Hands-On Ethical Hacking
and Network Defense
Chapter 5
Port Scanning
Last revised
10-4-17
KonBoot
● Get into any account without the password
● Works on Windows and Linux
● No longer free
● Link Ch 5r
From the Projects: UBCD
● Proj 13
● Create new administrator user on a Windows
computer
● Based on Win XP Pre-Boot Environment; causes
BSOD on some modern systems
Linux-Based UBCD
● Proj X7
● Promote normal user to administrator user
on a Windows computer
● Works well on modern systems
Objectives
● Describe port scanning
● Describe different types of port scans
● Describe various port-scanning tools
● Explain what ping sweeps are used for
● Explain how shell scripting is used to
automate security tasks
4
Introduction to Port Scanning
● Port Scanning
● Finds out which services are offered by a host
● Identifies vulnerabilities
● Open services can be used on attacks
● Identify a vulnerable port
● Launch an exploit
● Scan all ports when testing
● Not just well-known ports
5
Introduction to Port Scanning
(continued)
● Port scanning programs report
● Open ports
● Closed ports
● Filtered ports
● Best-guess assessment of which OS is running
7
Is Port Scanning Legal?
● The legal status of port scanning is unclear
● If you have permission, it's legal
● If you cause damage of $5,000 or more, it
may be illegal
● For more, see links Ch 5a and Ch 5b
8
Normal TCP Handshake
Client  SYN -->      Server
Client  <-- SYN/ACK  Server
Client  ACK -->      Server
After this, you are ready to send data
9
SYN Port Scan
Client  SYN -->      Server
Client  <-- SYN/ACK  Server
Client  RST -->      Server
The server is ready, but the client decided
not to complete the handshake
10
Types of Port Scans
● SYN scan
● Stealthy scan, because session handshakes are
never completed
● That keeps it out of some log files
● Three states
● Closed
● Open
● Filtered
11
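The two exchanges above differ only in the client's third packet (ACK versus RST), which is why a SYN scan stays out of application logs but not out of a packet-level sensor. The following is an added example, not part of the slides: it classifies flows from a constructed, simplified packet log ("time src:port dst:port FLAGS", an assumed format standing in for a pcap or connection log) and flags a source that half-opens several ports.

```python
"""Classify TCP flows from a packet-level log and flag half-open (SYN) scans.

Added example, not from the slides. The log format below is a constructed,
simplified one: "time src_ip:port dst_ip:port FLAGS". A real sensor would feed
this from pcap or a connection log instead.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 completes a normal handshake to port 80, then
# half-opens ports 22 and 443 (SYN, SYN/ACK, RST), hits closed port 25
# (SYN, RST/ACK) and gets no reply at all from port 8080.
SAMPLE_LOG = """\
0.001 10.0.0.5:40001 10.0.0.9:80 SYN
0.002 10.0.0.9:80 10.0.0.5:40001 SYN/ACK
0.003 10.0.0.5:40001 10.0.0.9:80 ACK
0.010 10.0.0.5:40002 10.0.0.9:22 SYN
0.011 10.0.0.9:22 10.0.0.5:40002 SYN/ACK
0.012 10.0.0.5:40002 10.0.0.9:22 RST
0.020 10.0.0.5:40003 10.0.0.9:25 SYN
0.021 10.0.0.9:25 10.0.0.5:40003 RST/ACK
0.030 10.0.0.5:40004 10.0.0.9:443 SYN
0.031 10.0.0.9:443 10.0.0.5:40004 SYN/ACK
0.032 10.0.0.5:40004 10.0.0.9:443 RST
0.040 10.0.0.5:40005 10.0.0.9:8080 SYN
"""


def parse_log(text):
    """Turn log lines into (time, src_ip, sport, dst_ip, dport, flags) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, flags = line.split()
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        records.append((float(t), src_ip, int(sport), dst_ip, int(dport), flags))
    return records


def classify_flows(records):
    """Group packets by the connection the SYN sender opened and label it.

    The flag sequence tells the two slides apart: a completed handshake is
    SYN, SYN/ACK, ACK; a SYN scan leaves SYN, SYN/ACK, RST instead.
    """
    sequences = {}
    for _t, src_ip, sport, dst_ip, dport, flags in sorted(records):
        forward = (src_ip, sport, dst_ip, dport)
        reverse = (dst_ip, dport, src_ip, sport)
        if flags == "SYN":
            sequences.setdefault(forward, []).append(flags)
        elif forward in sequences:
            sequences[forward].append(flags)      # client's follow-up (ACK or RST)
        elif reverse in sequences:
            sequences[reverse].append(flags)      # server's reply
        # anything else is unsolicited and ignored here

    states = {}
    for (client, _cport, server, dport), seq in sequences.items():
        if seq[:3] == ["SYN", "SYN/ACK", "ACK"]:
            state = "open (completed)"
        elif seq[:3] == ["SYN", "SYN/ACK", "RST"]:
            state = "open (half-open)"
        elif len(seq) > 1 and seq[1] in ("RST", "RST/ACK"):
            state = "closed"
        else:
            state = "filtered (no reply)"
        states[(client, server, dport)] = state
    return states


def find_syn_scanners(states, threshold=2):
    """Return {client: [ports]} for clients that half-opened >= threshold ports."""
    probes = defaultdict(set)
    for (client, _server, dport), state in states.items():
        if state == "open (half-open)":
            probes[client].add(dport)
    return {c: sorted(p) for c, p in probes.items() if len(p) >= threshold}


if __name__ == "__main__":
    flows = classify_flows(parse_log(SAMPLE_LOG))
    for (client, server, port), state in sorted(flows.items()):
        print(f"{client} -> {server}:{port:<5} {state}")
    print("suspected SYN scanners:", find_syn_scanners(flows))
```

A web server's access log would show only the port 80 connection here, because the other probes never reach the application. Closed-port probes (SYN then RST/ACK) look the same for a connect scan and a SYN scan, so a fuller detector would also count those across many ports rather than only the half-open ones.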
Types of Port Scans
● Connect scan
● Completes the three-way handshake
● Not stealthy--appears in log files
● Three states
● Closed
● Open
● Filtered
12
Types of Port Scans
● NULL scan
● All the packet flags are turned off
● Two results:
● Closed ports reply with RST
● Open or filtered ports give no response
13
Types of Port Scans
● XMAS scan
● FIN, PSH and URG flags are set
● Works like a NULL scan – a closed port
responds with an RST packet
● FIN scan
● Only FIN flag is set
● Closed port responds with an RST packet
14
Windows Machines
● NULL, XMAS and FIN scans don't work on
Windows machines
● Win 2000 Pro and Win Server 2003 show all
ports closed
● Win XP Pro all ports open/filtered
● See the NMAP tutorial (link Ch 5c)
15
Types of Port Scans
● Ping scan
● Simplest method sends ICMP ECHO REQUEST
to the destination(s)
● TCP Ping sends SYN or ACK to any port
(default is port 80 for Nmap)
● Any response shows the target is up
16
Types of Port Scans (continued)
● ACK scan
● Used to get information about a firewall
● Stateful firewalls track connection and block
unsolicited ACK packets
● Stateless firewalls just block incoming SYN packets,
so you get a RST response
● UDP scan
● Closed port responds with ICMP “Port Unreachable”
message
● Rarely used--but much improved in latest Nmap
version (2010)
17
Using Port-Scanning Tools
● Nmap
● Nessus and OpenVAS (the GPL-licensed
fork of Nessus)
● A complete vulnerability scanner, more
than a port scanner
23
Nmap
● Originally written for Phrack magazine
● One of the most popular tools
● GUI versions
● Xnmap and Ubuntu's NmapFE
● Open source tool
● Standard tool for security professionals
24
The Matrix Reloaded
● Trinity uses Nmap
● Video at link Ch 4e
25
Nessus
● First released in 1998
● No longer free; the free version is called
OpenVAS (Greenbone)
● Uses a client/server technology
● Can conduct tests from different locations
● Can use different OSs for client and
network
29
Nessus (continued)
● Finds services running on ports
● Finds vulnerabilities associated with
identified services
OpenVAS (Greenbone)
Conducting Ping Sweeps
● Ping sweeps
● Identify which IP addresses belong to active
hosts
● Ping a range of IP addresses
● Problems
● Computers that are shut down cannot respond
● Networks may be configured to block ICMP
Echo Requests
● Firewalls may filter out ICMP traffic
34
FPing
● Ping multiple IP addresses simultaneously
● www.fping.com/download
● Command-line tool
● Input: multiple IP addresses
● To enter a range of addresses
● -g option
● Input file with addresses
● -f option
● See links Ch 5k, 5l
35
Hping
● Used to bypass filtering devices
● Allows users to fragment and manipulate IP
packets
● www.hping.org/download
● Powerful tool
● All security testers must be familiar with tool
● Supports many parameters (command
options)
● See links Ch 5m, Ch 5n
38
Broadcast Addresses
● If you PING a broadcast address, that can
create a lot of traffic
● Normally the broadcast address ends in
255
● But if your LAN is subnetted with a subnet
mask like 255.255.255.192
● There are other broadcast addresses ending in
63, 127, and 191
42
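The slide's point is that a filter which only blocks addresses ending in 255 misses the other directed-broadcast addresses a smaller subnet mask creates. As an added example (not from the slides), the script below enumerates them for any mask with the standard-library ipaddress module and offers the check a defender would run on a ping destination; the network 192.168.1.0/24 is a constructed sample.

```python
"""Enumerate the broadcast addresses a subnet mask creates inside a /24.

Added example, not from the slides. Uses only the standard-library ipaddress
module; the network 192.168.1.0/24 used below is a constructed sample.
"""
import ipaddress


def prefix_from_mask(mask):
    """Turn a dotted mask such as 255.255.255.192 into a prefix length (26)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def broadcast_addresses(network, mask):
    """All directed-broadcast addresses when `network` is split by `mask`."""
    net = ipaddress.ip_network(network, strict=False)
    return [str(sub.broadcast_address)
            for sub in net.subnets(new_prefix=prefix_from_mask(mask))]


def last_octets(network, mask):
    """Just the final octet of each broadcast address, as the slide lists them."""
    return [int(addr.rsplit(".", 1)[1])
            for addr in broadcast_addresses(network, mask)]


def is_directed_broadcast(address, network, mask):
    """True if `address` is the broadcast of any subnet `mask` carves out of `network`.

    A rule that only blocks x.x.x.255 misses these; this is the check to apply
    before letting a ping through to a subnetted LAN.
    """
    return str(ipaddress.ip_address(address)) in broadcast_addresses(network, mask)


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.192", "255.255.255.224"):
        print(mask, "->", last_octets("192.168.1.0/24", mask))
    print(is_directed_broadcast("192.168.1.127", "192.168.1.0/24", "255.255.255.192"))
```

With mask 255.255.255.192 the /24 splits into four /26 subnets, so the broadcast addresses end in 63, 127, 191 and 255, matching the slide; a /27 mask (255.255.255.224) adds 31, 95, 159 and 223 as well.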
Smurf Attack
● Pinging a broadcast address on an old network
resulted in a lot of ping responses
● So just put the victim's IP address in the "From"
field
● The victim is attacked by a flood of pings, none of them
directly from you
● Modern routers don't forward broadcast packets,
which prevents them from amplifying smurf
attacks
● Windows XP and Ubuntu don't respond to
broadcast PINGs
● See links Ch 5o, 5p
43
Broadcast Ping at CCSF
Crafting IP Packets
● Packet components
● Source IP address
● Destination IP address
● Flags
● Crafting packets helps you obtain more
information about a service
● Tools
● Fping
● Hping
45
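The packet components this slide lists (source address, destination address, flags) are what a crafting tool such as Hping fills in. The block below is an added example, not from the slides and not Hping or Scapy code: it packs a raw TCP header in memory with struct, computes the checksum over the IPv4 pseudo-header the way a receiver verifies it, and decodes the flag byte back into names so the NULL, XMAS, FIN, SYN and ACK probes from the earlier slides can be recognised in a capture. Nothing is sent; the addresses are constructed samples.

```python
"""Build and decode a raw TCP header in memory to see what the scan types send.

Added example, not from the slides and not Hping or Scapy code. It packs the
RFC 793 header layout with struct, computes the checksum over the IPv4
pseudo-header as a receiver would, and decodes the flag byte back into names.
Nothing is put on the wire; the point is to recognise these probes in a capture.
"""
import socket
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag sets named on the slides: a NULL scan sets nothing, XMAS sets FIN+PSH+URG.
PROBES = {"SYN": ["SYN"], "NULL": [], "XMAS": ["FIN", "PSH", "URG"],
          "FIN": ["FIN"], "ACK": ["ACK"]}


def flags_to_byte(names):
    value = 0
    for name in names:
        value |= FLAG_BITS[name]
    return value


def byte_to_flags(value):
    return [name for name, bit in FLAG_BITS.items() if value & bit]


def ones_complement_sum(data):
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6, TCP length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_length)


def build_tcp_header(src_ip, dst_ip, sport, dport, flag_names,
                     seq=0, ack=0, window=8192):
    """Return a 20-byte TCP header with no options and a valid checksum."""
    offset_and_flags = (5 << 12) | flags_to_byte(flag_names)   # data offset = 5 words
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_and_flags, window, 0, 0)        # checksum field zero
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_checksum_ok(src_ip, dst_ip, header):
    """A receiver's check: the sum over pseudo-header plus header must come out zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


def parse_tcp_header(header):
    sport, dport, seq, ack, offset_and_flags, window, csum, urg = \
        struct.unpack("!HHIIHHHH", header[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": offset_and_flags >> 12,
            "flags": byte_to_flags(offset_and_flags & 0x3F),   # low six flag bits
            "window": window, "checksum": csum, "urgent": urg}


if __name__ == "__main__":
    # Constructed addresses; prints the flag byte each probe type carries.
    for name, flag_names in PROBES.items():
        hdr = build_tcp_header("10.0.0.5", "10.0.0.9", 40001, 80, flag_names)
        info = parse_tcp_header(hdr)
        print(f"{name:<5} flag byte 0x{flags_to_byte(flag_names):02x} "
              f"flags={info['flags']} "
              f"checksum_ok={tcp_checksum_ok('10.0.0.5', '10.0.0.9', hdr)}")
```

Because the checksum covers the pseudo-header, a header built for one destination fails verification if the destination address is changed, which is also why a crafted packet with a spoofed source still needs its checksum recomputed. In a capture, a flag byte of 0x00 or 0x29 on a packet that opens no connection is the NULL or XMAS probe described on the earlier slides.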
Understanding Shell Scripting
● Modify tools to better suit your needs
● Script
● Computer program that automates tasks
● Time-saving solution
46
Scripting Basics
● Similar to DOS batch programming
● Script or batch file
● Text file
● Contains multiple commands
● Repetitive commands are good candidate for
scripting
● Practice is the key
47
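The repetitive command the ping-sweep and FPing slides describe (ping a range given as first/last addresses, like fping -g, or read from a file, like fping -f) is exactly the kind of task the scripting slides suggest automating. The script below is an added example, not from the slides and not fping itself: the address expansion is pure Python, while ping_host shells out to the system ping with Linux-style options (-c 1 -W 1), an assumption that needs adjusting on other platforms.

```python
"""Automate a ping sweep: expand a range or file of targets, ping each one
concurrently, and report which addresses answered.

Added example, not from the slides and not fping itself. ping_host runs the
system `ping` with Linux-style options (-c 1 -W 1); that is an assumption and
the options differ on macOS and Windows. The address expansion is pure Python.
"""
import ipaddress
import subprocess
from concurrent.futures import ThreadPoolExecutor


def expand_range(first, last):
    """Like fping -g: every address from `first` to `last` inclusive."""
    start = int(ipaddress.ip_address(first))
    stop = int(ipaddress.ip_address(last))
    if stop < start:
        raise ValueError("range end precedes start")
    return [str(ipaddress.ip_address(n)) for n in range(start, stop + 1)]


def expand_cidr(cidr):
    """Every usable host in a CIDR block (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def read_targets(text):
    """Like fping -f: one target per line; blank lines and # comments skipped."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            targets.append(line)
    return targets


def ping_host(ip, timeout=1):
    """One ICMP echo request; True only if a reply came back."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout), ip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def sweep(targets, workers=32):
    """Ping all targets concurrently; returns {ip: 'alive' | 'no reply'}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = list(pool.map(ping_host, targets))
    # "no reply" is not proof the host is down: it may be off, or ICMP Echo may
    # be blocked on the host or by a firewall, as the ping-sweep slide warns.
    return {ip: ("alive" if up else "no reply") for ip, up in zip(targets, answers)}


if __name__ == "__main__":
    import sys
    # Usage: python sweep.py 192.168.1.0/24   (defaults to localhost)
    targets = expand_cidr(sys.argv[1]) if len(sys.argv) > 1 else ["127.0.0.1"]
    for ip, status in sweep(targets).items():
        print(f"{ip:<16} {status}")
```

The result labels deliberately say "no reply" rather than "down": a silent address may be a powered-off machine or a host behind a firewall that drops ICMP, and only a TCP ping or a port scan of that address can tell those apart.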
Scapy
● Packet-crafting python utility
● Proj 9, 10, 17, X11, X12, X13
Python
● Write your own tools
● Using this book in CNIT 124
50
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 

Ch 5: Port Scanning

  • 1. Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last revised 10-4-17
  • 2. KonBoot ● Get into any account without the password ● Works on Windows and Linux ● No longer free ● Link Ch 5r
  • 3. From the Projects: UBCD ● Proj 13 ● Create new administrator user on a Windows computer ● Based on Win XP Pre-Boot Environment; causes BSOD on some modern systems
  • 4. Linux-Based UBCD ● Proj X7 ● Promote normal user to administrator user on a Windows computer ● Works well on modern systems
  • 5. Objectives ● Describe port scanning ● Describe different types of port scans ● Describe various port-scanning tools ● Explain what ping sweeps are used for ● Explain how shell scripting is used to automate security tasks
  • 6. Introduction to Port Scanning ● Port Scanning ● Finds out which services are offered by a host ● Identifies vulnerabilities ● Open services can be used in attacks ● Identify a vulnerable port ● Launch an exploit ● Scan all ports when testing ● Not just well-known ports
  • 12. Introduction to Port Scanning (continued) ● Port scanning programs report ● Open ports ● Closed ports ● Filtered ports ● Best-guess assessment of which OS is running
  • 13. Is Port Scanning Legal? ● The legal status of port scanning is unclear ● If you have permission, it's legal ● If you cause damage of $5,000 or more, it may be illegal ● For more, see links Ch 5a and Ch 5b
  • 14. Normal TCP Handshake ● Client SYN → Server ● Client ← SYN/ACK Server ● Client ACK → Server ● After this, you are ready to send data
  • 15. SYN Port Scan ● Client SYN → Server ● Client ← SYN/ACK Server ● Client RST → Server ● The server is ready, but the client decided not to complete the handshake
  • 16. Types of Port Scans ● SYN scan ● Stealthy scan, because session handshakes are never completed ● That keeps it out of some log files ● Three states ● Closed ● Open ● Filtered
  • 17. Types of Port Scans ● Connect scan ● Completes the three-way handshake ● Not stealthy--appears in log files ● Three states ● Closed ● Open ● Filtered
  • 18. Types of Port Scans ● NULL scan ● All the packet flags are turned off ● Two results: ● Closed ports reply with RST ● Open or filtered ports give no response
  • 19. Types of Port Scans ● XMAS scan ● FIN, PSH and URG flags are set ● Works like a NULL scan – a closed port responds with an RST packet ● FIN scan ● Only FIN flag is set ● Closed port responds with an RST packet
  • 20. Windows Machines ● NULL, XMAS and FIN scans don't work on Windows machines ● Win 2000 Pro and Win Server 2003 show all ports closed ● Win XP Pro shows all ports open/filtered ● See the NMAP tutorial (link Ch 5c)
  • 21. Types of Port Scans ● Ping scan ● Simplest method sends ICMP ECHO REQUEST to the destination(s) ● TCP Ping sends SYN or ACK to any port (default is port 80 for Nmap) ● Any response shows the target is up
  • 22. Types of Port Scans (continued) ● ACK scan ● Used to get information about a firewall ● Stateful firewalls track connections and block unsolicited ACK packets ● Stateless firewalls just block incoming SYN packets, so you get an RST response ● UDP scan ● Closed port responds with ICMP “Port Unreachable” message ● Rarely used--but much improved in latest Nmap version (2010)
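The state logic behind slides 14 through 22 (what a SYN, connect, NULL/FIN/XMAS, ACK or UDP probe gets back, and what the scanner reports from it) is easier to see when every rule is written out in one place. The following is an added example, not code from the book or from Nmap: two in-memory "responders" model an RFC 793-style stack and the Windows behaviour slide 20 describes for Win 2000/2003 (RST to NULL/FIN/XMAS whether the port is open or not), and classify() turns each answer into the open/closed/filtered verdict. The host port table is constructed, and nothing is sent on the network.

```python
"""Port-state inference for the scan types on these slides (added example)."""

# TCP flag bits, low bit = FIN (RFC 793)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def tcp_flags(*names):
    """Combine flag names into the 8-bit TCP flags field value."""
    return sum(TCP_FLAGS[n] for n in names)


# Probe per scan type: TCP scans carry a flags value, UDP carries a datagram.
PROBES = {
    "SYN":  tcp_flags("SYN"),
    "NULL": tcp_flags(),                     # every flag off
    "FIN":  tcp_flags("FIN"),
    "XMAS": tcp_flags("FIN", "PSH", "URG"),
    "ACK":  tcp_flags("ACK"),
    "UDP":  "udp-datagram",
}


def rfc_responder(state, probe):
    """RFC 793-style stack (Linux, BSD). state: 'open'|'closed'|'filtered'.
    Returns None for a dropped probe, else ('tcp', flags) or ('icmp', msg)."""
    if state == "filtered":
        return None                               # a firewall drops it silently
    if probe == PROBES["UDP"]:
        # closed UDP port -> ICMP port unreachable; an open one usually stays quiet
        return ("icmp", "port-unreachable") if state == "closed" else None
    if probe == PROBES["SYN"]:
        return ("tcp", tcp_flags("SYN", "ACK")) if state == "open" \
            else ("tcp", tcp_flags("RST", "ACK"))
    if probe == PROBES["ACK"]:
        return ("tcp", tcp_flags("RST"))          # RST from open and closed alike
    # NULL / FIN / XMAS: closed port answers RST, open port ignores the segment
    return ("tcp", tcp_flags("RST", "ACK")) if state == "closed" else None


def windows_responder(state, probe):
    """Model of Win 2000/2003 (slide 20): RST to NULL/FIN/XMAS regardless of
    port state, so those scans show every port as closed."""
    if state != "filtered" and probe in (PROBES["NULL"], PROBES["FIN"], PROBES["XMAS"]):
        return ("tcp", tcp_flags("RST", "ACK"))
    return rfc_responder(state, probe)


def classify(scan, response):
    """Map a probe's response to the state a scanner reports for that scan type."""
    kind, data = response if response else (None, None)
    rst = kind == "tcp" and bool(data & TCP_FLAGS["RST"])
    if scan == "SYN":
        if kind == "tcp" and data & TCP_FLAGS["SYN"] and data & TCP_FLAGS["ACK"]:
            return "open"
        return "closed" if rst else "filtered"
    if scan in ("NULL", "FIN", "XMAS"):
        if rst:
            return "closed"
        return "open|filtered" if response is None else "filtered"
    if scan == "ACK":                             # only reveals firewall statefulness
        return "unfiltered" if rst else "filtered"
    if scan == "UDP":
        if kind == "udp":
            return "open"                         # the service answered
        if kind == "icmp" and data == "port-unreachable":
            return "closed"
        return "open|filtered" if response is None else "filtered"
    raise ValueError(f"unknown scan type {scan}")


def scan_host(responder, ports, scan):
    """Run one scan type against a constructed host {port: true_state}."""
    return {p: classify(scan, responder(st, PROBES[scan])) for p, st in ports.items()}


if __name__ == "__main__":
    host = {22: "open", 23: "closed", 80: "filtered"}   # constructed host
    for scan in ("SYN", "NULL", "ACK", "UDP"):
        print(scan, "vs RFC stack:", scan_host(rfc_responder, host, scan))
        print(scan, "vs Windows  :", scan_host(windows_responder, host, scan))
```

Running it shows why the book says NULL/XMAS/FIN scans are useless against Windows: the same three-port host reads as 22 open|filtered, 23 closed, 80 open|filtered through the RFC responder, but as 22 closed, 23 closed, 80 open|filtered through the Windows one. The ACK scan never says "open"; it only separates ports a stateless filter lets through (RST comes back) from ports a stateful one blocks.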
  • 23. Using Port-Scanning Tools ● Nmap ● Nessus and OpenVAS (the GPL-licensed fork of Nessus) ● A complete vulnerability scanner, more than a port scanner
  • 24. Nmap ● Originally written for Phrack magazine ● One of the most popular tools ● GUI versions ● Xnmap and Ubuntu's NmapFE ● Open source tool ● Standard tool for security professionals
  • 25. The Matrix Reloaded ● Trinity uses Nmap ● Video at link Ch 4e
  • 27. Nessus ● First released in 1998 ● No longer free; the free version is called OpenVAS (Greenbone) ● Uses a client/server technology ● Can conduct tests from different locations ● Can use different OSs for client and network
  • 28. Nessus (continued) ● Finds services running on ports ● Finds vulnerabilities associated with identified services
  • 33. Conducting Ping Sweeps ● Ping sweeps ● Identify which IP addresses belong to active hosts ● Ping a range of IP addresses ● Problems ● Computers that are shut down cannot respond ● Networks may be configured to block ICMP Echo Requests ● Firewalls may filter out ICMP traffic
  • 34. FPing ● Ping multiple IP addresses simultaneously ● www.fping.com/download ● Command-line tool ● Input: multiple IP addresses ● To enter a range of addresses ● -g option ● Input file with addresses ● -f option ● See links Ch 5k, 5l
  • 37. Hping ● Used to bypass filtering devices ● Allows users to fragment and manipulate IP packets ● www.hping.org/download ● Powerful tool ● All security testers must be familiar with this tool ● Supports many parameters (command options) ● See links Ch 5m, Ch 5n
  • 41. Broadcast Addresses ● If you PING a broadcast address, that can create a lot of traffic ● Normally the broadcast address ends in 255 ● But if your LAN is subnetted with a subnet mask like 255.255.255.192 ● There are other broadcast addresses ending in 63, 127, and 191
  • 42. Smurf Attack ● Pinging a broadcast address on an old network resulted in a lot of ping responses ● So just put the victim's IP address in the "From" field ● The victim is attacked by a flood of pings, none of them directly from you ● Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks ● Windows XP and Ubuntu don't respond to broadcast PINGs ● See links Ch 5o, 5p
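Slides 17, 33, 41 and 42 all describe traffic that leaves a recognisable trail in a perimeter log: a connect scan hitting many ports on one host, a ping sweep hitting many hosts from one source, and an ICMP echo request addressed to a subnet broadcast such as the .63/.127/.191/.255 addresses of a 255.255.255.192 subnet. The detector below is an added example, not from the book: the key=value log format and the sample lines are constructed (they imitate no particular firewall product), the thresholds are illustrative, and the subnet list is an assumed inventory from which the broadcast addresses are derived with the ipaddress module.

```python
"""Spot port scans, ping sweeps and directed-broadcast pings in firewall logs
(added example; constructed log format and sample data)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

WINDOW = 60           # seconds a burst is measured over
PORT_THRESHOLD = 5    # distinct ports on one host from one source
HOST_THRESHOLD = 4    # distinct hosts echo-requested by one source

# Assumed inventory of our own subnets (constructed), mask 255.255.255.192
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in
                 ("10.0.1.0/26", "10.0.1.64/26", "10.0.1.128/26", "10.0.1.192/26")]
BROADCASTS = {str(n.broadcast_address) for n in LOCAL_SUBNETS}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ev = {"ts": datetime.fromisoformat(m.group("ts"))}
    except ValueError:
        return None
    for k, v in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        ev[k] = v
    return ev if "src" in ev and "dst" in ev and "proto" in ev else None


def burst_count(events, key):
    """Largest number of distinct `key` values inside any WINDOW-second span."""
    events = sorted(events, key=lambda e: e["ts"])
    best, lo, seen = 0, 0, defaultdict(int)
    for ev in events:
        seen[ev[key]] += 1
        while (ev["ts"] - events[lo]["ts"]).total_seconds() > WINDOW:
            seen[events[lo][key]] -= 1
            if seen[events[lo][key]] == 0:
                del seen[events[lo][key]]
            lo += 1
        best = max(best, len(seen))
    return best


def detect(lines):
    """Return a list of (rule, source, detail) findings for the given log lines."""
    tcp = defaultdict(list)     # (src, dst) -> TCP events
    echo = defaultdict(list)    # src -> ICMP echo-request events
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["proto"] == "tcp" and "dport" in ev:
            tcp[(ev["src"], ev["dst"])].append(ev)
        elif ev["proto"] == "icmp" and ev.get("type") == "8":
            echo[ev["src"]].append(ev)
            if ev["dst"] in BROADCASTS:       # smurf-style amplification attempt
                findings.append(("broadcast-ping", ev["src"], ev["dst"]))
    for (src, dst), evs in tcp.items():
        n = burst_count(evs, "dport")
        if n >= PORT_THRESHOLD:
            findings.append(("port-scan", src, f"{n} ports on {dst}"))
    for src, evs in echo.items():
        n = burst_count(evs, "dst")
        if n >= HOST_THRESHOLD:
            findings.append(("ping-sweep", src, f"{n} hosts"))
    return findings


# Constructed sample log, not real traffic
SAMPLE_LOG = [
    "2017-10-04T10:00:01 proto=tcp src=10.0.0.5 dst=10.0.1.20 dport=21 flags=S",
    "2017-10-04T10:00:01 proto=tcp src=10.0.0.5 dst=10.0.1.20 dport=22 flags=S",
    "2017-10-04T10:00:02 proto=tcp src=10.0.0.5 dst=10.0.1.20 dport=23 flags=S",
    "2017-10-04T10:00:02 proto=tcp src=10.0.0.5 dst=10.0.1.20 dport=25 flags=S",
    "2017-10-04T10:00:03 proto=tcp src=10.0.0.5 dst=10.0.1.20 dport=80 flags=S",
    "2017-10-04T10:00:03 proto=tcp src=10.0.0.5 dst=10.0.1.20 dport=443 flags=S",
    "2017-10-04T10:05:00 proto=tcp src=10.0.0.9 dst=10.0.1.20 dport=443 flags=S",
    "2017-10-04T10:05:01 proto=tcp src=10.0.0.9 dst=10.0.1.20 dport=443 flags=S",
    "2017-10-04T11:00:00 proto=icmp type=8 src=10.0.0.7 dst=10.0.1.1",
    "2017-10-04T11:00:00 proto=icmp type=8 src=10.0.0.7 dst=10.0.1.2",
    "2017-10-04T11:00:01 proto=icmp type=8 src=10.0.0.7 dst=10.0.1.3",
    "2017-10-04T11:00:01 proto=icmp type=8 src=10.0.0.7 dst=10.0.1.4",
    "2017-10-04T11:30:00 proto=icmp type=8 src=10.0.0.8 dst=10.0.1.63",
    "2017-10-04T11:30:00 proto=icmp type=0 src=10.0.1.2 dst=10.0.0.7",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample, 10.0.0.5 is reported for six ports on 10.0.1.20 within two seconds, 10.0.0.7 for echo-requesting four hosts, and 10.0.0.8 for the echo request to 10.0.1.63; the repeated legitimate connections from 10.0.0.9 to one port and the echo reply (type 0) are ignored. The window matters: the same six ports spread over ten minutes would stay under the threshold, which is exactly the trade-off a slow scan exploits and why the window and threshold are tuned per network.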
  • 44. Crafting IP Packets ● Packet components ● Source IP address ● Destination IP address ● Flags ● Crafting packets helps you obtain more information about a service ● Tools ● Fping ● Hping
  • 45. Understanding Shell Scripting ● Modify tools to better suit your needs ● Script ● Computer program that automates tasks ● Time-saving solution
  • 46. Scripting Basics ● Similar to DOS batch programming ● Script or batch file ● Text file ● Contains multiple commands ● Repetitive commands are good candidates for scripting ● Practice is the key
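Slide 44 lists the components a crafted packet is built from (source address, destination address, flags). Tools such as Hping and Scapy hide the byte layout; the added example below, which is not from the book, Hping or Scapy, serialises an IPv4 header and a TCP header with struct, computes the RFC 1071 checksums a receiving stack verifies (the TCP one over the pseudo-header), and parses the bytes back. Addresses and ports are constructed, and the packet is only built and decoded in memory, never sent.

```python
"""Build an IPv4 + TCP segment by hand and read it back (added example)."""
import socket
import struct

TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_TCP, ttl=64, ident=0):
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_header(src, dst, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header; the checksum also covers the RFC 793 pseudo-header."""
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_bits, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_packet(src, dst, sport, dport, flags=("SYN",)) -> bytes:
    """IPv4 header followed by a TCP header carrying the requested flags."""
    tcp = build_tcp_header(src, dst, sport, dport, flags)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def parse_packet(pkt: bytes) -> dict:
    """Decode the fields and verify both checksums, as a receiving stack would."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    sport, dport, _seq, _ack, _off, flag_bits, _win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    pseudo = struct.pack("!4s4sBBH", ip[8], ip[9], 0, ip[6], len(pkt) - ihl)
    return {
        "src": socket.inet_ntoa(ip[8]), "dst": socket.inet_ntoa(ip[9]),
        "sport": sport, "dport": dport,
        "flags": [n for n, b in TCP_FLAGS.items() if flag_bits & b],
        "ip_checksum_ok": checksum(pkt[:ihl]) == 0,      # sums to zero when intact
        "tcp_checksum_ok": checksum(pseudo + pkt[ihl:]) == 0,
    }


if __name__ == "__main__":
    # Constructed addresses and ports
    pkt = build_packet("10.0.0.5", "10.0.1.20", 40000, 80, ("FIN", "PSH", "URG"))
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_packet(pkt))
```

The XMAS probe from slide 19 is just flag bits 0x29 in byte 13 of the TCP header; a NULL probe is byte 13 set to zero. A receiver recomputes the checksum over the received bytes with the checksum field included and expects zero, so flipping any byte in a header makes parse_packet() report that header as corrupt.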
  • 48. Scapy ● Packet-crafting Python utility ● Proj 9, 10, 17, X11, X12, X13
  • 49. Python ● Write your own tools ● Using this book in CNIT 124
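Slides 45 through 49 make the point that repetitive security tasks belong in a script. One recurring task in the spirit of this chapter is checking that a host exposes only the ports it is supposed to. The script below is an added example, not from the book or CNIT 124: it parses an Nmap-style port list, does a plain connect check on each port (the connect scan from slide 17), and compares the result with an approved baseline. The baseline and the port specs are constructed; the only host it touches by default is 127.0.0.1, and demo_localhost() opens its own temporary listener so the check can be exercised offline.

```python
"""Automate a baseline audit of listening TCP ports (added example)."""
import socket
from contextlib import closing


def parse_port_spec(spec: str) -> set:
    """'22,80,8000-8002' -> {22, 80, 8000, 8001, 8002} (Nmap -p style)."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad range {part}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(part)
            if not 0 < p <= 65535:
                raise ValueError(f"bad port {part}")
            ports.add(p)
    return ports


def check_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Connect check of one port: True only when the three-way handshake completes."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port)) == 0
        except OSError:            # includes timeouts
            return False


def probe_ports(host: str, ports) -> set:
    """Set of ports on `host` that accepted a connection."""
    return {p for p in sorted(ports) if check_port(host, p)}


def audit(observed_open: set, baseline_open: set) -> dict:
    """Report drift: ports open that should not be, and expected ports missing."""
    return {
        "unexpected": sorted(observed_open - baseline_open),
        "missing": sorted(baseline_open - observed_open),
        "ok": not (observed_open ^ baseline_open),
    }


def demo_localhost() -> tuple:
    """Offline self-check: a temporary listener must look open, and the same
    port must look closed once the listener is gone. Returns (open, closed)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))          # OS picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = check_port("127.0.0.1", port)
    after_close = check_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed baseline: the only ports this host is approved to expose
    baseline = parse_port_spec("22,80,443")
    found = probe_ports("127.0.0.1", parse_port_spec("1-1024"))
    print(audit(found, baseline))
```

Scheduled from cron or Task Scheduler, audit() gives a diff rather than a raw port list, which is what an operator wants to be alerted on: a port that opened since the last run is a change to investigate, and an expected port that closed is a service outage.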