• No se han encontrado resultados

IV. DESARROLLO

4. D ESARROLLO Y ANÁLISIS DEL PRODUCTO ARTÍSTICO

4.3. Desarrollo de las piezas musicales

4.3.1. Legado ancestral

War dialing is the exploitation of an organization’s telephone, dial, and private branch exchange (PBX) system to infiltrate the internal network in order to abuse computing resources. It may be surprising to discuss war dialing here, since more PBX systems come with increased security configurations. However, the fact remains that there are many insecure modems that can be compromised to gain access to target systems (Figure 3-8).

The relevance of war dialers today arises from the fact that, although Internet connections have firewalls and intrusion detection systems installed, modems are still insecure. War dialers differ from daemon dialers in that the former targets a large pool of telephone numbers, while the latter targets a single phone number. As remote users are increasing, so are remote dial-in connections to networks. Some of these remote users may not be using security precautions, such as storing passwords or personal firewalls, thereby allowing intruders to access the main network.

War dialing is mostly used to detect fax, voice, busy tones, and anomalies that might be present in an orga- nization’s PBX system besides telephones.

War dialing is also used to do the following: • Enumerate current modem status

• Identify unsecured modems within an organization for the purpose of securing them

• Perform maintenance on devices on a PBX accessible by PSTN (e.g., fax machines and modems) • Locate phone lines on a PBX that are not being used

• Locate rogue modems with nefarious designs that may have been placed on a network • Locate misconfigured remote-access servers

Step 3: Fingerprint the Operating System

OS fingerprinting is a method used to determine the operating system that is running on a target system. It is an important scanning method, as the attacker will have a greater probability of success if the OS of the target system is known (many vulnerabilities are OS specific). The attacker can then formulate an attack strategy based on the OS of the target system.

Determining the OS on a remote host was originally carried out with a technique known as banner grab- bing. Banner grabbing can be carried out in two ways: either by spotting the banner while trying to connect to a service such as an FTP site or by downloading the binary file /bin/ls to check the architecture with which it was built.

A more advanced fingerprinting technique depends on stack querying, which transfers the packets to the net- work host and evaluates packets based on the reply. The first stack-querying method was designed with regard to the TCP mode of communication, in which the response of the connection requests is evaluated.

The next method was known as ISN (Initial Sequence Number) analysis. This identifies the differences in the random number generators found in the TCP stack.

ICMP response analysis is another method used to fingerprint an OS. It consists of sending ICMP messages to a remote host and evaluating the reply.

The following are two different types of fingerprinting: 1. Active stack fingerprinting

2. Passive fingerprinting

Active Stack Fingerprinting

Active stack fingerprinting is based on the principle that an operating system’s IP stack has a unique way of responding to specially crafted TCP packets. This arises because of different interpretations that vendors apply while implementing the TCP/IP stack on the particular OS. In active fingerprinting, a variety of malformed packets are sent to the remote host, and the responses are compared to a database.

For instance, the scanning utility Nmap uses a series of nine tests to determine an OS fingerprint. These tests are illustrated below to give an idea of how an active stack fingerprint is formed:

• Test 1: A TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP port.

• Test 2: A TCP packet with no flags enabled is sent to an open TCP port. This type of packet is known as a NULL packet.

• Test 3: A TCP packet with the URG, PSH, SYN, and FIN flags enabled is sent to an open TCP port. • Test 4: A TCP packet is sent with the ACK flag enabled to an open TCP port.

Copyright © by

All rights reserved. Reproduction is strictly prohibited

Scanning Methodology 3-11

• Test 5: A TCP packet is sent with the SYN flag enabled to a closed TCP port. • Test 6: A TCP packet is sent with the ACK flag enabled to a closed TCP port.

• Test 7: A TCP packet is sent with the URG, PSH, and FIN flags enabled to a closed TCP port. • Test 8: A UDP packet is sent to a closed UDP port. The objective is to extract an “ICMP port

unreachable” message from the target machine.

• Test 9: This test tries to determine the sequence generation patterns of the TCP initial sequence numbers (also known as TCP ISN sampling), the IP identification numbers (also known as IPID sampling), and the TCP time stamp numbers. The test is performed by sending six TCP packets with the SYN flag enabled to an open TCP port.

The objective of these tests is to find patterns in the initial sequence of numbers that the TCP implementations choose while responding to a connection request. These can be categorized into groups such as the traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or true random (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a time- dependent model where the ISN is incremented by a fixed amount for each time period.