scan limitations:
- scanners cannot perform vulnerability linkage
- scanners are not designed to do testing through a firewall
- scanners are only as smart as their database and cannot find unpublished vulnerabilities

types of scanning:
- port scanning: open ports and services
- network scanning: ip addresses
- vulnerability scanning: presence of known weaknesses

scanning objectives:
- to detect the live systems running on the network
- to discover which ports are active/running
- to determine the os type
- to map each port to its service
- to discover the ip address of the target system
.........................................................................................................
scanning methodology:
1 check for live systems
2 check for open ports
3 service identification
4 banner grabbing / os fingerprinting
5 vulnerability scanning
6 draw network diagrams of vulnerable hosts
7 prepare proxies
8 attack
ps: possible reasons a scan gets no response:
- the destination host or network might be down
- icmp is filtered by a gateway
- the packet ttl value is too low and cannot reach the target
.........................................................................................................
checking live systems
common method: use icmp
tools:
- angry ip scanner: by default pings the whole subnet; colour shows whether each host is live
- ping sweep: scans using icmp echo requests
- firewalk: uses the responses to infer the gateway's acl settings
.........................................................................................................
checking open ports
- port scan: one scanner against one target
- distributed port scan: multiple computers each scan a small range of one target and the results are then correlated; this can avoid detection by the ids
tools:
- nmap: a very comprehensive tool
- hping2
.....
scanning techniques:

syn stealth / half-open scan
advantage: fewer sites log this scan
target port open:   1 syn --->   2 <--- syn+ack (open)   3 rst --->
target port closed: 1 syn --->   2 <--- rst (closed)

syn/ack scan: syn and ack are set
target port open:   1 syn+ack --->   2 no reply (open)
target port closed: 1 syn --->   2 <--- rst (closed)

tcp connect / full open scan
advantage: the most reliable
disadvantage: the most detectable
the connect() system call is used to do the work
target port open:   1 syn --->   2 <--- syn+ack (open)   3 ack --->   4 rst,ack --->
target port closed: 1 syn --->   2 <--- rst (closed)

syn/fin scanning using ip fragments: splitting up the tcp header over several packets to make it harder for packet filters to detect what is happening; the fragmentation hides part of the probe
...
xmas scan: FIN, URG, PSH are set
advantage: it avoids the ids and the tcp three-way handshake
disadvantage: it works on the unix platform only
fin scan: FIN is set
ack scan: ACK is set
null scan: a scan in which all flags are turned off
advantage: it avoids the ids and the tcp three-way handshake
disadvantage: it works on the unix platform only
for the xmas, fin, ack and null scan types:
- port open: the target gives no response
- port closed: the target replies rst+ack
ps: to avoid being found by these tcp scans, a host can be configured to never send RST packets
...
idle scan: zombie scanning; the scan is relayed through a zombie host, so the apparent source ip changes
technique used: under normal conditions an os increments the ipid each time it actively sends a packet
target port open:
1 attacker syn ---> target
2 zombie <--- syn+ack (open) target
3 zombie rst, ipid=31338 ---> target
4 attacker syn+ack ---> zombie
5 attacker <--- rst, ipid=31339 zombie
target port closed:
1 attacker syn ---> target
2 zombie <--- rst (closed) target
3 attacker syn+ack ---> zombie
4 attacker <--- rst, ipid=31338 zombie
ps: if the zombie is not idle, its ipid keeps increasing on its own and the result cannot be interpreted
ps: tools that can perform an idle scan: nmap, hping2
port closed or firewalled: ipid+1
port open: ipid+2
...
icmp echo scanning: this is not really port scanning; it is an investigation method that maps a sub-netted network's broadcast addresses
list scan: prints a list of ips/names without actually pinging or port scanning; a dns name resolution will also be carried out
udp scanning: closed udp ports can return an icmp type 3 code 3 message.
no response can mean the port is open or the packet was silently dropped.
reverse ident scanning: finds out which user owns the service on the port
window scan: similar to the ack scan; can also identify the os
blaster scan: scans unix systems
verbose scanning
...............................................
scanning tools:
- cheops
- protscan plus: for windows
- strobe: for unix
- ipsecscan
- netscan tools pro: can identify who is running the services on that ip
- wups: udp scanner
- superscan: port scanning, privilege escalation
- ipscanner
- global network inventory scanner
- net tools suite pack
- floppyscan: makes nt crash with a blue screen
- atelier web ports traffic analyzer
- atelier web security port scanner
- ipeye: a different kind of scanning tool
- ike-scan
- infiltrator network security scanner
- yaps
- advanced port scanner
- network activ scanner
- netgadgets
- p-ping tools: besides ping, also a small port scanning utility
- megaping
- lanspy
- hoverip
- lanview
- netbrutescanner
- solarwinds engineer's toolset
- autapf
- osrosoft internet tools
- advanced ip scanner
- colasoft mac scanner: scans mac addresses specifically
- active network monitor
- advanced serial data logger
- advanced serial port monitor
- wotweb
- antiy ports
- port detective
cheops / cheops-ng: provides many simple network tools, such as local or remote network mapping and identification of a computer's operating system. cheops offers many handy graphical network tools; it includes host/network discovery, i.e. host operating system detection. cheops-ng is used to probe the services running on a host; for some services it can find out which application provides the service and that application's version number. cheops is no longer developed or maintained, so cheops-ng should be used instead.
..................................................
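The flag-based scan types and reply rules listed above, turned into detection logic. This is an added example, not code from the original notes; the one-line packet summary format, the addresses and the min_ports threshold are constructed for the example.

```python
# Added example (not part of the original notes): recognise the scan types the
# notes describe from one-line packet summaries and apply the notes' reply rules
# to label each probed port. The log format and addresses are constructed.
from collections import defaultdict

# Flag sets that identify each probe (S=SYN A=ACK F=FIN P=PSH U=URG R=RST, '-' = none).
PROBE_TYPES = {
    frozenset("S"): "syn stealth",
    frozenset("SA"): "syn/ack",
    frozenset("FPU"): "xmas",
    frozenset("F"): "fin",
    frozenset("A"): "ack",
    frozenset(): "null",
}
# These flag combinations never start a legitimate connection: one probe is enough.
ALWAYS_SUSPICIOUS = {"xmas", "fin", "null"}

def port_state(scan, reply):
    """Label a port from the reply to one probe, following the notes' rules."""
    flags = frozenset(reply.replace("-", ""))
    if scan == "syn stealth":  # syn+ack = open, rst = closed, silence = filtered
        return "open" if flags == frozenset("SA") else "closed" if "R" in flags else "filtered"
    # syn/ack, xmas, fin, ack, null: rst(+ack) = closed; no reply is what the notes
    # call open, but a probe dropped by a filter looks exactly the same
    return "closed" if "R" in flags else "open|filtered"

def detect_scans(log, min_ports=3):
    """Group probes by (src, dst, scan type); report sweeps and hostile probe types."""
    probes = defaultdict(dict)
    for line in log.strip().splitlines():
        src, dst, dport, flags, reply = line.split()
        scan = PROBE_TYPES.get(frozenset(flags.replace("-", "")))
        if scan is None:
            continue  # any other flag combination is treated as ordinary traffic
        probes[(src, dst, scan)][int(dport)] = port_state(scan, reply)
    return {key: ports for key, ports in probes.items()
            if key[2] in ALWAYS_SUSPICIOUS or len(ports) >= min_ports}

# Constructed packet summaries: src dst dport flags-sent flags-replied ('-' = none).
SAMPLE_LOG = """
10.0.0.5 10.0.0.20 22 FPU -
10.0.0.5 10.0.0.20 23 FPU RA
10.0.0.5 10.0.0.20 80 FPU -
10.0.0.5 10.0.0.20 443 - RA
10.0.0.7 10.0.0.20 21 S R
10.0.0.7 10.0.0.20 22 S SA
10.0.0.7 10.0.0.20 25 S -
10.0.0.7 10.0.0.20 80 S SA
10.0.0.9 10.0.0.20 443 S SA
"""
```

A single SYN from 10.0.0.9 is reported as nothing, since one SYN is also how every normal connection starts; only a sweep across min_ports ports, or a probe type that never occurs legitimately, is flagged.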
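The idle-scan ipid rule from the notes (ipid+1 means closed or firewalled, ipid+2 means open, and a non-idle zombie makes the result unreadable) as a checked inference. Added example, not from the original notes; the ipid values are constructed and nothing is sent on the network.

```python
# Added example (not part of the original notes): apply the notes' idle-scan
# ipid rule to observed zombie ipid values, handling the 16-bit wraparound of
# the field and refusing to answer when the zombie is not actually idle.
# All sample values are constructed; no packets are sent.
IPID_MODULO = 1 << 16  # the ip identification field is 16 bits wide

def ipid_delta(before, after):
    """Packets the zombie sent between two observations, modulo 2^16."""
    return (after - before) % IPID_MODULO

def zombie_is_idle(samples):
    """True if consecutive ipid samples differ by exactly 1 (only our own probes)."""
    return all(ipid_delta(a, b) == 1 for a, b in zip(samples, samples[1:]))

def infer_port_state(baseline, before, after):
    """
    baseline: ipids seen from the zombie while only we were probing it (idle check)
    before / after: zombie ipid observed just before and just after the spoofed syn
    """
    if not zombie_is_idle(baseline):
        return "indeterminate (zombie not idle)"
    delta = ipid_delta(before, after)
    if delta == 1:
        return "closed or firewalled"   # zombie only answered our second probe
    if delta == 2:
        return "open"                   # zombie also sent a rst to the target
    return f"indeterminate (ipid advanced by {delta})"

if __name__ == "__main__":
    print(infer_port_state([31336, 31337, 31338], 31338, 31340))  # open
    print(infer_port_state([31336, 31337, 31338], 31338, 31339))  # closed or firewalled
    print(infer_port_state([31336, 31340, 31345], 31345, 31347))  # zombie not idle
```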
war dialing
description: aimed at traditional telephone numbers; data is exchanged over the pstn. it was popular in the late 1990s and refers to attackers dialing arbitrary numbers and attacking by way of the modem that answers. with the arrival of the wireless era, war dialing has gradually been replaced by war driving.
many companies put great weight on firewall security. this solid line of defence, however, only closes the network's front door; unregistered modems inside the internal network leave a "back door" open to intruders. war dialers find these modems quickly and then break into the network, which is why they became such a popular tool among intruders.
war dialers became famous through the film "War Games". the attack principle is very simple: dial telephone numbers in sequence or at random, looking for the familiar answer tone of a modem. once a war dialer has found a batch of answering modems, the attackers dial in and keep looking for unprotected logins or easily guessed passwords. the preferred targets of war dialers are pc remote-administration programs with "no password"; these are usually installed by end users for remote access to the company's internal systems. such pc remote-control programs are extremely vulnerable when used on insecure modems.
war dialing tools:
- phonesweep: tries phone numbers and determines whether each is a voice line, fax, data line, etc.
- thc scan
- toneloc
- modemscan
THC-Scan (The Hacker's Choice - Scanner): this war dialer was written by "van Hauser" and is very full-featured. THC-Scan 2.0 was released at Christmas 1998; it serves the same purpose as Toneloc (written by "Minor Threat" and "Mucho Maas"). unlike ordinary war dialers, THC-Scan automatically checks the modem's speed, data bits, parity bits and stop bits. it also tries to determine the operating system of the computers it finds, and it can recognise when a second dial tone becomes available, so that attackers can make free calls without going through your pbx.
war dialing countermeasures:
- use a sandtrap tool
- the most effective measure is to use secure modems. remove modems that serve no purpose, and require users to register a modem with the it department before using it.
- for registered modems that are only used for outbound calls, restrict the company pbx so that they can only dial out. every company should have a strict policy describing modem registration and pbx control.
- because cheap, easy-to-use digital modems are sold in retail shops, users can also install a modem on a pbx that only has digital lines.
- run a war-dialing tool over the company's range of phone numbers and look for connect responses
- perform regular penetration tests to find illegitimate modems on the telephone switch. use a good tool to find modems connected to the network; modems that are found but not registered are either removed or registered.
.........................................................................................................
banner grabbing
connect to the active services and review the banner information
os fingerprinting:
- active stack fingerprinting: when packets reach the os, different operating systems respond differently; however, the responses can also be forged by a device in front of the host
- passive fingerprinting: needs a sniffer to capture the packets leaving the segment, and takes more time; the main fields analysed are ttl, window size, df and tos
...
tools:
- telnet: active stack fingerprinting
- p0f: passive fingerprinting
- httprint: web server fingerprinting tool; shows the server version
- miart http header: active stack fingerprinting
- xprobe2
- ring v2
- html tool
- netcraft: anti-phishing toolbar; shows the web server and host type a site uses; this is passive scanning
- nmap
- queso
grabbing with telnet: telnet to port 80 and send
HEAD / HTTP/1.0
...
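Parsing the reply to the HEAD / HTTP/1.0 banner grab described above, and checking whether the banner still exposes software and version details. Added example, not code from the original notes; both responses are constructed, and the header list and version pattern are this example's own assumptions.

```python
# Added example (not part of the original notes): parse the reply to the
# "HEAD / HTTP/1.0" request used for banner grabbing, pull out the headers that
# identify the server software, and flag banners that still carry a version
# number. Both responses below are constructed, not captured from a real host.
import re

# Headers that commonly reveal server software (assumed list for this example).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted number is treated as a version

def parse_head_response(raw):
    """Split a raw HTTP response into (status line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def banner_leaks(raw):
    """Return the identifying headers found and whether any of them exposes a version."""
    _, headers = parse_head_response(raw)
    found = {h: headers[h] for h in BANNER_HEADERS if h in headers}
    leaks_version = any(VERSION_RE.search(v) for v in found.values())
    return found, leaks_version

# Constructed reply from a server that advertises its software and versions.
VERBOSE = (
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.57 (Unix) PHP/8.1.2\r\nX-Powered-By: PHP/8.1.2\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed reply after the banner has been replaced with a generic value.
MASKED = "HTTP/1.1 200 OK\r\nServer: webserver\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("verbose", VERBOSE), ("masked", MASKED)):
        print(name, banner_leaks(raw))
```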
changing the banner
tools:
- mod_headers: for apache
- iis lockdown tool
- servermask
hiding file extensions:
- mod_negotiation: for apache
- pagexchanger: for iis
.........................................................................................................
vulnerability scanning
tools:
- bidiblah automated scanner
- qualys web based scanner: online tool
- saint
- iis security scanner: commercial tool
- nessus
- gfi languard: a commercial network security scanner for the windows platform
- satan (security administrator's tool for analyzing networks)
- retina: produces well-organised reports
- nagios
- packettrap's pt360
- nikto: an older open-source tool
- safesuite internet scanner
- identtcpscan
ps: vulnerability assessment tools perform a good analysis of system vulnerabilities; however, they are noisy and will quickly trip ids systems.
.........................................................................................................
drawing network diagrams
tools:
- friendly pinger: tries to work out the network structure from the responses and draws each host's role
- lansurveyor
- ipsonar
- lanstate
- insightix visibility
- ipcheck server monitor
- prtg traffic grapher: traffic analysis
.........................................................................................................
preparing proxies
the main functions of proxy servers are:
- firewalling and filtering: can be used to bypass inspection mechanisms
- connection sharing
- caching: the main use of a proxy
the purposes for running proxy servers are:
- to help the system administrator
- to help the user stay anonymous on the internet
tools:
- sockschain
- proxy workbench: builds the path of a connection, relaying through free proxies
- proxymanager
- super proxy helper
- happy browser tool
- multiproxy
- tor (The Onion Router): used for anonymous connections; often combined with privoxy and polipo
- proxy finder
- proxybag
- proxy scanner server
- charon
...
anonymizers: help to make web surfing anonymous
aim: regularly clear the browsing history
tools:
- primedius anonymizer
- stealthsurfer
- browzar: anonymous surfing; automatically clears cookies, history and so on every time it is closed
- torpark
- ip privacy
- a4proxy (anonymity 4 proxy)
- psiphon: mainly intended to bypass government censorship
- mowser
- phonifier
- analogx proxy
- netproxy
- proxy+
- proxyswitcher lite
- jap
- proxomitron
- g-zapper: specifically clears google cookies
- ssl proxy tool: connects to the proxy over ssl
...
http tunneling
tunneling techniques can be used to get past data filtering
tools:
- httptunnel for windows
- httport
...
spoofing ip address using source routing
detecting ip spoofing tool: despoof
.........................................................................................................
countermeasures
- a firewall blocks scanning to a certain degree
- make the os harder to identify through the protective mechanisms
- default ports should be changed
- keep the data exposed on public networks to a minimum
tool: sentrypc