CSF3203 Intrusion Detection and Ethical Hacking (Chapter 7) - Higher Colleges of Technology
Higher Colleges of Technology
Dr. Samer Aoudi
Summary
This document is a chapter from a course on intrusion detection and ethical hacking. It covers network, port and vulnerability scanning and enumeration techniques, the tools used for them (ping tools, hping3, nmap, Nessus, nbtstat, PsTools, net view), and countermeasures against scanning.
Full Transcript
CSF3203 Intrusion Detection and Ethical Hacking
Chapter 7: Scanning and Enumeration (CLO2, 4, 5)

Slide 1: Credits and Revision Control
Change description: Existing material is revised and updated; related lab activities are updated
Change level: Minor

Version | Author | Effective Date | Change Description | DRC No
1.0 | Unknown | NA | Define the first version | 001
1.1 | Dr. Samer Aoudi | Fall 2022 (Aug 2022) | Revise the first version | 002

Slide 2: Chapter Learning Objectives
Upon completing this chapter, students will be able to:
- Discuss the objectives and types of scanning in pentesting
- Identify various scanning and enumeration techniques
- Discuss enumeration and enumeration techniques
- Implement vulnerability scanning against virtual machines
- Utilize standard scanning and enumeration tools
- Perform network and port scanning
- Perform vulnerability scanning
- Apply countermeasures against scanning techniques

Slide 3: Scanning
Now that we have collected basic information about the target network, we are ready to dig deeper by scanning the network for hosts, ports (services), and vulnerabilities.
[Figure: pentest phases: Pre-Engagement Planning & Preparation -> Info Gathering (Recon) -> Vulnerability Analysis & Detection (Scanning) -> Penetration Attempt (Gaining Access) -> Cleaning Up -> Reporting]
Scanning may lead to detecting vulnerabilities in the target system.

Slide 4: From Footprinting to Scanning
- In footprinting, we collect high-level information about the network, such as the network address range. [Figure: Amazon site report from netcraft.com]
- Scanning is more focused and allows us to get specific network information, such as the services running on a target host.

Slide 5: What is Scanning?
- Scanning is the process of discovering systems on a network, including open ports and running services (applications).
[Figure: three hosts, 10.1.1.1 (WIN10, RDP), 10.1.1.2 (LINUX, SSH) and 10.1.1.3 (WIN SERVER, APACHE)]
- Scanning yields: IP addresses and open ports of live hosts; OS and system architecture; services running on hosts.
- Scanning refers to collecting more information using complex and aggressive reconnaissance techniques: crafted packets (TCP | UDP | ICMP) are sent to the target, and the replies reveal network information.

Slide 6: Types of Scanning
1. Network Scanning: discover active hosts on a network and produce a network map (network sweeping + network tracing)
2. Port Scanning: for each discovered host, identify open ports (i.e. running services). Additionally, we can identify the version of each running service (version scanning)
3. Vulnerability Scanning: identify vulnerabilities (MBSA and Nessus)

Slide 7: Why Scanning?
- Network security assessment
- Evaluating and auditing existing security controls: firewall penetration test (policy auditing); IDS proof/evaluation
- Identifying unexpected new servers
- Identifying open ports in order to:
  - Proactively protect the network (network and security admins)
  - Attack the network (hackers)
What techniques and tools do we use?
- Ping sweeps (e.g. nping)
- Tracerouting (e.g. scapy)
- Network scans (e.g. nmap)

Slide 8: Network Scanning Process
- Step 1: Specify the target network. Examples: 192.168.1.1/24, 128.45.12.2/16, 17.122.33.1/8
- Step 2: Scan for live hosts. This is called host discovery and is typically done with a ping scan or a ping sweep (AKA network sweep). Sweep techniques: ICMP sweep, TCP sweep, UDP sweep
- Step 3: Discover the network topology. This is done using network tracing.

Slide 9: Ping (Single-Host Scan)
- A ping command sends ICMP echo requests to a single host.
- If the host is up, it returns an ICMP echo reply.
[Figure: 1. Echo Request, 2. Echo Reply; Wireshark output]

Slide 10: Ping Scan (Ping Sweep)
- Instead of sending an echo request to a single host, you can use tools to send requests to multiple hosts across a network.
- This is used to determine the live hosts within an IP range.
- Only live hosts will reply with an ICMP Echo reply.
[Figure: echo requests sent to multiple hosts]
- Attackers can create an inventory of the network.

