Computer Network Security

Transcription

Computer Network SecurityìCOMP 178 Spring 2022 University of the Pacific Jeff ShaferPenetration Testing:Scanning

2Stages of an AttackReconnaissanceCovering TracksMaintainingAccessComputer Network SecurityScanningExploitationSpring 2022

3Stages of a Pen Computer Network SecurityScanningExploitationSpring 2022

4Reconnaissanceì Investigating the target from public sourcesì What did we learn?ì Profile of company (marketplace, locations of majoroperations, executive/leadership team, major technologyplatforms)ì Lists of “interesting systems” to investigateì IP subnets owned/operated by targetì Only interacted with target systems in the same way alegitimate customer/user wouldìComputer Network Securitye.g., Viewing their websiteSpring 2022

5Next Step: Scanningì Active network probing in detailì Information of interestì Network addresses of hosts, categorized by purpose(servers, clients, routers, firewalls, )ì Network topologyì Operating systems of active hostsì Network services and open ports of hostsì Vulnerabilities of hostsComputer Network SecuritySpring 2022

6ScanningMinimize risks to hosts andnetwork services duringscanning phaseComputer Network SecuritySpring 2022

7Types of Network Scansì Sweeps/Tracesì Send out a small number of probes to each IPaddress and listen for replyì Make note of active systemsì Attempt to deduce network topologySweepComputer Network SecurityPort ScanFingerprintingVulnsSpring 2022

8Types of Network Scansì Port scansì Send out a larger number of probes to each active IPaddress and listen for replyì Make note of TCP and UDP ports that are listeningSweepComputer Network SecurityPort ScanFingerprintingVulnsSpring 2022

9Types of Network Scansì OS Fingerprinting and Version Scanningì Send a larger number of probes to active hosts withlistening portsì Deduce the operating system of the host by closelyexamining the repliesì Deduce the installed software and version of activenetwork services on the hostSweepComputer Network SecurityPort ScanFingerprintingVulnsSpring 2022

10Types of Network Scansì Vulnerability Scanningì Armed with lists of active hosts, their OS, andnetwork services, check for known vulnerabilities orcommon misconfigurationsSweepComputer Network SecurityPort ScanFingerprintingVulnsSpring 2022

11Scan Challengesì The more detailed the network scan, the slower it willbeììììDetecting a host is up: At little as one ICMP ping; fire andforget!Detecting a port is open: One packet per port (65,535 ifyou scan them all) x 2 (TCP UDP)Detecting versions (of OS or network services): Dozens of packets per service, having a “legitimate” conversationwith the service in the expected mannerVulnerability scanning: Even slowerì Often send multiple probes to each host & port in caseof packet lossComputer Network SecuritySpring 2022

12Scan Challengesì Setting your network scanner to MAX DETAILS willnot produce results in a timely mannerì 100 IPs and potential hosts? Ok .ì 10,000? 100,000? Days! Need to refine yourtechniqueì Iterative approach (sweeps before targeted scans)ì Reduce specific ports scanned?ì Pros: Fasterì Cons: Might miss obscure (but vulnerable) portsComputer Network SecuritySpring 2022

13Common TCP Portsì FTP – 21ì NetBIOS over TCP – 135,137ì SSH – 22ì HTTPS – 443ì Telnet – 23ì SMB over TCP - 445ì SMTP – 25ì HTTP – 80Computer Network SecuritySpring 2022

14Faster Scanners - ZMapExtreme example of tradeoff between speed and detailZMap is a fast single-packet networkscanner optimized for Internet-wide networksurveys. On a computer with a gigabitconnection, ZMap can scan the entire publicIPv4 address space in under 45 minutes.With a 10gigE connection and PF RING,ZMap can scan the IPv4 address space in 5minutes.Is this a scan or a DOS attack?Computer Network Securityhttps://zmap.io/Spring 2022

15Scanning MechanicsComputer Network SecurityìSpring 2022

16Nmapì Nmap (“Network mapper”) is a tool for networkdiscovery and security auditingì Many scanning possibilitiesì What hosts are on the network?ì What services (app name & version) are theyoffering?ì What OS version are they running?ì What packet filters / firewalls are in use?Computer Network Securityhttps://nmap.org/Spring 2022

