Friday, February 25, 2011


We will now talk about the phases in an attack. Although the full attack process is done in 7 steps, the simplified one in the syllabus just involves:

1) Reconnaissance - Find out information about the network and gauge feasibility
2) Active Attack - Cause damage to the victim
3) Clearing Traces - Clear evidence of the attack

A simple way to find machines in a network is to do a ping (echo-request) scan. Replies typically mean a live host, while no reply may indicate a firewalled host or a down host.

We can also perform scans on specific hosts to find open ports, and also to find the network architecture and the operating systems involved.

A good utility is the Whois database, which allows anyone to look up a domain. Contact information (the names of the people responsible for the domain) and various other details, such as the registered DNS servers, can be obtained.

The information found can then be used to perform social engineering attacks or phishing attacks. A good way to prevent this is to fill in only generic names, such as webmaster@domain.com.

Search engines can also be used to find out information about the company network, and the company website shows the different services they provide and the different critical employees (to attack, or to impersonate).

Network scanning refers to the procedure for identifying active hosts on a network, either for attacking or for assessment. This is the footprinting phase, where the attacker creates a profile of the target organization with information such as DNS, email servers and the IP address range.

Tools, some free and some commercial, can be used to scan. The simplest, but most inconvenient, tool for scanning is "ping". Ping stands for Packet Internet Groper and it works like a sonar, with an Echo-Request (ICMP type 8) and an Echo-Reply (ICMP type 0).

As mentioned, the lack of a reply may indicate a down host, or a firewalled host. Firewalls can be used to ignore Echo Requests, or to restrict Echo Replies.

We now go to the topic of Port Scanning. A port is a logical endpoint in a host, like a door to a house. As certain applications listen on specific port numbers, the port number can be used to identify the services running on a host. A host can have at most 65535 ports (excluding 0).

Services are referred to as daemons in Unix. Servers typically use a low port number (<=1024) while clients use port numbers >1024.

Some common ports and services are:
FTP Active - 20
FTP Passive - 21
SSH - 22
Telnet - 23
SMTP - 25
DNS - 53
HTTP - 80
POP3 - 110

Port scanning is the systematic scanning of a host's ports to discover the services running on a target machine. It identifies the possible ways of connecting to a computer network, and can be legally used to manage a network or maliciously used to look for vulnerabilities. Port scanning is usually one of the first things an attacker performs before penetrating a computer.

It gives an idea of where to probe for weaknesses, and is accomplished by sending crafted packets (such as a SYN packet) to each port and interpreting the reply (or the lack of one).

In a SYN scan, if a port is open, the attacker receives a SYN,ACK from the victim. If it is closed, the victim responds with a RST.

Port scanning itself is not illegal, and it's difficult to stop port scans (unless we employ an IDS or IPS). These are the different types of port scanning methods covered in lecture:

Vanilla - The scanner attempts to connect to all 65535 ports on the same machine.
Strobe - The scanner connects to only selected ports on the same machine.
Sweep - The scanner connects to the same port(s) on more than one computer.
Stealth - The scanner attempts to prevent the scanning from being recorded.
UDP - UDP variant of all the above methods.
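From the defender's side, the Vanilla, Strobe and Sweep patterns above can be told apart in firewall logs by looking at how many hosts and ports each source sends SYNs to. The following is an added example (not part of the lecture notes): it assumes an iptables-style log line layout and constructed thresholds, and the sample log lines are made up using documentation IP ranges.

```python
"""Flag SYN-scan patterns (vanilla / strobe / sweep) in firewall log lines."""
import re
from collections import defaultdict

# Assumed iptables-style line layout; the field names are a constructed convention.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+) .*SYN")

# Thresholds are assumptions to tune per network, not values from the lecture.
MIN_PROBES = 5       # distinct (host, port) targets before a source counts as a scanner
VANILLA_PORTS = 100  # distinct ports on one host that suggests an exhaustive scan

def parse(lines):
    """Yield (src, dst, dport) for each inbound SYN line; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])

def classify(lines):
    """Map each suspicious source to a label from the lecture's taxonomy:
    vanilla = one host, many ports; strobe = one host, a few selected ports;
    sweep = the same port(s) across several hosts; mixed = anything else."""
    targets = defaultdict(set)
    for src, dst, dport in parse(lines):
        targets[src].add((dst, dport))
    verdicts = {}
    for src, pairs in targets.items():
        if len(pairs) < MIN_PROBES:      # too few probes to call it a scan
            continue
        hosts = {h for h, _ in pairs}
        ports = {p for _, p in pairs}
        if len(hosts) == 1:
            verdicts[src] = "vanilla" if len(ports) >= VANILLA_PORTS else "strobe"
        elif len(ports) <= 2:
            verdicts[src] = "sweep"
        else:
            verdicts[src] = "mixed"
    return verdicts

# Constructed sample log lines (documentation IP ranges, not a real capture).
SAMPLE_LOG = (
    [f"kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT={p} SYN" for p in range(1, 201)]
    + [f"kernel: IN=eth0 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP DPT={p} SYN" for p in (21, 22, 23, 25, 80, 110)]
    + [f"kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.{h} PROTO=TCP DPT=22 SYN" for h in range(1, 31)]
    + ["kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 SYN"]  # an ordinary client
)
if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src}: {label} scan")
```

A single client opening one connection stays below MIN_PROBES and is never reported, which is the main false-positive control in this approach.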

Defenses against port scanning include closing all unnecessary ports. Firewalls and IDS can help block the scans. Changing the default port numbers can defend against Sweep scans (but Vanilla scans will still find the port, though they wouldn't know what service it is). (To close a port, shut down the service using that port.)
