Information Security all in one place!

Posts tagged “IP address

Network Scanning: Concerns and Countermeasures


Network Scanning Concerns and Countermeasures

Daniel Saucier (Student of the InfoSec Industry, March 2012) – Network vulnerability scanning can not be more important than it is, right now in this day and age of internet computing. As technology grows the architectures are not catching up quite as fast as most would like. This article written below assumes you have basic networking knowledge, and assumes no responsibility for actions taken from this article. It’s sole purpose is to educate the savvy portion of the internet community with different protection types and threat preventive measures for today’s networking environments.

Different IP network scanning methods allow you to test and effectively identify vulnerable network components. Here is a list of effective scanning techniques and there applications: These options can be found in most advanced configuration options on most downloadable network scanners.

ICMP scanning and Probing:

>| By launching an ICMP ping sweep, you can effectively identified poorly protected hosts ( as security conscious administrator such as myself, filter inbound ICMP messages) and perform a degree of OS fingerprinting and reconnaissance by analyzing responses to the ICMP probe.

Half-open SYN flag TCP port scanning:

>| A SYN port scan is often the most effective type of port scan to launch directly against a target IP network space. SYN scanning is very fast, which allows large networks to be scanned rather quickly.

Inverse TCP port scanning:

>| Inverse scanning types (particularly FIN, XMAS, and NULL) take advantage of idiosyncrasies in certain TCP/IP stack implementations. This scanning type is not useful for large networks. Use this scan type for testing individual host or small network segments‘ security. Make sure your code is as up to date as possible and apply any manual workarounds to protect gear from this type of scan. Some if not all of these type of scans identify weak components because of the cost of business.

Third-party TCP port scanning:

>| Using a combination of vulnerable network components and TCP spoofing, third-party TCP port scans can be effectively launched. Scanning in this fashion has two benenfits: hiding the true source of the TCP scan and assessing the filters and levels of trust between hosts. Although time-consuming to undertake, this can be proved to be very effective when applied correctly.

UDP port scanning:

>| Identifying accessible UDP services can be undertaken easily, only if ICMP type 3 Code 3 (“Destination port unreachable”) messages are allowed back through filtering mechanisms that protect target systems. UDP services can sometimes be used to gather useful data or directly compromise hosts (the DNS, SNMP, TFTP, and BOOTP services in particular). Make sure you are locking these down!!

IDS evasion and filter circumvention:

>| Intrusion detection systems and other security mechanisms can be rendered ineffective by using multiple spoofed decoy hosts when scanning or by fragmenting probe packets using Nmap or fragroute. Filters such as firewalls, routers, and even software (IPsec) can sometimes be bypassed using specific source TCP or UDP port, source routing, or stateful attacks.

Using the different scanning methods mentioned above you can harden you network pretty well, however. Change is always a factor, what if you need to undertake a major network overhaul and start exposing different types of protocols to the network. The following list will help you when considering modifications to your components and minimize risk of re-exposing vulnerable services.

>| This list could be used as a baseline, guideline in some cases on any network configuration.

  1. Filter inbound ICMP message types at the border, or perimeter if you DMZ any servers on any routers and firewalls. This will force an attackers to use full-blown out TCP scans against all of your IP addresses to map effectively.
  2. Filter all outbound ICMP type 3 “unreachable” messages at the edge routers and firewalls to prevent UDP port scanning and firewalking from being effective. Firewalking – process of identifying firewalls in the scanning enumerations
  3. Consider configuring Internet firewalls so they can identify ports scans and throttle the connections accordingly. You can configure such as Check Point, NetScreen, and Watchguard appliances to name a few to prevent fast port scans and SYN floods from being launched against your network. However, this can back fire if the attacker is using a spoofed source address, resulting in DoS. PortSentry as an Open Source option is pretty effective as well in identifying scanns against your network.
  4. Asses the way that your network firewall or IDS devices handle fragmented IP packets by using tools such as fragtest and fragroute. Such devices can be taken down by being flooded with high volumes of fragments being processed. Bring your findings to the vendors attention……
  5. Ensure that your routing and filtering appliances (both routers and firewalls) can’t be bypassed using specific source ports or source routing techniques.
  6. If you run FTP services; ensure that your firewalls aren’t vulnerable to stateful circumvention attacks relating to malformed PORT and PASV commands
  7. If a commercial firewall is being used, ensure the following:
  • Latest code is installed, consider replacement is you can not comply
  • Antispoofing rules have been correctly defined so that the device doesn’t accept packets with private spoofed source addresses on its external interfaces

