DOCSLIB.ORG

Impacts of Cyberattacks on Iot Devices Table of Contents

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Impacts of Cyberattacks on Iot Devices Table of Contents PALO ALTO NETWORKS | IoT Impacts of Cyberattacks on IoT Devices Table of Contents Introduction 3 Modern IoT Attacks 3 The IoT Attack Lifecycle 4 Cyberattack Scenarios on IoT Devices & Impacts 5 Network Scanning Impacts to Network Services 5 Experiment Environment and Test Methods CPU, Memory, and Bandwidth Usage Service Response Time Results Conclusions Impacts C-IoT Device Battery Exhaustion 7 Background and Attack Vectors Unlocking the Potential of C-IoT Connectivity Experiment Environment and Test Methods Test Results Conclusions Impact Summary 8 Impacts of Cyberattacks on IoT Devices | White Paper 2 Introduction attacks. Take Xbash for example, which has botnet, ransom- ware, cryptomining, and self-propagation capabilities. Da- The early days of the internet age were about connecting peo- ta-destructive by nature, Xbash spreads by attacking weak ple, whereas today the focus is on connecting “things.” In the passwords and unpatched vulnerabilities in Linux and Mic- broadest sense, the internet of things (IoT) is a vast matrix rosoft Windows® servers. Another example, a new variant of of numerous nonstandard devices and endpoints connected the Muhstik botnet, self-installs and infects Linux servers wirelessly over the internet. IoT device connections are en- and IoT devices with its wormlike self-propagating capabil- abled by advanced wireless cellular technologies, including ity to wreak havoc with cryptomining and DDoS attacks. To 3G, 4G, 5G, and low-power wide-area (LPWA) cellular tech- understand the reasons behind these attacks and their impact nologies, such as NB-IoT and LTE-M. on IoT devices, let’s move on to discuss IoT device attack sur- Connected IoT devices are capable of generating and trans- faces. mitting real-time data from the nearest to the farthest edg- The attack surfaces of IoT devices are broadly categorized es of the network. The data is then monitored, managed, and into three main groups: hardware interfaces, communica- analyzed to achieve desired business outcomes. According to tion channels, and applications/services. The first group, the a recent forecast by IDC, there will be 41.6 billion connected physical hardware interface of the device, is the most obvious IoT devices, or “things,” generating 79.4 zettabytes (ZB) of attack surface. Attackers get access to the shell or outermost data in 2025.1 layer of the operating system kernel of the device, modify the By leveraging analytics derived from large volumes of IoT de- firmware, and go as far as to embed a backdoor through the vice-generated data, organizations gain insights germane to hardware interface to bypass normal authentication mecha- the performance of their business systems, operational pro- nisms. cesses, and customer experiences. IoT-generated data has the IoT devices connect and communicate through two types of unique potential of opening up market opportunities for one- channels: either short-range channels that include BLE, Zig- of-a-kind products and services not previously thought pos- bee/Z-Wave, and Wi-Fi or the long-range cellular network sible. Due to its compelling value proposition as a major driver channel. These communication channels represent the sec- of business transformation, IoT adoption is growing rapidly ond attack surface. Few IoT devices use secure and superi- across numerous industry verticals worldwide. Key findings or encrypted communications during initial configuration, from a recent report by Microsoft suggest that almost 88% thereby making it simple for attackers to make the IoT de- of business decision makers feel the adoption of IoT-based vice vulnerable to IP spoofing where a hacker illicitly imper- technologies is becoming critical for business success.2 How- sonates another IoT device in the network to spread malware ever, despite the business transformation benefits IoT has and launch a man-in-the-middle attack, replay attack, or a to offer, organizations are confronted with barriers when it denial-of-service (DoS) attack. comes to adoption—97% of respondents to Microsoft’s IoT Applications/services are essential to IoT devices and repre- Signals survey cited security concerns as a major challenge sent the third attack surface. The administrative interface, the when implementing IoT.3 web API, the cloud server, system functionality components, and services delivered from the applications are all suscep- Modern IoT Attacks tible to attacks. Most modern IoT attacks are unleashed by compromising this attack surface because of its scalability, All IoT devices are vulnerable to being weaponized with bot- accessibility, and proximity to the edge of the internet. Even nets for the purpose of carrying out distributed denial-of-ser- if the services are deployed on an enterprise’s intranet, at- vice (DDoS) attacks. In 2016, the Mirai botnet targeted more tackers can still infiltrate it through a vulnerable edge router. than 600,000 IoT devices, such as routers and