Tool used to automate dialing of large pools of telephone numbers in an effort to find unprotected

Full-featured, free war dialing tool
Runs on Win9x, WinNT, and Win2000
Released by The Hacker’s Choice group
Available at http://thc.inferno.tusculum.edu
Keeps track of number of carriers (discovered modems)
Detects repeat dial tones
Nudges discovered modems
Jamming detection

Tool used to attack just one telephone number with a modem by guessing passwords
THC LoginHacker available at http://thc.inferno.tusculum.edu

Provide documented policy forbidding use of modems on desktop machines in offices without approval from security team
Periodically scan all analog lines and digital PBX lines
Perform desk-to-desk check of modem lines to computers

Finding live hosts
ICMP pings
TCP/UDP packets

Traceroute utility on most Unix platforms sends out UDP packets with incremental TTL values to trigger ICMP Time Exceeded messages
Tracert utility on Microsoft platforms sends out ICMP Echo Request packets with incremental TTL values to trigger ICMP Time Exceeded replies

A nifty network mapper tool
Available at http://www.marko.net/cheops
Runs on Linux
Generates network topology by using ping sweeps and traceroute
Supports remote operating system identification using TCP stack fingerprinting

Block incoming ICMP messages at Internet gateway to make ping ineffective
Filter ICMP Time Exceeded messages leaving your network to make traceroute ineffective

Used to find open ports
Free port scanning tools
Nmap available at www.insecure.org/Nmap
Strobe at http://packetstorm.securify.com/UNIX/scanners
Ultrascan for NT available at http://packetstorm.securify.com/Unix/scanners

Full-featured port scanning tool
Unix version available at http://www.insecure.org/Nmap
Windows NT version available at http://www.eeye.com/html/Databases/Software/Nmapnt.html

TCP Connect (-sT)
Attempts to complete the 3-way handshake with each scanned port
Sends SYN and waits for SYN-ACK before sending ACK
Tears down connection using FIN packets
If target port is closed, sender will receive either no response, a RESET packet, or an ICMP Port Unreachable packet
Not stealthy

TCP SYN (-sS)
Only sends the initial SYN and waits for SYN-ACK to detect open port
SYN scans stop two-thirds of the way through the 3-way handshake
Aka half-open scan
Attacker sends a RESET after receiving a SYN-ACK response
A true connection is never established
If target port is closed, destination will send a RESET or nothing
Faster and stealthier than Connect scans
SYN flood may cause accidental denial-of-service attack if target is slow

TCP FIN (-sF)
Sends a TCP FIN to each port. A RESET indicates that the port is closed, while no response may mean that the port is open
TCP Xmas Tree (-sX)
Sends a packet with FIN, URG, and PUSH code bits set. A RESET indicates that the port is closed, while no response may mean that the port is open
Null (-sN)
Sends packets with no code bits set. A RESET indicates that the port is closed, while no response may mean that the port is open

TCP ACK (-sA)
Sends a packet with the ACK code bit set to each target port
Allows attacker to get past some packet filtering devices

TCP ACK (-sA)
Allows attacker to determine which ports through a firewall or router accept responses belonging to established connections, and hence what kind of established connections the firewall will allow into the network
If no response or an ICMP Port Unreachable message is returned, Nmap labels the target port as “filtered”, meaning that a packet filter is blocking the response

Window (-sW)
Similar to ACK scan, but focuses on the TCP Window size to see if ports are open or closed on a variety of operating systems
FTP Bounce (-b)
Bounces a TCP scan off of an FTP server, hiding the originator of the scan
How to check FTP servers for bounce capability: http://www.cert.org/advisories/CA-1997-27.html

UDP Scanning (-sU)
Sends a UDP packet to target ports to determine if a UDP service is listening
If the target system returns an ICMP Port Unreachable message, the target port is closed. Otherwise, the target port is assumed to be open
Unreliable since there may be false positives
A client program for the service expected on a discovered open port is used to verify that the service is really there
Ping (-sP)
Sends ICMP echo request packets to every machine on the target network, allowing for locating live hosts. This isn’t port scanning; it’s network mapping
Can use TCP packets instead of ICMP to conduct ping sweep

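As an added example (not code from the original slides), the response-to-state rules listed above for Connect, SYN, FIN/Xmas/Null, ACK and UDP scans written out as one classification function. Where the slides lump "no response" and ICMP errors for a SYN probe in with "closed", this follows Nmap's actual reporting and returns "filtered"; the response labels are this example's own constants, not Nmap identifiers.

```python
SYN_ACK = "syn-ack"                   # target answered step 2 of the handshake
RST = "rst"                           # target reset the probe
ICMP_UNREACH = "icmp-port-unreachable"
UDP_REPLY = "udp-payload"             # a UDP service answered in kind
NONE = None                           # nothing came back before the timeout

def port_state(scan, response):
    """State implied by RESPONSE to one probe of type SCAN: 'open', 'closed',
    'filtered', 'unfiltered' or 'open|filtered' (silence is not proof)."""
    if scan in ("connect", "syn"):
        if response == SYN_ACK:
            return "open"
        if response == RST:
            return "closed"
        return "filtered"             # silence or an ICMP error: something dropped it
    if scan in ("fin", "xmas", "null"):
        if response == RST:
            return "closed"           # only a RST is conclusive for these probes
        return "filtered" if response == ICMP_UNREACH else "open|filtered"
    if scan == "ack":
        # Cannot tell open from closed, only whether a RST made it back through
        return "unfiltered" if response == RST else "filtered"
    if scan == "udp":
        if response == ICMP_UNREACH:
            return "closed"
        if response == UDP_REPLY:
            return "open"
        return "open|filtered"        # the false-positive case the slides warn about
    raise ValueError(f"unknown scan type {scan!r}")

def classify_scan(scan, responses):
    """RESPONSES maps port -> what came back; returns port -> state."""
    return {port: port_state(scan, resp) for port, resp in responses.items()}

if __name__ == "__main__":
    # Constructed sample: what a SYN scan of four ports might observe
    sample = {22: SYN_ACK, 23: RST, 80: NONE, 443: ICMP_UNREACH}
    for port, state in sorted(classify_scan("syn", sample).items()):
        print(f"{port}/tcp {state}")
```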
RPC Scanning (-sR)
Scans RPC services by sending RPC NULL commands to all discovered open TCP/UDP ports on the target. Tries to determine if an RPC program is listening at the port and identifies the type of RPC program

Choose specific source ports to increase the chance that the packets will be admitted into the target network
Using source port of 25 or 80 together with an ACK scan will make the traffic look like responses to Web traffic or outgoing email
Using TCP source port 20 will look like incoming FTP data connection
Using UDP source port of 53 will look like DNS responses

Nmap allows attacker to specify decoy source addresses to use during scan
Packets containing attacker’s actual address are interleaved with decoy packets

Used to determine operating system of target
Nmap sends various abnormal packets
NULL packet to open port
SYN/FIN/URG/PSH packet to open port
SYN packet to closed port
ACK packet to closed port
FIN/PSH/URG packet to closed port
UDP packet to closed port
Nmap sends series of SYN packets to determine predictability of Initial Sequence Number
Nmap compares responses against a database describing how various systems respond to illegal code bit combinations and to the sequence number prediction check

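An added example, not from the original slides, of what the SYN, FIN/Xmas/Null and fingerprinting probes above look like from the defender's side: a small detector run over constructed packet log lines that flags the illegal flag combinations those probes use, and sources that leave many half-open SYNs to one host without ever completing a handshake. The log format, addresses and fan-out threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample traffic, one packet per line in this example's own format
# (not a sniffer's): time src:port > dst:port flags; S A F R P U, "-" = no flags
SAMPLE_LOG = """\
10:00:01 10.9.9.9:40001 > 192.0.2.10:21 S
10:00:01 192.0.2.10:21 > 10.9.9.9:40001 SA
10:00:01 10.9.9.9:40001 > 192.0.2.10:21 R
10:00:03 10.9.9.9:40003 > 192.0.2.10:23 S
10:00:04 10.9.9.9:40004 > 192.0.2.10:25 S
10:00:05 10.9.9.9:40005 > 192.0.2.10:80 FPU
10:00:06 10.9.9.9:40006 > 192.0.2.10:80 -
10:00:07 10.9.9.9:40007 > 192.0.2.10:80 SFPU
10:00:08 198.51.100.7:51000 > 192.0.2.10:80 S
10:00:08 192.0.2.10:80 > 198.51.100.7:51000 SA
10:00:08 198.51.100.7:51000 > 192.0.2.10:80 A
"""
LINE = re.compile(r"\S+ (\S+):\d+ > (\S+):(\d+) (\S+)$")

def flag_anomaly(flags):
    """Name the illegal flag combination, or None if the packet looks legal."""
    f = set(flags) - {"-"}
    if not f:
        return "null"                       # Nmap -sN and the NULL fingerprint probe
    if {"S", "F"} <= f:
        return "syn+fin"                    # the SYN/FIN/URG/PSH fingerprint probe
    if {"F", "P", "U"} <= f and not f & {"S", "A"}:
        return "xmas"                       # Nmap -sX
    return None

def analyze(log, fanout=3):
    """Flag illegal-flag packets and sources with >= fanout half-open SYNs to one host."""
    syn, completed, findings = defaultdict(set), defaultdict(set), []
    for m in filter(None, map(LINE.match, log.splitlines())):
        src, dst, dport, flags = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        kind = flag_anomaly(flags)
        if kind:
            findings.append(("illegal-flags", src, dst, dport, kind))
        elif flags == "S":
            syn[(src, dst)].add(dport)        # handshake step 1 seen
        elif flags == "A":
            completed[(src, dst)].add(dport)  # step 3: a real connection, not a scan
    for (src, dst), ports in syn.items():
        half_open = ports - completed[(src, dst)]
        if len(half_open) >= fanout:
            findings.append(("half-open-fanout", src, dst, sorted(half_open)))
    return findings
```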
Paranoid: send one packet every 5 minutes
Sneaky: send one packet every 15 seconds
Polite: send one packet every 0.4 seconds
Normal: send packets as quickly as possible without missing target ports
Aggressive: wait no more than 1.25 seconds for any response
Insane: wait no more than 0.3 seconds for any response; prone to traffic loss

Unix systems
Remove all unneeded services in /etc/inetd.conf
Remove unneeded services in /etc/rc*.d
Windows systems
Uninstall unneeded services or shut them off in the services control panel
Scan your own systems before the attackers do
Use stateful packet filter or proxy-based firewall
Blocks ACK scans
Blocks FTP data source port scans

Tool which allows attacker to determine firewall filter rules
Sends packets through a packet filter device to determine which ports are open through it
Identifies TCP and UDP ports on which the firewall allows new connection initiations
Available at http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html

Requires the attacker to specify IP address of the packet-filtering device and IP address of destination machine
Sends packets with incrementally higher TTL values until an ICMP Time Exceeded message is received from the packet-filtering device

Firewalk generates a series of packets with TTL set to one greater than the hop count to the packet filtering device
Packets contain incrementing destination TCP and UDP port numbers
An ICMP Time Exceeded response means that the port is open through the firewall
If nothing or ICMP Port Unreachable comes back, the port is probably filtered by the firewall
Works well against traditional and stateful packet filters
Does not work against proxy-based firewalls since proxies do not forward packets

Configure firewall to pass a minimum set of ports
Accept the fact that an attacker can determine your firewall rules
Filter out ICMP Time Exceeded messages leaving your network
Side effect of crippling traceroute
Replace traditional and stateful packet filters with proxy-based firewalls

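An added example, not from the original slides or from Firewalk itself, that models the TTL technique above and the Time Exceeded filtering defence: a toy path with a packet filter at hop 2 answers UDP probes the way routers and the destination host would, and both a traceroute and a Firewalk probe set are run against it with and without outbound ICMP Time Exceeded being dropped. Addresses, hop count and the allowed-port set are constructed.

```python
class Path:
    """hops: router addresses in order, the last entry being the destination
    host.  The filter is the router at position filter_hop (1-based) and
    forwards only probes whose destination port is in `allowed`."""
    def __init__(self, hops, filter_hop, allowed, egress_icmp=True):
        self.hops, self.filter_hop = hops, filter_hop
        self.allowed = set(allowed)
        self.egress_icmp = egress_icmp   # False: Time Exceeded from inside is dropped

    def probe(self, ttl, dport):
        """Reply to one UDP probe, or None if it vanished without any message."""
        for i, hop in enumerate(self.hops, start=1):
            if i == len(self.hops):                 # destination host, port closed
                return ("port-unreachable", hop)
            ttl -= 1                                # a forwarding router drops TTL by one
            if ttl == 0:
                if i > self.filter_hop and not self.egress_icmp:
                    return None                     # filter ate the error on its way out
                return ("time-exceeded", hop)
            if i == self.filter_hop and dport not in self.allowed:
                return None                         # silently dropped by the filter

def traceroute(path, dport, max_ttl=8):
    """Hop list as a Unix traceroute would print it ('*' where nothing came back)."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        reply = path.probe(ttl, dport)
        seen.append("*" if reply is None else reply[1])
        if reply and reply[0] == "port-unreachable":
            break                                   # reached the destination
    return seen

def firewalk(path, ports):
    """Firewalk's rule: TTL one past the filter; Time Exceeded back = port passes."""
    result = {}
    for port in ports:
        reply = path.probe(path.filter_hop + 1, port)
        result[port] = "open" if reply and reply[0] == "time-exceeded" else "filtered"
    return result

if __name__ == "__main__":
    hops = ["203.0.113.1", "203.0.113.2", "10.0.0.1", "10.0.0.20"]   # constructed
    for egress in (True, False):
        net = Path(hops, filter_hop=2, allowed={25, 80}, egress_icmp=egress)
        print("Time Exceeded allowed out:", egress)
        print("  traceroute:", traceroute(net, 80))
        print("  firewalk:  ", firewalk(net, [23, 25, 80]))
```

Dropping outbound Time Exceeded turns every Firewalk verdict into "filtered", and the same run shows the side effect the slides mention: the internal hop disappears from the traceroute as well.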
Checks for the following types of vulnerabilities
Common configuration errors
Default configuration weaknesses
Well-known system vulnerabilities

SARA http://www-arc.com/sara
SAINT http://www.wwdsi.com/saint
VLAD http://razor.bindview.com/tools
Nessus http://www.nessus.org

Network Associates’ CyberCop Scanner http://www.pgp.com/products/cybercop-scanner/default.asp
ISS’s Internet Scanner http://www.iss.net
Cisco’s Secure Scanner http://www.cisco.com/warp/public/cc/pc/sqsw/nesn
Axent’s NetRecon http://www.axent.com
eEye’s Retina Scanner http://www.eeye.com

Free
Source code available for review
Support for new vulnerability checks
You can write your own vulnerability checks in C or in Nessus Attack Scripting Language (NASL)

Small modular programs to check for a specific vulnerability
Categories of plug-ins
Finger abuses
Windows
Backdoors
Gain a shell remotely
CGI abuses
General
Remote file access
RPC
Firewalls
FTP
SMTP problems
Useless services
Gain root remotely
NIS
Denial-of-Service
Miscellaneous

Nessus server includes a vulnerability database (set of plug-ins), a knowledge base of the current active scan, and a scanning engine
Supports strong authentication for the client-to-server communication via public key encryption
Nessus server runs on Unix platforms (Solaris, Linux, FreeBSD)
Nessus client runs on Linux, Solaris, FreeBSD, Windows 9x, Windows NT/2000, and any Java-enabled browser (e.g. Macintosh with Netscape)

Used by attackers to find exploit code via search engines and attacker-friendly web sites

Scan your own network using latest vulnerability database
Do not use dangerous plug-ins against production servers
Close all unused ports
Apply patches to your systems
Have policy and practices for building and maintaining secure systems

Network-based IDSs have a database of attack signatures used to match against network traffic
When an attack is detected, an administrator can be notified via email or pager

Modify appearance of traffic so it does not match the signature
Change the context

Use IP fragments on IDSs that cannot perform packet reassembly
Send a flood of fragments to saturate IDS prior to attacking targets
Fragment the packets in unexpected ways

Create an initial fragment that is very small
Packet is sliced in the middle of the TCP header

Manipulates the fragment offset field of the IP header
Each IP packet is fragmented into two packets
First fragment contains TCP port number of a harmless service not closely monitored
Second fragment has an offset value so small that the fragments overlap during reassembly

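An added example (not from the original slides) of a check a reassembling IDS or sensor can apply to the tiny-fragment and overlapping-fragment tricks described above: it flags a first fragment too short to hold a TCP header and any fragment that re-covers bytes already received, and shows why overlap matters by reassembling the same two pieces under the two policies (first copy wins, later copy wins) that different stacks use. The field layout, port numbers and sample bytes are constructed for this example.

```python
import struct
from dataclasses import dataclass
TCP_HEADER_MIN = 20   # bytes: a first fragment shorter than this splits the TCP header

@dataclass
class Fragment:
    ident: int    # IP identification, shared by all pieces of one datagram
    offset: int   # fragment offset in bytes (the wire field counts 8-byte units)
    more: bool    # MF flag, set on every piece except the last
    data: bytes   # transport-layer bytes carried by this piece

def check_fragments(frags):
    """Flag fragment sets that look like evasion rather than ordinary MTU splitting."""
    by_id, findings = {}, []
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    for ident, pieces in by_id.items():
        first = min(pieces, key=lambda f: f.offset)
        if first.offset == 0 and first.more and len(first.data) < TCP_HEADER_MIN:
            findings.append((ident, "tiny-first-fragment"))  # ports and flags in different pieces
        covered = set()
        for f in pieces:
            span = set(range(f.offset, f.offset + len(f.data)))
            if span & covered:                                # two pieces claim the same bytes
                findings.append((ident, "overlap"))
                break
            covered |= span
    return findings

def reassemble(pieces, newer_wins):
    """Merge pieces in arrival order; which copy of an overlapped byte survives is policy."""
    buf, written = bytearray(), set()
    for f in pieces:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if pos >= len(buf):
                buf.extend(b"\0" * (pos + 1 - len(buf)))
            if newer_wins or pos not in written:
                buf[pos] = byte
            written.add(pos)
    return bytes(buf)

dest_port = lambda tcp_bytes: struct.unpack("!H", tcp_bytes[2:4])[0]

def tcp_header(dport):   # constructed 20-byte SYN header, source port 40000
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

# Constructed samples: EVASIVE = 16 bytes aimed at port 80, then a restart at offset 0 aimed at 23
EVASIVE = [Fragment(7, 0, True, tcp_header(80)[:16]), Fragment(7, 0, False, tcp_header(23) + b"hi\r\n")]
BENIGN = [Fragment(9, 0, True, tcp_header(80) + b"x" * 12), Fragment(9, 32, False, b"y" * 8)]
```

The same two pieces yield port 80 on a first-wins stack and port 23 on a newer-wins stack, which is exactly why an IDS that reassembles differently from the target host can be made to inspect the wrong connection.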
FragRouter http://www.anzen.com/research/nidsbench
Runs on BSD, Linux, and Solaris
A router that fragments all packets in various ways
Works in combination with other attack tools

Whisker http://www.wiretrip.net/rfp
Scanning tool that looks for vulnerable CGI scripts on Web servers
Evades network-based IDS detection at the application level by subtly changing the format of the CGI requests
Manipulates requests so that they do not match the IDS signatures exactly

URL encoding with unicode equivalent
/./ directory insertion
Premature URL ending
Long URL
Fake parameter
Using Tab in lieu of space separation
Case sensitivity
Windows delimiter
Null method
Session splicing

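An added example, not from the original slides or from Whisker, of the normalisation a network IDS needs before matching CGI signatures, covering the encoding, /./ insertion, long-URL and fake-parameter, premature-ending, tab, case and Windows-delimiter tricks listed above (session splicing is a TCP-level problem for stream reassembly, not handled here). The signature paths are constructed placeholders.

```python
from urllib.parse import unquote

# Constructed signature paths for this example; a real IDS rule set names real scripts
CGI_SIGNATURES = {"/cgi-bin/vuln.cgi", "/cgi-bin/upload.pl"}

def canonical_path(request_line, case_insensitive=True):
    """Reduce an HTTP request line to the path the web server will actually
    resolve, undoing the request-formatting tricks before signature matching."""
    parts = request_line.split()            # a tab ends the token just as a space does
    if len(parts) < 2:
        return None
    target = parts[1].split("?", 1)[0]      # only a literal '?' starts the query string
    target = unquote(target)                # %xx decoding happens after that split, so an
    target = target.replace("\\", "/")      #   encoded '?' stays part of the path; '\' = '/'
    resolved = []
    for seg in target.split("/"):
        if seg in ("", "."):                # '//' and '/./' add nothing
            continue
        if seg == "..":                     # bogus directories are climbed back out of
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    path = "/" + "/".join(resolved)
    return path.lower() if case_insensitive else path

def matches_signature(request_line):
    path = canonical_path(request_line)
    return path is not None and path in CGI_SIGNATURES

if __name__ == "__main__":
    for line in ("GET /cgi-bin/./vuln.cgi HTTP/1.0",
                 "GET\t/CGI-BIN/%76uln.cgi\tHTTP/1.0",
                 "GET /index.htm%3Fx=/../cgi-bin/vuln.cgi HTTP/1.0",
                 "GET /index.html?file=/cgi-bin/vuln.cgi HTTP/1.0"):
        print(matches_signature(line), canonical_path(line), repr(line))
```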
Keep attack signatures on IDS systems up-to-date
Use both network-based and host-based IDS
Use host-based IDS agent on sensitive Web, DNS, and mail servers