
Saturday, April 11, 2009

What is Enumeration ???

  • If acquisition and non-intrusive probing have not turned up any results, the attacker next turns to identifying valid user accounts or poorly protected resource shares.

  • Enumeration involves active connections to systems and directed queries.

  • The type of information enumerated by intruders:

    • Network resources and shares

    • Users and groups

    • Applications and banners

      The attacker's objective is to identify valid user accounts or groups through which he can remain inconspicuous once he has compromised the system. Enumeration involves making active connections to the target system or subjecting it to directed queries, and an alert, well-configured system will normally log such attempts. Often the information gathered is what the target has already made public, such as a DNS address. However, the attacker may also stumble upon a remote IPC share, such as IPC$ on Windows, that can be probed with a null session so that shares and accounts can be enumerated.

      Concept 

      Once the attacker has ascertained the security posture of the target, he can turn this information to his advantage by exploiting a resource-sharing protocol or compromising an account. The type of information enumerated by hackers can be loosely grouped into the following categories:

      1. Network resources and shares

      2. Users and Groups

      3. Applications and Banners


        ---

        Amarjit Singh

Friday, April 10, 2009

What is Enumeration ??

Friends, for the next few days I will introduce the enumeration phase of hacking to you and try to explain its different aspects. After this you will be familiar with the following topics:
  • Understanding Windows 2000 enumeration
  • How to Connect via Null Session
  • How to disguise NetBIOS Enumeration
  • Disguise using SNMP enumeration
  • How to steal Windows 2000 DNS information using zone transfers
  • Learn to enumerate users via CIFS/SMB
  • Active Directory enumerations
Knowing this generic approach of hackers towards a system is the basis for stating the countermeasures against it.

---
Amarjit Singh

Thursday, April 9, 2009

HTTPort - Bypass an HTTP proxy

http://www.htthost.com/

HTTPort allows you to bypass an HTTP proxy, which is blocking you from the Internet. With HTTPort you may use the following software (just a sample list, not limited to !) from behind an HTTP proxy: e-mail, IRC, ICQ, news, FTP, AIM, any SOCKS capable software, etc. etc.

The basic idea is that you set up your Internet software so that it treats your local PC as the remote server it needs. This is where HTTPort enters: it intercepts the connection from this software and carries it through the proxy, which is called tunneling. Your software must use TCP/IP; HTTPort does not work with UDP/IP. There are two ways you can set up your software for use with HTTPort:

  1. If your software uses a single (small range of) fixed server with a single (small range of) fixed port: For instance your software would like to connect to some.server.com:some_port. Create a new HTTPort mapping, with any local port, preferably above 1024, remote server of "some.server.com" and remote port of "some_port". Point your software to 127.0.0.1:mapped_local_port as if it was the original server it needs.

  2. If your software can connect through SOCKS4 proxy: Point your software to 127.0.0.1:1080, which is a built-in HTTPort SOCKS4 server.

    ---

    Amarjit Singh

Bypassing Firewall using Httptunnel



Httptunnel creates a bidirectional virtual data path tunneled in HTTP requests. The requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through a HTTP proxy, it's possible to use httptunnel and telnet or PPP to connect to a computer outside the firewall.

Here is how htc sends data to the destination:

  1. Open TCP connection to hts

  2. Send HTTP POST with a large Content-Length

  3. Send TUNNEL_DATA packets until POST Content-Length would be exceeded.

  4. Send TUNNEL_PADDING packets to exactly satisfy Content-Length - 1

  5. Send TUNNEL_DISCONNECT (1 byte)

  6. Close TCP connection

  7. Go to step 1

Here is how htc gets data from the destination.

  1. Open TCP connection to hts

  2. Send HTTP GET

  3. Wait for response from hts

  4. Read TUNNEL_DATA, then TUNNEL_PADDING, TUNNEL_DISCONNECT packets

  5. Close TCP connection

  6. Go to step 1
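The two procedures above (the send path, steps 1-7, and the receive path) can be exercised end to end with the following added example, which is not httptunnel's own code. The packet layout (a one-byte type plus a two-byte length, with a one-byte pad type for leftovers) is an assumption made for illustration; httptunnel's real wire format differs. The host name hts.example and the path are placeholders.

```python
import struct

# Added example (not httptunnel's own code). The packet layout below is an
# assumption chosen for illustration; httptunnel's real wire format differs.
TUNNEL_DATA, TUNNEL_PADDING, TUNNEL_PAD1, TUNNEL_DISCONNECT = 0x01, 0x02, 0x03, 0x04
HDR_LEN = 3  # 1-byte packet type + 2-byte big-endian payload length

def frame(kind, payload=b""):
    return struct.pack("!BH", kind, len(payload)) + payload

def build_post_body(chunks, content_length):
    """Steps 3-5 of the send path for one POST.

    Returns (body, chunks_not_yet_sent). The body is exactly content_length
    bytes: TUNNEL_DATA frames while they fit, TUNNEL_PADDING up to
    content_length-1, then a single TUNNEL_DISCONNECT byte."""
    if content_length < HDR_LEN + 2:
        raise ValueError("Content-Length too small to carry any data")
    limit = content_length - 1          # last byte is reserved for DISCONNECT
    body = bytearray()
    pending = list(chunks)
    while pending:
        room = limit - len(body) - HDR_LEN   # payload bytes one more frame may carry
        if room <= 0:
            break
        chunk = pending[0]
        if len(chunk) <= room:
            body += frame(TUNNEL_DATA, pending.pop(0))
        else:                                # would exceed Content-Length: carry a prefix
            body += frame(TUNNEL_DATA, chunk[:room])
            pending[0] = chunk[room:]
            break
    pad = limit - len(body)
    if pad >= HDR_LEN:
        body += frame(TUNNEL_PADDING, b"\x00" * (pad - HDR_LEN))
    else:
        body += bytes([TUNNEL_PAD1]) * pad   # no room for a header: 1-byte pads
    body += bytes([TUNNEL_DISCONNECT])
    return bytes(body), pending

def parse_post_body(body):
    """hts side: recover the TUNNEL_DATA payloads, stopping at TUNNEL_DISCONNECT."""
    out, i = [], 0
    while i < len(body):
        kind = body[i]
        if kind == TUNNEL_DISCONNECT:
            return out
        if kind == TUNNEL_PAD1:
            i += 1
            continue
        if kind not in (TUNNEL_DATA, TUNNEL_PADDING):
            raise ValueError("unknown packet type 0x%02x at offset %d" % (kind, i))
        (length,) = struct.unpack_from("!H", body, i + 1)
        if kind == TUNNEL_DATA:
            out.append(bytes(body[i + HDR_LEN:i + HDR_LEN + length]))
        i += HDR_LEN + length
    raise ValueError("body ended without TUNNEL_DISCONNECT")

def http_post(body, host="hts.example", path="/"):
    """Step 2: the request htc sends; the proxy only sees an ordinary POST."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\nContent-Type: application/octet-stream\r\n"
            "Content-Length: %d\r\n\r\n" % (path, host, len(body)))
    return head.encode() + body

def tunnel_stream(chunks, content_length):
    """Steps 1-7: one POST per round until every byte has been carried."""
    requests, pending = [], list(chunks)
    while pending:
        body, pending = build_post_body(pending, content_length)
        requests.append(http_post(body))
    return requests
```

Because the proxy enforces the announced Content-Length, a data chunk that does not fit is split and its tail carried in the next POST; that is why the tunnel works as a byte stream (telnet, PPP) rather than as discrete messages, and why it cannot carry UDP.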


---

Amarjit Singh

Wednesday, April 8, 2009

Tool: eMailTrackerPro

eMailTrackerPro analyzes the e-mail header and provides the IP address of the machine that sent the e-mail. This can then be used to track down the sender, which helps in dealing with spamming and spoofing.

An email spoofer may just be trying to cause trouble or discredit the person being spoofed by sending some truly vile message to the recipient. The built-in location database tracks e-mails to a country or region of the world. eMailTrackerPro also provides hyperlink integration with VisualRoute.

Example: Received: from BBB (dns-name [ip-address]) by AAA ...

For tracking purposes, we are most interested in the from and by tokens in the Received header field. Here BBB is the name the sending computer announced for itself (its HELO/EHLO name, which it can choose freely), dns-name is the reverse DNS lookup of ip-address, and ip-address is the address of the computer that connected to the mail server AAA, which generated this Received line. The ip-address is what matters for tracking. Each mail server prepends its own Received line, so the headers are read from the top (your own server) to the bottom (the sender); only the lines added by servers you trust are reliable, since everything below them could have been forged by the sender.

Always base tracking decisions on the IP addresses in the header information and not on host names (which are a lookup from the IP address anyway): mapping an IP address to a host name and then back to an IP address may yield a different address. Attackers can still defeat this by using an 'anonymizer' service for web-based e-mail, so that the 'anonymizer' company's IP address appears, or an open mail relay for ordinary e-mail.
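The header walk described above, as an added example that is not part of the original post or of eMailTrackerPro: parse the Received lines top-down, keep the bracketed IP addresses rather than the names, skip hops that carry private addresses, and flag hops whose announced name disagrees with the reverse DNS name the receiving server recorded. The message headers are constructed for the example (documentation addresses and example.com names); reverse_lookup() is the only function that needs network access.

```python
import re
import socket
import ipaddress
from email.parser import HeaderParser

# Constructed message headers (not a real e-mail). Hops are read top-down:
# the top line was added by the recipient's own server, the bottom one is
# closest to the sender.
SAMPLE_HEADERS = """\
Received: from mx-in.example.net (mx-in.example.net [198.51.100.7])
  by mail.example.com with ESMTP id 4AbC; Sat, 11 Apr 2009 10:00:05 +0000
Received: from relay.isp.example (relay.isp.example [203.0.113.9])
  by mx-in.example.net with ESMTP id 9XyZ; Sat, 11 Apr 2009 10:00:03 +0000
Received: from myhomepc (dsl-200.isp.example [203.0.113.200])
  by relay.isp.example with SMTP id 1QwE; Sat, 11 Apr 2009 10:00:01 +0000
Received: from webmail01 (webmail01.lan [10.0.0.5])
  by myhomepc with HTTP; Sat, 11 Apr 2009 09:59:58 +0000
From: "Boss" <boss@example.com>
Subject: please change your password

"""

# from HELO (rdns [ip]) ... by SERVER
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s()\[\]]*)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)

# Address blocks that never identify an Internet host (RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_received(raw_headers):
    """One dict per Received line, in header order (most recent hop first)."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def origin_ip(hops):
    """Bottom-most hop with a routable bracketed address: the best estimate of
    where the mail entered the public mail system. Remember that hops below the
    first server you trust may have been written by the sender."""
    for hop in reversed(hops):
        ip = hop.get("ip")
        if ip and not is_internal(ip):
            return ip
    return None

def name_mismatches(hops):
    """Hops whose announced (HELO) name differs from the reverse-DNS name the
    receiving server recorded; a common sign of a forged or misconfigured sender."""
    return [h for h in hops if h.get("rdns") and h["helo"].lower() != h["rdns"].lower()]

def reverse_lookup(ip):
    """Live check of the name behind an IP (needs DNS); never go the other way round."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None
```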

---
Amarjit Singh 

Tool: VisualRoute Mail Tracker


E-mail spoofing is a security concern that most organizations face. It is often part of a social engineering tactic employed by attackers, and sometimes even passwords are easily obtained if users are not aware of the consequences. The reason the mail server is such sought-after information is that SMTP (Simple Mail Transfer Protocol) does not authenticate the sender, so spoofing is easy.



An nslookup query for MX records reveals the target's mail servers. The attacker can connect to the SMTP port and issue commands in accordance with the protocol; if the server has an exploitable vulnerability, the security of the firm or user can be breached. Even without one, the attacker can use the server to send e-mail that appears to come from the address of the target user, for instance a mail asking users to change their passwords on behalf of the system administrator.

This is useful when the email address is the only information available at hand.

An attacker might use this to track the user to their e-mail server. An added benefit is that he will be able to see what SMTP software the mail server is running (many times with version information as well). Information about the mail server can help if the attacker knows a vulnerability that can be exploited in order to gain more access to other resources or to cause damage to the system.

Readers who are interested in reading a real scenario may refer to the 'Bunratty Attack' by Vince Gallo. It shows how he created covert channels using valid mapi email. A copy of the presentation is available at http://chi-publishing.com/isb/backissues/ISB 2001/ISB0605/ISB0605VG.pdf 

It demonstrates how one can use a valid application (in this case mapi email) to covertly communicate with and even remotely control a system on an otherwise protected network. All traffic appears to be valid email.

The other tool that can analyze email headers is eMailTrackerPro

---
Amarjit Singh

Tools-VisualLookout

VisualLookout provides high level views as well as detailed and historical views that provide traffic information in real-time or on a historical basis.

In addition the user can request a "connections" window for any server, which provides a real-time view of all the active network connections showing:

  • who is connected,

  • what service is being used,

  • whether the connection is inbound or outbound, and

  • how many connections are active and how long they have been connected.

Traffic is an important measure when identifying possible hacker attacks or even Denial of Service (DOS) attacks. A change in traffic patterns from normal values is an important first clue to possible unwanted visitors. VisualLookout provides the ability to view any of the important traffic metrics as a graphical representation both from a real-time and historical perspective. VisualLookout provides the ability to capture connection activity for any server or computer system that it is monitoring. The search feature locates any connection activity based on inbound or outbound port or IP address/domain name, and can replay the history period of interest as though the session were in real time.

---
Amarjit Singh

Tool: SmartWhois

SmartWhois is a network information utility that allows the user to find all the available information about an IP address, hostname, or domain, including country, state or province, city, name of the network provider, administrator and technical support contact information.
 



Unlike standard Whois utilities, SmartWhois can find the information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records in a short time. The program can retrieve information from more than 20 servers all over the world. SmartWhois can also save obtained information to an archive file. This is particularly useful in tracking incidents and incident handling. It allows users to load this archive the next time the program is launched and add more information to it. Thus, the list is updated on a regular basis. This feature allows building and maintaining a user-defined database of IP addresses and host names. Alternatively, users can also load a list of IP addresses as a text file and have SmartWhois process the whole list. SmartWhois is available for download at www.tamos.com. SmartWhois is capable of performing both IP address/hostname and domain name queries. TamoSoft, Inc. also hosts a tools interface at http://all-nettools.com/tools1.htm 

---
Amarjit Singh

Tool: VisualRoute Trace

VisualRoute is a graphical tool that determines where and how traffic is flowing on the route between the desired destination and the user trying to access it, by providing a geographical map of the route, and the performance on each portion of that route.


VisualRoute delivers the functionality of key Internet "ping," "whois," and "traceroute" tools, in a visually integrated package. In addition, VisualRoute has the ability to identify the geographical location of routers, servers, and other IP devices. This is valuable information for identifying the source of network intrusions and Internet abusers. It helps in establishing the identity of the originating network, the web software that a server is running, detecting routing loops and identifying hosts that have the ICMP TTL bug.

VisualRoute's traceroute provides three types of data: an overall analysis, a data table, and a geographical view of the routing. The analysis is a brief description of the number of hops, areas where problems occurred, and the type of Web server software running at the destination site. The data table lists information for each hop, including the IP address, node name, geographical location and the major Internet backbone where each server resides.

The World map gives a graphical representation of the actual path of an Internet connection. Users can zoom in/out and move the map around to position it as desired. A mouse click on a server or network name opens a pop-up window with the whois information including name, telephone and email address, providing instant contact information for problem reporting.

Tool: NeoTrace (Now McAfee Visual Trace)


NeoTrace is a diagnostic and investigative tool. It traces the network path across the Internet from the host system to a target system anywhere on the Internet. Automatic retrieval of data includes registration details for the owner of each computer on the route (address, phone, email address) and the network each node IP is registered to. Easy to read views of the data include a world map showing the locations of nodes along the route, a graph showing the relative response time of each node along the path, and a configurable list of node data.




In the screenshot shown above, we have done a traceroute for www.google.com. The 3.20 version had node, map and list views. Note that the DNS entries have been retrieved for the various nodes, and the map view allows the user to see relatively easily whether a particular system is based geographically where it claims to be.

Traceroute follows a single path hop by hop rather than mapping every route at once (a depth-first walk of the network graph rather than a breadth-first search that branches out over all nodes within a certain hop distance). It generates a UDP message to a port that is expected to be unused and sends it repeatedly with an increasing TTL value; the search ends when the destination answers with an ICMP port unreachable message.

Many different ICMP error messages can be generated. One of them is ICMP port unreachable (ports exist only in TCP and UDP, so the message quotes the offending datagram). However, a port unreachable message from the destination must be distinguished from unreachable messages generated by other devices, such as a packet-filtering device that rejects the probe with an "administratively prohibited" code; in that case the trace has been blocked, not completed.

Traceroute


Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.

Traceroute reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs.

As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, the router discards the packet and sends a "TTL exceeded" message (ICMP Time Exceeded) back to the originator.

Routers with DNS entries reveal the name of routers, network affiliation and geographic location. 

The best way to find the route to the target systems is to use the traceroute utility provided with most operating systems. Traceroute utility can detail the path IP packets travel between two systems. It can trace the number of routers the packets travel through, the time duration in transiting between two routers, and, if the routers have DNS entries, the names of the routers and their network affiliation and geographic location. 

Let us see how traceroute works. Traceroute sends out a packet destined for the specified destination with the TTL field set to 1. The first router in the path receives the packet, decrements the TTL by 1, and, since the resulting TTL is 0, discards the packet and sends a message back to the originating host to inform it that the packet has been discarded. Traceroute records the IP address and DNS name (if available) of that router, then sends out another packet with a TTL value of 2. This packet makes it through the first router, then times out at the next router in the path, which also sends an error message back to the originating host. Traceroute continues in this way, recording the IP address and name of each router, until a packet finally reaches the target host or until it decides that the host is unreachable. In the process, traceroute records the round-trip time of each packet to each router.
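The procedure above, as an added example that is not part of the original post or of any traceroute implementation: a classic UDP traceroute with the reply classification kept in a separate function, so that the three outcomes a practitioner must tell apart (Time Exceeded from a router, Port Unreachable from the destination, and an unreachable code from a filtering device) can be checked on constructed packets without root or a network. make_icmp_reply() builds such packets; traceroute() itself needs CAP_NET_RAW/root. The target and router addresses used in the usage notes are placeholders.

```python
import socket
import struct
import time

# Added example, not from the page or any traceroute implementation.

def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0: fine for parsing tests)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def make_icmp_reply(router_ip, icmp_type, code, probe_src, probe_dst, probe_dport):
    """Constructed reply as a router would send it: outer IP header, 8-byte ICMP
    header, then the quoted IP header and first 8 bytes (UDP header) of the probe."""
    quoted_udp = struct.pack("!HHHH", 33434, probe_dport, 8, 0)
    quoted_ip = build_ipv4_header(probe_src, probe_dst, socket.IPPROTO_UDP, 8, ttl=1)
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted_ip + quoted_udp
    return build_ipv4_header(router_ip, probe_src, socket.IPPROTO_ICMP, len(icmp)) + icmp

def classify_reply(packet, expected_dport):
    """(kind, sender_ip) for a reply to *our* probe, else None.

    11/0 = TTL exceeded at an intermediate router; 3/3 = port unreachable, i.e.
    the destination itself answered; other type-3 codes come from filters
    (e.g. code 13, administratively prohibited), so the trace was blocked."""
    ihl = (packet[0] & 0x0F) * 4
    sender = socket.inet_ntoa(packet[12:16])
    icmp_type, code = packet[ihl], packet[ihl + 1]
    quoted = packet[ihl + 8:]                      # original probe's IP header + 8 bytes
    if len(quoted) < 20:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 8 or quoted[9] != socket.IPPROTO_UDP:
        return None
    (quoted_dport,) = struct.unpack_from("!H", quoted, q_ihl + 2)
    if quoted_dport != expected_dport:            # some other probe / other program
        return None
    if icmp_type == 11 and code == 0:
        return ("ttl_exceeded", sender)
    if icmp_type == 3 and code == 3:
        return ("port_unreachable", sender)
    if icmp_type == 3:
        return ("unreachable_code_%d" % code, sender)
    return None

def traceroute(target, max_hops=30, base_port=33434, timeout=2.0):
    """Classic UDP traceroute. Needs root/CAP_NET_RAW for the ICMP receive socket;
    the per-hop destination port is base_port + ttl so replies can be matched."""
    dst = socket.gethostbyname(target)
    recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    recv.settimeout(timeout)
    hops = []
    try:
        for ttl in range(1, max_hops + 1):
            port = base_port + ttl
            send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
            send.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            start = time.monotonic()
            result = None
            try:
                send.sendto(b"", (dst, port))
                while result is None:
                    pkt, _ = recv.recvfrom(1500)
                    result = classify_reply(pkt, port)
                kind, sender = result
                rtt_ms = (time.monotonic() - start) * 1000.0
            except socket.timeout:
                kind, sender, rtt_ms = "timeout", "*", None
            finally:
                send.close()
            hops.append((ttl, sender, kind, rtt_ms))
            if kind not in ("ttl_exceeded", "timeout"):
                break                              # reached the host or hit a filter
    finally:
        recv.close()
    return hops
```

Matching the quoted destination port to the probe is what keeps a busy host from attributing somebody else's ICMP errors to the trace; the per-hop port increment is the same trick the Unix traceroute uses.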

Let us see what a tracert 216.239.36.10 command at the Windows command prompt results in. (Note that Windows tracert sends ICMP Echo Request probes rather than UDP datagrams, so the final hop answers with an Echo Reply instead of a port unreachable message; the TTL mechanism is the same.)


C:\>tracert 216.239.36.10

Tracing route to ns3.google.com [216.239.36.10] over a maximum of 30 hops:

  1  2171 ms  1405 ms  1530 ms  194.170.2.57
  2  2685 ms  1280 ms   655 ms  dxb-emix-ra.ge6303.emix.ae [195.229.31.99]
  3  1622 ms  2377 ms  2061 ms  eqixva-google-gige.google.com [206.223.115.21]
  4  2498 ms   968 ms   593 ms  216.239.48.193
  5  1108 ms  1683 ms  2062 ms  ns3.google.com [216.239.36.10]

Trace complete.

While this is what a simple traceroute might result in, there are web interfaces where a more detailed traceroute can be done and more information obtained. One such interface is available at http://www.opus1.com 


traceroute to 216.239.36.10 (216.239.36.10), 30 hops max, 40 byte packets

1  manny.Firewall.Opus1.COM (192.245.12.95) [AS22772/AS3908/AS6373/AS5650]  4.883 ms
2  Opus-GW (207.182.35.49) [AS22772/AS6373]  14.648 ms
3  66.62.80.165 (66.62.80.165) [AS6983] root@in-addr.arpa  18.554 ms
4  laxl-core-02.tamerica.net (66.62.5.194) [AS6983] root@in-addr.arpa  47.849 ms
5  216.239.48.94 (216.239.48.94) [AS15169]  108.391 ms

---
Amarjit Singh
 

Tool-ARIN

ARIN allows searches of the whois database to locate information on networks, autonomous system numbers (ASNs), network-related handles and other related points of contact (POC).

ARIN whois allows querying the IP address to help find information on the strategy used for subnet addressing.

The ARIN page also has a set of additional tools and links to other sites such as RWhois.net. ARIN would be a good starting point for information gathering as the information retrieved is more elaborate than a standard Whois lookup.

The purpose of discussing information gathering - and footprinting in particular - is that this is the information that both the hacker and the systems administrator can gather in a non-intrusive manner. All the approaches discussed so far are completely passive (with the exception of traceroute, which sends packets to the target and can therefore be detected) and undetectable by the target organization. The information gathered during this phase will be used continuously throughout the penetration test.

Doing a footprinting for an organization can help its systems administrator know what nature of information lies outside the organization and the potential threat it can pose to the organization. He can take preventive measures to see that these are not used as a means of exploit and increase user awareness regarding the use of information assets.

Up-to-date domain contact information is important not only for addressing administration issues; security personnel on other networks also use it to warn of pending attacks or active compromises. Withholding this essential information can therefore do more harm than good.




OrgName: Google Inc.
OrgID: GOGL
Address: 2400 E. Bayshore Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
NetRange: 216.239.32.0 - 216.239.63.255
CIDR: 216.239.32.0/19
NetName: GOOGLE
NetHandle: NET--32-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
Comment:
RegDate: 2000-11-22
Updated: 2001-05-11
TechHandle: ZG39-ARIN
TechName: Google Inc.
TechPhone: +1--0200
TechEmail: <>

Attack Methods

From the nslookup query, an attacker can find the name servers and mail exchange servers and the class they belong to. The mail exchange servers can be further resolved into IP addresses. He can then enumerate the network further by doing a reverse IP lookup.

In this case, we look up 216.239.33.25 which is the IP of smtp1.google.com

The query gives the following result.

25.33.239.216.in-addr.arpa   PTR   smtp1.google.com
33.239.216.in-addr.arpa      NS    ns1.google.com
33.239.216.in-addr.arpa      NS    ns2.google.com
33.239.216.in-addr.arpa      NS    ns3.google.com
33.239.216.in-addr.arpa      NS    ns4.google.com
ns1.google.com               A     216.239.32.10
ns2.google.com               A     216.239.34.10
ns3.google.com               A     216.239.36.10
ns4.google.com               A     216.239.38.10

Note that the reverse lookup is answered from the in-addr.arpa domain: the IP address is written with its octets reversed under in-addr.arpa, and the PTR record at that name gives the host name. As a bonus, the query also returns the name servers authoritative for that reverse zone and their addresses.
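The two lookups above (the ARIN whois record and the reverse lookup under in-addr.arpa) as an added example that is not part of the original post or of any of the tools it describes: a small RFC 3912 whois client, a parser for the "Key: value" record format, and the in-addr.arpa name arithmetic. The record text embedded below is the ARIN output shown above, copied so that the parser runs offline; the whois server name is ARIN's public one, and whois_query() and ptr_lookup() are the only functions that touch the network.

```python
import ipaddress
import socket

# Added example; the record text is the ARIN output shown above, copied so the
# parser runs offline. whois_query() and ptr_lookup() need network access.
ARIN_RECORD = """\
OrgName: Google Inc.
OrgID: GOGL
NetRange: 216.239.32.0 - 216.239.63.255
CIDR: 216.239.32.0/19
NetName: GOOGLE
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
Comment:
RegDate: 2000-11-22
Updated: 2001-05-11
"""

def parse_whois(text):
    """'Key: value' lines into a dict; a key seen more than once becomes a list."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("#", "%")):
            continue                       # comments / terms-of-use banners
        key, value = (part.strip() for part in line.split(":", 1))
        if not value:
            continue                       # e.g. the empty Comment: line
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record

def whois_query(query, server="whois.arin.net", port=43, timeout=10.0):
    """RFC 3912: send the query terminated by CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def netrange_contains(record, ip):
    """Is the address inside the block the record describes?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(record["CIDR"], strict=False)

def reverse_name(ip):
    """216.239.33.25 -> 25.33.239.216.in-addr.arpa (the name a PTR query asks for)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def reverse_zones(cidr):
    """The /24 reverse zones covering an IPv4 block, e.g. 33.239.216.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    zones = []
    for sub in net.subnets(new_prefix=24):
        o = str(sub.network_address).split(".")
        zones.append("%s.%s.%s.in-addr.arpa" % (o[2], o[1], o[0]))
    return zones

def ptr_lookup(ip):
    """Live reverse lookup (what the PTR query above returns), or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None
```

A /19 such as the one in the record spans 32 reverse zones, which is why an attacker who wants to sweep the block for named hosts walks every /24 under 239.216.in-addr.arpa rather than querying one zone.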


Tuesday, April 7, 2009

Top Traffic Exchange Sites for Blogs

Referring other people is a great way to get more traffic to your Website! 

While I was in this process I stumbled across the idea of traffic exchanges sites. For those of you not familiar with them basically they work like this: I visit your website and in exchange you visit mine.

One of the best traffic exchange site I found is: 

You receive a percentage of the credits earned by your referrals, you also receive a percentage of the traffic on any upgrades or purchases made by them.

So, here is a small list of traffic exchange sites I gathered. 

---
Amarjit Singh

Anonymizers- Make your web surfing anonymous

  • Anonymizers are services that help make your own web surfing anonymous.

  • The first anonymizer developed was Anonymizer.com, created in 1997 by Lance Cottrell.

  • An anonymizer strips the identifying information (such as the user's IP address) from the requests the user's computer makes while surfing the Internet, thereby protecting the user's privacy.


    Many anonymizer sites create an anonymized URL by appending the name of the site the user wishes to access to their own URL, e.g.:

    http://anon.free.anonymizer.com/http://www.yahoo.com/

    After the user anonymizes a web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Most anonymizers can anonymize at least the web (http:), file transfer protocol (ftp:), and gopher (gopher:) Internet services.


    However, anonymizers have the following limitations:

    • HTTPS. Secure protocols like "https:" cannot be properly anonymized: the browser needs to talk to the site directly to maintain end-to-end encryption, and a URL-prefix anonymizer would have to terminate the encrypted session itself in order to rewrite the page.

    • Plugins. If an accessed site invokes a third-party plugin, then there is no guarantee that they will not establish independent direct connections from the user computer to a remote site.

    • Logs. All anonymizer sites claim that they don't keep a log of requests. Some sites, such as the Anonymizer, keep a log of the addresses accessed, but don't keep a log of the connection between accessed addresses and users logged in.

    • Java. Any Java application that is accessed through an anonymizer will not be able to bypass the Java security wall.

    • Active X. Active-X applications have almost unlimited access to the user's computer system.

    • JavaScript. The JavaScript scripting language is disabled with url-based anonymizers

    Some anonymizer sites are:

    • Anonymizer.com

    • Anonymize.net

    • @nonymouse.com

    • Iprive.com

    • MagusNet Public Proxy

    • MuteMail.com

    • PublicProxyServers.com

    • Rewebber.de

    • SilentSurf.com

    • Surfola.com

    • Ultimate-anonymity.com


      ---

      Amarjit Singh

Proxy Servers - Protection against hacking attacks

A proxy is a network computer that serves as an intermediary for connections to other computers. Proxies are usually used for the following purposes:

  • As a firewall, a proxy protects the local network from outside access.

  • As an IP address multiplexer, a proxy allows a number of computers to connect to the Internet through a single IP address.

  • Proxy servers can be used (to some extent) to anonymize web surfing.

  • Specialized proxy servers can filter out unwanted content, such as ads or 'unsuitable' material.

  • Proxy servers can afford some protection against hacking attacks.


    The program WinGate is often used as a proxy, and quite a number of such proxies are open to anyone. Anonymous proxies hide the real IP address (and sometimes other information) from the websites the user visits. There are two sorts: proxies configured in the browser, which are used in the same way as the non-anonymous proxies above, and web-based anonymizers.


    Using a non-anonymous proxy:

    HTTP_X_FORWARDED_FOR = 62.64.175.55, 194.72.9.37. The X-Forwarded-For header lists the originating client first (62.64.175.55), followed by any proxies the request passed through (194.72.9.37); the proxy that finally connected to the web server is seen as the TCP peer address.

    Using an anonymous proxy:

    HTTP_X_FORWARDED_FOR = 66.51.107.3. This now only shows the IP address of the proxy; the client's address is not disclosed. Note that the header is supplied by whoever sent the request, so a web server can only trust the entries added by proxies it controls itself; everything else can be forged.
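The header reading above, as an added example that is not part of the original post: classify_proxy() reproduces what a web server can conclude from X-Forwarded-For (the two header values quoted above are used as the sample input, with the proxy as the TCP peer), and real_client() shows the only safe way to use the header on your own server: walk the chain from the right, discard the proxies you operate, and take the first address you do not control. The trusted proxy addresses in the usage are placeholders.

```python
import ipaddress

# Added example; not from the page or any proxy product.

def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def classify_proxy(remote_addr, headers):
    """What a web server can tell about the client from one request.

    remote_addr: the TCP peer (REMOTE_ADDR); headers: the request headers.
    An 'elite' proxy adds nothing, so it is indistinguishable from a direct
    connection; a transparent proxy discloses the client in X-Forwarded-For;
    an anonymous proxy identifies itself but not the client."""
    h = {k.lower(): v for k, v in headers.items()}
    xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    via = h.get("via")
    if not xff and not via:
        return {"kind": "direct-or-elite", "client_ip": remote_addr, "proxy_ip": None}
    first = xff[0] if xff else None
    if first and _valid_ip(first) and first != remote_addr:
        return {"kind": "transparent", "client_ip": first, "proxy_ip": remote_addr}
    return {"kind": "anonymous", "client_ip": None, "proxy_ip": remote_addr}

def real_client(xff_value, remote_addr, trusted_proxies):
    """Client address as seen by *your* infrastructure.

    Walk the chain from the right, dropping proxies you run; the first address
    you do not control is the client. Anything to the left of it was supplied
    by the sender and may be forged, so it must never drive access decisions."""
    chain = [p.strip() for p in xff_value.split(",") if p.strip()] + [remote_addr]
    while len(chain) > 1 and chain[-1] in trusted_proxies:
        chain.pop()
    return chain[-1]

def page_examples():
    """The two header values quoted above, with the proxy as the TCP peer."""
    return [
        classify_proxy("194.72.9.37", {"X-Forwarded-For": "62.64.175.55, 194.72.9.37"}),
        classify_proxy("66.51.107.3", {"X-Forwarded-For": "66.51.107.3"}),
    ]
```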


    ---

    Amarjit Singh

Cheops-Network management tool-equivalent of a Swiss-army knife

Cheops (KEE-ops) is a Network management tool for mapping and monitoring the network. It has host/network discovery functionality as well as OS detection of hosts.

Cheops is an Open Source Network User Interface. It is designed to be the network equivalent of a Swiss-army knife, unifying your network utilities. Cheops does for the network what a file manager does for the file system.

Cheops can optionally determine the OS of hosts on the network, selecting appropriate icons for them. Cheops can show the routes taken to access areas of the network. This feature is designed for larger networks, with routers, subnets, etc. This mapping not only makes hierarchy clearer, but can show unusual routing issues.



Cheops includes a generalized TCP port scanner to see what ports on the network are in use. It can be used to retrieve version information for certain services, to be sure any given host is up-to-date with the latest revision of its services.

Cheops includes a simple integrated SNMP browser, including write capability, using the UCD SNMP library. Cheops also supports a plug-in interface, which includes support for SNMP plug-ins, similar in concept to those of HP Openview.

Cheops can monitor critical servers, and immediately notify the concerned person through its event log, standard e-mail, and soon via paging, when things go wrong. The network administrator can know exactly which system is up or down, and just when problems occur. Right clicking on a host quickly shows a list of common services it supports, and rapid, easy access to them. The co-developer has given cheops a makeover and it is called Cheops-ng (new generation)

---
Amarjit Singh

Monday, April 6, 2009

Passive Fingerprinting

  • Passive fingerprinting is also based on the differing implementations of the TCP/IP stack and the various ways an OS responds because of them.
  • However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host and studies them for tell-tale signs that can reveal the OS.
  • Passive fingerprinting is less accurate than active fingerprinting.

Like active fingerprinting, passive fingerprinting is based on the differing implementations of the TCP/IP stack and the various ways an OS responds because of them. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host and studies them for tell-tale signs that can reveal the OS.

Note  The four areas that are typically noted to determine the operating system are:

TTL - the Time To Live value the operating system sets on outbound packets

Window Size - the TCP window size the operating system sets

DF - does the operating system set the Don't Fragment bit?

TOS - does the operating system set the Type of Service, and if so, to what?
 

Passive fingerprinting need not be fully accurate nor does it have to be limited to these four signatures. However, by looking at several signatures and combining the information, the accuracy can be improved upon. The following is the analysis of a sniffed packet dissected by Lance Spitzner in his paper on passive fingerprinting (http://www.honeynet.org/papers/finger/)

04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257
***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78


Based on the 4 criteria, the following is identified:

TTL: 45

Window Size: 0x7D78 (or 32120 in decimal)

DF: The Don't Fragment bit is set

TOS: 0x0

This information is then compared to a database of signatures. Considering the TTL used by the remote host, it is seen from the sniffer trace that the TTL is set at 45. This indicates that it went through 19 hops to get to the target, so the original TTL must have been set at 64. Based on this TTL, it appears that the packet was sent from a Linux or FreeBSD box, (however, more system signatures need to be added to the database). This TTL is confirmed by doing a traceroute to the remote host.

The next step is to compare the Window size. The Window Size is another effective tool, specifically what Window Size is used and how often the size changes. In the above signature, it is set at 0x7D78, a default Window Size commonly used by Linux. Also, Linux, FreeBSD, and Solaris tend to maintain the same Window Size throughout a session. However, Cisco routers and Microsoft Windows/NT Window Sizes are constantly changing. The Window Size is more accurate if measured after the initial three -way handshake (due to TCP slow start).

Most systems set the DF bit, so it is of limited value. However, this does make it easier to identify the few systems that do not use the DF flag (such as SCO or OpenBSD). TOS is also of limited value; it seems to be more session based than operating system based. In other words, it is not so much the operating system that determines the TOS, but the protocol used. Therefore, based on the information above, specifically TTL and Window size, one can compare the results to the database of signatures and with a degree of confidence determine the OS (in this case, Linux kernel 2.2.x).
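The analysis walked through above, as an added example that is neither Lance Spitzner's code nor p0f: parse the four features out of a Snort-style trace, infer the sender's starting TTL and hop count, and score a signature table. The trace is a copy of the one dissected above with the DF flag written on the IP line (as Snort prints it) so that the parser can see it; the signature table is illustrative, with only the Linux row taken from the walkthrough, and the two placeholder rows are not real measurements.

```python
import re

# Added example (not Spitzner's or p0f's code). The trace copies the one
# dissected above, with DF written on the IP line as Snort prints it.
SAMPLE_TRACE = """\
04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
"""

IP_LINE = re.compile(r"TTL:(\d+)\s+TOS:(0x[0-9A-Fa-f]+)\s+ID:\d+(\s+DF)?")
WIN_FIELD = re.compile(r"Win:\s*(0x[0-9A-Fa-f]+)")

def parse_trace(text):
    """The four passive-fingerprinting features from a Snort-style trace."""
    ip, win = IP_LINE.search(text), WIN_FIELD.search(text)
    if not ip or not win:
        raise ValueError("unrecognised trace format")
    return {"ttl": int(ip.group(1)), "tos": int(ip.group(2), 16),
            "df": ip.group(3) is not None, "win": int(win.group(1), 16)}

DEFAULT_TTLS = (32, 64, 128, 255)

def initial_ttl(observed):
    """Guess the sender's starting TTL: the smallest common default >= observed."""
    return next(t for t in DEFAULT_TTLS if observed <= t)

def hop_count(observed):
    return initial_ttl(observed) - observed   # 45 -> 64 - 45 = 19 hops

SIGNATURES = [
    # (name, initial TTL, window, DF, TOS)
    ("Linux 2.2.x", 64, 0x7D78, True, 0),                  # from the trace above
    ("placeholder: 128-TTL stack", 128, 0x4000, True, 0),  # illustrative only
    ("placeholder: 255-TTL stack", 255, 0x2000, False, 0), # illustrative only
]

def rank(features):
    """Score every signature; TTL and window weigh more, as the text argues."""
    scored = []
    for name, ttl0, win, df, tos in SIGNATURES:
        score = 0
        score += 3 if initial_ttl(features["ttl"]) == ttl0 else 0
        score += 3 if features["win"] == win else 0
        score += 1 if features["df"] == df else 0
        score += 1 if features["tos"] == tos else 0
        scored.append((score, name))
    scored.sort(key=lambda s: s[0], reverse=True)
    return scored
```

The hop count is only a guess (a sender with a non-default initial TTL is misclassified), which is why the text confirms it with a traceroute; in practice the window size should be taken from the handshake packets, before TCP slow start changes it.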

 Threat  Passive fingerprinting can be used for several other purposes. It can be used by crackers as 'stealthy' fingerprinting. For example, to determine the Operating System of a 'potential victim', such as a web server, one only needs to request a webpage from the server, and then analyze the sniffer traces. This bypasses the need for using an active tool that can be detected by various IDS systems. Also, Passive Fingerprinting may be used to identify remote proxy firewalls. Since proxy firewalls rebuild connection for clients, it may be possible to ID the proxy firewalls based on the signatures we have discussed. Organizations can use Passive Fingerprinting to identify 'rogue' systems on their network. These would be systems that are not authorized on the network.
 
---
Amarjit Singh

Active Stack Fingerprinting (OS fingerprinting)

  • Fingerprinting is done to determine the remote OS
  • Allows attacker to leave smaller footprint and have greater chance to succeed
  • Based on the fact that various OS vendors implement the TCP stack differently
  • Specially crafted packets sent to remote OS and response is noted. This is compared with a database to determine the OS
Concept  The term OS fingerprinting defines any method used to determine what operating system is running on a remote computer. OS fingerprinting is an essential part of network reconnaissance, because the attacker has a greater probability of succeeding in his attack if he can formulate his attack strategy based on operating systems specific vulnerabilities.

Note  Remote OS fingerprinting is carried out by noting the way the remote system responds to specifically crafted TCP packets. These can range from examining the default TCP window size in a packet, to measuring the amount of data in ICMP packets, and even gauging TCP initial sequence numbers. Similar to port scanning, there are several methods to successfully fingerprint an OS. Querying the services running on a target machine is often the simplest means for OS fingerprinting.
 
Note: Active stack fingerprinting is based on the principle that an operating system's IP stack has its own unique way of responding to specially crafted TCP packets. This arises from the different interpretations vendors follow when implementing the TCP/IP stack on a particular OS. In active fingerprinting, a variety of malformed packets are sent to the remote host, and the responses are compared to a database.

For instance, Nmap performs OS fingerprinting through eight tests. Each of these tests is described below.

The first test is named T1 for test 1. In this test a TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP port.

The second test is named T2 for test 2. It involves sending a TCP packet with no flags enabled to an open TCP port. This type of packet is known as a NULL packet.

The third test is named T3 for test 3. It involves sending a TCP packet with the URG, PSH, SYN, and FIN flags enabled to an open TCP port.

The fourth test is named T4 for test 4. It involves sending a TCP packet with the ACK flag enabled to an open TCP port.

The fifth test is named T5 for test 5. It involves sending a TCP packet with the SYN flag enabled to a closed TCP port.

The sixth test is named T6 for test 6. It involves sending a TCP packet with the ACK flag enabled to a closed TCP port.

The seventh test is named T7 for test 7. It involves sending a TCP packet with the URG, PSH, and FIN flags enabled to a closed TCP port.

The eighth test is named PU for port unreachable test. It involves sending a UDP packet to a closed UDP port. The objective is to extract an ICMP port unreachable message back from the target machine.

But this is not all. The last test that Nmap performs is named TSeq for TCP sequenceability test. The test tries to determine the generation patterns of the TCP initial sequence numbers (TCP ISN sampling), the IP identification numbers (IPID sampling), and the TCP timestamps. It is performed by sending six TCP packets with the SYN flag enabled to an open TCP port.
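The probe set above is also a detection signature. The following is an added example, not part of the original post: it classifies simplified packet records against the T1 to T7 and PU descriptions and flags a source that covers several distinct tests. The packet records, the scanner address and the set of ports the monitored host listens on are all constructed for this example.

```python
from collections import defaultdict

# Ports the monitored host actually listens on (an assumption of this example).
OPEN_PORTS = {25, 80, 110, 143}
# Test name -> (protocol, exact TCP flag set, probe aimed at an open port?).
# Flag sets follow the T1..T7 and PU descriptions above; ECE is ECN-Echo.
PROBE_SIGNATURES = {
    "T1": ("tcp", frozenset({"SYN", "ECE"}), True),
    "T2": ("tcp", frozenset(), True),                        # NULL packet
    "T3": ("tcp", frozenset({"URG", "PSH", "SYN", "FIN"}), True),
    "T4": ("tcp", frozenset({"ACK"}), True),
    "T5": ("tcp", frozenset({"SYN"}), False),
    "T6": ("tcp", frozenset({"ACK"}), False),
    "T7": ("tcp", frozenset({"URG", "PSH", "FIN"}), False),
    "PU": ("udp", frozenset(), False),
}

def classify_probe(pkt):
    """Return the Nmap test a packet matches, or None for ordinary traffic."""
    to_open = pkt["dport"] in OPEN_PORTS
    flags = frozenset(pkt.get("flags", ()))
    for name, (proto, sig_flags, wants_open) in PROBE_SIGNATURES.items():
        if pkt["proto"] == proto and flags == sig_flags and to_open == wants_open:
            return name
    return None

def fingerprint_suspects(packets, min_tests=4):
    """Sources hitting at least min_tests distinct tests. T4, T5 and T6 also
    match normal traffic, so a single hit means nothing; a source covering
    several distinct tests in one capture is what stands out."""
    seen = defaultdict(set)
    for pkt in packets:
        name = classify_probe(pkt)
        if name:
            seen[pkt["src"]].add(name)
    return {src: sorted(t) for src, t in seen.items() if len(t) >= min_tests}

# Constructed capture: one host running the full test set, one normal client.
S = "10.0.0.5"
SAMPLE_PACKETS = [
    {"src": S, "proto": "tcp", "dport": 80, "flags": ["SYN", "ECE"]},           # T1
    {"src": S, "proto": "tcp", "dport": 80, "flags": []},                       # T2
    {"src": S, "proto": "tcp", "dport": 80, "flags": ["URG", "PSH", "SYN", "FIN"]},
    {"src": S, "proto": "tcp", "dport": 80, "flags": ["ACK"]},                  # T4
    {"src": S, "proto": "tcp", "dport": 31337, "flags": ["SYN"]},               # T5
    {"src": S, "proto": "tcp", "dport": 31337, "flags": ["ACK"]},               # T6
    {"src": S, "proto": "tcp", "dport": 31337, "flags": ["URG", "PSH", "FIN"]}, # T7
    {"src": S, "proto": "udp", "dport": 31337},                                 # PU
    {"src": "10.0.0.9", "proto": "tcp", "dport": 80, "flags": ["SYN"]},   # normal
]
```

A real capture would add a time window; here the whole sample counts as one window.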

Tool: SuperScan - Port scanner

SuperScan is a powerful connect-based TCP port scanner, pinger and hostname resolver. Released by Foundstone, its multithreaded and asynchronous techniques make this program extremely fast and versatile. SuperScan can do ping sweeps and scan any IP range. The attacker can also compile a list of target IPs as a text file and have SuperScan read this list for scanning. The visual interface allows the attacker to view responses from connected hosts. The built-in editor allows manipulation of the port list and port descriptions. The advantage is that certain ports can be skipped, as the ping results can be analyzed beforehand to make the scan faster. The tool can connect to any discovered open port using user-specified "helper" applications, and a custom helper application can be assigned to any port. The attacker can also save the scan list to a text file for future reference. The scan can be slowed down as well by controlling the transmission speed.



On the Windows platform, SuperScan does a very good job of swiftly looking for open ports. However, it does not give additional information such as whether a port is closed, open, or filtered. Nmap is the better scanner for more detailed information, or when the attacker wants to use more advanced scanning techniques; for now, SuperScan detects common ports.




Readers should note that the term "attacker" is used here because these are the tools you might see being used over the Internet for unauthorized access. From a penetration tester's viewpoint, these very tools can be used to test the network as well as to assist in reconnaissance from the attacker's perspective. In our example here, we find additional information on TCP ports that were not listed by NetScan Tools: we find a port with a pcAnywhere data connection. This is good news to an attacker, as he needs only one point of access into the target system. Let us look at the data we have obtained here.

* + 64.3x.3x.xxx xxxxxx.com
|___ 25 Simple Mail Transfer
|___ 220 X1 NT-ESMTP Server xxxxxx.com (IMail 5.05 111734-1)..
|___ 80 World Wide Web HTTP
|___ HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Cache-Control:
no-cache..Expires: Mon, 21 Apr 2003 05:02:42 GMT..Content-Location:
|___ 110 Post Office Protocol - Version 3
|___ +OK X1 NT-POP3 Server xxxxxx.com (IMail 5.08 228329-2)..
|___ 135 DCE endpoint resolution
|___ 139 NETBIOS Session Service
|___ 143 Internet Message Access Protocol
|___ * OK IMAP4 Server (IMail 5.09)..
|___ 1032 BBN IAD
|___ 5631 pcANYWHEREdata
|___ 5800 Virtual Network Computing server
|___ 5900 Virtual Network Computing server
|___ RFB 003.003.

Notice how the scanner returns additional information about the services running on the ports. Here, we see some banner grabbing done for the HTTP server, SMTP server, IMAP server and the POP3 server.
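Turning this kind of scanner output into structured records makes it easy to compare what is exposed against what is supposed to be exposed. The parser below is an added example (not part of the original post or of SuperScan); the sample is a shortened copy of the output above, and the rule that banner lines end in '.' because SuperScan renders CR/LF as dots is an assumption inferred from that output.

```python
import re

HOST_RE = re.compile(r"^\*\s*\+\s*(\S+)\s*(\S*)")   # "* + <ip> <hostname>"
ENTRY_RE = re.compile(r"^\|_+\s*(.*)$")              # "|___ <text>"

def parse_superscan(text):
    """Hosts as {"ip", "hostname", "ports"}: a '|___' line whose first token is
    a port number and which does not end in '.' opens a port entry; any other
    '|___' line is a banner for the current port; an unprefixed line wraps it."""
    hosts, host, port = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOST_RE.match(line)
        if m:
            host = {"ip": m.group(1), "hostname": m.group(2), "ports": []}
            hosts.append(host)
            port = None
            continue
        m = ENTRY_RE.match(line)
        if m and host is not None:
            body = m.group(1).strip()
            num, _, rest = body.partition(" ")
            if num.isdigit() and 0 < int(num) < 65536 and not body.endswith("."):
                port = {"port": int(num), "service": rest.strip(), "banner": ""}
                host["ports"].append(port)
                continue
            line = body                     # banner text without the prefix
        if port is not None:
            port["banner"] = (port["banner"] + " " + line).strip()
    return hosts

def open_ports(hosts):
    """Port numbers per host: the inventory a defender compares against policy."""
    return {h["ip"]: [p["port"] for p in h["ports"]] for h in hosts}

# Shortened copy of the SuperScan output above, used as constructed input.
SAMPLE = """\
* + 64.3x.3x.xxx xxxxxx.com
|___ 25 Simple Mail Transfer
|___ 220 X1 NT-ESMTP Server xxxxxx.com (IMail 5.05 111734-1)..
|___ 80 World Wide Web HTTP
|___ HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Cache-Control:
no-cache..Expires: Mon, 21 Apr 2003 05:02:42 GMT..Content-Location:
|___ 5631 pcANYWHEREdata
|___ 5900 Virtual Network Computing server
|___ RFB 003.003.
"""
```

The banners carry the product versions (IMail 5.05, IIS/4.0, RFB 003.003) that a defender would want to reconcile against patch records.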

Tool: NetScan Tools Pro

NetScanTools consists of many independent network functions joined together in a single tabbed window. Most functions are designed to run in separate threads so several tabs can be used simultaneously. This program operates best on the newer Windows platforms.

NetScanTools Pro has a scanner tab, Port Prober, which will be discussed here. Port Probe (a port scanner) is an essential tool for determining the services or daemons running on a target machine. This prober is multithreaded and configurable, and it allows running four different types of probing patterns. The user can build lists of target IP addresses and lists of ports to probe, specifying timeouts and the protocol to connect with. Additionally, any data received from the target port upon connection is saved for viewing. The results are presented in a tree view and are color-coded with different types of images for easy location of information at a glance.


The types of port connections supported are:

TCP Full Connect. This mode makes a full connection to the target's TCP ports and can save any data or banners returned from the target. This mode is the most accurate for determining TCP services, but it is also easily recognized by Intrusion Detection Systems (IDS).

UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return. The absence of that message indicates either that the port is in use or that the target does not return the ICMP message, which can lead to false positives. It can save any data or banners returned from the target. This mode is also easily recognized by IDS.

TCP Full/UDP ICMP Combined. This mode combines the previous two modes into one operation.

TCP SYN Half Open. (Windows XP/2000 only) This mode sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with a SYN|ACK and closed ports respond with ACK|RST or RST. This mode is less likely to be noted by IDS, but since the connection is never fully completed, it cannot gather data or banner information. However, the attacker has full control over TTL, Source Port, MTU, Sequence number, and Window parameters in the SYN packet.

TCP Other. (Windows XP/2000 only) This mode sends out a TCP packet with any combination of the SYN, FIN, ACK, RST, PSH, URG flags set to the target port and listens for the response. Again, the attacker can have full control over TTL, Source Port, MTU, Sequence number, and Window parameters in the custom TCP packet. The Analyze feature helps with analyzing the response based on the flag settings chosen. Each operating system responds differently to these special combinations. The tool includes presets for XMAS, NULL, FIN and ACK flag settings.

The four types of probe patterns are:

Sequential Probe. This method scans a linear set of ports as defined by the start/end port numbers over a linear set of IP addresses as defined by the IP address range settings.

Probe Port List. This mode probes only the ports listed in the Port List. This mode probes either a single host or a range of IP addresses based on the selection made in the Probe Single Host/Probe IP Range radio button group. It probes each host sequentially, that is the first, then the second etc., using the list of port numbers shown in the Port List.

Sequential Port Probe Using the Target List. This mode probes every port using the Starting through ending port range on every computer in the target list.

Probe a List of Ports on a List of Targets. This mode is the most stealthy mode and uses the least amount of CPU time and bandwidth because scanning is restricted to only the target ports on the target machines.

The tool also includes a Ping before probe option. This option allows the attacker to skip (automatically or by user response to a message) hosts that do not respond to pings. He can control the number of threads used to probe the host and the delay between launching each thread. He can also vary the amount of time to wait for a response to a probe of the port and the amount of time to wait after a connection for a banner to be sent.

Ethical Hacker and Scanning Tools

Can an ethical hacker simulate the scanning techniques to ensure the security of the network? The first and foremost armor is knowledge itself. The results of a scanner can be misleading if the ethical hacker does not have a good knowledge of common vulnerabilities, commonly affected hosts, and patterns indicating misuse.

Apart from this, performing an exhaustive scan against all the systems in a large enterprise is usually not feasible due to network constraints, the stability of the backbone and of the scanned systems, and the dynamic nature of network deployments (wireless, DHCP, etc.). Therefore, scanning alone does not complete a security check.

Tool: ipEye, IPSecScan

ipEye is a command-line driven port scanner written by Arne Vidstrom. It is a lightweight, powerful tool similar to the command-line tools seen on UNIX. However, this port scanner is restricted to the Windows platform, 2000 and XP. Another drawback of this tool is that the hacker needs to know the specific IP before he can initiate a scan.

The basic usage for ipEye is:

ipEye <target IP> <scantype> -p <from port> <to port> [optional parameters]

The scantype parameter can take the values -syn (SYN scan), -fin (FIN scan), -null (Null scan) and -xmas (Xmas scan).

However, the FIN, Null and Xmas scans do not work against Windows systems; of these scan types, only the SYN scan is valid when scanning a Windows system. Given a valid IP address, ipEye scans the requested ports and reports each of them in one of the following states.

"Closed" indicates that there is a computer on the other end, but there is no service that listens at the port.

"Reject" indicates the presence of a firewall or packet filtering device (sending a reset back) protecting the port.

"Drop" indicates the presence of a firewall or packet filtering device that drops packets directed to the port, or it indicates that the particular system is not alive on the target network.

"Open" indicates that there is a service listening at the port.


Note in the above scan we see ports 135 and 139 as open.

Let us see the same scan done with IPSecScan. IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.


In the scan above we have specified a range of IP addresses from 192.168.2.1 to 192.168.2.118. Note that the scan returns "Disabled" for some IPs - such as IP 192.168.2.1. This indicates that the system either doesn't support IPSec, has IPSec disabled, or that it is configured not to reveal that it has IPSec enabled.

IPsec is short for IP Security. It is a set of protocols developed by the IETF to support the secure exchange of packets at the IP layer.

IPsec = AH + ESP + IPcomp + IKE

Authentication Header (AH) provides an authenticity guarantee for packets by attaching a strong cryptographic checksum to each packet. If a packet is received with AH and the checksum verification succeeds, it indicates that the packet originated from the expected peer (it was not generated by an impersonator) and that the packet was not modified in transit. Unlike other protocols, AH covers the whole packet, from the IP header to the end of the packet.

Encapsulating Security Payload (ESP) provides a confidentiality guarantee for packets by encrypting them with encryption algorithms. If a packet is received with ESP and is successfully decrypted, it indicates that the packet was not wiretapped in the middle, provided that the sender and the receiver share a secret key and no other party knows the key.

ESP provides an encryption service for packets. However, encryption tends to defeat compression on the wire (such as PPP compression). IP Compression (IPcomp) provides a way to compress a packet before it is encrypted by ESP.

As discussed above, AH and ESP need a shared secret key between peers. For communication between distant locations, there must be a way to negotiate keys in secrecy. Internet Key Exchange (IKE) makes this possible.

IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two encryption modes: Transport and Tunnel.

Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.

Note that the security of the IPsec protocols depends on the secrecy of the secret keys. If the secret keys are compromised, the IPsec protocols can no longer be secure.
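The AH property described above, an integrity check that covers the whole packet including the IP header, can be illustrated in a few lines. This is an added example and not real IPsec or any IPsec implementation: HMAC-SHA256 stands in for AH's integrity check value, the shared key is constructed (in real IPsec it would come from IKE), the IPv4 packet is built here, and only the two most obvious mutable header fields (TTL and header checksum) are zeroed before the MAC, a simplification of what AH does.

```python
import hmac, hashlib, struct

SHARED_KEY = b"constructed-shared-secret"   # in real IPsec this comes from IKE

def build_ipv4(src, dst, ttl, payload):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    total = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol 51 (AH),
    # header checksum (left zero here), source, destination
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 51, 0,
                      bytes(src), bytes(dst))
    return hdr + payload

def ah_icv(packet, key=SHARED_KEY):
    """Integrity value over the whole packet, IP header included, with the
    fields that legitimately change in transit zeroed first."""
    hdr = bytearray(packet[:20])
    hdr[8] = 0                 # TTL is decremented by every router
    hdr[10:12] = b"\x00\x00"   # header checksum is recomputed per hop
    return hmac.new(key, bytes(hdr) + packet[20:], hashlib.sha256).digest()

def verify(packet, icv, key=SHARED_KEY):
    """True only if the packet came from a key holder and was not modified."""
    return hmac.compare_digest(ah_icv(packet, key), icv)

def forward_hop(packet):
    """What a router does: decrement TTL (checksum recomputation omitted)."""
    out = bytearray(packet)
    out[8] -= 1
    return bytes(out)

def rewrite_source(packet, new_src):
    """A spoofed source address, the 'impersonator' case from the text."""
    return packet[:12] + bytes(new_src) + packet[16:]

# Constructed packet from 10.0.0.1 to 10.0.0.2 and its integrity value.
PACKET = build_ipv4([10, 0, 0, 1], [10, 0, 0, 2], 64, b"hello from the peer")
ICV = ah_icv(PACKET)
```

Routing the packet through a hop still verifies, while a changed source address, a changed payload or a different key does not.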

Reference for readers: Old IPsec suite - RFC1825, New IPsec suite - RFC2401

