06/30/14

CSRF Vulnerability on LinkedIn

csrf_linkedin

In previous blog we have seen a critical vulnerability in LinkedIn password reset module allowing an attackers to compromise LinkedIn user’s account and how helpless a LinkedIn user in case of an actual compromise of his / her account in real world scenario.

Here is a new vulnerability Cross-Site Request Forgery, CSRF present on LinkedIn Recommendation Section, which allows attacker to delete any Recommendation of Any user. 

 

Lets us understand the issue and simplicity of this attack.

1. Attacker / malicious LinkedIn user can check the recommendation given by LinkedIn User 1 to LinkedIn User 2.

2. Attacker logs into LinkedIn account, goes to the web page source and search for strings such as “Recommendation for USERNAME”.

csrf2

 Figure: Web page source shows the recommendation details with a unique Id ”515940281” for User 1’s recommendations to User 2.

 

3. To craft a malicious CSRF link attacker goes to Manage Recommendation area and check for any recommendations he has posted for others.  Clicks on it and copy the URL for any one recommendation.

The URL will be

https://www.linkedin.com/recommendations?dep=&recID=515830421&goback=%2Enas_*1_*1_*1%2Eprs

csrf1

Figure: Analyzing and collecting URL for Displaying and Withdrawing a User’s recommendation.

 4. Now same way the URL to withdraw any given recommendation by the attacker is

https://www.linkedin.com/recommendations?wdr=&recID=515830421&goback=%2Enas_*1_*1_*1%2Eprs

The only difference is to change the parameter from ‘dep’ to ‘wdr’.

Craft a URL for removing or withdrawing recommendation from User 1 to User 2 is

https://www.linkedin.com/recommendations?wdr=&recID=515940281

This is the shortest and simplest form of the vulnerable CSRF link.

5. Send this URL to User 1 in an email. More dangerously, the same CSRF link can be send using LinkedIn mail feature.

6. On clicking this link by User 1 the selected recommendation given by User 1 to User 2 will be withdrawn or deleted.

 

On reporting this issue LinkedIn was prompt to acknowledge the vulnerability and have mitigated it.

More can be read at http://packetstormsecurity.com/files/127259/

Author: Kishor Sonawane

06/23/14

VoIP Penetration Testing Part – III

In the previous tutorial VoIP Penetration Testing Part-II  we have learnt on how to do scanning against VoIP Server. In this tutorial we will configure the softphone which we will be using for further attacks.

Softphone Configuration :

Lab Setup :

  1. VoIP Server -192.168.0.4
  2. Two Softphone on two systems running on VMware’s

Steps :

1.   The main task is to configure Softphone. Download Zoiper Softphone from below link.

http://www.zoiper.com/

2.  Open your browser and enter IP address of your server. In my case it is http://192.168.0.4

Click on PBX > PBX Settings > Extensions

3.  Select Generic SIP Device and click on submit.

1

 

4.  You need to enter following detail :
User Extension: ( 202,302,402 and so on)
Display Name: (Enter the name of your choice)

2

5. Secret: (Enter string of your choice)

3

6. Click on Add Extension.

In my case I have added two extensions as shown below. After adding extension, do not forget to click on the Apply Configuration Changes button.

4

7. After clicking Apply Configuration Changes button, you will see following popup. Click on Continue with reload.

5

8. Now let us configure the Softphone.

6

9. Enter the password, which you have entered in the Secret field at the time of adding user on server. In username field enter the User extension that you have added in step 4 (E.g:100,200,) and in Domain field enter the IP address of Server. After submitting this information click on apply.

10. After Successful registration you will see following screen

7

Note: Same way we have configured one more softphone for user ‘wagh’.

11. Now let us try to call from user wagh to user sachin to check whether the setup is working properly.

8

It was observed that call from user wagh to sachin was successful.

SIP User Extension Enumeration :

The next and last step in information gathering is enumeration. It involves probing the identified services for known weaknesses. Enumeration involves getting information such as user account names, misconfigured shared resources, and software versions. One of the most common enumerations is against SIP protocol.

Targeting SIP proxy or location server will provide user registration and presence.

