Capital Area Cyber Security User Group CLASS 3 Active Information Gathering the Fine Art of Scanning - PowerPoint PPT Presentation

Presentation Transcript

  1. Capital Area Cyber Security User Group • CLASS 3 • Active Information Gathering: the Fine Art of Scanning

  2. Presenter BIO • Strengths • Weakness • Security Interests • Something Fun

  3. User Group Objective • Give students offensive knowledge to better defend computer networks • Hands-on security training to complement theory; put theories into practice • “Tell me and I'll forget; show me and I may remember; involve me and I'll understand.” • Knowledge sharing: the power of group learning

  4. USER GROUP OBJECTIVE Contd. • Group Exercise: What do you see in the following pictures?

  5. USER GROUP OBJECTIVE Contd. • Increase experience with a multitude of security aspects • Network with other security-minded professionals • Play in a safe lab environment not offered at work or home • Earn CPEs to maintain certifications without high costs • For CISSP • Preparing and presenting a 2 hour presentation = 8 CPEs • Participating 1 hour = 1 CPE • Updating an existing presentation (see the ISC2 chart for specifics)

  6. USER GROUP OBJECTIVE Contd. • Have your questions answered; bring hard issues that require solutions • Improve public speaking and training skills

  7. CEH Certified Ethical Hacker Study Guide Kimberly Graves, 2010 Course Chapters: • Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality • Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering • Chapter 3: Gathering Network and Host Information: Scanning and Enumeration • Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files • Chapter 5: Trojans, Backdoors, Viruses, and Worms • Chapter 6: Gathering Data from Networks: Sniffers • Chapter 7: Denial of Service and Session Hijacking • Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques • Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows • Chapter 10: Wireless Network Hacking • Wi-Fi and Ethernet • Chapter 11: Physical Site Security • Chapter 12: Hacking Linux Systems • Chapter 14: Cryptography • Chapter 15: Performing a Penetration Test

  8. Course Agenda • Class 1: Methodologies and Lab Setup • Class 2: Passive Information Gathering • Class 3: Active Information Gathering (Nessus) • Class 4: Wireless and Wired Network Enumeration • Class 5: Target System Penetration • Class 6: Privilege Escalation, Maintaining Access, and Malware • Class 7: Web Application Penetration • Class 8: Covering Tracks, IDS, Reporting, and Cleanup • Class 9: Metasploit • Class 10: Physical Security (Lock Picking etc.) • Class 11: Capture the Flag

  9. Agenda • Active Information Gathering • Ping • Port Scan • Operating System Fingerprinting • Intrusion Detection Systems • Exercises

  10. DO NOT perform any activities from this course on any network/system or on a network connected device without proper permission! Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and the internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment.

  11. Information Systems Security Assessment Framework (ISSAF)

  12. What We Know via Passive Information Gathering? • Critical Services • Key Employees • Partner Companies • Company Website, IP and email addresses • Physical address and location • Domain names • Types of operating systems, databases, servers, protocols, and programming languages used (basic)

  13. What is Active Information Gathering? • The process of searching for information that an attacker could potentially use to exploit the target network • Identify live systems • Map the network • Types of operating systems, databases, servers, protocols, and programming languages used (in-depth) • Identify system vulnerabilities

  14. Why Do Active Information Gathering? • More information about the target can make the penetration test easier during the later phases • “Know your enemies and know yourself, you will not be imperiled in a hundred battles.” –Sun Tzu, Art of War • “Generally, a hacker spends 90 percent of the time profiling and gathering information on a target and 10 percent of the time launching the attack.” -Kimberly Graves • “Good hackers will spend 90 – 95 percent of their time gathering information for an attack.” -Walker

  15. Why Do Active Information Gathering? • Timing the Attack • Example around patch releases Microsoft Patch Tuesday or Oracle CPU etc. • Off hours such as holidays, vacations, or peak hours

  16. Active vs. Passive Information Gathering • Active • Touch the device/network or talk to employees (e.g. a vulnerability scan) • Passive • Do not communicate with or touch the target, e.g. Google searching for publicly available information

  17. ICMP and Ping • Internet Control Message Protocol (ICMP) is the part of the TCP/IP protocol suite used to send error and diagnostic messages • Ping uses the most common ICMP messages: echo request (type 8) and echo reply (type 0) • Used to verify network connectivity • Sends an echo request to a system and waits for an echo reply (only live systems that are not filtering ICMP respond) • Cannot show which services a system is running

  18. Ping Examples • (Figure: ping output for an active system response next to an inactive system response; source: Build Your Own Security Lab) • Question: What does this image tell you? The system is down, or ICMP is blocked: no reply does not prove the host is off

  19. ICMP Message Types
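The ping exchange from slides 17 to 19 in code, as an added example (not code from the slides or from any ping implementation): it builds an ICMP echo request, verifies the one's-complement checksum on a reply, and matches the reply to its request by identifier and sequence number, which is exactly what ping does. It uses only the Python standard library; the type table is the RFC 792 assignment, and the identifier 0x1234 and payload are constructed values. Sending the packet would need a raw socket (root), so the block stops at building and decoding.

```python
"""Build and decode ICMP echo messages (the packets behind ping), standard library only."""
import struct

# ICMP type numbers from RFC 792 (the table summarised on the ICMP Message Types slide).
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
    13: "timestamp request",
    14: "timestamp reply",
}


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, the checksum used by ICMP, IP and TCP."""
    if len(data) % 2:
        data += b"\x00"                      # odd-length messages are padded for the sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """ICMP echo request (type 8) or echo reply (type 0): type, code, checksum, id, seq, data."""
    icmp_type = 0 if reply else 8
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zero while summing
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # A correct message sums to all ones, so re-checksumming it (stored field included) yields 0.
    return {
        "type": icmp_type,
        "name": ICMP_TYPES.get(icmp_type, "unknown"),
        "code": code,
        "checksum": csum,
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
        "checksum_ok": rfc1071_checksum(packet) == 0,
    }


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """Match an echo reply to the request it answers: ping keys on the id and sequence fields."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == 8 and rep["type"] == 0 and rep["checksum_ok"]
            and rep["id"] == req["id"] and rep["seq"] == req["seq"])


if __name__ == "__main__":
    # Constructed identifier and payload; a real ping uses its PID and a timestamp.
    req = build_echo(ident=0x1234, seq=1, payload=b"abcdefgh")
    rep = build_echo(ident=0x1234, seq=1, payload=b"abcdefgh", reply=True)
    print(parse_icmp(req)["name"], parse_icmp(rep)["name"], is_reply_to(req, rep))
```

A host that is up but drops ICMP never produces the type 0 message, which is why the Ping Examples slide cannot tell "down" from "blocked".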

  20. Ping Sweep • Command-line ping only pings one system at a time • Use a ping sweep to scan a large number of systems • SuperScan • Angry IP Scanner • Nmap • Nmap's -sn option (host discovery, no port scan) sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to find live hosts (when run without root privileges it falls back to TCP connects to ports 80 and 443)

  21. Ping Defenses • Snort rule that catches Nmap-style TCP pings (an ACK segment with acknowledgement number 0); the destination port field and a sid/rev, which Snort requires, were missing from the slide: alert tcp any any -> any any (flags:A; ack:0; msg:"TCP ping detected"; sid:1000001; rev:1;) • Many administrators block ICMP echo from passing the gateway device • Ensure blocked activity is logged and generates notifications • Configure rules, test, and monitor • Disable unneeded services so that TCP-based host discovery has no listener to elicit a reply from • ShieldsUP (GRC) is a web-based scan that shows which ports and services on your machine are reachable from the Internet • Netstat • Currports

  22. Shields Up

  23. Netstat

  24. Currports

  25. Types of Scanning • Port Scanning • Determine Open Ports and Services • Network Scanning • Identify IP address on a network/subnet • Vulnerability Scanning • Discover weaknesses on target systems

  26. Scanning and the Law • Do not scan without permission! • Aggressive scans can crash fragile hosts (an unintended denial of service), and unauthorized scanning can lead to prosecution • Your ISP might drop your scanning attempts and/or blacklist you

  27. CEH Scanning Methodology • Kimberly Graves CEH Book

  28. When to Scan • Determine when to scan • Don’t risk discovery if you already know the host is easy to hack • If a specific host is well guarded, opt for a less guarded host or implement a different strategy such as social engineering

  29. Port Scanning • Port scanning probes the 65,535 TCP and 65,535 UDP ports (1 through 65535) to discover listening services on a target system • An attacker can determine the best means of attacking a system by knowing the open services and their version numbers • Most scans only look at the well-known ports (0 through 1023) first, since those host the services most often attacked • FTP (20/21) • Telnet (23) • SMTP (25) • DNS (53) • TFTP (69) • HTTP (80) • SNMP (161/162)

  30. Ports • Malicious software default ports • port 1095 Remote Administration Tool – RAT • port 7777 Tini • port 31335 Trinoo • port 31337 Back Orifice • Weak protocol ports • FTP (20/21) • Telnet (23) • Common Windows ports

  31. Ports • Common Linux software based ports • Common Apple Used Ports: • Look for software that only runs on a specific O/S

  32. Port States • Open: an application is accepting incoming connections or packets • Closed: reachable, but no application is listening on it (the stack answers with RST) • Filtered: a firewall or filter screens the port, so the probe gets no usable reply • Unfiltered: reachable, no firewall in the way, but the scan type cannot tell whether it is open or closed (the result of an ACK scan) • Open|Filtered: the scan cannot tell whether the port is open or filtered (UDP, FIN, NULL and Xmas scans, where silence is ambiguous) • Closed|Filtered: the scan cannot tell whether the port is closed or filtered (idle scan)

  33. TCP and UDP • Applications use TCP/UDP port numbers so that traffic reaches the correct service • TCP uses a three-way handshake to open a connection and a four-step exchange to close it • A flags field in the TCP header controls communication (URG, ACK, PSH, RST, SYN, FIN) • Nmap manipulates these flags to determine port states and identify live systems • UDP does no handshaking, so it is faster but less reliable and easier to spoof: “fire and forget”

  34. TCP Handshakes • Startup process (three-way handshake): • Client → Server: SYN, sequence # 110 • Server → Client: SYN/ACK, (my) sequence # 225, (your) sequence # 111 (110 + 1) • Client → Server: ACK, (my) sequence # 111, (your) sequence # 226 (225 + 1) • Data • Shutdown process (four steps): • FIN, sequence # 310 • ACK, (your) sequence # 311 (310 + 1) • FIN, (my) sequence # 415 • ACK, (your) sequence # 416 (415 + 1)

  35. TCP Handshakes (Port Numbers in Use)

  36. TCP Flags • SYN – initiates a connection between hosts • ACK – acknowledges received data; set on every segment once the connection is established • PSH – the sender is flushing buffered data; deliver it to the application immediately • URG – the urgent pointer is valid; the flagged data should be processed ahead of the normal stream • FIN – the sender has no more data to transmit • RST – resets (aborts) the connection

  37. Scan Types and Responses • Closed ports answer every probe type (SYN, FIN, NULL, Xmas) with RST • The ACK scan is the exception: both open and closed ports answer it with RST, so it distinguishes unfiltered from filtered ports rather than open from closed; no response at all means filtered

  38. Other Scan Types • RPC scan: determine if open ports are RPC ports • Idle scan: use an idle host (zombie) to bounce packets and make the scan harder to trace • Diagram (attacker, idle host, victim): • The attacker sends an IPID probe to the idle host; the response carries IPID = 12345 • The attacker sends a SYN to the victim with the source address spoofed as the idle host • Closed port: the victim answers the idle host with RST, which the idle host ignores; the next IPID probe returns IPID = 12346 (incremented by 1, from the probe reply alone) • Open port: the victim answers the idle host with SYN/ACK, and the idle host replies with RST, sending one extra packet; the next IPID probe returns IPID = 12347 (incremented by 2)
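The scan-type response matrix of slide 37 and the idle-scan bounce of slide 38, modelled in Python as an added example (this is not code from the slides or from Nmap). `stack_reply` encodes RFC 793 behaviour for a host with no firewall; a firewall that drops probes is simulated with the `filtered` flag rather than modelled in the stack, and the zombie's starting IP ID counter (12345) is a constructed value so the deltas match the slide.

```python
"""Model of how a TCP stack answers scan probes (RFC 793 rules) and how an idle scan reads a zombie's IP ID."""
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the header's flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def stack_reply(flags: int, port_open: bool) -> Optional[int]:
    """Flags of the segment a conforming stack returns for a probe to one port (None = silence).
    A firewall dropping the probe is modelled by the caller, not here."""
    if flags & RST:
        return None                  # a RST is never answered
    if not port_open:
        return RST | ACK             # closed port: RST to anything except RST
    if flags & ACK:
        return RST                   # open port, ACK that belongs to no connection: RST
    if flags & SYN:
        return SYN | ACK             # open port, SYN: second step of the handshake
    return None                      # open port, FIN/NULL/Xmas without ACK: dropped silently


SCAN_PROBES = {"SYN": SYN, "ACK": ACK, "FIN": FIN, "NULL": 0, "XMAS": FIN | PSH | URG}


def classify(scan: str, reply: Optional[int]) -> str:
    """Translate the reply into Nmap's port-state vocabulary."""
    if scan == "ACK":
        return "unfiltered" if reply is not None and reply & RST else "filtered"
    if scan == "SYN":
        if reply is None:
            return "filtered"
        return "open" if (reply & SYN) and (reply & ACK) else "closed"
    # FIN, NULL, Xmas: a RST proves closed, silence is ambiguous
    return "closed" if reply is not None and reply & RST else "open|filtered"


def scan_port(scan: str, port_open: bool, filtered: bool = False) -> str:
    """Run one probe type against one (simulated) port and report the state."""
    probe = SCAN_PROBES[scan]
    reply = None if filtered else stack_reply(probe, port_open)
    return classify(scan, reply)


@dataclass
class IdleHost:
    """A zombie with a global, incrementing IP ID: every packet it sends exposes the counter."""
    ipid: int = 12345                # constructed starting value, as on the slide

    def send(self) -> int:
        self.ipid += 1
        return self.ipid

    def receive(self, flags: int) -> None:
        # An unsolicited SYN/ACK is answered with RST (one packet sent); an unsolicited RST is ignored.
        if flags & SYN and flags & ACK:
            self.send()


def idle_scan(zombie: IdleHost, victim_port_open: bool) -> str:
    """The three steps of the slide: probe the zombie, bounce a spoofed SYN off the victim, probe again."""
    before = zombie.send()                        # 1. SYN/ACK to zombie -> RST carrying IP ID n
    reply = stack_reply(SYN, victim_port_open)    # 2. SYN to victim, source forged as the zombie
    if reply is not None:
        zombie.receive(reply)                     #    the victim's reply goes to the zombie, not to us
    after = zombie.send()                         # 3. SYN/ACK to zombie again -> RST with IP ID n+1 or n+2
    return "open" if after - before == 2 else "closed|filtered"


if __name__ == "__main__":
    for scan in SCAN_PROBES:
        print(scan, "open port ->", scan_port(scan, True), "| closed port ->", scan_port(scan, False))
    print("idle scan, open port ->", idle_scan(IdleHost(), True))
```

The model makes the two caveats of the slides concrete: an ACK scan can never say "open", and an idle scan cannot tell a closed port from a filtered one because both leave the zombie's counter advancing by one.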

  39. Port Scanning Tools • GUI-based • Nmap (via Zenmap), SuperScan • Command line-based • Nmap, hping2 • Nmap is an open source network mapping and security auditing tool that crafts raw IP packets to gain information about active systems

  40. Nmap TCP Full Connect Example • Basic scan options: • -sS (TCP SYN, “half-open”: sends a SYN, reads the SYN/ACK or RST, then tears the attempt down with a RST; needs raw-socket/root privileges) • -sT (TCP full connect: uses the operating system's connect() call and completes the three-way handshake; works unprivileged but the connection is visible to the service and its logs)
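A minimal full-connect (-sT style) scanner, added here as an example (not Nmap's code and not from the slides): it classifies ports from what the operating system's connect() call reports, which is all a full-connect scan can see. So that it runs offline, it starts its own throw-away listener on 127.0.0.1 to serve as the "open" port and reserves and releases an ephemeral port to serve as the "closed" one; both ports are therefore assumptions of this example, not fixed numbers.

```python
"""TCP connect() scan, the -sT technique: the OS completes the three-way handshake for us."""
import socket
import threading
from typing import Dict, Iterable


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind an ephemeral port and accept connections in the background (stands in for a live service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break              # listener closed, stop serving
            conn.close()           # the scanner already saw the handshake complete

    threading.Thread(target=serve, daemon=True).start()
    return srv


def find_closed_port(host: str = "127.0.0.1") -> int:
    """Reserve an ephemeral port and release it, giving the scan a known-closed port to hit."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one port the way a full-connect scan does, from the outcome of connect()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                      # SYN -> SYN/ACK -> ACK completed
        except ConnectionRefusedError:
            return "closed"                    # SYN was answered with RST
        except socket.timeout:
            return "filtered"                  # SYN dropped silently
        except OSError:
            return "filtered"                  # ICMP unreachable or routing error


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan a list of ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


if __name__ == "__main__":
    srv = start_listener()
    target_ports = [srv.getsockname()[1], find_closed_port()]
    for port, state in connect_scan("127.0.0.1", target_ports).items():
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

Because connect() finishes the handshake, every "open" result here leaves an accepted connection in the target service's logs; that is the trade-off the slide's -sS option avoids by answering the SYN/ACK with a RST instead.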

  41. Nmap switches: • Ping options • Scan types • Output • Scan speed

  42. Zenmap • The free cross-platform Nmap GUI • Additional features: • Save scan results • Save scan options for repetitive scans • Sort scans by host, port, and service • Display scan results in a more user-friendly format • Display a visual interpretation of traceroute

  43. Hping2
      root@bt:~# hping2 --scan 1-445 -S localhost
      Scanning localhost (, port 1-445
      445 ports to scan, use -V to see all the replies
      +----+-----------+---------+---+-----+-----+
      |port| serv name | flags |ttl| id | win |
      +----+-----------+---------+---+-----+-----+
      111 sunrpc : .S..A... 64 0 32792
      All replies received. Done.
      Not responding ports:
  • The flags column .S..A... is SYN and ACK set: the SYN probe to port 111 (sunrpc) got the second step of the handshake, so the port is open; every other port in 1-445 answered RST or nothing

  44. Defend Against Port Scanning • Only keep necessary ports open • Periodically check for open ports and close unused ports • Employee policies, training, and rules of behavior • Filter traffic through a stateful inspection firewall • IDS • Change service banners so that they return incorrect information

  45. Active OS Fingerprinting • Find high-value targets and/or weak targets • Actively craft and send IP packets to the target to elicit responses that identify the host operating system • FIN probe, ACK value, bogus flag probe • More accurately determines the target OS than passive methods • Nmap's -O option and xprobe2 actively identify operating systems • The target can more easily detect active OS fingerprinting scans

  46. Passive Stack Fingerprinting • Stealthier by examining traffic on the network • Sniffing vs. Scanning • Less accurate

  47. Nmap Fingerprinting • The -O option matches response packets against a database of known operating system fingerprints • Nmap's -sV option probes open ports and identifies service names, versions and banners • Limiters to speed up scans: • --osscan-limit (only fingerprint hosts with at least one open and one closed port) • --max-os-tries (how many times to retry when the fingerprint is inconclusive)

  48. Defending Against OS Fingerprinting • Block unneeded or suspicious traffic at the firewall • Use an Intrusion Detection System (IDS) • Set access control lists (ACLs) on routers to block suspicious traffic

  49. Intrusion Detection Systems • Intrusion detection systems (IDSs): • Inspect network/host activity • Identify suspicious traffic and anomalies • Snort, Suricata • Two categories of IDS: • Network-based intrusion detection systems • Host-based intrusion detection systems • IDSs are usually made of multiple software applications and/or hardware devices with the following systems • Network sensors • Central monitoring system • Report analysis • Database and storage components • Response box

  50. IDS Engines • Types of intrusion detection system engines or methods: • Signature-based: compare traffic against known attack patterns and alert if matched • Anomaly-based: learn what traffic is characteristic for the network, let characteristic traffic pass and alert on what is uncharacteristic
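Both engines of slide 50 run over the same packet stream, as an added example that is not code from the slides, from Snort or from Suricata. The signature engine turns the Snort rule quoted on the Ping Defenses slide (ACK flag set, acknowledgement number 0) into a predicate; the anomaly engine learns from baseline traffic how many distinct targets one source normally touches and alerts on a source far above that. The packet records and addresses are constructed for this example, and the 3x threshold factor is an arbitrary choice, not a tuning recommendation.

```python
"""Two IDS engines over one packet stream: a signature match and an anomaly baseline."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int
    ack_num: int = 0


# Signature engine: each rule is a predicate over one packet, the way the Snort
# rule "flags:A; ack:0; msg:TCP ping detected" describes one packet shape.
SIGNATURES: Dict[str, Callable[[Packet], bool]] = {
    "TCP ping detected": lambda p: p.flags == ACK and p.ack_num == 0,
    "Xmas scan probe": lambda p: (p.flags & (FIN | PSH | URG)) == (FIN | PSH | URG),
    "NULL scan probe": lambda p: p.flags == 0,
}


def signature_engine(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Alert on every packet that matches a known pattern ('if matched')."""
    return [(p.src, msg) for p in packets for msg, matches in SIGNATURES.items() if matches(p)]


# Anomaly engine: learn how many distinct (host, port) pairs a source normally
# touches, then alert on sources that exceed that by a wide margin.
def distinct_targets(packets: List[Packet]) -> Dict[str, int]:
    seen = defaultdict(set)
    for p in packets:
        seen[p.src].add((p.dst, p.dport))
    return {src: len(targets) for src, targets in seen.items()}


def anomaly_engine(baseline: List[Packet], observed: List[Packet],
                   factor: float = 3.0) -> List[Tuple[str, str]]:
    """The baseline defines 'characteristic'; anything far above it is 'uncharacteristic'."""
    threshold = factor * max(distinct_targets(baseline).values(), default=1)
    return [(src, f"possible port scan: {n} distinct targets, threshold {threshold:.0f}")
            for src, n in distinct_targets(observed).items() if n > threshold]


# Constructed sample traffic (not captured from any real network): three office
# clients touch one or two services; 192.0.2.9 sweeps ports 1-40 and sends a TCP ping.
BASELINE = [
    Packet("10.0.0.5", "10.0.0.80", 80, SYN),
    Packet("10.0.0.5", "10.0.0.80", 443, SYN),
    Packet("10.0.0.6", "10.0.0.80", 443, SYN),
    Packet("10.0.0.6", "10.0.0.80", 443, ACK, ack_num=4242),   # ordinary ACK: ack != 0, no alert
    Packet("10.0.0.7", "10.0.0.81", 22, SYN),
]
OBSERVED = (BASELINE
            + [Packet("192.0.2.9", "10.0.0.80", port, SYN) for port in range(1, 41)]
            + [Packet("192.0.2.9", "10.0.0.80", 80, ACK, ack_num=0)])


if __name__ == "__main__":
    for alert in signature_engine(OBSERVED) + anomaly_engine(BASELINE, OBSERVED):
        print(alert)
```

The two engines fail in opposite ways: the signature engine sees nothing without a rule for it (a SYN sweep at one port per minute triggers none of the three rules), while the anomaly engine flags the sweep without knowing what it is but would also flag a legitimate new backup host, so production IDSs such as Snort and Suricata combine both.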