17NmapCommand Line (nmap)Computer Network SecurityGUI (zenmap)Spring 2022

18Target Specificationì What systems do I want to scan?ì {target specification}ì Hostnames: scanme.nmap.orgì Challenge that one hostname might map to multiplesystems (i.e. web servers behind a proxy)ì Not preferred for serious analysisì IP address(es) - either a single IP or a rangeì 192.168.0.1ì 192.168.0.0/24ì 10.0.0-255.1-254 (aka 10.0.0.0/16)Computer Network SecuritySpring 2022

19Scanning Mechanicsì Host Detectionì How do we detect if a host is active?ì Even if it is nominally configured to hide its presenceì Port Detectionì How do we detect if a port is open/listening?Computer Network SecuritySpring 2022

20Host Detectionì What hosts are on the network?nmap –sn [options] {target specification}root@kali: # nmap -sn scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 20:04Nmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.00014s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:Nmap done: 1 IP address (1 host up) bb2f scanned in 0.16Computer Network SecuritySpring 2022

21Host DetectionRoot UserUnprivileged UserìAbility to generate arbitrarypacketsìLimited to normal networksockets (i.e. connect() )ìSame subnet?ìTCP SYN to port 80ìTCP SYN to port 443ìììARP request for IPDNS Reverse LookupDifferent subnet?ìììììICMP Echo RequestICMP TimestampTCP SYN to port 443 (HTTPS)TCP ACK to port 80 (HTTP)DNS Reverse LookupComputer Network SecurityBurst in tmlCan customize –these defaults willnot detect all hostsSpring 2022

22TCP Port Detectionì What TCP ports are open on a host?nmap –sT [options] {target specification}nmap –sS [options] {target specification}root@kali: # nmap -sT scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 21:29 PSTNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.033s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 992 closed portsPORTSTATESERVICE22/tcpopenssh25/tcpfiltered smtp80/tcpopenhttp135/tcpfiltered msrpc139/tcpfiltered netbios-ssn445/tcpfiltered microsoft-ds9929/tcp opennping-echo31337/tcp openEliteComputer Network SecuritySpring 2022

23TCP Port Scan - Connectì TCP Connect scan (-sT)ì Can be run without rootNmapSYNprivilegesìTargetSYN-ACKUses OS connect()ACKì Less efficient(more packets required)RESETì Often logged by targetmachine as a connectionfailureComputer Network -scan.htmlSpring 2022

24TCP Port Scan – SYN ScanìTCP SYN scan (-sS)ììAka “half-open scanning”NmapDefault if you don’t specifyscan type / recommendedìRequires root privileges togenerate packetsìMore efficient / fewer packetsìLess likely to be logged bytarget system (no connection s still detect itComputer Network Securityhttps://nmap.org/book/synscan.htmlSpring 2022

25TCP Port Detectionì Possible TCP port states from scanningìOpen : Nmap confirmed there is an application listeningfor packets on that portì Nmap sent SYN, target responded SYN-ACKìClosed : Nmap confirmed there is not an applicationlistening for packets on that portì Nmap sent SYN, target responded RSTìFiltered : Nmap could not confirm port is open or closedì Nmap sent SYN, target responded [radio silence]ì Likely firewall blocking scan (intentionally muddyingresults and slowing down scanning considerably)Computer Network SecuritySpring 2022

26TCP Port Scan – SYN ScanOpen:Closed:Filtered:Computer Network Securityhttps://nmap.org/book/synscan.htmlSpring 2022

27TCP Port Detectionì Why were these ports filteredì TCP 25: SMTPwhen I ran this scan at home?(AT&T Uverse)ì TCP 135 : RPCroot@kali: # nmap -sT pfiltered smtp80/tcpopenhttp135/tcpfiltered msrpc139/tcpfiltered netbios-ssn445/tcpfiltered microsoft-ds9929/tcp opennping-echo31337/tcp openEliteì TCP 445 : SMBComputer Network Securityì TCP 139 : NetBIOSì Bad history of malwareabusing these services onunsuspecting(unsophisticated) homeusers!ìAT&T blocking? Spring 2022