Lab Setup :
1. Client where the softphone is installed – 192.168.0.5
2. Server IP – 192.168.0.7

Before starting the practical, let us understand the SIP Request method and Response code.

SIP Request Method:

1
SIP Response Code:

2

Methods of enumeration:

  • REGISTER  – username enumeration
  • INVITE  – username enumeration
  • OPTIONS – username enumeration

1.  Username enumeration using REGISTER request method:

This involves gaining information about valid accounts registered on the VoIP network using error messages from SIP proxy or registration servers. Attacker sends SIP REGISTER requests to the proxy or registration server with the specified extension and checks for the response status code if and extension is valid. When the 401 Unauthorized or 407 Proxy Authentication Required or 200 OK is received, the SIP account username was valid. If 403 Forbidden is received, the SIP account username was invalid.

3

 

SIPVicious is a suite of command-line tools that works on Linux, Mac and Windows platforms.

The suite of tools includes

  • Svmap
  • Svwar
  • Svcrack
  • Svreport
  • Svcrash

For extension scanning, the svwar.py tool is used, which supports REGISTER, INVITE and OPTIONS scans. It supports all  three extension enumeration methods, the default method for enumeration is REGISTER.

4

2. Username enumeration using INVITE request method:

Sending an SIP INVITE request, means initializing a call to target with valid user usually generates 100 Trying and 180 Ringing messages, which means the SIP username extension was valid. When 404 Not Found is received, it means the SIP username extension was invalid. INVITE requests can be sent directly to phones if their IP addresses are known.

5

You will see calling screen on 192.168.0.5 System when you send INVITE request.

6

3. Username enumeration using OPTIONS request method:

The OPTIONS method is the most stealthy and effective methods.
The OPTIONS is used to advertise supported message capabilities and legitimate users.
Depending on if the received message was 200 OK or 404 Not Found, you can differentiate the valid and invalid SIP username extensions.

7

Svmap allows specifying the request method, which is being used for scanning.
The default method is OPTIONS.

8

In next and last tutorial we will learn on exploitation phase with various attacks.

Author: Sachin Wagh

Security Consultant, Varutra Consulting

06/5/14

Better Secure Than Sorry! Neglected, Assumed and Hence Vulnerable Menace: Password Attacks

password

On July 16, 1998, CERT reported an incident where an attacker had found 186,126 encrypted passwords. By the time they were discovered, they had already cracked 47,642 passwords.

In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The cracker then leaked the full list of 32 million passwords (with no other identifiable information) to the Internet. Passwords were stored in clear text in the database and were extracted through an SQL Injection vulnerability.

In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-bookshop. The data were leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals.

On July 11, 2011, Booz Allen Hamilton, a large American consulting firm that does a substantial amount of work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. “The leak, dubbed ‘Military Meltdown Monday,’ includes 90,000 logins of military personnel – including personnel from USCENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors.” These leaked passwords wound up being hashed in Sha1, and were later decrypted and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the password requirements.

On July 18, 2011, Microsoft Hotmail banned the password “123456.” Surprisingly passwords such as “123456,” “password,” and “12345678” made it to the top three in the Worst Password List of 2013’ released by SplashData.

Confidentiality, integrity, and availability (CIA) triad is critical to guide policies for information security within an organization. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of ready access to the information by authorized people.

An attacker may exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, in the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords. Then, with a stolen password, the attacker can execute an integrity attack when he gains entry to the system. And he can even use an availability attack as part of the overall effort to neutralize alarms and defensive systems, so they can’t report his existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity, and availability) would be in jeopardy. Always think C-I-A.

Intruders
One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as hackers or crackers. Anderson [ANDE80] identified three classes of intruders:

  • Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
  • Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized or who is authorized for such access but misuses his or her privileges.
  • Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.

