The Attack and Defense of Computers - PowerPoint PPT Presentation

Title: The Attack and Defense of Computers

Description: One of the best free NIDS programs Snort, by Marty Roesch can detect this activity. ... Domain name. Specific IP addresses of systems reachable via the Internet. ... – PowerPoint PPT presentation

Slides: 90
Provided by: yanl

Transcript and Presenter's Notes

1
  • The Attack and Defense of Computers
  • Dr. ? ? ?

2
  • Tracerouting

3
Tracerouting
  • After identifying potential networks, we can
    attempt to determine their
  • network topology
  • potential access paths into the network

4
Tools
  • Unix traceroute.
  • Windows tracert.

5
Traceroute - Function
  • Allows a user to view the route that an IP packet
    follows from one host to the next.

6
traceroute - Principle
  • traceroute uses the TTL field of the IP header to
    elicit an ICMP TIME_EXCEEDED message from each
    router (the TTL field is also a hop counter).
  • The first packet sent by traceroute has a TTL
    value of 1, the second packet sent has a TTL value
    of 2, and so on.
  • When a UDP packet is used as the probing packet,
    it usually uses a port number greater than 30000 as
    its destination port, which is rarely used by
    applications; hence, when the probed host
    receives the probing packet, an ICMP port
    unreachable message is sent back to the
    traceroute host.
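To make the mechanism on this slide concrete, here is a small model of the TTL-expiry exchange: every router decrements the TTL and answers with ICMP TIME_EXCEEDED when it reaches zero, and the destination answers a UDP probe to a closed high port with ICMP PORT_UNREACHABLE. This is an added illustration, not code from the slides or from any traceroute implementation; the hop addresses, the `Hop` and `Destination` classes and the `traceroute()` function are invented for the example. It also models the two silent cases that come up later: a hop that filters UDP, and a destination that actually listens on the probed port (no ICMP error, so the final host never shows up).

```python
from dataclasses import dataclass, field


@dataclass
class Hop:
    """A router on the path. filters_udp models an access control device
    that silently drops UDP probes (constructed behaviour for the example)."""
    addr: str
    filters_udp: bool = False


@dataclass
class Destination:
    addr: str
    listening_udp: set = field(default_factory=set)


def send_probe(path, dest, ttl, dport, proto="udp"):
    """Forward one probe along `path`; return (replying address, ICMP kind),
    or None when nothing comes back before the timeout."""
    for hop in path:
        ttl -= 1                        # every router decrements the hop counter
        if ttl == 0:
            return (hop.addr, "TIME_EXCEEDED")
        if proto == "udp" and hop.filters_udp:
            return None                 # dropped by the access control device
    # The destination processes the packet itself; it does not decrement TTL.
    if proto == "udp":
        if dport in dest.listening_udp:
            return None                 # a listening service consumes it: no ICMP error
        return (dest.addr, "PORT_UNREACHABLE")
    return (dest.addr, "ECHO_REPLY")    # ICMP echo probe (Windows tracert style)


def traceroute(path, dest, dport=33434, proto="udp", max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and collect (ttl, address, reply kind).
    A missing reply is recorded as '*', the way the real tool prints it."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, dest, ttl, dport, proto)
        if reply is None:
            hops.append((ttl, "*", "*"))
            continue
        addr, kind = reply
        hops.append((ttl, addr, kind))
        if kind != "TIME_EXCEEDED":     # the destination answered: stop
            break
    return hops


# Constructed topology: three routers, then a host with a DNS service on UDP 53.
PATH = [Hop("10.0.0.1"), Hop("10.0.1.1"), Hop("198.51.100.1")]
DEST = Destination("203.0.113.10", listening_udp={53})

if __name__ == "__main__":
    for row in traceroute(PATH, DEST, max_hops=6):
        print(row)
```

Running it with `dport=53` prints the three routers and then only `*` lines, and marking the second hop as `filters_udp=True` gives stars from hop 3 onward while an ICMP probe still reaches the destination.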

7
traceroute - Interference
  • Access control devices (such as an
    application-based firewall or packet-filtering
    routers) may filter out traffic.

8
traceroute - Where Is the Router?
  • Generally, once you hit a live system on a
    network, the system before it is a device
    performing routing functions (for example, a
    router or a firewall).

9
traceroute - Multiple Routing Paths
  • In a complex environment:
  • There may be multiple routing paths, that is,
    routing devices with multiple interfaces or load
    balancers.
  • Each interface may have different access control
    lists (ACLs) applied.
  • In many cases, some interfaces will pass your
    traceroute requests, whereas others will deny
    them because of the ACL.

10
traceroute - Build an Access Path Diagram
  • After you traceroute to multiple systems on the
    network, you can begin to create a network
    diagram that depicts:
  • the architecture of the Internet gateway
  • the location of devices that are providing access
    control functionality
  • The diagram is referred to as an access path diagram.

11
traceroute - Exploring Packets
  • Most flavors of traceroute in UNIX default to
    sending UDP packets, with the option of using
    ICMP packets via the -I switch.
  • In Windows, however, the default behavior is to
    use ICMP echo request packets.
  • Therefore, your mileage may vary with each tool,
    depending on whether the site blocks UDP versus
    ICMP, and vice versa.

12
Bypassing Access Control Devices
  • -p n option.
  • -S switch.
  • UDP port 53 is a good starting port number:
    because many sites allow inbound DNS queries
    (using UDP port 53), there is a high probability
    that the access control device will allow the
    probes through.
  • However, if the target really is listening on UDP
    port 53, you will not receive a normal ICMP
    unreachable message back. Therefore, you will not
    see a host displayed when the packet reaches its
    ultimate destination.

13
Using TCP Packets to Find the Routes
  • Because the TTL value used in tracerouting is in
    the IP header, we are not limited to UDP or ICMP
    packets. Literally any IP packet could be sent.
  • Some tools have been developed to provide alternate
    tracerouting techniques to get probes through
    firewalls that are blocking UDP and ICMP packets.
  • Two tools that allow for TCP tracerouting to
    specific ports are:
  • tcptraceroute
  • Cain & Abel

14
tcptraceroute - Bypass Firewall Filters
  • tcptraceroute is a traceroute implementation
    using TCP packets.
  • As mentioned in the previous slide, many
    firewalls filter out UDP and ICMP packets.
    However, in many cases, these firewalls will
    permit inbound TCP packets to specific ports that
    hosts sitting behind the firewall are listening
    for connections on. By sending out TCP SYN
    packets instead of UDP or ICMP ECHO packets,
    tcptraceroute is able to bypass the most common
    firewall filters.

15
tcptraceroute (continued)
  • It is worth noting that tcptraceroute never
    completely establishes a TCP connection with the
    destination host.
  • If the host is not listening for incoming
    connections, it will respond with an RST
    indicating that the port is closed.
  • If the host instead responds with a SYN/ACK, the
    port is known to be open, and an RST is sent by
    the kernel tcptraceroute is running on to tear
    down the connection without completing the
    three-way handshake.

16
tracerouting Countermeasure - IDS and IPS
  • Depending on your site's security paradigm, an
    administrator may be able to configure his/her
    border routers to limit ICMP and UDP traffic to
    specific systems, thus minimizing your exposure.
  • Deploy Network Intrusion Detection Systems (IDSs)
    and Intrusion Prevention Systems (IPSs) that will
    detect this type of network reconnaissance.
  • One of the best free NIDS programs, Snort, by
    Marty Roesch, can detect this activity.

17
tracerouting Countermeasure - RotoRouter
  • Humble from Rhino9 developed a program called
    RotoRouter. This utility is used to log incoming
    traceroute requests and generate fake responses.
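As an added example of what the IDS and RotoRouter-style countermeasures on the last two slides actually look for, here is a small Python detector, not code from the slides or from Snort, run over constructed packet records as a border device would see them. It encodes the observation from the traceroute principle slide: probes arrive with a deliberately small remaining TTL (1, 2, 3, ...) and, for UDP, go to high unused ports, whereas ordinary traffic starts at 64/128/255 and arrives with tens of hops to spare. The record field names, addresses and thresholds are all assumptions for the example.

```python
from collections import defaultdict

# Constructed packet records: arrival time (s), source, protocol, UDP destination
# port (None for ICMP), ICMP type (None for UDP) and the TTL the packet arrived with.
PACKETS = [
    # UNIX-style traceroute: UDP to 33434, 33435, ... with TTL 1, 2, 3
    dict(ts=1.0, src="198.51.100.7", proto="udp", dport=33434, itype=None, ttl=1),
    dict(ts=1.2, src="198.51.100.7", proto="udp", dport=33435, itype=None, ttl=2),
    dict(ts=1.4, src="198.51.100.7", proto="udp", dport=33436, itype=None, ttl=3),
    # Windows tracert: ICMP echo requests (type 8) with incrementing TTL
    dict(ts=4.0, src="192.0.2.9", proto="icmp", dport=None, itype=8, ttl=1),
    dict(ts=4.5, src="192.0.2.9", proto="icmp", dport=None, itype=8, ttl=2),
    dict(ts=5.0, src="192.0.2.9", proto="icmp", dport=None, itype=8, ttl=3),
    # Ordinary traffic: remaining TTLs far from zero
    dict(ts=6.0, src="203.0.113.5", proto="udp", dport=53, itype=None, ttl=57),
    dict(ts=6.1, src="203.0.113.5", proto="icmp", dport=None, itype=8, ttl=57),
    dict(ts=7.0, src="203.0.113.6", proto="udp", dport=33434, itype=None, ttl=120),
]


def is_probe_candidate(p, low_ttl):
    """A traceroute probe arrives with a small TTL; normal packets do not."""
    if p["ttl"] > low_ttl:
        return False
    if p["proto"] == "udp":
        return p["dport"] is not None and p["dport"] > 30000   # high, unused ports
    if p["proto"] == "icmp":
        return p["itype"] == 8                                  # echo request (tracert)
    return False


def detect_traceroute(packets, low_ttl=5, min_probes=3, window=10.0):
    """Return one alert per source that sent at least `min_probes` candidate
    probes with strictly increasing TTLs inside `window` seconds."""
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        if is_probe_candidate(p, low_ttl):
            by_src[p["src"]].append(p)
    alerts = []
    for src, probes in by_src.items():
        run = [probes[0]]                     # current run of increasing TTLs
        for prev, cur in zip(probes, probes[1:]):
            if cur["ttl"] > prev["ttl"] and cur["ts"] - run[0]["ts"] <= window:
                run.append(cur)
            else:
                run = [cur]
            if len(run) >= min_probes:
                tool = "tracert-like" if cur["proto"] == "icmp" else "traceroute-like"
                alerts.append(dict(src=src, tool=tool, first_ts=run[0]["ts"],
                                   ttls=[r["ttl"] for r in run]))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_traceroute(PACKETS):
        print(alert)
```

The same records could feed a logger that answers the probes with fabricated hops, which is what the RotoRouter slide describes; the detection part is the same either way.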

18
Intelligence Gathering Techniques Arkin
19
Intelligence Gathering Techniques (IGT)
  • IGTs help an attacker to understand the
    characteristics and potential vulnerabilities of
    her/his targets.
  • Through intelligence gathering techniques, an
    attacker can launch a more accurate and efficient
    attack on her/his targets.

20
IGT Steps
  • In the computer hacking world, intelligence
    gathering can be roughly divided into three major
    steps
  • Footprinting
  • Scanning
  • Enumeration

21
Footprinting
  • Collect information to build a unique footprint or
    profile of an organization's security posture.
  • With footprinting, using rather simple tools, we
    gather information such as:
  • Administrative, technical, and billing contacts,
    which include employee names, email addresses,
    and phone and fax numbers.
  • IP address range
  • DNS servers
  • Mail servers
  • And we can also identify some of the systems that
    are directly connected to the Internet.

22
Scanning
  • The art of detecting
  • which systems are alive and reachable via the
    Internet
  • what services they offer
  • using techniques such as ping sweeps, port scans,
    and operating system identification (OS
    fingerprinting)
  • is called scanning

23
Information Collected by Scanning
  • The kind of information collected here has to do
    with the following
  • TCP/UDP services running on each system
    identified.
  • System architecture (Sparc, Alpha, x86).
  • Specific IP addresses of systems reachable via
    the Internet.
  • Operating system type.

24
Enumeration
  • Enumeration is the process of extracting valid
    accounts or exported resource names from systems.
    The information is gathered using active
    connections to systems and queries, which is more
    intrusive in nature than footprinting and
    scanning.
  • The techniques are mostly operating system
    specific, and can gather information such as:
  • User and group names.
  • System banners
  • Routing tables
  • SNMP information

25
  • Footprinting

26
Internet Footprinting
  • The fine art of gathering target information
  • Domain name
  • Specific IP addresses of systems reachable via
    the Internet.
  • Access control mechanisms and related access
    control lists.
  • Intrusion-detection systems (IDSs)
  • DNS hostnames

27
Where Can We Find the Information?
  • Company Web pages.
  • Related organizations.
  • Location details.
  • Phone numbers, contact names, e-mail addresses,
    and personal details.
  • Privacy or security policies, and technical
    details indicating the types of security
    mechanisms in place.
  • Archived Information
  • Search engines and resumes

28
Company Web Pages
  • Some organizations will list their security
    configuration details directly on their Internet
    web servers.
  • Try reviewing the HTML source code.

29
What Info Can We Find in a Web Page Source Code
(1)?
  • Check the comments, i.e. the parts enclosed
    between <!-- and -->.
  • Using Wget (for Unix) and Teleport Pro (for
    Windows) you can mirror the entire set of web pages
    on a web server.
  • Other sites whose hostnames have a prefix other
    than www.
  • Many organizations have sites to handle remote
    access to internal resources via a web browser.
  • E.g. through Microsoft's Outlook Web Access, a
    person can access the contents stored in a
    Microsoft Exchange server, such as e-mails,
    address books, a calendar, and public folders.
    A typical URL for this kind of resource is
    http://owa.company.com or http://outlook.company.com.
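The comment review described above can be done from the defender's side before a page goes live. The following is an added example, not code from the slides: it extracts every HTML comment with Python's standard html.parser and flags the ones that match a few leak patterns (IPv4 addresses, internal-looking hostnames, credential-like key/value pairs, TODO notes). The sample page, the pattern names and the patterns themselves are constructed for the example and should be tuned to the site's own naming conventions.

```python
import re
from html.parser import HTMLParser


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


# Things that should not be left in a public page's comments (constructed list).
LEAK_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "internal-host": re.compile(r"\b[\w-]+\.(?:internal|corp|local|lan)\b", re.I),
    "credential": re.compile(r"\b(?:passw(?:or)?d|pwd|secret|api[_-]?key)\b\s*[:=]", re.I),
    "todo-note": re.compile(r"\b(?:TODO|FIXME|HACK)\b"),
}


def find_leaky_comments(html):
    """Return [(comment text, [names of the patterns that matched]), ...]."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for comment in parser.comments:
        hits = [name for name, rx in LEAK_PATTERNS.items() if rx.search(comment)]
        if hits:
            findings.append((comment, hits))
    return findings


# Constructed sample page with three comments, two of which leak something.
SAMPLE_HTML = """<html><head><title>Welcome</title>
<!-- generated by build 42 -->
</head><body>
<!-- staging copy lives on 10.1.2.3, login admin, passwd: changeme -->
<p>Hello</p>
<!-- TODO remove debug endpoint on app01.corp.example before launch -->
</body></html>"""

if __name__ == "__main__":
    for text, hits in find_leaky_comments(SAMPLE_HTML):
        print(hits, "->", text)
```

Run over a mirrored copy of your own site (the Wget mirror mentioned on the slide works for that), it gives the same view of the comments that a reader of the HTML source gets.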

30
What Info Can We Find in a Web Page Source Code
(2)?
  • Sites like http://vpn.company.com or
    http://www.company.com/vpn will often reveal
    sites designed to help end users connect to their
    company's VPN.
  • You can also find detailed instructions on how to
    download and configure the VPN client software.
  • These sites may even include a phone number to
    call for assistance if someone has trouble
    connecting to the VPN (usually this person is
    supposed to be an employee; however, an attacker
    may also use this channel to connect to the VPN).

31
Related Organizations
  • Other related organizations' web sites may also
    leak sensitive information about the target
    organization.

32
Phone Numbers, Contact Names, E-mail Addresses,
and Personal Details
  • Contact names and e-mail addresses may reveal an
    organization's employee names or account names.
  • E.g. if an organization has an employee named
    John Smith, then it is very possible that some of
    the organization's hosts have an account named
    jsmith, johnsmith or smithj, and vice versa.
  • From an employee's name, an attacker may find
    her/his home phone number or home computer, which
    probably has some sort of remote access to the
    target organization.
  • A keystroke logger on an employee's home machine
    or laptop may very well give a hacker a free ride
    to the organization's inner hosts.

33
Search Engines and Resumes
  • A lot of sensitive information can be obtained
    through a search engine by using appropriate
    search keywords.
  • If an organization is posting for a security
    professional with five or more years' experience
    working with CheckPoint firewalls and Snort IDS,
    then what kind of firewall and IDS do you think
    they use?

34
  • Scanning

35
Comparison between Footprinting and Scanning
  • If footprinting is the equivalent of casing a
    place for information, then scanning is
    equivalent to knocking on the walls to find all
    the doors and windows.
  • During footprinting, malicious users can obtain:
  • a list of IP network blocks
  • a list of IP addresses
  • Scanning aims to determine:
  • what systems are listening for inbound network
    traffic (a.k.a. alive)
  • what systems are reachable from the Internet

36
Purposes of Scanning and Corresponding Tools
  • Determining if the system is alive
  • Ping sweeps
  • ICMP sweeps (ICMP ECHO requests)
  • Broadcast ICMP
  • Non-ECHO ICMP
  • TCP/UDP Sweeps
  • Determining which services are running or
    listening
  • Port Scanning.
  • Detecting the Operating System
  • Active OS fingerprinting.
  • Passive OS fingerprinting.

37
  • Ping Sweeps

38
ICMP ECHO Requests
  • One of the most basic steps in mapping out a
    network is performing an automated ping sweep on
    a range of IP addresses and network blocks to
    determine if individual devices or systems are
    alive.
  • One of the ping sweep tools used by malicious
    users for the above purpose is ping.
  • Ping sends ICMP ECHO request (Type 8) packets to
    a target system in an attempt to elicit an ICMP
    ECHO reply (Type 0) indicating the target system
    is alive.

39
fping
  • One of the techniques for performing ping sweeps
    in the UNIX world.
  • fping is a ping(1)-like program which uses the
    Internet Control Message Protocol (ICMP) echo
    request to determine if a host is up.
  • fping is different from ping in that you can:
  • specify any number of hosts on the command line
  • or
  • specify a file containing the list of hosts to
    ping

40
fping - Example
  • Example:
  • root# cat in.txt
  • 192.168.51.1
  • 192.168.51.2
  • 192.168.51.3
  • 192.168.51.253
  • 192.168.51.254
  • root# fping -a -f in.txt
  • 192.168.1.254 is alive
  • 192.168.1.227 is alive
  • 192.168.1.224 is alive
  • 192.168.1.3 is alive
  • 192.168.1.2 is alive
  • 192.168.1.1 is alive
  • 192.168.1.190 is alive

41
fping - Increase Scanning Rate
  • Instead of trying one host until it times out or
    replies, fping will send out a ping packet and
    move on to the next host in a round-robin
    fashion.
  • If a host replies, it is noted and removed from
    the list of hosts to check.
  • If a host does not respond within a certain time
    limit and/or retry limit it will be considered
    unreachable.
  • Unlike ping, fping is meant to be used in scripts
    and its output is easy to parse.

42
SuperScan
  • For the Windows-inclined.

43
Other Tools
  • Ping Sweep
  • WS_Ping ProPack
  • NetScan Tools

44
Broadcast ICMP - Principle
  • Sending an ICMP ECHO request to the network
    broadcast address will produce all the
    information you need for mapping a targeted
    network in an even simpler way.
  • The request will be broadcast to all alive hosts
    on the target network, and they will send ICMP
    ECHO replies to the attacker's source IP after only
    one or two packets have been sent by him.

45
Broadcast ICMP - Unix vs. Windows Platforms
  • Here we can first distinguish between Unix and
    Windows machines.
  • While Unix machines often still answer to
    requests directed to the network address (the
    answer will be the fully qualified network
    address)
  • Windows machines will ignore it.

46
Using Non-ECHO ICMP Packets for Ping Sweep
  • Non-ECHO ICMP packets can also be used to perform
    ping sweeps.
  • Examples
  • ICMP type 13 messages (TIMESTAMP)
  • ICMP type 17 messages (ADDRESS MASK REQUEST)

47
Functions of Non-ECHO ICMP Packets
  • ICMP timestamp request and reply allow a system
    to query another for the current time.
  • The ICMP address mask request (and reply) is
    intended for diskless systems to obtain their
    subnet mask at bootstrap time.
  • People can use it to request the netmask of a
    particular device.

48
Non-ECHO ICMP Ping Sweep Tools
  • We can use the icmpush and icmpquery tools to
    perform this kind of scanning.
  • Many firewalls are configured to block only ICMP
    ECHO traffic, and in this case it makes the
    non-ECHO requests a valid form of host
    identification.

49
What Will Happen, If ICMP Is Blocked by Target
Site? (1)
  • It is not uncommon to come across a
    security-conscious site that has blocked ICMP at
    the border router or firewall.
  • Although ICMP may be blocked, some additional tools
    and techniques can be used to determine if
    systems are actually alive. However, they are not
    as accurate or as efficient as a normal ping
    sweep.

50
What Will Happen, If ICMP Is Blocked by Target
Site? (2)
  • Typically, pinging heavily utilizes ICMP
    (Internet Control Message Protocol) packets, even
    though they are not the only packet types
    available for network pinging.
  • Either TCP or UDP provides an alternative approach
    to performing ping sweeps to find out if a host is
    alive on the network.
  • When ICMP traffic is blocked, a TCP/UDP sweep is
    the first alternative technique to determine live
    hosts.

51
  • TCP Sweeps

52
TCP Sweeps - Packets and Ports Used
  • A scanner sends a SYN packet to the target.
  • If the target is alive, then the scanner will
    receive:
  • SYN/ACK (the port is open).
  • RST (the port is closed).
  • With the TCP Sweep technique, instead of sending
    ICMP ECHO request packets we send TCP ACK or TCP
    SYN packets (depending on whether we have root
    access or not) to the target network.
  • The port number can be selected to meet our
    needs.
  • Usually a good pick would be one of the following
    ports: 21 / 22 / 23 / 25 / 80 (especially if a
    firewall is protecting the targeted network).
  • Receiving a response is a good indication that
    something is up there.

53
Response of TCP Sweeps
  • The response depends on:
  • the target's operating system (some OSes don't
    follow the TCP/IP protocol in their
    implementation)
  • the nature of the packet sent
  • any firewalls, routers or packet-filtering
    devices used

54
TCP Sweeps - Drawbacks
  • Bear in mind that firewalls can spoof a RESET
    packet for an IP address, so TCP Sweeps may not
    be reliable.

55
nmap
  • A powerful network reconnaissance tool.
  • root# nmap -sP 192.168.1.0/24
  • Starting nmap V. 3.70 by fyodor@insecure.org
    (www.insecure.org/nmap)
  • Host (192.168.1.0) seems to be a subnet
    broadcast address (returned 3 extra pings)
  • Host (192.168.1.1) appears to be up.
  • Host (192.168.1.10) appears to be up.
  • Host (192.168.1.11) appears to be up.
  • Host (192.168.1.15) appears to be up.
  • Host (192.168.1.20) appears to be up.
  • Host (192.168.1.50) appears to be up.
  • Host (192.168.1.101) appears to be up.
  • Host (192.168.1.102) appears to be up.
  • Host (192.168.1.255) seems to be a subnet
    broadcast address (returned 3 extra pings).
  • Nmap run completed -- 256 IP addresses (10 hosts
    up) scanned in 21 seconds.

56
  • UDP Sweeps

57
UDP Sweeps (a.k.a. UDP Scans)
  • This method relies on the ICMP PORT UNREACHABLE
    message, initiated by a closed UDP port.
  • If no ICMP PORT UNREACHABLE message is received
    after sending a UDP datagram to a UDP port that
    scanners wish to examine on a targeted system,
    they may assume the port is open.

58
Drawbacks of UDP Sweeps
  • UDP scanning is unreliable for a number of
    reasons:
  • Routers can drop UDP packets as they cross the
    Internet.
  • Many UDP services do not respond when correctly
    probed.
  • Firewalls are usually configured to drop UDP
    packets (except for DNS).
  • UDP sweep relies on the fact that a non-active
    UDP port will respond with an ICMP PORT
    UNREACHABLE message.

59
  • Port Scanning

60
Ping Sweeps vs. Port Scanning
  • Ping Sweeps help malicious users identify which
    systems are alive. The next step is trying to
    determine what services (if any) are running or
    in a LISTENING state on the targeted system, by
    connecting to the TCP and UDP ports of that
    system. This is called Port Scanning.
  • For the hacker it is critical to identify
    listening ports, because it helps her/him further
    identify the operating system and application in
    use.

61
Service Detection and Attacks
  • The services detected as listening may suffer
    from vulnerabilities which may result from two
    reasons
  • Misconfiguration of the service
  • The version of the software is known to have
    security flaws
  • If identified, these vulnerabilities can lead to
    privileged access gained by the attacker.

62
Port Scanning
  • TCP connect() scans
  • TCP SYN scans (half open scanning)
  • Stealth Scans
  • Explicit Stealth Mapping Techniques
  • SYN/ACK scans
  • FIN scans
  • XMAS scans
  • NULL scans
  • Proxy Scanning/ FTP Bounce Scanning
  • Idlescan

63
TCP connect() Scans
  • With this type of scan, a scanner uses the basic
    TCP connection establishment mechanism to open a
    connection to an interesting port on the targeted
    machine
  • A SYN packet is sent to the target system's
    interesting port.
  • Now we wait to see what type of packet is sent
    back from the target.
  • If a SYN/ACK packet is received, it usually means
    the port is in a LISTENING state.
  • If an RST/ACK packet is received, it usually means
    the port is not LISTENING and the connection will
    be RESET.
  • We finish the three-way handshake (if SYN/ACK
    packet was received) by sending an ACK.
  • A connection is terminated after the full
    connection establishment process has been
    completed.

64
Drawbacks of TCP connect() Scans
  • Time-Consuming.
  • This kind of scan is easily detected.
  • Inspecting the target system log will show a
    number of connections and error messages
    immediately after each one of them was initiated.

65
TCP SYN Scans (Half Open Scanning)
  • This type of scan differs from TCP connect() scan
    because scanners do not open a full TCP
    connection. They send a SYN packet to initiate
    the three-way handshake and wait for a response.
  • If scanners receive a SYN/ACK, it indicates the
    port is LISTENING.
  • If they do receive a SYN/ACK packet, they
    immediately tear down the connection by sending a
    RESET.
  • If scanners receive an RST/ACK, it indicates a
    non-LISTENING port.

66
Advantages of TCP SYN Scans
  • Faster than a TCP connect() scan.
  • Because the TCP three-way handshake was not
    completed, some sites will probably not log
    these scanning attempts.

67
Stealth Scan
  • Stealth can also be defined as a family of scanning
    techniques that do one of the following:
  • Pass through filtering rules.
  • Avoid being logged by the targeted system's logging
    mechanisms.
  • Try to hide themselves in the usual site/network
    traffic.

68
An Important Rule in RFC 793 (TCP)
  • According to RFC 793 closed ports are required to
    reply with a RESET packet to our probe packets,
    while open ports must ignore any packet in
    question.

69
SYN/ACK Scans - Packets Being Sent
  • This scan intentionally disregards the TCP
    three-way handshake.
  • Scanners send a SYN/ACK packet, which is step two
    in the TCP three-way handshake, while there is no
    SYN packet sent for step one.

70
SYN/ACK Scans
  • Sending a SYN/ACK packet to a closed port:
  • Because TCP is stateful, it knows no SYN has been
    sent, which is the first step in the three-way
    TCP handshake. TCP figures this packet must be a
    mistake and sends a RESET to tear down the
    connection. This is what scanners wished for:
    any kind of response to give away the existence
    of the system and the fact that the probed port
    is closed.
  • If scanners send the SYN/ACK to an open port, it
    will ignore any such packet.

71
FIN Scanning
  • This technique sends erroneous packets at a port,
    expecting that open listening ports will send
    back different error messages than closed ports.
  • The scanner sends a FIN packet, which should
    close a connection that is open.
  • Closed ports reply to a FIN packet with a RST.
  • Open ports, on the other hand, ignore the packet
    in question.
  • The above responses are required TCP behavior.

72
Drawback of FIN Scanning
  • According to the previous slide, no response to
    a FIN probe packet sent to port X is interpreted
    as X being an open port.
  • Therefore, silence indicates the presence of a
    service at the port.
  • However, since packets can be dropped
    accidentally on the wire or blocked by firewalls,
    this isn't a very effective scan.

73
XMAS (Christmas Tree)
  • XMAS is a scanning type which sends a TCP packet
    with the URG, ACK, PSH, RST, SYN and FIN flags
    set. All the TCP flags are set.
  • Closed ports → RESET packets.
  • Open ports → no response packets.
  • P.S. The above behavior is defined in RFC 793;
    however, some OSs' implementations may not follow
    the above rules.

74
Null Scans
  • Null scan is a scanning type which sends a TCP
    packet with all flags turned off.
  • Closed ports → RESET packets.
  • Open ports → no response packets.
  • According to RFC 793 this should work against
    every implementation of TCP regardless of the
    operating system it runs on. Life is not always
    simple. Windows, Cisco, BSDI, HP/UX, MVS and IRIX
    have a broken TCP implementation: they send
    RESETs to open ports as well.

75
Properties of FTP Protocol
  • The FTP protocol supports the following scenario
  • attacker.com connects to an FTP server, which has
    a world writable directory, and establishes a
    control communication connection.
  • The attacker can then ask the FTP server to
    initiate an active server data transfer process
    and send a file anywhere on the Internet,
    presumably to a user data transfer process.

76
Proxy Scanning/FTP Bounce Scanning
  • Redirect the scanning traffic to a target port,
    then
  • If the transfer is successful (150 and 226
    responses), the target host is listening on the
    specified port scanned.
  • Otherwise, a "425 Can't build data connection:
    Connection refused" message will be received.

77
Commonly Adopted Port Scanning Signatures
  • Several packets to different destination ports
    from the same source address within a short
    period of time.
  • SYN to a non-listening port.
  • Obviously, there are many other ways to detect
    port scans, up to dumping all the packet headers
    to a file and analyzing them manually.
  • P.S. It is always possible for an attacker to
    make her attack either very unlikely to be
    noticed, or very unlikely to be traced to its
    real origin, while still being able to obtain the
    port number information.
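The two signatures on this slide, together with the SYN/ACK, NULL and XMAS probes from the preceding slides, are simple enough to express in code. The following is an added example, not code from the slides or from any IDS product: a Python function that walks constructed packet records (direction, addresses, ports, TCP flag set) in time order and raises an alert for many distinct destination ports from one source inside a short window, for a SYN to a port nothing listens on, and for flag combinations that never start a legitimate exchange (a SYN/ACK is accepted only when it answers a SYN we sent). The record layout, the addresses and the thresholds are all assumptions for the example.

```python
from collections import defaultdict


def classify_flags(flags):
    """Name the probe-style flag patterns from the slides; None for anything else."""
    f = frozenset(flags)
    if not f:
        return "NULL"
    if {"FIN", "PSH", "URG"} <= f:        # also true for the all-flags XMAS packet
        return "XMAS"
    if f == {"FIN"}:
        return "FIN-only"
    if f == {"SYN", "ACK"}:
        return "SYN/ACK"
    return None


def analyze(packets, listening, window=2.0, port_threshold=5):
    """Return a list of (alert kind, source address, detail) tuples."""
    alerts = []
    expected_synack = set()      # (remote, rport, local, lport) for SYNs we sent out
    recent = defaultdict(list)   # source -> [(ts, dport)] seen inside the window
    scan_reported = set()
    for p in sorted(packets, key=lambda p: p["ts"]):
        flags = frozenset(p["flags"])
        if p["dir"] == "out":
            if flags == {"SYN"}:  # remember our own connection attempts
                expected_synack.add((p["dst"], p["dport"], p["src"], p["sport"]))
            continue
        src = p["src"]
        # Signature 2 from the slide: a SYN to a port nothing listens on.
        if flags == {"SYN"} and p["dport"] not in listening:
            alerts.append(("syn-to-closed-port", src, p["dport"]))
        # Probe-style flag combinations; a SYN/ACK is fine only if we asked for it.
        name = classify_flags(flags)
        if name == "SYN/ACK":
            key = (src, p["sport"], p["dst"], p["dport"])
            if key in expected_synack:
                expected_synack.discard(key)
            else:
                alerts.append(("unsolicited-syn/ack", src, p["dport"]))
        elif name:
            alerts.append((name.lower() + "-probe", src, p["dport"]))
        # Signature 1: many distinct destination ports from one source in a short time.
        hist = recent[src]
        hist.append((p["ts"], p["dport"]))
        hist[:] = [(t, d) for t, d in hist if p["ts"] - t <= window]
        distinct = {d for _, d in hist}
        if len(distinct) >= port_threshold and src not in scan_reported:
            scan_reported.add(src)
            alerts.append(("port-scan", src, len(distinct)))
    return alerts


def pkt(ts, direction, src, sport, dst, dport, *flags):
    return dict(ts=ts, dir=direction, src=src, sport=sport, dst=dst, dport=dport, flags=set(flags))


# Constructed traffic at the monitored host's interface (documentation addresses).
HOST = "10.0.0.5"
PACKETS = [
    pkt(0.0, "out", HOST, 40000, "203.0.113.8", 443, "SYN"),            # our own client ...
    pkt(0.1, "in", "203.0.113.8", 443, HOST, 40000, "SYN", "ACK"),      # ... and its legitimate reply
    *[pkt(5.0 + i / 10, "in", "198.51.100.7", 5001 + i, HOST, port, "SYN")
      for i, port in enumerate((21, 22, 23, 25, 80, 8080))],             # sequential SYN burst
    pkt(9.0, "in", "198.51.100.9", 1234, HOST, 22, "SYN", "ACK"),       # SYN/ACK nobody asked for
    pkt(9.5, "in", "198.51.100.9", 1235, HOST, 80),                     # NULL probe
    pkt(9.6, "in", "198.51.100.9", 1236, HOST, 80, "FIN", "PSH", "URG"),  # XMAS probe
    pkt(20.0, "in", "192.0.2.44", 51000, HOST, 80, "SYN"),              # ordinary web visitor
]
LISTENING = {22, 80}

if __name__ == "__main__":
    for alert in analyze(PACKETS, LISTENING):
        print(alert)
```

The `window` and `port_threshold` parameters are the knobs behind the site detection threshold the later slides discuss: a scan that stays below the rate they define is not reported by signature 1, which is exactly the limitation of threshold-based detection.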

78
Port Scanning Techniques to Avoid Being Detected
  • Random port scan.
  • Slow scan.
  • Fragmentation scanning.
  • Decoy.
  • Coordinated scans.

79
Random Port Scan
  • Many commercial intrusion detection systems and
    firewalls are looking for sequential connection
    attempts. When the pattern is matched a port scan
    is reported.
  • Randomizing the sequence of ports probed may
    prevent detection.

80
Slow Scan - Site Detection Threshold
  • Intrusion detection systems can determine if a
    specific IP tries to port scan the network they
    are defending. It is done by analyzing the
    network traffic over a certain amount of time.
  • The amount of time is called the site detection
    threshold.

81
Slow Scan
  • Some hackers are very patient and can use network
    scanners that spread out the scan over a long
    period of time.
  • The scan rate can be, for example, as low as 2
    packets per day per target site.
  • If the attacker can guess the detection threshold
    of his target, he can reduce the chances of
    detection to a minimum or even to no detection at
    all, as long as he doesn't include a signature
    with his packets that alerts the intrusion
    detection system in some other way.

82
Fragmentation and IDS
  • All IP packets that carry data can be fragmented.
  • Some filtering devices and intrusion detection
    systems may incorrectly reassemble or completely
    miss portions of the scan. They may assume that
    this was just another segment of traffic that has
    already passed through their access list.

83
Fragmentation Scanning - Countermeasure
  • Filtering devices that queue all IP fragments can
    handle this method.
  • Linux is a good example with the
    CONFIG_IP_ALWAYS_DEFRAG kernel option.
  • Some networks cannot afford the performance hit
    this causes and disable this feature.
  • This kind of scan has been fixed in most vendors'
    products.
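Why queueing fragments matters, as an added example (not code from the slides or from the Linux kernel): the model below builds a 20-byte TCP header, splits it into IP-style 8-byte fragments, and compares a filter that judges each fragment on its own with one that reassembles the datagram first, which is the behaviour the CONFIG_IP_ALWAYS_DEFRAG option gives a Linux router. The rule is "drop inbound SYN to port 23"; the fragment layout, the `Reassembler` class and the sample segment are constructed for the example.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset, flags, window, checksum, urgent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def fragment(payload, ident, size):
    """Split a transport segment into IP-style fragments: id, byte offset, more-fragments, data."""
    return [dict(id=ident, offset=off, mf=off + size < len(payload), data=payload[off:off + size])
            for off in range(0, len(payload), size)]


def rule_blocks(segment):
    """ACL for the example: drop inbound SYNs (without ACK) to port 23.
    Returns None when the bytes at hand do not even reach the flags byte."""
    if len(segment) < 14:
        return None
    dport = struct.unpack("!H", segment[2:4])[0]
    flags = segment[13]
    return dport == 23 and bool(flags & SYN) and not (flags & ACK)


def per_fragment_filter(frags):
    """Stateless device: each fragment is judged on what it alone carries."""
    verdicts = []
    for f in frags:
        decision = rule_blocks(f["data"]) if f["offset"] == 0 else None
        # An undecidable piece (None) is let through: the ports or flags sit in another fragment.
        verdicts.append("drop" if decision else "pass")
    return verdicts


class Reassembler:
    """Queue fragments per datagram id; return the whole segment once the
    pieces are contiguous from offset 0 up to one with MF clear."""

    def __init__(self):
        self.pending = defaultdict(dict)   # id -> {offset: fragment}

    def add(self, frag):
        buf = self.pending[frag["id"]]
        buf[frag["offset"]] = frag
        pos = 0
        while pos in buf:
            piece = buf[pos]
            if not piece["mf"]:
                data = b"".join(buf[o]["data"] for o in sorted(buf) if o <= pos)
                del self.pending[frag["id"]]
                return data
            pos += len(piece["data"])
        return None


def reassemble_then_filter(frags):
    """Device that defragments first and applies the rule to the complete header."""
    r = Reassembler()
    for f in frags:
        whole = r.add(f)
        if whole is not None:
            return "drop" if rule_blocks(whole) else "pass"
    return "incomplete"


# Constructed case: a SYN to telnet, once whole and once split into 8-byte fragments.
TELNET_SYN = tcp_header(40000, 23, SYN)
WHOLE = [dict(id=1, offset=0, mf=False, data=TELNET_SYN)]
SPLIT = fragment(TELNET_SYN, 2, 8)

if __name__ == "__main__":
    print("whole:", per_fragment_filter(WHOLE), reassemble_then_filter(WHOLE))
    print("split:", per_fragment_filter(SPLIT), reassemble_then_filter(SPLIT))
```

The split case is the one the slide is about: the first 8 bytes carry the ports but not the flags byte (offset 13), so a per-fragment filter cannot evaluate the rule and passes every piece, while the defragmenting filter sees the complete header and drops it. The queueing is also the performance cost the slide mentions, since every fragment is held until its datagram completes.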

84
Decoy
  • Some network scanners include options for Decoys
    or spoofed addresses in their attacks.
  • It would appear to the attacked network/host that
    the host(s) you specified as decoys are scanning
    them as well. This will drive intrusion detection
    systems into thinking that the target network is
    being port scanned by all the hosts, and
    determining who the real attacker is, will be
    nearly impossible.

85
Anti-Decoy
  • One way that helped intrusion detection systems
    detect the decoy hosts in the past was the TTL
    (Time to Live) field values in the scanned
    packets.
  • If all the incoming packets' TTL values are the
    same, it is likely that they were generated
    in the same factory.
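The TTL heuristic on this slide, as an added example (not code from the slides or from any IDS): group the apparent sources of a scan episode by the TTL their packets arrived with. Several addresses that all share one arrival TTL were most likely generated on one machine, whereas genuinely different Internet hosts differ in OS default TTL and in hop distance. The `(source, ttl)` records and the list of common initial TTLs used for the distance estimate are assumptions for the example.

```python
from collections import defaultdict

# Constructed observations: (source address, TTL on arrival) for the SYNs of one
# scan episode, plus two unrelated visitors. Addresses from documentation ranges.
OBSERVED = [
    ("198.51.100.7", 52), ("198.51.100.7", 52),
    ("203.0.113.21", 52), ("203.0.113.21", 52),
    ("192.0.2.77", 52), ("192.0.2.77", 52),
    ("192.0.2.78", 52),
    ("203.0.113.9", 118),    # ordinary client, initial TTL 128, ~10 hops away
    ("198.51.100.40", 244),  # ordinary device, initial TTL 255, ~11 hops away
]

# Common OS default initial TTLs (assumption used for the hop estimate).
INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(ttl):
    """Hop-distance estimate: the nearest common initial TTL at or above the observed value."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base - ttl
    return None


def decoy_groups(observed, min_sources=3):
    """Group sources by their single arrival TTL and report every group of at
    least `min_sources` distinct addresses as a likely decoy set."""
    ttls_by_src = defaultdict(set)
    for src, ttl in observed:
        ttls_by_src[src].add(ttl)
    srcs_by_ttl = defaultdict(set)
    for src, ttls in ttls_by_src.items():
        if len(ttls) == 1:      # a source whose TTL varies is not a fixed-origin decoy
            srcs_by_ttl[next(iter(ttls))].add(src)
    report = []
    for ttl, srcs in sorted(srcs_by_ttl.items()):
        if len(srcs) >= min_sources:
            report.append(dict(ttl=ttl, hops=estimate_hops(ttl), sources=sorted(srcs)))
    return report


if __name__ == "__main__":
    for group in decoy_groups(OBSERVED):
        print(group)
```

The output names the four addresses that arrived with TTL 52 as one group; it cannot say which of them is the real origin, only that the rest are unlikely to be independent scanners.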

86
Weaknesses of Previous Scan Methods
  • Probing a few target systems from a single IP
    within a certain amount of time will usually turn
    on the alarm of the intrusion detection systems.
  • We have already discussed a way to try to bypass
    this using slow scans. But even a slow scan can
    sometimes be detected.

87
Coordinated Attacks
  • When a group of attackers are working together to
    achieve a common goal, trying to get unauthorized
    access to a targeted network for example, we call
    this a coordinated attack.
  • Coordinated attacks can be used to target a
    single host or even an entire network.

88
Coordinated Scans
  • If multiple IPs probe a target network, and each one
    of them probes for a certain service on a certain
    machine in a different time period, then it
    would be nearly impossible to detect these scans.
