HostDevice Discovery

Host/Device Discovery

The first step in building an active target list is to try and figure out what devices are accessible on the network. There are entire books devoted to network host and device scanning for the simple reason that IT administrators rarely know everything that is connected on their network. There are entire product suites today that are marketed for nothing more than to scan your network actively, building an inventory mapping that is often useful for tracking down rogue or infected systems.

An attacker's typical first scanning step is to try and ping a large range of IP addresses to see if she gets any responses. Ping is a network diagnostic tool included on most operating systems that uses the ICMP protocol and allows an IT administrator to determine quickly if another host is active:

 Microsoft Windows XP [Version 5.1.2600] C:\>ping www.yahoo.com Pinging www.yahoo.akadns.net [68.142.197.68] with 32 bytes of data: Reply from 68.142.197.68: bytes=32 time=20ms TTL=54 Reply from 68.142.197.68: bytes=32 time=21ms TTL=54 Reply from 68.142.197.68: bytes=32 time=22ms TTL=55 Reply from 68.142.197.68: bytes=32 time=21ms TTL=54 Ping statistics for 68.142.197.68:     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds:     Minimum = 20ms, Maximum = 22ms, Average = 21ms C:\> 

Even though ping is a legitimate tool for testing network and device connectivity, not all sites allow ICMP through their firewalls and routers. Many administrators would rather block reconnaissance scanning from potential attackers than allow diagnostic functionality. In cases where ICMP is blocked, an attacker can try several other types of scanning techniques detailed in the following sections, which describe tools and techniques that will help you develop a comprehensive list of active IP addresses.

Attack Standard ICMP Ping Sweeps

ICMP ping sweeps are a relatively easy way to find active hosts. Pinging consists of sending ICMP type 8 packets (ICMP ECHO REQUEST) to an IP address. If ICMP is not being blocked across the router or firewall, most hosts will respond with an ICMP type 0 packet (ICMP ECHO REPLY).

There are several easy-to-use tools for running ICMP ping sweeps. The first is fping (http://www.fping.com/), a *nix command-line tool that parallelizes ICMP scanning for multiple hosts. fping is a much faster alternative to the standard ping utility that ships with most operating systems. fping can read a range of target addresses either from a file or from the command line. In the following example, we use the commandline option -g to specify the range of hosts to scan. We also use the -a option to return only results from live hosts.

 [root@attacker]# fping -a -g 192.168.1.0/24 192.168.1.21 192.168.1.22 192.168.1.24 192.168.1.25 192.168.1.23 192.168.1.27 192.168.1.51 192.168.1.52 192.168.1.53 192.168.1.54 192.168.1.56 192.168.1.57 192.168.1.103 192.168.1.104 [root@attacker]# 

A more powerful *nix command-line scanning tool is Nmap (http://www. insecure .org/nmap). Nmap has a variety of options that few people explore completely. In order to simulate the previous scanning with fping , we would use Nmap with the -sP option, which designates a ping sweep. Nmap has so many options and so much functionality that its author, Fyodor, has even written an entire book on the subject entitled Nmap Network Scanning (not yet published). While you won't need to use nearly all of the Nmap options, a fairly decent online set of features can be obtained simply by typing nmap h at the command line or by reviewing Fyodor's online help at http://www.insecure.org/nmap/docs.html.

If you run Nmap from within the local subnet, Nmap will also identify the Ethernet Media Access Control (MAC) address in the output and tell you which vendor is associated with each device. The MAC address is a unique six-byte identifier assigned by the manufacturer of the network device and is most often associated with an IP address through the Address Resolution Protocol (discussed in the "ARP Pings " section). All MAC addresses follow a specific numbering convention per vendor for the first three octets, as controlled by the Institute of Electrical and Electronics Engineers (http:// standards.ieee.org/regauth/oui/index.shtml).