28TCP Port Detectionì Result of identical scan, but from an EC2 virtual machine (AWS)ubuntu@ip-172-31-52-244: nmap -sT scanme.nmap.orgStarting Nmap 7.60 ( https://nmap.org ) at 2020-01-27 07:22 UTCNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.021s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 996 closed portsPORTSTATE SERVICE22/tcpopen ssh80/tcpopen http9929/tcp open nping-echo31337/tcp open Elite Usefulsecondslesson about whereNmap done: 1 IP address (1 host up) scanned in 0.73Computer Network Securityyou are scanning from?Spring 2022

29UDP Port Detectionì What UDP ports are open on a host?nmap –sU [options] {target specification}root@kali: # nmap -sU scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 21:31 PSTNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.0043s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 999 open filtered portsPORTSTATE SERVICE123/udp open ntpNmap done: 1 IP address (1 host up) scanned in 4.25 secondsComputer Network n.htmlSpring 2022

30UDP Port Detectionì Sends a UDP packet to each port in a scan and listens forany replyì Empty payload for most portsì Hard to know what to send to a mystery applicationì Big challenge – most applications will just discard/ignorean empty UDP packetì Protocol-specific payload for a few specific ports to elicitmore replies (sneaky!)ìììComputer Network SecurityUDP 53 (DNS)UDP 161 (SNMP) Spring 2022

31UDP Port Detectionì Possible UDP port states from scanningì Open : Nmap sent packet, target responded withany UDP packetì Open Filtered : Nmap sent packet, no responsefrom target (even after retransmissions)ì Closed : Nmap sent packet, target responded withICMP port unreachable (type 3, code 3)ì Filtered : Nmap sent packet, target responded withICMP unreachable (type 3, other codes)Computer Network SecuritySpring 2022

32Port DetectionTable 6.1. Required --top-ports values for reaching various effectiveness levelsì Nmap does not scan allports by default!ììììChecking all 65,535 ports isslooooooooow and nearlyall are closedOnly most popular 1000ports are checked bydefaultGood odds for TCP, less sofor UDPScanned in random orderComputer Network SecurityTCP portsrequiredEffectivenessUDP r-portsSpring 2022

33Port Detectionì Can override with --top-ports n optionì Can reduce to top 100 ports with -F (fast mode)ì Can specify specific ports with -p optionì A single port: -p 80ì A list: -p 80,443ì A range: -p 0-65535ì UDP port scans can be improved with version detection(-sV) because the probes sent are tailored to thespecific application that typically listens on that portComputer Network SecuritySpring 2022

34OS Detectionì What operating systems are on the network?nmap –O [options] {target specification}Computer Network Securityroot@kali: # nmap -O scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 20:19 PSTNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.027s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 992 closed 29/tcp opennping-echo31337/tcp openEliteDevice type: general purposeRunning: Microsoft Windows XP 7 2012OS CPE: cpe:/o:microsoft:windows xp::sp3cpe:/o:microsoft:windows 7 cpe:/o:microsoft:windows server 2012OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 orWindows 7 or Windows Server 2012Spring 2022

35OS Detectionì Purposes of OS detection?ì Check if hosts are vulnerable to known exploitsì Inventory of systems on networkì Detect unauthorized devices on the network (e.g.wireless access point)Computer Network SecuritySpring 2022

36OS Detectionì How is the OS detected?ì “Nmap OS fingerprinting works by sending up to 16TCP, UDP, and ICMP probes to known open andclosed ports of the target machine. These probes arespecially designed to exploit various ambiguities inthe standard protocol RFCs. Then Nmap listens forresponses. Dozens of attributes in those responsesare analyzed and combined to generate afingerprint. Every probe packet is tracked and resentat least once if there is no response.”More info: r Network SecuritySpring 2022

37Service & Version Detectionì Final main piece of Nmap functionalityì Key challenges remainingì If a service is listening on TCP Port 80, are we sureit’s a web server? (Nmap port scan will label it httpwithout any verification)ì If some service is listening on nonstandard port12345, what is it?ì Can we find more details about the specific serviceapplication and its version number?Computer Network SecuritySpring 2022

