
Chapter 3 Network analysis access


DOCUMENT INFORMATION

Pages: 61
Size: 3.21 MB

Contents


 

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

I Introduction of Network Security Assessment

II Footprinting and Reconnaissance

III Scanning Networks

IV Assessing network services


 

Nguyen Thi Thanh Van - Faculty of IT (Khoa CNTT), 17/05/2017

 Network security assessment (goals):
o to identify and categorize your risks
o is an integral part of any security life cycle
o understand the security techniques of the network, to execute security policy and incident response procedures
o to protect networks and data from determined attacks


 Vulnerability scanning uses automated systems
o ensure that no obvious vulnerabilities exist
 Network security assessment
o giving practical advice that can improve a company’s security
 Web application testing
 Full-blown penetration testing
 Onsite auditing:
o provides the clearest picture of network security


 Identify IP networks and hosts of interest
 Majority network scanning and probing to identify potentially vulnerable hosts
 Investigation of vulnerabilities and further network probing by hand
 Exploitation of vulnerabilities and circumvention (avoidance) of security mechanisms

 Virtualization Software: VMWare, PCVirtual
 Operating Systems: Windows, Linux…
 Supported Tools


Phases (diagram): Footprinting, Scanning Networks, Gaining access, Maintaining access, Covering tracks, Report
Footprinting: Whois, NSLookup, Search engines, Social Networking Sites
Scanning and Enumeration: Computers, Ports, Application Services
Gaining access: Buffer Overflow, Spoofing, Hijacking, Password Cracking
Maintaining access
Covering tracks: Clearing Logs, Planting Rootkits


 Threats Introduced by Footprinting

 The Footprinting Process

 Footprinting Tools


 Footprinting:
o is a method of observing and collecting information about a potential target with the intention of finding a way to attack the target
o looks for information and later analyzes it for weaknesses or potential vulnerabilities
 Footprinting results:
o a unique organization profile with respect to networks (Internet/intranet/extranet/wireless) and systems involved


 Footprinting generally needs the following steps to ensure proper information retrieval:
1 Collect information about a target: host and network
2 Determine the OS of the web server and web application data
3 Query sources such as Whois, DNS, network, and organizational records
4 Locate existing or potential vulnerabilities or exploits that exist in the current infrastructure
=> helpful for launching later attacks.


 Unearth initial information

 Locate the network range

 Ascertain active machines

 Discover open ports/access points

 Detect operating systems

 Uncover services on ports

 Map the network

Social Engineering: ask to get information
Network and System Attacks: gather information relating to an environment’s system configuration and operating systems
Information Leakage: victims of data and other company secrets slipping out the door and into the wrong hands
Privacy Loss: access to a system can compromise not only the security of the system, but the privacy of the information stored on it as well


 Using Search Engines: obtain web server version, IP address, subnet data, OS information (Netcraft), URL, subdomain…
 Location and Geography: Google Earth/Map
 Social Networking and Information Gathering: Fb, Twitter…
 Financial Services and Information Gathering
 The Value of Job Sites
 Working with E-mail
 Competitive Analysis: The reports created through competitive analysis
 Google Hacking: it is possible to fine-tune results to obtain items such as passwords, certain file types, sensitive folders, configuration data, and other data.
 Gaining Network Information: Whois, Tracert
 Social Engineering: The Art of Hacking Humans


 Using www.dnsstuff.com, you can extract DNS information such as:
• Mail server extensions
• IP addresses


 Necrosoft Advanced DIG (ADIG) is a TCP-based DNS client that supports most of the available options, including AXFR zone transfer
 SpiderFoot is a free, open-source, domain footprinting tool which will scrape the websites on that domain, as well as search Google, Netcraft, Whois, and DNS to build up information like:
• Subdomains
• Affiliates
• Web server versions
• Users (i.e. /user)
• Similar domains
• Email addresses
• Netblocks


 E-mail spiders pick tons of e-mail addresses from searching the Internet
Tools:
• Web Data Extractor
• 1st E-mail Address Spider


 Find companies’ external and internal URLs

 Perform whois lookup for personal details

 Extract DNS information

 Mirror the entire website and look up names

 Extract archives of the website

 Google search for company’s news and press releases

 Use people search for personal information of employees

 Find the physical location of the web server using the tool


• services running on each computer

 The various types of scanning are as follows:


 Port Scanning
o attempting to break into a computer to learn about the computer’s network services
 Network Scanning
o A procedure for identifying active hosts on a network
 Vulnerability Scanning
o The automated process of proactively identifying vulnerabilities of computing systems present in a network

 To detect the live systems running on the network
 To discover which ports are active/running
 To discover the operating system running on the target


 War dialing involves the use of a program in conjunction with a modem to penetrate the modem-based systems of an organization by continually dialing in
 Companies do not control the dial-in ports as strictly as the firewall, and machines with modems attached are present everywhere
 A tool that identifies the phone numbers that can successfully make a connection with a computer modem
 It generally works by using a predetermined list of common user names and passwords in an attempt to gain access to the system


 It is a type of War Dialer that scans a defined range of phone numbers
 attempts and notify the administrator immediately upon being called, or upon being connected to, via an email message, pager or via HTTP POST to a web server
 Conditions that can be configured to generate notification messages include:
o Incoming Caller ID
o Login attempt


 It is found out which hosts are up in a network by pinging them all
 It can be run in parallel so that it runs fast
 It can also be helpful to tweak the ping timeout value with the -t option
 Tools:
o ping <target> [option]
o Angry IP: for Windows


 Three Way Handshake, TCP flags

 Types of Scans


 The systems involved initiated and completed the three-way handshake
 The advantage:
o you have positive feedback that the host is up and the connection is complete
 Downside (disadvantage):
o it is confirmed that you as the scanning party are there


 all the flags are set except PSH
 Having all the flags set creates an illogical or illegal combination, and the receiving system has to determine what to do:
o Drop (old sys)
 NMAP: nmap -sX -v <target IP>


 The attacker sends frames to the victim with the FIN flag set.
 The victim’s response depends on whether the port is open or closed:
o if a FIN is sent to an open port there is no response,
o but if the port is closed the victim returns an RST
 NMAP: nmap -sF <target IP address>


 The attacker sends frames to the victim with no flag set
 The victim’s response depends on whether the port is open or closed:
o if a FIN is sent to an open port there is no response,
o if the port is closed the victim returns an RST
 NMAP: nmap -sN <target IP address>
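The following is an added example and not part of the lecture slides: Python that names a probe from its TCP flag byte, models the reply an unfiltered host gives to each probe for an open versus a closed port (the FIN/NULL rule above, plus SYN and ACK probes), and runs that classifier over a constructed packet log to flag sources behaving like stealth scanners. It uses Nmap's definition of the Xmas probe (FIN, PSH and URG set); the addresses, log lines and alert thresholds are constructed assumptions.

```python
from collections import Counter

# TCP flag bits, low to high, as they sit in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Name the scan type a lone probe packet with these flags corresponds to.
    XMAS follows Nmap's -sX probe (FIN|PSH|URG); this is an assumption, the
    slides describe a different flag combination."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    if flags & SYN and flags & ACK:
        return "SYN-ACK"
    return "OTHER"


def expected_reply(scan: str, port_open: bool) -> str:
    """Reply an unfiltered RFC 793 host gives. Open ports silently drop
    FIN/NULL/Xmas probes; closed ports answer every probe with RST."""
    if scan in ("FIN", "NULL", "XMAS"):
        return "none" if port_open else "RST"
    if scan == "SYN":
        return "SYN-ACK" if port_open else "RST"
    if scan == "ACK":
        return "RST"  # open or closed: an unsolicited ACK always draws RST
    return "unknown"


# Constructed packet log (source IP, destination port, TCP flags); not a capture.
SAMPLE_LOG = [
    ("198.51.100.7", 22, SYN),
    ("198.51.100.7", 80, SYN),
    ("198.51.100.7", 443, 0),
    ("198.51.100.7", 25, 0),
    ("198.51.100.7", 21, FIN | PSH | URG),
    ("203.0.113.9", 443, SYN),
    ("203.0.113.9", 443, ACK),
]


def detect_scanners(packets, stealth_threshold=3, port_threshold=10):
    """Return {source: reason} for sources sending many stealth probes
    (NULL/FIN/Xmas never open a legitimate conversation) or bare SYNs to
    many distinct ports. Thresholds are assumed values to tune per site."""
    stealth = Counter()
    syn_ports = {}
    for src, port, flags in packets:
        kind = classify_probe(flags)
        if kind in ("NULL", "FIN", "XMAS"):
            stealth[src] += 1
        elif kind == "SYN":
            syn_ports.setdefault(src, set()).add(port)
    alerts = {}
    for src, n in stealth.items():
        if n >= stealth_threshold:
            alerts[src] = f"{n} stealth probes (NULL/FIN/Xmas)"
    for src, ports in syn_ports.items():
        if len(ports) >= port_threshold and src not in alerts:
            alerts[src] = f"SYN probes to {len(ports)} distinct ports"
    return alerts


if __name__ == "__main__":
    for src, why in detect_scanners(SAMPLE_LOG).items():
        print(f"{src}: {why}")
```

A stateful firewall or IDS applies the same rule from the other side: a segment that starts a conversation with no SYN, or with a FIN/NULL/Xmas combination, has no legitimate origin, so counting such probes per source is a cheap and reliable scan detector.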

 IDLE Scan: allows for completely blind port scanning
 Attackers can actually scan a target without sending a single packet to the target from their own IP address
 One way to determine whether a port is open is:
o to send a "SYN" packet to the port. The target machine will:
• send back a "SYN|ACK" packet if the port is open,
• and an "RST" packet if the port is closed.
o A machine which receives an undesirable SYN|ACK packet will respond with an RST. An undesirable RST will be ignored
 Every IP packet on the Internet has a "fragment identification"


 Choose a "zombie" and probe for its current IPID number
 Send SYN packet to target machine spoofing the IP address of the “zombie”


 The target will send RST to the “zombie” if port is closed; the zombie will not send anything back
 Probe “zombie" IPID again
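Added example (not from the slides): a simulation of the three idle-scan steps above against a software zombie, so the IP ID arithmetic can be checked without sending any packet. The Zombie class, its counter start value and the non-sequential generator are constructed assumptions; ipid_is_sequential is the check a defender can run over IP IDs observed from their own hosts to see whether any of them would make a usable zombie.

```python
class Zombie:
    """Simulated host used as an idle-scan zombie. With sequential=True it
    assigns IP IDs from one global counter, incremented once per packet it
    sends; that predictability is what the technique relies on."""

    def __init__(self, start=1000, sequential=True):
        self.ipid = start
        self.sequential = sequential

    def send(self) -> int:
        """The zombie emits one packet and returns the IP ID it used."""
        if self.sequential:
            self.ipid = (self.ipid + 1) & 0xFFFF
        else:
            # Constructed stand-in for a host that randomises IP IDs
            # (a linear congruential step, deterministic for the demo).
            self.ipid = (self.ipid * 40503 + 12345) & 0xFFFF
        return self.ipid

    def receive(self, segment: str) -> None:
        """An unsolicited SYN|ACK makes the zombie answer RST (one packet);
        an unsolicited RST is dropped silently, so no IP ID is consumed."""
        if segment == "SYN-ACK":
            self.send()


def target_reply(port_open: bool) -> str:
    """The target answers a SYN with SYN|ACK (open) or RST (closed)."""
    return "SYN-ACK" if port_open else "RST"


def idle_scan_port(zombie: Zombie, port_open: bool) -> str:
    """The three slide steps; the target's reply reaches the zombie because
    the SYN carried the zombie's address."""
    before = zombie.send()                    # 1. probe zombie: IP ID +1
    zombie.receive(target_reply(port_open))   # 2. spoofed SYN, reply hits zombie
    after = zombie.send()                     # 3. probe zombie again: IP ID +1
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unusable zombie (IP ID not sequential)"


def ipid_is_sequential(observed) -> bool:
    """Defender-side check over IP IDs seen from one host, in order: strictly
    consecutive values (mod 2**16) mean the host could serve as a zombie."""
    return all(((b - a) & 0xFFFF) == 1 for a, b in zip(observed, observed[1:]))


if __name__ == "__main__":
    print("open port  ->", idle_scan_port(Zombie(), True))
    print("closed port->", idle_scan_port(Zombie(), False))
    print("random IPID->", idle_scan_port(Zombie(sequential=False), False))
```

The last line of the demo is the mitigation in one step: a host whose IP ID field is randomised (or zero for unfragmented packets) yields a meaningless delta, so it cannot be used as a zombie, and the same check flags the hosts on your own network that still use a global counter.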


 It is a modification of earlier methods
 The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend (plan) to do

 Identify open TCP ports by:
o analyzing the header information of the RST packets received
 exploits vulnerabilities in certain OSs and platforms
 There are 2 main ACK scanning techniques that involve:
o Analysis of the time-to-live (TTL) field of received packets
 test whether any filtering is being done on a port


 the UDP packets and ICMP responses generated by hosts when ports are open and closed.
root users
(Figure: "Send UDP probe"; an inverse UDP scan result when a port is closed, and when a port is open)

 Global Network Inventory Scanner

 Net Tools Suite Pack


 Some of the scan methods used by Nmap:
o Xmas tree: The attacker checks for TCP services by sending "Xmas-tree" packets
o SYN Stealth: It is referred to as "half open" scanning, as a full TCP connection is not opened
o through firewalls unmolested
 -sU (UDP scans)
 -sO (Protocol Scan)
 -sI (Idle Scan)
 -sA (Ack Scan)


 OS Fingerprinting
o is the method to determine the operating system that is running on the target system
 The two different types of fingerprinting are:
o Active stack fingerprinting
 The firewall logs your active banner grabbing scan since you are probing directly


 Passive banner grabbing refers to indirectly scanning a system to reveal its server’s operating system
 It is also based on the differential implementation of the stack and the various ways an OS responds to it
 It uses sniffing techniques instead of scanning


 You might want to try these additional GET requests for banner grabbing.
 Take a look at the GET REQUESTS KNOWN_TESTS.htm file
 Apache Server: users can use a simple directive in their httpd.conf file to change banner information:
Header set Server "New Server Name"
o Apache 1.3.x users have to edit defines in httpd.h and recompile Apache to get the same result
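Added example, not the lecture's or Apache's code: a Python check that parses raw HTTP response headers and reports those that disclose product or version strings, run against a constructed verbose response and against the minimal banner the `Header set Server` directive above produces. The header list and the version regular expression are assumptions.

```python
import re

# Constructed HTTP responses for the demo: one verbose, one after hardening.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu) PHP/5.5.9 OpenSSL/1.0.1f\r\n"
    "X-Powered-By: PHP/5.5.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: New Server Name\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# product/version token such as Apache/2.4.7 or PHP/5.5.9
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")
# headers that commonly reveal the server stack (assumed list)
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "via")


def parse_response_head(raw: str):
    """Split a raw HTTP response into (status line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def banner_findings(raw: str):
    """Return [(header, value, reason)] for headers that leak product or version."""
    _, headers = parse_response_head(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_TOKEN.search(value):
            findings.append((name, value, "version string disclosed"))
        elif name != "server":
            findings.append((name, value, "technology disclosed"))
    return findings


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, banner_findings(raw))
```

Apache also provides `ServerTokens Prod` and `ServerSignature Off` to trim what the core itself emits, and the `Header` directive needs mod_headers loaded; whichever route is taken, re-running a check like this against the live server is how to confirm the banner actually changed.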


 It modifies the web server's "fingerprint" by removing unnecessary HTTP response data, modifying cookie values and adjusting other response information
identity of server


 identify problems and holes in operating systems and applications
 Operation: checking coding, ports, variables, banners, and many other potential problem areas
 victims can use vulnerability scanning to find out:
o if there is a possibility of being successfully attacked and
o what needs to be fixed to remove the vulnerability
 can check entire operating environments, including networks and virtual machines.
 if they don’t find those issues then they may leave the false impression that there are no problems.
o Therefore, it is wise to verify the results of these applications

 Bidiblah automates footprinting, DNS enumeration, banner grabbing, port scanning, and vulnerability assessment into one single program
 This tool is based on the following methodology:


 Nessus is a vulnerability scanner, which looks for bugs in
o Client-server architecture
 Provides information about the software, hardware, and network topologies
 attacker needs Perl 5 and a C compiler installed on the system, at least 20MB of disk space


 to help you fully visualize the network environment and start getting a clearer picture of what the network looks like
 you can clearly see holes and deficiencies that can be exploited.
 Tools:


 A network management tool that can be used for detecting OS, mapping, finding out the list of services running on a network, generalized port scanning, and so on.
 A powerful tool for network administration: monitoring
 It can be used for pinging all devices in parallel at once and for assigning external commands (like telnet, tracert, net.exe) to devices


 perform several functions
■ Filtering traffic in and out of the network


 SSLproxy is a transparent proxy that can translate between encrypted and unencrypted data transport on socket connections
 It also has a non-transparent mode for automatic encryption-detection on netbios
When should I use SSLProxy?
o launch an attack on a remote server which has SSL installed
o The exploits you send will be caught by the IDS and you want to mask this detection
o Run SSLproxy on your machine and tunnel all the exploits through this proxy, which will use SSL to transmit the packets to the remote server, blinding the IDS
(Figure: Exploits, SSLProxy, Internet, IDS, SSLProxy)


(Figure: all ports are blocked)
 HTTPort (client) and HTTHost (server) are free tools which can be used to tunnel any TCP traffic through the HTTP protocol
 Visit http://www.htthost.com for more information
 It is a free open source tool. Source code is available on the Internet


 IP Spoofing
address to another IP spoofed address (not to the attacker’s real address)
 attacker must inject himself into the path that traffic would normally take, to get from the destination machine back to the source
 Source routing:
o specify the path a packet will take through the Internet
o is built into the TCP/IP protocol suite
o works by using a 39-byte source route option field in the IP header


 There are 2 types of source routing:
o Loose source routing (LSR)
– The sender specifies a list of IP addresses that the traffic or packet must go through
o Strict (exact) source routing (SSR)
– The sender specifies the exact path that the packet must take
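Added example (not from the slides): a parser for the IPv4 source route options described above, returning the LSRR/SSRR hop lists carried in a raw header, together with the drop decision a border filter normally takes for any source-routed packet. The packets are constructed with a small header builder; the addresses come from documentation ranges and are not real hosts.

```python
import struct
import ipaddress

# IPv4 option type bytes (copied flag + class + number)
EOL, NOP, LSRR, SSRR = 0x00, 0x01, 0x83, 0x89


def source_route_options(header: bytes):
    """Return [(kind, pointer, [hop addresses])] for every LSRR/SSRR option
    in an IPv4 header; [] when the packet is not source routed."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL")
    found = []
    i = 20                       # options start after the fixed 20-byte header
    while i < ihl:
        opt = header[i]
        if opt == EOL:
            break
        if opt == NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        if opt in (LSRR, SSRR):
            # type, length, pointer, then a list of 4-byte addresses
            if length < 3 or (length - 3) % 4:
                raise ValueError("malformed source route option")
            pointer = header[i + 2]
            hops = [str(ipaddress.IPv4Address(header[j:j + 4]))
                    for j in range(i + 3, i + length, 4)]
            found.append(("LSRR" if opt == LSRR else "SSRR", pointer, hops))
        i += length
    return found


def should_drop(header: bytes) -> bool:
    """Policy most border filters apply: discard any source-routed packet,
    since the option lets a sender steer the return path past the normal route."""
    return bool(source_route_options(header))


def build_header(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (TTL 64, protocol TCP, checksum left zero) with
    the given option bytes padded to a 32-bit boundary. Demo helper only."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    base = struct.pack(
        "!BBHHHBBH4s4s",
        0x40 | ihl, 0, 20 + len(options), 0x1234, 0, 64, 6, 0,
        ipaddress.IPv4Address("198.51.100.7").packed,
        ipaddress.IPv4Address("192.0.2.10").packed,
    )
    return base + options


# LSRR option: type, length 11, pointer 4, then two hop addresses (constructed)
LSRR_OPTION = (bytes([LSRR, 11, 4])
               + ipaddress.IPv4Address("203.0.113.1").packed
               + ipaddress.IPv4Address("203.0.113.2").packed)
PLAIN_PACKET = build_header()
ROUTED_PACKET = build_header(LSRR_OPTION)

if __name__ == "__main__":
    print("plain :", source_route_options(PLAIN_PACKET), should_drop(PLAIN_PACKET))
    print("routed:", source_route_options(ROUTED_PACKET), should_drop(ROUTED_PACKET))
```

The parser is strict about lengths on purpose: a malformed option raises instead of being silently skipped, so a filter built on it fails closed rather than letting an oddly encoded source route through.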

 When an attacker is spoofing packets, he is usually at a different location than the address being spoofed
 Attacker's TTL will be different from the spoofed address' real TTL
(Figure: TTL doesn't match)
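Added example, not from the slides: a TTL consistency check implementing the observation above. It learns each source's probable initial TTL and hop distance from traffic that completed a handshake (hard to spoof blindly) and then flags later packets from the same address whose implied stack or distance disagrees. The sample packets, the initial-TTL table and the tolerance are assumptions.

```python
# Initial TTLs most IP stacks use; the value seen drops by one per router hop
INITIAL_TTLS = (32, 64, 128, 255)


def infer_ttl(observed: int):
    """Return (probable initial TTL, hop distance) for an observed TTL:
    the smallest common initial value not below what was seen."""
    if not 0 < observed <= 255:
        raise ValueError("TTL out of range")
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed


def learn_baseline(established):
    """Baseline {src: (initial TTL, hops)} taken from the first packet of
    each source in traffic that completed a three-way handshake."""
    baseline = {}
    for src, ttl in established:
        baseline.setdefault(src, infer_ttl(ttl))
    return baseline


def ttl_anomalies(packets, baseline, tolerance=2):
    """Flag packets whose implied stack (initial TTL) differs from the
    baseline, or whose hop distance moves by more than `tolerance` (assumed
    value; routing changes legitimately shift it by a hop or two)."""
    alerts = []
    for src, ttl in packets:
        if src not in baseline:
            continue
        initial, hops = infer_ttl(ttl)
        base_initial, base_hops = baseline[src]
        if initial != base_initial or abs(hops - base_hops) > tolerance:
            alerts.append((src, ttl, (initial, hops), (base_initial, base_hops)))
    return alerts


# Constructed samples: (source IP, TTL as seen at our border)
ESTABLISHED = [("192.0.2.10", 52), ("192.0.2.10", 53)]
SUSPECT = [
    ("192.0.2.10", 51),     # 13 hops from a 64-TTL stack: consistent
    ("192.0.2.10", 40),     # 24 hops: far from the 12-hop baseline
    ("192.0.2.10", 115),    # implies initial 128: a different stack claims this address
    ("198.51.100.3", 240),  # no baseline for this source, ignored
]

if __name__ == "__main__":
    for alert in ttl_anomalies(SUSPECT, learn_baseline(ESTABLISHED)):
        print("TTL mismatch:", alert)
```

The check is a heuristic, not proof: asymmetric routing or a sender behind several NATs can move the hop count, which is why the baseline comes only from completed handshakes and why a tolerance is applied before alerting.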


 The firewall:
o should be good enough to detect the probes of an attacker
o should carry out stateful inspection, with it having a specific rule set
o should be used to find out the OS detection method used by some tools (Nmap)
 Only necessary ports should be kept open (the rest should be filtered)
 All sensitive information that is not to be disclosed to the public over the Internet should not be displayed

~ Secure Filtering, Monitoring, and Access Control
~ SentryPC enables you to control, restrict and monitor access and usage of your PC
~ Features:
• Complete Time Management
• Application Scheduling and Filtering
• Website Filtering
• Chat Filtering
• Keystroke Filtering
• Powerful Security Features
• Protects your Users

Posted: 26/10/2018, 16:39
