
SEC280

Week 1
Case study on Port scans & sweeps
Jared's 11/3/2012

Brief description of what they are and whether they are dangerous to the company!

Netw 280

To answer the main question about the concerns for our network: no. The items that have been heard about do not require immediate attention, as they are considered normal. We are protected behind our firewall, and if the employees do as asked at the end of their shift, we will have absolutely nothing to worry about. More than likely, that situation was handled when we brought the network online. Here is a brief rundown on your areas of concern:

Ping sweeps and port scans are the two most common network probes, and they serve as important clues in sensing invasions or intrusions that can harm any type of network. Network probes are not actual intrusions, although they could be precursors to actual intrusions. Port scans and ping sweeps can lead to an intrusion of a company's network; however, with today's technological advancements, these activities can be detected and prevented.

Ping sweeps: Ping sweeps are a set of ICMP Echo packets sent out to a network of computers, actually a range of IP addresses, to see if there are any responses. As an intruder sends out the ping sweep, he looks for responses so he can figure out which machines he can attack. Note that there are legitimate reasons for performing ping sweeps on a network; a network administrator may be trying to find out which machines are alive on a network for diagnostic reasons. Ping sweeps are detectable using special tools as well. IPPL is an IP protocol logger that can log TCP, UDP and ICMP packets. It is similar to SCANLOGD, in that it sits in the background and listens for packets. Be careful when using IPPL, though: if you're on a busy Ethernet network, you might find that your IPPL log files (usually found at /var/log/ippl/*) fill up rather quickly. Ping sweeping is a technique used when someone wants to find computers to access, either legally or illegally. Hackers trying to gain access to any computers within a company or home will use a ping sweep to see which computers are on. Network administrators also use a ping sweep to see which computers are on, but for fixing or making adjustments as needed within their network. IP companies (internet providers) also send ping sweeps, which help them determine if there is a problem between their hub and our internet connection.

Ping sweeping can be controlled by using a proper firewall and by the computer user using common sense. The easiest way to stop a ping sweep from seeing which computer it can access is to turn the computer off when it is not in use on a network, or to disconnect it from the internet when it is not needed. A ping sweep is not the immediate threat, but it can be detected if one is used.

Port scans: Even though ping sweeps are common, port scans are probably the most common probes, and they are relatively simple to perform. A very simple port scan can be programmed in a few minutes. However, this method can easily be detected and therefore is not used much. Another sneakier, stealthier kind of port scan is called the half-open SYN scan. In this scan, the port scanner connects to the port but shuts down the connection right before a full connection occurs (hence the name half-open). Since a full connection never happened, the operating system of the target machine usually writes it off. Port scans are usually used after a ping sweep has succeeded in finding a computer that is on. If a hacker is using this technique, they are trying to get access to the system to steal from or harm the system in some way. Network administrators also use a port scan to see what ports are open on which computers, to see if there is a security risk within their systems. IP companies (internet providers) will access a port that is open to see if there is a good internet connection with their internet service.
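The detection idea behind both sections above, that one source address touches many distinct targets within a few seconds, can be checked directly against log lines. The following is an added example, not code from this paper and not part of IPPL or SCANLOGD: a sliding-window counter applied to (a) ICMP echo-request log lines in a format assumed for this example, and (b) syslog "connect from" lines of the kind quoted later in the paper. The source addresses, timestamps and thresholds are constructed for the demonstration.

```python
"""
Sliding-window sweep/scan detector over log lines.

Added example, not code from the paper or from IPPL/scanlogd: a ping sweep
shows up as one source reaching many hosts, a port scan as one source
reaching many services on one host; both are "many distinct targets from
one source in a short window".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ICMP echo-request log (assumed format, NOT IPPL's real format):
# "<timestamp> icmp echo-request <src> -> <dst>"
ICMP_LOG = """\
Jul 18 02:40:01 icmp echo-request 192.168.0.1 -> 192.168.0.2
Jul 18 02:40:01 icmp echo-request 192.168.0.1 -> 192.168.0.3
Jul 18 02:40:02 icmp echo-request 192.168.0.1 -> 192.168.0.4
Jul 18 02:40:02 icmp echo-request 192.168.0.1 -> 192.168.0.5
Jul 18 02:40:03 icmp echo-request 192.168.0.1 -> 192.168.0.6
Jul 18 02:40:03 icmp echo-request 192.168.0.1 -> 192.168.0.7
Jul 18 02:40:04 icmp echo-request 192.168.0.1 -> 192.168.0.8
Jul 18 02:40:04 icmp echo-request 192.168.0.1 -> 192.168.0.9
Jul 18 02:41:10 icmp echo-request 192.168.0.50 -> 192.168.0.2
"""

# Syslog lines in the style of the paper's "Traces Left Behind by a Port Scan"
# section, plus one constructed benign line at the end.
SYSLOG = """\
Jul 18 02:42:25 target sshd[2370]: log: Connection from 192.168.0.1 port 2107
Jul 18 02:42:25 target wu.ftpd[2369]: connect from root@attacker
Jul 18 02:42:25 target in.telnetd[2368]: connect from root@attacker
Jul 18 02:42:26 target imapd[2366]: connect from root@attacker
Jul 18 02:42:26 target in.pop3d[2367]: connect from root@attacker
Jul 18 02:42:28 target in.fingerd[2365]: connect from root@attacker
Jul 18 03:10:00 target sshd[2400]: log: Connection from 192.168.0.50 port 40001
"""

YEAR = 2000  # syslog timestamps carry no year; assume one so they can be ordered

ICMP_RE = re.compile(r"echo-request (\S+) -> (\S+)")
CONN_RE = re.compile(
    r"(\S+)\[\d+\]: (?:connect from \S+@(\S+)|log: Connection from (\S+) port)")


def parse_ts(line):
    """The first 15 characters of each line are 'Mon DD HH:MM:SS'."""
    return datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")


def icmp_events(text):
    """Yield (time, source, target host) for each echo-request line."""
    for line in text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            yield parse_ts(line), m.group(1), m.group(2)


def connect_events(text):
    """Yield (time, source, service) for each connection line. The source is
    whatever the daemon logged (hostname or IP); a real deployment would
    normalise both to one form before counting."""
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            yield parse_ts(line), m.group(2) or m.group(3), m.group(1)


def find_sweeps(events, threshold, window_seconds):
    """Return {source: most distinct targets seen inside any window of
    window_seconds} for every source that reaches `threshold` targets."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, tgt in events:
        by_src[src].append((ts, tgt))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the left edge until the window spans at most window_seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {tgt for _, tgt in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


def detect_ping_sweep(log=ICMP_LOG, threshold=5, window_seconds=10):
    return find_sweeps(icmp_events(log), threshold, window_seconds)


def detect_port_scan(log=SYSLOG, threshold=4, window_seconds=10):
    return find_sweeps(connect_events(log), threshold, window_seconds)


if __name__ == "__main__":
    print("ping sweep sources:", detect_ping_sweep())  # {'192.168.0.1': 8}
    print("port scan sources:", detect_port_scan())    # {'attacker': 5}
```

The thresholds are the tuning knob: a monitoring host that legitimately pings every machine (the administrator's diagnostic sweep mentioned above) will trip the same counter, so in practice such sources go on an allow list rather than the threshold being raised for everyone.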

The port scan that usually follows a ping sweep can be an issue if the person trying to get into the computers is doing it illegally. A good firewall can help prevent any unnecessary ports from being opened, and can detect a ping sweep that is occurring within the system. A good firewall can show where the intrusion is coming from, and lets you or the network administrator decide whether or not to give that program the rights to access the computer. Many software companies that have security updates usually contact you at startup of your software, informing you they have an update; most of the time it's to close a known exploit. Possible screenshots, depending on your system:


Traces Left Behind by a Port Scan (Teo, 2000)


Jul 18 02:42:25 target sshd[2370]: log: Connection from 192.168.0.1 port 2107
Jul 18 02:42:25 target sshd[2370]: fatal: Did not receive ident string.
Jul 18 02:42:25 target wu.ftpd[2369]: connect from root@attacker
Jul 18 02:42:25 target in.telnetd[2368]: connect from root@attacker
Jul 18 02:42:26 target imapd[2366]: connect from root@attacker
Jul 18 02:42:26 target in.pop3d[2367]: connect from root@attacker
Jul 18 02:42:26 target ftpd[2369]: FTP session closed
Jul 18 02:42:26 target telnetd[2368]: ttloop: read: Broken pipe
Jul 18 02:42:28 target in.fingerd[2365]: connect from root@attacker

A Typical Nmap Scan


root@attacker# nmap -sS -O target.example.com
Starting nmap V. 2.53 by fyodor@insecure.org ( http://www.insecure.org/nmap/ )
Interesting ports on target.example.com (192.168.0.2):
(The 1507 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
110/tcp    open        pop-3
111/tcp    open        sunrpc
113/tcp    open        auth
143/tcp    open        imap2
515/tcp    open        printer
901/tcp    open        samba-swat
2049/tcp   open        nfs
6000/tcp   open        X11
7100/tcp   open        font-service
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2135704 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
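The paper notes that administrators run the same kind of scan to see what ports are open and whether that is a security risk. The added example below, which is not code from the paper or from the Nmap project, turns that into a repeatable check: it parses the "port/proto state service" lines of the listing above and compares them with a baseline of services the host is supposed to expose. The baseline set is constructed for the example.

```python
"""
Baseline check over Nmap's classic text output.

Added example, not code from the paper or from Nmap: parse the port lines,
report open ports the administrator did not expect, and report expected
services the scan did not find open.
"""
import re

# Port listing as shown in the paper's "A Typical Nmap Scan" section; the
# surrounding banner lines are kept to show that the parser skips them.
NMAP_OUTPUT = """\
Interesting ports on target.example.com (192.168.0.2):
(The 1507 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
110/tcp    open        pop-3
111/tcp    open        sunrpc
113/tcp    open        auth
143/tcp    open        imap2
515/tcp    open        printer
901/tcp    open        samba-swat
2049/tcp   open        nfs
6000/tcp   open        X11
7100/tcp   open        font-service
TCP Sequence Prediction: Class=random positive increments
Remote operating system guess: Linux 2.1.122 - 2.2.14
"""

# Constructed baseline: the (port, protocol) pairs this host is meant to expose.
BASELINE = {(22, "tcp"), (25, "tcp"), (443, "tcp")}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_ports(text):
    """Return (port, proto, state, service) tuples for every port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def unexpected_open(ports, baseline):
    """Open ports that are not in the baseline, sorted by port number."""
    return sorted((p, proto, svc) for p, proto, state, svc in ports
                  if state == "open" and (p, proto) not in baseline)


def missing_from_scan(ports, baseline):
    """Baseline services the scan did not see open (down, or filtered)."""
    seen = {(p, proto) for p, proto, state, _ in ports if state == "open"}
    return sorted(baseline - seen)


if __name__ == "__main__":
    found = parse_ports(NMAP_OUTPUT)
    for p, proto, svc in unexpected_open(found, BASELINE):
        print(f"unexpected open port: {p}/{proto} ({svc})")
    for p, proto in missing_from_scan(found, BASELINE):
        print(f"expected but not seen open: {p}/{proto}")
```

Run against the listing above with this baseline, the check reports thirteen unexpected open ports (everything except ssh and smtp) and one expected service, 443/tcp, that the scan did not see; both lists are what an administrator would take to the firewall rules the paper recommends.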

REFERENCES:

Phillips, J. (2012, November 1). Foreman of Network Mainframes. (J. Phillips, Interviewer)

Teo, L. (2000, Feb). Retrieved November 1, 2012, from Linux Journal: http://www.linuxjournal.com/article/4234?page=0,0
