SERVICE DETECTION

Detecting devices is only a start. Profiling the services a host is running tells us which potentially vulnerable services are exposed on the target, and the mix of listening ports often identifies the vendor before a single banner has been read.

nmap

Popularity: 10
Simplicity: 10
Impact: 3
Risk Rating: 8

As you'll recall from Chapter 2, nmap is the definitive port scanner of modern UNIX-born hackers. Its uses range from simple port scanning to determining the live hosts on a given subnet or fingerprinting the operating systems of remote hosts. This robust monster of a tool has so many features that they cannot all be covered in this chapter (refer to Chapter 2 for more details). nmap is highly recommended; see "man nmap" on a UNIX machine running the product for more information. Using nmap to perform our port scanning, we find out which ports our router (10.14.208.3) is listening on. The set of ports found goes a long way toward identifying the type of router we have targeted. Table 7-1 shows the common TCP and UDP ports found on the most popular network devices. For a list of vendor default passwords for these and many other devices, see http://phenoelit.darklab.org/cgi-bin/display.pl?SUBF=list&SORT=1.

Table 7-1: Commonly Used Listening Ports

Hardware         TCP                        UDP
---------------  -------------------------  ------------------
Cisco routers    21 (FTP)                   0 (tcpmux)
                 22 (SSH)                   49 (TACACS)
                 23 (telnet)                67 (bootps)
                 79 (finger)                69 (TFTP)
                 80 (HTTP)                  123 (NTP)
                 179 (BGP)                  161 (SNMP)
                 512 (exec)
                 513 (login)
                 514 (shell)
                 1993 (Cisco SNMP)
                 1999 (Cisco ident)
                 2001
                 4001
                 6001
                 9001 (XRemote service)
Cisco switches   23 (telnet)                0 (tcpmux)
                                            123 (NTP)
                                            161 (SNMP)
Bay routers      21 (FTP)                   7 (echo)
                 23 (telnet)                9 (discard)
                                            67 (bootps)
                                            68 (bootpc)
                                            69 (TFTP)
                                            161 (SNMP)
                                            520 (route)
Ascend routers   23 (telnet)                7 (echo)
                                            9 (discard) [*]
                                            161 (SNMP)
                                            162 (snmp-trap)
                                            514 (syslog)
                                            520 (route)

[*] The Ascend discard port accepts only a specially formatted packet (according to the McAfee, Inc., advisory), so your success in receiving a response when scanning this port will vary.

If we were looking for Cisco routers, we would scan for TCP ports 1-25, 80, 512-515, 2001, 4001, 6001, and 9001. The results of the scan tell us a great deal about the device's origin:

 [/root]# nmap -p1-25,80,512-515,2001,4001,6001,9001 192.168.0.1
 Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
 Interesting ports on  (192.168.0.1):
 Port    State       Protocol  Service
 7       open        tcp       echo
 9       open        tcp       discard
 13      open        tcp       daytime
 19      open        tcp       chargen
 22      open        tcp       ssh
 23      filtered    tcp       telnet
 2001    open        tcp       dc
 6001    open        tcp       X11:1
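To make the comparison against Table 7-1 repeatable rather than eyeballed, here is an added example (not code from the book) that parses nmap's greppable output (the -oG format) and scores each host's open TCP ports against the vendor profiles in the table. The scan text is constructed to mirror the scan above plus one generic web server; the scoring weights, the "distinctive port" set and the small-servers hint are this example's own choices, not anything the book defines.

```python
"""Score nmap -oG scan results against the vendor port profiles of Table 7-1.
Added example, not code from the book; the scan output below is constructed to
mirror the scan shown above plus one generic host."""
import re
from collections import Counter

# TCP columns of Table 7-1.
VENDOR_TCP_PROFILES = {
    "Cisco router": {21, 22, 23, 79, 80, 179, 512, 513, 514, 1993, 1999,
                     2001, 4001, 6001, 9001},
    "Cisco switch": {23},
    "Bay router": {21, 23},
    "Ascend router": {23},
}
# Ports that almost nothing but a router listens on (this example's own choice);
# 21/22/23/80 are far too common to name a vendor by themselves.
DISTINCTIVE_TCP = {179, 512, 513, 514, 1993, 1999, 2001, 4001, 6001, 9001}
# IOS "TCP small servers" (on by default in old IOS releases): a supporting hint only.
SMALL_SERVERS = {7, 9, 13, 19}

# Constructed nmap -oG lines (tab-separated fields, as nmap writes them).
SAMPLE_OG = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.0.1 ()\tPorts: 7/open/tcp//echo///, 9/open/tcp//discard///, "
    "13/open/tcp//daytime///, 19/open/tcp//chargen///, 22/open/tcp//ssh///, "
    "23/filtered/tcp//telnet///, 2001/open/tcp//dc///, 6001/open/tcp//X11:1///"
    "\tIgnored State: closed (22)\n"
    "Host: 192.168.0.2 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (27)\n"
)

# port/state/proto/... ; state may be open, filtered, closed, open|filtered, ...
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


def parse_og(text):
    """Return {host: {(proto, port): state}} from nmap greppable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = hosts.setdefault(host, {})
        m = re.search(r"Ports: ([^\t]*)", line)
        if m:
            for port, state, proto in PORT_RE.findall(m.group(1)):
                ports[(proto, int(port))] = state
    return hosts


def open_tcp(ports):
    return {p for (proto, p), state in ports.items() if proto == "tcp" and state == "open"}


def score_vendors(open_ports):
    """+2 for each distinctive port in a profile, +1 for each common one."""
    scores = Counter()
    for vendor, profile in VENDOR_TCP_PROFILES.items():
        for p in open_ports & profile:
            scores[vendor] += 2 if p in DISTINCTIVE_TCP else 1
    return scores


def classify(open_ports):
    """Best guess as (vendor, score), or None when only ports that any Unix box
    also runs (22, 23, 80, ...) support the guess."""
    scores = score_vendors(open_ports)
    if not scores:
        return None
    vendor, score = scores.most_common(1)[0]
    if not (open_ports & VENDOR_TCP_PROFILES[vendor] & DISTINCTIVE_TCP):
        return None
    return vendor, score


def report(og_text):
    """{host: (guess, sorted small-server ports seen open)} for every scanned host."""
    out = {}
    for host, ports in parse_og(og_text).items():
        op = open_tcp(ports)
        out[host] = (classify(op), sorted(op & SMALL_SERVERS))
    return out


if __name__ == "__main__":
    for host, (guess, small) in report(SAMPLE_OG).items():
        print(f"{host}: {guess or 'no vendor match'}; small servers open: {small}")
```

Run it against a real scan with `nmap -oG scan.gnmap -p1-25,80,179,512-515,1993,1999,2001,4001,6001,9001 <target>` and feed the file to report(). The refusal to name a vendor on 22/80 alone is deliberate: a scan that shows only common ports is a prompt for banner grabbing and OS fingerprinting, not a conclusion.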

To confirm our assumption about the vendor and the operating-system level, we'll want to use TCP fingerprinting (as discussed in Chapter 2).

Also present on most Cisco devices are the typical "User Access Verification" prompts on the vty ports (23 and 2001). Just telnet to the router on either port and you'll get this familiar banner:

 User Access Verification
 Password:

Many Cisco devices run SSH as a replacement for telnet. Even with this more secure replacement, a familiar banner can still be discovered, because the SSH identification string names the implementation (and, here, a protocol version of 1.5, meaning SSHv1 only):

 root@irc.example.com:~$ telnet 10.14.208.3 22
 Trying 10.14.208.3...
 Connected to 10.14.208.3.
 Escape character is '^]'.
 SSH-1.5-Cisco-1.25
 Connection closed by foreign host.
 root@irc.example.com:~#

Service Detection Countermeasures

Only a limited number of tools have been developed to counter the information disclosure that port scanners achieve. Overall, the best policy is to deny all unwanted traffic at the network border; keeping the device's exposure to the open Internet as small as possible is the primary defense. Running PortSentry is a second-best method: PortSentry listens on unused ports of a system and detects connection requests to these supposedly quiet ports. Here's an example of a host with PortSentry bound to its trip-wire ports:

 root# netstat -lpn
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State     PID/Program name
 tcp        0      0 0.0.0.0:54320   0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:32774   0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:31337   0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:27665   0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:20034   0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:12346   0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:12345   0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:6667    0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:5742    0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:2000    0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:635     0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:443     0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:143     0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:119     0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:25      0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:23      0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN    1959/portsentry
 tcp        0      0 0.0.0.0:21      0.0.0.0:*         LISTEN    1959/portsentry

Specific ports can be selected through a configuration file:

 # PortSentry Configuration
 # $Id: portsentry.conf,v 1.23 2001/06/26 15:20:56 crowland Exp crowland $
 # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
 # The default ports will catch a large number of common probes
 # All entries must be in quotes.
 #######################
 # Port Configurations #
 #######################
 # Use these for just bare-bones
 TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
 UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

If an attacker runs a port scan, PortSentry detects the connection attempts to the unused ports and drops all future connections from the scanning source IP by adding a null route for it. The null route halts all communication back to the attacker, which keeps him guessing and locked out of your host until the route is removed:

 /sbin/route add 31.3.3.7 dev lo 

After blocking is in place, your routing table should look similar to this:

 root# route
 Kernel IP routing table
 Destination     Gateway          Genmask         Flags Metric Ref    Use Iface
 31.3.3.7        *                255.255.255.255 UH    0      0        0 lo
 localnet        *                255.255.255.0   U     0      0        0 eth0
 loopback        *                255.0.0.0       U     0      0        0 lo
 default         192.168.1.254    0.0.0.0         UG    1      0        0 eth0

Before running PortSentry, go over the configuration file carefully. Because the block is keyed on the source address of the probe, an attacker who sends spoofed packets gets to choose which hosts you stop talking to: a scan forged from your default gateway, DNS server, or upstream router would null-route that host and leave your system unresponsive. Keep such addresses in PortSentry's ignore file, and prefer to block only on completed TCP connections, whose source cannot be forged as trivially as that of a UDP datagram or a bare SYN.
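The decision logic that the warning above calls for, as an added example rather than PortSentry's own code: a source is null-routed only after it has completed connections to a threshold number of distinct trip-wire ports, UDP probes are logged but never trigger a block (their source is unverifiable), and addresses the host depends on are refused regardless. The trip-wire ports come from the configuration excerpt above; the probe events, the ignore list (loopback, the default gateway from the routing table above, and a constructed resolver address) and the threshold are this example's own.

```python
"""PortSentry-style auto-blocking with safeguards against the spoofing problem
described above: a threshold of distinct trip-wire ports, only completed TCP
connections count, and hosts you depend on are never null-routed.
Added example, not PortSentry's own logic; events and ignore list are constructed."""
import ipaddress
from collections import defaultdict

# Trip-wire ports, from the portsentry.conf excerpt above.
TCP_TRIP = {1, 11, 15, 110, 111, 143, 540, 635, 1080, 1524, 2000, 12345, 12346,
            20034, 32771, 32772, 32773, 32774, 49724, 54320}
UDP_TRIP = {1, 7, 9, 69, 161, 162, 513, 640, 700, 32770, 32771, 32772, 32773,
            32774, 31337, 54321}

# Hosts this box cannot afford to lose (constructed): loopback, the default
# gateway seen in the routing table above, and the site resolver.
IGNORE_NETS = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "192.168.1.254/32", "192.168.1.53/32")]

# Constructed probe events as (source, proto, dst_port).  A "tcp" event means
# the connection completed, i.e. PortSentry's listener accepted it.
EVENTS = [
    ("31.3.3.7", "tcp", 12345), ("31.3.3.7", "tcp", 12346), ("31.3.3.7", "tcp", 20034),
    ("192.168.1.254", "tcp", 1), ("192.168.1.254", "tcp", 11),   # forged gateway source
    ("203.0.113.9", "tcp", 22), ("203.0.113.9", "tcp", 111),     # only one trip port
    ("198.51.100.4", "udp", 161), ("198.51.100.4", "udp", 69),   # UDP: source unverifiable
]


def is_trip(proto, port):
    return port in (TCP_TRIP if proto == "tcp" else UDP_TRIP)


def on_ignore_list(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNORE_NETS)


def null_route_cmd(ip):
    """Same command the text shows; returned as a string, never executed here."""
    return f"/sbin/route add {ip} dev lo"


def decide(events, threshold=2):
    """Return (blocks, alerts); blocks maps source IP -> route command."""
    tcp_hits = defaultdict(set)
    alerts = []
    for src, proto, port in events:
        if not is_trip(proto, port):
            continue
        alerts.append(f"attackalert: {proto.upper()} port {port} probed from {src}")
        if proto == "tcp":   # completed handshake: the source really did talk to us
            tcp_hits[src].add(port)
    blocks = {}
    for src, ports in tcp_hits.items():
        if len(ports) < threshold:
            continue
        if on_ignore_list(src):
            alerts.append(f"NOT blocking {src}: on ignore list (spoofed scan?)")
            continue
        blocks[src] = null_route_cmd(src)
    return blocks, alerts


if __name__ == "__main__":
    blocks, alerts = decide(EVENTS)
    print("\n".join(alerts))
    for cmd in blocks.values():
        print("would run:", cmd)
```

Of the four sources, only 31.3.3.7 is blocked: the forged gateway is refused by the ignore list, the host that touched a single trip port stays below the threshold, and the UDP-only source produces alerts but no route.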

Operating System Identification

Popularity: 10
Simplicity: 10
Impact: 2
Risk Rating: 7

In the preceding example, we suspect that the IP address 10.14.208.3 is a Cisco router, but we can use nmap's operating system (OS) identification to confirm our assumption.

Using TCP port 13, which answered our earlier scan, we run nmap with the -O parameter to detect the operating system present on the device, in this case Cisco IOS 11.2. Note nmap's warning: it found no open port to work with, so this guess rests on fewer probes and is less reliable than one made against an open port:

 [root@source /tmp]# nmap -O -p13 -n 192.168.0.1
 Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
 Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
 Interesting ports on  (172.29.11.254):
 Port    State       Protocol  Service
 13      filtered    tcp       daytime
 Remote operating system guess: Cisco Router/Switch with IOS 11.2
Tip

Be sure to restrict your OS identification scans to a single port whenever possible. A number of operating systems, including Cisco's IOS and Sun's Solaris, have had known problems handling the non-RFC-compliant packets that fingerprinting sends, and a full scan can bring some boxes down. See Chapter 2 for a detailed description of stack fingerprinting.

OS Identification Countermeasure

The technique for detecting and preventing an OS identification scan is the same as demonstrated in Chapter 2 and depends on the role of the network device. A good policy is to block all traffic to the device except what its role requires, and to permit management traffic only from trusted source addresses; the fewer ports that answer at all, the less a fingerprinting tool has to work with.

Cisco Banner Grabbing and Enumerating

Popularity:

10

Simplicity:

10

Impact:

1

Risk Rating:

7

If it looks and smells like a Cisco device, it probably is a Cisco device, but not always. Finding the expected ports open doesn't always mean a positive identification, but you can do some probing to confirm your OS suspicions.

Cisco Finger and Virtual Terminal Ports: 2001, 4001, 6001

Cisco's finger service responds with mostly useless information. The vtys of the Cisco (usually five) will answer a simple finger -l @<host>, but the results are less than informative (other than identifying the device as Cisco, or showing whether an admin is actively logged on).

Other less-than-informative identifiers are the management ports: 2001, 4001, and 6001. Using netcat, attackers can connect to a port and observe its response (mostly gibberish, since these ports expect a terminal session). But if they connect with a browser instead (for example, http://172.29.11.254:4001), each line of the HTTP request is swallowed as a password attempt, and the result might look something like this:

 User Access Verification
 Password:
 Password:
 Password:
 % Bad passwords

Generating the preceding output will tip off the attacker to the likelihood that this device is a Cisco device.

Cisco XRemote Service (9001)

Another of Cisco's common ports is the XRemote service port (TCP 9001). XRemote allows systems on your network to start client X sessions through the router (typically over a dial-up modem). When an attacker connects to the port with netcat, the device sends back a common banner, as shown here:

 C:\>nc -nvv 172.29.11.254 9001
 (UNKNOWN) [172.29.11.254] 9001 (?) open
  -- Outbound XRemote service --
 Enter X server name or IP address:
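The banner grabs shown in this section (the SSH identification string on port 22, the "User Access Verification" prompt on the vty ports, and the XRemote greeting on 9001) reduce to one routine: connect, send nothing, read what the service volunteers, and match it. Here is that routine as an added example, not code from the book. So that it runs offline, the "device" is an in-process fake that replays constructed banners modelled on the ones above (the SMTP banner is a constructed non-router control); the vendor labels and the SSH string parsing are this example's own.

```python
"""Grab and classify the banners that the Cisco management ports discussed
above volunteer (SSH on 22, the vty login prompt on 23/2001/4001/6001, XRemote
on 9001).  Added example, not code from the book; the "device" is an
in-process fake that replays constructed banners, so it runs offline."""
import re
import socket
import threading

# Constructed banners modelled on the ones shown in the text.
FAKE_BANNERS = {
    "ssh":     b"SSH-1.5-Cisco-1.25\r\n",
    "vty":     b"\r\nUser Access Verification\r\n\r\nPassword: ",
    "xremote": b"\r\n -- Outbound XRemote service --\r\n\r\nEnter X server name or IP address: ",
    "smtp":    b"220 mail.example.test ESMTP ready\r\n",   # something that is not a router
}

# SSH identification string: SSH-protoversion-softwareversion [SP comments]
SSH_ID_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)")


def grab_banner(host, port, timeout=2.0, max_bytes=512):
    """Connect, send nothing, return whatever the service volunteers."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while len(data) < max_bytes:
                chunk = s.recv(max_bytes - len(data))
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass   # prompt-style services (vty, XRemote) never close; keep what we have
    return data


def classify_banner(data):
    """Return (vendor_hint, detail) for a raw banner."""
    m = SSH_ID_RE.match(data)
    if m:
        proto, software = m.group(1).decode(), m.group(2).decode()
        vendor = "Cisco" if software.lower().startswith("cisco") else "unknown"
        note = "SSHv1 only" if proto == "1.5" else f"protoversion {proto}"
        return vendor, f"ssh software={software} ({note})"
    text = data.decode("latin-1")
    if "User Access Verification" in text:
        return "Cisco", "IOS vty login prompt"
    if "Outbound XRemote service" in text:
        return "Cisco", "IOS XRemote service"
    lines = text.strip().splitlines()
    return "unknown", (lines[0] if lines else "no banner")


def scan_banners(host, ports):
    """Grab and classify each port; connection errors are reported, not raised."""
    results = {}
    for port in ports:
        try:
            results[port] = classify_banner(grab_banner(host, port))
        except OSError as e:
            results[port] = ("error", str(e))
    return results


def serve_banner(banner):
    """One-shot fake service on 127.0.0.1: sends `banner`, closes, returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    fakes = {name: serve_banner(b) for name, b in FAKE_BANNERS.items()}
    for name, port in fakes.items():
        print(f"{name:8s} :{port:<5d} -> {scan_banners('127.0.0.1', [port])[port]}")
```

Against a real device, call scan_banners(target, [22, 23, 2001, 4001, 6001, 9001]); the vty and XRemote prompts do not close the connection, so the read ends on the timeout rather than on EOF, which is why the grabber treats a timeout as a normal result.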

Cisco Banner Grabbing and Enumerating Countermeasure

The main step you can take to prevent this kind of Cisco enumeration is to restrict access to the services with an access control list. Relying on the implicit deny at the end of the list, or explicitly denying the traffic so that it is logged, you can do the following (the extended-ACL syntax needs the eq keyword before the port number, and the list does nothing until it is applied to an interface with ip access-group):

 access-list 101 deny tcp any any eq 79 log

or, without logging,

 access-list 101 deny tcp any any eq 9001

For the vty ports themselves (23, 2001, 4001, 6001) the cleaner control is an access-class on the vty lines that permits only your management stations, and the finger service is best disabled outright rather than filtered.


Hacking Exposed 5th Edition
Year: 2003