Some of this stuff may be kind of basic for some of you, but some of it, actually, we're going to touch on a few new things, and then I'll kind of cover some new things we've got at the end. And I also want to apologize for the PowerPoint thing, but hey, you know, that's kind of what a lot of us end up doing going around with some of these presentations; I have to live with it.

Anyway, I'm assuming on this presentation you all understand what an IP address is. You understand a little bit of basic system administration. I'm also going to make the assumption that when I talk about tools or refer to tools, you know how to go and find them. I don't know how many emails I've gotten from people saying, you know, hey, where do I get the so-and-so tool or whatever? Okay, I figure everyone probably knows how to use a search engine and whatnot, and they understand a little bit of the basic stuff about the usage of the tools. The presentation is more from a network point of view. I'll touch on host-based type stuff where it seems appropriate, but for the most part we're talking about the network itself.

I think everyone probably knows, you know, Simple Nomad, I got introduced, but the NMRC.org website... I also have a nice day job at BindView, who are very, very happy to hire hackers and whatnot, and so I get to do a lot of what I've been doing. Some people say, why haven't you been updating your website? Well, it's because I've been extremely happy working on the Razor team at BindView. They've been keeping me really busy, and so that kind of tends to be where my attention has been focused.

As far as the network mapping stuff goes, the first thing you need to know is a little bit about your target. There's different ways you'd go about that. I'm not going to cover actual breaking-in techniques. We're just going to be basically talking about how to do some type of stuff ahead of time. Public information, where you can get a lot of stuff.
We're going to cover some stuff on that, some techniques on network enumeration, and then we'll get into some mapping.

Public information. Obviously, if you wanted to really research your target, you go out and you look at the public records and everything. You find out a lot of interesting things from public records and whatnot. Is EDGAR still online, where you can search it and everything? That was always... Yeah. I know there was talk at one point, I think, about turning it off or something. I'd read something about that. But that's always something I make sure I take a look at. Of course, whois, DNS, and all the assorted tools that go with probing DNS.

Public postings. This is something that some people tend to forget about. A lot of times you'll find that people on mailing lists and in newsgroups and other places will actually post technical questions, and in the process they're giving away pieces of their technology, what they have in there. "I'm having problems with the so-and-so backup system." Okay, well, I know now what kind of backup system it is, and I know what operating systems maybe that runs on. That kind of information. Sometimes they give even more details than that. They put in their sig files. They've also got their telephone numbers, so now I've got exchanges that I can war dial, because I know what their work numbers are and whatnot. So don't forget those areas.

Network enumeration. Pretty much the goal that you have of network enumeration, we'll cover that here in a second. What I want to get into on that is ICMP. There's actually some fairly new things with ICMP, thanks to a couple of talks I've had around here. And you can pretty much read the rest; I'm not going to stand up here and read slides to you. I do want to talk on ICMP. One thing that's been, you know, the first thing that everyone would do: they'd do the sweep with echo packets and get the responses back, and now I know I've got a host up.
And so of course people started blocking that at the firewall. Another alternative to that would be to sweep with, say, something like timestamp packets, or even info request packets, although that's not supported nearly as much. But if they're only blocking echo packets at the firewall, then by sweeping for these different types you can go ahead and find out if you've actually got a host up or not.

So a lot of people have taken it a step farther. They're blocking a lot more. They're saying, okay, well, I'm only going to allow in something like host and port unreachables. Maybe I'm going to allow in a source quench. And that's the only kind of stuff I'm going to allow to come into my network. Well, another way I can get around that, though, is if they're allowing the host and port unreachables in, I send in a forged host or port unreachable, just one that was unsolicited. I use an illegal header length, and what will happen is, if they've properly implemented ICMP in the IP stack, it'll say, I've got an error now, I'm going to go ahead and reply back saying you've got a parameter problem. And so then I get an ICMP back, and boom, I've actually now determined that that host is up. And that was actually theory until I had a talk earlier this week, and I've got the guy's name in the last slide here, because I really appreciate learning that information. The other thing, I don't know specifically how much this goes across the various vendors. They all have their different ways that they do IP and everything, and not everyone implements things the same way, but we'll talk a little bit more about that here in a minute.

Scanning. Why scan? Hopefully everyone here already knows why you scan. You're looking for services running and whatnot. And pretty much everyone's using Nmap. It's become pretty much everyone's tool. It does some of the ping sweeps and stuff, but some of the other features, the fingerprinting, is extremely interesting.
That helps out a whole lot. Another real interesting thing that I like to use with Nmap: most of you know that it comes with libpcap, and so it goes into promiscuous mode during some of the scans, which means that if I set it up to where... you can do the decoy thing and say, okay, I'm going to... and then put in your real IP address in there. Depending on where you're scanning from, you can say your IP address is someone down the hall, and if you're on the same net, you scan, and since you're in promiscuous mode you still get all the responses back, and they blame the guy down the hall, or if you've got a cable modem they blame some other guy that you've managed to pick up. So that's kind of a neat little feature there, so you can scan without revealing your address.

TCP fingerprinting. I think pretty much everyone here probably knows what that is, but for those that don't: send out a flurry of packets with the various settings, you get a bunch of different responses that come back, and the types of responses can pretty much indicate the types of operating systems you're dealing with. Something that I found out fairly recently, because I just started playing a lot with ICMP and TTL, is that by sending in certain types of ICMP packets with various things switched on, you get fairly unique responses, and they're fairly consistent responses, and you can do somewhat of an OS-type fingerprinting just with ICMP. This comes in handy if you're doing that thing with the host or port unreachable: at that point you're going to be able to tell, in some cases, what type of OS you actually have sitting on the inside.

The additional probes thing here: the other thing you want to do is scan for possible security devices, and one thing I like to talk about is throwaway hosts. Let's say I'm doing a penetration test of some kind.
Some of you may be doing them legitimately, some of you may be doing your own freelance penetration testing, but you get the idea: you want to check out and see what these various security devices are. So sometimes you take a host that you know you don't care about, that you have ownership of, and you're going to go ahead and send in your packets, and then maybe you're going to try the same thing again and see if you get some type of different response. So what it involves is looking for a lack of response to, perhaps, some type of security device that's on there. And of course then using some of the AntiSniff technology, sweeping for promiscuous devices.

The other thing that I would do is consider some of the odd ICMP things. This is one way you would spot honeypots. If you've got something in there that looks like it's some type of somewhat open NT device, and it turns out that it's really something else, because the ICMP responses you're getting back are kind of indicating that it's a UNIX box, that's an example of where you've got maybe a honeypot or something like that, where you can obviously avoid it, or if you want to go in and play around and look like an idiot, I guess you could do that to trick them or whatever.

But anyway, network mapping. This involves basically determining the network layout, trying to figure out exactly where the devices are, where they're attached, who's talking to what and whatnot. Firewalk is probably a little bit better tool; it gets you a little bit better in there. And then some of these other things we've already been talking about, specifically ICMP, is what I'm thinking about here.
For doing some type of bypassing of the firewall, this is a slide I should have updated last night. I don't know if any of you were at Black Hat, but there's a great presentation on getting past Checkpoint firewalls which is just absolutely... that was wondrous, that was absolutely great. So forget this slide, just go to that stuff, it's really good stuff.

There are some things, or at least what you're trying to probe: before you launch an attack against something on the other side of the firewall, you at least need to try to know what the hell it is you're launching the attack against. So using things like Firewalk to determine what services may be running, and Nmap as well, just trying to determine what kind of services are running, you get roughly maybe an idea of what you've got there on the inside. For the most part, these attackers, you're only going to come in on one port, for the most part, unless you're doing something really oddball and sophisticated. For example, most people leave open port 25, they leave port 80, and those are going to be kind of the things you're looking for.

State table manipulation. This has to do with the FTP thing that came out, where with passive FTP I'm going to actually put entries into the state table and have a way in there. That kind of was the lead-up to what that Black Hat presentation was on Checkpoint.

Obviously, if a site has intrusion detection, you want to do something to avoid that, if that is your call or cause. Obviously, if there's some way that you can manipulate the data that they're going to detect, because for the most part network-based ones are pattern matching, so you can go ahead and maybe try and alter that data but the attack will still work, that would be a good way to do it. Fragmented packets: I know that a couple of years ago there was a big thing at Black Hat, and a paper that was released that talked about a number of different ways to get past intrusion detection, and one of them was using fragmented packets.
I think it was up until about maybe six months ago most of the vendors were still vulnerable to this. I think there's a few more that are just now getting on board and are patching, but that's still a valid thing to try. Did ISS... does anyone know if the RealSecure stuff actually is handling fragmented packets now? 5.0, supposedly? Vote of confidence there. Supposedly no, it's not? Okay, there we go, use that then.

Another way of avoiding intrusion detection, which is something that I saw at my previous employer, was that if there was a lot of false positives, then the system administrators started losing confidence and started distrusting it. Distraction-type things are also a real good thing: hitting the thing with a ton of port scans, and then you launch your little attack thing and you get in. I mean, they're basically trying to track down all this other activity, and then you slip in the one thing. That I've actually seen.

Another one would be to make sure that if you're going to be logged, and this has to do mainly with the IDS stuff that scrapes through logs looking for various things, if you make your entries into those logs look like normal log-type entries, then there's a very good chance that your stuff will go undetected. I know that several years ago, actually it's maybe less than that, maybe a couple of years ago, I know that with Shadow, the IDS, if you read through the manual and followed it exactly the way it was written, it said, okay, you're going to have a lot of stuff in your logs, and Shadow does not do stuff in real time, it actually goes through and looks at logs. So if I'm doing stuff, and say, if you see a lot of stuff with a source port of 80, that's all your web traffic, so you may just want to skip and dump everything with a source port of 80, which is basically in the instructions. So then all you have to do is say, okay, my attacks now are all going to be source port 80, and they're not going to catch any of them. And they were wondering why they were
having all these .gov and .mil website defacements, and I think that was probably a pretty good indication right there of it.

Whenever you're getting all these little pieces of data from all these different sources, you need to start pulling all this stuff together, and you've got to remember that even the smallest amount of data that you may collect against a target, this can be reused, this could possibly be reused in the future. I do know there's people out there that will scan and scan and scan and scan, and they build up these large databases of various sites with various ports open and stuff. They may not use that stuff for a long time. It's important to realize that, whether you're attacking or defending; that's very, very important. And a lot of things, like if I have just one little spot where I can, you know, perhaps get in partway, maybe I've got another spot somewhere else, looking at each one of these various steps.

While I go through here, and I've kind of edited a lot of this, I've done some screen dumps of basically what a live site would look like if you want to do some mapping, and I'll kind of go through it here real quick. Do a whois against the target company. I think I kind of messed that up, the way I've got that typed there. Doing a whois, the first thing I want to determine is to get their name servers. A lot of times, it's fairly common for someone to have their ISP as a backup name server, so sometimes if you're going after a zone dump to pull down all the addresses, it's usually safer to go against the ISP. However, in this particular case, this is actually a former employer. I just went out there; they did not list the ISP, okay, they had their own stuff. So I went ahead and started poking around and looking at that, doing traceroutes to the various boxes. I've got these... I don't know, so it's okay. I've got it highlighted there in brighter white: it looks like their ISP is Southwestern Bell,
as it goes in there. Now I do a traceroute using the other box, just to be sure. My gosh, they've got a second ISP there, which is CW.net, which is Cable and Wireless. Next thing I did was I went out and did a zone dump on them, since they left that wide open. As you can see, I got back a huge amount of answers on that, so now I've got a ton of stuff.

This, using a tool called icmpenum that I wrote: I tried doing some ping sweeps just with echo, and they had echo blocked, so doing ping sweeps with timestamp I was able to basically enumerate a lot of hosts there. One interesting thing is that NT does not respond properly to a lot of these ICMP things. So if you had a segment... yeah, but for the most part, if someone just has a default, if you install services... for the most part, a normal installation of NT, if you go through and sweep them with ping, normal echo packets, you get back replies, and then sweep them with timestamp, all the ones that don't answer on the timestamp, those are probably 95, 98 and NT boxes. They fixed it in Win2K.

Looking over the public systems, what they have in the DMZ, particularly large companies that have any kind of e-commerce presence: don't just look at WWW first, also look for WWW2, and, you know, I've even seen webdev.whatever. It's not there in the DMZ, they've got to test it, and so it'll be sitting out there, and sometimes this will have a lot more lax security on it. But looking through and exploring all those public systems a lot of times will give you a lot of good information.

Scanning. I've got two scans that you can see here. The first one, with Nmap, as you know, I did it polite, and as you can see I got back a lot of answers there. And then down towards the bottom here, here's another one with Nmap where I don't have the polite stuff going, and for the same address it shows me that no ports are open. Okay,
I've got an IDS system now that probably did something. I got something in there that we had now triggered. This is an example of where you're doing the scanning, and, you know, I do this from a box that I don't really care about whether they learn the IP address or not; I want to actually try and trigger the stuff that's out there to secure the network, to try to see what it is.

Here's a scan, and I swear, outside of changing the domain name, I swear to God that was the hostname: the hostname of the firewall was firewall. That was... do what now? Yeah, use router, you know, for the router. You know, this and that's what it was, so it was pretty difficult to spot, you know, the firewall there: oh, firewall.whatever. And actually the VPN box was hostname VPN, okay. And I thought, well, you know, maybe I'll find the IDS that way, but I know they actually didn't do that. The reason I used two dash v's, verbose verbose, is you get more stuff back, you know, because otherwise it wouldn't have filled up the screen.

So if you look there and you see that some of this stuff is in a filtered state, which means that when I scan them, something out there outside... I'm scanning the firewall, and I think about this, I'm scanning the firewall, but for some reason they're doing filtering outside the firewall. That's really kind of odd, and that right there is just like a red flag that says they probably had some type of firewall problem, they couldn't figure out how to do something, so they had to just go out there and put some stuff in the router. And, you know, okay, 139, I think we know what that is; 161, SNMP. But the real telling one here is the 256, 257, 258. Okay, that right there says that's a Checkpoint. Okay, that's what that tells me right there, that's a Checkpoint. Those are the ports that a Checkpoint firewall uses if you're going to do remote management on the box, and apparently they didn't
know how to turn it off at the firewall; they had to do it on the router outside so you couldn't manage the firewall from the outside. Which is a shame, because it would have possibly simplified a lot of things. But anyway.

So here's the mapping of how this went, with this, just to give you an idea. ISPs are, okay, Cable and Wireless and Southwestern Bell, two very, very fine and very secure ISPs. And just slowly I go through there, I determine, you know, where the boxes are, who's pointing to what, and it was fairly easy to determine what was in the DMZ and what was not. And I was able to do it just with a little bit of, you know, sending the packets in and doing the traceroute thing here and there. But I could tell that in some cases I was getting one extra hop as I went in, and I didn't know the exact layout internally, where all this stuff's crossing over, but I started figuring out that they had some level of redundancy. There was kind of a default path for some of this stuff, but in other cases they kind of had a redundant thing here, and I could see why they did it after I started looking a little more, because Cable and Wireless, and whoever the big guy was, you know, UUNET or whatever, at that level, these two ISPs went up to two completely different larger backbone providers. So they were working on getting, you know, a whole bunch of redundancy going there.

And pretty much at that point you start picking off and figuring out what boxes you've got in there, and then you get to the point where you've actually started getting some real indication as to what the various boxes are. And like I said, this is all pretty much live data. So, you know, now if I'm going to attack, I've got a pretty good feel for what I'm going up against in there in the network.

Something I wanted to talk about, as far as... I'm going to touch on this attack stuff, since it's
kind of somewhat... now hold on here, send someone to voicemail. There's two types of attacks, as far as distributed attacks go: those are ones that do not require direct observation of the results, and those attacks that do require direct observation of the results. I'll give you some examples of what I mean by that.

Basic model here. This is commonly found in your distributed denial of service: you have a bunch of agents sitting out on computers that have been compromised, the zombies that are sitting out there, and then you have your servers that send all their stuff to the zombies. By the way, I want to say something about the zombie thing, because I caught a lot of shit for Zombie Zapper, okay, because of the name. I did not name that product. Marketing named that product, because they read "zombie" somewhere in a trade magazine. I just want to point that out while I've got, you know, a group of people whose opinion I might actually care about. You know, very scary. I couldn't come up with a better name, but, you know, nonetheless, I didn't name that. Anyway, so you have your agents out there that receive their stuff from the various servers, and usually some client that talks to the server that does this. With the distributed denial of service you don't need to see the results, the responses back from those packets that you're sending in to keep people from buying a book on Amazon for an hour and a half.

This is a little bit more of an advanced type thing, ICMP. And then we'll do this: that's where I forge the timestamp request into the target, the timestamp replies come back, and I sniff the replies. And I forged the source address so that as the packets come back by, I'm actually going to be able to sniff the replies. Okay, now obviously if you're forging an address in your same segment it's a lot easier, or you'd have to compromise one of those rock-hard secure ISPs like, uh, Mr.
Bell, to be able to do this kind of stuff. Okay, this is the one that's really fun. This is the one that I really, really like, and we'll have to go through this step by step. Okay, I've got my target, and they've got a firewall out in front, okay, so they're all nice, neat and secure. First thing I do is I break into one of those rock-solid ISPs. Is it just me? I didn't have anything to drink last night at all. Okay, there we go. Wow, okay, anyway, you compromise one of those upstream ISPs. Now, this upstream host here, I am never going to send a packet from this upstream host in towards that target at all. This upstream host is not going to be sending any packets for me. It's not going to show up in any logs over there whatsoever. I want to protect that guy, okay, he's gold. All right.

Next thing here, I've got my various attack nodes here, and I've got my master node controlling them. And what I want to do here is, if I want the attack nodes to do something to the target, let's say if they're doing some type of probe, they're going to scan, whatever, okay, I control them with the master node and I send my stuff up there, because these attack nodes, what they're going to do, they'll send in their stuff through the firewall. Now, what I may be doing is, as far as a source address, I could be using a source address that is a trusted partner in this whole business-to-business thing that everyone's doing with this whole e-commerce thing. The target may have, back in those public records, you know, people that they're doing business with, large customers of theirs, large vendors for them. They may have extra rules in the firewall, and I'm pretty sure that especially the administrators in the audience will attest to how often they've had to say, all right, we'll go ahead and open up blah blah blah port for what's-their-faces, because they make us a lot of money or we do a lot of business with them. I know that I've seen it a dozen times. So those are the source addresses
that I want to have coming in on these attacks or these various probes. So the replies are flying by, and where they're flying by is that upstream host, so I can now sniff the replies, okay. And then, of course, to kind of complete the picture, put a link in here between the upstream host and the master node. Now what this allows me to do, then, is if I'm doing a scan, for example, okay, I can tell the master node, okay, I'm going to send out to these attack nodes, I'm going to do the scan, replies come back, I get the sniffed replies on the upstream host, and then through a covert channel he communicates back to the master node. This is all done with encryption and all that, probably using ICMP or something like that to communicate.

And so I can also kind of expand upon this, and I can say, let's say that I want to do something that's going to involve a TCP three-way handshake, for example. So what I can do is I can send from the master node to the attack nodes, the attack nodes go ahead and send in their attacks, boom, we pick it back up on the sniffers, the reply comes out, I can send that information back to the master node, and I can continue that whole cycle there. I can actually have a conversation where I'm actually engaging in an attack, and there is nothing in those logs over there whatsoever, on the firewall or anything on the target, that's going to reveal my true address. So that's kind of the whole idea behind this.

Some other things that make this more fun is that, as far as the upstream host goes, when he's sending information up here to the master node, he's going to use roughly the same type of technique that I'm using to grab these sniffed replies, okay. All these replies, they're destined for some place over here; the sniffer that's running here on the upstream host just knows what to pick up. I'm going to do the same thing: I don't send this stuff from the upstream host directly to the master node. I send it to somewhere on his same segment, or somewhere past him, where he's going to pick it up
sniffing. And it's the same thing I'm going to do for sending from the master node to the attack nodes: I'm not going to send directly to those IP addresses, I'll send to those segments, I'll send somewhere along the way. Obviously that's kind of complex. If you own, you know, an ISP, then this is going to be a lot easier to set up. But that's kind of the model, kind of the idea behind all this. And, well, I don't have the software written for this, okay, sorry, but I'm sure someone will come up with it. I did a talk at SANS sometime last year, right before the distributed denial of service, and I was talking about some of this stuff on a much smaller scale, and then I get an email, after all the distributed denial of service, from someone that saw the talk at SANS, and said, you know, I think they looked at your presentation, they ripped you off, dude. So probably I would expect, as the natural evolution, as the stuff moves along, that this would be the next type of thing.

Free stuff. We're kind of getting towards the end of the presentation here. The vendor that paid, or my boss, is BindView, so it's sort of the vendor that's supplying some software. In short, they paid my plane ticket out here, you know, so I should at least go ahead and plug the product I work on during the day. SANS came out with a list of the top 10 security things that you all need to check for. I think all it was was just a list, so attackers now have a list: I'll just try these first. They've got the list here, and HackerShield, the security scanner, has an update for it. You can download HackerShield for free off the net and load in this thing, and it's good for 30 days, and I think it's like 25 IP addresses and whatnot. Vlad the Scanner is what the BindView Razor team put together. It's a security scanner that only does the SANS top 10, okay, so it is somewhat limited, but it is freeware, it's open source. You can get it off
the Razor website. It has some pretty cool stuff in it. One of the things it has in it, it has a pretty nice and neat CGI scanner. It doesn't do any of the evasion stuff that Whisker does, and until I talked to RFP I thought that we were doing more checks than he was, but no, 1.4 has either just come out or will be out there very soon, and it's going to have probably 10 times as many, which, you know, I'll have to snarf more stuff from him to get this up to speed. But that's a pretty cool thing that's in there. The other thing that's in there is what we're calling kind of a protocol scanner, and it's to test the user IDs and passwords, whether they have weak user IDs and passwords. And Vlad does all that: login, POP3, IMAP, what else does it do? I'm missing a couple here. SMB. Todd, where are you? SSH. There's like 6 or 7 of them that it does. The SSH one is kind of cool, because I don't think there's very many dictionary-style things that you can use to go after SSH, just, you know, user IDs and passwords and whatnot. The thing's actually automated. We don't have a huge amount of default accounts and passwords listed in the supplied databases, but obviously you could all supply your own.

And the final thing, which is kind of a fun tool, is called DSPOOF. If I'm getting scanned, or I'm getting a packet coming in, and I'm thinking, hey, is this thing really, you know, a forged packet, or is it the real thing or not, this should be kind of a good way to tell. And what this does, DSPOOF actually checks the TTL and sends a packet out and tries to determine the real TTL from where I received the packet from. Obviously, you're going to say, okay, I got the packet I suspect is forged; let's say it has a TTL in it of, say, 50, okay. Now I'm going to check that and test it by sending a query packet out to that address and get a response back and look at that TTL. If they match, then it's probably the real thing; if not, then maybe the thing is forged, especially if it's way off. So it's kind of a way that
you can check it. It's kind of a fun thing with that TTL. Anyway, these tools just got put up there on the Razor website, and I encourage you all to go out there and download them and have some fun with them. Be careful with Vlad the Scanner if you're the kind of person that just likes to point it at whatever, okay. The protocol scanner thing is actually going to be considered intrusion into the system, since you're trying users, but pretty much everything else is just looking to see if a file is there, if a service is running, or something.

I wanted to say thanks to a couple of people here. I'm not sure how to pronounce Ofir Arkin's name; I hope I just pronounced it correctly. Some of the ICMP stuff I've been discussing, up until Friday when I got over here to DEF CON, was theory, and he's already been doing a whole lot of research on that. So a lot of the theory stuff, he was able to pull something out of his backpack and say, no dude, I've already checked this out, and here's some more information on it. So look for DSPOOF to get updated with even more exciting stuff. And then Donald MacLachlan was the one that put me on the path about all the tricks with TTL and whatnot, and so he deserves some credit on that as well. I want to make sure that I mentioned those guys' names.

As far as follow-up goes, obviously the NMRC website, and I promise I'm going to start updating the thing a little bit better than I have been. I know that I've been bad about that. But also look out on the Razor website; half of what I've been working on usually ends up out there anyway, and probably some of the things that we work on on Razor that aren't exactly politically correct to be stuck out on the Razor website will probably end up on the NMRC website. So that's kind of a thing to know. And then I've got my email addresses there. That's pretty much it. If you've got some questions, feel free to fire away.

Yes? The comment was about wanting some comments on how some people will modify their kernels, or
modify whatever, so that when you're getting an Nmap scan that's trying to do a fingerprint, maybe it's doing something, you know, maybe it's saying, oh, I'm not really this OS, I'm actually a printer or something else like that. Yeah, I mean, that's where I think this ICMP stuff that Ofir has come up with is going to be pretty interesting. And as a matter of fact, one of the things I want to do when I get back home is probably to work on a scanner of some type that actually uses ICMP to do fingerprinting. That's what I mean as far as spotting a honeypot: if you've got something that shows up on Nmap as one thing, but then you look at some of the responses coming back from ICMP and it just says this is a completely different IP stack, then maybe I've got something funky happening there.

Any other questions? Okay, I guess not. I want to thank each and every one of you, thank you for coming, visiting my website, I appreciate it a lot. Thank you.
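Editor's added example, appended after the talk and not Simple Nomad's DSPOOF code: it implements the TTL check the talk describes for a defender wondering whether an incoming packet's source is forged, by comparing the suspect packet's TTL against the TTL on a reply from actively probing the claimed source. The probe is an injectable function fed with constructed reply values so the block runs offline; the initial-TTL table (32/64/128/255) and the two-hop tolerance for asymmetric routing are assumptions.

```python
"""DSPOOF-style source-spoof check based on TTL consistency.

Idea from the talk: note the TTL on the suspect packet, probe the claimed
source, and compare.  If the two imply very different hop counts (or
different IP-stack initial TTLs), the source address was probably forged.
Added example; not the Razor team's DSPOOF implementation.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Initial TTLs used by common IP stacks (assumption for the example):
# 32 old Windows, 64 most Unix/Linux, 128 Windows NT family, 255 routers/Solaris.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed: int) -> int:
    """Smallest common initial TTL that is >= the observed value."""
    if not 0 < observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial
    return 255


def hop_count(observed: int) -> int:
    """Hops the packet travelled, assuming the inferred initial TTL."""
    return infer_initial_ttl(observed) - observed


@dataclass
class Verdict:
    suspect_hops: int
    probe_hops: int
    suspect_initial: int
    probe_initial: int
    spoofed: bool
    reason: str


def check_spoof(suspect_ttl: int, claimed_src: str,
                probe: Callable[[str], Optional[int]],
                tolerance: int = 2) -> Verdict:
    """Compare the suspect packet's TTL with a fresh probe reply's TTL.

    probe(addr) returns the TTL seen on a reply from addr, or None if
    nothing came back.  tolerance allows for asymmetric routing: the reply
    path may be a hop or two longer or shorter than the forward path.
    """
    s_init, s_hops = infer_initial_ttl(suspect_ttl), hop_count(suspect_ttl)
    reply_ttl = probe(claimed_src)
    if reply_ttl is None:
        return Verdict(s_hops, -1, s_init, 0, True,
                       "claimed source did not answer the probe")
    p_init, p_hops = infer_initial_ttl(reply_ttl), hop_count(reply_ttl)
    if s_init != p_init:
        # Different initial TTL means a different IP stack sent the packet.
        return Verdict(s_hops, p_hops, s_init, p_init, True,
                       f"initial TTL class differs ({s_init} vs {p_init})")
    delta = abs(s_hops - p_hops)
    if delta > tolerance:
        return Verdict(s_hops, p_hops, s_init, p_init, True,
                       f"hop count differs by {delta} (> {tolerance})")
    return Verdict(s_hops, p_hops, s_init, p_init, False,
                   f"hop counts agree within {tolerance}")


# Constructed probe results standing in for live replies (RFC 5737
# documentation addresses; the TTL values are made up for the example).
CONSTRUCTED_REPLY_TTLS = {
    "192.0.2.10": 52,      # 64-TTL host, 12 hops away
    "198.51.100.7": 117,   # 128-TTL host, 11 hops away
    "203.0.113.99": None,  # never answers
}


def constructed_probe(addr: str) -> Optional[int]:
    """Stand-in for sending a query packet and reading the reply's TTL."""
    return CONSTRUCTED_REPLY_TTLS.get(addr)


if __name__ == "__main__":
    # Genuine: TTL 51 is 13 hops from a 64-TTL host; the probe says 12 hops.
    print(check_spoof(51, "192.0.2.10", constructed_probe))
    # Forged: claims 192.0.2.10 but TTL 118 looks like a 128-TTL stack.
    print(check_spoof(118, "192.0.2.10", constructed_probe))
    # Forged: TTL 60 is only 4 hops out, the real host is 12 hops away.
    print(check_spoof(60, "192.0.2.10", constructed_probe))
```

A real deployment would replace constructed_probe with something that sends the query packet and reads the TTL off the reply, which needs raw-socket or pcap access.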
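A second editor's addition, not part of the talk, for the point made early on that blocking only ICMP echo leaves timestamp and info-request sweeps unnoticed: this Python block parses constructed netfilter-LOG-style lines (the timestamp format is simplified to ISO 8601) and flags any source that touches many distinct hosts with one ICMP type inside a sliding window. The window size, host threshold and log format are assumptions.

```python
"""Detect ICMP host sweeps that sidestep an echo-only firewall rule.

The talk's point: if only echo (type 8) is blocked, a sweep with timestamp
(type 13) or information requests (type 15) still enumerates live hosts.
Added example, not code from the talk; the log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ICMP_NAMES = {8: "echo request", 13: "timestamp request",
              15: "information request", 17: "address mask request"}

# Fields as netfilter's LOG target prints them (SRC= DST= PROTO=ICMP TYPE= CODE=);
# the leading ISO timestamp is a simplification for the example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=ICMP "
    r"TYPE=(?P<type>\d+) CODE=(?P<code>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, icmp_type), or None for non-ICMP lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["type"]))


def detect_sweeps(lines, window=timedelta(seconds=60), min_hosts=8):
    """Yield (src, icmp_type, host_count) once per (src, type) that reaches
    at least min_hosts distinct destinations within window."""
    recent = defaultdict(deque)   # (src, type) -> deque of (ts, dst) in window
    alerted = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, itype = parsed
        key = (src, itype)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop entries older than window
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= min_hosts and key not in alerted:
            alerted.add(key)
            yield (src, itype, len(hosts))


def summarize(lines, **kw):
    """Human-readable alerts: (src, ICMP type name, distinct host count)."""
    return [(src, ICMP_NAMES.get(t, f"type {t}"), n)
            for src, t, n in detect_sweeps(lines, **kw)]


def build_sample_log():
    """Constructed log: one fast timestamp sweep, a benign monitor, a slow sweep."""
    base = datetime(2000, 7, 29, 10, 0, 0)
    fmt = "{ts} kernel: IN=eth0 SRC={src} DST=192.0.2.{i} PROTO=ICMP TYPE={t} CODE=0"
    lines = []
    # Sweep: timestamp requests to 10 hosts in 10 seconds (echo is blocked).
    for i in range(1, 11):
        lines.append(fmt.format(ts=(base + timedelta(seconds=i)).isoformat(),
                                src="203.0.113.5", i=i, t=13))
    # Benign: a monitor pinging two hosts.
    for i in (1, 2):
        lines.append(fmt.format(ts=(base + timedelta(seconds=30 + i)).isoformat(),
                                src="198.51.100.9", i=i, t=8))
    # Slow: info requests to 10 hosts, one every 5 minutes, below the window.
    for i in range(1, 11):
        lines.append(fmt.format(ts=(base + timedelta(minutes=5 * i)).isoformat(),
                                src="203.0.113.77", i=i, t=15))
    return lines


if __name__ == "__main__":
    for alert in summarize(build_sample_log()):
        print("sweep:", alert)
```

The slow sweep in the sample is deliberately missed at a 60-second window, which is the usual trade-off: a longer window catches patient scanners at the cost of more state per source.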