<p>The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.</p>
<h2>Advanced Scanning</h2>
<p>Tuesday, September 29, 1998</p>
<p>We have received reports of two scanning techniques being used by intruders to map networks and identify systems:</p>
<ul>
<li>"Stealth" scanning</li>
<li>Scanning to identify system or network architecture</li>
</ul>
<p>In addition to the reports we have received, the Dahlgren Division of the Naval Surface Warfare Center has published information indicating that multiple intruders may be using these attacks in a coordinated effort. This information is available at</p>
<p><a href="http://www.nswc.navy.mil/ISSEC/CID/co-ordinated_analysis.txt">http://www.nswc.navy.mil/ISSEC/CID/co-ordinated_analysis.txt</a></p>
<h3>Stealth Scanning</h3>
<p>The "stealth" scans appear to have a common goal: to gather information about target sites while avoiding detection, by using techniques that intrusion detection systems and system administrators are likely to overlook. These techniques include</p>
<ul>
<li><b>Inverse Mapping</b><br/>
In an "inverse mapping" scan, intruders send packets that would normally go unnoticed or cause no unusual behavior to a list of addresses. For hosts that do not exist, however, routers return an ICMP <i>host unreachable</i> message. By determining which hosts <i>do not</i> exist, an intruder can infer which hosts <i>do</i> exist, and so gain information about the structure of your network.
<p>Any packet type can be used to elicit the ICMP <i>host unreachable</i> message, but we have received reports that intruders are actively using RESET packets, SYN-ACK packets, and DNS response packets for which no query was ever made.</p></li>
<li><b>Slow Scans</b><br/>
In a "slow scan" intruders scan the network at a rate slow enough that it is likely to avoid detection. These scans are difficult to detect automatically, because you must maintain a history of all the packets you have received in order to recognize that a new packet is related to old traffic.</li>
</ul>
<h3>Scanning to Identify System or Network Architecture</h3>
<p>Intruders have also employed scanning techniques to identify the operating system used by a particular host, or to determine information about the structure of the target network. A recently released tool called <i>queso</i> relies on variations in the response to unexpected packets to determine the operating system of a particular host.</p>
<p>That is, <i>queso</i> sends unexpected packets to a host and examines the response. Because the packets are unexpected, there is no standard response, and so each operating system is free to respond in its own way. By examining the responses to these unexpected packets, <i>queso</i> can determine the kinds of operating systems and TCP/IP stacks installed on your network. An intruder can use this information to optimize attacks on your network, or to identify sets of machines with particular vulnerabilities.</p>
<p>This is similar in effect to the scans described in</p>
<p><a href="http://www.cert.org/incident_notes/IN-98.01.irix.html">http://www.cert.org/incident_notes/IN-98.01.irix.html</a></p>
<p>except that <i>queso</i> recognizes a variety of operating systems, whereas the scans described in Incident Note 98.01 recognized only IRIX.</p>
<p>The following excerpt from tcpdump shows a <i>queso</i> probe against a machine running Solaris 2.5.1. (Boldface type indicates the target system's first response packet.)</p>
<p><tt>server.24728 &gt; solaris1.local.10.in-addr.arpa.telnet: S 1119794168:1119794168(0) win 4660</tt><br/>
<b><tt>solaris1.local.10.in-addr.arpa.telnet &gt; server.24728: S 442322772:442322772(0) ack 1119794169 win 9112 &lt;mss 536&gt; (DF)</tt></b><br/>
<tt>server.24728 &gt; solaris1.local.10.in-addr.arpa.telnet: R 1119794169:1119794169(0) win 0</tt><br/>
<tt>server.24729 &gt; solaris1.local.10.in-addr.arpa.telnet: S 1119794168:1119794168(0) ack 0 win 4660</tt><br/>
<tt>solaris1.local.10.in-addr.arpa.telnet &gt; server.24729: R 0:0(0) win 0 (DF)</tt><br/>
<tt>server.24730 &gt; solaris1.local.10.in-addr.arpa.telnet: F 1119794168:1119794168(0) win 4660</tt><br/>
<tt>server.24731 &gt; solaris1.local.10.in-addr.arpa.telnet: F 1119794168:1119794168(0) ack 0 win 4660</tt><br/>
<tt>solaris1.local.10.in-addr.arpa.telnet &gt; server.24731: R 0:0(0) win 0 (DF)</tt><br/>
<tt>server.24732 &gt; solaris1.local.10.in-addr.arpa.telnet: SF 1119794168:1119794168(0) win 4660</tt><br/>
<tt>solaris1.local.10.in-addr.arpa.telnet &gt; server.24732: S 442455494:442455494(0) ack 1119794169 win 9112 &lt;mss 536&gt; (DF)</tt><br/>
<tt>server.24732 &gt; solaris1.local.10.in-addr.arpa.telnet: R 1119794169:1119794169(0) win 0</tt><br/>
<tt>server.24733 &gt; solaris1.local.10.in-addr.arpa.telnet: P win 4660</tt><br/>
<tt>server.24734 &gt; solaris1.local.10.in-addr.arpa.telnet: S 1119794168:1119794168(0) win 4660</tt><br/>
<tt>solaris1.local.10.in-addr.arpa.telnet &gt; server.24734: S 442581319:442581319(0) ack 1119794169 win 9112 &lt;mss 536&gt; (DF)</tt><br/>
<tt>server.24734 &gt; solaris1.local.10.in-addr.arpa.telnet: R 1119794169:1119794169(0) win 0</tt></p>
<p>The following excerpt, also from tcpdump, shows a <i>queso</i> probe against a machine running NT Workstation 4.0:</p>
<p><tt>server.5856 &gt; ntwork1.nt.local.netbios-ssn: S 1276897729:1276897729(0) win 4660</tt><br/>
<b><tt>ntwork1.nt.local.netbios-ssn &gt; server.5856: S 285465669:285465669(0) ack 1276897730 win 8576 &lt;mss 1460&gt; (DF)</tt></b><br/>
<tt>server.5856 &gt; ntwork1.nt.local.netbios-ssn: R 1276897730:1276897730(0) win 0</tt><br/>
<tt>server.5857 &gt; ntwork1.nt.local.netbios-ssn: S 1276897729:1276897729(0) ack 0 win 4660</tt><br/>
<tt>ntwork1.nt.local.netbios-ssn &gt; server.5857: R 0:0(0) win 0</tt><br/>
<tt>server.5858 &gt; ntwork1.nt.local.netbios-ssn: F 1276897729:1276897729(0) win 4660</tt><br/>
<tt>ntwork1.nt.local.netbios-ssn &gt; server.5858: R 0:0(0) ack 1276897730 win 0</tt><br/>
<tt>server.5859 &gt; ntwork1.nt.local.netbios-ssn: F 1276897729:1276897729(0) ack 0 win 4660</tt><br/>
<tt>ntwork1.nt.local.netbios-ssn &gt; server.5859: R 0:0(0) win 0</tt><br/>
<tt>server.5860 &gt; ntwork1.nt.local.netbios-ssn: SF 1276897729:1276897729(0) win 4660</tt><br/>
<tt>ntwork1.nt.local.netbios-ssn &gt; server.5860: S 285465749:285465749(0) ack 1276897730 win 8576 &lt;mss 1460&gt; (DF)</tt><br/>
<tt>server.5860 &gt; ntwork1.nt.local.netbios-ssn: R 1276897730:1276897730(0) win 0</tt><br/>
<tt>server.5861 &gt; ntwork1.nt.local.netbios-ssn: P win 4660</tt><br/>
<tt>ntwork1.nt.local.netbios-ssn &gt; server.5861: R 0:0(0) ack 1276897729 win 0</tt><br/>
<tt>server.5862 &gt; ntwork1.nt.local.netbios-ssn: S 1276897729:1276897729(0) win 4660</tt><br/>
<tt>ntwork1.nt.local.netbios-ssn &gt; server.5862: S 285465789:285465789(0) ack 1276897730 win 8576 &lt;mss 1460&gt; (DF)</tt><br/>
<tt>server.5862 &gt; ntwork1.nt.local.netbios-ssn: R 1276897730:1276897730(0) win 0</tt></p>
<p>Note that the responses of the two operating systems differ as early as the first response packet (highlighted above). By comparing these differences to a dictionary of known response characteristics, <i>queso</i> is often able to determine the type of operating system employed by the target machine. Users can also extend <i>queso</i> to distinguish other kinds of operating systems, or other devices that will respond to TCP/IP packets.</p>
<p>We have received reports of incidents in which intruders have launched coordinated scans that may have been used to discover information about the structure of the target network.
By launching similar scans from two or more distinct networks against a single target network, and then comparing the responses, intruders may be able to infer information about the structure of the target network. By using two or more networks to launch a scan against a third network, an intruder can</p>
<ul>
<li>Discover alternate routes into your network</li>
<li>Infer aspects of the topology of your network</li>
<li>Increase the bandwidth available to launch a <a href="http://www.cert.org/tech_tips/denial_of_service.html">denial of service</a> attack</li>
<li>Reduce the likelihood of detection</li>
</ul>
<h3>Conclusion</h3>
<p>Intruders are using a variety of techniques to gain information about networks and the systems on them. Intruders can use this information to tailor their attacks to target networks or to find a set of machines that share a certain vulnerability.</p>
<p>Intruders have recently run a number of very large-scale scans of the Internet looking for particular vulnerabilities, such as those discussed in</p>
<p><a href="http://www.cert.org/incident_notes/IN-98.02.html">http://www.cert.org/incident_notes/IN-98.02.html</a></p>
<p>The ability to determine the types of operating systems in use helps intruders focus their attacks on certain types of machines, or modify their attacks to suit the target.</p>
<p>Do not presume that the topology of your network, the operating systems in use, the products used to connect to the Internet, and other externally visible characteristics are secret. When you evaluate the security of your network, remember that intruders can discover this information and use it to their advantage.</p>
<h3>Acknowledgements</h3>
<p>Our thanks to Stephen Northcutt of the <a href="http://www.nswc.navy.mil">Naval Surface Warfare Center</a> for his assistance.</p>
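<p>As an added illustration for the <i>queso</i> excerpts above (this script is not part of the original note and is not the <i>queso</i> tool), the following Python parses tcpdump lines in the notation shown there and flags a source that sends several of the packets a normal TCP client never sends (a SYN-ACK with no preceding SYN, a bare FIN, SYN+FIN, PSH without ACK) to one port on one host, while keeping enough connection state to leave a legitimate handshake alone. The sample lines are constructed from the Solaris excerpt plus a normal HTTP connection for contrast.</p>

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump notation used in the note (not a real capture): the
# first seven lines follow the queso probe sequence, the last three are a normal HTTP connection.
SAMPLE_LOG = """\
server.24728 > solaris1.local.10.in-addr.arpa.telnet: S 1119794168:1119794168(0) win 4660
solaris1.local.10.in-addr.arpa.telnet > server.24728: S 442322772:442322772(0) ack 1119794169 win 9112 (DF)
server.24729 > solaris1.local.10.in-addr.arpa.telnet: S 1119794168:1119794168(0) ack 0 win 4660
server.24730 > solaris1.local.10.in-addr.arpa.telnet: F 1119794168:1119794168(0) win 4660
server.24731 > solaris1.local.10.in-addr.arpa.telnet: F 1119794168:1119794168(0) ack 0 win 4660
server.24732 > solaris1.local.10.in-addr.arpa.telnet: SF 1119794168:1119794168(0) win 4660
server.24733 > solaris1.local.10.in-addr.arpa.telnet: P win 4660
client.40001 > www.local.http: S 1000:1000(0) win 8760
www.local.http > client.40001: S 2000:2000(0) ack 1001 win 8760
client.40001 > www.local.http: F 1001:1001(0) ack 2001 win 8760
"""

# "host.port > host.port: FLAGS rest"; the last dot separates host name from port
LINE_RE = re.compile(r"^(?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): (?P<flags>\S+)(?P<rest>.*)$")

def classify_probes(lines):
    """Map (src host, dst host, dst port) to the set of probes no normal client sends,
    keeping just enough connection state to leave legitimate SYN-ACK and FIN alone."""
    opened, answered = set(), set()   # flows begun with a plain SYN / flows that drew a SYN-ACK
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        src, sport, dst, dport, flags = m["src"], m["sport"], m["dst"], m["dport"], m["flags"]
        has_ack = " ack " in m["rest"]
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S" and not has_ack:
            opened.add(flow)
        elif flags == "S" and reverse in opened:      # server's half of a real handshake
            answered.add(reverse)
        elif flags == "S":
            findings[(src, dst, dport)].add("SYN-ACK with no preceding SYN")
        elif flags == "SF":
            findings[(src, dst, dport)].add("SYN+FIN")
        elif flags == "F" and flow not in answered:
            findings[(src, dst, dport)].add("FIN+ACK to no connection" if has_ack else "bare FIN")
        elif flags == "P" and not has_ack:
            findings[(src, dst, dport)].add("PSH without ACK")
    return findings

def fingerprint_alerts(lines, min_kinds=3):
    """(src, dst, dport) triples that received at least min_kinds distinct odd probes."""
    return sorted(k for k, v in classify_probes(lines).items() if len(v) >= min_kinds)
```

<p>On the sample, only the <tt>server</tt> to <tt>solaris1</tt> telnet port pair is reported, with five distinct probe kinds; the HTTP client's FIN is recognized as the close of an answered connection and ignored.</p>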
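<p>The inverse-mapping and slow-scan techniques from the Stealth Scanning section are, as the note says, only caught by keeping history. As an added example (not from the original note), this Python keeps a per-source sliding-window history of unsolicited RST and SYN-ACK packets aimed at internal addresses and correlates them with the router's ICMP <i>host unreachable</i> replies; the timestamped lines, the <tt>10.1.1.</tt> internal prefix and the hosts <tt>outside</tt> and <tt>gw</tt> are all constructed.</p>

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines with an epoch-second timestamp prepended (not a real
# capture). An outside host sends an unsolicited RST or SYN-ACK to one internal address every
# five minutes; the border router answers with ICMP host unreachable for addresses not in use.
SAMPLE_LOG = """\
100 outside.4000 > 10.1.1.2.80: R 0:0(0) win 0
100 gw > outside: icmp: host 10.1.1.2 unreachable
400 outside.4000 > 10.1.1.3.80: R 0:0(0) win 0
700 outside.4000 > 10.1.1.4.80: R 0:0(0) win 0
700 gw > outside: icmp: host 10.1.1.4 unreachable
1000 outside.4000 > 10.1.1.5.80: S 77:77(0) ack 0 win 512
1000 gw > outside: icmp: host 10.1.1.5 unreachable
1300 outside.4000 > 10.1.1.6.80: R 0:0(0) win 0
1300 gw > outside: icmp: host 10.1.1.6 unreachable
1500 partner.5000 > 10.1.1.3.25: S 1:1(0) win 8760
"""

PKT_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+)\.\S+ > (?P<dst>\S+)\.\S+: (?P<flags>\S+)(?P<rest>.*)$")
ICMP_RE = re.compile(r"^\d+ \S+ > (?P<to>\S+): icmp: host (?P<host>\S+) unreachable$")

def inverse_map_alerts(lines, internal_prefix="10.1.1.", window=3600, min_hosts=4):
    """Keep, per outside source, a history of unsolicited packets (RST, or SYN-ACK with no
    connection behind it) sent to internal addresses, and flag a source once it has touched
    min_hosts distinct addresses within `window` seconds. Returns {src: (hosts probed,
    hosts the router reported unreachable)}. The window has to be long: a slow scan that
    sends one packet every few minutes only shows up if the history spans the whole sweep."""
    history = defaultdict(list)      # src -> [(ts, internal dst)]
    unreachable = defaultdict(set)   # src -> addresses the router told it do not exist
    alerts = {}
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            unreachable[m["to"]].add(m["host"])
            continue
        m = PKT_RE.match(line.strip())
        if m is None or not m["dst"].startswith(internal_prefix):
            continue
        ts, src, flags = int(m["ts"]), m["src"], m["flags"]
        if not (flags == "R" or (flags == "S" and " ack " in m["rest"])):
            continue                                   # plain SYNs are ordinary connection attempts
        hist = history[src]
        hist.append((ts, m["dst"]))
        hist[:] = [(t, d) for t, d in hist if ts - t <= window]   # forget entries outside the window
        hosts = {d for _, d in hist}
        if len(hosts) >= min_hosts:
            alerts[src] = (len(hosts), len(hosts & unreachable[src]))
    return alerts
```

<p>With the default one-hour window the <tt>outside</tt> host is reported after five addresses, three of which the router has declared absent; rerunning the same lines with a 500-second window produces no alert at all, which is exactly what a slow scan relies on.</p>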
<p>Copyright 1998 Carnegie Mellon University.</p>