Protection Against Reconnaissance and Scan Attacks - Project Overview


Gain insights into strategies for mitigating scan attacks and securing networks against reconnaissance with a focus on modern firewall configurations and zone protection profiles. Explore the significance of proactive defense to prevent breaches before they occur.

  • Security
  • Network Defense
  • Cyber Threats
  • Reconnaissance Protection
  • Firewall


Presentation Transcript


  1. Protection against Reconnaissance and Scan Attacks. Robert Schmidt, Jordana Maciel. Advisors: Sergio Elizalde, Jorge Crichigno. Department of Integrated Information Technology (IIT), University of South Carolina. December 2024

  2. Agenda
     • Project description
     • Background information
     • Infrastructure
     • Experiment
     • Demo
     • Conclusion

  3. Project overview
     Objective: Gain a fundamental understanding of reconnaissance in network security and explore strategies to mitigate scan attacks.
     Key focus areas:
     • Reconnaissance techniques: Mapping networks and identifying vulnerabilities by port scans and host sweeps.
     • Configuration of NGFW: Implementing modern firewalls and zone protection to counter unauthorized data collection.
     Significance: Highlights the importance of proactive defense, preventing breaches before they happen, and provides a framework for securing networks against real-world reconnaissance activities.

  4. Background information
     • Firewall: A network monitoring device that inspects traffic on the network and blocks traffic according to the firewall policies in place.
     • NGFW: While very similar to a firewall, it offers far more comprehensive and advanced protection against cyber threats.
     • Zones: Segment the network into smaller, manageable areas to enhance protection.
     • Zone Protection Profiles: To prevent attackers from collecting network data, zone protection profiles with Reconnaissance Protection can be implemented. This helps defend against tactics like port scans and host sweeps.

  5. Background information
     Reconnaissance attacks are unauthorized attempts to map or discover networks in order to detect vulnerabilities. Techniques such as port scans, host sweeps, and OS fingerprinting are types of scan attacks used to find vulnerabilities on the network.
     Common tools:
     • Nmap: Network mapping tool, used for scanning networks, finding open ports, and discovering hosts.
     • Nping: Packet generation tool, used for response analysis and measurement.
     • Hping3: Network tool used for sending custom TCP packets to view target replies. It can also be used for flood attacks.
     Reconnaissance is often a precursor to other types of attacks that exploit any vulnerabilities found in a network.
     (Screenshot annotation: scan of network 192.168.50.0/24; -v1 = employ more verbosity; -Pn = no host discovery, port scan only.)

  6. Background information
     Nmap and Hping3 are open-source tools used for pen-testing and various forms of cyber attacks. Nmap scans for live hosts and open ports by ping scanning; the command can be altered with a variety of flags to make the scan more aggressive, or harder for the firewall to detect. Hping3 allows a threat actor or pen-tester to generate and manipulate a variety of TCP, UDP, or ICMP packets. By flooding a network with these packets, we can better see how well the network is protected.

  7. Infrastructure
     Key devices:
     • DMZ server: Public-facing services (192.168.50.10)
     • Web server: Within the DMZ (192.168.50.80)
     • Internal client: Compromised client device (192.168.1.20)
     • Virtual router: Connects and segments the security zones (192.168.1.1, default gateway)
     Network zones:
     • Users_Network (192.168.1.0/24): Hosts internal devices.
     • Extranet (192.168.50.0/24): DMZ for public-facing network services.
     • Internet: External devices outside of the organization's control.
     (System topology diagram)

  8. Experiment
     Scenario: An internal client (192.168.1.20) is compromised and used by a threat actor to initiate a reconnaissance attack against a critical web server (192.168.50.80). The attacker plans to use Nmap to find vulnerabilities before attacking with an Hping3 flood.
     Potential damages if the attack is not blocked:
     • DMZ compromised: Allows the threat actor to take control of the DMZ server.
     • Data breach: Information in the DMZ can be accessed or leaked.
     • Service disruption: Hping3 can create a denial-of-service (DoS) attack, disabling public-facing services.
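Added example (not from the presentation or the project's lab): a small Python model of the per-source threshold counters that a zone protection profile with Reconnaissance Protection (port scan, host sweep) and SYN flood protection, as described on slides 4 and 5, applies to traffic entering a zone. It runs over constructed traffic that mirrors the slide 7 topology and the slide 8 scenario. The zone subnets and addresses are the ones on slide 7; the thresholds, the interval, the event tuple format and the traffic sample are assumptions chosen for illustration, not PAN-OS values or log formats.

```python
"""Added example, not from the presentation: a simplified model of the
per-source threshold counters behind Reconnaissance Protection (port scan,
host sweep) and SYN flood protection on traffic entering a protected zone.
Thresholds, interval, event format and sample traffic are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Zones from the project topology (slide 7).
ZONES = {
    "Users_Network": ip_network("192.168.1.0/24"),
    "Extranet": ip_network("192.168.50.0/24"),
}
PROTECTED_ZONE = "Extranet"   # the DMZ, where the profile is applied

# Assumed thresholds: counts per source within a sliding window of INTERVAL seconds.
INTERVAL = 2.0
PORT_SCAN_THRESHOLD = 10    # distinct destination ports on one host
HOST_SWEEP_THRESHOLD = 5    # distinct destination hosts
SYN_FLOOD_THRESHOLD = 100   # bare SYNs to one host


def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is 'Internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"


def _window(entries, now):
    """Drop entries (t, value) older than INTERVAL and return the remaining values."""
    entries[:] = [(t, v) for t, v in entries if now - t <= INTERVAL]
    return [v for _, v in entries]


def detect(events):
    """events: iterable of (t, src, dst, dport, tcp_flags) ordered by time;
    dport and tcp_flags are None for ICMP. Returns one alert (t, src, verdict)
    per (source, technique) the first time a counter crosses its threshold."""
    ports = defaultdict(list)   # (src, dst) -> [(t, dport)]
    hosts = defaultdict(list)   # src -> [(t, dst)]
    syns = defaultdict(list)    # (src, dst) -> [(t, 1)]
    fired, alerts = set(), []

    def raise_once(t, src, key, verdict):
        if (key, verdict) not in fired:
            fired.add((key, verdict))
            alerts.append((t, src, verdict))

    for t, src, dst, dport, flags in events:
        if zone_of(dst) != PROTECTED_ZONE:
            continue                    # the profile only watches traffic into the DMZ
        hosts[src].append((t, dst))
        if len(set(_window(hosts[src], t))) >= HOST_SWEEP_THRESHOLD:
            raise_once(t, src, src, "host-sweep")
        if dport is not None:
            ports[(src, dst)].append((t, dport))
            if len(set(_window(ports[(src, dst)], t))) >= PORT_SCAN_THRESHOLD:
                raise_once(t, src, (src, dst), f"port-scan:{dst}")
        if flags == "S":                # SYN without ACK, as a SYN flood sends
            syns[(src, dst)].append((t, 1))
            if len(_window(syns[(src, dst)], t)) >= SYN_FLOOD_THRESHOLD:
                raise_once(t, src, (src, dst), f"syn-flood:{dst}")
    return alerts


def sample_events():
    """Constructed traffic mirroring the scenario on slide 8: the compromised
    client 192.168.1.20 scans, sweeps and floods the DMZ while 192.168.1.30
    (an assumed normal user) browses the web server."""
    ev = []
    # Normal user: two connections to the web server.
    ev += [(0.1, "192.168.1.30", "192.168.50.80", 80, "S"),
           (0.5, "192.168.1.30", "192.168.50.80", 443, "S")]
    # Port scan: 12 ports on the web server in under a second.
    ev += [(1.0 + i * 0.05, "192.168.1.20", "192.168.50.80", 20 + i, "S") for i in range(12)]
    # Host sweep: ICMP echo to six DMZ addresses.
    ev += [(3.0 + i * 0.1, "192.168.1.20", f"192.168.50.{i + 1}", None, None) for i in range(6)]
    # Traffic to the internal gateway: not in the protected zone, so ignored.
    ev += [(4.0, "192.168.1.20", "192.168.1.1", 53, "S")]
    # SYN flood: 120 SYNs to port 80 within 0.6 s.
    ev += [(10.0 + i * 0.005, "192.168.1.20", "192.168.50.80", 80, "S") for i in range(120)]
    return sorted(ev, key=lambda e: e[0])


def run_sample():
    """Run the detectors over the constructed sample and return the alerts."""
    return detect(sample_events())


if __name__ == "__main__":
    for t, src, verdict in run_sample():
        print(f"t={t:6.2f}s  src={src:<14} {verdict}")
```

Each counter is keyed by source (and, for port scans and floods, by destination) and forgets events older than the interval, which is why the normal user's two connections never trip anything while the compromised client produces exactly one alert per technique. A real zone protection profile adds the configurable action (alert, block, or block the source IP for a period) and the exclusion lists for authorized scanners; this model stops at the detection decision.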

  9. Experiment
     Nmap was used in our project to identify open ports that may be vulnerable to attack. Nmap's record-route feature was also used to find routing information to map out the network.
     • Command 1 (IP Record Route): nmap -sP --ip-options R 192.168.50.80
     • Command 2 (TCP Port Scan): nmap -v1 -Pn -T4 --max-retries 1 192.168.50.80
     Hping3 was used to create a flood attack on the vulnerable ports identified earlier with Nmap. A follow-up test will be conducted to see how the firewall handles the incoming ping requests.
     • Command 3 (hping3 flood): hping3 -S -p 80 --flood -c 50 192.168.50.80
     All of these commands are tools that any pen tester or threat actor can use to infiltrate the target network.

  10. Demo
     This demonstration will be hosted on Netlab, a virtual lab for training.
     • Step 1: Successfully executing a reconnaissance attack on the web server from the compromised machine, since no security policies are in place. Nmap and Hping3 are used to attack the web server.
     • Step 2: Implementing the zone protection policies in the NGFW, and showing the zone protection policies in place to prevent the attacks.
     • Step 3: A failed execution of the reconnaissance attack on the web server from the compromised machine, due to the security policies now in place. Showing the policy actively stopping the attack attempts and inspecting the firewall logs.

  11. Conclusion
     As shown in the completion of the demo, we have successfully configured Palo Alto's Next Generation Firewall zone protections against reconnaissance attacks. All attempts at reconnaissance were successfully prevented, mitigated, and validated by the threat logs. In addition, the compromised client's IP was exposed, as well as the type of commands which were run on the system. In conclusion, preventing attacks is achievable and viable through properly configured zone protection policies.
