infrastructure
• DMZ
• Screened subnet
• Bastion host
• Honeypot
• Intrusion Detection System
• Load balancer
• Data confidentiality: Encryption, VPN, SSL/VPN

• What are the issues of most concern for each component?

Secure Network Design

• http://www.defconpics.org/other/Principles%20of%20Secure%20Network%20Design.pdf

Locate gateways and firewalls

• GW and FW mark the perimeter of the network.
– Located immediately in front of the target
– If the target does not reply, the last identifiable gateway is often a firewall preventing the target from responding

• With the traceroute command (Linux)
• With the tracert command (Windows NT/2000/XP)
• Hping2
• Use SolarWinds for TraceRoute
• Check whether there is no reply from the gateway


Appendix B: OS Detection
• Reasons for OS Detection

– While some benefits of discovering the underlying OS and device types on a network are obvious, others are more obscure. This section lists the top reasons I hear for discovering this extra information.

• Determining vulnerability of target hosts
– It is sometimes very difficult to determine remotely whether an available service is susceptible or patched for a certain vulnerability. Even obtaining the application version number doesn't always help, since OS distributors often backport security fixes without changing the version number. The surest way to verify that a vulnerability is real is to exploit it, but that risks crashing the service and can lead to wasted hours or even days of frustrating exploitation efforts if the service turns out to be patched.

– OS detection can help reduce these false positives. For example, the Rwho daemon on unpatched Sun Solaris 7 through 9 may be remotely exploitable (Sun alert #57659). Remotely determining vulnerability is difficult, but you can rule it out by finding that a target system is running Solaris 10.

– Taking this from the perspective of a systems administrator rather than a pen-tester, imagine you run a large Sun shop when alert #57659 comes out. Scan your whole network with OS detection to find machines which need patching before the bad guys do.

OS Detection
• Tailoring exploits

Even after you discover a vulnerability in a target system, OS detection can be helpful in exploiting it. Buffer overflows, format-string exploits, and many other vulnerabilities often require custom-tailored shellcode with offsets and assembly payloads generated to match the target OS and hardware architecture. In some cases, you only get one try because the service crashes if you get the shellcode wrong. Use OS detection first or you may end up sending Linux shellcode to a FreeBSD server.

• Network inventory and support
While it isn't as exciting as busting root through a specially crafted format string exploit, there are many administrative reasons to keep track of what is running on your network. Before you renew that IRIX support contract for another year, scan to see if anyone still uses such machines. An inventory can also be useful for IT budgeting and ensuring that all company equipment is accounted for.

OS Detection
• Detecting unauthorized and dangerous devices

With the ubiquity of mobile devices and cheap commodity networking equipment, companies are increasingly finding that employees are extending their networks in undesirable ways. They may install a $20 wireless access point (WAP) in their cubicle without realizing (or caring) that they just opened up the protected corporate network to potential attackers in the parking lot or nearby buildings. WAPs can be so dangerous that Nmap has a special category for detecting them. Users may also cause sysadmins grief by connecting insecure and/or worm-infected laptops to the corporate network. Regular scanning can detect unauthorized devices for investigation and containment.

• Social engineering
Another possible use is social engineering. Let's say that you are scanning a target company and Nmap reports a "Datavoice TxPORT PRISM 3000 T1 CSU/DSU 6.22/2.06". You could call up the target pretending to be Datavoice support and discuss some issues with their PRISM 3000. Tell them you are about to announce a big security hole, but are first providing the patch to valued customers. Some naive administrators might assume that only an authorized engineer from Datavoice would know so much about their CSU/DSU. Of course the patch you send them is a Trojan horse that gives you remote access to sniff and traipse through their network. Be sure to read the rest of this chapter for detection accuracy and verification advice before trying this. If you guess the target system wrong and they call the police, that will be an embarrassing story to tell your cellmates.

Appendix C: NMAP Scan Techniques

• TCP SYN Scan (-sS)
The TCP SYN scan uses common methods of port identification that allow nmap to gather information about open ports without completing the TCP handshake process. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning.

If a scan type is not specified on the nmap command line and nmap currently has privileged access to the host (root or administrator), the TCP SYN scan is used by default.


NMAP Scan Techniques

• TCP connect() Scan (-sT)

The TCP connect() scan is named after the connect() call that's used by the operating system to initiate a TCP connection to a remote device. Unlike the TCP SYN scan (-sS), the TCP connect() scan uses a normal TCP connection to determine if a port is available. This scan method uses the same TCP handshake connection that every other TCP-based application uses on the network.

NMAP Scan Techniques (Stealthy)

• The Xmas Tree Scan (-sX)
The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

• FIN Scan
The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshaking. If a TCP session isn't active, the session certainly can't be formally closed!

NMAP Scan Techniques (Stealthy)

• The Null Scan (-sN)
The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world.

Advantages of the FIN, Xmas Tree, and Null Scan

• Since no TCP sessions are created for any of these scans, they are remarkably quiet from the perspective of the remote device's applications. Therefore, none of these scans should appear in any of the application logs.

• These scans are also some of the most minimal port-level scans that nmap can execute. For a closed port, only two packets are transferred. A single frame is all that's necessary to find an open port!


Disadvantages of the FIN, Xmas Tree, and Null Scan

• Unfortunately, Microsoft's implementation of the TCP/IP stack renders these particular scans less than useful. On a Windows-based computer, all ports will appear to be closed regardless of their actual state. This provides a backhanded advantage, since any device showing open ports must not be a Windows-based device!

• These scan types are using packets that do not follow the rules of TCP. To create these specialized packets, the raw sockets capability of the operating system builds the packets from scratch. This avoids the operating system requirements that are usually forced on IP communication, but it also requires that the user running these nmap scans have privileged access to the system.

When to use the FIN, Xmas Tree, and Null Scan

• Although TCP SYN scans are relatively subtle, the FIN, Xmas tree, and null scans are even more invisible on the network. They don't show up in application log files, they take little network bandwidth, and they provide extensive port information on non-Windows based systems. If the scanned device is susceptible to these odd TCP packets, information can be gathered with only a whisper of network communication!
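The slides point out that SYN, FIN, Xmas tree and null probes never reach an application log, so catching them is a network-level job. As an added example (not from the slides or from nmap), the Python below classifies TCP flag bytes by the probe shapes described above, treats a SYN as a half-open probe only when the same source never sends the third-handshake ACK to that port (the difference between -sS and -sT), and flags sources that hit several distinct ports. The record tuple format, the sample records and the threshold are assumptions for this example.

```python
from collections import defaultdict

# TCP flag bits (low byte of the flags field).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags):
    """Map a TCP flags byte to the nmap probe shape it resembles, or None if ordinary."""
    if flags == 0:
        return "null-scan"             # -sN: no flags at all
    if flags == FIN:
        return "fin-scan"              # -sF: FIN without a preceding handshake
    if flags == FIN | PSH | URG:       # 0x29 (00101001), the "Christmas tree" pattern
        return "xmas-scan"
    if flags == SYN:
        return "syn"                   # start of a handshake, or an -sS half-open probe
    return None

def detect_scanners(records, threshold=3):
    """records: iterable of (src, dst, dst_port, tcp_flags) tuples (assumed format).
    Returns {src: {probe_kind: distinct_targets}} for kinds reaching the threshold."""
    probes = defaultdict(lambda: defaultdict(set))   # src -> kind -> {(dst, port)}
    for src, dst, dport, flags in records:
        kind = classify_flags(flags)
        if kind == "syn":
            probes[src]["half-open-syn"].add((dst, dport))
        elif flags == ACK:                           # handshake completed: not half-open
            probes[src]["half-open-syn"].discard((dst, dport))
        elif kind:
            probes[src][kind].add((dst, dport))
    alerts = {}
    for src, kinds in probes.items():
        flagged = {k: len(t) for k, t in kinds.items() if len(t) >= threshold}
        if flagged:
            alerts[src] = flagged
    return alerts

# Constructed sample records: one Xmas scanner, one normal client, one half-open scanner.
SAMPLE = [
    ("10.0.0.7", "10.0.0.20", 22, FIN | PSH | URG),
    ("10.0.0.7", "10.0.0.20", 80, FIN | PSH | URG),
    ("10.0.0.7", "10.0.0.20", 443, FIN | PSH | URG),
    ("10.0.0.7", "10.0.0.20", 8080, FIN | PSH | URG),
    ("10.0.0.8", "10.0.0.20", 443, SYN),      # legitimate client: SYN ...
    ("10.0.0.8", "10.0.0.20", 443, ACK),      # ... followed by the handshake ACK
    ("10.0.0.9", "10.0.0.20", 21, SYN),       # SYNs never followed by an ACK
    ("10.0.0.9", "10.0.0.20", 22, SYN),
    ("10.0.0.9", "10.0.0.20", 25, SYN),
    ("10.0.0.9", "10.0.0.20", 80, 0),         # a single null probe, below threshold
]
```

Remember the Windows caveat above: a Windows target answers every FIN, Xmas or null probe as closed, but the probe packets themselves still cross the wire and are still visible to this kind of check.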

NMAP Scan Techniques

• The Ping scan (-sP)
It is one of the quickest scans that nmap performs, since no actual ports are queried. Unlike a port scan where thousands of packets are transferred between two stations, a ping scan requires only two frames. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

NMAP Scan Techniques

• UDP Scan (-sU)
UDP has no need for SYNs, FINs, or any other fancy handshaking. With the UDP protocol, packets are sent and received without warning and prior notice is not usually expected. This lack of a formal communications process greatly simplifies UDP scanning!


NMAP Scan Techniques

• IP Protocol Scan (-sO)

The IP protocol scan is a bit different than the other nmap scans. The IP protocol scan is searching for additional IP protocols in use by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified.

The list of IP protocols is found in the nmap-protocols file. If the nmap-protocols file isn't found, nmap reverts to the /etc/protocols file.

NMAP Scan Techniques

• ACK Scan (-sA)
Nmap's unique ACK scan will never locate an open port. The ACK scan only provides a "filtered" or "unfiltered" disposition because it never connects to an application to confirm an "open" state. At face value this appears to be rather limiting, but in reality the ACK scan can characterize the ability of a packet to traverse firewalls or packet filtered links.

NMAP Scan Techniques

• Window Scan (-sW)

The window scan is similar to an ACK scan, but the window scan has the advantage of identifying open ports. The origins of the window scan can be found in this archive from the nmap-hackers mailing list:

http://seclists.org/lists/nmap-hackers/1999/Jul-Sep/0021.html

NMAP Scan Techniques

• RPC Scan (-sR)

A remote procedure call (RPC) scan is used to locate and identify RPC applications. After open ports are identified with another scan type, the RPC scan sends each open port an RPC null call to provoke a response from any RPC application that might be running. The RPC scan runs automatically during a version scan (-sV).

The RPC scan is referenced as an RPCGrind scan in the nmap output.


NMAP Scan Techniques
• IdleScan (-sI <zombie host:[probeport]>)

Nmap's idlescan is an ingenious way of scanning a remote device. Nmap uses idlescan to gather port information using another station on the network, and it will appear that the scanning process is initiated from this third-party IP address instead of the nmap station. Although this seems complex, it's a simple process of examining IP fragmentation identification sequences and implementing IP address spoofing.