DefCon: Network Mapping Techniques

1
DefConNetwork Mapping Techniques

• Simple Nomad
• Nomad Mobile Research Centre
• BindView Corporation

2
About This Presentation

• Assume basics
• Understand IP addressing
• Understand basic system administration
• Tools
• Where to find them
• Basic usage
• A Network point of view

3
About Me

• NMRC http//www.nmrc.org/
• BindView http//razor.bindview.com/

4
Know Your Target

• Public information
• Network enumeration
• Network mapping

5
Public Information

• Public records
• WHOIS
• DNS
• Public postings

6
Network Enumeration

• Goals of network enumeration
• ICMP
• Scanning
• TCP Fingerprinting
• Additional Probes

7
ICMP

• Sweeping a network with Echo
• Typical alternates to ping
• Timestamp
• Info Request
• Advanced ICMP enumeration
• Host or port unreachable with illegal header
  length

8
Scanning

• Why scan?
• Nmap defacto standard
• Ping sweeps
• Port scanning
• Additional features

9
TCP Fingerprinting

• Several different type of packets sent
• Various responses come back
• Differences can determine OS of remote system
• Using just ICMP is possible

10
Addition Probes

• Possible security devices
• Sweep for promiscuous devices

11
Network Mapping

• Determine network layout
• Traceroute
• Firewalk

12
Bypassing the Firewall

• Tools
• Firewalk
• Nmap
• Common ports
• State table manipulation

13
Avoiding Intrusion Detection

• Manipulation of detected data
• Use of fragmented packets
• Triggering false positive, or distraction

14
Connecting the Dots

• View each step as a small part of a big picture
• Each step is important
• Data could be stored for later use

15
Example Intrusion

• WHOIS
• DNS server names
• Traceroute
• DNS zone dump
• Host enumeration
• Public systems
• Initial port scanning

16
WHOIS

• whois target-company.com_at_internic.net
• Whois Server Version 1.1
• Domain names in the .com, .net, and .org domains
  can now be registered
• with many different competing registrars. Go to
  http//www.internic.net
• for detailed information.
• Domain Name TARGET-COMPANY.COM
• Registrar NETWORK SOLUTIONS, INC.
• Whois Server whois.networksolutions.com
• Referral URL www.networksolutions.com
• Name Server NS1.TARGET-COMPANY.COM
• Name Server NS2.TARGET-COMPANY.COM
• Updated Date 06-dec-1999
• gtgtgt Last update of whois database Mon, 20 Mar 00
  033514 EST ltltlt

17
Traceroute

• traceroute ns1.target-company.com
• traceroute to ns1.target-company.com
  (xxx.xx.xx.xx), 30 hops max, 40 byte packets
• 1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms
  0.875 ms
• 2 s1-0-1-access (209.197.224.69) 4.816 ms
  5.275 ms 3.969 ms
• 3 dallas.tx.core1.fastlane.net (209.197.224.1)
  4.622 ms 9.439 ms 3.977 ms
• 4 atm8-0-024.CR-1.usdlls.savvis.net
  (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
• 5 Serial1-0-1.GW1.DFW1.ALTER.NET
  (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
• 6 103.ATM3-0.XR2.DFW4.ALTER.NET
  (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
• 7 152.63.96.85 (152.63.96.85) 10.565 ms
  25.423 ms 25.369 ms
• 8 dfw2-core2-pt4-1-0.atlas.digex.net
  (206.181.125.153) 13.289 ms 10.585 ms
• 17.173 ms
• 9 dfw2-core1-fa8-1-0.atlas.digex.net
  (165.117.52.101) 44.951 ms 241.358 ms
• 248.838 ms
• 10 swbell-net.demarc.swbell.net (206.181.125.10)
  12.242 ms 13.821 ms 27.618 ms
• 11 ded2-fa1-0-0.rcsntx.swbell.net
  (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
• 12 target-company-818777.cust-rtr.swbell.net
  (151.164.x.xxx) 52.104 ms 24.306
• ms 17.248 ms
• ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms
  24.383 ms 27.489 ms