Slide 11: Host Discovery: ICMP Sweeps
Technique:
- Send an ICMP ECHO request (ICMP type 8)
- If an ICMP ECHO reply (ICMP type 0) is received, the target is alive; no response means the target is down
Pros & cons:
- Easy to implement
- Fairly slow
- Most networks block ICMP traffic, so we don't get a response back

Slide 12: Host Discovery: TCP Sweeps
- Send TCP ACK or TCP SYN packets
- The port number can be selected to avoid being blocked by a firewall; usually a good pick would be 21 / 22 / 23 / 25 / 80
- But firewalls can spoof a RESET packet for an IP address, so TCP sweeps may not be reliable

Slide 13: Host Discovery: UDP Sweeps
- Relies on the ICMP PORT (i.e., destination) UNREACHABLE message
- When a host is active, it responds with an ICMP PORT UNREACHABLE message to say that the port is not open
- Videos: 1. https://youtu.be/K0_kHaJVcv4 2. https://youtu.be/iyqt8DHYYec 3.
Cons:
- Routers can drop UDP packets as they cross the Internet
- Many UDP services do not respond when correctly probed
- Firewalls are usually configured to drop UDP packets (except for DNS)
- The UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message

Slide 14: Ping Tools (ping; fping; nping; hping3)
There are many tools to perform ICMP scanning:
- ping 192.168.40.19
- fping 192.168.40.19
- nping --icmp 192.168.40.19
- hping3 -1 192.168.40.19
[Figure: the tool sends an ICMP Echo Request; if the host is active and responding, we receive an Echo Reply]

Slide 15: Quick Activity: Ping Tools (fping & nping)
Using the man pages in Kali Linux, get information about fping and nping and answer the following questions:
1. What protocol does fping use?
2. How does fping differ from ping?
3. What is nping and what can you do with it?

Slide 16: Network Tracing
- In ICMP, the TTL (Time To Live) field of an IP packet represents the maximum number of IP routers that the packet can go through before being dropped.
- Traceroute uses the TTL field to discover the routers on the path to a destination.
- Each router decrements the TTL by 1.
[Figure source: https://www.loriotpro.com]

Slide 17: Scanning Video Demo
Watch a video demonstrating scanning a network to discover live hosts: https://youtu.be/QTR_7ybAQcw

Slide 18: HPING3
- HPING3 is a command-line network tool able to send custom TCP/IP packets and to display target replies, as the ping program does with ICMP replies.
- If ICMP (ping) is blocked, HPING3 can be used to get information (through TCP).
- HPING3 can:
  - Scan ports using SYN, ACK and other flags (one host at a time!)
  - Discover hosts
  - Perform footprinting
  - Perform sniffing
  - Perform file transfers

Slide 19: HPING3 Modes
- HPING3 is available in Kali. Command: hping3 host [options]
- By default HPING3 uses TCP (with no flags set).
- You can change the mode using the following options:
  - -0 (Raw IP mode)
  - -1 (ICMP mode), e.g. hping3 192.168.44.36 -1
  - -2 (UDP mode), e.g. hping3 192.168.44.36 -2
  - -8 (Scan mode)
  - -9 (Listen mode), e.g. hping3 192.168.44.36 -9

Slide 20: HPING3 TCP Flags
To set a flag in HPING3, you simply specify it as an option:
- -S (SYN), e.g. hping3 192.168.44.36 -S
- -A (ACK), e.g. hping3 192.168.44.36 -A
- -R (RST)
- -F (FIN), e.g. hping3 192.168.44.36 -F
- -P (PUSH)
- -U (URG)
- -X (XMAS)
- -Y (YMAS)

Slide 21: HPING3 Port Specification
- By default, HPING3 sends packets to port 0 (destination) from a random/dynamic port (source).
- You can specify the source port with the -s option (small s; capital S is for SYN).
- You can specify the destination port with the -p option.
- Example: hping3 192.168.44.36 -S -s 44567 -p 80 (SYN from port 44567 to port 80)

Slide 22: Useful HPING3 Probes: Scan Mode
- TCP scan with no flags set, ports 20 to 25, verbose mode: hping3 192.168.135.138 -8 20-25 -V
  - Closed ports respond with RST/ACK; open ports do not respond
- The same scan with the SYN flag set: hping3 192.168.135.138 -S -8 20-25 -V
  - Closed ports respond with RST/ACK; open ports respond with SYN/ACK

Slide 23: Useful HPING3 Probes: FIN, PUSH and URG
- Set F, P and U, target port 21, count = 5 (send 5 packets): hping3 192.168.135.138 -FPU -p 21 -c 5
  - Closed ports respond with RST/ACK; open ports do not respond. Here port 21 is open.
- hping3 192.168.135.138 -FPU -p 20 -c 2: port 20 is closed

Slide 24: Useful HPING3 Probes: Listen Mode
- hping3 -9 HTTP -I eth0 > output_file
  - -9: listen mode; HTTP: intercept HTTP traffic; -I eth0: listen on this interface; > output_file: send output to this file
- To test this command, open a web browser and visit any website. Examine the output in the generated file.

