network security scan
play

Network Security: Scan Seungwon Shin, KAIST some slides from Dr. - PowerPoint PPT Presentation

Apr 13, 2023 •367 likes •675 views

Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden More about Scan Scan Techniques Network scanning where is a target? which service is available on a target? can I have more information? Vulnerability scanning

  1. Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden

  2. More about Scan

  3. Scan Techniques Network scanning where is a target? which service is available on a target? can I have more information? Vulnerability scanning which vulnerable services are running on a target?

  4. ICMP Scan ICMP protocol used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached several types type 8 echo request ping packet type 13 timestamp request from nmap.org type 15 information request RARP , BOOTP (rarely used) type 17 subnet address mask request find the subnet mask used by the target host

  5. ICMP Scan Example Nmap send ping packet not so effective ICMPScan a bulk scanner that sends type 8, 13, 15, and 17 messages example icmpscan -c -t 500 -r 1 192.168.1.0/24 c: enable promiscuous mode t: timeout for probe response (ms) r: retries for each probe xprobe2 can do OS fingerprinting with ICMP example xprobe2 -v 192,168.0.174

  6. xprobe2 example

  7. How xprobe2 works How to fingerprint use OS specific implementation of TCP/IP stack 14:42:36.105884 IP (tos 0x6, ECT(0) , ttl 64 , id 19475, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.4 > 192.168.0.101 : ICMP echo request, id 19639, seq 1, length 64 14:42:36.107486 IP (tos 0x0, ttl 128 , id 59791, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.101 > 192.168.0.4 : ICMP echo reply, id 19639, seq 1, length 64 Linux Windows XP SP2 192.168.0.101 192.168.0.4 Linux 192.168.0.100 14:45:59.273678 IP (tos 0x6, ECT(0) , ttl 64 , id 49892, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.4 > 192.168.0.100 : ICMP echo request, id 22065, seq 1, length 64 14:45:59.275212 IP (tos 0x6, ECT(0) , ttl 64 , id 56932, offset 0, flags [none], proto: ICMP (1), length: 84) 192.168.0.100 > 192.168.0.4 : ICMP echo reply, id 22065, seq 1, length 64

  8. TCP Scan usual connect( ) call scan half-open TCP SYN scan kind of stealthy inverse TCP flag scan ACK flag scan TCP fragmentation scan with the help of a third-party FTP bounce

  9. Inverse TCP flag F/W and IDS will detect (or record) a SYN packet sent to some sensitive network ports e.g., port 80, 443, and etc An attacker can evade by sending FIN probe packet (FIN flag) XMAS probe (FIN, URG, and PUSH flag) NULL probe (no flags) TCP FIN packet to 80 attacker target if open: no response if closed: RST/ACK RFC 793: out of state packet to an open port - discard

  10. FTP Bounce Scan Why do we need this? hide an attacker attacker 1. set up a connection 2. issue a PORT command 3. issue a LIST command 6. deliver the results FTP server 4. create a connection to the target 5. response from the target target

  11. FTP Bounce Scan PORT 143.248.111.100:23 200 PORT command successful LIST 143.248.111.100:23 LIST 143.248.111.100:23 150 Opening ASCII mode data connection for the list 425 Can’t build data connection: Connection refused 226 transfer complete 23 closed 23 open

  12. Others Some more useful tools whois dig nslookup web search and much more

  13. Vulnerability Scan Vulnerability scanner an automated tool that scans hosts and networks for known vulnerabilities and weaknesses find which host is vulnerable to what Examples NESSUS now commercial product OpenVAS fork of NESSUS, open source Retina commercial product

  14. Vulnerability Scan How it works Similar to virus scanning software: Contain a database of vulnerability signatures that the tool searches for on a target system Cannot find vulnerabilities not in the database New vulnerabilities are discovered often Vulnerability database must be updated regularly

  15. Vulnerability Scan Find what Network vulnerabilities Host-based (OS) vulnerabilities Misconfigured file permissions Open services Missing patches Vulnerabilities in commonly exploited applications Web, DNS, and mail servers

  16. Vulnerability Scan target GUI target Vulnerability Scanning Engine Database target Knowledge Base target Results target

  17. OpenVAS • www.openvas.org

  18. Case Study

  19. Interesting Research Work A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan written by Ang Cui and Salvatore J. Stolfo Columbia University Published in ACSAC 2012 Student Best Paper

  20. Problem Domain and Goal Embedded Devices have been known that they are Insecure and available as a source for new, stealthy botnets Then, how to know if it is true A global scan method can be used in getting some clues

  21. Approach Scan the world Identify Embedded Devices Scan the world’s largest cisco-IOS | web_cisco-web level_15_access | web_cisco-web Residential ISPs Linksys SPA Configuration | web_linksys-spa Commercial ISPs Linksys PAP2 Configuration | web_linksys-pap2 EDU, GOV etc SpeedStream Router Configurator | web_speedstream DD-WRT Control Panel | web_ddwrt Scan in United States Asia Europe Try the default password root: username_prompt: ['sername:'] username: ['cisco � ] askuser: true passstr: ['assword:'] incorrect: [sername, assword] success: ['\$', '\#', '>'] passwords: ['cisco � ] deviceType: cisco linesep: ''

  22. Scan Recognizance scan large portions of the internet port 23 (telnet) and 80 (http) Identification try to connect all telnet and http servers detect their manufacturer and model of the device Verification try to log in with the default password

  23. Result Distribution of vulnerable embedded devices total number: 540,435

  24. Result Distribution of vulnerable embedded devices (types)

  25. Result

  26. Why is this important? – Router Exploitation • DIK (Da IOS Rootkit, Sebastian Muniz) – http://eusecwest.com/esw08/esw08-muniz.pdf • Router Transit Vulnerabilities (Felix Linder) – http://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit- SLIDES.pdf • Reliable Cisco IOS Exploit (Felix Linder) – http://www.phenoelit-us.org/stuff/FX_Phenoelit_25c3_Cisco_IOS.pdf – Router Botnet • Network Bluepill – http://dronebl.org/blog • Keiten Bot – Helel Mod 1.0 – Ezba � Elohim – Runs on D-link routers – http://packetstormsecurity.nl/irc/kaiten.c

  27. Some Extension When Firmware Modifications Attack: A Case Study of Embedded Exploitation NDSS, 2013 The State of Embedded-Device Security (Spoiler Alert: It's Bad) IEEE S&P Magazine, 2012 Shodan!

  28. Shodan It is a search engine that allows you to look for devices connected to the internet mostly embedded devices webcam, wireless AP , and etc How to provide search results? scanning networks

  29. Shodan

  30. Shodan

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Pieter Abbeel UC Berkeley EECS Many slides adapted from Thrun, Burgard and Fox, Probabilistic Robotics Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a map and a map, find the

831 views • 50 slides
Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Pieter Abbeel UC Berkeley EECS Many slides adapted from Thrun, Burgard and Fox, Probabilistic Robotics Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a map and a map, find the

650 views • 49 slides
Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Pieter Abbeel UC Berkeley EECS Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a map and a map, find the rigid-body n transformation (translation+rotation) that aligns them best

710 views • 26 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
P P Partial Partial-Scan & Scan ti l ti l S S Scan & Scan & S & S

P P Partial Partial-Scan & Scan ti l ti l S S Scan & Scan & S & S

Testability: Lecture Testability: Lecture 24 24 P P Partial Partial-Scan & Scan ti l ti l S S Scan & Scan & S & S Variations Variations Variations Variations Shaahin Hessabi Department of Computer Engineering

335 views • 17 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Eike Ritter Network Security -

881 views • 38 slides
Dataset Coverage Deployed MCA on 4 different cloud providers 31 vantage points in 5 continents

Dataset Coverage Deployed MCA on 4 different cloud providers 31 vantage points in 5 continents

Dataset Coverage Deployed MCA on 4 different cloud providers 31 vantage points in 5 continents 1 Dataset Coverage Deployed MCA on 4 different cloud providers 31 vantage points in 5 continents MCA measurements to 19866 IPv4

342 views • 11 slides
UDP Scanning John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago, IL 60604

UDP Scanning John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago, IL 60604

UDP Scanning John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago, IL 60604 FIRST 2002 John Kristoff - DePaul University 1 What are we talking about? Remotely probing hosts using UDP messages Comparing UDP, ICMP

346 views • 12 slides
Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security

Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security

Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Project

481 views • 15 slides
BPF as a revolutionary technology for the container landscape Daniel Borkmann, Cilium.io

BPF as a revolutionary technology for the container landscape Daniel Borkmann, Cilium.io

BPF as a revolutionary technology for the container landscape Daniel Borkmann, Cilium.io FOSDEM20 Landscape: continuously decreasing lifetime Source: sysdig 19 container usage report Landscape: continuously increasing density Source:

762 views • 39 slides
Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source

Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source

Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source address? Hide the attackers activity nmap decoy option Hide the attackers identity To be able to view the responses, the attacker

548 views • 17 slides
Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of

Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of

Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of Computer Science Saarland University Saarbr ucken, Germany December 18, 2013 C4 2 / 14 C4 Frontend Lexer Parser C-Code Token Stream AST 2 /

907 views • 43 slides
Outline basic ideas ICMP header format message types ICMP related command (ping

Outline basic ideas ICMP header format message types ICMP related command (ping

1 /20 ICMP: Internet Control Message Protocol Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last updated: Aug 8, 2002 Applied Network Research Group Department of Computer Engineering,

981 views • 9 slides
New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou

New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou

New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou Fall Jean-Louis Roch GreHack15, Grenoble, November 20 th 2015 1 New Results for the PTB-PTS Attack on Tunneling Gateways Packet Too Big (PTB) or

597 views • 20 slides

More recommend