SCSC 455 Computer Security - PowerPoint PPT Presentation


SCSC 455 Computer Security Intrusion Detection – PowerPoint PPT presentation

Slides: 44
Provided by: NewU308


Transcript and Presenter's Notes

SCSC 455 Computer Security
  • Intrusion Detection

  • Network scanning and packet-sniffing utilities
  • IDS -- Intrusion detection systems
  • Automated security audits

Scanners and Sniffers
  • Crackers can employ the following techniques in
    order to gain access to a Linux system
  • Port scanning, in which packets are sent to a
    host to gain information about it based on its
  • Packet sniffing, in which every packet on the
    network has its header and data examined
  • Network administrators also use these techniques
    to check for security weaknesses, and though
    some feel their use is illegitimate, it is
    important to stay ahead of crackers

Port Scanning
  • A port scan enables someone to identify a
    network's operating system and any services that
    could potentially allow greater access
  • Port scans typically use the TCP protocol and its
    associated flags to gather information about the
    host and its network services
  • Some port scanners use ICMP and UDP packets,
    which do not provide as much data as TCP, but can
    offer some information that TCP cannot

Port Scanning
  • The most widely used port-scanning utility is
    nmap, the network mapper
  • a command-line utility that uses a variety of
    scanning methods
  • allows for fingerprinting hosts, greater output,
    and configuration of timing policy
  • can also perform a Ping scan, which reports hosts
    that are reachable using ICMP echo packets

nmap Uses
  • Network exploration tool and port scanner
  • Security audits
  • Network inventory
  • Upgrade schedules
  • Monitoring host/service uptime

Example nmap Scan
  nmap -A -T4 playground
  Starting nmap ( http:// )

  Interesting ports on ( ):
  (The 1663 ports scanned but not shown below are in state: filtered)
  PORT     STATE  SERVICE VERSION
  22/tcp   open   ssh     OpenSSH 3.9p1 (protocol 1.99)
  53/tcp   open   domain
  70/tcp   closed gopher
  80/tcp   open   http    Apache httpd 2.0.52 ((Fedora))
  113/tcp  closed auth
  Device type: general purpose
  Running: Linux 2.4.X|2.5.X|2.6.X
  OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
  Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)

  Interesting ports on ( ):
  (The 1659 ports scanned but not shown below are in state: closed)
  PORT     STATE SERVICE       VERSION
  135/tcp  open  msrpc         Microsoft Windows RPC
  139/tcp  open  netbios-ssn
  389/tcp  open  ldap?
  445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
  1002/tcp open  windows-icfw?
  1025/tcp open  msrpc         Microsoft Windows RPC
  1720/tcp open  H.323/Q.931   CompTek AquaGateKeeper
  5800/tcp open  vnc-http      RealVNC 4.0 (Resolution 400x250; VNC TCP port 5900)
  5900/tcp open  vnc           VNC (protocol 3.8)
  MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
  Device type: general purpose
  Running: Microsoft Windows NT/2K/XP
  OS details: Microsoft Windows XP Pro RC1 through final release
  Service Info: OSs: Windows, Windows XP

  Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
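
As an added example (not from the slides or from Nmap itself), a small Python parser for the normal (-oN) output format shown above, used the way the deck later suggests: scan the system after configuration, then check for holes by reporting open ports that are not on an expected-services baseline. The sample output, hostnames, addresses and baseline below are constructed placeholders modelled on the example scan.

```python
"""Parse nmap "normal" (-oN) output like the example scan above and report open ports
missing from an expected-services baseline.  Added example, not from the slides."""
import re
from collections import defaultdict

# Constructed sample in nmap's normal output format; hostnames/addresses are placeholders.
SAMPLE_OUTPUT = """\
Interesting ports on linux-host.example (192.0.2.10):
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 3.9p1 (protocol 1.99)
53/tcp   open   domain
70/tcp   closed gopher
80/tcp   open   http         Apache httpd 2.0.52 ((Fedora))

Interesting ports on win-host.example (192.0.2.20):
PORT     STATE  SERVICE      VERSION
135/tcp  open   msrpc        Microsoft Windows RPC
445/tcp  open   microsoft-ds Microsoft Windows XP microsoft-ds
5900/tcp open   vnc          VNC (protocol 3.8)
"""
HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_normal_output(text):
    """Return {address: [(port, proto, state, service, version), ...]}."""
    hosts, current = defaultdict(list), None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                        # new host block: remember its address
            current = m.group(2)
            continue
        m = PORT_RE.match(line)
        if m and current:            # port line belonging to the current host
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version or ""))
    return dict(hosts)

def unexpected_open_ports(hosts, baseline):
    """Open ports not listed in baseline[address], a set of (port, proto) pairs."""
    findings = []
    for addr, ports in hosts.items():
        allowed = baseline.get(addr, set())
        for port, proto, state, service, _version in ports:
            if state == "open" and (port, proto) not in allowed:
                findings.append((addr, port, proto, service))
    return sorted(findings)

# Constructed baseline: the services each host is supposed to expose.
BASELINE = {"192.0.2.10": {(22, "tcp"), (80, "tcp")}, "192.0.2.20": {(445, "tcp")}}
```

Calling unexpected_open_ports(parse_normal_output(SAMPLE_OUTPUT), BASELINE) lists the DNS port on the first host and the RPC and VNC ports on the second as not in the baseline.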
nmap Options Summary and Syntax
  Nmap 3.95 ( http:// )
  Usage: nmap [Scan Type(s)] [Options] {target specification}
  TARGET SPECIFICATION:
    Can pass hostnames, IP addresses, networks, etc.
    Ex: 10.0.0-255.1-254
    -iL <inputfilename>: Input from list of hosts/networks
    -iR <num hosts>: Choose random targets
    --exclude <host1,host2,host3,...>: Exclude hosts/networks
    --excludefile <exclude_file>: Exclude list from file
  HOST DISCOVERY:
    -sL: List Scan - simply list targets to scan
    -sP: Ping Scan - go no further than determining if host is online
    -P0: Treat all hosts as online -- skip host discovery
    -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
    -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
    -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  SCAN TECHNIQUES:
    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    -sN/sF/sX: TCP Null, FIN, and Xmas scans
    --scanflags <flags>: Customize TCP scan flags
    -sI <zombie host[:probeport]>: Idlescan
    -sO: IP protocol scan
    -b <ftp relay host>: FTP bounce scan
    -p <port ranges>: Only scan specified ports
      Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
    -F: Fast - Scan only the ports listed in the nmap-services file
    -r: Scan ports consecutively - don't randomize
nmap Syntax (cont)
  SERVICE/VERSION DETECTION:
    -sV: Probe open ports to determine service/version info
    --version_light: Limit to most likely probes for faster identification
    --version_all: Try every single probe for version detection
    --version_trace: Show detailed version scan activity (for debugging)
  OS DETECTION:
    -O: Enable OS detection
    --osscan_limit: Limit OS detection to promising targets
    --osscan_guess: Guess OS more aggressively
  TIMING AND PERFORMANCE:
    -T[0-5]: Set timing template (higher is faster)
    --min_hostgroup/max_hostgroup <msec>: Parallel host scan group sizes
    --min_parallelism/max_parallelism <msec>: Probe parallelization
    --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout <msec>: Specifies probe round trip time.
    --host_timeout <msec>: Give up on target after this long
    --scan_delay/--max_scan_delay <msec>: Adjust delay between probes
  FIREWALL/IDS EVASION AND SPOOFING:
    -f; --mtu <val>: fragment packets (optionally w/given MTU)
    -D <decoy1,decoy2,ME,...>: Cloak a scan with decoys
    -S <IP_Address>: Spoof source address
    -e <iface>: Use specified interface
    -g/--source_port <portnum>: Use given port number
    --data_length <num>: Append random data to sent packets
    --ttl <val>: Set IP time-to-live field
    --spoof_mac <mac address/prefix/vendor name>: Spoof your MAC address
nmap Syntax (cont)
  OUTPUT:
    -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
    -oA <basename>: Output in the three major formats at once
    -v: Increase verbosity level (use twice for more effect)
    -d[level]: Set or increase debugging level (Up to 9 is meaningful)
    --packet_trace: Show all packets sent and received
    --iflist: Print host interfaces and routes (for debugging)
    --append_output: Append to rather than clobber specified output files
    --resume <filename>: Resume an aborted scan
    --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
    --webxml: Reference stylesheet from Insecure.Org for more portable XML
    --no_stylesheet: Prevent associating of XSL stylesheet w/XML output
  MISC:
    -6: Enable IPv6 scanning
    -A: Enables OS detection and Version detection
    --datadir <dirname>: Specify custom Nmap data file location
    --send_eth/--send_ip: Send using raw ethernet frames or IP packets
    --privileged: Assume that the user is fully privileged
    -V: Print version number
    -h: Print this help summary page.
  EXAMPLES:
    nmap -v -A
    nmap -v -sP
    nmap -v -iR 10000 -P0 -p 80
  SEE THE
Target Specification
  • 192.168.0-255.0/8 better 192.168.0-255.1-254
  • 0-155.0-255.13.37
  • Internet wide scan of all addresses ending in
  • Some available options
  • -iL <input_file_name> (Addresses from list)
  • -iR <num hosts> (Choose random targets)
  • --excludefile <exclude_file>

Host Discovery
  • Reduce the number of hosts on a network to be
  • Specify how each host is to be identified as
  • Firewall considerations
  • Default: for each requested IP address
  • Attempt TCP ACK to port 80
  • Attempt ICMP Echo Request

Host Discovery
  • Some available host discovery options
  • -sL (List Scan)
  • -sP (Ping Scan)
  • Use only pings to scan the IP addresses specified
  • Prints all hosts responding to a ping
  • -P0 (No Ping)
  • -PS [port list] (TCP SYN Ping Scan)
  • TCP SYN packet sent to port 80 for every IP
  • Else to every port in the list
  • -PA [port list] (TCP ACK Ping Scan)
  • -PU [port list] (UDP Ping Scan)
  • -PE, -PP, -PM (ICMP Ping Scan)
  • -PR (ARP Ping Scan)

Port Scanning Basics
  • nmap scans more than 1660 ports
  • Most port scanners list ports as opened or closed
  • nmap recognizes 6 port states
  • Open
  • Accepting TCP connections or UDP packets
  • Closed
  • Host is up on the IP address
  • Accessible but no app is listening
  • Try later

Port Scanning Basics
  • nmap recognizes 6 port states (cont'd)
  • Filtered
  • No response from probe
  • Firewall probably did a stealth drop
  • Forces nmap to retry many times
  • Unfiltered
  • Port is accessible, but nmap cannot tell whether it
    is open or closed
  • Used in mapping firewall rulesets
  • Try Window scan, SYN scan, FIN scan

Port Scanning Basics
  • nmap recognizes 6 port states (cont'd)
  • open|filtered
  • When unable to determine whether port is open or
    filtered
  • closed|filtered
  • When unable to determine whether port is closed
    or filtered

Port Scanning Techniques
  • Only one scan technique can be used at a time
  • Usually must have root privilege
  • Some available scan techniques
  • -sS (TCP SYN scan)
  • Default
  • Half-open scanning
  • The open request is never completed
  • -sT (TCP connect() scan)
  • A full TCP connection is attempted
  • Firewalls tend to block incomplete TCP connect
  • The scan control is handed over to the OS.

Port Scanning Techniques (cont'd)
  • Some additional available scan techniques
  • -sU (UDP scan)
  • Picks up services like DNS, SNMP, DHCP
  • A UDP packet is sent with no data to all targeted
  • ICMP port unreachable -> port is closed
  • ICMP type 3, code 1, 2, 9, 10 or 13 -> port is filtered
  • Responds with a UDP packet -> port is open
  • No response -> port is open|filtered
  • -sN (TCP null scan): no flags set
  • -sF (TCP FIN scan): only the FIN bit is set
  • -sX (Xmas scan): FIN, PSH, URG bits are set
  • RST packet received -> port is closed
  • No response -> port is open|filtered
  • ICMP unreachable (1,2,3,9,10,13) -> port is filtered

Port Scanning Techniques (cont'd)
  • Some additional available scan techniques
  • -sA (TCP ACK scan)
  • No open ports are discovered
  • Does determine if the firewall is stateful
  • Unfiltered systems return a RST packet and are
    labeled unfiltered
  • No response or ICMP errors are labeled filtered
  • -sW (TCP window scan)
  • -sO (IP protocol scan)
  • Cycles through all of the IP protocols

Service and Version Detection
  • Probes discovered ports
  • nmap-service-probes contains probes for querying
  • -sV (Version detection)

OS Detection
  • Uses TCP and UDP scans
  • Compares to the nmap-os-fingerprints database
  • -O (Enable OS detection)
  • -A (Enable both OS and version detection)

  • Piles of output
  • Learn perl and grep
  • Many formats
  • -oN <filespec> (Normal output)
  • -oX <filespec> (XML output)
  • -v (Increase verbosity level)

nmap Conclusion
  • Powerful
  • Invasive
  • obvious if you are not careful
  • illegal if not done correctly

Packet Sniffing
  • A packet sniffer allows for the examination of
    any or all of the traffic passing through a
    network cable or wireless space
  • An Ethernet card can enable packet sniffing only
    if it is operating in promiscuous mode
  • Users must be logged in as root to use this
    mode, so packet sniffers require root access
  • If encryption technologies such as SSH, GPG, and
    stunnel are used, packet data is more secure

Packet Sniffing
  • Three popular Linux utilities are
  • IPTraf displays individual network connections,
    with protocol and other data for each one
  • also displays statistics by protocols, certain
    host names, or certain IP addresses
  • tcpdump provides information similar to IPTraf,
    but it also includes more detailed information
    about network packets
  • Ethereal takes tcpdump a step farther in that it
    is a graphical network analysis tool

  • Network scanning and packet-sniffing utilities
  • IDS -- Intrusion detection systems
  • Automated security audits

Intrusion Detection Software
  • Intrusion detection is the process of noticing
    when someone is trying to break into (or has
    already broken into) a system
  • This category of software is called intrusion
    detection systems (IDS)
  • PortSentry, by Psionic, watches network ports for
    packets that appear to be port scans
  • A more complex tool than PortSentry is Linux IDS,
    or LIDS, which can alter the Linux kernel
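
As an added example of the kind of check PortSentry performs (not PortSentry's own code), the Python below reads constructed connection-attempt records and alerts when one source either contacts a tripwire port that nothing legitimate should touch or hits many distinct ports within a short window. The log format, addresses, window and threshold are all assumptions made for the example.

```python
"""Flag port-scan-like behaviour in connection attempts, the kind of check PortSentry
makes on the ports it watches.  Added example, not PortSentry's code; the log format
is a constructed "seconds source_ip dest_port tcp_flags" form, not a real tool's output."""
from collections import defaultdict, deque

# Constructed connection attempts: one source sweeps many ports, another retries port 22.
LOG_LINES = """\
0.10 198.51.100.7 22 S
0.12 198.51.100.7 23 S
0.13 198.51.100.7 25 S
0.15 198.51.100.7 80 S
0.16 198.51.100.7 110 S
0.18 198.51.100.7 143 S
1.00 203.0.113.5 22 S
1.50 203.0.113.5 22 S
2.00 203.0.113.5 80 S
3.00 203.0.113.9 31337 S
"""

def parse_log(text):
    """Return (time, source, port, flags) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        t, src, port, flags = line.split()
        records.append((float(t), src, int(port), flags))
    return records

def detect_scans(records, window=1.0, threshold=5, trip_ports=frozenset()):
    """Alert once per source that either touches a port in trip_ports (an unused port
    nobody should contact, the way PortSentry binds to unused ports) or probes
    >= threshold distinct ports within `window` seconds.
    Returns {source: (reason, sorted ports)}."""
    recent = defaultdict(deque)          # source -> recent (time, port) probes
    alerts = {}
    for t, src, port, flags in sorted(records):
        if "S" not in flags or src in alerts:   # only SYNs count; alert once per source
            continue
        if port in trip_ports:
            alerts[src] = ("tripwire port", [port])
            continue
        q = recent[src]
        q.append((t, port))
        while t - q[0][0] > window:      # drop probes that fell out of the window
            q.popleft()
        distinct = sorted({p for _, p in q})
        if len(distinct) >= threshold:
            alerts[src] = ("port sweep", distinct)
    return alerts
```

With trip_ports={31337} the sweep from 198.51.100.7 is reported after its fifth distinct port and 203.0.113.9 is reported on its single tripwire hit, while the repeated port 22 attempts from 203.0.113.5 stay below the threshold.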

Big Brother
  • Big Brother provides a different level of
    intrusion detection than LIDS and it uses a
    client/server model similar to SNMP
  • includes a server that gathers data from clients
    on each network host and displays that data as a
    Web page
  • Some standard services Big Brother will manage
    are DNS, FTP, HTTP, POP3, SSH, Telnet, disk space
    and memory usage

Using Intrusion Detection Software
  • Suggested use of intrusion detection tools
  • Use nmap to scan the system after configuration
    to check for security holes
  • Next use PortSentry to watch for outside hosts
    trying to port scan the server
  • Use LIDS to secure your file system and processes
    so that anyone who is able to gain unauthorized
    access will have very limited power
  • Use Big Brother to keep a constant eye on
    services that are provided on network servers

  • Network scanning and packet-sniffing utilities
  • IDS -- Intrusion detection systems
  • Automated security audits

System Security Audits
  • The best way to test confidence in the security
    of a Linux system is to perform a security audit
  • Security audits are reviews or tests of how
    secure the system is and what needs to be done to
    improve its security
  • A security audit could take the form of
  • A careful review of the security policy
  • Use of special security-auditing software

System Security Audits
  • One of the first security-auditing programs was
    called Security Administrator Tool for Analyzing
    Networks (SATAN)
  • The Security Administrator's Integrated Network
    Tool (SAINT) replaced SATAN
  • SAINT uses a Web browser interface to manage an
    attack on a network and report vulnerabilities
  • Other security audit tools are Tiger and SARA