Basic Hacking – Nmap the Target Network (part 1)

cover Before actually breaking into a network, hackers—at least the good ones—spend a bit of time (and sometimes more than just a bit) getting to know the target network, mapping it out. The more information they can gather about the network, the better they will know how to break into it—and whether or not they really want to try.

Nmap is one of the premier tools used for ping sweeps and port scans, as well as for operating system identification. We will see how these capabilities (among numerous others) are used by potential intruders to gather information about, or fingerprint, their targets in advance of a cyber attack. In addition, we will see how and where complementary tools are used to gain the maximum possible amount of information from the network.

Let’s start with a description of the target environment. Keep in mind that, when beginning to investigate a network, an intruder probably will not know this information; identifying this information is the goal. The network under examination in this case belongs to a medium-sized corporation and follows a typical network design supporting a 10/100 MB Ethernet network. There is an Internet router, providing connectivity to the Internet, followed by a firewall. A demilitarized zone (DMZ) lies behind the firewall, along with the firm’s backbone switch. The corporate local area network (LAN) connects to this backbone switch, as illustrated in Figure 1
fig1
(click to enlarge)

Network fingerprinting attempts to capitalize on the information leakage from the network to draw a network topology map similar to or even more detailed than the one shown in Figure 1. Intruders often elect to begin their information gathering by examining the DMZ, as was the case here, because the DMZ generally hosts the public-facing Web server, and therefore it is the first place to connect to or interact with the target’s network. The DMZ can often provide many bits of useful information relevant to the overall network. First of all, it is sure to have Internet-accessible hosts with open ports—that is, hosts that can be reached across the firewall from the Internet.

In addition to Web servers, DMZs often include domain name servers (DNSs) and mail servers. The DNS is needed to facilitate Internet routing to and from the Web server. Placing a mail server in the DMZ can allow for direct mail responses to queries on the company’s Web site. It also potentially allows employees to access company e-mail over the Web. Because they expect so much anonymous Internet traffic, DMZs are usually not monitored by intrusion detection systems (IDSs) or other network-monitoring tools. This situation is changing, however. As IDS traffic-processing capabilities improve, more and more companies are starting to monitor the DMZ as well.

An unlucky few DMZ systems are misconfigured and provide a logical connection with the back-end network, increasing the attractiveness of these systems to hackers. Such a logical connection is shown in Figure 2.
fig2
(click to enlarge)

The purpose of such connections is generally to allow Web developers to upload newly developed Web content from their development PCs to the production Web server. When such connections exist, they are effectively back doors that allow hackers to access network resources almost entirely undetected—undetected to the extent that they are not using the established route through the router and across the firewall. These connections can be discovered by examination of the routing tables on the hosts within the DMZ. In addition, when these connections are left in place for long periods of time or permanently, they can be identified through ping sweeps and traceroutes of the DMZ or by examination of the ARP (Address Resolution Protocol) table.

The firm in this particular case had a relatively simple and straightforward DMZ because there was no large-scale Web infrastructure. The more complicated the Web infrastructure becomes—consisting of, for example, numerous Web servers hosting a large collection of Web-based applications, each communicating with multiple databases—the greater will be the likelihood of identifying useful information on the target network or of finding a direct vulnerability.

Therefore, because intruders often spend time casing out the DMZ before launching attacks against other network resources, it is essential that security administrators follow a similar process to evaluate the installation of the company’s DMZ in order to ascertain its security posture.

1. Port Scans
The intruder in this case study began the reconnaissance with a simple scan. The first scan is always simple, to avoid creating too much of a racket (noise), which could trigger network monitoring and intrusion detection tools. And in any case, the first step is to find out what hosts are listening and can be attacked at all, using the following Nmap command:

#nmap -p80 http://www.targetcompany.com/24

If the command executes successfully, the IP address of the company’s Web server(s) will be returned. Here’s the result of the command:

Starting nmap V. 2.54BETA7 ( http://www.insecure.org/nmap )

Interesting ports on target_machine_name(X.X.X.03):

Port State Service

80/tcp open http

Nmap run completed – 1 IP address (1 host up) scanned in 1 second

Scanning for port 80, while not necessarily a guarantee, does help to find all the hosts on the target network that are running Web servers. In addition to the public Web server, there may be staging, development, backup, or internal Web servers that are insecure or offer private information. In addition, port 80 is likely to be open on the firewall because Web traffic generally passes over this port. Nmap returns the IP address (X.X.X.03) of the target, potentially allowing the hacker to scan the related class C address space (X.X.X.x). But first the hacker must verify the class associated with the IP address. A popular method for doing this is to consult the whois service for the domain:

#whois targetcompany.com

Whois is available as a command-line tool on most UNIX flavors, as well as over numerous Web sites, such as arin.net (American Registry for Internet Numbers) and networksolutions.com, and sometimes whois is all that’s necessary. The following information was returned on whois queries against the author’s firm:

Registrant:

ANG Computer Technologies, Inc. (GSECURITY2-DOM)
7215-C Hanover Parkway
Greenbelt, MD 20770
US
Domain Name: GSECURITY.COM

Administrative Contact:
ANG Computer Technologies, Inc. (025138-OR) no.valid.email@worldnic.com
ANG Computer Technologies, Inc.
7215-C Hanover Parkway
Greenbelt, MD 20770
US
301-345-7595

Technical Contact:
VeriSign, Inc. (HOST-ORG) namehost@WORLDNIC.NET
VeriSign, Inc.
21355 Ridgetop Circle
Dulles, VA 20166
US
1-888-642-9675

Record expires on 01-Aug-2005.
Record created on 01-Aug-2001.
Database last updated on 18-Mar-2003 20:37:00 EST.