Intruder attacks range from benign to serious. At the benign end of the scale, there are many people who simply wish to explore a network to see the content. At the serious end, there are individuals who are attempting to read privileged data, perform unauthorized modifications to it, or disrupt the system.An analysis of password attacks revealed that there were two levels of hackers. The high level was a sophisticated user with a thorough knowledge of the technology; the low level was the ‘foot solders’ that merely used the supplied cracking programs with little understanding of how they worked. This teamwork combined the two most serious weapons in the intruder armory: sophisticated knowledge of how to intrude and willingness to spend countless hours ‘turning doorknobs’ to probe for weaknesses.

Password Protection
The front line of defense against intruders is the password system. Virtually all the multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following way:

  • The ID determines whether the user is authorized to gain access to the system. In some system only those who already have an ID filed on the system are allowed to gain access.
  • The ID determines the privileges accorded to the user. Few users may have ‘super-user’ status that enables them to read files and perform functions that are specially protected by the operating system. Some systems have guest or anonymous accounts, and the users of these accounts have more limited privileges than others.
  • The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of other users, a user may grant permission to them to read files owned by that user.

Password Attacks

The ability to crack passwords using computer programs is also a function of the number of possible passwords per second, which can be checked. If a hash of the target password is available to the attacker, this number can be quite large. If not, the rate depends on whether the authentication software limits how often a password can be tried, either by time delays, CAPTCHAs, or forced lockouts after some number of failed attempts. Another situation where quick guessing is possible is when the password is used to form a cryptographic key. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data.

Attempting to crack passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.
With regard to passwords, it’s simple: don’t use passwords that may be found in a dictionary. For enterprise and more security conscious web sites implement password policies that mandate the use of numbers, letters and, sometimes, special characters. But is this enough?

With the recent publication of hundreds of thousands of usernames and associated passwords, it appears that common sense is in fact, not very common.

The recent Yahoo! E-mail hack revealed that ‘123456’ was used as the password for 1,666 users. Believe it or not, 780 users used ‘password’. Please!

Once hackers are able to infiltrate a site, they make their way to the list of usernames and passwords. A file that is typically encrypted or ‘hashed’ using MD5 (Message-Digest Algorithm) is a widely used cryptographic hash function.

Hackers will then try to generate hashes through brute force and compare the data from the stolen file to the newly created hash file. This is how, after a breach, they are able to post all of the passwords online.

A quick distinction: a Dictionary Attack is where a hacker will use a dictionary file to iterate through every possible word to produce a hash file which can then be used to compare to the target hash.

Dictionary files can be downloaded from a number of places such as the Pirate Bay, so it’s something that script kiddies can use. A dictionary attack works well on single word passwords, but fail on more complex passwords such as those required in most mature organizations.

Brute Force Attacks are different in that they will cycle through every possible combination of characters (e.g., aaaaaaa, aaaaaab, aaaaaac, aaaaaad, etc.), rather than employing a dictionary list. While very effective, given enough time, brute force attacks will typically waste a lot of cycles trying to crack a hash from nonsense letter combinations like:

  • dddddd
  • jhakdsj
  • asdasda

If we calculate that we can move through 50 hashes per second, then a 7 letter password (the most common password length) has 56,222,671,232 possible word combinations (see Table 1), which would take almost 2,000 years to crack using brute force.

table_passPasswords that resemble line noise are only generated by the most paranoid users. Most people will generate words or phrases that they can easily remember. This means that they will follow some basic word construction rules in the creation of their password/passphrase.

Rainbow tables (that uses pre-computed password hash chains) are used by security testers or hackers as a faster technique to crack a password. A password with a large salt value can defend against rainbow tables though.

Password Selection Strategies
To eliminate guessable passwords while allowing the user to select a password that is memorable, four basic techniques are used:

  • User education: Users can be told the importance of using hard-to-guess password and can be provided with guidelines for selecting strong passwords.
  • Computer generated passwords: Though these passwords are random in nature, users may not be able to remember them.
  • Reactive password checking: The system periodically runs its own password cracker to find the guessable passwords.
  • Proactive password checking: A user is allowed to select his or her own password, however at the time of selection the system checks to see if the password is allowable and, if not, rejects it.

Brute Force Attack

When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys or passwords until the correct one is found.Brute-force attacks can be made less effective by obfuscating the data to be encoded, something that makes it more difficult for an attacker to recognize when he/she has cracked the code. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.

