Securing 7 Layers of Insecurity

DeepSec Vienna 2007 7 Layers of Insecurity ce: r ons i n aissan nge t i o n f r ss

e n ati at c me xpe i e mpr eco sa e C

n ntif R

m.” he k ) g t n a ide r al

d th n e i p at two i nt i t om ll wo h i 1 whe or t n pr s k

et 2 i r s

d fr

r N ur dia.org r ty

ge ne

e i p e n le r p t nate mi

occ

Fi u r e

ios p “ e igi r

g a

u or

n h de

(Wiki i C Mod



F C DeepSec Vienna 2007 2 7 Layers of Insecurity r om .c owing n unte de ung) r t foll i r e w

mons rbe on) t i a t a g unde ite c k Be n om i i be if n ti or r e a n a ec t be w i l

od ri r r v s h i i m p ha st t ye r uc th a or e a e f Au nz ( n und be e Ma g , ify orbe ng t o nc n ze d n v u o in e

cr z i ite e F Li als nna ic tia rde e

r l t mo e (

e s

ht i w. - d e Nut

c V a

rbr e lbe us ba nd 1 , m e e le l e a a l 2 v

s Re nc a ww S i m

nnt we s e e ie r , te ngs r r r r zt, rc rz e na f fe bu e nig p:// i e o if r me nut t raini r f n: Ei unde

it unte n ge is T ge htt om be

e n Pfe omm d / d

i c d be t s I k e , e r

v né e 7 f ht r t work Ar 0 f c e e e r ngunge

Re us s 0 i ng an mus non v v , i h y i i ni s d t n müs l t t a re 2 or

e e a a f r ür ul g

s fk it da

f Be : v v e i hor or a ri ri n b nt fre be r K ght e y

De Only Nur De Aut Aut m ri

Ar y e

m Cons nde e . e

e e

ha p e s .T

e a o lge ou ma

o o N a Di f Mic C. Y Som

  C DeepSec Vienna 2007 3 7 Layers of Insecurity g n ti n i r p r e g g s g in c F tin n

i si - t

in a s 1 r als n 2 B er

g erp ad g n erpri ti n g dividu ing i t F 7 1 n 0 e ol He

2 i 0 v

2 erprin r tify In oc r

p e g e r

b da t en n

ctive Fin i

e m

d p

A I Pas Prot F e

v a      g

o n

h i N A

F C DeepSec Vienna 2007 4 7 Layers of Insecurity g n ti re? n i o r p r e ts? g s in o ign in c t i F H

- s

at le 1 a h 2 r? B w ab

, r g alu d fo n o i V t k fo o 7 n g 0 i 0 ind t r

2 r p s i e o F r

b t e m at to loo at i e

w g v o

o n i N Wh Wh H

 F DeepSec Vienna 2007 5 7 Layers of Insecurity es r es l assive a tu g s ci ess n na ti n i t can r cru

p s r

eakn e en e e sig r ses g w g s a ctive or p n n t in c a o ti i iqu F

ls e res - s essm

1 ma a co ains 2 resp e un atu

to B to ay b

ag o av r m g g

au h ity ass r n n g i sign il i y d p n t 7 n ti n 0 PC rk stack a i 0 pab atch r R

2 s

r p m ca n e r b r r

etwo CE erprin e m tems ma tems sio g fo fo D N

g r ols exist fo v n    

e i o o n i N F T V Sys

 F DeepSec Vienna 2007 6 7 Layers of Insecurity ” ach ce ns ro an g pp n s” ti a ten n cks icatio i its l r p ck o p tem r ain l e g s m ? ap in f c s i F l

