Anti-Hacker Tool Kit - PowerPoint

Anti-Hacker Tool Kit

Chapter 6

Port Scanners

Introduction
• Port scanning is the first step in the process of hacking: it discovers
  – the services running on the host
  – their version labels
  – the operating system
• It works by sending a few packets to the host and inspecting the replies

Pre Study
• TCP packet header

TCP conversation

Connect (three-way handshake):
  Client -> Server: SYN
  Server -> Client: SYN/ACK
  Client -> Server: ACK
  Connection established

Disconnect:
  Client -> Server: FIN
  Server -> Client: ACK/FIN
  Client -> Server: ACK
  Connection closed

TCP Flag Definitions

Flag   Meaning
SYN    The beginning of a connection
ACK    Acknowledge receipt of a previous packet or transmission
FIN    Close a TCP connection
RST    Abort a TCP connection

Scanning for Hosts
• Is the host alive?
• Method
  – Ping: nmap -sP 192.168.0.1
  – TCP connect: nmap -sT 192.168.0.1

Scanning for TCP Ports
• RPC service
  – nmap -sR 192.168.0.1
• TCP connect
  – nmap -sT 192.168.0.1

SYN Scan

Nmap sends to host port   Nmap receives from host port   Nmap assumes
SYN                       SYN/ACK                        Port is open; host is up
SYN                       RST                            Port is closed; host is up
SYN                       Nothing                        Port is blocked by firewall, or host is down

nmap -sS <target host>

ACK Scan

Nmap sends to host port   Nmap receives from host port   Nmap assumes
ACK                       RST                            No firewall: port is not firewall-protected; port may be open or closed; host is up
ACK                       Nothing or ICMP unreachable    Protected by firewall: port is blocked by firewall, if host is up

nmap -sA <target host>

FIN Scan

Nmap sends to host port   Nmap receives from host port   Nmap assumes
FIN                       RST                            Port is closed; host is up
FIN                       Nothing                        Port is open, if host is up and not firewall-protected

nmap -sF <target host>

Xmas Scan

• Uses a flag combination that never occurs in normal TCP operation
• Sets the FIN, URG and PUSH flags together
• Selected with -sX

  nmap -sX <target host>

Null scan
• Turns off all flags
• Selected with -sN

  nmap -sN <target host>

Scanning for UDP Ports

Nmap sends to host port   Nmap receives from host port   Nmap assumes
Empty UDP packet          Nothing                        Port assumed open if host responds to ping; port may be closed if a firewall is blocking ICMP
Empty UDP packet          ICMP unreachable               Port is closed

nmap -sU <target host>

Scanning for Protocol
• IP header
  nmap -sO <target host>

Hiding Your Scan

• FTP bounce (-b)
  nmap -b anonymous@<ftp server> -p <target port> <target host>
• Fragmentation (-f), used with -sS, -sF, -sN or -sX
  nmap -sS -f <target host>
• Decoys (-D)
  nmap -D <spoof host> <target host>
• Disable randomizing ports (-r)
  nmap -r <target host>

Timing Your Scan
• Time-based algorithm, selected with the -T option
  nmap -T <name> <target host>

Time name   Probe response timeout   Time spent on one host   Time between probes   Parallelized probes
Paranoid    5 min                    Unlimited                5 min                 No
Sneaky      15 sec                   Unlimited                12 sec                No
Polite      6 sec                    Unlimited                0.4 sec               No
Normal      6 sec                    Unlimited                None                  No
Aggressive  1 sec                    5 min                    None                  Yes
Insane      0.3 sec                  75 sec                   None                  Yes

TCP Reverse Ident Scanning
• Who runs the process (-I): asks the host's ident service which user owns each listening process
  nmap -I <target host>

OS Fingerprinting

• With the -O flag
• Nmap sends specially crafted TCP and UDP packets
• It analyzes the responses and compares them with known OS signatures
• Result: OS information

OS Detection on Linux

• nmap -O 192.168.0.1

Mapping Networks
• Scanning a Class C subnet
• Port scans over an IP range

Scanning Tools on Windows

• Netscantools
• Superscan
• IPEYE
• WUPS

Netscantools

• A powerful tool suite
• Port scanner, finger, whois, traceroute and more

Super Scan

IPEYE

• TCP stealth scanner
• SYN, FIN, Xmas tree and null scans

WUPS
• UDP port scanner for Windows

Banner Identification

• Information a service banner normally gives away
  – Hostname
  – Program
  – Version

Using your "Telnet"

• Telnet service
• FTP service
• World Wide Web service

Try this

System Log

• The TCP connect() method and the normal timing option generate log messages on the target

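The log messages a connect() scan leaves behind are what a defender looks for. The following is an added example, not code from the slides or from the Anti-Hacker Tool Kit: it parses a constructed syslog-style connection log (the line format is an assumption) and flags a source that touches many ports on one host, or one port on many hosts, within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the slides) in an assumed syslog-style
# connection-log format: a port scan from 10.0.0.5, normal traffic from
# 10.0.0.9, and a one-port sweep across several hosts from 10.0.0.7.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw connect: src=10.0.0.5 dst=192.168.0.1 dport=21
Mar  3 10:00:01 gw connect: src=10.0.0.5 dst=192.168.0.1 dport=22
Mar  3 10:00:02 gw connect: src=10.0.0.5 dst=192.168.0.1 dport=23
Mar  3 10:00:03 gw connect: src=10.0.0.5 dst=192.168.0.1 dport=80
Mar  3 10:00:09 gw connect: src=10.0.0.9 dst=192.168.0.1 dport=80
Mar  3 10:05:00 gw connect: src=10.0.0.9 dst=192.168.0.1 dport=443
Mar  3 10:10:00 gw connect: src=10.0.0.7 dst=192.168.0.1 dport=22
Mar  3 10:10:00 gw connect: src=10.0.0.7 dst=192.168.0.2 dport=22
Mar  3 10:10:01 gw connect: src=10.0.0.7 dst=192.168.0.3 dport=22
Mar  3 10:10:02 gw connect: src=10.0.0.7 dst=192.168.0.4 dport=22
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ connect: "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(log, year=2024):
    """Turn log text into (timestamp, src, dst, dport) tuples; skips junk."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied for parsing
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events

def detect(events, window=timedelta(seconds=60), threshold=4):
    """Sliding-window check per source: 'port_scan' when one source touches
    >= threshold distinct ports on one host, 'host_sweep' when it touches
    >= threshold distinct hosts on one port, within the window."""
    alerts = set()
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    for src, evs in by_src.items():
        for i, (t0, _, dst0, p0) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            if len({p for _, _, d, p in win if d == dst0}) >= threshold:
                alerts.add(("port_scan", src, dst0))
            if len({d for _, _, d, p in win if p == p0}) >= threshold:
                alerts.add(("host_sweep", src, p0))
    return sorted(alerts, key=str)
```

Running `detect(parse(SAMPLE_LOG))` reports the scan from 10.0.0.5 and the sweep from 10.0.0.7 but leaves the two slow, ordinary connections from 10.0.0.9 alone; the threshold and window are the knobs to tune against the timing profiles in the table above.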
Summary

• Protect your host
• Dishonesty
• Footprints in the sand show where one has been.

Reference

• Nmap: www.insecure.org/nmap/
• Tcpdump: www.tcpdump.org/
• Superscan: www.foundstone.com/resources/proddesc/superscan.htm
• Netscantools: www.netscantools.com
• RFC 1700
• RFC 793

What is RPC Service?
• Remote Procedure Call
• Procedure call
  – One part of a program calls another part to do a certain job

UDP_SCAN