network_security_assesment
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
network_security_assesment [2009/06/07 21:44] k2patel |
network_security_assesment [2020/08/10 02:35] (current) |
||
|---|---|---|---|
| Line 281: | Line 281: | ||
| Classless_Inter-Domain_Routing. | Classless_Inter-Domain_Routing. | ||
| </code> | </code> | ||
| - | |||
| ==== TCP Port Scanning ==== | ==== TCP Port Scanning ==== | ||
| Line 311: | Line 310: | ||
| </code> | </code> | ||
| - | [[ http://www.geocities.com/fryxar | Nice tools From Fryxar]]\\ | + | [[ http://www.geocities.com/fryxar | Nice tools From Fryxar]] |
| + | === Fragmenting Probe Packets === | ||
| + | Probe packets can be fragmented easily with fragroute to fragment all probe packets\\ | ||
| + | flowing from your host or network or with a port scanner that supports simple\\ | ||
| + | fragmentation, such as Nmap. Many IDS sensors can’t process large volumes of fragmented\\ | ||
| + | packets because doing so creates a large overhead in terms of memory and\\ | ||
| + | CPU consumption at the network sensor level.\\ | ||
| + | == Fragtest == | ||
| + | |||
| + | Dug Song’s fragtest utility can determine exactly which types of fragmented\\ | ||
| + | ICMP messages are processed and responded to by the remote host. ICMP\\ | ||
| + | echo request messages are used by fragtest for simplicity and allow for easy analysis;\\ | ||
| + | the downside is that the tool can’t assess hosts that don’t respond to ICMP\\ | ||
| + | messages.\\ | ||
| + | After undertaking ICMP probing exercises (such as ping sweeping and hands-on use\\ | ||
| + | of the sing utility) to ensure that ICMP messages are processed and responded to by\\ | ||
| + | the remote host, fragtest can perform three particularly useful tests: | ||
| + | * Send an ICMP echo request message in 8-byte fragments (using the frag option) | ||
| + | * Send an ICMP echo request message in 8-byte fragments, along with a 16-byte overlapping fragment, favoring newer data in reassembly (using the frag-new option) | ||
| + | * Send an ICMP echo request message in 8-byte fragments, along with a 16-byte | ||
| + | overlapping fragment, favoring older data in reassembly (using the frag-old | ||
| + | option) | ||
| + | Here is | ||
| + | an example that uses fragtest to assess responses to fragmented ICMP echo\\ | ||
| + | request messages with the frag, frag-new, and frag-old options: | ||
| + | <code bash> | ||
| + | $ fragtest frag frag-new frag-old www.bbc.co.uk | ||
| + | frag: 467.695 ms | ||
| + | frag-new: 516.327 ms | ||
| + | frag-old: 471.260 ms | ||
| + | </code> | ||
| + | |||
| + | == Fragroute == | ||
| + | |||
| + | The fragroute utility intercepts, modifies, and rewrites egress traffic destined for a\\ | ||
| + | specific host, according to a predefined rule set. When built and installed, version 1.2\\ | ||
| + | comprises the following binary and configuration files: | ||
| + | <code bash> | ||
| + | /usr/local/sbin/fragtest | ||
| + | /usr/local/sbin/fragroute | ||
| + | /usr/local/etc/fragroute.conf | ||
| + | </code> | ||
| + | The fragroute.conf file defines the way fragroute fragments, delays, drops, duplicates,\\ | ||
| + | segments, interleaves, and generally mangles outbound IP traffic.\\ | ||
| + | Using the default configuration file, fragroute can be run from the command line in\\ | ||
| + | the following manner: | ||
| + | <code bash> | ||
| + | $ cat /usr/local/etc/fragroute.conf | ||
| + | tcp_seg 1 new | ||
| + | ip_frag 24 | ||
| + | ip_chaff dup | ||
| + | order random | ||
| + | |||
| + | $ fragroute | ||
| + | Usage: fragroute [-f file] dst | ||
| + | $ fragroute 192.168.102.251 | ||
| + | fragroute: tcp_seg -> ip_frag -> ip_chaff -> order -> print | ||
| + | </code> | ||
| + | Egress traffic processed by fragroute is displayed in tcpdump format if the print\\ | ||
| + | option is used in the configuration file. When running fragroute in its default configuration,\\ | ||
| + | TCP data is broken down into 1-byte segments and IP data into 24-byte\\ | ||
| + | segments, along with IP chaffing and random reordering of the outbound packets.\\ | ||
| + | fragroute.conf. The fragroute man page covers all the variables that can be set within\\ | ||
| + | the configuration file. The type of IP fragmentation and reordering used by fragtest\\ | ||
| + | when using the frag-new option can be applied to all outbound IP traffic destined for\\ | ||
| + | a specific host by defining the following variables in the fragroute.conf file: | ||
| + | <code bash> | ||
| + | ip_frag 8 old | ||
| + | order random | ||
| + | |||
| + | </code> | ||
| + | TCP data can be segmented into 4-byte, forward-overlapping chunks (favoring\\ | ||
| + | newer data), interleaved with random chaff segments bearing older timestamp\\ | ||
| + | options (for PAWS elimination), and reordered randomly using these fragroute.conf\\ | ||
| + | variables: | ||
| + | <code text> | ||
| + | tcp_seg 4 new | ||
| + | tcp_chaff paws | ||
| + | order random | ||
| + | |||
| + | </code> | ||
| + | I recommend testing the variables used by fragroute in a controlled environment\\ | ||
