One of the most valuable pieces of information that can be obtained through scanning and investigation techniques is the operating system installed on the target. Scanning, probing and detection techniques are explored in the context of the Network Mapper and Xprobe2 tools.
Protocols and Techniques
Protocol Architecture
- Transmission Control Protocol (TCP)
- Sequence Number Field
- Opening and Closing Connections
- User Datagram Protocol (UDP)
- Internet Protocol (IP)
- Internet Protocol version 4
- Internet Control Message Protocol (ICMP)
- Destination Unreachable Message
- Echo or Echo Reply Message
- Internet Protocol version 6 (IPv6)
- Summary
Most of the information in this section is taken from RFC 793 (Postel 1981a), which deals with the TCP protocol. Otherwise, the sequence number field in the Echo Reply message must be the same as in the Echo Request message field.
Scanning Techniques
- Firewalls
- Port Scanning
- A new port scanning proposal
- Other TCP/IP Attacks
- IP Spoofing (IP Hijack)
- Address Resolution Protocol (ARP) Spoofing
- ICMP Attacks
- Operating System (OS) Fingerprinting
- Summary
Another challenge for IPID scanning is egress filtering performed by the ISP or ISP (eg, the ISP checks to see if the packet sent from it actually comes from a valid system in its network). Ping Flood: A program like Packet InterNet Gopher (PING) is used (PING is part of the "iputils" package and the latest versions are available in source form at anonymous ftp ftp://ftp.inr.ac.ru/ip- routing/iputils-‐ current.tar.gz.) The UDP protocol is mainly used for this attack, although some versions of PING can send TCP packets.
Tests and Experiments
Practical Investigation with IPv4
- IPID scan
- Scenario 1 – Confirming if Linux 2.6.x is immune to
- Scenario 3 - Confirming if another Linux OS running
- Scenario 4 - Confirming if Linux 2.6.x is immune to
- Microsoft Windows XP Professional IPID incremental
- Other port scanning techniques
- SYN Scan
- UDP Scan
- TCP Scan
- Null Scan
- ACK scan
- FIN scan
- Window scan
- Xmas scan
- TCP Maimon scan
- Protocol scan
- OS Detection
- Using Nmap
- Using Xprobe2
As can be seen from the results in Appendix C.1, Nmap was able to detect that the SSH port was open regardless of whether the firewall was enabled or not. As can be seen from the output in Appendix C.1, the ports that were found open when the firewall was disabled were ports 22 (SSH), 111 (rpcbind), and 631 (ipp). However, when the firewall was enabled, ports 22 (SSH) and 113 (closed for authentication) were found by Nmap.
The outputs in Appendix C.1 show that Nmap saw ports 22 (SSH), 111 (rpcbind), and 631 (ipp) open/filtered when the firewall was disabled. Based on the results in Appendix C.1, it can be seen that protocols 1 (icmp) and 6 (tcp) are available without a firewall enabled, protocols 2 (igmp) and 41 (ipv6) are open/filtered, and protocol 17 (udp ) is filtered.
Realisation of Preliminary Countermeasures
- Unique Linux Characteristics
- Preliminary Countermeasures for Linux
- Summary
Again, these facts were found not to be true in tests performed with Xprobe2, and the TTL value was 64 for kernel version 2.6.16. Other features in the TCP/IP response stack with Linux version 2.2.x and 2.4.x are shown in Table 3 (Arkin 2001b). Another characteristic of Linux is that it specifies more than 8 data bytes in ICMP error messages.
In the tests performed against the Linux systems, it was observed that the Destination Unreachable ICMP messages were blocked and the TCP SYN packets were dropped when the firewall was disabled. All fields in the ICMP messages must be checked by the firewall to prevent Parameter Problem ICMP messages.
Validation of Preliminary Countermeasures
- Type Of Service
- Nmap's Results
- Xprobe2's Results
- ICMP Echo Ignore All
- Nmap's Results
- Xprobe2's Results
- IP Default TTL
- Nmap's Result
- Xprobe2's Results
- TCP Window Scaling
- Nmap's Output
- Xprobe2's Results
- Timestamps
- Nmap's Results
- Other modifications of the TCP/IP stack
The order of the options should not affect the TCP/IP communication. From the output, Xprobe2 guessed that the operating system of the target is either Foundary Networks IronWare or Linux. From the output, it is clear that Nmap was able to determine that the operating system running on the target system was Linux.
The impact that the TTL value has on the OS fingerprinting tools needs to be investigated. The other guesses were that the target's operating system is Linux and in one situation that it was NETBSD 2.0.
Countermeasures
OS Fingerprinting Tools Detection
- Detecting Nmap
- Detecting Other OS Fingerprinting Tools
As can be seen from the above output, Nmap was unable to determine which operating system was running on the target system as it could not find an open port. Investigation was done to see how other OS fingerprinting tools responded to this modification on the target system. From the above results it is seen that Xprobe2 was not accomplished by installing the OSF module on the target system.
As seen above, when OSF was loaded, SAINT was unable to detect even open ports from the target. The result of the above output indicates that NetworkActiv Port Scanner is not as specific as Nmap, and was unable to determine the operating system running on the target.
Final Countermeasures
- Type of Service Field
- OS Fingerprinting Tools Detection
- Port 0 Disabled
- Block ICMP messages
- Conclusion
- Future Work
The installation and loading of this module is done with the steps shown in Appendix D. The Nmap packages are blocked with the statement:. It was found that with the installation of the OSF module, the CPU was not affected by the overhead. Window (16 bits): This field indicates the number of data octets, starting with the one specified in the acknowledgment field, that the sender of the packet is willing to receive.
Time to Live (8 bits): The Time to Live field indicates the lifetime of the packet. The checksum is calculated in the same way as the checksum of the TCP packet is calculated.
