3. Banner Grabbing or OS Fingerprinting
It can be categorized into two categories:
- Active Banner grabbing
- Passive Banner grabbing
Active Banner grabbing
Specially crafted packets are sent to the target operating system and its response is noted.
The responses are then matched against a database to determine the operating system.
The responses from different operating systems vary because of differences in their TCP/IP stack implementations.
Passive Banner grabbing
Banner grabbing from error messages:
Error messages provide information such as the type of server, the type of operating system, etc.
Sniffing the network traffic:
Capturing the network traffic and analyzing the packets from the target system enables an attacker to determine the operating system used by the target.
Banner grabbing from page extensions:
Looking at the extension in the URL may help in determining the application and platform, e.g. .aspx => IIS server and Windows platform.
- .asp/.aspx: A sure sign that the target is running Microsoft Active Server Pages technology.
- .jsp: Java-based web technology. Most of the time the database used with JSP is MySQL; this can be used as a guess.
- .php: PHP + HTML
- .cfm: Macromedia ColdFusion
- .asmx: .NET/J2EE
- .jws: Java web services
- .wsdl: Web Service Definition Language (WSDL)
Tools
ID Serve: Install the ID Serve software, give it the domain name and port that you need to grab, and it will give you the details.
Netcraft: Give details about a domain.
Netcat(nc)
$ nc domain.com 80
HEAD / HTTP/1.1
host: localhost
HTTP/1.1 302 Found
Date: Mon, 07 Jan 2013 22:41:20 GMT
Server: Apache
X-Powered-By: PHP/4.3.11
Location: ./user/index.php
Connection: close
Content-Type: text/html
# nc 192.168.1.103 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
An HTTP/1.1 request without a Host header is answered with 400 Bad Request, but the error response still carries the Server header, so the banner is obtained either way.
Curl
$ curl -I http://domain.com
HTTP/1.1 200 OK
Date: Mon, 07 Jan 2013 22:42:08 GMT
Server: Apache
Last-Modified: Mon, 10 Sep 2012 11:34:38 GMT
ETag: "580005-1270-504dd04e"
Accept-Ranges: bytes
Content-Length: 4720
Connection: close
Content-Type: text/html
Telnet
$ telnet domain.com 80
Trying 85.10.192.140...
Connected to fabian-affolter.ch.
Escape character is '^]'.
HEAD / HTTP/1.1
host: localhost
HTTP/1.1 302 Found
Date: Mon, 07 Jan 2013 22:52:27 GMT
Server: Apache
X-Powered-By: PHP/4.3.11
Location: ./user/index.php
Connection: close
Content-Type: text/html
Connection closed by foreign host.
NMAP
$ nmap -sV -p 80 --script=banner domain.com
Starting Nmap 6.01 ( http://nmap.org ) at 2013-01-08 00:14 CET
Nmap scan report for fabian-affolter.ch (85.10.192.140)
Host is up (0.030s latency).
rDNS record for 85.10.192.140: tux29.hoststar.ch
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.56 seconds
Wget
# wget -q -S domainname.com
HTTP/1.1 200 OK
Date: Mon, 07 Jan 2013 23:43:56 GMT
Server: Apache
Last-Modified: Mon, 10 Sep 2012 11:34:38 GMT
ETag: "580005-1270-504dd04e"
Accept-Ranges: bytes
Content-Length: 4720
Connection: close
Content-Type: text/html
The banner might look something like the following:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<p>Additionally, a 404 Not Found error was encountered.</p><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server
at 72.52.230.233 Port 80</address>
</body></html>
The HTML is returning several errors, which can be ignored. The real information is at the end, in the <address> section, where you can see the following:
- Apache/2.2.25 (Unix) – This is an Apache web server version 2.2.25 running on a Unix system.
- mod_ssl/2.2.25 – This is the Apache module that provides SSL and TLS support.
- OpenSSL/1.0.0-fips – This is the open source implementation of the SSL and TLS protocols, built in FIPS (Federal Information Processing Standard) mode.
- mod_auth_passthrough/2.1 – An Apache module that allows other programs to use their own authentication methods.
- mod_bwlimited/1.4 – This identifies a cPanel module used for monitoring bandwidth.
- FrontPage/5.0.2.2635 – FrontPage Server Extensions are enabled.
- Server at 72.52.230.233 Port 80 – This shows the IP address and port number.
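The footer above is free text until you parse it. The following is an added example (not code from the original post) that turns the disclosing headers and the Apache <address> footer quoted on this page into a product-to-version inventory, the kind of record a defender keeps to see which exact versions a server advertises; the sample strings are re-typed from the page, and the header names are the common disclosing ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed inputs, re-typed from the banner and headers quoted on this page.
ADDRESS_FOOTER = ("Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips "
                  "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 "
                  "Server at 72.52.230.233 Port 80")
RAW_HEADERS = ("HTTP/1.1 302 Found\r\n"
               "Date: Mon, 07 Jan 2013 22:41:20 GMT\r\n"
               "Server: Apache\r\n"
               "X-Powered-By: PHP/4.3.11\r\n"
               "Location: ./user/index.php\r\n"
               "Connection: close\r\n\r\n")

# One 'Product/Version' token, optionally followed by a '(comment)' such as '(Unix)'.
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/([\w.-]+)(?:\s+\(([^)]*)\))?")

# Response headers that commonly name server-side software.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

def parse_tokens(banner: str) -> List[Tuple[str, str, str]]:
    """Split a banner into (product, version, comment) triples; plain words
    such as 'Server at ... Port 80' carry no slash and are skipped."""
    return [(m.group(1), m.group(2), m.group(3) or "") for m in TOKEN.finditer(banner)]

def disclosing_headers(raw: str) -> Dict[str, str]:
    """Return the lower-cased disclosing headers found in a raw HTTP response head."""
    found: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() in DISCLOSING:
            found[name.strip().lower()] = value.strip()
    return found

def version_inventory(raw: str, footer: str) -> Dict[str, str]:
    """Merge every exact version disclosed by the headers and the error-page footer.
    'Server: Apache' alone yields nothing (product only); the footer yields the
    exact Apache, mod_ssl, OpenSSL and module versions."""
    inventory: Dict[str, str] = {}
    for value in disclosing_headers(raw).values():
        for product, version, _ in parse_tokens(value):
            inventory[product] = version
    for product, version, _ in parse_tokens(footer):
        inventory[product] = version
    return inventory

if __name__ == "__main__":
    for product, version in sorted(version_inventory(RAW_HEADERS, ADDRESS_FOOTER).items()):
        print(f"{product:22s} {version}")
```

On the server side, Apache's ServerTokens Prod and ServerSignature Off directives reduce the Server header to "Apache" and drop the footer, so the inventory collapses to product names only.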
4. Scanning Beyond IDS / Firewall
Intrusion Detection System (IDS): An intrusion detection system (IDS) detects malicious activities by inspecting all inbound and outbound network activity. It automatically alerts network security administrators when someone is performing malicious activities. An IDS works by monitoring the network traffic for malicious and suspicious activities.
Hackers can easily fool IDS systems into treating their attack as legitimate traffic, using techniques like fragmentation and obfuscation to avoid detection.
Fragmentation: Fragmentation means breaking a single packet into multiple smaller packets in order to allow the packets to traverse the network. These smaller packets are called fragments.
An attacker can bypass an intrusion detection system (IDS) with the help of a port scanner that has a fragmentation feature, such as Nmap. This works because most IDSs fail to process large numbers of fragmented packets, since reassembling them costs more CPU time and memory. To accomplish this we use SYN/FIN scanning using IP fragments.
SYN/FIN Scanning Using IP Fragments: The TCP header is split across multiple packets so that the IDS is not able to tell what the packet is intended to do.
e.g.: nmap -sS -T4 -A -f -v 192.168.1.101
- -sS: SYN scan
- -T<0-5>: Set timing template (higher is faster)
- -A: Enable OS detection, version detection, script scanning, and traceroute
- -f; --mtu <val>: Fragment packets (optionally with the given MTU)
- -v: Verbose
We can also use Nessus.
There are also two types of IDS/IPS that might be installed on the target machine; this is a situation that a penetration tester needs to handle. There are many different Nmap techniques that can be used in this situation, for example:
TCP ACK Scan (-sA)
It is always good to send ACK packets rather than SYN packets, because if there is an active firewall on the remote computer it cannot log the ACK packets, since firewalls treat an ACK packet as the response to a SYN packet.
As a penetration tester you need to check the response of a firewall; there might be four types of responses:
- Open port (few ports in the case of the firewall)
- Closed port (most ports are closed because of the firewall)
- Filtered (Nmap is not sure whether the port is open or not)
- Unfiltered (Nmap can reach the port but still cannot tell whether it is open)
So these are some important responses that you might get during a penetration test. The ACK scan is slightly different from the other scanning techniques because it has not been designed to discover open ports, but it can determine filtered and unfiltered responses. Let's compare the two results of an ACK scan.
So now it is very easy to find out whether the target computer has a firewall enabled or not, since a simple ACK scan means a lower chance of detection on the victim's side but a high chance for the attacker to discover the firewall. The results of a SYN scan for both situations are as follows:
Note: The victim is the Windows computer in all cases, with three situations:
- Firewall enabled
- Firewall enabled + all ports are closed
- Firewall disabled
TCP Window Scan (-sW)
Very similar to the ACK scan with a small difference, the TCP window scan has been designed to differentiate between open and closed ports instead of only showing unfiltered. It also requires root privilege to execute. Let's examine the different responses of a TCP window scan.
This type of scan does not open any active session with the target computer, so there is no chance that the victim's computer can create a log of the activities. It works on the simple principle of sending ACK packets and receiving a single RST packet in response.
Fragment Packets (-f)
It is a very general concept and can be used in many different situations; for example, if the target machine does not have the capability to handle larger packets, then the fragmentation technique is useful to evade the firewall. The parameter for this technique is -f; it splits the request into small IP fragments. You can use -f twice (-ff) if you want to break the headers up further.
Specify a specific MTU
Nmap gives the user the option to set a specific MTU (Maximum Transmission Unit) for the packets. This is similar to the packet fragmentation technique explained above. During the scan Nmap will create packets of the size that we give. In this example we gave the number 24, so Nmap will create 24-byte packets, confusing the firewall. Keep in mind that the MTU number must be a multiple of 8 (8, 16, 24, 32, etc.). You can specify the MTU of your choice with the command --mtu number target.
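From the defender's side, the -f, -ff and --mtu techniques described above (and the SYN/FIN-with-fragments section earlier) all produce a datagram whose first fragment is too short to hold the 20-byte TCP header, so a filter that does not reassemble cannot see the TCP flags. The following is an added example, not code from the original post, that applies that check (the RFC 1858 "tiny fragment" condition) to constructed fragment records, which are hypothetical and laid out the way -f (8-byte pieces) and -ff (16-byte pieces) split a header.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_HEADER_MIN = 20   # bytes: ports occupy bytes 0-3, the TCP flag byte is byte 13

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int         # IP identification field shared by all pieces of one datagram
    proto: int         # 6 = TCP
    offset: int        # fragment offset in bytes (header field value * 8)
    more: bool         # MF (more fragments) flag
    payload_len: int   # transport-layer bytes carried by this fragment

# Constructed sample records (hypothetical capture, not from the page):
# datagram 0x1234 split into 8-byte pieces as -f does, 0x1235 into 16-byte
# pieces as -ff does, and 0x1236 an ordinary unfragmented SYN from another host.
SAMPLE = [
    Fragment("10.0.0.5", "192.168.1.101", 0x1234, 6, 0, True, 8),
    Fragment("10.0.0.5", "192.168.1.101", 0x1234, 6, 8, True, 8),
    Fragment("10.0.0.5", "192.168.1.101", 0x1234, 6, 16, False, 4),
    Fragment("10.0.0.5", "192.168.1.101", 0x1235, 6, 0, True, 16),
    Fragment("10.0.0.5", "192.168.1.101", 0x1235, 6, 16, False, 4),
    Fragment("10.0.0.9", "192.168.1.101", 0x1236, 6, 0, False, 20),
]

def tiny_first_fragments(frags: List[Fragment]) -> List[Tuple[str, int, int]]:
    """Return (src, ip_id, first_fragment_len) for each TCP datagram whose first
    fragment cannot hold a complete TCP header, so the flags (and possibly the
    ports) exist only after reassembly; a non-reassembling filter cannot classify it."""
    by_datagram: Dict[Tuple[str, str, int], List[Fragment]] = defaultdict(list)
    for f in frags:
        by_datagram[(f.src, f.dst, f.ip_id)].append(f)
    hits = []
    for (src, _dst, ip_id), pieces in by_datagram.items():
        first = next((p for p in pieces if p.offset == 0), None)
        if first is None or first.proto != 6:
            continue
        if first.more and first.payload_len < TCP_HEADER_MIN:
            hits.append((src, ip_id, first.payload_len))
    return hits

def noisy_sources(frags: List[Fragment], threshold: int = 2) -> Dict[str, int]:
    """Count tiny-first-fragment datagrams per source; a fragmented scan produces many."""
    counts = Counter(src for src, _, _ in tiny_first_fragments(frags))
    return {src: n for src, n in counts.items() if n >= threshold}
```

Reassembling fragments before inspection removes the evasion itself; this check is for flagging the attempt in a capture or flow log where reassembly is not done.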
Use Decoy addresses
In this type of scan you can instruct Nmap to spoof packets from other hosts. In the firewall logs there will be not only our IP address but also the IP addresses of the decoys, so it will be much harder to determine from which system the scan started. There are two options that you can use in this type of scan:
- nmap -D RND:10 [target] (generates random decoy addresses)
- nmap -D decoy1,decoy2,decoy3 etc. [target] (manually specify the IP addresses of the decoys)
Source port number specification
A common error that many administrators make when configuring firewalls is to set up a rule that allows all incoming traffic coming from a specific source port number. The --source-port option of Nmap can be used to exploit this misconfiguration. Common ports used for this type of scan are 20, 53 and 67.
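The misconfiguration above is easy to audit for. The following is an added example, not code from the original post, that scans an iptables-save style ruleset for inbound ACCEPT rules that trust traffic purely by source port, with no connection-state match; the ruleset is constructed and hypothetical, and the "high"/"review" labels are this example's own convention.

```python
import re
from typing import List, Tuple

# Constructed iptables-save excerpt (hypothetical, not from the page). Rule 3
# accepts anything that merely claims source port 53; rule 4 trusts port 20
# toward all high ports; rule 5 is the usual DHCP client rule.
SAMPLE_RULES = """\
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j DROP
"""

SPORT = re.compile(r"--sport\s+(\S+)")
DPORT = re.compile(r"--dport\s+(\S+)")

def source_port_trust(rules: str) -> List[Tuple[str, str, str]]:
    """Return (severity, source_port, rule) for every inbound ACCEPT rule that
    admits traffic because of its source port without a connection-state match:
    'high' when any destination port is accepted, 'review' when --dport limits it."""
    findings = []
    for line in rules.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if "--ctstate" in line or "--state" in line:
            continue                      # stateful rules are not the pattern in question
        sport = SPORT.search(line)
        if sport is None:
            continue
        dport = DPORT.search(line)
        severity = "high" if dport is None else "review"
        findings.append((severity, sport.group(1), line))
    return findings

if __name__ == "__main__":
    for severity, sport, rule in source_port_trust(SAMPLE_RULES):
        print(f"[{severity}] source port {sport}: {rule}")
```

The fix is to admit replies by connection state (the conntrack ESTABLISHED,RELATED rule at the top) rather than by the port a packet claims to come from.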
Append Random Data
Many firewalls inspect packets by looking at their size in order to identify a potential port scan, because many scanners send packets of a specific size. To avoid that kind of detection you can use the --data-length option to add extra data and send packets with a different size than the default. In the example shown, the packet size was changed by adding 25 more bytes.
Scan with Random Order
In this technique you scan a number of hosts in random order rather than sequentially. The option that instructs Nmap to scan hosts in random order is --randomize-hosts. Combined with slow timing options, this technique can be very effective when you do not want to alert firewalls.
Spoof MAC Address
This is one of the simpler techniques: you can spoof your (attacker) MAC address. MAC address spoofing makes it very difficult for the victim to identify the computer that originated the incoming request. Nmap can select a completely random MAC address for each scan based on a vendor name; the other option is to specify the MAC address manually (by doing this an attacker can spoof the address of a computer on the same network). Nmap has a database called nmap-mac-prefixes, and whenever a vendor name is given it looks in that database to find a suitable MAC prefix.
# nmap --spoof-mac Cisco 192.168.1.3
Nmap Timing Options
Timing options are a very important and interesting feature of Nmap, since sometimes you need to add a delay between requests. There are many reasons for this, but the most important one is stress on the network; sometimes the victim's computer, and even the network, cannot handle a big request. As a penetration tester you need to make sure that your scanning is not treated as a Denial of Service (DoS) attack, so timely requests and responses are very important aspects of scanning.
Delay (--scan-delay)
Host Timeout Option (–host-timeout)
Sometimes a host takes too much time to respond, and if you are scanning an entire network it is very difficult to wait for a single host. There can be many reasons for a slow response, for example network connectivity and the firewall, so if you do not want to waste your time you can set a time limit.
Check Nmap Scripting.
5. Scan for Vulnerability
Vulnerability scanning checks systems for weaknesses in an application, computer or network.
- External vulnerability scans
- Internal vulnerability scans
- Black-box testing
- Grey-box testing
- White-box testing
Enter Goolag Scan
Goolag Scan, cDc's Google-powered vulnerability scanner, uses selected search queries to uncover links to exposed Web applications, backdoors and documents that contain potentially useful information for attackers. Although skilled hackers have long been able to find such material with their own custom-search techniques, Goolag Scan promises to give the same power to far less knowledgeable individuals, conceivably expanding the ranks of attackers significantly.
Tools
- Nessus
- GFI LanGuard
- Qualys
- Metasploit