Dictionary Attack

It is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values).

In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), such as single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit. However these are easy to defeat. Adding a single random character in the middle can make dictionary attacks untenable. Unlike brute-force attacks, dictionary attacks are not guaranteed to succeed.

Password Aging

Auditors and other security practitioners continue to recommend password aging, the idea that a password must be renewed within a set period or it expires, as a best practice to protect accounts against unauthorized access and to ensure separation of duties. At best, this is a waste of time and a distraction that reduces user support for well-founded security initiatives. At worst, it actually increases the potential for misuse of accounts.

Password aging is counterproductive in that it inevitably encourages more people to write down more passwords. Arguments for the security value of password aging hinge on several assumptions about the vulnerability of passwords, each of which is flawed in a significant way.

Assumption No. 1: Password Aging Is a Protection Against Brute-Force Attacks Against Specific Passwords

It is relatively easy to gain access to a computer without the need for brute-force attacks. For example, if an attacker has physical access to a Unix system or Windows PC for longer than a few minutes, that attacker can easily bypass the password security and gain access to the administrator account without mounting any kind of attack on account passwords.

Furthermore, in organizations today, keyboard-logging software is more common than password-cracking software. If the attacker does not have unrestricted access to the device for longer periods, login failure lockout and a moderately complex password should defeat manual guessing attempts.

Assumption No. 2: Password Aging Is a Protection Against Password Sharing

Users who are willing to share passwords will continue to do so, whether or not password changes are required. Password aging may reduce the size of the group knowing the password but will not eliminate it.

Assumption No. 3: Password Aging Limits the Effect of Stolen Passwords

Even with password aging set to 30 days, the attacker will have, on average, 15 days with a stolen password. This is more than enough time to cause significant and lasting damage, including the creation of other entry points (back doors) into the system. If passwords are stolen through automated keystroke logging software, which is increasingly the case, then the new password will be stolen the first time it’s used. Other ways of password theft, such as social engineering and shoulder surfing, are also repeatable.

Preventions

The best method of preventing a password from being cracked is to ensure that attackers cannot get access even to the hashed password. For example, on the Unix operating system, hashed passwords were originally stored in a publicly accessible file /etc/passwd. On modern Unix (and similar) systems, on the other hand, they are stored in the file /etc/shadow, which is accessible only to programs running with enhanced privileges (i.e., “system” privileges). This makes it harder for a malicious user to obtain the hashed passwords in the first instance. Unfortunately, many common Network Protocols transmit passwords in cleartext or use weak challenge/response schemes.

Password guessing: Most host administrators have improved their password controls, but the group account still abound, and password-directory and password-cracking programs can easily crack at least 10 percent of the passwords users choose. The deterrent is enforcement of good passwords.

Password sniffing: CERT estimated long back in 1994, thousands of systems will be the victims of password sniffers. On LANs any internal machine on the network can see the traffic for every machine on that network. Sniffer programs exploit this characteristic, monitoring all IP traffic and capturing the first 128 bytes or so of every encrypted FTP or Telnet session. The deterrent is to utilize programs that provide one- time (non-reusable) passwords.

Apostrophe Use

Here we are expecting one apostrophe followed by an‘s’, and positioned at the last or second to last character. For the algorithm we are not concerned with the apostrophe to show a contraction, only possession and plural possession.

Hyphens and Underscores

The rule here is that these are uses independently for the separation of two unique constructions; then each word is tested separately.

Ending Punctuation

Ending punctuation (! ? . , ) is expected to be at the end of the password, and we would not expect to see more than one punctuation character. Any other ending punctuation is not accepted.

Suffixes

Accepted suffixes include -able, -ac, -acity, -age, etc. Here is a comprehensive Suffix Worksheet. The rule here is that the last letter before the suffix cannot be the same as the first letter of the suffix. The rule does not allow for repeating vowels.

Vowels

The word needs to contain at least one vowel.

Employing Character Position Analysis, analyzing a character’s position in relation to its neighbors, allows a hacker to know if the characters fit next to each other. There are three tests involved as well as methods for getting more accurate results, as well as how to deal with more complex characters. This heuristic approach allows hackers to crack long and complicated passwords quicker.

Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Cryptologists and computer scientists often refer to the strength or ‘hardness’ in terms of entropy.

Entropy

Entropy is a measure of unpredictability of information content.

It is usual in the computer industry to specify password strength in terms of information entropy, measured in bits, a concept from information theory. Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of “entropy bits” in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 242 attempts to exhaust all possibilities during a brute force search. Thus, adding one bit of entropy to a password doubles the number of guesses required, which makes an attacker’s task twice as difficult. On average, an attacker will have to try half of the possible passwords before finding the correct one.

Entropy is defined in the context of a probabilistic model. Independent fair coin flips have entropy of 1 bit per flip. A source that always generates a long string of Bs has entropy of 0, since the next character will always be a ‘B’.

NIST Special Publication 800-63 suggests the following scheme to roughly estimate the entropy of human- generated passwords

    • The entropy of the first character is four bits;
    • The entropy of the next seven characters are two bits per character;
    • The ninth through the twentieth character has 1.5 bits of entropy per character;
    • Characters 21 and above have one bit of entropy per character.
    • A “bonus” of six bits is added if both upper case letters and non-alphabetic characters are used.
    • A “bonus” of six bits is added for passwords of length 1 through 19 characters following an extensive dictionary check to ensure the password is not contained within a large dictionary. Passwords of 20 characters or more do not receive this bonus because it is assumed they are pass-phrases consisting of multiple dictionary words.

Guidelines for Strong Passwords

  • A minimum password length of 12 to 14 characters if permitted
  • Generating passwords randomly where feasible
  • Avoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors’ names or dates)
  • Including numbers and symbols in passwords if allowed by the system
  • If the system recognizes case as significant, using capital and lower-case letters
  • Avoiding using something that the public or workmates know one strongly likes or dislikes

References
1. William Stallings, Network Security Essentials: Applications and Standards, Pearson Education
2. Daniel Minoli | Emma Minoli, Web Commerce Technology Handbook, Tata McGraw-Hill
3. Mark Nicolett, Manage Passwords to Secure Your IT Environment, Gartner
4. Ray Wagner | Ant Allan | Jay Heiser, Management Update: Eight Security Practices Offer More Value Than Pass-word Aging, Gartner
5. Gery Menegaz, Brute Force Attacks: Beyond password basics, ZDNet.com
6. Password cracking – Wikipedia, the free encyclopedia

About the Author

Kishor Sonawane and Satish Chinchorkar (Varutra Consulting) – Article written for Pentest Magazine May 2014 issue.

06/4/14

VoIP Penetration Testing Part-II

In the previous tutorial VoIP Penetration Testing Part-I we have learnt on how to do Information Gathering/ Footprinting using Google dorks and identify the target IP address of the TFTP server. Now let’s start with the scanning phase.

Note: I have used dynamic IP address, so in my case VoIP Server IP is 192.168.1.108. In your case it may be different.

In scanning phase we will use following techniques,

1.  Footprinting:

TOOL:

  •     SMAP :

SMAP  is a simple scanner for SIP, enabled devices. SMAP sends off various SIP requests awaiting responses from SIP enabled DSL router, proxies and user agents.

                 SMAP Usage:

SMAP-1

Scanning single host using SMAP:

SMAP-2

Now identifying SIP enabled host.

Use SMAP to fingerprint the server/client type and version:

SMAP-3

Another useful feature of SMAP is -l argument to go in learning mode to provide more useful information.

4(1)SMAP-4(2)

 

  •     SIPSAK :

SIPSAK is a small command line tool for developers and administrators of SIP applications.

                SIPSAK Usage:

5

It can be used for some simple tests on SIP applications and devices.

6

  •      SVMAP:

is a free and Open Source scanner to identify SIP devices and PBX servers on a target network. It can also be helpful for systems administrators when used as a network inventory tool. SVMAP was designed to be faster by specifically targeting SIP over UDP.

