Technology: INFORMATION SECURITY AND ETHICAL
HACKING.
December 2012
Project Title
To Find Out Network Vulnerabilities and To Patch
Them.
(Network Scanner).
Submitted By
Emmanuel Udeagha
Guided By
Mr. RAVIKANT SHRIVAS (Faculty)
Submitted To:- Appin Technology Lab
Ikeja, Lagos Nigeria.
ACKNOWLEDGEMENT
Apart from the efforts of myself, the success of any project depends largely on the
encouragement and guidelines of many people who in one way or another
contributed to the completion of the work. I take this opportunity to express my
gratitude to the people who have been instrumental in the successful completion of
this project work. I would like to show my unreserved gratitude to Mr. Ravikant
Shrivas who, from the beginning of my class all through the duration of this piece
of work, has been wonderful in terms of support and guidance. My appreciation
goes to all friends, colleagues and Staff members of Appin Technology who in one
way or another contributed to the success of this work.
Emmanuel Udeagha
DEDICATION
This piece of work is dedicated to everyone who rendered unreserved assistance all
through my training period and up till the time of this research work.
About the Company
Appin Technology
Appin Technologies is a global Information Security company focused on training,
consulting and outsourcing services. The company was formed as a merger of two entities,
XIRS Ventures Inc based in Austin Texas and XIRS Appin incubated inside IIT, Delhi India.
Later the name XIRS was dropped from the company and the merged entity is known as
Appin Technologies. From USA & India, the company has now expanded its operations to
Europe, Africa and South East Asia as well.
Appin Knowledge Solutions
Appin Knowledge Solutions, the education & training arm of Appin Technologies, runs over
75 training centres globally focused on imparting instructor-led training in Information
Security, Ethical hacking, Secured Programming, Embedded systems & related IT domains.
It also sells distance learning courses in over 71 countries across 6 continents. It has
trained over 83000 candidates via training products and services. The company is among
the top 5 Training providers in India according to The Week magazine.
Visit the website: www.appinonline.com
TABLE OF CONTENT
Introduction ........................................................ 6
Chapter One
Scanning ............................................................ 7
Types of Vulnerability Scanning ..................................... 7
Network Scanning .................................................... 8
IP Scanning ......................................................... 9
Web Application Scanning ............................................ 9
Database Security Scanning ......................................... 10
Port Scanning ...................................................... 11
Types of Port Scanning ............................................. 11
TCP vs Port Scans .................................................. 12
Vulnerability Assessment ........................................... 13
Chapter Two
Vulnerability Identification and Patch Acquisition ................. 15
Product vendor websites and mailing lists .......................... 15
Third-party security advisory websites ............................. 15
Security advisory websites run by CERTs ............................ 15
Security advisory websites / resources run by security vendors ..... 16
Risk Assessment and Prioritisation ................................. 16
Threats ............................................................ 16
Vulnerability ...................................................... 17
Criticality ........................................................ 17
Patch Testing ...................................................... 17
Deployment and Verification ........................................ 18
Patch Distribution and Application Tools ........................... 18
Cross-platform patch management systems ............................ 18
Platform specific patch management solutions ....................... 19
Patch Management Governance ........................................ 19
Security Considerations ............................................ 20
Criteria for Choosing a Patch Management Solution .................. 21
Fewer Vulnerabilities .............................................. 22
System compatibility ............................................... 21
Vendor Responsiveness to New Vulnerabilities ....................... 21
Ease of Deployment and Maintenance ................................. 21
Audit Trail ........................................................ 21
Summary ............................................................ 22
Nmap Commands ...................................................... 23
Reference .......................................................... 27
Introduction
As electronic commerce, online business-to-business operations, and global connectivity
have become vital components of a successful business strategy, enterprises have adopted
security processes and practices to protect information assets. Most companies work
diligently to maintain an efficient, effective security policy, implementing the latest
products and services to prevent fraud, vandalism, sabotage, and denial of service attacks.
However, many enterprises overlook a key ingredient of a successful security policy:
they do not test the network and security systems to ensure that they are working as
expected and that there are no vulnerabilities an attacker could take advantage of to
steal confidential information.
Network penetration testing—using tools and processes to scan the network environment
for vulnerabilities—helps refine an enterprise’s security policy, identify vulnerabilities,
and ensure that the security implementation actually provides the protection that the
enterprise requires and expects. Regularly performing penetration tests or vulnerability
checks helps enterprises uncover network security weaknesses that can lead to data or
equipment being compromised or destroyed by exploits (attacks on a network, usually by
"exploiting" a vulnerability of the system), Trojans (viruses), denial of service attacks,
and other intrusions. Testing also exposes vulnerabilities that may be introduced by
patches and updates or by misconfigurations on servers, routers, and firewalls.
SecureTEST, a security scanning service of VeriSign Consulting, uses proven
methodologies and tools to detect vulnerabilities in the enterprise’s network, and to then
recommend repairs or corrections if necessary. SecureTEST services can be tailored to an
enterprise’s specific needs and include three levels of assessment. As the industry leader
in trust services, VeriSign has the expertise, experience, and technology to recognize and
detect security vulnerabilities and to provide effective, enterprise-wide solutions for
them.
GFI LanGuard is another security scanning software that smaller enterprises use to
check for vulnerabilities and possible loopholes intruders might take advantage of to
compromise a company’s network, creating back doors in order to have permanent access.
In this project work, GFI LanGuard will be solely used as a Network scanning and
vulnerability checking tool to ensure that all backdoors (undocumented access to the
network) and loopholes are blocked, and that a proper patching method is applied to reduce
the risk of the network being exploited by attackers.
Chapter One: Scanning
In order for a security administrator to discover vulnerabilities on a Network before hackers
exploit such loopholes to compromise the network and steal confidential information,
there are key steps, or must-dos, to ensure that Network vulnerabilities and backdoors are
constantly kept in check; those steps are discussed below.
Scanning is the process of examining carefully. In this context, it is a process in which
Security administrators carefully examine a Computer Network with a focus on finding
vulnerabilities with the aid of tools and software such as Nmap, GFI LanGuard, firewalls
and antivirus.
A Network, on the other hand, is a collection of computers, software, and hardware that are
all connected to help their users work together. A Network connects computers by means of
cabling systems, specialized software, and devices that manage data traffic. A Network
enables users to share files and resources, such as printers, as well as send messages
electronically (e-mail) to each other.
Types of Vulnerability Scanning
Below are the types of vulnerability scanning; only a few of those listed will be
discussed in this piece.
- Network scanning
- Port Scanning
- Web application security scanning
- Database security scanning
- ERP security scanning
- Computer worm
Network Scanning
We need to understand that Network scanning is a procedure for identifying active hosts
on a network, either for the purpose of attacking them or for network security assessment.
Scanning procedures, such as ping sweeps and port scans, return information about which
IP addresses map to live hosts that are active on the Internet and what services they offer.
Another scanning method, inverse mapping, returns information about what IP addresses
do not map to live hosts; this enables an attacker to make assumptions about viable
addresses. Scanning is one of three components of intelligence gathering for an attacker.
In the footprinting phase, the attacker creates a profile of the target organization, with
information such as its domain name system (DNS) and e-mail servers, and its IP address
range. Most of this information is available online. In the scanning phase, the attacker
finds information about the specific IP addresses that can be accessed over the Internet,
their operating systems, the system architecture, and the services running on each
computer. In the enumeration phase, the attacker gathers information such as network user
and group names, routing tables, and Simple Network Management Protocol (SNMP) data. It is
however imperative to understand that Network exploitation is 90% information gathering
and 10% attack. This means that an attacker spends most of his time gathering information
about a target Network and understanding more of its strengths and weaknesses.
IP Scanning
IP scanning is a type of scan on your local area Network to determine the identity of all
active machines and internet devices on the LAN. During IP scanning with the aid of
software, one can customize the results once a device is identified.
IP Scanning
Web Application scanning
A web application security scanner is a program which communicates with a web
application through the web front-end in order to identify potential security
vulnerabilities in the web application and architectural weaknesses. It performs a
black-box test. Unlike source code scanners, web application scanners don't have access
to the source code and therefore detect vulnerabilities by actually performing attacks.
Web Vulnerability Scanning
Web applications have been highly popular since 2000 because they allow users to have
an interactive experience on the Internet. Rather than just view static web pages, users are
able to create personal accounts, add content, query databases and complete transactions.
In the process of providing an interactive experience web applications frequently collect,
store and use sensitive personal data to deliver their service. Customers benefit from the
convenience of these applications, while tacitly taking on risk that private information
stored in web applications will be compromised through hacker attacks, insider leaks etc.
Database Security Scanning
Database scanning is the process of scanning a Database, with the aid of software, for
vulnerabilities, configuration issues, weak passwords, missing patches, access control
concerns and other issues that can lead to user privilege escalation. Testing systems for
the occurrence of these flaws and generating a report of the findings will help a Security
administrator protect an enterprise’s Database from being exploited by attackers.
Checking Risk Level
Port scanning
When live systems are discovered, an attacker will usually attempt to discover which
services are available for exploitation. This is accomplished by a technique commonly
known as Port Scanning. Every application has a specific port number associated with it
that identifies that application. Through the use of port numbers, intruders can gain
information on which applications and network services are available to be
exploited. Nmap was the first general purpose port scanning tool available.
The intruder may follow these steps to gain unauthorized access to a web server:
a. DNS query to figure out which web servers are available
b. Ping sweep to see which servers are alive and accessible
c. Port scan to see which services are available for exploitation.
Considering the possible steps a hacker would follow to gain information about a target
web server, a Network engineer must ensure that the safety of his organization’s
Network is periodically checked to ascertain whether it stands at risk of being compromised
by intruders. Understanding the types of Port scanning will help the IT department
know when a Hacker is carrying out a Scan (Remote or Local) on its Network territory.
Types of Port Scans:
- Vanilla: the scanner attempts to connect to all 65,535 ports
- Strobe: a more focused scan looking only for known services to exploit
- Fragmented packets: the scanner sends packet fragments that get through simple
packet filters in a firewall
- UDP: the scanner looks for open UDP ports
- Sweep: the scanner connects to the same port on more than one machine
- FTP bounce: the scanner goes through an FTP server in order to disguise the source
of the scan
- Stealth scan: the scanner blocks the scanned computer from recording the port scan
activities.
Port scanning is not a crime. There is no way to stop someone from port scanning your
computer while you are on the Internet because accessing an Internet server opens a port,
which opens a door to your computer. There are, however, software products that can stop
a port scanner from doing any damage to your system.
Port Scanning.
TCP vs. Port-Scanning
TCP                              | Port-Scanning
Receiver acks packets.           | Packets may not produce answers.
Timeouts are error conditions.   | Timeouts are not error conditions.
Sequence numbers are used.       | No sequence numbers.
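The table above contrasts a scanner's traffic with normal TCP behaviour, and the list of scan types earlier in this chapter says that recognising them lets the IT department tell when a scan is under way. The following Python script is an added example, not part of this report and not GFI LanGuard's or Nmap's code: it parses a few constructed firewall log lines (the key=value layout and the thresholds are assumptions) and flags a vertical scan (one source probing many ports on one host, as in the vanilla and strobe scans) and a sweep (one port across many hosts). Ordinary client traffic, which touches only a handful of ports, stays below the thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not taken from the report). The key=value
# layout is a hypothetical syslog-style format; adapt LINE_RE to your own device.
# 203.0.113.7 probes ten ports on one host in four seconds (a vanilla/strobe-style
# vertical scan); 198.51.100.9 hits port 445 on five hosts (a sweep);
# 192.168.1.50 is ordinary traffic and must not be flagged.
SAMPLE_LOG = """\
2012-12-03 10:00:01 src=203.0.113.7 dst=192.168.1.10 dport=21 proto=tcp action=drop
2012-12-03 10:00:01 src=203.0.113.7 dst=192.168.1.10 dport=22 proto=tcp action=accept
2012-12-03 10:00:02 src=203.0.113.7 dst=192.168.1.10 dport=23 proto=tcp action=drop
2012-12-03 10:00:02 src=203.0.113.7 dst=192.168.1.10 dport=25 proto=tcp action=drop
2012-12-03 10:00:03 src=203.0.113.7 dst=192.168.1.10 dport=80 proto=tcp action=accept
2012-12-03 10:00:03 src=203.0.113.7 dst=192.168.1.10 dport=110 proto=tcp action=drop
2012-12-03 10:00:04 src=203.0.113.7 dst=192.168.1.10 dport=143 proto=tcp action=drop
2012-12-03 10:00:04 src=203.0.113.7 dst=192.168.1.10 dport=443 proto=tcp action=accept
2012-12-03 10:00:05 src=203.0.113.7 dst=192.168.1.10 dport=445 proto=tcp action=drop
2012-12-03 10:00:05 src=203.0.113.7 dst=192.168.1.10 dport=3389 proto=tcp action=drop
2012-12-03 10:01:00 src=198.51.100.9 dst=192.168.1.10 dport=445 proto=tcp action=drop
2012-12-03 10:01:01 src=198.51.100.9 dst=192.168.1.11 dport=445 proto=tcp action=drop
2012-12-03 10:01:02 src=198.51.100.9 dst=192.168.1.12 dport=445 proto=tcp action=drop
2012-12-03 10:01:03 src=198.51.100.9 dst=192.168.1.13 dport=445 proto=tcp action=drop
2012-12-03 10:01:04 src=198.51.100.9 dst=192.168.1.14 dport=445 proto=tcp action=drop
2012-12-03 10:05:00 src=192.168.1.50 dst=192.168.1.10 dport=80 proto=tcp action=accept
2012-12-03 10:05:30 src=192.168.1.50 dst=192.168.1.10 dport=443 proto=tcp action=accept
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Turn raw log text into a time-ordered list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"], "action": m["action"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _max_distinct_in_window(events, key, window):
    """Largest number of distinct `key` values seen within any trailing time window."""
    best = 0
    for i, e in enumerate(events):
        recent = {x[key] for x in events[:i + 1] if e["ts"] - x["ts"] <= window}
        best = max(best, len(recent))
    return best


def detect_scans(events, window_seconds=60, port_threshold=8, host_threshold=5):
    """Flag vertical scans (many ports, one host) and sweeps (one port, many hosts).

    The thresholds are assumptions chosen for the sample data; tune them against
    your own baseline traffic before relying on the alerts.
    """
    window = timedelta(seconds=window_seconds)
    by_pair, by_port = defaultdict(list), defaultdict(list)
    for e in events:  # events are already time-ordered, so each sub-list is too
        by_pair[(e["src"], e["dst"])].append(e)
        by_port[(e["src"], e["dport"])].append(e)

    findings = []
    for (src, dst), evs in by_pair.items():
        n = _max_distinct_in_window(evs, "dport", window)
        if n >= port_threshold:
            findings.append({"kind": "vertical", "src": src, "target": dst, "count": n})
    for (src, dport), evs in by_port.items():
        n = _max_distinct_in_window(evs, "dst", window)
        if n >= host_threshold:
            findings.append({"kind": "sweep", "src": src, "target": dport, "count": n})
    return sorted(findings, key=lambda f: (f["kind"], f["src"]))


if __name__ == "__main__":
    for f in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:8} from {f['src']} -> {f['target']} ({f['count']} distinct)")
```

Both the drops and the accepts are counted: a scanner learns something from each answer, and an open port that answered is exactly the exposure the rest of this report is about, so the detector should not discard accepted connections.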
Vulnerability Assessment
Proper methodology is essential to the success of the penetration test. It involves
gathering information and then testing the target environment. The testing process
begins with gathering as much information as possible about the network architecture,
topology, hardware, and software in order to find all security vulnerabilities.
Researching public information such as Whois records, SEC filings, business news
articles, patents, and trademarks not only provides security administrators with
background information, but also gives insight into what information hackers can use to
find vulnerabilities. Tools such as ping, traceroute, and nslookup can be used to retrieve
information from the target environment and help determine network topology, Internet
provider, and architecture. Tools such as port scanners, NMAP, SNMPC, and NAT help
determine hardware, operating systems, patch levels, and services running on each target
device. Also, open-source or shareware assessment tools are available online and can be
used to supplement commercial scanners.
The increasing rate of daily vulnerability assessment is alarming; this means that
Security administrators must be on guard, because over 50,000 vulnerability assessments
are carried out across your network, including your virtual environments.
GFI LanGuard checks your operating system, virtual environments and installed
applications using vulnerability check databases such as OVAL and SANS Top 20. It
allows you to analyze the state of your network security, what the risks are, how exposed
your network is and how to take action before it is compromised. Vulnerability
assessment using GFI LanGuard is represented below in fig 1.2 and fig 1.3
respectively.
Fig1.3 Scanning complete, Vulnerability discovered.
After scanning your network and discovering vulnerabilities, as represented in the figures
above, one thing is left to ensure an effective and secured Network: patching the
discovered loopholes before they lead to disaster is a Security administrator’s last resort.
Chapter Two
Vulnerability Identification and Patch Acquisition
There are a number of information resources available to system administrators in order
to monitor vulnerabilities and patches that may be applicable to their installed hardware
and software systems. As each type of resource has its own specialised area, system
administrators need to be able to refer to more than one source for accurate and timely
information on new vulnerabilities and patch releases.
Some common resources are:
1. Product vendor websites and mailing lists
Product vendor websites are probably the most direct and reliable resources for system
administrators on vulnerability and patch related information for specific products.
Many large vendors also maintain support mailing lists that enable them to broadcast
notifications of vulnerabilities, patches and updates to subscribers via email. However,
it should be noted that vendors sometimes do not report new vulnerabilities straight
away, as they may not wish to report a specific vulnerability until a patch is available.
It is therefore necessary to track other IT security resources for timely vulnerability and
patch information.
2. Third-party security advisory websites
A third-party security advisory website is one that is not affiliated with any one vendor,
and may sometimes provide more detailed information about vulnerabilities that have
been discovered. These websites may cover a large number of products and report new
vulnerabilities ahead of the product vendors because, as mentioned, some vendors may
choose to hold a vulnerability notification until a patch is available.
These third-party vulnerability advisory websites can be divided into two categories:
websites run by Computer Emergency Response Teams (CERTs) and websites run by
security vendors.
a) Security advisory websites run by CERTs
One of the most popular vulnerability advisory websites is the US CERT/CC site. It
provides technical information about any newly uncovered vulnerability that can assist
system administrators and security professionals in assessing the threat from the
vulnerability. These advisories are updated as soon as new information is available from
the product vendors.
b) Security advisory websites / resources run by security vendors
A number of third party mailing lists, such as NTBugTraq [4] maintained by CyberTrust,
and BugTraq [5] maintained by SecurityFocus, are popular with IT professionals. However,
system administrators should verify the information released in these websites with
product vendors to confirm the accuracy of any newly discovered vulnerabilities. These
websites may also offer newsgroups that system administrators can use to communicate
with other users in the same field. System administrators should be careful not to release
sensitive information through joining and using these mailing lists and newsgroups.
To assist in the task of keeping up to date with patch releases and vulnerability reports, a
number of vulnerability alert services have been developed that allow system
administrators to receive automated and customised notification on any
vulnerabilities in and across the specific systems they are responsible for. Some services
are free to use, while others require a subscription fee. The Talisker website maintains a list
of currently available vulnerability alert services [6]. An RSS feed is also available that
system administrators can subscribe to and keep abreast of newly discovered
vulnerabilities.
A patch is usually developed and distributed as a replacement for or an insertion in
compiled code (that is, in a binary file or object module). In larger operating systems, a
special program is provided to manage and keep track of the installation of patches.
Risk Assessment and Prioritisation
Timely response is critical to effective patch management. With limited resources, system
administrators may need to prioritise the deployment of new patches, performing a risk
assessment to determine which systems should be patched first. In general, this
prioritisation should be based on the following criteria:
1. Threat – A threat is any potential direct danger to information systems. Examples of
systems facing high threat levels are web servers, email servers and servers containing
sensitive information.
2. Vulnerability – A vulnerability signifies the absence of, or a weakness in, a
safeguard which could be exploited by an attacker. It could be a flawed software service
running on a server, or unrestricted modem dial-in access, and so on.
3. Criticality – This is a measure of how important or valuable a system is to business
operations. Systems that are frequently considered as mission critical include mail servers,
database servers and network infrastructure.
In general, systems facing more threats, or that are more vulnerable, or are mission critical
should be accorded a higher priority in the patch management process.
System administrators should identify the associated risks and actions that need to be taken
once a security vulnerability has been confirmed (for example, scheduling system down
time for reboot after installing a patch), and assess any impact associated with installing a
security patch once that patch becomes available. Before applying a patch, system
administrators need to ensure that the new patch is not going to affect the overall
functionality of the system and its applications (see next section).
Patch Testing
Patch testing is vital to ascertain whether or not a new patch will affect the normal operation
of any existing software. It is important that this testing is performed on a mirror system
that has an identical or very similar configuration to the target production system. This is to
ensure that the patch installation does not lead to any unintended consequences on the
production system.
In addition to identifying any unintended problems, patches themselves should be tested to
ensure that they have fully patched the vulnerability in question or corrected the
performance issue as intended. This can be accomplished by:
1. Checking that the files or configuration settings that the patch is intended to correct have
been changed as outlined in the vendor’s documentation.
2. Scanning the host system with a vulnerability scanner that is capable of detecting known
vulnerabilities. This technique however may not always be effective because vulnerability
scanners may not check for the actual presence of the vulnerability in question. Many
vulnerability scanners only check software version numbers or patch levels to determine
whether vulnerabilities exist or not.
If it is not feasible to install the patch because, for example, testing results show that the
patch will crash or seriously disrupt the production system, alternate security controls
should be implemented.
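The two checks listed above can be automated. The Python script below is an added example, not from this report or from any vendor's tooling: it verifies a patch the way step 1 describes, by comparing the SHA-256 of every file the patch is supposed to change with the value the vendor's documentation gives, and contrasts that with the version-only check that step 2 warns about. The manifest format, the file names, the patch id and the file contents are all constructed for the example; a real deployment would read the manifest from the vendor's advisory.

```python
import hashlib
import os
import tempfile

# Hypothetical patch manifest shape (an assumption; real vendors publish their own
# formats): a patch id, the files the patch changes, and the vendor's SHA-256 for
# each file after the patch. Version strings are handled separately to show why
# they are a weaker signal than file hashes.


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(manifest, root):
    """Compare each file named in the manifest with the state on disk under `root`.

    Returns {relative_path: "ok" | "missing" | "hash-mismatch"} so the caller can
    tell a patch that never landed from one that was only partially applied.
    """
    results = {}
    for rel, expected in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif sha256_of(path) != expected["sha256"]:
            results[rel] = "hash-mismatch"
        else:
            results[rel] = "ok"
    return results


def parse_version(text):
    """'2.4.10' -> (2, 4, 10); numeric comparison avoids the string error '2.4.9' > '2.4.10'."""
    return tuple(int(p) for p in text.strip().split("."))


def version_only_check(reported_version, min_fixed_version):
    """What many scanners do: declare the host fixed if its version string is high enough."""
    return parse_version(reported_version) >= parse_version(min_fixed_version)


def build_fixture_and_verify():
    """Constructed scenario: a three-file patch where only the main binary was replaced."""
    new_service = b"service binary, patched build\n"
    new_helper = b"helper library, patched build\n"
    old_helper = b"helper library, vulnerable build\n"
    manifest = {
        "patch_id": "EXAMPLE-PATCH-001",  # placeholder id, not a real advisory number
        "files": {
            "bin/service": {"sha256": hashlib.sha256(new_service).hexdigest()},
            "lib/helper": {"sha256": hashlib.sha256(new_helper).hexdigest()},
            "etc/service.conf": {"sha256": hashlib.sha256(b"hardened config\n").hexdigest()},
        },
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "bin", "service"), "wb") as fh:
            fh.write(new_service)   # replaced correctly
        with open(os.path.join(root, "lib", "helper"), "wb") as fh:
            fh.write(old_helper)    # the installer skipped this file
        # etc/service.conf is deliberately never written: the patch failed to create it
        return verify_patch(manifest, root)


if __name__ == "__main__":
    for rel, status in build_fixture_and_verify().items():
        print(f"{status:14} {rel}")
    # The version banner was bumped by the partial install, so a version-only check
    # reports "fixed" even though lib/helper is still the vulnerable build.
    print("version-only check says fixed:", version_only_check("2.4.1", "2.4.1"))
```

Run against a mirror system first, as the text recommends; the "hash-mismatch" and "missing" results are exactly the cases that a scanner relying on version numbers would report as patched.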
Patch Deployment and Verification
Patching vulnerabilities in a system may be as simple as modifying a configuration
setting, or it may require the installation of a completely new version of the software. No
single patch method can apply across all software applications and operating systems.
Product or application vendors may provide specific instructions for applying security
patches and updating their products, and it is recommended that system administrators
read all the relevant documentation provided by vendors before proceeding with patch
installation.
In addition, security patches should be deployed through an established change control
process. Before applying a new patch, administrators may want to conduct a full backup
of the system to be patched. This enables a quick and easy restoration of the system to a
previous state if the patch has an unintended or unexpected impact on the system. After
the patch is deployed, system administrators and users should verify that all systems and
applications are functioning normally, and that they comply with laid down security
policies and guidelines.
Patch Distribution and Application Tools
Organisations may want to consider using automated patch management tools to speed
up the distribution and installation of patches. There are a number of patch management
systems in the market that can help automate the entire patch management process. There
is also a website run by patchmanagement.org that maintains a list of patch management
vendors who offer solutions performing both patch assessment and remediation. They
also maintain a page linking to patch management product comparisons previously
published in industry magazines.
Patch management systems can be broadly categorised into two areas:
1. Cross-platform patch management systems
This category of products can handle patches from more than one operating system, or
products from different vendors.
2. Platform specific patch management solutions
This category of products will only support patches from a specific vendor or platform. A
well-known example is the patch management tools provided by Microsoft. Microsoft
Windows Server Update Services (WSUS) is a free tool from Microsoft designed to help
system administrators deploy the latest Microsoft product updates and patches to computers
running the Windows operating system.
Patch Management Governance
All organisations need to protect information systems from known vulnerabilities and
security risks by applying the latest patches recommended by product vendors, or
implement other compensatory security measures. Patch management should be based on
an assessment that balances the security and down time risk of a security breach with the
cost, disruption and availability risks associated with frequent and rapid deployment of
software patches.
Before security patches are applied, proper risk evaluation and testing should be conducted
to minimise any undesirable effects to the normal running of information systems. A clear
operational process that enables rapid testing and deployment should be established.
Depending on the nature of information systems in question, risk levels may be different.
For example, an information system that is only used internally faces fewer threats than an
information system that directly interfaces with the Internet, serving customers or the
general public. Depending on the risk level, organisations should determine the appropriate
patch management strategy for each of their systems, including patch checking and
patching frequency. In short, high-risk information systems should be addressed first.
When evaluating whether to apply a security patch or not, the risks associated with
installing the patch should be assessed. Compare the risk posed by the vulnerability with
the risk of installing the patch. If an administrator decides not to apply a patch, or if no
patch is available, there should be other compensating controls. These may include:
1. turning off services or capabilities related to the vulnerability
2. adapting or adding access controls
3. increased monitoring of systems to detect and prevent actual attacks.
Security Considerations
When deploying a patch management solution, the following security issues should be
considered:
1. The patch management system itself is a software application, and it might have its
own set of security vulnerabilities. Patches to the patch management system and its
components should be applied as soon as possible.
2. The servers that are running a patch management solution should be properly
protected because this will be a central distribution point, sending updates to virtually all
machines in the organisation. It could prove disastrous if the files in the patch
management servers were to become infected with a virus. Any anti-virus software
running on the server should have auto-protection enabled with the latest virus signatures
and malicious code definitions installed in order to protect against any virus outbreak.
3. Access control to the patch management system should be secured, both
physically, by limiting physical access to the central console to authorised personnel
only, and logically, by restricting access to the central console to pre-registered IP
addresses only.
4. Communication channels into the patch management system should be properly
secured and protected. An attacker may be able to sniff network communications for
sensitive information such as authentication credentials or patching statuses to determine
which patches have been installed on particular systems, and hence locate vulnerable attack
targets. Security measures such as data encryption should therefore be put in
place to protect sensitive information passing through the management system from
leakage.
5. Regular IT security risk assessments and audits should be conducted on the patch
management system.
Criteria For Choosing A Patch Management Solution
Besides matching the specific user and business requirements, including product
functionality and budget constraints, organisations should also take the following factors
into consideration when considering a robust and secure patch management solution:
1. Fewer Vulnerabilities: Some patch management products have more vulnerabilities
than the others. Organisations should choose an appropriate solution that looks less likely
to be vulnerable itself, which in turn will reduce the need to patch the software regularly.
Research should be conducted first to independently verify the product concerned. A
complex product may mean more code and services that in turn might introduce more
vulnerabilities. It may be wise to select a less complicated and more mature product;
2. System Compatibility: Some patch management solutions are agent-based and
some are agent-less. Organisations should evaluate any impact to their systems (such as
performance, stability and compatibility), if agents are to be deployed across a large
number of machines;
3. Vendor Responsiveness to New Vulnerabilities: Organisations should also take
note of the speed with which the solution vendor responds to new vulnerabilities with
patches and updates;
4. Ease of Deployment and Maintenance: The easier the patch management
solution is to deploy and maintain, the lower the implementation and ongoing
maintenance costs to the organisation;
5. Audit Trail: A good patch management solution should provide comprehensive
logging facilities that help system administrators easily keep track of the status of
software fixes and patches on individual systems.
Summary
In order to combat the constantly increasing number of threats, organizations must
become proactive to identify risks in their network security. Regular vulnerability
scanning is a critical component to all security architectures.
Vulnerability scanning uses a variety of techniques to examine your external network
over the Internet. Your external network likely consists of perimeter devices, such as
routers and firewalls, as well as Internet accessible servers, like your email and web
servers.
When vulnerabilities are detected, the results are categorized in several ways, allowing
customers to target the data they find most useful. Results and corrective
recommendations are risk ranked based on priority and provided in executive summary
and technically detailed formats, appropriate for business executives and technical
administrators.
This constant and early identification of security flaws allows your company the ability to
react quickly and appropriately to close security holes and help prevent attacks and data
compromises.
Nmap commands
-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be
performed quickly, scanning thousands of ports per second on a fast network not
hampered by restrictive firewalls.
-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option.
This is the case when a user does not have raw packet privileges. Instead of writing
raw packets as most other scan types do, Nmap asks the underlying operating
system to establish a connection with the target machine and port by issuing the
connect system call. This is the same high-level system call that web browsers,
P2P clients, and most other network-enabled applications use to establish a
connection.
-sU (UDP scans)
While most popular services on the Internet run over the TCP protocol, UDP
services are widely deployed. DNS, SNMP, and DHCP (registered ports 53,
161/162, and 67/68) are three of the most common. Because UDP scanning is
generally slower and more difficult than TCP, some security auditors ignore these
ports. This is a mistake, as exploitable UDP services are quite common and
attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help
inventory UDP ports.
UDP scan is activated with the -sU option. It can be combined with a TCP scan
type such as SYN scan (-sS) to check both protocols during the same run.
-sY (SCTP INIT scan)
SCTP is a relatively new alternative to the TCP and UDP protocols, combining
most characteristics of TCP and UDP, and also adding new features like multi-homing
and multi-streaming. It is mostly being used for SS7/SIGTRAN related
services but has the potential to be used for other applications as well. SCTP INIT
scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly,
scanning thousands of ports per second on a fast network not hampered by
restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and
stealthy, since it never completes SCTP associations. It also allows clear, reliable
differentiation between the open, closed, and filtered states.
-sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
These three scan types (even more are possible with the --scanflags option
described further below) exploit a subtle loophole in the TCP RFC to
differentiate between open and closed ports. Page 65 of RFC 793 says that "if the
[destination] port state is CLOSED .... an incoming segment not containing a RST
causes a RST to be sent in response." Then the next page discusses packets sent to
open ports without the SYN, RST, or ACK bits set, stating that: "you are unlikely to
get here, but if you do, drop the segment, and return."
When scanning systems compliant with this RFC text, any packet not containing
SYN, RST, or ACK bits will result in a returned RST if the port is closed and no
response at all if the port is open. As long as none of those three bits are included,
any combination of the other three (FIN, PSH, and URG) is acceptable. Nmap exploits
this with three scan types:
Null scan (-sN)
Does not set any bits (TCP flag header is 0).
FIN scan (-sF)
Sets just the TCP FIN bit.
Xmas scan (-sX)
Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
Two caveats apply to all three. A silent port cannot be told apart from one whose
probe a firewall dropped, so Nmap reports the no-response case as open|filtered
rather than open. And not every stack follows RFC 793 to the letter: Microsoft
Windows, many Cisco devices, BSDI and IBM OS/400 send RST regardless of port
state, so against those systems every port is reported closed.
-sA (TCP ACK scan)
This scan differs from the others discussed so far in that it never determines
open (or even open|filtered) ports. It is used to map out firewall rulesets,
determining whether they are stateful or not and which ports are filtered. The probe
sets only the ACK flag; unfiltered ports (open or closed alike) answer with a RST,
while ports that do not respond, or that produce ICMP error messages, are reported
as filtered.
-sW (TCP Window scan)
Window scan is exactly the same as ACK scan except that it exploits an
implementation detail of certain systems to differentiate open ports from closed
ones, rather than always printing unfiltered when a RST is returned. It does this by
examining the TCP Window field of the RST packets returned. On some systems,
open ports use a positive window size (even for RST packets) while closed ones
have a zero window. So instead of always listing a port as unfiltered when it receives
a RST back, Window scan lists the port as open or closed if the TCP Window value
in that reset is positive or zero, respectively.
-sM (TCP Maimon scan)
The Maimon scan is named after its discoverer, Uriel Maimon. He described the
technique in Phrack Magazine issue #49 (November 1996). Nmap, which included
this technique, was released two issues later. This technique is exactly the same as
NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC
793 (TCP), a RST packet should be generated in response to such a probe whether
the port is open or closed. However, Uriel noticed that many BSD-derived systems
simply drop the packet if the port is open.
--scanflags (Custom TCP scan)
Truly advanced Nmap users need not limit themselves to the canned scan types
offered. The --scanflags option allows you to design your own scan by specifying
arbitrary TCP flags, either as a numeric flag value or as any concatenation of the
names URG, ACK, PSH, RST, SYN, and FIN. Any probe that leaves SYN, RST and
ACK clear is interpreted by the same rules as the NULL, FIN and Xmas scans above.
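The flag-to-state rules that the SYN, NULL/FIN/Xmas, ACK, Window and Maimon descriptions above share, together with the flag parsing behind --scanflags, modelled in one place. This is an added Python example written for this page, not Nmap's code: the probe and reply packets are constructed dictionaries rather than real segments, and the only --scanflags syntax handled is the numeric form and the concatenated symbolic names Nmap accepts (for example URGACKPSHRSTSYNFIN).

```python
"""Port-state inference behind Nmap's TCP scan types.

Added example for this page, not Nmap's code. Probes and replies are
constructed dicts, not real packets; the rules are the RFC 793 behaviour
described in the text.
"""
from __future__ import annotations

# TCP flag bits, low to high, as laid out in the RFC 793 header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag bytes of the canned probes (-sS, -sN, -sF, -sX, -sA/-sW, -sM).
PROBES = {
    "SYN": TCP_FLAGS["SYN"],
    "NULL": 0,
    "FIN": TCP_FLAGS["FIN"],
    "XMAS": TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"],
    "ACK": TCP_FLAGS["ACK"],
    "WINDOW": TCP_FLAGS["ACK"],
    "MAIMON": TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"],
}


def parse_scanflags(spec: str) -> int:
    """Turn a --scanflags value into a flag byte: either a number
    (9 == PSH|FIN) or concatenated names such as URGACKPSHRSTSYNFIN."""
    spec = spec.strip()
    try:
        return int(spec, 0) & 0x3F          # numeric form, decimal or 0x-hex
    except ValueError:
        pass
    value, rest = 0, spec.upper()
    while rest:
        for name, bit in TCP_FLAGS.items():  # every name is three letters
            if rest.startswith(name):
                value |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown TCP flag in {spec!r}: {rest!r}")
    return value


def is_rfc793_loophole_probe(flags: int) -> bool:
    """True when none of SYN, RST or ACK is set: a compliant stack then
    returns RST for a closed port and nothing at all for an open one,
    so any mix of FIN, PSH and URG works as a NULL/FIN/Xmas-style probe."""
    return flags & (TCP_FLAGS["SYN"] | TCP_FLAGS["RST"] | TCP_FLAGS["ACK"]) == 0


def classify(scan: str, reply: dict | None) -> str:
    """Map a scan type and its reply to the port state Nmap would print.

    reply is None for no answer, {"icmp_unreach": True} for an ICMP
    unreachable error, or {"tcp": <flag byte>, "window": <int>} for a
    TCP segment from the target.
    """
    scan = scan.upper()
    if reply is not None and reply.get("icmp_unreach"):
        return "filtered"                    # an ICMP error always means a filter
    got = reply.get("tcp", 0) if reply else 0
    rst = bool(got & TCP_FLAGS["RST"])

    if scan == "SYN":
        if got & TCP_FLAGS["SYN"] and got & TCP_FLAGS["ACK"]:
            return "open"                    # half-open: Nmap answers with RST
        return "closed" if rst else "filtered"
    if scan in ("NULL", "FIN", "XMAS", "MAIMON"):
        # RST means closed; silence cannot tell an open port from a
        # firewall that drops the probe, hence the combined state.
        return "closed" if rst else "open|filtered"
    if scan == "ACK":
        return "unfiltered" if rst else "filtered"   # never reports open
    if scan == "WINDOW":
        if not rst:
            return "filtered"
        return "open" if reply.get("window", 0) > 0 else "closed"
    raise ValueError(f"unknown scan type {scan!r}")
```

The live equivalents are `nmap -sS`, `-sN`, `-sF`, `-sX`, `-sA`, `-sW`, `-sM` and, for a custom probe, `nmap --scanflags URGACKPSHRSTSYNFIN -sS target`; all of them need raw-packet privileges. A real scan also has to handle retransmission and rate limiting; the state table above is the part that does not change.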
-sZ (SCTP COOKIE ECHO scan)
SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of
the fact that SCTP implementations should silently drop packets containing
COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.
The advantage of this scan type is that it is not as obvious a port scan as an INIT
scan. The downside is that it cannot distinguish open from filtered ports, so both
are reported as open|filtered.
-sI <zombie host>[:<probeport>] (idle scan)
This advanced scan method allows for a truly blind TCP port scan of the target
(meaning no packets are sent to the target from your real IP address). Instead, a
unique side-channel attack exploits predictable IP fragmentation ID sequence
generation on the zombie host to glean information about the open ports on the
target. Intrusion detection systems will display the scan as coming from the zombie
machine you specify (which must be up and meet certain criteria: chiefly that it is
genuinely idle and uses a single, incrementing IP ID counter for all its traffic).
Full details of this fascinating scan type are in the section called "TCP Idle Scan
(-sI)" of the Nmap Reference Guide on nmap.org.
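The side channel the idle scan relies on, worked through in a toy network. This is an added Python model written for this page, not Nmap's implementation: the zombie, the target, their addresses, the open and filtered port sets and the zombie's starting IP ID are all constructed for the demonstration. The zombie's counter grows by one for every packet it sends, which is exactly the property the attacker measures; a zombie that is not idle shows up as a delta other than 1 or 2.

```python
"""Idle scan (-sI) side channel, end to end, in a constructed network.

Added example for this page, not Nmap's code. Addresses, port sets and
the zombie's starting IP ID are made up for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Idle host with a single, global, per-packet IP ID counter."""
    ip: str
    ipid: int = 1000               # constructed starting value

    def receive(self, flags: str) -> int | None:
        """Return the IP ID of any packet sent in reply, else None."""
        if flags == "SYN/ACK":     # unexpected SYN/ACK: a stack answers RST
            self.ipid += 1
            return self.ipid
        return None                # a stray RST is dropped, nothing sent


@dataclass
class Target:
    """Scan victim: open ports answer SYN/ACK, closed ones RST,
    filtered ones nothing at all."""
    ip: str
    open_ports: set[int] = field(default_factory=set)
    filtered_ports: set[int] = field(default_factory=set)

    def receive_syn(self, dport: int) -> str | None:
        if dport in self.filtered_ports:
            return None
        return "SYN/ACK" if dport in self.open_ports else "RST"


@dataclass
class Network:
    """Delivers packets and records every src -> dst pair it carries."""
    zombie: Zombie
    target: Target
    log: list[str] = field(default_factory=list)

    def probe_zombie(self, src_ip: str) -> int:
        """Attacker's IP ID probe: SYN/ACK to the zombie, read the RST's ID."""
        self.log.append(f"{src_ip} -> {self.zombie.ip} SYN/ACK")
        return self.zombie.receive("SYN/ACK")

    def spoofed_syn(self, src_ip: str, dport: int) -> None:
        """SYN to the target with a forged source; the reply goes to src_ip."""
        self.log.append(f"{src_ip} (spoofed) -> {self.target.ip}:{dport} SYN")
        reply = self.target.receive_syn(dport)
        if reply is not None and src_ip == self.zombie.ip:
            self.log.append(f"{self.target.ip} -> {src_ip} {reply}")
            self.zombie.receive(reply)


def idle_scan(net: Network, attacker_ip: str, port: int) -> str:
    """Classify one target port from the zombie's IP ID delta alone."""
    before = net.probe_zombie(attacker_ip)          # RST carries ID n
    net.spoofed_syn(net.zombie.ip, port)            # target only ever sees the zombie
    after = net.probe_zombie(attacker_ip)           # RST carries n+1 or n+2
    delta = after - before
    if delta == 2:
        return "open"              # zombie sent an extra RST in between
    if delta == 1:
        return "closed|filtered"   # nothing made the zombie transmit
    return "unknown"               # zombie was not idle: retry or change zombie


def demo() -> tuple[dict[int, str], list[str]]:
    """Scan four constructed ports and return the results with the packet log."""
    net = Network(Zombie("10.0.0.5"),
                  Target("10.0.0.9", open_ports={22, 80}, filtered_ports={445}))
    results = {p: idle_scan(net, "10.0.0.99", p) for p in (22, 25, 80, 445)}
    return results, net.log
```

The packet log returned by demo() is the point of the exercise: every packet addressed to the target carries the zombie's address, so the target (and any IDS in front of it) only ever sees the zombie. The same inability to tell closed from filtered that the NULL/FIN/Xmas scans have applies here as well.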
-sO (IP protocol scan)
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP,
etc.) are supported by target machines. This isn't technically a port scan, since it
cycles through IP protocol numbers rather than TCP or UDP port numbers.
-b <FTP relay host> (FTP bounce scan)
An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy
FTP connections. This allows a user to connect to one FTP server, then ask that
files be sent to a third-party server. Nmap abuses this by asking the relay to open a
data connection to each port of the target in turn and reading the port's state from
the relay's reply. Because the feature has been abused so widely, most current FTP
servers refuse third-party PORT requests, so the technique rarely works today.
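The third-party PORT exchange that a bounce scan abuses, shown with both sides' messages. This is an added Python example written for this page, not Nmap's -b implementation and not a real FTP server: the relay is a constructed in-memory server whose reply codes follow RFC 959, and the victim address and the set of its ports the relay can reach are made up. A relay that rejects third-party PORT targets, the common case today, ends the probe at the first reply.

```python
"""FTP bounce scan (-b) exchange against a constructed relay server.

Added example for this page, not Nmap's code and not a real FTP server.
Reply codes follow RFC 959; the victim address and the set of its ports
the relay can reach are made up for the demonstration.
"""
from __future__ import annotations


def port_command(ip: str, port: int) -> str:
    """Encode an IPv4 address and port as PORT h1,h2,h3,h4,p1,p2 (RFC 959):
    four address octets, then the port's high and low byte."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"bad port {port}")
    return f"PORT {','.join(octets)},{port >> 8},{port & 0xFF}"


class RelayFtpServer:
    """In-memory stand-in for the relay. `reachable` says, per (ip, port),
    whether the server's data connection to that victim port would succeed."""

    def __init__(self, reachable: dict[tuple[str, int], bool],
                 allow_third_party: bool = True):
        self.reachable = reachable
        self.allow_third_party = allow_third_party
        self.data_target: tuple[str, int] | None = None

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            if not self.allow_third_party:
                return "500 Illegal PORT command."     # hardened servers refuse
            h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            self.data_target = (f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2)
            return "200 PORT command successful."
        if verb == "LIST":
            if self.data_target is None:
                return "503 Bad sequence of commands."
            # Active mode: the server, not the client, connects to the data target.
            if self.reachable.get(self.data_target, False):
                return "150 Opening ASCII mode data connection for file list."
            return "425 Can't build data connection: Connection refused."
        return "502 Command not implemented."


def bounce_probe(server: RelayFtpServer, victim_ip: str, victim_port: int) -> str:
    """One probe: point the relay's data connection at the victim, then
    request a listing and read the victim's state off the relay's reply."""
    reply = server.command(port_command(victim_ip, victim_port))
    if not reply.startswith("200"):
        return "relay refuses third-party PORT"
    reply = server.command("LIST")
    if reply.startswith(("125", "150")):
        return "open"            # data connection succeeded: the port accepts
    if reply.startswith("425"):
        return "closed"          # connection refused by the victim
    return "unknown"
```

The victim's firewall logs show connections from the relay, never from the scanner, which is why the technique mattered before servers stopped honouring third-party PORT. When testing a relay you administer, the `500` branch is the behaviour to look for; `vsftpd` and `proftpd` can both be configured to reject it.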
Reference
www.nmap.org
www.lynjonic.com
www.wikipedia.org
www.whatsmyip.org/port-scanner/
www.gfi.com
www.searchsecurity.techtarget.com
www.networkworld.com
www.dslreports.com
www.technlator.com
www.esecurityplanet.com
www.windowsecurity.com
www.ocio.usda.gov
www.features.techworld.com
www.tenable.com
www.autonomio-software.com

Network Vulnerability and Patching

  • 1. Technology: INFORMATION SECURITY AND ETHICAL HACKING. December 2012 Project Title To Find Out Network Vulnerabilities and To Patch Them. (Network Scanner). Submitted By Emmanuel Udeagha Guided By Mr. RAVIKANT SHRIVAS (Faculty) Submitted To:- Appin Technology Lab Ikeja, Lagos Nigeria.
  • 2. 2 ACKNOWLEDGEMENT Apart from the efforts of myself, the success of any project depends largely on the encouragement and guidelines of many people who in one way or another contributed to the completion of the work. I take this opportunity to express my gratitude to the people who have been instrumental in the successful completion of this project work. I would like to show my unreserved gratitude to Mr. Ravikant Shrivas who from the beginning of my class, all through the duration of this piece of work have been wonderful in terms of support and guidance. My appreciation goes to all friends, colleagues and Staff members of Appin Technology who in one way contributed to the success of this work. Emmanuel Udeagha
  • 3. 3 DEDICATION This piece of work is dedicated to everyone who rendered unreserved assistance all through my training period and up till the time this research work.
  • 4. 4 About the Company Appin Technology Appin Technologies is a global Information Security company focused on training, consulting and outsourcing services. The company was formed as a merger of two entities, XIRS Ventures Inc based in Austin Texas and XIRS Appin incubated inside IIT, Delhi India. Later the name XIRS was dropped from the company and the merged entity is known as Appin Technologies. From USA & India, the company has now expanded its operations to Europe, Africa and South East Asia as well. Appin Knowledge Solutions Appin Knowledge Solutions, education & training arm of Appin Technologies, runs over 75 training centres globally focused on imparting instructor led training in Information Security, Ethical hacking, Secured Programming, Embedded systems & related IT domains. It also sells distance learning courses in over 71 countries across 6 continents. It has trained over 83000 candidates via training products and services. The company is among top 5 Training providers in India according to the Week magazine. Visit the website: www.appinonline.com
  • 5. 5 TABLE OF CONTEENT Introduction…………………………………………6 Chapter one Scanning……………………………………………………………………………..7 Types of Vulnerability scanning……………………………………………7 Network scanning…………………………………………………………………8 IP Scanning…………………………………………………………………..………9 Web Application Scanning ……………………………………………….….9 Database Security Scanning………………………………………………..10 Port Scanning………………………………………………………………………11 Types of Port Scanning…………………………………………………………11 TCp vs Port Scans…………………………………………………………………12 Vulnerability Assessment……………………………………………………..13 Chapter Two Vulnerability Identification and Patch Acquisition……………………….15 Product vendor websites and mailing lists ………………………………...15 Third-party security advisory websites…………………………………………15 Security advisory websites run by CERTs ……………………………………..15 Security advisory websites / resources run by security vendors……16 Risk Assessment and Prioritisation………………………………………………..16 Threats…………………………………………………………………………………………16 Vulnerability………………………………………………………………………………….17 Criticality……………………………………………………………………………………….17 Patch Testing…………………………………………………………………………………17 Deployment and Verification…………………………………………………………18 Patch Distribution and Application Tools……………………………………….18 Cross-platform patch management systems………………………………….18 Platform specific patch management solutions……………………………..19 Patch Management Governance…………………………………………………...19 Security Considerations………………………………………………………………….20 Criteria for Choosing a Patch Management Solution……………………..21 Fewer Vulnerabilities……………………………………………………………………..22 System compatibility……………………………………………………………………….21 Vendor Responsiveness to New Vulnerabilities……………………………….21 Ease of Deployment and Maintenance……………………………………………21 Audit Trail……………………………………………………………………………………….21 Summary…………………………………………………………….……………………22 Nmap Commands…………………………………………………………………………….23 Reference ………………………………………………………………………………………27
  • 6. 6 Introduction As electronic commerce, online business-to-business operations, and global connectivity have become vital components of a successful business strategy, enterprises have adopted security processes and practices to protect information assets. Most companies work diligently to maintain an efficient, effective security policy, implementing the latest products and services to prevent fraud, vandalism, sabotage, and denial of service attacks. However, many enterprises overlook a key ingredient of a successful security policy: They do not test the network and security systems to ensure that they are working as expected and there are no vulnerabilities so that an attacker will not take advantage to steal confidential information. Network penetration testing—using tools and processes to scan the network environment for vulnerabilities—helps refine an enterprise’s security policy, identify vulnerabilities, and ensure that the security implementation actually provides the protection that the enterprise requires and expects. Regularly performing penetration tests or vulnerability check helps enterprises uncover network security weaknesses that can lead to data or equipment being compromised or destroyed by exploits (attacks on a network, usually by ―exploiting‖ a vulnerability of the system), Trojans (viruses), denial of service attacks, and other intrusions. Testing also exposes vulnerabilities that may be introduced by patches and updates or by misconfigurations on servers, routers, and firewalls. SecureTEST, a security scanning service of VeriSign Consulting, uses proven methodologies and tools to detect vulnerabilities in the enterprise’s network, and to then recommend repairs or corrections if necessary. SecureTEST services can be tailored to an enterprise’s specific needs and include three levels of assessment. 
As the industry leader in trust services, VeriSign has the expertise, experience, and technology to recognize and detect security vulnerabilities and to provide effective, enterprise-wide solutions for them. GFI LanGuard is another security scanning software that smaller enterprises use in checking for vulnerabilities and possible loop holes intruders might take advantage of to compromise company’s network, creating back doors in other to have permanent access. In this project work, GFI Languard will be solely used as a Network scanning and vulnerability checking tool to ensure that all backdoors(undocumented access to network),loop holes are blocked and a proper patching method is applied to reduce the risk of the network been exploited by attackers.
  • 7. 7 Chapter One: Scanning In other for a security administrator to discover vulnerability on a Network before hackers exploit such loop holes to compromise the network and steal confidential information, there are key steps or must do to ensure Network vulnerabilities and backdoors are constantly put on check, and those steps are discussed Messer: Scanning is the process of examining carefully. In this context, a process where Security administrators examine carefully a Computer Network with a focus on finding vulnerabilities with the aid of tools and softwares such as Nmap,GFI LanGuard, firewall and anti virus etc. Whereas, Network is a collection of computers, software, and hardwares that are all connected to help their users work together. A Network connects computers by means of cabling systems, specialized software, and devices that manage data traffic. A Network enables users to share files and resources, such as printers, as well as send messages electronically (e-mail) to each other. Types of Vulnerability Scanning Below are types of vulnerability scanning, but a few of them listed below will be discussed in this piece.  Network scanning  Port Scanning  Web application security scanning  Database security scanning  ERP security scanning  Computer worm We need to understand that Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures, such as ping sweeps and port scans, return information about which IP addresses map to live hosts that are active on the Internet and what services they offer. Another scanning method, inverse mapping, returns information about what IP addresses do not map to live hosts; this enables an attacker to make assumptions about viable addresses. Scanning is one of three components of intelligence gathering for an attacker. 
In the foot printing phase, the attacker creates a profile of the target organization, with information such as its domain name system (DNS) and e-mail servers, and its IP address range. Most of this information is available online. In the scanning phase, the attacker finds information about the specific IP addresses that can be accessed over the Internet,
  • 8. 8 their operating systems, the system architecture, and the services running on each computer. Network Scanning In the enumeration phase, the attacker gathers information such as network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. It is however imperative to understand that Network exploitation is 90% information gathering and 10% attack. This means that an attacker spends most his time gathering information about a target Network and understanding more of its strength and weaknesses.
  • 9. 9 IP Scanning IP scanning is a type of scan on your local area Network to determine the identity of all active machine and internet devices on the LAN. During the period of IP scanning with the aid of Softwares, one can customize his results once a device is identified. IP Scanning Web Application scanning A web application security scanner is program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black- box test. Unlike source code scanners, web application scanners don't have access to the source code and therefore detect vulnerabilities by actually performing attacks.
  • 10. 10 Web Vulnerability Scanning Web applications have been highly popular since 2000 because they allow users to have an interactive experience on the Internet. Rather than just view static web pages, users are able to create personal accounts, add content, query databases and complete transactions. In the process of providing an interactive experience web applications frequently collect, store and use sensitive personal data to deliver their service. Customers benefit from the convenience of these applications, while tacitly taking on risk that private information stored in web applications will be compromised through hacker attacks, insider leaks etc. Database Security Scanning Database scanning is process of scanning Database for vulnerabilities, configuration issues, weak passwords, missing patches, access control concerns and other issues that can lead to user privilege escalation with the aid of softwares. Testing systems for the occurrence of these flaws and generating a report of the findings will help a Security administrator protect an enterprise’s Database from been exploited by attackers.
Checking Risk Level

Port Scanning

When live systems are discovered, an attacker will usually attempt to discover which services are available for exploitation. This is accomplished by a technique commonly known as port scanning. Every application has a specific port number associated with it that identifies that application. Through the use of port numbers, intruders can gain access to information on which applications and network services are available to be exploited. Nmap was the first general purpose port scanning tool available.

The intruder may follow these steps to gain unauthorized access to a web server:
a. DNS query to figure out which web servers are available
b. Ping sweep to see which servers are alive and accessible
c. Port scan to see which services are available for exploitation.

Considering the steps a hacker would follow to gain information about a target web server, a network engineer must ensure that the safety of his organization's network is periodically checked to ascertain whether it stands at risk of being compromised by intruders. Understanding the types of port scanning will help the IT department know when a hacker is carrying out a scan (remote or local) on its network territory.
Types of Port Scans:
 Vanilla: the scanner attempts to connect to all 65,535 ports
 Strobe: a more focused scan looking only for known services to exploit
 Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall
 UDP: the scanner looks for open UDP ports
 Sweep: the scanner connects to the same port on more than one machine
 FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan
 Stealth scan: the scanner blocks the scanned computer from recording the port scan activities.

Port scanning is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet, because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system.

TCP vs. Port Scanning

TCP:
 The receiver acknowledges packets.
 Timeouts are error conditions.
 Sequence numbers are used.

Port scanning:
 Packets may not produce answers.
 Timeouts are not error conditions.
 No sequence numbers.
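As an added example (not part of the report), the three volume-based scan shapes above, vanilla, strobe and sweep, can be recognised from ordinary connection logs by counting distinct ports per target and distinct targets per port. The key=value log format, the thresholds and the well-known port list are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Well-known service ports a strobe scan would target: a constructed list for
# this example, not taken from any product.
KNOWN_SERVICE_PORTS = {21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3306, 3389}

# Constructed iptables-style key=value log format assumed by the parser.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Parse one log line into a Conn, or None if the fields are absent."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Conn(m["src"], m["dst"], m["proto"].upper(), int(m["dport"]))


def classify(conns, vanilla_min=1000, strobe_min=5, sweep_min=5):
    """Map each source address to the scan shapes it shows.

    vanilla: very many distinct ports on one target (an attempt at all 65,535)
    strobe:  a handful of ports on one target, all of them well-known services
    sweep:   the same port on many targets
    udp:     added when the source also probes UDP ports
    The thresholds are hypothetical tuning values, not from any standard.
    """
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)

    findings = {}
    for src, cs in by_src.items():
        ports_per_dst, dsts_per_port, labels = defaultdict(set), defaultdict(set), set()
        for c in cs:
            ports_per_dst[c.dst].add(c.dport)
            dsts_per_port[c.dport].add(c.dst)
            if c.proto == "UDP":
                labels.add("udp")
        for ports in ports_per_dst.values():
            if len(ports) >= vanilla_min:
                labels.add("vanilla")
            elif len(ports) >= strobe_min and ports <= KNOWN_SERVICE_PORTS:
                labels.add("strobe")
        for dsts in dsts_per_port.values():
            if len(dsts) >= sweep_min:
                labels.add("sweep")
        if labels - {"udp"}:          # a few UDP packets alone are not a scan
            findings[src] = sorted(labels)
    return findings


def detect(lines, **thresholds):
    """Run the classifier over raw log lines, skipping ones that do not parse."""
    conns = [c for c in map(parse_line, lines) if c is not None]
    return classify(conns, **thresholds)


def build_sample_log():
    """Constructed log lines (not real traffic) showing each scan shape."""
    lines = [f"SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT={p}" for p in range(1, 2001)]
    lines += [f"SRC=198.51.100.8 DST=10.0.0.5 PROTO=TCP DPT={p}" for p in (21, 22, 25, 80, 443)]
    lines += [f"SRC=198.51.100.9 DST=10.0.0.{h} PROTO=TCP DPT=445" for h in range(1, 21)]
    lines += [f"SRC=198.51.100.10 DST=10.0.0.{h} PROTO=UDP DPT=161" for h in range(1, 21)]
    lines += ["SRC=10.0.0.50 DST=10.0.0.5 PROTO=TCP DPT=443"] * 3   # ordinary client
    lines.append("kernel: unrelated message with no fields")
    return lines


if __name__ == "__main__":
    for src, labels in detect(build_sample_log()).items():
        print(f"{src}: {', '.join(labels)}")
```

Fragmented-packet and stealth scans are not visible at this level; they need packet-level inspection rather than connection counts.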
Vulnerability Assessment

Proper methodology is essential to the success of the penetration test. It involves gathering information and then testing the target environment. The testing process begins with gathering as much information as possible about the network architecture, topology, hardware, and software in order to find all security vulnerabilities. Researching public information such as Whois records, SEC filings, business news articles, patents, and trademarks not only provides security administrators with background information, but also gives insight into what information hackers can use to find vulnerabilities. Tools such as ping, traceroute, and nslookup can be used to retrieve information from the target environment and help determine network topology, Internet provider, and architecture. Tools such as port scanners, NMAP, SNMPC, and NAT help determine hardware, operating systems, patch levels, and services running on each target device. Open-source or shareware assessment tools are also available online and can be used to supplement commercial scanners.

The increasing rate of daily vulnerability assessment is alarming, and security administrators must be on guard. GFI LanGuard, for example, carries out over 50,000 vulnerability assessments across your network, including your virtual environments. It checks your operating system, virtual environments and installed applications using vulnerability check databases such as OVAL and SANS Top 20. It allows you to analyze the state of your network security, what the risks are, how exposed your network is and how to take action before it is compromised. Vulnerability assessment using GFI LanGuard is represented below in fig 1.2 and fig 1.3 respectively.
Fig 1.3: Scanning complete, vulnerability discovered.

After scanning your network and discovering vulnerabilities, as represented in the figures above, one thing is left to ensure an effective and secure network: patching the discovered loopholes before they lead to disaster is the security administrator's final step.
Chapter Two

Vulnerability Identification and Patch Acquisition

There are a number of information resources available to system administrators in order to monitor vulnerabilities and patches that may be applicable to their installed hardware and software systems. As each type of resource has its own specialised area, system administrators need to be able to refer to more than one source for accurate and timely information on new vulnerabilities and patch releases. Some common resources are:

1. Product vendor websites and mailing lists
Product vendor websites are probably the most direct and reliable resources for system administrators on vulnerability and patch related information for specific products. Many large vendors also maintain support mailing lists that enable them to broadcast notifications of vulnerabilities, patches and updates to subscribers via email. However, it should be noted that vendors sometimes do not report new vulnerabilities straight away, as they may not wish to report a specific vulnerability until a patch is available. It is therefore necessary to track other IT security resources for timely vulnerability and patch information.

2. Third-party security advisory websites
A third-party security advisory website is one that is not affiliated with any one vendor, and may sometimes provide more detailed information about vulnerabilities that have been discovered. These websites may cover a large number of products and report new vulnerabilities ahead of the product vendors because, as mentioned, some vendors may choose to hold a vulnerability notification until a patch is available. These third-party vulnerability advisory websites can be divided into two categories: websites run by Computer Emergency Response Teams (CERTs) and websites run by security vendors.

a) Security advisory websites run by CERTs
One of the most popular vulnerability advisory websites is the US CERT/CC site. It provides technical information about any newly uncovered vulnerability that can assist system administrators and security professionals in assessing the threat from the vulnerability. These advisories are updated as soon as new information is available from the product vendors.

b) Security advisory websites / resources run by security vendors
A number of third party mailing lists, such as NTBugTraq maintained by CyberTrust, and BugTraq maintained by SecurityFocus, are popular with IT professionals. However, system administrators should verify the information released on these websites with product vendors to confirm the accuracy of any newly discovered vulnerabilities. These websites may also offer newsgroups that system administrators can use to communicate with other users in the same field. System administrators should be careful not to release sensitive information through joining and using these mailing lists and newsgroups.

To assist in the task of keeping up to date with patch releases and vulnerability reports, a number of vulnerability alert services have been developed that allow system administrators to receive automated and customised notification of any vulnerabilities in and across the specific systems they are responsible for. Some services are free to use, while others require a subscription fee. The Talisker website maintains a list of currently available vulnerability alert services. An RSS feed is also available that system administrators can subscribe to in order to keep abreast of newly discovered vulnerabilities.

A patch is usually developed and distributed as a replacement for, or an insertion in, compiled code (that is, in a binary file or object module). In larger operating systems, a special program is provided to manage and keep track of the installation of patches.

Risk Assessment and Prioritisation

Timely response is critical to effective patch management. With limited resources, system administrators may need to prioritise the deployment of new patches, performing a risk assessment to determine which systems should be patched first. In general, this prioritisation should be based on the following criteria:

1. Threat – A threat is any potential direct danger to information systems. Examples of systems facing high threat levels are web servers, email servers and servers containing sensitive information.
2. Vulnerability – A vulnerability signifies the absence of, or a weakness in, a safeguard which could be exploited by an attacker. It could be a flawed software service running on a server, or unrestricted modem dial-in access, and so on.
3. Criticality – This is a measure of how important or valuable a system is to business operations. Systems that are frequently considered mission critical include mail servers, database servers and network infrastructure.

In general, systems facing more threats, or that are more vulnerable, or that are mission critical should be accorded a higher priority in the patch management process. System administrators should identify the associated risks and actions that need to be taken once a security vulnerability has been confirmed (for example, scheduling system down time for a reboot after installing a patch), and assess any impact associated with installing a security patch once that patch becomes available. Before applying a patch, system administrators need to ensure that the new patch is not going to affect the overall functionality of the system and its applications (see next section).

Patch Testing

Patch testing is vital to ascertain whether or not a new patch will affect the normal operation of any existing software. It is important that this testing is performed on a mirror system that has an identical or very similar configuration to the target production system. This is to ensure that the patch installation does not lead to any unintended consequences on the production system. In addition to identifying any unintended problems, patches themselves should be tested to ensure that they have fully patched the vulnerability in question or corrected the performance issue as intended. This can be accomplished by:

1. Checking that the files or configuration settings that the patch is intended to correct have been changed as outlined in the vendor's documentation.
2. Scanning the host system with a vulnerability scanner that is capable of detecting known vulnerabilities. This technique, however, may not always be effective, because vulnerability scanners may not check for the actual presence of the vulnerability in question. Many vulnerability scanners only check software version numbers or patch levels to determine whether vulnerabilities exist.
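As an added example, not from the report, here is the two-step verification just described as code: a version comparison, which is all many scanners do, beside a content check of the files and settings the vendor's documentation is assumed to list. Combining the two separates a backported fix (old version string, corrected content) from an incomplete one (new version string, content still wrong), neither of which a version-only check gets right. The file path, version numbers and byte contents are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); tuples compare correctly where strings do not ('2.10' > '2.9')."""
    return tuple(int(part) for part in text.split("."))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


@dataclass
class PatchExpectation:
    """What the vendor's release notes say the patch changes (constructed values)."""
    fixed_version: str
    file_hashes: dict   # path -> SHA-256 of the corrected file
    settings: dict      # configuration key -> value the patch should set


def version_says_patched(expect, reported_version):
    """The check most scanners stop at: is the reported version at or past the fix?"""
    return parse_version(reported_version) >= parse_version(expect.fixed_version)


def content_mismatches(expect, files, config):
    """Compare actual file contents and settings with the vendor's documentation."""
    problems = []
    for path, want in expect.file_hashes.items():
        if path not in files:
            problems.append(f"missing file {path}")
        elif sha256_hex(files[path]) != want:
            problems.append(f"unexpected content in {path}")
    for key, want in expect.settings.items():
        if config.get(key) != want:
            problems.append(f"setting {key}={config.get(key)!r}, expected {want!r}")
    return problems


def verify_patch(expect, reported_version, files, config):
    """Combine both checks into one verdict plus the evidence behind it."""
    by_version = version_says_patched(expect, reported_version)
    problems = content_mismatches(expect, files, config)
    if by_version and not problems:
        status = "patched"
    elif by_version:
        status = "incomplete"   # version bumped, but files/settings not corrected
    elif not problems:
        status = "backported"   # fix present although the version predates it
    else:
        status = "unpatched"
    return {"status": status, "version_ok": by_version, "problems": problems}


# Constructed sample data: byte strings standing in for a binary before and after the fix.
OLD_BIN = b"server v2.3.9 (vulnerable build)"
PATCHED_BIN = b"server v2.4.1 (fixed build)"
EXPECT = PatchExpectation(
    fixed_version="2.4.1",
    file_hashes={"/opt/app/bin/server": sha256_hex(PATCHED_BIN)},   # placeholder path
    settings={"AllowLegacyAuth": "no"},
)

if __name__ == "__main__":
    print(verify_patch(EXPECT, "2.4.1", {"/opt/app/bin/server": PATCHED_BIN}, {"AllowLegacyAuth": "no"}))
```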
If it is not feasible to install the patch because, for example, testing results show that the patch will crash or seriously disrupt the production system, alternate security controls should be implemented.

Patch Deployment and Verification

Patching vulnerabilities in a system may be as simple as modifying a configuration setting, or it may require the installation of a completely new version of the software. No single patch method can apply across all software applications and operating systems. Product or application vendors may provide specific instructions for applying security patches and updating their products, and it is recommended that system administrators read all the relevant documentation provided by vendors before proceeding with patch installation. In addition, security patches should be deployed through an established change control process.

Before applying a new patch, administrators may want to conduct a full backup of the system to be patched. This enables a quick and easy restoration of the system to a previous state if the patch has an unintended or unexpected impact on the system. After the patch is deployed, system administrators and users should verify that all systems and applications are functioning normally, and that they comply with laid down security policies and guidelines.

Patch Distribution and Application Tools

Organisations may want to consider using automated patch management tools to speed up the distribution and installation of patches. There are a number of patch management systems in the market that can help automate the entire patch management process. There is also a website run by patchmanagement.org that maintains a list of patch management vendors who offer solutions performing both patch assessment and remediation. They also maintain a page linking to patch management product comparisons previously published in industry magazines. Patch management systems can be broadly categorised into two areas:

1. Cross-platform patch management systems
This category of products can handle patches from more than one operating system, or products from different vendors.

2. Platform specific patch management solutions
This category of products will only support patches from a specific vendor or platform. A well-known example is the patch management tools provided by Microsoft. Microsoft Windows Server Update Services (WSUS) is a free tool from Microsoft designed to help system administrators deploy the latest Microsoft product updates and patches to computers running the Windows operating system.

Patch Management Governance

All organisations need to protect information systems from known vulnerabilities and security risks by applying the latest patches recommended by product vendors, or by implementing other compensatory security measures. Patch management should be based on an assessment that balances the security and down time risk of a security breach with the cost, disruption and availability risks associated with frequent and rapid deployment of software patches. Before security patches are applied, proper risk evaluation and testing should be conducted to minimise any undesirable effects on the normal running of information systems. A clear operational process that enables rapid testing and deployment should be established.

Depending on the nature of the information systems in question, risk levels may be different. For example, an information system that is only used internally faces fewer threats than an information system that directly interfaces with the Internet, serving customers or the general public. Depending on the risk level, organisations should determine the appropriate patch management strategy for each of their systems, including patch checking and patching frequency. In short, high-risk information systems should be addressed first.

When evaluating whether to apply a security patch or not, the risks associated with installing the patch should be assessed. Compare the risk posed by the vulnerability with the risk of installing the patch. If an administrator decides not to apply a patch, or if no patch is available, there should be other compensating controls. These may include:

1. turning off services or capabilities related to the vulnerability
2. adapting or adding access controls
3. increased monitoring of systems to detect and prevent actual attacks.

Security Considerations

When deploying a patch management solution, the following security issues should be considered:

1. The patch management system itself is a software application, and it might have its own set of security vulnerabilities. Patches to the patch management system and its components should be applied as soon as possible.
2. The servers that are running a patch management solution should be properly protected because this will be a central distribution point, sending updates to virtually all machines in the organisation. It could prove disastrous if the files on the patch management servers were to become infected with a virus. Any anti-virus software running on the server should have auto-protection enabled with the latest virus signatures and malicious code definitions installed in order to protect against any virus outbreak.
3. Access control to the patch management system should be secured, both physically, by limiting physical access to the central console to authorised personnel only, and logically, by restricting access to the central console to pre-registered IP addresses only.
4. Communication channels into the patch management system should be properly secured and protected. An attacker may be able to sniff network communications for sensitive information such as authentication credentials or patching statuses to determine which patches have been installed on particular systems, and hence locate vulnerable attack targets. Security measures such as data encryption should therefore be put in place to protect sensitive information passing through the management system from leakage.
5. Regular IT security risk assessments and audits should be conducted on the patch management system.
Criteria for Choosing a Patch Management Solution

Besides matching the specific user and business requirements, including product functionality and budget constraints, organisations should also take the following factors into consideration when choosing a robust and secure patch management solution:

1. Fewer Vulnerabilities: Some patch management products have more vulnerabilities than others. Organisations should choose an appropriate solution that looks less likely to be vulnerable itself, which in turn will reduce the need to patch the software regularly. Research should be conducted first to independently verify the product concerned. A complex product may mean more code and services that in turn might introduce more vulnerabilities. It may be wise to select a less complicated and more mature product.
2. System Compatibility: Some patch management solutions are agent-based and some are agent-less. Organisations should evaluate any impact on their systems (such as performance, stability and compatibility) if agents are to be deployed across a large number of machines.
3. Vendor Responsiveness to New Vulnerabilities: Organisations should also take note of the speed with which the solution vendor responds to new vulnerabilities with patches and updates.
4. Ease of Deployment and Maintenance: The easier the patch management solution is to deploy and maintain, the lower the implementation and ongoing maintenance costs to the organisation.
5. Audit Trail: A good patch management solution should provide comprehensive logging facilities that help system administrators easily keep track of the status of software fixes and patches on individual systems.
Summary

In order to combat the constantly increasing number of threats, organizations must become proactive in identifying risks in their network security. Regular vulnerability scanning is a critical component of all security architectures. Vulnerability scanning uses a variety of techniques to examine your external network over the Internet. Your external network likely consists of perimeter devices, such as routers and firewalls, as well as Internet accessible servers, like your email and web servers. When vulnerabilities are detected, the results are categorized in several ways, allowing customers to target the data they find most useful. Results and corrective recommendations are risk ranked based on priority and provided in executive summary and technically detailed formats, appropriate for business executives and technical administrators. This constant and early identification of security flaws allows your company to react quickly and appropriately to close security holes and helps prevent attacks and data compromises.
Nmap Commands

-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.

-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.

-sU (UDP scan)
While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports. UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

-sY (SCTP INIT scan)
SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states.

-sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
These three scan types (even more are possible with the --scanflags option described below) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 of RFC 793 says that "if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response." Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: "you are unlikely to get here, but if you do, drop the segment, and return." When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. Nmap exploits this with three scan types:
Null scan (-sN): does not set any bits (TCP flag header is 0).
FIN scan (-sF): sets just the TCP FIN bit.
Xmas scan (-sX): sets the FIN, PSH, and URG bits.

-sA (TCP ACK scan)
This scan is different from the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

-sW (TCP Window scan)
Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port as unfiltered when it receives a RST back, Window scan lists the port as open or closed if the TCP Window value in that reset is positive or zero, respectively.

-sM (TCP Maimon scan)
The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.

--scanflags (Custom TCP scan)
Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags.

-sZ (SCTP COOKIE ECHO scan)
SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan as an INIT scan.

-sI <zombie host>[:<probeport>] (idle scan)
This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). Full details of this fascinating scan type are in the section called "TCP Idle Scan (-sI)".

-sO (IP protocol scan)
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.

-b <FTP relay host> (FTP bounce scan)
An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server.
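As an added example (not code from the report or from Nmap), the flag rules above turned into defender-side logic: classify an unsolicited TCP segment by its flag bits into the NULL, FIN, Xmas, Maimon, SYN and ACK probe types, state what an RFC 793-compliant stack would answer, and summarise probes per source. The sample records, the SYN threshold and the "has_state" connection-tracking input are constructed assumptions.

```python
# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags, has_state):
    """Name the Nmap scan type whose probe looks like this segment.

    has_state is True when the host already tracks a connection for the
    4-tuple: FIN/ACK inside an established connection is ordinary teardown,
    while the same bits on a port with no connection are a Maimon probe.
    """
    if has_state:
        return "NORMAL"
    if flags & RST:
        return "RST"                    # stray reset, not a probe type
    if flags & (SYN | ACK) == 0:        # none of SYN/RST/ACK set
        if flags == 0:
            return "NULL"               # -sN
        if flags == FIN:
            return "FIN"                # -sF
        if flags == FIN | PSH | URG:
            return "XMAS"               # -sX
        return "CUSTOM"                 # another --scanflags combination
    if flags == SYN:
        return "SYN"                    # -sS/-sT first packet, or a real client
    if flags == FIN | ACK:
        return "MAIMON"                 # -sM
    if flags & ACK and not flags & SYN:
        return "ACK"                    # -sA / -sW
    return "CUSTOM"


def expected_response(flags, port_open):
    """Reply an RFC 793-compliant stack sends to an unsolicited segment.

    Closed port: anything without RST gets a RST. Open (LISTEN) port: no
    SYN/RST/ACK means silent drop, SYN gets SYN/ACK, and any ACK-bearing
    segment without SYN (FIN/ACK included) gets a RST; stacks that instead
    drop a FIN/ACK on an open port are the deviation the Maimon scan relies on.
    """
    if flags & RST:
        return None
    if not port_open:
        return "RST"
    if flags & (SYN | ACK) == 0:
        return None
    if flags & SYN and not flags & ACK:
        return "SYN/ACK"
    return "RST"


def scan_report(segments, syn_threshold=20):
    """Summarise (src, dport, flags, has_state) records as {src: {type: count}}.

    Lone SYNs are ordinary connection attempts, so SYN probing is only reported
    once a source touches syn_threshold distinct ports (a hypothetical value).
    """
    report, syn_ports = {}, {}
    for src, dport, flags, has_state in segments:
        kind = classify_probe(flags, has_state)
        if kind in ("NORMAL", "RST"):
            continue
        if kind == "SYN":
            syn_ports.setdefault(src, set()).add(dport)
            continue
        counts = report.setdefault(src, {})
        counts[kind] = counts.get(kind, 0) + 1
    for src, ports in syn_ports.items():
        if len(ports) >= syn_threshold:
            report.setdefault(src, {})["SYN"] = len(ports)
    return report


def build_sample_segments():
    """Constructed records, not a real capture."""
    segs = [("198.51.100.20", p, 0, False) for p in (22, 80, 443)]            # NULL probes
    segs += [("198.51.100.20", p, FIN | PSH | URG, False) for p in (22, 80)]  # Xmas probes
    segs += [("198.51.100.21", p, FIN | ACK, False) for p in (25, 110)]       # Maimon probes
    segs += [("198.51.100.22", p, SYN, False) for p in range(1, 31)]          # SYN scan
    segs += [("10.0.0.50", 443, SYN, False), ("10.0.0.50", 443, FIN | ACK, True)]  # client
    return segs


if __name__ == "__main__":
    for src, counts in scan_report(build_sample_segments()).items():
        print(src, counts)
```

A NULL, FIN or Xmas segment arriving on a port with no connection has no legitimate origin, so those three can be alerted on individually, whereas SYN and ACK probes only stand out by volume.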