n sys i f exp ed cies - s

n a 1 a for atta t direct atta tte 2 en ate o g o n e B do d in

o st in i r D rgo l g n an

i t pen n ai i t fo “fo u ve t 7 r n o n ormat 0

u i f e de 0 r d n er ch 2 s

tify “ab r k fo ortan i p n n e i r p b

en f er

oo e m m d sio

Prop I I L e

y g r v  etermin   

o h n i N D Ga V

W F DeepSec Vienna 2007 7 7 Layers of Insecurity eering lts gin resu

en l g a i n n ti et eject n ure” oc o i g i r

s t ct

p i r ty a e in rm/r g

i can m in ig p ibili u nf r F

b o sed - o

c f 1 yo

2 e “ cred n e u

I g

ve g et all et th hin o an n g ls can r i l c g t

d 7 n ca to n 0 i 0 o l i e r

2 r n n an p e o r

b sefu acts imp e m rmat

lect everyt F Ph U Sca e

g v fo     o

o n

n i N I C

 F DeepSec Vienna 2007 8 7 Layers of Insecurity g n ti n i r p r g e g n i in t F

- n i 1 n! r 2 p ste r i e g n or L 7 i

0 F 0

r e

atch e v b i

m s e

st W

v s

o a N Ju

 P DeepSec Vienna 2007 9 7 Layers of Insecurity ) ST) ) R CK (

g N+A n evices u (SYN ti ect to n i r n k d yo (SY p r n r o e to

g in t co F etw

ect to ect - n n

n no

1 n 2 s co

con can ects d u u at et cer o d n a 7 eth 0 al 0 ally m 2 b ems th ems yo ems yo r e

e T v b ad A

tifies

m si o l N syst syst syst e

dition

en f    d  

0 N A I Pas

DeepSec Vienna 2007 1 7 Layers of Insecurity n. g n ti n i r p r rmatio e g fo in n F

1 s n” I 2 r e e d idd a H e f “ 7 H 0

0 l 2 h o r t o

e c b al

m o

e t

v W

o r N A

 P 1

DeepSec Vienna 2007 1 7 Layers of Insecurity evices n n g o diate d n i isatio ti t l n m n i a r u o i p i r m rma e terme r g ed n in o m no rmat f F ,

t, i TL - t: n

fo n I 1 T ns

n , 2 ac r ou tio e i e es c

me p g i d Imp p t o

a o an m e ip h IP r

7 u t

i H 0

evices 0 se l d n

at ch i 2 y

r o rk dista e T d un al th

ss c b

A o n

m o

k: med

Mi N A R

e t ps

v s i    o  etwo o

o r N R H N

 P 2

DeepSec Vienna 2007 1 7 Layers of Insecurity g n ti ” n i r … p r t. e g u g in o F n l i l - t

a 1 n 2 i r p let it r t, e u g 7 0 n

ho 0 i

s 2

F r

t, e

b u e

o v

e i

v t

Sh c N “

 A 3

DeepSec Vienna 2007 1 7 Layers of Insecurity n text o g ts n ti ased n i r p men r e b e r g ce a s

in s F er un l

- n o

1 co n ames g 2 an to r s n i f b f an fo b o o ain n k b l l l l o m a et pro 7 r ities lo 0

n string il 0 s G / do is fu is fu 2

tern r

t ab r e In b

ker e

os t

m n

h versio cap e

v n    ttac

ayer 7 ayer 7 ayer 2 ayer 2

a N Mos A L L

DeepSec Vienna 2007 1 7 Layers of Insecurity g n ti n i r p r e m g u n i in ls) o F

i o ed -

1 to m

2 s s : e s r rmat l g ities e s fo act n n n erver ses itab un ue i n s n g n 7 a su o stri 3 o

