Lecture 2: Scanning

Security vulnerabilities and penetration testing
Dr Phillip James
Recap and today

Last week we considered reconnaissance:
• Footprinting
• Active vs passive
• Everyday activities like phone/email
• Whois/DNS/Ping
• Google hacking

Result after stage: Documented summary of target.

Today: Scanning. Technically looking into the systems running within the organization.
Scanning
Looking over the horizon.

Aims of this phase

We will try to figure out:
• What systems are up/down.
• What services are running.
• What vulnerabilities might exist.
• A network map (Draw it!).

Result: [Diagram: example network map of the target behind a firewall (prevention), showing hosts running ssh, http, ssh, ftp, ssh and smtp.]

The setup: a firewall (prevention) between us and the systems we want to look at.
Technologies available

Four core network technologies:

UDP: primarily for establishing low-latency and loss-tolerating connections between applications on the internet.

TCP: enables two hosts to establish a connection and exchange data reliably. Most web traffic.

IP: Protocol by which data is sent from one computer to another on the Internet.

ICMP: Error message protocol.
Network protocols: network layers, layer by layer

Application layer (e.g. HTTP, POP, DNS)
• High level protocols with which user applications interact.

Presentation layer (e.g. Unicode)
• Syntax & semantics of information transmitted; representation.

Session layer (Hardly used)
• Allows users on different machines to establish sessions between them.

Transport layer (e.g. TCP, UDP)
• Provides connection-oriented services between end systems.

Network layer (e.g. IP)
• Concerns routing of data across a subnet.

Data link layer
• Transmission of data across a single link.

Physical layer
• Transmission characteristics of physical medium used.
IP: Internet protocol

Header part: IP header.
Text part: a UDP or TCP packet.

IP addresses

Each network interface has an IP address: a 32-bit number, range 0 to 4,294,967,295, which we express in human readable form by splitting into 4 8-bit numbers.

The famous “dotted quad string”.

Example: 10001001001011000000001000000001
10001001.00101100.00000010.00000001
137.44.2.1

A few special cases
• All zeros: “this host”
• All ones: “broadcast”
• 127.0.0.1 – loopback: keep it local, but pretend it’s an incoming packet.
Subnet masks

The first n bits of an IP address is the network address. Same network address == same network.

Subnet mask indicates split between network and host:
32 bits: first n are all 1s, then all 0s
Write as, e.g., 255.255.252.0 or /22

Example:
194.24.8.0/22
Network address is 194.24.8.0
Subnet mask is 22 1s then 10 0s
So, 2^10, i.e. 1024, addresses in this network.
CIDR: Classless Interdomain Routing

Routing tables hold entries of the form:
(Network address, subnet mask, link)

Routing steps:
• Bitwise AND destination IP of incoming packet with each subnet mask...
• Compare result with corresponding network address: match? Send packet there...
• If multiple entries match, pick the one with the longest netmask.
• Bitwise AND is just a way to say “is this host in this network’s range?”

Example routing

Packet for 194.24.8.50:
        11000010.00011000.00001000.00110010
Match for Edinburgh:
Mask:   11111111.11111111.11111100.00000000
AND:    11000010.00011000.00001000.00000000
Result: 194.24.8.0
No such match for Cambridge or Oxford.
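As an added worked example (not from the lecture slides), the following Python carries the dotted-quad, subnet-mask and longest-prefix routing steps above through in code, using the 137.44.2.1 and 194.24.8.0/22 values from the slides and doing the bitwise AND by hand rather than via a library. The routing table is constructed for illustration: only the Edinburgh entry comes from the slides; the Cambridge, Oxford, Edinburgh-lab and default entries are assumed values chosen so that 194.24.8.50 matches only Edinburgh and so that the "longest netmask wins" rule has something to decide.

```python
# Added example: dotted quads, subnet masks and CIDR longest-prefix routing,
# done bit by bit the way the slides describe it (no ipaddress module).

def dotted_to_int(addr):
    """'137.44.2.1' -> 32-bit integer (4 x 8-bit numbers, most significant first)."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value


def int_to_dotted(value):
    """32-bit integer -> dotted quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """Dotted binary form as written on the slides, e.g. 10001001.00101100.00000010.00000001."""
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len):
    """/n -> 32-bit mask: the first n bits are 1s, the remaining 32-n bits are 0s."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (((1 << prefix_len) - 1) << (32 - prefix_len)) & 0xFFFFFFFF


def parse_cidr(cidr):
    """'194.24.8.0/22' -> (network address, mask, prefix length), all as integers."""
    addr, _, plen = cidr.partition("/")
    prefix_len = int(plen) if plen else 32
    mask = prefix_to_mask(prefix_len)
    return dotted_to_int(addr) & mask, mask, prefix_len


def address_count(prefix_len):
    """Number of addresses in a /n network: 2^(32-n), so a /22 holds 2^10 = 1024."""
    return 1 << (32 - prefix_len)


# Constructed routing table: (network/prefix, link). Only the Edinburgh entry is
# from the slides; the other entries are assumed values for this example.
ROUTING_TABLE = [
    ("194.24.8.0/22", "Edinburgh"),
    ("194.24.12.0/22", "Cambridge"),
    ("194.24.16.0/22", "Oxford"),
    ("194.24.9.0/24", "Edinburgh-lab"),  # more specific than the Edinburgh /22
    ("0.0.0.0/0", "default"),            # matches everything, shortest mask
]


def route(table, destination):
    """Routing steps from the slides: AND the destination with each entry's mask,
    compare with the entry's network address, and when several entries match keep
    the one with the longest mask. Returns the link name, or None if nothing matches."""
    dest = dotted_to_int(destination)
    best_link, best_len = None, -1
    for cidr, link in table:
        network, mask, prefix_len = parse_cidr(cidr)
        if dest & mask == network and prefix_len > best_len:
            best_link, best_len = link, prefix_len
    return best_link


if __name__ == "__main__":
    for dst in ("194.24.8.50", "194.24.9.7", "194.24.13.1", "8.8.8.8"):
        print(f"{dst:14} {to_binary(dotted_to_int(dst))} -> {route(ROUTING_TABLE, dst)}")
```

Running the script prints each destination in the slides' dotted-binary notation next to the link chosen for it; 194.24.8.50 goes to Edinburgh, 194.24.9.7 to the more specific Edinburgh-lab entry, and an address outside all three campuses falls through to the default route.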
ICMP: Internet control message protocol

Mainly used for reporting errors within IP (e.g. routers etc).
Information added as a header after IP header.

Many, many error codes, some common:
• Echo reply (how ping works)
• Destination unreachable
• Source quench (send data slower)
• Time exceeded (TTL, traceroute!)
• Redirect (send elsewhere)
UDP: User datagram protocol

UDP is a thin layer over IP:
• Programmer says "send this data to this IP/port”.
• No guarantees.
• No state maintenance/connection setup etc.

UDP header (32 bits wide): source port #, dest. port #, segment length, checksum, followed by the application data (message). Note: there is no flags field.
TCP: Transmission control protocol (“Rely on me”)

• Stateful, reliable, connection-oriented.
• Full duplex service.
• 3-way handshake to establish connection.
• TCP code can buffer bytes, rather than sending immediately.

TCP header (32 bits wide): source port #, dest. port #, sequence number, acknowledgement number, header length, flags, receive window, Internet checksum, urgent data pointer, options, followed by the data.
TCP flags (SRAF UP)

TCP flags form the basis for most scans:
• ACK – does this packet carry an ACK?
• RST – reset connection.
• SYN/FIN – for connection setup/teardown
• URG – packet contains urgent data. (doesn’t tend to get used)
• PSH – Push buffered data.

Responses to flags differ, and can provide information to us.

A typical TCP session (“Shake my hand”):
SYN
SYN/ACK
ACK
...
FIN/ACK
ACK
FIN/ACK
ACK
Tools and scans

nmap
• Host discovery
• Port discovery / enumeration
• Service discovery
• Operating system version detection
• Hardware (MAC) address detection
• Vulnerability / exploit detection, using Nmap scripts (NSE)

Selected examples

nmap -sP 10.0.0.0/24
(ping scan given network range)

nmap -v -sS -A -T4 <target>
(verbose, stealth syn scan, OS detection, timelimit 10ms (aggressive))

nmap -p 1-65535 -sV <target>
(scan all ports, determine version)

nmap -iL ip-addresses.txt
(scan from file)

nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h -
(combine with vulnerability scanners)
Example: syn scan

Syn scan, open port:
SYN (scanner → target)
SYN/ACK (target → scanner)
RST (scanner → target)

Syn scan, closed port:
SYN (scanner → target)
RST (target → scanner)

Syn scan, filtered port:
SYN (scanner → target)
SYN (retransmitted, no response)

Try it with the --packet-trace option

Advanced scans

Null scan (-sN): does not set any bits (TCP flag header is 0)
FIN scan (-sF): sets just the TCP FIN bit.
Xmas scan (-sX): sets URG/PSH/FIN flags.

Probe response                                      Assigned state
No response received (even after retransmissions)   open|filtered
TCP RST packet                                      closed
ICMP unreachable error                              filtered

Can sneak through TCP firewalls (which look for SYN)
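As an added example (not from the lecture slides), the Python below serves both the TCP header and flags slides and the advanced-scans table above: it decodes a raw 20-byte TCP header into the fields the slides list, names the flags in SRAF UP order, and then looks at captured traffic the way a defender would, picking out the null, FIN and Xmas flag combinations that a SYN-only firewall rule lets through and the SYN fan-out that marks a port sweep. The capture is constructed inline; the hosts, ports and the `SAMPLE_CAPTURE` record layout are assumptions for this example.

```python
# Added example: decode a raw TCP header into the fields and flags shown on the
# slides, then use the flag combinations to spot scan probes in captured traffic.
import struct
from collections import defaultdict

# Flag bits in the header's flags byte (RFC 793 order, low bit first).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Names in the SRAF UP order used on the slides.
FLAG_NAMES = {SYN: "SYN", RST: "RST", ACK: "ACK", FIN: "FIN", URG: "URG", PSH: "PSH"}

# ports, sequence, acknowledgement, offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header (no options, checksum left 0) for the samples below."""
    return struct.pack(TCP_HEADER, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Pull out the header fields from the slide: ports, sequence/ack numbers,
    header length, flags, receive window, checksum and urgent pointer."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, offset, flags, window, checksum, urgent = struct.unpack(TCP_HEADER, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (offset >> 4) * 4, "flags": flags & 0x3F,
            "window": window, "checksum": checksum, "urgent_ptr": urgent}


def flag_names(flags):
    """0x12 -> 'SYN/ACK'."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return "/".join(names) if names else "none"


def classify_probe(flags):
    """Map a packet's flag combination to the scan type from the slides that sends it.
    A lone SYN is also how every normal connection starts, so on its own it proves nothing."""
    flags &= 0x3F
    return {0: "null", FIN: "fin", URG | PSH | FIN: "xmas", ACK: "ack", SYN: "syn"}.get(flags, "other")


# Constructed capture: (src, sport, dst, dport, raw_tcp_header).
SAMPLE_CAPTURE = [
    # an ordinary three-way handshake from 10.0.0.5 to the web server
    ("10.0.0.5", 40001, "10.0.0.20", 80, build_tcp_header(40001, 80, SYN, seq=100)),
    ("10.0.0.20", 80, "10.0.0.5", 40001, build_tcp_header(80, 40001, SYN | ACK, seq=500, ack=101)),
    ("10.0.0.5", 40001, "10.0.0.20", 80, build_tcp_header(40001, 80, ACK, seq=101, ack=501)),
    # null, FIN and Xmas probes from 10.0.0.99: never seen in a legitimate connection
    ("10.0.0.99", 5050, "10.0.0.20", 22, build_tcp_header(5050, 22, 0)),
    ("10.0.0.99", 5050, "10.0.0.20", 25, build_tcp_header(5050, 25, FIN)),
    ("10.0.0.99", 5050, "10.0.0.20", 443, build_tcp_header(5050, 443, URG | PSH | FIN)),
] + [
    # a SYN sweep from 10.0.0.77 over ports 1..30 of the same host
    ("10.0.0.77", 6000 + p, "10.0.0.20", p, build_tcp_header(6000 + p, p, SYN)) for p in range(1, 31)
]


def find_stealth_probes(capture):
    """Return (src, dst, dport, kind) for packets whose flags are null, FIN-only or Xmas:
    the combinations a firewall that only looks for SYN does not stop."""
    found = []
    for src, _sport, dst, dport, raw in capture:
        kind = classify_probe(parse_tcp_header(raw)["flags"])
        if kind in ("null", "fin", "xmas"):
            found.append((src, dst, dport, kind))
    return found


def syn_sweeps(capture, threshold):
    """(src, dst) pairs where src sent SYN-only packets to at least `threshold`
    distinct ports on dst, mapped to the port count. Bare SYNs are normal; the fan-out is not."""
    ports = defaultdict(set)
    for src, _sport, dst, dport, raw in capture:
        if classify_probe(parse_tcp_header(raw)["flags"]) == "syn":
            ports[(src, dst)].add(dport)
    return {pair: len(seen) for pair, seen in ports.items() if len(seen) >= threshold}


if __name__ == "__main__":
    for src, _sport, dst, dport, raw in SAMPLE_CAPTURE[:6]:
        h = parse_tcp_header(raw)
        print(f"{src} -> {dst}:{dport} flags={flag_names(h['flags'])} ({classify_probe(h['flags'])})")
    print("stealth probes:", find_stealth_probes(SAMPLE_CAPTURE))
    print("SYN sweeps:", syn_sweeps(SAMPLE_CAPTURE, threshold=20))
```

The threshold in `syn_sweeps` is the tuning knob: the handshake from 10.0.0.5 touches one port and is ignored, while the 30-port fan-out from 10.0.0.77 is reported even though every one of its packets is an ordinary-looking SYN.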


hping

• Advanced port scanning.
• Manual path MTU discovery (don’t fragment).
• Advanced traceroute, under all the supported protocols.
• Remote OS fingerprinting.
• Remote uptime guessing.
• TCP/IP stacks auditing.

Selected examples

hping3 -1 <target>
(normal ping via ICMP)

hping3 -2 <target>
(UDP ping)

hping3 -a hostname -1 <target>
(spoof host, won’t get response)

hping3 -S -p 80 -s 5050 <target>
(send syn packet from port 5050 to port 80)

hping3 -V …
(add verbose output)
Advanced scans

Ack scan
hping3 -c <packet_count> -p <port> -A <target>
Used to see if a host is alive (when Ping is blocked for example). This should send a RST response back if the port is open.

Smurf Attack
hping3 -1 --flood -a <target_ip> <broadcast_network_address>
Floods a target system via spoofed broadcast ping messages.

DOS Land Attack
hping3 -c <packet_count> -s <src_port> -d <dst_port> --flood -a <target_IP(source spoof)> <target_IP>
Send a spoofed TCP syn packet (connection initiation) with the target’s IP to an open port as both source and destination. This causes the machine to reply to itself continuously.

Example: smurf scan

Generate a fake echo request containing a spoofed source IP, which is actually the target server address.
• The request is sent to a broadcast network.
• The request is transmitted to all of these network hosts.
• Each host sends an ICMP response to the spoofed source address.
• With enough ICMP responses forwarded, the target server is brought down.
Avoiding detection

We will not cover this in depth, but! Hints:
Read my friends, read:
Fragmentation
Proxies
Tunnelling
Spoofing
Tor…
Countermeasures (Not much hope!)

Filtering, using ACL, limiting what IP addresses can request.

Hiding/encrypting content (but hard).

Anti-spoofing rules, makes sure source and destination IPs appear on the correct side of the firewall/IDS.

In reality: careful configuration based on the above.
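As an added example (not from the lecture slides), the Python below turns the anti-spoofing countermeasure above into a small policy function and runs it over constructed firewall log records. The rules are the standard ones: an address from an inside network must not arrive on the outside interface, private, loopback and multicast sources must not arrive from outside, packets aimed at an inside broadcast address from outside are dropped (the smurf amplification path), packets leaving must carry a source address the site owns, and a packet whose source equals its destination is dropped (the land-attack shape). The inside networks, the interface names and the `iface=... src=... dst=...` log format are assumptions for this example.

```python
# Added example: anti-spoofing checks of the kind the slide describes, expressed
# as a policy function applied to constructed firewall log records.
import ipaddress

# Constructed topology: the networks that legitimately sit on the inside of the firewall.
INSIDE_NETWORKS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.1.0/24")]

# Ranges that must never appear as a source address on the outside interface.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def in_any(addr, networks):
    return any(addr in net for net in networks)


def anti_spoof_verdict(iface, src, dst):
    """Decide (action, reason) for a packet seen on `iface` ("outside" or "inside").
    The rules implement the slide's point: source and destination addresses must be
    on the side of the firewall they claim to be on."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_inside, dst_inside = in_any(src_ip, INSIDE_NETWORKS), in_any(dst_ip, INSIDE_NETWORKS)
    if iface == "outside":
        if src_inside:
            return "drop", "inside source address arriving from outside (spoofed)"
        if in_any(src_ip, BOGON_NETWORKS):
            return "drop", "private, loopback or multicast source from outside"
        if any(dst_ip == net.broadcast_address for net in INSIDE_NETWORKS):
            return "drop", "directed broadcast from outside (smurf amplification)"
        if not dst_inside:
            return "drop", "destination is not on the inside (no transit through this firewall)"
        return "accept", "external source to internal destination"
    if iface == "inside":
        if not src_inside:
            return "drop", "leaving with a source address we do not own (egress spoof)"
        if src_ip == dst_ip:
            return "drop", "source equals destination (land-style packet)"
        return "accept", "internal source"
    raise ValueError(f"unknown interface {iface!r}")


# Constructed log records in a key=value style; the field names are assumptions.
SAMPLE_LOG = """\
iface=outside src=203.0.113.5 dst=10.0.0.20
iface=outside src=10.0.0.7 dst=10.0.0.20
iface=outside src=172.16.4.4 dst=10.0.0.20
iface=outside src=203.0.113.5 dst=10.0.0.255
iface=inside src=10.0.0.20 dst=203.0.113.5
iface=inside src=203.0.113.77 dst=203.0.113.5
iface=inside src=10.0.0.20 dst=10.0.0.20
"""


def parse_record(line):
    """'iface=outside src=a dst=b' -> ('outside', 'a', 'b')."""
    fields = dict(item.split("=", 1) for item in line.split())
    return fields["iface"], fields["src"], fields["dst"]


def apply_policy(log_text):
    """Run every record through the policy; returns [(line, action, reason)]."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            action, reason = anti_spoof_verdict(*parse_record(line))
            results.append((line, action, reason))
    return results


if __name__ == "__main__":
    for line, action, reason in apply_policy(SAMPLE_LOG):
        print(f"{action:6} {line:50} {reason}")
```

Of the seven constructed records only the two genuinely well-formed ones are accepted; the others are caught by the inside-address-from-outside, bogon, directed-broadcast, egress-spoof and source-equals-destination rules respectively. In a real deployment the same checks are expressed as firewall ACL entries on each interface, with the inside networks list coming from the site's address plan rather than a constant.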


Summary

• Core network technologies: IP/ICMP/UDP/TCP.
• Steps for scanning:
  • Looking for hosts (up/down)
  • What open ports
  • What services (fingerprinting)
• nmap and hping.
• Counter measures

Lab: Exploring the above + tools that help.

Next week: Enumeration and access
