Network scanning - Amazon Web Services

Scanning Networks

Network scanning

Network scanning refers to the process of obtaining additional information and performing a more detailed reconnaissance based on the information collected in the footprinting phase. In this phase, a number of different procedures are used with the objective of identifying hosts, ports, and services in the target network. The whole purpose is to identify vulnerabilities in communication channels and then create an attack plan.

Scanning has three types:
- Port scanning - used to list open ports and services
- Network scanning - used to list IP addresses
- Vulnerability scanning - used to discover the presence of known vulnerabilities

Scanning techniques

Port scanning techniques are extremely useful when it comes to identifying open ports. Scanning techniques represent different categories which are used based on protocol types. They are categorized into three categories:
- Scanning ICMP network services
- Scanning TCP network services
- Scanning UDP network services

Scanning ICMP network services

ICMP Scanning
ICMP scanning is used for identifying active devices and determining whether ICMP can pass through a firewall.

Ping Sweep
Ping sweep is used to determine the range of IP addresses that is mapped to active devices. It allows hackers to calculate subnet masks and identify the number of hosts present in the subnet. This in turn enables them to create an inventory of active devices in the subnet.

ICMP Echo Scanning
ICMP echo scanning is used to determine which hosts are active in a target network by pinging all the machines in the network.

Scanning TCP network services

TCP Connect
TCP connect scan is used for detecting open ports upon the completion of the three-way handshake. It works by establishing a full connection and then dropping it by sending a RST packet.

Stealth Scan
Stealth scan is used for bypassing firewall and logging mechanisms.
It works by resetting the TCP connection before the three-way handshake is completed, which in turn leaves the connection half open.

Inverse TCP Flag Scanning
Inverse TCP flag scanning works by sending TCP probe packets with or without TCP flags. Based on the response, it is possible to determine whether the port is open or closed. If there is no response, then the port is open. If the response is RST, then the port is closed.

Xmas Scan
Xmas scan works by sending a TCP frame with the FIN, URG, and PUSH flags set to the target device. Based on the response, it is possible to determine whether the port is open or closed. If there is no response, then the port is open. If the response is RST, then the port is closed. It is important to note that this scan works only for UNIX hosts.

ACK Flag Probe Scanning
ACK flag probe scanning works by sending TCP probe packets with the ACK flag set in order to determine whether the port is open or closed. This is done by analyzing the TTL and WINDOW fields of the received RST packet's header. The port is open if the TTL value is less than 64. Similarly, the port is also considered to be open if the WINDOW value is not 0 (zero). Otherwise, the port is considered to be closed.

ACK flag probing is also used to determine the filtering rules of the target network. If there is no response, then that means that a stateful firewall is present. If the response is RST, then the port is not filtered.

Scanning UDP network services

IDLE/IPID Header Scan
IDLE/IPID header scan works by sending packets with a spoofed source address to the target to determine which services are available. In this scan, hackers use the IP address of a zombie machine for sending out the packets. Based on the IPID of the packet (fragment identification number), it is possible to determine whether the port is open or closed.

UDP Scanning
UDP scanning uses the UDP protocol to test whether the port is open or closed. In this scan there is no flag manipulation.
Instead, ICMP is used to determine if the port is open or not. So, if a packet is sent to a port and an ICMP port unreachable packet is returned, then that means that the port is closed. If, however, there is no response, then the port is open.

SSDP and List Scanning
SSDP, or Simple Service Discovery Protocol, is a service that responds to queries sent over IPv4 and IPv6 broadcast addresses. Attackers use this scan to exploit UPnP vulnerabilities and carry out buffer overflow or DoS attacks.

List scanning indirectly discovers hosts. This scan works by listing out IP addresses and names without pinging the hosts, while performing a reverse DNS resolution to identify the names of the hosts.

Protecting the network

Open ports allow hackers to compromise the network, so it is important to apply certain countermeasures to protect the network from being scanned. Some of the countermeasures include:
- Configuring the firewall and IDS to detect and block scans
- Ensuring that the firewall properly detects and blocks port scans
- Protecting filtering and routing mechanisms from being bypassed through certain ports
- Updating the router, IDS, and firewall
- Setting custom firewall rules and blocking unwanted ports
- Filtering ICMP messages
- Checking the configuration of the network and its ports
- Ensuring the proper configuration of anti-scanning and anti-spoofing rulesets

Bypassing IDS and Firewall

Scanning beyond IDS and firewall is possible by using the following techniques:
- Packet fragmentation works by sending fragmented probe packets to the server, which then reassembles them once all packets are received.
- Source routing works by specifying which path the malformed packet will take to get to the target host.
- IP address decoy works by generating decoy IP addresses and thus preventing the IDS/firewall from determining the real IP address.
- IP address spoofing works by changing the source IP address and thus making the packet appear to come from someone else.
- Proxy server works by using a series of proxy servers to conceal the real source of the scan.

Banner grabbing

Banner grabbing refers to determining the operating system of the target. Knowing the operating system helps attackers exploit known vulnerabilities as well as form an attack plan.

Banner grabbing can be active or passive. Active banner grabbing works by sending malformed packets to the OS and then recording the responses. Because different operating systems have different TCP/IP stack implementations, each response is analyzed to determine the operating system. Passive banner grabbing uses sniffing to determine the operating system. It includes analyzing error messages, sniffing the traffic on the network, and examining page extensions.

The operating system can be identified by reading the values of TTL (time to live) and TCP window size in the IP header of the first packet. These values differ between operating systems.

Banner grabbing can be prevented by disabling banners and by hiding web page extensions.

Drawing and mapping out network topologies

Network diagrams are useful when it comes to identifying and understanding the topology of the target network. The diagram can tell the attacker how firewalls, IDSs, routers, and other devices are arranged in the network. This information can be used for vulnerability discovery and exploitation. Network mapping can be done using mapping tools which are able to draw detailed maps.

Enumeration

Enumeration is the process of extracting information from a system or a network by creating active connections and performing queries. The information collected through this process is used to discover vulnerabilities in the system and then exploit them. Attackers use this information to discover and exploit vulnerabilities in the system or network.
The information that is collected in this process includes:
- Routing tables
- Users and groups
- Machine names
- Network resources

Techniques used in enumeration include:
- Using emails to extract usernames
- Using default passwords to extract information
- Brute forcing Active Directory
- Using DNS zone transfer to extract information
- Extracting user groups from Windows
- Using SNMP to extract usernames

The following table shows which TCP and UDP services and ports should be enumerated:

TCP/UDP 53          DNS zone transfer
TCP/UDP 135         Microsoft RPC Endpoint Mapper
TCP/UDP 445         SMB over TCP
TCP/UDP 389         LDAP
TCP/UDP 3268        Global Catalog Service
TCP/UDP 162         SNMP Trap
TCP/UDP 5060, 5061  SIP - Session Initiation Protocol
TCP 139             SMB over NetBIOS
TCP 25              SMTP
UDP 137             NetBIOS Name Service
UDP 161             SNMP
UDP 500             ISAKMP/IKE

NetBIOS Enumeration

NetBIOS provides a lot of important information and thus should be considered first when performing enumeration. A NetBIOS name is a unique name of a Windows machine. It consists of 16 ASCII characters, out of which 15 characters represent the name, and the last one is the service or name record type. NetBIOS is easily exploitable and often used by hackers when attacking a target. NetBIOS enumeration helps an attacker collect information about all computers that belong to one domain, individual host shares in the network, as well as passwords and policies.

SNMP Enumeration

SNMP enumeration works by using SNMP to enumerate users and devices on a target system. Using SNMP enumeration, attackers are able to extract information about hosts, routers, devices, routing tables, and other network resources. SNMP stands for Simple Network Management Protocol. It is an application layer protocol which runs on UDP and is responsible for maintaining and managing routers, hubs and switches. It consists of a manager and an agent. The manager is installed on a computer, whereas agents are embedded into network devices. The manager needs two passwords to access and configure the agent.
These passwords are called the read community string and the read/write community string. Attackers use them to collect information about the device. The network objects that are managed by SNMP are stored in a database called the Management Information Base, or MIB. Each object has its own identifier which is used to access the object. Objects can be scalar (single object instance) or tabular (groups of related instances). The object identifier contains information about the object including its type, access level, and restrictions. The information contained in the object identifier can be translated into a human readable form.

LDAP Enumeration

LDAP stands for Lightweight Directory Access Protocol. This protocol provides access to directory services. Querying LDAP may return information about usernames, addresses, servers, and other sensitive information which can help the attacker perform an attack.

NTP Enumeration

NTP stands for Network Time Protocol and its role is to ensure that networked computer clocks are synchronized. NTP enumeration provides hackers with information about the hosts that are connected to the NTP server as well as the IP addresses, system names, and operating systems of the clients.

SMTP and DNS Enumeration

SMTP stands for Simple Mail Transfer Protocol and is used for sending emails. SMTP enumeration helps identify valid users on the SMTP server.

DNS enumeration helps locate the target's DNS server and records. Through this enumeration, attackers are able to collect information about DNS server names, hosts, usernames, machine names, IP addresses, and so on. The objective here is to retrieve a copy of the domain's zone file.

Scanning for vulnerabilities

Vulnerability research helps identify vulnerabilities which could compromise the system.
Vulnerabilities are typically categorized into one of the following categories:
- Misconfiguration
- Default installations
- Buffer overflows
- Unpatched servers
- Design flaws
- Operating system flaws
- Application flaws
- Open services
- Default passwords

Vulnerability assessment examines the system and its ability to resist an attack by scanning the network and looking for vulnerabilities. The assessment helps identify vulnerabilities that could be exploited and estimate how effective certain security measures would be against an attack. Vulnerability assessment is performed using vulnerability scanners, which are designed to collect information about network vulnerabilities, open ports, running services, application vulnerabilities, service vulnerabilities, and configuration errors.

Vulnerability scanning uses two approaches:
- Active scanning: interacting directly with the target network to discover vulnerabilities
- Passive scanning: discovering vulnerabilities without direct interaction with the target network

Vulnerability assessment has several different types:
- Active assessment: utilizes network scanners to discover present hosts, services, and vulnerabilities
- Passive assessment: discovers present hosts, services, and vulnerabilities by sniffing the traffic
- External assessment: discovers vulnerabilities and threats that are accessible from outside the organization
- Internal assessment: discovers vulnerabilities and threats that are present internally
- Host-based assessment: discovers vulnerabilities and threats on a specific server by examining its configuration
- Network assessment: identifies potential attacks on the network
- Application assessment: examines the configuration of the web infrastructure
- Wireless network assessment: discovers vulnerabilities and threats in the organization's wireless network

Vulnerability management refers to the evaluation and control of the risks and vulnerabilities in the system.
It contains the following phases:
- Pre-assessment phase
  - Creating baseline: identifying critical assets and prioritizing them to create a baseline for the assessment
- Assessment phase
  - Vulnerability assessment: identifying known vulnerabilities
- Post-assessment phase
  - Risk assessment: assessing the vulnerability and risk levels for the identified assets
  - Remediation: mitigating and reducing the severity of the identified vulnerabilities
  - Verification: ensuring that all phases have been successfully completed
  - Monitoring: identifying new threats and vulnerabilities

Employing the right vulnerability assessment solution is important as it helps identify security vulnerabilities on time. Different assessment solutions are used for different approaches. These solutions are categorized into four types:
- Product-based solutions: installed in the internal network
- Service-based solutions: offered by third parties
- Tree-based assessment: different strategies are selected for each machine
- Inference-based assessment: starts by finding the protocols to scan, then scans the found protocols and their services, and once it finds them, it selects vulnerabilities and begins executing the relevant tests.

Scanning solutions perform vulnerability penetration tests in three steps. They first locate the live hosts in the network. Once they detect the hosts, they move on to enumerating open ports and services. In the final step, they test the found services for known vulnerabilities.

The tools used for vulnerability assessment fall into one of six types:
- Host-based vulnerability assessment tools
- Depth assessment tools
- Application-layer vulnerability assessment tools
- Scope assessment tools
- Active/passive tools
- Location/data examined tools

Vulnerabilities that are identified are stored in databases and given certain scores based on their severity and risk.
Some of the scoring systems are:
- CVSS - Common Vulnerability Scoring System
- CVE - Common Vulnerabilities and Exposures
- NVD - National Vulnerability Database

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVE is a list of common identifiers for publicly known cybersecurity vulnerabilities.

NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

A vulnerability assessment report is written after an assessment is performed. This report details what has been done and what has been discovered during the assessment. It is created to help organizations resolve security issues if they exist. Typically, reports contain information about the scan, target, and results. Reports are classified into the security vulnerability report and the security vulnerability summary.
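Returning to the first countermeasure listed under Protecting the network (configuring the firewall and IDS to detect scans), here is an added example, written for this page and not code from the original, that applies two detection rules to constructed firewall log lines. A per-packet rule matches the flag combinations that the Xmas, inverse-flag (NULL/FIN) and ACK-probe scans described above rely on; a sliding-window fan-out rule catches SYN-based connect and stealth scans, which look like ordinary connection attempts packet by packet, and ICMP ping sweeps. The log format, addresses and thresholds are assumptions made for the example.

```python
"""Scan detection over constructed firewall log lines (added example, not
code from the original page). The "<ts> <action> <proto> <src> -> <dst> ..."
log format is an assumption made here."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a SYN scan, four flag-manipulation probes, one benign connection.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z DROP TCP 203.0.113.5:44123 -> 192.0.2.10:21 flags=S
2024-05-01T10:00:00Z DROP TCP 203.0.113.5:44124 -> 192.0.2.10:22 flags=S
2024-05-01T10:00:01Z DROP TCP 203.0.113.5:44125 -> 192.0.2.10:23 flags=S
2024-05-01T10:00:01Z DROP TCP 203.0.113.5:44126 -> 192.0.2.10:25 flags=S
2024-05-01T10:00:02Z DROP TCP 203.0.113.5:44127 -> 192.0.2.10:80 flags=S
2024-05-01T10:00:02Z DROP TCP 203.0.113.5:44128 -> 192.0.2.10:110 flags=S
2024-05-01T10:00:03Z DROP TCP 203.0.113.5:44129 -> 192.0.2.10:443 flags=S
2024-05-01T10:00:03Z DROP TCP 203.0.113.5:44130 -> 192.0.2.10:445 flags=S
2024-05-01T10:00:03Z DROP TCP 203.0.113.5:44131 -> 192.0.2.10:3389 flags=S
2024-05-01T10:00:05Z DROP TCP 198.51.100.7:50001 -> 192.0.2.10:22 flags=FPU
2024-05-01T10:00:05Z DROP TCP 198.51.100.7:50002 -> 192.0.2.10:80 flags=
2024-05-01T10:00:06Z DROP TCP 198.51.100.7:50003 -> 192.0.2.10:443 flags=F
2024-05-01T10:00:07Z DROP TCP 198.51.100.7:50004 -> 192.0.2.10:445 flags=A
2024-05-01T10:01:00Z ALLOW TCP 192.0.2.50:51000 -> 192.0.2.10:443 flags=S
"""
# Constructed ping sweep: ICMP echo requests from one source to eight consecutive hosts.
SAMPLE_LOG += "".join(
    f"2024-05-01T10:00:1{i}Z DROP ICMP 198.51.100.9 -> 192.0.2.{i + 1} type=8\n"
    for i in range(8)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: flags=(?P<flags>[A-Z]*))?(?: type=(?P<itype>\d+))?$"
)

# TCP flag combinations no legitimate client uses to open a connection,
# mapped to the scan type each is characteristic of.
FLAG_SIGNATURES = {
    "FPU": "xmas probe (FIN+PSH+URG)",
    "": "null probe (no flags)",
    "F": "fin probe (FIN without ACK)",
    "A": "ack probe (ACK with no established connection)",
}


def parse(text):
    """Parse log text into event dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def detect(text, window=timedelta(seconds=10), fanout=8):
    """Return sorted (source, kind, detail) alerts.
    Rule 1 flags dropped TCP packets carrying scan-only flag combinations.
    Rule 2 counts distinct targets per source inside a sliding window to catch
    port scans (many ports on one host) and ping sweeps (ICMP echo to many hosts)."""
    events = parse(text)
    alerts = set()
    peak = {}  # (src, kind, target) -> largest distinct count seen in any window

    for ev in events:
        if ev["proto"] == "TCP" and ev["action"] == "DROP" and ev["flags"] in FLAG_SIGNATURES:
            alerts.add((ev["src"], "flag-signature", FLAG_SIGNATURES[ev["flags"]]))

    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            ports_by_host, echo_targets = defaultdict(set), set()
            for e in evs[start:end + 1]:
                if e["dport"]:
                    ports_by_host[e["dst"]].add((e["proto"], e["dport"]))
                elif e["proto"] == "ICMP" and e["itype"] == "8":
                    echo_targets.add(e["dst"])
            for host, ports in ports_by_host.items():
                key = (src, "port-scan", host)
                peak[key] = max(peak.get(key, 0), len(ports))
            key = (src, "ping-sweep", "*")
            peak[key] = max(peak.get(key, 0), len(echo_targets))

    for (src, kind, target), n in peak.items():
        if n >= fanout:
            unit = "ports on " + target if kind == "port-scan" else "hosts"
            alerts.add((src, kind, f"{n} distinct {unit} within {int(window.total_seconds())}s"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The window and fan-out threshold are the tuning knobs: too low and a busy legitimate client trips the port-scan rule, too high and a slow scan spread over minutes slips under it, which is exactly why the page's bypass section lists timing and decoy tricks and why a real IDS keeps per-source state for longer than a few seconds.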