Slide 25: Useful HPING3 Probes: DoS Attack
- hping3 192.168.135.138 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand
  - -c 10000: 10,000 packets; -d 120: size of each packet; -S: SYN; -w 64: TCP header window size; -p 21: target port; --flood: flood mode; --rand: from a random port
- To test this command, test the FTP service on the Metasploitable target before and during the flood. Notice that while in flood mode, hping3 does not show replies.
[Figure: non-responsive FTP service during the flood]

Slide 26: Network Scanning
- One of the very first steps in network reconnaissance is to reduce a set of IP ranges into a list of active or interesting hosts: perform host discovery to obtain the live hosts.
- After discovering live hosts, hackers want to know more about each one of these hosts: open ports and running services, the operating system, and more.

Slide 27: Port Scanning
- A port scanner is a software application designed to scan a host for open ports. Example: NMAP
- Many ISPs restrict their customers' ability to perform port scans
- Port scanning programs report: ports (open, closed, or filtered); associated services (e.g. HTTP web server); best-guess running OS

Slide 28: Computer Ports
A port is:
- An endpoint of communication
- A logical number between 0 and 65,535
- A representation of a running service (e.g. HTTP 80, POP3 110)
- There are ~1,000 common ports, i.e. default numbers; default ports can be changed
[Figure: a computer with numbered ports mapped to services such as HTTP 80 and POP3 110]
Network services:
- Provide services to other computers
- Listen on dedicated ports
- Should be reachable via a network connection
- Respond to communication requests

Slide 29: Port Scanning Overview
- Authorized users access network services using certain software applications. Examples: web browser -> web server (HTTP 80); email client -> email server (SMTP 25); command shell -> SSH server (SSH 22)
- Hackers can test if a port is open by sending specially crafted packets. Example: send a SYN packet. If the target responds with a SYN/ACK, the port is open; if the target responds with an RST packet, the port is closed.

Slide 30: Port Scanning: TCP Connect Scan
- This scan uses the basic TCP connection establishment mechanism: it completes the 3-way handshake
- Easy to detect by inspecting the system log
- By default, NMAP performs a SYN Stealth scan, which does not complete the 3-way handshake

Slide 31: Network Scanning Using NMAP
- Using NMAP, you can perform host discovery by specifying a target network or a range of IP addresses. Example: nmap 192.168.135.138/24 scans a Class-C network (i.e. 256 hosts)
- You can also target a single host: nmap 192.168.135.138 scans a single host

Slide 32: NMAP
- NMAP is a powerful network exploration tool and security/port scanner that performs the task of a network mapper and can show the services running on a computer
- Nmap is available on Kali; Zenmap is a GUI version for Windows
- Command line syntax: nmap [scan type(s)] [options] {target}
  - scan type(s): SYN; TCP Connect; Null; ...
  - target: IP, hostname, networks, etc.

Slide 33: NMAP Port States
- NMAP without any options scans 1,000 ports on the target; you can specify which ports to scan using the -p option
- NMAP reports the following port states:
  - Open: an application is actively accepting connections
  - Closed: a closed port is accessible (it receives and responds to NMAP probe packets), but there is no application listening on it
  - Filtered: NMAP can't determine if the port is open because of packet filtering (e.g. a firewall)
  - Unfiltered: the port is accessible, but NMAP is unable to determine whether it is open or closed
  - Open|Filtered: NMAP is unable to determine whether a port is open or filtered (an open port may not respond)
  - Closed|Filtered: NMAP is unable to determine whether a port is closed or filtered

Slide 34: Scan Types
- SYN Scan: nmap -sS 192.168.135.138 (stealthy scan; doesn't complete TCP connections)
- TCP Connect Scan: nmap -sT 192.168.135.138 (completes the three-way handshake)
- NULL Scan: nmap -sN 192.168.135.138 (packet flags are turned off; no flag is set)
- FIN Scan: nmap -sF 192.168.135.138 (a closed port responds with an RST packet)

Slide 35: Scan Types (continued)
- ACK Scan: nmap -sA 192.168.135.138 (used to get past a firewall)
- Xmas Scan: nmap -sX 192.168.135.138 (FIN, PSH and URG flags are set)
- UDP Scan: nmap -sU 192.168.135.138 (closed ports respond with an ICMP "Port Unreachable" message, type 3, code 3)

