rest of ch03
parent
a8e8bfa879
commit
a6b2734b12
|
@ -1 +1,8 @@
|
|||
*.pdf
|
||||
*
|
||||
|
||||
!*.md
|
||||
!img/
|
||||
!img/**
|
||||
!Makefile
|
||||
!.gitignore
|
||||
!*.yml
|
||||
|
|
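Review bot: with `*` ignoring everything, the re-include rules in this hunk only reach files at the repository root, because a file inside an ignored directory cannot be re-included unless the directory itself is (which is why `!img/` has to come before `!img/**`). A chapter placed in a subdirectory, say `chapters/04.md`, would therefore stay ignored despite `!*.md`; adding `!*/` directly after `*` re-includes directories while leaving their non-whitelisted contents ignored. Dropping the old `*.pdf` rule is fine, since `*` already covers it.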
161
03_scanning.md
161
03_scanning.md
|
@ -10,6 +10,14 @@
|
|||
|
||||
## Network tracing
|
||||
|
||||
* discover routes that packets take between systems
|
||||
* allows constructing network diagrams
|
||||
* sends ICMP/UDP/TCP packets with varying TTL
|
||||
* requires routers to properly report dropped packets
|
||||
* often disabled for performance/security reasons
|
||||
* `traceroute` useful tool
|
||||
* web-based [tools](https://tools.keycdn.com/traceroute) also available
|
||||
|
||||
### IPv4 and IPv6
|
||||
|
||||
* important IPv4 headers
|
||||
|
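Review bot: `## Network tracing` is a level-2 heading inserted directly above `### IPv4 and IPv6`, so in the `--toc` output IPv4/IPv6 (and everything up to `## Scanning`) now nests under Network tracing instead of sitting beside it. If tracing is meant to be a peer of IPv4/IPv6, make it `### Network tracing` (the level the removed `### tracing` had); if it is meant to be its own section, place it after the IPv6 bullets, just before `## Scanning`.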
@ -21,23 +29,11 @@
|
|||
* simpler than IPv4
|
||||
|
||||
|
||||

|
||||

|
||||
|
||||
### tracing
|
||||
|
||||
* discover routes that packets take between systems
|
||||
* allows constructing network diagrams
|
||||
* sends ICMP/UDP/TCP packets with varying TTL
|
||||
* requires routers to properly report dropped packets
|
||||
* often disabled for performance/security reasons
|
||||
* `traceroute` useful tool
|
||||
* web-based [tools](https://tools.keycdn.com/traceroute) also available
|
||||
 
|
||||
|
||||
## Scanning
|
||||
|
||||
* Nmap does it all
|
||||
|
||||
### TCP
|
||||
|
||||
* 16-bit ports
|
||||
|
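Review bot: the bullets removed here are verbatim the ones added in the previous hunk, so this is a clean move; the only leftovers to check are the whitespace-only line (a single space) just before `## Scanning` and the run of blank lines left between `* simpler than IPv4` and `## Scanning`, which should collapse to one.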
@ -97,3 +93,140 @@
|
|||
* traceroute
|
||||
* redirect messages expose network topology
|
||||
* ICMP address mask requests: determine subnet used by target host
|
||||
|
||||
### Nmap
|
||||
|
||||
* port scanner and all-in toolkit
|
||||
* important tool when performing scanning
|
||||
* TCP port scanning
|
||||
* connect scan
|
||||
* complete 3-way handshake
|
||||
* can run without root
|
||||
* not stealthy (connections can be logged)
|
||||
* doesn't use nmap to craft packets
|
||||
* syn scan/half-open scan
|
||||
* runs as root
|
||||
* only send initial SYN and listen for response
|
||||
* detectable by firewall/NIDS
|
||||
* ACK scan
|
||||
* playing with control bits
|
||||
* FIN scan: FIN bit of all packets set
|
||||
* NULL scan: all bits set to 0
|
||||
* Xmas tree scan: FIN, PSH, URG set
|
||||
* Maimon scan: FIN and ACK set
|
||||
* UDP scanning
|
||||
* scans specific UDP ports
|
||||
* sends protocol-specific messages to well-known ports
|
||||
* firewall spotting
|
||||
* generate packets with invalid TCP or UDP checksum
|
||||
* targets will drop these
|
||||
* firewalls don't always check checksum and will send a RESET/ICMP port
|
||||
unreachable instead
|
||||
* allows detecting firewalls
|
||||
* can also look for varying TTL values
|
||||
* TTL on firewall RESET message will be higher as the firewall is
|
||||
closer
|
||||
* full support for IPv6
|
||||
* OS fingerprinting
|
||||
* detect quirks of protocol behaviors for OS versions
|
||||
* **active**: send special packets to detect behavior
|
||||
* **passive**: observe patterns of network traffic (stealthy but less
|
||||
accurate)
|
||||
* version scanning
|
||||
* detect versions of services running on host
|
||||
* send packets to specific service types that reveal version information
|
||||
* useful for crafting exploits
|
||||
|
||||
### Other stuff
|
||||
|
||||
* automated monitoring
|
||||
* running nmap using cron can reveal changes in network
|
||||
* tools like [masscan](https://github.com/robertdavidgraham/masscan) well
|
||||
suited for this
|
||||
* monitoring web applications also important
|
||||
* [HTTPScreenshot](https://github.com/breenmachine/httpscreenshot):
|
||||
take screenshots of websites
|
||||
* [EyeWitness](https://github.com/RedSiege/EyeWitness): screenshots of
|
||||
webpages, RDP and VNC servers, tries to login with default
|
||||
credentials
|
||||
* scanning cloud infrastructure
|
||||
* lots of cloud usage
|
||||
* companies often don't configure cloud service correctly
|
||||
* very large IP addresses to search through
|
||||
* use tools like [Shodan](https://www.shodan.io/) or
|
||||
[Censys](https://search.censys.io/)
|
||||
* automatically perform scans that can be accessed online
|
||||
* allow monitoring target without direct contact
|
||||
* badly configured S3
|
||||
* buckets that allow writing without authorisation
|
||||
* subdomain takeover allows attacker to take over bucket URL
|
||||
* packet crafting
|
||||
* sometimes very specific/controlled packets are required
|
||||
* tools like [Scapy](https://scapy.net/) allow crafting packets for various
|
||||
protocols
|
||||
* Python tool
|
||||
* provides REPL to forge, send and receive packets
|
||||
|
||||
## Vulnerability scanning
|
||||
|
||||
* process used to identify security weaknesses and vulnerabilities in a system,
|
||||
network or application
|
||||
* involves using automated tools to scan systems for known vulnerabilities
|
||||
and weaknesses
|
||||
* critical component of a robust cybersecurity strategy
|
||||
* automated scanning allows detecting problems before they're possibly
|
||||
exploited
|
||||
* key aspects
|
||||
* **goal**: identify and address security flaws before they're exploited
|
||||
* **scan types**
|
||||
* network scanning
|
||||
* web app scanning
|
||||
* host scanning
|
||||
* **process**
|
||||
1. discovery: identify all relevant devices, systems and applications
|
||||
2. scanning: use automated tools to scan targets for known
|
||||
vulnerabilities
|
||||
3. analysis: analyse results for vulnerabilities and prioritize them
|
||||
4. reporting: generate report detailing results
|
||||
* **frequency**: how often to perform scans
|
||||
* **compliance**: many regulatory standards require regular vulnerability scanning
|
||||
|
||||
### Methods
|
||||
|
||||
* Nmap Scripting Engine (NSE)
|
||||
* allows extending nmap with Lua scripts
|
||||
* greatly broadens scope of nmap
|
||||
* nmap comes with a ton of ready-to-use scripts
|
||||
* perfect for vulnerability scanning
|
||||
* [Tenable](https://www.tenable.com/) Nessus
|
||||
* modern vulnerability scanner
|
||||
* can detect tens of thousands of vulnerabilities
|
||||
* free for personal use
|
||||
* [OpenVAS](https://github.com/greenbone/)
|
||||
* open-source vulnerability scanner
|
||||
* less expansive than Nessus
|
||||
|
||||
### Enumerating users
|
||||
|
||||
* process of retrieving list of usernames for system
|
||||
* numerous methods
|
||||
* public sources of information (websites, emails...)
|
||||
* pentest: ask for list of users (grey box)
|
||||
* Linux
|
||||
* local: `/etc/passwd`
|
||||
* remotely
|
||||
* `finger @IP`
|
||||
* query NIS or LDAP server if present
|
||||
* `enum4linux` tool
|
||||
* Windows
|
||||
* list users using SMB session
|
||||
* possible anonymously on older versions of Windows
|
||||
* if single user is known, listing all users is possible
|
||||
|
||||
### Netcat
|
||||
|
||||
* netcat is useful
|
||||
* general purpose TCP and UDP network tool
|
||||
* installed basically everywhere
|
||||
* used for setting up reverse shells among other things
|
||||
* it's just a useful network tunnel
|
||||
|
|
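Review bot: a few items in the Nmap and enumeration parts of this hunk are under-specified compared to their neighbours. `* ACK scan` has no description while every other scan type gets one; a line noting that it does not find open ports but tells filtered from unfiltered ports (i.e. maps firewall rules) would make it consistent. `* finger @IP` lists the users currently logged in, not all accounts, so that caveat belongs on the bullet. `* doesn't use nmap to craft packets` under the connect scan reads better as `uses the OS connect() call instead of raw packets`. `### Other stuff` is uninformative as a TOC entry; something like `### Monitoring and packet crafting` describes what follows. Finally, `less expansive than Nessus` for OpenVAS presumably means `less extensive`.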
2
Makefile
2
Makefile
|
@ -1,2 +1,2 @@
|
|||
samenvatting.pdf: *.md metadata.yml
|
||||
pandoc --toc -o $@ $^
|
||||
pandoc --standalone --toc -o $@ $^
|
||||
|
|
|
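Review bot: `--standalone` is redundant here: the pandoc manual states the option is set automatically for pdf output (as well as epub, docx and odt), so `pandoc --toc -o $@ $^` already produces a standalone document with the title from metadata.yml. The change is harmless, but if it was made to fix a missing title page the cause lies elsewhere; passing the metadata explicitly with `--metadata-file=metadata.yml` rather than relying on it being swept up by `$^` is the more robust fix.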
@ -1,5 +1,7 @@
|
|||
---
|
||||
title: Network Security Summary
|
||||
geometry:
|
||||
- top=30mm
|
||||
- left=30mm
|
||||
- right=30mm
|
||||
---
|
||||
|
|
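Review bot: the three `geometry` entries set top, left and right to 30mm but leave `bottom` at the LaTeX geometry default, which gives an asymmetric page; add `- bottom=30mm`, or replace the list with a single `- margin=30mm` if all four margins are meant to match.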