 [root@attacker]# nmap -sP 192.168.1.1-254 Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-19  20:51 CST Host 192.168.1.1 appears to be up. MAC Address: 00:13:10:D4:AF:44 (Cisco-Linksys) Host 192.168.1.21 appears to be up. MAC Address: 00:04:13:24:23:8D (Snom Technology AG) Host 192.168.1.22 appears to be up. MAC Address: 00:0F:34:11:80:45 (Cisco Systems) Host 192.168.1.23 appears to be up. MAC Address: 00:15:62:86:BA:3E (Cisco Systems) Host 192.168.1.24 appears to be up. MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology) Host 192.168.1.25 appears to be up. MAC Address: 00:0B:82:06:4D:37 (Grandstream Networks) Host 192.168.1.27 appears to be up. MAC Address: 00:04:F2:03:15:46 (Polycom) Host 192.168.1.51 appears to be up. MAC Address: 00:04:13:23:34:95 (Snom Technology AG) Host 192.168.1.52 appears to be up. MAC Address: 00:15:62:EA:69:E8 (Cisco Systems) Host 192.168.1.53 appears to be up. MAC Address: 00:04:0D:50:40:B0 (Avaya) Host 192.168.1.54 appears to be up. MAC Address: 00:0E:08:DA:24:AE (Sipura Technology) Host 192.168.1.55 appears to be up. MAC Address: 00:E0:11:03:03:97 (Uniden SAN Diego R&D Center) Host 192.168.1.56 appears to be up. MAC Address: 00:0D:61:0B:EA:36 (Giga-Byte Technology Co.) Host 192.168.1.57 appears to be up. MAC Address: 00:01:E1:02:C8:DB (Kinpo Electronics) Host 192.168.1.103 appears to be up. MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.) Host 192.168.1.104 appears to be up. Nmap finished: 254 IP addresses (17 hosts up) scanned in 5.329 seconds 

For those who are graphically inclined, there are a variety of port and host scanning tools for Windows that can also do the job. SuperScan, shown in Figure 2-2, is a graphical tool that can quickly ping sweep a range of hosts (http://www.foundstone.com/resources/proddesc/ superscan .htm).

Figure 2-2: SuperScan from Foundstone quickly returns our ping sweep results.

Additionally, the ping and port sweep utility from SolarWinds (http://www.solarwinds.net) is another nice graphical ping Windows tool (see Figure 2-3).

Figure 2-3: SolarWinds Ping Sweep tool

Additionally, nessus (http://www.nessus.org), which runs on both Linux and Windows, is also a fully functional host and port scanner.

Other ICMP Ping Sweeps

In some cases, ICMP_ECHO REQUEST packets may be blocked by the ingress router preventing traditional ping sweeps; however, other ICMP packet types may not be filtered. The following is a list of potential ICMP packet types, other than just 8 (ECHO REQUEST), that you can use for host discovery:

There are several tools that can use the other ICMP types for scanning purposes. The aforementioned SuperScan can also scan with ICMP types 0, 13, 15, and 16, as shown in Figure 2-4.

Figure 2-4: SuperScan host probing other ICMP options

Other command-line tools that are useful for querying devices using nonstandard ICMP messages include icmpenum (http://www.nmrc.org/project/misc/icmpenum-1.1.1.tgz), icmpquery (http://www.angio.net/security/), and icmpush (http:// packetstormsecurity.org/UNIX/ scanners /icmpush22.tgz).

Security researcher Ofir Arkin wrote a great paper entitled "ICMP Usage in Scanning," which is available at http://www.sys-security.org/index.php?page=icmp. The paper goes beyond the scope of this book in describing in detail the various ways ICMP can be used for nefarious scanning purposes.

Countermeasurs Ping Sweeps Countermeasures

From a troubleshooting perspective, ICMP traffic can be an invaluable tool to an IT administrator for measuring and diagnosing the health of networked devices. From a security standpoint, indiscriminately allowing all ICMP traffic to any system can be a security risk. From an ingress router/firewall perspective, there's probably no good reason to allow all ICMP types from the Internet. Some Internet- facing applications may legitimately need to be able to respond to ICMP. However, from an internal perspective, many firewalls and intrusion prevention systems allow for granular control over ICMP requests and responses. From a host-based perspective, most personal firewalls also allow for blocking ICMP traffic.

Attack ARP Pings

The Address Resolution Protocol (ARP) marries the IP and Ethernet networking layers together (RFC 826). Ethernet-aware switches and hubs are typically unaware of the upper layer IP addressing schemes that are bundled in the frames they see. IP-aware devices and operating systems correspondingly need to communicate on the Ethernet layer. ARP provides the mechanism for hosts and devices to maintain mappings of IP and Ethernet addressing.