0 o

l P mm b 0 h Imp h

a t 2 i D r r

L e co resp a d wi

b l ( L

P /

versi servers m

P/POP u k: hig e MP

s p NS i T DP

TP o

o N D R I H SSH SMT SN F C

DeepSec Vienna 2007 1 7 Layers of Insecurity acks ts et n i att o al le.n s g e g p n ti reve n ari i

nt re r xamp n p r e o h . e ctu ti g orta ig er c a in i v h F

se startin at - t:

o d l

1 ser eries can l se d 2 ac e frastru u in ll very imp i

S qu Imp S

e try to s disc w g N r

N sfer al ll d m i a s D n r

7 i u w o i 0 s

g g 0 secret.fil s ker

ec 2 in d g tify D ne r i r i e tran e n

b ker zo en D ttac ic r vo

ito o

l m d

k: med i z A A e

b S v s i  ttac    NS

N N Mon R A Pu D

DeepSec Vienna 2007 1 7 Layers of Insecurity se n g n ti po n m i r kets u walk” i p r res e e g ed y pac in “fir m d F

l - t:

ali 1 oo 2 t ate ac lters b

s ses n

o inv n Imp o t

o ti ket fi s

vestig m p g 7 u ac in i 0 o n

ms from p i 0 resp nse

P s

2 k o g r C TL l

ste e

T a b ker MP / sp T

pin e m P P C w k: med I r I I e

s e i ame     ttac

o r

i N R N A Map

DeepSec Vienna 2007 1 7 Layers of Insecurity P) C le T / ab s DP g acces n l ti MP-cap n i 1/162 (U ns r p r sefu h 16 e ected

t g t atio ig r o in are SN h

r m o F

r p p - t:

fo 1 n 2 ac n n very u r un i s o evices g fo d Imp er ich n k i n o rk m rmatio k 7 l u an lo i 0

fo a wo 0 s

ffers r ffers sc 2 in

et r W t e

o n lt r

b ker P y m

k: med Po e

M v s efau i ttac 

N N D R A Man SN

DeepSec Vienna 2007 1 7 Layers of Insecurity g n e ti n c i r p n r e a g s in s F i - a 1 n 2 n o c e

7 R 0 se?

0 r

r o

e f

m s

at to U l

v o

Wh o

 T 9

DeepSec Vienna 2007 1 7 Layers of Insecurity ewise k li g

n e o ti n i ut d r ll p i r t e l do w g

te ap in P u on F d

o tracero a -

or wil er 1 e f TC cp 2 ls mm t at d o ac r a 2, co to r ne ll t ble o i

g, tr e, ing e g pa in p 7 h 0 p h s st

et ge t an 0 ca

l f 2

r et, et i et,

e o ack

b oo

t p m s l teln teln teln e

y y

v o n   n 

imes ch imes o

N A A

T o

 T 0

DeepSec Vienna 2007 2 7 Layers of Insecurity ) s g n ti ing n g i r r p in st r

n e 97 g n ity in g il 19 F

sio - r e

tin scan ab l 1 p 2 e (ve cap g

sinc n scri d i arall very r ing n p MP b tion un C 7 an ab 0

, I r 0 ort fo fers P etec sc

g r p

s aro ol scan D t e st disco r p of i

b er U o

n p , m Su OS d Po H e

P a v le scan an    

map C map o

d m N B Prot I T n n

 n 1

DeepSec Vienna 2007 2 7 Layers of Insecurity g n ti n i r p r e g in F

1 2 7 0

0 n 2

r a

e c

v e

o l

DeepSec Vienna 2007 2 7 Layers of Insecurity g n i 001 2 int r e g erp n ti g s n n i r d sinc int p n r r e u g tp in o F uzzy fi aro

