
Hacking Exposed: Network Security Secrets and Solutions
Chapter 2: Scanning

Identifying listening ports is critical to determining the type of operating system and applications in use. Active services that are listening may allow an unauthorized user to gain access to systems that are misconfigured or running a version of software known to have security vulnerabilities. Port scanning tools and techniques have evolved significantly over the past few years. We will focus on several popular port scanning tools and techniques that will provide us with a wealth of information. The port scanning techniques that follow differ from those previously mentioned, when we were trying to just identify systems that were alive. For the following steps, we will assume that the systems are alive and we are now trying to determine all the listening ports or potential access points on our target.

There are several objectives that we would like to accomplish when port scanning the target system(s). These include but are not limited to the following:

- Identifying both the TCP and UDP services running on the target system
- Identifying the type of operating system of the target system
- Identifying specific applications or versions of a particular service

Scan Types

Before we jump into the requisite port scanning tools, we must discuss the various port scanning techniques available. One of the pioneers of implementing various port scanning techniques is Fyodor. He has incorporated numerous scanning techniques into his nmap tool. Many of the scan types we will be discussing are the direct work of Fyodor himself.

TCP connect scan
This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK, and ACK). It is easily detected by the target system. Figure 2-2 provides a diagram of the TCP three-way handshake.

Figure 2-2. A TCP connect requires a three-way handshake: (1) sending a SYN packet, (2) receiving a SYN/ACK packet, and (3) sending an ACK packet

TCP SYN scan
This technique is called half-open scanning because a full TCP connection is not made. Instead, a SYN packet is sent to the target port. If a SYN/ACK is received from the target port, we can deduce that it is in the LISTENING state. If a RST/ACK is received, it usually indicates that the port is not listening. A RST/ACK will be sent by the system performing the port scan so that a full connection is never established. This technique has the advantage of being stealthier than a full TCP connect, and it may not be logged by the target system.

TCP FIN scan
This technique sends a FIN packet to the target port. Based on RFC 793 (http://www.ietf.org/rfc/rfc0793.txt), the target system should send back an RST for all closed ports. This technique usually only works on UNIX-based TCP/IP stacks.

TCP Xmas Tree scan
This technique sends a FIN, URG, and PUSH packet to the target port. Based on RFC 793, the target system should send back an RST for all closed ports.

TCP Null scan
This technique turns off all flags. Based on RFC 793, the target system should send back an RST for all closed ports.

TCP ACK scan
This technique is used to map out firewall rulesets. It can help determine if the firewall is a simple packet filter allowing only established connections (connections with the ACK bit set) or a stateful firewall performing advanced packet filtering.

TCP Window scan
This technique may detect open as well as filtered/non-filtered ports on some systems (for example, AIX and FreeBSD) due to an anomaly in the way the TCP window size is reported.

TCP RPC scan
This technique is specific to UNIX systems and is used to detect and identify remote procedure call (RPC) ports and their associated program and version number.

UDP scan
This technique sends a UDP packet to the target port. If the target port responds with an "ICMP port unreachable" message, the port is closed. Conversely, if we don't receive an "ICMP port unreachable" message, we can deduce the port is open. Since UDP is known as a connectionless protocol, the accuracy of this technique is highly dependent on many factors related to the utilization of network and system resources. In addition, UDP scanning is a very slow process if you are trying to scan a device that employs heavy packet filtering. If you plan on doing UDP scans over the Internet, be prepared for unreliable results.

Certain IP implementations have the unfortunate distinction of sending back RSTs for all ports scanned whether or not they are listening. Thus, your results may vary when performing these scans; however, SYN and connect() scans should work against all hosts.

Identifying TCP and UDP Services Running

A good port scanning tool is a critical component of the footprinting process. While there are many port scanners available for both the UNIX and NT environments, we shall limit our discussion to some of the more popular and time-proven port scanners.

Strobe

Strobe is a venerable TCP port scanning utility written by Julian Assange (ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz). It has been around for some time and is one of the fastest and most reliable TCP scanners available. Some of strobe's key features include the ability to optimize system and network resources and to scan the target system in an efficient manner. In addition to being efficient, strobe version 1.04 and later will actually grab the associated banner (if available) of each port that they connect to. This may help identify both the operating system and the running service. Banner grabbing is explained in more detail in Chapter 3. Strobe output lists each listening TCP port:

    [tsunami] strobe 192.168.1.10
    strobe 1.03 © 1995 Julian Assange (proff@suburbia.net).
    192.168.1.10  echo      7/tcp      Echo [95,JBP]
    192.168.1.10  discard   9/tcp      Discard [94,JBP]
    192.168.1.10  sunrpc    111/tcp    rpcbind SUN RPC
    192.168.1.10  daytime   13/tcp     Daytime [93,JBP]
    192.168.1.10  chargen   19/tcp     ttytst source
    192.168.1.10  ftp       21/tcp     File Transfer [Control] [96,JBP]
    192.168.1.10  exec      512/tcp    remote process execution;
    192.168.1.10  login     513/tcp    remote login a la telnet;
    192.168.1.10  cmd       514/tcp    shell like exec, but automatic
    192.168.1.10  ssh       22/tcp     Secure Shell
    192.168.1.10  telnet    23/tcp     Telnet [112,JBP]
    192.168.1.10  smtp      25/tcp     Simple Mail Transfer [102,JBP]
    192.168.1.10  nfs       2049/tcp   networked file system
    192.168.1.10  lockd     4045/tcp
    192.168.1.10  unknown   32772/tcp  unassigned
    192.168.1.10  unknown   32773/tcp  unassigned
    192.168.1.10  unknown   32778/tcp  unassigned
    192.168.1.10  unknown   32799/tcp  unassigned
    192.168.1.10  unknown   32804/tcp  unassigned

While strobe is highly reliable, it is important to keep in mind some of its limitations. Strobe is a TCP scanner only and does not provide UDP scanning capabilities. Thus, for our earlier scan, we are only looking at half the picture. In addition, strobe only employs TCP connect scanning technology when connecting to each port. While this behavior adds to strobe's reliability, it also makes port scans easily detectable by the target system. For additional scanning techniques beyond what strobe can provide, we must dig deeper into our toolkit.

udp_scan

Since strobe only covers TCP scanning, we can use udp_scan, originally from SATAN (Security Administrator Tool for Analyzing Networks), written by Dan Farmer and Wietse Venema in 1995. While SATAN is a bit dated, its tools still work quite well. In addition, newer versions of SATAN, now called SAINT, have been released by http://wwdsilx.wwdsi.com. There are many other utilities that perform UDP scans; however, we have found that udp_scan is one of the most reliable UDP scanners available. We should point out that although udp_scan is reliable, it does have a nasty side effect of triggering a SATAN scan message from major IDS products. Thus, it is not one of the more stealthy tools you could employ. Typically, we will look for all well-known ports below 1024 and specific high-risk ports above 1024.

    [tsunami] udp_scan 192.168.1.1 1-1024
    42:UNKNOWN:
    53:UNKNOWN:
    123:UNKNOWN:
    135:UNKNOWN:

netcat

Another excellent utility is netcat or nc, written by Hobbit (hobbit@avian.org). This utility can perform so many tasks that we call it the Swiss army knife in our security toolkit. While we will discuss many of its advanced features throughout the book, nc will provide basic TCP and UDP port scanning capabilities. The -v and -vv options provide verbose and very verbose output, respectively. The -z option provides zero mode I/O and is used for port scanning, and the -w2 option provides a timeout value for each connection. By default, nc will use TCP ports. Therefore, we must specify the -u option for UDP scanning (as in the second example).

    [tsunami] nc -v -z -w2 192.168.1.1 1-140
    [192.168.1.1] 139 (?) open
    [192.168.1.1] 135 (?) open
    [192.168.1.1] 110 (pop-3) open
    [192.168.1.1] 106 (?) open
    [192.168.1.1] 81 (?) open
    [192.168.1.1] 80 (http) open
    [192.168.1.1] 79 (finger) open
    [192.168.1.1] 53 (domain) open
    [192.168.1.1] 42 (?) open
    [192.168.1.1] 25 (smtp) open
    [192.168.1.1] 21 (ftp) open

    [tsunami] nc -u -v -z -w2 192.168.1.1 1-140
    [192.168.1.1] 135 (ntportmap) open
    [192.168.1.1] 123 (ntp) open
    [192.168.1.1] 53 (domain) open
    [192.168.1.1] 42 (name) open

Network Mapper (nmap)

Now that we have discussed basic port scanning tools, we can move on to the premier port scanning tool available, nmap. Nmap (http://www.insecure.org/nmap) by Fyodor provides basic TCP and UDP scanning capabilities as well as incorporating the aforementioned scanning techniques. Rarely does a tool come along that provides so much utility in one package. Let's explore some of its most useful features.

    [tsunami]# nmap -h
    nmap V. 2.53 Usage: nmap [Scan Type(s)] [Options] <host or net list>
    Some Common Scan Types ('*' options require root privileges)
      -sT TCP connect() port scan (default)
    * -sS TCP SYN stealth port scan (best all-around TCP scan)
    * -sU UDP port scan
      -sP ping scan (Find any reachable machines)
    * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
      -sR/-I RPC/Identd scan (use with other scan types)
    Some Common Options (none are required, most can be combined):
    * -O Use TCP/IP fingerprinting to guess remote operating system
      -p <range> ports to scan.  Example range: '1-1024,1080,6666,31337'
      -F Only scans ports listed in nmap-services
      -v Verbose. Its use is recommended.  Use twice for greater effect.
      -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
    * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
      -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
      -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
      -oN/-oM <logfile> Output normal/machine parsable scan logs to <logfile>
      -iL <inputfile> Get targets from file; Use '-' for stdin
    * -S <your_IP>/-e <devicename> Specify source address or network interface
      --interactive Go into interactive mode (then press h for help)

    [tsunami] nmap -sS 192.168.1.1
    Starting nmap V. 2.53 by fyodor@insecure.org
    Interesting ports on (192.168.1.11):
    (The 1504 ports scanned but not shown below are in state: closed)
    Port    State   Protocol  Service
    21      open    tcp       ftp
    25      open    tcp       smtp
    42      open    tcp       nameserver
    53      open    tcp       domain
    79      open    tcp       finger
    80      open    tcp       http
    81      open    tcp       hosts2-ns
    106     open    tcp       pop3pw
    110     open    tcp       pop-3
    135     open    tcp       loc-srv
    139     open    tcp       netbios-ssn
    443     open    tcp       https
    ...
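The flag combinations that distinguish the connect/SYN, FIN, Xmas Tree, Null and ACK probes described in the Scan Types section are also what a network sensor can key on to recognise a scan in progress. The following Python is an added example, not code from the book or from any of the tools it covers; the packet records, the flag-name strings and the five-port threshold are constructed for illustration.

```python
from collections import defaultdict

# Flag sets as they appear on the wire for the probe types the text describes.
# PSH is the PUSH flag. A SYN scan and the opening packet of a connect() scan
# look identical at this layer: both are a bare SYN.
SIGNATURES = {
    frozenset({"SYN"}): "SYN/connect probe",
    frozenset({"FIN"}): "FIN probe",
    frozenset({"FIN", "URG", "PSH"}): "Xmas Tree probe",
    frozenset(): "Null probe",
    frozenset({"ACK"}): "ACK probe (ruleset mapping)",
}

def classify(flags):
    """Map a set of TCP flag names to a probe type, or None for ordinary traffic."""
    return SIGNATURES.get(frozenset(flags))

def find_sweeps(packets, min_ports=5):
    """packets: iterable of (src_ip, dst_port, flags).

    Returns {src_ip: {probe_type: distinct_ports}} for every source whose
    scan-like packets touched at least min_ports distinct destination ports.
    The threshold is what separates a sweep from a normal client, whose
    bare SYNs go to one or two ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        kind = classify(flags)
        if kind is not None:
            seen[src][kind].add(dport)
    return {
        src: {kind: len(ports) for kind, ports in kinds.items() if len(ports) >= min_ports}
        for src, kinds in seen.items()
        if any(len(ports) >= min_ports for ports in kinds.values())
    }

# Constructed sensor records, not captured traffic: a SYN sweep of seven
# ports, a normal web client completing a handshake, and an Xmas Tree sweep.
SAMPLE = (
    [("10.0.0.5", p, {"SYN"}) for p in (21, 22, 23, 25, 80, 110, 139)]
    + [("10.0.0.9", 80, {"SYN"}), ("10.0.0.9", 80, {"ACK"}), ("10.0.0.9", 80, {"PSH", "ACK"})]
    + [("10.0.0.7", p, {"FIN", "URG", "PSH"}) for p in range(1, 7)]
)

if __name__ == "__main__":
    for src, kinds in find_sweeps(SAMPLE).items():
        print(src, kinds)
```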