Reconnaissance

To attack a system successfully, an attacker must first gather information about it. A hacker is like a military commander who must know the position, armament and numbers of the enemy before launching a successful attack.

Reconnaissance vectors

A reconnaissance attack can be active or passive. It is an attempt to gain information about targeted computers or networks that can be used as a preliminary step toward a further attack seeking to exploit the target system. Active reconnaissance involves port scans and OS scans, while passive reconnaissance relies on sniffing regular host traffic in order to learn about a host's capabilities and vulnerabilities.

Passive reconnaissance

The hacker starts by looking for information in DNS and whois databases. Once he knows the domain registered to the target, he can use commands such as nslookup, dig and whois to collect plenty of information about it. Much of that information does not point at the victim's own network but at a larger ISP datacenter that hosts the records, so instead of scanning the whole IP range, the attacker takes only the IP addresses of the mail, DNS and web servers and launches active reconnaissance against those systems.

Active reconnaissance

Active reconnaissance starts with tools that actually send packets to the target system. One such tool is traceroute, used to find the IP addresses of the routers and firewalls that protect the victim hosts. If a firewall along the path blocks UDP packets, a TCP traceroute tool can perform the same type of reconnaissance. Once an attacker has all this information, he can use more sophisticated tools such as nmap and hping to perform an active reconnaissance attack on the victim.

The nmap tool can detect the type of a victim's operating system using TCP fingerprinting alone. TCP fingerprinting analyses the details of the remote TCP stack implementation: a TCP packet is crafted with certain flags switched on or off and sent to the remote machine, and the remote operating system, based on its TCP stack implementation, sends a response with specific flags turned on or off (the most commonly used flags are SYN, ACK and FIN). From the responses collected for each crafted packet, nmap makes an intelligent guess about the operating system using its database of TCP stack signatures.

The attacker's next step is to find out which services are enabled on individual hosts, so he launches a port scan with nmap or an old-fashioned connect scanner. Once he has the information he needs, he uses different techniques to identify the particular software listening behind those ports. For this he can usually use a telnet, ftp or http client that logs information about, say, a web server: its version and the plugins or modules it uses, such as PHP, Perl or others. After this he can launch more powerful attacks such as DDoS or buffer-overflow exploits.

Other tools that can be used for active reconnaissance are:

  • AMAP – Application Mapper. AMAP uses the results from NMAP to mine for more info.
  • Nessus – Vulnerability Scanner
  • Scanrand – Fast network scanner
  • Paratrace – TCP Traceroute that utilizes selected TTL messages

Mitigations

The most successful method here is a combination of firewalls and IPS/IDS, which notify us about active reconnaissance attacks so that we can decide whether to block access to a particular service or subnet and thereby prevent follow-on attacks such as buffer overflow exploits or DoS floods.

Other useful methods for fighting unauthorized reconnaissance are disabling unused services, which could otherwise be used to gather information about target systems and the intermediate network devices that protect them, and using strong encryption, which is mandatory in order to prevent reconnaissance attacks and unauthorized access.

IPS Signatures

Attacks or other misuses of network resources can be defined as network intrusions. Sensors that use a signature-based technology can detect network intrusions. A signature is a set of rules that your sensor uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network packets, they use signatures to detect known attacks and respond with actions that you define.

The sensor compares the list of signatures with network activity. When a match is found, the sensor takes an action, such as logging the event or sending an alert. Sensors let you modify existing signatures and define new ones. IPS sensors update signatures online and can receive new signatures as soon as a zero-day attack is detected and a signature is created.

The anomaly detection component of the sensor detects worm-infected hosts. This makes the sensor less dependent on signature updates for protection against worms and scanners such as Code Red and SQL Slammer. The anomaly detection component lets the sensor learn normal activity and send alerts or take dynamic response actions for behavior that deviates from what it has learned as normal. Anomaly detection initially conducts a "peacetime" learning process, during which the normal state of the network is captured. It then derives a set of policy thresholds that best fit the normal network.
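As an added illustration (not from the original article or any vendor product), the following Python sketch applies the peacetime-learning idea above to constructed connection records: it learns how many distinct destination ports each source normally touches per minute, derives a policy threshold, and then flags sources that exceed it, which is what an active port scan looks like from the sensor's side. The records, the "mean plus three standard deviations" threshold rule and the floor value are assumptions of the example.

```python
# Added example (not from the original article or any vendor product): a toy
# "peacetime learning, then policy threshold" detector in the spirit of the
# anomaly-detection component described above. It learns how many distinct
# destination ports each source normally touches per minute, derives a
# threshold, and flags sources whose later activity deviates from that baseline.
import statistics
from collections import defaultdict

# Constructed sample records: (minute, src_ip, dst_ip, dst_port). Not real traffic.
PEACETIME = [
    (0, "10.0.0.5", "10.0.1.10", 443), (0, "10.0.0.5", "10.0.1.10", 80),
    (0, "10.0.0.7", "10.0.1.20", 22),  (1, "10.0.0.5", "10.0.1.11", 443),
    (1, "10.0.0.7", "10.0.1.20", 22),  (1, "10.0.0.7", "10.0.1.21", 25),
    (2, "10.0.0.5", "10.0.1.10", 443), (2, "10.0.0.7", "10.0.1.20", 22),
]
# Later traffic: the two known hosts behave as before; 192.0.2.99 probes ten ports in one minute.
OBSERVED = [(3, "10.0.0.7", "10.0.1.20", 22), (3, "10.0.0.5", "10.0.1.10", 443)] + [
    (3, "192.0.2.99", "10.0.1.10", p) for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080)
]

def ports_per_source_minute(records):
    """Map (src_ip, minute) -> number of distinct destination ports touched."""
    seen = defaultdict(set)
    for minute, src, _dst, port in records:
        seen[(src, minute)].add(port)
    return {key: len(ports) for key, ports in seen.items()}

def learn_threshold(records, k=3.0, floor=2):
    """Derive a policy threshold from peacetime traffic: mean + k * population
    standard deviation of distinct ports per source per minute, never below
    `floor` so a perfectly quiet baseline does not alert on a second port."""
    counts = list(ports_per_source_minute(records).values())
    return max(floor, statistics.mean(counts) + k * statistics.pstdev(counts))

def detect_scanners(records, threshold):
    """Return the sorted sources whose distinct-port count in any one minute exceeds the threshold."""
    per_key = ports_per_source_minute(records)
    return sorted({src for (src, _minute), n in per_key.items() if n > threshold})

if __name__ == "__main__":
    threshold = learn_threshold(PEACETIME)
    print(f"learned threshold: {threshold:.2f} distinct ports per minute")
    print("suspected scanners:", detect_scanners(OBSERVED, threshold))
```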

Disable Unused Services

As a security best practice, any unnecessary service must be disabled. These unneeded services, especially those that use UDP (User Datagram Protocol), are infrequently used for legitimate purposes, but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.

The TCP and UDP small services must be disabled. These services include:

  • echo (port number 7)
  • discard (port number 9)
  • daytime (port number 13)
  • chargen (port number 19)

Although abuse of the small services can be avoided or made less dangerous by anti-spoofing access lists, the services must be disabled on any device accessible within the network. The small services are disabled by default in Cisco IOS Software Releases 12.0 and later. In earlier software, the no service tcp-small-servers and no service udp-small-servers global configuration commands can be issued in order to disable them.

This is a list of additional services that must be disabled if not in use:

  • Issue the no ip finger global configuration command in order to disable the Finger service. Cisco IOS software releases later than 12.1(5) and 12.1(5)T disable this service by default.
  • Issue the no ip bootp server global configuration command in order to disable Bootstrap Protocol (BOOTP).
  • In Cisco IOS Software Release 12.2(8)T and later, issue the ip dhcp bootp ignore command in global configuration mode in order to disable BOOTP. This leaves Dynamic Host Configuration Protocol (DHCP) services enabled.
  • DHCP services can be disabled if DHCP relay services are not required. Issue the no service dhcp command in global configuration mode.
  • Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service.
  • Issue the no ip domain-lookup global configuration command in order to disable Domain Name System (DNS) resolution services.
  • Issue the no service pad command in global configuration mode in order to disable Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.
  • HTTP server can be disabled with the no ip http server command in global configuration mode, and Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.
  • Unless Cisco IOS devices retrieve configurations from the network during startup, the no service config global configuration command must be used. This prevents the Cisco IOS device from attempting to locate a configuration file on the network using TFTP.
  • Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover other CDP enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces that are connected to untrusted networks. This is accomplished with the no cdp enable interface command. Alternatively, CDP can be disabled globally with the no cdp run global configuration command. Note that CDP can be used by a malicious user for reconnaissance and network mapping.
  • Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. However, this protocol allows interoperability between other devices that do not support CDP. LLDP must be treated in the same manner as CDP and disabled on all interfaces that connect to untrusted networks. In order to accomplish this, issue the no lldp transmit and no lldp receive interface configuration commands. Issue the no lldp run global configuration command in order to disable LLDP globally. LLDP can also be used by a malicious user for reconnaissance and network mapping.
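As an added example (my own, not Cisco's and not part of the original article), the following Python script audits a Cisco IOS running-config, supplied as text, against the commands listed above. It assumes IOS 12.0 and later rendering, in which a disabled default appears as an explicit "no ..." line and an explicitly enabled service as a positive line; the sample configuration is constructed, and the conditional items (DHCP, DNS lookup) are deliberately left out of the checks.

```python
# Added example (not from the original article or from Cisco): audit a Cisco IOS
# running-config, given as text, for the services the hardening list above says to
# disable. Assumes IOS 12.0+ rendering, where a disabled default shows as a "no ..."
# line and an explicitly enabled service as a positive line; DHCP/DNS are left out.
import re
# Global lines expected to be present (feature is on by default, so it must be negated).
REQUIRED_GLOBAL = ["no ip bootp server", "no service pad", "no ip http server",
                   "no ip http secure-server", "no cdp run", "no lldp run", "no service config"]
# Global lines that should never appear (an explicit enable of an unneeded service).
FORBIDDEN_GLOBAL = ["service tcp-small-servers", "service udp-small-servers", "ip finger",
                    "ip http server", "ip http secure-server", "cdp run", "lldp run"]
# Interface sub-mode lines expected on every interface that faces an untrusted network.
REQUIRED_INTERFACE = ["no cdp enable", "no lldp transmit", "no lldp receive", "no mop enabled"]
def audit_config(config_text):
    """Return a list of findings; an empty list means the config passes these checks."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    global_lines = {ln.strip() for ln in lines if ln and not ln.startswith(" ")}
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBAL if c not in global_lines]
    findings += [f"unneeded service enabled: {c}" for c in FORBIDDEN_GLOBAL if c in global_lines]
    current, body = None, []                  # interface stanza being collected
    for ln in lines + ["!"]:                  # trailing sentinel flushes the last stanza
        if ln.startswith(" ") and current:    # indented line belongs to the open stanza
            body.append(ln.strip())
            continue
        if current:                           # stanza ended: check its sub-mode lines
            findings += [f"{current}: missing {c}" for c in REQUIRED_INTERFACE if c not in body]
        m = re.match(r"^interface (\S+)", ln)
        current, body = (m.group(1), []) if m else (None, [])
    return findings

# Constructed sample running-config (not from a real device); Gi0/1 is only half hardened.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service pad
no ip bootp server
ip http server
no ip http secure-server
no cdp run
no lldp run
no service config
interface GigabitEthernet0/0
 no cdp enable
 no lldp transmit
 no lldp receive
 no mop enabled
interface GigabitEthernet0/1
 no cdp enable
"""
if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```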

Strong Encryption

IPSec

IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (“peers”) such as Cisco routers.

IPsec is designed to provide interoperable, high-quality, and cryptographically based security. IPsec is defined in RFC 2401. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays, confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and upper-layer protocols (ULPs). Because these services are provided at the IP layer, they can be used by any higher-layer protocol (for example TCP, User Datagram Protocol [UDP], and Border Gateway Protocol [BGP]).

IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm (or algorithms) to use for the service (or services), and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IPSec provides the following network security services:

  • Data Confidentiality – The IPSec sender can encrypt packets before transmitting them across a network.
  • Data Integrity – The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Data Origin Authentication – The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
  • Anti-Replay – The IPSec receiver can detect and reject replayed packets.
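The anti-replay service in the list above is implemented at the receiver as a sliding window over the IPsec sequence numbers. The following Python class, added here as an illustration rather than taken from the article or from RFC 2401, shows that check in the style of the RFC's window code example; the window size and the packet sequence fed through it are constructed.

```python
# Added example (not from the original article): the anti-replay sliding-window
# check an IPsec receiver runs on each packet's sequence number, in the style of
# RFC 2401 Appendix C. Window size and sample sequence numbers are constructed;
# a real receiver verifies the packet's integrity check before updating the window.

class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the last
    `size` sequence numbers so duplicates and stale packets are rejected."""

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0          # highest sequence number accepted so far
        self.bitmap = 0            # bit i set => sequence number last_seq - i was seen

    def check_and_update(self, seq):
        """Return True and record `seq` if the packet is new and inside the
        window; return False (drop) for replays and packets older than the window."""
        if seq == 0:                         # sequence numbers start at 1
            return False
        if seq > self.last_seq:              # new high-water mark: slide the window right
            shift = seq - self.last_seq
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1                 # bit 0 now represents seq itself
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.size:              # older than the window: drop
            return False
        if self.bitmap & (1 << offset):      # already seen: replay, drop
            return False
        self.bitmap |= 1 << offset           # late but genuine: accept and mark
        return True

def run_sequence(seqs, size=64):
    """Feed a constructed sequence of packet numbers through one window and
    return the accept (True) / drop (False) decision for each."""
    win = AntiReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]

if __name__ == "__main__":
    # 5 is replayed, 2 arrives late but unseen, 1 is outside an 8-wide window once 9 was seen.
    print(run_sequence([3, 5, 4, 5, 9, 2, 1, 10], size=8))
```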

IPSec prevents routed traffic from being examined or tampered with while it travels across a network. This feature causes IP packets to be encrypted at a VPN gateway, routed across a network as encrypted information, and decrypted at the destination VPN gateway. In between the two VPN gateways, the packets are in encrypted form and therefore the packets’ contents cannot be read or altered. You define what traffic should be encrypted between the two VPN gateways, according to what data is more sensitive or critical.

If you want to protect traffic for protocols other than IP, you can encapsulate those other protocols into IP packets using GRE encapsulation, and then encrypt the IP packets.

MACsec

802.1AE is the IEEE MAC Security standard (also known as MACsec) which defines connectionless data confidentiality and integrity for media access independent protocols.

MACsec allows unauthorized LAN connections to be identified and excluded from communication within the network. In common with IPsec and SSL, MACsec defines a security infrastructure to provide data confidentiality, data integrity and data origin authentication.

MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. Cisco switches like the Catalyst 4500 series support 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host devices. The switches also support MACsec link layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional).

MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1X Extensible Authentication Protocol (EAP) framework. Only host facing links (links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.

A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the client. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the client, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to a client) using the current session key.

The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session key (MSK) shared by both partners in the data exchange. Entering the EAP session ID generates a secure connectivity association key name (CKN). Because the switch is the authenticator, it is also the key server, generating a random 128-bit secure association key (SAK), which it sends to the client partner. The client is never a key server and can only interact with a single MKA entity, the key server. After key derivation and generation, the switch sends periodic transports to the partner at a default interval of 2 seconds.

WebVPN (SSL VPN)

The SSL VPN feature (also known as WebVPN) provides support, in Cisco IOS software, for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Sockets Layer (SSL)-enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support.

WebVPN lets users establish a secure, remote-access VPN tunnel to a security appliance using a web browser. Users do not need a software or hardware client. WebVPN provides secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the Internet. WebVPN uses the Secure Sockets Layer protocol and its successor, Transport Layer Security, to provide the secure connection between remote users and the specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.