Tuesday, January 22, 2008

Detecting "Live" Machines on a Target Network

The first step in mapping a target network is to find the limits of the network and determine its defenses. The attacker looks for means of entry by building an inventory of the target network. This gives an indication of any vulnerability that can be exploited and of how well the network perimeter is guarded. The attacker intrudes with a minimal footprint and lies low to assess what measures the target is taking to detect intrusion.
Two types of tools can be used for this purpose: war dialers and ping utilities.
War Dialer
A war dialer is a tool that scans a large pool of telephone numbers to detect modems that could provide access to the target. A more aggressive version may attempt to determine the operating system behind a modem, and a very aggressive one may attempt automated break-ins. A real scanner analyses the carrier information, the negotiation, the protocols present and the banners to guess the operating system, and then tries default username/password combinations for that system.
  • THC Scan - a free war dialer released by "van Hauser" of The Hacker's Choice (THC), a European hacker/phreaker group. What sets THC Scan apart from commercial dialers is the flexibility of its internal configuration. An attacker can use THC Scan together with THC Login Hacker to brute-force systems that have been discovered.
  • ToneLoc
  • TBA
A demon dialer is a tool that targets a single phone number, repeatedly dialling its modem to gain access to the system behind it.
Ping
Ping sends out an ICMP echo request packet and waits for an ICMP echo reply from an active system. Alternatively, TCP or UDP packets can be sent if inbound ICMP is blocked. ICMP is used for error reporting, gathering network information, flow control and packet rerouting.
  • Pinger - one of the fastest ICMP sweep scanners
  • WS_Ping ProPack
  • NetScan Tools
  • HPing
  • icmpenum
From a security point of view, ping can help deduce whether packets are being dropped, duplicated or reordered. However, it cannot determine exactly where in the network this occurred, or by whom, or sometimes even why. Detection of these conditions is achieved by placing a unique sequence number on each packet transmitted. Ping allows detection of malformed or damaged packets, as it verifies a checksum on every packet exchanged. Ping helps in assessing network performance by time-stamping each packet: the Round Trip Time (RTT) is the time taken for a packet to travel between the two systems and back. Ping also reports other ICMP messages it receives in response (such as Destination Unreachable) that the system software would otherwise not surface. Readers are encouraged to refer to RFC 792 to understand ICMP better.
ICMP packets can be used to determine whether a target IP address is alive by sending an ICMP ECHO request (ICMP type 8) to the target and waiting for an ICMP ECHO reply (ICMP type 0). If an ICMP ECHO reply is received, the target is alive. No response could mean one of four scenarios: the target is down, the query (or its reply) was lost in transit, the traffic is being filtered, or the system is configured not to respond.
It is worth noticing that while UNIX and Linux follow the RFC suggestions in their ping utilities, Windows shows a variation. Windows keeps the ICMP identifier constant and uses the sequence number field to differentiate between queries. Each ICMP ECHO request carries a unique sequence number, and the gap between one sequence number field value and the next, as seen on the wire, is 0x100 hex / 256 decimal.
The reason is byte order: the Windows ping utility writes the identifier and sequence fields in host (little-endian) byte order rather than network byte order, whereas UNIX systems use the process ID of the ping utility as the identifier, in network byte order. Therefore, whenever an ICMP query datagram with an ICMP identifier field value of 256/512/768 is observed, it indicates that the underlying operating system is Windows based. This is significant because many attacks are operating-system dependent, and identifying which operating system runs on the target host can shorten the attack phase.
UNIX and related systems set the sequence number to 0 on the first query to a host and increase it only when further queries are sent in the same run. In other words, each time the ping command is run, the first query sent carries the value 0.
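As an added example (not code from the original post), the following Python script shows how the checksum, identifier and sequence-number behaviour described above can be checked on the wire. It builds and parses ICMP echo messages with the RFC 792 one's-complement checksum, and classifies a run of echo requests from one sender as Windows-like (constant identifier, sequence field advancing by 256 on the wire) or UNIX-like (sequence starting at 0 and advancing by 1). The sample packets are constructed inline, not captures; the identifier 0x0200 with the 32-byte alphabet payload for the Windows sample, and the PID-style identifier 31337 with a 56-byte payload for the UNIX sample, are assumptions reflecting common defaults.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
ICMP_HEADER = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message.

    Over a message whose checksum field is zero it yields the value to place
    in that field; over a received message (field filled in) it yields 0 if
    the message arrived intact.
    """
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes,
               icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Serialise an ICMP echo request (type 8) or reply (type 0) with a correct checksum."""
    header = ICMP_HEADER.pack(icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return ICMP_HEADER.pack(icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode an ICMP echo message and verify its checksum."""
    if len(packet) < ICMP_HEADER.size:
        raise ValueError("truncated ICMP message")
    icmp_type, code, csum, ident, seq = ICMP_HEADER.unpack(packet[:ICMP_HEADER.size])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": packet[ICMP_HEADER.size:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def classify_sender(requests: list) -> str:
    """Guess the sender's ping implementation from a run of echo requests.

    Windows ping: identifier constant across the run and the sequence field,
    read in network byte order, advancing by 0x100 (host byte order on the wire).
    UNIX ping: sequence starts at 0 and advances by 1; the identifier is the PID.
    Anything else (too few packets, bad checksums, mixed senders) is "unknown".
    """
    fields = [parse_echo(p) for p in requests]
    if len(fields) < 2 or not all(f["checksum_ok"] for f in fields):
        return "unknown"
    if any(f["type"] != ICMP_ECHO_REQUEST for f in fields):
        return "unknown"
    idents = {f["id"] for f in fields}
    seqs = [f["seq"] for f in fields]
    steps = {b - a for a, b in zip(seqs, seqs[1:])}
    if len(idents) == 1 and steps == {0x100}:
        return "windows"
    if seqs[0] == 0 and steps == {1}:
        return "unix-like"
    return "unknown"


# Constructed samples (assumptions, not captures). Windows: identifier 0x0200,
# 32-byte alphabet payload, sequence 0x0100, 0x0200, 0x0300 on the wire.
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
WINDOWS_RUN = [build_echo(0x0200, seq, WINDOWS_PAYLOAD) for seq in (0x0100, 0x0200, 0x0300)]

# UNIX-like: PID 31337 as identifier, sequence 0, 1, 2, 56-byte payload
# (the timestamp a real ping embeds is replaced by fixed bytes here).
UNIX_PAYLOAD = bytes(range(56))
UNIX_RUN = [build_echo(31337, seq, UNIX_PAYLOAD) for seq in (0, 1, 2)]


if __name__ == "__main__":
    for name, run in (("windows sample", WINDOWS_RUN), ("unix sample", UNIX_RUN)):
        first = parse_echo(run[0])
        print(f"{name}: id={first['id']} seq={first['seq']} "
              f"checksum_ok={first['checksum_ok']} -> {classify_sender(run)}")
```

The heuristic is deliberately conservative: a single UNIX process whose PID happens to be a multiple of 256 would look Windows-like on identifier alone, which is why the classifier also requires the 256 sequence step and refuses to guess from a single packet.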
