At this stage an attacker would have a list of IP ranges, DNS servers, mail servers, employee names and phone numbers. All of this would be used by attackers to probe our network to see which systems are alive and which services are running on them.
There are many tools and techniques available to accomplish this.
A ping sweep is a method used to find out which addresses in a range of IP addresses are alive and reachable from the internet.
Fping can be used on large networks: it does not wait for a reply before trying the next IP, but sends many requests in parallel.
root@bt:#fping -a -f ipadd.txt
-a – shows systems that are alive.
-d – resolves hostnames.
-f – read from file.
-h – help.
Nmap is another tool that can be used for ping sweeps.
root@bt:#nmap -sP 192.168.1.0/24
There are other methods that can be used if ICMP is blocked, but they are not as accurate as ping sweeps:
Port scanning – a time-consuming method; nmap can be used for this and for many other advanced features. Port 80 is a good one to scan, as many networks allow this port through their main border routers to the systems on their DMZ network, or even through the main firewall.
root@bt:#nmap -sP -PT80 192.168.136.0/24
Good ports to try with this method:
SMTP 25, POP 110, AUTH 113, IMAP 143.
Other tools that can be used:
hping, hping2, hping3 – TCP ping utilities with far more TCP functionality than nmap; they can also fragment packets.
root@bt:#hping 192.168.136.1 -S -p 80 -f
Icmpenum – an ICMP enumeration tool that quickly identifies live systems by sending ICMP echo packets, ICMP timestamp requests and ICMP information requests. It can bypass some firewalls and can also avoid detection by spoofing packets.
root@bt:#icmpenum -i2 -c 192.168.136.0
Querying the timestamp and netmask of a system – gives valuable information to an attacker, because he/she can identify the time zone of a system and the subnet it is in. With this information an attacker can work out the broadcast address and the address of the default gateway. This enables router attacks and DoS attacks respectively, because the attacker now knows the default gateway and the broadcast address.
icmpenum, icmpquery, icmpush and nmap – can do this.
root@bt:#nmap -PP 192.168.136.167 – Timestamp request.
root@bt:#nmap -PM 192.168.136.167 – Net mask request.
All this information gathered by the attacker will allow him/her to move on to the next step of this section, which is port scanning. This provides the attacker with information about the services that are running.
Port scanning is the process of probing systems by sending TCP and UDP packets to find out which services are running on the network. The running services help confirm the OS of the target. Knowing this, the attacker can then search for vulnerabilities in these services with the aim of escalating their privileges across the whole network, or most of it at least. If the attacker succeeds in this they can do pretty much anything they want:
- They can delete records.
- Plant viruses or backdoors.
- They can even use the network as a staging point from which to run further attacks against other networks.
So port scanning helps both the attacker and the administrator of the network identify three main things:
- Which TCP/UDP services are running.
- The OS used.
- Type and version of the applications on the systems.
There are many different scanning techniques, as described at http://nmap.org/book/man-port-scanning-techniques.html and by Joel Scambray, Stuart McClure and George Kurtz (2009, pp. 70-71). They mention that many of these techniques are incorporated into nmap, designed by Fyodor himself, who is therefore the pioneer of these types of scans:
“Types of Scans:
TCP connect scan – completes the full three-way handshake and connects to the target. It is easily detected.
TCP SYN scan – half-open scanning because a full TCP connection is not made. It is stealthier than the above scan and may not be detected, but may produce a DoS on the target. In this scan only a SYN packet is sent; if a SYN/ACK is received it means the port is listening. The attacker's system will also send RST/ACK so that a full connection is never made.
TCP FIN scan – This technique only works on Unix based TCP/IP stacks. The target will send back an RST for all closed ports.
TCP Xmas Tree scan – FIN, URG, and PUSH packets are sent to the target port. The target system sends an RST for all closed ports.
TCP Null scan – all flags switched off. An RST is sent by target for all closed ports.
TCP ACK scan – Determines the rules set on the firewall, which identifies whether the firewall is a simple packet filter firewall that only allows connections with the ACK bit set or an advanced firewall (stateful firewall).
TCP Window scan – Detects open, filtered and unfiltered ports.
TCP RPC scan (Unix only) – Identifies RPC ports.
UDP scan – Slow and unreliable; sends UDP packets, and if you don’t get “ICMP port unreachable” it means the port is open.”
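As an added illustration (not part of the original report), the detection logic an IDS applies to the probe types listed above, run over a constructed set of packet records: the flag combination identifies the scan type, and a single source touching many ports, or sending any Null/FIN/Xmas probe, is flagged. The packet tuple layout and the port threshold are assumptions.

```python
"""Classify TCP probes by flag combination and flag sources that sweep ports.
Added example, not code from the report; packet records are constructed."""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags):
    """Map a TCP flags byte to the scan type described in the text.
    Returns None for ordinary traffic (SYN/ACK, PSH/ACK, ...)."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | URG | PSH:
        return "xmas"
    if flags == SYN:
        return "syn"   # half-open probe: the scanner never completes the handshake
    if flags == ACK:
        return "ack"   # bare ACKs also occur in normal traffic, so never alert alone
    return None

def detect_scans(packets, port_threshold=10):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags).
    Returns {src_ip: {"probes": {type: count}, "ports": n, "sweep": bool}}."""
    ports = defaultdict(set)
    probes = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is None:
            continue
        probes[src][kind] += 1
        ports[src].add((dst, dport))
    report = {}
    for src, kinds in probes.items():
        n = len(ports[src])
        # Null/FIN/Xmas flag combinations have no legitimate use: one is enough.
        stealth = any(k in kinds for k in ("null", "fin", "xmas"))
        report[src] = {"probes": dict(kinds), "ports": n,
                       "sweep": n >= port_threshold or stealth}
    return report

# Constructed sample (TEST-NET addresses): one host SYN-scanning ports 1-20,
# one sending a single Xmas probe, and a normal client handshaking to port 80.
SAMPLE = [("192.0.2.10", "192.0.2.50", p, SYN) for p in range(1, 21)]
SAMPLE += [("192.0.2.11", "192.0.2.50", 80, FIN | URG | PSH)]
SAMPLE += [("192.0.2.12", "192.0.2.50", 80, SYN),
           ("192.0.2.12", "192.0.2.50", 80, ACK),
           ("192.0.2.12", "192.0.2.50", 80, PSH | ACK)]
```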
The tools available for Unix/Linux that can perform these types of scans are:
- Strobe – TCP scanner that can also grab banners.
- Udp_scan – a UDP scanner; it can alert the target's IDS.
root@bt:#udp_scan 192.168.136.1 1-1024
- Netcat – the Swiss Army knife of network security as described by security professionals.
root@bt:#nc -vv -z -w2 192.168.136.1 80
- Nmap – the tool of choice for this report.
There are many other functions that can be performed with nmap. These can be listed by typing “nmap --help”.
The different options presented in the help output explain why security professionals consider this one of the best tools available. However, it can also be used by attackers, so it is very important for security professionals to learn how to use it and to make good use of it.
root@bt:#nmap -sS 192.168.136.167
TCP SYN scan of one system.
root@bt:#nmap -sF 192.168.136.0/24
FIN scan of a CIDR block.
To evade IDSs, nmap provides the fragment option -f, but the scan can still be detected if the network has a properly configured IDS.
The decoy option (-D) tries to get around IDSs and firewalls by sending decoy scans at the same time as the real scan: it spoofs the source address with the address of a legitimate server and mixes these decoy scans with the real one. The decoy servers should be live, legitimate servers; otherwise the scan will produce a SYN flood, causing a DoS on the target.
root@bt:#nmap -sS 192.168.136.155 -D 192.168.136.1
Nmap used to offer an option to identify the user of a TCP connection (-I), but it is no longer supported:
If an attacker were able to use this option and managed to get a reply naming the root user, it would mean the service is running as root, so if he/she compromised this service the attacker would get root access.
Having completed these scans, an attacker would have a strong idea of the OS and the services running. This shows us that it is very hard, if not impossible, for a system to be compromised if it has no open ports, and that the more open ports a network device has, the easier it is to compromise.
The next step would be to increase the accuracy of the OS fingerprint.
Detecting The OS (Operating System)
As described by Michael Gregg (2008, p 131), OS detection can be done in one of two ways: active and passive.
It is very important to have an OS fingerprint that is as accurate as possible. From an attacker's point of view, he/she would not want to spend a considerable amount of time researching how to exploit vulnerabilities that are not there because of an inaccurate OS fingerprint, and from an administrator's side we do not want to waste time patching things that do not exist.
Some of the tools available to make this task easier are 5nmp, autoscan, nmap, sslscan, xprobe2, etc. Nmap will be illustrated here.
The following shows a list of probes that help ID an OS:
- FIN Probe.
- Bogus Flag Probe.
- Initial Sequence number Sampling.
- “Don’t Fragment bit” monitoring.
- TCP initial Window size.
- ACK Value.
- ICMP error message quenching.
- ICMP message Quoting.
- ICMP error message – echoing integrity.
- Type Of Service (TOS).
- Fragmentation Handling.
- TCP Options.
Nmap implements all of these except for fragmentation handling and the ICMP error message probe:
root@bt:#nmap -O 192.168.136.167
The above is an example of stack fingerprinting; it requires at least one port to be open. If there are no open ports you can use nmap's -p<n> option (where n is a port number) to get a good guess of the OS.
root@bt:#nmap -p80 192.168.136.167
Active fingerprinting can easily be detected by IDSs because it is not stealthy and requires a connection with the target.
One might ask why it is important to be stealthy when I am the administrator of this network, so that there is no problem if my IDS detects this.
The answer to this question is that we are trying to perform these steps in the same way an attacker would, which will test the effectiveness of our control measures.
With passive fingerprinting the attacker monitors the network from inside; it requires the attacker to be on a port that allows packet capture (a mirrored port).
Lance Spitzner describes passive fingerprinting [online] as:
“Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all you need to do is capture packets sent from the remote system. Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Just like in active fingerprinting, passive fingerprinting is based on the principle that every operating system’s IP stack has its own idiosyncrasies. By analyzing sniffer traces and identifying these differences, you may be able to determine the operating system of the remote host.
There are four TCP areas that we will look at to determine the operating system (however there are other signatures that can be used). These signatures are:
TTL – What the operating system sets the Time To Live on the outbound packet
Window Size – What the operating system sets the Window Size at.
DF – Does the operating system set the Don’t Fragment bit.
TOS – Does the operating system set the Type of Service, and if so, at what.”
Tools such as Snort, Wireshark and Siphon can be used:
If we telnet to a system:
Then, using a sniffer such as Wireshark, tcpdump or Snort, we can take a packet trace:
Then we can review the siphon fingerprint database osprint.conf:
root@bt:#grep -i linux osprint.conf
Each entry has the format Window:TTL:DF:Operating System, where DF = 1 for on and 0 for off.
So from the example OS fingerprints shown below:
Window  TTL  DF  Operating System
7D78    64   1   Linux 2.1.122 – 2.2.14
We can also use siphon and either surf to a web site, as I have done here, or telnet to the target:
root@bt:#./siphon -v -i eth0 -o fingerprint.out
As you can see above, just by setting siphon to monitor traffic on eth0 (interface Ethernet 0) and surfing to websites, I managed to get valuable information without directly connecting to the target. I obtained the IP addresses, TTL, DF and the operating system window.
root@bt:#grep -i FAF0 osprint.conf
We get a confirmation of the OS used.
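An added example, not the report's or siphon's own code, of the passive lookup just walked through: it extracts window, TTL, DF and TOS from a raw IPv4/TCP header and matches them against entries in the Window:TTL:DF:Operating System layout. The osprint.conf lines, the packet bytes and the TTL-slack rule (a captured TTL at or below the entry's value, since each hop decrements it) are constructed assumptions.

```python
"""Passive OS fingerprint fields from a raw IPv4/TCP header, matched against
osprint.conf-style entries. Added example; database lines are constructed."""
import struct

# Constructed entries in the Window:TTL:DF:OS layout the text describes
# (window in hex, DF 1 = set). Not the real osprint.conf contents.
OSPRINT = """
7D78:64:1:Linux 2.1.122 - 2.2.14
FAF0:80:1:Example OS (constructed entry)
""".strip().splitlines()

def parse_osprint(lines):
    db = []
    for line in lines:
        window, ttl, df, name = line.split(":", 3)
        db.append((int(window, 16), int(ttl), int(df), name))
    return db

def fingerprint_fields(pkt):
    """pkt: bytes of an IPv4 packet carrying TCP. Returns (window, ttl, df, tos)."""
    ver_ihl, tos, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = (flags_frag >> 14) & 1                  # IP flags: bit 14 is Don't Fragment
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]   # TCP window, offset 14
    return window, ttl, df, tos

def match_os(pkt, db, ttl_slack=True):
    """OS names whose window and DF match; TTL must equal the entry's value or,
    with ttl_slack, lie below it (routers decrement the initial TTL per hop)."""
    window, ttl, df, _ = fingerprint_fields(pkt)
    hits = []
    for w, t, d, name in db:
        ttl_ok = ttl == t or (ttl_slack and 0 < ttl <= t)
        if w == window and d == df and ttl_ok:
            hits.append(name)
    return hits

def build_packet(ttl, df, window, tos=0):
    """Constructed IPv4 + TCP SYN header (no options) standing in for a capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000 if df else 0,
                     ttl, 6, 0, b"\xc0\x00\x02\x0a", b"\xc0\x00\x02\x32")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    print(match_os(build_packet(ttl=64, df=1, window=0x7D78), parse_osprint(OSPRINT)))
```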