f sed - , fo

l u e 1 o 2 d s MP e to r MP IC g

C n n i atu , I o n n

P 7 s 0 D res inclu V2 0 U

cu 2 2 r

, e sig e l MP P e fo

C b y m SMB T SN

v r    ey featu ctive scan ctive

N p K Multip Earl A

DeepSec Vienna 2007 2 7 Layers of Insecurity s an acket e Sc l p Id P ls g

n C ti n T i , too r esting ests p t t r eered

e ard n g o in PS i ted ICMP F ,

and p P - S/I

, ma 1 st N

2 ID to ” S n l/ UD l I 3 ha P au ids t r g fted C o a n le rewa i er fo 7 I 0 p ab 0 r fi s cr h 2 AP n st / r fo d

lects T e l l 2

o as

g o g m C H Sen

e n in

v i sefu   

p p N U More cap “

 h 4

DeepSec Vienna 2007 2 7 Layers of Insecurity ing r rts ito o rts n p o g p n ar f l ti mo ecifics n u i o r ks p r p r er o sp o e r b p g ed r ear on in m etw F p

k fo fo n -

o s ap 1 tach e

o 2 ce nu at s u ” k larg r

ers l r scan n s may red o

ap 7 w m 0 ns t 0 -r00te s e mated 2 r

to k scan n sca e l to el scan

b ker

u u e A m

B “ A

e g

v r    ttac

arge

o a N L Parall A

 L 5

DeepSec Vienna 2007 2 7 Layers of Insecurity ets ack d p r te rde g wan n ti n n m i u t bo r / u ket rates i p a r e s g ed ess l nt in s m te F k s, pac se a - t:

me u s r / 1 i r 2 ac R ed ro

frag weep

m g s Imp e r er

l n rt i m o n 7 u alfo p i

0 emb n 0 t n m

a 2 t ICMP

r i p c e

b m atio eass r etec S i

k: med L R D D

e t

tig v

s r     i

o N Mi R

DeepSec Vienna 2007 2 7 Layers of Insecurity g n ti le. n i r p p r e g in F o Peo

t s - l

1 s a 2 u d i resse v i

dd d 7 0 A n

2 r y

e ing f b i t m

e n v

o e

N Match

d ©

 I 7

DeepSec Vienna 2007 2 7 Layers of Insecurity ity n ibil es o ers g ti n ess S) g mb r n N d ti D eeri n orma

i r ves cred in X nu p r h inf e A ng g pro ig ork ad er n e in ike h m F s, F o l

th i i - aces (in t: etw t er o 1 cial a b 2 ing n ac ” tion esp ses so m m r yth r ed Imp ma am

s o r f dres e nu an r faking t fo n m r fo ali n n 7 u I al fo i 0 o

ad 0 l n l in on t fo

2 s a al r ail u ortan r

e n n

p b

sefu o eleph Pe m k o m k: med

U I Perso T “ E-m

e s

s r i      

o e N R Perso L

 P 8

DeepSec Vienna 2007 2 7 Layers of Insecurity o ). d n. k(s r at to atio o . m r wh g etw fo n n ti

nd in n u can a o i r t t . p u r s e o g ffic. in a ab ata is

ected d s tr -

r acces g 1 erever yo u 2 n i ce i s aff yo i

l an g om e esign r n co ss i ess wh i o t he inc 7 1 ly d r n 0 l

na w 2 i 0 rot

t. y n r

fu 2 p r ito t acc i r

i e p ar e e ow y r

b t m

n eco n ar i

m p

K with Mon L A C R e

v a      

o n

h i N Su

F C 9

DeepSec Vienna 2007 2 7 Layers of Insecurity ! n g o n i ti t n i n r p e r t e t g a in

F r - u 1 2 o y r o f

7 u 0 s? 0 o n 2

r y o

b ti k

m n e es

v a

o h N Qu

 T DeepSec Conference Vienna © November 2007

Chapter 21 Fingerprinting

 Module Network Reconnaissance: Curiosity killed the Cat D 7

eep L ayers o “Fingerprint identification occurs when an expert Sec determines that two impressions

Vien

originated from the same finger f I

or palm.” n secu n a 2007

(Wikipedia.org) rity

Fingerprinting is a reconnaissance technique which allows to identify systems, versions of operating systems, patch levels, services packs etc. by observing a target for individual responses or actions. This chapter presents the latest developments in different techniques and discusses methods how risks can be mitigated.