cameras, to For example, the Xbash botnet has the ability to infiltrate the launch a massive DDoS attack that reached 620 Gbits at its enterprise intranet to scan and attack multiple services, such peak. Since that infamous incident, new malware families as the Telnet application protocol and File Transfer Protocol have come into existence to launch other types of aggravated (FTP). Impacts of Cyberattacks on IoT Devices | White Paper 3 1 2 3 4 Initial Access Execution Persistence Evasion The IoT Attack Lifecycle 8 7 6 5 Impact Lateral Command Information Movement & Control Collection Figure 1: Stages of the IoT attack lifecycle The IoT Attack Lifecycle 4. Evasion The use of evasion techniques ensures the attack is not dis- Now that we’ve reviewed the three main types of IoT attack covered or detected. By being evasive, the attack can clear the surfaces, let’s discuss how the IoT attack lifecycle works. The system logs and the BASH command history, hide the payload lifecycle comprises eight stages. file in the system folder with a masquerading filename, and 1. Initial Access even delete the original payload file. Advanced malware, such as the Xbash family for its ability to install host-based securi- As the name suggests, this is the first stage in the IoT attack ty monitoring tools. Lastly, to avoid detection, the attack also lifecycle. At this stage, the attack leverages the network scan- adopts anti-VM and anti-debugging techniques to detect the ning method to first locate IP addresses of vulnerable devices presence of automatic malware analysis systems, such as de- using fast port-scanning tools, such as ZMap or Masscan, to buggers and virtual machines. Examples of these include the scan the internet. Tsunami variant and the Torii botnet. 2. Execution 5. Collection of Information At this stage, the attack executes payloads or commands in At this stage, device information and sensitive files, such as the vulnerable device. In order to do this, it either gets access the private key and the cryptocurrency wallet, are collected. to the shell of the device’s operating system directly or injects Take the VPNFilter malware as an example. As an advanced the device with commands. To get direct access, brute force is persistent threat (APT) infect- ing a number of IoT network used to attack weak or default passwords for services such as routers and storage devices, VPNFilter steals sensitive data Telnet or SSH. To add to this, shell commands are then inject- from the network traffic in compromised routers. ed by exploiting the remote code execution (RCE) vulnerabili- ty or command injection vulnerability. When shell commands 6. Command and Control are executed, a general pattern follows in that a malicious ex- Next, the malicious payload also receives commands from the ecutable file (such as the ELF binary or the shell script) gets command-and-control (C2) server. For different C2 com- downloaded, the executable permission to the payload file mands, the payload continues to launch different attack ac- gets assigned, and the payload gets executed. tivities like TCP flooding, UDP flooding, and infiltration of 3. Persistence additional devices. For C2 channels, HTTP, IRC, P2P, and oth- er such protocols are used. In the third stage, the executed malware payload shows per- sistence on the device. The malware can show persistence by killing the watchdog process to avoid the system rebooting; insert itself in scheduled cron jobs, system booting initial jobs, and system daemons; and even create new accounts. The shell is, at times, left open as a redundant access channel in order to establish redundant access in the future. Impacts of Cyberattacks on IoT Devices | White Paper 4 7. Lateral Movement Cyberattack Scenarios on The lateral movement in IoT attacks is mainly to continue in- fecting a large number of new devices in the local network. For IoT Devices and Impacts example, an edge router first gets infected and then continues to infect all IoT devices that are connected to it. Network Scanning Impact on Network Services One of the most important attack stages in an IoT attack life- 8. Impact cycle is the initial access “network scanning” stage when an Malicious activities launched in the IoT device have multiple attacker starts probing available open ports with scanner IPs impacts on the device: encryption of data for a ransom, total in compromised IoT devices. It is possible to launch the attack wipe out of disk and data, and abuse for cryptomining. The remotely by exploiting a remote code execution vulnerability, BrickBot family of malware, for example, can “brick” an IoT typically on internet-facing service port 37215. device by corrupting its storage capability or by completely It is evident that the network scanning in compromised IoT reconfiguring its kernel parameters. devices costs network bandwidth resources. So, an experi- ment was designed to explore the impacts of network scan- While attack surfaces, threat vectors, and vulnerabilities ning on application or network services in compromised IoT in IoT devices are being widely researched, we haven’t seen devices.