8.  Investigate the use of reverse proxy services if high security is a must. Fragments and malforms are not getting  by these guys, thus mitigating low level recon.

Wrapping up this article I would like to mention; be aware of your own network configurations and its publicly accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space. It really is surprising how many companies large and small still do not undertake proper scanning exercises.

Happy Hardening!



Qualys: WAF to the Cloud

Security vendor Qualys is now throwing its hat into the commercial WAF ring with a new WAF service in the cloud. The goal of the QualysGuard WAF is to enable more organizations to leverage WAF technology to protect their applications.

“We’ve noticed that traditional WAFs are usually hardware appliances and usually difficult to use,” Ivan Ristic, director of Engineering at Qualys told “The problem is that even for companies that can afford WAF tools, they’re only using them for their most precious assets.”

According to Ristic, that all means there is a long tail of websites that aren’t being protected by a WAF. The Qualys WAF only requires that a network is in control of its domain name in order to begin the process of setting up the protection. Administrators simply need to make a DNS change to redirect traffic to go through the Qualys’ global network of proxy servers.

“We see all the traffic and we’re able to screen it,” Ristic said. “Once we’re sure that it’s not malicious we pass it to the actual real site.”

The same process works in reverse to check all outgoing traffic from an enterprise for any potential unauthorized information leakage.

Read More here:

ISC-CERT Warns of Brute Force SSH Attack Threat for SCADA Systems

The Industrial Control System Cyber Emergency Response Team (ISC-CERT)
has issued a warning to utilities that certain supervisory control and
data acquisition (SCADA) systems may be vulnerable to brute-force
attacks. The threat described in the alert targets SCADA systems with
secure shell (SSH) command-line access. The alert notes that
organizations have been reporting SSH scans of Internet-facing control
systems. ISC-CERT makes several recommendations for mitigation.


Utilities Facing Brute-Force Attack Threat:

Dark Reading Reports – By Kelly Jackson Higgins

Higgins –Another day, another SCADA threat: ICS-CERT is now warning utilities and other critical infrastructure providers about potential brute-force attacks against control systems with SSH command-line access.

For an industry that traditionally has been cloistered and unaccustomed to cybersecurity threats to its systems, it has been a rough few months, with several security researchers exposing and poking some serious holes in the products that run in power plants, manufacturing floors, hospitals, and even prisons. Most recently, Metasploit late last month added a new exploit to the Metasploit Framework for an attack demonstrated by Digital Bond against the GE D20 PLC device. Other SCADA product exploits by the Digital Bound researchers are also in the works for Metasploit, including ones for Rockwell Automation, Schneider Modicon, and Koyo/Direct LOGIC. Last summer, researcher Dillon Beresford demonstrated a backdoor in Siemens S7-300, S7-400, and S7-1200 devices that allowed him to get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash.

ICS-CERT reported on Friday (PDF) that many organizations have been witnessing secure shell (SSH) scans of their Internet-facing control systems, including an electric utility that told ICS-CERT it had been hit by some brute force attempts against its networks that were “unsuccessful.” The attackers are probing Port 22/TCP, the default SSL listening port, to look for SSH. Once they get a response from the probe, they can execute a brute-force attack for login credentials in order to acquire remote access.

