scanning


scan limitations

scanners cannot perform vulnerability linkage
scanners are not designed to do testing through a firewall
scanners are only as smart as their database and cannot find unpublished vulnerabilities

types of scanning:
port scanning: open ports and services
network scanning: ip addresses
vulnerability scanning: presence of known weaknesses

scanning objectives
to detect the live systems running on the network
to discover which ports are active/running
to determine the os type
to determine which service is mapped to which port
to discover the ip address of the target system

……………………………………………………………………………………………

scanning methodology
1 check for live systems
2 check for open ports
3 service identification
4 banner grabbing/os fingerprinting
5 vulnerability scanning
6 draw network diagrams of vulnerable hosts
7 prepare proxies
8 attack

ps:
possible reasons for getting no response to a scan:
the destination host or network might be down
icmp is filtered by a gateway
the packet ttl value is too low and can't reach the target

……………………………………………………………………………………………

checking live systems
common method: use icmp
tool:
angry ip scanner: pings the whole subnet by default and uses colours to show whether each host is live
ping sweep: scans with icmp echo requests
firewalk: uses the response messages to infer the gateway's acl settings

……………………………………………………………………………………………

checking open ports
port scan: one scanner against one target
distributed port scan: multiple computers each scan a small range against one target and the results are then correlated; this makes it harder for an ids to notice
tool:
nmap: a very comprehensive tool
hping2

…..

scanning techniques:
syn stealth/half open scan
advantage:fewer sites log this scan
target port open
1 syn—>
2 <—syn+ack(open)
3 rst—>
target port closed
1 syn—>
2 <—rst(close)

syn/ack scan: syn and ack are set
target port open
1 syn+ack—>
2 no reply(open)
target port closed
1 syn+ack—>
2 <—rst(close)

tcp connect/full open scan :
advantage:the most reliable
disadvantage:the most detectable
uses the connect() system call to do the work
target port open
1 syn—>
2 <—syn+ack(open)
3 ack—>
4 rst,ack—>
target port closed
1 syn—>
2 <—rst(close)

syn/fin scanning using ip fragments
splits the tcp header over several packets to make it harder for packet filters to detect what is happening
the fragmentation partially hides what the scanner is sending

xmas scan:FIN,URG,PSH are set
advantage:it avoids the ids and tcp three-way handshake
disadvantage:it works for the unix platform only
fin scan:fin is set
ack scan:ack are set
null scan:A scan in which all flags are turned off
advantage:it avoids the ids and tcp three-way handshake
disadvantage:it works for the unix platform only

scan types: xmas, fin, ack, null
scan against an open port: the target gives no response
scan against a closed port: the target replies rst+ack
ps:
to avoid these tcp scans, the host can be configured to never send RST packets
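The flag combinations described above (SYN-only, XMAS, FIN, NULL) are what a network sensor can key on. The following Python is added here and is not part of the original notes: it classifies constructed packet records by those flag signatures and flags sources that sweep many ports. The packet tuples, IP addresses and the threshold are made-up values.

```python
from collections import defaultdict

# Flag sets the notes describe. A normal TCP stack never sends XMAS, FIN-only or
# NULL segments outside an established connection, so one such probe is enough.
PROBE_SIGNATURES = {
    frozenset({"SYN"}): "syn",
    frozenset({"FIN", "URG", "PSH"}): "xmas",
    frozenset({"FIN"}): "fin",
    frozenset(): "null",
}


def classify_probe(flags):
    """Return the scan technique a flag set matches, or None for ordinary traffic."""
    return PROBE_SIGNATURES.get(frozenset(flags))


def detect_scanners(packets, port_threshold=10):
    """packets: iterable of (src_ip, dst_port, flags).
    SYN is also how real connections start, so SYN-only probes are reported only
    when one source touches >= port_threshold distinct ports (a stealth sweep).
    XMAS/FIN/NULL probes are reported on sight: an open port stays silent, so the
    probe itself is the only evidence a defender ever sees."""
    syn_ports = defaultdict(set)
    odd_probes = defaultdict(set)
    for src, port, flags in packets:
        kind = classify_probe(flags)
        if kind == "syn":
            syn_ports[src].add(port)
        elif kind is not None:
            odd_probes[src].add(kind)
    alerts = {}
    for src in set(syn_ports) | set(odd_probes):
        reasons = set(odd_probes.get(src, ()))
        if len(syn_ports.get(src, ())) >= port_threshold:
            reasons.add("syn-sweep")
        if reasons:
            alerts[src] = {"distinct_syn_ports": len(syn_ports.get(src, ())),
                           "reasons": sorted(reasons)}
    return alerts


# Constructed sample traffic (hypothetical addresses): a 12-port SYN sweep,
# two XMAS probes, and one ordinary client completing a handshake on 443.
SAMPLE_PACKETS = (
    [("10.0.0.5", p, {"SYN"}) for p in range(20, 32)]
    + [("10.0.0.7", p, {"FIN", "URG", "PSH"}) for p in (80, 443)]
    + [("10.0.0.9", 443, {"SYN"}), ("10.0.0.9", 443, {"ACK"}),
       ("10.0.0.9", 443, {"PSH", "ACK"})]
)

if __name__ == "__main__":
    for src, info in sorted(detect_scanners(SAMPLE_PACKETS).items()):
        print(src, info)
```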

idle scan: zombie scanning; the scan is relayed through an intermediate host, so the source ip the target sees is changed
technique used: under normal conditions an os increments the IPID every time it actively sends a packet
target port open
1 attacker syn—> target
2 zombie <—syn+ack(open)target
3 zombie rst,ipid=31338–> target
4 attacker syn+ack–> zombie
5 attacker <–rst,ipid=31339 zombie
target port closed
1 attacker syn—> target
2 zombie <—rst(close)target
3 attacker syn+ack–> zombie
4 attacker <–rst,ipid=31338 zombie
ps:
if the zombie is not idle, its ipid keeps increasing and no conclusion can be drawn
ps:
tools that can perform idle scans: nmap, hping2
if the port is closed or firewalled, the ipid increases by 1
if the port is open, the ipid increases by 2

icmp echo scanning:
this is not really port scanning
an investigation method that maps a sub-netted network’s broadcast address
list scan:
prints a list of ips/names without actually pinging or port scanning
a dns name resolution will also be carried out

udp scanning:
Closed UDP ports can return an ICMP type 3 code 3 message.
No response can mean the port is open or the packet was silently dropped.

reverse ident scanning
determines which user the service on this port is running as

window scan
similar to the ack scan; can also be used to determine the os

blaster scan
a scan aimed at unix systems

verbose scanning

………………………………………..

scanning tools:
cheops
portscan plus: for windows
strobe: for unix
ipsecscan
netscan tools pro: can determine who is running the service on a given ip
wups:udp scanner
superscan: port scanning, privilege escalation
ipscanner
global network inventory scanner
net tools suite pack
floppyscan: triggers an nt blue-screen crash
atelier web ports traffic analyzer
atelier web security port scanner
ipeye: a different kind of scanning tool
ike-scan
infiltrator network security scanner
yaps
advanced port scanner
network activ scanner
netgadgets
p-ping tools: besides ping, a small port-scanning utility
megaping
lanspy
hoverip
lanview
netbrutescanner
solarwinds engineer's toolset
autapf
osrosoft internet tools
advanced ip scanner
colasoft mac scanner: scans specifically for mac addresses
active network monitor
advanced serial data logger
advanced serial port monitor
wotweb
antiy ports
port detective

cheops / cheops-ng
provides many simple network tools, such as local or remote network mapping and identifying a computer's operating system
Cheops offers a number of handy graphical network tools. It includes host/network discovery, i.e. detection of the host operating system.
Cheops-ng is used to probe the services running on a host. For some services, cheops-ng can identify which application is providing the service and its version number. Cheops is no longer developed or maintained, so cheops-ng should be used instead.

…………………………………………..

war dialing
description: aimed at traditional telephone numbers, using the pstn to exchange data
it was popular in the late 1990s; it refers to attackers dialing telephone numbers at random (dialing) and attacking based on the way a modem answers
with the arrival of the wireless era, war dialing has gradually been replaced by war driving

many companies take firewall security very seriously. however, that solid line of defense only locks the front door of the network, while unregistered modems on the internal network leave a "back door" open to intruders.
war dialers can quickly find these modems and then break into the network, which is why they became such a popular tool for intruders.
war dialers became famous through the film "War Games". the attack principle is very simple: dial telephone numbers continuously, in sequence or at random, listening for the familiar answer tone of a modem.
once war dialers have found a large set of answering modems, the attackers dial in and go on to look for unprotected logins or easily guessed passwords on the systems.
the preferred targets of war dialers are pc remote-administration programs with "no password". these programs are usually installed by end users to reach internal company systems remotely.
such pc remote-control programs are extremely fragile when they are used together with insecure modems.

war dialing tool:
phonesweep: tries phone numbers and determines whether each one is a voice line, fax, office machine, etc.
thc scan
toneloc
modemscan

THC-Scan (The Hacker's Choice – Scanner)
this war dialer was written by "van Hauser" and is very fully featured. THC-Scan version 2.0 was released at Christmas 1998; THC-Scan and Toneloc (written by "Minor Threat" and "Mucho Maas") serve a similar purpose. unlike ordinary war dialers, THC-Scan can automatically detect the modem's speed, data bits, parity and stop bits. the tool also tries to identify the operating system of the computers it finds. moreover, THC-Scan can determine when a second dial tone becomes available, which lets attackers make free calls without going through your PBX.

war dialing countermeasures
use a sandtrap tool

the most effective countermeasure is to use secure modems. remove modems that serve no purpose, and require users to register with the IT department before they may use a modem.
for registered modems that are used only for outbound calls, restrict the company PBX so that those lines can only dial out. every company should have a strict policy describing modem registration and controlling the PBX.
because cheap, easy-to-use digital modems are sold in retail stores, users can also install modems on a PBX that has only digital lines.

run a war-dialing tool with a range of phone numbers and look for connect responses
do penetration testing regularly to find unauthorized modems on the telephone exchange.
choose a good tool to look for modems connected to the network. modems that are found but not registered should either be removed or registered.

……………………………………………………………………………………………

banner grabbing
Connect to the active services and review the banner information

os fingerprinting:
active stack fingerprinting: when packets enter the os, different oses respond in different ways, but the responses can also be faked by a device
passive fingerprinting: requires sniffing; captures packets leaving the segment and takes more time; mainly analyzes ttl, window size, df and tos

tool
telnet: active stack fingerprinting
p0f: passive fingerprinting
httprint: web server fingerprinting tool, shows the server version
miart http header
active stack fingerprinting
xprobe2
ring v2
html tool:
netcraft: anti-phishing toolbar, shows the web server and host type used by a site; this is passive scanning
nmap
queso

grabbing a banner with telnet (<host> is the target to connect to; the request is followed by an empty line)
telnet <host> 80
HEAD / HTTP/1.0

tools for changing the banner
mod_headers: for apache
iis lockdown tool
servermask

hiding file extensions:
mod_negotiation: for apache
pagexchanger: for iis
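After applying a banner-masking tool such as those listed, it is worth verifying that version strings are actually gone. The following Python is added here and is not part of the original notes: it parses a raw HTTP response of the kind a HEAD request returns and reports any headers that still disclose a product version. Both sample responses are constructed.

```python
import re

# A bare product name ("Apache") is fine; a dotted version ("2.4.41") is a leak.
VERSION_RE = re.compile(r"\d+\.\d+")
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response_headers(raw):
    """Split a raw HTTP response into (status_line, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def banner_findings(raw):
    """Return {header: value} for the headers that still reveal a version number."""
    _, headers = parse_response_headers(raw)
    return {h: headers[h] for h in DISCLOSING_HEADERS
            if h in headers and VERSION_RE.search(headers[h])}


# Constructed responses: before and after masking (hypothetical version strings).
LEAKY_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                  "Server: Apache/2.4.41 (Ubuntu)\r\n"
                  "X-Powered-By: PHP/7.4.3\r\n"
                  "Content-Type: text/html\r\n\r\n")
MASKED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Server: Apache\r\n"
                   "Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("masked", MASKED_RESPONSE)):
        print(label, banner_findings(raw))
```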

……………………………………………………………………………………………

vulnerability scanning tools:
bidiblah automated scanner
qualys web based scanner: online tool
saint
iis security scanner: commercial tool
nessus
gfi languard: a commercial network security scanner for the Windows platform
satan (security administrator's tool for analyzing networks)
retina: very good reporting
nagios
packettrap's pt360
nikto: an older, open-source tool
safesuite internet scanner
identtcpscan

ps:
Vulnerability assessment tools perform a good analysis of system vulnerabilities; however, they are noisy and will quickly trip IDS systems.

……………………………………………………………………………………………

drawing network diagrams

tool:
friendly pinger: tries to work out the network structure from how hosts respond and draws their roles
lansurveyor
ipsonar
lanstate
insightix visibility
ipcheck server monitor
prtg traffic grapher: analyzes traffic

……………………………………………………………………………………………

preparing proxies

the main functions of proxy servers are:
firewalling and filtering: can be used to bypass inspection mechanisms
connection sharing
caching: the main use of a proxy

the purposes for running proxy servers are:
to help the system administrator
to help the user stay anonymous on the internet

tool
sockschain
proxy workbench: builds a connection path, relaying through free proxies
proxymanager
super proxy helper
happy browser tool
multiproxy
tor (The Onion Router): used for anonymous connections, commonly combined with privoxy and polipo
proxy finder
proxybag
proxy scanner server
charon

anonymizers
help to make web surfing anonymous
purpose: clear the browsing history regularly

tool
primedius anonymizer
stealthsurfer tool
browzar: anonymous surfing; clears cookies, history, etc. automatically every time it is closed
torpark
ip privacy
a4proxy (anonymity 4 proxy)
psiphon: its main purpose is to bypass government censorship

tool
mowser
phonifier
analogx proxy
netproxy
proxy+
proxyswitcher lite
jap
proxomitron
g-zapper: specifically clears google cookies
ssl proxy tool: connects to the proxy over ssl

http tunneling
tunneling techniques can be used to get past content filtering
tool:
httptunnel for windows
httport

spoofing ip address
using source routing

detecting ip spoofing tool:
despoof tool

……………………………………………………………………………………………

countermeasures
a firewall blocks scans to a certain degree
make os identification harder in the protection mechanisms
default ports should be changed
minimize the data exposed on public networks

tool:
sentrypc