Load more

Recommended publications
  • Red Hat Enterprise Linux 3 Security Guide
    Red Hat Enterprise Linux 3 Security Guide Red Hat Enterprise Linux 3: Security Guide Copyright © 2003 by Red Hat, Inc. Red Hat, Inc. 1801 Varsity Drive Raleigh NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park NC 27709 USA rhel-sg(EN)-3-Print-RHI (2003-07-25T17:12) Copyright © 2003 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder. Red Hat, Red Hat Network, the Red Hat "Shadow Man" logo, RPM, Maximum RPM, the RPM logo, Linux Library, PowerTools, Linux Undercover, RHmember, RHmember More, Rough Cuts, Rawhide and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Motif and UNIX are registered trademarks of The Open Group. XFree86 is a trademark of The XFree86 Project, Inc, and is pending registration. Intel and Pentium are registered trademarks of Intel Corporation. Itanium and Celeron are trademarks of Intel Corporation. AMD, Opteron, Athlon, Duron, and K6 are registered trademarks of Advanced Micro Devices, Inc.
    [Show full text]
  • An Internet-Wide View of Internet-Wide Scanning
    This paper appeared in Proceedings of the 23rd USENIX Security Symposium, August 2014. An Internet-Wide View of Internet-Wide Scanning Zakir Durumeric Michael Bailey J. Alex Halderman University of Michigan University of Michigan University of Michigan [email protected] [email protected] [email protected] Abstract scanning, and successfully fingerprint ZMap and Mass- can. We present a broad view of the current scanning While it is widely known that port scanning is widespread, landscape, including analyzing who is performing large neither the scanning landscape nor the defensive reactions scans, what protocols they target, and what software and of network operators have been measured at Internet scale. providers they use. In some cases we can determine the In this work, we analyze data from a large network tele- identity of the scanners and the intent of their scans. scope to study scanning activity from the past year, un- We find that scanning practice has changed dramati- covering large horizontal scan operations and identifying cally since previous studies from 5–10 years ago [5,39,45]. broad patterns in scanning behavior. We present an analy- Many large, likely malicious scans now originate from sis of who is scanning, what services are being targeted, bullet-proof hosting providers instead of from botnets. and the impact of new scanners on the overall landscape. Internet-scale horizontal scans have become common. Al- We also analyze the scanning behavior triggered by recent most 80% of non-Conficker probe traffic originates from vulnerabilities in Linksys routers, OpenSSL, and NTP. scans targeting ≥1% of the IPv4 address space and 68% We empirically analyze the defensive behaviors that orga- from scans targeting ≥10%.
    [Show full text]
  • Design and Implementation of Port Scanner and Sniffer
    DESIGN AND IMPLEMENTATION OF PORT SCANNER AND SNIFFER 1Snehal Dhabarde, 2Reshma Zade,3Nayan Paraswar, 4Samruddhi Sonak, Department of Information Technology, Rajiv Gandhi College of Engineering and Research Nagpur Email:[email protected],[email protected],3nayanparaswar [email protected],[email protected] Abstract: A port scanner is a piece of software Port scanning has different legitimate uses that it designed to search a network host for open performs in a system. It can be used to send a ports. The only way to track open ports is by request to connect to the aimed computer and using a port scanner, and the most accurate note the ports that responds or appears to open. port scanner will be an online port scan. This Port scanning is also used to configure project aims at the creation of a applications for network security to inform the comprehensive application, which can be used administrators in case they detect some at corporate environments. The port scanner connections across a wide range of ports from a and sniffer software is as simple as possible so single host. Port scanning may involve all of the that it can be configured even by a 65,535 ports or only the ports that are well- nontechnical person. This is often used by known to provide services vulnerable to different administrators to check the security of their security related exploits. If a port on a remote networks and by hackers to compromise it. host is open for incoming connection requests The main objective of this project is to scan and you send it a SYN packet, the remote host the various ports within a specified range.