| + | before live networks and systems are tested. This ensures that you see decent results\\ | ||
| + | when passing probes through fragroute and allows you to check for adverse reactions\\ | ||
| + | to fragmented traffic being processed. Applications and hardware appliances\\ | ||
| + | alike have been known to crash and hang from processing heavily fragmented and | ||
| + | mangled data!\\ | ||
| [[ http://monkey.org/~dugsong/fragroute | Nice tools from Dugsongs]] | [[ http://monkey.org/~dugsong/fragroute | Nice tools from Dugsongs]] | ||
| + | Using Nmap to perform a fragmented SYN scan | ||
| + | <code bash> | ||
| + | $ nmap -sS -f 192.168.102.251 | ||
| + | </code> | ||
| + | |||
| + | Using Nmap to specify decoy addresses | ||
| + | <code bash> | ||
| + | $ nmap -sS -P0 -D 62.232.12.8,ME,65.213.217.241 192.168.102.251 | ||
| + | </code> | ||
| + | |||
| + | == Assessing source routing vulnerabilities == | ||
| + | tools that can assess and exploit source routing vulnerabilities found in\\ | ||
| + | remote networks: | ||
| + | * LSRScan [[ http://www.synacklabs.net/projects/lsrscan | lsrscan ]] | ||
| + | * LSRTunnel [[ http://www.synacklabs.net/projects/lsrtunnel | lsrtunnel ]] | ||
| + | LSRScan. The LSRScan tool crafts probe packets with specific source routing options\\ | ||
| + | to determine exactly how remote hosts deal with source-routed packets. The tool\\ | ||
| + | checks for the following two behaviors: | ||
| + | * Whether the target host reverses the source route when sending packets back | ||
| + | * Whether the target host can forward source-routed packets to an internal host, by setting the offset pointer to be greater than the number of hops defined in the loose hop list | ||
| + | The basic usage of the tool is as follows: | ||
| + | <code bash> | ||
| + | $ lsrscan | ||
| + | usage: lsrscan [-p dstport] [-s srcport] [-S ip] | ||
| + | [-t (to|through|both)] [-b host<:host ...>] | ||
| + | [-a host<:host ...>] <hosts> | ||
| + | </code> | ||
| + | LSRTunnel. LSRTunnel spoofs connections using source-routed packets. For the tool\\ | ||
| + | to work, the target host must reverse the source route (otherwise the user will not see\\ | ||
| + | the responses and be able to spoof a full TCP connection). LSRTunnel requires a\\ | ||
| + | spare IP address on the local subnet to use as a proxy for the remote host.\\ | ||
| + | Running LSRTunnel with no options shows the usage syntax: | ||
| + | <code bash> | ||
| + | $ lsrtunnel | ||
| + | usage: lsrtunnel -i <proxy IP> -t <target IP> -f <spoofed IP> | ||
| + | </code> | ||
| + | |||
| + | == Using Specific Source Ports to Bypass Filtering == | ||
| + | information regarding circumvention of Firewall-1 in certain\\ | ||
| + | configurations, consult the excellent presentation from Black Hat Briefings 2000 by\\ | ||
| + | Thomas Lopatic et al. titled “A Stateful Inspection of Firewall-1” available as a Real\\ | ||
| + | Media video stream and PowerPoint presentation from [[ http://www.blackhat.com/html/bh-usa-00/bh-usa-00-speakers.html | Link]] | ||
| + | |||
| + | === Low-Level IP Assessment === | ||
| + | Tools such as Nmap, Hping2, and Firewalk perform low-level IP assessment. | ||
| + | |||
| + | Insight into the following areas of a network can be gleaned through low-level IP assessment: | ||
| + | |||
| + | * Uptime of target hosts (by analyzing the TCP timestamp option) | ||
| + | * TCP services that are permitted through the firewall (by analyzing responses to TCP and ICMP probes) | ||
| + | * TCP sequence and IP ID incrementation (by running predictability tests) | ||
| + | * The operating system of the target host (using IP fingerprinting) | ||
| + | |||
| + | The TCP timestamp option is defined in RFC 1323. | ||
| + | == Analyzing Responses to TCP Probes == | ||
| + | A TCP probe always results in one of four responses. These responses potentially\\ | ||
| + | allow an analyst to identify where a connection was accepted, or why and where it\\ | ||
| + | was rejected, dropped, or lost: | ||
| + | * TCP SYN/ACK | ||
| + | If a SYN/ACK packet is received, the port is considered open. | ||
| + | * TCP RST/ACK | ||
| + | If an RST/ACK packet is received, the probe packet was rejected by either the\\ | ||
| + | target host or an upstream security device (e.g., a firewall with a reject rule in its policy). | ||
| + | * ICMP type 3 code 13 | ||
| + | If an ICMP type 3 code 13 message is received, the host (or a device such as a\\ | ||
| + | firewall) has administratively prohibited the connection according to an Access Control List (ACL) rule. | ||
| + | * Nothing | ||
| + | If no packet is received, an intermediary security device silently dropped it. | ||
| + | |||
| + | ==== Simple tcpdump ==== | ||
| + | dumping traffic with pcap_filter | ||
| + | <code bash> | ||
| + | tcpdump -i eth2 -s 0 -w /tmp/mar_2017.pcap host 192.168.1.86 | ||
| + | </code> | ||
| + | |||
| + | Reading pcap output file | ||
| + | <code bash> | ||
| + | tcpdump -qns 0 -X -r /tmp/mar_2017.pcap | ||
| + | </code> | ||
| - | [[87]] | ||
network_security_assesment.1244411094.txt.gz · Last modified: 2020/08/10 02:30 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
