Thursday, January 24, 2008

Ping Sweep Detection

An intrusion detection system is one way of detecting a ping sweep. There are several solutions, such as Snort. Snort is an open source IDS that is resourceful and lightweight.
Snort
Snort can be downloaded from http://www.snort.org. It was authored by Martin Roesch.
Snort is a cross-platform, lightweight network intrusion detection tool that can be deployed to monitor small TCP/IP networks and is capable of detecting a range of suspicious network traffic. Snort features rules-based logging to perform content pattern matching and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, etc.
Snort has three primary uses. It can be used as a packet sniffer or a packet logger. It can also be used as a complete network intrusion detection system.
Genius
Genius is efficient in helping users work with several popular Internet protocols. Written by Coda Hale. It can be downloaded under the GNU Public License from http://www.indiesoft.com.
BlackICE
BlackICE Defender is not just a firewall; it is also an IDS. In reality, it is a "hybrid" of firewall and IDS. BlackICE Defender combines firewall technology with intrusion detection technology, which means it uses more than one method to protect the system.
Scanlogd
Scanlogd detects port scans and writes one line per scan via the syslog(3) mechanism. Written by Solar Designer and Steffen Dettmer.

Ping Sweep

A ping sweep queries multiple hosts using ICMP ECHO requests. It differs from a single ping in that, while a single ping indicates the availability of one specified host, a ping sweep detects multiple hosts.
There are a number of ping sweep tools for UNIX: gping, nmap; for Windows: Pinger from Rhino9, fping and Ping Sweep from SolarWinds.
ICMP does not use ports and hence does not fall under port scanning. Ping sweeps are a small part of network scanning, which has to be done before any port scanning.
What if a firewall has blocked ICMP ECHO requests? The attacker can still gain information by using ICMP type 13 (TIMESTAMP) and type 17 (Address Mask Request). Readers interested in learning more can refer to Ofir Arkin's paper "ICMP Usage in Scanning or Understanding some of the ICMP protocol's Hazards". He also has a tool called Xprobe that uses ICMP to scan the network.
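As an added example (not from the original post, and not Snort's own logic), the following Python sketches the detection an IDS rule performs for the two passages above: it reads a constructed log of ICMP requests and raises an alert when one source probes several distinct hosts within a short window, counting ECHO, TIMESTAMP and Address Mask requests alike, so a sweep that falls back to type 13/17 once ECHO is filtered is still caught. The log format, threshold, window and addresses are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log, one ICMP request per line:
# "<seconds> <src> <dst> <icmp_type>". The format is an assumption for this
# example, not Snort's alert or log format.
SAMPLE_LOG = """\
0.00 10.0.0.5 10.0.1.1 8
0.02 10.0.0.5 10.0.1.2 8
0.04 10.0.0.5 10.0.1.3 8
0.06 10.0.0.5 10.0.1.4 8
0.08 10.0.0.5 10.0.1.5 8
0.10 10.0.0.5 10.0.1.6 8
1.00 10.0.0.9 10.0.1.1 8
1.50 10.0.0.9 10.0.1.1 8
3.00 10.0.0.7 10.0.1.1 13
3.01 10.0.0.7 10.0.1.2 13
3.02 10.0.0.7 10.0.1.3 17
3.03 10.0.0.7 10.0.1.4 17
3.04 10.0.0.7 10.0.1.5 13
"""

# Request types a sweep may use: ECHO, plus the fallbacks used when ECHO is filtered.
PROBE_TYPES = {8: "echo", 13: "timestamp", 17: "address-mask"}

def parse_line(line):
    ts, src, dst, icmp_type = line.split()
    return float(ts), src, dst, int(icmp_type)

def detect_sweeps(log_text, threshold=5, window=1.0):
    """Return (src, distinct_targets, probe_kinds) for every source that
    probes at least `threshold` distinct hosts within `window` seconds."""
    recent = defaultdict(deque)   # src -> (ts, dst, type) events inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ts, src, dst, icmp_type = parse_line(line)
        if icmp_type not in PROBE_TYPES or src in alerted:
            continue
        events = recent[src]
        events.append((ts, dst, icmp_type))
        while ts - events[0][0] > window:   # expire events older than the window
            events.popleft()
        targets = {d for _, d, _ in events}
        if len(targets) >= threshold:
            kinds = sorted({PROBE_TYPES[t] for _, _, t in events})
            alerts.append((src, len(targets), kinds))
            alerted.add(src)   # one alert per source, as an IDS would rate-limit
    return alerts
```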
WS_Ping ProPack
WS_Ping ProPack implements a 32-bit graphical PING client for Windows, replacing the old WSPING32. Additional functions include: Traceroute, Domain Name Service lookup, Finger, Whois, LDAP, SNMP and SCAN IP.
NetScan Tools
NetScan Tools Pro 2003 adds features to the standard ping utility, such as subnet masking, where the tool sends an ICMP Address Mask request to the target and reports the result. Traceroute and Ping now include graphing capability, which shows packets versus response time. The data gathered during a sweep can be viewed in report form by double-clicking on a target. The custom ICMP Generator can generate any ICMP packet type 0-31, including the usual codes.
A hexdump of a ping packet can reveal the MAC address and IP of the machine. If we can obtain the subnet mask, we can work out the network address.
hping
hping is a command-line TCP/IP packet assembler/analyzer. It can be downloaded from http://www.hping.org/download.html.
This tool can be used for firewall scanning, advanced port scanning, network testing using different protocols, TOS and fragmentation, manual path MTU discovery, advanced traceroute under all the supported protocols, remote OS fingerprinting, remote uptime guessing and TCP/IP stack auditing.
icmpenum
icmpenum not only uses ICMP ECHO to probe a network, but ICMP Timestamp and ICMP Information packets as well. It is particularly helpful for probing systems that fail to block Timestamp or Information packets. It also supports trusted addresses.

Monday, January 21, 2008

Detect "Live" Machine on Target System

The first step in mapping a target network is to find the limits of the network and determine its defenses. The attacker will look for a means of entry by building an inventory of the target network. This gives an indication of any vulnerability that can be exploited and of how well the network perimeter is guarded. The attacker will intrude with a minimal footprint and lie low to assess what measures the target system takes to detect intrusion.
Two types of tools can be used for this purpose: war dialers and ping utilities.
War Dialer
A war dialer is a tool used to scan a large pool of telephone numbers to detect vulnerable modems that could provide access to the target. A more aggressive version might attempt to determine the operating system, and a very aggressive version might perform some automated break-in attempts. A real scanner will attempt to analyze the carrier information, the negotiation and presence of protocols, and banners to determine the operating system. It will then attempt default username/password combinations for the system.
  • THC Scan - a free war dialer released by "van Hauser" of The Hacker's Choice (THC), a European hacker/phreaker group. What sets THC Scan apart from commercial dialers is the flexibility of its internal configuration. An attacker can use THC Scan with THC Login Hacker to brute-force systems that have been discovered.
  • ToneLoc
  • TBA
A demon dialer is a tool used to monitor a specific phone number and target its modem to gain access to the system.
Ping
Ping sends out an ICMP echo request packet and waits for an ICMP echo reply from an active system. Alternatively, TCP/UDP packets are sent if incoming ICMP messages are blocked. ICMP is used for error reporting, gathering network information, flow control and packet rerouting.
  • Pinger - one of the fastest ICMP sweep scanners
  • WS_Ping ProPack
  • NetScan Tools
  • HPing
  • icmpenum
From a security point of view, Ping can help deduce whether packets are being dropped, duplicated or rehashed. However, it cannot determine exactly where in the network this has occurred, or by whom, or sometimes even why. This functionality is achieved by placing a unique sequence number on each packet transmitted. Ping allows detection of malformed or damaged packets, as it performs a checksum on every packet exchanged. Ping helps in assessing network traffic by time-stamping each packet. The Round Trip Time (RTT) indicates the time taken for the packet exchange between the two systems. Ping can be used to echo other ICMP messages that are otherwise not reported by the system software. Readers are encouraged to refer to RFC 792 to understand ICMP better.
ICMP packets can be used to determine whether a target IP address is alive or not by simply sending an ICMP ECHO (ICMP type 8) packet to the target and waiting for an ICMP ECHO reply (ICMP type 0). If an ICMP ECHO reply is received, the target is alive. No response could mean one of four scenarios: the target is down, the query was lost in transit, the traffic is being filtered, or the system is configured not to respond.
It is worth noting that while UNIX and Linux follow the RFC suggestions in their implementation of the ping utility, Windows shows a variation. Windows systems keep the ICMP identifier constant and use the sequence number field to differentiate between machines in their ping utility. For each ICMP ECHO request the ICMP sequence number is a unique number. The gap between one ICMP sequence number field value and the next is 100 hex/256 decimal.
The implementation of the ping utility in Windows systems sees the ICMP datagram field as signed values, based on the OS used. This is in contrast with UNIX systems, which use the process ID of the utility instead. Therefore, whenever an ICMP query datagram with an ICMP identifier field value of 256/512/768 is generated, it indicates that the underlying operating system is Windows-based. This is significant because security is operating-system dependent, and identifying which operating system runs on the target host can shorten the attack phase.
UNIX and related systems set the sequence number to 0 on the first query to a host and increase this number only if sequential queries are sent to the system. In other words, each time the ping command is run, the first query sent carries the value 0.
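An added example (not from the original post) that puts the identifier/sequence traits above to defensive use, for instance when a capture shows a host probing the network: it builds and parses ICMP ECHO request headers per RFC 792, verifies the checksum, and classifies a run of requests from one source as Windows-like or UNIX-like ping. The sample packets are constructed, not real captures, and the 0x1234 identifier stands in for a UNIX process ID.

```python
import struct

def icmp_checksum(data):
    """RFC 792 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident, seq, payload=b"abcdefgh"):
    """ICMP type 8, code 0: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_echo(packet):
    """Decode an ICMP echo header; a valid message checksums to zero."""
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "id": ident, "seq": seq}

def guess_ping_origin(packets):
    """Apply the heuristics described above to a run of echo requests from one
    source: Windows ping keeps the identifier at 256/512/768 and steps the
    sequence by 0x100; UNIX ping starts the sequence at 0 and steps by 1."""
    fields = [parse_echo(p) for p in packets]
    if not fields:
        return "unknown"
    ids = {f["id"] for f in fields}
    seqs = [f["seq"] for f in fields]
    steps = {b - a for a, b in zip(seqs, seqs[1:])}
    if ids <= {256, 512, 768} and steps <= {0x100}:
        return "windows"
    if seqs[0] == 0 and steps <= {1}:
        return "unix"
    return "unknown"

# Constructed samples mimicking each family's ping, not real captures.
WINDOWS_PING = [build_echo_request(512, s) for s in (0x100, 0x200, 0x300)]
UNIX_PING = [build_echo_request(0x1234, s) for s in (0, 1, 2)]   # 0x1234 stands in for a PID
```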

Thursday, January 17, 2008

Footprinting Tools

There are many tools for footprinting. The following lists a few popular ones:
  • NeoTrace - a diagnostic and investigative tool. It traces the network path across the Internet.
  • VisualRoute - a graphical tool that determines where and how traffic is flowing on the route between the desired destination and the user trying to access it, by providing a geographical map of the route and the performance on each portion of that route.
  • SmartWhois - a network information utility that allows the user to find all the information available about an IP address, host or domain name. (www.tamos.com)
  • VisualLookout - a real-time TCP/IP monitor that can help detect intrusions that have crossed the firewall. It is basically an IDS tool.
  • VisualRoute Mail Tracker - part of VisualRoute; it can track a spoofed mail or even ordinary mail.
  • eMailTrackerPro - analyzes email headers and provides the IP address of the machine that sent the email.

Locate Network Range

To find the network range, an attacker can get more detailed information from the appropriate regional registry database. They can also trace the route between their system and the target system.
There are many traceroute tools; two of the popular ones are NeoTrace and VisualRoute. Some other tools are based on the POC input of the various ISP/NSP routers, and thus it is possible that the information shown by these tools is not entirely correct. It is always good practice to check more than one registry.
If the DNS servers are not set up correctly, the attacker may be able to obtain the list of internal machines. And if the attacker traceroutes to a machine, he can also get the internal IP of the gateway, which can be of use.
ARIN allows searches on the whois database to locate information on network autonomous system numbers (ASNs), network-related handles and other related points of contact. ARIN also has a set of additional tools and links to other sites such as RWhois.net.
Up to this moment the information gathering activities are completely passive (with the exception of traceroute, which can be detected) and undetectable by the target organization. Doing footprinting helps administrators know what information lies outside the organization and the potential threat it can pose to the organization.

Traceroute
Traceroute works by exploiting a feature of the Internet Protocol called Time To Live (TTL). TTL is interpreted to indicate the maximum number of routers a packet may transit. Each router handling a packet decrements the TTL count in the IP header by 1. When the count reaches zero, the packet is discarded and an error message is transmitted to the originator.
Traceroute sends out a packet destined for the target with the TTL set to 1. The first router receives the packet, decrements the TTL by 1 and, as the result is 0, discards the packet and sends a message back to the originator to inform it that the packet was discarded. Traceroute records the IP address and DNS name, if any, of the router, then sends out a packet with TTL = 2. This packet makes it through the first router and is then discarded by the second router, which sends a message back to the originator. Traceroute repeats this and records the IP address of each router as the packets route through the network to reach the destination, or until the host is unreachable. Traceroute also records the time it took for each packet to travel round trip to each router.
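The TTL walk just described, as an added simulation that is not part of the original post: the routers, addresses and link delays are constructed so the exchange runs offline, and each hop decrements the TTL and answers with Time Exceeded when it reaches zero, which is exactly what traceroute relies on.

```python
class Hop:
    """A constructed router or end host with its one-way link delay in ms."""
    def __init__(self, addr, link_ms):
        self.addr, self.link_ms = addr, link_ms

def send_probe(routers, dest, ttl):
    """Model one probe. Every router decrements TTL; the router that takes it
    to 0 discards the packet and answers ICMP Time Exceeded (type 11).
    If the packet survives all routers, the destination answers instead."""
    one_way = 0.0
    for router in routers:
        one_way += router.link_ms
        ttl -= 1
        if ttl == 0:
            return "time-exceeded", router.addr, 2 * one_way
    one_way += dest.link_ms
    return "reply", dest.addr, 2 * one_way

def traceroute(routers, dest, max_hops=30):
    """Raise the TTL from 1 upward, recording who answered and the RTT, until
    the destination replies or max_hops probes have been sent."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, addr, rtt_ms = send_probe(routers, dest, ttl)
        hops.append((ttl, addr, rtt_ms))
        if kind == "reply":
            return hops, True
    return hops, False   # destination not reached within max_hops

# Constructed path using documentation-range addresses, not a real network.
ROUTE = [Hop("192.0.2.1", 1.0), Hop("198.51.100.7", 4.5), Hop("203.0.113.3", 9.0)]
TARGET = Hop("203.0.113.200", 11.0)

if __name__ == "__main__":
    for ttl, addr, rtt_ms in traceroute(ROUTE, TARGET)[0]:
        print(f"{ttl:2d}  {addr:<16} {rtt_ms:.1f} ms")
```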

Wednesday, January 16, 2008

NsLookup

Nslookup is a valuable tool for querying DNS information for host name resolution. It is bundled with both UNIX and Windows operating systems and can be run at the command prompt.
Nslookup allows querying a DNS server other than the default one by typing "server <hostname>" (where <hostname> is the host name of the server you want to use for future lookups). A zone transfer can be done if security is lax. Following is an example:
> nslookup
Default Server: ntsysa06.corp.root
Address: 10.87.122.146
> server 10.2.202.1
Default Server: dns-286-cns-02.corp.com
Address: 10.2.202.1
> set type=any
> ls -d target.com
systemA 1D IN A 10.12.133.147
geekL 1D IN A 10.12.133.151
Nslookup employs the domain name delegation method when used on the local domain. That means a query for "systemA.targetcompany.com" that fails will go one level up to find "targetcompany.com". To query hosts outside the domain, a fully qualified domain name (FQDN) must be typed.
The Nslookup interface at http://www.zoneedit.com/lookup.html provides an interactive mode.
In addition, the attacker can use the dig and host commands to obtain more information on UNIX systems.
The DNS namespace is divided into zones. For each DNS domain name included in a zone, the zone becomes the storage database for a single DNS domain name and is the authoritative source.
At a basic level, an attacker can try to obtain more information by using various Nslookup switches.
At a higher level, an attacker can attempt a zone transfer at the DNS level, which can have drastic implications.
To defend the target, inappropriate queries must be refused by the system.
To control zone transfers, specify the exact IP addresses from which zone transfers may be allowed. The firewall must be configured to check access to TCP port 53 (which, unlike UDP port 53, is used for zone transfers rather than DNS queries). Another best practice is to use more than one DNS server, or the split DNS approach, where one DNS server caters to the external interface and the other to the internal interface. This lets the internal DNS act like a proxy server and checks leaking of information through external queries.
Check out DNS concepts in RFC 1912 Common DNS Operational and Configuration Errors, RFC 2182 Selection and Operation of Secondary DNS Servers, and RFC 2219 Use of DNS Aliases for Network Services.


Tuesday, January 15, 2008

Education on Ethical Hacking

There is formal education and training for ethical hacking. The University of Abertay offers a BSc (Hons) in Ethical Hacking & Countermeasures and an MSc/PGDip in Ethical Hacking & Countermeasures.