2/7/13
Attackers aim at whichever systems they can reach. If they have no access to your internal network, they start from your Internet gateway. If they already have internal access, for example as malicious employees, they start scanning and mapping your
To build an inventory of accessible systems, attackers sometimes attempt to ping (send an ICMP Echo Request packet to) every possible address in the target network to determine which ones have active hosts. If a reply (an ICMP Echo Reply) comes back, that address has an active machine.
The Destination Host Unreachable message: a route to the destination computer system cannot be found.
The Request Timed Out message: your host did not receive the ping reply from the destination device within the designated time.
The Unknown Host message: generated when the hostname of the destination computer cannot be resolved, i.e. the hostname is incorrect.
Ping the IP address of your local loopback using the command ping 127.0.0.1. If this command succeeds, you know that the TCP/IP protocol suite is installed correctly on your system and functioning. If you are unable to ping the local loopback adapter, TCP/IP might need to be reloaded or reconfigured on the machine you are using.
Because many networks block incoming ICMP messages, attackers alternatively send a TCP or UDP packet to a port that is commonly open, such as TCP port 80 (the web service). If the port is open, the target address responds with a SYN-ACK packet. If nothing comes back, there may or may not be a machine there.
What's next?
Once attackers have determined which hosts are alive, what comes next? They want to learn your network topology. But how? They use a technique known as tracerouting.
Tracerouting relies on the Time-to-Live (TTL) field in the IP header. This field is decremented by one for each hop between the source and destination. TTL doesn't deal with time; it deals with hops. If the TTL reaches zero, the router sends back an ICMP Time Exceeded message to the originator of the
The first router receives the packet, decrements the TTL to zero, and sends back an ICMP Time Exceeded message. What is the source address of that ICMP Time Exceeded message? It's the IP address of the first router on the path to my destination. Bingo! I now know the address of the first router on the way to my destination.
This process continues as I send packets with incrementally higher TTLs until I reach my destination.
In Windows: TRACERT
The first column is the hop number. The next three columns show the round-trip time, in milliseconds, that a packet takes in each of its attempts to reach the destination. The last column is the hostname and the IP address of the responding device.
Have you ever run a traceroute and noticed that some of your hops are identified only by a row of stars (***) and not by an IP address?
That's because that hop isn't responding with an ICMP Time Exceeded message. Reason: the network may be very congested.
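The TTL mechanism described above, as an added simulation that is not part of the original lecture: a constructed path of routers (assumed addresses) decrements each probe's TTL, the router that zeroes it answers with Time Exceeded, and a router that never answers shows up as a star.

```python
# Constructed path: routers between us and the destination, in order.
# None marks a router that drops expired packets silently (shown as * by traceroute).
ROUTERS = ["10.0.0.1", "192.0.2.1", None, "198.51.100.7"]
DESTINATION = "203.0.113.80"

def forward(ttl, routers, destination):
    """Carry one probe along the path; return who answers it and why."""
    for router in routers:
        ttl -= 1                       # every hop decrements TTL by one, not by time
        if ttl == 0:
            # The router that zeroes the TTL is the source of ICMP Time Exceeded,
            # which is exactly how its address becomes known to the sender.
            return "exceeded", router
    return "reply", destination        # TTL survived every hop: the host itself answers

def traceroute(routers, destination, max_hops=30):
    """Probe with TTL 1, 2, 3 ... and record the responder for each hop."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, who = forward(ttl, routers, destination)
        hops.append((ttl, who if who is not None else "*"))  # silent hop -> star
        if kind == "reply":
            break                      # destination reached, stop probing
    return hops

if __name__ == "__main__":
    for hop, addr in traceroute(ROUTERS, DESTINATION):
        print(f"{hop:3d}  {addr}")
```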
Of course, attackers won't want to ping an entire network by hand to build a network topology, so they use automated tools. All of this pinging, tracerouting, and reconciling is a lot of work, so tools do it for them: Cheops-ng on Linux, Spiceworks on Windows.
[Slides: Spiceworks screenshots: after scan, map, quick find]
How do you prevent an attacker from mapping your network using ping, traceroute, Cheops-ng, and related network-mapping tools?
Block the traffic these tools rely on, using firewalls and the packet-filtering capabilities of your routers. At your Internet gateway, block incoming ICMP messages, except to hosts that you want the public to be able to ping.
Port Scanning
At this point in the attack, the attacker knows the addresses of live systems on the target network and has a basic understanding of the network topology. What's next?
The attacker wants to discover the potential entryways into the machines by analyzing which ports are open. The active TCP and UDP ports on a machine indicate the services running on that system. Each machine with a TCP/IP stack has 65,536 TCP ports and 65,536
Web server: TCP 80
DNS server: UDP 53
Internet mail server: TCP 25
Of course, any service can be configured to listen on any port, but the major services listen on a set of "well-known" port numbers so that client software knows where to connect for the service.
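The ping sweep, the TCP port 80 sweep and the port scan described above all leave a trail in firewall logs, and a defender can flag a source that touches many hosts or many ports within a short window. This detection logic is an added example, not from the original slides; the log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (key=value fields, documentation addresses only).
SAMPLE_LOG = """\
2013-02-07T10:00:01 src=203.0.113.5 dst=192.0.2.10 proto=icmp type=8
2013-02-07T10:00:01 src=203.0.113.5 dst=192.0.2.11 proto=icmp type=8
2013-02-07T10:00:02 src=203.0.113.5 dst=192.0.2.13 proto=tcp dport=80 flags=S
2013-02-07T10:00:03 src=203.0.113.5 dst=192.0.2.14 proto=tcp dport=80 flags=S
2013-02-07T10:00:10 src=203.0.113.9 dst=192.0.2.20 proto=tcp dport=21 flags=S
2013-02-07T10:00:10 src=203.0.113.9 dst=192.0.2.20 proto=tcp dport=22 flags=S
2013-02-07T10:00:11 src=203.0.113.9 dst=192.0.2.20 proto=tcp dport=25 flags=S
2013-02-07T10:00:12 src=203.0.113.9 dst=192.0.2.20 proto=tcp dport=80 flags=S
2013-02-07T10:00:30 src=198.51.100.2 dst=192.0.2.10 proto=tcp dport=80 flags=S
2013-02-07T11:30:00 src=198.51.100.2 dst=192.0.2.11 proto=tcp dport=80 flags=S
"""

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def is_probe(rec):
    # An ICMP Echo Request (type 8) or a bare TCP SYN is one host/port probe.
    return (rec.get("proto") == "icmp" and rec.get("type") == "8") or (
        rec.get("proto") == "tcp" and rec.get("flags") == "S")

def detect_scans(log_text, window=timedelta(seconds=60),
                 host_threshold=4, port_threshold=4):
    """Return {src: [alerts]} for sources crossing a threshold inside one window."""
    probes = defaultdict(list)
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        rec = parse_line(line)
        if is_probe(rec):
            probes[rec["src"]].append(rec)
    alerts = defaultdict(list)
    for src, recs in probes.items():
        start, seen = 0, set()
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:  # slide the window forward
                start += 1
            chunk = recs[start:end + 1]
            hosts = {r["dst"] for r in chunk}
            ports = {r["dport"] for r in chunk if r["proto"] == "tcp"}
            for kind, n, limit in (("host sweep", len(hosts), host_threshold),
                                   ("port scan", len(ports), port_threshold)):
                if n >= limit and kind not in seen:  # alert once per kind per source
                    seen.add(kind)
                    alerts[src].append(f"{kind}: {n} distinct targets in {window.seconds}s")
    return dict(alerts)
```

The third source sends only two SYNs ninety minutes apart, so the sliding window never sees more than one target from it and no alert is raised.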
Scanning Tools
Various tools exist, such as:
Nmap, by Fyodor
Strobe, by Julian Assange
Ultrascan
We will discuss Nmap here.
Nmap runs on most varieties of UNIX, Linux, and Windows. It even appeared in the movie The Matrix Reloaded in 2003, where the much-beloved character Trinity used Nmap to help save Neo. It has a very capable GUI front end, called the Nmap front end (Nmapfe).
Nmapfe offers a simple-to-use, point-and-click interface that automatically generates the appropriate command-line option to feed to the Nmap executable. The Command: line at the bottom of the Nmapfe screen shows the options that will be fed into the Nmap command line.
[Slides: Nmapfe screenshots: Ports/Host, Host details, Topology]
Any queries?