Analysis on Recon Technology
In this article, we will look at some popular network reconnaissance techniques and write Snort detection rules for them in practice.
Exercise 1: network discovery
Nmap is one of the most popular tools in the information security field. This popularity can be attributed to many factors, not least its efficiency. Although Nmap is generally used as a port scanner, it can do far more than that. We will use it to practice basic network discovery. In the following example, we perform a ping scan to find devices in the network. Your lab environment may use a different network range, so be careful to enter the range that matches your lab rather than the one shown here.
nmap -sP 192.168.x.0/24
In this example, six active hosts are found (the results will vary with your lab environment). This is the most basic Nmap scan. Next we switch Snort to IDS mode: edit the rules with sudo gedit /etc/snort/rules/local.rules, then start it:
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
Now run the Nmap ping scan again:
nmap -sP 192.168.x.0/24
Did Snort print any alert? No? Let's look at what Nmap actually did. Run the same command with the --packet-trace option, which prints every request and response Nmap sends and receives to the screen; it is a good way to learn how the various Nmap scan types work. Enter this command in the terminal:
nmap -sP 192.168.95.0/24 --packet-trace
We can see that Nmap sends ARP requests instead of the ICMP echo requests used by ping. This is because you are scanning a local network in the lab, and Nmap knows that ARP is sufficient to find hosts on the same link. Next we see the responses from the machines on the network:
If you use the following command to force Nmap to use ICMP ping instead:
These options tell Nmap to use ICMP ping and disable ARP. Check your Snort output; you should see this result:
Here there may be a false positive problem: the current Snort rule alerts on all ping requests, so normal ICMP echo requests will also be reported. For example:
Therefore we need to distinguish Nmap's ping from a normal ping, that is, fingerprint it. We can capture some traffic with Wireshark and analyze it.
First, generate some ping traffic with Nmap:
nmap -sP 192.168.x.0/24 --disable-arp-ping
Then send some normal ping traffic from another machine:
ping 192.168.x.x
Then return to Wireshark, stop the capture and filter the traffic for analysis:
ip.dst == 192.168.x.x && icmp
The filtered result is as follows:
We can see that the normal ping frame has Length 60 while Nmap's is 74, and that the ICMP Echo Request sent by Nmap carries no payload data. We can refine our Snort rule based on this by matching on an empty ICMP payload (dsize:0):
alert icmp any any -> $HOME_NET any (msg:"Possible Nmap ping sweep"; dsize:0; sid:1000005; rev:1;)
Run the test again and you should see the expected alerts.
Exercise 2: Use Nmap for port scanning
Run the following command to perform basic TCP scanning:
nmap -sT 192.168.x.x --packet-trace
The result lists a series of open ports on your target server. For example, port 21 is the ftp port, port 15 is the smtp port, and port 53 is the dns port.
Run the following command to perform a TCP connect scan against several hosts:
nmap -sT 192.168.x.y,z
Note that Nmap does not attempt to scan all ports. By default it scans the 1000 most commonly used ports, such as port 80 used by web servers.
If we want to write a Snort rule for such a scan, for example to detect connections to port 23 used by telnet, we can use this rule:
alert tcp any any -> $HOME_NET 23 (msg:"TCP Port Scanning"; sid:1000006; rev:1;)
Then, if you scan the target server:
nmap -sT 192.168.x.x
you should see the following in Snort:
Another way to alert on port scanning is to count the number of requests per unit of time, using Snort's detection_filter rule option. For example:
alert tcp any any -> $HOME_NET any (msg:"TCP Port Scanning"; detection_filter: track by_src, count 30, seconds 60; sid:1000006; rev:2;)
This rule triggers an alert when more than 30 TCP connections from the same source are seen within 60 seconds.
Next we comment out the other rules to avoid interference and try scanning again, this time only port 21:
nmap -sT 192.168.x.x -p 21
There should be no alert in Snort.
Now perform a complete scan again:
nmap -sT 192.168.x.x
Snort should now output the following:
Obviously our rule works, but it produces far too many alerts; we need to tune it. We can add the following event_filter statement:
event_filter gen_id 1, sig_id 1000006, type limit, track by_src, count 1, seconds 60
Just like this:
This means that the alert with sid 1000006 is output at most once per source every 60 seconds. Restart Snort and scan again; this time the output is:
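To see how the two thresholds above interact, the following added example (not from the original article) replays constructed connection-attempt timestamps through a simulation of detection_filter (track by_src, count 30, seconds 60) and event_filter (type limit, track by_src, count 1, seconds 60). The source addresses, timestamps and the simplified sliding-window semantics are assumptions; the point is that detection_filter keeps alerting on every packet once the rate is exceeded, and event_filter collapses that stream to one alert per interval.

```python
"""Simulate Snort's detection_filter and event_filter thresholds.

Added example, not from the original article. Timestamps are seconds,
sources are constructed addresses.
"""
from collections import defaultdict, deque


class DetectionFilter:
    """detection_filter: track by_src, count N, seconds S.

    The rule matches only once more than N events from one source fall
    inside the last S seconds; every further event inside the window
    matches too, which is why the raw alert stream is so noisy."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.history = defaultdict(deque)   # src -> timestamps in window

    def matches(self, src, ts):
        window = self.history[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()
        return len(window) > self.count


class EventFilter:
    """event_filter: type limit, track by_src, count N, seconds S.

    Pass the first N alerts per source in each S-second interval and
    drop the rest until the interval has expired."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}   # src -> (interval_start, alerts_seen)

    def allow(self, src, ts):
        start, seen = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0
        seen += 1
        self.state[src] = (start, seen)
        return seen <= self.count


def simulate(events, det_count=30, det_seconds=60, lim_count=1, lim_seconds=60):
    """Return (raw_alerts, limited_alerts) per source for (ts, src) events."""
    det = DetectionFilter(det_count, det_seconds)
    lim = EventFilter(lim_count, lim_seconds)
    raw, limited = defaultdict(int), defaultdict(int)
    for ts, src in sorted(events):
        if det.matches(src, ts):          # the rule with detection_filter fires
            raw[src] += 1
            if lim.allow(src, ts):        # event_filter decides whether to log it
                limited[src] += 1
    return dict(raw), dict(limited)


def sample_events():
    """Constructed traffic: a scanner doing two bursts and a quiet client."""
    scanner, client = "10.0.0.5", "10.0.0.7"
    events = [(i * 0.1, scanner) for i in range(100)]           # 100 SYNs in 10 s
    events += [(200.0 + i * 0.1, scanner) for i in range(50)]   # 50 more, later
    events += [(5.0, client), (20.0, client), (40.0, client)]   # normal use
    return events


if __name__ == "__main__":
    raw, limited = simulate(sample_events())
    print("raw alerts per source:    ", raw)       # {'10.0.0.5': 90}
    print("limited alerts per source:", limited)   # {'10.0.0.5': 2}
```

The scanner's first burst exceeds 30 connections on its 31st packet and every one of the remaining 70 packets raises an alert; the second burst adds 20 more. With the limit filter only the first alert of each 60-second interval survives, so two alerts are logged and the quiet client never appears.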
That's better: the output is no longer cluttered, which is what we need.
Exercise 3: stealthy scanning
Step 1: timing
Nmap is a very fast scanner, which is both an advantage and a disadvantage, because sending a large number of packets in a short time is easily recognized by an IDS.
Of course, Nmap itself provides options to adjust its speed. We can use the -T timing template, for example:
nmap -sT 192.168.x.x -p 80,135 -T sneaky
Note the scan time (about 45 seconds in the example):
If we use the insane template the scan is much faster, but it is obvious and easier to detect. We can also use --scan-delay to specify the delay between probes. For example, to delay 5 seconds:
nmap -sT 192.168.x.x -p 80,135 --scan-delay 5s
Five seconds for each of the two ports plus an initial delay of five seconds should take around 15 seconds.
We can also specify the unit in ms, for example:
nmap -sT 192.168.x.x -p 80,135 --scan-delay 5ms
This is 5 milliseconds and completes very quickly. The actual speed may be affected by the network environment and configuration.
Step 2: stealthy TCP scanning
Nmap provides several methods for stealthier TCP scanning, such as SYN scanning:
nmap -sS 192.168.x.x
In addition, some other scan types rely on subtle behaviour of the TCP protocol when it receives unusual flag combinations.
Fingerprinting this type of scan is easy: simple traffic analysis in Wireshark is enough. Generate the traffic with:
nmap -sF 192.168.x.x
nmap -sX 192.168.x.x
nmap -sN 192.168.x.x
Then filter the traffic:
ip.src == 192.168.x.x && ip.dst == 192.168.y.y && tcp.port eq 21
We can see our scan traffic in the results.
By analyzing this traffic we can write detection rules such as this one for the XMAS scan (FIN, PSH and URG set together):
alert tcp any any -> $HOME_NET any (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000007; rev:1;)
Load this rule and scan again:
nmap -sX 192.168.x.x -p 80
In Snort, we will see the following information:
Step 3: decoy scanning
Decoy scanning forges the source address of some of the probes, which makes the logs hard to analyze. For example, using the following scan command:
nmap -sS 192.168.x.x -D 10.10.10.10,11.11.11.11,1.1.1.1,8.8.8.8
If you capture the traffic in Wireshark, the result looks like this:
Obviously, these source addresses are forged.
From this analysis we can write a rule that flags web traffic arriving from outside the local range:
alert tcp !192.168.x.0/24 any -> $HOME_NET 80 (msg:"Suspicious IP address"; sid:1000008; rev:1;)
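The three stateless rules in this article (the dsize:0 ICMP rule from Exercise 1, the flags:FPU XMAS rule, and the "Suspicious IP address" rule above) all match on fields that can be read straight out of the packet headers. The following added example, which is not part of the original article and is not Snort's own matching engine, builds a few raw IPv4/ICMP/TCP packets in memory and applies Python equivalents of those three rules to them, so the reader can see which header fields each rule inspects. The HOME_NET value 192.168.1.0/24, the addresses, and the constructed packets are assumptions; checksums are left at zero because nothing here validates them.

```python
"""Apply Python equivalents of the article's three stateless Snort rules
to constructed raw packets. Added example, not the article's code."""
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed lab range
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (IHL=5, TTL 64, checksum 0: not validated here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_icmp_echo(data):
    """ICMP echo request (type 8, code 0, id 1, seq 1) plus payload."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


def build_tcp(sport, dport, flags):
    """20-byte TCP header with the given flags byte and no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       1024, 0, 0)


def parse(packet):
    """Extract the header fields the rules look at from a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    info = {"proto": packet[9],
            "src": ipaddress.ip_address(packet[12:16]),
            "dst": ipaddress.ip_address(packet[16:20])}
    body = packet[ihl:]
    if info["proto"] == 1:                       # ICMP: 8-byte header
        info["icmp_type"] = body[0]
        info["dsize"] = len(body) - 8            # Snort's dsize = payload length
    elif info["proto"] == 6:                     # TCP: data offset in byte 12
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        doff = (body[12] >> 4) * 4
        info["flags"] = body[13]
        info["dsize"] = len(body) - doff
    return info


# (msg, predicate) pairs mirroring the article's rules.
RULES = [
    # alert icmp any any -> $HOME_NET any (dsize:0;)
    ("Possible Nmap ping sweep",
     lambda p: p["proto"] == 1 and p["dst"] in HOME_NET and p["dsize"] == 0),
    # alert tcp any any -> $HOME_NET any (flags:FPU;)  -- exact flag match
    ("Nmap XMAS Tree Scan",
     lambda p: p["proto"] == 6 and p["dst"] in HOME_NET
     and p["flags"] == FIN | PSH | URG),
    # alert tcp !HOME_NET any -> $HOME_NET 80
    ("Suspicious IP address",
     lambda p: p["proto"] == 6 and p["src"] not in HOME_NET
     and p["dst"] in HOME_NET and p["dport"] == 80),
]


def match(packet):
    """Return the msg of every rule that matches the packet."""
    info = parse(packet)
    return [msg for msg, pred in RULES if pred(info)]


def sample_traffic():
    """Constructed packets: Nmap-style empty ping, normal ping, XMAS probe,
    plain SYN, and a SYN to port 80 from a decoy address outside HOME_NET."""
    inside, target = "192.168.1.50", "192.168.1.10"
    return {
        "nmap_ping": build_ipv4(1, inside, target, build_icmp_echo(b"")),
        "normal_ping": build_ipv4(1, inside, target, build_icmp_echo(bytes(56))),
        "xmas": build_ipv4(6, inside, target, build_tcp(40000, 21, FIN | PSH | URG)),
        "syn": build_ipv4(6, inside, target, build_tcp(40000, 21, SYN)),
        "decoy": build_ipv4(6, "8.8.8.8", target, build_tcp(40000, 80, SYN)),
    }


def run():
    return {name: match(pkt) for name, pkt in sample_traffic().items()}


if __name__ == "__main__":
    for name, alerts in run().items():
        print(f"{name:12s} -> {alerts}")
```

The empty-payload echo request is the only ICMP packet flagged, the XMAS probe is flagged by its exact FIN/PSH/URG combination while a plain SYN is not, and the decoy SYN is flagged solely because its source lies outside the local range. As with the Snort rule itself, that last check cannot tell a decoy from a genuine external client; it only separates traffic that should not be seen on the internal segment from traffic that should.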
If the scan is run again, Snort outputs the following:
These are some reconnaissance detection techniques based on Snort rules. If we can skilfully customize the corresponding rules, we can detect reconnaissance against our network more effectively.