2 questions, 130 words per answer; 2 references per question, one from the module and one from the internet.
Discuss/describe one or more LAN based attacks (also known as layer 2 attacks or lower layer attacks) which are not covered in the Module 3, or share any additional thoughts you may have on LAN based attacks covered in Module 3
Discuss/describe the port scanning and/or enumeration techniques (attacks) not covered in Module 2. How can the attacks you have described be detected and prevented?
UMUC
Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640
© UMUC 2012 Page 1 of 34
Contents
Topic 1: Analogy (page 2)
  Analogy: Network Traffic (page 2)
Topic 2: Module Introduction (page 4)
Topic 3: Layer 2 and Switch Basics (page 5)
  Layer 2 Technology: Ethernet (page 5)
  Layer 2 Switch Operation (page 7)
Topic 4: Layer 2: MAC Attacks (page 10)
  MAC Flooding Attacks (page 10)
  MAC Spoofing Attacks (page 12)
  Activity (page 14)
  Mitigating MAC Attacks (page 15)
Topic 5: Layer 2: Address Resolution Protocol Exploitation (page 16)
  Address Resolution Protocol (page 16)
  ARP Spoofing Attacks (page 18)
  Activity: Try This! (page 20)
Topic 6: Layer 3: Router Vulnerabilities (page 22)
  Router Attacks and Vulnerabilities (page 22)
  Routing Table Modification (page 23)
  Preventing Routing Table Modification (page 24)
  Activity: Routing Updates and MD5 Authentication (page 26)
Topic 7: Summary (page 32)
Glossary (page 33)
Switching and Routing Vulnerabilities
CSEC 640 – Module 3
Topic 1: Analogy
Analogy: Network Traffic
Just as we use stop signs and traffic lights to safely guide vehicles along roads and highways,
computer networks use their own traffic guidance systems. On a computer network, traffic is
handled using routers and switches that ensure the secure and efficient exchange of data.
Consider an analogy comparing vehicle traffic with data traffic.
Managing Network Traffic
Slide 1
Imagine you are driving and you come to an intersection with four stop signs. It takes a while to
cross because everyone has to take turns, and there can be confusion.
Now imagine what the traffic would be like if there were an overpass, where one of the roads
went over the other. That way, no one would have to stop. This model of an overpass is a
simplified way to think of a switch.
Slide 2
A switch does the same thing as a hub and a bridge, but more effectively.
A switch lets you add computers to your network and makes virtual connections between
computers that need to “talk” to each other. As soon as the computers have finished talking to
each other, the virtual connection is broken. Breaking the connection right away eliminates
collisions in network traffic.
The only shortcoming of a switch is that it will not keep a broadcast from tying up the
communication lines. When one computer needs to find the address of another computer, it
sends out a broadcast over the whole network to find the address. Each computer in the
network receives the broadcast and “looks” to see if it is the intended recipient.
The broadcast can occupy the network because none of the other computers can send a
message while it is taking place. Routers solve this problem.
Slide 3
Routers do everything that a switch does, but they use a different method to address the
packets of information—they use IP addresses. A router acts like a post office. It decides the
best route that a packet can take to get to different networks.
A router can divide your network into different subnetworks and contain a broadcast within a
smaller area so that the whole network does not need to receive the broadcast. The router
keeps your resources from being tied up with unnecessary network traffic jams.
This process is like taking a city—that is, your network—and dividing it into neighborhoods.
When the residents in one locality want to publicize a neighborhood watch meeting, they can tell
the post office to mail fliers only within that neighborhood so the post office does not waste
resources sending notices to distant areas.
A router can perform exactly this type of role, if it is so programmed.
Topic 2: Module Introduction
In the TCP/IP model, the higher layers such as the application layer, TCP layer, and IP layer are
all based on the Layer 2 (data link layer) technologies.
This module provides a background on Layer 2 technologies, such as Ethernet, followed by a
look at the operation of Layer 2 switches. The module also discusses Media Access Control
(MAC) attacks and their mitigation, exploitation of the Address Resolution Protocol (ARP), and
router (Layer 3) vulnerabilities.
Topic 3: Layer 2 and Switch Basics
Layer 2 Technology: Ethernet
Ethernet is a group of Layer 2 protocols for local area networks (LANs). Ethernet is the most
predominant LAN standard. Most often, the term Ethernet is used to signify IEEE 802.3.
Introduction
The network interface card (NIC) of a host—PC, printer, or server—is connected to a Layer 2
device, such as a switch or hub. The IEEE 802.3 protocol specifies how a message is framed
and transmitted on the Layer 1 wire by the NIC.
Like all other hardware in the network, the NIC has a unique address called a Media Access
Control (MAC) address. MAC addresses are 48-bit-long unique identifiers written into hardware
devices by their manufacturers. These addresses are expressed as 12 hexadecimal digits and
used by most Layer 2 technologies including Ethernet. An example of a MAC address is 5C-26-0A-35-56-8A.
A user can find the MAC address of a PC by entering the command ipconfig /all at the Windows
command prompt.
The Ethernet Frame
The Ethernet frame is used to transmit data from a source to a destination and ranges from 72
to 1,518 bytes in length.
Destination/Source MAC Addresses
The Destination/Source MAC Addresses field specifies the MAC addresses of the source and
destination hosts. For instance, consider a network with a Host A PC and a Host B PC. The
MAC addresses of Host A and Host B are 56-34-23-34-9A and 5A-45-56-23-9A, respectively. If
Host A sends a frame to Host B, the source MAC address in the frame becomes 56-34-23-34-9A,
Host A’s MAC address. The destination MAC address becomes 5A-45-56-23-9A, or Host
B’s MAC address. A switch routes this frame based on the source and destination MAC
addresses.
Type
The Type field indicates the Layer 3 protocol in the Data field. For instance:
If the Type field contains a value of 0x0800, the Data field contains an IP packet.
If the Type field contains a value of 0x0806, the Data field contains an Address
Resolution Protocol (ARP) message.
Topic 3: Layer 2 and Switch Basics
Layer 2 Switch Operation
Layer 2 devices, such as switches, route an Ethernet frame based on the source and
destination MAC addresses. A switch relies on a forwarding table to forward a frame to a
destination MAC address just as a router uses a routing table to forward an IP packet to a
destination IP address. The forwarding table is called a MAC address table or a content
addressable memory (CAM) table. This module uses the term MAC table to refer to the CAM
table.
Initially, the MAC table of a switch is empty; the switch does not know the MAC address of a
PC, printer, or any other attached device. Consider the following example: a LAN consists of
Host A with a MAC address of AAAA, Host B with a MAC address of BBBB, Host C with a MAC
address of CCCC, and a switch.
Note that in the real world, MAC addresses are 48 bits long; the addresses used here are
shortened to simplify the example. Hosts A, B, and C are connected to the first, second, and
third Ethernet ports, Fa0/1, Fa0/2, and Fa0/3, respectively. Assume that the switch’s MAC table
can hold only two entries. In reality, MAC tables have much larger capacities.
Example
Step 1
Initially, the MAC table is empty. A frame originating from Host A arrives at the first Ethernet port
on the switch (Fa 0/1). Host A wants to communicate with a host whose MAC address is BBBB,
the destination address in the frame.
The switch inspects the source MAC address to determine whether there is already an existing
entry in the table. Since the MAC table is empty, a new entry is made that records the source
MAC address and the port number. By recording these details in the MAC table, the switch
specifies where to send a frame when it needs to be sent to the source MAC address.
Step 2
Since the switch does not know where the destination MAC address BBBB is, it simply floods
the frame on all active ports. In other words, the switch sends a copy of the frame to every port
in the LAN, hoping that the frame will reach the destination host.
In this example, the switch floods the frame on Fa 0/2 and Fa 0/3. This process is known as
unknown unicast flooding.
Step 3
When Host B, the intended recipient of the frame, receives the frame, it replies with a response
frame. In this frame, note that the source and destination MAC addresses are reversed
compared to the original frame that Host A sent.
When the switch receives this frame, it tries once again to search for a match in its MAC table.
Since there is no match, a new entry is added to the MAC table, recording the MAC address
BBBB and the port Fa 0/2. In this example, since the MAC table can hold only two entries, it is
at capacity.
Step 4
Once the MAC table is full, Host A sends a frame whose source address is AAAA and
destination address is BBBB. The switch receives the frame and inspects the destination MAC
address to check for a corresponding entry in the MAC table. Since the second entry is a match,
the switch forwards the frame to port Fa 0/2 (Host B).
Topic 4: Layer 2: MAC Attacks
MAC Flooding Attacks
What Is a MAC Flooding Attack?
When a switch’s MAC table becomes full, the switch begins to flood frames on all active ports.
In other words, when the switch begins to flood all active ports, any host on the same LAN can
intercept any other frame regardless of its destination MAC address.
In a flooding attack, an attacker tries to create a permanently full MAC table that will force the
switch to flood (broadcast) all traffic on all active ports. The attack is launched from one of the
ports on a LAN so all communication taking place on that LAN is visible to the attacker. This
visibility enables the attacker to monitor all frames passed through the switch and to obtain
useful, sensitive information, including the data in the frame, the MAC address, and the IP
address of the victim host.
Example: MAC Flooding Attack
Step 1
The attacker generates a continuous set of frames with random source and destination MAC
addresses using tools such as MACOF, Ettercap, or Yersinia. Since the MAC table of the switch
has limited storage, it eventually runs out of space and cannot add new entries.
Step 2
The victim host tries to communicate with another host.
Step 3
Since there is no corresponding MAC table entry for the destination host, every frame sent by
the victim host will be flooded to all ports. The attacker can see all the traffic sent from the victim
host.
Topic 4: Layer 2: MAC Attacks
MAC Spoofing Attacks
What Is a MAC Spoofing Attack?
In a MAC spoofing attack, the attacker first identifies the MAC address of a victim host by
launching a MAC flooding attack on a LAN. The attacker then generates a fake frame by
entering the victim’s MAC address in the source field of the fake frame. The switch receives the
fake frame from the attacker’s host and updates its MAC table accordingly.
Example: MAC Spoofing Attack
Step 1
The attacker’s host performs a MAC flooding attack and obtains useful information about its
neighboring hosts, such as MAC and IP addresses. The attacker crafts a frame with the source
MAC address BBBB, the MAC address of Host B.
Step 2
Upon receiving the attacker’s frame, the switch accordingly updates its MAC table with the MAC
address BBBB and its corresponding interface, Fa 0/3, which points to the attacker.
Step 3
The victim sends a frame with a destination MAC address of BBBB. The switch finds a match in
the MAC table and forwards the frame to the attacker’s host rather than to the intended host,
Host B.
Topic 4: Layer 2: MAC Attacks
Activity
You will now be presented with a few questions based on Layer 2 and MAC attacks.
Question 1: On what basis do Layer 2 devices such as switches route Ethernet frames?
a. Layer 2 devices route Ethernet frames based on IP addresses.
b. Layer 2 devices route Ethernet frames based on MAC addresses.
c. Layer 2 devices route Ethernet frames based on the IP address table.
Correct answer: Option b
Feedback:
Layer 2 devices such as switches route Ethernet frames based on the source and destination
MAC addresses. A switch relies on a MAC table to forward a frame to a destination MAC
address, just as a router uses a routing table to forward an IP packet to a destination IP
address.
Question 2: Which of the following scenarios describes unknown unicast flooding?
a. A switch flooding an Ethernet frame on all active ports when it cannot locate a source MAC
address
b. A switch attempting to make additional entries in a MAC table that is at capacity
c. A switch flooding an Ethernet frame on all active ports when it cannot locate a destination
MAC address
d. Ethernet frames being sent without a destination MAC address
Correct answer: Option c
Feedback:
In unknown unicast flooding, when a switch cannot locate a particular destination MAC address,
it will simply flood an Ethernet frame on all active ports, hoping that the frame will reach the
destination host.
Question 3: Which of the following statements describes a MAC flooding attack?
a. An attacker tries to create a permanently full MAC table that will force a switch to flood traffic
on all active ports.
b. An attacker attempts to inject fake or misleading MAC addresses into a MAC table.
c. An attacker generates a fake frame by entering the victim’s MAC address in the source field
of the fake frame.
Correct answer: Option a
Feedback:
In a MAC flooding attack, an attacker tries to create a permanently full MAC table that forces the
switch to flood all traffic on all active ports. The attack is launched from one of the ports on a
LAN so all communication taking place on that LAN is visible to the attacker. This visibility
enables the attacker to monitor all frames passed through the switch and obtain useful
information.
Topic 4: Layer 2: MAC Attacks
Mitigating MAC Attacks
Some common ways to prevent or mitigate MAC flooding and spoofing attacks include
implementing measures such as port security and unicast flood protection.
Port Security
Port security ties a given MAC address to a port by preventing any MAC addresses other
than the preconfigured ones from showing up on a secure port. Upon detection of an invalid
MAC address, the switch can be configured to block only the offending MAC or to simply
shut down the port.
For instance, on a Cisco switch you can assign a secure MAC address to a secure port with the
interface configuration command
(config-if)# switchport port-security mac-address 001E.1345.AE32
If an attacker’s machine sends a frame with a source MAC address other than 001E.1345.AE32 to
the securely configured port, the switch will block the offending frame or shut down the port.
Port security prevents MAC flooding and spoofing attacks.
Unicast Flood Protection
A switch floods an incoming frame on all active ports if it cannot find a corresponding entry
in the MAC table or if the MAC table is full. The unicast flood protection feature allows a
system administrator to set a limit on the number of unicast floods. When flood protection
detects unknown unicast floods exceeding the predefined limit, it sends an alert and shuts
down the port that is generating the floods.
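As an added example (not part of the module), the following Python model of a switch replays the MAC-table learning steps from "Layer 2 Switch Operation", the MAC flooding and MAC spoofing attacks from this topic, and the two mitigations above. Port names, the two-entry table and the injected MAC addresses are constructed; real switches also age out table entries, which this model omits.

```python
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str    # source MAC address
    dst: str    # destination MAC address
    port: str   # ingress port the switch received the frame on


@dataclass
class Switch:
    ports: list                                     # active ports, e.g. ["Fa0/1", ...]
    capacity: int = 2                               # MAC table size (tiny, as in the module)
    flood_limit: int = 0                            # unicast flood protection; 0 = off
    mac_table: dict = field(default_factory=dict)   # MAC -> port (no ageing modelled)
    secure_mac: dict = field(default_factory=dict)  # port -> the one MAC allowed on it
    shutdown: set = field(default_factory=set)      # ports shut down by a mitigation
    flood_count: dict = field(default_factory=dict) # port -> unknown unicast floods caused

    def forward(self, f: Frame) -> list:
        """Process one frame and return the egress ports it is sent out of."""
        if f.port in self.shutdown:
            return []                                # shut port: frame dropped
        # Port security: only the preconfigured MAC may appear on a secure port;
        # the violation action modelled here is "shutdown".
        allowed = self.secure_mac.get(f.port)
        if allowed is not None and f.src != allowed:
            self.shutdown.add(f.port)
            return []
        # Learn (or move) the source MAC unless the table is full.
        if f.src in self.mac_table or len(self.mac_table) < self.capacity:
            self.mac_table[f.src] = f.port
        # Known destination: forward on the learned port only.
        if f.dst in self.mac_table:
            return [self.mac_table[f.dst]]
        # Unknown destination: unknown unicast flooding on every other active port.
        self.flood_count[f.port] = self.flood_count.get(f.port, 0) + 1
        if self.flood_limit and self.flood_count[f.port] > self.flood_limit:
            self.shutdown.add(f.port)                # unicast flood protection
            return []
        return [p for p in self.ports if p != f.port and p not in self.shutdown]


PORTS = ["Fa0/1", "Fa0/2", "Fa0/3"]   # Host A, Host B, attacker (Host C's port)


def learning_demo() -> dict:
    """Steps 1-4 of 'Layer 2 Switch Operation': A (AAAA) and B (BBBB) exchange frames."""
    sw = Switch(ports=PORTS)
    step1 = sw.forward(Frame("AAAA", "BBBB", "Fa0/1"))   # BBBB unknown -> flooded
    step3 = sw.forward(Frame("BBBB", "AAAA", "Fa0/2"))   # reply; table now full
    step4 = sw.forward(Frame("AAAA", "BBBB", "Fa0/1"))   # match -> Fa0/2 only
    return {"step1": step1, "step3": step3, "step4": step4, "table": dict(sw.mac_table)}


def mac_flooding_demo(mitigation: str = "none") -> dict:
    """MAC flooding from Fa0/3 with no mitigation, port security or flood protection."""
    sw = Switch(ports=PORTS)
    if mitigation == "port-security":
        sw.secure_mac["Fa0/3"] = "CCCC"    # only Host C's MAC is allowed on Fa0/3
    elif mitigation == "flood-protection":
        sw.flood_limit = 3                 # a 4th unknown unicast flood shuts the port
    for i in range(6):                     # constructed bogus source/destination MACs
        sw.forward(Frame(f"F{i:03X}", f"E{i:03X}", "Fa0/3"))
    egress = sw.forward(Frame("AAAA", "BBBB", "Fa0/1"))   # the victim talks to Host B
    return {"victim_egress": egress, "attacker_shut": "Fa0/3" in sw.shutdown,
            "table": dict(sw.mac_table)}


def mac_spoofing_demo(port_security: bool = False) -> dict:
    """MAC spoofing: the attacker on Fa0/3 forges Host B's source MAC BBBB."""
    sw = Switch(ports=PORTS)
    if port_security:
        sw.secure_mac["Fa0/3"] = "CCCC"
    sw.forward(Frame("AAAA", "BBBB", "Fa0/1"))           # AAAA learned on Fa0/1
    sw.forward(Frame("BBBB", "AAAA", "Fa0/2"))           # BBBB learned on Fa0/2
    sw.forward(Frame("BBBB", "AAAA", "Fa0/3"))           # forged frame moves BBBB to Fa0/3
    egress = sw.forward(Frame("AAAA", "BBBB", "Fa0/1"))  # where does A's frame to B go now?
    return {"victim_egress": egress, "attacker_shut": "Fa0/3" in sw.shutdown}


if __name__ == "__main__":
    print("learning:", learning_demo())
    for m in ("none", "port-security", "flood-protection"):
        print("flooding,", m, ":", mac_flooding_demo(m))
    print("spoofing, no port security:", mac_spoofing_demo(False))
    print("spoofing, port security   :", mac_spoofing_demo(True))
```

With no mitigation the victim's frame leaves on Fa0/2 and Fa0/3, so the attacker sees it; with either mitigation Fa0/3 is shut down before that happens.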
Topic 5: Layer 2: Address Resolution Protocol Exploitation
Address Resolution Protocol
Address Resolution Protocol (ARP) is a protocol used to find the MAC address of a host when
the IP address of the host is known.
How Does ARP Work?
Consider an example to see how ARP works.
Assume that Host A, with the IP address 192.168.1.1/24, needs to send a frame to a destination
host with the IP address of 192.168.1.3/24.
To send the frame, Host A needs to know the MAC address of the destination host. By
comparing its own IP address with the destination host’s IP address, Host A knows that the
destination host is part of the same LAN as itself.
Host A sends an Ethernet broadcast frame. Note that the standard address for Ethernet
broadcasts is FFFF.FFFF.FFFF.
Upon receiving the broadcast frame, the switch floods the frame on all ports in the LAN, and all
the hosts in the LAN receive this broadcast frame. This broadcast frame is known as an ARP
request.
Host B and Host C receive the ARP request from Host A. Host C sends a solicited ARP reply to
Host A. The ARP reply contains Host C’s MAC address and IP address.
Upon receiving the ARP reply, Host A knows the MAC address of the host whose corresponding
IP address is 192.168.1.3.
What Is Gratuitous ARP?
Consider an example to understand Gratuitous ARP.
Sending a Gratuitous ARP means sending an ARP reply when no ARP request has been made.
Host C sends an unsolicited ARP reply to the broadcast address FFFF.FFFF.FFFF to tell its
neighboring hosts in the LAN that its MAC address is CCCC.
Topic 5: Layer 2: Address Resolution Protocol Exploitation
ARP Spoofing Attacks
An ARP spoofing attack, also known as ARP poisoning, enables an attacker to sniff out all IP
packets sent to the target host. Consider an example of how an ARP spoofing attack is carried
out.
Step 1
The attack is initiated by a host with the IP address 192.168.1.2. The attacker’s host machine
sends a fake Gratuitous ARP to Host A. The fake Gratuitous ARP tells Host A that 192.168.1.3
is tied to the MAC address BBBB. Note that 192.168.1.3 is actually tied to Host C, not the
attacker. Upon receiving the fake Gratuitous ARP, Host A adds a new entry to its ARP table,
correlating the MAC address BBBB with the IP address 192.168.1.3.
Step 2
As seen with the frame sent by Host A, all the IP packets intended for Host C are sent to the
attacker’s MAC address. This is because Host A believes that Host C’s MAC address is BBBB,
which is actually the attacker’s MAC address.
Step 3
As soon as the attacker receives the packet from Host A, it masquerades as Host C by sending
an acknowledgment packet back to Host A.
Step 4
The attacker forwards the packet originally sent by Host A to Host C. Host C believes that this
packet is from Host A. The attacker has achieved its goal, which is to intercept and read, or
sniff, the packet originating from Host A.
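The following Python model, added here and not part of the module, replays the ARP exchanges of this topic (the solicited reply for 192.168.1.3, Host C's own Gratuitous ARP, then the attacker's fake one) against Host A's ARP cache and against a passive monitor of the kind a defender would run on a mirror port. The addresses are the module's; the message records, the monitor and the static-entry mode are constructed.

```python
from dataclasses import dataclass

REQUEST, REPLY = 1, 2
BROADCAST = "FFFF.FFFF.FFFF"


@dataclass(frozen=True)
class Arp:
    op: int             # REQUEST or REPLY
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str     # BROADCAST for a request or a Gratuitous ARP


class HostArpCache:
    """ARP table of one host. trusting=True is the behaviour the module describes:
    every reply naming an IP is recorded, solicited or not. trusting=False models
    administrator-pinned static entries that dynamic replies cannot overwrite."""

    def __init__(self, trusting=True, static=None):
        self.trusting = trusting
        self.table = dict(static or {})

    def receive(self, msg: Arp) -> bool:
        """Apply one ARP message; return True if the table changed."""
        if msg.op != REPLY:
            return False
        if not self.trusting and msg.sender_ip in self.table:
            return False                         # pinned entry wins
        changed = self.table.get(msg.sender_ip) != msg.sender_mac
        self.table[msg.sender_ip] = msg.sender_mac
        return changed


class ArpMonitor:
    """Passive detector fed from a mirror (SPAN) port, in the spirit of arpwatch.
    It remembers which IPs were asked for, so it can separate solicited from
    unsolicited replies, and keeps the first IP->MAC binding seen so that any
    later change (the poisoning signature) raises a HIGH alert."""

    def __init__(self):
        self.pending = set()     # IPs requested and not yet answered
        self.bindings = {}       # IP -> first MAC seen claiming it
        self.alerts = []

    def observe(self, msg: Arp):
        if msg.op == REQUEST:
            self.pending.add(msg.target_ip)
            return None
        solicited = msg.sender_ip in self.pending
        self.pending.discard(msg.sender_ip)
        first = self.bindings.setdefault(msg.sender_ip, msg.sender_mac)
        if first != msg.sender_mac:
            alert = (f"HIGH {msg.sender_ip} was {first}, now claimed by {msg.sender_mac}"
                     + ("" if solicited else " in an unsolicited reply"))
        elif not solicited:
            alert = f"INFO gratuitous/unsolicited reply for {msg.sender_ip} from {msg.sender_mac}"
        else:
            return None
        self.alerts.append(alert)
        return alert


def replay(trusting: bool = True):
    """Replay the topic's exchanges and return (Host A's MAC for 192.168.1.3
    at the end, the monitor's alerts)."""
    host_a = HostArpCache(trusting, None if trusting else {"192.168.1.3": "CCCC"})
    monitor = ArpMonitor()
    exchange = [   # constructed records of the module's exchanges, in order
        Arp(REQUEST, "192.168.1.1", "AAAA", "192.168.1.3", BROADCAST),  # A: who has .3?
        Arp(REPLY, "192.168.1.3", "CCCC", "192.168.1.1", "AAAA"),       # C: solicited reply
        Arp(REPLY, "192.168.1.3", "CCCC", "192.168.1.3", BROADCAST),    # C: its own Gratuitous ARP
        Arp(REPLY, "192.168.1.3", "BBBB", "192.168.1.1", "AAAA"),       # attacker's fake one
    ]
    for msg in exchange:
        monitor.observe(msg)
        host_a.receive(msg)
    return host_a.table.get("192.168.1.3"), monitor.alerts


if __name__ == "__main__":
    for trusting in (True, False):
        mac, alerts = replay(trusting)
        print(f"trusting={trusting}: Host A maps 192.168.1.3 -> {mac}")
        for a in alerts:
            print("  ", a)
```

Host C's legitimate Gratuitous ARP only produces an INFO line because the binding it announces is the one already seen; the fake one changes the binding and is flagged HIGH.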
Topic 5: Layer 2: Address Resolution Protocol Exploitation
Activity: Try This!
Consider an example of a network with an attacker and two hosts, as shown here in Diagram A
and Diagram B. After the attacker’s host sends a fake Gratuitous ARP to Host A in Diagram A,
and Step 1 and Step 2 are completed in Diagram B, which of the following options would
correctly reflect the values in the switch’s MAC table? Assume that the MAC table is initially
empty.
Diagram A
Diagram B
a.
MAC Address   Interface
1. AAAA       Fa 0/1
2. BBBB       Fa 0/2
b.
MAC Address   Interface
1. BBBB       Fa 0/2
2. AAAA       Fa 0/1
c.
MAC Address   Interface
1. BBBB       Fa 0/2
2. CCCC       Fa 0/3
Correct answer: Option b
Feedback:
The source MAC address of the Gratuitous ARP frame sent to Host A is BBBB. This frame
originates from the attacker’s host and is forwarded to switch port Fa0/2. Therefore, the first line
in the MAC table is filled with BBBB as the MAC address and Fa0/2 as the interface.
When Host A sends an IP packet intended for Host C (Step 1 in Diagram B), the source MAC
address of the frame is AAAA and that frame is sent to switch port Fa 0/1. As a result, the
second line of the MAC table contains AAAA as the MAC address and Fa 0/1 as the interface.
Topic 6: Layer 3: Router Vulnerabilities
Router Attacks and Vulnerabilities
A router is a network device that routes IP packets across computer networks. Since a router
deals with IP packets, it is a Layer 3 device. When a packet arrives at a router, the router
inspects the IP header of the packet. Based on the destination and source IP addresses, the
router decides to which network device it will forward the packet. Routers are prone to various
types of attacks.
Routing Table Modification
Routing table modification, also known as a rerouting attack, is a common vulnerability unique
to routers. This attack involves manipulating router updates to route traffic to unwanted
destinations.
Other Common Attacks
Other common router attacks include:
Accessing and exploiting vulnerabilities: An attacker may exploit known vulnerabilities in
running services such as Hypertext Transfer Protocol (HTTP), Domain Name System
(DNS), and Dynamic Host Configuration Protocol (DHCP), or through brute force password
guessing. An attacker may also attempt to exploit known vulnerabilities in the router’s
operating software or protocols.
Launching denial of service (DoS) attacks: An attacker may perform various types of DoS
attacks.
Topic 6: Layer 3: Router Vulnerabilities
Routing Table Modification
Routers exchange information with each other to build their own routing tables. Attackers use
this act of exchanging information as an opportunity to destabilize or damage networks.
Introduction
Dynamic routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First
(OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) help determine the path of a
packet through a network without having to manually configure it.
Routers build routing tables by exchanging routing information with each other. When a packet
arrives at a router, it routes the packet based on this table. Attackers try to inject bogus entries
into routing tables in an attempt to compromise network stability. If a routing table is inaccurate,
packets could end up being dropped as they are routed to invalid destinations. This significantly
decreases the stability of the network.
Example: Routing Table Modification
As seen in this diagram, if a router uses the RIP version 1 routing protocol that does not
implement authentication or is not correctly configured, an attacker can send false routing
update packets to contaminate the routing table.
Without security measures in place, routers send routing updates in clear text. This enables an
attacker to masquerade as a trusted neighbor, send a bogus routing update, and pollute the
routing table.
Topic 6: Layer 3: Router Vulnerabilities
Preventing Routing Table Modification
Introduction
Network administrators can use routing protocols with authentication to prevent attacks based
on unauthorized routing changes. Authenticated router updates ensure that the update
messages come from a legitimate source.
The most commonly used form of authentication for routing protocol updates is MD5
authentication. This method is used to detect any unauthorized or false routing messages from
unknown sources. All dynamic routing protocols except RIP version 1 implement MD5
authentication.
Step 1
Router A uses its routing update along with the preshared key as an input to the hash function.
Then the hash function produces a keyed hash.
Step 2
Router A sends Router B a packet containing the keyed hash along with the routing update.
Note that the routing update is clear text.
Step 3
Router B uses the routing update from Router A, together with its own copy of the preshared
key, as an input to the hash function and obtains a keyed hash from the hash function.
Step 4
Router B compares the keyed hash it generated on the routing update, using the preshared key,
with the keyed hash received from Router A. If the two hash values match, Router B knows two
things for certain:
The routing update has originated from Router A (authentication).
The routing update has not been modified in transit (integrity).
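The four steps above, as an added Python example that is not part of the module: Router A attaches a keyed hash to a clear-text update, Router B recomputes and compares it. The keyed hash is the simplified MD5(update || preshared key), not the exact RFC 2082 trailer layout RIP version 2 uses on the wire; the update text and keys are constructed.

```python
import hashlib
import hmac


def keyed_hash(update: bytes, key: str) -> bytes:
    """Step 1: hash the clear-text routing update together with the preshared key.
    Simplified keyed MD5; the real RIP v2 / RFC 2082 trailer layout differs."""
    return hashlib.md5(update + key.encode()).digest()


def send_update(update: bytes, key: str) -> dict:
    """Step 2: Router A's packet carries the clear-text update plus the keyed hash."""
    return {"update": update, "digest": keyed_hash(update, key)}


def verify_update(packet: dict, key: str) -> bool:
    """Steps 3-4: Router B recomputes the hash with its own copy of the key and
    compares in constant time. True means: sent by a key holder and unmodified."""
    expected = keyed_hash(packet["update"], key)
    return hmac.compare_digest(expected, packet["digest"])


def demo() -> dict:
    key = "constructed-preshared-key-7Q2x"             # shared by Router A and Router B
    update = b"RIPv2 RESPONSE 172.16.0.0/24 metric 1"  # constructed clear-text payload
    packet = send_update(update, key)
    tampered = {"update": b"RIPv2 RESPONSE 172.16.0.0/24 metric 16",  # altered in transit
                "digest": packet["digest"]}
    return {
        "genuine": verify_update(packet, key),
        "tampered": verify_update(tampered, key),             # integrity check fails
        "wrong_key": verify_update(packet, "wrong-key"),       # sender without the key
        "digest_bytes": len(packet["digest"]),                 # 16-byte MD5 digest
        "readable": b"172.16.0.0/24" in packet["update"],     # payload is still clear text
    }


if __name__ == "__main__":
    print(demo())
```

The "readable" flag is the caveat that matters for Topic 6: the keyed hash gives origin authentication and integrity, but the update itself is not encrypted.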
Topic 6: Layer 3: Router Vulnerabilities
Activity: Routing Updates and MD5 Authentication
Introduction
Consider an example of a network that contains two routers: Router A and Router B. Both
routers are running the dynamic routing protocol RIP version 2.
Network Path Analysis
The diagram shows the routing table of Router B. As seen in the diagram, the dynamic routing
protocol RIP version 2 is currently running on both routers. RIP version 2 is an enhanced
version of the RIP version 1 routing protocol. As is the case with any dynamic routing protocol, a
router needs to send and receive routing updates to and from its neighboring routers to build a
routing table.
Routing Table Analysis
A routing table contains multiple rows. Each row contains at least two fields: a destination
address and the name of the interface where the IP packet should be routed, or the IP address
of another router that will carry the IP packet on its next step through the network.
For example, consider the routing table of Router B. We can interpret the line starting with R in
the routing table as “to reach the destination network 172.16.0.0, which is a network behind
Router A, a packet must be forwarded to the interface 10.10.10.1 of Router A.”
To build a routing table, routers must exchange their routing information with their neighboring
routers. In this example, Router A has only one network, 172.16.0.0/24, attached to itself.
Therefore, when Router A sends its routing update to Router B, this network address,
172.16.0.0/24, must be included in the update payload.
In addition, when RIP version 2 is configured to support MD5 authentication, a keyed hash (also
called keyed message digest) is also included in Router A’s routing update, along with the
routing update payload, which is clear text.
Reference: Cain & Abel product screenshot reprinted with permission from Massimiliano Montoro, the
developer of Cain & Abel.
Workspace
Screenshot A
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Screenshot B
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Question 1: Which of these screenshots shows an MD5 authenticated routing update sent by
Router A?
a. Screenshot A
b. Screenshot B
Correct answer: Option b
Feedback:
The routing update in Screenshot B has an Authentication: Keyed Message Digest field. This
clearly indicates that this update is sent by Router A, which supports MD5 authentication.
Question 2: The keyed hash or message digest value used in the routing update is
54 ee c9 71 a1 db ea 33 ba 22 15 fb 2b af 20 8a.
a. True
b. False
Correct answer: Option a
Feedback:
In Screenshot B, you can see the Authentication: Keyed Message Digest field. Within it, the
Authentication Data Trailer field carries the hash value “54 ee c9 71 a1 db ea 33 ba 22 15 fb 2b
af 20 8a”. This is the keyed hash or message digest used in the routing update.
Review
Step 1
Once again, consider the example of Router A and Router B, both of which are running RIP
version 2. A keyed MD5 hash can also be cracked easily if a system administrator uses a
simple password or preshared key to generate the keyed hash. To illustrate the point, assume
that the password “flower” was used when configuring routers A and B for MD5 authentication.
Also, assume that a packet sniffer, Cain & Abel, is being used to sniff out a routing update
originating from Router A.
Step 2
In sniffing mode, Cain & Abel sniffs routing updates and produces an output as shown in this
screenshot. The fields shown include Router, Version, Auth Type, and Last Hash. The Router
field contains two IP addresses: 10.10.10.1 and 10.10.10.2, which belong to routers A and B
respectively, as shown previously in the network diagram. A value of 2 in the Version field
indicates that RIP version 2 is running on both routers. The value MD5 in the Auth Type field
implies that MD5 authentication is being used for keyed hashing. Finally, the Last Hash field
shows the actual hash value being used.
Reference: Cain & Abel product screenshot reprinted with permission from Massimiliano Montoro, the
developer of Cain & Abel.
Step 3
Cain & Abel is first used in sniffing mode and then as a password-cracking tool. Applying a
dictionary attack, the intruder can easily identify the password “flower.”
Reference: Cain & Abel product screenshot reprinted with permission from Massimiliano Montoro, the
developer of Cain & Abel.
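As an added example (not code from the module), the following Python builds a RIPv2 Response carrying the RFC 2082 keyed MD5 trailer that Screenshot B shows as the Authentication Data Trailer, and verifies it the way a receiving router does: look up the key by Key ID, recompute the digest, and reject sequence numbers that go backwards. The route, sequence numbers and Router B's key table are constructed; the key "flower" and the 10.10.10.1 address come from the activity, and the layout assumes RFC 2082 (key zero-padded to 16 bytes in the place the digest will occupy).

```python
"""RFC 2082 keyed-MD5 authentication for RIPv2 updates (added example)."""
import hashlib
import hmac
import socket
import struct

RIP_RESPONSE, RIP_VERSION = 2, 2
AFI_AUTH = 0xFFFF
AUTH_TYPE_KEYED_MD5 = 3      # "Authentication: Keyed Message Digest" entry
AUTH_TYPE_TRAILER = 1        # "Authentication Data Trailer" entry
KEY_LEN = 16                 # key zero-padded to 16 bytes; MD5 digest is 16 bytes
ENTRY_LEN = 20               # every RIPv2 entry, auth header included, is 20 bytes


def _padded_key(password: bytes) -> bytes:
    if not 1 <= len(password) <= KEY_LEN:
        raise ValueError("RIPv2 MD5 key must be 1..16 bytes")
    return password.ljust(KEY_LEN, b"\x00")


def build_rip_md5_response(routes, key_id, seq, password):
    """Build a RIPv2 Response with an RFC 2082 keyed-MD5 trailer.

    routes: iterable of (prefix, mask, next_hop, metric) with dotted-quad
    strings; seq is the per-sender sequence number used for replay checks.
    """
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                    socket.inet_aton(mask), socket.inet_aton(next_hop), metric)
        for prefix, mask, next_hop, metric in routes)
    # "Packet Length" is the offset of the trailer: header + auth entry + routes.
    pkt_len = len(header) + ENTRY_LEN + len(body)
    auth_entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_TYPE_KEYED_MD5,
                             pkt_len, key_id, KEY_LEN, seq, b"\x00" * 8)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, AUTH_TYPE_TRAILER)
    unsigned = header + auth_entry + body + trailer_hdr
    # MD5 over the packet with the padded key where the digest will sit;
    # the digest then replaces the key on the wire.
    digest = hashlib.md5(unsigned + _padded_key(password)).digest()
    return unsigned + digest


class RipMd5Receiver:
    """Receiver-side checks: key lookup by Key ID, digest comparison, and a
    per-neighbour sequence number that must not go backwards (RFC 2082
    section 3.2.3, simplified: the zero-means-restart rule is omitted)."""

    def __init__(self, keys):
        self.keys = {kid: _padded_key(pw) for kid, pw in keys.items()}
        self.last_seq = {}                      # neighbour -> last accepted seq

    def verify(self, neighbour, packet):
        """Return (accepted, reason) for one received update."""
        if len(packet) < 4 + ENTRY_LEN + 4 + KEY_LEN:
            return False, "packet too short for an authenticated update"
        afi, atype, pkt_len, key_id, auth_len, seq = struct.unpack_from(
            "!HHHBBI", packet, 4)
        if afi != AFI_AUTH or atype != AUTH_TYPE_KEYED_MD5:
            return False, "no keyed-MD5 authentication entry"
        if auth_len != KEY_LEN or pkt_len + 4 + KEY_LEN != len(packet):
            return False, "inconsistent length fields"
        if struct.unpack_from("!HH", packet, pkt_len) != (AFI_AUTH, AUTH_TYPE_TRAILER):
            return False, "missing authentication data trailer"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id %d" % key_id
        expected = hashlib.md5(packet[:pkt_len + 4] + key).digest()
        if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
            return False, "digest mismatch: wrong key or modified update"
        if seq < self.last_seq.get(neighbour, 0):
            return False, "replayed update: sequence number went backwards"
        self.last_seq[neighbour] = seq
        return True, "ok"


# Constructed demonstration: Router A (10.10.10.1 in the module) advertises
# one constructed route to Router B using the weak key "flower".
ROUTER_A = "10.10.10.1"
SAMPLE_ROUTES = [("192.168.1.0", "255.255.255.0", "0.0.0.0", 1)]
METRIC_OFFSET = 4 + ENTRY_LEN + 16       # low byte of the first route's metric

if __name__ == "__main__":
    update = build_rip_md5_response(SAMPLE_ROUTES, key_id=1, seq=100, password=b"flower")
    router_b = RipMd5Receiver({1: b"flower"})
    print(router_b.verify(ROUTER_A, update))          # -> (True, 'ok')
    forged = bytearray(update)
    forged[METRIC_OFFSET] ^= 0x0F                     # change the metric in transit
    print(router_b.verify(ROUTER_A, bytes(forged)))   # -> digest mismatch
```

The digest check is what stops a modified or forged update; the sequence number is what stops an attacker simply replaying a captured, correctly authenticated one.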
Further Challenges
Measure the performance degradation or average delay time caused by the MD5 authenticated
routing update with respect to EIGRP, RIP version 2, and OSPF routing protocols. Which
routing protocol will suffer most from the performance degradation as the number of routers
participating in routing updates increases?
Topic 7: Summary
We have come to the end of Module 3. The key concepts covered in this module are listed
below.
Ethernet is a group of Layer 2 protocols for local area networks (LANs). IEEE 802.3
Ethernet is the most predominant LAN standard.
Layer 3 devices, such as routers, route packets based on the source and destination IP
addresses. Layer 2 devices, such as switches, route an Ethernet frame based on the
source and destination MAC addresses.
In a MAC flooding attack, the attacker creates a permanently full MAC table that forces
the switch to flood all traffic on all active ports.
For a MAC spoofing attack, the attacker first needs to find the MAC address of a victim
host by launching a MAC flooding attack on a LAN. The attacker can then generate a
fake frame by putting the victim’s MAC address in the source field of the fake frame. The
switch receives the fake frame from the attacker’s host and updates its MAC table
accordingly.
Address Resolution Protocol (ARP) is a protocol used to find the MAC address of a host,
given that its IP address is known.
The goal of an ARP spoofing attack is to enable the attacker to sniff out all IP packets
sent to the target host.
A router routes IP packets across computer networks. Routing table modification, also
known as a rerouting attack, is a common vulnerability unique to routers. This attack
involves manipulating router updates to route traffic to unwanted destinations.
The most commonly used form of authentication for routing protocol updates is MD5
authentication. This form of authentication is used to detect any unauthorized or false
routing messages from unknown sources. All dynamic routing protocols except RIP
version 1 implement MD5 authentication.
Glossary
Address Resolution Protocol (ARP): Address Resolution Protocol (ARP) is a protocol used to find the MAC address of a host when the IP address of the host is known.
ARP Spoofing Attack: An ARP spoofing attack is also known as ARP poisoning. The goal of such an attack is to enable the attacker to sniff out all IP packets sent to the target host.
Content Addressable Memory (CAM) Table: A switch relies on a forwarding table to forward a frame to a destination MAC address. The forwarding table is called a MAC address table or a content addressable memory (CAM) table.
Denial of Service (DoS): DoS attacks flood a target site with large volumes of traffic using “zombie” servers. This flood of traffic consumes all of the target site’s network or system resources and denies access to legitimate users.
Dynamic Host Configuration Protocol (DHCP): DHCP enables servers to distribute Internet Protocol (IP) addresses and configuration data to clients in a network.
Domain Name System (DNS): The DNS translates Internet domain names such as www.xyz.com into Internet Protocol (IP) addresses.
Enhanced Interior Gateway Routing Protocol (EIGRP): EIGRP is an interior gateway protocol that enables efficient exchange of routing updates between routers.
Ethernet: Ethernet is a group of Layer 2 protocols for local area networks (LANs). IEEE 802.3 Ethernet is the most predominant LAN standard. Usually, the term Ethernet is used to signify IEEE 802.3.
Ettercap: Ettercap is a network tool for carrying out man-in-the-middle attacks on a LAN.
Hypertext Transfer Protocol (HTTP): HTTP transmits Web pages to clients.
Media Access Control (MAC) Address: A network interface card (NIC) has a unique address called a Media Access Control (MAC) address. MAC addresses are 48-bit unique identifiers written into hardware devices by their manufacturers. These addresses are expressed as 12 hexadecimal digits and used by most Layer 2 technologies, including Ethernet.
MAC Flooding Attack: In a MAC flooding attack, the attacker creates a permanently full MAC table that forces the switch to flood all traffic on all active ports.
MACOF: MACOF is a tool that can generate random MAC addresses to overload the switch of a network and access data passing through the switch.
MAC Spoofing Attack: In a MAC spoofing attack, the attacker first finds the MAC address of a victim host by launching a MAC flooding attack on a LAN. The attacker can then generate a fake frame by putting the victim’s MAC address in the source field of the fake frame. The switch receives the fake frame from the attacker’s host and updates its MAC table accordingly.
MD5 Authentication: The most commonly used form of authentication for routing protocol updates is MD5 authentication. This form of authentication is used to detect any unauthorized or false routing messages from unknown sources. All dynamic routing protocols except RIP version 1 implement MD5 authentication.
Network Interface Card (NIC): A network interface card is a piece of hardware that is used to connect a computer to a network.
Open Shortest Path First (OSPF): OSPF is a dynamic routing protocol that enables routers to share routes with other routers.
Port Security: Port security ties a given MAC address to a port by preventing any MAC addresses other than the preconfigured ones from showing up on a secure port.
Routing Information Protocol (RIP): RIP is a dynamic routing protocol used by local area homogenous networks to ensure that all hosts in the network share the same routing path data.
Routing Table Modification: Routing table modification, also known as a rerouting attack, is a common vulnerability unique to routers. This attack involves manipulating router updates to route traffic to unwanted destinations.
Unicast Flood Protection: The unicast flood protection feature allows a system administrator to set a limit on the number of unicast floods. When flood protection detects unknown unicast floods exceeding the predefined limit, it sends an alert and shuts down the port that is generating the floods.
Yersinia: Yersinia is a network tool designed to exploit weaknesses in LAN-based network protocols.
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640
© UMUC 2012 Page 1 of 37
Contents
Topic 1: Analogy ……………………………………………………………………………………………………………… 2
Reconnaissance Strategies …………………………………………………………………………………………… 2
Topic 2: Module Introduction …………………………………………………………………………………………….. 3
Topic 3: Reconnaissance …………………………………………………………………………………………………. 4
What is Reconnaissance? …………………………………………………………………………………………….. 4
Passive Reconnaissance ………………………………………………………………………………………………. 5
Active Reconnaissance …………………………………………………………………………………………………. 7
Activity: Active Reconnaissance …………………………………………………………………………………….. 9
Topic 4: Scanning ………………………………………………………………………………………………………….. 17
What Is Scanning? ……………………………………………………………………………………………………… 17
IP Scanning ……………………………………………………………………………………………………………….. 18
Port Scanning…………………………………………………………………………………………………………….. 19
Types of Port Scans ……………………………………………………………………………………………………. 20
Vulnerability Scanning ………………………………………………………………………………………………… 25
Quiz ………………………………………………………………………………………………………………………….. 26
Port Scanning Tool: Nmap …………………………………………………………………………………………… 28
Topic 5: Enumeration …………………………………………………………………………………………………….. 30
What Is Enumeration? ………………………………………………………………………………………………… 30
Topic 6: Summary………………………………………………………………………………………………………….. 34
Glossary ……………………………………………………………………………………………………………………….. 35
Topic 1: Analogy
Reconnaissance Strategies
The Preattack Phases
CSEC 640 – Module 2
Soldiers often carry out reconnaissance missions in which their only task is to collect
facts about an enemy target. Doing so helps them prepare an effective, customized
attack strategy. Similarly, hackers trying to break into protected networks research their
targets to find ways to carry out an effective attack. Here is an analogy comparing
military preattack strategies to the preattack exercises carried out by professional
hackers and penetration testers, or “pentesters.”
Step 1
Military officers conduct scouting to collect information about their targets before an
attack. Their goals are to make sure the enemy does not see them coming and to collect
as much data as possible about the enemy, so that the attack is effective.
Step 2
Reconnaissance is another word for scouting. The U.S. Army’s reconnaissance and
surveillance course trains military personnel in surveillance and target acquisition. In
reconnaissance, the armed forces research a target to plan the exact point of contact
with that target.
Step 3
Reconnaissance, however, is not limited to warfare. It is a tactic used by ordinary people
in everyday life. Hackers, for instance, who want to attack a particular network or
computer system, perform reconnaissance to learn more about the target.
Just as soldiers might monitor enemy troops from a distance as part of a reconnaissance
exercise, hackers might observe activity on a target Web site as part of their
reconnaissance. The goal remains the same for both: to study the target and move in
precisely, not randomly.
Step 4
During reconnaissance, hackers use social engineering techniques and technical tools
to learn about the target systems’ owners, domain names, and IP addresses, among
other necessary details. Hackers need enough data to ensure that they are in and out of
a system long before the victim has noticed that important data has been compromised.
Topic 2: Module Introduction
Before hackers or penetration testers launch an attack against an organization’s
network, they conduct a preattack exercise. This exercise helps them gather
information—technical and nontechnical—about the system that they are targeting. This
information helps attackers decide what type of attack will be most effective against their
targets.
The first three phases of this preattack exercise are the most critical and are called
reconnaissance, scanning, and enumeration. Understanding how these phases work
together gives a clear indication of how attackers progress in their study of a target and
launch an attack. This module covers active and passive reconnaissance techniques,
types of scanning, scanning tools and techniques, and enumeration.
Topic 3: Reconnaissance
What Is Reconnaissance?
Reconnaissance
Reconnaissance is the first step in engineering an effective attack.
Footprinting
Attackers or penetration testers use a process called footprinting during the
reconnaissance phase. This process helps them to gather preliminary information about
the network they are targeting. The target network can belong to an individual, a
corporation, a government, or any public institution.
Data Collection
Though hackers aim to collect as much information as possible, the data they collect
during this phase is not enough to draw an accurate map of the target network.
Target
At the end of the reconnaissance phase, attackers manage to learn about the people
they are targeting and the target network’s IP address.
Topic 3: Reconnaissance
Passive Reconnaissance
There are two types of reconnaissance: passive and active.
Passive reconnaissance presents a low level of risk for hackers because they spy on
victims who are unaware that their moves are being watched. Through passive
reconnaissance, hackers gather data from sources that are freely available to the public,
such as open source sites, groups and forums, social engineering sites, vulnerability
research sites, and people-search sites.
Open Source Sites
To use open source sites to gather data about a target, the attacker:
1. first looks for a target Web site
2. downloads the target Web site
3. uses various tools to analyze it
One of the most popular Web site downloading tools is the freely available wget located
at www.gnu.org/software/wget.
Here the wget recursively retrieves the Web pages at www.umuc.edu. The “-r” option of
wget enables recursive mirroring of all pages on the site.
Groups and Forums
Many users share information about the vulnerabilities of their systems and ask for
solutions or answer queries posed by other users. Hackers use such forums to gather
information about target systems and find vulnerabilities in the systems.
Social Engineering Techniques
Social engineering is the art of tricking people into giving out classified data. A common
social engineering technique that hackers use is joining chat rooms their targets might
use. In these chat rooms, hackers are able to start conversations through which they can
extract valuable data from targets.
Vulnerability Research Sites
Hackers visit vulnerability research Web sites such as www.securityfocus.com or
www.hackerstorm.com for the latest attack tools and techniques.
People-Search Sites
To find information such as names of a system administrator, security engineer, or
network engineer of a target company, hackers visit people-search Web sites such as
people.yahoo.com or www.peoplefinder.com.
Topic 3: Reconnaissance
Active Reconnaissance
In active reconnaissance, attackers use technical tools to probe the target network for
information. For example, attackers may try to connect to different port numbers on the
target IP to see which ones are open. In this way, they determine which software/servers
are running on that IP—some of which might be vulnerable.
Data about a network’s IP addresses is usually found through the Domain Name System
(DNS). Hackers use several technical tools to query the target network’s DNS to
discover this data.
During this phase, hackers use technical tools to learn more about their target.
Whois (www.whois.net)
NSLookup
ARIN (www.arin.net)
DIG
Traceroute
Whois (www.whois.net)
Hackers interrogate the Internet domain name administration system to locate the
domain name of a target system. Whois allows hackers to query DNS and obtain
registered information, such as the domain ownership, address, location, and phone
number.
NSLookup
The NSLookup tool allows anyone to query a DNS server for information such as host
names and IP addresses. Using the NSLookup tool, a hacker can perform a DNS zone
transfer and gather a great deal of information about the target.
ARIN (www.arin.net)
The American Registry for Internet Numbers (ARIN) is one of five worldwide regional
Internet registries (RIR). ARIN oversees public IP addresses for North America. Hackers
query ARIN to identify the range of IP addresses their target network uses.
ARIN allows hackers to:
Conduct Whois-type searches on its database to locate information about network-
related handles, subnet masks, and related points of contact (POC).
Query an IP address to help identify how IP addresses are assigned. For example, a
hacker can enter the Web server IP address of a target network into the ARIN Web
site, www.arin.net, using Whois to identify the number and the range of IP addresses
in use.
DIG
Like the NSLookup tool, Domain Information Groper (DIG) is a flexible tool that performs
DNS lookups. DIG interrogates DNS name servers and displays the responses that it
receives from the name servers. The responses include data such as host names, IP
addresses, and e-mail exchanges.
Traceroute
Hackers use the Traceroute tool to discover the routes or paths, devices or routers, and
Internet service providers (ISPs) that a data packet must cross to reach its target host.
Traceroute is based on the Internet Control Message Protocol (ICMP). This is important
because ICMP packets are blocked by many network devices such as firewalls. By using
Traceroute or other ICMP-based tools, hackers are able to easily discover firewalls in
the data path.
DNS and Zone Transfer
A DNS server is responsible for resolving host names to corresponding IP addresses.
When a host name—for example, www.umuc.edu—is typed into a Web browser, the
DNS server converts it into an IP address. This is because the systems running on the
Internet recognize only IP addresses. Every DNS server has a name space, known as a
zone. A zone can contain one or more domain names.
There are two types of DNS servers organized in a hierarchy: a master DNS server and
a secondary DNS server. When a DNS zone has to be updated, the update is executed
within a primary zone on a master server. The updated records in the database of the
master server are then transferred to the secondary DNS server. This kind of transfer is
called a zone transfer.
Topic 3: Reconnaissance
Activity: Active Reconnaissance
Introduction
Krista Le Saad is a popular gray hat hacker known for her reconnaissance skills. She
has been given an assignment to find out the IP address of the administrative system
managing an online bookstore called www.largobooks.com. The assignment has been
delegated to Krista by a penetration tester, Sean Stasis.
Sean works for a leading IT security firm and needs to find the loopholes and
vulnerabilities in www.largobooks.com’s network. He often outsources such
assignments to young aspiring hackers. Sean’s team is ready to begin fixing patches on
all vulnerabilities once he gets the results from Krista’s inquiries.
Krista has been given 24 hours to hack into www.largobooks.com. To meet that
deadline, Krista needs your help. In this activity, you will be asked to perform three
active reconnaissance steps. You will use tools, commands, and Web sites, such
as FindRecord and NSLookup, to locate the DNS and IP address and perform a
zone transfer.
Workspace
To help Krista find the IP address of www.largobooks.com’s administrative system,
perform the following three steps:
Use FindRecord to locate the DNS.
Use NSLookup to find the IP address associated with the DNS.
Use NSLookup to perform a zone transfer.
Step 1
To query the DNS of www.largobooks.com, Krista uses a tool similar to Whois called
FindRecord.
On typing www.largobooks.com in the Record Locator field and searching the site, she
received the following output.
NOTE: If you use the Whois tool on a Linux OS, type the command: whois largobooks.com.
Domain name: largobooks.com
Registrant Contact:
n/a
Alan Carswell ()
Fax:
7704 Morningside Dr. NW
Washington, DC 20012
AF
Administrative Contact:
n/a
Alan Carswell (adcarswell@gmail.com)
+1.2028297638
Fax: +1.5555555555
7704 Morningside Dr. NW
Washington, DC 20012
AF
Technical Contact:
n/a
Alan Carswell (adcarswell@gmail.com)
+1.2028297638
Fax: +1.5555555555
7704 Morningside Dr. NW
Washington, DC 20012
AF
Status: Locked
Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com
Creation date: 02 Jul 20XX 11:10:00
Expiration date: 02 Jul 20XX 06:10:00
Analyze the output and answer the following question.
Step 2
Question: Which of the following information is available in the FindRecord output?
a. Technical contact
b. Administrative contact
c. Domain name
d. IP address of DNS
e. DNS
Correct answers: Options a, b, c, and e
Feedback for the correct answer:
That’s correct.
The technical contact data, the administrative contact, the domain name, and the DNS
data showing all the name servers are available in the output.
Feedback for the incorrect or partially correct answer:
Not quite.
The IP address of the DNS is not available in these results. The domain name,
administrative contact, technical contact, and name servers are clearly mentioned.
Step 3
Krista can find the IP address of the DNS server by using a tool such as NSLookup. In
this activity, use the IPAddress Locator to help her.
Activity
The following output was generated on typing largobooks.com in the IPAddress
Locator.
Server: adedcns01.us.umuc.edu
Address: 131.171.34.194
Non-authoritative answer:
Name: largobooks.com
Address: 199.58.184.57
The IP address of www.largobooks.com DNS is 199.58.184.57.
Note: You can execute NSlookup commands at the Windows command prompt.
Step 4
In this step, you perform a zone transfer. The following commands can be executed at
the Windows command prompt.
Activity 1
On typing nslookup and pressing the Enter key, the following output is displayed.
The IP address is displayed.
Note: Once nslookup is typed at the Windows command prompt, the prompt will change
to “>.” This indicates that NSLookup is in the execution mode.
Activity 2
On typing server 8.8.8.8 and pressing the Enter key, the following output is displayed.
The default DNS has been set as Google DNS.
Activity 3
On typing set type=any and pressing the Enter key, the following output is displayed.
This command specifies all types of data.
Activity 4
On typing largobooks.com and pressing the Enter key, the following output is
displayed.
Finally, the zone transfer request is sent from your host to largobooks.com’s DNS
server.
Going beyond the initial search results, the DNS server loads the zone information and
replies with either a partial or full transfer of the zone to your host.
View the command you have typed in this step and the corresponding results. Then,
answer the question.
Question 2: Which of the following data is available in the screenshot?
a. Web server IP address
b. FTP server list
c. Domain name servers list
d. Mail exchange servers list
Correct answers: Options a, c, and d
Feedback:
In the output you cannot see the FTP server list. You can see the Web server’s IP
address—199.58.184.57, the list of www.largobooks.com’s domain name servers, and
the mail exchange server’s list, which is indicated by the “MX” that stands for mail
exchange. This list specifies mail servers for a domain.
Review
A job well done! You’ve helped Krista locate the IP address and learned to work with
DNS query tools.
While the technical tools are no doubt important and widely used, nontechnical methods
of reconnaissance are equally important to hackers.
Nontechnical data is gathered by exploiting human psychology—logic persuasion, need-
based persuasion, and reciprocation-based social engineering. The infamous hacker
Kevin Mitnick was not only tech-savvy but also a master of social engineering.
Social Engineering
Social engineering gives the age-old art of lies and manipulation a technological twist.
Using Web-based technologies, such as chat rooms and online forums, attackers
persuade or trick strangers into giving up personal information such as access codes,
log-in names, and passwords.
Since face-to-face interactions are not required in online conversations, social engineers
can make up an identity to cheat innocent victims they meet online. This is a social
approach to getting confidential data, as opposed to cracking system codes through
technological means.
Further Challenges
Visit the Web site www.whois.net and carry out this exercise in real time using
NSLookup to query the DNS. Then visit www.arin.net and enter the Web address you
found in this activity. Compare the results you get from these sites.
Topic 4: Scanning
What Is Scanning?
In the scanning phase, hackers use different techniques to discover live systems,
devices, and open ports or services. There are various types of scanning, such as IP
scanning, port scanning, and vulnerability scanning.
Sometimes, it is not easy to differentiate between the three preattack phases—
reconnaissance, scanning, and enumeration. Many of the same information-gathering
techniques are used across these phases. For example, port scanning can be
considered a part of reconnaissance or a part of the scanning phase.
Types of Scanning
IP Scanning
IP scanning is a technique that can be used to identify the live systems connected to
a network segment or IP range.
Port Scanning
Port scanning is the process of scanning a host to determine which Transmission
Control Protocol (TCP) or User Datagram Protocol (UDP) ports are accessible.
Vulnerability Scanning
Vulnerability scanning is the process of automatically assessing networks or
applications for vulnerabilities.
Topic 4: Scanning
IP Scanning
IP scanning is used by system administrators to check the connectivity of the hosts on
the network. The most popular tool for IP scanning is ping. Ping sends an ICMP request
to test which target hosts are accessible across an IP network. Target hosts that are live
return ICMP reply messages.
A technique such as ping sweep is used to identify a range of IP addresses or live port
numbers of the target system. Based on best security practices, system administrators
typically configure the firewalls or border-routers to block ICMP requests originating from
outside the network. An IP scanner can be used by an inside attacker to draw a network
map.
Topic 4: Scanning
Port Scanning
Meet Philippe Posen, a freelance security analyst. He’s hard at work performing port
scans. Philippe uses port scanning to search a network host for open ports. The ports
can be considered open if their related service is available in the host network. After
successful port scanning, Philippe will be able to identify which services are provided by
the host network.
There are two different kinds of port scans: horizontal and vertical scans.
Horizontal and Vertical Scans
Topic 4: Scanning
Types of Port Scans
Hackers can perform several different types of horizontal or vertical scans. The type of
scan a hacker uses is based on the type of data the hacker wants. The types of scans
include the TCP connect scan, SYN stealth scan, NULL scan, ACK scan, FIN scan, and
Xmas tree scan.
TCP Connect Scan
Connecting via a TCP is the simplest scan technique.
Scenario 1
An attacker tries to establish a connection on a port of the target system by a three-way
handshake.
The attacker knows the target port is open if the connection is successfully established.
Scenario 2
The attacker knows that the target port is closed if the packet with the reset flag (RST
flag) is sent by the target host.
SYN Stealth Scan
This scan is called a half-open scan because a full TCP connection is never established.
Scenario 1
An attacker generates an initial SYN packet to the target. If the port is open, the target
responds with a SYN/ACK.
The attacker does not respond back with the ACK in this case. Therefore, a full TCP
connection is never established. This is why this type of scan is sometimes called a half-
open scan.
Scenario 2
Some firewalls only log established connections. Since no connection is established in
a SYN stealth scan, it can pass through the firewall without being logged. However, a
SYN stealth scan is not completely stealthy, as many firewalls and IDSs detect SYN
scans.
Scenario 3
If the port is closed, the attacker receives an RST from the target.
NULL Scan
From the attacker’s perspective, the NULL scan is not always reliable since not all hosts
comply with RFC 793.
Scenario 1
An attacker sends a data packet without any flag set. No real TCP/IP packet exists
without any flag set. If the port is open, the target host ignores the packet and does not
respond.
Scenario 2
According to RFC 793, when a packet is sent to a port with no flag set, the target
responds with an RST packet if the port is closed.
Some hosts send an RST packet in response to a null packet, regardless of whether the
port is open or not. That’s why the NULL scan is considered unreliable.
FIN Scan
Just like a NULL scan, the FIN scan is not reliable.
Scenario 1
An attacker sends a FIN (finish) packet to the target. The FIN packet is able to bypass
firewalls because firewalls try to avoid any errors with legitimate FIN packets. The target
simply ignores the FIN packet if the port is open.
Scenario 2
The target responds with an RST if the port is closed. Some hosts will send an RST
packet regardless of the port being open or closed, making the FIN scan unreliable.
ACK Scan
Attackers use ACK scanning to learn which firewall ports are filtered and which are
unfiltered.
Scenario 1
An attacker sends an ACK packet to the target port’s firewall.
If there is no response or an “ICMP destination unreachable” message is returned, then
the port is considered to be filtered.
This means that the firewall is stateful. It knows that no internal host has initiated any
SYN packet that matches the ACK packet sent by the attacker.
Scenario 2
If the target’s firewall returns an RST, then the port is unfiltered. Because there is no
firewall rule for that port, the attacker knows that the port is vulnerable.
Xmas Tree Scan
This scan gets its name from the fact that all three flag sets that are sent to the target—
URG, PUSH, and FIN—light up with different colors and flash on and off like Christmas
tree lights.
Scenario 1
An attacker sends a TCP packet to the remote target with the URG, PUSH, and FIN flags
set. Similar to the FIN scan, an open port does not respond.
Scenario 2
On the other hand, a closed port responds with an RST packet.
Some hosts send an RST packet in response to such a packet regardless of whether the
port is open or not, which makes the Xmas tree scan as unreliable as the NULL and FIN
scans.
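The five probe types above differ only in which TCP flag bits they set and in how RFC 793 says a host must answer. The following Python is an added example, not part of the module, written from the defender's side: classify_probe names a packet by its flag bits, rfc793_response models a strictly RFC-compliant host's reply (which shows why an ACK scan can only tell filtered from unfiltered, never open from closed), and detect_scans runs over a constructed packet log, flagging any NULL, FIN or Xmas probe outright and any source that leaves many SYNs half-open. The monitored host address, the source addresses and the packet records are all constructed for the example.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = URG | PSH | FIN


def classify_probe(flags):
    """Name the probe type that a packet with exactly these flags matches.

    NULL, FIN and Xmas packets never begin a legitimate connection, so a
    single one is already a strong scan indicator. SYN and bare ACK are
    ordinary traffic and need connection context (see detect_scans).
    """
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == XMAS:
        return "XMAS"
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    return "OTHER"


def rfc793_response(flags, port_open):
    """Reply a strictly RFC 793 host sends to a probe (None means silence).

    An open port stays silent to NULL/FIN/Xmas while a closed one answers
    RST; a bare ACK gets RST in both cases, so an ACK scan learns only
    whether a firewall let the packet through.
    """
    kind = classify_probe(flags)
    if kind in ("NULL", "FIN", "XMAS"):
        return None if port_open else "RST"
    if kind == "SYN":
        return "SYN/ACK" if port_open else "RST"
    if kind == "ACK":
        return "RST"
    return None


def detect_scans(packets, syn_threshold=5):
    """Return {source_ip: set(findings)} for a list of packet records.

    A record is (src, dst, port, flags, direction): port is always the
    monitored host's port, direction is "in" for packets arriving at the
    monitored host and "out" for its replies. Findings per source:
      NULL / FIN / XMAS  malformed-flag probe received from this source
      SYN_SCAN           at least syn_threshold SYNs to distinct ports that
                         were never followed by the handshake-completing ACK
      ACK_PROBE          bare ACK for a port this source never sent a SYN to
    Sessions that began before monitoring started would look like
    ACK_PROBE; a real sensor seeds its state table from existing sessions.
    """
    findings = defaultdict(set)
    syn_ports = defaultdict(set)   # src -> ports it sent a SYN to
    completed = defaultdict(set)   # src -> ports where its ACK followed
    for src, dst, port, flags, direction in packets:
        if direction != "in":
            continue               # the host's own replies add no evidence here
        kind = classify_probe(flags)
        if kind in ("NULL", "FIN", "XMAS"):
            findings[src].add(kind)
        elif kind == "SYN":
            syn_ports[src].add(port)
        elif kind == "ACK":
            if port in syn_ports[src]:
                completed[src].add(port)
            else:
                findings[src].add("ACK_PROBE")
    for src, ports in syn_ports.items():
        if len(ports - completed[src]) >= syn_threshold:
            findings[src].add("SYN_SCAN")
    return dict(findings)


# Constructed packet log (not a real capture). 10.0.0.5 is a normal client,
# 10.0.0.99 runs a SYN sweep plus NULL and Xmas probes, 10.0.0.7 sends one
# unsolicited ACK. The monitored host address is assumed for the example.
HOST = "192.168.195.128"
SAMPLE_PACKETS = [
    ("10.0.0.5", HOST, 443, SYN, "in"),          # normal three-way handshake
    (HOST, "10.0.0.5", 443, SYN | ACK, "out"),
    ("10.0.0.5", HOST, 443, ACK, "in"),
    ("10.0.0.5", HOST, 443, PSH | ACK, "in"),    # then data
]
for p in (21, 22, 23, 25, 80, 443):              # half-open SYNs, never ACKed
    SAMPLE_PACKETS.append(("10.0.0.99", HOST, p, SYN, "in"))
    SAMPLE_PACKETS.append((HOST, "10.0.0.99", p, (SYN | ACK) if p in (80, 443) else RST, "out"))
SAMPLE_PACKETS.append(("10.0.0.99", HOST, 135, 0, "in"))       # NULL probe
SAMPLE_PACKETS.append(("10.0.0.99", HOST, 139, XMAS, "in"))    # Xmas probe
SAMPLE_PACKETS.append(("10.0.0.7", HOST, 80, ACK, "in"))       # bare ACK probe


def run_sample():
    """Detection results for the constructed log."""
    return detect_scans(SAMPLE_PACKETS)


if __name__ == "__main__":
    for src, found in sorted(run_sample().items()):
        print(src, sorted(found))
```

On the constructed log the normal client produces no finding, the sweeping source is reported for SYN_SCAN, NULL and XMAS, and the lone ACK source for ACK_PROBE. The threshold is the tuning knob: too low and busy legitimate clients with retransmitted SYNs trip it, too high and a slow scan stays under it.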
Topic 4: Scanning
Vulnerability Scanning
A vulnerability scanner is a program that checks target networks for weaknesses.
Attackers use vulnerability scans to identify all devices on a network that are exposed
to known vulnerabilities.
The Nessus tool, located at www.nessus.org, is one of the most well-known vulnerability
scanners. Nessus begins by probing a range of IP addresses on a target network to find
active or live hosts. After detecting all known vulnerabilities, the tool provides a report in
a variety of formats. This report lists services or suggested best practices that system
administrators can employ to secure the network. Attackers can use the Nessus tool to
identify vulnerable and weak spots in a target network.
Topic 4: Scanning
Quiz
Jorge, a black hat hacker, is launching a port-scanning attack on a Web server with an
IP address of 192.168.195.128.
Question 1: In the packets numbered 9–19, which type of port scanning is used to
attack the Web server?
a. Xmas tree scan
b. FIN scan
c. SYN stealth scan
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Correct answer: Option c
Feedback:
If you look at packets 15 and 16, the SYN and SYN+ACK packets are exchanged by the
attacker and Web server. However, no ACK is sent from the attacker’s host. Instead, the
attacker sends a new SYN packet to the Web server. This new SYN packet clearly
indicates that this is a SYN stealth scan.
Question 2: In the packets numbered 5–15, identify the type of port scanning used to
attack the Web server.
a. Xmas tree scan
b. NULL scan
c. SYN stealth scan
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Correct answer: Option b
Feedback:
The attacker’s packets do not set any TCP flag.
This identifies a NULL scanning attack.
Topic 4: Scanning
Port Scanning Tool: Nmap
What Is Nmap?
Nmap is a free open source network-mapping utility that determines which hosts are
available on the network and lists the services offered by these hosts. With Nmap, a
system administrator can perform many types of port scans.
Popular Nmap switches, options, and techniques include these:
-sT: TCP connect scan
-sS: SYN stealth scan
-sF: FIN scan
-sX: Xmas tree scan
-sN: NULL scan
-sA: ACK scan
-sI: idle (zombie) scan
-v: Verbose mode
-p: an instruction specifying the port numbers to scan
-P0 (or -Pn): an instruction not to ping the IP addresses before scanning. Some
firewalls block ICMP.
-O: an attempt to detect the operating system
Nmap Example
Here is an example of how Nmap can be used to carry out a SYN stealth scan on a
Web server.
Reference: Nmap product screenshot reprinted with permission from Gordon Lyon, the developer of Nmap.
Target
A Web server with an IP address of 192.168.195.128 is running.
Command
The Nmap command nmap -sS 192.168.195.128 is entered.
Open Ports
An attacker performs a SYN stealth scan on the Web server using Nmap. The output
shows that ports 80, 135, 139, 443, 445, and 3306 are open.
Topic 5: Enumeration
What Is Enumeration?
After performing reconnaissance and scanning, if a hacker still has not identified the
target system, he or she would launch an enumeration attack on the target as the final
step in the preattack exercise.
During enumeration, hackers employ a set of techniques to extract technical information
such as user accounts, operating systems, application names, and network resources of
target systems.
Using Nmap
A Web server with an IP address of 192.168.195.128 is running. An attacker uses Nmap
to perform a SYN stealth scan on the Web server. The output shows that ports 80, 135,
139, 443, 445, and 3306 are open.
1. Target
The attacker learns that the Web server running on the target network has an IP
address of 192.168.195.128.
2. Nmap Tool
The attacker uses Nmap to fingerprint the target Web server. The attacker enters the
Nmap command nmap -sS -p T:1-1023 -O -v -Pn 192.168.195.128 to specify that
the TCP stealth scan is performed with a port range of 1 through 1023 on the host IP
192.168.195.128.
3. OS Switch
The attacker enables the -O switch to attempt to determine the operating system.
4. Ping
The attacker specifies -Pn, which means that ping is not used.
5. OS Details
Note that the operating system is Microsoft Windows XP 2003 or Microsoft XP
Professional SP2.
6. Result
The results show that the host server with an IP address of 192.168.195.128 has
ports 80, 135, 139, 443, and 445 open and uses Microsoft Windows XP 2003 as its
operating system.
Reference: Nmap product screenshot reprinted with permission from Gordon Lyon, the developer of Nmap.
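The Nmap option list above and the enumeration steps just shown both end in the same artifact, a list of open ports and services; what a defender does with that list is compare it against what the host is supposed to expose. The following Python is an added example (not the module's own material and not Nmap's code) that parses a constructed excerpt written in Nmap's normal output format, whose open ports match the module's Web server example, and reports every open TCP port outside an allowlist. The allowlist, the host address and the output text are assumptions made for the example.

```python
import re

# Constructed excerpt in Nmap's normal output format (not a real scan); the
# open ports are the ones the module reports for its example Web server.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.195.128
Host is up (0.00042s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3306/tcp open  mysql
"""

# One port line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)", re.MULTILINE)


def parse_nmap_output(text):
    """Return (host, {(port, proto): (state, service)}) from normal output."""
    m = HOST_LINE.search(text)
    host = m.group(1) if m else None
    ports = {}
    for port, proto, state, service in PORT_LINE.findall(text):
        ports[(int(port), proto)] = (state, service)
    return host, ports


def unexpected_open_ports(ports, allowed_tcp):
    """Open TCP ports not in the allowlist, sorted, each with its service."""
    return sorted(
        (port, service)
        for (port, proto), (state, service) in ports.items()
        if proto == "tcp" and state == "open" and port not in allowed_tcp
    )


# Assumed allowlist for a public Web server: only HTTP and HTTPS should answer.
WEB_SERVER_ALLOWED = {80, 443}


def audit_sample():
    """Host and unexpected open ports for the constructed scan output."""
    host, ports = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    return host, unexpected_open_ports(ports, WEB_SERVER_ALLOWED)


if __name__ == "__main__":
    host, extra = audit_sample()
    for port, service in extra:
        print(f"{host}: unexpected open port {port}/tcp ({service})")
```

Run against the module's example, the audit lists 135, 139, 445 and 3306, that is, the RPC, NetBIOS, SMB and MySQL listeners that a Web server has no reason to expose to the network; closing or firewalling them removes what the enumeration step would otherwise learn. Scanning your own hosts this way on a schedule, and diffing each result against the previous one, is the simplest way to notice a new service appearing.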
Using Telnet
Sometimes a hacker does not even need a sophisticated tool like Nmap. A hacker can
simply use a Telnet command to grab the HTTP header and identify the type of
operating system or Web server the target uses.
1. Telnet Command
The attacker types the command telnet www.umuc.edu 80 to connect to the Web
server www.umuc.edu.
2. HEAD
Then, the attacker types HEAD / HTTP/1.0 to send an HTTP request to the Web
server.
3. Apache X
The telnet output displays the content of the HTTP response header received from
the UMUC Web server. The HTTP header shows that the type of Web server is
Apache powered by PHP.
4. Malformed HTTP Packet
Using another telnet connection—telnet www.umuc.edu—the attacker sends a
malformed HTTP request to the Web server: it asks for HTTP version 3.0, which does not
exist, so the input is invalid. The attacker sends a malformed request because some
targets do not reveal any useful information when they are given valid input.
However, when the target receives a malformed input, it returns a useful banner of
information. Therefore, attackers do not always need to send a valid input to a target
to get useful information. They can give an invalid input and observe an output.
5. Web Server
The malformed request still returns some useful information (Apache Web server,
HTTP 1.1) along with information that is less useful, such as the charset.
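The telnet session above is nothing more than an HTTP HEAD request typed by hand and a response header read by eye, and the same check is what an administrator runs against their own server to see what it gives away. The following Python is an added example, not part of the module, that builds the HEAD request, parses a raw HTTP response into its status line and headers, and reports which headers name server software and which of those carry a version number. The three responses are constructed for the example (none was captured from UMUC or any other real server); grab_banner is included for a live check of a server you administer and is not exercised here.

```python
import re
import socket

# Response headers that commonly name the software behind a Web server.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def build_head_request(host, version="1.0"):
    """Bytes for the HEAD / request the module types into telnet by hand."""
    return f"HEAD / HTTP/{version}\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_http_response(raw):
    """Split a raw response into (version, status code, {header: value}).

    Header names are lower-cased. Only the head (before the blank line) is
    read, so HEAD responses and error pages parse the same way.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, code = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return version, int(code), headers


def disclosure_findings(headers):
    """(header, value, carries_version) for each software-naming header."""
    return [
        (name, headers[name], bool(re.search(r"\d+\.\d+", headers[name])))
        for name in DISCLOSURE_HEADERS
        if name in headers
    ]


def version_leaks(raw):
    """Names of the headers in a raw response whose value holds a version."""
    _, _, headers = parse_http_response(raw)
    return [name for name, _, has_version in disclosure_findings(headers) if has_version]


def grab_banner(host, port=80, version="1.0", timeout=5.0):
    """Live HEAD check against a server you administer (not run in this example)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host, version))
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return parse_http_response(buf)


# Constructed responses (not captured from any real server).
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"X-Powered-By: PHP/5.1.6\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
# The same server answering a bogus "HTTP/3.0" request: the error page leaks too.
ERROR_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
# Hardened configuration: product name only and no X-Powered-By header.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("error", ERROR_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        print(label, version_leaks(raw))
```

The error response is the point the module makes with its malformed request: a server that has been tidied up for normal pages but still stamps its full version on error pages is still enumerable. On Apache the hardened banner comes from ServerTokens Prod together with ServerSignature Off, and PHP stops adding X-Powered-By when expose_php is set to Off; the check above is a quick way to confirm that those settings took effect.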
Topic 6: Summary
We have come to the end of Module 2. The key concepts covered in this module are
listed below.
Hackers or penetration testers carry out a preattack exercise to study the target they
plan to attack. The first three phases of this preattack exercise—reconnaissance,
scanning, and enumeration—are the most critical.
The reconnaissance phase is performed in two stages: passive and active
reconnaissance. During passive reconnaissance, hackers research open-source
sites and groups and forums, as well as social engineering sites to gather
nontechnical data about their targets. During active reconnaissance, hackers use
technical tools such as Whois, NSLookup, the American Registry for Internet
Numbers (ARIN), Domain Information Groper (DIG), and Traceroute to find their
targets’ IP addresses.
By using Whois or similar tools to query a domain name, hackers are able to find out
the domain name, administrative contact, technical contact, and name servers of
their target. The IP address of the domain name server is not revealed until hackers
type the NSLookup command and perform a zone transfer.
Scanning, the second preattack phase, helps hackers discover live systems,
devices, and open ports on the target network. There are three types of scanning: IP,
port, and vulnerability scanning.
IP scanning is used to identify live systems connected to a network. Port scanning is
used to find accessible Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP) ports. Vulnerability scanning is used to assess networks for
vulnerabilities.
There are two types of port scans: horizontal and vertical. Port scans that help
hackers obtain data—TCP connect scans, SYN scans, NULL scans, ACK scans, FIN
scans, and Xmas tree scans—can be performed as horizontal or vertical scans.
Nmap is a free open source network-mapping utility that determines which hosts are
available on the network and lists the services those hosts offer. With Nmap, a
system administrator can perform many types of port scans.
In the last phase of the preattack exercise, hackers launch an enumeration attack to
identify the operating systems and user accounts of their targets. This attack is
carried out using a set of techniques to extract technical information such as user
accounts, operating systems, application names, and network resources.
Glossary
Term Definition
Active Reconnaissance: During active reconnaissance, hackers use technical tools such as Whois, NSLookup, ARIN, DIG, and Traceroute to find out their targets’ IP addresses.
ACK Scan: ACK scanning is a type of port scan that tells whether ports on a firewall are filtered or unfiltered. If the target’s firewall returns an RST, then the port is unfiltered and vulnerable.
American Registry for Internet Numbers: The American Registry for Internet Numbers (ARIN) is the IP address registry for North America. ARIN allows Whois-type searches on its database to locate information on networks.
Domain Information Groper: The DIG command allows attackers to search the DNS database and find the open name servers attached to a domain.
Domain Name Service: The Domain Name Service (DNS) translates Internet domain names, such as www.xyz.com, into Internet Protocol (IP) addresses.
Domain Name System: Domain Name System is an Internet system that associates domain names with IP addresses, allowing computers to communicate over the World Wide Web.
Enumeration: Enumeration is the third phase in a hacker’s preattack exercise. Hackers use enumeration techniques to learn technical data—operating systems and user accounts—about a network system.
FIN Scan: The FIN (finish) scan is a type of port scan that is able to pass through firewalls. Open ports don’t respond, but closed ports respond with an RST.
Footprinting: A method of processing or gathering information about a target system.
Internet Control Message Protocol: The Internet Control Message Protocol (ICMP) integrates with the Internet Protocol (IP). It reports error, control, and informational messages between a host and a gateway.
Nmap: The Nmap security scanner is used to discover hosts and services on a network. Based on the network conditions, it sends packets with specific information to the target host and evaluates the responses to create a network map.
NSLookup: The NSLookup tool queries a DNS server and performs a DNS zone transfer to gather data on a targeted network.
NULL Scan: A NULL scan is a type of port scan in which an attacker sends a data packet without any flag set. If the port is open, the target host ignores the packet.
Passive Reconnaissance: During passive reconnaissance, hackers research open-source sites and groups and forums, as well as social engineering sites, to gather nontechnical data about their targets. To do this, hackers use social engineering.
Penetration Testers: Penetration testers are security analysts that perform penetration tests, or pentests, to assess the security of a network system.
Ping: This utility sends an ICMP echo request (ping) to a target system and waits for a reply (pong).
Port Scanner: Port scanners identify open ports and help an intruder identify a target system’s weak access point.
Reconnaissance: Reconnaissance is the first phase of the preattack exercise carried out by hackers to learn about the people who work at the target company and the target network’s IP address. Hackers use a process called footprinting and perform two types of reconnaissance: passive and active.
RFC 793: RFC (Request for Comments) 793 is a document which describes the DoD Standard Transmission Control Protocol (TCP).
Scanning: Scanning is the second preattack phase used by hackers to discover live systems, devices, and open ports on a network. Hackers perform three types of scanning: IP, port, and vulnerability scanning.
Social Engineering: Social engineering is a method of gathering information, seeking computer access, or committing fraud by using manipulation and deceit to get people to reveal confidential information about themselves or an organization.
SYN Scan: In a SYN stealth scan, the attacker sends an initial SYN packet to the target. If the port is open, the target responds with a SYN/ACK.
TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is the communication protocol suite for the Internet.
TCP Connect Scan: In a TCP connect scan, an attacker tries to establish a connection on a port of the target system by a three-way handshake. The attacker knows the target port is open if the connection is successfully established.
User Datagram Protocol: User Datagram Protocol (UDP) is a network protocol that allows computers to exchange messages over an Internet network without the need for special transmission channels or data paths.
Vulnerability Scanner: Vulnerability scanners analyze, classify, and identify flaws and vulnerabilities in the targeted system.
Wget: Located at www.gnu.org/software/wget, the wget tool is a popular and freely available Web site downloading tool.
Whois: A tool that allows hackers to query DNS to obtain registered information, such as the domain ownership, address, location, and phone number.
Xmas Tree Scan: To perform the Xmas tree scan, an attacker sends a TCP packet to the remote target with the URG, PUSH, and FIN flags set. As in a FIN scan, open ports don’t respond, but closed ports respond with an RST.