Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Difficulties in Network Mapping & port scanning

From: "David Ball" <lostinvietnam () hotmail com>
Date: Sat, 07 Jan 2006 16:16:57 +0800
Many thanks to everyone who replied to my original posting. The number of in-depth technical papers on network scanning and enumeration are thin on the ground from what I can gather. After some research I managed to turn up a few decent papers which go beyond the usual "this is an nmap SYN scan" and "this is an nmap ACK scan" type papers. I've listed each below. Chapter 11 (Firewalls) of Hacking Exposed Network Security Secrets and Solutions (Fourth Edition) is also worth a read as it touches on enumeration through a Firewall. 

Happy reading!

SCANNING & ENUMERATION TECHNIQUES
----------------------------------------------------------
1. "Host Detection - Generating arbitrary responses to identify inter-networked nodes". 
http://www.zone-h.org/files/29/responses-tisc.txt

2. "Techniques to validate host connectivity"
http://packetstorm.linuxsecurity.com/papers/protocols/host-detection.txt
3. "Diggin em Walls - Detection of Firewalls, and Probing networks behind firewalls". 
http://neworder.box.sk/newsread.php?newsid=2914

4. "Host Discovery with Nmap"
http://www.l0t3k.net/biblio/fingerprinting/en/NMAP-mwdiscovery.pdf
Provides different enumeration scenarios (Firewall with Filtering, Firewall with Generic Ruleset, Firewall with specific rules, Stateful Firewall with specific rules) and describes how to customize nmap scans for best results with each scenario. Provides example tcpdump output for each scan. 

5. "Strategies for Defeating Distributed Attacks"
http://www.megasecurity.org/Dos/Simple_Nomad.txt
The title is a little misleading. Do a Find for the word "enumeration" and read from there. Also a very interesting few paragraphs on using non-echo ICMP messages for host enumeration. See especially the section titled "ICMP Defense". 

6. "Firewall Penetration Testing"
http://www.wittys.com/files/mab/fwpentesting.html
(Borrows heavily from the original Firewalk paper but still worth a read)

7. "Network Scanning Techniques" - Ofir Arkin
http://www.sys-security.com/archive/papers/Network_Scanning_Techniques.pdf

8. "Low Level enumeration with TCP/IP"
http://www.securitydocs.com/library/3012/2

TOOLS
---------

1. Mike Shiffman/David Goldsmith's Firewalk paper
http://www.packetfactory.net/projects/firewalk/firewalk-final.pdf

2. "Tcptraceroute examples"
http://michael.toren.net/code/tcptraceroute/examples.txt

3. "Paratrace Analysis and Defence" (SANS GIAC practical)
http://www.giac.org/certified_professionals/practicals/gcih/0392.php

Sincerely.

David Ball.


From: "Don Parker" <dparker () bridonsecurity com>
To: <pen-test () securityfocus com>, "David Ball" <lostinvietnam () hotmail com>
Subject: Re: Difficulties in Network Mapping & port scanning Date: Tue, 3 Jan 2006 13:27:29 -0500 

Hi David,
Well people use the same tried and true scanning/probing attempts for they still work. That said even if the firewall, or router drops them you can still glean something from that. You would of course need to be logging your probing via tcpdump or windump. Once done you can then go over your activity 
and confirm what it is that you noted.
It is not so much that you will get nothing from the f/w dropping/blocking most of the well known scan attempts, but rather that people don't really have an in-depth knowledge of the TCP/IP protocol suite. Were they to have one then there is still a lot of information to be gleaned from a dropped or reset packet. Also in seeing what triggers an IP address to be shunned by the f/w. At what rate does this happen when sending SYN packets and the like. You have to be creative and think beyond the tired and true SYN scan.
You can make certain conclusions as to what the operating system is, what firewall it is, and so on by probing it with low level packeting (new word I think!). There is profiling information to be had in the stimulus or lack thereof when conducting the first steps in a pen test. Problem is, can the pentester make sense of it. To that end one should always try and present a solution for a problem. There is a good course that is offered by a friend of mine, which will help the pen tester get the most from low level packet probing. 

http://www.rigelksecurity.com/Training/training_TCPIP.html

Hope this helps,

Don

----- Original Message ----- From: "David Ball" <lostinvietnam () hotmail com>
To: <pen-test () securityfocus com>
Sent: Tuesday, January 03, 2006 5:23 AM
Subject: Difficulties in Network Mapping & port scanning



Hi all
Many publications detail nmap port scanning techniques but make many assumptions. The truth is that a properly configured Stateful Firewall will drop even the more esoteric nmap port scanning techniques (Null, Xmas, Fin, ACK scans). Even fragmenting port scans isn't always successful (namely nmap -f and fragrouter). So a pen-tester is stuck with a Firewalled public facing DNS or mail server but with difficulties getting a reliable port scan to that machine. What I would be interested to hear are people's real life experiences port scanning networks where stateful firewalling is properly architected and configured.
Same applies to ICMP network mapping. Any Network Admin worth his salt will block outbound ICMP echo replies and time exceeded messages so traditional traceroute and ping won't work. Sure there are plenty of networks out there who aren't so security aware but for the sake of arguement let's say an existing client has done this. What options are left to map a network where ICMP messages are properly controlled? Are there IMCP mapping techniques based on source quench and Path MTU discovery messages? Paratrace is an interesting twist on the more traditional mapping techniques which I'm investigating as is tcptraceroute. So same question as the above - what other real life examples can someone quote that get around ICMP filtering to map a network on the other side of a perimeter router and stateful FW.
I guess I'm looking for "I have used this technique in the past with some success" type of reply rather than "this might work". Thanks for anyone who takes the time to reply. 

Dave.
"Paranoia is not the belief that people are out to get you.... they are! Paranoia is the belief that people are conspiring to get you". 

_________________________________________________________________
FREE English Booklet! Improve your English. http://www.linguaphonenet.com/BannerTrack.asp?EMSCode=MSN03-08ETFJ-0211E 


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: 

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------






_________________________________________________________________
FREE English Booklet! Improve your English. http://www.linguaphonenet.com/BannerTrack.asp?EMSCode=MSN03-08ETFJ-0211E 


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: 

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: