IP Addresses

Every system connected to a network has a unique Internet Protocol (IP) address, which acts as its identity on that network. An IP address is a 32-bit address divided into four fields of 8 bits each. For example: 203.94.35.12

All data sent or received by a system is addressed from or to that system's IP address. An attacker's first step is to find out the IP address of the target system.

IP Addresses: Finding out an IP Address

A remote IP address can easily be found out by any of the following methods:
- Through instant messaging software
- Through Internet Relay Chat
- Through your website
- Through email headers

Finding an IP Address via Instant Messengers

1. Ask your friend to come online and chat with you.
2. Case 1: If you are chatting on ICQ, then the following direct connection exists between your system and your friend's system:

   Your System ------ DIRECT CONNECTION ------> Friend's System
   Friend's System ------ DIRECT CONNECTION ------> Your System

   Now go to the MS-DOS prompt (the command line) and type:

   C:\>netstat -n

   This command will give you the IP address of your friend's computer.
3. Case 2: If you are chatting on other messengers like MSN, Yahoo etc., then the following indirect connection exists between your system and your friend's system:
   Your System ------ Chat Server ------> Friend's System
   Friend's System ------ Chat Server ------> Your System

   Thus in this case you first have to establish a direct connection with your friend's computer, either by sending him a file or by using the call feature. Then go to the MS-DOS prompt (the command line) and type:

   C:\>netstat -n

   This command will give you the IP address of your friend's computer.

Countermeasures

- Do not accept file transfers or calls from unknown people.
- Chat online only after logging on through a proxy server. A proxy server acts as a buffer between you and the untrusted network known as the Internet, hence protecting your identity.

  Case 1: Your System ------ Proxy Server ------ Friend's System
  Case 2: Your System ------ Proxy ------ Chat Server ------ Friend's System

- Some good proxy servers are:
  - Wingate (for the Windows platform)
  - Squid (for Unix platforms)
Finding an IP Address via Internet Relay Chat

It is very easy to get the IP address of your friend through IRC:

1. Ask your friend to chat with you on IRC.
2. Type the following command to get his IP address:

   /whois nicknameofvictim

If this does not work, then one can send a file to the friend and use the 'netstat' command to get his IP address.

Countermeasures
- One should connect to the IRC server through a proxy.
- One should not accept any files or direct chat requests from unknown people.
- One can also use the command below to hide one's IP address:

  /mode your_nickname +x   OR   /mode your_nickname +

Finding an IP Address via your Website

One can easily log the IP addresses of all visitors to a website by using simple Java applets or JavaScript code.

Countermeasures

- One should surf the Internet through a proxy server.
- One can also make use of the numerous free anonymous surfing proxy services. For example, www.anonymizer.com

Finding an IP Address via Email Headers

Hotmail.com, along with numerous other email service providers, adds the IP address of the sender to each outgoing email. A typical excerpt of such a header, from an email sent from a Hotmail account, is:

Return-Path: <[email protected]>
Received: from hotmail.com by delhi1.mtnl.net.in (8.9.1/1.1.20.3/26Oct99-0620AM)
	id TAA0000032714; Sun, 23 Jan 2000 19:02:21 +0530 (IST)
Message-ID: <[email protected]>
Received: from 202.54.109.174 by www.hotmail.com with HTTP; Sun, 23 Jan 2000 05:30:14 PST
X-Originating-IP: [202.xx.109.174]
IP Addresses: Dangers & Concerns
- DoS attacks
- Disconnect from the Internet
- Trojans
- Exploitation
- Geographical information
- File-sharing exploits
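Returning to the Hotmail header excerpt under "Finding an IP Address via Email Headers": the following is an added example, not code from the original slides, of how a mail administrator tracing an abusive or spoofed message would pull the originating address out of the Received chain and the X-Originating-IP header. The sample headers are constructed after the slide's excerpt, with placeholder mailbox names; the function and variable names are my own. It also shows the check a practitioner wants: only the hop written by a server you run can be vouched for, because every earlier Received line could have been forged by the sender.

```python
# Added example (not from the original slides): extracting the sender's IP
# from Received / X-Originating-IP headers, and separating the part of the
# chain you can trust from the part the sender could have written.
import re
from email import message_from_string
from email.message import Message

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# One hop: "from <sending host> ... by <receiving host>" (headers may be folded)
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

# Constructed after the slide's Hotmail excerpt; mailbox names are placeholders.
SAMPLE = (
    "Return-Path: <sender@example.com>\n"
    "Received: from hotmail.com by delhi1.mtnl.net.in (8.9.1/1.1.20.3/26Oct99-0620AM)\n"
    "\tid TAA0000032714; Sun, 23 Jan 2000 19:02:21 +0530 (IST)\n"
    "Message-ID: <20000123053014.12345@hotmail.com>\n"
    "Received: from 202.54.109.174 by www.hotmail.com with HTTP; Sun, 23 Jan 2000 05:30:14 PST\n"
    "X-Originating-IP: [202.54.109.174]\n"
    "From: sender@example.com\n"
    "To: recipient@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def parse_message(raw: str) -> Message:
    return message_from_string(raw)


def received_chain(msg: Message):
    """Return (from_host, by_host) hops in chronological order.
    Each MTA prepends its own Received header, so the last one is the first hop."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), m.group(2).rstrip(";")))
    return list(reversed(hops))


def originating_ip(msg: Message):
    """Best-effort origin: X-Originating-IP if present, else the 'from' side
    of the earliest Received hop that is a literal IPv4 address."""
    xo = msg.get("X-Originating-IP")
    if xo:
        m = IPV4.search(xo)
        if m:
            return m.group(1)
    for frm, _by in received_chain(msg):
        m = IPV4.search(frm)
        if m:
            return m.group(1)
    return None


def last_trusted_handoff(msg: Message, trusted_hosts):
    """The 'from' side of the outermost hop written by a server you run: the
    only address in the chain you can actually vouch for. Walks newest to
    oldest and stops at the first hop not written by a trusted host."""
    handoff = None
    for frm, by in reversed(received_chain(msg)):   # newest first
        if by not in trusted_hosts:
            break
        handoff = frm
    return handoff


if __name__ == "__main__":
    msg = parse_message(SAMPLE)
    print("chain:", received_chain(msg))
    print("claimed origin:", originating_ip(msg))
    print("verifiable handoff:", last_trusted_handoff(msg, {"delhi1.mtnl.net.in"}))
```

For the sample, the claimed origin is 202.54.109.174, but the only hop the receiving ISP (delhi1.mtnl.net.in) can verify is the handoff from hotmail.com; everything below that line rests on Hotmail's honesty and on the sender not having injected fake Received headers.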
General Hacking Methodology

A typical attacker works in the following manner:

1. Identify the target system.
2. Gather information on the target system.
3. Find a possible loophole in the target system.
4. Exploit this loophole using exploit code.
5. Remove all traces from the log files and escape without a trace.

Scanning, Fingerprinting & Information Gathering

- Port Scanning
- Daemon Banner Grabbing
- ICMP Scanning, Host Detection and Information Gathering Techniques
- Remote OS Fingerprinting Techniques
  - Active Fingerprinting
  - Passive Fingerprinting
  - Email Headers Fingerprinting

Port Scanning Unscanned: An Introduction

Port scanning means scanning the target system in order to get a list of open ports (i.e. ports listening for connections) and the services running on these open ports.
- Port scanning is normally the first step that an attacker undertakes.
- It is used to get a list of open ports, services and the operating system running on the target system.
- It can be performed easily by using different methods.
- Manual port scanning can be performed using the well-known 'Telnet' program.
- It is often the first tell-tale sign that gives an attacker away to the system administrator.

Port Scanning Unscanned: TCP Connect Scanning

The port scanner establishes a full three-way TCP/IP handshake with each port on the remote system.

Attacker ------ SYN packet ------> Target System
Case 1 (Open):   Target System ------ SYN/ACK packet ------> Attacker
                 Attacker ------ ACK packet ------> Target System
Case 2 (Closed): Target System ------ RST/ACK packet ------> Attacker

- The classic example of port scanning.
- Easily detected and traced.
- Accurate and the fastest port scanning method.

Port Scanning Unscanned: TCP Connect Scanning (contd.)

The regular three-way TCP/IP handshake is depicted below:

1. Client ------ SYN packet ------> Host
2. Host ------ SYN/ACK packet ------> Client
3. Client ------ ACK packet ------> Host

Detection and Countermeasures

- Initialization and termination of connections on multiple ports from the same remote IP address.
- Only monitoring can be done. No effective countermeasure is available without compromising the services offered by the system.
Port Scanning Unscanned: TCP SYN Scanning

Also known as 'half-open scanning', because only half of the complete three-way TCP/IP handshake is established.

Attacker ------ SYN packet ------> Target System
Case 1 (Open):   Target System ------ SYN/ACK packet ------> Attacker
Case 2 (Closed): Target System ------ RST/ACK packet ------> Attacker

- An example of stealth port scanning; thus a bit difficult to trace, but not impossible.
- Can be detected if commands like netstat show a lot of connections in the 'SYN_RECEIVED' state.
- Can be countered by creating a router or firewall rule that does not allow more than a pre-defined number of half-open connections from the same IP address.

Port Scanning Unscanned: SYN/ACK Scanning

In this method, the port scanner proceeds as below:

Attacker ------ SYN/ACK packet ------> Target System
Case 1 (Closed): Target System ------ RST packet ------> Attacker
Case 2 (Open):   The target system does not send any response.

- Can be detected only using a packet sniffer or a traffic logger.
- Highly unreliable.
- Easily filtered using firewall or router rules.

Port Scanning Unscanned: FIN Scanning

In this method, the port scanner proceeds as below:

Attacker ------ FIN packet ------> Target System
Case 1 (Open):   The target system does not respond to the packet.
Case 2 (Closed): Target System ------ error message ------> Attacker

- This type of scanning is stealthy only to a certain extent.
- It is inaccurate with non-Unix operating systems.
- Can be filtered using a firewall or router rule. Example: filter all FIN packets that do not come from IP addresses with which a connection has been established in the recent past.

Port Scanning Unscanned: NULL Scanning

In this method, the port scanner proceeds as below:

Attacker ------ NULL packet ------> Target System
Case 1 (Open):   No reply or error message from the application.
Case 2 (Closed): Target System ------ RST packet ------> Attacker

NOTE: A NULL packet is one with all flags (SYN, ACK, RST etc.) turned off.

- Works accurately with only selected operating systems.
- On receiving a NULL packet, a system does not know what to do with it, as all flags have been turned off in the packet.

Port Scanning Unscanned: XMAS Tree Scanning

In this method, the port scanner proceeds as below:

Attacker ------ XMAS packet ------> Target System
Case 1 (Open):   No reply or error message from the application.
Case 2 (Closed): Target System ------ RST packet ------> Attacker

NOTE: An XMAS packet is one with all flags (SYN, ACK, RST etc.) turned on.

- Works accurately with only selected operating systems.
- On receiving an XMAS packet, a system again does not know what to do with it, as every flag has been turned on in the packet.

Port Scanning Unscanned: Security Threats
Port Scanning is commonly used by computer attackers to get the following information about the target system:
- List of open ports
- Services running
- Exact names and versions of all the services or daemons
- Operating system name and version
All this information can collectively prove invaluable when the attacker actually tries to infiltrate the target system.
Port Scanning Unscanned: Major Tools Available

Some of the best and most commonly used port scanners are:
- Nmap
- Strobe
- Hping

Common features of all the above port scanners:
- Very easy to use
- Display detailed results
The easy usability and the detailed reports generated by popular port scanners have led to an alarming increase in the number of script kiddies.

Port Scanning Unscanned: Counter-Attack Strategies

Although it is impossible to stop clients from port scanning your network, it is advisable to take all possible measures against possible attackers. Some useful anti-port-scanning software is:
- Scanlogd (a Unix-based port scan detector and logger)
- BlackICE (a Windows-based port scan detector and logger)
- Snort (a packet sniffer cum IDS)
- Abacus PortSentry (capable of detecting both normal and stealth port scanning attempts)
Other than the above tools, it is always advisable to disable as many services as possible. In other words, one should try to close as many ports as possible, without compromising on the services offered by that system.
Port Scanning Unscanned: Anonymous Port Scanning

Here, the attacker performs port scanning via a proxy server. The proxy server acts as a buffer between the attacker and the target system, and all communication between the two parties takes place only via this proxy server. No direct connection is established:

Attacker ------> Proxy Server ------> Target System
Target System ------> Proxy Server ------> Attacker

Counter-attack tools are rendered useless for tracing the attacker, since the only address they see is the proxy server's.
Daemon Banner Grabbing

It is the process of getting useful bits of information about the target system by recording the welcome banners of the daemons running on its various ports. Daemon banner grabbing can be used to get the following information about the target system:
- Daemon name and version number.
- Operating system.
- Security measures used.
- Possible points of entry.
It can easily be executed manually using 'Telnet' or by using port scanners.

Daemon Banner Grabbing: Possible Countermeasures

- Edit the default welcome message and ensure important information is not given out.
- Misguide the attacker by displaying false daemon banners.
- Use a long false daemon banner and, in the background, record information on the client and try to trace him.

ICMP Scanning: An Introduction
- The Internet Control Message Protocol (ICMP) is the de facto protocol used for reporting errors that might have occurred while transferring data packets over networks.
- Extremely useful in information gathering.
- Originally designed for network diagnosis and to find out what went wrong in data communication.
- Can be used to find out the following:
- Host detection
- Operating system information
- Network topography information
- Firewall detection
ICMP Scanning: An Introduction (contd.)

Each ICMP message has a 'type' and a 'code' value, the unique combination of which corresponds to the specific error message that it is carrying. For example, an ICMP message with a 'type' value of 3 and a 'code' value of 3 represents the "Port Unreachable" error message, while an ICMP message with a 'type' value of 3 and a 'code' value of 2 represents the "Protocol Unreachable" error message.

ICMP Scanning: Host Detection Techniques

This technique reveals to the attacker whether or not a particular host is connected to the Internet (i.e. alive or not). It makes use of the 'Echo Request' and 'Echo Reply' ICMP messages.

Working:

Client ------ ICMP Echo Request ------> Host
Case 1 (Alive):     Host ------ ICMP Echo Reply ------> Client
Case 2 (Not Alive): There is NO response from the host.
ICMP Scanning: Host Detection Techniques (contd.)

Does this ICMP host detection technique ring a bell? Yes, it is indeed popularly known as the 'ping' command or utility. The 'ping' utility can be used to determine whether the remote host is alive or not. Ping's working is similar to that of a real-life sonar system (see the example below).

The ping command can be used by the attacker for the following purposes:
- Host detection.
- To clog up valuable network resources by sending an endless stream of 'Echo Request' ICMP messages.
- Firewall detection.

ICMP Scanning: Host Detection - Ping Example

Below is sample output of a PING command executed on a Windows machine:

C:\WINDOWS>ping mail2.bol.net.in

Pinging mail2.bol.net.in [203.94.243.71] with 32 bytes of data:

Reply from 203.94.243.71: bytes=32 time=163ms TTL=61
Reply from 203.94.243.71: bytes=32 time=185ms TTL=61
Reply from 203.94.243.71: bytes=32 time=153ms TTL=61
Reply from 203.94.243.71: bytes=32 time=129ms TTL=61
...

ICMP Scanning: Host Detection Countermeasures

Echo Requests (PING messages) can easily be filtered at the router level by using the Access Control List (ACL) entry below (ICMP type 8 is Echo Request):

access-list 101 deny icmp any any 8

To filter out all Echo Requests except those coming from, say, your ISP, the permit entry must be listed before the deny entry, because an ACL is evaluated top to bottom and the first matching entry wins:

access-list 101 permit icmp xx.xx.xx.xx 0.0.0.255 any 8
access-list 101 deny icmp any any 8

Every ACL also ends with an implicit deny, so when the list is applied to an interface it needs a trailing permit entry (for example, permit ip any any) for the traffic that should still pass.
ICMP Scanning: Time Stamping OS Detection Techniques

This technique lets one system query another system for the current time on the latter. It can also be used for operating system detection. It makes use of the 'Timestamp Request' and 'Timestamp Reply' ICMP messages.

Working:

Client ------ ICMP Timestamp Request ------> Host
Host ------ ICMP Timestamp Reply ------> Client

Depending upon the response, the operating system running on the host can sometimes be deduced.

ICMP Scanning: Time Stamping Countermeasures

Timestamp Requests can easily be filtered at the router level by using the Access Control List (ACL) entry below (ICMP type 13 is Timestamp Request):

access-list 101 deny icmp any any 13

To filter out all Timestamp Requests except those coming from, say, your ISP, list the permit entry before the deny entry (first match wins):

access-list 101 permit icmp xxx.xxx.xxx.xxx 0.0.0.255 any 13
access-list 101 deny icmp any any 13
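The two ACL countermeasures above (Echo Request and Timestamp Request) both depend on entry order and on the implicit deny at the end of a Cisco-style access list. The following is an added example, not code from the original slides and not a vendor implementation, of a small first-match evaluator for exactly the kind of numbered ACL lines the slides quote. It parses the lines, applies wildcard masks the way the router does, and shows that with 'deny any' listed first the ISP's pings are dropped too, and that without a closing 'permit ip any any' the list blocks all non-ICMP traffic as well. The ISP range 203.0.113.0/24 and the test addresses are constructed placeholders; the function names are my own.

```python
# Added example (not from the original slides): a first-match evaluator for
# the numbered, Cisco-style ACL lines the slides quote. It shows why the
# 'permit your ISP' entry has to come before 'deny any', and why an
# interface ACL needs a final 'permit ip any any' for the traffic that should
# still pass. The ISP range 203.0.113.0/24 is a constructed placeholder.
import ipaddress


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care'; 0.0.0.255 is a /24."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(base) & care)


def _endpoint(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Turn 'access-list N action proto src dst [icmp-type]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _endpoint(t, 4)
        dst, i = _endpoint(t, i)
        icmp_type = int(t[i]) if i < len(t) else None
        rules.append((action, proto, src, dst, icmp_type))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, icmp_type=None):
    """Walk the list top to bottom; the first matching entry decides.
    A packet that matches nothing hits the implicit deny at the end."""
    for action, rproto, (sb, sw), (db, dw), rtype in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw)):
            continue
        if rtype is not None and rtype != icmp_type:
            continue
        return action
    return "deny"


# The order as printed on the slides: 'deny any' first swallows the ISP too.
SLIDE_ORDER = """
access-list 101 deny icmp any any 8
access-list 101 permit icmp 203.0.113.0 0.0.0.255 any 8
"""

# Corrected order, plus the final permit an interface ACL needs for other traffic.
CORRECTED = """
access-list 101 permit icmp 203.0.113.0 0.0.0.255 any 8
access-list 101 deny icmp any any 8
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    for name, text in (("slide order", SLIDE_ORDER), ("corrected", CORRECTED)):
        rules = parse_acl(text)
        print(name,
              "| ISP echo:", evaluate(rules, "icmp", "203.0.113.7", "10.0.0.1", 8),
              "| other echo:", evaluate(rules, "icmp", "198.51.100.9", "10.0.0.1", 8),
              "| tcp:", evaluate(rules, "tcp", "198.51.100.9", "10.0.0.1"))
```

The same evaluator covers the Timestamp Request list by changing the type from 8 to 13. Real IOS also accepts keywords such as echo in place of the numeric type and supports ICMP codes, which this toy parser does not model.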
ICMP Scanning: Address Mask Messages Technique

This technique can be used to find out the address mask of the target system. It makes use of the 'Address Mask Request' and 'Address Mask Reply' ICMP messages.

Working:

Client ------ ICMP Address Mask Request ------> Host
Host ------ ICMP Address Mask Reply ------> Client

Such a technique can easily be filtered at the router level by using an ACL similar to the ones discussed earlier.
ICMP Scanning: OS Detection Techniques

There are numerous ICMP query messages that one can generate and send across a network. When a host receives a particular type of ICMP query message, it generates a predefined response according to its operating system. The contents of that response vary from one OS to another but are the same for every host running the same OS. In other words, the response of a host to a particular type of ICMP message depends heavily on the OS running on it: the same ICMP message sent to a Unix system and a Windows system will generate two different responses.

ICMP Scanning: OS Detection Techniques (contd.)

By sending ICMP messages to a host and comparing the responses invoked against the known responses, one can deduce the OS running on the host.

Working:

1. Send particular ICMP messages to the remote host.
2. Record the response that you get from the remote system in Step 1.
3. Compare the response received to the already known responses of the various operating systems, so that you can deduce the exact OS name and version running on the remote host.