18
Traceroute

• traceroute ns2.target-company.com
• traceroute to ns2.target-company.com
  (xxx.xx.x.x), 30 hops max, 40 byte packets
• 1 fw-gw (209.197.192.1) 1.770 ms 2.993 ms
  0.892 ms
• 2 s1-0-17-access (209.197.224.73) 15.440 ms
  13.571 ms s1-0-1-access (209.197
• .224.69) 4.896 ms
• 3 dallas.tx.core1.fastlane.net (209.197.224.1)
  3.929 ms 6.251 ms 15.821 ms
• 4 FE-0.core2.fastlane.net (209.197.224.66)
  20.674 ms 15.367 ms 16.170 ms
• 5 hs-9-0.a09.dllstx01.us.ra.verio.net
  (204.214.10.113) 5.514 ms 14.367 ms 8
• .203 ms
• 6 ge-5-0-0.a10.dllstx01.us.ra.verio.net
  (199.1.141.10) 8.019 ms 20.183 ms 1
• 6.466 ms
• 7 g6-0.dfw2.verio.net (129.250.31.49) 16.513
  ms 17.351 ms 6.854 ms
• 8 core4-atm-uni0-0-0.Dallas.cw.net
  (204.70.10.77) 24.335 ms 16.087 ms 17.60
• 5 ms
• 9 core2-fddi-0.Dallas.cw.net (204.70.114.49)
  6.875 ms 14.039 ms 14.483 ms
• 10 border6-fddi-0.Dallas.cw.net (204.70.114.66)
  146.605 ms 21.045 ms 110.419
• ms
• 11 target-company-inet.Dallas.cw.net
  (204.70.xxx.xxx) 83.331 ms 34.530 ms 21
• .363 ms

19
DNS Zone Dump

• nslookup
• Default Server vortex.fastlane.net
• Address 209.197.192.7
• gt server ns1.target-company.com
• Default Server ns1.target-company.com
• Address xxx.xx.xx.xx
• gt ls -a TARGET-COMPANY.COM gt dump.txt
• ns1.target-company.com
• 
  
• 
  
• 
  
• 
  
• 
  
• 
  
• 
  
• 
  
• 
  

20
Host Enumeration

• ./icmpenum -i 2 -c xxx.xx.218.0
• xxx.xx.218.23 is up
• xxx.xx.218.26 is up
• xxx.xx.218.52 is up
• xxx.xx.218.53 is up
• xxx.xx.218.58 is up
• xxx.xx.218.63 is up
• xxx.xx.218.82 is up
• xxx.xx.218.90 is up
• xxx.xx.218.92 is up
• xxx.xx.218.96 is up
• xxx.xx.218.118 is up
• xxx.xx.218.123 is up
• xxx.xx.218.126 is up
• xxx.xx.218.130 is up
• xxx.xx.218.187 is up
• xxx.xx.218.189 is up
• xxx.xx.218.215 is up
• xxx.xx.218.253 is up

21
Public Systems

• www.target-system.com
• www2, www3
• ftp.target-system.com
• mail.target-system.com

22
Scanning

• nmap -O -T Polite -n xxx.xx.17.11
• Starting nmap V. 2.3BETA14 by fyodor_at_insecure.org
  ( www.insecure.org/nmap/ )
• Interesting ports on (xxx.xx.17.11)
• Port State Protocol Service
• 21 open tcp ftp
  
• 23 open tcp telnet
  
• 25 open tcp smtp
  
• 79 open tcp finger
  
• 110 open tcp pop-3
  
• 113 open tcp auth
  
• 143 open tcp imap2
  
• TCP Sequence Prediction Classtruly random
• Difficulty9999999 (Good
  luck!)
• Remote operating system guess Linux 2.0.35-37
• Nmap run completed -- 1 IP address (1 host up)
  scanned in 625 seconds

