Network Security Tools and Defense


Network Security Tools and Defense – An Overview
Jeff Huberty, Business Information Technology Solutions (BITS), www.bits-solutions.com

Has Your System Been Compromised?

OUTLINE
• CSI/FBI Survey Results
• Security Goals
• Security Threats
• Internet and Network Tools Used
• What Can We Do? (best practices)
• Access Control Overview
• Phases of Attacks and Defenses
• Small Business and Home Practices

CSI/FBI Survey Results (06/2004)
The Computer Security Institute (CSI) held its ninth annual Computer Crime and Security Survey with the following results:
• Financial losses totaled $141.5 million (494 respondents); a significant decrease from the 530 respondents reporting $202 million last year.
• The most expensive computer crime was denial of service (DoS). Theft of intellectual property, the prior leading category, was the second most expensive last year.
• The vast majority of organizations in the survey do not outsource computer security activities.
The survey suggests that organizations that raise their level of security awareness have reason to hope for measurable returns on their investments.
"Men are from Mars, Women are from Venus. Computers are from Hell!"

Four Objectives of Computer Security
"A bus station is where a bus stops. A train station is where a train stops. On my desk I have a workstation..."
Security Goals
• Confidentiality keeps information from being read by unauthorized people.
• Integrity assures that information stored in a computer is never contaminated or changed in a way that is not appropriate.
• Availability ensures that the data can be accessed by all authorized people.
"The nice thing about standards is that there are so many to choose from."

Security Goals
• Availability: addresses issues from fault tolerance (to protect against denial of service) to access control (to ensure that data is available to those authorized to access it).
• Confidentiality: provides protection mechanisms for the data while it is stored and while it is transferred over networks between computers.
• Integrity: keeping data away from those who should not have it, and making sure that those who should have it can get it, are fairly basic ways to maintain the integrity of the data.
• NEW! Nonrepudiation: allows the formation of binding contracts without any paper being printed for written signatures (digital signatures).
"If it wasn't backed-up, then it wasn't important." — The sysadmin's motto.

Security Threats
"The problem with computers is they do what you tell them."

Security Threats – SANS Top 20 (www.sans.org)
Top Vulnerabilities to Windows:
• Web Servers & Services
• Workstation Service
• Windows Remote Access Services
• Microsoft SQL Server (MSSQL)
• Windows Authentication
• Web Browsers
• File-Sharing Applications
• LSAS Exposures (OSPF)
• Mail Client
• Instant Messaging
Top Vulnerabilities to UNIX:
• BIND Domain Name System
• Web Server
• Authentication
• Version Control Systems
• Mail Transport Service
• Simple Network Management Protocol (SNMP)
• Open Secure Sockets Layer (SSL)
• Misconfiguration of Enterprise Services NIS/NFS
• Databases
• Kernel
"A computer's attention span is only as long as its power cord."
Tools Used for Attacking and Auditing Systems on the Net
• Port Scanners
• Windows Enumeration
• Web Hacking
• Password Cracking/Brute Force
• Backdoors and Remote Access
• Simple Source Auditing
• Combination Systems Auditing
• Port Redirection
• Sniffers
• Wireless Tools
• War Dialers
• TCP/IP Stack
"ASCII stupid question, get a stupid ANSI!"

Internet Tools
• Port Scanners (Nmap, SuperScan, IpEye, Fscan, WUPS, Udp_scan)
• Windows Enumeration (Winfingerprint, GetUserInfo, Enum, PsTools)
• Web Hacking
  • Vulnerability Scanners (Whisker, Nikto, Stealth, Twwwscan/Arirang)
  • All-Purpose (Curl, OpenSSL, Stunnel)
  • Application Inspection (Achilles, WebSleuth, Wget)
• Password Cracking/Brute-Force
  • PassFilt.dll and Windows Password Policies
  • PAM and UNIX Password Policies
  • OpenBSD login.conf
"ERROR: Computer possessed; Load EXOR.SYS ? [Y/N]"

Portscan Threat Example
Below is a capture of a malicious port scan. This is seen from the administrator's side of the field (TCPDUMP capture; the first line is cut off in the original):

    535> (DF) [tos 0x10]
    20:38:27.470402 66.90.95.X.22 > 66.252.X.2.61627: P 271600:271792(192) ack 289 win 65535 <nop,nop,timestamp 880842161 1498707535> (DF) [tos 0x10]
    20:38:27.470426 66.90.95.X.22 > 66.252.X.2.61627: P 271792:271984(192) ack 289 win 65535 <nop,nop,timestamp 880842161 1498707535> (DF) [tos 0x10]
    20:38:27.470437 66.252.X.2.61627 > 66.90.95.X.22: . ack 260016 win 50180 <nop,nop,timestamp 1498707535 880842155> (DF)

Here is the view from the attacker's side using NMAP:

    Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-11-30 21:57 EST
    Interesting ports on (66.252.X.2):
    (The 1655 ports scanned but not shown below are in state: filtered)
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    113/tcp  open  auth
    443/tcp  open  https

This shows us what services are running on this network. An attack could be staged on each or any of the services. A Denial of Service (DoS) attack would target open ports in an attempt to slow/halt the system's connections. An exploit attack would be directed at the flaws of the service running on that port, i.e. HTTP (Web Browsers) can be buffer overrun with the right knowledge and software.
"The definition of a hacker? Someone who, after installing a new program, goes immediately into the [Tools][Options] menu."

What If MS Created NMap?

Web Server Exploit Attempt
The following is a real capture of an exploit attempt on 30-NOV-04. Httpd access log (66.205.59.245 is the attacker's IP; the request line is a buffer overflow attempt):

    66.205.59.245 - - [30/Nov/2004:20:18:16 -0500] "SEARCH /[long repeated run of hex-escaped bytes omitted]

Basically, this is a repeated string of text that is sent to a web server in an attempt to overflow the buffer.
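As an added example (not part of the original slides), the following Python detector parses tcpdump lines in the format of the capture above and raises an alert when one source sends bare SYNs to many distinct ports of a host in a short window, which is what the nmap run looks like from the administrator's side. The sample capture is constructed: it reuses the three slide lines (an established ssh flow, which must not trigger) plus an invented 12-port sweep from 198.51.100.7 and two ordinary connection attempts from 203.0.113.4; the addresses, ports and thresholds are assumptions.

```python
import re
from collections import defaultdict

# One tcpdump 3.x text line, e.g. (from the capture above):
# 20:38:27.470402 66.90.95.X.22 > 66.252.X.2.61627: P 271600:271792(192) ack 289 ...
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{1,6})\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for lines that are
    not packet summaries (e.g. the truncated first line of the capture)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    secs += int(m["us"].ljust(6, "0")) / 1_000_000
    return {"time": secs, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def detect_port_scans(lines, threshold=10, window=5.0):
    """Return one alert per (source, destination) pair that received bare SYNs
    (flags == 'S') on at least `threshold` distinct ports within `window`
    seconds. ACK/PSH packets of established flows, like the ssh data in the
    capture above, never count."""
    recent = defaultdict(list)      # (src, dst) -> [(time, dport), ...] inside the window
    alerts, open_alerts = [], {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":
            continue
        key = (pkt["src"], pkt["dst"])
        bucket = recent[key]
        bucket.append((pkt["time"], pkt["dport"]))
        while bucket and pkt["time"] - bucket[0][0] > window:
            bucket.pop(0)           # expire entries that fell out of the window
        ports = {p for _, p in bucket}
        if len(ports) < threshold:
            continue
        alert = open_alerts.get(key)
        if alert is None:           # first time this pair crosses the threshold
            alert = {"src": pkt["src"], "dst": pkt["dst"],
                     "first": bucket[0][0], "ports": set()}
            open_alerts[key] = alert
            alerts.append(alert)
        alert["ports"] |= ports     # keep accumulating the probed ports
        alert["last"] = pkt["time"]
    for alert in alerts:
        alert["ports"] = sorted(alert["ports"])
    return alerts


# Constructed sample capture: the three lines from the slide (established ssh
# flow, does not trigger), a SYN sweep of 12 ports from 198.51.100.7, and two
# legitimate connection attempts from 203.0.113.4 (below the threshold).
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 113, 139, 443, 445, 3306]
SAMPLE_CAPTURE = [
    "535> (DF) [tos 0x10]",
    "20:38:27.470402 66.90.95.X.22 > 66.252.X.2.61627: P 271600:271792(192) ack 289 win 65535 <nop,nop,timestamp 880842161 1498707535> (DF) [tos 0x10]",
    "20:38:27.470426 66.90.95.X.22 > 66.252.X.2.61627: P 271792:271984(192) ack 289 win 65535 <nop,nop,timestamp 880842161 1498707535> (DF) [tos 0x10]",
    "20:38:27.470437 66.252.X.2.61627 > 66.90.95.X.22: . ack 260016 win 50180 <nop,nop,timestamp 1498707535 880842155> (DF)",
] + [
    f"21:57:{3 + i // 10:02d}.{(i % 10) * 100000:06d} 198.51.100.7.{45000 + i} > 192.0.2.10.{port}: "
    f"S {1000 + i}:{1000 + i}(0) win 1024 <mss 1460>"
    for i, port in enumerate(SCANNED_PORTS)
] + [
    "21:58:10.000000 203.0.113.4.50001 > 192.0.2.10.80: S 5000:5000(0) win 65535 <mss 1460>",
    "21:58:11.000000 203.0.113.4.50002 > 192.0.2.10.443: S 5001:5001(0) win 65535 <mss 1460>",
]

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_CAPTURE):
        print(f"port scan: {a['src']} -> {a['dst']} probed {len(a['ports'])} ports "
              f"in {a['last'] - a['first']:.1f}s: {a['ports']}")
```

Lowering the threshold shows the trade-off: at threshold=2 the two ordinary connections from 203.0.113.4 would be reported as a scan too.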
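As a second added example (again not from the original slides), this Python triage script parses httpd access-log lines like the one above and flags the two things that make the captured request stand out: a request method the server is not expected to serve, and a request line made of hundreds of escaped non-printable bytes (Apache writes such bytes as \xHH in the log). The sample log is constructed; 203.0.113.45 stands in for the attacking host, and the thresholds and allowed-method list are assumptions.

```python
import re
from collections import Counter

# Apache common/combined log line, as in the httpd access log above. Apache
# writes non-printable request bytes as \xHH, which is why an overflow
# payload shows up as a long run of escapes in the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"'
    r'(?: (?P<status>\d{3}) (?P<size>\S+))?'
)
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}   # assumed site policy


def analyze_request(line, max_len=2048, min_escapes=16):
    """Classify one access-log line. Returns None if it does not parse,
    otherwise a dict whose 'reasons' list is empty for a normal request."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    req = m["req"]
    method = req.split(" ", 1)[0]
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append(f"unexpected method {method!r}")
    escapes = len(ESCAPE_RE.findall(req))
    if escapes >= min_escapes:          # a few escapes are normal (UTF-8 paths)
        reasons.append(f"{escapes} escaped non-printable bytes in request line")
    if len(req) > max_len:
        reasons.append(f"request line of {len(req)} bytes")
    return {"ip": m["ip"], "ts": m["ts"], "method": method,
            "status": m["status"], "reasons": reasons}


def triage_access_log(lines, **thresholds):
    """Return (findings, per_ip): the suspicious entries and how many each
    source produced. A large per-source count is the 8 MB-in-30-minutes
    pattern the slide describes."""
    findings = []
    for line in lines:
        result = analyze_request(line, **thresholds)
        if result and result["reasons"]:
            findings.append(result)
    per_ip = Counter(f["ip"] for f in findings)
    return findings, per_ip


# Constructed sample log. The overflow request mimics the shape of the captured
# one (a \x90 byte followed by a repeated \x02\xb1 pair) with a much shorter run.
OVERFLOW_PATH = "/" + r"\x90" + r"\x02\xb1" * 60
SAMPLE_LOG = [
    '198.51.100.20 - - [30/Nov/2004:20:17:58 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.21 - - [30/Nov/2004:20:18:02 -0500] "GET /docs/caf' + r"\xc3\xa9" + '.pdf HTTP/1.1" 200 88120',
    '203.0.113.45 - - [30/Nov/2004:20:18:16 -0500] "SEARCH ' + OVERFLOW_PATH + '"',
    '198.51.100.22 - - [30/Nov/2004:20:18:20 -0500] "POST /login HTTP/1.1" 302 0',
    '203.0.113.45 - - [30/Nov/2004:20:18:17 -0500] "SEARCH ' + OVERFLOW_PATH + ' HTTP/1.1" 400 335',
]

if __name__ == "__main__":
    findings, per_ip = triage_access_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ip']} {f['ts']} {f['method']}: " + "; ".join(f["reasons"]))
    print("suspicious requests per source:", dict(per_ip))
```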
If this attack was successful (un-patched web server) it would drop them into a UNIX/TS shell prompt, and then they are in the system. Most UNIX web server administrators won't allow web servers to run as root; however, there are plenty out there that do. This attack filled about 8 megs of log space in a matter of 30 minutes. A simple solution is to stay patched and make sure you have the proper IDS/firewalling/filtering in place prior to rolling out a global Web server.
"A computer program does what you tell it to do, not what you want it to do." — Greer's Third Law.

Internet Tools, cont'd
• Password Cracking/Brute Force Tools
  • John the Ripper
  • L0phtCrack
  • Grabbing Windows Password Hashes (Pwdump, Lsadump2, Winhash, Ddumper, XSCAN)
  • Active Brute-Force (SMBGrind, Nbaudit, John the ripper2x)
• Backdoors and Remote Access (VNC, Netbus, Back Orifice, SubSeven, Loki, stcpshell, Knark, AGOBOT, Phatbot, SDBOT)
• Simple Source Auditing (Flawfinder, RATS)
• Combination System Auditing (Nessus, STAT, Retina, Internet Scanner, Tripwire)
"Before software can be reusable it first has to be usable." — Ralph Johnson.

Network Tools
• Port Redirection (datapipe, Fpipe)
• Sniffers (BUTTSniffer, Tcpdump, Windump, Ethereal, Dsniff, Snort)
• Wireless (Netstumbler, AiroPeek)
• War Dialers (ToneLoc, THC-Scan)
• TCP/IP Stack (ISIC, Iptest, Nemesis)
"It's 5.50 a.m.... Do you know where your stack pointer is?"

What Can We Do?
• Take steps to increase security awareness: education, training, periodic bulletins, etc. cultivate user acceptance of the security technologies that need to be deployed.
• Policies need to be established and enforced: they describe the responsibilities of individuals and groups in safeguarding organizational assets from loss or misuse.
• IT infrastructure needs to be security-enabled: IT and network administrators need to keep themselves informed about security vulnerabilities and fixes, including best-of-breed technologies and methodologies for coping with security threats.
• On-going vigilance, in the form of vulnerability assessments, must be part of the operational routine: security should be seen as a work in progress and never a finished project. Hackers adapt; so should the organization.

Policies and Settings
Policy: No outside Web access.
  Firewall setting: Drop all outgoing packets to any IP, port 80.
Policy: Outside connections to the public Web server only.
  Firewall setting: Drop all incoming TCP SYN packets to any IP except 150.160.170.180, port 80.
Policy: Prevent Web-radios from eating up the available bandwidth.
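As an added example (not from the original slides), the two firewall settings above are written out as a first-match rule list and evaluated against a few constructed packets. The "drop everything except 150.160.170.180 port 80" policy becomes an explicit accept placed before a catch-all drop. The evaluation also makes two limits of the policy as written visible: the outgoing rule names only port 80, so HTTPS (443) is still allowed out, and the inbound rule only covers TCP SYNs, so UDP and non-SYN TCP pass under the assumed default-accept. The packet model, rule fields and default action are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    proto: str              # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    syn_only: bool = False  # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    direction: Optional[str] = None   # None in any field means "matches anything"
    proto: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    syn_only: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.direction, p.direction), (self.proto, p.proto),
                 (self.dst_ip, p.dst_ip), (self.dst_port, p.dst_port),
                 (self.syn_only, p.syn_only))
        return all(want is None or want == have for want, have in pairs)


WEB_SERVER_IP = "150.160.170.180"     # address from the policy table

# The two policies from the slide as a first-match rule list.
RULES = [
    Rule("no outside web access", "drop", direction="out", dst_port=80),
    Rule("allow public web server", "accept", direction="in", proto="tcp",
         dst_ip=WEB_SERVER_IP, dst_port=80, syn_only=True),
    Rule("drop other inbound connections", "drop", direction="in", proto="tcp",
         syn_only=True),
]


def evaluate(packet: Packet, rules=RULES, default="accept") -> Tuple[str, str]:
    """First matching rule decides; unmatched packets get the default action
    (assumed accept here, which is exactly what lets the gaps below through)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "default"


if __name__ == "__main__":
    samples = [
        Packet("out", "tcp", "203.0.113.9", 80),                    # blocked by policy 1
        Packet("out", "tcp", "203.0.113.9", 443),                   # gap: HTTPS not covered
        Packet("in", "tcp", WEB_SERVER_IP, 80, syn_only=True),      # the only allowed inbound SYN
        Packet("in", "tcp", WEB_SERVER_IP, 22, syn_only=True),      # dropped
        Packet("in", "tcp", "150.160.170.181", 80, syn_only=True),  # wrong host: dropped
        Packet("in", "udp", WEB_SERVER_IP, 53),                     # gap: rule is TCP SYN only
    ]
    for p in samples:
        action, why = evaluate(p)
        print(f"{p.direction:>3} {p.proto} {p.dst_ip}:{p.dst_port} syn={p.syn_only} -> {action} ({why})")
```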