2008 Oct 18
Network Mapping |
Port Scanning |
War Dialing Attacks |
War Dialing Defense |
After reconnaissance an attacker wants to acquire an inventory of the systems on your network: the IP addresses in use, the network topology, and the critical hosts, servers, routers, firewalls, etc. The attacker will start by probing the systems that can be reached from the outside: Internet gateway(s), DMZ systems, web, mail, FTP and DNS servers. The next step is the internal network.
If the attackers (e.g. malicious employees or vendors) are already inside, the probing starts with the internal network: they will scan and map it right away. An attacker may also have gained inside network access through a modem discovered by war-dialing.
A usual first step is a ping sweep: an ICMP Echo Request is sent to every possible address in the ranges discovered during the reconnaissance phase. If an Echo Reply comes back, that address has an active machine. No response usually means nothing is there, although it can also mean that ICMP is being filtered somewhere on the path.
Many networks block incoming ICMP messages, so an attacker can also send a TCP or UDP packet to a common port, such as TCP port 80, looking for web servers. Any TCP answer, a SYN/ACK or even a RST for a closed port, proves that a host is there.
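The sweep described above, written out as an added example in Python (this is not code from the original page). It builds the ICMP Echo Request by hand, including the RFC 1071 checksum, reads replies from a raw socket, and when the process is refused a raw socket it falls back to the TCP probe of port 80 from the previous paragraph. Assumptions: Linux/Unix, targets given as IP literals, and root or CAP_NET_RAW for the ICMP path; the function names (`sweep`, `hosts_in`, and so on) are this example's own.

```python
# Added example, not code from the original page: host discovery by ICMP
# Echo Request, falling back to a TCP probe when raw sockets are refused.
import ipaddress
import os
import socket
import struct
import time


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, as ICMP requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP type 8 (Echo Request), code 0, checksum over header + payload."""
    ident, seq = ident & 0xFFFF, seq & 0xFFFF
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo_reply(packet: bytes, ident: int):
    """(ident, seq) if packet is an Echo Reply to our ident, else None.

    A raw IPPROTO_ICMP socket hands back the IP header as well, so skip
    IHL*4 bytes to reach the ICMP header.
    """
    if len(packet) < 28:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8:
        return None
    itype, code, _csum, r_ident, r_seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if itype == 0 and code == 0 and r_ident == (ident & 0xFFFF):
        return r_ident, r_seq
    return None


def icmp_alive(ip: str, timeout: float = 1.0) -> bool:
    """Send one Echo Request and wait for the reply. Needs root/CAP_NET_RAW."""
    ident = os.getpid()
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident, 1, b"mapper"), (ip, 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, (src, _) = s.recvfrom(1500)
            except socket.timeout:
                break
            if src == ip and parse_echo_reply(data, ident):
                return True
    return False


def tcp_alive(ip: str, port: int = 80, timeout: float = 1.0) -> bool:
    """Fallback for networks that drop ICMP: any TCP answer proves a host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return True               # SYN/ACK: a service is listening
        except ConnectionRefusedError:
            return True               # RST: port closed, but the host is up
        except OSError:
            return False              # timeout/unreachable: filtered or nothing there


def hosts_in(cidr: str):
    """Usable addresses in a block, e.g. a range found during reconnaissance."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def sweep(cidr: str, timeout: float = 1.0):
    """Ping every address; if raw sockets are not permitted, probe TCP/80 instead."""
    alive = []
    for ip in hosts_in(cidr):
        try:
            up = icmp_alive(ip, timeout)
        except PermissionError:
            up = tcp_alive(ip, 80, timeout)
        if up:
            alive.append(ip)
    return alive
```

Run as root, `sweep("192.0.2.0/24")` returns the addresses that answered a ping; without raw-socket privilege the same call silently becomes a TCP/80 sweep, which is exactly the alternative an attacker reaches for when ICMP is filtered. Note that the TCP fallback counts a RST as "alive", since a closed port still proves a host is there.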
To understand the topology, the technique known as tracerouting is used to determine the routers and gateways that make up the network infrastructure. Tracerouting uses the Time-To-Live (TTL) field in the IP header. When a router receives an IP packet it first decrements the TTL field. If it becomes zero, the router sends an ICMP Time Exceeded message back to the originator and drops the packet. This prevents packets from circling the Internet forever.
An attacker (like any legitimate user) sends a series of packets with increasing TTL values and so obtains a trace of the routers on the path. A packet with an initial TTL of 1 is dropped by the first router, which responds with ICMP Time Exceeded and thereby reveals its IP address to the sender. The process is repeated with TTLs of 2, then 3, and so on, until the destination itself answers. Most Unix varieties ship a program called traceroute that does this (sending UDP probes by default); Windows has tracert, which does the same with ICMP Echo Request probes.
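An added example (not code from the page, and not the traceroute program itself) of the TTL walk just described, in Python: `walk_path` is the loop of increasing TTLs, and `udp_probe` is one real probe, a UDP datagram with the TTL set and a raw ICMP socket to catch the Time Exceeded (router) or Port Unreachable (destination reached) reply. The reply parser checks the quoted UDP destination port so that unrelated ICMP traffic is not mistaken for a hop. Assumptions: Linux/Unix with root or CAP_NET_RAW for the raw socket; the constant and function names are this example's own.

```python
# Added example, not code from the original page: a traceroute built from
# UDP probes with increasing TTL and a raw ICMP socket for the replies.
import socket
import struct

ICMP_DEST_UNREACH = 3     # code 3 = port unreachable: the target itself answered
ICMP_TIME_EXCEEDED = 11   # code 0 = TTL hit zero in transit: a router answered
BASE_PORT = 33434         # traceroute's usual "nothing listens here" UDP port


def classify_icmp(packet: bytes, expect_port: int):
    """Map a raw ICMP packet to "hop", "done" or None (not a reply to our probe).

    The packet carries the outer IP header, the 8-byte ICMP header and then
    the quoted IP+UDP header of the datagram that triggered it; the quoted
    UDP destination port is checked so unrelated ICMP traffic is ignored.
    """
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 + 4:
        return None
    itype, code = icmp[0], icmp[1]
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:
        return None
    quoted_dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    if quoted_dport != expect_port:
        return None
    if itype == ICMP_TIME_EXCEEDED and code == 0:
        return "hop"
    if itype == ICMP_DEST_UNREACH and code == 3:
        return "done"
    return None


def udp_probe(dest_ip: str, ttl: int, timeout: float = 2.0):
    """One probe at the given TTL: (responder_ip, reached) or None if silent.

    Assumes Linux/Unix and root or CAP_NET_RAW for the ICMP receive socket.
    """
    port = BASE_PORT + ttl                 # one port per hop, like classic traceroute
    rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.settimeout(timeout)
        tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        tx.sendto(b"", (dest_ip, port))
        while True:
            try:
                data, (src, _) = rx.recvfrom(1500)
            except socket.timeout:
                return None
            kind = classify_icmp(data, port)
            if kind == "hop":
                return src, False
            if kind == "done":
                return src, True
    finally:
        rx.close()
        tx.close()


def walk_path(probe, max_hops: int = 30):
    """The TTL loop itself: ttl = 1, 2, 3, ... until the target answers.

    probe(ttl) returns (responder_ip, reached) or None. A None entry in the
    result is a hop that dropped the packet silently, or a network that
    filters its outgoing Time Exceeded messages.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        result = probe(ttl)
        if result is None:
            hops.append((ttl, None))
            continue
        responder, reached = result
        hops.append((ttl, responder))
        if reached:
            break
    return hops


def traceroute(dest: str, max_hops: int = 30):
    dest_ip = socket.gethostbyname(dest)
    return walk_path(lambda ttl: udp_probe(dest_ip, ttl), max_hops)
```

`traceroute("198.51.100.9")` run as root yields a list of (ttl, router) pairs; a `None` router is a hop that answered nothing, which is precisely what a site that filters outgoing Time Exceeded messages looks like from the outside.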
Cheops, available free, is one of the most capable and easiest to use network mapping tools. Written by Mark Spencer, it runs on Linux and automates the process of developing a network inventory and topology: it draws a graphic image of the network from the information gathered by pinging and tracerouting it.
Filter out the underlying messages that the network mapping tools use, with firewalls and packet filtering in routers. At the gateway to the Internet, block incoming ICMP messages except those you wish the public (including attackers) to be able to use, and block ping to the DMZ database server. You may need to allow pings only from your ISP. Also filter ICMP Time Exceeded messages leaving your network, so that tracerouting from outside reveals nothing. This will hamper internal administration to some extent.
The next step of an attack, after determining which machines exist and the network topology, is to determine which ports are open on each system. Open ports correspond to services actively listening on that system. Free port scanning tools include:
Tool | Author | OS | Download |
---|---|---|---|
Nmap | Fyodor | Unix | www.insecure.org/Nmap |
Nmap (GUI front end) | | Win NT | www.insecure.org/Nmap |
NmapNT (port of Nmap) | | Win NT | www.eeye.com/html/Databases/Software/Nmapnt.html |
Strobe | Julian Assange | Unix | packetstorm.securify.com/UNIX/scanners |
Ultrascan | | Win NT | packetstorm.securify.com/UNIX/scanners |
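The scanners above implement many scan types; as an added example (not code from the page or from any of those tools), here is the simplest of them, a TCP connect() scan, in Python. Beyond finding open ports it shows the distinction a practitioner reads off the result: a RST means closed (host up, nothing listening), a timeout means filtered (a firewall ate the SYN). The local listener and `unused_port` are constructed fixtures so the example runs offline against 127.0.0.1; function names are this example's own.

```python
# Added example, not code from the original page: a TCP connect() scanner that
# separates open, closed and filtered ports and grabs banners from open ones.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Full handshake via connect(): no raw sockets or root needed, but noisy
    (the target's service log will show the connection).

    open      SYN/ACK came back and the handshake completed
    closed    RST came back: nothing listens there, but the host is up
    filtered  nothing came back before the timeout: a firewall dropped the SYN
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"          # no route / ICMP unreachable from a router
    finally:
        s.close()


def grab_banner(host: str, port: int, timeout: float = 1.0, nbytes: int = 128) -> str:
    """Read what the service says first; SMTP, FTP and SSH name themselves."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(nbytes).decode("ascii", "replace").strip()
        except OSError:
            return ""                 # silent service (e.g. HTTP waits for a request)


def scan(host: str, ports, timeout: float = 1.0, workers: int = 64) -> dict:
    """Probe many ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def unused_port() -> int:
    """A port with nothing listening on 127.0.0.1 (constructed test helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_local_service(banner: bytes = b"220 demo.example.test ESMTP ready\r\n"):
    """Constructed fixture: a listener on 127.0.0.1 that greets each client.

    Returns (server_socket, port); close the socket to stop the service.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                # server socket closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass              # client already hung up (plain port probe)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]
```

`scan("10.0.0.5", range(1, 1025))` returns a state per port; `grab_banner` on the open ones is the cheapest way to turn "port 25 open" into "Sendmail version X", which is what the attacker wants next. A connect() scan completes the handshake, so it is the most visible scan type; the tools in the table offer half-open (SYN) and other stealthier variants that need raw sockets.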
Two terms are used for scanning phone lines: war dialer and demon dialer. Both refer to scanning a large pool of telephone numbers looking for modem access. Some people use the first term for the scanning and the second for attacking the modem lines found, starting with password guessing. Remote-access software on a PC answering such a modem can be a large security hole (exposing files, network shares, the screen, etc.).
Phone numbers to call can be found in:
Some PBX (Private Branch eXchange) systems have a special number to call which gives a second dial tone and allows outgoing calls that are charged to the company. Some require a password. This is rarer today.
This line of product created a kind of standard.
A written policy should state that modems are not allowed without written approval from a central security team. All dial-up remote access must go through a centralized modem pool, which is subject to audit to ensure its security. Users must be trained in the modem policy and in the use of the controlled remote access services.
The policy must also provide for exceptions where there is a justifiable business need, signed by the person responsible for the modem and subject to approval by the security team. Such modems must use hard-to-guess passwords or an authentication token.
A PBX can be configured so that particular lines only support outgoing calls. No incoming calls are allowed or possible.
Conduct your own war-dialing exercise against your own telephone numbers, looking for undocumented modems, and shut them down before an attacker finds them. Do this every 3-6 months. Use the free war dialers or commercial ones, including PhoneSweep from Sandstorm Enterprises and TeleSweep from SecureLogix.
Also consider scanning digital PBX lines, because a digital-to-analog (D2A) line converter is available from Radio Shack for under $100, so a modem can be hung on those too. Find out whether there are special or direct lines that do not go through the PBX; the company phone bills will show them.
Finally, conduct desk-to-desk and room-to-room checks. Lay on dinner for the team and do the search. Use a buddy system to make sure that everything has been checked and documented.
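The war dialer defined earlier and the self-assessment just described both come down to the same dialing loop. As an added example (not code from the page, nor from PhoneSweep or TeleSweep), here it is in Python: a Hayes-style AT command driver that dials each number, classifies the modem's result code, and, on CONNECT, only records the number and hangs up rather than logging in (which would be the demon-dialing step). It assumes a port object with `write()`/`readline()` such as pyserial's `serial.Serial` (not imported here), a modem honouring `ATX4` and the S7 carrier-wait register, and uses a constructed `FakeModem` so it runs offline; all names are this example's own.

```python
# Added example, not code from the original page: a small war dialer that
# drives a Hayes-compatible modem with AT commands over a serial port.
import random
import time

# Result codes a modem returns after ATDT (Hayes standard set; BUSY and
# NO DIALTONE need ATX4, otherwise most modems fold them into NO CARRIER).
DIAL_RESULTS = ("CONNECT", "NO CARRIER", "BUSY", "NO DIALTONE", "NO ANSWER", "ERROR")


def number_range(prefix: str, start: int, end: int, width: int, seed=None):
    """Expand e.g. prefix 55501 + 00..99 into dial strings, in random order,
    so the sweep does not walk the exchange sequentially (easy to spot in
    PBX call logs)."""
    numbers = [f"{prefix}{n:0{width}d}" for n in range(start, end + 1)]
    random.Random(seed).shuffle(numbers)
    return numbers


class ModemDialer:
    """Works with any port offering write(bytes) and readline() -> bytes, e.g.
    serial.Serial("/dev/ttyS0", 115200, timeout=60) from pyserial (assumed,
    not imported). readline() must return b"" on timeout."""

    def __init__(self, port, carrier_wait_s: int = 45, guard_s: float = 1.0):
        self.port = port
        self.guard_s = guard_s                   # silence before the +++ escape
        self._command("ATZ")                     # reset to stored profile
        self._command("ATE0")                    # no command echo
        self._command(f"ATS7={carrier_wait_s}")  # seconds to wait for carrier
        self._command("ATX4")                    # full result code set

    def _readline(self):
        raw = self.port.readline()
        if raw == b"":
            return None                          # timeout
        return raw.decode("ascii", "replace").strip()

    def _command(self, cmd: str, terminator: str = "\r") -> str:
        """Send one command and return its final result code (or TIMEOUT)."""
        self.port.write((cmd + terminator).encode("ascii"))
        while True:
            line = self._readline()
            if line is None:
                return "TIMEOUT"
            if line.startswith(("OK", "ERROR")):
                return line

    def dial(self, number: str):
        """Dial one number; returns (verdict, detail), e.g. ("CONNECT", "CONNECT 33600")."""
        self.port.write(f"ATDT{number}\r".encode("ascii"))
        while True:
            line = self._readline()
            if line is None:
                self._command("ATH")             # nothing said in time: hang up
                return "TIMEOUT", ""
            if line and line.startswith(DIAL_RESULTS):
                break
        if line.startswith("CONNECT"):
            # A modem answered. Inventory it only: escape to command mode
            # (+++ after the guard time) and hang up; logging in is demon dialing.
            time.sleep(self.guard_s)
            self._command("+++", terminator="")
            self._command("ATH")
            return "CONNECT", line
        return line, ""

    def sweep(self, numbers, pause_s: float = 0.0) -> dict:
        results = {}
        for num in numbers:
            results[num] = self.dial(num)
            time.sleep(pause_s)
        return results


def found_modems(results: dict):
    """Numbers that answered with a carrier, sorted, for the follow-up report."""
    return sorted(n for n, (verdict, _) in results.items() if verdict == "CONNECT")


class FakeModem:
    """Constructed stand-in for the serial port so the example runs offline:
    a scripted result per number, OK for every other command."""

    def __init__(self, answers: dict):
        self.answers = answers
        self.pending = []
        self.log = []

    def write(self, data: bytes):
        cmd = data.decode("ascii").strip()
        self.log.append(cmd)
        if cmd.startswith("ATDT"):
            self.pending.append(self.answers.get(cmd[4:], "NO ANSWER").encode() + b"\r\n")
        else:
            self.pending.append(b"OK\r\n")

    def readline(self) -> bytes:
        return self.pending.pop(0) if self.pending else b""
```

Against a real modem, `ModemDialer(serial.Serial("/dev/ttyS0", 115200, timeout=60))` followed by `sweep(number_range("55501", 0, 99, width=2))` produces the list that `found_modems` turns into the report of undocumented modems to chase down; the `pause_s` argument is there because a sweep with no gaps between calls is what telco toll-fraud monitoring keys on.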
2005-2008