Network Security Assessment: Know Your Network

By Chris McNab


Chapter 1: Network Security Assessment
This chapter discusses at a high level the rationale behind Internet-based network security assessment and penetration testing. To retain complete control over your networks and data, you must take a proactive approach to security, an approach that starts with assessment to identify and categorize your risks. Network security assessment is an integral part of any security life cycle.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
The Business Benefits
From a commercial standpoint, assurance of network security is a business enabler. As a security consultant at the time of writing, I am helping a particular client in the retail sector to deploy and secure an 802.11b wireless network for use in nearly 200 stores across the United Kingdom. This wireless network has been designed in a security-conscious manner, allowing the retailer to embrace wireless technologies to improve efficiency and the quality of their service.
Shortcomings in network security and user adherence to security policy often allow Internet-based attackers to locate and compromise networks. High-profile examples of companies who have fallen victim to such determined Internet-based attackers over the last four years include:
  • RSA Security (http://www.2600.com/hacked_pages/2000/02/www.rsa.com/)
  • OpenBSD (http://lists.jammed.com/incidents/2002/08/0000.html)
  • NASDAQ (http://www.wired.com/news/politics/0,1283,21762,00.html)
  • Playboy Enterprises (http://www.vnunet.com/News/1127004)
  • Cryptologic (http://lists.jammed.com/ISN/2001/09/0042.html)
These compromises have come about in similar ways, involving large losses in some cases. Cryptologic is an online casino gaming provider that lost $1.9 million in a matter of hours to determined attackers. In the majority of high profile incidents, the attackers used a selection of the following techniques:
  • Compromising a poorly configured or protected peripheral system that is related to the target network space or host using publicly available exploits, such as scripts available from Packet Storm (http://www.packetstormsecurity.org) and other archives
  • Directly compromising key network components using private exploit tools, such as scripts that the attacker or his hacking group have developed for their own personal use
IP: The Foundation of the Internet
The Internet Protocol Version 4 (IPv4) is the networking protocol suite all public Internet sites currently use to communicate and transmit data to one another. From a network security assessment methodology standpoint, this book comprehensively discusses the steps that should be taken during the security assessment of any IPv4 network.
IPv6 is an improved protocol that is gaining popularity among academic networks. IPv6 offers a 128-bit address space (3.4 x 10^38 addresses) as opposed to the 32-bit space of IPv4 (only 4 billion addresses), which allows a massive number of devices to have publicly routable addresses. Eventually, the entire Internet will migrate across to IPv6, and every electronic device in your home will have an address.
Due to the large size of the Internet and the sheer number of security issues and vulnerabilities publicized, opportunistic attackers (commonly referred to as script kiddies) will continue to scour the public IP address space seeking vulnerable hosts. The combination of new vulnerabilities being disclosed on a daily basis, along with the adoption of IPv6, ensures that opportunistic attackers will always be able to compromise a certain percentage of Internet networks.
Classifying Internet-Based Attackers
The first type of threat that all publicly accessible networks are at risk from is that posed by opportunistic attackers. These attackers use auto-rooting scripts and network scanning tools to find and compromise vulnerable Internet hosts. Most opportunistic attackers fall into two distinct groups:
  • Those who compromise hosts for denial-of-service and flooding purposes
  • Those who compromise hosts through which attacks can be bounced (including port scans, breaking into other hosts, or sending spam email)
The second type of threat is that posed by determined attackers. A determined attacker will exhaustively probe every point of entry into a target network from the Internet, port scanning each and every IP address and assessing each and every network service in depth. Even if the determined attacker can't compromise the target network on his first attempt, he will be aware of areas of weakness. Detailed knowledge of a site's operating systems and network services allows the determined attacker to compromise the network upon the release of new exploit scripts in the future.
In light of this, the networks that are most at risk are those with sizeable numbers of publicly accessible hosts. Having many entry points into a network multiplies the exploitable vulnerabilities that exist at different levels; managing these risks becomes an increasingly difficult task as networks grow.
Assessment Service Definitions
Most security providers (both service and product companies) offer a number of assessment services branded in a variety of ways. Figure 1-1 shows the key service offerings along with the depth of assessment and relative cost. Each service type can provide varying degrees of security assurance.
Figure 1-1: Different security testing services
Vulnerability scanning uses automated systems (such as ISS Internet Scanner, QualysGuard, or eEye Retina) with minimal hands-on qualification and assessment of vulnerabilities. This is an inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn't provide a clear strategy to improve security.
Network security assessment lies neatly between vulnerability assessment and full-blown penetration testing; it offers an effective blend of tools and hands-on vulnerability testing and qualification by trained analysts. The report is usually hand-written, giving professional advice that can improve a company's security.
Full-blown penetration testing is outside the scope of this book; it involves multiple attack vectors (e.g., telephone war dialing, social engineering, wireless testing, etc.) to compromise the target environment. Instead this book fully demonstrates and discusses the methodologies adopted by determined Internet-based attackers to compromise IP networks remotely, which in turn will allow you to improve IP network security.
Network Security Assessment Methodology
The best practice assessment methodology used by determined attackers and network security consultants involves four distinct high-level components:
  • Network enumeration to identify IP networks and hosts of interest
  • Bulk network scanning and probing to identify potentially vulnerable hosts
  • Investigation of vulnerabilities and further network probing by hand
  • Exploitation of vulnerabilities and circumvention of security mechanisms
This complete methodology is relevant to Internet-based networks being tested in a blind fashion with limited target information (such as a single DNS domain name). If a consultant is enlisted to assess a specific block of IP space, he skips initial network enumeration and commences bulk network scanning and investigation of vulnerabilities.
Publicly available reconnaissance techniques, including web and newsgroup searches, Network Information Center (NIC) WHOIS querying, and Domain Name System (DNS) probing, are used to collect data about the structure of the target network from the Internet without actually scanning the network or necessarily probing it directly.
Initial reconnaissance is very important because it identifies hosts that aren't properly fortified against attack. A determined attacker invests time in identifying peripheral networks and hosts, while companies and organizations concentrate their efforts on securing obvious public systems (such as public web and mail servers) but neglect hosts and networks that lie off the beaten track.
It may well be the case that a determined attacker also enumerates networks of third party suppliers and business partners that, in turn, have access to the target network space. Nowadays such third parties often have dedicated links into areas of internal corporate network space through VPN tunnels and other links.
The Cyclic Assessment Approach
Assessment of large networks in particular can become a very cyclic process if you are testing the networks of an organization in a blind sense and are given minimal information. As you test the network, information leak bugs can be abused to find different types of useful information (including trusted domain names, IP address blocks, and user account details) that is then fed back into other processes. Figure 1-2's flowchart defines this approach and the data being passed between processes.
Figure 1-2: The cyclic approach to network security assessment
This flowchart starts with network enumeration, then bulk network scanning, and finally specific service assessment. By assessing a rogue non-authoritative DNS service, for example, an analyst may identify previously unknown IP address blocks, which can be fed back into the network enumeration process to identify further network components. In the same way, an analyst may enumerate a number of account usernames by exploiting public folder information leak vulnerabilities in Microsoft Outlook Web Access, which can be fed into a brute-force password grinding process later on.
Chapter 2: The Tools Required
This chapter describes the operating systems and some key tools required to undertake an IP-based network security assessment. Many advanced TCP/IP assessment utilities are available only for Unix-based systems such as Linux, so you will often find that a competent security consultant uses a variety of tools under different operating systems to assess and successfully penetrate a network. These tools and their respective uses are discussed in detail throughout the book, and they are listed here so that you can select and start to prepare your assessment platform before moving forward.
All tools listed in this book can also be found in the O'Reilly archive at http://examples.oreilly.com/networksa/tools. I have listed the original sites in most cases so that you can freely browse other tools and papers on each respective site.
The Operating Systems
Selecting the operating platforms to use during a network security assessment depends on the type of network you are going to test (e.g., completely Microsoft Windows), and the depth to which you will perform your assessment. Often it is the case that to successfully launch exploit scripts against Linux or Unix systems, access to a Unix-like platform (usually Linux or BSD-derived) is required to correctly compile and run specialist exploit tools. What follows is a discussion of the operating systems that are commonly used.
As Windows NT systems (NT 4.0, 2000, XP, 2003 Server, etc.) start to mature and become more flexible, many more network assessment and hacking tools are available that run cleanly on the platform. Previous Windows releases didn't give raw access to network sockets, so many tools used by consultants had to be run from Unix-based platforms. This is no longer the case; increasing amounts of useful security utilities have been ported across to Windows, including nmap and powerful tools within the dsniff package, such as arpspoof.
Linux is the choice of most hackers and security consultants alike. The Linux platform is versatile, and the system kernel provides low-level support for leading-edge technologies and protocols (Bluetooth being a good example at the time of writing). All mainstream IP-based attack and penetration tools can be built and run under Linux with no problems, due to the inclusion of extensive networking libraries such as libpcap.
I use Red Hat (http://www.redhat.com) and Debian (http://www.debian.org) Linux distributions on laptops and servers within the office. Debian is useful because of its apt-get package search and installation tool that can be used to install and update system packages. Red Hat packages are easily installed using the rpm command along with various wrappers that hook into sites such as RPMfind (http://www.rpmfind.net) to automatically update and install packages.
Free Network Scanning Tools
Following is an introduction to a small number of scanning tools that I will discuss throughout the book.
The command-line driven nmap utility is a port scanner designed to scan large networks and determine which hosts are up and which TCP and UDP network services they offer. nmap supports a large number of popular ICMP, TCP, and UDP scanning techniques, also offering a number of advanced features such as service protocol fingerprinting, IP fingerprinting, stealth scanning and low-level filter analysis.
nmap is available from http://www.insecure.org/nmap/. Currently nmap can be run under Windows 2000 and Unix operating systems, including Linux and MacOS X.
Nessus is a vulnerability assessment package that can perform many automated tests against a target network, including:
  • ICMP sweeping
  • TCP and UDP port scanning
  • Banner grabbing and network service assessment
  • Brute force against common network services
  • IP fingerprinting and other peripheral functions
I know of auditing teams within the big five accounting firms who use Nessus to undertake much of their network scanning and assessment work. Nessus has two components (daemon and client) and deploys in a distributed fashion that permits effective network coverage and management.
Nessus has a good reporting engine that can present comprehensive results along with relevant CVE entries. CVE is a detailed list of common vulnerabilities maintained by the MITRE Corporation (accessible at http://cve.mitre.org).
Nessus is available for download from http://www.nessus.org. At the time of writing, the daemon component is available only for Unix-based systems such as Linux, Solaris, and FreeBSD. The Unix Nessus client software is bundled with the daemon component in a single package; Windows clients are also available.
Commercial Network Scanning Tools
Commercial scanning packages are used by many network administrators and those responsible for the security of large networks. Although not cheap (with software licenses often on the order of tens of thousands of dollars), commercial systems are supported and maintained by the respective vendor, so vulnerability databases are kept up-to-date. With this level of professional support, a network administrator can assure the security of his network to a certain level.
Here's a selection of popular commercial packages:
  • Core IMPACT (http://www.corest.com/products/coreimpact/)
  • ISS Internet Scanner (http://www.iss.net)
  • Cisco Secure Scanner (http://www.cisco.com/warp/public/cc/pd/sqsw/nesn/)
A problem with such one-stop automated vulnerability assessment packages is that increasingly, they record false positive results. When professionally scanning large networks, it is often advisable to use a commercial system such as ISS Internet Scanner to perform an initial bulk scanning and network service assessment of a network, then fully qualify vulnerabilities and investigate network components by hand to produce accurate results.
Protocol-Dependent Assessment Tools
When assessing the security of specific services, specialist tools can perform assessment in specific areas, such as enumeration and brute-force password grinding. What follows here is an introduction to a number of freely available tools you can use to assess Windows networking, DNS, and web services.
NetBIOS, Server Message Block (SMB), and Common Internet File System (CIFS) protocols are used primarily within Microsoft Windows networks for user authentication, file sharing, and access to services such as Microsoft Exchange over RPC. CIFS is a relatively new incarnation of SMB over NetBIOS; it's for vendors seeking to move away from NetBIOS and toward CIFS. Windows 2000, for example, runs SMB over NetBIOS on port 139 and CIFS on port 445. CIFS is the native protocol used in Windows 2000 networks, so SMB access through NetBIOS provides backward compatibility.
NetBIOS and CIFS assessment tools fall into two categories: enumeration and information gathering, and brute-force password guessing. Enumeration tools are used to gather system information using anonymous null sessions and other techniques. Brute-force tools are then used to compromise account passwords and gain access to shared files and resources.

Section 2.4.1.1: Enumeration and information gathering tools

enum (http://razor.bindview.com/tools/files/enum.tar.gz)
Jordan Ritter's enum utility is a Windows command-line tool that extensively queries target hosts running NetBIOS through TCP port 139. The tool can list usernames, password policy, shares, and details of other hosts including domain controllers.
epdump (http://www.packetstormsecurity.org/NT/audit/epdump.zip)
The epdump Windows command-line utility queries the RPC end-point mapping service at TCP port 135 to enumerate network interfaces along with details of RPC services and named pipes that are accessible.
Chapter 3: Internet Host and Network Enumeration
This chapter focuses on the first steps you should take when assuming the role of an Internet-based attacker. An early avenue that any competent attacker would pursue involves querying entirely legal and public sources of information, such as WHOIS, DNS, and even web and newsgroup search engines including Google. Attackers can often build a clear picture of your network by launching indirect probes, without most network administrators even knowing. By identifying systems of interest (such as development or test systems), attackers can focus on specific areas of the target network later on.
This chapter comprehensively covers enumeration through Web and newsgroup searches, NIC querying, DNS querying, and SMTP probing.
The reconnaissance process is often iterative, repeating the full enumeration cycle when a new piece of information (such as a domain name or office address) is found. The scope of the assessment exercise usually defines the boundaries, which sometimes include testing third parties that you identify while performing in-depth enumeration. I know of a number of companies whose networks were compromised by extremely determined attackers breaking into home user PCs that were using always-on cable modem connections and then "piggybacking" into the corporate network.
Web Search Engines
As web crawlers scour the Internet's web sites for content, they catalog pieces of potentially useful information. Search engines, such as Google, now provide advanced search functions that allow attackers to build a clearer picture of the network that they plan to attack later.
In particular, the following types of information are easily found:
  • Employee contact details and information
  • Email addresses
  • DDI telephone numbers
  • Physical addresses of offices from which the employees are based
  • Details of internal email systems
  • DNS layout and naming convention, including domains and hostnames
  • Documents that reside on publicly accessible servers
Direct-dial telephone numbers are especially useful to determined attackers, who may later launch war dialing and other telephone-based attacks. It is very difficult for organizations and companies to prevent this information from being ascertained; for example, it is made freely available every time a user posts to a mailing list with his signature. To manage this risk more effectively, companies should go through public record querying exercises to ensure that the information an attacker can collect doesn't lead to a compromise.
Using a powerful advanced search function, Google can indirectly map networks and gather potentially useful information. The advanced search function itself is directly accessible at http://www.google.com/advanced_search?hl=en. In terms of the functionality, searches can be refined in the following ways:
Filtering words
Exclude pages that don't include specific words or phrases, for example
NIC Querying
Network Information Centers (NICs) store useful information in WHOIS databases, primarily as network, route, or person objects. WHOIS database objects define which areas of Internet space are registered to which organizations, with other information such as routing and contact details in the case of abuse.
There are three primary regions under which all public Internet-based network blocks and IP address spaces fall. Useful information (including names of technical IT staff, details of IP network blocks, and physical office locations) can be retrieved from the following international registrars:
  • American Registry for Internet Numbers (ARIN) at http://www.arin.net
  • Asia Pacific Network Information Centre (APNIC) at http://www.apnic.net
  • Réseaux IP Européens (RIPE) at http://www.ripe.net
Each respective regional registrar's WHOIS database contains information relevant to that particular region. For example, the RIPE WHOIS database doesn't contain information about network space and other objects that are found in the Americas.
Tools that are used to query NIC WHOIS databases include:
  • The Sam Spade Windows client (available from http://www.samspade.org)
  • The whois client found within Unix-based environments
  • Direct querying via the appropriate regional WHOIS

Section 3.2.1.1: Using the Sam Spade Windows client

The Sam Spade client is a powerful and easy-to-use Windows tool that can perform many public-record query functions, as shown in Figure 3-4.
DNS Querying
Using tools such as nslookup, host, and dig, you can launch DNS requests and probes against domains and IP address blocks identified during the web search and NIC querying phases. Other tools also perform reverse DNS sweeps against IP network blocks to identify hostnames and other domains.
DNS requests and probes can be launched to retrieve parts of, or in some cases, entire DNS zone files for specified domains or network spaces. Most DNS servers around the Internet can be quizzed for useful information, including:
  • Authoritative DNS server information from name server (NS) records
  • Domain and subdomain information
  • Hostname information from A, PTR, and CNAME records
  • Public points of presence that list mail exchanger (MX) records
In some cases, poorly configured DNS servers also allow you to enumerate:
  • Operating-system and platform information of hosts from the host information (HINFO) record
  • Names and IP addresses of internal or nonpublic hosts and networks
You can very often uncover previously unknown network blocks and hosts during DNS querying. If new network blocks are found, I recommend launching a second round of WHOIS queries and web searches to get further information about each new network block.
DNS probing in this fashion is stealthy in the sense that there is no active scanning or probing of the target networks. Instead, you simply probe and query the authoritative DNS servers for those domains or network blocks that are often run by ISPs. Most name servers aren't even configured to pick up on potential sweeps of this sort, because it resembles standard DNS traffic.
Forward DNS records are required for organizations and companies to integrate and work correctly as part of the Internet. Two examples of legitimate forward queries are when an end user accesses a web site and during the receipt of email when SMTP mail exchanger information is requested about the relevant domain. Attackers issue forward DNS queries to identify mail servers and other obvious Internet-based systems.
Enumeration Technique Recap
It is an interesting and entirely legal exercise to enumerate the CIA and other organizations' networks from the Internet by querying public records. As a recap, here is a list of public Internet-based querying techniques and their application:
Web and newsgroup searches
Using Google to perform searches against established domain names and target networks to identify personnel, hostnames, domain names, and useful data residing on publicly accessible web servers.
NIC querying
Querying NIC databases such as ARIN, APNIC, and RIPE to retrieve network block, routing, and contact details related to the target networks and domain names. NIC querying gives useful information relating to the sizes of reserved network blocks (useful later when performing intrusive network scanning).
DNS querying
Querying publicly accessible DNS servers to enumerate hostnames and subdomains. Misconfigured DNS servers can also be abused to download DNS zone files that categorically list subdomains, hostnames, operating platforms of devices and internal network information in severe cases.
SMTP probing
Sending email to nonexistent accounts at target domains to map internal network space by analyzing the responses from the SMTP system.
Enumeration Countermeasures
Use the following checklist of countermeasures to effectively reconfigure your Internet-facing systems not to give away potentially sensitive information:
  • Configure web servers to prevent indexing of directories that don't contain index.html or similar index files (default.asp under IIS, for example). Also ensure that sensitive documents and files aren't kept on publicly accessible hosts, such as HTTP or FTP servers.
  • Always use a generic, centralized network administration contact detail (such as an IT help desk) in Network Information Center databases, to prevent potential social engineering and war dialing attacks against IT departments from being effective.
  • Configure all name servers to disallow DNS zone transfers to untrusted hosts.
  • Ensure that nonpublic hostnames aren't referenced to IP addresses within the DNS zone files of publicly accessible DNS servers, to prevent reverse DNS sweeping from being effective. This practice is known as split horizon DNS, using separate DNS zones internally and externally.
  • Ensure that HINFO and other novelty records don't appear in DNS zone files.
  • Configure SMTP servers either to ignore email messages to unknown recipients or to send responses that don't include the following types of information:
    • Details of mail relay systems being used (such as Sendmail or MS Exchange).
    • Internal IP address or host information.
Additional content appearing in this section has been removed.
Chapter 4: IP Network Scanning
This chapter focuses on the technical execution of IP network scanning. After undertaking initial reconnaissance to identify IP address spaces of interest, network scanning builds a clearer picture of accessible hosts and their network services. Network scanning and reconnaissance are the real data-gathering exercise of an Internet-based security assessment. The rationale behind IP network scanning is to gain insight into the following elements of a given network:
  • ICMP message types that generate responses from target hosts
  • Accessible TCP and UDP network services running on the target hosts
  • Operating platforms of target hosts and their configuration
  • Areas of vulnerability within target host IP stack implementations (including sequence number predictability for TCP spoofing and session hijacking)
  • Configuration of filtering and security systems (including firewalls, border routers, switches, and IDS sensors)
Performing both network scanning and reconnaissance tasks paints a clear picture of the network topology and its security mechanisms. Before penetrating the target network, further assessment steps involve gathering specific information about the TCP and UDP network services that are running, including their versions and enabled options.
ICMP Probing
The Internet Control Message Protocol (ICMP) identifies potentially weak and poorly protected networks. ICMP is a short messaging protocol that's used by systems administrators and end users for continuity testing of networks (e.g., using the ping or traceroute commands). From a network scanning and probing perspective, the following types of ICMP messages are useful:
Type 8 (echo request)
Echo request messages are also known as ping packets. You can use a scanning tool such as nmap to perform ping sweeping and easily identify hosts that are accessible.
Type 13 (timestamp request)
A timestamp request message requests system time information from the target host. The response is in a decimal format and is the number of milliseconds elapsed since midnight GMT.
Type 15 (information request)
The ICMP information request message was intended to support self-configuring systems such as diskless workstations at boot time, to allow them to discover their network address. Protocols such as RARP, BOOTP, or DHCP do so more robustly, so type 15 messages are rarely used.
Type 17 (subnet address mask request)
An address mask request message reveals the subnet mask used by the target host. This information is useful when mapping networks and identifying the size of subnets and network spaces used by organizations.
Firewalls of security-conscious organizations often blanket-filter inbound ICMP messages and so ICMP probing isn't effective; however, ICMP isn't filtered in most networks because ICMP messages are often useful for network troubleshooting purposes.
Additional content appearing in this section has been removed.
TCP Port Scanning
Accessible TCP ports can be identified by port scanning target IP addresses. The following nine different types of TCP port scanning are used in the wild by both attackers and security consultants:
Standard scanning methods
  • Vanilla connect( ) scanning
  • Half-open SYN flag scanning
Stealth TCP scanning methods
  • Inverse TCP flag scanning
  • ACK flag probe scanning
  • TCP fragmentation scanning
Third-party and spoofed TCP scanning methods
  • FTP bounce scanning
  • Proxy bounce scanning
  • Sniffer-based spoofed scanning
  • IP ID header scanning
What follows is a technical breakdown for each TCP port scanning type, along with details of Windows and Unix-based tools that can perform scanning.
Standard scanning methods, such as vanilla and half-open SYN scanning, are extremely simple direct techniques used to identify accessible TCP ports and services accurately. These scanning methods are reliable but are easily logged and identified.

Section 4.2.1.1: Vanilla connect( ) scanning

TCP connect( ) port scanning is the simplest type of probe to launch. There is no stealth whatsoever involved in this form of scanning because a full TCP/IP connection is established with TCP port one of the target host, then incrementally through ports two, three, four, and so on.
Because of TCP/IP's reliability as a protocol, vanilla port scanning is a very accurate way to determine which TCP services are accessible on a given target host. Figures 4-2 and 4-3 show the various TCP packets and their flags, as they are sent and received by the attacker and the host he is scanning.
Additional content appearing in this section has been removed.
UDP Port Scanning
Because UDP is a connectionless protocol, there are only two ways to effectively enumerate accessible UDP network services across an IP network:
  • Send UDP probe packets to all 65535 UDP ports, then wait for "ICMP destination port unreachable" messages to identify UDP ports that aren't accessible.
  • Use specific UDP service clients (such as snmpwalk, dig, or tftp) to send UDP datagrams to target UDP network services and await a positive response.
Many security-conscious organizations filter ICMP messages to and from their Internet-based hosts, so it is often difficult to assess which UDP services are accessible via simple port scanning. If "ICMP destination port unreachable" messages can escape the target network, a traditional UDP port scan can be undertaken to deductively identify open UDP ports on target hosts.
Figures 4-12 and 4-13 show the UDP packets and ICMP responses generated by hosts when ports are open and closed.
Figure 4-12: An inverse UDP scan result when a port is open
UDP port scanning is an inverted scanning type in which open ports don't respond. What is looked for, in particular, are ICMP destination port unreachable (type 3 code 3) messages from the target host, as shown in Figure 4-13.
Figure 4-13: An inverse UDP scan result when a port is closed
nmap supports UDP port scanning with the -sU option. The latest version of Foundstone's SuperScan also supports UDP port scanning. However, both tools wait for negative "ICMP destination port unreachable" messages to identify open ports (i.e., those ports that don't respond). If these ICMP messages are filtered by a firewall as they try to travel out of the target network, inaccurate results are gleaned.
Additional content appearing in this section has been removed.
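The following decoder ties together the ICMP Probing section (request types 8, 13, 15 and 17) and the UDP Port Scanning section (type 3 code 3 replies): it is the parsing a sensor or firewall log pipeline would do to recognise these messages and to recover which UDP port a "port unreachable" refers to. It is an added example, not code from the book or from nmap; the packets are constructed in the block, and the quoted IP header is assumed to carry no options.

```python
"""Decode raw ICMP messages the way a sensor or firewall log parser would:
verify the checksum, classify the probe types listed under ICMP Probing
(types 8, 13, 15, 17), and for a type 3 code 3 "port unreachable" message
recover the UDP port it refers to from the quoted IP and UDP headers.
Added example, not from the book; the packets are constructed in code."""
import struct

PROBE_NAMES = {8: "echo request", 13: "timestamp request",
               15: "information request", 17: "address mask request"}


def icmp_checksum(data):
    """One's-complement sum over 16-bit words (RFC 792); 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Assemble an ICMP message with a correct checksum (sample input only)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def decode_icmp(msg):
    """Return a dict describing the message, or None if the checksum fails."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    info = {"type": msg[0], "code": msg[1], "probe": PROBE_NAMES.get(msg[0])}
    if msg[0] == 3 and msg[1] == 3 and len(msg) > 8:
        # Unreachable messages quote the original IP header plus the first
        # 8 bytes of the datagram, which is the whole UDP header.
        ihl = (msg[8] & 0x0F) * 4
        quoted = msg[8 + ihl:8 + ihl + 4]
        if len(quoted) == 4:
            src_port, dst_port = struct.unpack("!HH", quoted)
            info["probe_src_port"] = src_port
            info["unreachable_udp_port"] = dst_port
    return info


# Constructed samples: a timestamp request, the reply a closed UDP port 161
# (SNMP) produces for a probe sent from port 40000, and a corrupted packet.
QUOTED_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        bytes([203, 0, 113, 5]), bytes([198, 51, 100, 9]))
QUOTED_UDP = struct.pack("!HHHH", 40000, 161, 8, 0)
SAMPLES = {
    "timestamp_probe": build_icmp(13, 0, struct.pack("!HH", 1, 1), b"\x00" * 12),
    "udp_port_closed": build_icmp(3, 3, payload=QUOTED_IP + QUOTED_UDP),
    "corrupted": bytes([8, 0, 0x12, 0x34]) + b"\x00" * 4,
}


def decode_samples():
    return {name: decode_icmp(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, info in decode_samples().items():
        print(name, info)
```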
IDS Evasion and Filter Circumvention
IDS evasion, when launching any type of IP probe or scan, involves one or both of the following tactics:
  • Use of fragmented probe packets, assembled when they reach the target host
  • Use of spoofing to emulate multiple fake hosts launching network scanning probes, in which the real IP address of the scanning host is inserted to collect results
Filtering mechanisms can be circumvented at times using malformed or fragmented packets. However, the common techniques used to bypass packet filters at either the network or system-kernel level are as follows:
  • Use of source routing
  • Use of specific TCP or UDP source ports
First, I'll discuss IDS evasion techniques of fragmenting data and emulating multiple hosts, and then filter circumvention methodologies. These techniques can often be mixed to launch attacks using source routed, fragmented packets to bypass both filters and IDS systems.
Probe packets can be fragmented easily with fragroute to fragment all probe packets flowing from your host or network or with a port scanner that supports simple fragmentation, such as nmap. Many IDS sensors can't process large volumes of fragmented packets because doing so creates a large overhead in terms of memory and CPU consumption at the network sensor level.

Section 4.4.1.1: fragtest

Dug Song's fragtest utility (available as part of the fragroute package from http://www.monkey.org/~dugsong/fragroute/) can determine exactly which types of fragmented ICMP messages are processed and responded to by the remote host. ICMP echo request messages are used by fragtest for simplicity and allow for easy analysis; the downside is that the tool can't assess hosts that don't respond to ICMP messages.
Additional content appearing in this section has been removed.
Low-Level IP Assessment
Tools such as nmap, hping2, and firewalk perform low-level IP assessment. Sometimes holes exist to allow certain TCP services through the firewall, but the expected service isn't running on the target host. Such low-level network details are useful to know, especially in sensitive environments (e.g., online banking environments), because very small holes in network integrity can sometimes be abused along with larger problems to gain or retain access to target hosts.
Insight into the following areas of a network can be gleaned through low-level IP assessment:
  • Uptime of target hosts (by analyzing the TCP timestamp option)
  • TCP services that are permitted through the firewall (by analyzing responses to TCP and ICMP probes)
  • TCP sequence and IP ID incrementation (by running predictability tests)
  • The operating system of the target host (using IP fingerprinting)
nmap automatically attempts to calculate target host uptime information by analyzing the TCP timestamp option values of packets received. The TCP timestamp option is defined in RFC 1323; however, many platforms don't adhere to RFC 1323. This feature often gives accurate results against Linux operating systems and others such as FreeBSD, but your mileage may vary.
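The uptime calculation described above, carried through on constructed data as an added example (this is not nmap's code): sample the TCP timestamp value at known times, infer the tick rate, then divide the latest TSval by it. The sample values, the set of candidate tick rates, and the assumption that nmap's guess works this way are all mine.

```python
"""Estimate a host's uptime from TCP timestamp option (RFC 1323) values:
sample TSval at known wall-clock times, infer the tick rate, then divide
the latest TSval by that rate. Added example, not nmap's own code; the
samples below are constructed, not captured from a real host."""
from datetime import timedelta

# Tick rates commonly seen in practice (ticks per second). Assumed list.
COMMON_RATES = (2, 10, 100, 250, 1000)


def estimate_hz(samples):
    """samples: list of (wall_clock_seconds, tsval), oldest first.
    Returns the nearest common tick rate, or None when the data is unusable."""
    if len(samples) < 2:
        return None
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    if t1 <= t0 or v1 <= v0:
        return None          # clock went backwards, TSval wrapped or is stuck
    raw = (v1 - v0) / (t1 - t0)
    return min(COMMON_RATES, key=lambda r: abs(r - raw))


def estimate_uptime(samples):
    """Uptime as a timedelta, or None if the tick rate could not be inferred."""
    hz = estimate_hz(samples)
    if hz is None:
        return None
    return timedelta(seconds=samples[-1][1] / hz)


# Constructed: three SYN/ACKs seen 2 s apart from a host whose TSval advances
# about 100 ticks per second (the rate used by Linux 2.4 kernels).
SAMPLES = [(1000.0, 863_204_100), (1002.0, 863_204_301), (1004.0, 863_204_498)]
# A platform that holds TSval constant gives no usable signal; this is one
# reason the text says results vary. Return None rather than guess.
FLAT = [(1000.0, 0), (1004.0, 0)]

if __name__ == "__main__":
    print(estimate_hz(SAMPLES), estimate_uptime(SAMPLES))
    print(estimate_hz(FLAT), estimate_uptime(FLAT))
```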
A TCP probe always results in one of four responses. These responses potentially allow an analyst to identify where a connection was accepted, or why and where it was rejected, dropped, or lost:
TCP SYN/ACK
If a SYN/ACK packet is received, the port is considered open.
TCP RST/ACK
If a RST/ACK packet is received, the probe packet was either rejected by the target host or an upstream security device (e.g., a firewall with a reject rule in its policy).
Additional content appearing in this section has been removed.
Network Scanning Recap
Different IP network scanning methods allow you to test and effectively identify vulnerable network components. Here is a list of effective network scanning techniques and their applications:
ICMP scanning and probing
By launching an ICMP ping sweep, you can effectively identify poorly protected hosts (as security-conscious administrators filter inbound ICMP messages) and perform a degree of operating-system fingerprinting and reconnaissance by analyzing responses to the ICMP probes.
Half-open SYN flag TCP port scanning
A SYN port scan is often the most effective type of port scan to launch directly against a target IP network space. SYN scanning is extremely fast, allowing you to scan large networks quickly.
Inverse TCP port scanning
Inverse scanning types (particularly FIN, Xmas, and NULL) take advantage of idiosyncrasies in certain TCP/IP stack implementations. This scanning type isn't effective when scanning large network spaces, although it is useful when testing and investigating the security of specific hosts and small network segments.
Third-party TCP port scanning
Using a combination of vulnerable network components and TCP spoofing, third-party TCP port scans can be effectively launched. Scanning in this fashion has two benefits: hiding the true source of a TCP scan and assessing the filters and levels of trust between hosts. Although time consuming to undertake, third-party scanning is extremely useful when applied correctly.
UDP port scanning
Identifying accessible UDP services can be undertaken easily only if ICMP type 3 code 3 (destination port unreachable) messages are allowed back through filtering mechanisms that protect target systems. UDP services can sometimes be used to gather useful data or directly compromise hosts (the DNS, SNMP, TFTP, and BOOTP services in particular).
Additional content appearing in this section has been removed.
Network Scanning Countermeasures
Here is a checklist of countermeasures to use when considering technical modifications to networks and filtering devices to reduce the effectiveness of network scanning and probing undertaken by attackers:
  • Filter inbound ICMP message types at border routers and firewalls. This forces attackers to use full-blown TCP port scans against all of your IP addresses to map your network correctly.
  • Filter all outbound ICMP type 3 unreachable messages at border routers and firewalls to prevent UDP port scanning and firewalking from being effective.
  • Consider configuring Internet firewalls so that they can identify port scans and throttle the connections accordingly. You can configure commercial firewall appliances (such as those from Check Point, NetScreen, and WatchGuard) to prevent fast port scans and SYN floods being launched against your networks. On the open source side, there are many tools such as portsentry that can identify port scans and drop all packets from the source IP address for a given period of time.
  • Assess the way that your network firewall and IDS devices handle fragmented IP packets by using fragtest and fragroute when performing scanning and probing exercises. Some devices crash or fail under conditions in which high volumes of fragmented packets are being processed.
  • Ensure that your routing and filtering mechanisms (both firewalls and routers) can't be bypassed using specific source ports or source-routing techniques.
  • If you house publicly accessible FTP services, ensure that your firewalls aren't vulnerable to stateful circumvention attacks relating to malformed PORT and PASV commands.
  • If a commercial firewall is in use, ensure the following:
    • The latest service pack is installed.
Additional content appearing in this section has been removed.
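As an added example of the port-scan identification and throttling the checklist above asks for (it is not code from the book or from portsentry or any firewall product), the detector below runs over constructed packet records, labels a burst of distinct ports from one source using the flag patterns from the scanning recap, and drops that source's packets for a fixed period. Threshold, window and block period are assumed values.

```python
"""Detect the scan types summarised in the recap from a stream of packet
records and apply the response the checklist describes: once a source has
touched more distinct ports than a threshold inside a short window, drop
its packets for a fixed period. Added example, not code from the book or
any tool it names; the records below are constructed."""
from collections import defaultdict, deque

THRESHOLD = 5      # distinct ports within WINDOW before we call it a scan
WINDOW = 2.0       # seconds
BLOCK_FOR = 60.0   # seconds to drop traffic from a flagged source

# Flag patterns from the scanning sections: SYN-only = half-open,
# FIN / NULL / Xmas = inverse scans, anything else = a full connect().
INVERSE = {"F", "", "FPU"}


def classify(flags):
    if flags == "S":
        return "half-open SYN scan"
    if flags in INVERSE:
        return "inverse TCP scan"
    return "connect() scan"


class ScanDetector:
    def __init__(self):
        self.recent = defaultdict(deque)   # src -> deque of (time, port)
        self.blocked = {}                  # src -> time the block expires
        self.alerts = []                   # (src, scan type, port count)

    def handle(self, t, src, dport, flags):
        """Process one packet; return True if it should be dropped."""
        if self.blocked.get(src, 0) > t:
            return True
        q = self.recent[src]
        q.append((t, dport))
        while q and q[0][0] < t - WINDOW:   # expire old entries
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= THRESHOLD:
            self.alerts.append((src, classify(flags), len(ports)))
            self.blocked[src] = t + BLOCK_FOR
            q.clear()
            return True
        return False


# Constructed records: (time, source, destination port, TCP flags).
# 203.0.113.7 walks ports 1..6 with bare SYNs; 198.51.100.2 is a normal client.
RECORDS = [(0.1 + i * 0.05, "203.0.113.7", 1 + i, "S") for i in range(6)]
RECORDS += [(0.2, "198.51.100.2", 443, "S"), (0.3, "198.51.100.2", 443, "A"),
            (5.0, "203.0.113.7", 80, "S")]   # still inside the block period


def run(records):
    """Return (alerts, per-packet drop decisions) for records in time order."""
    det = ScanDetector()
    dropped = [det.handle(*r) for r in sorted(records)]
    return det.alerts, dropped


if __name__ == "__main__":
    print(run(RECORDS))
```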
Chapter 5: Assessing Remote Information Services
Remote information services can collect information for later use (such as username and internal IP address information) and run arbitrary commands on the target server by exploiting process manipulation vulnerabilities. This chapter focuses on the assessment of these services and lists relevant tools and techniques that can test and assure the security of your services.
Unix-based systems and various device platforms, such as Cisco IOS, run remote information services that provide system, user, and network details over IP. Such services can be probed to collate username listings and details of trusted networks and hosts, and, in some cases, compromise systems directly.
I derived a basic list of remote information services from the /etc/services file:
systat          11/tcp
netstat         15/tcp
domain          53/tcp
domain          53/udp
finger          79/tcp
auth            113/tcp
snmp            161/udp
ldap            389/tcp
rwho            513/udp
globalcat       3268/tcp
The systat and netstat services are interesting because current network and system information can be found easily by connecting to the services using telnet. The /etc/inetd.conf file on a system running systat and netstat typically includes the following lines:
systat  stream  tcp  nowait  root /usr/bin/ps      ps -ef
netstat stream  tcp  nowait  root /usr/bin/netstat netstat -a
The ps -ef and netstat -a commands are bound to TCP ports 11 and 15, respectively. Example 5-1 shows how to use telnet to connect to the systat service and derive system process information.
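Before looking at what the service returns, a defender's first check is whether inetd is offering it at all. The audit below is an added example, not from the book: it parses an inetd.conf (the text is constructed, with finger already commented out), cross-references the remote information services listed above, and reports the user and command each enabled one exposes.

```python
"""Audit an inetd.conf for the remote information services listed above
(systat, netstat, finger, auth) and report which are enabled and what
command each one hands to anyone who can reach the port. Added example,
not from the book; the configuration text is constructed."""

# Service name -> port, taken from the /etc/services excerpt above.
INFO_SERVICES = {"systat": 11, "netstat": 15, "finger": 79, "auth": 113}

SAMPLE_INETD_CONF = """\
# service  type    proto  wait    user    program               arguments
systat     stream  tcp    nowait  root    /usr/bin/ps           ps -ef
netstat    stream  tcp    nowait  root    /usr/bin/netstat      netstat -a
#finger    stream  tcp    nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
telnet     stream  tcp    nowait  root    /usr/sbin/in.telnetd  in.telnetd
"""


def parse_inetd(text):
    """Return {service: (user, program, args)} for active (uncommented) lines."""
    active = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)          # 7th field keeps the full args
        if len(fields) < 6:
            continue
        name, _type, _proto, _wait, user, program = fields[:6]
        args = fields[6] if len(fields) > 6 else ""
        active[name] = (user, program, args)
    return active


def audit_inetd(text):
    """List (service, port, user, command) for each enabled info service."""
    findings = []
    for name, (user, program, args) in parse_inetd(text).items():
        if name in INFO_SERVICES:
            findings.append((name, INFO_SERVICES[name], user, args or program))
    return findings


if __name__ == "__main__":
    for name, port, user, command in audit_inetd(SAMPLE_INETD_CONF):
        print(f"{name} on tcp/{port} runs '{command}' as {user}")
```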
Example 5-1. Using telnet to connect to the systat service
# telnet 192.168.0.1 11
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan03 ?        00:00:05 init [2]
root         2     1  0 Jan03 ?        00:00:00 [keventd]
root         3     1  0 Jan03