Debian DokuWiki

User Tools

Site Tools

Trace: ipxe lvm james iptables bind docker ssl tuneup_guide tomcat mod_proxy_ajp
network_security_assesment

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_security_assesment [2009/06/07 22:25] k2patelnetwork_security_assesment [2020/08/10 02:35] (current) – external edit 127.0.0.1
Line 281: Line 281:
 Classless_Inter-Domain_Routing. Classless_Inter-Domain_Routing.
 </code> </code>
- 
 ==== TCP Port Scanning ==== ==== TCP Port Scanning ====
  
Line 353: Line 352:
 /usr/local/etc/fragroute.conf /usr/local/etc/fragroute.conf
 </code> </code>
-The fragroute.conf file defines the way fragroute fragments, delays, drops, duplicates, +The fragroute.conf file defines the way fragroute fragments, delays, drops, duplicates,\\ 
-segments, interleaves, and generally mangles outbound IP traffic. +segments, interleaves, and generally mangles outbound IP traffic.\\ 
-Using the default configuration file, fragroute can be run from the command line in+Using the default configuration file, fragroute can be run from the command line in\\
 the following manner: the following manner:
 +<code bash>
 $ cat /usr/local/etc/fragroute.conf $ cat /usr/local/etc/fragroute.conf
 tcp_seg 1 new tcp_seg 1 new
Line 367: Line 367:
 $ fragroute 192.168.102.251 $ fragroute 192.168.102.251
 fragroute: tcp_seg -> ip_frag -> ip_chaff -> order -> print fragroute: tcp_seg -> ip_frag -> ip_chaff -> order -> print
-Egress traffic processed by fragroute is displayed in tcpdump format if the print +</code> 
-option is used in the configuration file. When running fragroute in its default configuration, +Egress traffic processed by fragroute is displayed in tcpdump format if the print\\ 
-TCP data is broken down into 1-byte segments and IP data into 24-byte +option is used in the configuration file. When running fragroute in its default configuration,\\ 
-segments, along with IP chaffing and random reordering of the outbound packets. +TCP data is broken down into 1-byte segments and IP data into 24-byte\\ 
-fragroute.conf. The fragroute man page covers all the variables that can be set within +segments, along with IP chaffing and random reordering of the outbound packets.\\ 
-the configuration file. The type of IP fragmentation and reordering used by fragtest +fragroute.conf. The fragroute man page covers all the variables that can be set within\\ 
-when using the frag-new option can be applied to all outbound IP traffic destined for+the configuration file. The type of IP fragmentation and reordering used by fragtest\\ 
 +when using the frag-new option can be applied to all outbound IP traffic destined for\\
 a specific host by defining the following variables in the fragroute.conf file: a specific host by defining the following variables in the fragroute.conf file:
 +<code bash>
 ip_frag 8 old ip_frag 8 old
 order random order random
 print print
-TCP data can be segmented into 4-byte, forward-overlapping chunks (favoring +</code> 
-newer data), interleaved with random chaff segments bearing older timestamp +TCP data can be segmented into 4-byte, forward-overlapping chunks (favoring\\ 
-options (for PAWS elimination), and reordered randomly using these fragroute.conf+newer data), interleaved with random chaff segments bearing older timestamp\\ 
 +options (for PAWS elimination), and reordered randomly using these fragroute.conf\\
 variables: variables:
 +<code text>
 +tcp_seg 4 new
 +tcp_chaff paws
 +order random
 +print
 +</code>
 +I recommend testing the variables used by fragroute in a controlled environment\\
 +before live networks and systems are tested. This ensures that you see decent results\\
 +when passing probes through fragroute and allows you to check for adverse reactions\\
 +to fragmented traffic being processed. Applications and hardware appliances\\
 +alike have been known to crash and hang from processing heavily fragmented and
 +mangled data!\\
 +
 [[ http://monkey.org/~dugsong/fragroute | Nice tools from Dugsongs]] [[ http://monkey.org/~dugsong/fragroute | Nice tools from Dugsongs]]
  
