Topic 2 - Network based Security Testing

By default, when running a host discovery task, nmap sequentially sends (i) an ICMP echo request, (ii) a TCP SYN packet to port 443, (iii) a TCP ACK packet to port 80, and (iv) an ICMP timestamp request to an IP address. Give rational

(i) Use an ICMP echo request for those router that are blocking TCP and UDP packets. If an ICMP ECHO_REPLY (ICMP Type 0)is received it indicates the target system is alive (ii) This technique is called halfopen scanning because a full TCP connection is not made. Instead, only a SYN packet is sent to the target port. If a SYN/ACK is received from the target port, we can deduce that it is in the LISTENING state. Port 443 is commonly used for webservers and are often open on targets (iii) TCP ACK scan This technique is used to map out firewall rulesets. It can help determine if the firewall is a simple packet filter allowing only established connections (connections with the ACK bit set) or a stateful firewall performing advance packet filtering. Port 80 is commonly used for webservers and are often open on targets. (iv) if ingress (inbound) ICMP ECHO packets are dropped by a border router or firewall, it may still be possible, that they allow the ICMP timestamp request therefore it is possible to identify systems (alive hosts) using one of these alternate ICMP TIME STAMP REQUEST.

Stateless/Basic vs Statefull Firewall

A basic or stateless packet filtering firewall can only filter network traffic or packets by rulesets based on static data and it is unable to remember the data of packets it filters.The firewall will not be able to remember the state of a connection based on previous packets received and their flags (e.g. SYN, ACK or FIN flags). A stateful packet filtering on the other hand is able to remember the flags of previous network traffic received and thus their connection states. With that information available it is able to filter according to more granular rulesets that analyse a history of network packets and their flags (e.g. SYN, ACK or FIN). Thus, determining the state of the network connection.

PING SWEEP

A ping sweep, or ICMP sweep can generate a list of hosts on networks. This can be done using tools such as nmap. It works by sending a PING (or ECHO) request to each address in the subnet. Hosts that exist may reply with a response which let the scanning tool know that a host is up and listening to requests. In the case of hosts configured to block ping requests, the tool might get an access denied response. In this instance the tool knows some host is there, but it may not learn as much about it as if it replied to the ECHO request.

ICMP timestamp ping

An ICMP timestamp ping operates similarly to other ICMP-based pings. The source workstation sends an ICMP Get Timestamp message and waits for an ICMP Send Timestamp response.

DNS

DNS is used to translate names such as www.google.com to IP address such as 8.8.4.5 as humans are good at remembering names but not IP addresses. DNS servers on the Internet help translate between names IP and on devices such as laptops they will have DNS resolver that will help find the IP address and they will also have a DNS cache where this can be stored.

NMAP non-standard/stealth scan options

FIN Scan The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshaking. If a TCP session isn't active, the session certainly can't be formally closed! The Null Scan (-sN) The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. The Xmas Tree Scan (-sX) The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

ICMP Echo scanning

ICMP echo scanning is used to discover live machines by pinging all the machines in the target network. Attackers send ICMP probes to the broadcast or network address which is relayed to all the host addresses in the subnet. The live systems will send ICMP echo reply message to the source of ICMP echo probe.

Stateless/Basic vs Statefull Firewall benifits

OSI Layer: This ability to take into account and remember flags in a network packet essentially means that a stateful packet filtering firewall is capable of operating at level 4 (Transport Layer) of the OSI model as opposed to a stateless packet filtering firewall that operates at level 3 (Network Layer). Operating at a higher layer means that the stateful firewall is able to interpret more information and set more granular rulesets for filtering as opposed to a stateless firewall. For example, a stateful firewall via analysing the SYN packet is able to tell whether a packet is a response to a previous outward bound connection request while a stateless packet filtering firewall can't. Network Scans: A stateful firewall is much more effective at blocking network scans than a stateless firewall simply because of the fact that it can remember connection states. An attacker scanning a network that is protected by a stateful packet filtering firewall might have to be a lot more careful when scanning. For example, a stateful packet filtering firewall might be suspicious when an attacker sends multiple SYN/ACK packets to a single hosts and proceeds to blacklists the IP address of the attacker to the attacker's frustration. A stateless packet filtering firewall on the other hand would not be able to remember the information of a packet state. Performance & Config: Performance and ease of configuration is more on stateless firewalls. More details are required to configure on statefull firewalls and tracking states requires more hardware peformance.

Describe port scanning

Port scanning is the process of sending packets to TCP and UDP ports on the target system to determine what services are running or are in a LISTENING state. Identifying listening ports is critical to determining the services running, and consequently the vulnerabilities present from your remote system. Additionally, you can determine the type and version of the operating system and applications in use.

Port scanners for operating system identification

TCP/IP stack fingerprinting: Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP. The TCP/IP fields examples: TTL, window size, packet size etc. TCP Port Service Scanning: Based on certain number of ports open, the scanner can identify the application and the OS running on the machine. eg: 445 (SMB), 139 (Netbios-ssn), 135 (RPC), 3389 (RDP) points to a Windows machine

how can the TRACEROUTE tool can be used to obtain information on the target network

TRACEROUTE can be ran in an attempt to determine the target network topology and potential access paths. It provides information about perimeter devices to build up a map of the target network.

TCP ACK

The ACK scan probe packet has only the ACK flag set When scanning unfiltered systems, open and closed ports will both return a RST packet. meaning that they are reachable by the ACK packet

TRACEROUTE tool

The tool lets you view the route an IP packet follows from one hop to the next. - It sends a udp datagram at a high value (tcp/udp) port that is likely to be closed. - It uses the Time-To-Live filed in the IP packet which it queries as it moves through he targeted routers. - Each router (hop) that handles a datagram is required to decrease the TTL by 1. The reason for this is to prevent datagrams going into infinite loops - when the TTL reaches 0 that datagram will be thrown away and an ICMP error message "time exceeded" will be sent back to the source. That ICMP datagram returned contains the IP address of the router. This can be used to determine the path of the packet by sending multiple IP packets to all discovered hosts/routers to build a network map.

DNS cache poisoning attack

The way DNS cache poisoning can work is that it takes advantage of the fact the DNS does not use authentication. An attacker will send a malicious DNS reply to the user claiming that the host name links to an IP address of their choosing, the DNS cache for the user will then be updated and next time the user enters the hostname the DNS resolver will check the DNS cache find an entry and direct the user to the IP address. The attacker could then conduct a man in the middle attack, or try to infect the user's device. The wrong IP will remain until the cache expires or the user realizes and removes it.

TCP SYN Scan

This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non- listener. If a SYN|ACK is received, you immediately send a RST to tear down the connection (actually the kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it.

UDP port scanning slower than TCP

UDP is connection less protocol. Unlike TCP which establishes a connection between communicating parties, in UDP the sender sends the data and assumes the target got the message and it will not get back an Acknowledge. Due to this, UDP scans like nmap sU, have to retransmit to ensure that all hosts get the message. Since no timeout exist, nmap has to listen back for replies for a longer period as hosts are not obliged to reply before a certain timeout.

DNS Enumeration

is a passive method meaning that the targeted environment (paying customer) will not be aware of any of the information gathering as their network will not be touched. WHOIS database is a tool that is used for passive information gathering as it provides information about IP addresses and domain names, DNS server names, etc..

DNS interrogation

is active information gathering by actually contacting the DNS server of the target environment. if the DNS server is misconfigured, it allows zone transfer on internal information which means that information about the internal network becomes available. Tools like lookup, dig and host can be used to actively probe the DNS server.