Scanning, Sniffing, and Enumeration

<Transcribed from Holon X-Ray Training Series 3>

pyre addresses the class

“There are a few key concepts you need to learn to defend yourself as an Agent.  The first is “Keep Your Doors Locked”, the second is “Recognize When You Have Been Pwned”, and the third is “Identity is Everything”.  We’ll focus on the first concept in this lesson.

I’ll avoid an in-depth discussion of the following topics so we can get you into the field as quickly as possible, but the following concepts come out of the OSI model.  This model lays out the seven-layer path that all computer-to-computer network communications follow, from the 7th level Application Layer which holds the applications with which you and your computer work, down to the Physical Layer at Layer 1 which handles the electricity, wireless, and flashing lights at the base of your communications, and back up again on the computer on the other side.  This communication was standardized in layers so that hardware and software from different vendors could handle one or more layers and then seamlessly hand off to the next layer.

Core Concepts

IP Address

IP addresses live at Layer 3, the Network Layer, in the OSI model.  Every computer on a network has a unique IP address, which allows other devices on the network to find them.  There are two types of IP addresses in popular use today, IP version 4 (IPv4) and IPv6; I will focus on IPv4 today, but it is important for you to learn IPv6 to properly defend yourself.

IPv4 addresses take the format ###.###.###.###, which is made up of four numbers separated by periods.  Each number is made up of 8 bits (also known as an octet), which is 2^8, or 2x2x2x2x2x2x2x2 = 256.  This means that each number can be from 0 to 255 (the zero counts as one).  An example of a valid IP address is 192.168.132.254.  An invalid IP address is 10.0.311.1, because the 311 is higher than 255.

Subnet Mask

This is a complicated subject that you can begin to dive into here, https://en.wikipedia.org/wiki/Subnetwork.   To put it as simply as possible, IP addresses on a computer are paired with subnet masks, which identify groups of hosts on a network.  They are in the same format as IP addresses, with four 8-bit numbers separated by periods.  A valid subnet mask is 255.255.255.0.  The numbers on the left, 255, mean that every number in the IP address at that space is fixed/static and identifies ALL the hosts in that network.  As an example, for an IP address of 192.168.0.1 with a subnet mask of 255.255.255.0, every host on the current network MUST have the first three sets of numbers (octets) be the same in their IP address.  A computer with an IP address 192.168.10.2 would be on a different network because the third octet is different from our example.  The 0 in the subnet mask means you can assign any number in that slot (from 1 to 254 – more on why that second number is not 0 or 255 in a moment) to any computer in your network, so 192.168.0.150 with a subnet mask of 255.255.255.0 would also be on our network. 

Now for the reason why 0 and 255 are not assigned to hosts when the subnet mask is 255.255.255.0, as a simple example.  The 0 in the last octet of the IP address identifies the network, and 255 is the broadcast address.  If you want to send a message to a single computer, you send it to its IP address.  If you want to send a message to ALL computers on the network, you send it to the broadcast address.  For more complicated subnet masks, the first address in the range identifies the network, and the last address in the range is the broadcast address.

There is a shorthand known as CIDR notation, which allows you to write IP addresses and subnet masks in a shorter format.  More about CIDR can be found at https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.  As an example, CIDR allows you to write the IP/subnet mask combination of 192.168.0.1 255.255.255.0 as 192.168.0.1/24.
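The mask arithmetic described in this section, as an added example that is not part of the original lesson.  It goes beyond the 255.255.255.0 case to any contiguous mask; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: network, broadcast and CIDR prefix from an IP address and mask.

# ip_to_int A.B.C.D -> 32-bit integer; fails if an octet is not a number 0-255
ip_to_int() (
    set -f; IFS=.
    set -- $1                      # split the address on the periods
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# int_to_ip N -> dotted notation
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP MASK: the first address in the range (IP AND mask)
network_of() (
    ip=$(ip_to_int "$1") && mask=$(ip_to_int "$2") || exit 1
    int_to_ip $(( ip & mask ))
)

# broadcast_of IP MASK: the last address in the range (every host bit set)
broadcast_of() (
    ip=$(ip_to_int "$1") && mask=$(ip_to_int "$2") || exit 1
    int_to_ip $(( (ip & mask) | (~mask & 4294967295) ))
)

# mask_to_prefix MASK: the number after the slash in CIDR notation
mask_to_prefix() (
    m=$(ip_to_int "$1") || exit 1
    n=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 4294967295 ))
    done
    [ "$m" -eq 0 ] || exit 1       # leftover bits: the mask is not contiguous
    echo "$n"
)

# same_network IP1 IP2 MASK: succeeds when both hosts share a network address
same_network() (
    a=$(network_of "$1" "$3") && b=$(network_of "$2" "$3") || exit 1
    [ "$a" = "$b" ]
)

network_of     192.168.0.150 255.255.255.0      # 192.168.0.0
broadcast_of   192.168.0.150 255.255.255.192    # 192.168.0.191
mask_to_prefix 255.255.255.0                    # 24
same_network 192.168.0.1 192.168.10.2 255.255.255.0 || echo "different networks"
```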

Default Gateway

This is the IP address for the device on your local network that lets you get onto other networks, such as the Internet.  Your computer can freely communicate with other devices on the same network and knows how to find them (using ARP, see below), but your computer does not know how to reach devices on other networks, such as the web server www.google.com.  If you try to reach a computer that is not on your local network, your computer uses the Default Gateway setting and passes the request on to that computer (also called a router) to handle.  Your request then goes from router to router until it hits www.google.com.  It is standard for default gateways to be at the .1 address, such as 192.168.0.1, but it is not required.

DHCP

The Dynamic Host Configuration Protocol (DHCP) is used to automatically assign network parameters (IP address, subnet mask, default gateway, DNS, among other parameters) when your computer joins a network.  This allows you to get onto the network at your local coffee shop without knowing the parameters needed for communication on that network.

DNS

The Domain Name System (DNS) is used to provide user-friendly names to IP addresses.  This is what lets you type www.google.com into your browser, and your computer knows that it needs to reach out to 172.217.11.36. 

To help you understand how DNS works, I’ll start from your computer and work my way out.  When you try to go to www.google.com, your computer,

  1. Checks its local DNS cache to see if you have gone to www.google.com recently.  If you have been there, then it just uses that IP address.  This cache entry is deleted after its TTL (Time To Live) has passed; this keeps entries from getting old and provides protection in case Google decides to move www.google.com to another IP address.
  2. If the name is not in your local cache, then a process is followed that is explained in detail at https://en.wikipedia.org/wiki/Domain_Name_System under Operation.

Ports

Now that you know how to identify computers on your network by their IP address, let’s look at how we open their doors so we can communicate with them.

Ports are the doors on a computer that give access to a program running on that port.  When a program runs on a port, it is said to be ‘listening’ on that port for incoming requests from other computers.  An example would be an email server program listening for requests for new email.

Ports are 16-bit values (2^16), and thus can be from 0 to 65,535.  There is a set of ports from 0 to 1023 that have been set aside as “well-known” or system ports.  Many of these ports have been permanently assigned to specific services, such as running web servers (port 80), SSL web servers (port 443), and DNS (port 53).  The ports from 1024 to 49,151 are registered ports – companies reach out to IANA (Internet Assigned Numbers Authority) to be assigned one of these ports for their software.  Ports 49152–65535 are dynamic or private ports that are up for grabs.

When your computer connects to a port, it does so in a predefined series of steps called a protocol.  Protocols let computers speak the same language when they want to do a job such as requesting a web page or downloading new email.  These protocols will also be stacked so that you see protocols from different layers of the OSI model in a single interaction.

One set of protocols handles the software with which you interact, such as HTTP for web page interaction, and DNS for matching up IP addresses with friendly names.  These protocols operate at Layer 7, the Application Layer of the OSI model.

When your computer interacts with ports, those Layer 7 protocols ride on another set of protocols a few layers down in Layer 4, the Transport Layer (skipping a few layers for simplicity).  These are TCP and UDP protocols.  TCP and UDP handle the breaking up of a data stream into chunks called packets.  TCP is used for communication and services that require reliable connections – it does a 3-way handshake for the initial connection, puts packets in order, and does error checking.  Web page delivery and file transfers use TCP.  UDP is used for communications that require speed, where reliability is not an issue.  UDP is used for things like streaming audio or online gaming.

You can see a list of ports and whether they use TCP or UDP at https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Firewalls (Windows, Linux, Mac)

Now that you know about all these open doors, it’s time to close them all except the ones you need.

Firewalls are used to lock down access to ports.  Many computers come with a set of ports that are open by default so they can communicate with other computers on your network.  Unfortunately, this means that an attacker can also use those ports to communicate with your computer.  If there is a flaw in the protocol used on that port, the attacker could use that flaw to completely take over your computer.

Firewalls block or allow access using rules.  Most firewalls have three types of rules:

  • Inbound/Input rules block or allow access to ports from the outside world, i.e. other devices on your network.  For example, this type of rule allows other computers to have access to a web server running on port 80.
  • Outbound rules block or allow your computer to reach out to other computers.  For example, allow your computer to reach out to any web server on TCP port 80 or check email on TCP port 110.
  • Forwarding rules block or allow traffic to flow between network interfaces for computers that have multiple interfaces.  This could be a computer that sits on two networks or one that has a wireless interface and a wired Ethernet interface.  Your laptop or work/home computer likely will not need this type of rule.

You can get more information on configuring your firewall at one of the following sites.  Note that you should not mess with these rules unless you are absolutely sure you know what you are doing, otherwise you will be completely cut off from email, the web, your loved ones, and society.  Before changing these rules, see the section on Scanning below so you can see what you have open.

How to configure the firewall for the major operating systems:

Mac

Linux

Windows

Scanning

Scanning is a tool used by attackers and defenders alike.  Scanning allows you to determine who else is on your network (by IP address) and check to see what ports they have open.

My scanning tool of choice is Nmap because it is available for most operating systems and it is full of options.  You can get it from their website at https://nmap.org.  For a great read, check out NMAP Network Scanning by Gordon “Fyodor” Lyon, or browse the Nmap website.

Scanning can take time, so break it into the four steps listed below.  If you are in a hurry or are scanning a very large network, you can start with an Nmap ping scan (-sP); advanced users can write the output of the scan to a file, use grep and awk to clean it up, and then use that file as the host list with the -iL filename option.

  1. Scan for interesting hosts
  2. TCP port scanning (can take minutes to hours)
  3. UDP port scanning (can take several hours or days, depending on the size of the network; only do it when you have time)
  4. Application enumeration

Host Scan

First, you need to find the IP addresses of devices in the range you are scanning.  If you are scanning your local network, you can examine your own IP address to get an idea of the range of IP addresses.  On Windows, open a command prompt and type ipconfig.  Look for the IPv4 Address (usually on the Wireless LAN Adapter for a wireless connection or the Ethernet Adaptor for a wired connection) and its subnet mask.  On a Mac or Linux open a terminal window and use ifconfig.

nmap -T4 -sP IPrange -oA outputfile

  1. -T4 is the speed of the scan, and you have the option of 1-5.  4 is fast and not as likely to lose packets as a setting of 5.
  2. -sP is the ping scan.  This is used for host discovery.  Nmap sends an ICMP echo request, a TCP ACK or SYN packet to port 80, and ARP.  Some of these are only used if you are a privileged user.
  3. IPrange is the range of hosts you are scanning.  Options include single hosts (192.168.0.10), CIDR notation (192.168.0.0/24), ranges (192.168.0.1-254), a comma list of hosts, or an input file with one host per line using the argument -iL.
  4. -oA outputs the scan results into several different formats, with the filename being “outputfile”.

TCP Scan

nmap -T4 -p0-65535 IPrange

  1. -T4 – fast scanning
  2. -p0-65535 – scan all ports; you can also use a list of ports to speed up your scan, e.g. 20,21,25,110-150
  3. IPrange is the range of hosts you are scanning.  Options include single hosts (192.168.0.10), CIDR notation (192.168.0.0/24), ranges (192.168.0.1-254), a comma list of hosts, or an input file with one host per line using the argument -iL.
  4. Note that scanning can take some time.  Hit the spacebar to see progress.

UDP Scan

Note that this scan can take more than a week to complete on a large network, so only use it if you have time.

nmap -v -sUV IPrange --host-timeout 900000 -T4

Enumeration

Enumeration is used to determine what software is running on a port.  This tool is useful because some system administrators run services on unusual ports to thwart attackers, such as running web services (port 80) on an email port (110).  A computer may also be behind a port-forwarding firewall, so some of the ports that are discovered are actually on the firewall and not the target computer.  Nmap will probe the port and check the responses against its database.  For speed, use the results of previous scans to target specific open ports. 

  1. TCP Scan: nmap -A -O -T4 -p0-65535 IPrange
    • Note that this scan can take over an hour to scan 8 devices.
    • -A – version detection – runs a series of queries against the port to determine what software is running
    • -T4 – fast scanning
    • -p0-65535 – scan all ports; you can also use a list of ports to speed up your scan, e.g. 20,21,25,110-150
    • IPrange is the range of hosts you are scanning.  Other options include single hosts, CIDR notation (192.168.0.0/24), ranges (192.168.0.1-254), and a comma list of hosts.
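The grep-and-awk cleanup mentioned under Scanning, plus a check of what a scan found open against what you meant to leave open, as an added example that is not part of the original lesson.  It reads the .gnmap file written by -oA; the sample scan data, the allowlist format and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example: build a host list for -iL and audit open ports from Nmap grepable output.

# Constructed sample of a .gnmap file; fields are tab-separated as Nmap writes them.
sample_gnmap() {
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: 192.168.0.1 (router.lan)\tStatus: Up\n'
    printf 'Host: 192.168.0.1 (router.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///\n'
    printf 'Host: 192.168.0.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.10 ()\tPorts: 22/open/tcp//ssh///, 110/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\n'
    printf 'Host: 192.168.0.99 ()\tStatus: Down\n'
}

# Constructed allowlist (hypothetical format): one "IP port/proto" per line.
sample_allowlist() {
    printf '%s\n' '# host port/proto' '192.168.0.1 53/tcp' '192.168.0.1 80/tcp' '192.168.0.10 22/tcp'
}

# live_hosts GNMAP: each host reported Up, once, one per line (the format -iL expects)
live_hosts() {
    awk -F'\t' '/^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1" | sort -u
}

# unexpected_ports ALLOWLIST GNMAP: open ports that are not on the allowlist,
# printed as "IP port/proto service"
unexpected_ports() {
    awk -F'\t' '
        FILENAME == ARGV[1] {                       # first file: the allowlist
            if ($0 !~ /^#/ && $0 != "") allowed[$0] = 1
            next
        }
        /^Host: / {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], p, "/")         # port/state/proto/owner/service/...
                    key = host " " p[1] "/" p[3]
                    if (p[2] == "open" && !(key in allowed)) print key, p[5]
                }
            }
        }' "$1" "$2"
}

# Demo on the constructed data
tmp=$(mktemp -d)
sample_gnmap > "$tmp/scan.gnmap"
sample_allowlist > "$tmp/allow.txt"
live_hosts "$tmp/scan.gnmap" > "$tmp/hosts.txt"     # then: nmap -T4 -p0-65535 -iL hosts.txt
unexpected_ports "$tmp/allow.txt" "$tmp/scan.gnmap" # 192.168.0.10 110/tcp http
rm -rf "$tmp"
```

Each line it prints is a door you did not plan to leave open: either close it with a firewall rule or add it to the allowlist on purpose.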

Trick

If you ever get a result with no hosts found, or discover that some hosts are missing, then scan the entire network without pinging first using the option -P0.  If a computer’s firewall blocks the initial ping scan, then Nmap will not scan through the list of open ports, even if the computer is operational.

Sniffing

Packet sniffing, or sniffing, lets you see everything that your computer sees at every layer of the OSI model.  The most popular visual tool for sniffing is Wireshark, which you can download at https://www.wireshark.org/.  There is also the command line tool tcpdump on *nix systems.

Modern switches are designed so that you only see traffic that is intended for your computer, as well as broadcast traffic that is sent to the broadcast IP of your network.  If you want to see traffic that is destined for other systems, then you will need to find some way to copy packets to you, through a SPAN port, port mirroring, or network tap, or by inserting yourself in the path through a man-in-the-middle attack.

On Windows systems you need special software called WinPcap to enable the packet capture.  This is installed automatically when you install Wireshark.

Running

When you run Wireshark, it will give you the option of selecting an existing saved packet capture file (PCAP) or a network interface.  Choose your network interface.

Your screen will begin filling with sweet packets.  Here are the default columns:

  1. The No. column shows the packets in the order in which they are seen
  2. The Time column shows the seconds that have elapsed since you started your packet capture
  3. The Source tells who sent the packet
  4. The Destination tells where the packet is going
  5. The Protocol is the protocol seen, (e.g. TCP, UDP, DNS)
  6. Length is the number of bytes in the packet/frame
  7. Info gives some basic information about what is seen in the packet

If you click on a packet/frame you will see more details in the bottom half of the screen.  Note that it lays things out in the order of the OSI model, from the lower layers at the top to the highest layers at the bottom.  It only shows those layers that are appropriate for the selected packet/frame.

Filters

When running Wireshark for the first time you will find a lot of noise clutters up your view of useful information (unless you are specifically looking for that clutter).  The Display Filter bar at the top of the window allows you to home in on data of interest.  It does not modify the packet data that is stored, only changes what is displayed.  Note that there is also a packet capture filter which allows you to only capture the packets of interest.  

I typically get rid of ARP traffic because it is very chatty, unless I am looking to enumerate other active hosts on the same network.  ARP is generated by a computer on the local network looking for the Layer 2 MAC address (the hardware address that uniquely identifies all networked devices) behind an IP address so it can communicate with it.  I also get rid of ICMP traffic – this is used for error messages and other useful things but can be noisy.  For this filter, use: !(arp or icmp).  Note that these names come from the Protocol column.  Continue adding to this filter until you can better discern patterns in the packet traffic.

Tools

There are all sorts of useful tools, such as following a TCP conversation or SSL stream (under the Analyze menu, then Follow-TCP Stream or SSL Stream) and seeing how much traffic is generated between two hosts (Statistics menu, then Conversations).

Google is your friend – look up anything that you find interesting.

NetworkMiner is a free tool that will grab useful items out of a packet capture.

Remote Packet Capture

If you have SSH access to a computer, you can also do a remote packet capture.  On Windows systems, Wireshark makes it difficult to set up remote connections – the ability to save the connections was removed several years ago, and you have to dig through menus to find the option.  You can use PuTTY’s companion tool plink.exe as an alternative.  PuTTY can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/ (stay away from putty.org – it is not legitimate), and plink will be installed with it.  Run plink using the following command:

"C:\Program Files\PuTTY\plink.exe" -ssh -batch -T -pw $password $user@$IPAddress -P $port | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

  • $password is the SSH password
  • $user is the username for the SSH connection
  • $IPAddress is the IP address of the SSH server
  • $port is the port used for SSH, in case it is not the default of 22
  • Wireshark will automatically load and will start displaying packets.  The command prompt will display any error messages and will remain locked until Wireshark is closed.

Linux is a little easier, just run the command:

ssh -l $user $IPAddress tshark -w - not tcp port 22 | wireshark -k -i -