 
Remote Network Analysis - I know what you know
Torsten Höfler, htor@cs.tu-chemnitz.de
Torsten Höfler, 21. November 2004, Remote Network Analysis - p. 1/41
Outline
1. Introduction
2. Passive Analysis
3. Active Analysis
4. Advanced Scanning
5. Prevention
6. Questions
Introduction
Motivation
• play instinct :o)
• explore a remote network
• find backdoors
• check weaknesses
• prepare an attack
• fool IDS systems
• see which software your bank runs
• ...
Typical Targets
• Router / Firewalls / Packetfilter
• Intrusion Detection Systems
• Loghosts (to hide traces)
• servers accessible from the outside (DMZ?)
• Client-Systems / Workstations
• Hardware-Systems (e.g. Access Points, Routers ...)
Structure of FW Systems
easy layout: (diagram)
Structure of FW Systems
more complex layout(s): (diagram)
Possible Attacks
⇒ attacker (we) located in the Internet
⇒ attacks performed from outside
• passive analysis (e.g. sniffing)
• noticeable active analysis (e.g. scanning)
• hidden active analysis (e.g. fingerprinting)
• analysis of topology (e.g. firewalking, tracing)
• social engineering
Passive Analysis
Layer 2/3/4
⇒ different possibilities:
• passive fingerprinting (without sending anything)
  ◦ Layer 4 (versions of used software products): Payload Analysis (not widely used, no tools available)
  ◦ Layer 2/3 (OS's TCP/IP implementation): Header-Analysis (widely used, tools available)
Header-Analysis
• gives information about deployed topology:
  ◦ TTL: OS usually starts with "typical" values (255, 128, 64 ...) -> difference equals Hop-Count
  ◦ be aware of exceptions (e.g. traceroute)!
• offered or used services, e.g.:
  ◦ analyse source and/or destination port
Header-Fields
(diagram of the IP/TCP header fields)
Header-Information
much information can be gained from the header fields:

Field             Location  Tools?  What?
TTL               IP        x       OS + Topology
Fragmentation     IP        x       OS + Topology
Header Length     IP        x       OS
TOS               IP        -       OS
ID                IP        -       OS + Traffic
Source Port       TCP       -       OS + Traffic
Window Size       TCP/Opt   x       OS
Max. Segmentsz.   TCP/Opt   x       OS
...               ...       -       OS
Header-Analysis (example)
SYN/ACK Header from www.ccc.de:80 (packet dump)

Header-Analysis (example)
SYN/ACK Header from www.microsoft.de:80 (packet dump)
Example
practical values:

OS           TOS  DF   TTL  Window  Options
Win2000      0    1    128  65535   tsval=0, SACK
Win98        0    1    128  8760    SACK
Linux 2.2    0    1    64   32210   tsval > 0, SACK
Linux 2.4    0    1    64   5792    tsval > 0, SACK
Linux 2.6    0    1    64   5792    tsval > 0, SACK
FreeBSD 4.6  0    1    64   57344   tsval > 0
FreeBSD 5.0  0    1    64   65535   tsval > 0
OpenBSD 2.x  16   0    64   17520   tsval=0, SACK
...          ...  ...  ...  ...     ...
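An added example, not from the slides, that applies the Header-Analysis and Header-Information slides together with the table above: it pulls TOS, DF, TTL, window and TCP options out of a raw IPv4/TCP SYN/ACK, derives the hop count from the TTL as the Header-Analysis slide describes, and lists every table row the fields are consistent with. The fingerprint table is transcribed from the slide, the packet bytes are constructed, and the "tsval=0" rule is read as "timestamp absent or zero"; the natural defensive use is to run it over your own servers' SYN/ACKs to see what they reveal.

```python
import struct
# Fingerprint table transcribed from the slide "practical values":
# (name, TOS, DF, initial TTL, window, timestamp rule, SACK permitted).
# These are vendor defaults an admin can change, so a hit is a hint, not proof.
FINGERPRINTS = [
    ("Win2000", 0, 1, 128, 65535, "ts=0", True), ("Win98", 0, 1, 128, 8760, None, True),
    ("Linux 2.2", 0, 1, 64, 32210, "ts>0", True), ("Linux 2.4", 0, 1, 64, 5792, "ts>0", True),
    ("Linux 2.6", 0, 1, 64, 5792, "ts>0", True), ("FreeBSD 4.6", 0, 1, 64, 57344, "ts>0", False),
    ("FreeBSD 5.0", 0, 1, 64, 65535, "ts>0", False), ("OpenBSD 2.x", 16, 0, 64, 17520, "ts=0", True)]

def parse_synack(pkt):
    """Pull TOS, DF, TTL, window and TCP options out of a raw IPv4/TCP packet."""
    ver_ihl, tos, _, _, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    opts, i, tsval, sack = tcp[20:(off_flags >> 12) * 4], 0, None, False
    while i < len(opts):                       # walk the TCP option list
        kind = opts[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP has no length byte
            i += 1
            continue
        if kind == 4:                          # SACK permitted
            sack = True
        elif kind == 8:                        # timestamp: TSval follows kind/len
            tsval = struct.unpack("!I", opts[i + 2:i + 6])[0]
        i += opts[i + 1]
    return {"tos": tos, "df": (frag >> 14) & 1, "ttl": ttl,
            "window": window, "tsval": tsval, "sack": sack}

def initial_ttl_and_hops(ttl):
    """Slide rule: OSes start at 255/128/64 (or 32); the difference is the hop count."""
    start = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return start, start - ttl

def guess_os(f):
    """Return every table entry consistent with the observed fields (often several)."""
    start = initial_ttl_and_hops(f["ttl"])[0]
    ts_ok = {None: True, "ts=0": not f["tsval"], "ts>0": bool(f["tsval"])}
    return [n for n, tos, df, it, win, ts, sack in FINGERPRINTS if ts_ok[ts]
            and (tos, df, it, win, sack) == (f["tos"], f["df"], start, f["window"], f["sack"])]

# Constructed sample: SYN/ACK of a Linux 2.4-style host 13 hops away (DF, TTL 51, window 5792, MSS/SACKOK/TS/NOP/WS).
SAMPLE = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, 51, 6, 0, b"\x0a\0\0\1", b"\x0a\0\0\2")
          + struct.pack("!HHIIHHHH", 80, 40000, 1000, 2000, (10 << 12) | 0x12, 5792, 0, 0)
          + b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + struct.pack("!II", 123456, 0) + b"\x01\x03\x03\x00")
```

`guess_os(parse_synack(SAMPLE))` returns both Linux 2.4 and Linux 2.6, which is exactly the imprecision the Summary slide warns about: identical defaults cannot be told apart passively.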
More Examples
examples (p0f - SYN/ACK analysis):
• www.metro.de - Windows 2000 SP4
• www.ebay.de - unknown
• www.heise.de - NetApp Data OnTap 6.x
• www.microsoft.de:80 - Windows 2000 (SP1+) (firewall!)
• www.openbsd.org:80 - Solaris 7 (up: 2533 hrs)
• www.freebsd.org:80 - FreeBSD 4.6-4.8 (up: 9 hrs)
• www.mcafee.com:80 - Windows 2000 SP4
• www.georgewbush.com:80 - Windows 2000 SP4
• www.bundeskanzler.de:80 - Linux recent 2.4 (1) (up: 11405 hrs)
• www.nsa.gov:80 - Linux recent 2.4 (1) (up: 5664 hrs)
• www.dod.gov:80 - Linux recent 2.4 (up: 2804 hrs)
• ...
Summary
fingerprinting without sending any data
• utilizes imprecise standard definitions ...
• ... or deviations of OSes from standards (RFC)
• cumulative analysis of different header fields
• manually nearly impossible (huge information databases)
• ⇒ automated tools (ettercap, siphon, p0f)
• BUT: very slow / imprecise! ⇒ active analysis is more accurate
• new techniques (AI / Fuzzy Match) improve accuracy
Active Analysis
Layer 4 (Application Level)
sending packets and analysing the response
• "classical manual banner grabbing"
  ◦ e.g. FTP, HTTP, POP, IMAP, SMTP, SSH, NNTP, Finger ...
• binary analysis
  ◦ e.g. /bin/ls from FTP server (which binary format (ELF, COFF) → OS)
• well known ports
  ◦ e.g. 80 → HTTP, 22 → SSH, ...
• ⇒ easy to prevent/fake
  ◦ e.g. 222 → SSH (ipcop)
• → application fingerprinting (sending special requests, evaluate (error) responses)
  ◦ automated tools: thc-amap, nmap (-sV)