    [Show full text]
  • GL550 Enterprise Linux Security Administration
    EVALUATION COPY Unauthorized Reproduction or Distribution Enterprise LinuxProhibited Security Administration Student Workbook EVALUATION COPY Unauthorized Reproduction GL550 ENTERPRISE LINUX SECURITY ADMINISTRATION RHEL7 SLES12 or Distribution The contents of this course and all its modules and related materials, including handouts to audience members, are copyright ©2017 Guru Labs L.C. No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Guru Labs. This curriculum contains proprietary information which is for the exclusive use of customers of Guru Labs L.C., and is not to be shared with personnel other than those in attendance at this course. This instructional program, including all material provided herein, is supplied without any guarantees from Guru Labs L.C. Guru Labs L.C. assumes no liability for damages or legal action arising from Prohibited the use or misuse of contents or details contained herein. Photocopying any part of this manual without prior written consent of Guru Labs L.C. is a violation of federal law. This manual should not appear to be a photocopy. If you believe that Guru Labs training materials are being photocopied without permission, please email [email protected] or call 1-801-298-5227. Guru Labs L.C. accepts no liability for any claims, demands, losses, damages, costs or expenses suffered or incurred howsoever arising from or in
    [Show full text]
  • 4. Offensive and Defensive Network Security Cryptoworks21 • July 15, 2021
    Fundamentals of Network Security 4. Offensive and defensive network security CryptoWorks21 • July 15, 2021 Dr Douglas Stebila https://www.douglas.stebila.ca/teaching/cryptoworks21 Fundamentals of Network Security • Basics of Information Security – Security architecture and infrastructure; security goals (confidentiality, integrity, availability, and authenticity); threats/vulnerabilities/attacks; risk management • Cryptographic Building Blocks – Symmetric crypto: ciphers (stream, block), hash functions, message authentication codes, pseudorandom functions – Public key crypto: public key encryption, digital signatures, key agreement • Network Security Protocols & Standards – Overview of networking and PKI – Transport Layer Security (TLS) protocol – Overview: SSH, IPsec, Wireless (Tool: Wireshark) • Offensive and defensive network security – Offensive: Pen-tester/attack sequence: reconnaissance; gaining access; maintaining access (Tool: nmap) • Supplemental material: denial of service attacks – Defensive: Firewalls and intrusion detection • Access Control & Authentication; Web Application Security – Access control: discretionary/mandatory/role-based; phases – Authentication: something you know/have/are/somewhere you are – Web security: cookies, SQL injection – Supplemental material: Passwords 3 Assignment 2 2a) Offensive network 2b) Defensive network security security • Use nmap to scan • Set up firewall rules in services running on your Kali to prevent your computer certain types of – Will be scanning from outbound traffic (egress guest
    [Show full text]
  • Nmap Tutorial 1/10 2004-10-10 Lätt Redigerad Av Jan-Erik Jonsson
    NMap tutorial 1/10 2004-10-10 Lätt redigerad av Jan-Erik Jonsson Basic Scan Types [-sT, -sS] TCP connect() Scans [-sT] SYN Stealth Scanning [-sS] FIN, Null and Xmas Tree Scans [- sF, -sN, -sX] Ping Scanning [-sP] UDP Scans [-sU] IP Protocol Scans [-sO] Idle Scanning [-sI] ACK Scan [-sA] Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] Timing And Hiding Scans Timing Decoys FTP Bounce Turning Pings Off Fragmenting Idle Scanning http://www.security-forums.com/forum/viewtopic.php?t=7872 NMAP - A Stealth Port Scanner by Andrew J. Bennieston 1 INTRODUCTION ................................................................................................................................................. 2 2 DISCLAIMER...................................................................................................................................................... 2 3 BASIC SCAN TYPES [-ST, -SS] ........................................................................................................................... 2 3.1 TCP connect() Scans [-sT]........................................................................................................................ 2 3.2 SYN Stealth Scanning [-sS]....................................................................................................................... 2 4 FIN, NULL AND XMAS TREE SCANS [-SF, -SN, -SX] ......................................................................................... 3 5 PING SCANNING [-SP] ......................................................................................................................................
    [Show full text]
  • Identifying Vulnerabilities Using Internet-Wide Scanning Data
    Identifying Vulnerabilities Using Internet-wide Scanning Data Jamie O’Hare, Rich Macfarlane, Owen Lo School of Computing Edinburgh Napier University Edinburgh, United Kingdom 40168785, r.macfarlane, [email protected] Abstract—Internet-wide scanning projects such as Shodan and of service, through the considerable time and resources re- Censys, scan the Internet and collect active reconnaissance results quired to perform the scans. Due to this potential issue, as for online devices. Access to this information is provided through well as specific legal requirements, vulnerability assessment associated websites. The Internet-wide scanning data can be used to identify devices and services which are exposed on the Internet. tools typically require permission from the target organization It is possible to identify services as being susceptible to known- before being used. vulnerabilities by analysing the data. Analysing this information The known vulnerabilities identified by these tools are is classed as passive reconnaissance, as the target devices are associated with a specific Common Vulnerabilities and Ex- not being directly communicated with. This paper goes on to posure (CVE), which highlights a vulnerability for a specific define this as contactless active reconnaissance. The vulnerability identification functionality in these Internet-wide scanning tools is service. A CVE entry contains information associated with currently limited to a small number of high profile vulnerabilities. the vulnerability including a Common Platform Enumeration This work looks towards extending these features through the (CPE) and a Common Vulnerability Scoring System (CVSS). creation of a tool Scout which combines data from Censys The CPE ties a CVE to a specific product and version, while and the National Vulnerability Database to passively identify the CVSS provides an impact score.
