Ethical Hacking and Countermeasures v8
Module 03: Scanning Networks
Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Module 03 Page 263
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Security News
Oct 18 2012

Saliently Sality Botnet Trapped Scanning IPv4 Address Space

Source: http://www.spamfighter.com
A semi-famous botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers has been
controlled toward determining the entire IPv4 address space without setting off alerts, claims a
new study, published by Paritynews.com, on October 10, 2012.
Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and
stealing data. But the latest research has disclosed other purposes, including recognizing
susceptible VoIP targets that could be used in toll fraud attacks.
Through a method called "reverse-byte order scanning," Sality can be administered toward
scanning possibly the whole IPv4 space, devoid of being recognized. That's the only reason the
technique uses a very small number of packets that come from various sources.
The selection of the target IP addresses develops in reverse-byte-order increments. Also, there
are many bots contributing to the scan. The conclusion is that a solitary network would obtain
scanning packets "diluted" over a huge period of time (12 days in this case, from various
sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair
King, as published by Softpedia.com on October 9, 2012).
According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's
the first time that such a happening has been both noticed and documented, as reported by
Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been
accepted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying
any event like this one.
According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be
the first time that researchers have recognized a botnet that utilizes this scanning method by
employing reverse-byte sequential increments of target IP addresses. The botnet uses classy
"orchestration" methods to evade detection. It can be simply stated that the botnet operator
categorized the scans at around 3 million bots for scanning the full IPv4 address space through
a scanning pattern that disperses coverage and partly covers, but is unable to be noticed by
present automation, as published by darkreading.com on October 4, 2012.

Copyright © SPAMfighter 2003-2012

http://www.spamfighter.com/News-1799B-Salier1tlv-Salitv-Botnet-Trapped-Scanning-IPv4Address-Space.htm
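The article explains that reverse-byte-order increments "dilute" the probes any single network receives. The following Python is an added illustration, not part of the news item or the UCSD study: it models the address ordering the article describes and works out how thinly the probes are spread over one network, which is why a per-network threshold ("N probes in T minutes") never fires on a sweep like this. The only figure taken from the article is the 12-day duration; the functions, names and the byte-aligned prefix model are this example's own assumptions.

```python
"""Reverse-byte-order scanning: what one network's sensor actually sees.

Added example (not course material). The counter that selects the next target
is incremented in reverse byte order, so the first octet changes fastest.
"""
import ipaddress

# From the article above: the whole IPv4 space was covered in about 12 days.
SCAN_DURATION_S = 12 * 24 * 3600


def reverse_byte_addr(k: int) -> str:
    """Address probed at step k when the 32-bit counter is incremented in reverse byte order.

    The lowest byte of the counter becomes the FIRST octet, so step 1 is 1.0.0.0,
    step 255 is 255.0.0.0 and step 256 is 0.1.0.0: consecutive probes land in
    different /8 networks instead of walking through one subnet.
    """
    a, b, c, d = (k & 0xFFFFFFFF).to_bytes(4, "little")
    return f"{a}.{b}.{c}.{d}"


def probe_steps_for_prefix(prefix: str, upto: int) -> list:
    """Steps below `upto` whose probe falls inside `prefix` (brute force; keep upto small)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [k for k in range(upto) if ipaddress.ip_address(reverse_byte_addr(k)) in net]


def probe_spacing(prefix_len: int) -> tuple:
    """(probes per full sweep, counter steps between two probes) for a /prefix_len network.

    Fixing the first prefix_len/8 octets fixes the LOW bits of the counter, so the
    network is revisited only every 2**prefix_len steps, 2**(32 - prefix_len) times
    in total. Only byte-aligned prefixes (/8, /16, /24) are modelled here (assumption).
    """
    if prefix_len not in (8, 16, 24):
        raise ValueError("byte-aligned prefix lengths only")
    return 2 ** (32 - prefix_len), 2 ** prefix_len


def seconds_between_probes(prefix_len: int, duration_s: int = SCAN_DURATION_S) -> float:
    """Wall-clock gap between two probes as seen by a sensor covering one /prefix_len."""
    probes, _ = probe_spacing(prefix_len)
    return duration_s / probes


if __name__ == "__main__":
    for plen in (8, 16, 24):
        print(f"/{plen}: one probe every {seconds_between_probes(plen):.1f} s")
```

For a /24 the 256 probes are spread evenly over the whole 12-day sweep, one every 67.5 minutes and each from a different bot; a sensor watching a /16 still sees only one probe every 16 seconds. Detecting this pattern therefore needs correlation across many networks (or a darknet of telescope size), not a per-subnet rate threshold.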



Module Objectives
Once an attacker identifies his/her target system and does the initial reconnaissance,
as discussed in the footprinting and reconnaissance module, the attacker concentrates on
getting a mode of entry into the target system. It should be noted that scanning is not limited
to intrusion alone. It can be an extended form of reconnaissance in which the attacker learns
more about his/her target, such as what operating system is used, which services are
running on the systems, and whether any configuration lapses can be identified. The attacker can
then strategize his/her attack, factoring in these aspects.
This module will familiarize you with:
• Overview of Network Scanning
• Use of Proxies for Attack
• CEH Scanning Methodology
• Proxy Chaining
• Checking for Live Systems
• HTTP Tunneling Techniques
• Scanning Techniques
• SSH Tunneling
• IDS Evasion Techniques
• Anonymizers
• Banner Grabbing
• IP Spoofing Detection Techniques
• Vulnerability Scanning
• Scanning Countermeasures
• Drawing Network Diagrams
• Scanning Pen Testing


Overview of Network Scanning
• Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network
• Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization
The attacker sends TCP/IP probes to the network and gets network information back.
Objectives of Network Scanning:
• To discover live hosts, IP addresses, and open ports of live hosts
• To discover operating systems and system architecture
• To discover services running on hosts
• To discover vulnerabilities in live hosts

Overview of Network Scanning
As we already discussed, footprinting is the first phase of hacking, in which the
attacker gains information about a potential target. Footprinting alone is not enough for
hacking because in that phase you gather only the primary information about the target. You can
use this primary information in the next phase to gather many more details about the target.
The process of gathering additional details about the target using highly complex and
aggressive reconnaissance techniques is called scanning.
The idea is to discover exploitable communication channels, to probe as many listeners as
possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning
phase, you can find various ways of intruding into the target system. You can also discover
more about the target system, such as what operating system is used, what services are
running, and whether or not there are any configuration lapses in the target system. Based on
the facts that you gather, you can form a strategy to launch an attack.
Types of Scanning
• Port scanning - Open ports and services
• Network scanning - IP addresses
• Vulnerability scanning - Presence of known weaknesses


In a traditional sense, the access points that a thief looks for are the doors and windows. These
are usually the house's points of vulnerability because of their relatively easy accessibility.
When it comes to computer systems and networks, ports are the doors and windows of the
system that an intruder uses to gain access. The more ports that are open, the more points of
vulnerability there are; the fewer ports that are open, the more secure the system is. This is simply a
general rule. In some cases, the level of vulnerability may be high even though few ports are
open.
Network scanning is one of the most important phases of intelligence gathering. During the
network scanning process, you can gather information about specific IP addresses that can be
accessed over the Internet, their targets' operating systems, system architecture, and the
services running on each computer. In addition, the attacker also gathers details about the
networks and their individual host systems.

FIGURE 3.1: Network Scanning Diagram (the attacker sends TCP/IP probes to the network and gets network information back)

Objectives of Network Scanning
If you have a large amount of information about a target organization, there are
greater chances for you to learn the weaknesses and loopholes of that particular organization,
and consequently, to gain unauthorized access to its network.
Before launching the attack, the attacker observes and analyzes the target network from
different perspectives by performing different types of reconnaissance. How to perform
scanning and what type of information is to be obtained during the scanning process entirely
depends on the hacker's viewpoint. There may be many objectives for performing scanning,
but here we will discuss the most common objectives that are encountered during the hacking
phase:
• Discovering live hosts, IP addresses, and open ports of live hosts running on the network.
• Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network.
• Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
• Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
• Detecting the associated network service of each port.


CEH Scanning Methodology
The first step in scanning the network is to check for live systems.
The methodology covers the following stages:
• Check for Live Systems
• Check for Open Ports
• Scanning Beyond IDS
• Banner Grabbing
• Scan for Vulnerability
• Draw Network Diagrams
• Prepare Proxies
• Scanning Pen Testing
This section highlights how to check for live systems with the help of ICMP scanning, how to
ping a system, and various ping sweep tools.


Checking for Live Systems - ICMP Scanning
• Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return
an ICMP ECHO reply
• This scan is useful for locating active devices or determining if ICMP is passing through a
firewall
The source (192.168.168.3) sends an ICMP Echo Request to the destination (192.168.168.5), which answers with an ICMP Echo Reply.
The ping scan output using Nmap is shown in Figure 3.3 (Zenmap, command: nmap -sn 192.168.168.5).
http://nmap.org

Checking for Live Systems - ICMP Scanning
ICMP Scanning
All required information about a system can be gathered by sending ICMP packets to it. Since
ICMP does not have a port abstraction, this cannot be considered a case of port scanning.
However, it is useful to determine which hosts in a network are up by pinging them all (the -P
option does this; ICMP scanning is now done in parallel, so it can be quick). The user can also
increase the number of pings in parallel with the -L option. It can also be helpful to tweak the
ping timeout value with the -T option.

ICMP Query
The UNIX tool ICMPquery or ICMPush can be used to request the time on the system (to find
out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The
netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS
MASK REQUEST). After finding the netmask of a network card, one can determine all the
subnets in use. After gaining information about the subnets, one can target only one particular
subnet and avoid hitting the broadcast addresses.
ICMPquery has both a timestamp and address mask request option:
icmpquery <query> [-B] [-f fromhost] [-d delay] [-T time] target
Where
<query> is one of:
-t: icmp timestamp request (default)
-m: icmp address mask request
-d: delay to sleep between packets, in microseconds.
-T: specifies the number of seconds to wait for a host to respond. The default is 5.
A target is a list of hostnames or addresses.
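The message types named above (Echo, Timestamp and Address Mask requests) share the same 8-byte ICMP header and RFC 792 checksum. The following Python is an added example, not code from the course or from ICMPquery: it builds those messages with a valid checksum, parses them back, verifies the checksum, and flags the two query types that leak a host's clock and subnet layout so an inbound filter can drop them. The message layout and checksum are standard; the function names and the "drop" policy are this example's own choices, and the sample packets are constructed here.

```python
"""Build, parse and classify ICMP messages (added example, not course code)."""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
ADDRESS_MASK_REQUEST, ADDRESS_MASK_REPLY = 17, 18
# Query types that reveal time zone / clock and subnet mask; ordinary hosts never need
# to answer them from the Internet, so a border filter can drop them (policy assumption).
INFO_LEAK_REQUESTS = {TIMESTAMP_REQUEST, ADDRESS_MASK_REQUEST}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length payloads
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Header is type(1) code(1) checksum(2) identifier(2) sequence(2), then payload.

    With a 56-byte payload this gives the classic 64-byte ping message.
    """
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the header, verify the checksum and classify the message."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole message including its checksum field yields 0 when intact.
    return {
        "type": msg_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload_len": len(packet) - 8,
        "checksum_ok": icmp_checksum(packet) == 0,
        "info_leak_query": msg_type in INFO_LEAK_REQUESTS,
    }


def should_drop_inbound(packet: bytes) -> bool:
    """Filter decision: drop malformed messages and information-leaking queries.

    Echo requests are passed here; whether to answer ping at all is a separate
    site policy (the course notes that ICMP may be blocked at the firewall).
    """
    try:
        info = parse_icmp(packet)
    except ValueError:
        return True
    return (not info["checksum_ok"]) or info["info_leak_query"]


if __name__ == "__main__":
    # Constructed samples: a 64-byte ping and a timestamp query (12-byte timestamp area).
    for pkt in (build_icmp(ECHO_REQUEST, 0x1234, 1, bytes(56)),
                build_icmp(TIMESTAMP_REQUEST, 0x1234, 1, bytes(12))):
        print(parse_icmp(pkt), "drop" if should_drop_inbound(pkt) else "allow")
```

Type 13 (timestamp) and type 17 (address mask) requests are what ICMPquery's -t and -m options send; the parser lets a sensor count those requests per source, which is a far more specific signal than generic ICMP volume.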

FIGURE 3.2: ICMP Query Diagram (Source 192.168.168.3 sends an ICMP Echo Request; Destination 192.168.168.5 returns an ICMP Echo Reply)

Ping Scan Output Using Nmap
Source: http://nmap.org
Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you
can determine the live hosts on a network. It performs ping scans by sending ICMP ECHO
requests to all the hosts on the network. If a host is live, it sends back an ICMP ECHO
reply. This scan is useful for locating active devices or determining if ICMP is passing through a
firewall.
The following screenshot shows the sample output of a ping scan using Zenmap, the official
cross-platform GUI for the Nmap Security Scanner:

Zenmap - Target: 192.168.168.5, Profile: Ping scan, Command: nmap -sn 192.168.168.5

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 13:02 EDT
Nmap scan report for 192.168.168.5
Host is up (0.06s latency).
MAC Address: (Dell)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

FIGURE 3.3: Zenmap Showing Ping Scan Output


Ping Sweep
• Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP
ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply
• Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of
hosts present in the subnet
• Attackers then use ping sweep to create an inventory of live systems in the subnet
The ping sweep output using Nmap is shown in Figure 3.5 (Zenmap, command: nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50); the source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5 through 192.168.168.8 and the live hosts return ICMP Echo Replies.
http://nmap.org

Ping Sweep
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique
to determine which range of IP addresses map to live hosts (computers). While a single ping
tells the user whether one specified host computer exists on the network, a ping sweep consists
of ICMP ECHO requests sent to multiple hosts.

ICMP ECHO Reply
If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest
methods to scan a network. This utility is distributed across almost all platforms, and acts like a
roll call for systems; a system that is live on the network answers the ping query that is sent by
another system.


FIGURE 3.4: Ping Sweep Diagram (Source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5, 192.168.168.6, 192.168.168.7 and 192.168.168.8; each live host answers with an ICMP Echo Reply)

TCP/IP Packet
To understand ping, you should be able to understand the TCP/IP packet. When a system pings,
a single packet is sent across the network to a specific IP address. This packet contains 64 bytes,
i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a
return packet from the target system. A good return packet is expected only when the
connections are good and when the targeted system is active. Ping also determines the number
of hops that lie between the two computers and the round-trip time, i.e., the total time taken
by a packet to complete the trip. Ping can also be used for resolving host names. In this case, if
the packet bounces back when sent to the IP address, but not when sent to the name, then it is
an indication that the system is unable to resolve the name to the specific IP address.
Source: http://nmap.org
Using the Nmap Security Scanner you can perform a ping sweep. A ping sweep determines the IP
addresses of live hosts. This provides information about the live host IP addresses as well as
their MAC addresses. It allows you to scan multiple hosts at a time and determine the active hosts on
the network. The following screenshot shows the result of a ping sweep using Zenmap, the
official cross-platform GUI for the Nmap Security Scanner:
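A ping sweep like the one above is a "roll call" from one source to many destinations, which is exactly the signature a defender can look for. The following Python is an added example, not part of the course: it parses ICMP records from a constructed, syslog-like firewall log (the line format is invented for the example; adapt LINE_RE to your product's format) and raises an alert when one source sends echo requests to a threshold number of distinct hosts inside a sliding time window. The sample log, host addresses and thresholds are this example's own constructions.

```python
"""Detect ping sweeps in firewall/IDS logs (added example; log format is made up)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Invented line shape for this example: "<iso-timestamp> ICMP type=<n> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP type=(?P<type>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)
ECHO_REQUEST = 8

# Constructed sample log: host .3 sweeps .1-.12 within a few seconds; host .5 pings one
# server twice (normal); host .20 probes one new host every two minutes (a slow scan).
SAMPLE_LOG = (
    [f"2012-08-08T12:41:{i:02d} ICMP type=8 src=192.168.168.3 dst=192.168.168.{i}"
     for i in range(1, 13)]
    + [
        "2012-08-08T12:41:05 ICMP type=0 src=192.168.168.5 dst=192.168.168.3",
        "2012-08-08T12:41:07 ICMP type=8 src=192.168.168.5 dst=192.168.168.1",
        "2012-08-08T12:41:09 ICMP type=8 src=192.168.168.5 dst=192.168.168.1",
        "this line is not a log record",
    ]
    + [f"2012-08-08T12:{41 + 2 * i}:30 ICMP type=8 src=192.168.168.20 dst=192.168.168.{30 + i}"
       for i in range(6)]
)


def parse_line(line: str):
    """Return the fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "type": int(m["type"]),
            "src": m["src"], "dst": m["dst"]}


def detect_sweeps(lines, threshold: int = 10, window_s: int = 60) -> list:
    """One alert per source whose echo requests reach `threshold` distinct destinations
    inside any `window_s`-second window. Echo replies and unparsable lines are ignored."""
    records = [r for r in map(parse_line, lines) if r and r["type"] == ECHO_REQUEST]
    records.sort(key=lambda r: r["ts"])          # sliding windows need time order
    recent = defaultdict(deque)                   # src -> (ts, dst) still inside the window
    window = timedelta(seconds=window_s)
    alerted, alerts = set(), []
    for rec in records:
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        while rec["ts"] - q[0][0] > window:       # expire probes older than the window
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append({"src": rec["src"], "at": rec["ts"], "targets": len(targets)})
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG):
        print(f"{alert['at']} sweep from {alert['src']}: {alert['targets']} hosts")
```

With the defaults only the fast sweep from 192.168.168.3 is reported; the host probing one address every two minutes stays under a 60-second window. Widening the window (for example 10 minutes with a lower threshold) catches that slow scan too, at the cost of more memory per source. The trade-off is the same dilution the Sality report above describes: the slower and more distributed the scan, the longer the window a detector must keep.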


Zenmap - Target: 192.168.168.1-50, Command: nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50
Hosts found: 192.168.168.1, .3, .5, .13, .14, .15, .17, .19, .26, .28

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41
Nmap scan report for 192.168.168.1
Host is up (0.00s latency).
MAC Address: (Hewlett-Packard Company)
Nmap scan report for 192.168.168.3
Host is up (0.00s latency).
MAC Address: (Apple)
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
MAC Address: (Dell)
Nmap scan report for 192.168.168.13
Host is up (0.00s latency).
MAC Address: (Foxconn)
Nmap scan report for 192.168.168.14
Host is up (0.0020s latency).
...

FIGURE 3.5: Zenmap showing ping sweep output


Ping Sweep Tools
• SolarWinds Engineer Toolset's Ping Sweep enables scanning a range of IP addresses to identify which
IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.
• Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname,
determines the MAC address, scans ports, etc.
Angry IP Scanner - http://www.angryip.org

Ping Sweep Tools
Determining live hosts on a target network is the first step in the process of hacking
or breaking into a network. This can be done using ping sweep tools. A number of
ping sweep tools are readily available with which you can perform ping sweeps
easily. These tools allow you to determine the live hosts by sending ICMP ECHO requests to
multiple hosts at a time. Angry IP Scanner and Solarwinds Engineer's Toolset are two
commonly used ping sweep tools.

Angry IP Scanner
Source: http://www.angryip.org
Angry IP Scanner is an IP scanner tool. It identifies all non-responsive addresses as dead
nodes, resolves hostname details, and checks for open ports. The main features of this tool
are multiple-port scanning and configurable scanning columns. Its main goal is to find the active hosts
in the network by scanning all the IP addresses as well as ports. It runs on Linux, Windows, Mac
OS X, etc. It can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.


FIGURE 3.6: Angry IP Scanner Screenshot (IP Range 10.0.0.1 to 10.0.0.50; columns IP, Ping, Hostname, Ports; responding hosts include 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.5, 10.0.0.7 and 10.0.0.15, with open ports such as 80, 135, 139 and 445 listed; the remaining addresses show [n/a])

Solarwinds Engineer's Toolset
Source: http://www.solarwinds.com
The Solarwinds Engineer's Toolset is a collection of network engineer's tools. By using this
toolset you can scan a range of IP addresses and identify the IP addresses that are currently in use
and the IP addresses that are free. It also performs reverse DNS lookup.
FIGURE 3.7: Solarwinds Engineer's Toolset Screenshot (Ping Sweep with Starting IP Address and Ending IP Address fields; columns IP Address, Response Time and DNS Lookup; most addresses in the range show "Request Timed Out" while the responding ones show response times of 2-3 ms; status "Scan Completed")



Ping Sweep Tools (Cont'd)
In addition to Solarwinds Engineer's Toolset and Angry IP Scanner, there are many
other tools that feature ping sweep capabilities. For example:
• Colasoft Ping Tool available at http://www.colasoft.com
• Visual Ping Tester - Standard available at http://www.pingtester.net
• Ping Scanner Pro available at http://www.digilextechnologies.com
• Ultra Ping Pro available at http://ultraping.webs.com
• PingInfoView available at http://www.nirsoft.net
• PacketTrap MSP available at http://www.packettrap.com
• Ping Sweep available at http://www.whatsupgold.com
• Network Ping available at http://www.greenline-soft.com
• Ping Monitor available at http://www.niliand.com
• Pinkie available at http://www.ipuptime.net


So far we discussed how to check for live systems. Open ports are the doorways for an
attacker to launch attacks on systems. Now we will discuss scanning for open ports.
CEH Scanning Methodology stages: Check for Live Systems, Check for Open Ports (this section), Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing.
This section covers the three-way handshake, scanning IPv6 networks, and various scanning
techniques such as FIN scan, SYN scan, and so on.


Three-Way Handshake
TCP uses a three-way handshake to establish a connection between server and client.
Three-way Handshake Process
1. Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet with only the SYN flag set
2. The server replies with a packet with both the SYN and the ACK flags set
3. For the final step, the client responds back to the server with a single ACK packet
4. If these three steps are completed without complication, then a TCP connection is established between the client and the server

Three-Way Handshake
TCP is connection-oriented, which implies that a connection must be established before
data transfer between applications. This connection is possible through the process of the
three-way handshake. The three-way handshake is implemented for establishing the
connection between protocols.
The three-way handshake process goes as follows:
• To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the
destination (10.0.0.3:21).
• The destination, on receiving the SYN packet sent by the source, responds by
sending a SYN/ACK packet back to the source.
• This ACK packet confirms the arrival of the first SYN packet to the source.
• Finally, the source sends an ACK packet for the SYN/ACK packet sent by the
destination.
• This triggers an "OPEN" connection allowing communication between the source and
the destination, until either of them issues a "FIN" packet or a "RST" packet to close the
connection.


The TCP protocol maintains stateful connections for all connection-oriented protocols across
the Internet, and works the same as an ordinary telephone communication, in which one picks
up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other
end until a person picks up the receiver and says, "Hello."

FIGURE 3.8: Three-way Handshake Process (client Bill, 10.0.0.2:62000, exchanges SYN, SYN/ACK
and ACK with server Sheela, 10.0.0.3:21)

Establishing a TCP Connection
As we previously discussed, a TCP connection is established by the three-way handshake
method. As the name of the method implies, the connection is established in three main steps.
Source: http://support.microsoft.com/kb/172983
The following three frames will explain the establishment of a TCP connection between nodes
NTW3 and BDC3:

Frame 1:
In the first step, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the
server to synchronize the sequence numbers. It specifies its Initial Sequence Number (ISN),
which is incremented by 1 and that is sent to the server. To initialize a connection, the client
and server must synchronize each other's sequence numbers. There is also an option for the
Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4); this option
communicates the maximum segment size the sender wants to receive. The Acknowledgement
field (ack: 0) is set to zero because this is the first part of the three-way handshake.
1   2.0785 NTW3 --> BDC3 TCP ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP

TCP: ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221822 (0x7D747E)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP:   ..0..... = No urgent data
TCP:   ...0.... = Acknowledgement field not significant
TCP:   ....0... = No Push function
TCP:   .....0.. = No Reset
TCP:   ......1. = Synchronize sequence numbers
TCP:   .......0 = No Fin
TCP: Window = 8192 (0x2000)
TCP: Checksum = 0xF213
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP:   Option Kind (Maximum Segment Size) = 2 (0x2)
TCP:   Option Length = 4 (0x4)
TCP:   Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000:  02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010:  00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B   .,..@....K.k...k
00020:  02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02   .......}t~....`.
00030:  20 00 F2 13 00 00 02 04 05 B4 20 20                .........  


Frame 2:
In the second step, the server, BDC3, sends an ACK and a SYN on this segment (TCP .A..S.). In
this segment the server is acknowledging the request of the client for synchronization. At the
same time, the server is also sending its request to the client for synchronization of its
sequence numbers. There is one major difference in this segment: the server transmits an
acknowledgement number (8221823) to the client. The acknowledgement is just proof to the
client that the ACK is specific to the SYN the client initiated. To acknowledge the client's
request, the server increments the client's sequence number by one and uses it as its
acknowledgement number.

2   2.0786 BDC3 --> NTW3 TCP .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037 BDC3 --> NTW3 IP

TCP: .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037
TCP: Source Port = NETBIOS Session Service
TCP: Destination Port = 0x040D
TCP: Sequence Number = 1109645 (0x10EE8D)
TCP: Acknowledgement Number = 8221823 (0x7D747F)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x12 : .A..S.
TCP:   ..0..... = No urgent data
TCP:   ...1.... = Acknowledgement field significant
TCP:   ....0... = No Push function
TCP:   .....0.. = No Reset
TCP:   ......1. = Synchronize sequence numbers
TCP:   .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x012D
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP:   Option Kind (Maximum Segment Size) = 2 (0x2)
TCP:   Option Length = 4 (0x4)
TCP:   Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000:  02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00   .`.;...`......E.
00010:  00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B   .,[.@....L.k...k
00020:  02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12   ...........}t.`.
00030:  22 38 01 2D 00 00 02 04 05 B4 20 20               "8.-......  

Frame 3:
In the third step, the client sends an ACK on this segment (TCP .A....). In this segment, the client
is acknowledging the request from the server for synchronization. The client uses the same
algorithm the server implemented in providing an acknowledgement number. The client's
acknowledgment of the server's request for synchronization completes the process of
establishing a reliable connection, thus the three-way handshake.
3   2.787 NTW3 --> BDC3 TCP .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP

TCP: .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221823 (0x7D747F)
TCP: Acknowledgement Number = 1109646 (0x10EE8E)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP:   ..0..... = No urgent data
TCP:   ...1.... = Acknowledgement field significant
TCP:   ....0... = No Push function
TCP:   .....0.. = No Reset
TCP:   ......0. = No Synchronize
TCP:   .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x18EA
TCP: Urgent Pointer = 0 (0x0)
TCP: Frame Padding

00000:  02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010:  00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B   .(..@....O.k...k
00020:  02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10   .......}t.....P.
00030:  22 38 18 EA 00 00 20 20 20 20 20 20               "8....      

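The three frames above, decoded and replayed as an added example. This is the editor's code, not code from the module or from Microsoft KB 172983: only the hex bytes are copied from the page's frame dumps; the class, function names and state labels are the editor's own. The tracker also shows what a trace that stops after frame 2 looks like, which is the footprint of a half-open (SYN) scan.

```python
"""Decode the three handshake frames and replay them through a small TCP state
tracker.  Added example by the editor; not code from the EC-Council module or
from Microsoft KB 172983.  Only the hex bytes come from the page."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# The three frame dumps from the text (Ethernet II + IPv4 + TCP, no payload).
FRAMES_HEX = [
    # Frame 1: NTW3 -> BDC3, SYN
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 "
    "20 00 F2 13 00 00 02 04 05 B4 20 20",
    # Frame 2: BDC3 -> NTW3, SYN/ACK
    "02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00 "
    "00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B "
    "02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 "
    "22 38 01 2D 00 00 02 04 05 B4 20 20",
    # Frame 3: NTW3 -> BDC3, ACK
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 "
    "22 38 18 EA 00 00 20 20 20 20 20 20",
]

# Bit positions of the six classic TCP flags, low bit first.
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


@dataclass
class TcpSegment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    checksum: int
    mss: Optional[int]          # from the MSS option, if present

    def flag_names(self) -> List[str]:
        return [name for bit, name in FLAG_BITS if self.flags & bit]


def parse_frame(hexdump: str) -> TcpSegment:
    """Walk Ethernet -> IPv4 -> TCP and pull out the handshake-relevant fields."""
    raw = bytes.fromhex(hexdump)
    if raw[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                  # drops the Ethernet frame padding
    (src_port, dst_port, seq, ack,
     off_flags, window, checksum) = struct.unpack("!HHIIHHH", tcp[:18])
    data_offset = (off_flags >> 12) * 4      # TCP header length in bytes
    flags = off_flags & 0x01FF
    mss = None
    opts, i = tcp[20:data_offset], 0
    while i < len(opts) and opts[i] != 0:    # kind 0 = end of option list
        if opts[i] == 1:                     # kind 1 = NOP, has no length byte
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if kind == 2 and length == 4:        # Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return TcpSegment(src_ip, dst_ip, src_port, dst_port, seq, ack,
                      flags, window, checksum, mss)


def track_handshake(segments: List[TcpSegment]) -> str:
    """Replay the segments of one connection in order and return the resulting
    state.  Stopping at SYN_RECEIVED is what a half-open (SYN) scan leaves
    behind: the initiator never sends the third-step ACK."""
    state, client_isn, server_isn = "CLOSED", None, None
    for seg in segments:
        syn, ack = bool(seg.flags & 0x02), bool(seg.flags & 0x10)
        if seg.flags & 0x04:
            return "RESET"
        if state == "CLOSED" and syn and not ack:
            client_isn, state = seg.seq, "SYN_SENT"
        elif state == "SYN_SENT" and syn and ack:
            if seg.ack != client_isn + 1:
                raise ValueError(f"SYN/ACK acknowledges {seg.ack}, expected {client_isn + 1}")
            server_isn, state = seg.seq, "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and ack and not syn:
            if seg.seq != client_isn + 1 or seg.ack != server_isn + 1:
                raise ValueError("final ACK does not match both ISNs")
            state = "ESTABLISHED"
        else:
            raise ValueError(f"unexpected {seg.flag_names()} in state {state}")
    return state


def decode_page_frames() -> List[TcpSegment]:
    return [parse_frame(h) for h in FRAMES_HEX]


if __name__ == "__main__":
    segs = decode_page_frames()
    for n, s in enumerate(segs, 1):
        print(f"Frame {n}: {s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} "
              f"{'/'.join(s.flag_names())} seq={s.seq} ack={s.ack} win={s.window} mss={s.mss}")
    print("after three frames:", track_handshake(segs))
    print("after two frames:  ", track_handshake(segs[:2]))
```

The IP header is sliced by its own length field so the two trailing Ethernet padding bytes (0x20 0x20) never reach the TCP parser; without that step a naive parser would misread them as option data.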

TCP Communication Flags

Standard TCP communications are controlled by flags in the TCP packet header:
- URG (Urgent): Data contained in the packet should be processed immediately
- FIN (Finish): There will be no more transmissions
- RST (Reset): Resets a connection
- PSH (Push): Sends all buffered data immediately
- ACK (Acknowledgement): Acknowledges the receipt of a packet
- SYN (Synchronize): Initiates a connection between hosts

TCP Communication Flags
Standard TCP communications are governed by the flags in the TCP packet header. These flags
control the connection between hosts and give instructions to the system. The following are
the TCP communication flags:
- Synchronize, alias "SYN": SYN notifies transmission of a new sequence number
- Acknowledgement, alias "ACK": ACK confirms receipt of a transmission and identifies the
  next expected sequence number
- Push, alias "PSH": the system accepts the request and forwards buffered data
- Urgent, alias "URG": instructs that the data contained in the packet be processed as soon
  as possible
- Finish, alias "FIN": announces that no more transmissions will be sent to the remote system
- Reset, alias "RST": resets a connection

SYN scanning mainly deals with three of the flags, namely SYN, ACK, and RST. You can use
these three flags to gather information from servers during the enumeration process.
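An added example of how a defender turns the flag semantics above, together with the ACK scan on port 80 shown later in this section, into a detection. This is the editor's code, not code from the module or from hping: the host addresses, the event stream and the thresholds are constructed for illustration, and the flag letters follow the tcpdump/hping convention (S, A, R, F, P, U).

```python
"""Flag-sequence analysis that tells a completed three-way handshake from
half-open SYN probes and unsolicited ACK probes.  Added example by the
editor; the events, addresses and thresholds are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (time, src_ip, src_port, dst_ip, dst_port, flags) as a sensor might emit.
Event = Tuple[float, str, int, str, int, str]

TARGET = "10.0.0.2"      # constructed addresses
CLIENT = "10.0.0.5"
SCANNER = "10.0.0.9"


def build_events() -> List[Event]:
    """Constructed traffic: one real connection, one half-open sweep and a
    run of ACK probes against port 80."""
    ev: List[Event] = []
    # Legitimate client: full SYN, SYN/ACK, ACK handshake to port 80.
    ev += [(0.000, CLIENT, 50000, TARGET, 80, "S"),
           (0.001, TARGET, 80, CLIENT, 50000, "SA"),
           (0.002, CLIENT, 50000, TARGET, 80, "A")]
    # Half-open sweep: open ports answer SYN/ACK and receive a RST instead of
    # the third-step ACK; closed ports answer RST/ACK.
    open_ports = {22, 80, 139, 445}
    for i, dport in enumerate([21, 22, 23, 25, 80, 139, 443, 445]):
        t, sport = 1.0 + i * 0.01, 40000 + i
        ev.append((t, SCANNER, sport, TARGET, dport, "S"))
        if dport in open_ports:
            ev.append((t + 0.001, TARGET, dport, SCANNER, sport, "SA"))
            ev.append((t + 0.002, SCANNER, sport, TARGET, dport, "R"))
        else:
            ev.append((t + 0.001, TARGET, dport, SCANNER, sport, "RA"))
    # ACK probes to port 80 with no preceding SYN; the host answers RST.
    for i in range(5):
        t, sport = 2.0 + i * 0.01, 41000 + i
        ev.append((t, SCANNER, sport, TARGET, 80, "A"))
        ev.append((t + 0.001, TARGET, 80, SCANNER, sport, "R"))
    return ev


def analyse(events: List[Event], port_threshold: int = 5,
            ack_threshold: int = 3) -> Dict[str, dict]:
    """Group packets into flows keyed by whoever sent the first packet, then
    classify each flow by the flag sequence seen from each side."""
    flows: Dict[Tuple[str, int, str, int], List[Tuple[str, str]]] = {}
    for _, src, sport, dst, dport, flags in sorted(events, key=lambda e: e[0]):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:
            flows[rev].append(("server", flags))
        else:
            flows.setdefault(fwd, []).append(("client", flags))

    report: Dict[str, dict] = defaultdict(lambda: {
        "probed_ports": set(), "half_open": 0, "unsolicited_ack": 0, "completed": 0})
    for (client, _, _, dport), seq in flows.items():
        r = report[client]
        first = seq[0][1]
        later_client = [f for side, f in seq[1:] if side == "client"]
        server = [f for side, f in seq if side == "server"]
        if "S" in first and "A" not in first:            # flow opened with a SYN
            got_synack = any("S" in f and "A" in f for f in server)
            if got_synack and any("A" in f and "R" not in f for f in later_client):
                r["completed"] += 1                       # genuine handshake
            else:
                r["probed_ports"].add(dport)
                r["half_open"] += int(got_synack)        # SYN/ACK never acknowledged
        elif "A" in first and "S" not in first:          # ACK without a prior SYN
            r["unsolicited_ack"] += 1
            r["probed_ports"].add(dport)

    for r in report.values():
        verdicts = []
        if r["half_open"] and len(r["probed_ports"]) >= port_threshold:
            verdicts.append("SYN (half-open) scan")
        if r["unsolicited_ack"] >= ack_threshold:
            verdicts.append("ACK probe")
        r["verdicts"] = verdicts
    return dict(report)


if __name__ == "__main__":
    for host, r in analyse(build_events()).items():
        print(host, sorted(r["probed_ports"]), "half-open:", r["half_open"],
              "unsolicited ACK:", r["unsolicited_ack"], r["verdicts"])
```

The legitimate client produces one flow whose client side sends SYN and then a clean ACK, so it is counted as completed and raises no verdict; the scanner's flows either end in a RST from the initiator after the SYN/ACK, or begin with a bare ACK, which are the two patterns the module describes for SYN and ACK scanning.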


FIGURE 3.9: TCP Communication Flags (TCP header layout, 0-31 bits: Acknowledgement No,
Offset, Res, TCP Flags, Window, TCP Checksum, Urgent Pointer, Options)


Create Custom Packets Using TCP Flags

Colasoft Packet Builder

- Colasoft Packet Builder enables creating custom network packets to audit networks for
  various attacks
- Attackers can also use it to create fragmented packets to bypass firewalls and IDS systems
  in a network

[Screenshot: Colasoft Packet Builder Decode Editor showing the Packet Info, Ethernet Type II
and IP header fields of a 60-byte packet]

http://www.colasoft.com

Create Custom Packets Using TCP Flags
Source: http://www.colasoft.com
Colasoft Packet Builder is a tool that allows you to create custom network packets and also
allows you to check the network against various attacks. It allows you to select a TCP packet
from the provided templates, and change the parameters in the decoder editor, hexadecimal
editor, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet
Builder also supports saving packets to packet files and sending packets to the network.


FIGURE 3.10: Colasoft Packet Builder Screenshot (Decode Editor and Hex Editor panes)


Scanning IPv6 Network

- IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of
  addressing hierarchy
- Traditional network scanning techniques will be computationally less feasible due to the
  larger search space (64 bits of host address space, or 2^64 addresses) provided by IPv6 in
  a subnet
- Scanning an IPv6 network is more difficult and complex than IPv4, and major scanning tools
  such as Nmap do not support ping sweeps on IPv6 networks
- Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or Received
  from: and other header lines in archived email or Usenet news messages
- Scanning an IPv6 network, however, offers a large number of hosts in a subnet if an
  attacker can compromise one host in the subnet; the attacker can probe the "all hosts"
  link-local multicast address

Scanning IPv6 Network
IPv6 increases the size of the IP address from 32 bits to 128 bits to support more levels of
addressing hierarchy. Traditional network scanning techniques will be computationally less
feasible due to the larger search space (64 bits of host address space, or 2^64 addresses)
provided by IPv6 in a subnet. Scanning an IPv6 network is more difficult and complex than IPv4,
and major scanning tools such as Nmap do not support ping sweeps on IPv6 networks. Attackers
need to harvest IPv6 addresses from network traffic, recorded logs, or Received from: and other
header lines in archived email or Usenet news messages to identify IPv6 addresses for
subsequent port scanning. Scanning an IPv6 network, however, offers a large number of hosts in
a subnet; if an attacker can compromise one host in the subnet, he can probe the "all hosts"
link-local multicast address.


Scanning Tool: Nmap

- Network administrators can use Nmap for network inventory, managing service upgrade
  schedules, and monitoring host or service uptime
- Attackers use Nmap to extract information such as live hosts on the network, services
  (application name and version), type of packet filters/firewalls, operating systems and
  OS versions

http://nmap.org

Scanning Tool: Nmap
Source: http://nmap.org
Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts
and services on a computer network, thus creating a "map" of the network. It sends specially
crafted packets to the target host and then analyzes the responses to accomplish its goal.
Either a network administrator or an attacker can use this tool for their particular needs.
Network administrators can use Nmap for network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Attackers use Nmap to extract information
such as live hosts on the network, services (application name and version), type of packet
filters/firewalls, operating systems, and OS versions.


[Screenshot: Zenmap running an Nmap scan, with the ping scan, SYN stealth scan, service scan
and OS detection output in the Nmap Output tab]

Hping2 / Hping3

- Tool for security auditing and testing firewalls and networks
- Command line packet crafter for the TCP/IP protocol
- Runs on both Windows and Linux operating systems

http://www.hping.org

[Screenshot: hping3 ACK scanning on port 80; the same output appears as Figure 3.13]

Hping2/Hping3
Source: http://www.hping.org
HPing2/HPing3 is a command-line-oriented TCP/IP packet assembler/analyzer that sends ICMP
echo requests and supports the TCP, UDP, ICMP, and raw-IP protocols. It has a traceroute mode
and can send files over a covert channel. It can send custom TCP/IP packets and display target
replies as a ping program does with ICMP replies. It handles fragmentation and arbitrary packet
body and size, and can be used to transfer files encapsulated in the supported protocols. It
supports idle host scanning. IP spoofing and network/host scanning can be used to perform an
anonymous probe for services.
An attacker studies the behavior of an idle host to gain information about the target, such as
the services that the host offers, the ports supporting the services, and the operating system
of the target. This type of scan is a predecessor to either heavier probing or outright attacks.
Features:
The following are some of the features of HPing2/HPing3:
- Determines whether the host is up even when the host blocks ICMP packets
- Advanced port scanning and testing of network performance using different protocols,
  packet sizes, TOS, and fragmentation
- Manual path MTU discovery
- Firewalk-like usage allows discovery of open ports behind firewalls
- Remote OS fingerprinting
- TCP/IP stack auditing

ICMP Scanning
A ping sweep, or Internet Control Message Protocol (ICMP) scanning, is a process of sending an
ICMP request or ping to all hosts on the network to determine which ones are up.
Operating systems, routers, switches and other IP-based devices use this protocol, via the ping
command, to exchange Echo Request and Echo Reply messages as a connectivity test between
different hosts.
The following screenshot shows ICMP scanning using the Hping3 tool:
root@bt:~# hping3 -1 10.0.0.2
HPING 10.0.0.2 (eth1 10.0.0.2): icmp mode set, 28 headers + 0 data bytes
len=28 ip=10.0.0.2 ttl=128 id=25908 icmp_seq=0 rtt=2.2 ms
len=28 ip=10.0.0.2 ttl=128 id=25909 icmp_seq=1 rtt=1.0 ms
len=28 ip=10.0.0.2 ttl=128 id=25910 icmp_seq=2 rtt=1.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25911 icmp_seq=3 rtt=0.5 ms
len=28 ip=10.0.0.2 ttl=128 id=25912 icmp_seq=4 rtt=0.4 ms
len=28 ip=10.0.0.2 ttl=128 id=25913 icmp_seq=5 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25914 icmp_seq=6 rtt=0.9 ms
len=28 ip=10.0.0.2 ttl=128 id=25915 icmp_seq=7 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25916 icmp_seq=8 rtt=0.9 ms
len=28 ip=10.0.0.2 ttl=128 id=25917 icmp_seq=9 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25918 icmp_seq=10 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25919 icmp_seq=11 rtt=1.2 ms
len=28 ip=10.0.0.2 ttl=128 id=25920 icmp_seq=12 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25921 icmp_seq=13 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25922 icmp_seq=14 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25923 icmp_seq=15 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25924 icmp_seq=16 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25925 icmp_seq=17 rtt=1.0 ms
FIGURE 3.12: Hping3 tool showing ICMP scanning output

ACK Scanning on Port 80
You can use this scan technique to probe for the existence of a firewall and its rule sets. A
simple packet filter will let packets with the ACK bit set through, since they look like part of
an established connection, whereas a sophisticated stateful firewall will not let you establish a
connection this way.
The following screenshot shows ACK scanning on port 80 using the Hping3 tool:


root@bt:~# hping3 -A 10.0.0.2 -p 80
HPING 10.0.0.2 (eth1 10.0.0.2): A set, 40 headers + 0 data bytes
len=40 ip=10.0.0.2 ttl=128 DF id=26085 sport=80 flags=R seq=0 win=0 rtt=1.3 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26086 sport=80 flags=R seq=1 win=0 rtt=0.8 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26087 sport=80 flags=R seq=2 win=0 rtt=1.0 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26088 sport=80 flags=R seq=3 win=0 rtt=0.9 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26089 sport=80 flags=R seq=4 win=0 rtt=0.9 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26090 sport=80 flags=R seq=5 win=0 rtt=0.5 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26091 sport=80 flags=R seq=6 win=0 rtt=0.7 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26092 sport=80 flags=R seq=7 win=0 rtt=0.8 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26093 sport=80 flags=R seq=8
FIGURE 3.13: Hping3 tool showing ACK scanning output


Hping Commands
The following table lists various scanning methods and respective Hping commands:

Scan                                              Command
ICMP ping                                         hping3 -1 10.0.0.25
ACK scan on port 80                               hping3 -A 10.0.0.25 -p 80
UDP scan on port 80                               hping3 -2 10.0.0.25 -p 80
Collecting initial sequence number                hping3 192.168.1.103 -Q -p 139
Firewalls and time stamps                         hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
SYN scan on port 50-60                            hping3 -8 50-56 -S 10.0.0.25 -V
FIN, PUSH and URG scan on port 80                 hping3 -F -P -U 10.0.0.25 -p 80
Scan entire subnet for live host                  hping3 -1 10.0.1.x --rand-dest -I eth0
Intercept all traffic containing HTTP signature   hping3 -9 HTTP -I eth0
SYN flooding a victim                             hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
TABLE 3.1: Hping Commands Table


Scanning Techniques

- TCP Connect / Full Open Scan
- Stealth Scans
- IDLE Scan
- ICMP Echo Scanning/List Scan
- SYN/FIN Scanning Using IP Fragments
- UDP Scanning
- Inverse TCP Flag Scanning
- ACK Flag Scanning

Scanning T echniques
Scanning is the process of gathering information about the systems that are alive and
responding on the network.
The port scanning techniques are designed to identify the open ports on a targeted server or
host. This is often used by administrators to verify security policies of their networks and by
attackers to identify running services on a host with the intent of compromising it.

Different types of scanning techniques employed include:
- TCP Connect / Full Open Scan
- Stealth Scans: SYN Scan (Half-open Scan), XMAS Scan, FIN Scan, NULL Scan
- IDLE Scan
- ICMP Echo Scanning/List Scan
- SYN/FIN Scanning Using IP Fragments
- UDP Scanning
- Inverse TCP Flag Scanning
- ACK Flag Scanning


The following is the list of important reserved ports:
Name

Port/Protocol

Description

echo

7/tcp

echo

7/udp

discard

9/tcp

sink null

discard

9/udp

sink null

systat

11/tcp

Users

daytime

13/tcp

daytime

13/udp

netstat

15/tcp

qotd

17/tcp

Quote

chargen

19/tcp

ttytst source

chargen

19/udp

ttytst source

ftp-data

20/tcp

ftp data transfer

ftp

21/tcp

ftp command

ssh

22/tcp

Secure Shell

telnet

23/tcp

smtp

25/tcp

Mail

time

37/tcp

Timeserver

time

37/udp

Timeserver

rip

39/udp

resource location

nicname

43/tcp

who is

domain

53/tcp

domain name server

domain

53/udp

domain name server

sql*net

66/tcp

Oracle SQL*net

sql*net

66/udp

Oracle SQL*net

bootps

67/tcp

bootp server

bootps

67/udp

bootp server

bootpc

68/tcp

bootp client

Name              Port/Protocol   Description
bootpc            68/udp          bootp client
tftp              69/tcp          Trivial File Transfer
tftp              69/udp          Trivial File Transfer
gopher            70/tcp          gopher server
finger            79/tcp          Finger
www-http          80/tcp          WWW
www-http          80/udp          WWW
kerberos          88/tcp          Kerberos
kerberos          88/udp          Kerberos
pop2              109/tcp         PostOffice V.2
pop3              110/tcp         PostOffice V.3
sunrpc            111/tcp         RPC 4.0 portmapper
sunrpc            111/udp         RPC 4.0 portmapper
auth/ident        113/tcp         Authentication Service
auth              113/udp         Authentication Service
audionews         114/tcp         Audio News Multicast
audionews         114/udp         Audio News Multicast
nntp              119/tcp         Usenet Network News Transfer
nntp              119/udp         Usenet Network News Transfer
ntp               123/tcp         Network Time Protocol
ntp               123/udp         Network Time Protocol
netbios-ns        137/tcp         NETBIOS Name Service
netbios-ns        137/udp         NETBIOS Name Service
netbios-dgm       138/tcp         NETBIOS Datagram Service
netbios-dgm       138/udp         NETBIOS Datagram Service
netbios-ssn       139/tcp         NETBIOS Session Service
netbios-ssn       139/udp         NETBIOS Session Service
imap              143/tcp         Internet Message Access Protocol
imap              143/udp         Internet Message Access Protocol
sql-net           150/tcp         SQL-NET
sql-net           150/udp         SQL-NET
sqlsrv            156/tcp         SQL Service
sqlsrv            156/udp         SQL Service
snmp              161/tcp
snmp              161/udp
snmp-trap         162/tcp
snmp-trap         162/udp
cmip-man          163/tcp         CMIP/TCP Manager
cmip-man          163/udp         CMIP
cmip-agent        164/tcp         CMIP/TCP Agent
cmip-agent        164/udp         CMIP
irc               194/tcp         Internet Relay Chat
irc               194/udp         Internet Relay Chat
at-rtmp           201/tcp         AppleTalk Routing Maintenance
at-rtmp           201/udp         AppleTalk Routing Maintenance
at-nbp            202/tcp         AppleTalk Name Binding
at-nbp            202/udp         AppleTalk Name Binding
at-3              203/tcp         AppleTalk
at-3              203/udp         AppleTalk
at-echo           204/tcp         AppleTalk Echo
at-echo           204/udp         AppleTalk Echo
at-5              205/tcp         AppleTalk
at-5              205/udp         AppleTalk
at-zis            206/tcp         AppleTalk Zone Information
at-zis            206/udp         AppleTalk Zone Information
at-7              207/tcp         AppleTalk
at-7              207/udp         AppleTalk
at-8              208/tcp         AppleTalk
at-8              208/udp         AppleTalk
ipx               213/tcp
ipx               213/udp
imap3             220/tcp         Interactive Mail Access Protocol v3
imap3             220/udp         Interactive Mail Access Protocol v3
aurp              387/tcp         AppleTalk Update-Based Routing
aurp              387/udp         AppleTalk Update-Based Routing
netware-ip        396/tcp         Novell Netware over IP
netware-ip        396/udp         Novell Netware over IP
rmt               411/tcp         Remote mt
rmt               411/udp         Remote mt
(name garbled)    445/tcp
(name garbled)    445/udp
isakmp            500/udp         ISAKMP/IKE
fcp               510/tcp         First Class Server
exec              512/tcp         BSD rexecd(8)
comsat/biff       512/udp         used by mail system to notify users
login             513/tcp         BSD rlogind(8)
who               513/udp         whod BSD rwhod(8)
shell             514/tcp         cmd BSD rshd(8)
syslog            514/udp         BSD syslogd(8)
printer           515/tcp         spooler BSD lpd(8)
printer           515/udp         Printer Spooler
talk              517/tcp         BSD talkd(8)
talk              517/udp         Talk
ntalk             518/udp         New Talk (ntalk)
ntalk             518/udp         SunOS talkd(8)
netnews           532/tcp         Readnews
uucp              540/tcp         uucpd BSD uucpd(8)
uucp              540/udp         uucpd BSD uucpd(8)
klogin            543/tcp         Kerberos Login
klogin            543/udp         Kerberos Login
kshell            544/tcp         Kerberos Shell
kshell            544/udp         Kerberos Shell
ekshell           545/tcp         krcmd Kerberos encrypted remote shell -kfall
pcserver          600/tcp         ECD Integrated PC board srvr
mount             635/udp         NFS Mount Service
pcnfs             640/udp         PC-NFS DOS Authentication
bwnfs             650/udp         BW-NFS DOS Authentication
flexlm            744/tcp         Flexible License Manager
flexlm            744/udp         Flexible License Manager
kerberos-adm      749/tcp         Kerberos Administration
kerberos-adm      749/udp         Kerberos Administration
kerberos          750/tcp         kdc Kerberos authentication—tcp
kerberos          750/udp         Kerberos
kerberos_master   751/udp         Kerberos authentication
kerberos_master   751/tcp         Kerberos authentication
krb_prop          754/tcp         Kerberos slave propagation
(name lost)       999/udp         Applixware
socks             1080/tcp
socks             1080/udp
kpop              1109/tcp        Pop with Kerberos
ms-sql-s          1433/tcp        Microsoft SQL Server
ms-sql-s          1433/udp        Microsoft SQL Server
ms-sql-m          1434/tcp        Microsoft SQL Monitor
ms-sql-m          1434/udp        Microsoft SQL Monitor
pptp              1723/tcp        Pptp
pptp              1723/udp        Pptp
nfs               2049/tcp        Network File System
nfs               2049/udp        Network File System
eklogin           2105/tcp        Kerberos encrypted rlogin
rkinit            2108/tcp        Kerberos remote kinit
kx                2111/tcp        X over Kerberos
kauth             2120/tcp        Remote kauth
lyskom            4894/tcp        LysKOM (conference system)
sip               5060/tcp        Session Initiation Protocol
sip               5060/udp        Session Initiation Protocol
x11               6000-6063/tcp   X Window System
x11               6000-6063/udp   X Window System
irc               6667/tcp        Internet Relay Chat
afs               7000-7009/udp
afs               7000-7009/udp

TABLE 3.2: Reserved Ports Table


TCP Connect / Full Open Scan
- TCP Connect scan detects when a port is open by completing the three-way handshake
- TCP Connect scan establishes a full connection and tears it down by sending a RST packet
[Slide diagram: scan result when a port is open (Attacker sends SYN Packet + Port (n), Target answers SYN/ACK Packet, Attacker sends ACK and then RST) and scan result when a port is closed (Attacker sends SYN Packet + Port (n), Target answers RST)]

TCP Connect / Full Open Scan
Source: http://www.insecure.org
TCP Connect / Full Open Scan is one of the most reliable forms of TCP scanning. The TCP
connect() system call provided by an OS is used to open a connection to every interesting port
on the machine. If the port is listening, connect() will succeed; otherwise, the port isn't
reachable.

TCP Three-way Handshake
In the TCP three-way handshake, the client sends a SYN flag, which is acknowledged by a
SYN+ACK flag from the server, which in turn is acknowledged by the client with an ACK flag to
complete the connection. A connection can be established from either end and terminated from
either end independently.

Vanilla Scanning
In vanilla scanning, once the handshake is completed, the client ends the connection. If the
connection is not established, the scanned machine is DoS'd, which allows a new socket to be
created/called. This confirms an open port that can then be scanned for a running service. The
process continues until the maximum port threshold is reached.


If the port is closed, the server responds with an RST+ACK flag (RST stands for "Reset the
connection"), whereas the client responds with a RST flag, and here the connection ends. This is
created by a TCP connect() system call, and it is identified instantaneously whether the port is
open or closed.
Making a separate connect() call for every targeted port in a linear fashion would take a long
time over a slow connection. The attacker can accelerate the scan by using many sockets in
parallel. Using non-blocking I/O allows the attacker to set a low time-out period and watch all
the sockets simultaneously.

Disadvantages
The drawback of this type of scan is that it is easily detectable and filterable. The logs in the
target system will disclose the connection.

The Output
Initiating Connect () Scan against (172.17.1.23)
Adding open port 19/tcp
Adding open port 21/tcp
Adding open port 13/tcp

FIGURE 3.14: Scan results when a port is open (Attacker sends SYN Packet + Port (n); Target
replies with SYN / ACK Packet; Attacker sends ACK + RST)

FIGURE 3.15: Scan results when a port is closed (Attacker sends SYN Packet + Port (n); Target
replies with RST)


FIGURE 3.16: Zenmap Screenshot (Zenmap running nmap -sT -v 192.168.168.5; the Nmap Output tab lists the open ports discovered by the Connect scan)


Stealth Scan (Half-open Scan)
- Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide themselves as usual network traffic
- The client sends a single SYN packet to the server on the appropriate port
- If the port is open then the server responds with a SYN/ACK packet
- If the server responds with an RST packet, then the remote port is in the "closed" state
- The client sends the RST packet to close the initiation before a connection can ever be established
[Slide diagram "Stealth Scan Process": Bill (10.0.0.2:2342) sends SYN (Port 80) to Sheela (10.0.0.3:80); when the port is open Sheela answers SYN+ACK and Bill replies with RST; when the port is closed Sheela answers RST]

Stealth Scan (Half-Open Scan)
A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional
packet transfers. This is a scan type that sends a single frame with the expectation of a single
response. The half-open scan partially opens a connection, but stops halfway through. This is
also known as a SYN scan because it only sends the SYN packet. This stops the service from ever
being notified of the incoming connection. TCP SYN scanning, or half-open scanning, is a stealth
method of port scanning.
The three-way handshake methodology is also implemented by the stealth scan. The difference is
that in the last stage, remote ports are identified by examining the packets entering the
interface and terminating the connection before a new initialization is triggered.
The process consists of the following:
- To start initialization, the client forwards a single "SYN" packet to the destination server
  on the corresponding port.
- The server actually initiates the stealth scanning process, depending on the response sent.
- If the server forwards a "SYN/ACK" response packet, then the port is supposed to be in an
  "OPEN" state.


- If the response is forwarded with an "RST" packet, then the port is supposed to be in a
  "CLOSED" state.

FIGURE 3.16: Stealth Scan when Port is Open (Bill, 10.0.0.2:2342, sends SYN (Port 80) to Sheela,
10.0.0.3:80; Sheela answers SYN+ACK; Bill replies with RST)

FIGURE 3.17: Stealth Scan when Port is Closed (Bill, 10.0.0.2:2342, sends SYN (Port 80) to
Sheela, 10.0.0.3:80; Sheela answers RST)

Zenmap Tool
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this
tool you can save frequently used scans as profiles to make them easy to run recurrently. It
contains a command creator that allows you to interactively build Nmap command lines. You can
save scan results, view them later, and compare them with another scan report to locate
differences. The results of recent scans are stored in a searchable database.
The advantages of Zenmap are as follows:
- Interactive and graphical results viewing
- Comparison
- Convenience
- Repeatability
- Discoverability


FIGURE 3.18: Zenmap Showing Scanning Results (Zenmap running nmap -sT -v 192.168.168.5; the Nmap Output tab lists the open ports found by the Connect scan)


Xmas Scan
- In Xmas scan, attackers send a TCP frame to a remote device with URG, ACK, RST, SYN, PSH, and FIN flags set
- FIN scan works only with an OS TCP/IP stack developed according to RFC 793
- It will not work against any current version of Microsoft Windows
[Slide diagram: Attacker (10.0.0.6) sends FIN, URG, PUSH to Server (10.0.0.8:23); no response when the port is open, RST when the port is closed]

Xmas Scan
Xmas Scan is a port scan technique with ACK, RST, SYN, URG, PSH, and FIN flags set to send a
TCP frame to a remote device. If the target port is closed, the remote system replies with a RST.
You can use this port scan technique to scan large networks and find which hosts are up and what
services they are offering. It is a technique that describes all TCP flag sets. When all flags
are set, some systems hang, so the flags most often set are the nonsense pattern URG-PSH-FIN.
This scan only works when systems are compliant with RFC 793.

BSD Networking Code
This method is based on BSD networking code; you can use this only for UNIX hosts, and it does
not support Windows NT. If this scan is directed at any Microsoft system, it shows all the ports
on the host as open.

Transmitting Packets
You can initialize all the flags when transmitting the packet to a remote host. If the target
system accepts the packet and does not send any response, the port is open. If the target system
sends a RST flag, the port is closed.


Advantage:
It avoids the IDS and TCP three-way handshake.
Disadvantage:
It works on the UNIX platform only.

FIGURE 3.19: Xmas Scan when Port is Open (Attacker 10.0.0.6 sends FIN, URG, PUSH to Server
10.0.0.8:23; no response)

FIGURE 3.20: Xmas Scan when Port is Closed (Attacker 10.0.0.6 sends FIN, URG, PUSH to Server
10.0.0.8:23; Server answers RST)

FIGURE 3.21: Zenmap Showing Xmas Scan Result (Zenmap running nmap -sX -v 192.168.168.3; the Nmap Output tab reports three ports as open|filtered and the remaining 997 as closed)


FIN Scan
- In FIN scan, attackers send a TCP frame to a remote host with only FIN flags set
- FIN scan works only with an OS TCP/IP stack developed according to RFC 793
- It will not work against any current version of Microsoft Windows

FIN Scan
FIN Scan is a type of port scan. The client sends a FIN packet to the target port; if the service
is not running or the port is closed, the target replies to the probe packet with an RST.

FIGURE 3.22: FIN Scan when Port is Open (Attacker 10.0.0.6 sends FIN to 10.0.0.8:23; no response)

FIGURE 3.23: FIN Scan when Port is Closed (Attacker 10.0.0.6 sends FIN to 10.0.0.8:23; the target
answers RST)
FIGURE 3.24: Zenmap showing FIN Scan Result (Zenmap running nmap -sF -v 192.168.168.3; the Nmap Output tab reports three ports as open|filtered and the remaining 997 as closed)


NULL Scan
- In NULL scan, attackers send a TCP frame to a remote host with NO Flags
- NULL scan only works if the OS' TCP/IP implementation is developed according to RFC 793
- It will not work against any current version of Microsoft Windows
[Slide diagram: Attacker (10.0.0.6) sends a TCP packet with no flag set; no response when the port is open]

NULL Scan
NULL scans send TCP packets with all flags turned off. It is assumed that closed ports will
return a TCP RST. Packets received by open ports are discarded as invalid.
It sets all flags of the TCP header, such as ACK, FIN, RST, SYN, URG, and PSH, to NULL or
unassigned. When any packet arrives at the server, BSD networking code informs the kernel to
drop the incoming packet if the port is open, or returns an RST flag if the port is closed. This
scan uses flags in the reverse fashion from the Xmas scan, but gives the same output as the FIN
and Xmas tree scans. Network code in major operating systems can behave differently in
responding to the packet, e.g., Microsoft versus UNIX. This method does not work for Microsoft
operating systems.
The command line option for NULL scanning with Nmap is "-sN".

Advantage:
It avoids IDS and the TCP three-way handshake.

Disadvantage:
It works only for UNIX.
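The flag combinations and RFC 793 responses behind the Connect, SYN, Xmas, FIN and NULL scans above, as an added example (not code from the module or from Nmap): a classifier for the initial probe of each scan type, the response an RFC 793 target (or a Windows stack) gives, the verdict a scanner can draw from it (which is where Zenmap's open|filtered comes from), and a defender-side check that groups probes by source. The packet records and addresses are constructed.

```python
"""Flag-based probe classification and the RFC 793 response model behind the
Connect, SYN, Xmas, FIN and NULL scans.  Added example for this module, not
code from the module or from Nmap; the packet records below are constructed."""
from collections import defaultdict

# TCP flag bits as they sit in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Exact flag bytes an initial probe of each scan type carries
PROBE_SIGNATURES = {
    SYN: "syn",               # Connect (-sT) and half-open (-sS): ordinary SYN
    0: "null",                # NULL scan (-sN): no flags at all
    FIN: "fin",               # FIN scan (-sF)
    FIN | PSH | URG: "xmas",  # Xmas scan (-sX): the URG-PSH-FIN pattern
}


def classify_probe(flags: int) -> str:
    """Return which scan type a packet with exactly these flags resembles;
    anything else (ACK, PSH|ACK, SYN|ACK ...) is mid-connection traffic."""
    return PROBE_SIGNATURES.get(flags, "other")


def rfc793_response(probe: str, port_open: bool, windows_stack: bool = False) -> str:
    """The segment an RFC 793-compliant target sends back: 'syn/ack', 'rst'
    or 'none'.  Windows stacks answer FIN/NULL/Xmas probes with RST whatever
    the port state, which is why those scans learn nothing there."""
    if probe == "syn":
        return "syn/ack" if port_open else "rst"
    if probe in ("null", "fin", "xmas"):
        if windows_stack:
            return "rst"
        return "none" if port_open else "rst"   # open port drops the packet silently
    return "rst"


def infer_state(probe: str, response: str) -> str:
    """What the scanner can conclude from the response.  Silence after a
    FIN/NULL/Xmas probe is ambiguous (dropped by an open port, or by a
    firewall), hence Nmap's open|filtered verdict in the screenshots."""
    if probe == "syn":
        return {"syn/ack": "open", "rst": "closed"}.get(response, "filtered")
    if probe in ("null", "fin", "xmas"):
        return "closed" if response == "rst" else "open|filtered"
    return "unknown"


def simulate_sweep(probe: str, open_ports, ports, windows_stack: bool = False) -> dict:
    """Map each probed port to the target's response for one scan type."""
    return {p: rfc793_response(probe, p in open_ports, windows_stack) for p in ports}


def detect_scanners(records, min_ports: int = 5) -> dict:
    """Defender-side check over packet records (src, dst, dport, flags):
    group initial probes by source and scan type and report sources that
    touched at least min_ports distinct ports with one probe type.  NULL,
    FIN and Xmas probes never begin a legitimate connection, so even a
    handful of them from one source deserves a closer look."""
    seen = defaultdict(set)
    for src, _dst, dport, flags in records:
        probe = classify_probe(flags)
        if probe == "other":
            continue
        seen[(src, probe)].add(dport)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= min_ports}


# Constructed sample traffic using the addresses from the module's diagrams
SAMPLE_PACKETS = [
    ("10.0.0.6", "10.0.0.8", p, FIN | PSH | URG) for p in (21, 22, 23, 25, 80, 443)
] + [
    ("10.0.0.6", "10.0.0.8", p, 0) for p in (22, 88, 548)   # three NULL probes, under threshold
] + [
    ("10.0.0.2", "10.0.0.3", 80, SYN),        # Bill opening a normal session to Sheela
    ("10.0.0.2", "10.0.0.3", 80, PSH | ACK),  # and sending data on it
]

if __name__ == "__main__":
    print(simulate_sweep("xmas", {23}, [22, 23]))   # {22: 'rst', 23: 'none'}
    print(detect_scanners(SAMPLE_PACKETS))          # the Xmas sweep from 10.0.0.6
```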


FIGURE 3.25: NULL Scan when Port is Open (Attacker 10.0.0.6 sends a TCP packet with no flag set
to Server 10.0.0.8:23; no response)

FIGURE 3.26: NULL Scan when Port is Closed (Attacker 10.0.0.6 sends a TCP packet with no flag
set to Server 10.0.0.8:23; Server answers RST/ACK)

FIGURE 3.27: Zenmap showing NULL Scan Result (Zenmap running nmap -sN -v 192.168.168.3; the Nmap Output tab reports three ports as open|filtered and the remaining 997 as closed)


IDLE Scan
- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port
- One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port
- The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed
- A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored
- Every IP packet on the Internet has a "fragment identification" number (IP ID)
- The OS increments the IP ID for each packet sent, thus probing an IP ID gives an attacker the number of packets sent since the last probe

Command Prompt (slide screenshot):
C:\> nmap -Pn -p- -sI www.juggyboy.com www.certifiedhacker.com
Starting Nmap ( http://nmap.org )
Idlescan using zombie www.juggyboy.com (192.130.18.124:80); Class: Incremental
Nmap scan report for 198.182.30.110
(The 40321 ports scanned but not
Port     State   Service
21/tcp   open    ftp
25/tcp   open    smtp
80/tcp   open    http
Nmap done: 1 IP address (1 host up) scanned in 1931.23 seconds

IDLE Scan
The idle scan is a TCP port scan method that you can use to send a spoofed source address to a
computer to find out what services are available; it offers completely blind scanning of a
remote host. This is accomplished by impersonating another computer. No packet is sent from
your own IP address; instead, another host, often called a "zombie," is used to scan the remote
host and determine the open ports. This is done by inspecting the sequence numbers of the
zombie host, and if the remote host checks the IP of the scanning party, the IP of the zombie
machine will show up.

Understanding TCP/IP
Source: http://nmap.org
Idle scanning is a sophisticated port scanning method. You do not need to be a TCP/IP expert to
understand it. You need to understand the following basic facts:
- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers
  on port 25. A port is considered "open" if an application is listening on the port;
  otherwise it is closed.


- To determine whether a port is open, send a session establishment "SYN" packet to the
  port. The target machine responds with a session request acknowledgment "SYN|ACK"
  packet if the port is open and a Reset "RST" packet if the port is closed.
- A machine that receives an unsolicited SYN|ACK packet responds with an RST. An
  unsolicited RST is ignored.
- Every IP packet on the Internet has a "fragment identification" number. Many operating
  systems simply increment this number for every packet they send. So probing for this
  number can tell an attacker how many packets have been sent since the last probe.

From these facts, it is possible to scan a target network while forging your identity so that it
looks like an innocent "zombie" machine did the scanning.

FIGURE 3.28: Nmap Showing Idle Scan Result (Command Prompt screenshot)


IDLE Scan: Step 1
- Every IP packet on the Internet has a fragment identification number (IP ID), which increases every time a host sends an IP packet

FIGURE 3.29: IPID Probe Request and Response (Attacker sends an IPID probe to the Zombie; the
Zombie answers with an RST Packet)

Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number
In the first step, you send a session establishment "SYN" packet or IPID probe to determine
whether a port is open or closed. If the port is open, the "zombie" responds with a session
request acknowledgment "SYN|ACK" packet containing the IPID of the remote host machine. If the
port is closed, it sends a reset "RST" packet. Every IP packet on the Internet has a "fragment
identification" number, which is incremented by one for every packet transmission. In the above
diagram, the zombie responds with IPID=31337.


IDLE Scan: Step 2 and 3

Step 2
- Send SYN packet to the target machine (port 80) spoofing the IP address of the "zombie"
- If the port is open, the target will send SYN/ACK Packet to the zombie and in response zombie sends RST to the target
- If the port is closed, the target will send RST to the "zombie" but zombie will not send anything back
[Slide diagram: Attacker sends SYN Packet to port 80 spoofing zombie IP address; Target answers the Zombie; Port is open]

Step 3
- Probe "zombie" IPID again
[Slide diagram: Attacker sends IPID Probe SYN / ACK Packet to the Zombie; Response: IPID=31339 RST Packet; IPID incremented by 2 since Step 1, so port 80 must be open]

IDLE Scan: Step 2 and 3
Idle Scan: Step 2.1 (Open Port)
Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie." If
the port is open, the target will send the SYN/ACK packet to the zombie, and in response the
zombie sends the RST to the target.

FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open (Attacker sends SYN Packet
to port 80 spoofing zombie IP address; Target replies to the Zombie; Port is open)

Idle Scan: Step 2.2 (Closed Port)
The target will send the RST to the "zombie" if the port is closed, but the zombie will not send
anything back.
SYN Packet to port 80
spoofing zombie IP address

m

Attacker
I- ‫״״‬
4

Zombie

................ ................

Target

Port is clo sed

FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed

Idle Scan: Step 3

Probe the "zombie" IPID again.

[Figure: Attacker sends an IPID probe SYN/ACK packet to the Zombie; response: IPID=31339 RST packet; IPID incremented by 2 since Step 1, so port 80 must be open]
FIGURE 3.32: IPID Probe Request and Response
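The three steps above, as an added example that is not part of the CEH module: a pure-Python model (no sockets, no packets are sent) with constructed Zombie and Target classes and an idle_scan_port() helper. It reproduces the IPID arithmetic on the slide (31337 before, 31339 after, so port 80 is open) and shows the two conditions under which the inference breaks, which are also what takes a host out of the zombie role: an IP stack that randomises the IPID per packet, and a host that is not really idle. The class names, the 31336 starting counter and the seeds are assumptions made for the illustration.

```python
"""Model of the idle-scan IPID inference described in Steps 1-3.

Added example (not part of the CEH module): a pure-Python simulation
with no sockets and no packets.  The Zombie and Target classes and the
idle_scan_port() helper are constructed for illustration.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Host whose IP stack numbers every outgoing packet from one global IPID counter."""
    ipid: int = 31336                 # first probe reply is then 31337, as on the slide
    randomized: bool = False          # per-packet random IPID: nothing for the attacker to count
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def next_ipid(self) -> int:
        """Consume one IPID, i.e. send one packet."""
        if self.randomized:
            return self.rng.randrange(0, 0x10000)
        self.ipid = (self.ipid + 1) & 0xFFFF   # 16-bit field wraps around
        return self.ipid

    def on_syn_ack(self) -> int:
        """Unsolicited SYN/ACK (from the target) -> the zombie answers RST, consuming an IPID."""
        return self.next_ipid()

    def on_rst(self) -> None:
        """Unsolicited RST -> silently dropped: no packet sent, no IPID consumed."""
        return None

    def on_probe(self) -> int:
        """Attacker's SYN/ACK probe -> RST reply; its IPID is what the attacker reads."""
        return self.next_ipid()


@dataclass
class Target:
    open_ports: frozenset

    def on_spoofed_syn(self, port: int, zombie: Zombie) -> None:
        """Step 2: the SYN carries the zombie's address, so the reply is routed to the zombie."""
        if port in self.open_ports:
            zombie.on_syn_ack()   # open: SYN/ACK -> zombie sends RST (IPID +1)
        else:
            zombie.on_rst()       # closed: RST -> zombie stays silent


def idle_scan_port(target: Target, zombie: Zombie, port: int,
                   background_packets: int = 0) -> tuple:
    """Run Steps 1-3 once and return (ipid_before, ipid_after, inference).

    background_packets = packets the zombie sends on its own between the
    two probes (a busy zombie); they inflate the delta and spoil the result.
    """
    before = zombie.on_probe()               # Step 1: read zombie IPID
    target.on_spoofed_syn(port, zombie)      # Step 2: spoofed SYN to target
    for _ in range(background_packets):
        zombie.next_ipid()                   # zombie is not idle after all
    after = zombie.on_probe()                # Step 3: read zombie IPID again
    delta = (after - before) & 0xFFFF
    if delta == 2:
        verdict = "open"
    elif delta == 1:
        verdict = "closed|filtered"
    else:
        verdict = f"unknown (delta={delta})"
    return before, after, verdict


def make_random_zombie(seed: int) -> Zombie:
    """Zombie with a randomised IPID, seeded per trial (constructed for the test)."""
    return Zombie(randomized=True, rng=random.Random(seed))


def scan_reliable(zombie_factory, port: int = 80, trials: int = 50) -> bool:
    """True if the inference matches the truth (port open) on every trial."""
    target = Target(open_ports=frozenset({port}))
    return all(idle_scan_port(target, zombie_factory(i), port)[2] == "open"
               for i in range(trials))


if __name__ == "__main__":
    print("open   :", idle_scan_port(Target(frozenset({80})), Zombie(), 80))
    print("closed :", idle_scan_port(Target(frozenset({80})), Zombie(), 81))
    print("busy   :", idle_scan_port(Target(frozenset({80})), Zombie(), 80, background_packets=3))
    print("sequential IPID reliable:", scan_reliable(lambda i: Zombie()))
    print("random IPID reliable    :", scan_reliable(make_random_zombie))
```

Running the script prints the open, closed, busy and randomised cases. The same two conditions are what a defender checks when asking which of their own Internet-reachable hosts could be used as a zombie: a predictable global IPID counter and long idle periods.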

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Ce hv8 module 03 scanning networks

  • 3. Security News, Oct 18 2012: Saliently Sality Botnet Trapped Scanning IPv4 Address Space. Source: http://www.spamfighter.com
A semi-famous botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers, has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study, published by Paritynews.com on October 10, 2012. Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks.
Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space devoid of being recognized. That's the only reason the technique uses a very small number of packets that come from various sources. The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing to the scan. The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case) from various sources, claimed one of the researchers, Alistair King of the University of California, San Diego (UCSD), as published by Softpedia.com on October 9, 2012.
  • 4. According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's the first time that such a happening has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been adopted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying any event like this one. According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet uses classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator categorized the scans at around 3 million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly covers, but is unable to be noticed by present automation, as published by darkreading.com on October 4, 2012.
Copyright © SPAMfighter 2003-2012, http://www.spamfighter.com/News-1799B-Salier1tlv-Salitv-Botnet-Trapped-Scanning-IPv4Address-Space.htm
  • 5. Module Objectives
Once an attacker identifies his/her target system and does the initial reconnaissance, as discussed in the footprinting and reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance in which the attacker learns more about his/her target, such as what operating system is used, which services are running on the systems, and what configuration lapses, if any, exist. The attacker can then strategize his/her attack, factoring in these aspects. This module will familiarize you with: Overview of Network Scanning; CEH Scanning Methodology; Checking for Live Systems; Scanning Techniques; IDS Evasion Techniques; Banner Grabbing; Vulnerability Scanning; Drawing Network Diagrams; Use of Proxies for Attack; Proxy Chaining; HTTP Tunneling Techniques; SSH Tunneling; Anonymizers; IP Spoofing Detection Techniques; Scanning Countermeasures; Scanning Pen Testing.
  • 6. Overview of Network Scanning
Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network. It is one of the components of intelligence gathering that an attacker uses to create a profile of the target organization: the attacker sends TCP/IP probes into the network and gets network information back. Objectives of network scanning: to discover live hosts, IP addresses, and open ports of live hosts; to discover operating systems and system architecture; to discover services running on hosts; to discover vulnerabilities in live hosts.
As we already discussed, footprinting is the first phase of hacking, in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking because it gathers only primary information about the target. You can use this primary information in the next phase to gather many more details about the target. The process of gathering additional details about the target using highly complex and aggressive reconnaissance techniques is called scanning. The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system. You can also discover more about the target system, such as what operating system is used, what services are running, and whether or not there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack.
Types of Scanning: port scanning (open ports and services); network scanning (IP addresses); vulnerability scanning (presence of known weaknesses).
  • 7. In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more ports are open, the more points of vulnerability there are; the fewer ports are open, the more secure the system is. This is only a general rule: in some cases, the level of vulnerability may be high even though few ports are open. Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, their operating systems, system architecture, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems.
FIGURE 3.1: Network Scanning Diagram (the attacker sends TCP/IP probes to the network and gets network information back)
Objectives of Network Scanning: If you have a large amount of information about a target organization, there are greater chances for you to learn the weaknesses and loopholes of that particular organization and, consequently, to gain unauthorized access to its network. Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How to perform scanning and what type of information is to be obtained during the scanning process entirely depends on the hacker's viewpoint.
There may be many objectives for performing scanning, but here we will discuss the most common objectives that are encountered during the hacking phase: discovering live hosts, IP addresses, and open ports of live hosts running on the network; discovering open ports (open ports are the best means to break into a system or network; you can find easy ways to break into the target organization's network by discovering open ports on its network); discovering the operating system and system architecture of the targeted system (this is also referred to as fingerprinting; here the attacker will try to launch the attack based on the operating system's vulnerabilities).
  • 8. The remaining common objectives are: identifying the vulnerabilities and threats (vulnerabilities and threats are the security risks present in any system; an attacker can compromise the system or network by exploiting them); and detecting the network service associated with each port.
  • 9. CEH Scanning Methodology
The methodology proceeds through these steps: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing. The first step in scanning the network is to check for live systems. This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system, and various ping sweep tools.
  • 10. Checking for Live Systems: ICMP Scanning
A ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. (Slide diagram: ICMP Echo Request from Source 192.168.168.3 to Destination 192.168.168.5, ICMP Echo Reply back; Zenmap screenshot of the ping scan output for nmap -sn 192.168.168.5, see Figure 3.3.)
ICMP Scanning: All required information about a system can be gathered by sending ICMP packets to it. Since ICMP does not have a port abstraction, this cannot be considered a case of port scanning. However, it is useful to determine which hosts in a network are up by pinging them all (the -P option does this; ICMP scanning is now done in parallel, so it can be quick). The user can also increase the number of pings in parallel with the -L option. It can also be helpful to tweak the ping timeout value with the -T option.
ICMP Query: The UNIX tool ICMPquery or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses. ICMPquery has both a timestamp and an address mask request option:
icmpquery <query> [-B] [-f fromhost] [-d delay] [-T time] target
  • 11. Where <query> is one of: -t: ICMP timestamp request (default); -m: ICMP address mask request. -d: delay to sleep between packets, in microseconds. -T: specifies the number of seconds to wait for a host to respond; the default is 5. A target is a list of hostnames or addresses.
FIGURE 3.2: ICMP Query Diagram (ICMP Echo Request from Source 192.168.168.3 to Destination 192.168.168.5, ICMP Echo Reply back)
Ping Scan Output Using Nmap. Source: http://nmap.org. Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you can determine the live hosts on a network. It performs ping scans by sending ICMP ECHO requests to all the hosts on the network. If a host is live, it sends an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. The following screenshot shows the sample output of a ping scan using Zenmap, the official cross-platform GUI for the Nmap Security Scanner (command: nmap -sn 192.168.168.5; output: "Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08", "Nmap scan report for 192.168.168.5", "Host is up", "MAC Address: (Dell)", "Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds").
FIGURE 3.3: Zenmap Showing Ping Scan Output
  • 12. Ping Sweep
A ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply. Attackers calculate subnet masks using subnet mask calculators to identify the number of hosts present in the subnet. Attackers then use a ping sweep to create an inventory of live systems in the subnet. (Slide: diagram of ICMP Echo Requests from source 192.168.168.3 to 192.168.168.5 through 192.168.168.8 with their ICMP Echo Replies, and a Zenmap screenshot of the ping sweep output for nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50, see Figure 3.5.)
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique to determine which range of IP addresses map to live hosts (computers). While a single ping tells the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods to scan a network. This utility is distributed across almost all platforms, and acts like a roll call for systems; a system that is live on the network answers the ping query that is sent by another system.
  • 13. FIGURE 3.4: Ping Sweep Diagram (source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5, 192.168.168.6, 192.168.168.7, and 192.168.168.8; the live hosts answer with ICMP Echo Replies)
TCP/IP Packet: To understand ping, you should understand the TCP/IP packet. When a system pings, a single packet is sent across the network to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping also determines the number of hops that lie between the two computers and the round-trip time, i.e., the total time taken by a packet to complete a trip. Ping can also be used for resolving host names. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address.
Source: http://nmap.org. Using the Nmap Security Scanner you can perform a ping sweep. A ping sweep determines the IP addresses of live hosts. This provides information about the live hosts' IP addresses as well as their MAC addresses. It allows you to scan multiple hosts at a time and determine the active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:
  • 14. (Zenmap screenshot, command nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50; output: "Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41", followed by "Nmap scan report for ... Host is up" entries for 192.168.168.1 (MAC vendor Hewlett-Packard Company), 192.168.168.3 (Apple), 192.168.168.5 (Dell), 192.168.168.13 (Foxconn), and 192.168.168.14; the host list also shows 192.168.168.15, .17, .19, .26, and .28.)
FIGURE 3.5: Zenmap showing ping sweep output
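The two checks a defender takes from the ICMP query and ping sweep passages above, as an added example that is not part of the CEH courseware or of Nmap: it parses ICMP headers and verifies their checksum, flags type 13 (timestamp) and type 17 (address mask) requests, and reports a source whose echo requests reach several distinct destinations within a short window. The sample traffic, the sweep threshold and the window are constructed assumptions.

```python
"""ICMP reconnaissance detector (added example, not CEH courseware code).

Parses ICMP messages as the ICMP scanning and ping sweep passages describe
them (echo request type 8, echo reply type 0, timestamp request type 13,
address mask request type 17) and flags what a defender would watch for:
one source sending echo requests to many distinct hosts within a short
window (a ping sweep), and any timestamp or address mask query, which
ordinary hosts almost never send. All traffic below is constructed inline.
"""
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_ADDRESS_MASK_REQUEST = 17

# Query types that are normally only sent by a network prober
QUERY_TYPES = {ICMP_TIMESTAMP_REQUEST: "timestamp",
               ICMP_ADDRESS_MASK_REQUEST: "address mask"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a valid checksum (used here only for samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(data: bytes) -> dict:
    """Return type, code, id and seq of an ICMP message plus checksum validity."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    # Recomputing over the message with the checksum field zeroed must give csum
    zeroed = data[:2] + b"\x00\x00" + data[4:]
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(zeroed) == csum}


def detect_icmp_recon(events, sweep_threshold=4, window=10.0):
    """events: iterable of (timestamp, src_ip, dst_ip, icmp_bytes), in time order.

    Returns a list of (timestamp, src_ip, alert_text). A source whose echo
    requests reach sweep_threshold distinct destinations within `window`
    seconds is reported once as a ping sweep; every timestamp or address
    mask request is reported individually.
    """
    alerts = []
    echo_targets = defaultdict(list)   # src_ip -> [(timestamp, dst_ip), ...]
    swept = set()
    for ts, src, dst, raw in events:
        msg = parse_icmp(raw)
        if not msg["checksum_ok"]:
            continue  # corrupted message; a real sensor would count these too
        if msg["type"] in QUERY_TYPES:
            alerts.append((ts, src, f"ICMP {QUERY_TYPES[msg['type']]} request to {dst}"))
        elif msg["type"] == ICMP_ECHO_REQUEST and src not in swept:
            history = echo_targets[src]
            history.append((ts, dst))
            recent = {d for t, d in history if ts - t <= window}
            if len(recent) >= sweep_threshold:
                swept.add(src)
                alerts.append((ts, src, f"ping sweep: {len(recent)} hosts within {window:g}s"))
    return alerts


def sample_traffic():
    """Constructed capture: a sweep of 192.168.168.5-8 from .3, one reply,
    one ordinary ping from .14, and a timestamp query from .13."""
    events = []
    for i, last in enumerate(range(5, 9)):
        events.append((1.0 + 0.5 * i, "192.168.168.3", f"192.168.168.{last}",
                       build_icmp(ICMP_ECHO_REQUEST, 0x1234, i, b"x" * 56)))
    events.append((3.0, "192.168.168.5", "192.168.168.3",
                   build_icmp(ICMP_ECHO_REPLY, 0x1234, 0, b"x" * 56)))
    events.append((4.0, "192.168.168.14", "192.168.168.1",
                   build_icmp(ICMP_ECHO_REQUEST, 0x0001, 0, b"ping")))
    events.append((5.0, "192.168.168.13", "192.168.168.5",
                   build_icmp(ICMP_TIMESTAMP_REQUEST, 0x0042, 0, b"\x00" * 12)))
    return events


if __name__ == "__main__":
    for ts, src, text in detect_icmp_recon(sample_traffic()):
        print(f"t={ts:4.1f}  {src:15}  {text}")
```

Against the constructed capture the sweep is reported at t=2.5, when the fourth distinct destination is seen, and the timestamp query at t=5.0.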
  • 15. Ping Sweep Tools
SolarWinds Engineer's Toolset's Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup. Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc. (Slide: Angry IP Scanner screenshot, http://www.angryip.org.)
Determining live hosts on a target network is the first step in the process of hacking or breaking into a network. This can be done using ping sweep tools. There are a number of ping sweep tools readily available in the market with which you can perform ping sweeps easily. These tools allow you to determine the live hosts by sending ICMP ECHO requests to multiple hosts at a time. Angry IP Scanner and SolarWinds Engineer's Toolset are a few commonly used ping sweep tools.
Angry IP Scanner. Source: http://www.angryip.org. Angry IP Scanner is an IP scanner tool. It identifies all non-responsive addresses as dead nodes, resolves hostname details, and checks for open ports. Its main features are scanning of multiple ports and configurable scanning columns. Its main goal is to find the active hosts in the network by scanning all the IP addresses as well as ports. It runs on Linux, Windows, Mac OS X, etc. It can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.
  • 16. (Angry IP Scanner screenshot: IP range 10.0.0.1 to 10.0.0.50 with columns IP, Ping, Hostname, and Ports; responsive addresses show their round-trip time, hostname, and open ports, while unresponsive addresses show [n/a].)
FIGURE 3.6: Angry IP Scanner Screenshot
SolarWinds Engineer's Toolset. Source: http://www.solarwinds.com. The SolarWinds Engineer's Toolset is a collection of network engineer's tools. By using this toolset you can scan a range of IP addresses and identify the IP addresses that are currently in use and the IP addresses that are free. It also performs reverse DNS lookup. (Ping Sweep screenshot: a range of 192.168.168.x addresses, each listed with its response time in milliseconds or "Request Timed Out", with a DNS lookup column alongside.)
FIGURE 3.7: SolarWinds Engineer's Toolset Screenshot
  • 17. Ping Sweep Tools (Cont'd)
In addition to SolarWinds Engineer's Toolset and Angry IP Scanner, there are many other tools that feature ping sweep capabilities. For example: Colasoft Ping Tool, available at http://www.colasoft.com; Visual Ping Tester - Standard, available at http://www.pingtester.net; Ping Scanner Pro, available at http://www.digilextechnologies.com; Ultra Ping Pro, available at http://ultraping.webs.com; PingInfoView, available at http://www.nirsoft.net; PacketTrap MSP, available at http://www.packettrap.com; Ping Sweep, available at http://www.whatsupgold.com; Network Ping, available at http://www.greenline-soft.com; Ping Monitor, available at http://www.niliand.com; Pinkie, available at http://www.ipuptime.net.
  • 18. So far we have discussed how to check for live systems. Open ports are the doorways through which an attacker launches attacks on systems, so we will now discuss scanning for open ports. (Methodology: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing.) This section covers the three-way handshake, scanning IPv6 networks, and various scanning techniques such as the FIN scan, the SYN scan, and so on.
Three-Way Handshake

TCP uses a three-way handshake to establish a connection between a client and a server.

Three-way handshake process:
1. Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) with a packet that has only the SYN flag set.
2. The server replies with a packet that has both the SYN and the ACK flags set.
3. The client completes the exchange by sending a single ACK packet.
4. If these three steps complete without error, a TCP connection is established between the client and the server.

TCP is connection-oriented: a connection must be established before any application data is transferred. The connection is established by the three-way handshake, which synchronizes the sequence numbers of the two hosts. The process goes as follows:

- To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the destination (10.0.0.3:21).
- On receiving the SYN, the destination responds with a SYN/ACK packet. The ACK half of this packet confirms to the source that its SYN arrived; the SYN half carries the destination's own initial sequence number.
- Finally, the source sends an ACK packet for the destination's SYN/ACK.
- The connection is now "OPEN" and the two hosts exchange data until either of them sends a FIN packet (orderly close) or an RST packet (abort).
TCP maintains a stateful connection for every connection-oriented exchange across the Internet. It works much like an ordinary telephone call: one picks up the receiver, hears a dial tone, dials a number that makes the far end ring, and the call is established when the other person picks up and says "Hello."

[FIGURE 3.8: Three-way Handshake Process. Bill (client, 10.0.0.2:62000) and Sheela (server, 10.0.0.3:21) exchange SYN, SYN/ACK and ACK.]

Establishing a TCP Connection

As discussed above, a TCP connection is established by the three-way handshake; as the name says, connection establishment takes three steps.

Source: http://support.microsoft.com/kb/172983

The following three frames (Microsoft Network Monitor decodes) show the establishment of a TCP connection between the nodes NTW3 and BDC3:

Frame 1: In the first step the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize sequence numbers. The client specifies its Initial Sequence Number (ISN), 8221822; because a SYN consumes one sequence number, the server will acknowledge it with 8221823. To initialize a connection, the client and server must synchronize each other's sequence numbers. The segment also carries the Maximum Segment Size (MSS) option (len: 4), which tells the peer the largest segment the sender wants to receive. The Acknowledgement field (ack: 0) is zero because this is the first part of the three-way handshake and there is nothing to acknowledge yet.

1   2.0785  NTW3 --> BDC3  TCP ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session)  NTW3 --> BDC3  IP

TCP: ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221822 (0x7D747E)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP:   ..0..... = No urgent data
TCP:   ...0.... = Acknowledgement field not significant
TCP:   ....0... = No Push function
TCP:   .....0.. = No Reset
TCP:   ......1. = Synchronize sequence numbers
TCP:   .......0 = No Fin
TCP: Window = 8192 (0x2000)
TCP: Checksum = 0xF213
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP:   Option Kind (Maximum Segment Size) = 2 (0x2)
TCP:   Option Length = 4 (0x4)
TCP:   Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010: 00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B   .,..@....K.k...k
00020: 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02   .......}t~....`.
00030: 20 00 F2 13 00 00 02 04 05 B4 20 20               ............

Frame 2: In the second step the server, BDC3, sends a segment with both ACK and SYN set (TCP .A..S.). With it the server acknowledges the client's synchronization request and at the same time asks the client to synchronize with the server's own sequence numbers. The important difference from Frame 1 is the acknowledgement number: the server sends 8221823, the client's ISN incremented by one, which proves to the client that this SYN/ACK answers the SYN it sent.

2   2.0786  BDC3 --> NTW3  TCP .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037  BDC3 --> NTW3  IP

TCP: .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037
TCP: Source Port = NETBIOS Session Service
TCP: Destination Port = 0x040D
TCP: Sequence Number = 1109645 (0x10EE8D)
TCP: Acknowledgement Number = 8221823 (0x7D747F)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x12 : .A..S.
TCP:   ..0..... = No urgent data
TCP:   ...1.... = Acknowledgement field significant
TCP:   ....0... = No Push function
TCP:   .....0.. = No Reset
TCP:   ......1. = Synchronize sequence numbers
TCP:   .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x012D
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP:   Option Kind (Maximum Segment Size) = 2 (0x2)
TCP:   Option Length = 4 (0x4)
TCP:   Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000: 02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00   .`.;...`......E.
00010: 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B   .,[.@....L.k...k
00020: 02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12   ...........}t.`.
00030: 22 38 01 2D 00 00 02 04 05 B4 20 20               "8.-........

Frame 3: In the third step the client sends a plain ACK (TCP .A....), acknowledging the server's synchronization request with the same rule the server used: the server's ISN (1109645) incremented by one gives the acknowledgement number 1109646. The client's acknowledgement of the server's request completes the three-way handshake, and a reliable connection is established.

3   2.787   NTW3 --> BDC3  TCP .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session)  NTW3 --> BDC3  IP

TCP: .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221823 (0x7D747F)
TCP: Acknowledgement Number = 1109646 (0x10EE8E)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP:   ..0..... = No urgent data
TCP:   ...1.... = Acknowledgement field significant
TCP:   ....0... = No Push function
TCP:   .....0.. = No Reset
TCP:   ......0. = No Synchronize
TCP:   .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x18EA
TCP: Urgent Pointer = 0 (0x0)
TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010: 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B   .(..@....O.k...k
00020: 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10   .......}t.....P.
00030: 22 38 18 EA 00 00 20 20 20 20 20 20               "8..........
TCP Communication Flags

Standard TCP communication is controlled by six flags in the TCP packet header. These flags govern the connection between hosts and tell the receiving system what to do with the segment:

- SYN (Synchronize): initiates a connection between hosts and announces a new sequence number
- ACK (Acknowledgement): confirms receipt of a segment and identifies the next expected sequence number
- PSH (Push): instructs the receiving stack to hand all buffered data to the application immediately
- URG (Urgent): the data indicated by the urgent pointer should be processed as soon as possible
- FIN (Finish): announces that no more data will be sent to the remote system
- RST (Reset): aborts the connection

SYN scanning mainly deals with three of the flags: SYN, ACK and RST. An attacker reads the flags in the replies to crafted probes to infer port state from servers during scanning and enumeration.
[FIGURE 3.9: TCP Communication Flags. Header layout, 0-31 bits per row: Acknowledgement Number; Data Offset, Reserved, TCP Flags, Window; TCP Checksum, Urgent Pointer; Options]
Create Custom Packets Using TCP Flags

Source: http://www.colasoft.com

- Colasoft Packet Builder enables creating custom network packets to audit a network against various attacks.
- Attackers can also use it to create fragmented packets that bypass firewalls and IDS systems in a network.

Colasoft Packet Builder is a tool that allows you to create custom network packets and to test the network against various attacks. You select a TCP packet from the provided templates and change its parameters in the decode editor, the hexadecimal editor, or the ASCII editor to create the packet. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets onto the network.
[FIGURE 3.10: Colasoft Packet Builder screenshot: Decode Editor showing the Ethernet Type II and IP header fields of a 60-byte packet, with the Hex Editor view below]
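The handshake frames, the TCP flag bits and the custom-packet building described in the three preceding sections can all be exercised with a few dozen lines of Python. The following block is an added example, not code from the course material, from Colasoft, or from Microsoft KB 172983: it decodes the three handshake frames reproduced above from their hex dumps (its only input), verifies the IP and TCP checksums, checks that each acknowledgement equals the peer's ISN plus one, and then builds an IPv4/TCP segment with an arbitrary flag combination the way a packet builder does. The addresses and MACs used in the build step are assumed values for illustration.

```python
"""Decode and build raw Ethernet/IPv4/TCP frames with correct checksums."""
import struct

# The three handshake frames from the Microsoft KB 172983 capture above
# (hex dumps copied from the page; Ethernet padding bytes included).
HANDSHAKE_FRAMES = [bytes.fromhex(h) for h in (
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 "
    "20 00 F2 13 00 00 02 04 05 B4 20 20",
    "02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00 "
    "00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B "
    "02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 "
    "22 38 01 2D 00 00 02 04 05 B4 20 20",
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 "
    "22 38 18 EA 00 00 20 20 20 20 20 20",
)]

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Network Monitor style flag string: one column each for U A P R S F.
FLAG_COLUMNS = (("U", URG), ("A", ACK), ("P", PSH), ("R", RST), ("S", SYN), ("F", FIN))


def flag_string(flags):
    return "".join(ch if flags & bit else "." for ch, bit in FLAG_COLUMNS)


def checksum(data):
    """RFC 1071 one's-complement checksum. Computed over a header that already
    carries its checksum, the result is 0 when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame):
    """Decode Ethernet II + IPv4 + TCP into the fields a scanner looks at."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, src, dst = ip[9], ip[12:16], ip[16:20]
    if proto != 6:
        raise ValueError("not TCP")
    # Slice by the IP total length: Ethernet pads short frames to 60 bytes and
    # the padding must not be fed into the TCP checksum.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    mss, opts, i = None, tcp[20:data_off], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the option list
        if opts[i] == 1:                            # kind 1 (NOP) has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # malformed option, stop
            break
        if opts[i] == 2:                            # Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": "%d.%d.%d.%d" % tuple(src), "dst": "%d.%d.%d.%d" % tuple(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": flag_string(off_flags & 0x3F), "mss": mss,
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "tcp_checksum_ok": checksum(pseudo + tcp) == 0,
    }


def handshake_ok(frames):
    """SYN, SYN/ACK, ACK: every acknowledgement must equal the peer's ISN + 1,
    because a SYN consumes one sequence number."""
    syn, synack, ack = (parse_frame(f) for f in frames)
    return (syn["flags"] == "....S."
            and synack["flags"] == ".A..S." and synack["ack"] == syn["seq"] + 1
            and ack["flags"] == ".A...." and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1
            and all(p["ip_checksum_ok"] and p["tcp_checksum_ok"] for p in (syn, synack, ack)))


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, win=8192, ip_id=1):
    """IPv4 + TCP (no options) with valid checksums; any flag mix can be set,
    e.g. SYN, ACK, or the XMAS combination FIN | PSH | URG."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def frame_for(packet, dst_mac=bytes.fromhex("02608c3b85c1"), src_mac=bytes.fromhex("02608c9e188b")):
    """Prepend an Ethernet II header (assumed MACs) so a built packet can be parsed back."""
    return dst_mac + src_mac + b"\x08\x00" + packet


if __name__ == "__main__":
    for n, f in enumerate(HANDSHAKE_FRAMES, 1):
        p = parse_frame(f)
        print(n, p["flags"], "seq=%d ack=%d mss=%s" % (p["seq"], p["ack"], p["mss"]))
    print("handshake consistent:", handshake_ok(HANDSHAKE_FRAMES))
    xmas = parse_frame(frame_for(build_tcp_packet("10.0.0.2", "10.0.0.3", 62000, 21, FIN | PSH | URG)))
    print("built XMAS probe:", xmas["flags"], xmas["ip_checksum_ok"], xmas["tcp_checksum_ok"])
```

Two details matter in practice: the TCP checksum covers a pseudo-header built from the IP addresses, so a packet with a spoofed source must have its checksum recomputed, and the Ethernet padding after a short segment must be cut off by the IP total length before checksumming, otherwise every 40-byte probe reply looks corrupt.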
Scanning IPv6 Networks

IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy. Traditional network scanning techniques become computationally infeasible because of the far larger search space a single IPv6 subnet provides: 64 bits of host address space, or 2^64 addresses. Scanning an IPv6 network is therefore harder and more complex than scanning IPv4, and at the time this material was written major scanning tools such as Nmap did not support ping sweeps of IPv6 networks (current Nmap releases do accept IPv6 ranges, but sweeping a /64 by brute force remains impractical). Attackers instead harvest IPv6 addresses from network traffic, recorded logs, or Received: and other header lines in archived email or Usenet news messages, and port-scan the addresses they find. An IPv6 subnet does, however, hand an attacker a large number of hosts once a foothold exists: after compromising one host in the subnet, the attacker can probe the "all hosts" link-local multicast address (ff02::1) to enumerate the host's neighbors.
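The harvesting approach the paragraph describes is straightforward to script. The following Python block is an added example and not part of the course material: it pulls IPv6 addresses out of Received: and X-Originating-IP: header lines (the headers are constructed and use documentation prefixes), drops addresses that are not reachable targets, groups the rest by /64 so the attacker learns which subnets exist, recovers the MAC address behind an EUI-64 style interface identifier, and puts a number on why brute-force sweeping a /64 is not an option. The header text, hostnames and addresses are assumptions made for the example.

```python
"""Harvest IPv6 targets from mail headers or logs instead of sweeping a /64."""
import ipaddress
import re

# Constructed sample headers; 2001:db8::/32 is the documentation prefix.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [IPv6:2001:db8:1::25])
        by mx.example.org with ESMTP id q9IAMV3k012345; Thu, 18 Oct 2012 10:22:31 +0000
Received: from [2001:db8:1:0:a1b2:c3ff:fed4:e5f6] (helo=laptop.example.net)
        by mail.example.net with esmtpsa; Thu, 18 Oct 2012 10:22:29 +0000
Received: from relay.example.com (relay.example.com [192.0.2.10])
        by mail.example.net; Thu, 18 Oct 2012 10:22:27 +0000
X-Originating-IP: [2001:db8:2:7::10]
Received: from [fe80::1] (localhost [IPv6:::1])
        by relay.example.com; Thu, 18 Oct 2012 10:22:25 +0000
Received: from mail.example.net (mail.example.net [IPv6:2001:db8:1::25])
        by backup-mx.example.org; Thu, 18 Oct 2012 10:22:20 +0000
"""

# Split on whitespace and the brackets/punctuation that surround address literals.
TOKEN_SPLIT = re.compile(r"[\s\[\]()<>,;\"']+")


def harvest_ipv6(text):
    """Return {"<prefix>/64": [addresses]} for every usable IPv6 address in text."""
    subnets = {}
    for token in TOKEN_SPLIT.split(text):
        if token.startswith("IPv6:"):        # RFC 5321 address-literal tag
            token = token[5:]
        try:
            addr = ipaddress.IPv6Address(token)
        except ValueError:                   # hostnames, IPv4, timestamps, queue ids
            continue
        if addr.is_link_local or addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            continue                         # not reachable targets from outside
        prefix = str(ipaddress.IPv6Network((addr, 64), strict=False))
        subnets.setdefault(prefix, set()).add(addr)
    return {p: [str(a) for a in sorted(s)] for p, s in sorted(subnets.items())}


def eui64_mac(addr):
    """If the interface identifier is EUI-64 derived (ff:fe in the middle of the
    low 64 bits), return the MAC it was built from, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the U/L bit flip
    return ":".join("%02x" % b for b in mac)


def years_to_sweep_64(probes_per_second):
    """Time needed to probe every address of one /64 at the given rate."""
    return 2 ** 64 / probes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for prefix, addrs in harvest_ipv6(SAMPLE_HEADERS).items():
        print(prefix)
        for a in addrs:
            print("   ", a, "MAC=%s" % eui64_mac(a) if eui64_mac(a) else "")
    print("years to sweep a /64 at 1M probes/s: %.0f" % years_to_sweep_64(1e6))
```

Link-local and loopback literals are discarded because they cannot be reached from the attacker's position; they only become useful after the foothold the paragraph mentions, when ff02::1 on the local link gives the same hosts for free.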
Scanning Tool: Nmap

Source: http://nmap.org

Nmap is a security scanner for network exploration and hacking. It discovers hosts and services on a computer network, building a "map" of the network, by sending specially crafted packets to the target hosts and analyzing the responses. Either a network administrator or an attacker can use it. Network administrators use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), the type of packet filters/firewalls in use, and operating systems and OS versions.
[Screenshot: Zenmap, the Nmap GUI, showing the output of a scan of a 10.0.0.0/24 network: ping scan, parallel DNS resolution of the hosts, SYN stealth scan of 1000 ports, service scan, and OS detection reporting Microsoft Windows hosts with their NetBIOS names and MAC addresses]
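Whichever side runs Nmap, the useful form of its output is the XML produced by -oX, which both inventory scripts and attacker tooling parse. The following Python block is an added example, not code from Nmap or from the course material: it turns an Nmap XML document into a list of live hosts with their open ports, service banners and best OS match, and answers the typical follow-up question of which hosts expose a given service. The XML document is constructed to follow Nmap's schema for a fictional 10.0.0.0/24 scan; the hosts, products and versions in it are assumed.

```python
"""Parse Nmap -oX output into a host inventory."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML schema (fictional hosts and versions).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 10.0.0.0/24" version="6.01">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <address addr="00:0C:29:12:34:56" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="win7-client" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" product="Microsoft Windows 7 microsoft-ds" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7" accuracy="100"/></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.2" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="96"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return live hosts with ip, mac, hostname, os (name, accuracy) and open_ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue                      # hosts that never answered carry no ports
        entry = {"ip": None, "mac": None, "hostname": None, "os": None, "open_ports": []}
        for addr in host.findall("address"):
            entry["mac" if addr.get("addrtype") == "mac" else "ip"] = addr.get("addr")
        name = host.find("hostnames/hostname")
        if name is not None:
            entry["hostname"] = name.get("name")
        match = host.find("os/osmatch")
        if match is not None:
            entry["os"] = (match.get("name"), int(match.get("accuracy")))
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state.get("state") != "open":
                continue                  # closed/filtered ports are noise for inventory
            svc = port.find("service")
            product = None
            if svc is not None:
                product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) or None
            entry["open_ports"].append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
                "reason": state.get("reason"),   # syn-ack = the stack really answered
            })
        hosts.append(entry)
    return hosts


def hosts_with_service(hosts, service_name):
    """IPs of live hosts with the named service open (the attacker's target list)."""
    return sorted(h["ip"] for h in hosts
                  if any(p["service"] == service_name for p in h["open_ports"]))


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        print(h["ip"], h["hostname"] or "", h["os"])
        for p in h["open_ports"]:
            print("   %5d/%s %-12s %s" % (p["port"], p["proto"], p["service"], p["product"] or ""))
    print("ssh hosts:", hosts_with_service(inventory, "ssh"))
```

The reason attribute is worth keeping: syn-ack means the target's TCP stack completed the handshake, whereas a service guessed from the port table (method="table", low conf) has not been confirmed by any probe.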
Hping2/Hping3

Source: http://www.hping.org

- A tool for security auditing and for testing firewalls and networks
- A command-line packet crafter for the TCP/IP protocol suite
- Runs on both Windows and Linux operating systems

Hping2/Hping3 is a command-line-oriented TCP/IP packet assembler/analyzer. It sends ICMP echo requests like ping, but also supports TCP, UDP, ICMP and raw-IP, has a traceroute mode, and can transfer files over a covert channel. It can send custom TCP/IP packets and display the target's replies in the way the ping program displays ICMP replies. It handles fragmentation and arbitrary packet bodies and sizes, and can be used to transfer encapsulated files under the supported protocols.

It supports idle host scanning: IP spoofing and network/host scanning can be combined to probe for services anonymously. An attacker studies the behavior of an idle host to gain information about the target such as the services it offers, the ports supporting those services, and the target's operating system. This type of scan is a precursor to heavier probing or to an outright attack.

Features

Some of the features of Hping2/Hping3 are:

- Determines whether a host is up even when it blocks ICMP packets
- Advanced port scanning and network performance testing using different protocols, packet sizes, TOS values and fragmentation
- Manual path MTU discovery
- Firewalk-like usage that allows discovery of open ports behind firewalls
- Remote OS fingerprinting
- TCP/IP stack auditing

ICMP Scanning

A ping sweep, or Internet Control Message Protocol (ICMP) scan, sends an ICMP echo request (ping) to every host on the network to determine which ones are up. Operating systems, routers, switches and other IP-based devices use this protocol, via the ping command, to exchange Echo Request and Echo Reply messages as a connectivity test between hosts. The following output shows ICMP scanning with hping3 (-1 selects ICMP mode):

root@bt:~# hping3 -1 10.0.0.2
HPING 10.0.0.2 (eth1 10.0.0.2): icmp mode set, 28 headers + 0 data bytes
len=28 ip=10.0.0.2 ttl=128 id=25908 icmp_seq=0 rtt=2.2 ms
len=28 ip=10.0.0.2 ttl=128 id=25909 icmp_seq=1 rtt=1.0 ms
len=28 ip=10.0.0.2 ttl=128 id=25910 icmp_seq=2 rtt=1.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25911 icmp_seq=3 rtt=0.5 ms
len=28 ip=10.0.0.2 ttl=128 id=25912 icmp_seq=4 rtt=0.4 ms
len=28 ip=10.0.0.2 ttl=128 id=25913 icmp_seq=5 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25914 icmp_seq=6 rtt=0.9 ms
len=28 ip=10.0.0.2 ttl=128 id=25915 icmp_seq=7 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25916 icmp_seq=8 rtt=0.9 ms
len=28 ip=10.0.0.2 ttl=128 id=25917 icmp_seq=9 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25918 icmp_seq=10 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25919 icmp_seq=11 rtt=1.2 ms
len=28 ip=10.0.0.2 ttl=128 id=25920 icmp_seq=12 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25921 icmp_seq=13 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25922 icmp_seq=14 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25923 icmp_seq=15 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25924 icmp_seq=16 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25925 icmp_seq=17 rtt=1.0 ms

FIGURE 3.12: Hping3 tool showing ICMP scanning output

ACK Scanning on Port 80

Use this technique to probe for the existence of a firewall and its rule set. An ACK probe carries no SYN, so a simple (stateless) packet filter that only blocks connection attempts lets it through and the target's TCP stack answers with an RST; the port is then reported as unfiltered, whether it is open or closed. A stateful firewall knows there is no connection this ACK belongs to and silently drops it, so no reply comes back and the port is reported as filtered. The following output shows ACK scanning on port 80 with hping3; every probe is answered with flags=R, so nothing stateful is filtering the path to port 80:

root@bt:~# hping3 -A 10.0.0.2 -p 80
HPING 10.0.0.2 (eth1 10.0.0.2): A set, 40 headers + 0 data bytes
len=40 ip=10.0.0.2 ttl=128 DF id=26085 sport=80 flags=R seq=0 win=0 rtt=1.3 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26086 sport=80 flags=R seq=1 win=0 rtt=0.8 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26087 sport=80 flags=R seq=2 win=0 rtt=1.0 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26088 sport=80 flags=R seq=3 win=0 rtt=0.9 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26089 sport=80 flags=R seq=4 win=0 rtt=0.9 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26090 sport=80 flags=R seq=5 win=0 rtt=0.5 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26091 sport=80 flags=R seq=6 win=0 rtt=0.7 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26092 sport=80 flags=R seq=7 win=0 rtt=0.8 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26093 sport=80 flags=R seq=8

FIGURE 3.13: Hping3 tool showing ACK scanning output
Hping Commands

The following table lists various scanning methods and the corresponding Hping commands:

Scan                                              Command
ICMP ping                                         hping3 -1 10.0.0.25
ACK scan on port 80                               hping3 -A 10.0.0.25 -p 80
UDP scan on port 80                               hping3 -2 10.0.0.25 -p 80
Collecting initial sequence numbers               hping3 192.168.1.103 -Q -p 139 -s
Firewalls and time stamps                         hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
SYN scan on ports 50-56                           hping3 -8 50-56 -S 10.0.0.25 -V
FIN, PUSH and URG scan on port 80                 hping3 -F -P -U 10.0.0.25 -p 80
Scan entire subnet for live hosts                 hping3 -1 10.0.1.x --rand-dest -I eth0
Intercept all traffic containing HTTP signature   hping3 -9 HTTP -I eth0
SYN flooding a victim                             hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

TABLE 3.1: Hping Commands Table

Option summary: -1 is ICMP mode, -2 is UDP mode, -8 is scan mode (takes a port range), -9 is listen mode, -S/-A/-F/-P/-U set the SYN, ACK, FIN, PUSH and URG flags, -p selects the destination port (so the PUSH flag is -P, not -p), -a spoofs the source address, -Q shows the sequence numbers in the replies, -s sets the base source port, -I selects the interface, and -V is verbose.
Scanning Techniques

Scanning is the process of gathering information about the systems that are alive and responding on the network. Port scanning techniques are designed to identify the open ports on a targeted server or host. Administrators use them to verify the security policy of their networks; attackers use them to identify the services running on a host with the intent of compromising it. The scanning techniques covered include:

- TCP Connect / Full Open Scan
- Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan
- IDLE Scan
- ICMP Echo Scanning / List Scan
- SYN/FIN Scanning Using IP Fragments
- UDP Scanning
- Inverse TCP Flag Scanning
- ACK Flag Scanning
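The first technique in the list, the TCP connect (full open) scan, needs no raw sockets and can be run against local listeners to see its behaviour. The following Python block is an added example, not code from the course material: it starts a few listeners on 127.0.0.1 (the ports are whatever the kernel hands out), probes a port range concurrently with ordinary connect() calls, and classifies each port as open (the three-way handshake completed), closed (the target answered with RST, seen as "connection refused") or filtered (no answer before the timeout). Because connect() completes the handshake, the listening application sees and can log every probe, which is exactly why this is the noisiest of the techniques.

```python
"""TCP connect() (full-open) scan against listeners on the local host."""
import socket
from concurrent.futures import ThreadPoolExecutor
from contextlib import closing


def start_listeners(count):
    """Bind `count` TCP listeners on loopback; returns (sockets, ports)."""
    socks = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))     # port 0: let the kernel choose a free port
        s.listen(5)                  # the kernel completes handshakes into the backlog
        socks.append(s)
    return socks, [s.getsockname()[1] for s in socks]


def free_port():
    """Return a port that is currently closed (bound, read back, released)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Classify one port the way a connect scan does:
    'open'     - connect() returned, so the full three-way handshake completed
    'closed'   - the target answered the SYN with RST (connection refused)
    'filtered' - nothing came back within the timeout (a firewall dropped the SYN)"""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def connect_scan(host, ports, workers=32):
    """Probe the ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: probe(host, p), ports)))


def open_ports(host, ports):
    return sorted(p for p, state in connect_scan(host, ports).items() if state == "open")


if __name__ == "__main__":
    socks, listening = start_listeners(3)
    low, high = min(listening) - 20, max(listening) + 20
    print("listening on", sorted(listening))
    print("open ports in %d-%d:" % (low, high), open_ports("127.0.0.1", range(low, high + 1)))
    for s in socks:
        s.close()
```

On a real target the three states map to the same stack behaviour a SYN scan relies on; the difference is that a SYN scan tears the connection down with an RST before the handshake completes, so the application behind the port never sees an accepted connection.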
The following is a list of important reserved ports:

Name            Port/Protocol   Description
echo            7/tcp
echo            7/udp
discard         9/tcp           sink null
discard         9/udp           sink null
systat          11/tcp          users
daytime         13/tcp
daytime         13/udp
netstat         15/tcp
qotd            17/tcp          quote of the day
chargen         19/tcp          ttytst source
chargen         19/udp          ttytst source
ftp-data        20/tcp          FTP data transfer
ftp             21/tcp          FTP command
ssh             22/tcp          Secure Shell
telnet          23/tcp
smtp            25/tcp          mail
time            37/tcp          timeserver
time            37/udp          timeserver
rlp             39/udp          resource location
nicname         43/tcp          whois
domain          53/tcp          domain name server
domain          53/udp          domain name server
sql*net         66/tcp          Oracle SQL*Net
sql*net         66/udp          Oracle SQL*Net
bootps          67/tcp          BOOTP server
bootps          67/udp          BOOTP server
bootpc          68/tcp          BOOTP client
bootpc          68/udp          BOOTP client
tftp            69/tcp          Trivial File Transfer
tftp            69/udp          Trivial File Transfer
gopher          70/tcp          Gopher server
finger          79/tcp          Finger
www-http        80/tcp          WWW
www-http        80/udp          WWW
kerberos        88/tcp          Kerberos
kerberos        88/udp          Kerberos
pop2            109/tcp         Post Office Protocol v2
pop3            110/tcp         Post Office Protocol v3
sunrpc          111/tcp         RPC 4.0 portmapper
sunrpc          111/udp         RPC 4.0 portmapper
auth/ident      113/tcp         Authentication Service
auth            113/udp         Authentication Service
audionews       114/tcp         Audio News Multicast
audionews       114/udp         Audio News Multicast
nntp            119/tcp         Usenet Network News Transfer
nntp            119/udp         Usenet Network News Transfer
ntp             123/tcp         Network Time Protocol
ntp             123/udp         Network Time Protocol
netbios-ns      137/tcp         NetBIOS Name Service
netbios-ns      137/udp         NetBIOS Name Service
netbios-dgm     138/tcp         NetBIOS Datagram Service
netbios-dgm     138/udp         NetBIOS Datagram Service
netbios-ssn     139/tcp         NetBIOS Session Service
netbios-ssn     139/udp         NetBIOS Session Service
imap            143/tcp         Internet Message Access Protocol
imap            143/udp         Internet Message Access Protocol
sql-net         150/tcp         SQL-NET
sql-net         150/udp         SQL-NET
sqlsrv          156/tcp         SQL Service
sqlsrv          156/udp         SQL Service
snmp            161/tcp
snmp            161/udp
snmp-trap       162/tcp
snmp-trap       162/udp
cmip-man        163/tcp         CMIP/TCP Manager
cmip-man        163/udp         CMIP
cmip-agent      164/tcp         CMIP/TCP Agent
cmip-agent      164/udp         CMIP
irc             194/tcp         Internet Relay Chat
irc             194/udp         Internet Relay Chat
at-rtmp         201/tcp         AppleTalk Routing Maintenance
at-rtmp         201/udp         AppleTalk Routing Maintenance
at-nbp          202/tcp         AppleTalk Name Binding
at-nbp          202/udp         AppleTalk Name Binding
at-3            203/tcp         AppleTalk
at-3            203/udp         AppleTalk
at-echo         204/tcp         App leTalk Echo
at-echo         204/udp         AppleTalk Echo
at-5            205/tcp         AppleTalk
at-5            205/udp         AppleTalk
at-zis          206/tcp         AppleTalk Zone Information
at-zis          206/udp         AppleTalk Zone Information
at-7            207/tcp         AppleTalk
at-7            207/udp         AppleTalk
at-8            208/tcp         AppleTalk
at-8            208/udp         AppleTalk
ipx             213/tcp
ipx             213/udp
imap3           220/tcp         Interactive Mail Access Protocol v3
imap3           220/udp         Interactive Mail Access Protocol v3
aurp            387/tcp         AppleTalk Update-Based Routing
aurp            387/udp         AppleTalk Update-Based Routing
netware-ip      396/tcp         Novell NetWare over IP
netware-ip      396/udp         Novell NetWare over IP
rmt             411/tcp         Remote mt
rmt             411/udp         Remote mt
microsoft-ds    445/tcp         Microsoft-DS (SMB over TCP)
microsoft-ds    445/udp         Microsoft-DS
isakmp          500/udp         ISAKMP/IKE
fcp             510/tcp         First Class Server
exec            512/tcp         BSD rexecd(8)
comsat/biff     512/udp         used by the mail system to notify users
login           513/tcp         BSD rlogind(8)
who             513/udp         whod, BSD rwhod(8)
shell           514/tcp         cmd, BSD rshd(8)
syslog          514/udp         BSD syslogd(8)
printer         515/tcp         spooler, BSD lpd(8)
printer         515/udp         printer spooler
talk            517/tcp         BSD talkd(8)
talk            517/udp         talk
ntalk           518/udp         New Talk (ntalk)
  • 40. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Scanning Networks ntalk 518/udp SunOS talkd(8) netnews 532/tcp Readnews uucp 540/tcp uucpd BSD uucpd(8) uucp 540/udp uucpd BSD uucpd(8) klogin 543/tcp Kerberos Login klogin 543/udp Kerberos Login kshell 544/tcp Kerberos Shell kshell 544/udp Kerberos Shell ekshell 545/tcp pcserver 600/tcp ECD Integrated PC board srvr mount 635/udp NFS Mount Service pcnfs 640/udp PC-NFS DOS Authentication bwnfs 650/udp BW-NFS DOS Authentication flexlm 744/tcp Flexible License Manager flexlm 744/udp Flexible License Manager 5 6erberos-adm 749/tcp Kerberos Administration 56erberos-adm 749/udp Kerberos Administration kerberos 750/tcp kdc Kerberos authentication—tcp kerberos 750/udp Kerberos 56erberos mas ter 751/udp Kerberos authentication 56erberos mas ter 751/tcp Kerberos authentication krb_prop 754/tcp Kerberos slave propagation Module 03 Page 301 krcmd Kerberos encrypted remote shell -kfall Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 41. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Scanning Networks 999/udp Applixware socks 1080/tcp socks 1080/udp kpop 1109/tcp Pop with Kerberos ms-sql-s 1433/tcp Microsoft SQL Server ms-sql-s 1433/udp Microsoft SQL Server ms-sql-m 1434/tcp Microsoft SQL Monitor ms-sql-m 1434/udp Microsoft SQL Monitor Name Port/Protocol Description pptp 1723/tcp Pptp pptp 1723/udp Pptp nf s 2049/tcp Network File System nf s 2049/udp Network File System eklogin 2105/tcp Kerberos encrypted rlogin rkinit 2108/tcp Kerberos remote kinit kx 2111/tcp X over Kerberos kauth 2120/tcp Remote kauth lyskom 4894/tcp LysKOM (conference system) sip 5060/tcp Session Initiation Protocol sip 5060/udp Session Initiation Protocol xll 6000-6063/tcp X W indow System xll 6000-6063/udp X W indow System ire 6667/tcp Internet Relay Chat af s 7000-7009/udp af s 7000-7009/udp TABLE 3.2: Reserved Ports Table Module 03 Page 302 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 42. TCP Connect / Full Open Scan

  • TCP Connect scan detects when a port is open by completing the three-way handshake
  • TCP Connect scan establishes a full connection and tears it down by sending a RST packet

Scan result when a port is open: the attacker sends a SYN packet to port (n), the target answers with a SYN/ACK packet, and the attacker completes the handshake and then sends RST.
Scan result when a port is closed: the attacker sends a SYN packet to port (n) and the target answers with RST.

TCP Connect / Full Open Scan

Source: http://www.insecure.org

TCP Connect / Full Open Scan is one of the most reliable forms of TCP scanning. The TCP connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed; otherwise, the port isn't reachable.

TCP Three-way Handshake

In the TCP three-way handshake, the client sends a SYN flag, which is acknowledged by a SYN+ACK flag from the server, which, in turn, is acknowledged by the client with an ACK flag to complete the connection. A connection can be established from either end and terminated from either end independently.

Vanilla Scanning

In vanilla scanning, once the handshake is completed, the client ends the connection. If the connection is not established, the scanned machine will be DoS'd, which allows a new socket to be created/called. This confirms an open port that can be scanned for a running service. The process continues until the maximum port threshold is reached.
  • 43. If the port is closed, the server responds with an RST+ACK flag (RST stands for "Reset the connection"), whereas the client responds with a RST flag, and here the connection ends. This is created by a TCP connect() system call, and whether the port is open or closed is identified instantaneously.

Making a separate connect() call for every targeted port in a linear fashion would take a long time over a slow connection. The attacker can accelerate the scan by using many sockets in parallel. Using non-blocking I/O allows the attacker to set a low time-out period and watch all the sockets simultaneously.

Disadvantages

The drawback of this type of scan is that it is easily detectable and filterable. The logs in the target system will disclose the connection.

The Output

Initiating Connect () Scan against (172.17.1.23)
Adding open port 19/tcp
Adding open port 21/tcp
Adding open port 13/tcp

FIGURE 3.14: Scan results when a port is open (attacker sends SYN packet + port (n); target replies with SYN/ACK packet; attacker sends ACK + RST)
FIGURE 3.15: Scan results when a port is closed (attacker sends SYN packet + port (n); target replies with RST)
  • 44. FIGURE 3.16: Zenmap screenshot of a TCP Connect scan (command "nmap -sT -v 192.168.168.5"). The Nmap Output tab shows the ARP Ping Scan, Parallel DNS resolution and Connect Scan phases, the discovered open TCP ports, 980 filtered ports, and the summary "1 IP address (1 host up) scanned in 43.08 seconds".
  • 45. Stealth Scan (Half-open Scan)

Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide themselves as usual network traffic.

SYN Stealth Scan Process
  • The client sends a single SYN packet to the server on the appropriate port
  • If the port is open, then the server responds with a SYN/ACK packet
  • If the server responds with an RST packet, then the remote port is in the "closed" state
  • The client sends the RST packet to close the initiation before a connection can ever be established

Diagram: Bill (10.0.0.2:2342) sends SYN (Port 80) to Sheela (10.0.0.3:80); SYN+ACK in return means the port is open, RST in return means the port is closed.

Stealth Scan (Half-Open Scan)

Stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This is a scan type that sends a single frame with the expectation of a single response. The half-open scan partially opens a connection, but stops halfway through. This is also known as a SYN scan because it only sends the SYN packet. This stops the service from ever being notified of the incoming connection.

TCP SYN scanning, or half-open scanning, is a stealth method of port scanning. The three-way handshake methodology is also implemented by the stealth scan. The difference is that in the last stage, remote ports are identified by examining the packets entering the interface and terminating the connection before a new initialization is triggered. The process proceeds as follows:

  • To start initialization, the client forwards a single "SYN" packet to the destination server on the corresponding port.
  • The server actually initiates the stealth scanning process, depending on the response sent.
  • If the server forwards a "SYN/ACK" response packet, then the port is supposed to be in an "OPEN" state.
  • 46.
  • If the response is forwarded with an "RST" packet, then the port is supposed to be in a "CLOSED" state.

FIGURE 3.16: Stealth Scan when Port is Open (Bill 10.0.0.2:2342 sends SYN (Port 80) to Sheela 10.0.0.3:80 and receives SYN/ACK)
FIGURE 3.17: Stealth Scan when Port is Closed (Bill 10.0.0.2:2342 sends SYN (Port 80) to Sheela 10.0.0.3:80 and receives RST)

Zenmap Tool

Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save frequently used scans as profiles to make them easy to run recurrently. It contains a command creator that allows you to interactively build Nmap command lines. You can save scan results, view them in the future, and compare them with another scan report to locate differences. The results of recent scans can be stored in a searchable database.

The advantages of Zenmap are as follows:
  • Interactive and graphical results viewing
  • Comparison
  • Convenience
  • Repeatability
  • Discoverability
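The two scan types above differ only in how far the handshake gets before the scanner sends RST, and that difference is exactly what a flow collector or firewall log records. The following added example (not code from the CEH module or from Nmap) shows the detection side: it rebuilds client/server flows from per-packet TCP flag records, labels each flow as a full connect() probe, a half-open probe, a closed-port answer or an unanswered SYN, and flags any source whose probes cover many distinct ports on one host. All packet records, addresses and the threshold are constructed for this example.

```python
"""Flow-based detection of TCP connect and SYN (half-open) scans.

Added example (not code from the CEH module): a flow collector's view of the
handshakes described above, used to tell a full connect() probe from a
half-open probe and to flag a source that touches many ports on one host.
Every packet record below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    client: str
    server: str
    dport: int
    client_flags: list = field(default_factory=list)   # tcpdump-style letters: S A R P F
    server_flags: list = field(default_factory=list)


def build_flows(packets):
    """Group (src, sport, dst, dport, flags) records into client->server flows."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            flows[fwd].client_flags.append(flags)
        elif rev in flows:
            flows[rev].server_flags.append(flags)
        else:
            flows[fwd] = Flow(src, dst, dport, [flags])
    return list(flows.values())


def classify(flow):
    """Label a flow by how far the three-way handshake got and how it ended."""
    c, s = flow.client_flags, flow.server_flags
    if not c or c[0] != "S":
        return "other"                      # not a connection attempt
    if not s:
        return "no-response"                # dropped or filtered
    if s[0] == "RA":
        return "closed"                     # RST/ACK answers the SYN
    if s[0] != "SA":
        return "other"
    if "A" not in c[1:]:
        # SYN/ACK was never acknowledged: the half-open (stealth) signature
        return "half-open-probe" if "R" in c else "incomplete"
    if any("P" in f for f in c + s):
        return "session"                    # payload exchanged: real traffic
    return "full-connect-probe"             # handshake completed, then reset without data


def detect_scanners(packets, port_threshold=5):
    """Return sources whose probe flows cover at least port_threshold distinct ports."""
    per_src = defaultdict(lambda: {"ports": set(), "verdicts": defaultdict(int)})
    for flow in build_flows(packets):
        verdict = classify(flow)
        if verdict in ("session", "other"):
            continue                        # ordinary traffic never adds to the scan score
        rec = per_src[flow.client]
        rec["ports"].add((flow.server, flow.dport))
        rec["verdicts"][verdict] += 1
    return {
        src: {"distinct_ports": len(r["ports"]), "verdicts": dict(r["verdicts"])}
        for src, r in per_src.items()
        if len(r["ports"]) >= port_threshold
    }


def _probe(src, sport, dst, dport, state, full_connect):
    """Constructed packets for one probe, half-open or full connect() style."""
    pk = [(src, sport, dst, dport, "S")]
    if state == "closed":
        pk.append((dst, dport, src, sport, "RA"))
    elif state == "open":
        pk.append((dst, dport, src, sport, "SA"))
        if full_connect:
            pk.append((src, sport, dst, dport, "A"))   # completes the handshake
        pk.append((src, sport, dst, dport, "R"))       # scanner tears it down
    return pk                                           # "filtered": no reply at all


# Constructed traffic: one normal web session plus two scanners against 10.0.0.8
PACKETS = [
    ("10.0.0.2", 52000, "10.0.0.3", 80, "S"),
    ("10.0.0.3", 80, "10.0.0.2", 52000, "SA"),
    ("10.0.0.2", 52000, "10.0.0.3", 80, "A"),
    ("10.0.0.2", 52000, "10.0.0.3", 80, "PA"),
    ("10.0.0.3", 80, "10.0.0.2", 52000, "PA"),
    ("10.0.0.2", 52000, "10.0.0.3", 80, "FA"),
    ("10.0.0.3", 80, "10.0.0.2", 52000, "FA"),
]
HALF_OPEN_TARGETS = {21: "closed", 22: "open", 23: "closed", 25: "closed", 80: "open",
                     110: "closed", 139: "filtered", 443: "closed", 445: "closed", 3389: "filtered"}
FULL_CONNECT_TARGETS = {21: "closed", 22: "open", 23: "closed", 25: "closed", 80: "open"}
for i, (port, state) in enumerate(HALF_OPEN_TARGETS.items()):
    PACKETS += _probe("10.0.0.6", 40001 + i, "10.0.0.8", port, state, full_connect=False)
for i, (port, state) in enumerate(FULL_CONNECT_TARGETS.items()):
    PACKETS += _probe("10.0.0.7", 41001 + i, "10.0.0.8", port, state, full_connect=True)

if __name__ == "__main__":
    for src, report in detect_scanners(PACKETS).items():
        print(src, report)
```

Run as a script, the block reports 10.0.0.6 (ten ports, two half-open probes, six closed answers, two unanswered) and 10.0.0.7 (five ports, two full-connect probes, three closed answers) while the browsing client 10.0.0.2 never accumulates a score. A completed handshake is what the connect scan leaves in application logs; the half-open probe is visible only at this flow level, which is why a stealth scan needs flow or firewall telemetry rather than service logs to detect.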
  • 47. FIGURE 3.18: Zenmap Showing Scanning Results (the same "nmap -sT -v 192.168.168.5" Connect Scan output as Figure 3.16, displayed in the Zenmap Nmap Output tab).
  • 48. Xmas Scan

Diagram: attacker 10.0.0.6 sends FIN, URG, PUSH to server 10.0.0.8:23; no response means the port is open, RST means the port is closed.

  • In Xmas scan, attackers send a TCP frame to a remote device with URG, ACK, RST, SYN, PSH, and FIN flags set
  • Xmas scan works only with an OS TCP/IP stack developed according to RFC 793
  • It will not work against any current version of Microsoft Windows

Xmas Scan

Xmas Scan is a port scan technique that sends a TCP frame to a remote device with the ACK, RST, SYN, URG, PSH, and FIN flags set. If the target port is closed, the remote system replies with a RST. You can use this port scan technique to scan large networks and find which hosts are up and what services they are offering. It is a technique that exercises all TCP flag combinations. When all flags are set, some systems hang; so the flags most often set are the nonsense pattern URG-PSH-FIN. This scan only works when systems are compliant with RFC 793.

BSD Networking Code

This method is based on BSD networking code; you can use it only for UNIX hosts, and it does not support Windows NT. If this scan is directed at any Microsoft system, it shows all the ports on the host as opened.

Transmitting Packets

You can set all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, the port is open. If the target system sends a RST flag, the port is closed.
  • 49. Advantage: It avoids the IDS and the TCP three-way handshake.
Disadvantage: It works on the UNIX platform only.

FIGURE 3.19: Xmas Scan when Port is Open (attacker 10.0.0.6 sends FIN, URG, PUSH to server 10.0.0.8:23; no response)
FIGURE 3.20: Xmas Scan when Port is Closed (attacker 10.0.0.6 sends FIN, URG, PUSH to server 10.0.0.8:23; RST returned)

Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save frequently used scans as profiles to make them easy to run recurrently.

FIGURE 3.21: Zenmap Showing Xmas Scan Result (command "nmap -sX -v 192.168.168.3"; the XMAS Scan reports 997 closed ports and 22/tcp ssh, 88/tcp kerberos-sec and 548/tcp afp as open|filtered; 1 host up, scanned in 12.19 seconds)
  • 50. FIN Scan

  • In FIN scan, attackers send a TCP frame to a remote host with only the FIN flag set
  • FIN scan works only with an OS TCP/IP stack developed according to RFC 793
  • It will not work against any current version of Microsoft Windows

FIN Scan

FIN Scan is a type of port scan. The client sends a FIN packet to the target port, and if the service is not running or the port is closed, the target replies to the probe packet with an RST.

FIGURE 3.22: FIN Scan when Port is Open (attacker 10.0.0.6 sends FIN to 10.0.0.8:23; no response)
  • 51. FIGURE 3.23: FIN Scan when Port is Closed (attacker 10.0.0.6 sends FIN to 10.0.0.8:23; RST returned)

FIGURE 3.24: Zenmap showing FIN Scan Result (command "nmap -sF -v 192.168.168.3"; the FIN Scan reports 997 closed ports and 22/tcp ssh, 88/tcp kerberos-sec and 548/tcp afp as open|filtered; 1 host up, scanned in 14.28 seconds)
  • 52. NULL Scan

Diagram: attacker 10.0.0.6 sends a TCP packet with no flags set; no response means the port is open.

  • In NULL scan, attackers send a TCP frame to a remote host with no flags set
  • NULL scan only works if the OS's TCP/IP implementation is developed according to RFC 793
  • It will not work against any current version of Microsoft Windows

NULL Scan

NULL scans send TCP packets with all flags turned off. It is assumed that closed ports will return a TCP RST, while packets received by open ports are discarded as invalid. The scan sets all flags of the TCP header, such as ACK, FIN, RST, SYN, URG and PSH, to NULL or unassigned. When such a packet arrives at the server, BSD networking code informs the kernel to drop the incoming packet if the port is open, or returns an RST flag if the port is closed. This scan uses the flags in the reverse fashion of the Xmas scan, but gives the same output as the FIN and Xmas tree scans. The network code of major operating systems can behave differently in responding to the packet, e.g., Microsoft versus UNIX. This method does not work for Microsoft operating systems.

The command line option for NULL scanning with Nmap is "-sN".

Advantage: It avoids IDS and the TCP three-way handshake.
Disadvantage: It works only for UNIX.
  • 53. FIGURE 3.25: NULL Scan when Port is Open (attacker 10.0.0.6 sends a TCP packet with no flags set to server 10.0.0.8:23; no response)
FIGURE 3.26: NULL Scan when Port is Closed (attacker 10.0.0.6 sends a TCP packet with no flags set to server 10.0.0.8:23; RST/ACK returned)

FIGURE 3.27: Zenmap showing NULL Scan Result (command "nmap -sN -v 192.168.168.3"; the NULL Scan reports 997 closed ports and 22/tcp ssh, 88/tcp kerberos-sec and 548/tcp afp as open|filtered; 1 host up, scanned in 10.66 seconds)
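The Xmas, FIN and NULL scans above all rest on one RFC 793 rule: a segment with no SYN, ACK or RST that arrives for a closed port is answered with RST, while an open port drops it silently. The following added example (not code from the CEH module or from Nmap) covers all three passages: it parses the flag byte out of constructed 20-byte TCP headers, names the probe pattern an IDS signature would match, and models both an RFC 793 compliant stack and a stack that answers every unexpected segment with RST, to show why the second kind yields only "closed" verdicts and so cannot be mapped this way. The header values and the two response models are constructed assumptions, not captured traffic.

```python
"""Flag-based classification of FIN, NULL and Xmas probes and the RFC 793
response model they depend on.  Added example, not code from the CEH module.

The 20-byte TCP headers below are constructed for this example.
"""
import struct

# Flag bits of the TCP header byte at offset 13 (RFC 793 layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG


def make_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a minimal TCP header: data offset 5 words, no options, checksum left 0."""
    data_offset = 5 << 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def tcp_flags(header):
    """Extract the six RFC 793 flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return header[13] & 0x3F


def probe_type(flags):
    """Name the probe an IDS signature would match on this flag combination."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags in (FIN | PSH | URG, ALL_SIX):
        return "Xmas"                   # the URG-PSH-FIN pattern, or every flag as the slide lists
    if flags & SYN:
        return "SYN/ACK" if flags & ACK else "SYN"
    if flags & RST:
        return "RST"
    return "other"


def rfc793_response(flags, port_open):
    """Reply of an RFC 793 compliant stack that has no matching connection."""
    if flags & RST:
        return "none"                   # an incoming RST is never answered
    if flags & ACK:
        return "RST"                    # unsolicited ACK draws RST whatever the port state
    if flags & SYN:
        return "SYN/ACK" if port_open else "RST/ACK"
    # FIN, NULL and Xmas probes: a closed port answers RST, an open port drops silently
    return "none" if port_open else "RST"


def rst_always_response(flags, port_open):
    """Constructed model of a stack that answers every unexpected segment with RST."""
    if flags & RST:
        return "none"
    if flags & SYN and not flags & ACK:
        return "SYN/ACK" if port_open else "RST/ACK"
    return "RST"


def infer_port_state(response):
    """How a scanner reads the reply, using Nmap's state names."""
    if response == "none":
        return "open|filtered"          # silence: open, or a filter dropped the probe
    if response == "SYN/ACK":
        return "open"
    if response in ("RST", "RST/ACK"):
        return "closed"
    return "unexpected"


def scan_verdicts(respond, flags):
    """Verdicts a scanner reaches for an open and a closed port on the given stack."""
    return {"open_port": infer_port_state(respond(flags, True)),
            "closed_port": infer_port_state(respond(flags, False))}


# Constructed probes aimed at port 23, as in the slide diagrams
PROBES = {
    "null": make_header(40000, 23, 0),
    "fin": make_header(40001, 23, FIN),
    "xmas": make_header(40002, 23, FIN | PSH | URG),
    "syn": make_header(40003, 23, SYN),
}

if __name__ == "__main__":
    for name, hdr in PROBES.items():
        flags = tcp_flags(hdr)
        print(name, probe_type(flags),
              "rfc793:", scan_verdicts(rfc793_response, flags),
              "rst-always:", scan_verdicts(rst_always_response, flags))
```

On the compliant model the three flag-trick probes give "open|filtered" for the open port and "closed" for the closed one, which is the output the Zenmap screenshots above show (22, 88 and 548/tcp reported as open|filtered). On the RST-always model both ports come back "closed", so the scan carries no information, while a plain SYN probe still distinguishes them on either stack. For a defender, NULL and URG-PSH-FIN flag combinations never occur in legitimate traffic, which makes them cheap IDS signatures.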
  • 54. IDLE Scan

  • Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port
  • One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port
  • The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed
  • A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored
  • Every IP packet on the Internet has a "fragment identification" number (IP ID)
  • The OS increments the IP ID for each packet sent, thus probing an IP ID gives an attacker the number of packets sent since the last probe

Command Prompt
C:\>nmap -Pn -p- -sI www.juggyboy.com www.certifiedhacker.com
Starting Nmap ( http://nmap.org )
Idlescan using zombie www.juggyboy.com (192.130.18.124:80); Class: Incremental
Nmap scan report for 198.182.30.110
(The 40321 ports scanned but not
Port      State   Service
21/tcp    open    ftp
25/tcp    open    smtp
80/tcp    open    http
Nmap done: 1 IP address (1 host up) scanned in 1931.23 seconds

IDLE Scan

The idle scan is a TCP port scan method that sends packets with a spoofed source address to a computer to find out what services are available, and it offers completely blind scanning of a remote host. This is accomplished by impersonating another computer. No packet is sent from your own IP address; instead, another host, often called a "zombie," is used to scan the remote host and determine the open ports. This is done by inspecting the IP ID sequence numbers of the zombie host, and if the remote host checks the IP of the scanning party, the IP of the zombie machine will show up.

Understanding TCP/IP

Source: http://nmap.org

Idle scanning is a sophisticated port scanning method. You do not need to be a TCP/IP expert to understand it. You need to understand the following basic facts:

  • Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port; otherwise it is closed.
  • 55.
  • To determine whether a port is open, send a session establishment "SYN" packet to the port. The target machine responds with a session request acknowledgment "SYN|ACK" packet if the port is open and a Reset "RST" packet if the port is closed.
  • A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.
  • Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send, so probing for this number can tell an attacker how many packets have been sent since the last probe.

From these facts, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning.

FIGURE 3.28: Nmap Showing Idle Scan Result (the command prompt output shown on the previous slide)
  • 56. IDLE Scan: Step 1

Every IP packet on the Internet has a fragment identification number (IP ID), which increases every time a host sends an IP packet.

FIGURE 3.29: IPID Probe Request and Response (attacker sends an IPID probe to the zombie; the zombie answers with an RST packet carrying IPID=31337)

Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number

In the first step, you can send a session establishment "SYN" packet or IPID probe to determine whether a port is open or closed. If the port is open, the "zombie" responds with a session request acknowledgment "SYN|ACK" packet containing the IPID of the remote host machine. If the port is closed, it sends a reset "RST" packet. Every IP packet on the Internet has a "fragment identification" number, which is incremented by one for every packet transmission. In the above diagram, the zombie responds with IPID=31337.
  • 57. IDLE Scan: Step 2 and 3

Step 2
  • Send SYN packet to the target machine (port 80) spoofing the IP address of the "zombie"
  • If the port is open, the target will send SYN/ACK packet to the zombie and in response zombie sends RST to the target
  • If the port is closed, the target will send RST to the "zombie" but zombie will not send anything back

Step 3
  • Probe "zombie" IPID again (IPID probe: SYN/ACK packet to the zombie; RST packet back with IPID=31339)
  • IPID incremented by 2 since Step 1, so port 80 must be open

IDLE Scan: Step 2 and 3

Idle Scan: Step 2.1 (Open Port)

Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie." If the port is open, the target will send the SYN/ACK packet to the zombie and in response the zombie sends the RST to the target.

FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open (attacker sends SYN packet to port 80 spoofing zombie IP address; target replies to the zombie)

Idle Scan: Step 2.2 (Closed Port)

The target will send the RST to the "zombie" if the port is closed, but the zombie will not send anything back.

FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed (attacker sends SYN packet to port 80 spoofing zombie IP address; target replies RST to the zombie)

Idle Scan: Step 3

Probe the "zombie" IPID again.

FIGURE 3.32: IPID Probe Request and Response (IPID probe: SYN/ACK packet to the zombie; RST packet back with Response: IPID=31339; IPID incremented by 2 since Step 1, so port 80 must be open)
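Steps 1 to 3 above form a side channel: the only thing the scanner ever measures is how many IP IDs the zombie consumed between two probes. The following added example (not code from the CEH module or from Nmap) simulates that exchange with toy hosts, reproducing the IPID=31337 / IPID=31339 values from the slides, and then runs the same procedure against a zombie whose IP IDs are not sequential to show why unpredictable IP IDs (and a zombie that is not actually idle) make the inference fail. It also includes the "Class: Incremental" check that the Nmap output on the earlier slide performs before trusting a zombie. Hosts, addresses, the toy TCP behaviour and the stand-in ID sequence are all constructed for this example.

```python
"""Simulation of the IP ID side channel behind the idle scan, and of the
countermeasure (unpredictable IP IDs) that closes it.  Added example, not code
from the CEH module; addresses and ID values are constructed.
"""


class Host:
    """Minimal TCP stack: SYN to an open port -> SYN/ACK, otherwise RST/ACK;
    an unsolicited SYN/ACK -> RST; any RST is ignored.  Every segment the host
    transmits consumes one IP ID."""

    def __init__(self, name, open_ports, ipid_mode="incremental",
                 ipid_start=31337, id_sequence=()):
        self.name = name
        self.open_ports = set(open_ports)
        self.ipid_mode = ipid_mode
        self._next_ipid = ipid_start
        self._ids = iter(id_sequence)   # constructed stand-in for a randomising generator

    def next_ipid(self):
        if self.ipid_mode == "incremental":
            ipid, self._next_ipid = self._next_ipid, self._next_ipid + 1
            return ipid
        return next(self._ids)

    def receive(self, seg):
        if seg["flags"] == "S":
            reply = "SA" if seg["dport"] in self.open_ports else "RA"
        elif seg["flags"] == "SA":
            reply = "R"                  # RFC 793: unsolicited SYN/ACK is answered with RST
        else:
            return None                  # RST and RST/ACK are silently dropped
        return {"src": self.name, "dst": seg["src"], "flags": reply, "ipid": self.next_ipid()}


class Network:
    """Delivers a segment to the host named in dst and forwards any reply to
    whatever address the segment claimed as its source (spoofed or not)."""

    def __init__(self, *hosts):
        self.hosts = {h.name: h for h in hosts}

    def send(self, seg):
        dst = self.hosts.get(seg["dst"])
        if dst is None:
            return None                  # no stack modelled at that address
        reply = dst.receive(seg)
        if reply is not None and reply["dst"] in self.hosts:
            self.send(reply)             # e.g. the target's SYN/ACK reaches the zombie
        return reply


def ipid_probe(net, attacker, zombie):
    """Elicit one RST from the zombie and read the IP ID it carries."""
    return net.send({"src": attacker, "dst": zombie.name, "dport": 80, "flags": "SA"})["ipid"]


def ipid_class(net, attacker, zombie):
    """Two back-to-back probes: a difference of exactly 1 marks an incremental zombie."""
    first, second = ipid_probe(net, attacker, zombie), ipid_probe(net, attacker, zombie)
    return "incremental" if second - first == 1 else "unpredictable"


def idle_scan_port(net, attacker, zombie, target, port):
    """Steps 1-3 from the slides: probe, spoofed SYN, probe again, compare IP IDs."""
    before = ipid_probe(net, attacker, zombie)                                         # step 1
    net.send({"src": zombie.name, "dst": target.name, "dport": port, "flags": "S"})   # step 2
    delta = ipid_probe(net, attacker, zombie) - before                                 # step 3
    if delta == 2:
        return "open"            # zombie answered the target's SYN/ACK, plus our probe reply
    if delta == 1:
        return "closed"          # only our probe reply consumed an ID
    return "indeterminate"       # IDs not sequential: randomised, or zombie not idle


# Constructed stand-in for the IDs a randomising stack would emit
RANDOMISED_IDS = [40212, 7, 61005, 23890, 1450, 9999, 30001, 2]


def run_demo(ipid_mode):
    """Scan ports 80 (open) and 25 (closed) on the target through one zombie."""
    zombie = Host("10.0.0.20", open_ports={80}, ipid_mode=ipid_mode, id_sequence=RANDOMISED_IDS)
    target = Host("10.0.0.30", open_ports={22, 80})
    net = Network(zombie, target)
    attacker = "10.0.0.99"
    return {port: idle_scan_port(net, attacker, zombie, target, port) for port in (80, 25)}


if __name__ == "__main__":
    print("incremental zombie:", run_demo("incremental"))
    print("randomised zombie: ", run_demo("random"))
```

With the incremental zombie the first probe returns 31337 and the post-scan probe 31339 for the open port, exactly the figures in Step 1 and Step 3, and 31341 after the closed-port round. With the randomised sequence every delta falls outside {1, 2}, so no port state can be inferred; any legitimate traffic the zombie sends during the scan has the same effect, which is why a usable zombie has to be idle. For defenders the simulation points at the two controls that matter: hosts with per-connection or randomised IP ID generation cannot serve as zombies, and anti-spoofing filters at the network edge stop the Step 2 SYN from ever carrying a neighbour's address.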