 +Using Nmap to perform a fragmented SYN scan
 +<code bash>
 +$ nmap -sS -f 192.168.102.251
 +</code>
 +
 +Using Nmap to specify decoy addresses
 +<code bash>
 +$ nmap -sS -P0 -D 62.232.12.8,ME,65.213.217.241 192.168.102.251
 +</code>
 +
 +== Assessing source routing vulnerabilities ==
 +tools that can assess and exploit source routing vulnerabilities found in\\
 +remote networks:
 +  * LSRScan [[ http://www.synacklabs.net/projects/lsrscan | lsrscan ]]
 +  * LSRTunnel [[ http://www.synacklabs.net/projects/lsrtunnel | lsrtunnel ]]
 +LSRScan. The LSRScan tool crafts probe packets with specific source routing options\\
 +to determine exactly how remote hosts deal with source-routed packets. The tool\\
 +checks for the following two behaviors:
 +  * Whether the target host reverses the source route when sending packets back
 +  * Whether the target host can forward source-routed packets to an internal host, by setting the offset pointer to be greater than the number of hops defined in the loose hop list
 +The basic usage of the tool is as follows:
 +<code bash>
 +$ lsrscan
 +usage: lsrscan [-p dstport] [-s srcport] [-S ip]
 +[-t (to|through|both)] [-b host<:host ...>]
 +[-a host<:host ...>] <hosts>
 +</code>
 +LSRTunnel. LSRTunnel spoofs connections using source-routed packets. For the tool\\
 +to work, the target host must reverse the source route (otherwise the user will not see\\
 +the responses and be able to spoof a full TCP connection). LSRTunnel requires a\\
 +spare IP address on the local subnet to use as a proxy for the remote host.\\
 +Running LSRTunnel with no options shows the usage syntax:
 +<code bash>
 +$ lsrtunnel
 +usage: lsrtunnel -i <proxy IP> -t <target IP> -f <spoofed IP>
 +</code>
 +
 +== Using Specific Source Ports to Bypass Filtering ==
 +information regarding circumvention of Firewall-1 in certain\\
 +configurations, consult the excellent presentation from Black Hat Briefings 2000 by\\
 +Thomas Lopatic et al. titled “A Stateful Inspection of Firewall-1” available as a Real\\
 +Media video stream and PowerPoint presentation from [[ http://www.blackhat.com/html/bh-usa-00/bh-usa-00-speakers.html | Link]]
 +
 +=== Low-Level IP Assessment ===
 +Tools such as Nmap, Hping2, and Firewalk perform low-level IP assessment.
 +
 +Insight into the following areas of a network can be gleaned through low-level IP assessment:
 +
 +  * Uptime of target hosts (by analyzing the TCP timestamp option)
 +  * TCP services that are permitted through the firewall (by analyzing responses to TCP and ICMP probes)
 +  * TCP sequence and IP ID incrementation (by running predictability tests)
 +  * The operating system of the target host (using IP fingerprinting)
 +
 +The TCP timestamp option is defined in RFC 1323.
 +== Analyzing Responses to TCP Probes ==
 +A TCP probe always results in one of four responses. These responses potentially\\
 +allow an analyst to identify where a connection was accepted, or why and where it\\
 +was rejected, dropped, or lost:
 +  * TCP SYN/ACK
 +If a SYN/ACK packet is received, the port is considered open.
 +  * TCP RST/ACK
 +If an RST/ACK packet is received, the probe packet was rejected by either the\\
 +target host or an upstream security device (e.g., a firewall with a reject rule in its policy).
 +  * ICMP type 3 code 13
 +If an ICMP type 3 code 13 message is received, the host (or a device such as a\\
 +firewall) has administratively prohibited the connection according to an Access Control List (ACL) rule.
 +  * Nothing
 +If no packet is received, an intermediary security device silently dropped it.
 +
 +==== Simple tcpdump ====
 +dumping traffic with pcap_filter
 +<code bash>
 +tcpdump -i eth2 -s 0 -w /tmp/mar_2017.pcap host 192.168.1.86
 +</code>
 +
 +Reading pcap output file
 +<code bash>
 +tcpdump -qns 0 -X -r /tmp/mar_2017.pcap
 +</code>
  
-[[87]] 
network_security_assesment.1244413501.txt.gz · Last modified: 2020/08/10 02:30 (external edit)