WIXLIB

Computer Network SecurityìCOMP 178 Spring 2021 University of the Pacific Jeff ShaferPenetration Testing:Scanning

2Stages of an AttackReconnaissanceCovering TracksMaintainingAccessComputer Network SecurityScanningExploitationSpring 2021

3Stages of a Pen Computer Network SecurityScanningExploitationSpring 2021

4Reconnaissanceì Investigating the target from public sourcesì What did we learn?ì Profile of company (marketplace, locations of majoroperations, executive/leadership team, major technologyplatforms)ì Lists of “interesting systems” to investigateì IP subnets owned/operated by targetì Only interacted with target systems in the same way alegitimate customer/user wouldìComputer Network Securitye.g., Viewing their websiteSpring 2021

5Next Step: Scanningì Active network probing in detailì Information of interestì Network addresses of hosts, categorized by purpose(servers, clients, routers, firewalls, )ì Network topologyì Operating systems of active hostsì Network services and open ports of hostsì Vulnerabilities of hostsComputer Network SecuritySpring 2021

6ScanningMinimize risks to hosts andnetwork services duringscanning phaseComputer Network SecuritySpring 2021

7Types of Network Scansì Sweeps/Tracesì Send out a small number of probes to each IPaddress and listen for replyì Make note of active systemsì Attempt to deduce network topologySweepComputer Network SecurityPort ScanFingerprintingVulnsSpring 2021

8Types of Network Scansì Port scansì Send out a larger number of probes to each active IPaddress and listen for replyì Make note of TCP and UDP ports that are listeningSweepComputer Network SecurityPort ScanFingerprintingVulnsSpring 2021

9Types of Network Scansì OS Fingerprinting and Version Scanningì Send a larger number of probes to active hosts withlistening portsì Deduce the operating system of the host by closelyexamining the repliesì Deduce the installed software and version of activenetwork services on the hostSweepComputer Network SecurityPort ScanFingerprintingVulnsSpring 2021

10Types of Network Scansì Vulnerability Scanningì Armed with lists of active hosts, their OS, andnetwork services, check for known vulnerabilities orcommon misconfigurationsSweepComputer Network SecurityPort ScanFingerprintingVulnsSpring 2021

11Scan Challengesì The more detailed the network scan, the slower it willbeììììDetecting a host is up: At little as one ICMP ping; fire andforget!Detecting a port is open: One packet per port (65,535 ifyou scan them all) x 2 (TCP UDP)Detecting versions (of OS or network services): Dozens of packets per service, having a “legitimate” conversationwith the service in the expected mannerVulnerability scanning: Even slowerì Often send multiple probes to each host & port in caseof packet lossComputer Network SecuritySpring 2021

12Scan Challengesì Setting your network scanner to MAX DETAILS willnot produce results in a timely mannerì 100 IPs and potential hosts? Ok .ì 10,000? 100,000? Days! Need to refine yourtechniqueì Iterative approach (sweeps before targeted scans)ì Reduce specific ports scanned?ì Pros: Fasterì Cons: Might miss obscure (but vulnerable) portsComputer Network SecuritySpring 2021

13Common TCP Portsì FTP – 21ì NetBIOS over TCP – 135,137ì SSH – 22ì HTTPS – 443ì Telnet – 23ì SMB over TCP - 445ì SMTP – 25ì HTTP – 80Computer Network SecuritySpring 2021

14Faster Scanners - ZMapExtreme example of tradeoff between speed and detailZMap is a fast single-packet networkscanner optimized for Internet-wide networksurveys. On a computer with a gigabitconnection, ZMap can scan the entire publicIPv4 address space in under 45 minutes.With a 10gigE connection and PF RING,ZMap can scan the IPv4 address space in 5minutes.Is this a scan or a DOS attack?Computer Network Securityhttps://zmap.io/Spring 2021