23
More Scanning

• nmap -F -sS -v -v -n firewall.target-system.com
• Starting nmap V. 2.3BETA14 by fyodor_at_insecure.org
  ( www.insecure.org/nmap/ )
• Host (xxx.xx.49.17) appears to be up ... good.
• Initiating SYN half-open stealth scan against
  (xxx.xx.49.17)
• Adding TCP port 189 (state Firewalled).
• The SYN scan took 270 seconds to scan 1047 ports.
• Interesting ports on (xxx.xx.49.17)
• Port State Protocol Service
• 139 filtered tcp netbios-ssn
  
• 161 filtered tcp snmp
  
• 189 filtered tcp qft
  
• 256 filtered tcp rap
  
• 257 filtered tcp set
  
• 258 filtered tcp yak-chat
  
• Nmap run completed -- 1 IP address (1 host up)
  scanned in 273 seconds

24
Network Mapping
cw
swb
Internet Routers
25
Network Mapping
cw
swb
Internet Routers
26
Network Mapping
VPN
cw
Firewall
swb
DMZ
Internet Routers
27
Network Mapping
VPN
cw
Firewall
www
swb
ftp
DMZ
Internet Routers
28
Network Mapping
VPN
cw
Firewall
www
swb
ftp
DMZ
Internet Routers
29
Network Mapping
VPN
NT
cw
Firewall
Linux
www
Sun
swb
ftp
Hosts Inside
DMZ
Internet Routers
30
Network Mapping
Checkpoint Firewall-1 Nortel VPN xxx.xx.22. 7
VPN
NT
cw
Nortel CVX1800 151.164.x.xxx
Firewall
Linux
IDS?
Checkpoint Firewall-1 Solaris 2.7 xxx.xx.49.17
www
AIX 4.2.1 xxx.xx.48.1
Sun
swb
ftp
Cisco 7206 204.70.xxx.xxx
Linux 2.0.38 xxx.xx.48.2
Hosts Inside
DMZ
Internet Routers
31
Basic Distributed Attack Models

• Attacks that do not require direct observation of
  the results
• Attacks that require the attacker to directly
  observe the results

32
Basic Model
Client
Server
Agent
Issue commands
Processes commands to agents
Carries out commands
33
More Advanced Model
Forged ICMP Timestamp Requests
Target
Attacker
Sniffed Replies
ICMP Timestamp Replies
34
Even More Advanced Model
F i r e w a l l
Target
35
Even More Advanced Model
F i r e w a l l
Target
Upstream Host
36
Even More Advanced Model
Attack Node
F i r e w a l l
Attack Node
Target
Attack Node
Master Node
Upstream Host
37
Even More Advanced Model
Attack Node
F i r e w a l l
Attack Node
Attacks or Probes
Target
Attack Node
Master Node
Upstream Host
38
Even More Advanced Model
Attack Node
F i r e w a l l
Attack Node
Attacks or Probes
Target
Attack Node
Master Node
Replies
Upstream Host
39
Even More Advanced Model
Attack Node
F i r e w a l l
Attack Node
Attacks or Probes
Target
Attack Node
Master Node
Sniffed Replies
Replies
Upstream Host
40
Even More Advanced Model
Attack Node
F i r e w a l l
Attack Node
Attacks or Probes
Target
Attack Node
Master Node
Sniffed Replies
Replies
Upstream Host
41
(Mostly) Free Stuff

• HackerShield RapidFire Update 208
• With SANS Top Ten checks, including comprehensive
  CGI scanner
• http//www.bindview.com/products/hackershield/inde
  x.html
• VLAD the Scanner
• Freeware open-source security scanner, including
  same CGI checks as HackerShield
• Focuses only on SANS Top Ten
• http//razor.bindview.com/tools/index.shtml
• Despoof
• Detects possible spoofed packets through active
  queries against suspected spoofed IP address
• http//razor.bindview.com/tools/index.shtml

42
Questions, etc.

• Thanks to
• Ofin Arkin
• Donald McLachlan
• For followup
• http//www.nmrc.org/
• http//razor.bindview.com/
• thegnome_at_nmrc.org
• thegnome_at_razor.bindview.com