
Network Mapping

Chandan Gautam 12MCMB03

2/7/13

Reconnaissance phase finished. What's next: get into the mind of the network architect

The attacker wants to take an inventory of the systems on the network, like:

1. Determining the address of the target
2. Gaining an understanding of the network topology

Where will the attacker point their tools for mapping?


They aim at whichever systems they can reach. If they have no access to your internal network, they start from your Internet gateway. If the attackers already have internal access to your network, such as malicious employees, then they will start scanning and mapping your

Sweeping: Finding live hosts

There are two ways:
1. ICMP message
2. TCP or UDP packet

Ping: ICMP Message

To build an inventory of accessible systems, attackers sometimes attempt to ping (ICMP Echo Request packet) all possible addresses in the target network to determine which ones have active hosts. If a reply (ICMP Echo Response) comes back, that address has an active machine.

Ping Command in Windows

Two types of message in ping

The Destination Host Unreachable message: means that a route to the destination computer system cannot be found.
The Request Timed Out message: this error message indicates that your host did not receive the ping message back from the destination device within the designated time.

Continue

The Unknown Host message: generated when the hostname of the destination computer cannot be resolved, i.e. an incorrect hostname.

Troubleshooting with ping

Ping the IP address of your local loopback, using the command ping 127.0.0.1. If this command is successful, you know that the TCP/IP protocol suite is installed correctly on your system and functioning. If you are unable to ping the local loopback adapter, TCP/IP might need to be reloaded or reconfigured on the machine you are using.

ICMP message type


TCP or UDP message

Because many networks block incoming ICMP messages, attackers can alternatively send a TCP or UDP packet to a port that is commonly open, like TCP port 80 (for web service). If the port is open, the target address responds with a SYN-ACK packet. If nothing comes back, then there may or may not be a machine there.

What's next?

Once attackers determine which hosts are alive, what's next?
They want to learn your network topology.
But how? They use a technique known as tracerouting.

TRACEROUTE: Where are the hops?

Tracerouting relies on the Time-to-Live (TTL) field in the IP header. This field is decremented by one for each hop between the source and destination. TTL doesn't deal with time; it deals with hops. If the TTL is zero, the router sends back an ICMP Time Exceeded message to the originator of the

Continue
The first router receives the packet, decrements the TTL to zero, and sends back an ICMP Time Exceeded message. What is the source address of the ICMP Time Exceeded message? It's the IP address of the first router on the path to my destination. Bingo! I know the address of the first router on the way to my destination.

This process continues as I send packets with incrementally higher TTLs until I reach my destination.

Traceroute: same tool with different name

Traceroute: tool with Windows

Continue

In Windows: TRACERT

What does tracert tell us?

The first column represents the hop number. The next three columns indicate the round-trip time, in milliseconds, that a packet takes in its attempts to reach the destination. The last column is the hostname and the IP address of the responding device.

Continue

Have you ever done a traceroute and noticed that some of your hops are identified with just a bunch of stars (***) and not an IP address?

Tracert with bunch of stars ***

That's because that hop isn't responding with an ICMP Time Exceeded message. Reason: the network may be very congested.
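
The TTL mechanism from the preceding slides, as an added example that is not part of the original presentation: a simulation over a constructed path (no packets are sent) in which the second router never returns ICMP Time Exceeded, so that hop shows as *. The Router class, the addresses and the ICMP Echo probe type (as Windows tracert uses) are assumptions.

```python
# Added example: simulates the TTL mechanism on a constructed path (no network I/O).
from dataclasses import dataclass

@dataclass
class Router:
    address: str
    sends_time_exceeded: bool = True   # False models a hop that stays silent

# Constructed path using documentation address ranges (RFC 5737).
PATH = [
    Router("192.0.2.1"),
    Router("198.51.100.7", sends_time_exceeded=False),
    Router("203.0.113.9"),
]
DESTINATION = "203.0.113.80"

def forward(ttl, path, destination):
    """Carry one probe along the path; return (icmp_message, source) or None."""
    for router in path:
        ttl -= 1                       # every hop decrements the TTL by one
        if ttl == 0:                   # TTL exhausted at this router
            if router.sends_time_exceeded:
                return ("time-exceeded", router.address)
            return None                # no reply: the tool prints * for this hop
    return ("echo-reply", destination)

def trace(path, destination, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and record who answers each one."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(ttl, path, destination)
        hops.append((ttl, reply[1] if reply else "*"))
        if reply and reply[0] == "echo-reply":
            break                      # destination reached
    return hops

if __name__ == "__main__":
    for hop, address in trace(PATH, DESTINATION):
        print(hop, address)
```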

How to ping an entire network?

Of course attackers won't want to ping an entire network by hand to create a network topology, so they use automated tools. Doing all of this pinging, tracerouting, and reconciling is a lot of work.
Use Cheops-ng: for Linux
Use Spiceworks: for Windows

Spiceworks

After scan

Map

Quick find

Defence against Network Mapping:

How do you prevent an attacker from mapping your network using ping, traceroute, Cheops-ng, and related network-mapping tools?

Continue

Defend against these tools by using firewalls and the packet-filtering capabilities of your routers. At your Internet gateway, you should block incoming ICMP messages, except to hosts that you want the public to be able to ping.
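
An added sketch of the gateway policy above (not from the original slides): a first-match rule list compared with a permit-all ICMP rule, showing which live hosts still answer a probe arriving from outside. The addresses, the rule format and the TCP rules, which extend the ICMP advice to the TCP port 80 probe described earlier, are assumptions.

```python
# Added example: the gateway ICMP policy as a first-match rule list.
import ipaddress

# Assumptions (constructed): 203.0.113.0/24 is the protected network and
# 203.0.113.80 is the only host the public may ping or reach on TCP 80.
HARDENED = [
    # (protocol, ICMP type or TCP port, destination network, action)
    ("icmp", "echo-request", "203.0.113.80/32", "accept"),
    ("icmp", None, "203.0.113.0/24", "drop"),      # all other incoming ICMP
    ("tcp", 80, "203.0.113.80/32", "accept"),
    ("tcp", None, "203.0.113.0/24", "drop"),       # TCP probes to other hosts
]
# Weak setting for comparison: every incoming ICMP message is let through.
PERMIT_ALL_ICMP = [("icmp", None, "203.0.113.0/24", "accept")]

LIVE_HOSTS = ["203.0.113.10", "203.0.113.25", "203.0.113.80"]  # constructed

def decide(rules, proto, detail, dst):
    """Return the action of the first matching rule; unmatched traffic is dropped."""
    addr = ipaddress.ip_address(dst)
    for r_proto, r_detail, r_net, action in rules:
        if r_proto != proto:
            continue
        if r_detail is not None and r_detail != detail:
            continue
        if addr in ipaddress.ip_network(r_net):
            return action
    return "drop"

def answering_hosts(rules, proto, detail, hosts=LIVE_HOSTS):
    """Live hosts that a probe of this kind from the Internet would still reach."""
    return [h for h in hosts if decide(rules, proto, detail, h) == "accept"]

if __name__ == "__main__":
    print("permit-all:", answering_hosts(PERMIT_ALL_ICMP, "icmp", "echo-request"))
    print("hardened:  ", answering_hosts(HARDENED, "icmp", "echo-request"))
```

Dropping every other inbound ICMP type also drops the Destination Unreachable (fragmentation needed) messages that path MTU discovery relies on, so production rule sets usually still admit those for established flows.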


Port Scanning

At this point in the attack, the attacker knows the addresses of live systems on the target network and has a basic understanding of the network topology. What's next?

Determining Open Ports Using Port Scanners

The attacker wants to discover the potential entryways into the machines by analyzing which ports are open. The active TCP and UDP ports on the machines are indicative of the services running on those systems. Each machine with a TCP/IP stack has 65,536 TCP ports and 65,536

Port numbers and their services

Web server: TCP 80
DNS server: UDP 53
Internet mail server: TCP 25
Of course, any service can be configured to listen on any port, but the major services listen on a variety of "well-known" port numbers, so the client software knows where to connect for the service.
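
For the defender, the sweeping and port-scanning steps described in this presentation leave a recognisable pattern in gateway logs; the added example below (not part of the original slides) flags a source that touches many hosts with one probe type, or many ports on one host, inside a time window. The log format, addresses and thresholds are constructed assumptions.

```python
# Added example: sweep and port-scan detection over a constructed gateway log.
from collections import defaultdict

# Constructed log lines: epoch-seconds src dst proto detail
# (detail is the ICMP type or the TCP/UDP destination port).
SAMPLE_LOG = """\
100 198.51.100.23 203.0.113.1 icmp echo-request
100 198.51.100.23 203.0.113.2 icmp echo-request
101 198.51.100.23 203.0.113.3 icmp echo-request
101 198.51.100.23 203.0.113.4 icmp echo-request
102 192.0.2.50 203.0.113.80 tcp 80
103 192.0.2.77 203.0.113.80 tcp 21
103 192.0.2.77 203.0.113.80 tcp 22
104 192.0.2.77 203.0.113.80 tcp 23
104 192.0.2.77 203.0.113.80 tcp 25
900 192.0.2.50 203.0.113.80 tcp 80
"""

def detect(log_text, window=60, host_threshold=4, port_threshold=4):
    """Flag sources that probe many hosts (sweep) or many ports (port scan)."""
    sweeps = defaultdict(list)   # (src, proto, detail) -> [(ts, dst)]
    scans = defaultdict(list)    # (src, dst, proto)    -> [(ts, port)]
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                              # skip malformed lines
        ts, src, dst, proto, detail = fields
        sweeps[(src, proto, detail)].append((int(ts), dst))
        if proto in ("tcp", "udp"):
            scans[(src, dst, proto)].append((int(ts), detail))
    alerts = []
    for label, table, limit in (("sweep", sweeps, host_threshold),
                                ("portscan", scans, port_threshold)):
        for key, events in table.items():
            if _max_distinct(events, window) >= limit:
                alerts.append((label, key[0]))    # key[0] is the source address
    return sorted(set(alerts))

def _max_distinct(events, window):
    """Largest number of distinct values seen inside any sliding time window."""
    events.sort()
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({value for _, value in events[start:end + 1]}))
    return best
```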


Scanning Tools

Various tools, like:
Nmap by Fyodor
Strobe by Julian Assange
Ultrascan
We will discuss Nmap here.

Nmap 6.25: A Full-Featured Port-Scanning Tool

Nmap runs on most varieties of UNIX, Linux, and Windows. It appeared in the movie The Matrix Reloaded in 2003, where the much-beloved character Trinity used Nmap to help save Neo. It has a very capable GUI front end, called the Nmap front end (Nmapfe).

Nmapfe offers a simple-to-use, point-and-click interface that automatically generates the appropriate command-line option to feed to the Nmap executable. The Command: line at the bottom of the Nmapfe screen shows the options that will be fed into the Nmap command line.


Ports/Host:

Host details

Topology

Any queries?