15Scanning MechanicsComputer Network SecurityìSpring 2021

16Nmapì Nmap (“Network mapper”) is a tool for networkdiscovery and security auditingì Many scanning possibilitiesì What hosts are on the network?ì What services (app name & version) are theyoffering?ì What OS version are they running?ì What packet filters / firewalls are in use?Computer Network Securityhttps://nmap.org/Spring 2021

17NmapCommand Line (nmap)Computer Network SecurityGUI (zenmap)Spring 2021

18Target Specificationì What systems do I want to scan?ì {target specification}ì Hostnames: scanme.nmap.orgì Challenge that one hostname might map to multiplesystems (i.e. web servers behind a proxy)ì Not preferred for serious analysisì IP address(es) - either a single IP or a rangeì 192.168.0.1ì 192.168.0.0/24ì 10.0.0-255.1-254 (aka 10.0.0.0/16)Computer Network SecuritySpring 2021

19Scanning Mechanicsì Host Detectionì How do we detect if a host is active?ì Even if it is nominally configured to hide its presenceì Port Detectionì How do we detect if a port is open/listening?Computer Network SecuritySpring 2021

20Host Detectionì What hosts are on the network?nmap –sn [options] {target specification}root@kali: # nmap -sn scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 20:04Nmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.00014s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:Nmap done: 1 IP address (1 host up) bb2f scanned in 0.16Computer Network SecuritySpring 2021

21Host DetectionRoot UserUnprivileged UserìAbility to generate arbitrarypacketsìLimited to normal networksockets (i.e. connect() )ìSame subnet?ìTCP SYN to port 80ìTCP SYN to port 443ìììARP request for IPDNS Reverse LookupDifferent subnet?ìììììICMP Echo RequestICMP TimestampTCP SYN to port 443 (HTTPS)TCP ACK to port 80 (HTTP)DNS Reverse LookupComputer Network SecurityBurst in tmlCan customize –these defaults willnot detect all hostsSpring 2021

22TCP Port Detectionì What TCP ports are open on a host?nmap –sT [options] {target specification}nmap –sS [options] {target specification}root@kali: # nmap -sT scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 21:29 PSTNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.033s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 992 closed portsPORTSTATESERVICE22/tcpopenssh25/tcpfiltered smtp80/tcpopenhttp135/tcpfiltered msrpc139/tcpfiltered netbios-ssn445/tcpfiltered microsoft-ds9929/tcp opennping-echo31337/tcp openEliteComputer Network SecuritySpring 2021

23TCP Port Scan - Connectì TCP Connect scan (-sT)ì Can be run without rootNmapSYNprivilegesìTargetSYN-ACKUses OS connect()ACKì Less efficient(more packets required)RESETì Often logged by targetmachine as a connectionfailureComputer Network -scan.htmlSpring 2021

24TCP Port Scan – SYN ScanìTCP SYN scan (-sS)ììAka “half-open scanning”NmapDefault if you don’t specifyscan type / recommendedìRequires root privileges togenerate packetsìMore efficient / fewer packetsìLess likely to be logged bytarget system (no connection s still detect itComputer Network Securityhttps://nmap.org/book/synscan.htmlSpring 2021

25TCP Port Detectionì Possible TCP port states from scanningìOpen : Nmap confirmed there is an application listeningfor packets on that portì Nmap sent SYN, target responded SYN-ACKìClosed : Nmap confirmed there is not an applicationlistening for packets on that portì Nmap sent SYN, target responded RSTìFiltered : Nmap could not confirm port is open or closedì Nmap sent SYN, target responded [radio silence]ì Likely firewall blocking scan (intentionally muddyingresults and slowing down scanning considerably)Computer Network SecuritySpring 2021

26TCP Port Scan – SYN ScanOpen:Closed:Filtered:Computer Network Securityhttps://nmap.org/book/synscan.htmlSpring 2021

27TCP Port Detectionì Why were these ports filteredì TCP 25: SMTPwhen I ran this scan at home?(AT&T Uverse)ì TCP 135 : RPCroot@kali: # nmap -sT pfiltered smtp80/tcpopenhttp135/tcpfiltered msrpc139/tcpfiltered netbios-ssn445/tcpfiltered microsoft-ds9929/tcp opennping-echo31337/tcp openEliteì TCP 445 : SMBComputer Network Securityì TCP 139 : NetBIOSì Bad history of malwareabusing these services onunsuspecting(unsophisticated) homeusers!ìAT&T blocking? Spring 2021

28TCP Port Detectionì Result of identical scan, but from an EC2 virtual machine (AWS)ubuntu@ip-172-31-52-244: nmap -sT scanme.nmap.orgStarting Nmap 7.60 ( https://nmap.org ) at 2020-01-27 07:22 UTCNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.021s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 996 closed portsPORTSTATE SERVICE22/tcpopen ssh80/tcpopen http9929/tcp open nping-echo31337/tcp open Elite Usefulsecondslesson about whereNmap done: 1 IP address (1 host up) scanned in 0.73Computer Network Securityyou are scanning from?Spring 2021

29UDP Port Detectionì What UDP ports are open on a host?nmap –sU [options] {target specification}root@kali: # nmap -sU scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 21:31 PSTNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.0043s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 999 open filtered portsPORTSTATE SERVICE123/udp open ntpNmap done: 1 IP address (1 host up) scanned in 4.25 secondsComputer Network n.htmlSpring 2021

30UDP Port Detectionì Sends a UDP packet to each port in a scan and listens forany replyì Empty payload for most portsì Hard to know what to send to a mystery applicationì Big challenge – most applications will just discard/ignorean empty UDP packetì Protocol-specific payload for a few specific ports to elicitmore replies (sneaky!)ìììComputer Network SecurityUDP 53 (DNS)UDP 161 (SNMP) Spring 2021

31UDP Port Detectionì Possible UDP port states from scanningì Open : Nmap sent packet, target responded withany UDP packetì Open Filtered : Nmap sent packet, no responsefrom target (even after retransmissions)ì Closed : Nmap sent packet, target responded withICMP port unreachable (type 3, code 3)ì Filtered : Nmap sent packet, target responded withICMP unreachable (type 3, other codes)Computer Network SecuritySpring 2021

32Port DetectionTable 6.1. Required --top-ports values for reaching various effectiveness levelsì Nmap does not scan allports by default!ììììChecking all 65,535 ports isslooooooooow and nearlyall are closedOnly most popular 1000ports are checked bydefaultGood odds for TCP, less sofor UDPScanned in random orderComputer Network SecurityTCP portsrequiredEffectivenessUDP r-portsSpring 2021

33Port Detectionì Can override with --top-ports n optionì Can reduce to top 100 ports with -F (fast mode)ì Can specify specific ports with -p optionì A single port: -p 80ì A list: -p 80,443ì A range: -p 0-65535ì UDP port scans can be improved with version detection(-sV) because the probes sent are tailored to thespecific application that typically listens on that portComputer Network SecuritySpring 2021

34OS Detectionì What operating systems are on the network?nmap –O [options] {target specification}Computer Network Securityroot@kali: # nmap -O scanme.nmap.orgStarting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 20:19 PSTNmap scan report for scanme.nmap.org (45.33.32.156)Host is up (0.027s latency).Other addresses for scanme.nmap.org (not scanned):2600:3c01::f03c:91ff:fe18:bb2fNot shown: 992 closed 29/tcp opennping-echo31337/tcp openEliteDevice type: general purposeRunning: Microsoft Windows XP 7 2012OS CPE: cpe:/o:microsoft:windows xp::sp3cpe:/o:microsoft:windows 7 cpe:/o:microsoft:windows server 2012OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 orWindows 7 or Windows Server 2012Spring 2021

35OS Detectionì Purposes of OS detection?ì Check if hosts are vulnerable to known exploitsì Inventory of systems on networkì Detect unauthorized devices on the network (e.g.wireless access point)Computer Network SecuritySpring 2021