Time Exceeded Message
Most of the information in this appendix is taken from RFC 792 (Postel 1981c), which deals with the Internet Control Message Protocol. Checksum (16 bits): The value of this field is the one's complement of the one's complement sum of the ICMP message starting with the ICMP Type field. Internet Header + 64-bit data datagram: If the higher-level protocol uses a port number, it is then taken as part of the first 64 data bits of the original packet's data.
Parameter Problem Message
Pointer (8 bits): Should the code of the message be equal to 0, this field points to the byte that caused the error.
Source Quench Message
Code (8 bits): The value of this field is 0, which is usually received from the host or gateway.
Redirect Message
2 = Redirection datagrams for the type of service and the network 3 = Redirection datagrams for the type of service and the host. Gateway Internet Address (32 bits): This field contains the address of the gateway to which the original datagram's data should be sent.
Timestamp or Timestamp Reply Message
Otherwise, the Identifier field of the Echo Reply message must be the same as that in the Echo Request message field. Originate Timestamp (32 bits): This is the time, in milliseconds (since midnight UT), that the sender sent the Echo message. Transmission Timestamp (32 bits): This is the time, in milliseconds (since midnight UT) that the receiver of the Echo message sends the Echo Reply message back to the sender of the Echo message.
Should the timestamps not be accurate because the UT is not available, then any time can be used for the timestamp, but the high order bits of the timestamp must be set to indicate that it is a non-standard value. Most of the information in this appendix is taken from RFC 2460 (Deering & Hinden 1998), which deals with Internet Protocol version 6.
Format of the IPv6 Header
- IPv6 Extension Headers
- Hop-by-Hop Option Header
- Routing Header
- Fragment Header
- Authentication Header
- Encapsulating Security Payload (ESP) Header
- Destination Option Header
- Upper-Layer Header
- No Next Header
This header is identified by the next header field of the previous header with a value of 44. The header is identified by the next header field of the previous header which has a value of 51. Next header (8 bits): This identifies the type of header that follows authentication title. 8 bits): This field specifies the length of the Authentication.
Authentication data (variable length): This field contains the Integrity Check Value (ICV) of the packet. This header is identified by the Next Header field of the previous header which has a value of 60.
Destination Unreachable Error Message
A packet that has an IPv6 multicast destination address or is sent as link-level multicast. To limit the rate at which error messages are sent using a portion of the available bandwidth. As many packets as will fit an ICMP packet without exceeding the smallest IPv6 MTU.
Checksum (16 bits): This field is the one's complement of the one's complement of the entire ICMPv6 message, starting with the Type field and ending with the pseudo header. Unused (32 bits): This field is unused for all code values and the sender must set the value of this field to zero.
Packet Too Big Error Message
Time Exceed Error Message
Parameter Problem Error Message
Pointer (32 bits): This field identifies the offset in bytes in the packet where the error was detected.
Echo Request and Echo Reply Informational Message
Otherwise, the sequence number of the Echo Reply message must be the same as that in the Echo Request message field. Appendix B.1 - Settings when the firewall is disabled. sbin/iptables --table nat --flush;. sbin/iptables --table nat --delete-chain;. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts;. echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects;. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses;. Appendix B.2 - Settings when the firewall is enabled. sbin/iptables --table nat --flush;. sbin/iptables --table nat --delete-chain;. sbin/iptables --policy INPUT DROP;. sbin/iptables --policy OUTPUT DROP;. sbin/iptables --policy FORWARD DROP;. sbin/iptables --new forward_ext;. sbin/iptables --new input_ext;. sbin/iptables --new deny_func;. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts;. echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects;. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses;. sbin/iptables -A INPUT -i lo -j ACCEPT;. sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;. sbin/iptables -A INPUT -j input_ext;. sbin/iptables -A EXIT -o lo -j ACCEPT;. sbin/iptables -A EXIT -m state --state NEW,CONNECTED,INSTALLED -j ACCEPT;. sbin/iptables -A input_ext -m pkttype --pkt-type broadcast -j DROP;. sbin/iptables -A input_ext -p icmp -m state --state CONNECTED, ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT;. sbin/iptables -A input_ext -p icmp -m state --state CONNECTED, ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT;. sbin/iptables -A input_ext -p icmp -m state --state CONNECTED, ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT;. sbin/iptables -A input_ext -p icmp -m state --state CONNECTED, ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT;. sbin/iptables -A input_ext -p icmp -m state --state CONNECTED, ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT;. sbin/iptables -A input_ext -p icmp -m state --state CONNECTED,INSTALLED -m icmp --icmp-type 18 -j ACCEPT;. sbin/iptables -A input_ext -p icmp -m state --state CONNECTED, ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT;. sbin/iptables -A input_ext -p icmp -m state --state CONNECTED,INSTALLED -m icmp --icmp-type 5 -j ACCEPT;. log-tcp-options --log-ip-options;. sbin/iptables -A input_ext -m pkttype --pkt-type multicast -j DROP;. sbin/iptables -A input_ext -j DROP;. sbin/iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset;. sbin/iptables -A reject_func -p udp -j REJECT --reject-with icmp-port- unreachable;. sbin/iptables -A reject_func -j REJECT --reject-with icmp-proto- unreachable;.
Appendix B.3 – Suggested additions to firewalls. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts;. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects;. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses;. sbin/iptables -p icmp --icmp-type any -I OUTPUT -j DROP;. sbin/insmod /home/user/osf/ipt_osf.ko;. home/user/osf/load /home/user/osf/pf.os /proc/sys/net/ipv4/osf;. 68/udp open|filtered dhcpc 111/udp open|rpcbind filtered 631/udp open|unknown filtered 1024/udp open|filtered unknown.
GNU General Public License
