
Document: Network Mapping / Information Gathering (pptx)




DOCUMENT INFORMATION

Basic information

Format: pptx
Pages: 57
Size: 1.08 MB

Content

IDIC - SANS GIAC LevelTwo ©2000, 2001

Slide 1: Network Mapping / Information Gathering

• This is the reconnaissance section. We will examine a number of traces where the would-be attacker is trying to gather information to target a specific exploit.
  – Host by host scanning
  – Broadcast scanning
  – Infrastructure scanning

Hello, and welcome to the Network Mapping and Information Gathering section of the course. The purpose of this section is to show you many different methods that attackers use to perform reconnaissance on your network and systems.

Slide 2: Host Scanning: TCP Port 110 – POP3

    20:35:25.068533 srn.org.4010 > 192.168.10.227.110: S
    20:35:25.260798 srn.org.4086 > 192.168.14.101.110: S
    20:35:25.279802 srn.org.4129 > 192.168.14.119.110: S
    20:35:25.281073 srn.org.4141 > 192.168.14.126.110: S
    20:35:25.287761 srn.org.4166 > 192.168.14.128.110: S
    20:35:25.290293 srn.org.4209 > 192.168.14.136.110: S
    20:35:25.295865 srn.org.4234 > 192.168.14.141.110: S
    20:35:25.303651 srn.org.4277 > 192.168.14.146.110: S
    20:35:25.317924 srn.org.4302 > 192.168.14.173.110: S
    20:35:25.319275 srn.org.4378 > 192.168.14.171.110: S

This scan looks for a single service, but on many hosts.

Let us start off by talking about host-by-host scanning, where an attacker issues packets to a number of hosts on the targeted network to probe for the presence of potential victims. Many of the traces we have looked at have been port scans. A port scan is when an attacker checks for various services on one host. Another common tactic is the host scan: this is when an attacker scans many hosts for one service. Please note that the attacker whose scan is shown on this slide appears to have knowledge of the 14 subnet and is scanning only active hosts. This would serve as an indicator that the attacker has already done reconnaissance. In this case, the attacker is doing a host scan for TCP port 110, usually associated with POP3.
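As an added example (not part of the course material), the following Python applies the host-scan versus port-scan distinction made above to tcpdump SYN lines: it groups SYNs per source and reports one port probed on many hosts as a host scan, and many ports on one host as a port scan. The srn.org lines are taken from the slide; the scanner.example and client.example lines are constructed for contrast.

```python
import re
from collections import defaultdict

# tcpdump-style SYN lines. The srn.org lines are from the slide above; the
# scanner.example and client.example lines are constructed for contrast.
TRACE = """\
20:35:25.068533 srn.org.4010 > 192.168.10.227.110: S
20:35:25.260798 srn.org.4086 > 192.168.14.101.110: S
20:35:25.279802 srn.org.4129 > 192.168.14.119.110: S
20:35:25.281073 srn.org.4141 > 192.168.14.126.110: S
20:35:26.000001 scanner.example.3001 > 192.168.14.5.21: S
20:35:26.000002 scanner.example.3002 > 192.168.14.5.23: S
20:35:26.000003 scanner.example.3003 > 192.168.14.5.25: S
20:35:26.000004 scanner.example.3004 > 192.168.14.5.80: S
20:35:27.000001 client.example.40000 > 192.168.14.5.80: S
"""

# "time src.sport > dst.dport: S" -- the last dotted field of each side is the port
LINE_RE = re.compile(r"^\S+ (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): S")

def parse_syns(text):
    """Return (src_host, dst_host, dst_port) for every SYN line that parses."""
    syns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            syns.append((m["src"], m["dst"], int(m["dport"])))
    return syns

def classify_scans(syns, threshold=3):
    """Per source: a host scan probes one port on >= threshold hosts, a port scan
    probes >= threshold ports on one host. Sources below threshold are not reported."""
    hosts_per_port = defaultdict(set)   # (src, dport) -> set of destination hosts
    ports_per_host = defaultdict(set)   # (src, dst)   -> set of destination ports
    for src, dst, dport in syns:
        hosts_per_port[(src, dport)].add(dst)
        ports_per_host[(src, dst)].add(dport)
    verdicts = {}
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= threshold:
            verdicts[src] = f"host scan: port {dport} on {len(hosts)} hosts"
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= threshold:
            verdicts[src] = f"port scan: {len(ports)} ports on {dst}"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_scans(parse_syns(TRACE)).items():
        print(src, "->", verdict)
```

A single ordinary client connection (client.example) stays below the threshold and is not reported.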
Slide 3: Sequential Countup Using ICMP Echo Requests

    01:00:38 pingmapper > 192.168.6.1: icmp: echo request
    01:00:51 pingmapper > 192.168.6.2: icmp: echo request
    01:01:04 pingmapper > 192.168.6.3: icmp: echo request
    01:01:18 pingmapper > 192.168.6.4: icmp: echo request
    01:01:31 pingmapper > 192.168.6.5: icmp: echo request
    01:01:44 pingmapper > 192.168.6.6: icmp: echo request
    01:01:57 pingmapper > 192.168.6.7: icmp: echo request

This may appear very trivial, but when a ping gets more than one reply, attackers know they have found a subnetwork.

We have already introduced the concept of network mapping. This example shows an attacker pinging each address in a subnet in order. ICMP echo requests should be blocked at the firewall or filtering router in most environments, which would protect against this type of scan. An ICMP echo request scan is a great way for an attacker to identify broadcast addresses on your subnet, if you permit ICMP echo requests into your network and ICMP echo replies out of your network. Any address that returns multiple echo replies from one ping is probably a broadcast address. So if your network is using variable length subnet masks, this technique can identify those subnets.

Slide 4: ICMP Echo Request

    23:14:11 normalping > normal: icmp: echo request
    4500 0054 5336 0000 ff01 6a70 7f00 0001
    7f00 0001 0800 1e15 2263 0000 13ca 0339
    b181 0400 0809 0a0b 0c0d 0e0f 1011 1213
    1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
    2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
    3435 3637

This is a typical ICMP echo request packet. Most ping packets contain in their 8-byte header an identifier and a sequence number. Following the header is usually a 56-byte payload, consisting of an 8-byte timestamp and a fill pattern. The FreeBSD ping packet on this slide follows the convention.
(Detect and analysis by Andrew Korty, GCIA)

The 20-octet IP header is grayed out on the slide; immediately after it is the 8-byte ICMP header, shown in bold. The first two bytes of the ICMP header, 0800, are the type and code for an echo request (type 8, code 0). After that is 1e15, the checksum. Next is 2263, the identifier, which is normally the process ID of the sending process on Unix. The last part of the ICMP header is 0000, a sequence number that normally starts at 0. The next 8 octets, italicized on the slide, are the timestamp. You will notice that the rest of the packet consists of increasing hex values from 08 through 37, which is the fill pattern.

Slide 5: ICMP Echo Request (2)

    195.61.132.6 > 128.210.67.55: icmp: echo request (DF)
    4500 0028 7873 4000 f101 0614 c33d 8406
    80d2 4337 0800 656a beef dead 3901 885d
    0008 6f87 80d2 4337 0000 0000 0000
    195.61.132.6 > 128.210.67.74: icmp: echo request (DF)
    4500 0028 7873 4000 f101 0601 c33d 8406
    80d2 434a 0800 5928 beef dead 3901 885d
    0008 7bb6 80d2 434a 0000 0000 0000

The detect on this slide looks like a conventional ping scan, and it probably is. However, dumping the packets reveals something quite out of the ordinary. Of course, different ping programs are likely to build different packets, but the ones in this detect do seem odd. The payload is only 10 bytes in length, and the first 4 bytes of the payload are the same as the destination address. The identifier is always 0xbeef, which would make it difficult for the sending computer to know which process the replies are intended for, and the sequence number is always 0xdead, so there is no way to tell how many pings have succeeded without being dropped or duplicated. It is interesting to note that 0xdeadbeef is often used by programmers as a fill pattern.
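As an added example (my code, not the course's), this Python dissects the two echo requests printed on slides 4 and 5 from their hex dumps: it uses the IP total length to strip frame padding, recomputes the ICMP checksum, and flags the anomalies the text points out (fixed 0xbeef/0xdead identifier and sequence, destination address embedded in the payload) against the conventional FreeBSD timestamp-plus-fill layout. Payload length is taken from the IP total length field.

```python
import struct

# Hex dumps as printed on slides 4 and 5 (IP header + ICMP message + any frame padding).
FREEBSD_PING = """4500 0054 5336 0000 ff01 6a70 7f00 0001 7f00 0001 0800 1e15 2263 0000
13ca 0339 b181 0400 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f
2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637"""
ODD_PING = """4500 0028 7873 4000 f101 0614 c33d 8406 80d2 4337 0800 656a beef dead
3901 885d 0008 6f87 80d2 4337 0000 0000 0000"""

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dissect_icmp_echo(hexdump):
    """Parse IP + ICMP echo fields, verify the ICMP checksum, and flag oddities."""
    raw = bytes.fromhex("".join(hexdump.split()))
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]   # excludes Ethernet padding
    dst = ".".join(str(b) for b in raw[16:20])
    icmp = raw[ihl:total_len]
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    # the checksum is computed with its own field zeroed
    checksum_ok = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == csum
    flags = []
    if ident == 0xBEEF or seq == 0xDEAD:
        flags.append("fixed identifier/sequence (0xdeadbeef fill)")
    if raw[16:20] in payload:
        flags.append("payload embeds destination address")
    if len(payload) == 56 and payload[8:] == bytes(range(0x08, 0x38)):
        flags.append("standard 8-byte timestamp + 0x08.. fill pattern")
    return {"type": typ, "code": code, "checksum_ok": checksum_ok, "id": ident,
            "seq": seq, "dst": dst, "payload_len": len(payload), "flags": flags}

if __name__ == "__main__":
    for name, dump in (("slide 4", FREEBSD_PING), ("slide 5", ODD_PING)):
        print(name, dissect_icmp_echo(dump))
```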
(Slide 5 detect and analysis by Andrew Korty, GCIA)

Slide 6: ICMP Payload Change in Large Scan

    63.98.234.3 > good.guys.net.163: icmp: echo request
    4500 001c 70ac 0000 1e01 ca65 3f62 ea03
    **** 66a3 0800 8d3f 3bbd 2f03 23f8 6673
    5010 0c00 b3ce 0000 0000 0000 0000
    63.98.234.3 > good.guys.net.164: icmp: echo request
    4500 001c a01c 0000 1e01 9af4 3f62 ea03
    **** 66a4 0800 883f 3bbd 3403 c37a 0000
    0001 0000 0000 0000 0133 0332 3334
    63.98.234.3.62287 > good.guys.net.163.80: . ack 1956327536 win 3072
    4500 0028 59ff 0000 2306 dc01 3f62 ea03
    **** 66a3 f34f 0050 5d00 197b 749b 3070
    5010 0c00 32de 0000 0133 0332 3334

The changing pattern helped make the detect, but the scan actually consists of a TCP ACK and an ICMP echo request for each system. ACKs are pretty successful at penetrating perimeters. Most of the packets have the frame padded to 46 bytes with zeros.

Detect by George Bakos

Slide 7: Version Bind

    05/24-14:56:52.557482 213.1.248.131:3574 -> z.y.w.66:53
    UDP TTL:49 TOS:0x0 ID:63645
    Len: 38
    65 18 01 80 00 01 00 00 00 00 00 00 07 76 65 72
    73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03

The packet shown on this slide is asking the target system to answer with the version of BIND that it is running. If an attacker sends a packet like this one to a DNS name server, and that server responds with its BIND version, then the attacker can use the appropriate exploit to compromise the server. Notice that two octets have been highlighted: byte 12 (value 07) and byte 20 (value 04). In the detect below, we have a slight variation of this packet from the same attacking host. You will notice that the second packet still has the 07 value in the 13th octet into the packet (byte 12) and the 04 value another 8 octets later (byte 20). This will be detected by the standard Snort ruleset.
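As an added example (not from the course material), the following Python decodes the 30 payload bytes of the detect above as a DNS question and checks for the version.bind query structurally rather than by raw byte offsets: the highlighted 07 and 04 bytes are the label lengths of "version" and "bind", and the trailing 00 10 00 03 are QTYPE TXT (16) and QCLASS CHAOS (3), which is the standard way of asking a BIND server for its version. The www.example.com query is constructed for contrast.

```python
import struct

# The 30 payload bytes of the first Snort detect on this slide (Len: 38 = 8-byte UDP header + 30).
VERSION_BIND_QUERY = bytes.fromhex(
    "65 18 01 80 00 01 00 00 00 00 00 00 07 76 65 72"
    "73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03"
)
# Constructed for contrast: an ordinary A query for www.example.com in class IN.
NORMAL_QUERY = bytes.fromhex(
    "1234 0100 0001 0000 0000 0000 0377 7777 0765 7861 6d70 6c65 0363 6f6d 00 0001 0001"
)
QTYPE_TXT, QCLASS_CHAOS = 16, 3

def parse_question(msg):
    """Decode the DNS header and first question; return (qname, qtype, qclass)."""
    _txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12                      # question section follows the 12-byte header
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:                       # root label terminates the name
            break
        if length & 0xC0:                     # compression pointers do not belong in a query name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_version_bind_query(msg):
    """True for the version.bind TXT/CHAOS query that asks a name server for its BIND version.
    DNS names are case-insensitive, so VERSION.BIND is matched as well."""
    qname, qtype, qclass = parse_question(msg)
    return qname.lower() == "version.bind" and qtype == QTYPE_TXT and qclass == QCLASS_CHAOS

if __name__ == "__main__":
    for msg in (VERSION_BIND_QUERY, NORMAL_QUERY):
        print(parse_question(msg), is_version_bind_query(msg))
```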
There is still one more variation of this attack that you see sometimes, which is almost the same as these and is yet another version query, but it has the byte pattern “00 0010 0008”.

    05/24-14:56:53.166333 213.1.248.131:3575 -> z.y.w.98:53
    UDP TTL:49 TOS:0x0 ID:63647
    Len: 38
    4B 2B 01 80 00 01 00 00 00 00 00 00 07 76 65 72  K+ ver
    73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind

If your host responds to this query, this is not a good sign. There is a good chance it will be compromised shortly thereafter.

Detects by Laurie Zirkle

Slide 8: RPC Info Query

    05/20-08:28:20.109310 202.152.12.170:948 -> z.y.w.98:111
    TCP TTL:47 TOS:0x0 ID:49185 DF
    *****PA* Seq: 0x7A679FD2 Ack: 0xD8600F48 Win: 0x7D78
    TCP Options => NOP NOP TS: 30003373 579257539
    80 00 00 28 3A D7 D6 BF 00 00 00 00 00 00 00 02
    00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00

RPC packets will generally have the 00 01 86 prefix shown in the signature for this detect. SUNRPC is the building block for a number of services, the most well known and frequently used being NFS. RPCs, and even NFS, can be implemented over TCP as well as over UDP. Remote Procedure Calls are not programmed to sockets but to functions. The log file entries from systems tend to reflect this, including the ever popular dump() call. There are common attacks for many well known RPC services, such as tooltalk and statd.
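As an added example (not from the course material), this Python decodes the RPC call from the second Snort detect on this slide (XID 0x5E762050) and matches the 01 86 A0 00 00 00 02 00 00 00 04 signature by field rather than as a byte string: program 100000 (portmapper), version 2, procedure 4 (DUMP, the call behind rpcinfo -p). The GETPORT call is constructed to show why the procedure must be checked too.

```python
import struct

# RPC call bytes from the second Snort detect on this slide (TCP to port 111). The first four
# bytes are the TCP record mark (last-fragment bit + length), not part of the RPC message.
RPC_DUMP_CALL = bytes.fromhex(
    "80000028 5e762050 00000000 00000002 000186a0 00000002 00000004"
    "00000000 00000000 00000000 00000000"
)
# Constructed for contrast: a GETPORT (procedure 3) call as carried over UDP (no record mark),
# asking for NFS (100003) v2 over UDP (17). Same program and version bytes, different procedure.
GETPORT_CALL_UDP = bytes.fromhex(
    "0000beef 00000000 00000002 000186a0 00000002 00000003"
    "00000000 00000000 00000000 00000000"
    "000186a3 00000002 00000011 00000000"
)
PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4   # portmapper; DUMP is what rpcinfo -p sends

def parse_rpc_call(data, over_tcp=True):
    """Decode an ONC RPC v2 CALL header; returns the fields a signature keys on."""
    pos = 0
    last_frag, frag_len = True, len(data)
    if over_tcp:
        mark = struct.unpack("!I", data[:4])[0]
        last_frag, frag_len, pos = bool(mark & 0x80000000), mark & 0x7FFFFFFF, 4
    xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack("!6I", data[pos:pos + 24])
    if msg_type != 0 or rpc_vers != 2:
        raise ValueError("not an RPC v2 CALL")
    pos += 24
    cred_flavor, cred_len = struct.unpack("!II", data[pos:pos + 8])
    pos += 8 + cred_len                       # skip the opaque credential body
    verf_flavor, _verf_len = struct.unpack("!II", data[pos:pos + 8])
    return {"xid": xid, "program": prog, "version": vers, "procedure": proc,
            "cred_flavor": cred_flavor, "verf_flavor": verf_flavor, "last_frag": last_frag,
            "frag_len_ok": frag_len == len(data) - (4 if over_tcp else 0)}

def is_portmap_dump(data, over_tcp=True):
    """Match the portmapper DUMP signature structurally: program 100000, version 2, procedure 4."""
    call = parse_rpc_call(data, over_tcp)
    return (call["program"], call["version"], call["procedure"]) == (PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)

if __name__ == "__main__":
    print(parse_rpc_call(RPC_DUMP_CALL), is_portmap_dump(RPC_DUMP_CALL))
    print(parse_rpc_call(GETPORT_CALL_UDP, over_tcp=False), is_portmap_dump(GETPORT_CALL_UDP, False))
```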
Here is one more that is slightly different, but you still have the same signature: 01 86 A0 00 00 00 02 00 00 00 04

    [**] RPC Info Query [**]
    05/18-18:35:50.788732 203.231.10.220:872 -> z.y.w.98:111
    TCP TTL:47 TOS:0x0 ID:22796 DF
    *****PA* Seq: 0x356EBD5D Ack: 0x51D3CF02 Win: 0x7D78
    TCP Options => NOP NOP TS: 187385869 565623365
    80 00 00 28 5E 76 20 50 00 00 00 00 00 00 00 02  (^v P
    00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00

Snort detect by Laurie Zirkle

Slide 9: Printer Hunting

    08:27:36.603367 192.168.1.1.63766 > 192.168.12.3.9100: S 2784969512:2784969512(0) win 65535 <nop,wscale 1,mss 1460>
    08:27:40.102674 192.168.1.1.63766 > 192.168.12.3.9100: S 2784969512:2784969512(0) win 65535 <nop,wscale 1,mss 1460>
    08:27:46.502821 192.168.1.1.63766 > 192.168.12.3.9100: S 2784969512:2784969512(0) win 65535 <nop,wscale 1,mss 1460>

About every 5 - 10 seconds, myhost (192.168.1.1) sends a TCP connection attempt from a varying high-numbered port to remotehost (192.168.12.3) port 9100. The number of connection attempts using the same source port varies from one to a handful; then the source port changes. The remote host does not respond to these attempts. By looking up port numbers on the internet, we found that port 9100 is the standard port used by networked Hewlett Packard LaserJet printers. Searching the network traces shows other connections to destination port 9100 to machines that are definitely networked HP LaserJet printers. A check of myhost's print queue showed that a print job had been trying to print to a remote LaserJet printer for about a month. The IP address of this printer in the hosts file is correct and does not match the IP for remotehost. However, looking back in the system change log, we find that the current IP of remotehost is the same as the original IP of the printer that the print queue is going to.
This IP was updated in /etc/hosts when the network was subnetted and new IPs were assigned. Printing on myhost is done via HP's JetDirect software. When the print job was cancelled, the TCP connection attempts to remotehost stopped. When the printer was removed and re-added with the correct IP address via JetDirect, printing went to the printer and not to remotehost.

Detect and analysis by Mike Harvey, GCIA.

Slide 10: Port 7306 Scan

    09:54:40 prober.374 > ludmi.arpa.net.7306: S 4984444:4984444(0) win 8192 (DF)
    09:54:40 prober.375 > 192.168.21.20.7306: S 4984454:4984454(0) win 8192 (DF)
    09:54:41 prober.376 > 192.168.21.21.7306: S 4984945:4984945(0) win 8192 (DF)
    09:54:41 prober.377 > 192.168.21.22.7306: S 4984955:4984955(0) win 8192 (DF)
    09:54:41 prober.378 > 192.168.21.23.7306: S 4984965:4984965(0) win 8192 (DF)

During December 1998 and January 1999, there were a large number of reports of puzzling scans, often to high numbered TCP and UDP ports. This is one more reason to configure your firewall to deny all and then add back what you need to do business. By mid 1999, it was clear that many of these scans had a purpose: they were looking for malicious code, or trojans. In this case, port 7306 is commonly associated with the NetMonitor trojan.

[...]

... mentioned at the SANS web site. This tool is a follow-on to doomdns.

Detect and analysis by Mike Harvey, GCIA

Slide 25: Scanning for Web Servers, 31337 Signature Port

    date      time      source IP     src port
    04/26/98  20:27:37  202.256.20.6  31337
    04/26/98  20:27:37  202.256.20.6  31337
    04/26/98  20:27:37  202.256.20.6  31337
    ...

[...]

... with either Clearcase, which is a source control product from Rational Software (http://www.rational.com/products/clearcase/index.jtmpl), or Backweb (http://www.backweb.com/), which is a push-based software distribution solution. A quick search of Backweb’s site verified the Compaq relationship (http://www.backweb.com/html/compaq.html). On the client computer an application named Compaq Service Connection ...

Slide 11: Network Mapping

Network mapping refers to an attacker probing your systems in order to determine what their IP addresses are.

Another technique that attackers use to gain information about your systems is network mapping. There are many ways to do network mapping, but they all have the same goal: determining ...

[...]

... is wrong. The “global load balancing” concept is described by Howard Kash in his “Analysis of the Type0 (Class 0) DNS that has been detected, version 1.0” located at: http://www.sans.org/newlook/resources/IDFAQ/DNS.htm

Slide 12: Network Mapping with UDP Echo Requests

    02:08:48 mapper.com.3066 ...
    02:15:04 mapper.com.3066 ...
    02:15:13 mapper.com.3066 ...
    02:22:38 mapper.com.3066 ...
    02:27:07 ...
    02:30:38 ...
    02:49:31 ...
    02:49:55 ...
    03:00:19 ...

[...]

... following information:
  2 bytes: bindery object type (always 030c in hi-lo order)
  12 bytes: MAC address of card (ASCII)
  2 bytes: frame type; the high bit (8000) is also set if the card is not configured
  2 bytes: unit type (hex 81 for NetJet card)
  32 bytes: node name (ASCII), which is the print server name for Queue Server mode or the printer name for RPTR mode
IANA Assignment: ftp://ftp.isi.edu/in-notes/iana/assignments/enterprise-numbers

[...]

... are also used.

Slide 26: Information Gathering Using NetBIOS

One of the characteristics of NetBIOS is that UDP 137 traffic is often caused by something a site initiates. For example, if you send email to a site running Microsoft Exchange, they will often send a port 137 attempt. So we look for the causing factor. Here is the pattern:

    12/02/97 08:27:18 jellypc.net 1112 -> www.srnaccess.com http
    12/02/97 08:27:19 207.256.242.26 ...

[...]

... address so the updates could be delivered.”

Slide 34: Napster – TCP 6699

    04/03/2000 13:25:29.352 TCP connection dropped "Source:208.184.216.184, 1931, WAN - " "Destination:user.mynet, 6699, LAN - " - Rule 0
    04/03/2000 13:25:34.272 TCP connection dropped "Source:208.184.216.184, 1932, WAN - " "Destination:user.mynet, 6700, LAN - " - Rule 0
    04/03/2000 13:25:40.912 TCP connection dropped "Source:208.184.216.184, ...

[...]

... Strom, GCIA: “This is a log from our corporate firewall. The detect is showing an attempt to connect to host x.icq.yyy.com on port 4000. Port 4000 is commonly used for Terabase (per ftp://ftp.isi.edu/innotes/iana/assignments/port-numbers) as well as ICQ. In this situation, the destination host name is x.icq.yyy.com. In reviewing the traffic from 172.10.253.10 and after reviewing the applications on 172.10.253.10, ...

[...]

... allows such connections to your IPC$ share, then attackers can gather information on your system. The next slide shows some of the information that can be collected through a null session.

Slide 32: A “Real” Example

    2/18/98 1:39 AM - Diablo - \\192.168.4.22
    UserName,Administrator
    Groups,Administrators (Local, Members can fully administer the computer/domain)
    AccountType,User
    HomeDrive
    HomeDir
    PswdCanBeChanged,Yes
    ...

Slide 31

• What is it?
  – “finger for NT”: provides information about user names and shares
• Demonstration exploit
• Defending against null sessioning

Null sessioning is a way of gathering information about a Windows system. Some people compare it to the “finger” command on Unix systems, but null sessioning can reveal much more information. When you establish a null session, ...

Posted: 24/01/2014, 10:20