Slide 36: Scan Types (continued)
- Service Version: nmap -sV 192.168.135.138/24 (very powerful option that enumerates the versions of running services)
- Host Discovery: nmap -sn 192.168.135.138/24 (skip the port scan; quick host discovery)
- No Ping: nmap -Pn 192.168.135.138/24 (no host discovery; probe each host assuming it is up)
- List Scan: nmap -sL 192.168.135.138/24 (no packets are sent to the targets; quick reverse-DNS resolution of each IP address (PTR record))

Slide 37: Scan Options
- Port Specification: nmap -p 80 192.168.135.138 (single port)
- Port Range: nmap -p 20-100 192.168.135.138 (from port 20 to 100; a deep scan is from 0-65535)
- OS Fingerprinting: nmap -O 192.168.135.138 (determine the operating system)
- File Output: nmap -oN output_file 192.168.135.138 (send output to a file)

Slide 38: OS Fingerprinting (AKA Banner Grabbing)
- OS fingerprinting is the process of determining the operating system (OS) used by a host on a network; the goal is to guess the host's role and vulnerabilities
- Two types:
  - Passive: done via sniffing (e.g. error messages, TTL and window size are analyzed)
  - Active: the attacker sends a variety of malformed packets to the remote host, and the responses are compared with a database (e.g. a Null scan to an open port)

Slide 39: Banner Grabbing Countermeasures
- Whenever a port is open, it implies that a service/banner is running on it
- As a countermeasure, disable or change the banner
- Display false banners to mislead or deceive attackers
- Turn off unnecessary services on the network host to limit information disclosure

Slide 40: From Scanning to Vulnerability Detection
[Figure: Scan a network (discover live hosts) -> Scan a host (discover ports & services) -> What next?]

Slide 41: Vulnerability Detection
- Some (i.e., not necessarily all) of the discovered services may be vulnerable (web server, DB server, mail server)
- Footprint these discovered services to obtain additional information such as the version, and use this information to discover vulnerabilities, if any

Slide 42: Vulnerability Databases
- A tool like NMAP allows you to get a lot of information about running services on the target
- Research the discovered services using vulnerability databases such as CVE Details

Slide 43: Common Vulnerabilities and Exposures (CVE)
- CVE® is a "list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities." Source: https://cve.mitre.org/
- National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/search
- CVE Details: https://www.cvedetails.com/

Slide 44: Searchable Exploit Database (Kali)
- SearchSploit: Exploit Database archive search
- man searchsploit

Slide 45: Vulnerability Scanning
- Auditors and security analysts may use automated vulnerability scanning tools such as Nessus
- Vulnerability-scanning software scans the computer against the Common Vulnerabilities and Exposures (CVE) index
- Human judgement is still needed to analyze the results
- Nessus is a vulnerability assessment tool that automates vulnerability scanning

Slide 46: Scanning Countermeasures
Ping sweep countermeasures:
- Configure the firewall to detect and prevent ping sweep attempts instantaneously
- Use an IDS and IPS such as Snort to detect and prevent ping sweep attempts
Port scanning countermeasures:
- Configure firewalls, IDS, and IPS to detect and block probes
- Use custom rules to lock down the network and block unwanted ports. The firewall should be able to examine the data contained in each packet before allowing the traffic to pass through it
- Run port scanning tools to determine whether the firewall accurately detects the port scanning activities
- Security experts should ensure the proper configuration of anti-scanner and anti-spoofing rules
- Security experts of an organization must also ensure that the IDS, routers, and firewall firmware are updated to their latest releases
- Block unwanted services running on the ports and update the service versions
- Ensure that the versions of services running on the ports are non-vulnerable

Slide 47: Enumeration
- Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network
- To perform enumeration, an attacker creates active connections with the system and sends directed queries to gain more information about the target, including:
  - Network resources
  - Network shares
  - Routing tables
  - Audit and service settings
  - SNMP and fully qualified domain name (FQDN) details
  - Machine names
  - Users and groups
  - Applications and banners

Slide 48: Enumeration Techniques (1 of 2)
- Extract usernames using email IDs: every email address contains two parts, a username and a domain name, in the format "username@domainname"
- Extract information using default passwords: many online resources provide a list of default passwords assigned by manufacturers to their products. Users often ignore recommendations to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases an attacker's task of enumerating and exploiting the target system.
- Brute force Active Directory: there is a design error in the Microsoft Active Directory implementation. If a user enables the "logon hours" feature, then all the attempts at service authentication result in different error messages. Attackers take advantage of this to enumerate valid usernames. An attacker who succeeds in extracting valid usernames can conduct a brute-force attack to crack the respective passwords.