21 - Fingerprinting 1 DeepSec Conference Vienna © November 2007

 Some rights reserved / Einige Rechte vorbehalten

 Michael Kafka, René Pfeiffer, Sebastian Mayer C.a.T. Consulting and Trainings, Vienna, Austria

 You may freely use, distribute and modify this work under following D agreement: 7

eep  Diese Arbeit darf frei genutzt, verbreitet und bearbeitet werden unter L

folgenden Bedingungen: ayers o Sec Authors must be referenced (also for modification) Autoren müssen genannt werden (auch bei Bearbeitung)

Vien

Only for non commercial use f I Nur für nichtkommerzielle Nutzung n secu

Derivative work under same licence n

Derivative Arbeit unter selber Lizenz a 2007

http://www.creativecommons.com rity

This presentation is published under the CreativeCommons License which can be viewed in detail on their hompage: http://creativecommons.org/licenses/by-nc-sa/2.0/at/ Read more on http://www.creativecommons.com

You are free:

to Share — to copy, distribute and transmit the work

to Remix — to adapt the work

Under the following conditions: Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Noncommercial. You may not use this work for commercial purposes.

Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

● For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to this web page. ● Any of the above conditions can be waived if you get permission from the copyright holder. ● Nothing in this license impairs or restricts the author's moral rights.

Chapter 21 Fingerprinting

 Agenda  Fingerprinting Basics  Passive Fingerprinting D 7

eep  Protocol Headers L ayers o

 Active Fingerprinting Sec  Identify Individuals

Vien f I n secu n a 2007 rity

Fingerprinting Basics

 How to Find Valuable Hints? What to look for, what to ignore? What is it good for? D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

Fingerprinting Basics

 Systems may have unique signatures  Network stack responses  DCE RPC signatures D 7

eep  Versions and protocols are crucial L ayers o

 for matching against weaknesses Sec  for capability assessment

Vien  Tools exist for automating scans f I n secu  Fingerprinting may be active or passive n a 2007 rity

Fingerprinting Basics Why find out Details?

 Versions unveil state of maintenance  Look for “forgotten systems”  Identify “abandoned applications” D 7

eep  Gather information for attack approach L ayers o

 Determine dependencies Sec  Important for indirect attacks

Vien  Proper chaining of exploits f I n secu n a 2007 rity

Fingerprinting Information

 Collect everything  Scan and get all you can get  Useful to get the “big picture” D 7

eep  Information can be used in social engineering L ayers o

 Facts improve credibility Sec  Phone calls can confirm/reject results

Vien f I n secu n a 2007 rity

21 - Fingerprinting 7

Passive Fingerprinting

 Just Watch or Listen! D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

p0f

 Passive method  Identifies  systems that connect to you (SYN) D 7

eep  systems you connect to (SYN+ACK) L ayers o

 systems you cannot connect to (RST) Sec  Additionally detects network devices

Vien  NAT f I n secu  load balancers n a 2007 rity

p0f is a passive fingerprinting sensor. It works by analysing the behaviour of the TCP/IP interaction (TCP handshake, options, MTU, MSS, parameters, patterns). It can detect firewalls, NAT devices, Internet connections and the like). p0f only needs to have access to the network packets. It can also work on recorded or mirrored packets.

21 - Fingerprinting 9

Protocol Headers

 A Wealth of “Hidden” Information. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

Protocol Header Information

 Network distances  Round trip time, TTL  Analyse hop count, intermediate devices D 7

eep  Hops that change information L ayers o

 Missing IP options, normalisation Sec  NAT devices

Vien  Risk: medium Impact: medium f I n secu n a 2007 rity

The hop count and the round trip time often give interesting information. Tracing the packet routes either with a tcptrace-like tool or the IP option record route let's you determine the AS number, the ISP and maybe load balancing devices as well as changing routes. There are methods of detecting NAT devices and estimating the host behind them. • Detecting NAT Devices using sFlow by Peter Phaal • A Technique for Counting NATted Hosts by Steve Bellovin, AT&T Proper packet inspection and normalisation can avoid these techniques. The Linux kernel, OpenBSD and recent FreeBSD systems apply countermeasures against the proposal by Steve Bellovin. Mitigation: • Deploy packet filters that “scrub” packets (OpenBSD has this option for example) • Use layer 4/7 proxies