    [Show full text]
  • Surveying Port Scans and Their Detection Methodologies
    Surveying Port Scans and Their Detection Methodologies Monowar H Bhuyan1, D K Bhattacharyya1 and J K Kalita2 1Department of Computer Science & Engineering Tezpur University Napaam, Tezpur, Assam, India 2Department of Computer Science University of Colorado at Colorado Springs CO 80933-7150, USA Email: mhb,dkb @tezu.ernet.in, [email protected] { } Scanning of ports on a computer occurs frequently on the Internet. An attacker performs port scans of IP addresses to find vulnerable hosts to compromise. However, it is also useful for system administrators and other network defenders to detect port scans as possible preliminaries to more serious attacks. It is a very difficult task to recognize instances of malicious port scanning. In general, a port scan may be an instance of a scan by attackers or an instance of a scan by network defenders. In this survey, we present research and development trends in this area. Our presentation includes a discussion of common port scan attacks. We provide a comparison of port scan methods based on type, mode of detection, mechanism used for detection, and other characteristics. This survey also reports on the available datasets and evaluation criteria for port scan detection approaches. Keywords: TCP/IP, UDP, OS fingerprinting, coordinated scanning Received 21 May 2010; revised 23 August 2010 1. INTRODUCTION similar, except that a positive response from the target results in further communication to determine whether The Internet is a complex entity comprised of diverse the target is vulnerable to a particular exploit. As can networks, users, and resources. Most users are oblivious be found in [3], most attacks are preceded by some form to the design of the Internet and its components and of scanning activity, particularly vulnerability scanning.
    [Show full text]
  • Evaluation of Network Port Scanning Tools
    Evaluation of Network Port Scanning Tools Nazar El-Nazeer and Kevin Daimi Department of Mathematics, Computer Science and Software Engineering University of Detroit Mercy, 4001 McNichols Road, Detroit, MI 48221 {elnazen, daimikj}@udmercy.edu ABSTRACT implies protecting data and information from attacks during their transmission from the source to destination. Attackers can detect the vulnerabilities in networks and Neglecting network port scans could result in possibly pose enormous threats in these situations. To unavoidable consequences. Network attackers prevent problems, cryptology provides the most continuously monitor and check communication ports promising measures to deter, prevent, detect, and correct looking for any open port. To protect computers and security violations. networks, computers need to be safeguarded against applications that aren't required by any function To protect computer networks, a number of protection currently in use. To accomplish this, the available ports tasks need to be implemented. These tasks are needed and the applications utilizing them should be to enforce the security for wireless network, electronic determined. This paper attempts to evaluate eight port mail, IP, and at the transport level. Furthermore, these scanning tools based on fifteen criterions. The criteria tasks should efficiently deal with intruders and were reached after fully testing each tool. The malicious software [23]. outcomes of the evaluation process are discussed. Internet and web are tremendously vulnerable to various Keywords attacks. Therefore securing web services is a critical requirement. In particular, security at the transport layer Network Security, Evaluation Criteria, Network must never be overlooked. The subdivision of the Security Tools, Network Port Scanning Internet by the transport layer presents ample outcomes both in the way in which business is performed on the network and with regard to the vulnerability caused by I.
