Deep dive on traceroute, Firewalking, TCP traceroute and scanning

Captions
Hey everybody, welcome back. This is going to be day 3, session one of the Certified Ethical Hacker course. We're gonna pick up just where we left off yesterday, and if we take a look at the slide that we left from, it was actually on the concept of traceroute. So traceroute is a program that we can utilize to detect the paths that our packets take through a network. I think most folks coming into the class understand that, but they don't necessarily understand exactly how traceroute goes about doing this. What they're trying to show us within this slide is kind of like what's happening; I'm just gonna go ahead and do it from my whiteboard.

So one of the discussions that we get into in networking classes is people commonly say, you know, traceroute uses UDP, or traceroute uses ICMP, and it's hard to really state that either of those is true. You know, ICMP, TCP, UDP: these will operate at which layer of the OSI model? Anybody know the answer to that, which layer of the OSI model these protocols work at? And I've even had people dispute where ICMP works, but I promise it works at the same layer. Perfect, yeah, this is all going to be at layer 4, and then of course at layer 3 you're gonna have IPv4, possibly IPv6, and IPv4 is where traceroute really works.

Inside of an IPv4 header there's a field called time to live, and every time your packet goes from one router to another (and it doesn't have to be a router; you know, when I say router you might think specifically like a Cisco router with a WAN interface, but any layer 3 device that's making a routing decision: it could be a load balancer, it could be a firewall, it could be a layer 3 switch, it could be a traditional router)... Let's say that this PC sends a packet out. Whenever you put a packet onto the wire you've got a layer 2 header; typically it's gonna be your Ethernet header, and it's got a source and destination MAC address. The source is that of the PC's network interface card, and the destination is typically going to be your default gateway if this packet's headed off network. And then what happens when you make that layer 3 hop on a router is that you get a new layer 2 header. So everybody familiar with that? And again, if this was an Ethernet link you'd have a source from, let's say, router A destined for router B, and then again at the next router you'd have a layer 2 rewrite. Does this feel familiar? Eric says yeah, cool.

So every time that layer 2 rewrite occurs we're basically taking a hop; that's what hop truly means, you're moving from one network to another. And what we use the TTL for is to define a maximum hop count. Now the highest that this field can go, being eight bits, is going to be 255, so the max TTL is going to be 255 hops. Different operating systems will sometimes use 128, sometimes use 64, and knowing what we start off with with the TTL can be used later when we talk about passive OS fingerprinting. In other words, if you were to look at network traffic... you know, we talked about this passive versus active reconnaissance. I could use Nmap and I can send lots of kind of probing packets, weird packets with strange collections of flags, just to see how the remote host behaves, and based on that interrogation I could make a good estimate of, you know, that's a Linux host, or it's a Windows host, maybe it's Windows 8 versus Windows XP. I can start to kind of dial in based on how TCP behaves. That would be active because we're probing it. Passive OS fingerprinting is just passively watching traffic go by, like with Wireshark, and looking at different things like the initial sequence numbers used in a TCP handshake, whether or not the don't-fragment bit is set, what TTL you start with. There's a number of different things that you could look at in terms of just the behavior.

But for the most part, you know, we generate this TTL; it's to guarantee that if we ever found a routing loop, where one router says your destination is that way and the other router says your destination is that way, they're both just going to ping-pong the packet back and forth until that TTL drops down to zero, and at that point you get a message that comes back: this is your TTL expired in transit. So in summary, your TTL is a loop prevention mechanism, and when it times out... every time we cross a hop it goes 128, 127, 126, 125; eventually, if it hits zero before reaching the destination, you get an error message back that says sorry buddy, your packet didn't make it.

So what I love about traceroute is it's really truly hacking. You know, they took something which was just a loop prevention mechanism, and if you run out of hops you're gonna get an ICMP message back that says your message expired in transit. So if someone were to say traceroute uses ICMP, I would say yes, for the error message, and it's these error messages we use for actual path discovery. Now the outgoing packet, it really doesn't matter what you have at layer 4, does it? Because all we're really concerned with is looking at your IP header and specifically looking at the TTL field within it. This is just a hack on this operation. You see, what we do when we run traceroute is we send out IP packets but we'll set the TTL to one. What happens if the TTL is one? How far is it going to make it? It gets to the first hop, right? It gets to this router, and when he goes to make the hop, or the layer 2 rewrite from one Ethernet port to another, he decrements the TTL. When your TTL hits zero he sends back that error message saying sorry buddy, your packet didn't make it. So the way that traceroute works is we send out a packet with a TTL of one and we discover the first hop, then we set a TTL of two and we discover the next hop, then we set a TTL of three and we get the next hop. Does that make sense? How many of you just learned something? Let me know if you learned that new or if that was just something that you already knew. Just let me know in room chat; say "new" or "already". Oh, that was useful. "Already", two "new". OK, great, cool. Well, we're gonna go in layers here; we're gonna get to firewalking and TCP traceroute. Some people say it's new, some people say they knew; I love it.

OK, so let's go ahead and we'll build on this a bit. All right, so that's just regular little traceroute. Now let's get a little bit fancier with it. There's a technique in networking called PBR, and it's not Pabst Blue Ribbon beer, it's policy-based routing. What that means is when a packet comes in (you know, I draw my packets as envelopes), what we normally do is we look at the destination IP of a packet, we look at a routing table, we make a forwarding decision. Policy-based routing is looking at more than just a destination IP address. We could look at the source; we could also look at the layer 4 header, which is very much like an envelope as well. It's going to have source and destination port numbers, at least if it's a TCP or UDP packet. So using policies, service providers, hotel networks, you know, anybody providing network services to, say, the public or to users could apply different policies. What I mean by that is they might send your DNS traffic in one direction, they might send your HTTP traffic in a different direction, and they might send your SMTP traffic, for when you're trying to send mail out, in a different direction. Does that make sense? So you basically have an if-then agreement on your router that says hey router, if you see packets destined for TCP port 80, set the next hop to some other destination. So this is ultimately more specific than if you were to just use traditional destination routing.

So what's cool about this is when performing traceroute we can detect the hop-by-hop paths we take through a network when performing TCP traceroute, and this is why I'm always hesitant when people say well, what does traceroute use? I say well, it uses ICMP for an error and it uses IP to elicit the error, but you can get fancier using TCP traceroute, which you can install on all the different UNIX distros, whether it's Linux, OS X, etc.; there's typically a build for this. I can do a traceroute which says, you know, hey, show me the path that I'm taking to get to this destination IP address on port 53, and I could say show me the path that I'm taking to get to that destination IP address on port 80. And what this gives you the ability to do is kind of look through the network that you're going through (we call that the transit network) and we can discover policies that are being applied to your traffic. Is everybody comfortable with that? In summary, TCP traceroute can be used to discover the path that specific traffic flows are taking. This is really useful if you want to see if your web traffic is being redirected through some type of proxy that you don't know about. I had a situation where I had to figure out that email traffic was being relayed through an additional agent. It was kind of neat: if I did a traceroute to my house for HTTP it was 11 hops; if I did a trace to my SMTP server it was 4 hops. I was like wait a minute, what's going on here? And it was like they were taking my traffic through some type of tunnel or something, but I could notice that I was going through a completely different path to get to the same IP address on a different port number. You wouldn't normally know that. So TCP traceroute is an enhancement to traditional traceroute that allows us to detect various paths. How are we doing on a scale of one to five, five being you're feeling really comfortable, one you're completely lost? How's everybody doing? Five, awesome.

All right, we're gonna go one level deeper. Then we're gonna introduce a concept called firewalking, and this isn't something I use real often, but it is something that typically comes up on the test, so we want to understand it for testing purposes. Firewalking is using traceroute to determine what's happening behind a NAT gateway. So for example you've got the internet; connected into the internet is a target's firewall. On this firewall they're probably performing network address translation, and more specifically they're probably doing network address translation with port numbers, so they sometimes call that NAT-PT, or simply PAT, or port forwarding. In other words, we listen on port 80, and if it comes in to some public IP address (and I'll just use Google's DNS server for example, 8.8.8.8), if it's coming in to 8.8.8.8 on port 80 we're going to NAT it and put it to the internal IP address of 10.1.1.80, and again we'll forward it to port 80. So far so good. Now the thing that's interesting is a lot of times organizations will do this for multiple services, so you can have a single IP address that's public and you could use that single IP to NAT to two different services. For example I might have a SharePoint server on Microsoft Windows, and that's where I'm forwarding people to, and if you were to come in on port 53 I'm gonna send you to my BIND server for DNS, and this is actually 10.5.5.53. So assuming a /24 mask on each of these networks, what's going to be happening there is that even though we're listening on the same public IP we could go to two different internal addresses. Is everybody comfortable with that? Cool.

So let's say that we plug into a switch. Our switch could plug in directly to the DNS server, but before you get to the web server you may have a device like a Blue Coat proxy or some other type of web application firewall, or maybe an F5 load balancer. Well, this would be an additional layer 3 hop, and what he might be doing is taking this IP address of 10.1.1.80, and this could even be multiple hops, right? You could have another VLAN, so we take a hop across, you know, from one VLAN to another, and then when you get to that device he may be load balancing or proxying in some way. So firewalking is the process of using TCP traceroute, which we just learned, and we're going to the same IP address (in this case I just made up the IP of 8.8.8.8), and I see that if I connect there on port 80 maybe it's 11 hops, and if I connect there on port 53 it's 9 hops. So what this would indicate is that beyond the NAT gateway there's going to be some type of internal filtering that's happening. Does that make sense? There's some type of internal device that they're passing you through; there's another hop inside of the network, and we're figuring that out by looking at the TTL. Everybody still feel comfortable? Awesome, we're doing great, man. Very, very cool.

Now I'll show you one last thing. This is a little bit tricky. The number one firewall in terms of, not performance, but just the number of units deployed is Cisco ASA. So you might like Palo Alto, you might like Check Point, but there's a lot of these boxes out here. A lot of guys that come to my ASA class come to the ASA class and they bash ASA, and they say Check Point's the best firewall. I go, what are you doing here? They say well, we bought Cisco because it's cheap, and in comparison Cisco is cheaper than a lot of the other vendors; that's why some people use them. I think it's funny, but statistically you have a very good chance, if you're doing a penetration test or audit, of encountering an ASA. Since we're on the concept of traceroute, what you want to know about is that when you go into an ASA and you look at the way he handles traffic... that's not gonna let me do it like that; let me create a new policy real quick. Whenever the ASA passes IP traffic (I'll just match any packet), he does something that's a little nasty, and that is he doesn't decrement the time to live. So we just learned that whenever a device crosses a layer 3 boundary, so you go from one network to another network, we've got the layer 2 rewrite and we decrement TTL. Well, the ASA by default tries to behave in a stealthy manner and he doesn't do this. If you want him to, you have to identify a traffic flow, like traffic from the admin network going anywhere, and I would say for that particular traffic, decrement TTL. But by default he doesn't do that.

Another thing, since we're on the concept of TCP fingerprinting: when looking at two applications, you know, when a TCP session comes up we have a three-way handshake. The whole reason for that three-way handshake is to negotiate initial sequence numbers, right? I'm going to start counting at 1025 and you acknowledge that, and then you send me a SYN that says you want to start counting at the number one, I acknowledge that, we're good to go, we can now send data back and forth. Our data is basically going to have a number on it, a sequence number that says this is where it goes within the flow, so if we have asymmetric routing and we've got any type of load distribution and packets arrive out of order, we can use the sequence number to put them back in order. Well, the ASA does something kind of freaky as well; it's called TCP sequence number randomization. So if you try to do a three-way handshake with a device that's behind the ASA, he's gonna fuzz those numbers. You know how we do NAT? He's basically NATing, which is just a rewrite, but instead of doing it in the IP header he's doing it in your TCP header on the sequence numbers. So if you're trying to probe a server and you're using Nmap and you're using OS detection, if that server's behind an ASA and your OS detection is relying upon TCP initial sequence numbers, this sequence number randomization is gonna scramble that detection process and give you bogus results. Just some kind of behind-the-scenes info.

So we talked about traceroute, which we opened up with. We said this is a way to detect a path; it's based on receiving ICMP error messages back. Those ICMP error messages are gonna be sourced from a router, and we're basically learning who it is, right? So if our first router's named router 1, router 1 sends us an error message back and I go cool, that was the first one, this IP address. What was the next one? What was the next one? So we figured out traceroute. We said TCP traceroute will show us policy-based routing that's occurring inside of an organization, so if certain traffic is being redirected through some type of inspection engine we could detect that. You could even detect it behind the firewall through tools, or a process, called firewalking. Cool, so that was firewalking. The last piece I showed you was the ASA, which is, you know, one of the most popular platforms for firewall solutions; it does TCP sequence number randomization, which is gonna make your OS fingerprinting a little bit unreliable, and it also doesn't decrement TTL, which is going to make your traceroute a little bit less reliable. And also realize that it could be turned on if the administrator created a policy to do so, but it's not on by default. Just good things to understand about traceroute.

All right, that's a whole lot of traceroute. Was that cool stuff or not really? We're still in the process of, you know, just kind of learning how to map out an environment. We're looking at footprinting. You know, when you think about footprinting, this is what the bank robbers do before they rob the bank. They want to know where the security cameras are, they want to know what time the armored truck shows up, they want to know how many tellers are working, when they take their lunch breaks, is there a guard on site. It's just putting together that information so you can have a more successful attack. When you look at a traceroute analysis, what you're basically seeing is the sequence of events between the attacker and the victim: which hops are we crossing, which types of devices. Now typically your traceroute output is going to be based on just a command-line tool; you're going to see a series of IP addresses returned. There's GUI tools as well, like VisualRoute, and we'll actually do a GeoIP lookup on each IP address and build you a graph showing you, you know, geographically where you're connecting through. There's another utility for traceroute called MTR, and if you haven't used this, it's very, very useful. MTR is traceroute and ping all in one, and it keeps running in a loop again and again and again. This is a little bit better for network troubleshooting, but you can use this if you actually do get into a target. So here's the attacker, here's the victim. If you are installing software on that victim system and you want to see the return path, you might do a traceroute from the victim to the attacker and compare that to the traceroute from the attacker to the victim, and many times you'll see that you have asymmetric routing, which indicates you've got some other type of device sanitizing outbound traffic that could be looking for certain types of threats or call-home procedures that are being used by a backdoor or rootkit. So understanding what's happening with your network traffic is extremely valuable. MTR is an excellent utility; not only does it show you traceroute, but it also shows you latency on a per-hop basis.

Footprinting through social engineering: this is going a little bit further, but this is talking to people and conning them into giving you more information. As far as what you should know for testing purposes, and I guess just real-world: shoulder surfing is simply looking over somebody's shoulder, trying to detect what they're trying to monitor, what they're typing in. Dumpster diving is just going through their trash looking for anything that's been thrown away, maybe backup CDs or pieces of paper with IP addresses or passwords written on them. Don't have a lot to add there. We talked a bit about social networking sites yesterday, Facebook, LinkedIn, Twitter, etc. I think most of that's pretty obvious regarding what you can get.

Now the key that we're starting to see, or the pattern that we're starting to see at this point, is that there's a ton of information out there and we just need a good way to collect and organize it all, especially if you're working with multiple people. If you've been working with lots of other folks, you're probably doing the same types of scans and collecting the same type of procedures again and again, so you could use a framework to organize that. One framework that you can use between multiple pen testers (it's not covered in the class, but it's a good one to know about) is called the Dradis framework, Dradis. Alternatively you can get all this information and, you know, some people just throw it into like a Pastebin file or text file. Other people like to visualize it; there's an application called Maltego. If any of you guys have had an opportunity to mess with this yet, just let me know in room chat if you have. Maltego has the ability to take in information like an IP address or a company name or an individual and run transforms against it. What a transform is is an operation that tries to resolve other data, such as taking a hostname and turning it into an IP address, or taking a person's name and seeing what domains they have registered or companies they have registered. This tool, you'll supply it a piece of information, like my name, Ryan Lindfield, and then you could say what domains does Ryan Lindfield own, and then you can say what businesses is he involved with, where's he geographically located. And these transforms are just different types of lookups, but as you build them it creates lines and connections between different related entities, and then you can run transforms against those entities. So I could say, for example, show me websites that have stormwind.com involved. So it does a bunch of lookups, comes back with a couple of websites; I say resolve these to IP addresses, and it might say we had eight different hostnames but they all resolved to the same IP. Or I could right-click on the IP and say show me where that's geographically located. Oh, OK, cool, and you just put that data to the side. Now you can come back to your stormwind.com and look at it; you can say who owns stormwind.com, and it could say Tom Graunke. You can right-click Tom Graunke, who's the owner, and you could say what are the organizations he's involved in, and he could do lookups and it could say he owns these other domains. And I go cool, what IP addresses do those resolve to? Different IPs. Where are they geographically located? Same data center. So it gives you ways to just look up tons and tons and tons of information and then visualize how it's related. Does that make sense? There's a community edition of this tied into the new version of Kali. A new version of Kali is coming out, I think August 12; it should happen after DEF CON, and it's gonna have a community edition of this built into it.

All right, so footprinting countermeasures. So this is pretty dangerous. Has anybody googled themselves? Lots of information about you out there; maybe it's valid, maybe it's invalid; anybody can find it. Well, one of the easiest countermeasures to these footprinting attacks is putting out information that's bogus. So if somebody is trying to look up information on you, let's just give information that's misleading. We can have fake names maybe registered under our domain, right? So if you do a domain lookup for me, maybe there's a real technical contact or administrative contact, but the other two names are bogus, and if anybody ever calls asking for those names I'd immediately know that that was something that, you know, is no good. Alternatively there's a lot of things you could do along the lines of misinformation. One that I've done in the past that I think is kind of fun: let's take a look at DNS mining for a second. Come over here and let's cancel out the ASA and... OK, I have about a dozen different passwords, so when things don't work... ah, this one. All right.

So one of the things that we can do when we're footprinting, one of the first places to start, is a DNS scan. There's a Perl script for this that's built into Kali called fierce, and you don't necessarily have to use a Perl script; you can do DNS mining just by writing a pretty simple Python script and referencing a word list and doing a bunch of recursive lookups, and you can even multi-thread it. If you're interested in learning how to do that, there's a book called Black Hat Python that really walks you through this: here's how you make a four-line Python script, here's how we add two more lines to make it more powerful, here's another two lines to give it some sorting, and before you know it you build a full-blown program. Fierce is just a Perl script that someone else wrote that gives you the ability to do DNS mining. What that would look like: we can do fierce -dns and we can do a lookup against stormwind.com. So this is one of the things that people will do, you know, when they're trying to map out an organization, and here you see like there's a sales, there's a www, promo.stormwind.com, there's server.stormwind.com, staging, and you see the relevant IP addresses here, right? So why would anybody go to, let's say, test.stormwind.com that isn't involved in the organization, or thevault.stormwind.com? That looks enticing; we might want to click on that. Well, if you want to protect your organization you could just put some bogus assets in here that aren't really being used, and when you come over here to the IP addresses that they point to... well, there's various... let's just bring up Chrome real quick, and you can type "do not scan list" and you'll find IP addresses that belong to different government agencies, and here they're just showing you entire class A blocks. So MacDill Air Force Base, that's right up the street, so this would be located in Tampa, Florida. So I can start creating assets for my company. It's mycompany.com; I can have thevault.mycompany.com located at 126.216.115.34, and what that's gonna do is hit the /16 network that's assigned to MacDill Air Force Base. Anybody else know what else goes on at MacDill Air Force Base besides golfing and an airshow? Some of you guys were local, right? This is where Central Command, SOCOM and Cyber Command run out of. So if somebody's probing me, I don't have time to chase down every attacker. I've drawn pilots, all that type of stuff. I don't have time to chase down everyone, but if part of, you know, the attacks that are coming in at me are also hitting a military base, maybe they've got somebody else looking at them. So what you could do is just create additional DNS A records that provide information that looks like it would be promising but is pointing to perhaps other people's networks. Now that's not really ethically the best practice, but you could put misinformation out there for other people to find; it's just extra data that they've got to sort through.

All right, so additionally you could just kind of limit what information you put publicly, not disclosing, you know, the particular features or services that you're using in the organization. One of the things we talked about was job sites, right? We said on a job site, if you post an opening and you say somebody must know Cisco ASA, Sourcefire IPS, ArcSight, they're going to know exactly what you're using if they wanted to attack your SIEM. SIEMs have vulnerabilities as well, so they would know what they could use. If they could find it, they would have known all right from the login screen, but it just gives people additional information. The flip side of that, which is pretty neat, is targeting recruiters. This was something I heard from somebody in my DEF CON group. By targeting job recruiters, if you can get your hands on all the resumes... they have an internal database where they stick all the candidate resumes in, and those resumes are in a searchable format. So as an attacker, if you were able to compromise someone's account to get access into a resume database, you could look through employees' previous job history, right? So let's say that I was targeting Disney World and somebody used to work at Disney World. It would say, when I worked at Disney World I was responsible for the maintenance and administration of F5 load balancers, you know, we had a big Citrix environment, we did this and this and this. So they'll put it into the resume. So people's existing resumes, which you can also look for online, could disclose information about a target.

So that's probably enough fun footprinting; let's start working towards scanning. All right, let me just pop back over here for two seconds. How are we doing so far, guys? Any questions? How's the pace? Good so far? Any questions? Are we still having fun? I hope everybody's learning a little bit, right? There's, you know, almost 20 people, so we've got different backgrounds; I hope I'm going at a good pace.

So let's take a look at network scanning, the baseline of network scanning, thinking about public subnets. When we do network scanning, the first thing that may come to mind is like a ping sweep. So an ICMP echo request just says hey, are you there, and somebody comes back with an echo reply. What's the problem with ICMP echo request and echo reply? How reliable is this today, 2015? Um, it's pretty reliable, it's ping, but you may have a host that's up that just simply doesn't reply. ICMP could be filtered. So the way that it used to work historically was you'd script all these attacks. You'd say do a ping sweep of this subnet, and then you take the report for all the hosts that are up and you'd feed that maybe into a text file, and then use that text file as a source for the next line in the script that says, you know, go ahead and do a port scan against everybody that replied to this ICMP echo request, and then if these ports are open maybe you launch attacks or you try to do, you know, login attempts against those ports. So at the beginning of the script the first thing it checked for was an echo request. If you didn't reply to that echo request, your name or your IP address really wouldn't wind up in the text file of devices that get the port scan, which wouldn't wind up in the attack script that, you know, is this port up and we're going to try to log into it. So what people started doing years ago was blocking access to ICMP.

So what you can do today is kind of neat, even on some network hardware. Let me see if I've got mRemote installed. I do. So when you ping (and again this is going back to an ASA), look at this: did you know you can ping using TCP from some Cisco devices? And the idea is if you type ping, by default it'll use ICMP, but you can also do a TCP ping just to get around this. A TCP ping is simply sending, you know, if we suspect the service is open, we send a TCP SYN to a common port like 80 or 25, or 445 if it's a Windows host, or 443, and the idea is that that may get a SYN-ACK where the ICMP would just be discarded. Any questions on ping versus TCP ping? Ping doesn't always work; as an alternative you can do TCP ping, but you've got to have a good port. A ping sweep is simply going to every IP address within a range, seeing who's up, and Nmap is a common utility for this. What did we learn a couple days ago about Nmap doing a ping sweep to a local subnet? How is that different from a remote subnet? Anybody remember? I showed you guys this on Monday. I did a ping sweep of my local subnet and I was using Wireshark looking for ICMP traffic, and I didn't see any. Perfect: if it's your local subnet he doesn't send ICMP, because he can send ARP. There's a utility called arping which you can use to do the same thing; it's just neat that Nmap does this by default. If it's the local subnet, using ARP is going to be more reliable than ICMP, so we just have to have a device that's on that local subnet. Other ping sweep tools: there's a utility for Windows called Angry IP Scanner; it runs pretty quickly and aggressively, thus the term angry. It also will sort of tell you the hostname and try to determine what ports are open, and can resolve the MAC address if it's a locally connected subnet. And then within SolarWinds, this is a network toolset; there's a capability to do things like ping sweeps as well as an SNMP browser.

So let's take a look at TCP, moving away from ICMP. We know that TCP uses a three-way handshake to establish a connection. The reason we do that: we send a SYN, which is short for synchronize, and it says I want to start sending you data and I'm going to start with the sequence number at 10. What the responding device, in this case our server, does is he acknowledges our sequence number with an acknowledgment of 11, and he tells us I'm going to use sequence number 142. So this is why you send a SYN, you receive a SYN-ACK: that's an acknowledgment to your SYN, or synchronization request, and they're sending us a SYN saying this is the number that I'm going to count with, 142, and then I acknowledge their 142 with a 143. So far so good; we're just building in layers here. So when you look at TCP, he's different from UDP. One is the fact that he's got this sequence number that we have to calculate. Why is that? Well, we have guaranteed delivery. If something doesn't get to you, you can request that I retransmit and I'll go ahead and do that. Every packet that I'm gonna send you is gonna have a number, and we know whether it got there or not, making it very reliable. Now TCP has different communication flags for whatever it is that we're trying to do. The common ones that we know are SYN, SYN and ACK, because that's what's used to set up your session. At the end of the session you'll see a FIN and a reset. So FIN says I'm done communicating, and reset tears it down. Additionally, this should be ACK here. Additionally you've got a push, which says send all of your buffered data immediately, and you have urgent, which is a flag that says this should be processed immediately. What that boils down to is you've got a TCP header that looks something like this, like source and destination port numbers, sequence numbers, acknowledgments, etc. Within here are TCP flags. The reason we care about these TCP flags as an attacker is because different systems have different TCP/IP stacks, and by sending these flags out of order... remember that TCP is a standard; there's an RFC that defines how it works, but still, when people, engineers, read these RFCs they sometimes interpret things differently and just do things a little bit differently. So as attackers we can look for differences in different vendors' TCP/IP stacks, and that's what we use to identify what the operating system is.

So you can use a custom packet crafting utility to basically send a TCP packet, and we can fraudulently populate these flags. So if I want to spoof a packet and say that it's coming from a different location, like Google's DNS server, I just fill out the source IP address and say that should be 8.8.8.8. When it comes down to my TCP flags, I can turn them on and off with a mouse click. The reason that you might want to do this is just to probe different devices and see how they behave. I've created a pretty large number of different denial of service attacks against network infrastructure, IPSs, firewalls, switches, routers, all just coming in here and creating conditions that shouldn't normally be possible. You know, they'll say things like you can never have a packet that has all the flags set at once. I go sure I can, and I can set every TCP flag on. And they can say, you know, the source address should never be a broadcast address. Well, sure, I'll just put the source address as 255.255.255.255, and then, you know, you send it to a device and you just see how it behaves. Some devices don't know how to handle it and they'll crash, and that's simply a denial of service condition. I talked a little bit about this, and I did a talk at BSides called Igniting Firewalls, and I didn't actually release any zero-days because I might want to work at Cisco some day, but I talked about what I did to find those types of vulnerabilities. So if you go to YouTube and type "Igniting Firewalls" you can see a bit more about that. As far as the scanning tool, your de facto scanning tool for ping sweeps and port scans is going to be Nmap. It can not only determine that the host is open
it can tell you what services are listening it can try to identify the services that are there it can determine the operating system and it even has some light capabilities to do vulnerability scanning HP and HP to our custom packet crafting utilities they run from the command line and once again this gives you the ability to set the attributes that you would want inside of a tcp/ip packet so I could say I want to use these flags one this is a source IP address this is really handy when you're trying to make custom packet conditions that shouldn't normally exist or if you wanted to spoof a bunch of packets and make them look like they're coming from somewhere you can build the packet with H ping which is a little bit of a pain the arguments for it aren't that intuitive so it might take you you know ten minutes of putzing with it to create the single packet that you want the cool thing is you could capture that packet with TCP dump or Wireshark and when you do that it'll just output it as a pcap file once you have that packet capture file which is just like a text file or a JPEG or anything else you could replay it with TCP replay which is a third utility TCP replay lets you take a peek app file and send this you know whatever those power are out onto your network interface so I'll typically build the custom packet with hpe I do all my experimentation there once I'm done I'll capture it and I'll just use TCP replay to use that same pack in the future or you could just copy the string or argument that's used to a text file so let's take a look at scanning techniques this is something that's been a heavy testing point over the years with ceh see if I've got slides on each of these yeah so there's different scanning techniques we're going to talk about like send scans Christmas scans fin scans etc and these are going to build in complexity so the most common scan type that we do is call the TCP connect also known as a fuller open scan basically you send a syn to a 
service on a particular port if you send a syn ACK we can come back with an ACK and reset in other words or basically just connecting to that device and we want to see whether or not it's open and they actually describe this wrong in a slide yeah kind of so I'd ignore the reset for now we do tear it down but we do actually complete the three-way handshake let me show you the difference in a TCP or full connect scan three-way handshake is completed meaning you send the syn you get the syn ACK and you send an ACK and then after the ACK it's torn down but the three-way handshake did complete and what we call a stealth scan or a half-open skin you send a syn and when they send a syn ACK back to you you tear it down so in that sit in that scenario the three-way handshake did not complete is everybody okay with that you see the difference we didn't complete the 3-way handshake versus we did when they first introduced this they said here's this new stealthy thing we can do to not show up as having built a full connection in the operating system locks and we go oh that's clever but they were talking about this like publicly so you know a couple weeks later all of your IDs vendors have signatures that say when I see a syn a cynic followed by reset this is a stealth skin so in most scenarios the stealth skin will actually get logged and create an alert on an IDs we're a full connect scan will not they don't tell you that in the book as far as the book and the tests are concerned this is what you can use to bypass firewall rules and logging mechanisms and Hydra traffic but in reality this is probably going to make more noise than a full connect scan a Christmas scan is where we send a TCP packet and it's got the fin urge and push flag set and we say it's lit up like a Christmas tree well this won't work against current versions of Windows but it will work against versions of Unix the idea is when you send it to a server and a port is open you don't get a response but if I 
send fin urgent push to a server and I receive a reset it means the port is closed so this is called inverse scanning a lot of times what would happen is we might do a Christmas scan against the collection of ports from let's say like 21 to 25 that's pretty juicy and what happens is you only get a response which is going to be a reset for port 24 if that's what happens if this is my skin and this is what comes back which ports were listening all but 24 perfect so 21 was listening what's port 21 for I'm gonna ask you 22 23 and 25 so let's see 21 is going to be FTP 22 is gonna be asked to say CH 25 is gonna be SMTP for Simple Mail Transfer Protocol 23 is gonna be telnet we should know this type of stuff for the test though not only is a great bar talk the ladies love this stuff but also definitely testable alright so a fin skin the thin skin is where you send a fin and if the port is open no response if it's closed you get a reset fair enough doesn't work against windows works well against UNIX now is that always the case not really let's talk about why if I know that a server is a linux server how would I know that well I don't know I went to I connect to the server on port 80 I get an apache greeting screen that's kind of like the default installation and it's got something there that hints to the Box being Linux I could go okay since I know that this is a linux server a fin scan should work right so if I send a fin to port 80 and it's open I shouldn't get anything back if I send a fin to 81 I should get a reset because it's closed agreed just taking what we learned in the last slide and applying it to a new situation if I've determined that the box is a Linux box I can use this fin skin and this should be the result well a lot of times what people will put in front of their webserver is a what like if the internet is here and the web server is there what might be in the middle do we just plug it in directly good firewalls well there's all different types of 
firewalls may be reverse proxy who knows so our question could be what type of firewall is this now I don't mean as a checkpoint or Palo Alto I'm asking is it stateful packet inspection or is it a simple packet filter what's the difference well packet filtering is what we see with the typical router when someone wrote an access control list and they're doing port filtering all that an ACL does is look at the packet it looks at the layer 3 in layer 4 envelope meaning it looks at IP addresses and it looks at port numbers and if it sees things it likes like port 80 let it through if it's not port 80 to drop it so packet filtering just does this stateful packet inspection of course still uses ACLs but it also performs as the name suggests stateful packet inspection in other words he looks at the TCP sessions and you have to do a three-way handshake and once you do a three-way handshake that connection goes into a connection table and is going to be monitored this isn't any type of bleeding edge technology but it's a major difference between simple packet filters which people still use and a modern firewall if something is doing stateful packet inspection it could possibly be doing deep packet inspection which says if you see something at layer 4 let's say this is a TCP header and it's going to port 80 open up the contents and let's look at that payload our layer 5 through 7 and he can use an HTTP inspection engine possibly like this is what your your a sa a checkpoint in Palo Alto are going to do so I can expect that a target is going to have a firewall but I'd like to know is it a really crummy just very simple packet filter firewall where is it stateful packet inspection I can determine that pretty easy using this type of scan can you imagine how how would is stateful packet inspection firewall deal with the thin scan it'll drop it because he didn't see the three-way handshake first says did we see a three-way handshake no silently drop it so you'd never get the 
reset so using things like axe cans or fin skins is when you just send an individual AK or a fin or even a syn ACK and you're just trying to get a reset and if I think there's a firewall or some type of device in the middle which remember these guys try to be slick he's not dropping the TTL to try to hide his presence but by testing for stateful packet inspection I can go cool we've got a device in there that's looking a little bit closer let's be more careful so some of these tools are great because they can be used to say okay that's a Windows host or a Linux host based on how it handled this particular message but it could be like oh you know we could think it was a Windows host when it was really Linux because stateful packet inspection was dropping this a null scan is super easy to remember if you get a question on this on the task this is like free points what what flags are set in a null scan no flags it says I'm going to send you a TCP header with no flag set you go that shouldn't happen and I go well we're just doing it to see how the remote host behaves and it's one of the situations where if the port is open you don't get a response if it's closed we might get a recenter ACK all right we've got how are you guys doing everybody keeping up feeling energized your brain doesn't hurt yet I hope do pops doing good okay awesome Jake everybody's keeping up all right here is where we're gonna do some packet kung-fu all right so let's say that there's okay so when I want to scan a system let's say that I'm in my I'm on a wireless network at the airport and I want to look around and I see that there's let's make this interesting I'm on the public Wi-Fi at the airport and I know that there's a router dot one but I'm curious what services the router is running you know you've got all these people hacking airplanes now and FAA doesn't have much of a sense of humor so when we look at you know probing Wi-Fi networks in an environment where they could actually be 
watching for things like port skins you might want to be really really careful about what you do so what we could do to do a port scan but not have it come from us is find what do they call the is it a patsy that they use in the financial scams kind of like the clueless guy that doesn't really know what's going on you find your patsy you find you're kind of clueless host so here we are we're on a network and maybe somebody's smartphone join the network or their tablet but it's not really doing anything so if I can go OK dot one is the gateway I've got a hunch that somebody might be monitoring this that they may have some type of logging engine that's watching for scans so what I could do is bounce a scan off somebody else I could just do some regular ARP and I can pace it out slowly slowly is what's going to keep me from being detected so just aren't for different devices in my environment maybe sending out one ARP to a different IP every minute shouldn't look suspicious at all IP addresses shouldn't be changing that often what I can do is use ARP to learn an IP address two MAC address mapping what's neat about that is by looking at the MAC address a MAC address is 48 bits in length the first 24 bits are called your organizational unique identifier it lets me whether it's an apple or Samsung or you know Nokia tablet whatever so by looking at art cache I can identify different terms types of devices and then I can find one like you know say an iPhone and I go I don't think anybody's got a port scan engine alight like a monitoring agent on their iPhone no type of software firewall so I can look for some commonly open ports on an iPhone I know it's an iPhone based on the o UI and if there's a TCP service that's listening I can send a syn and he's gonna send a syn ACK agreed at least if one port any port is listening maybe it's a discovery service could be TCP or it could be UDP no we're gonna get a little bit deeper into packets we talked about the IP header right I 
said the IP header is just an envelope let's take a look at it come over here it's pop-up Wireshark and I'm gonna show you a pretty neat utility you know this is something that it's not update right now this is something that that gives you the ability to do stealth scans it's a little complicated but it's very cool so I've got a bunch of traffic going on cuz I'm streaming my desktop so I'm going to stop this and what we want to look at our packets coming from one computer going to the next and when you look at packets in Wireshark if you're not familiar with this you've basically got three major windows the top window which is this kind of purple window that I'm moving the mouse and up and down over is gonna be our packets over on the left-hand side since I started my capture I got 30 mm see the number and you see how it increments and the time shows you how long the pack the capture was running so ten point two seconds into my capture this is what I saw here's source and destination so that's just a collection of packets when you highlight them you can look at the details below here's your Ethernet header which is later - here's your IP header which is your layer 3 head a source and destination IP here's your TCP header which is layer 4 so it takes all that intangible stuff and it actually just lays it out for us really pretty now what's cool this is we can look inside the IP header and get to know it a little bit better one of the things your IP header has has an IP ID I imagine some of you guys have seen Wireshark before how many of you are familiar with the IP ID I'm curious because some people are going what the heck are we getting into here and other peoples that might say of course yeah the IP ID look at it all the time I don't know anybody familiar with this nope this is pretty neat this is something that goes on in every single packet that you know going on on the Internet right but what's neat is look at the numbers one six eight zero seven if I go to 
the next packet one six eight zero eight the next packet one six eight zero nine I hope and it was one six eight ten once it and then it jumps all the sudden but that IP ID was a response coming from someone else it was from 63 back to 62 and if we looked at his responses see all these messages coming back from 63 see how they go in order so all the packets that are going in order that are part of the same flow are gonna have the same ip ID if that target that I was talking to was talking to a bunch of different people at once imagine BitTorrent right you could be talking to tons of people you may not get that sequence of one packet after another after another that's why we call this type of attack in idle scan watch how this is going to work I'm on the airplane or I'm at the airport and I scan and let's say that I hit somebody's iPad and it's not really doing anything they're just reading a PDF so I can send a TCP syn or I can send a UDP message that elicits a response and then when the response comes in I can note the IP ID does that make sense so I'm just checking that target to see what his IP ID is why on earth would I do that because if there's an Air Marshal I want them to come talk to that guy and not me watch how we're gonna do this what we're looking at is a concept called an idle scan it's based on the fact that most networks services listen on TCP port such as web servers on port 80 ml servers on port 25 a machine that receives an unsolicited syn ACK what does that mean it means you weren't talking to anybody when should you get a syn ACK when you set out a sin but here's the thing you didn't send one out so if your computer gets an unsolicited syn ack means a syn ack from somebody you weren't talking to you respond with the reset so you said I wasn't talking to you and if that was my computer that route that I got the reset I don't need to respond to that does that make sense why I wouldn't need to respond to it if anybody's lost at any point just say 
lost let me know where to start over so if I get a cynic and I wasn't talking to you I'm just going to respond with the reset so one way to determine whether a server is open or a port is open or closed is by sending a syn and we get a syn ACK every IP packet on your internet on the internet on your local network wherever has an IP ID this is used for fragmenting packets if I fragment packets and we need to reassemble them later that IP ID says which pieces go together the target machine will send back a cynic if the ports opened in a reset if the port is closed your operating system increments the IP ID for each packet sent so what we're going to do is probing for IP IDs and we're going to be able to scan somebody without our IP address showing up in their logs watch how this works the first thing that we do is the attacker target somebody else this zombie is gonna be lets say an iPad how did identify him through a nice slow ARP scan I had you know a four hour flight had plenty of time to discover the network so I send a syn ACK to the zombie that iPad when he responds with the reset I can look at its IP ID number and write it down any question to that or and any questions on that so again we send a syn ACK packet to the zombie every packets going to have an IP ID when the zombie didn't expect the syn ACK he responds with the reset de closing his current IP ID and we go ahead and we write that down in this case he said the response came back is 3 1 3 3 7 now in step 2 this is where spoofing comes in I'm gonna send a syn packet not a syn ACK but a sin to a target machine that's the gateway so if I'm on a plane or I'm gonna you know at the airport and I want to look around I'm gonna send a syn to port 80 on dot 1 which is the gateway but I'm spoofing the source as that I pad was sitting there idle if the ports opened he sends a cynic to the iPad let me use a different color pen so it shows up so here comes the cynic to the iPad what's the iPad gonna do he would act 
he'd say hey I'm open so what we do in this scenario you've got the attacker and the attacker sends a message to your gateway which is dot one but he spoofs the iPads IP address watch how this works if the server is listening on port 80 he sends a syn ACK back to the iPad the iPad says I wasn't talking to you and he generates a new packet a reset packet which causes the IP ID counter to climb if dot one is closed on port 80 and a message comes in it's going to illicit a reset that means the iPad gets a reset you don't need to respond to a reset so in that case the IP ID doesn't climb everybody okay with this and then what we do is a third step is we probe the zombie again I send a syn to that iPad to the same port number and I see how many numbers the IP ID went up if it comes back as three one 339 it incremented by to support 80 must be open if it came back is three one three three eight it must be closed everybody follow how that worked or do you want to see it one more time Steve says made sense got it okay cool so this is just a way so if if this device is gonna have some type of engine on it watching for port skins he's gonna think this scan is coming from the iPad not from the attacker in the attackers bouncing him off the iPad just by leveraging the IP ID cool so let's scan is kind of dumb echo skinny doesn't matter UDP skinning so this is one last thing we'll take a break with UDP you don't have sins and acts so if you connect to UDP port and it's open there's no response if you connect to a port that's closed you get an ICMP unreachable message so the way that you can scan a remote device for UDP is by sending UDP messages to different ports you're not going to get anything from an open port but closer sports close ports are going to give you responses which is going to be an ICMP error message and then once again this is at inverse scanning so if I scan ports 21 through 25 and 24 and 25 reply it means 21 through 23 are listening does that make sense 
anything that I don't get a reply for must mean that it's open all right in an axe can this is real similar this is what I talked about with looking for firewalls if I send an ACK just a TCP act to a port like let's say that I did a full connect and it tells me port 80 is listening and I go cool what happens if I just send an ack to port 80 well if I get a reset for that it means there's not a stateful packet inspection firewall if I do a three-way handshake import ATS open but when I send an ACK there's no response it means that there's a PAC there's a stateful packet inspection firewall and he's silently dropping my packets without sending back a notification that's just kind of a revisit about what we talked about earlier here's a list of do not scan IP addresses talked about that and let's go ahead and break when we come back from the break we'll talk about banner grabbing and then we'll start to get into enumeration of it so cool how are you guys do is everybody having fun hopefully learning stuff having a good time if you're not and there's something I can do to make it better let me know but I hope you guys are having a good time with this we'll go ahead and start our break and I'll see you back in 15
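As an added example that is not part of the lecture or its slides, here is a small Python classifier that labels the probe patterns described above (full connect, half-open, Xmas, null, ACK probe, and the unsolicited SYN/ACK of an idle-scan zombie probe) from a packet trace, the way an IDS signature sees them on the wire. Every address, port and record in the trace is constructed for illustration.

```python
# Label the TCP probe patterns from the lecture as an IDS would see them.
# Constructed example: trace, addresses and labels are made up for illustration.
from collections import defaultdict

# TCP flag bits as laid out in the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed trace: (time, src, dst, service_port, flags). The port kept is
# always the scanned host's service port, so a reply shares its probe's key.
TRACE = [
    # port 80: full connect scan, handshake completed and then torn down
    (0.01, "10.0.0.5", "10.0.0.1", 80, SYN),
    (0.02, "10.0.0.1", "10.0.0.5", 80, SYN | ACK),
    (0.03, "10.0.0.5", "10.0.0.1", 80, ACK),
    (0.04, "10.0.0.5", "10.0.0.1", 80, RST | ACK),
    # port 22: half-open (stealth) scan, SYN/ACK answered with a bare RST
    (0.10, "10.0.0.5", "10.0.0.1", 22, SYN),
    (0.11, "10.0.0.1", "10.0.0.5", 22, SYN | ACK),
    (0.12, "10.0.0.5", "10.0.0.1", 22, RST),
    # port 23: Xmas scan (FIN+URG+PSH); a closed port answers RST/ACK
    (0.20, "10.0.0.5", "10.0.0.1", 23, FIN | URG | PSH),
    (0.21, "10.0.0.1", "10.0.0.5", 23, RST | ACK),
    # port 25: null scan; an open port stays silent
    (0.30, "10.0.0.5", "10.0.0.1", 25, 0),
    # port 443: bare ACK probe, silently dropped by a stateful firewall
    (0.40, "10.0.0.5", "10.0.0.1", 443, ACK),
    # unsolicited SYN/ACK to an idle host: the zombie probe of an idle scan
    (0.50, "10.0.0.5", "10.0.0.77", 80, SYN | ACK),
    (0.51, "10.0.0.77", "10.0.0.5", 80, RST),
    # an ordinary client: handshake followed by data (PSH/ACK), not a scan
    (1.00, "10.0.0.9", "10.0.0.1", 80, SYN),
    (1.01, "10.0.0.1", "10.0.0.9", 80, SYN | ACK),
    (1.02, "10.0.0.9", "10.0.0.1", 80, ACK),
    (1.03, "10.0.0.9", "10.0.0.1", 80, PSH | ACK),
]

def group_probes(trace):
    """Group packets by (initiator, responder, port); the initiator is whoever
    sent the first packet for that pair. Flags are kept in time order."""
    probes = {}
    for _, src, dst, port, flags in sorted(trace):
        rev = (dst, src, port)
        if rev in probes:
            probes[rev]["resp"].append(flags)
        else:
            probes.setdefault((src, dst, port), {"init": [], "resp": []})["init"].append(flags)
    return probes

def classify(init, resp):
    """Label one probe from the initiator's flags and the responder's replies."""
    first = init[0]
    if first == 0:
        return "null scan"
    if first == FIN | URG | PSH:
        return "xmas scan"
    if first == FIN:
        return "fin scan"
    if first == ACK:
        return "ack probe"
    if first == SYN | ACK:
        return "unsolicited syn/ack (idle-scan zombie probe)"
    if first == SYN:
        if not resp:
            return "syn, no reply"
        if resp[0] & RST:
            return "syn to closed port"
        later = init[1:]
        if any(f & PSH for f in later):
            return "normal connection"          # handshake, then data
        if any(f == ACK for f in later):
            return "full connect scan"          # handshake completed, then closed
        if any(f & RST for f in later):
            return "half-open (stealth) scan"   # RST instead of the final ACK
    return "unclassified"

def scan_report(trace):
    """Return {initiator: {(target, port): label}} for every probe in the trace."""
    report = defaultdict(dict)
    for (src, dst, port), sides in group_probes(trace).items():
        report[src][(dst, port)] = classify(sides["init"], sides["resp"])
    return dict(report)

def suspicious_hosts(trace):
    # Any host with a probe that is not a completed connection carrying data.
    return sorted(host for host, probes in scan_report(trace).items()
                  if any(label != "normal connection" for label in probes.values()))
```

Note that a stateful firewall silently dropping the bare ACK leaves only the probe itself in the trace, which is still enough to label it; the full connect scan is only distinguishable from the normal client by the absence of data after the handshake.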
Info
Channel: Ryan Lindfield
Views: 18,867
Keywords: traceroute, CEH, idlescan, idle scan, TTL, hacking, networks, firewalk, firewalking, nmap, tcp traceroute, IP ID
Id: Ih3KgQnT6T0
Length: 66min 10sec (3970 seconds)
Published: Wed Jul 22 2015