Active Fingerprinting

 “Shout, shout, let it all out. …” D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

Banner Grabbing

 Layer 2 is full of announcements  Layer 7 is full of banners  Most Internet protocols are based on text D 7

eep  Attackers look for L ayers o

 version strings Sec  capabilities

Vien  host / domain names f I n secu n a 2007 rity

Popular banners

 CDP/LLDP strings  FTP servers  SMTP dialogues D 7

eep  SNMP communities L ayers o

 HTTP responses Sec  SSH version information

Vien  IMAP/POP3 servers f I n secu  DNS (with suitable tools) n a 2007  Risk: high Impact: medium rity

Mitigation: • Always try to get rid of standard banners. • Change/delete any hint on version numbers or patch level; don't use fake version numbers, delete them altogether instead (version numbers makes your system more attractive) • Avoid publishing all available options and every installed module • Use filters to modify/delete banner strings if possible

DNS Digging

 DNS zones are very important  Public records disclose starting points  Avoid secret.fileserver.example.net D 7

eep  Attackers will use dictionaries L ayers o

 Attackers will try to Sec  zone transfer all data

Vien  identify DNS infrastructure f I n secu  Monitoring DNS queries can reveal attacks n a 2007  Risk: medium Impact: high rity

Mitigation: • Use “split horizon” DNS – use an internal and an external DNS zone • Use different servers for internal and external zone • Keep your external DNS zone as uninteresting and generic as possible • Allow zone transfers only to DNS peers as required by DNS operation (usually your backup DNS servers)

Firewalking

 Mapping packet filters by response  Attackers investigate  IP TTL D 7

eep  ICMP responses L ayers o

 IP/TCP options Sec  responses to invalid packets

Vien  Name stems from tool “firewalk” f I n secu  Risk: medium Impact: medium n a 2007 rity

firewalk was born out of research conducted with traceroute. The tool was first mentioned in a publication (1998). Mitigation: • Block ICMP TTL Exceeded packets from internal hosts to outside hosts if possible. • Drop all packets to unused ports. • NAT devices or proxy servers break firewalk probes.

SNMP Walking

 SNMP offers rich informations  Many network devices are SNMP-capable  Attackers look for unprotected access D 7

eep  Port scanners on port 161/162 (UDP/TCP) L ayers o

 Default information very useful Sec  Risk: medium Impact: high

Vien f I n secu n a 2007 rity

Mitigation: • Block all untrusted access to SNMP ports. • Collect all SNMP-accessible devices on a separate network or VLAN. • Monitor SNMP probes and set alarms/warnings. • Use and deploy SNMP v3 if possible (v3 offers encryption, integrity and authentication). • Don't use SNMP writes with version prior to 3. Make sure write access is disabled.

Tools for Reconnaissance

 What to Use? D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

21 - Fingerprinting 18

Tools of the trade

 Times change, tools adapt  telnet, ping, traceroute  telnet, hping2, tcptraceroute D 7

eep  Any packet generator will do L ayers o

 Any tool capable of TCP will do likewise Sec  telnet is still common

Vien f I n secu n a 2007 rity

nmap

 nmap is around since 1997  Host discovery  OS detection D 7

eep  Port scanning L ayers o

 Support for scripting Sec  nmap offers parallel scanning

Vien  TCP, UDP, ICMP capability f I n secu  Protocol scan n a 2007  Idle scan rity  Banner grabbing (version strings)