38Service & Version Detectionì What services are on the network?nmap –sV [options] {target specification}root@kali: # nmap -sV scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 20:35 PSTNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.084s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 992 closed portsPORTSTATESERVICEVERSION22/tcpopensshOpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13(Ubuntu Linux; protocol 2.0)80/tcpopenhttpApache httpd 2.4.7 ((Ubuntu))9929/tcp opennping-echoNping echo31337/tcp opentcpwrappedService Info: OS: Linux; CPE: cpe:/o:linux:linux kernelComputer Network SecuritySpring 2022

39Doing it ALL(Host Port OS Version scripts)nmap –A [options] {target specification}ubuntu@ip-172-31-52-244: nmap -A scanme.nmap.orgStarting Nmap 7.60 ( https://nmap.org ) at 2020-01-27 08:22 UTCNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.021s latency).Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2fNot shown: 996 closed portsPORTSTATE SERVICEVERSION22/tcpopen sshOpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0) ssh-hostkey: 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA) 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA) 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA) 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (EdDSA)80/tcpopen httpApache httpd 2.4.7 ((Ubuntu)) http-server-header: Apache/2.4.7 (Ubuntu) http-title: Go ahead and ScanMe!9929/tcp open nping-echo Nping echo31337/tcp open tcpwrappedService Info: OS: Linux; CPE: cpe:/o:linux:linux kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 12.26 secondsSpring 2022Big drawback for always using -A: 12.26 seconds vs 0.38 seconds for –sT for ONE HOSTComputer Network Security

40Nmap Tips and Tricksì How close is my scan to finishing?ì Press any key while running to see current status(runtime, hosts scanned, hosts up, )ì How do I get more information / more debugginginformation?ìììComputer Network SecurityPress v or d while running to increase verbosity /debugging levelPress shift-v or shift-d while running to decreaseverbosity / debugging levelUse the --packet-trace option to see all packetssentSpring 2022

41Nmap Tips and Tricksì How do I control the speed at which Nmap scans?nmap -T[time option] [opt] {target}ì “Timing Templates”ì -T0: Paranoid: 300s between probes Sufficiently slowthat IDS won’tì -T1: Sneaky: 15s between probesdetect scan?ì -T2: Polite: 0.4s between probesì -T3: Normal (default)ì -T4: Aggressive: More parallelism, shorter timeoutsConsider -T4 for LANì -T5: Insane: MOAR!!Computer Network emplates.htmlSpring 2022

42Nmap Tips and TricksìHow do I control the Nmap output format?nmap -o[output option] [opt] {target}ìOutput FormatsììììììNo option – Default human-readable option-oN [filename] – Similar output saved to file-oX [filename] – XML output, easily imported-oG [filename] – “Grepable” single-line-per-host-oA [dirname] – Normal XML Grepable in a directory-oS [filename] – sCRiPt KiDDi3 0utPU ì This format is provided for the l33t haXXorZ! JComputer Network Securityhttps://nmap.org/book/output.htmlSpring 2022

43Nmap Tips and Tricksì Why did Nmap mark that port as open, closed,filtered, ?nmap --reason [opt] {target}root@kali: # nmap -sT --reason scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 20:09 PSTNmap scan report for scanme.nmap.org (45.33.32.156)Host is up, received reset ttl 128 (0.043s latency).Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2fNot shown: 992 closed portsReason: 992 -ack25/tcpfiltered d msrpcno-response139/tcpfiltered netbios-ssn no-response445/tcpfiltered microsoft-ds no-response9929/tcp opennping-echosyn-ack31337/tcp openElitesyn-ackComputer Network SecuritySpring 2022

44Nmap Tips and TricksìHow do I reduce the scan time?ìOmit non-critical testsììììSkip the port scan (-sn) when you only need to know what hosts are onlineLimit the number of ports scannedSkip advanced scan types (-sC, -sV, -O, --traceroute, and -A)Turn off DNS resolution when it isn't necessaryìNmap does reverse DNS lookup against every host by defaultìOptimize Timing Parameters (-T templates)ìSeparate and Optimize UDP ScansìScan From a Favorable Network LocationìComputer Network SecurityInside the LAN is almost always pring 2022

Nmap ìNmap (“Network mapper”) is a tool for network discovery and security auditing . ìPossible TCP port states from scanning ì Open: Nmap confirmed t