               SVMAP Usage:

7

Scanning single IP using svmap:

8

You can also specify a name instead of an IP address:

./svmap sipvicious.org

Performing fingerprint (- -fp) scanning using svmap:

9(1)9(2)

  2.  ICMP Ping Sweeps:   

In ICMP Ping Sweeps, pinging includes sending ICMP type 8 packets (ICMP ECHO REQUEST) to an IP address. If the router or firewall does not block ICMP the host will reply with an ICMP type 0 packet (ICMP ECHO REPLY).

TOOL:

  • fping
  • Nmap
  • SuperScan
  • Nessus

 

  •      fping:

fping is used with the command-line option –g to specify the range of hosts to scan, along with the -s option.

10

  •      NMAP Ping Scan (-sP):

This scan type lists the hosts within the specified range that responded to a ping. It allows you to detect, which computers are online rather than which ports are open. Four methods exist within Nmap for ping sweeping. The first method sends an ICMP ECHO REQUEST (ping request) packet to the destination system. If an ICMP ECHO REPLY is received, the system is up, and ICMP packets are not blocked. If there is no response to the ICMP ping, Nmap will try a “TCP Ping”, to determine whether ICMP is blocked, or if the host is really not online.

A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST , or a SYN/ACK , is returned, then the remote system is online. If the remote system does not respond, either it is offline, or the chosen port is filtered, and thus not responding to anything. When you run Nmap ping scan as root, the default is to use the ICMP and ACK methods.

11

12

  3.  ARP Pings:

Arping is a command line tool for ARP pinging IP and MAC addresses. Let us find out the reachability of an IP address on the local ethernet with arping.

arping  –i  eth0 –c 5 192.168.1.108

13

             Where,

               –i eth0 : Specify network interface.

               –c 5 : Stop after sending 5 ARP REQUEST packets.

  4.  TCP Ping Scan:

A TCP ping scan involves sending a TCP SYN-flagged or ACK-flagged packet to a commonly used TCP port on the target host. ACK packets are more useful, because they can be used to bypass stateless firewalls that monitor only for incoming SYNs. By default, Nmap uses a SYN packet on port 80 to probe, but it can be customized from the command line to use an ACK packet on a different port using the -PT option

TOOL:

  •       NMAP:

14

  5.  Hping3:

 Hping3 is one of the tools for security auditing and testing of firewalls and networks.

         A subset of stuff you can do using hping:

  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced trace route, under all the supported protocols
  • Remote OS fingerprinting

 

  •       TCP SYN SCAN:

hping3 -S -c 4 192.168.1.108 -p 21

15

 NOTE: I had to use -c 4 flag in order to send the SYN packet four times, otherwise hping will continue sending probes.

  •        TCP ACK SCAN:

TCP ACK Scan can be performed by setting up ACK flag in probe packets;

                                                                          hping3 -A 192.168.1.108 -p 80 -c 1

  •        XMAS SCAN:

XMAS Scan can be performed by setting FINISH,PUSH,URGENT flag in probe packets;

            hping3 -F -P -U 192.168.1.108 -p 80 -c 1

  •        UDP SCAN:

hping can be configured to operate in UDP mode by  specifying -2 in the command line.

     hping3 -2 192.168.1.108 -p 161 -c 1

  6.  SNMP Sweeps:

Simple Network Management Protocol (SNMP) scanning is another effective method of determining active network equipment.SNMP v3 is based on stronger encryption such as AES and 3DES.

nmap –sU 192.168.1.108

16

  7.  Port Scanning:

TOOL:

  •        NMAP:

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service up time. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

               TCP SYN SCAN:

nmap 192.168.1.108

17

               Version Detection:

nmap -sV 192.168.1.108

18

  8.  Host/Device OS Identification:

Nmap has a built-in OS detection option i.e. -O

Nmap –O –PO 192.168.1.108

19

  9.  Banner Grabbing:

Banner grabbing, is a method of connecting to a port on a remote target to determine further information about the associated services running on that specific port(s).

TOOL:

  •     Netcat:

 Netcat is a featured networking utility, which reads and writes data across network connections, using the TCP/IP protocol.

20

Author: Sachin Wagh

Security Consultant, Varutra Consulting