Network Scanning

Introduction
Take back control of your network. Keep it clean and secure.

Adrian Mikeliunas, CISSP


amikeliunas@worldbank.org
INT-3, June 13, 2005
Outline
• Definitions
• Types of Scans
• Methodology
• Tools
• Reports
• Observations
• Summary
INT-3 Network Scanning 2
Who Scans?
“From friendlier to foe”

• Information Security Personnel
• Systems Administrators [policy]
• Auditors, Consultants, or Ethical Hackers [Penetration Testing]
• Unauthorized Personnel [boot CD]
• Compromised systems [worms, bots]
• Internal or External Hackers
What to Scan?
• Network Devices
– Firewalls, Routers, Wireless, Video Conferencing
• Servers
– Databases, Web Servers, File & Print, …
• Desktops, Laptops, PDAs
– Antivirus, Firewall, Patch levels
– Running Peer to Peer (P2P)?
• Wireless
– 802.11x, Encryption, SSID, WEP, WPA



When to Scan?
“Right before the attack…”

• During business hours:
– Better network & admin support
– Non-compliant activities detected
• After business hours:
– Cleaner network traffic
– Busy time for intruders



Where to Scan from?
“Depends on what you can see…”

• Intranet
– You can view ALL your trusted devices
– Run from scanner server [database] & multiple
authorized clients
• Internet & Remote Locations
– Verify firewall rules, services available
• De-militarized Zone (DMZ)
– Verify hardened systems policies
• Specific subnet
– Troubleshooting, target a specific system



Why Scan?
“One step ahead of intruders…”

• Business Objectives
– Network Inventory
– Vulnerability Management
– Risk Assessment
– Regulations or Policy Compliance
– Auditors or Certification Requirements
• Security Life Cycle
– Policy & Standards
– Self-Assessment
– Design Architecture
– Deploy
– Manage [patch]
– Educate



How to scan?
• Obtain Scanner Tool
• Install & perform initial test
• Learn how to use it properly!
– Disable Denial of Service Tests, …
• Meet with project sponsor, clients, or interested parties to propose:
– Scan Schedule & Policies
– Reporting frequency
– Who fixes vulnerabilities
– Who verifies work done
My Experience
• Scanning since 1998
– WB Group: http://www.worldbank.org
• Composed of five organizations: IBRD, IDA, IFC, MIGA and ICSID
• Headquarters: Washington, DC & more than 100 country offices, more than 12,000 people.
– Other related organizations:
• http://home.developmentgateway.org
• http://www.gdln.org



Vulnerability Management

[Cycle diagram: Discover → Scan → Report → Resolve → Verify, then back to Discover]


Scan Objectives
“Begin with the end in mind”

• Benign:
– Inventory
– Auditing
– Security Policy
• Malicious:
– Intruders
– Worms or trojans
– Misconfigured devices



Definitions
• Scanning
– The active process of probing your networked systems to detect vulnerabilities so that they can be fixed and security improved.
• Sniffing
– The passive process of analyzing network packets to detect anomalies and intruders.



Scanning Types

• Network Scan [fast]
– Identify connected or wireless systems for your IP address ranges
• Port Scan (0-65535)
– Identify which ports look open and available
• Service Scan
– Connect to these ports and identify service version/banner
• Vulnerability Scan [slow]
– Target specific services with specific codes to analyze reaction and see if vulnerable
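An added example (my own code, not from the slides) that performs the port-scan and service-scan steps above with a plain TCP connect() followed by a banner read, the way a sysadmin would inventory a host they administer; the function names and the localhost demo target are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

def probe_port(host, port, timeout=1.0):
    """Port scan + service scan of one TCP port using a full connect().
    Returns (port, state, banner), where state is
      'open'     - handshake completed,
      'closed'   - connection refused (RST came back),
      'filtered' - no answer before the timeout (typically a firewall drop),
    and banner is the greeting the daemon volunteers (SSH/SMTP/FTP do;
    HTTP waits for a request, so it stays empty)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except (ConnectionRefusedError, ConnectionResetError):
            return port, "closed", ""
        except OSError:  # socket.timeout and "unreachable" errors land here
            return port, "filtered", ""
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            banner = ""
        return port, "open", banner
    finally:
        s.close()

def scan_host(host, ports, timeout=1.0, workers=32):
    """Scan the given ports in parallel; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}

def summarize(results):
    """Report step: one line per open port plus a state tally."""
    lines = []
    for port, (state, banner) in sorted(results.items()):
        if state == "open":
            lines.append(f"{port}/tcp open   {banner or '(no banner)'}")
    n_open = len(lines)
    n_filtered = sum(1 for state, _ in results.values() if state == "filtered")
    lines.append(f"{n_open} open, {n_filtered} filtered, "
                 f"{len(results) - n_open - n_filtered} closed")
    return lines

if __name__ == "__main__":
    # Demo target is the scanning workstation itself (an assumption).
    for line in summarize(scan_host("127.0.0.1", [22, 25, 80, 443, 3389, 8080])):
        print(line)
```

A port that answers "filtered" from the Internet but "open" from the intranet is exactly the firewall-rule check the "Where to Scan from?" slide describes.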



Scanning Methodologies
“Rules of Engagement”

• Regular Scheduled Scans
– Policy Requirement
– Institutional history is relevant
• Ad Hoc (“one time” scans)
– Incident Related
• Outsourced Scans
– Performed by 3rd party



Scheduled Scanning
• Regular Scheduled Scans:
– Based on a known asset list
– Based on a specific policy or “rules”
– Store scan results in a Database [history]
– Analyze results (Vulnerability Report)
– Reports sent to management & sys admins
– Follow up to verify fixes
• Outsourced Scans [Qualys.com]
– Auditor requested
– No security staff



One time Scans

• Ad Hoc based on exceptions
– Incident related
– Verification
• Tools:
– Superscan (W)
– MS Security Base Analyzer (W)
– Nmap (U/W)
– LanGuard (W)

U=Unix W=Windows
Superscan 4



SuperScan: Tools



SuperScan: Windows Enumeration



Microsoft® Baseline Security Analyzer

• Checks for security updates on local or remote systems
• Windows checks
• IIS checks
• SQL checks
• Desktop application checks
nmap
• The King of scanners
– Free open source utility for network exploration or security auditing. (U/W)
– Used by Nessus & ISS Internet Scanner
– Flexible, Easy, Powerful, Portable
• Identifies Operating Systems, grabs banners
• UDP, TCP SYN & Connect scans
• Stealth FIN, Xmas Tree, or Null scans
• IP spoofing, Idlescan (blind TCP port scan)



nmap example
nmap -A -T4 -F www.insecure.org
Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2003-09-06 19:49 PDT
Interesting ports on www.insecure.org (205.217.153.53):
(The 1206 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.1p1 (protocol 1.99)
25/tcp  open   smtp    Qmail smtpd
53/tcp  open   domain  ISC Bind 9.2.1
80/tcp  open   http    Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 108.307 days (since Wed May 21 12:27:44 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 34.962 seconds
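Scheduled scans only pay off when results are stored and compared from run to run (the Scan, Report and Verify steps of the vulnerability-management cycle, and the "Follow up to verify fixes" item above). As an added example, not code from the slides, this Python parses the port table of the nmap output above and diffs it against a later run; the follow-up output and the function names are constructed for illustration.

```python
import re

# One row of nmap's "PORT STATE SERVICE VERSION" table.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Parse nmap normal output into {(port, proto): (state, service, version)}."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())   # headers, OS guess, timing are skipped
        if m:
            port, proto, state, service, version = m.groups()
            ports[(int(port), proto)] = (state, service, version.strip())
    return ports

def diff_scans(previous, current):
    """What changed between two scans of one host: ports that opened, open
    ports that went away, and open services whose version string changed."""
    report = {"newly_open": [], "gone": [], "version_changed": []}
    for key, (state, _svc, version) in current.items():
        old = previous.get(key)
        if state != "open":
            continue
        if old is None or old[0] != "open":
            report["newly_open"].append(key)
        elif old[2] != version:
            report["version_changed"].append((key, old[2], version))
    for key, (state, _svc, _ver) in previous.items():
        if state == "open" and current.get(key, ("closed", "", ""))[0] != "open":
            report["gone"].append(key)
    return report

# Baseline: the port table from the nmap run shown on the slide.
BASELINE = """\
22/tcp  open   ssh     OpenSSH 3.1p1 (protocol 1.99)
25/tcp  open   smtp    Qmail smtpd
53/tcp  open   domain  ISC Bind 9.2.1
80/tcp  open   http    Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp closed auth
"""
# Follow-up: a constructed later scan, after sshd was upgraded, SMTP was
# firewalled off and someone started an ident daemon on the host.
FOLLOW_UP = """\
22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
53/tcp  open   domain  ISC Bind 9.2.1
80/tcp  open   http    Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp open   ident
"""
```

Each scan's parsed table can be stored as one row per port in the scanner database, and the diff is what the follow-up report to the sysadmin should contain.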
nmap

Featured in the Matrix Reloaded!



LanGuard: one time scan



LanGuard: Verification



Enterprise Scanner Architecture

[Diagram: a SCANNER SERVER with its DB sits on the LAN; CLIENT CONSOLEs connect to the server; Reports are produced from the DB; the DEVICES on the LAN are the scan targets]
Enterprise Scan Results/Reports
• Historical Trends
• Asset List
• Vulnerability Assessment
– CVE / CAN relation is strongly recommended (for Criticality)
• Tools:
– ISS Site Protector
– Nessus/ Tenable



ISS Site Protector - login



ISS Target Selection



ISS Policy Selection 1/2



ISS Policy Selection 2/2



ISS Schedule



ISS Results



Nessus Login



Nessus Policy 1/2 (Plugins)


Nessus Policy 2/2 (Prefs.)


Nessus Targets


Nessus Scan


Nessus Results


Nessus: Windows Client & results



Tenable: Enterprise



Tool Reference 1/2
• http://www.insecure.org NMAP (U/W)
• http://www.foundstone.com Superscan
• http://nessus.org Nessus (U/W)
• http://www.gfi.com LanGuard (W)
• http://www.microsoft.com/mbsa MBSA (MBSASetup-EN.msi)

U=Unix W=Windows
Tool Reference 2/2
• http://www.tenablesecurity.com Nessus+ (U/W)
• http://www.iss.net Site Protector, Internet Scanner (W)
• http://www.sans.org/top20/ Reference
• http://knoppix.com Knoppix: bootable CD with a collection of GNU/Linux software (U), including nmap & nessus.

U=Unix W=Windows