Network and Host Mapping
Source: Ryan W. Maple - Posted by Ryan W. Maple
Learn tips and tricks. In order to keep yourself secure you must understand your enemy. Prevention is the only protection against becoming the victim of a security exploit. The first step is to determine what services your servers offer, so you can secure them in the best manner possible. Network scanning can be used to determine potential communication channels. Mapping their existence facilitates the exchange of information with the host, and is thus quite useful for anyone wishing to explore their networked environment, including attackers.

Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful. Once these listeners are found, means to exploit the host can be developed. Unnecessarily offering a particular service to a hacker means another avenue to exploit the host.

Many different types of scanning are currently available. These range from a simple ping test to see if a host is alive, through network broadcasts, to "stealth" probes that manipulate the ICMP, TCP, or UDP fields of a packet, deliberately violating the protocol definition in an attempt to slip past a firewall.

Becoming familiar with the tools and techniques an attacker might use to probe a network is the only way to know what information is available to someone who attempts to mount an attack against us. The things that can be determined by port scanning a machine include:

  • Services a host is offering, which can then be used to construct an appropriate attack based on the information gathered
  • Whether there is in fact a host at the IP address being scanned
  • A topology map of our network, which can be used to determine where firewalls and other hosts are positioned, trust relationships between those hosts, and routing and DNS information
  • Operating system identification, vendor release and version, as well as applications and their versions
  • Disclosure of the username and owner of any process connected via TCP, which can then be used to determine, for example, the user under which the web server is running

Where the port scan is initiated from determines what type of information can be gathered. A port scan run from outside a firewall will reveal less information than a port scan done from the local network. Scanning from the local network establishes the 'worst case' scenario: it gives us the same level of information an intruder would have, had she managed to subvert the firewall before doing the analysis. Scanning from outside the firewall is also useful for determining which ports are reachable from the public Internet, at which point firewall rules can be adjusted accordingly.

Many different network scanners exist today, both freely available and commercial. The one we will be using, and the one most hackers use, is called "nmap". It is a utility for scanning large networks, although it works fine for single hosts. It supports the following types of attack/analysis:

  • Vanilla TCP connect() scanning
  • TCP SYN (half open) scanning
  • TCP FIN, Xmas or NULL (stealth) scanning
  • TCP ftp proxy (bounce attack) scanning
  • SYN/FIN scanning using IP fragments (bypasses firewalls)
  • UDP raw ICMP port unreachable scanning
  • TCP Ping scanning
  • ICMP scanning
  • Direct (non portmapper) RPC scanning
  • Remote OS Identification by TCP/IP fingerprinting
  • Reverse-ident scanning

Nmap is highly configurable, and offers many services:

  • Flexible target and port specification, so an entire network or only a single host can be scanned at once
  • Decoy scanning, which can be used to keep intrusion detection systems from identifying the real host performing an attack
  • Determination of TCP sequence predictability, which can be used in man-in-the-middle attacks
  • Output to machine-parseable or human-readable log files for analysis
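Two of the points above are worth putting into code: the machine-parseable output, and the earlier observation that a scan run from inside the firewall should be compared with one run from outside so the firewall rules can be adjusted. The following is an added example, not code from the original article or from the nmap project. It parses nmap's grepable (-oG) output format, where each "Ports:" entry is written as port/state/protocol/owner/service/rpc/version/, and compares an inside scan with an outside scan of the same hosts against an assumed policy of which services are meant to be public. Both scan outputs and the policy are constructed samples for the example.

```python
"""Compare an inside and an outside nmap -oG scan of the same hosts.

Reports services reachable from outside that policy says should be
blocked, and services that are only reachable from the inside.
"""
from collections import defaultdict

# Constructed sample in nmap grepable format (not real scan output).
INSIDE_SCAN = """\
# Nmap scan initiated (constructed sample, run from the LAN)
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, 443/open/tcp//https//Apache httpd/, 3306/open/tcp//mysql//MySQL/\tIgnored State: closed (996)
Host: 192.0.2.11 (db.example)\tStatus: Up
Host: 192.0.2.11 (db.example)\tPorts: 22/open/tcp//ssh//OpenSSH/, 3306/open/tcp//mysql//MySQL/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

OUTSIDE_SCAN = """\
# Nmap scan initiated (constructed sample, run from the Internet side)
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd/, 443/open/tcp//https//Apache httpd/, 3306/open/tcp//mysql//MySQL/\tIgnored State: filtered (996)
Host: 192.0.2.11 (db.example)\tStatus: Up
Host: 192.0.2.11 (db.example)\tPorts: 22/filtered/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: filtered (998)
# Nmap done (constructed sample)
"""

# Assumed policy: the only services meant to be reachable from the Internet.
PUBLIC_ALLOWED = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},
    "192.0.2.11": set(),
}


def parse_grepable(text):
    """Return {ip: {(proto, port): (state, service, version)}} from -oG text."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and blank lines
        fields = line.split("\t")         # sections are tab-separated
        ip = fields[0].split()[1]         # "Host: <ip> (<name>)"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue              # malformed entry: skip, do not crash
                port, state, proto = int(parts[0]), parts[1], parts[2]
                hosts[ip][(proto, port)] = (state, parts[4], parts[6])
    return dict(hosts)


def open_ports(scan):
    """Reduce a parsed scan to {ip: set of (proto, port) reported open}."""
    return {ip: {key for key, val in ports.items() if val[0] == "open"}
            for ip, ports in scan.items()}


def exposure_report(inside_text, outside_text, allowed):
    """For each host: open ports exposed outside but not allowed by policy,
    and open ports that only the inside scan can see."""
    inside = open_ports(parse_grepable(inside_text))
    outside = open_ports(parse_grepable(outside_text))
    report = {}
    for ip, inside_open in inside.items():
        outside_open = outside.get(ip, set())
        report[ip] = {
            "unexpected_public": sorted(outside_open - allowed.get(ip, set())),
            "internal_only": sorted(inside_open - outside_open),
        }
    return report


if __name__ == "__main__":
    for ip, findings in exposure_report(INSIDE_SCAN, OUTSIDE_SCAN, PUBLIC_ALLOWED).items():
        print(ip, findings)
```

In the constructed sample the firewall correctly filters ssh and the database host, but MySQL on web.example is reachable from outside even though policy lists only HTTP and HTTPS, which is exactly the kind of finding that should drive a firewall rule change. Real -oG output from `nmap -sV -oG file` is parsed the same way.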

Graphical support, as well as command-line support, is available with nmap. Using the graphical front end, we will be able to determine:

  • Hosts that respond to ICMP
  • Version of Solaris that is reported
  • Services the servers are offering. This will be determined using SYN/FIN scanning.

The attacker community is investing an incredible amount of effort in scanning the Internet. The single most important service for our site to block is ICMP echo requests. Many attacks begin with this kind of probe, not just a ping to see whether a host is reachable. Recon probes should be taken seriously: if attackers can learn where your hosts are, they can make fairly short work of determining what services those hosts run. If they can't determine which of the hosts in our network address space are active, they have a very sparse matrix to deal with.
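Blocking echo requests at the firewall is the first step; the second is noticing when someone is mapping you. The following is an added example, not code from the original article, that runs simple recon detection over iptables-style kernel log lines: it flags a source that probes many (host, port) pairs within a short window, and a source that sends ICMP echo requests (type 8) to many hosts, i.e. a ping sweep. The log lines are constructed, and the `FW-DROP:` prefix is an assumed `--log-prefix`, not a standard value; thresholds and window length are assumptions to be tuned per site.

```python
"""Detect port scans and ping sweeps in iptables-style kernel log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source probes eight TCP ports on one host,
# another pings six hosts, a third makes a single ordinary connection.
SAMPLE_LOG = """\
Nov 20 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Nov 20 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Nov 20 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Nov 20 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Nov 20 10:15:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Nov 20 10:15:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110 SYN
Nov 20 10:15:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=143 SYN
Nov 20 10:15:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=443 SYN
Nov 20 10:16:10 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:16:10 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.2 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:16:11 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:16:11 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.4 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:16:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:16:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.6 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:20:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=8080 SYN
"""

# syslog timestamp, host, "kernel:", then the netfilter key=value fields
LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")


def parse_line(line):
    """Return a dict with ts/src/dst/proto/dpt/icmp_type, or None if not a firewall log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))  # OUT= yields ""
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # year-less, fine for deltas
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        "dpt": fields.get("DPT"),
        "icmp_type": fields.get("TYPE"),
    }


def detect(log_text, window_s=60, port_threshold=5, sweep_threshold=4):
    """Return [(src, kind, count)] for sources whose activity inside any
    window_s-second window reaches the thresholds (assumed defaults)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    findings = []
    for src, evs in per_src.items():
        window = deque()
        peak_pairs, peak_hosts = 0, 0
        for e in evs:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()            # slide the window forward
            pairs = {(w["dst"], w["dpt"]) for w in window
                     if w["proto"] in ("TCP", "UDP") and w["dpt"]}
            hosts = {w["dst"] for w in window
                     if w["proto"] == "ICMP" and w["icmp_type"] == "8"}
            peak_pairs = max(peak_pairs, len(pairs))
            peak_hosts = max(peak_hosts, len(hosts))
        if peak_pairs >= port_threshold:
            findings.append((src, "port_scan", peak_pairs))
        if peak_hosts >= sweep_threshold:
            findings.append((src, "ping_sweep", peak_hosts))
    return findings


if __name__ == "__main__":
    for src, kind, count in detect(SAMPLE_LOG):
        print(f"{src}: {kind} ({count} distinct targets within the window)")
```

Counting distinct (host, port) pairs rather than raw packet volume keeps retransmissions from one legitimate client from tripping the rule, and the sliding window keeps a slow drip of unrelated drops from accumulating into a false finding. The single connection from 203.0.113.99 is correctly left alone.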