Slide 49: Enumeration Techniques (2 of 2)
- Extract information using DNS zone transfer: covered in a previous chapter
- Extract user groups from Windows: the attacker can extract information from groups in which a registered user is a member by using the Windows interface or command-line method
- Extract usernames using SNMP: attackers can easily guess read-only or read-write community strings by using the SNMP application programming interface (API) to extract usernames

Slide 50: SNMP Enumeration Video Demo
Watch a video demonstrating enumerating username/password using SNMP: https://youtu.be/zYqSOcbVZ4k

Slide 51: Services and Ports Enumeration
There are several services and ports that provide enumeration opportunities:
- TCP/UDP 53: DNS zone transfer
- TCP/UDP 135: Microsoft RPC Endpoint Mapper
- UDP 137: NetBIOS Name Service (NBNS)
- TCP 139: NetBIOS Session Service (SMB over NetBIOS)
- TCP/UDP 445: SMB over TCP (Direct Host)
- UDP 161: Simple Network Management Protocol (SNMP)
- TCP/UDP 162: SNMP Trap
- TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
- TCP 2049: Network File System (NFS)
- TCP 25: Simple Mail Transfer Protocol (SMTP)
- And more...
Slide 52: NetBIOS Enumeration
- The first step in enumerating a Windows system is to take advantage of the NetBIOS API
- Windows uses NetBIOS for file and printer sharing
- The NetBIOS name is a unique 16-character ASCII string assigned to Windows systems to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th is reserved for the service or record type
- NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services)
- Attackers usually target the NetBIOS service because it is easy to exploit and runs on Windows systems even when not in use
- Attackers use NetBIOS enumeration to obtain the following:
  - The list of computers that belong to a domain
  - The list of shares on the individual hosts in a network
  - Policies and passwords

Slide 53: NetBIOS Name List

Slide 54: Nbtstat Utility
- Nbtstat is a Windows utility that helps in troubleshooting NetBIOS name resolution problems
- Command: nbtstat

Slide 55: NetBIOS Enumeration Using NMAP
- nmap --script nbstat.nse

Slide 56: Enumerating User Accounts
- Enumerating user accounts using the PsTools suite helps in controlling and managing remote systems from the command line. The suite includes several tools such as:
  - PsExec: a lightweight Telnet replacement that can execute processes on other systems
  - PsFile: a command-line utility that shows a list of files on a system that are opened remotely
  - PsGetSid: translates SIDs to their display name and vice versa
  - PsKill: a kill utility that can kill processes on remote systems
  - PsInfo: a command-line tool that gathers key information about local or remote legacy Windows NT/2000 systems
  - PsList: a command-line tool that displays central processing unit (CPU) and memory information
  - PsPasswd: can change an account password on local or remote systems
  - PsShutdown: can shut down or reboot a local or remote computer

Slide 57: Enumerating Shared Resources Using Net View
- Net View is a command-line utility that displays a list of computers in a specified workgroup or the shared resources available on a specified computer
- net view \\<hostname or IP address>
- net view \\<hostname or IP address> /ALL: display all the shares on this specific host
- net view /domain: display all the shares in the domain

Slide 58: Quick Quiz (1 of 2)
1. Scanning may lead to detecting _____________ in the target system. (Answer: vulnerabilities)
2. The outcome of a network scan is a list of _______________. (Answer: active hosts)
3. An open port often indicates there is a _____________. (Answer: running service)
4. A(n) _______________ sweep involves sending an Echo Request and is easily blocked. (Answer: ICMP (or PING))
5. A(n) _______________ sweep involves setting SYN or ACK flags in the sent packets. (Answer: TCP)

Slide 59: Quick Quiz (2 of 2)
1. In a ____________ sweep, non-active ports will respond with an ICMP PORT UNREACHABLE message. (Answer: UDP)
2. The __________ field of an ICMP packet represents the maximum number of IP routers that the packet can go through before being dropped. (Answer: TTL)
3. TRUE OR FALSE? Hping3 can scan an entire network range. (Answer: False)
4. ________ banner grabbing involves sending malformed packets and comparing results against database entries. (Answer: Active)

Slide 60: Resources
- https://nvd.nist.gov/vuln/search
- https://www.cvedetails.com
- https://vulners.com/
- https://www.securitymetrics.com