CSCM28 – Security Vulnerabilities and Penetration Testing
Week 2 - Scanning
Jens Blanck
Jens Blanck CSCM28 Pen Testing 1 / 27
Recap and Today
Recap
Last week we considered reconnaissance:
Footprinting
Active vs passive
Everyday activities like phone/email
DNS/Ping
Google hacking
Result after stage: Documented summary of target.
Today
Scanning. Technically looking into the systems running within the organization.
Scanning
Aims of this phase
We will try to figure out:
What systems are up/down.
What services are running.
What vulnerabilities might exist.
A network map (Draw it!).
Result: A network map
[Figure: example network map; hosts labelled with the services found on them (ssh, http, smtp, ftp)]
Network Protocols
Selection of Network Protocols
UDP – User Datagram Protocol. Primarily for establishing low-latency and loss-tolerating connections between applications on the Internet. (Layer 4)
TCP – Transmission Control Protocol. Enables two hosts to establish a connection and exchange data reliably. Most web traffic. (Layer 4)
IP – Internet Protocol. Protocol by which data is sent from one computer to another on the Internet. (Layer 3)
ICMP – Internet Control Message Protocol. Status and error messages. (Layer 3)
ARP – Address Resolution Protocol. (Layer 2)
There are many more protocols, but these are fundamental to understanding computer networks. We will also come in contact with some application layer protocols later (http, pop, ssh, dns, …).
Internet Protocol (IP)
[Figure: IP header (IPv4) [1] followed by the payload]
An IP packet consists of an IP header and its payload. The payload is typically a TCP packet or a UDP packet.
[1] IPv6 has 128-bit addresses.
IP addresses
Each network interface has an IP address:
32-bit number, range: 0 to 4,294,967,295.
… which we express in human readable form by splitting into four 8-bit numbers: the famous “dotted quad string”.
Example: 10001001001011000000001000000001
10001001.00101100.00000010.00000001
137.44.2.1
A few special cases:
All zeros: “this host”
All ones: “broadcast”
127.0.0.1 – loopback or localhost: keep it local, but pretend it’s an incoming packet.
Subnet Masks
The first n bits of an IP address are the network address.
Same network address == same network [2]
Subnet mask indicates the split between network and host:
32 bits: first n are all 1s, then all 0s
Write as, e.g., 255.255.252.0 or /22
Example: [Link]/22
Network address is [Link].
Subnet mask is 22 1s then 10 0s.
So, 2^10, i.e., 1024, addresses in this network.
[2] Sometimes known as a subnet.
Classless Inter-Domain Routing (CIDR)
Routing tables hold entries of the form:
(Network address, subnet mask, link)
Routing steps:
Bitwise AND the destination IP of the incoming packet with each subnet mask in the table.
Compare the result with the corresponding network address: if there is a match, then send the packet there.
If multiple entries match, pick the one with the longest subnet mask.
Bitwise AND is just a way to say “is this host in this network’s range?”
Example: Routing
Packet for 194.24.8.50:
11000010.00011000.00001000.00110010
Match for Edinburgh (194.24.8.0/22):
Mask: 11111111.11111111.11111100.00000000
AND: 11000010.00011000.00001000.00000000
Result: 11000010.00011000.00001000.00000000
Result: 194.24.8.0
No such match for Cambridge or Oxford.
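The subnet-mask and routing steps above, carried through in code as an added example (not part of the lecture material). The packet 194.24.8.50 and the Edinburgh network 194.24.8.0/22 are the slide's values; the Cambridge, Oxford, lab and default entries and the link names are constructed assumptions, included to show longest-prefix selection when several entries match.

```python
"""Longest-prefix-match routing with dotted quads, as on the CIDR and routing slides.

Added example, not from the lecture. The packet 194.24.8.50 and the Edinburgh
network 194.24.8.0/22 are taken from the slide; the Cambridge, Oxford, lab and
default entries (and the link names) are constructed assumptions.
"""
from typing import Optional


def quad_to_int(quad: str) -> int:
    """'194.24.8.50' -> 32-bit integer."""
    octets = [int(o) for o in quad.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {quad}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_quad(n: int) -> str:
    """32-bit integer -> '194.24.8.50'."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(n: int) -> str:
    """32-bit integer -> '11000010.00011000.00001000.00110010' (the slide's notation)."""
    bits = f"{n:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_to_mask(prefix_len: int) -> int:
    """/22 -> first 22 bits set to 1, the remaining 10 bits 0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length: {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_cidr(cidr: str):
    """'194.24.8.0/22' -> (network address as int, mask as int, prefix length)."""
    net, plen = cidr.split("/")
    plen = int(plen)
    mask = prefix_to_mask(plen)
    return quad_to_int(net) & mask, mask, plen


def host_count(cidr: str) -> int:
    """Number of addresses in the block: 2 ** (32 - prefix length)."""
    _, mask, _ = parse_cidr(cidr)
    return (~mask & 0xFFFFFFFF) + 1


def route(dst: str, table) -> Optional[str]:
    """Bitwise-AND dst with every mask; among matches keep the longest prefix."""
    d = quad_to_int(dst)
    best_link, best_len = None, -1
    for cidr, link in table:
        net, mask, plen = parse_cidr(cidr)
        if d & mask == net and plen > best_len:
            best_link, best_len = link, plen
    return best_link


ROUTING_TABLE = [
    ("194.24.8.0/22", "edinburgh"),      # from the slide
    ("194.24.9.0/24", "edinburgh-lab"),  # constructed: more specific than the /22
    ("194.24.12.0/22", "cambridge"),     # constructed
    ("194.24.0.0/21", "oxford"),         # constructed
    ("0.0.0.0/0", "default"),            # constructed: matches every address
]

if __name__ == "__main__":
    for dst in ("194.24.8.50", "194.24.9.7", "194.24.3.1", "8.8.8.8"):
        print(f"{dst:14} {to_binary(quad_to_int(dst))} -> {route(dst, ROUTING_TABLE)}")
```

For 194.24.8.50 only the Edinburgh entry (and the default) match, as on the slide; 194.24.9.7 matches both the /22 and the constructed /24, and the longer mask wins.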
Internet Control Message Protocol (ICMP)
Mainly used for reporting errors within IP (e.g. by routers).
Information added after the IP header.
Many, many error codes; some common ones:
Echo reply (how ping works)
Destination unreachable
Source quench (send data slower)
Time exceeded (TTL, traceroute!)
Redirect (send elsewhere)
User Datagram Protocol (UDP)
UDP is a thin layer over IP:
Programmer says “send this data to this IP/port”.
No guarantees.
No state maintenance/connection setup etc.
Transmission Control Protocol (TCP)
TCP provides:
Stateful, reliable, connection-oriented.
Full duplex service.
3-way handshake to establish connection.
TCP code can buffer bytes, rather than sending immediately.
TCP Flags
TCP flags are the basis for most scans:
ACK – Acknowledge something (typically as a reply).
RST – Reset connection.
SYN/FIN – For connection setup/teardown (Synchronize/Finish).
URG – Packet contains urgent data. (Isn’t used much.)
PSH – Push buffered data.
Responses to flags differ, and can provide information to us.
TCP Handshake
A typical TCP session (→ sent by the initiating side, ← its peer's reply)
Establishing connection:
→ SYN
← SYN/ACK
→ ACK
Closing connection:
→ FIN
← ACK
← FIN
→ ACK
Tools and Scans
sudo
From now on, some of the commands (or particular versions of them) will need to be run as the root user (or administrator on Windows).
Easiest way to do that is to prefix the command with sudo.
Nmap
NMAP(1) Nmap Reference Guide NMAP(1)
NAME
nmap - Network exploration tool and security / port scanner
Host discovery
Port discovery / enumeration
Service discovery
Operating system version detection
Hardware (MAC) address detection
Vulnerability / exploit detection, using Nmap scripts (NSE)
Nmap Examples
nmap -sP [Link]/24 – ping scan of the given network range
nmap -v -sS -A -T4 <target> – verbose, stealth SYN scan, OS detection, timelimit 10ms (aggressive)
nmap -p 1-65535 -sV <target> – scan all ports, determine service versions
nmap -iL [Link] – scan targets listed in a file
nmap -p80 [Link]/24 -oG - | [Link] -h - – combine with vulnerability scanners
Nmap – SYN stealth scan
Open port:
→ SYN
← SYN/ACK
→ RST
Closed port:
→ SYN
← RST
Filtered port:
→ SYN
(no response)
→ SYN (retransmission, still no response)
Nmap – other scans
Null scan (-sN) – Does not set any bits (TCP flag header is 0).
FIN scan (-sF) – Sets just the TCP FIN bit.
Xmas scan (-sX) – Sets URG/PSH/FIN flags.
Probe response → Assigned state:
No response received (even after retransmissions) → open / filtered
TCP RST packet → closed
ICMP unreachable error → filtered
Can sneak through TCP firewalls (which look for SYN).
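Because these scans are defined entirely by which TCP flags are set (a bare SYN with no completed handshake, or packets with no flags, FIN only, or URG/PSH/FIN), the same flag combinations are what a defender looks for on the receiving side. The following is an added example, not from the lecture: a small detector that reads constructed per-packet records (src dst dport flags, one per line; the format and the sample records are assumptions for illustration) and reports SYN sweeps against a monitored host, i.e. many ports probed with a bare SYN that is never followed by an ACK, together with NULL/FIN/Xmas probes.

```python
"""Spotting scan traffic from TCP flag patterns on a monitored host.

Added example, not from the lecture. The log format (src dst dport flags, one
packet per line) and the sample records below are constructed for illustration;
in practice the records would come from a packet capture or firewall log.
"""
from collections import defaultdict
from typing import Optional

# TCP flag bits as they appear in the header's flags byte.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flags(flag_str: str) -> int:
    """'SYN|ACK' -> 0x12. 'NONE' means no flag set (a NULL probe)."""
    bits = 0
    for name in flag_str.split("|"):
        if name and name != "NONE":
            bits |= FLAG_BITS[name]
    return bits


def classify_probe(flags: int) -> Optional[str]:
    """Name the scan type suggested by an incoming packet's flags, if any."""
    if flags == 0:
        return "null"                     # nmap -sN
    if flags == FLAG_BITS["FIN"]:
        return "fin"                      # nmap -sF
    if flags == FLAG_BITS["URG"] | FLAG_BITS["PSH"] | FLAG_BITS["FIN"]:
        return "xmas"                     # nmap -sX
    if flags == FLAG_BITS["SYN"]:
        return "syn"                      # first handshake step, or nmap -sS
    return None


def analyse(log_text: str, monitored: set, threshold: int = 5) -> dict:
    """Report SYN sweeps (many half-open ports from one source) and flag-manipulation probes."""
    syn_ports = defaultdict(set)    # src -> ports it sent a bare SYN to
    completed = defaultdict(set)    # src -> ports where it later sent an ACK (handshake done)
    flag_probes = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, flag_str = line.split()
        if dst not in monitored:
            continue                     # only inbound packets to the hosts we protect
        port, flags = int(dport), parse_flags(flag_str)
        kind = classify_probe(flags)
        if kind in ("null", "fin", "xmas"):
            flag_probes.append((src, port, kind))
        elif kind == "syn":
            syn_ports[src].add(port)
        elif flags & FLAG_BITS["ACK"] and not flags & FLAG_BITS["RST"]:
            completed[src].add(port)
    sweeps = {}
    for src, ports in syn_ports.items():
        half_open = sorted(ports - completed[src])   # SYN sent, connection never completed
        if len(half_open) >= threshold:
            sweeps[src] = half_open
    return {"syn_sweeps": sweeps, "flag_probes": flag_probes}


# Constructed sample log: a SYN scanner, an ordinary HTTPS client and a NULL/Xmas prober.
SAMPLE_LOG = """\
# scanner: bare SYN to six ports, RST after any SYN/ACK, never completes a handshake
198.51.100.7 192.0.2.10 22 SYN
192.0.2.10 198.51.100.7 22 SYN|ACK
198.51.100.7 192.0.2.10 22 RST
198.51.100.7 192.0.2.10 25 SYN
192.0.2.10 198.51.100.7 25 RST
198.51.100.7 192.0.2.10 80 SYN
192.0.2.10 198.51.100.7 80 SYN|ACK
198.51.100.7 192.0.2.10 80 RST
198.51.100.7 192.0.2.10 443 SYN
198.51.100.7 192.0.2.10 3306 SYN
198.51.100.7 192.0.2.10 8080 SYN
# ordinary client: full three-way handshake, then data
203.0.113.9 192.0.2.10 443 SYN
192.0.2.10 203.0.113.9 443 SYN|ACK
203.0.113.9 192.0.2.10 443 ACK
203.0.113.9 192.0.2.10 443 PSH|ACK
# flag-manipulation probes against ftp
198.51.100.8 192.0.2.10 21 NONE
198.51.100.8 192.0.2.10 21 URG|PSH|FIN
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, {"192.0.2.10"}))
```

The threshold separates a scanner from a client that merely retried a connection; the ordinary client above also sent a bare SYN, but its later ACK removes the port from the half-open set, so it is not reported.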
Hping3
HPING3(8) System Manager's Manual HPING3(8)
NAME
hping3 - send (almost) arbitrary TCP/IP packets to network hosts
Advanced port scanning.
Manual path MTU discovery (don’t fragment).
Advanced traceroute, under all the supported protocols.
Remote OS fingerprinting.
Remote uptime guessing.
TCP/IP stacks auditing.
Hping3 Examples
hping3 -1 <target> – normal ping via ICMP
hping3 -2 <target> – UDP ping
hping3 -a hostname -1 <target> – spoof host, won't get a response
hping3 -S -p 80 -s 5050 <target> – send SYN packet from port 5050 to port 80
hping3 -V ... – add verbose output
Hping3 – Advanced Scans
Ack scan
hping3 -c <packet_count> -p <port> -A <target>
Used to see if a host is alive (when ping is blocked, for example). This should send a RST response back if the port is open.
Smurf Attack
hping3 -1 --flood -a <target_ip> <broadcast_network_address>
Floods a target system via spoofed broadcast ping messages.
DoS Land Attack
hping3 -c <packet_count> -s <src_port> -d <dst_port> --flood -a <target_IP(source spoof)> <target_IP>
Send a spoofed TCP SYN packet (connection initiation) with the target's IP as both source and destination, to an open port. This causes the machine to reply to itself continuously.
Smurf Attack
Generate a fake echo request containing a spoofed source IP, which is actually the target
server address.
The request is sent to a broadcast network.
The request is transmitted to all of these network hosts.
Each host sends an ICMP response to the spoofed source address.
With enough ICMP responses forwarded, the target server is brought down.
Avoiding Detection
We will not cover this in depth. But, …
Some hints:
Fragmentation
Proxies
Tunnelling
Spoofing
Tor
…
Countermeasures
Not easy!
Filtering, using Access Control Lists (ACLs), limiting which IP addresses can make requests.
Hiding/encrypting content (but hard).
Anti-spoofing rules make sure source and destination IPs appear on the correct side of the firewall/IDS [3].
In reality: careful configuration based on the above.
[3] Intrusion Detection System
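The ACL and anti-spoofing points above are easier to pin down as a concrete rule evaluator, so here is one as an added example (not from the lecture). It models a border firewall with an "outside" and an "inside" interface; the interface names, the address ranges and the rule set are constructed assumptions. Anti-spoofing is the "correct side" check: a packet arriving from outside must not claim an internal, loopback or "this host" source, and a packet leaving from inside must carry an internal source. It also drops packets addressed to an internal network's broadcast address from outside, the amplification step of the smurf attack described earlier, and applies a constructed ACL that restricts SSH to a management range.

```python
"""Anti-spoofing and ACL checks for a two-interface border firewall.

Added example, not from the lecture. The interface names ('outside', 'inside'),
the address ranges and the rule set are constructed assumptions for illustration.
"""
import ipaddress

# Constructed: the networks behind the inside interface.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
# Sources that must never show up on the outside interface: our own ranges plus
# the loopback and "this host" special cases from the IP address slide.
NEVER_FROM_OUTSIDE = INTERNAL + [ipaddress.ip_network("127.0.0.0/8"),
                                 ipaddress.ip_network("0.0.0.0/8")]
# Constructed ACL: only the management network may reach SSH.
MGMT_SOURCES = [ipaddress.ip_network("10.10.0.0/16")]
SSH_PORT = 22


def in_any(addr, networks) -> bool:
    """True if addr lies in any of the given networks."""
    return any(addr in net for net in networks)


def filter_packet(iface: str, src: str, dst: str, dport=None):
    """Return (verdict, reason) for a packet seen on interface iface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "outside":
        if in_any(s, NEVER_FROM_OUTSIDE):
            return "drop", "anti-spoof: internal or reserved source on outside interface"
        if any(d == net.broadcast_address for net in INTERNAL):
            return "drop", "directed broadcast from outside (smurf amplification)"
        if not in_any(d, INTERNAL):
            return "drop", "destination is not one of our networks"
    elif iface == "inside":
        if not in_any(s, INTERNAL):
            return "drop", "anti-spoof: inside host sending with a foreign source"
    else:
        raise ValueError(f"unknown interface: {iface}")
    if dport == SSH_PORT and not in_any(s, MGMT_SOURCES):
        return "drop", "ACL: ssh allowed only from the management network"
    return "accept", "ok"


def evaluate(packets):
    """Apply filter_packet to (iface, src, dst, dport) tuples; return the verdicts in order."""
    return [filter_packet(*p)[0] for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7", "192.0.2.10", 443),   # normal inbound web request
    ("outside", "10.1.2.3", "192.0.2.10", 80),        # internal source from outside: spoofed
    ("outside", "198.51.100.7", "192.0.2.255", None), # directed broadcast at our /24
    ("outside", "198.51.100.7", "192.0.2.10", 22),    # ssh from the Internet: blocked by ACL
    ("inside", "10.10.5.5", "192.0.2.10", 22),        # ssh from management range: allowed
    ("inside", "203.0.113.9", "8.8.8.8", 53),         # inside host spoofing a foreign source
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(*pkt))
```

Checking the source address against the interface it arrived on is what stops a spoofed smurf or land packet at the border: the forged internal source can only legitimately appear on the inside interface.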
Summary
Core network technologies: IP/ICMP/UDP/TCP.
Steps for scanning:
Looking for hosts (up/down)
What open ports
What services (fingerprinting)
nmap and hping3.
Countermeasures
Lab: Exploring the above + tools that help.
Next week: Enumeration and access