10/16/07

CS G254/U645 Network Security

Problem Set – III Solutions

 

1) Port scanning

a)      NMAP is a powerful Linux tool that allows you to scan a target machine. There are a number of ways NMAP can be used. Here is example output for scanning a Windows VM called AMBIENT:

 

To find out what OS is running by looking at port 80:

 

[root@acid atul]# nmap -sS -p 80 -O -v 192.168.10.23

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-02-17 14:39 EST

Initiating SYN Stealth Scan against ambient.ournetwork.com (192.168.10.23) [1 port] at 14:39

Discovered open port 80/tcp on 192.168.10.23

The SYN Stealth Scan took 0.03s to scan 1 total ports.

Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port

For OSScan assuming that port 80 is open and port 30726 is closed and neither are firewalled

For OSScan assuming that port 80 is open and port 36106 is closed and neither are firewalled

Host ambient.ournetwork.com (192.168.10.23) appears to be up ... good.

Interesting ports on ambient.ournetwork.com (192.168.10.23):

PORT   STATE SERVICE

80/tcp open  http

MAC Address: 00:0F:1F:7A:CE:8D (WW Pcba Test)

Device type: general purpose

Running: Microsoft Windows 95/98/ME|NT/2K/XP

OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP

TCP Sequence Prediction: Class=random positive increments

                         Difficulty=10789 (Worthy challenge)

IPID Sequence Generation: Incremental

 

Nmap run completed -- 1 IP address (1 host up) scanned in 4.079 seconds

 

Find open ports, do a stealth TCP Scan, UDP scan, RPC scan.

 

[root@acid atul]# nmap -sSUR 192.168.10.23

 

Interesting ports on ambient.ournetwork.com (192.168.10.23):

(The 3099 ports scanned but not shown below are in state: closed)

PORT     STATE         SERVICE        VERSION

7/tcp    open          echo

7/udp    open          echo

9/tcp    open          discard

9/udp    open|filtered discard

13/tcp   open          daytime

13/udp   open          daytime

...

443/tcp  open          https

445/tcp  open          microsoft-ds

445/udp  open|filtered microsoft-ds

500/udp  open|filtered isakmp

563/tcp  open          snews

1025/tcp open          NFS-or-IIS

1029/tcp open          ms-lsa

1031/udp open          iad2

1032/tcp open          iad3

1645/udp open|filtered radius

1646/udp open|filtered radacct

1812/udp open|filtered radius

1813/udp open|filtered radacct

3372/tcp open          msdtc

3456/udp open|filtered IISrpc-or-vat

MAC Address: 00:0F:1F:7A:CE:8D (WW Pcba Test)

 

Nmap run completed -- 1 IP address (1 host up) scanned in 6.255 seconds

 

Example output for scanning a LINUX VM called ACID:

 

To find out what OS is running by inspecting port 80:

 

[root@acid atul]# nmap -sS -p 80 -O -v 192.168.10.10

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-02-17 14:41 EST

Initiating SYN Stealth Scan against acid.ournetwork.com (192.168.10.10) [1 port] at 14:41

Discovered open port 80/tcp on 192.168.10.10

The SYN Stealth Scan took 0.04s to scan 1 total ports.

Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port

For OSScan assuming that port 80 is open and port 38920 is closed and neither are firewalled

Insufficient responses for TCP sequencing (3), OS detection may be less accurate

Host acid.ournetwork.com (192.168.10.10) appears to be up ... good.

Interesting ports on acid.ournetwork.com (192.168.10.10):

PORT   STATE SERVICE

80/tcp open  http

Device type: general purpose

Running: Linux 2.4.X|2.5.X|2.6.X

OS details: Linux 2.4.0 - 2.5.20, Gentoo 1.2 linux (Kernel 2.4.19-gentoo-rc5), Linux 2.4.20, Linux 2.4.20 - 2.4.22 w/grsecurity.org patch, Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)

Uptime 7.150 days (since Thu Feb 10 11:04:32 2005)

IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 2.318 sec

 

Find open ports, do a stealth TCP Scan, UDP scan, RPC scan.

 

[root@acid atul]# nmap -sSUR 192.168.10.10

 

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-02-15 15:10 EST

Interesting ports on acid.ournetwork.com (192.168.10.10):

(The 3125 ports scanned but not shown below are in state: closed)

PORT      STATE         SERVICE              VERSION

21/tcp    open          ftp

22/tcp    open          ssh

53/tcp    open          domain

53/udp    open|filtered domain

80/tcp    open          http

111/tcp   open          rpcbind (rpcbind V2) 2 (rpc #100000)

111/udp   open|filtered rpcbind

443/tcp   open          https

631/udp   open|filtered unknown

978/udp   open|filtered unknown

1241/tcp  open          nessus

32768/udp open|filtered omad

32770/udp open|filtered sometimes-rpc4

 

Nmap run completed -- 1 IP address (1 host up) scanned in 3.711 seconds
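The two listings above are the raw material for an asset inventory, and the STATE column deserves care: a TCP port reported as "open" was confirmed by a SYN/ACK, while a UDP port reported as "open|filtered" only means that no ICMP port-unreachable came back, which a firewall can also cause. The following parser is an added example (not part of the original solutions or of nmap itself); it reads nmap's normal-output port table and separates confirmed open ports from ones that need a follow-up check. The SAMPLE text is constructed to mirror the ACID listing.

```python
import re

# Matches one row of nmap's "Interesting ports" table, for example
#   "111/tcp   open          rpcbind (rpcbind V2) 2 (rpc #100000)"
# Groups: port, protocol, state, service name, optional version text.
PORT_ROW = re.compile(
    r"^\s*(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)(?:\s+(.*))?$"
)

def parse_nmap_ports(text):
    """Return one dict per port row found in nmap's normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if not m:            # header, "(The N ports scanned...)", summary lines
            continue
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": (version or "").strip()})
    return rows

def confirmed_open(rows):
    """Ports whose state nmap confirmed as open (a SYN/ACK or a UDP reply)."""
    return sorted((r["port"], r["proto"]) for r in rows if r["state"] == "open")

def needs_followup(rows):
    """Ports where silence was ambiguous: nothing answered, so open or filtered."""
    return sorted((r["port"], r["proto"]) for r in rows if r["state"] == "open|filtered")

def summarize(text):
    rows = parse_nmap_ports(text)
    return {"open": confirmed_open(rows), "open_or_filtered": needs_followup(rows)}

# Constructed sample modeled on the ACID scan above (not a real capture).
SAMPLE = """\
Interesting ports on acid.ournetwork.com (192.168.10.10):
(The 3125 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE              VERSION
21/tcp    open          ftp
22/tcp    open          ssh
53/tcp    open          domain
53/udp    open|filtered domain
111/tcp   open          rpcbind (rpcbind V2) 2 (rpc #100000)
111/udp   open|filtered rpcbind
1241/tcp  open          nessus
Nmap run completed -- 1 IP address (1 host up) scanned in 3.711 seconds
"""

if __name__ == "__main__":
    for key, ports in summarize(SAMPLE).items():
        print(key, ports)
```

Feeding a saved scan (`nmap -oN scan.txt ...`) through `summarize` gives the two lists an administrator would compare against the host's intended service list; the "open|filtered" UDP entries are the ones to verify with a local `netstat` or `ss` on the box rather than trusting the scan.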

 

b)      Depending on the type of scan, you will see various types of packets in Ethereal. For the example above we saw mainly TCP and UDP packets to and from our target machine:

...

   6033 17.865672   192.168.10.10         192.168.10.23         UDP      Source port: 59650  Destination port: radius-acct[Malformed Packet]

   6034 17.877581   192.168.10.10         192.168.10.23         UDP      Source port: 59649  Destination port: microsoft-ds[Malformed Packet]

   6035 17.881578   192.168.10.10         192.168.10.23         UDP      Source port: 59649  Destination port: radius[Malformed Packet]

   6036 17.981571   192.168.10.10         192.168.10.23         UDP      Source port: 59650  Destination port: microsoft-ds[Malformed Packet]

   6037 17.985563   192.168.10.10         192.168.10.23         UDP      Source port: 59650  Destination port: radius[Malformed Packet]

   6065 18.702842   192.168.10.23         192.168.10.10         UDP      Source port: daytime  Destination port: 33043

   6066 18.702850   192.168.10.23         192.168.10.10         UDP      Source port: daytime  Destination port: 33043

   6069 18.902762   192.168.10.23         192.168.10.10         UDP      Source port: qotd  Destination port: 33043

   6070 18.902766   192.168.10.23         192.168.10.10         UDP      Source port: qotd  Destination port: 33043

   6073 19.102699   192.168.10.23         192.168.10.10         UDP      Source port: chargen  Destination port: 33043

...

   3183 15.545908   192.168.10.10         192.168.10.23         TCP      59648 > 601 [SYN] Seq=0 Ack=0 Win=3072 Len=0

   3184 15.545927   192.168.10.10         192.168.10.23         TCP      59648 > 1489 [SYN] Seq=0 Ack=0 Win=3072 Len=0

   3185 15.545946   192.168.10.10         192.168.10.23         TCP      59648 > 661 [SYN] Seq=0 Ack=0 Win=4096 Len=0

   3186 15.545964   192.168.10.10         192.168.10.23         TCP      59648 > whoami [SYN] Seq=0 Ack=0 Win=4096 Len=0

   3187 15.545983   192.168.10.10         192.168.10.23         TCP      59648 > 609 [SYN] Seq=0 Ack=0 Win=1024 Len=0

   3188 15.546001   192.168.10.10         192.168.10.23         TCP      59648 > 735 [SYN] Seq=0 Ack=0 Win=1024 Len=0

   3189 15.546020   192.168.10.10         192.168.10.23         TCP      59648 > 892 [SYN] Seq=0 Ack=0 Win=2048 Len=0

   3190 15.546039   192.168.10.10         192.168.10.23         TCP      59648 > 352 [SYN] Seq=0 Ack=0 Win=4096 Len=0

 

 

c)      In a TCP connect() scan, a full TCP connection is opened with each interesting port on the target host. This scan is the most basic and fastest, but it is also the most detectable and the easiest to filter, because the handshake is completed and a connection is actually made. The target host's log file will show a large number of connections and error messages for the services, followed by those connections being shut down. In a TCP SYN scan, the TCP connection is only "half-opened": you initiate a TCP connection and wait for a response, and once you get a response you close the connection with an RST packet. Here, the handshake is stopped before a connection can be made. This scan is advantageous because it is harder to detect (it starts as a normal TCP connection) and few sites will log it. However, you need root privileges to do SYN scans.
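The Ethereal rows in (b) and the connect()-versus-SYN comparison in (c) can both be turned into detection logic on the monitoring side. The code below is an added example (not from the original solutions or from Ethereal): it parses summary rows in the format shown above, raises an alert when bare SYNs from one host fan out across many destination ports within a short window (both scan types begin this way), and then classifies each probe that received a SYN/ACK as half-open (the prober answers with RST, the `-sS` behaviour described above) or completed (the prober answers with ACK, the connect() behaviour that ends up in the service's own logs). The capture text is constructed to resemble the rows above; the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict

# One Ethereal/Wireshark summary row: frame, time, src, dst, proto, info.
ROW = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# TCP info column: "<sport> > <dport> [FLAGS] ..." (ports may appear as service names).
TCP_INFO = re.compile(r"^(\S+) > (\S+) \[([A-Z, ]+)\]")

def parse_rows(text):
    """Parse summary rows into dicts; TCP rows also get sport, dport and a flag set."""
    pkts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        frame, t, src, dst, proto, info = m.groups()
        pkt = {"frame": int(frame), "t": float(t), "src": src, "dst": dst,
               "proto": proto, "info": info}
        tm = TCP_INFO.match(info) if proto == "TCP" else None
        if tm:
            pkt["sport"], pkt["dport"] = tm.group(1), tm.group(2)
            pkt["flags"] = {f.strip() for f in tm.group(3).split(",")}
        pkts.append(pkt)
    return pkts

def syn_fanout_alerts(pkts, window=1.0, min_ports=8):
    """Flag (src, dst) pairs whose bare SYNs touch >= min_ports distinct
    destination ports inside any `window`-second span (sliding window)."""
    by_pair = defaultdict(list)
    for p in pkts:
        if p.get("flags") == {"SYN"}:
            by_pair[(p["src"], p["dst"])].append((p["t"], p["dport"]))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_ports:
            alerts[pair] = best
    return alerts

def classify_handshakes(pkts):
    """Among probes answered with SYN/ACK, count half-open ones (prober sends RST)
    versus completed ones (prober sends ACK, i.e. a connect() succeeded)."""
    state, counts = {}, {"half_open": 0, "completed": 0}
    for p in sorted(pkts, key=lambda q: q["t"]):
        if "flags" not in p:
            continue
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == {"SYN"}:
            state[flow] = "syn"
        elif p["flags"] == {"SYN", "ACK"}:
            reverse = (p["dst"], p["dport"], p["src"], p["sport"])  # prober's view
            if state.get(reverse) == "syn":
                state[reverse] = "synack"
        elif state.get(flow) == "synack":
            if "RST" in p["flags"]:
                counts["half_open"] += 1
            elif p["flags"] == {"ACK"}:
                counts["completed"] += 1
            state[flow] = "done"
    return counts

# Constructed capture modeled on the Ethereal rows above (not real traffic):
# a SYN burst from 192.168.10.10 across ten ports, one SYN/ACK answered with
# RST (half-open), and an ordinary three-way handshake from another host.
_PORTS = ["601", "1489", "661", "whoami", "609", "735", "892", "352", "80", "443"]
SAMPLE = "\n".join(
    f"   {3183 + i} {15.545908 + i * 0.00002:.6f}   192.168.10.10   192.168.10.23   TCP   59648 > {port} [SYN] Seq=0 Ack=0 Win=3072 Len=0"
    for i, port in enumerate(_PORTS)
) + """
   3195 15.560000   192.168.10.23   192.168.10.10   TCP   80 > 59648 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
   3196 15.560100   192.168.10.10   192.168.10.23   TCP   59648 > 80 [RST] Seq=1 Win=0 Len=0
   4001 20.000000   192.168.10.50   192.168.10.23   TCP   40000 > 80 [SYN] Seq=0 Win=5840 Len=0
   4002 20.000500   192.168.10.23   192.168.10.50   TCP   80 > 40000 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
   4003 20.000600   192.168.10.50   192.168.10.23   TCP   40000 > 80 [ACK] Seq=1 Ack=1 Win=5840 Len=0
"""

if __name__ == "__main__":
    pkts = parse_rows(SAMPLE)
    print(syn_fanout_alerts(pkts))
    print(classify_handshakes(pkts))
```

The fan-out check is what a network sensor can see even when the target's application logs stay quiet, which is exactly the gap the half-open scan exploits; the handshake classifier explains why connect() scans are the ones that fill service logs with aborted connections.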

 

2) Enumeration

Netcat can be used for banner grabbing after interesting opened ports have been identified. Here is an example of running nc:

 

[root@acid pub]# echo 'HEAD /HTTP/1.0' | nc 192.168.10.10 80

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>400 Bad Request</title>

</head><body>

<h1>Bad Request</h1>

<p>Your browser sent a request that this server could not understand.<br />

</p>

<hr>

<address>Apache/2.0.52 (Fedora) Server at 192.168.10.10 Port 80</address>

</body></html>

 

[root@acid ftproot]# nc 192.168.10.10 21

220 (vsFTPd 2.0.1)

 

530 Please login with USER and PASS.

 

[root@acid ftproot]# nc 192.168.10.23 25

220 ambient Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at

Tue, 15 Feb 2005 15:40:07 -0500
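Each banner above leaks something useful to an inventory: the Apache version and distribution from the 400 error page footer (the request as typed has no space between "/" and "HTTP/1.0", which is why the server rejected it, yet the footer still names the build), the vsFTPd version, and from the ESMTP greeting both the product build and the internal hostname "ambient". The parser below is an added example (not part of the original solutions or of netcat); it extracts product, version and any volunteered hostname from such banners so that exposed versions can be reviewed against the patch level the administrator expects. The banner strings are constructed copies of the sessions above.

```python
import re

# Constructed banners modeled on the nc sessions above (not captured output).
BANNERS = {
    ("192.168.10.10", 80): "<address>Apache/2.0.52 (Fedora) Server at 192.168.10.10 Port 80</address>",
    ("192.168.10.10", 21): "220 (vsFTPd 2.0.1)",
    ("192.168.10.23", 25): "220 ambient Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Tue, 15 Feb 2005 15:40:07 -0500",
}

# Each pattern names the product and version it can pull out; the SMTP one also
# captures the hostname the server volunteers in its greeting.
PATTERNS = [
    ("http", re.compile(r"(?P<product>Apache)/(?P<version>\d[\w.]*)(?: \((?P<os>[^)]+)\))?")),
    ("ftp",  re.compile(r"^220 \((?P<product>vsFTPd) (?P<version>[\d.]+)\)")),
    ("smtp", re.compile(r"^220 (?P<host>\S+) (?P<product>Microsoft ESMTP MAIL Service), Version: (?P<version>[\d.]+)")),
]

def parse_banner(text):
    """Return {service, product, version, ...} for a recognised banner, else None."""
    for service, pat in PATTERNS:
        m = pat.search(text)
        if m:
            info = {"service": service}
            info.update({k: v for k, v in m.groupdict().items() if v is not None})
            return info
    return None

def inventory(banners):
    """Map each (host, port) to its parsed banner; unrecognised banners map to None."""
    return {key: parse_banner(text) for key, text in banners.items()}

def leaked_hostnames(banners):
    """Hostnames that services reveal in their greetings."""
    return sorted({info["host"] for info in inventory(banners).values()
                   if info and "host" in info})

if __name__ == "__main__":
    for key, info in inventory(BANNERS).items():
        print(key, info)
    print("hostnames revealed:", leaked_hostnames(BANNERS))
```

Unrecognised banners return None rather than a guess, so a new service shows up as a gap in the inventory instead of a wrong version; adding a pattern is a one-line change.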

 

3) Vulnerability Scanners

 

a,b) After installing Nessus, creating a user and running the Nessus daemon, you can run the Nessus client and specify target machines to scan. Nessus is an all-in-one tool that will scan for open ports, do banner grabbing and remote system identification. Here is the summary of open ports found by Nessus on AMBIENT, with the services running on those ports:

 

1038,1037,137/udp,

53/udp – DNS

1036,1035/tcp

161/tcp – SNMP

119/tcp – NNTP

137/udp,137,139/tcp – NETBIOS

135,1029,445,1032/tcp – various Win2K services

25/tcp, 161/udp – SMTP

21/tcp – FTP

80/tcp – HTTP

1025/tcp – IIS

 

Ports opened on ACID are:

32769,32768/tcp

111/udp, 111/tcp – sunrpc

80/tcp – http

21/tcp – FTP

 

c) Nessus can be used by a system administrator to scan machines on the local network for possible vulnerabilities. This vulnerability scanner makes it easier to identify unnecessary open ports and outdated services, and it provides detailed warnings if the host has an unpatched vulnerability. Nessus's powerful set of plug-ins allows systems administrators (as well as malicious users) to scan target hosts and automatically determine whether targets are susceptible to known attacks.

 

4) Viruses and worms

 

a)      Telescope: Block of addresses (typically large block) that is not in use – no traffic should be destined for this block. They are used for detecting random probes by worms and other attackers – also for detecting attacks in which the source address of the attack packets is being randomly spoofed.

b)      Backscatter: These are packets that originate at victims and are destined for the randomly spoofed source addresses in the attack packets. When a victim gets attacked and the source addresses are spoofed the victim sends out packets to these spoofed source addresses that actually belong to other legitimate hosts. These packets constitute backscatter. Backscatter can be detected using telescopes.

c)      Honey pots are machines/resources that attract attack traffic. They are used to detect and thwart attacks. They often run services that are seemingly vulnerable. Some honeypots enable the detection of the source of the attack traffic; others work to keep the attacker busy. They are monitored carefully to understand the attack behavior.

d)      Proof by contradiction

Assume that there exists a checker C that catches all viruses and only viruses, in other words C(V) = 1 if and only if V is a virus. Then construct the following virus V:

 

V: Run C on V.
   If C(V) = 1, do nothing.
   Else, spread.

 

Now observe that if C(V) = 1 then V does nothing and so C has caught a non-virus. And if C(V) = 0 then V is a virus and C has failed to catch it. In either case we get a contradiction. Hence it must be the case that our assumption is false. Thus there does not exist a checker that catches all viruses and only viruses.

 

5) Worms

 

a) 3 * 0.6 = 1.8/hr.

b) $a(T+x) + a(T-x) = \frac{e^{Kx}}{1+e^{Kx}} + \frac{e^{-Kx}}{1+e^{-Kx}} = \frac{e^{Kx}}{1+e^{Kx}} + \frac{1}{1+e^{Kx}} = 1.$
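The identity in (b) is the symmetry of the logistic infection curve $a(t) = e^{K(t-T)}/(1+e^{K(t-T)})$ about its midpoint $T$, the time at which half the vulnerable population is infected. The code below is an added example (not part of the original solutions); it evaluates $a(t)$ in a numerically stable form, checks the identity, inverts the curve to find when a given fraction is reached, and runs a small random-scanning simulation whose S-shaped curve is the discrete counterpart of $a(t)$. The simulation's population size, address space and scan rate are constructed parameters, not figures from the problem.

```python
import math
import random

def infected_fraction(t, K, T):
    """a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}): fraction of vulnerable hosts infected
    at time t, with K the growth rate and T the time at which half are infected."""
    z = K * (t - T)
    if z >= 0:                       # avoid overflow in exp() for large positive z
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)

def symmetry_residual(K, T, x):
    """a(T+x) + a(T-x) - 1, which part (b) shows is identically zero."""
    return infected_fraction(T + x, K, T) + infected_fraction(T - x, K, T) - 1.0

def time_to_fraction(frac, K, T):
    """Invert a(t) = frac:  t = T + ln(frac / (1 - frac)) / K."""
    return T + math.log(frac / (1.0 - frac)) / K

def simulate_random_scanning(n_vulnerable, address_space, scans_per_step, steps, seed=7):
    """Discrete-time random-scanning worm (constructed model): every infected host
    probes `scans_per_step` uniformly random addresses per step, and a probe that
    lands on an uninfected vulnerable host infects it. Vulnerable hosts occupy
    addresses 0..n_vulnerable-1; host 0 is patient zero. Returns the infected
    fraction after each step."""
    rng = random.Random(seed)
    infected = {0}
    curve = []
    for _ in range(steps):
        newly = set()
        for _host in range(len(infected)):
            for _probe in range(scans_per_step):
                target = rng.randrange(address_space)
                if target < n_vulnerable and target not in infected:
                    newly.add(target)
        infected |= newly
        curve.append(len(infected) / n_vulnerable)
    return curve

if __name__ == "__main__":
    K, T = 1.8, 10.0                 # constructed values: rate per hour, midpoint hour
    print("a(T+3) + a(T-3) - 1 =", symmetry_residual(K, T, 3.0))
    print("90% infected at t =", round(time_to_fraction(0.9, K, T), 3))
    for step, frac in enumerate(simulate_random_scanning(500, 5000, 4, 60)):
        if step % 5 == 0:
            print(f"step {step:2d}: {frac:.3f}")
```

In the simulation the effective rate is the scan rate times the fraction of the address space that is vulnerable, which is why a worm hitting a densely populated, unpatched service (as in part (c)) saturates so quickly: the curve is flat only while few hosts are infected, then climbs nearly vertically through the midpoint.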

c) The Sapphire or SQL Slammer worm struck. The worm overwhelmed the Internet within 15 minutes, bringing Internet communications throughout the world to a standstill. The worm spread extremely rapidly from one vulnerable Microsoft SQL server to another. Though the worm itself did nothing other than replicate, there were so many infection packets traversing the Internet that it crowded out all legitimate traffic. Router operators and ISPs responded by installing filters and fixes, and over the course of a couple of days the Internet gradually limped back to normal.