For instance, any time a host or device needs to communicate with another IP-addressable device on your Ethernet network, ARP is used to determine the destination's MAC address to communicate directly through Ethernet. This occurs when the host sends an ARP request broadcast frame that is delivered to all local Ethernet devices on the network, requesting that whichever host has the IP address in question reply with its MAC address.

When scanning on a local Ethernet subnet, compiling a mapping of MAC addresses to IP addresses comes in handy, especially later in our hacking scenarios for various network man-in-the-middle and hijacking attacks (covered more in Chapter 5). By using an ARP broadcast frame to request MAC addresses through a large range of IP addresses on the local LAN, you can see which hosts are alive on the local network. This is also another effective way to get around blocked ICMP rules on a local network. Besides being a built-in feature of Nmap, there are also several graphical tools that can perform ARP pings, including the MAC Address Discovery tool from SolarWinds, shown in Figure 2-5.

Figure 2-5: MAC Address Discovery tool from SolarWinds

arping (http:// freshmeat .net/projects/arping/) is a command-line tool for ARP pinging IP addresses. It can also ping MAC addresses directly as well:

 [root@attacker]#  arping -I eth0 -c 2 192.168.100.17  ARPING 192.168.100.17 from 192.168.100.254 eth0 Unicast reply from 192.168.100.17 [00:80:C8:E8:4B:8E] 8.419ms Unicast reply from 192.168.100.17 [00:80:C8:E8:4B:8E] 2.095ms Sent 2 probes (1 broadcast(s)) Received 2 response(s) 

Countermeasurs ARP Ping Countermeasures

There's really not much you can do to prevent widespread ARP pinging because ARP is a necessary functional component of all Ethernet environments. The only way to minimize your exposure somewhat is to logically separate the critical portions of your VoIP environment from the rest of the network using VLANs. Also, some intrusion prevention systems can detect high rates of ARP broadcast requests (pointing to an attacker or misconfigured device) in order to quarantine the offending IP address from the network.

TCP/IP Handshake and Connection Flags

The header of each TCP/IP packet contains six control bits ( flags ) starting at byte 13: URG, ACK, PSH, RST, SYN, and FIN. These flags are used in setting up and controlling the TCP connection:

URG	Significant urgent pointer field
ACK	Significant acknowledgment field
PSH	Push function delivers data
RST	Reset the connection
SYN	Synchronize sequence numbers
FIN	No more data from sender

A typical TCP/IP connection setup is often called the three-way handshake due to the obvious reasons described next .

To begin a new TCP connection, the initiating host first sends a TCP packet with the SYN flag to the destination host, as shown in the following illustration. The destination host responds with a TCP packet with the SYN and ACK flags set. Finally, to complete the handshake, the original host sends an ACK packet and data begins transmitting.

When the host is finished sending data, it sends a FIN packet. The destination host sends back an ACK as well as a FIN packet, or in most cases, a single packet with both FIN and ACK flags set. The originating host then replies with an ACK packet.

Attack TCP Ping Scans

In the frequent case where all ingress ICMP traffic is being blocked by the target's firewall or router, there are several more ways of detecting active hosts for an external attacker. These methods involve taking advantage of the behavior of the TCP/IP handshake and other general TCP/IP connection flags (see the earlier sidebar, "TCP/IP Handshake and Connection Flags").

One such method is called a TCP ping , and it involves sending a TCP SYN-or ACK-flagged packet to a commonly used TCP port on the target host. A returned RST packet indicates that a host is alive on the target IP address. ACK packets are more useful in this technique in order to bypass some stateless firewalls that monitor only for incoming SYNs as the sign of a new connection to block. Nmap, by default, uses a SYN packet on port 80 to probe; however, from the command line, you can customize it to use an ACK packet on a different port(s) using the PT option:

  [root@attacker]#  # nmap -P0 -PT80 192.168.1.23 Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-19 21:28 CST Interesting ports on 192.168.1.23: (The 1671 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 80/tcp open http MAC Address: 00:15:62:86:BA:3E (Cisco Systems) Nmap finished: 1 IP address (1 host up) scanned in 2.144 seconds 

