Portaledge: Enumeration Event Class
From SCADApedia
The Enumeration Event Class in Portaledge is made up of events that are triggered when active enumeration occurs, e.g. a system, device or network is scanned, has a service connected to, or is otherwise communicated with in a manner that is indicative of active enumeration.
Events are raised when the PI IP Flow Interface, Snort IDS, or other sensors detect traffic indicative of active enumeration. Sensors on the network can also monitor for stealth enumeration techniques such as an ArpScan. Monitoring for enumeration techniques is critical, as enumeration is a typical first step in a penetration attempt and is very indicative of penetration/attack activity. As control systems are very latency dependent, active scanning and enumeration can also readily lead to Portaledge Availability Events.
Events
Syn Portscan Enumeration Event
Definition: The Syn Portscan Enumeration Event will trigger an alert when incomplete (Syn to Syn-Ack) TCP sessions are created across multiple ports on one or more hosts.
Description: A Syn Portscan sends a Syn packet to a target port and awaits the Syn-Ack reply, without ever establishing a full TCP session.
Triggers
- Syn Portscan: This trigger will raise an alarm if incomplete TCP sessions are tried against multiple ports on one or more hosts.
Interfaces
- IP Flow: Used to detect incomplete TCP connection.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
TCP Portscan Enumeration Event
Definition: The TCP Portscan Enumeration Event will trigger an alert when complete TCP sessions that immediately terminate are created across multiple ports on one or more hosts.
Description: A TCP Portscan completes the 3 way TCP connection establishment and then immediately terminates the session.
Triggers
- TCP Portscan: This trigger will raise an alarm if complete but quickly terminated TCP sessions are attempted against multiple ports on one or more hosts.
Interfaces
- IP Flow: Used to detect TCP connections.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
UDP Portscan Enumeration Event
Definition: The UDP Portscan Enumeration Event will trigger an alert when UDP packets are detected as having been sent to multiple ports on one or more hosts.
Description: As UDP is a connectionless protocol, a UDP scanner sends a UDP packet to a port and waits for the ICMP port unreachable reply. If no reply is received the port is assumed to be active.
Triggers
- UDP Portscan: This trigger will raise an alarm if UDP packets are detected that are directed at multiple ports across one or more hosts.
Interfaces
- IP Flow: Used to detect UDP communications.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
FIN Portscan Enumeration Event
Definition: The FIN Portscan Enumeration Event will trigger an alert when TCP FIN packets are detected as having been sent to multiple ports on one or more hosts.
Description: FIN portscans are used to bypass firewalls and work by sending TCP FIN packets to targeted ports. Closed ports reply with an RST packet; active ports do not reply.
Triggers
- FIN Portscan: This trigger will raise an alarm if TCP FIN packets are detected that are directed at multiple ports across one or more hosts.
Interfaces
- IP Flow: Used to detect TCP FIN communications.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
ACK Portscan Enumeration Event
Definition: The ACK Portscan Enumeration Event will trigger an alert when ACK packets are detected as having been sent to multiple ports on one or more hosts.
Description: ACK scans are not used to determine if a port is active but rather if it is filtered by a firewall.
Triggers
- ACK Portscan: This trigger will raise an alarm if ACK packets are detected that are directed at multiple ports across one or more hosts.
Interfaces
- IP Flow: Used to detect TCP ACK communications.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
Port Sweep Enumeration Event
Definition: The Port Sweep Enumeration Event will trigger an alert when any of the above port scanning techniques attempts to identify a single port across multiple IPs.
Description: A port sweep is a port scan that searches for the availability of a single port across multiple hosts using any of the common portscanning techniques.
Triggers
- Port Sweep: This trigger will raise an alarm if any type of portscan is detected at a unique port across multiple hosts.
Interfaces
- IP Flow: Used to detect portscans.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
Ping Sweep Host Enumeration Event
Definition: The Ping Sweep Enumeration Event will trigger an alert when ICMP ping traffic is detected by the PI IP Flow interface or by a network IDS sensor.
Description: A Ping Sweep sends ICMP ECHO request (ping) packets to a list of specified hosts to see if an active/live host resides at the specified IP address by monitoring ICMP ECHO reply packets.
Triggers
- Ping Sweep: This trigger will raise an alarm if ICMP ECHO request (ping) packets to multiple endpoints are detected.
Interfaces
- IP Flow: Used to detect ICMP ECHO request (ping) traffic.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
ICMP Scan Host Enumeration Event
Definition: The ICMP Scan Enumeration Event will trigger an alert when gratuitous non-ECHO ICMP packets are detected across multiple hosts.
Description: ICMP Information Request, Timestamp Request, ICMP Address Mask Request, ICMP error message packets (and others) can be used to enumerate hosts using methodologies not as commonly employed as ping sweeping. These methodologies rely on the replies to the various ICMP packets to detect whether a host is alive.
Triggers
- ICMP Scan: This trigger will raise an alarm if any type of gratuitous non-ECHO ICMP packets are detected across multiple hosts.
Interfaces
- IP Flow: Used to detect portscans.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
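The IP Flow side of the Syn, TCP, UDP, FIN and ACK Portscan events, the Port Sweep event and the Ping Sweep and ICMP Scan events above all reduce to one aggregation over flow records: label each flow with the technique it resembles, then count how many distinct ports one source touches on a host (portscan) or how many hosts it touches on one port (sweep). The following is an added example written for this page, not Portaledge or PI Interface code; the Flow record layout, the flag letters, the convention of carrying the ICMP type in the port field and the thresholds are assumptions, and every sample flow is constructed.

```python
"""Flow-based detection for the portscan, port sweep, ping sweep and ICMP scan
events above.  Added example, not Portaledge or PI code: the Flow layout,
flag letters, ICMP-type convention and thresholds are assumptions, and every
sample flow is constructed."""
from collections import defaultdict
from dataclasses import dataclass

PORT_THRESHOLD = 5   # distinct ports on one host from one source -> portscan (assumed)
HOST_THRESHOLD = 5   # distinct hosts on one port / probed with ICMP -> sweep (assumed)

ICMP_ECHO_REQUEST = 8
ICMP_NON_ECHO_PROBES = {13, 15, 17}  # timestamp, information and address mask requests


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "TCP", "UDP" or "ICMP"
    dport: int   # for ICMP the type number is carried here (assumption)
    flags: str   # TCP flags sent by the src side, e.g. "S", "SR", "SAF", "F", "A"
    packets: int


def classify(flow):
    """Name the scan technique a single flow resembles, or None for ordinary traffic."""
    if flow.proto == "TCP":
        f = set(flow.flags)
        if f in ({"S"}, {"S", "R"}):
            return "Syn Portscan"     # SYN never completed, or reset after the SYN-ACK
        if f == {"F"}:
            return "FIN Portscan"
        if f == {"A"}:
            return "ACK Portscan"
        if {"S", "A"} <= f and (f & {"F", "R"}) and flow.packets <= 6:
            return "TCP Portscan"     # full handshake torn down after a handful of packets
        return None
    if flow.proto == "UDP":
        return "UDP Portscan"         # only becomes an alarm once enough ports are touched
    if flow.proto == "ICMP":
        if flow.dport == ICMP_ECHO_REQUEST:
            return "Ping Sweep"
        if flow.dport in ICMP_NON_ECHO_PROBES:
            return "ICMP Scan"
    return None


def detect(flows, port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Aggregate flows per (source, technique) and return sorted (event, src, target) alarms."""
    ports_by_host = defaultdict(lambda: defaultdict(set))   # (src, kind) -> dst -> {dport}
    hosts_by_port = defaultdict(lambda: defaultdict(set))   # (src, kind) -> dport -> {dst}
    for fl in flows:
        kind = classify(fl)
        if kind is None:
            continue
        ports_by_host[(fl.src, kind)][fl.dst].add(fl.dport)
        hosts_by_port[(fl.src, kind)][fl.dport].add(fl.dst)

    alarms = set()
    for (src, kind), hosts in ports_by_host.items():
        if kind in ("Ping Sweep", "ICMP Scan"):
            if len(hosts) >= host_threshold:       # many hosts probed with ICMP
                alarms.add((kind, src, f"{len(hosts)} hosts"))
            continue
        for dst, ports in hosts.items():
            if len(ports) >= port_threshold:       # many ports on one host
                alarms.add((kind, src, dst))
    for (src, kind), ports in hosts_by_port.items():
        if kind in ("Ping Sweep", "ICMP Scan"):
            continue
        for dport, dsts in ports.items():
            if len(dsts) >= host_threshold:        # one port across many hosts
                alarms.add(("Port Sweep", src, f"port {dport} via {kind}"))
    return sorted(alarms)


# Constructed sample flows: a SYN scan of six ports on an HMI, a FIN sweep of
# port 502 across six PLCs, a ping sweep of eight hosts, and one legitimate
# long-lived Modbus/TCP poll from the SCADA server.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "10.0.1.10", "TCP", p, "S", 1) for p in (21, 22, 23, 80, 102, 502)]
    + [Flow("10.0.0.5", f"10.0.2.{i}", "TCP", 502, "F", 1) for i in range(1, 7)]
    + [Flow("10.0.0.7", f"10.0.3.{i}", "ICMP", ICMP_ECHO_REQUEST, "", 1) for i in range(1, 9)]
    + [Flow("10.0.0.20", "10.0.2.1", "TCP", 502, "SAF", 4000)]
)

if __name__ == "__main__":
    for alarm in detect(SAMPLE_FLOWS):
        print(alarm)
```

The design point worth keeping is that a single flow is never an alarm by itself: classification only labels the technique, and the alarm comes from how many distinct ports or hosts one source touches with it. Counting per technique also keeps the long-lived Modbus poll, which completes its handshake and stays up, out of the TCP Portscan count, which matters on control networks where an Availability Event is the price of a false positive.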
ArpScan Host Enumeration Event
Definition: The ArpScan Enumeration Event will trigger an alert when ARPScanning is detected.
Description: ArpScanning is a technique by which active hosts on a local network segment may be detected by sending gratuitous ARP requests. Active hosts are determined by noting the ARP replies.
Triggers
- ARPScan: This trigger will raise an alarm if ARPScanning traffic is detected.
Interfaces
- IP Flow: Used to characterize ARP traffic.
- ARPWatch into Syslog or Windows Event Log: As ARPWatch may not necessarily be deployed on a network, ARPWatch detection is a secondary interface path.
La Brea Tar Pit Scan Enumeration Event
Definition: The La Brea Tar Pit Scan Enumeration Event will trigger an alert when bogus ACK and ACK-winprobe packets are detected targeting one or more hosts.
Description: A LaBrea Tarpit scan sends fake ACK and ACK window-probe packets to targets to determine whether a host is "tarpitted". A tarpitted host is a machine that has been configured to send confusing and misleading results to port scanners and to slow the penetration of attackers and worms.
Triggers
- Tarpit Scan: This trigger will raise an alarm if Tarpit scanning traffic is detected.
Interfaces
- IP Flow: Used to characterize the bogus ACK packets indicative of a Tarpit scanning traffic.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
Banner Grab Service Enumeration and OS Fingerprinting Event
Definition: The Banner Grab Event will trigger an alert when short, complete TCP sessions that terminate after the exchange of the banner data are detected across services on a single host, or against multiple hosts, within a short time frame.
Description: Banner Grabbing is a technique by which a specific service or OS may be identified by examining the "banner" portion provided by the service when a connection is created.
Possible banner grabs exist for the:
- SSH Service
- Telnet Service
- HTTP Server
- FTP Service
- Other known services on known ports.
Triggers
- Banner Grab: This trigger will raise an alarm if Banner Grabbing traffic is detected.
- SSH Service Banner Grab: This trigger will raise an alarm if Banner Grabbing traffic is detected against the SSH service.
- Telnet Service Banner Grab: This trigger will raise an alarm if Banner Grabbing traffic is detected against the Telnet Service.
- HTTP Server Banner Grab: This trigger will raise an alarm if Banner Grabbing traffic is detected against the Web Server.
- FTP Service Banner Grab: This trigger will raise an alarm if Banner Grabbing traffic is detected against the FTP service.
Interfaces
- IP Flow: Used to characterize Banner Grabbing traffic as short sessions that terminate after the exchange of the banner data.
SinFP OS Fingerprinting Enumeration Event
Definition: The SinFP OS Fingerprint Enumeration Event will trigger an alert when the Snort IDS sends an alert to syslog. Syslog in turn feeds the event into the PI Syslog Interface.
Description: A SinFP scan uses up to 3 tests of up to 3 packets each, against a single open port, to identify the OS using artifacts in the stack's responses.
Triggers
- SinFP Fingerprint: This trigger will raise an alarm when the Snort IDS sends the event to syslog.
Interfaces
- Snort IDS into Syslog or Windows Event Log: Snort IDS appears at this time to be the only way of detecting this event.
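Because the SinFP event, and the secondary path of most events above, depends on Snort alerts arriving over syslog, the PI Syslog Interface side has to recognise a Snort alert line among ordinary syslog traffic and map its signature to a Portaledge event. The following is an added example written for this page, not Portaledge or Snort code. It assumes Snort's standard syslog alert layout ("[gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src:port -> dst:port"), uses Snort's sfPortscan preprocessor GID 122 for the portscan lines, and stands in a placeholder local-rule SID (1:1000001) for the SinFP signature; all sample lines are constructed.

```python
"""Turn Snort alerts arriving over syslog into Portaledge enumeration events.
Added example, not Portaledge or Snort code: the event map, the local-rule SID
and all sample lines are constructed assumptions.  The line layout follows
Snort's syslog alert output:
    snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src:port -> dst:port
The classification is absent for preprocessor alerts, and sfPortscan alerts
(GID 122) carry no port numbers, so both parts are optional in the pattern."""
import re
from dataclasses import dataclass
from typing import Optional

ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# (gid, sid) -> Portaledge event.  122:1 and 122:3 are sfPortscan's TCP Portscan
# and TCP Portsweep; 1:1000001 stands in for a site-local SinFP rule (placeholder).
EVENT_MAP = {
    (122, 1): "TCP Portscan Enumeration Event",
    (122, 3): "Port Sweep Enumeration Event",
    (1, 1000001): "SinFP OS Fingerprinting Enumeration Event",
}


@dataclass
class EnumerationEvent:
    event: str
    src: str
    dst: str
    dport: Optional[int]
    priority: int
    snort_msg: str


def parse_alert(line):
    """Return an EnumerationEvent for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    key = (int(m["gid"]), int(m["sid"]))
    # Unmapped signatures are surfaced rather than dropped, so a new rule is never lost silently.
    event = EVENT_MAP.get(key, f"Unmapped Snort alert {key[0]}:{key[1]}")
    return EnumerationEvent(
        event=event,
        src=m["src"],
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        priority=int(m["pri"]),
        snort_msg=m["msg"],
    )


def events_from_syslog(lines):
    """Parse a batch of syslog lines, keeping only the Snort alerts."""
    return [ev for ev in map(parse_alert, lines) if ev is not None]


# Constructed sample syslog lines: a local SinFP rule firing, two sfPortscan
# preprocessor alerts, and an unrelated sshd line that must be ignored.
SAMPLE_SYSLOG = [
    "Mar  4 09:15:02 ids1 snort[2413]: [1:1000001:1] LOCAL SCAN SinFP OS fingerprint probe "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.1.10:502",
    "Mar  4 09:15:07 ids1 snort[2413]: [122:1:1] (portscan) TCP Portscan [Priority: 3] "
    "{PROTO:255} 10.0.0.5 -> 10.0.1.10",
    "Mar  4 09:15:09 ids1 snort[2413]: [122:3:1] (portscan) TCP Portsweep [Priority: 3] "
    "{PROTO:255} 10.0.0.5 -> 10.0.2.1",
    "Mar  4 09:15:10 hist1 sshd[880]: Accepted publickey for operator from 10.0.0.20 port 51022 ssh2",
]

if __name__ == "__main__":
    for ev in events_from_syslog(SAMPLE_SYSLOG):
        print(ev)
```

Keying the map on (gid, sid) rather than on the message text is deliberate: rule messages get reworded between rule-set revisions, while the identifiers are stable, and surfacing unmapped alerts as their own event is what tells the administrator a new signature needs a Portaledge mapping.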
MSRPC OS Fingerprint Enumeration Event
Definition: The MSRPC OS Fingerprint Enumeration Event will trigger an alert when a null session is created to the RPC service on port 135.
Description: By querying the RPC services on a Windows box it is possible to fingerprint the OS version and service pack.
Triggers
- MSRPC Fingerprint: This trigger will raise an alarm if a session is created with the RPC services on port 135.
Interfaces
- IP Flow: Used to detect the creation of a session on the RPC services port 135.
Nmap/Queso OS Fingerprint Enumeration Event
Definition: The Nmap/Queso OS Fingerprint Enumeration Event will trigger an alert when one of the triggers reaches a threshold. Each trigger has a threshold that the administrator may configure.
Description: Nmap performs OS fingerprinting primarily by analyzing TCP/IP response packets for artifacts indicative of the TCP/IP stack that created the responses.
Triggers
- Nmap fingerprint: This trigger will raise an alarm if Nmap style OS fingerprinting is detected.
Interfaces
- IP Flow: Used to characterize Nmap OS fingerprinting traffic.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
XProbe OS Fingerprint Enumeration Event
Definition: The XProbe OS Fingerprint Enumeration Event will trigger an alert when gratuitous UDP packets are detected being sent to closed ports.
Description: Xprobe-style fingerprinting sends a UDP packet to an assumed closed port and looks for artifacts in the ICMP reply to determine the OS that created it. This style of fingerprinting uses very few packets to generate a fairly certain OS identification.
Triggers
- XProbe Fingerprint: This trigger will raise an alarm if UDP packets are detected that are being sent to a closed port on one or more hosts.
Interfaces
- IP Flow: Used to detect gratuitous UDP packets to closed ports.
- Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.
Traceroute Enumeration Event
Definition: This event will trigger if traceroute UDP packets are detected.
Description: Traceroute uses the TTL field in IP packets to determine the route between a host and a target. Traceroute typically uses UDP packets aimed at ports ranging from 33434 to 33534.
Triggers
- Traceroute - This trigger will raise an alarm if UDP packets with destinations on the typical range are detected.
Interfaces
- IP Flow: Used to detect gratuitous UDP packets targeted at ports ranging from 33434 to 33534.
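The port range alone is a weak signal, since any UDP datagram can land in 33434-33534; what marks a traceroute is that the probes to that range start with a TTL of one and step it upward. The following added example, written for this page and not Portaledge code, applies both checks to per-packet records; the record layout, the minimum number of hops and all sample packets are constructed assumptions, while the port range is the one given above.

```python
"""Traceroute detection from per-packet records.  Added example, not Portaledge
code: the record layout, the MIN_HOPS threshold and the sample packets are
constructed assumptions; the UDP port range is the one given on this page."""
from collections import defaultdict

TRACEROUTE_PORTS = range(33434, 33535)   # 33434..33534 inclusive
MIN_HOPS = 3                             # assumed: fewer distinct TTLs looks like a stray datagram


def detect_traceroute(packets, min_hops=MIN_HOPS):
    """packets: iterable of (src, dst, proto, dport, ttl) tuples in arrival order.
    Returns sorted (src, dst) pairs whose UDP probes into the traceroute port range
    start with a small TTL and step the TTL upward, which is what distinguishes a
    traceroute from an unrelated UDP datagram that happens to land in that range."""
    ttl_seqs = defaultdict(list)
    for src, dst, proto, dport, ttl in packets:
        if proto == "UDP" and dport in TRACEROUTE_PORTS:
            ttl_seqs[(src, dst)].append(ttl)
    hits = []
    for pair, seq in ttl_seqs.items():
        # classic traceroute sends several probes per hop, so TTLs repeat but never drop
        non_decreasing = all(b >= a for a, b in zip(seq, seq[1:]))
        if seq[0] <= 2 and non_decreasing and len(set(seq)) >= min_hops:
            hits.append(pair)
    return sorted(hits)


# Constructed packets: a classic traceroute (three probes per hop, TTL 1..3) from
# 10.0.0.5 to the historian, one stray UDP datagram in the range with a normal
# TTL, and a Modbus/TCP poll that is not UDP at all.
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.1.10", "UDP", 33434 + i, 1 + i // 3) for i in range(9)]
    + [("10.0.0.20", "10.0.1.10", "UDP", 33434, 64),
       ("10.0.0.20", "10.0.2.1", "TCP", 502, 64)]
)

if __name__ == "__main__":
    print(detect_traceroute(SAMPLE_PACKETS))   # [('10.0.0.5', '10.0.1.10')]
```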
Windows NetBios Null Session Enumeration Event
Definition: This event will trigger if a NetBios Null Session is created to port 139 or 445.
Description: Through the creation of a NetBios Null Session an attacker can enumerate various information on a Windows domain, including: systems on the domain, user accounts, domain administrators and other useful information.
NetBios Ports useful for enumeration:
- 135 TCP Location Service (RPC endpoint mapping)
- 135 UDP Location Service (RPC endpoint mapping)
- 137 TCP NETBIOS Name Service
- 137 UDP NETBIOS Name Service
- 138 TCP NETBIOS Datagram Service
- 138 UDP NETBIOS Datagram Service
- 139 TCP NETBIOS Session Service
- 139 UDP NETBIOS Session Service
- 445 TCP SMB/CIFS
Port 139 or 445 TCP must be open for the creation of a NetBios Null Session. The other ports may be required for various information gathering activities.
Triggers
- NetBios Null Session Creation - This trigger will raise an alarm if the creation of a NetBios Null Session is detected.
Interfaces
- IP Flow: Used to detect the creation of a NetBios Null Session on port 139 or 445.
Windows WMI Enumeration Event
Definition: This event will trigger if.... (this is in flux as I am not sure yet how to detect this).
Description: Windows WMI services allow for the remote management of networked systems and can be used to enumerate USB drives, SMB shares/files, BIOS version, available ports and applications depending upon the configuration, and, depending upon password requirements, some older versions of Windows allow for unauthenticated WMI sessions. WMI does not use a set port by default but is instead assigned a port by the DCOM service on port 135.
Triggers
- WMI Session Creation - This trigger will raise an alarm if
Interfaces
Windows RPC DCE Services Enumeration Event
Definition: This event will trigger if a null session is created to port 135.
Description: By sending a lookup request to the DCOM portmapper on port 135 it is possible to enumerate DCOM allocated ports.
Triggers
- RPC DCE Enumeration - This trigger will raise an alarm if a null session is established with port 135.
Interfaces
- IP Flow: Used to detect the creation of a null RPC session.
snmpwalk Enumeration Event
Definition: This event will trigger if any session to port 161 or port 162 (standard SNMP ports) is created.
Description: SNMP is a network management protocol that is often left unsecured and uses TCP or UDP connections on port 161 (general SNMP messages) and port 162 (SNMP trap messages). If the SNMP service is unsecured an attacker can snmpwalk the information available via the service. This will often reveal: OS fingerprint, port enumeration, process enumeration, shares enumeration, network interface enumeration, addresses of other hosts known by the system, and route enumeration. Some passwords, such as the HP JetDirect password, may also be revealed using SNMP walking.
Triggers
- snmpwalk - This trigger will raise an alarm if any session is established with port 161 or 162 via either TCP or UDP.
Interfaces
- IP Flow: Used to detect the creation of a session with the SNMP services.
SMB Enumeration Event
Definition: This event will trigger if any Null or Guest session to port 445 is created.
Description: By connecting to the SMB service on port 445 with a Null or Guest session it is possible to enumerate:
- the SMB shares
- user accounts
- available services
- some registry information
- domain SIDs
Triggers
- SMB Enumeration - This trigger will raise an alarm if any session is established with port 445.
Interfaces
- IP Flow: Used to detect the creation of a session with the SMB services.
RPC Services Enumeration Event
Definition: This event will trigger if any Null or Guest session to port 111 is created.
Description: An attacker can send DUMP requests to the RPC portmapper and enumerate which services are running on ONC RPC assigned ports. The portmapper service generally resides on port 111. This allows for the enumeration of both ports and services.
Triggers
- RPC Enumeration - This trigger will raise an alarm if any session is established with port 111.
Interfaces
- IP Flow: Used to detect the creation of a session with the RPC services.
Citrix Published Applications Remote Enumeration Event
Definition: This event will trigger if any session to port 1494 (standard Citrix ICA port) is created from the outside.
Description: Older versions of Citrix are vulnerable to disclosure of the Citrix published application list.
Triggers
- Citrix Application Enumeration - This trigger will raise an alarm if any session is established with port 1494 from an external IP.
Interfaces
- IP Flow: Used to detect the creation of a session with the Citrix ICA service.
finger User Enumeration Event
Definition: This event will trigger if any session to port 79 (standard finger port) is created.
Description: Through querying the finger service (if enabled) an attacker can enumerate the user accounts on a system.
Triggers
- finger - This trigger will raise an alarm if any session is established with port 79.
Interfaces
- Syslog: Used to gather data from the firewall logs.
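The NetBios Null Session, RPC DCE, snmpwalk, SMB, RPC, Citrix and finger events above share one shape: a session from IP Flow to a known service port raises the event. Implemented literally, "any session to port 161" fires on every poll by the network management station, so a practitioner adds two things the definitions leave implicit: an allowlist of authorised pollers and, for the Citrix event, a check that the source is actually external. The following is an added example written for this page, not Portaledge code; the internal address range, the authorised-poller list and the sample sessions are constructed assumptions, while the port-to-event mapping follows the events listed on this page.

```python
"""Service-session enumeration events (NetBios/SMB, RPC, SNMP, Citrix, finger)
from IP Flow session records.  Added example, not Portaledge code: the internal
network range, the authorised-poller list and the sample sessions are
constructed assumptions; the port-to-event mapping follows this page."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed plant address space
AUTHORISED_POLLERS = {"10.0.0.20"}                     # assumed NMS/SCADA server allowed to poll

# (proto, dport) -> (events raised, only when the source is external?)
# Port 445 belongs to both the NetBios Null Session and SMB events on this page.
SERVICE_EVENTS = {
    ("TCP", 135): (("Windows RPC DCE Services Enumeration Event",), False),
    ("TCP", 139): (("Windows NetBios Null Session Enumeration Event",), False),
    ("TCP", 445): (("Windows NetBios Null Session Enumeration Event",
                    "SMB Enumeration Event"), False),
    ("TCP", 161): (("snmpwalk Enumeration Event",), False),
    ("UDP", 161): (("snmpwalk Enumeration Event",), False),
    ("TCP", 162): (("snmpwalk Enumeration Event",), False),
    ("UDP", 162): (("snmpwalk Enumeration Event",), False),
    ("TCP", 111): (("RPC Services Enumeration Event",), False),
    ("TCP", 1494): (("Citrix Published Applications Remote Enumeration Event",), True),
    ("TCP", 79): (("finger User Enumeration Event",), False),
}


def is_external(ip):
    """True when the address lies outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def service_events(sessions):
    """sessions: iterable of (src, dst, proto, dport).  Returns (event, src, dst) alarms,
    suppressing authorised pollers and honouring external-only rules."""
    alarms = []
    for src, dst, proto, dport in sessions:
        rule = SERVICE_EVENTS.get((proto, dport))
        if rule is None or src in AUTHORISED_POLLERS:
            continue                          # no rule, or expected management traffic
        events, external_only = rule
        if external_only and not is_external(src):
            continue                          # Citrix event is defined for outside sources only
        alarms.extend((ev, src, dst) for ev in events)
    return alarms


def sources_touching_many(alarms, min_events=2):
    """Sources that raised at least min_events distinct enumeration events: one host
    walking SNMP, SMB and finger in turn is a far stronger signal than any single session."""
    distinct = defaultdict(set)
    for event, src, _dst in alarms:
        distinct[src].add(event)
    return {src: len(evs) for src, evs in distinct.items() if len(evs) >= min_events}


# Constructed sessions: the NMS polling SNMP (expected), 10.0.0.5 touching SNMP,
# SMB, finger and Citrix from inside, an external host reaching Citrix ICA, and
# a Modbus/TCP poll that matches no rule.
SAMPLE_SESSIONS = [
    ("10.0.0.20", "10.0.2.1", "UDP", 161),
    ("10.0.0.5", "10.0.1.10", "UDP", 161),
    ("10.0.0.5", "10.0.1.10", "TCP", 445),
    ("10.0.0.5", "10.0.1.11", "TCP", 79),
    ("10.0.0.5", "10.0.1.12", "TCP", 1494),
    ("203.0.113.7", "10.0.1.12", "TCP", 1494),
    ("10.0.0.5", "10.0.2.1", "TCP", 502),
]

if __name__ == "__main__":
    found = service_events(SAMPLE_SESSIONS)
    for alarm in found:
        print(alarm)
    print(sources_touching_many(found))   # {'10.0.0.5': 4}
```

The allowlist is the part that needs care: it should hold only the management stations that are meant to poll these services, and a session from an allowlisted address to a service it has never polled before is still worth a lower-priority event, since a compromised management station is exactly the host an attacker would enumerate from.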