Idle Scan D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

The idle scan requires an intermediate host, called a zombie, that produces predictable IP IDs. The scans works by sending spoofed TCP/IP SYN packets to the target to be analysed. The sender address is the one from the zombie host. An open port at the target will produce a SYN+ACK packet which is sent to the zombie. Since the zombie didn't send the packet it replies with a RST and increases the IP ID. The attacker can then check for the next IP ID and deduce the state of the port at the target. This technique was discovered by Salvatore 'Antirez' Sanfilippo, the author of hping, in 1998. There are still systems in use that are vulnerable to simple IP ID generation and thus can be used as zombies in idle scans.

xprobe2

 Active scanning tool, around since 2001  Early focus on ICMP footprints  Key features include fuzzy fingerprinting D 7

eep  Multiple signatures used L ayers o

 TCP, UDP, ICMP Sec  SNMP V2

Vien  SMB f I n secu n a 2007 rity

xprobe2 is the result of Ofir Arkin's research on ICMP. The results were published in a paper called ICMP Usage in Scanning (2001). Fyodor Yarochkin and Ofir Arkin coded the first version of xprobe and published it with the paper. xprobe2 sends UDP and ICMP datagrams to the target, trying to provoke ICMP answers. Surprisingly the handling of ICMP by different TCP/IP stacks provides enough information to identify the system that created the packets.

hping2/hping3

 “ping on steroids”  Sends crafted UDP, ICMP, TCP packets  Collects TCP ISN, pioneered Idle Scan D 7

eep  Has API for automated tests L ayers o

 Useful for firewall/IDS/IPS testing Sec  More capable than standard tools

Vien f I n secu n a 2007 rity

hping has a long history. The tool was first used to punch holes into firewalls (by using suitable forwarding/tunneling ports) and TCP/IP protocol checks. hping3 offers a full API in Tcl and enables the user to automate all tests by constructing scripts. foreach i [list 5 6 7 8 9 10] { hping send "ip(daddr=192.168.1.8,ttl=$i)+icmp(type=8,code=0)" } This snipped of code sends ICMP type 8 code 0 packets with varying TTL. Construction of packets can be easily done with a few commands.

Large networks

 Attackers map large networks  Automated scans for popular ports  “Auto-r00ter” attached D 7

eep  Parallel scans may appear on monitoring L ayers o

 Large scans reduce number of ports Sec  Bulk scanners look for specifics

Vien f I n secu n a 2007 rity

Port Scanning Risks

 Risk: medium Impact: medium  Mitigation  Drop malformed/useless/unwanted packets D 7

eep  Detect port sweeps, packet rates L ayers o

 Limit ICMP error rate Sec  Reassemble fragments at border

Vien f I n secu n a 2007 rity

21 - Fingerprinting 25

Identify Individuals

 Matching Addresses to People. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

Personal Information

 Look out for anything like  E-mail addresses  Telephone numbers, FAX numbers D 7

eep  “Personalised” network addresses L ayers o

 Personal namespaces (in DNS) Sec  Personal information improves credibility

Vien  Important for social engineering f I n secu  Useful for faking other information n a 2007  Risk: medium Impact: high rity

Keeping corporate information locked is not an easy task. A lot of information will be published by normal business or organisational processes. Mitigation: • Classify information and publish guidelines how to deal with data according to classification levels. • Publish generic contact information (central phone number, central address). • Keep personalised namespaces internal. • Control access to directory services (limit to authorised access if possible). • Create and publish guidelines for use of email and email addresses.

Chapter 21 Fingerprinting

 Summary  Reconnaissance is about information.  Any protocol is affected. D 7

eep  Carefully design access to network(s). L ayers o

 Monitor incoming traffic. Sec  Limit access wherever you can.

Vien  Know where your data is and what to do f I n

with it. secu n a 2007 rity

Thank you for your attention!

 Questions? D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

21 - Fingerprinting 29