Domain servers in listed order:
NS.CIHOST.COM 216.221.162.81
NS2.CIHOST.COM 216.221.162.111

If the hacker is unable to identify the class of the network (as was the case here), the entire class C will have to be scanned, as follows:

#nmap -v -p 80 X.X.X.1-254

#nmap -v -p 53 -sU X.X.X.1-254

#nmap -v -p 53 -sT X.X.X.1-254

#nmap -v -p 25 X.X.X.1-254

#nmap -v -p 110 X.X.X.1-254

#nmap -v -p 143 X.X.X.1-254

#nmap -v -p 139 X.X.X.1-254

#nmap -v -p 445 X.X.X.1-254

#nmap -v -p 6000 X.X.X.1-254

As we can see, the intruder uses numerous scans rather than one, larger scan in order to keep his activities quiet, beneath the radar of an IDS and watchful security administrators.

The intruder did not specify the protocol in the scan against port 80 (the Hyper-Text Transfer Protocol, or HTTP), because Nmap will default to TCP (Transmission Control Protocol), and there is little reason to scan for UDP (User Datagram Protocol) over this port. In successive scans against port 53 (the DNS port), the protocols UDP and TCP were specified. Over these ports, zone information is exchanged; in other words, the host name–to–IP address mappings for that zone are exchanged between DNS servers and routers. Although the DNS has primarily UDP traffic, it does switch to TCP if the traffic is larger than 512 bytes.

If DNS traffic is allowed through the firewall, a zone transfer might be possible. A zone transfer is a querying of the full DNS record, or potentially the entire host name–to–IP address mapping of the zone. We say “potentially” because an individual DNS may not contain information for all the hosts in the zone. Some zones can be split among multiple DNSs, and other hosts may have Dynamic Host Configuration Protocol (DHCP), which allocates IP addresses from a previously specified range on demand—usually when the machine connects to the network. Still, capturing this information (a zone transfer) is one potential way to identify the data path to the corporate network. A zone transfer will be possible if the DNS allows transfers to unauthorized zones; however, many DNSs now block zone transfers except to specifically authorized IP addresses.

The intruder also checks ports 25 (SMTP), 110 (POP3), and 143 (IMAP). An open port 25 may indicate an e-mail server, especially in conjunction with ports 110 and 143 because these are interfaces at which the e-mail servers aim to allow users to download their e-mails to their machines.

Checks for ports 139,445, and 6000 are an effort to identify the operating system of the target. Ports 139 and 445 are typical Windows ports (for NT and 2000/XP, respectively), and port 6000 is a typical UNIX port (the X11 service). Identifying the target’s operating system is a large step in the direction of compromising the target because potential avenues of attack and known vulnerabilities can be explored. For instance, there are numerous, well-documented holes for Windows operating systems. Although Nmap has a specific option (-0) for determining the operating system of a target host, this “poor man’s version identification” can be helpful early because the scans take less time than an OS identification scan takes. The savings in time is important because at this point the hacker is casting a wide net, and every effort needs to be made to keep the scans quiet. The -0 scan is generally done against specific hosts, as we will discuss in Section 1.3.

In this manner, the intruder can perform numerous scans to find open ports on the firewall and identify hosts and running applications behind the firewall. Because the scans are kept small—only one port scanned at a time—this approach helps minimize the chances of triggering an IDS alert. Spacing the scans apart in time can further keep things quiet. Although there is no rule of thumb for how slow one should go, we have seen network mapping performed at a rate of just one scan per day over several months.

Identifying the applications not only helps to identify the vulnerabilities that they may bring to the network, but also indicates how to connect to the target. Once we know an application—for example, Telnet—running on a target network, we can research that application to identify its known holes and attempt to exploit those against the target. Sometimes during our research, we will also find exploit code for those vulnerabilities. Keep in mind that we must also identify the specific version and sometimes the maker of the application to research it thoroughly. Simultaneously, once we know that Telnet is running, we know that Telnet connections may be a way to access the network.

For example, once the attacker in this case had identified port 25 (SMTP) as being open, he attempted to identify the version of the application by making a Telnet connection to the port:

# telnet target_IP_address 25

The banner presented during the connection process will generally reveal all the information necessary. There are many applications for capturing application banners, including the freeware tools What’s Running, netcat, and Grabbb. These tools are available at http://www.woodstone.nu/whats, packetstormsecurity.org, and http://ftp.firewalls.com.br/grabbb.tar.gz.

One way to use the Grabbb tool is to create a file with all the IP addresses to be scanned. For example, the following echo command can be used to create a file with the target IP address, in this case (for illustration) the address for the author’s machine:

#echo ” X.X.X.03″ > example.txt

And now we run Grabbb, pointing to the example.txt file (through the –i flag):

#grabbb -i example.txt 22:25:80

The output generated by this command is as follows:

X.X.X.03:22: SSH-2.0-OpenSSH_3.5p1

X.X.X.03:25: 220 Welcome to Mail Server

X.X.X.03:80: Apache

We can see now the banners returned by applications running over ports 22, 25, and 80.

thats it folks, i’ll continue this series next time with OS detection, untill then ciao :]

info taken from | Defend I.T

Advertisements

About this entry