Differences between revisions 6 and 7
Revision 6 as of 2010-02-24 16:27:04 (size 3371, editor host-216-249-123-164)
Revision 7 as of 2010-03-08 19:10:42 (size 3402, editor anderson-camtasia)


Hacking Exposed Chapter 2: Scanning

Scanning is a method of determining what system and services are running on a machine.

Determining if the System is Alive

Network Ping Sweeps

Network ping sweeps are used to find active systems on a network. They work by using ICMP to ping every IP address on a network. If a system responds, you know it's there. Tools used to do network ping sweeps include fping on *Nix systems and nmap on Windows systems.

Detecting a ping sweep is important to maintain security. Snort can be used to detect ping sweeps, and most commercial network and desktop firewalls can detect ping sweeps. Preventing a ping sweep can be done by evaluating the ICMP traffic that you allow into your network. [Dr. A: What would you suggest blocking?]

ICMP Queries

ICMP Queries are used as a scanning technique that takes advantage of the expected default replies to different types of ICMP traffic.

To defend against ICMP queries, it is possible to block the ICMP types that give out information at your border routers.
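The two defensive points above (spotting a ping sweep, and deciding which ICMP types to stop at the border) can be made concrete with a small detector. The code below is an added example, not part of the original notes: it runs over a constructed packet log, reports any source that sends echo requests to many distinct hosts in a short window, and lists the inbound ICMP records that an example border policy would drop. The log format, the 192.0.2.0/24 protected range, the thresholds and the allowed-type set are all assumptions of the example.

```python
"""Added example (not from the original notes): detect ICMP ping sweeps and
flag information-disclosing ICMP query types in a constructed packet log.

Assumptions (the example's, not the page's): each record is
(timestamp_seconds, src_ip, dst_ip, icmp_type); the protected network is
192.0.2.0/24 (a documentation range); the border policy admits only the
ICMP types a host needs for normal operation.
"""
from collections import defaultdict
import ipaddress

# ICMP type numbers (RFC 792 / RFC 950)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TIMESTAMP_REQUEST, ADDRESS_MASK_REQUEST = 13, 17

# Inbound ICMP types the example border policy permits. Echo requests and the
# timestamp / address-mask queries are deliberately absent: echo requests drive
# ping sweeps, and the other two answer with host details by default.
ALLOWED_INBOUND_TYPES = {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED}

PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample log: (t, src, dst, icmp_type). 198.51.100.7 sweeps part of
# the /24 with echo requests and then probes one host with timestamp and
# address-mask requests; 203.0.113.9 is a single echo reply to our own ping.
SAMPLE_LOG = [
    (i, "198.51.100.7", f"192.0.2.{10 + i}", ECHO_REQUEST) for i in range(12)
] + [
    (12, "198.51.100.7", "192.0.2.10", TIMESTAMP_REQUEST),
    (13, "198.51.100.7", "192.0.2.10", ADDRESS_MASK_REQUEST),
    (14, "203.0.113.9", "192.0.2.20", ECHO_REPLY),
]


def inbound_policy_drops(records):
    """Return the records the border policy would drop: ICMP entering the
    protected network whose type is not in ALLOWED_INBOUND_TYPES."""
    drops = []
    for rec in records:
        _, src, dst, icmp_type = rec
        inbound = (ipaddress.ip_address(dst) in PROTECTED_NET
                   and ipaddress.ip_address(src) not in PROTECTED_NET)
        if inbound and icmp_type not in ALLOWED_INBOUND_TYPES:
            drops.append(rec)
    return drops


def detect_ping_sweeps(records, window=60, threshold=10):
    """Report {src: max_distinct_targets} for sources that sent echo requests
    to at least `threshold` distinct destinations within any `window` seconds
    (sliding window per source)."""
    by_src = defaultdict(list)
    for t, src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST:
            by_src[src].append((t, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print("sweep alerts:", detect_ping_sweeps(SAMPLE_LOG))
    for rec in inbound_policy_drops(SAMPLE_LOG):
        print("policy drop:", rec)
```

The allowlist is the interesting design choice: rather than enumerating types to block, the policy names the few inbound types a host legitimately needs (replies to its own pings, destination unreachable for path MTU discovery, time exceeded for traceroute) and drops everything else, so a sweep's echo requests and the timestamp and address-mask queries never reach an internal host.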

Determining Which Services are Running or Listening

Port Scanning

After finding responsive systems, an attacker will typically attempt to determine which services are running on a machine. One technique used to do so is port scanning. Port scanning is the process of sending packets to TCP or UDP ports on a target system to determine which of them are running or in a listening state. This allows the attacker to determine what attacks will be effective against a system.

Scan Types

  • TCP Connect Scan
  • TCP SYN Scan
  • TCP FIN Scan
  • TCP Xmas Tree Scan
  • Many more

Identifying TCP and UDP Services Running

Tools to identify running services include:

  • Strobe: a TCP scanning utility for Linux
  • udp_scan: a UDP scanner for Linux
  • netcat: a tool that can be used to do TCP and UDP scans for Linux
  • nmap: a tool that can scan both TCP and UDP for UNIX
  • SuperScan: TCP/UDP scanner for Windows
  • WUPS: UDP scanner for Windows
  • Many more

Defending against port scans

Detecting port scans can be done with Snort and many other firewalls. Preventing a port scan is not viable, but limiting exposure is. This can be accomplished by disabling services that are not necessary on the target machine.
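The scan types listed above differ in which TCP flags the probe carries, which is also what a detector keys on. The following is an added example, not code from the notes: it classifies each unsolicited TCP packet in a constructed connection log by its flag combination and reports sources that touch many distinct ports within a short window, the same signal a Snort portscan preprocessor or a firewall uses. The record format, the window and threshold, and the tcpdump-style flag letters are assumptions of the example; the NULL and ACK probe types go beyond the page's list (they fall under its "many more").

```python
"""Added example (not from the original notes): classify TCP probes by flag
combination and flag sources that touch many distinct ports, over a
constructed connection log.

Assumptions (the example's): each record is
(timestamp_seconds, src_ip, dst_ip, dst_port, flags), where flags is a string
of flag letters as tcpdump prints them (S=SYN, A=ACK, F=FIN, R=RST, P=PSH,
U=URG) and every record is the first packet that source sent to that port.
"""
from collections import defaultdict


def classify_probe(flags):
    """Name the scan type a single unsolicited TCP packet is consistent with.
    A connect scan and a SYN (half-open) scan both open with a bare SYN and
    differ only in the follow-up (ACK completing the handshake versus RST
    tearing it down), so a lone SYN is reported as 'SYN or connect'."""
    f = frozenset(flags)
    if f == {"S"}:
        return "SYN or connect"
    if f == {"F"}:
        return "FIN"
    if f == {"F", "P", "U"}:
        return "Xmas tree"
    if not f:
        return "NULL"
    if f == {"A"}:
        return "ACK"
    return "other/unclassified"


def detect_port_scans(records, window=30, threshold=15):
    """Return {src: (distinct_targets, scan_types)} for sources that probed at
    least `threshold` distinct (host, port) pairs within `window` seconds."""
    by_src = defaultdict(list)
    for t, src, dst, port, flags in records:
        by_src[src].append((t, dst, port, flags))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            targets = {(dst, port) for _, dst, port, _ in in_window}
            if len(targets) >= threshold:
                types = sorted({classify_probe(fl) for *_, fl in in_window})
                prev_count = alerts.get(src, (0, []))[0]
                if len(targets) > prev_count:
                    alerts[src] = (len(targets), types)
    return alerts


# Constructed sample log: 198.51.100.7 sends a SYN to ports 1-20 and then an
# Xmas-tree probe (FIN+PSH+URG) to ports 21-25 of one host; 203.0.113.9 is an
# ordinary client opening connections to 443 and 80.
SAMPLE_LOG = (
    [(t, "198.51.100.7", "192.0.2.10", 1 + t, "S") for t in range(20)]
    + [(20 + i, "198.51.100.7", "192.0.2.10", 21 + i, "FPU") for i in range(5)]
    + [(3, "203.0.113.9", "192.0.2.10", 443, "S"),
       (9, "203.0.113.9", "192.0.2.10", 80, "S")]
)

if __name__ == "__main__":
    for src, (count, types) in detect_port_scans(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct targets, probe types {types}")
```

The threshold on distinct (host, port) pairs is what separates a scan from a busy legitimate client: the client in the sample opens two ports and is never reported, while the scanner's 25 targets trip the alert whatever flag mix it used. Since the notes say prevention is not viable, this kind of detection plus disabling unneeded services is the realistic defensive pairing.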

Detecting the Operating System

Active Operating System Detection

Active Stack Fingerprinting is a technique for active OS detection that takes advantage of the differences in implementation of the IP stack. This technique can produce results with a high degree of accuracy. It uses many different probes to determine the OS, such as FIN Probe, Bonus Flag probe, Initial sequence number sampling, TCP initial window size, and others.

Countermeasures include detecting the probe, but prevention is not really necessary or viable.

Passive OS detection

Passive Stack Fingerprinting monitors network traffic to determine the OS, using signatures such as the TTL, window size, and the DF bit.
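To show what passive fingerprinting does with the three fields the notes name (TTL, window size, DF bit), here is an added example that is not part of the original notes. It maps an observed TTL back to the sender's likely initial TTL (packets only lose TTL in transit, so the observed value is rounded up to the next common default), matches the triple against a signature table, and votes across several packets from one host. The signature table is constructed for illustration and is not a real fingerprint database; the initial TTL defaults it relies on (64 for Linux, 128 for Windows, 255 for Cisco IOS and Solaris) are the commonly documented ones.

```python
"""Added example (not from the original notes): passive stack fingerprinting
from (TTL, TCP window size, DF bit) observations.

Assumptions (the example's): observed TTLs are rounded up to the nearest of
the common initial TTLs 64 / 128 / 255; SIGNATURES is a constructed,
illustrative table, not a real fingerprint database.
"""
from collections import Counter

INITIAL_TTLS = (64, 128, 255)

# Constructed signature table: (initial_ttl, window_size, df_bit) -> label.
SIGNATURES = {
    (64, 29200, True): "Linux-like",
    (64, 65535, True): "BSD-like",
    (128, 8192, True): "Windows-like",
    (255, 4128, False): "Cisco IOS-like",
}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the smallest common initial TTL that is
    >= the observed value; each router on the path decremented it by one."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError(f"TTL {observed_ttl} does not fit the 8-bit field")


def hops_travelled(observed_ttl):
    """Estimated router hops between the sender and the monitoring point."""
    return initial_ttl(observed_ttl) - observed_ttl


def fingerprint(observed_ttl, window, df):
    """Match one packet's (TTL, window, DF) against SIGNATURES. An exact match
    is strongest; if only the TTL class matches and it is unambiguous, return
    that label as a weaker 'ttl-only' guess."""
    key = (initial_ttl(observed_ttl), window, df)
    if key in SIGNATURES:
        return SIGNATURES[key], "exact"
    same_ttl = {label for (ttl, _, _), label in SIGNATURES.items() if ttl == key[0]}
    if len(same_ttl) == 1:
        return same_ttl.pop(), "ttl-only"
    return "unknown", "none"


def fingerprint_host(observations):
    """Vote across several packets from one host and return (label, share of
    packets agreeing); passive detection gets more confident as more of the
    host's normal traffic is seen."""
    votes = Counter(fingerprint(*obs)[0] for obs in observations)
    label, count = votes.most_common(1)[0]
    return label, count / len(observations)


# Constructed observations from one host 11 hops away: (ttl, window, df).
SAMPLE_HOST = [(53, 29200, True), (53, 29200, True), (52, 29200, True)]

if __name__ == "__main__":
    print("hops:", hops_travelled(53))
    print("host:", fingerprint_host(SAMPLE_HOST))
```

The TTL normalisation is the step people most often skip: a packet observed with TTL 53 came from a 64-TTL stack 11 hops away, not from a stack that starts at 53. The 'ttl-only' fallback also shows the limit of the method: when several signatures share an initial TTL, a lone packet with an unfamiliar window size cannot be attributed, which is why real passive fingerprinters collect many more fields and many more packets.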

Prevention: Same as above

Automated Discovery Tools

ADTs are bundles of software that can perform many of the techniques discussed earlier. The defense against such tools lies in the defense against each individual part, discussed earlier.

HackingExposedChapter02 (last edited 2010-03-08 19:10:42 by anderson-camtasia)