Monday 31 August 2015

Ethical Hacking - Module 3 : Scanning5


Anonymizers








An anonymizer is an intermediate server placed in between the end user and web site that accesses the website on behalf of you, making your web surfing untraceable. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http :), file transfer protocol (ftp :), and gopher (gopher:) Internet services.

To visit a page anonymously, you can visit your preferred anonymizer site, and enter the name of the target website in the Anonymization field. Alternately, you can set your browser home
page to point to an anonymizer, so that every subsequent web access will be anonymized. Apart from this, you can choose to anonymously provide passwords and other information to sites that request you, without revealing any other information, such as your IP address. Crackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their applications configuration menu, thereby cloaking their malicious activities.


Why Use an Anonymizer

Ensures privacy: It protects your identity by making your web navigation activities untraceable. Your privacy is maintained until and unless you disclose your personal information on the web by filling out forms, etc.

Accesses government-restricted content: Most governments prevent their citizens from accessing certain websites or content in order to avoid them from accessing inappropriate information or sensitive information. But these people can access even these types of resources by an anonymizer located outside the country.

Protect you from online attacks: Anonymizers protect you from all instances of online pharming attacks by routing all customer Internet traffic via the anonymizer's protected DNS servers.


Bypass IDS and firewall rules: Bypassing of firewalls is mostly done in organizations or schools by employees or students accessing websites they are not supposed to access. An anonymizer service gets around your organization's firewall by setting up a
connection between your computer and the anonymizer service. By doing such, firewalls can see only the connection from you to anonymizer's web address. The anonymizer will then connect to Twitter or any website you wanted to access with the help of an Internet connection and sends the content back to you. For your
organization, it looks like your system is connected to an anonymizer's web address, but not to Twitter or other sites.


Types of Anonymizers

An anonymizer is a service through which one can hide their identity when using certain services of the Internet. It basically works by encrypting the data from your computer, so that is cannot be understood by Internet service providers or anyone who might try to access it. Basically, anonymizers are of two types:

* Networked anonymizers
* Single-point anonymizers


Networked Anonymizers

These type of anonymizer first transfers your information through a network of Internet computers before sending it to the website. Since the information passes through several Internet computers, it becomes more cumbersome fo r anyone trying to track your
information to establish the connection between you and anonymizer.


Example: If you want to visit any web page you have to make a request. The request will first pass through A, B, and C Internet computers prior to going to the website. Then after being opened, the page will be transferred back through C, B, and A and then to you.


Advantage: Complication of the communications makes tra ffic analysis complex.


Disadvantage: Any multi-node network communications have some degree of risk at each node for compromising confidentiality.

Single-point Anonymizers
 
Single-point anonymizers first transfer your information through a website before sending this to the target website, and then pass back information, i.e., gathered from the targeted website, through a website and then back to you to protect your identity.


Advantage: IP address and related identifying information are protected by the arms-length communications.


Disadvantage: It offers less resistance to sophisticated traffic analysis Ethical.


Tools:
      Psiphon
      Your-Freedom
      G-Zapper

Spoofing IP Address

Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker a fake IP in place of the attacker's assigned IP. When the attacker sends a connection request to
the target host, the target host replys to the attacker's request. But the reply is sent to the spoofed address. When spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources.


IP spoofing using Hping2:


# Hping2 www.cctechz.com -a 7.7.7.7


Using Hping2 you can perform IP spoofing. It helps you to send arbitrary TCP/IP packets to network hosts.


IP Spoofing Detection Techniques:
 

1. Direct TTL Probes

 

Initially send a packet to the host of suspect spoofed packet and wait for the reply. Check whether the TTL value in the reply matches with the TTL value of the packet that you are checking. Both will have the same TTL if they are the same protocol. Though, initial TTL values vary based on the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the commonly used initial values are 64 and 128 and for ICMP, the values are 128 and 255. If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. The hop count can be determined by deducting the TTL value in the reply from the initial TTL value. If the TTL in the reply is not matching with the TTL of the packet that you are checking, it is a spoofed packet. If the attacker knows the hop count between source and host, it will be very easy for the attacker to launch an attack. In this case, the test results in a false negative.

2.IP Identification Number




Spoofed packets can be identified based on the identification number (IP ID) in the IP header that increases each time a packet is sent. This method is effective even when both the attacker
and victim are on same subnet. 


To identify whether the packet is spoofed or not, send a probe packet to the target and observe the IP ID number in the reply. If it is in the near value as the packet that you are checking, then it is not a spoofed packet, otherwise it is a spoofed packet.

3. TCP Flow Control Method


The TCP can optimize the flow control on both the send and the receiver side with its algorithm. The algorithm accomplishes the flow control based on the sliding window principle. The flow of IP packets can be controlled by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. When the window size is set to zero, the sender should stop sending more data.

In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker who is unaware of the ACK packet containing window size information continues to send data to the victim. If the victim receives data packets beyond the window size, then the packets must be treated as spoofed. For effective flow control method and early detection of spoofing, the initial window size must be very small.


Most spoofing attacks occur during the handshake, as it is difficult to build multiple spoofing replies with the correct sequence number. Therefore, the flow control spoofed packet
detection must be applied at the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting the SYN request from a genuine client or a spoofed one, you should set the SYN-ACK to zero. If the sender sends an ACK with any data, then it means that the sender is the spoofed one. This is because when the SYN-ACK is set to zero, the sender must respond to it only with the ACK packet but not ACK with data.


IP Spoofing Counter measures 

Besides these basic countermeasures, you can perform the following to avoid IP spoofing attacks:

* You should limit the access to configuration information 

  on a machine
* You should always disable commands like ping
* You should reduce TTL fields in TCP/IP requests
* You should use multilayered firewalls



Scanning Pen Testing