Structure of an SSH binary packet

Image via Wikipedia

This is just the latest in a string of painfully simple hacks to which critical infrastructure providers are vulnerable. Researchers Billy Rios and Terry McCorkle during the past year have been reporting bugs they find in industrial control systems products: They’ve found more than 1,000, of which 98 are easily exploitable. Among the most obvious bugs they found were via human management interface (HMI) applications that were accessible via the Internet, as well as file format and ActiveX flaws.It’s an attractive attack vector because many control-system devices on networks run SSH by default. ICS-CERT recommends monitoring network logs for port scans and access attempts. “Hundreds or thousands of login attempts over a relatively short time period is an indicator of a brute force attack because systems running SSH normally do not receive high volumes of login attempts,” the ICS-CERT alert says. “However, indication of an attack does not necessarily mean that the organization is the actual intended target. Scans are frequently executed against a wide range of IP addresses looking for any system meeting the attacker’s criteria (in this case, systems running SSH).”

McCorkle, who spoke at the Kaspersky Lab Security Analyst Summit in Cancun last week, says some of the vulnerabilities he and Rios reported will never get patched. “We reported all we did through ICS-CERT,” he said. “Some vendors never respond. Those [bugs] will sit there in limbo forever.”

Among the bugs they found: an open command via ActiveX control. “The state of ICS is kind of laughable. I honestly don’t know what else to say,” said McCorkle, who describes the ICS industry as living in 1990s-era security.

One of the ActiveX control flaws they found manages an HMI. “HMI’s are out there listening, and they give access to systems that are supposed to be segregated,” McCorkle said.

Meanwhile, the SSH brute-force threat reported by ICS-CERT is really nothing new, experts say. “Someone should welcome ICS to 2002. The advisory doesn’t even indicate that control system defaults are being tested,” says HD Moore, chief security officer at Rapid7.

The best defense is basically to run SSH on a nonstandard port, he says. “Running SSH on a nonstandard port stops nearly all of these attacks. If someone attacks SSH on a nonstandard port, you know it’s targeted,” Moore says. “For what it’s worth, this is how all of my own servers have been configured since ’99. It separates background noise from real attacks.”

Segregating the sensitive control systems with firewalls and VPNs and other layers is the best bet, he says. “It boils down to segmentation, still. The SCADA industry isn’t mature enough to place their products on the Internet,” Moore says.

Most of the time ICS systems are not firewalled, though, McCorkle says. “Power and water utilities do a better job [with this],” he said. “But it’s been proved that segmentation doesn’t [always] work: SIPERNET is segregated, and Stuxnet [bypassed those controls],” he said.

“If you want to it right, segmentation is very expensive. And if you do segmentation, you can get [overly] confident [such that] your controls are lacking,” he said.

Meanwhile, ICS vendors need to come up with a way to automatically issue patches for their critical systems. “Now when they release it, it’s totally on the customer,” McCorkle said. “There’s no automated way or a website to find the patches available for your products.”

Advisory: Backdoor in TRENDnet IP cameras

**Trendnet Responds: Comment left below from Trendnet in response to the most recent vulnerability.

TRENDnet has posted the resolution to the security breach on their IP cameras: You can check information on affected TRENDnet IP cameras at: You can download critical firmware along with detailed update instructions for the affected TRENDnet IP cameras at blogger “someLuser” (yes that is his tag)has identified a security vulnerability in some TRENDnetIP cameras which permits inquisitive web users to access them without authentication. He discovered the vulnerability whilst exploring the firmware on his TV-IP110w camera using a tool called binwalk.

English: A candidate icon for Portal:Computer ...

Lengthy lists of freely accessible video streams are already circulating on the web. Random sampling by most testers found that most of the cameras were indeed freely accessible, providing views of offices, living rooms and children’s bedrooms. For demonstration purposes, someLuser has put together a Python script which uses server search engine Shodan to find cameras. Navigating to a camera web server URL displays the video stream recorded by the camera – this occurs whether or not a password has been set.

TRENDnet has already responded by providing a firmware update promising “improved security”, which can be downloaded from its support page. Many other TRENDnet cameras also appear to be affected – according to someLuser, the firmware for the company’s TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN and TV-IP110WN models has been updated. Anyone using one of these cameras should update the firmware without delay.

You can find the firmware for your device here