Another utility that can be used for TCP pinging is hping 2 (http://www.hping.org). From the command line, type hping2 help to reveal all of the options:

 [root@attacker]# hping 192.168.1.104 -A -p 80 HPING 192.168.1.103 (eth0 192.168.1.103): A set, 40 headers + 0 data bytes len=40 ip=192.168.1.103 ttl=64 DF id=0 sport=80 flags=R seq=0 win=0 rtt=0.1 ms len=40 ip=192.168.1.103 ttl=64 DF id=1 sport=80 flags=R seq=1 win=0 rtt=0.1 ms len=40 ip=192.168.1.103 ttl=64 DF id=2 sport=80 flags=R seq=2 win=0 rtt=0.0 ms len=40 ip=192.168.1.103 ttl=64 DF id=3 sport=80 flags=R seq=3 win=0 rtt=0.1 ms len=40 ip=192.168.1.103 ttl=64 DF id=4 sport=80 flags=R seq=4 win=0 rtt=0.0 ms len=40 ip=192.168.1.103 ttl=64 DF id=5 sport=80 flags=R seq=5 win=0 rtt=0.0 ms len=40 ip=192.168.1.103 ttl=64 DF id=6 sport=80 flags=R seq=6 win=0 rtt=0.0 ms 

As you can see from the raw output, we received RST TCP packets from the target ( flags=R ) from port 80, indicating a live host.

Countermeasurs TCP Ping Scan Countermeasures

Some intelligent network security devices such as firewalls, intrusion prevention systems, network behavioral anomaly devices, and routers can help detect and block TCP pinging. Many of them may block the initial ACK or SYN packets entirely with the appropriate ACLs, while others may trigger on a certain threshold of scanning traffic, thereafter putting the offending host on a blacklist.

Attack SNMP Sweeps

Another effective way to discover active network equipment is through Simple Network Management Protocol (SNMP) scanning. SNMP is an application layer protocol that facilitates monitoring and management of network devices. In the next chapter, we go into more detail about how SNMP can be used to enumerate juicy information about a phone or server once you've found one that supports it. There are three versions of SNMP:

• SNMP v1 (RFC 1067)

• SNMP v2 (RFCs 14411452)

• SNMP v3 (RFCs 34113418)

SNMP v1 is most widely supported by many VoIP phones for backward compatibility purposes. There are many feature differences between the three versions, but the most important distinction is that SNMP v1 and v2 rely on a very simple form of authentication called community strings , essentially a cleartext password. SNMP v3 relies on stronger encryption such as AES and 3DES.

Unfortunately, many administrators forget to change the default community strings on their network devices. This makes it astonishingly simple for an attacker to glean all sorts of sensitive information using any number of simple SNMP clients . SNMP scans typically return a wealth of data because the default "public" community string is almost always used.

There is a comprehensive list of default SNMP community strings for various devices at the Phenoelit group 's site (http://www.phenoelit.de/dpl/dpl.html). Unfortunately, some VoIP vendors ship their phones with SNMP support, but do not give the user the ability to turn off this functionality easily or to even change the community strings.

SolarWinds has a graphical Windows SNMP scanning tool called SNMP Sweep, and Foundstone provides a free tool called SNScan, which is shown in Figure 2-6. Additionally, there are several command-line SNMP scanning utilities for *nix-based systems such as snmpwalk (http://net-snmp. sourceforge .net/docs/man/snmpwalk.html), Nomad (http://netmon.ncl.ac.uk/), Cheops (http://www.marko.net/cheops/), snmpenum (http://packetstormsecurity.org/UNIX/scanners/snmpenum.zip), and snmp-audit (http://www.musc.edu/~gadsden/tools/snmp-audit).

Figure 2-6: SNMP scanning using SNScan within an organization

Countermeasurs SNMP Sweeps Countermeasures

The easiest way to prevent simple reconnaissance attacks against SNMP-enabled network devices is simply to change the SNMP public and read/write community strings from their factory default. Most hacking and security scanners these days look for the default community strings that ship in a variety of products (typically "public" and "private"). Limit access to SNMP ports (UDP 161 and 162) through firewalls and ACLS (routers, switches) rules from authorized administrative IP addresses only. If SNMP v3 is available, also use it as an alternative.