6.-IP Network Scanning

The document discusses techniques for scanning IP networks, including initial scanning with Nmap, low-level IP assessment using tools like Hping3 and Scapy, vulnerability scanning using Nmap Scripting Engine plugins, bulk vulnerability scanning with tools like Nessus and OpenVAS, and evading intrusion detection systems. It provides examples of commands and techniques for tasks like host discovery, port scanning, vulnerability testing, and evading IDS sensors.


Network Security

Network Security Teaching Team

Informatics Engineering Study Program


Department of Informatics Engineering
Contents
6. IP Network Scanning
a. Initial Network Scanning with Nmap
b. Low-Level IP Assessment
c. Vulnerability Scanning with NSE
d. Bulk Vulnerability Scanning
e. IDS and IPS Evasion
f. Network Scanning Recap
g. Network Scanning Countermeasures
Chapter 6

IP Network Scanning
Initial Network Scanning with Nmap
Network protocols and respective OSI layers
• Common network protocols:
• Internet Protocols IPv4/v6.
• Internet Control Message Protocol
(ICMP)
• Distance Vector Multicast Routing
Protocol (DVMRP)
• Internet Group Management
Protocol (IGMP)
• Address Resolution Protocol (ARP)
• Internet Protocol Security (IPsec)
• Routing Information Protocol (RIP)
ICMPv4 Sweeping with Nmap
• Within Nmap, use the -PEPM
flag to perform host discovery
using ICMPv4 echo, timestamp,
and subnet mask requests
Ping broadcast addresses
• Within an IP network, the highest
address in the subnet (all host bits
set to one) is the broadcast address
(e.g., 10.10.5.255 within
10.10.5.0/24), which is used to
send traffic to all of the hosts
within that subnet.
Ping broadcast addresses
• This example shows how an
additional subnet (10.12.0.0/24)
is revealed via the
255.255.255.255 broadcast
address.
TCP scanning
• Nmap supports many TCP
scanning modes, which are
particularly useful when
performing stealth scans and
understanding low-level network
configuration.
• For the purpose of identifying
accessible services, the basic TCP
SYN (-sS) mode should be used.
TCP Scanning
• Nmap returns a state (open,
closed, or filtered) for each port.
• These Figures demonstrate SYN
probes eliciting four response
variants:
• a SYN/ACK packet (indicating an
open port);
• RST/ACK (denoting closed);
• no response (reported as filtered); or
• an ICMP type 3 message (also
reported as filtered, implying a
filtering device in the path).
UDP Payload Scanning
• The connectionless nature of UDP means that
services are identified either
• through negative scanning (inferring open ports
from the ICMP port unreachable responses sent
for those which are closed), or
• through use of correctly formatted datagrams to
elicit a response from a service (e.g., DNS, DHCP,
TFTP, and others, as listed in Nmap's nmap-payloads
file), known as payload scanning.
• ICMP is an unreliable indicator because security-
conscious organizations tend to filter these messages,
and most operating systems rate-limit ICMP
responses by default (Linux, for example, to about
one per second).
• Nmap uses a combination of both negative and
payload scanning (versus just a single mode) via
the -sU flag.
• The output is therefore often ambiguous: a port that
answers a payload is open, one that returns ICMP
port unreachable is closed, but a port that does
neither can only be reported as open|filtered.
UDP Payload Scanning
• Using the -sUV flag, you can actively
probe each UDP port and see which
respond.
• Running Nmap in this fashion is,
however, very slow against ambiguous
open|filtered ports, and impractical
when testing large networks.
• This Figure demonstrates using Nmap
to scan five UDP ports of a single host,
taking 114 seconds to complete.
• Deeper testing reveals that port 53 is
indeed listening.
UDP Payload Scanning
• An alternative tool that you can
use to perform UDP payload
scanning is Unicornscan.
• Against the 10.3.0.1 candidate,
results are returned almost
instantly.
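The TCP and UDP scanning slides above describe how Nmap labels ports and why UDP results are ambiguous. Rather than re-running a slow `-sUV` against every port, a practitioner usually saves the first pass as XML (`-oX`) and feeds only the open|filtered ports into the follow-up. The following script is an added example (not code from the slides or from the Nmap project); the XML sample is constructed in the shape of an Nmap report, and the host 10.3.0.1 and its ports are illustrative.

```python
"""Parse Nmap XML output (-oX) and queue ambiguous UDP ports for -sUV follow-up."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the shape of an Nmap -sU run against one host; it is not
# captured output, and the host/ports are illustrative.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -p 53,67,69,123,161 -oX - 10.3.0.1">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.3.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain"/></port>
      <port protocol="udp" portid="67"><state state="open|filtered" reason="no-response"/><service name="dhcps"/></port>
      <port protocol="udp" portid="69"><state state="open|filtered" reason="no-response"/><service name="tftp"/></port>
      <port protocol="udp" portid="123"><state state="closed" reason="port-unreach"/><service name="ntp"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class PortResult:
    host: str
    proto: str
    port: int
    state: str   # open, closed, filtered, open|filtered, ...
    reason: str  # why Nmap chose that state (udp-response, port-unreach, no-response, ...)


def parse_nmap_xml(xml_text: str) -> list[PortResult]:
    """Flatten every <port> element of an Nmap XML report into PortResult records."""
    root = ET.fromstring(xml_text)
    results: list[PortResult] = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            results.append(PortResult(
                host=addr.get("addr"),
                proto=port.get("protocol"),
                port=int(port.get("portid")),
                state=state.get("state"),
                reason=state.get("reason", ""),
            ))
    return results


def ambiguous_udp(results: list[PortResult]) -> list[PortResult]:
    """UDP ports where the payload probe drew no reply and no ICMP unreachable arrived:
    Nmap cannot tell a silent service from a filter, hence open|filtered."""
    return [r for r in results if r.proto == "udp" and r.state == "open|filtered"]


def followup_commands(results: list[PortResult]) -> list[str]:
    """Build one 'nmap -sUV' command per host covering only its ambiguous UDP ports,
    so the slow version probes are not spent on ports already resolved."""
    by_host: dict[str, list[int]] = {}
    for r in ambiguous_udp(results):
        by_host.setdefault(r.host, []).append(r.port)
    return [
        f"nmap -sUV -p U:{','.join(str(p) for p in sorted(ports))} {host}"
        for host, ports in sorted(by_host.items())
    ]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in parsed:
        print(f"{r.host} {r.proto}/{r.port} {r.state} ({r.reason})")
    for cmd in followup_commands(parsed):
        print("follow-up:", cmd)
```

On the sample, port 53 is already resolved (a payload reply), 123 is closed (ICMP port unreachable), and only 67, 69 and 161 go into the `-sUV` follow-up. The `reason` attribute is worth keeping in reports: it records whether a state came from positive evidence (a reply) or from the absence of one.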
Low-Level IP Assessment
Low-Level IP Assessment
• By crafting probe packets and reviewing the responses, you can do
the following:
• Fingerprint the operating system of a target host or network device
• Identify hosts with IP stack implementation flaws
• Enumerate filtering devices and reverse engineer their policy
• Reveal the internal IP addresses of misconfigured systems
Low-Level IP Assessment
• You can manipulate IP and TCP
header values by using Hping3,
Scapy, Nmap, and Firewalk.
• Individual values set within IP
and TCP packet headers are
shown in the Figures.
• By manipulating these fields and
sampling responses to particular
probes, you can reverse
engineer the underlying network
configuration.
Crafting Arbitrary Packets
• This Table lists common Hping3
arguments used to craft TCP
packets from the command line.
• The utility also supports raw IP,
UDP, and scanning modes.
• Power users should consider
Scapy because it offers increased
flexibility.
Crafting Arbitrary Packets
• This Figure demonstrates Hping3
used to perform a TCP SYN port
scan of common ports.
• For full details of the modes
supported, review the
documentation.
Crafting Arbitrary Packets
• To send three TCP SYN probes to
port 80 of 10.3.0.1, use the
command in the following
Figure.
• The IP ID values returned are
sequential, and the flags
received are SYN/ACK, meaning
the port is open.
Crafting Arbitrary Packets
• A closed port sends packets with
RA flags (RST/ACK) set, as
follows:
Crafting Arbitrary Packets
• Next, we find that TCP port 23 is
blocked by an Access Control List
(ACL): instead of a TCP reply, the
probe elicits an ICMP type 3
(destination unreachable) message,
typically code 13 (administratively
prohibited), from the filtering device.
• And probes to TCP port 3306 are
dropped in transit: no response of any
kind is received, so nothing can be
said about the port beyond "filtered".
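The Hping3 slides above read port state from the TCP flags of each reply and note that the IP ID values come back sequential. The script below is an added example (not code from the slides, from Hping3 or from Nmap): it parses reply lines written in the style Hping3 prints, derives the port state from the flags, and classifies the IP ID sequence in the categories Nmap's `-O` ipidseq test reports. The sample lines are constructed, not captured, and the classification thresholds are an assumed simplification of Nmap's heuristic.

```python
"""Interpret hping3 SYN-probe replies: port state from the TCP flags, IP ID behaviour
from the id= values (a simplified form of the heuristic behind Nmap's ipidseq test)."""
import re

# Constructed reply lines in the style hping3 prints for each response; they are not
# captured from a real host.
SAMPLE_REPLIES = """\
len=46 ip=10.3.0.1 ttl=64 DF id=14601 sport=80 flags=SA seq=0 win=5840 rtt=0.4 ms
len=46 ip=10.3.0.1 ttl=64 DF id=14602 sport=80 flags=SA seq=1 win=5840 rtt=0.3 ms
len=46 ip=10.3.0.1 ttl=64 DF id=14603 sport=80 flags=SA seq=2 win=5840 rtt=0.3 ms
"""

REPLY_RE = re.compile(
    r"ip=(?P<ip>\S+) .*?id=(?P<id>\d+) sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*)"
)


def parse_replies(text: str) -> list[dict]:
    """Extract source IP, IP ID, source port and TCP flags from each reply line."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append({"ip": m["ip"], "id": int(m["id"]),
                            "sport": int(m["sport"]), "flags": m["flags"]})
    return replies


def port_state_from_flags(flags: str) -> str:
    """SYN/ACK means a listener accepted the SYN; RST (usually RST/ACK) means closed."""
    if "S" in flags and "A" in flags:
        return "open"
    if "R" in flags:
        return "closed"
    return "unknown"


def ipid_class(ids: list[int]) -> str:
    """Classify consecutive IP ID samples. The thresholds only loosely mirror Nmap's
    ipidseq test (assumption); the category names are the ones Nmap reports."""
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    if len(set(ids)) == 1:
        return "Constant"
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]  # 16-bit wrap-around
    if any(d > 1000 and d % 256 != 0 for d in diffs):
        return "Random"
    if all(d <= 10 for d in diffs):
        return "Incremental"
    if all(d % 256 == 0 and d <= 5 * 256 for d in diffs):
        # counter incremented in host order but written little-endian on the wire
        return "Broken little-endian incremental"
    return "Randomized positive increments"


def usable_as_idle_scan_zombie(cls: str) -> bool:
    """A global, predictable counter is what Nmap's idle scan (-sI) needs in a zombie."""
    return cls in ("Incremental", "Broken little-endian incremental")


def analyse(text: str) -> tuple[str, str]:
    """Summarise a run of probes as (port state, IP ID class)."""
    replies = parse_replies(text)
    states = {port_state_from_flags(r["flags"]) for r in replies}
    state = states.pop() if len(states) == 1 else "inconsistent"
    return state, ipid_class([r["id"] for r in replies])


if __name__ == "__main__":
    state, cls = analyse(SAMPLE_REPLIES)
    print(f"port state: {state}; IP ID sequence: {cls}; "
          f"idle-scan zombie candidate: {usable_as_idle_scan_zombie(cls)}")
```

Sequential IP IDs are more than a curiosity: a host with a single global counter can be used as an idle-scan zombie and leaks how much traffic it sends between two probes, which is why modern stacks randomise or per-destination the field.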
Vulnerability Scanning with NSE
Nmap Scripting Engine (NSE)
• Within Nmap, NSE provides
support for a number of tests
against particular services.
• This Figure demonstrates default
NSE scripts executed (via -sSC)
against particular services
running on 192.168.10.10.
Nmap Scripting Engine (NSE)
• Many useful scripts are not included
in the default category and won’t
fire unless explicitly invoked.
• Particular scripts are executed by
using --script (along with arguments
passed via --script-args).
• Using the --script-help argument,
you can review individual scripts, as
demonstrated in this Figure
(showing AFP scripts within the
discovery category).
Bulk Vulnerability Scanning
Bulk Vulnerability Scanning
• NSE functionality is somewhat limited when testing large heterogeneous
environments.
• Security professionals often rely on feature-rich commercially supported tools to
perform deep automated assessment of IP networks.
• Four popular scanning utilities are as follows:
• Nessus
• OpenVAS
• Qualys
• Rapid7 Nexpose
• These tools perform host discovery, port scanning, and exposed service assessment
over both IPv4 and IPv6.
• OpenVAS is free to use and included within Kali Linux, and tutorials online detail the
setup and use of the scanner.
IDS and IPS Evasion
IDS and IPS Evasion
• Security-conscious organizations use IDS and IPS technologies to passively monitor and actively
block suspicious network traffic.
• You can adopt three particular tactics at Layers 3 and 4 to interfere with, or bypass detection:
• Inserting data that is seen by a sensor but disregarded by the destination host
• Fragmenting packets so that a sensor disregards them (but are later reassembled)
• Modifying packet data (e.g., appending data and setting particular flags)
• The SniffJoke utility found within Kali Linux supports the first two approaches via plugins that define
how egress traffic is manipulated.
• Depending on network configuration and the OS of the destination host, you can adopt different
tactics.
• Nmap’s evasion features include fragmentation and modification of packet data, applied to mask
port scanning (a favorite being --data-length, which appends data to each packet, fooling signature-
based detection systems).
• A third tool worth consideration is Stonesoft Evader, which can bypass detection by Palo Alto
Networks appliances by fragmenting and modifying egress packets.
TTL Manipulation
• The target host is six hops away from the
source, and an IDS sensor is deployed
between hops three and four.
• By sending packets with a TTL that
carries them past the sensor but
expires before the destination (here
a TTL of 4 or 5), an adversary can
insert data into the network flow as
the sensor sees it, without the
destination ever receiving it.
• A second technique is to send material to
the destination that is disregarded, but
parsed by the sensor (or vice versa)—
achieved through fragmentation and
segment overlapping.
• The underlying problem is that the sensor
does not have enough context to correctly
perform network flow reassembly.
Data Insertion and Scrambling with SniffJoke
• Within SniffJoke, data manipulation and insertion attacks are known as hacks and scrambles.
• Examples of hacks include:
• inserting a fake payload (causing the sensor to parse session data that is not processed by the destination),
• providing false sequencing information (causing the sensor to lose state and parse erroneous data), and
• injecting fake signaling information (via insertion of FIN, RST, or SYN packets that are disregarded by the destination, but cause the sensor to believe the session has ended or a new one has been established).
• Packets can be malformed and fragmented in a number of ways.
• The trick is to adopt an approach where packets are processed by the sensor and disregarded by the destination host, or vice versa.
• Many of these approaches depend on the IP stack implementation of the sensor and destination host (identifying a mismatch and abusing it for gain).
• Scrambling tactics adopted by SniffJoke focus on generating packets that are disregarded by the destination host, as follows:
• Setting bad checksums on packets: sensors in high-throughput environments often do not calculate packet checksums for performance reasons. If this is the case, malicious content is parsed by the sensor but disregarded upon receipt by the destination host.
• Use of uncommon IP and TCP options: a sensor might disregard packets with certain flags and options set within IP and TCP headers, whereas the destination host accepts the packet upon receipt.
• One important topic that is not highlighted within the SniffJoke documentation is that of packet fragmentation and segment overlapping.
• Attackers can use these tactics to evade and bypass IDS and IPS mechanisms because fragmented packets might be reassembled differently by the sensor than by the destination host.
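The TTL Manipulation slide and the fragmentation and overlap point above both come down to the sensor and the destination host seeing, or reconstructing, different bytes from the same packets. The following model is an added example (not SniffJoke's code or any real stack's reassembly logic): it uses the slide's topology (destination six hops away, sensor between hops three and four), two deliberately simplified overlap policies, and a constructed request in which the attacker wants the host to receive `/etc/passwd` while a signature-based sensor sees `/index.html`. Real stacks use more nuanced rules (Shankar and Paxson catalogued five fragment reassembly policies); two are enough to show the ambiguity.

```python
"""Model why an IDS sensor and the destination host can reconstruct different data from
the same packets: overlapping fragments resolved by different policies, and chaff whose
TTL expires after the sensor but before the host."""
from dataclasses import dataclass

# Topology from the slide: destination is hop 6, the sensor sits on the link between
# hops 3 and 4, so it sees exactly the packets that would reach hop 4.
SENSOR_HOP = 4
HOST_HOP = 6
SIGNATURE = b"/etc/passwd"   # assumed pattern a signature-based sensor looks for


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset within the datagram / stream
    data: bytes
    ttl: int      # IP TTL as sent by the attacker


def reaches_hop(frag: Fragment, hop: int) -> bool:
    """Each router decrements TTL and discards at zero, so a packet sent with TTL t is
    received by hop t at the latest (a host accepts a packet arriving with TTL 1)."""
    return frag.ttl >= hop


def reassemble(frags: list[Fragment], policy: str) -> bytes:
    """Place fragments in arrival order. On overlap, 'first' keeps the bytes already
    placed and 'last' lets the later fragment overwrite them (simplified policies)."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: dict[int, int] = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    if not buf:
        return b""
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1))  # holes filled with NUL


def views(frags: list[Fragment], sensor_policy: str, host_policy: str) -> tuple[bytes, bytes]:
    """What the sensor reconstructs versus what the host reconstructs."""
    sensor = reassemble([f for f in frags if reaches_hop(f, SENSOR_HOP)], sensor_policy)
    host = reassemble([f for f in frags if reaches_hop(f, HOST_HOP)], host_policy)
    return sensor, host


def evasion_by_overlap() -> tuple[bytes, bytes]:
    """Both sides receive every fragment; only their overlap policies differ."""
    frags = [Fragment(0, b"GET /", 64),
             Fragment(5, b"index.html", 64),   # decoy, arrives first
             Fragment(5, b"etc/passwd", 64)]   # real payload, overlaps the decoy
    return views(frags, sensor_policy="first", host_policy="last")


def insertion_by_ttl() -> tuple[bytes, bytes]:
    """Same policy on both sides; the decoy's TTL of 4 dies at hop 4, after the sensor."""
    frags = [Fragment(0, b"GET /", 64),
             Fragment(5, b"index.html", 4),    # seen by the sensor, never reaches the host
             Fragment(5, b"etc/passwd", 64)]
    return views(frags, sensor_policy="first", host_policy="first")


def report(sensor: bytes, host: bytes) -> dict:
    """Did the sensor alert, and did the attack still arrive intact?"""
    return {"sensor_sees": sensor, "host_gets": host,
            "sensor_alerts": SIGNATURE in sensor, "attack_delivered": SIGNATURE in host}


if __name__ == "__main__":
    for name, fn in (("overlap", evasion_by_overlap), ("ttl", insertion_by_ttl)):
        print(name, report(*fn()))
```

The defensive reading of the same model is that a sensor cannot resolve the ambiguity by guessing; it needs either to know the destination's reassembly policy (Nmap and SniffJoke are useful for establishing it, as the countermeasures slide suggests) or to normalise traffic, for example by reassembling and dropping overlapping fragments before the host sees them.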
Network Scanning Recap
Network Scanning Recap
• Initial network scanning:
• Nmap is used to identify accessible hosts and then perform comprehensive scanning of all TCP and SCTP ports, and
common UDP ports. Use the -A flag to perform OS and network service fingerprinting.
• Low-level IP assessment
• Sample TCP sequence, IP ID, and TCP timestamp values using Nmap with the -O flag.
• You can investigate low-level configuration by using Firewalk, Hping3, and Scapy to craft packets with particular flags.
• Vulnerability scanning with Nmap
• NSE supports the testing of specific services (including DNS, HTTP, MongoDB, Microsoft SQL Server, Oracle, and SNMP).
• Although these tests are by no means exhaustive, they often provide useful information.
• Bulk vulnerability scanning
• Tools including Nessus, OpenVAS, Qualys, and Rapid7 Nexpose perform broad assessment in line with PCI DSS and other
requirements.
• Vulnerability scanners often produce large datasets and false positives.
• As such, you should cross-check output with Nmap results to validate proper coverage.
• IDS and IPS evasion
• Through fragmenting and injecting packets using SniffJoke and Nmap, it is possible to evade network security
mechanisms including IDS and IPS.
Network Scanning Countermeasures
Network Scanning Countermeasures
• Filter inbound ICMP messages at your network edge to prevent ping sweeping (echo, timestamp, and address mask requests). Keep ICMP type 3 code 4 (fragmentation needed) flowing, or path MTU discovery breaks.
• Filter outbound ICMP unreachable (type 3) messages at border routers and firewalls to prevent port scanning and reverse engineering of your ACLs. This turns closed ports into filtered ones and makes UDP scanning far slower, but open TCP ports still answer with SYN/ACK.
• Ensure that software running on critical network devices (core switches, edge routers, and firewalls) is patched up to date. This is important when mitigating denial of service and availability issues.
• Review the logging and auditing configuration of your network devices to ensure that automated vulnerability scans and large volumes of malicious data do not result in denial of service through the logging infrastructure being overwhelmed.
• Assess the way that your network devices handle fragmented and malformed packets by using Nmap and SniffJoke when performing scanning and probing exercises. Large volumes of bad data can exhaust security mechanisms, causing them to fail open.
• Be aware of your own network configuration and publicly accessible services by launching network scans against your IP address space. It is surprising how few organizations undertake simple port scanning exercises and are caught off guard by opportunistic attackers.
Discussion
References
1. Chris McNab, Network Security Assessment, 3rd ed., O'Reilly Media, 2016.