    [Show full text]
  • Internet-Facing Plcs - a New Back Orifice
    Internet-facing PLCs - A New Back Orifice Johannes Klick, Stephan Lau, Daniel Marzin, Jan-Ole Malchow, Volker Roth Freie Universität Berlin - Secure Identity Research Group <firstname>.<lastname>@fu-berlin.de Abstract—Industrial control systems (ICS) are integral com- The approach we take is to turn PLCs into gateways (we ponents of production and control processes. Our modern infras- focus on Siemens PLCs). This is enabled by a notorious lack tructure heavily relies on them. Unfortunately, from a security of proper means of authentication in PLCs. A knowledgeable perspective, thousands of PLCs are deployed in an Internet-facing adversary with access to a PLC can download and upload code fashion. Security features are largely absent in PLCs. If they are to it, as long as the code consists of MC7 bytecode, which is the present then they are often ignored or disabled because security native form of PLC code. We explored the runtime environment is often at odds with operations. As a consequence, it is often possible to load arbitrary code onto an Internet-facing PLC. of PLCs and found that it is possible to implement several Besides being a grave problem in its own right, it is possible network services using uploaded MC7 code. In particular, we to leverage PLCs as network gateways into production networks implemented and perhaps even the corporate IT network. In this paper, we analyze and discuss this threat vector and we demonstrate • a SNMP scanner for Siemens PLCs, and that exploiting it is feasible. For demonstration purposes, we • developed a prototypical port scanner and a SOCKS proxy that a fully fledged SOCKS proxy for Siemens PLCs runs in a PLC.
    [Show full text]
  • An Intelligent Improvement of Internet-Wide Scan Engine for Fast Discovery of Vulnerable Iot Devices
    S S symmetry Article An Intelligent Improvement of Internet-Wide Scan Engine for Fast Discovery of Vulnerable IoT Devices Hwankuk Kim ID , Taeun Kim and Daeil Jang * Korea Internet & Security Agency, 9, Jinheung-gil, Naju-si, Jeollanam-do 58324, Korea; [email protected] (H.K.); [email protected] (T.K.) * Correspondence: [email protected]; Tel.: +82-61-820-1274 Received: 31 March 2018; Accepted: 7 May 2018; Published: 10 May 2018 Abstract: Since 2016, Mirai and Persirai malware have infected hundreds of thousands of Internet of Things (IoT) devices and created a massive IoT botnet, which caused distributed denial of service (DDoS) attacks. IoT malware targets vulnerable IoT devices, which are vulnerable to security risks. Techniques are needed to prevent IoT devices from being exploited by attackers. However, unlike high-performance PCs, IoT devices are lightweight, low-power, and low-cost, having performance limitations regarding processing and memory, which makes it difficult to install security and anti-malware programs. Recently, several studies have been attempted to quickly search for vulnerable internet-connected devices to solve this real issue. Issues yet to be studied still exist regarding these types of internet-wide scan technologies, such as filtering by security devices and a shortage of collected operating system (OS) information. This paper proposes an intelligent internet-wide scan model that improves IP state scanning with advanced internet protocol (IP) randomization, reactive protocol (port) scanning, and OS fingerprinting scanning, applying k* algorithm in order to find vulnerable IoT devices. Additionally, we describe the experiment’s results compared to the existing internet-wide scan technologies, such as ZMap and Shodan.
    [Show full text]
  • NMAP - a Stealth Port Scanner
    NMAP - A Stealth Port Scanner Andrew J. Bennieston http://www.nmap-tutorial.com Contents 1 Introduction 4 2 Disclaimer 4 3 Basic Scan Types [-sT, -sS] 4 3.1 TCP connect() Scan [-sT] . 4 3.2 SYN Stealth Scan [-sS] . 5 4 FIN, Null and Xmas Tree Scans [-sF, -sN, -sX] 6 5 Ping Scan [-sP] 7 6 UDP Scan [-sU] 8 7 IP Protocol Scans [-sO] 8 8 Idle Scanning [-sI] 9 9 Version Detection [-sV] 10 10 ACK Scan [-sA] 10 11 Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] 11 12 Timing and Hiding Scans 11 12.1 Timing . 11 12.2 Decoys . 11 12.3 FTP Bounce . 12 12.4 Turning Off Ping . 12 12.5 Fragmenting . 12 12.6 Idle Scanning . 13 13 OS Fingerprinting 13 14 Outputting Logs 13 15 Other Nmap Options 13 15.1 IPv6 . 13 15.2 Verbose Mode . 13 15.3 Resuming . 13 15.4 Reading Targets From A File . 14 15.5 Fast Scan . 14 15.6 Time-To-Live . 14 2 16 Typical Scanning Session 14 17 Frequently Asked Questions 18 17.1 I tried a scan and it appeared in firewall logs or alerts. What else can I do to help hide my scan? . 18 17.2 NMAP seems to have stopped, or my scan is taking a very long while. Why is this? . 19 17.3 Will -sN -sX and -sF work against any host, or just Windows hosts? 20 17.4 How do I find a dummy host for the Idle Scan (-sI)? . 20 17.5 What does ”Host seems down.
    [Show full text]