
CEH v8 Module 03: Scanning Networks


  1. Module 03
  2. Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker. Scanning Networks, Module 03. Engineered by Hackers. Presented by Professionals. Ethical Hacking and Countermeasures v8, Module 03: Scanning Networks, Exam 312-50. Module 03 Page 263. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Security News, Oct 18, 2012: Saliently Sality Botnet Trapped Scanning IPv4 Address Space

      Source: http://www.spamfighter.com

      A semi-famous botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study published by Paritynews.com on October 10, 2012. Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks.

      Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space without being recognized. That is only because the technique uses a very small number of packets that come from various sources. The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing to the scan. The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case, from various
  4. sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair King, as published by Softpedia.com on October 9, 2012). According to Alberto Dainotti, it is not that this stealth-scanning method is exceptional, but it is the first time that such an event has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts believe that this method has been adopted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying any event like this one. According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet uses classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator organized the scans across around 3 million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly overlaps, but cannot be noticed by present automation, as published by darkreading.com on October 4, 2012.

      Copyright © SPAMfighter 2003-2012: http://www.spamfighter.com/News-17993-Saliently-Sality-Botnet-Tra…-Address-Space.htm
  5. Module Objectives

      Once an attacker identifies his/her target system and does the initial reconnaissance, as discussed in the footprinting and reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance where the attacker learns more about his/her target, such as what operating system is used, the services that are being run on the systems, and configuration lapses, if any can be identified. The attacker can then strategize his/her attack, factoring in these aspects. This module will familiarize you with:

      • Overview of Network Scanning
      • CEH Scanning Methodology
      • Checking for Live Systems
      • Scanning Techniques
      • IDS Evasion Techniques
      • Banner Grabbing
      • Vulnerability Scanning
      • Drawing Network Diagrams
      • Use of Proxies for Attack
      • Proxy Chaining
      • HTTP Tunneling Techniques
      • SSH Tunneling
      • Anonymizers
      • IP Spoofing Detection Techniques
      • Scanning Countermeasures
      • Scanning Pen Testing
  6. Overview of Network Scanning

      Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network. Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization. (Diagram: the attacker sends TCP/IP probes into the network and gets network information back.)

      Objectives of Network Scanning: to discover live hosts, IP addresses, and open ports of live hosts; to discover operating systems and system architecture; to discover services running on hosts; to discover vulnerabilities in live hosts.

      As we already discussed, footprinting is the first phase of hacking, in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking because there you gather only the primary information about the target. You can use this primary information in the next phase to gather many more details about the target. The process of gathering additional details about the target using highly complex and aggressive reconnaissance techniques is called scanning. The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system.

      You can also discover more about the target system, such as what operating system is used, what services are running, and whether or not there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack.

      Types of Scanning:

      • Port scanning - open ports and services
      • Network scanning - IP addresses
      • Vulnerability scanning - presence of known weaknesses
  7. In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more ports are open, the more points of vulnerability; the fewer ports are open, the more secure the system is. This is simply a general rule. In some cases, the level of vulnerability may be high even though few ports are open.

      Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, their targets' operating systems, system architecture, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems.

      FIGURE 3.1: Network Scanning Diagram (the attacker sends TCP/IP probes and gets network information back)

      Objectives of Network Scanning

      If you have a large amount of information about a target organization, there are greater chances for you to learn the weaknesses and loopholes of that particular organization, and consequently, for gaining unauthorized access to their network. Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How to perform scanning and what type of information is to be obtained during the scanning process entirely depends on the hacker's viewpoint. There may be many objectives for performing scanning, but here we will discuss the most common objectives that are encountered during the hacking phase:

      • Discovering live hosts, IP addresses, and open ports of live hosts running on the network.
      • Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network.
      • Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
  8. (Objectives of Network Scanning, continued)

      • Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
      • Detecting the associated network service of each port
  9. CEH Scanning Methodology

      Steps: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing.

      The first step in scanning the network is to check for live systems. This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system, and various ping sweep tools.
  10. Checking for Live Systems - ICMP Scanning

      Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. (Diagram: Source (192.168.168.3) sends an ICMP Echo Request to Destination (192.168.168.5), which returns an ICMP Echo Reply.) The ping scan output using Nmap is shown in a Zenmap screenshot (http://nmap.org).

      ICMP Scanning

      All required information about a system can be gathered by sending ICMP packets to it. Since ICMP does not have a port abstraction, this cannot be considered a case of port scanning. However, it is useful to determine which hosts in a network are up by pinging them all (the -P option does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the number of pings in parallel with the -L option. It can also be helpful to tweak the ping timeout value with the -T option.

      ICMP Query

      The UNIX tool ICMPquery or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use.

      After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses. ICMPquery has both a timestamp and an address mask request option:

      icmpquery <query> [-B] [-f fromhost] [-d delay] [-T time] target
  11. Where <query> is one of:

      -t: icmp timestamp request (default)
      -m: icmp address mask request
      -d: delay to sleep between packets, in microseconds.
      -T: specifies the number of seconds to wait for a host to respond. The default is 5.

      A target is a list of hostnames or addresses.

      FIGURE 3.2: ICMP Query Diagram (Source (192.168.168.3) sends an ICMP Echo Request to Destination (192.168.168.5) and receives an ICMP Echo Reply)

      Ping Scan Output Using Nmap

      Source: http://nmap.org

      Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you can determine the live hosts on a network. It performs ping scans by sending ICMP ECHO requests to all the hosts on the network. If a host is live, then the host sends an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. The following screenshot shows the sample output of a ping scan using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:

      FIGURE 3.3: Zenmap Showing Ping Scan Output (Profile: Ping scan; Command: nmap -sn 192.168.168.5; the report shows that host 192.168.168.5 is up with its MAC address vendor (Dell), 1 IP address (1 host up) scanned in 0.18 seconds)
  12. Ping Sweep

      Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply. Attackers calculate subnet masks using subnet mask calculators to identify the number of hosts present in the subnet. Attackers then use ping sweep to create an inventory of live systems in the subnet. (Diagram: the source sends ICMP Echo Requests to 192.168.168.5, 192.168.168.7, 192.168.168.13 and further hosts, and each live host answers with an ICMP Echo Reply.) The ping sweep output using Nmap is shown in a Zenmap screenshot (http://nmap.org).

      A ping sweep (also known as an ICMP sweep) is a basic network scanning technique to determine which range of IP addresses map to live hosts (computers). While a single ping tells the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods to scan a network. This utility is distributed across almost all platforms, and acts like a roll call for systems; a system that is live on the network answers the ping query that is sent by another system.
  13. FIGURE 3.4: Ping Sweep Diagram (Source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5, 192.168.168.7, 192.168.168.13 and further hosts; live hosts return ICMP Echo Replies)

      TCP/IP Packet

      To understand ping, you should be able to understand the TCP/IP packet. When a system pings, a single packet is sent across the network to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping also determines the number of hops that lie between the two computers and the round-trip time, i.e., the total time taken by a packet for completing a trip. Ping can also be used for resolving host names. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address.

      Source: http://nmap.org

      Using Nmap Security Scanner you can perform a ping sweep. Ping sweep determines the IP addresses of live hosts. This provides information about the live host IP addresses as well as their MAC addresses. It allows you to scan multiple hosts at a time and determine active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:
  14. FIGURE 3.5: Zenmap showing ping sweep output (scan reports for 192.168.168.1, 192.168.168.3, 192.168.168.5, 192.168.168.13, and 192.168.168.14; each host is up, with its latency and MAC address vendor shown)
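From the defender's side, the sweep in Figure 3.4 looks like one source sending echo requests to many addresses within a short time. The following Python is an added example (not part of the CEH material or any tool it mentions) that parses constructed firewall-style ICMP log lines and flags sources that probe several distinct destinations inside a sliding time window; the log format, field names and thresholds are assumptions made for this example.

```python
"""Flag ICMP ping sweeps in firewall-style log lines (added example).

A ping sweep is one source sending ICMP echo requests (type 8) to many
destinations in a short window. The log format, the threshold and the
sample lines are constructed for this example; adapt the regex to your
own firewall or IDS export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log lines modelled on the sweep in Figure 3.4: one source
# (192.168.168.3) probing several hosts in the same /24 within seconds,
# two hosts answering (type 0), and an unrelated host pinging one gateway.
SAMPLE_LOG = """\
2012-08-08 12:41:00 ICMP src=192.168.168.3 dst=192.168.168.1 type=8 code=0
2012-08-08 12:41:00 ICMP src=192.168.168.3 dst=192.168.168.5 type=8 code=0
2012-08-08 12:41:00 ICMP src=192.168.168.5 dst=192.168.168.3 type=0 code=0
2012-08-08 12:41:01 ICMP src=192.168.168.3 dst=192.168.168.7 type=8 code=0
2012-08-08 12:41:01 ICMP src=192.168.168.3 dst=192.168.168.13 type=8 code=0
2012-08-08 12:41:02 ICMP src=192.168.168.3 dst=192.168.168.14 type=8 code=0
2012-08-08 12:41:02 ICMP src=192.168.168.13 dst=192.168.168.3 type=0 code=0
2012-08-08 12:55:00 ICMP src=192.168.168.20 dst=192.168.168.1 type=8 code=0
2012-08-08 12:55:30 ICMP src=192.168.168.20 dst=192.168.168.1 type=8 code=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ICMP "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) type=(?P<type>\d+) code=(?P<code>\d+)$"
)


def _ip_key(ip):
    """Sort key so 192.168.168.13 sorts after 192.168.168.7."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_echo_requests(log_text):
    """Return (timestamp, src, dst) for each ICMP echo request (type 8)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("type") != "8":
            continue  # skip replies, other ICMP types and malformed lines
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst")))
    return events


def detect_ping_sweeps(events, min_targets=4, window_seconds=60):
    """Return {src: sorted distinct destinations} for every source that hit
    at least min_targets distinct destinations within some window of
    window_seconds. A sliding window per source means a slow source that
    never reaches the threshold inside one window is not flagged; once a
    source is flagged, all of its distinct targets are reported."""
    per_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        per_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, probes in per_src.items():
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = {dst for _, dst in probes[start:end + 1]}
            if len(distinct) >= min_targets:
                alerts[src] = sorted({dst for _, dst in probes}, key=_ip_key)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in detect_ping_sweeps(parse_echo_requests(SAMPLE_LOG)).items():
        print(f"possible ping sweep from {src}: {len(targets)} hosts probed: {', '.join(targets)}")
```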
  15. Ping Sweep Tools

      Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc. (http://www.angryip.org)

      Solarwinds Engineer's Toolset's Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup. (http://www.solarwinds.com)

      Determining live hosts on a target network is the first step in the process of hacking or breaking into a network. This can be done using ping sweep tools. There are a number of ping sweep tools readily available in the market with which you can perform ping sweeps easily. These tools allow you to determine the live hosts by sending ICMP ECHO requests to multiple hosts at a time. Angry IP Scanner and Solarwinds Engineer's Toolset are a few commonly used ping sweep tools.

      Angry IP Scanner

      Source: http://www.angryip.org

      Angry IP Scanner is an IP scanner tool. This tool identifies all non-responsive addresses as dead nodes, resolves hostname details, and checks for open ports. The main features of this tool are multiple-port scanning and configurable scanning columns. Its main goal is to find the active hosts in the network by scanning all the IP addresses as well as ports. It runs on Linux, Windows, Mac OS X, etc. It can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.
  16. FIGURE 3.6: Angry IP Scanner Screenshot

      Solarwinds Engineer's Toolset

      Source: http://www.solarwinds.com

      The Solarwinds Engineer's Toolset is a collection of network engineer's tools. By using this toolset you can scan a range of IP addresses and identify the IP addresses that are currently in use and the IP addresses that are free. It also performs reverse DNS lookup.

      FIGURE 3.7: Solarwinds Engineer's Toolset Screenshot (Ping Sweep with starting and ending IP address fields)
  17. Ping Sweep Tools (Cont'd)

      In addition to Solarwinds Engineer's Toolset and Angry IP Scanner, there are many other tools that feature ping sweep capabilities. For example:

      • Colasoft Ping Tool, available at http://www.colasoft.com
      • Visual Ping Tester - Standard, available at http://www.pingtester.net
      • Ping Scanner Pro, available at http://www.digilextechnologies.com
      • Ultra Ping Pro, available at http://ultraping.webs.com
      • PingInfoView, available at http://www.nirsoft.net
      • PacketTrap MSP, available at http://www.packettrap.com
      • Ping Sweep, available at http://www.whatsupgold.com
      • Network Ping, available at http://www.greenline-soft.com
      • Ping Monitor, available at http://www.niliand.com
      • Pinkie, available at http://www.ipuptime.net
  18. CEH Scanning Methodology

      Steps: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing.

      So far we discussed how to check for live systems. Open ports are the doorways for an attacker to launch attacks on systems. Now we will discuss scanning for open ports. This section covers the three-way handshake, scanning IPv6 networks, and various scanning techniques such as FIN scan, SYN scan, and so on.
  19. Three-Way Handshake

      TCP uses a three-way handshake to establish a connection between server and client.

      Three-way Handshake Process (client Bill at 10.0.0.2:62000, server Sheela at 10.0.0.3:21):

      1. Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet with only the SYN flag set.
      2. The server replies with a packet with both the SYN and the ACK flags set.
      3. For the final step, the client responds back to the server with a single ACK packet.
      4. If these three steps are completed without complication, then a TCP connection is established between the client and the server.

      TCP is connection-oriented, which implies that connection establishment must precede data transfer between applications. This connection is possible through the process of the three-way handshake. The three-way handshake is implemented for establishing the connection between protocols. The three-way handshake process goes as follows:

      • To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the destination (10.0.0.3:21).
      • The destination, on receiving the SYN packet sent by the source, responds by sending a SYN/ACK packet back to the source.
      • This ACK packet confirms the arrival of the first SYN packet to the source.
      • In conclusion, the source sends an ACK packet for the ACK/SYN packet sent by the destination.
      • This triggers an "OPEN" connection allowing communication between the source and the destination, until either of them issues a "FIN" packet or a "RST" packet to close the connection.
  20. The TCP protocol maintains stateful connections for all connection-oriented protocols across the Internet, and works the same as an ordinary telephone conversation, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end until a person picks up the receiver and says, "Hello."

      FIGURE 3.8: Three-way Handshake Process (client Bill, 10.0.0.2:62000, sends SYN to server Sheela, 10.0.0.3:21; the server answers with SYN/ACK; the client completes the handshake with ACK)

      Establishing a TCP Connection

      As we previously discussed, a TCP connection is established based on the three-way handshake method. It is clear from the name of the connection method that the establishment of the connection is accomplished in three main steps.

      Source: http://support.microsoft.com/kb/172983

      The following three frames will explain the establishment of a TCP connection between nodes NTW3 and BDC3:

      Frame 1: In the first step, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize the sequence numbers. It specifies its Initial Sequence Number (ISN), which is incremented by 1 and that is sent to the server. To initialize a connection, the client and server must synchronize each other's sequence numbers. There is also an option for the
  21. 21. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Scanning Networks Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4), this option communicates the maximum segment size the sender wants to receive. The Acknowledgement field (ack: 0) is set to zero because this is the first part of the three-way handshake. l 2.0785 NTW3 ——> BDC3 TCP . ... S., len: 4, seq: 8221822—822l825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session) NTW3 ——> BDC3 IP TCP: .. ..S. , len: 4, seq: 8221822—822l825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session) TCP: Source Port = OxO40D TCP: Destination Port = NETBIOS Session Service TCP: Sequence Number = 8221822 (0x7D747E) TCP: Acknowledgement Number = O (OX0) TCP: Data Offset = 24 (Oxl8) TCP: Reserved = 0 (OXOOOO) TCP: Flags = 0x02 : .. ..S. TCP: .. O.. ... = No urgent data TCP: .. .O. ... = Acknowledgement field not significant TCP: .. ..0.. . = No Push function TCP: .. ...0.. = No Reset TCP: . . . . ..1. = Synchronize sequence numbers TCP: . . . . . . .0 = No Fin TCP: Window = 8192 (OXZOOO) TCP: Checksum = OxF2l3 TCP: Urgent Pointer = O (OX0) TCP: Options TCP: Option Kind (Maximum Segment Size) = 2 (OX2) TCP: Option Length = 4 (OX4) TCP: Option Value = 1460 (0x5B4) TCP: Frame Padding 00000: 02 60 8C 9E 18 SB 02 60 8C 3B 85 Cl 08 00 45 00 . ‘.. ... ‘.; ... .E. 00010: 00 2C DD 01 40 00 80 06 El 4B 83 6B 02 D6 83 6B . ,.. @.. ..K. k.. .k 00020: 02 D3 04 OD 00 8B 00 7D 74 7E 00 00 00 00 60 02 . . . . . .. )t~. OOO30: 20 00 F2 l3 O0 O0 O2 04 05 B4 20 20 . . . . . . . .. Module 03 Page 282 Ethical Hacking and Countermeasures Copyright © by El: -council All Rights Reserved. Reproduction is Strictly Prohibited.
Frame 2: In the second step, the server, BDC3, sends an ACK and a SYN in this segment (TCP .A..S.). In this segment the server is acknowledging the client's request for synchronization. At the same time, the server is also sending its own request to the client for synchronization of its sequence numbers. There is one major difference in this segment: the server transmits an acknowledgement number (8221823) to the client. The acknowledgement is proof to the client that the ACK is specific to the SYN the client initiated. To acknowledge the client's request, the server increments the client's sequence number by one and uses it as its acknowledgement number.

2   2.0786 BDC3 --> NTW3 TCP .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037 BDC3 --> NTW3 IP

TCP: .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037
    TCP: Source Port = NETBIOS Session Service
    TCP: Destination Port = 0x040D
    TCP: Sequence Number = 1109645 (0x10EE8D)
    TCP: Acknowledgement Number = 8221823 (0x7D747F)
    TCP: Data Offset = 24 (0x18)
    TCP: Reserved = 0 (0x0000)
    TCP: Flags = 0x12 : .A..S.
        TCP: ..0..... = No urgent data
        TCP: ...1.... = Acknowledgement field significant
        TCP: ....0... = No Push function
        TCP: .....0.. = No Reset
        TCP: ......1. = Synchronize sequence numbers
        TCP: .......0 = No Fin
    TCP: Window = 8760 (0x2238)
    TCP: Checksum = 0x012D
    TCP: Urgent Pointer = 0 (0x0)
    TCP: Options
        TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
        TCP: Option Length = 4 (0x4)
        TCP: Option Value = 1460 (0x5B4)
    TCP: Frame Padding

00000:  02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00   .`.;...`......E.
00010:  00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B   .,[.@....L.k...k
00020:  02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12   ...........}t.`.
00030:  22 38 01 2D 00 00 02 04 05 B4 20 20               "8.-........

Frame 3: In the third step, the client sends an ACK in this segment (TCP .A....). In this segment, the client is acknowledging the server's request for synchronization. The client uses the same algorithm the server used to produce its acknowledgement number. The client's acknowledgment of the server's request for synchronization completes the process of establishing a reliable connection, thus the three-way handshake.

3   2.0787 NTW3 --> BDC3 TCP .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP

TCP: .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session)
    TCP: Source Port = 0x040D
    TCP: Destination Port = NETBIOS Session Service
    TCP: Sequence Number = 8221823 (0x7D747F)
    TCP: Acknowledgement Number = 1109646 (0x10EE8E)
    TCP: Data Offset = 20 (0x14)
    TCP: Reserved = 0 (0x0000)
    TCP: Flags = 0x10 : .A....
        TCP: ..0..... = No urgent data
        TCP: ...1.... = Acknowledgement field significant
        TCP: ....0... = No Push function
        TCP: .....0.. = No Reset
        TCP: ......0. = No Synchronize
        TCP: .......0 = No Fin
    TCP: Window = 8760 (0x2238)
    TCP: Checksum = 0x18EA
    TCP: Urgent Pointer = 0 (0x0)
    TCP: Frame Padding

00000:  02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010:  00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B   .(..@....O.k...k
00020:  02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10   .......}t.....P.
00030:  22 38 18 EA 00 00 20 20 20 20 20 20               "8....
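The three frames above can be checked mechanically. The following Python script is an added example, not part of the CEH text or of the Microsoft article it quotes: it parses the three hex dumps (the byte strings below are constructed from the dumps above), decodes the TCP header, recomputes the IP and TCP checksums, and verifies the sequence/acknowledgement relationship that makes the exchange a valid three-way handshake.

```python
# Added example (not from the CEH text or Microsoft KB 172983): decode the three
# handshake frames and verify checksums and sequence/ack relationships.
import struct

# Constructed from the hex dumps above (Ethernet II + IPv4 + TCP, padded to 60 bytes).
FRAMES_HEX = {
    1: ("02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
        "00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B "
        "02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 "
        "20 00 F2 13 00 00 02 04 05 B4 20 20"),
    2: ("02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00 "
        "00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B "
        "02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 "
        "22 38 01 2D 00 00 02 04 05 B4 20 20"),
    3: ("02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
        "00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B "
        "02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 "
        "22 38 18 EA 00 00 20 20 20 20 20 20"),
}

# TCP flag bits, least significant bit first (RFC 793 layout).
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(hexdump: str) -> dict:
    """Parse one Ethernet/IPv4/TCP frame into header fields plus checksum verdicts."""
    raw = bytes.fromhex(hexdump)
    if raw[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                 # drops the Ethernet trailer padding
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(FLAG_NAMES) if off_flags & (1 << i)]
    # The TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length) + segment.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    mss = None
    opts, i = tcp[20:data_offset], 0
    while i < len(opts) and opts[i] != 0:   # kind 0 = end of option list
        if opts[i] == 1:                    # kind 1 = NOP, a single byte
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if kind == 2 and length == 4:       # Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": win, "mss": mss,
        "ip_ok": inet_checksum(ip[:ihl]) == 0,        # a valid header checksums to 0
        "tcp_ok": inet_checksum(pseudo + tcp) == 0,
    }


def verify_handshake(f1: dict, f2: dict, f3: dict) -> dict:
    """Checks that three decoded frames form SYN, SYN/ACK, ACK with consistent numbers."""
    return {
        "syn": f1["flags"] == ["SYN"],
        "syn_ack": f2["flags"] == ["SYN", "ACK"],
        "ack": f3["flags"] == ["ACK"],
        "server_acks_client_isn": f2["ack"] == f1["seq"] + 1,
        "client_acks_server_isn": f3["ack"] == f2["seq"] + 1,
        "client_seq_advanced": f3["seq"] == f1["seq"] + 1,
        "ports_mirrored": (f1["sport"], f1["dport"]) == (f2["dport"], f2["sport"]),
        "checksums_valid": all(f["ip_ok"] and f["tcp_ok"] for f in (f1, f2, f3)),
    }


if __name__ == "__main__":
    frames = [decode_frame(FRAMES_HEX[n]) for n in (1, 2, 3)]
    for n, f in zip((1, 2, 3), frames):
        print(n, f["src"], f["sport"], "->", f["dst"], f["dport"], f["flags"], f["seq"], f["ack"])
    print(verify_handshake(*frames))
```

Changing any byte of a dump (for instance the acknowledgement number) makes the TCP checksum check fail, which is how a capture tool detects a damaged or tampered segment.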
TCP Communication Flags

Standard TCP communications are controlled by flags in the TCP packet header. These flags govern the connection between hosts and give instructions to the system. The following are the TCP communication flags:

- Synchronize, alias "SYN": notifies the transmission of a new sequence number
- Acknowledgement, alias "ACK": confirms receipt of a transmission and identifies the next expected sequence number
- Push, alias "PSH": the system is accepting requests and forwarding buffered data (sends all buffered data immediately)
- Urgent, alias "URG": instructs that the data contained in the packet be processed as soon as possible
- Finish, alias "FIN": announces that no more transmissions will be sent to the remote system
- Reset, alias "RST": resets a connection

SYN scanning mainly deals with three of these flags, namely SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during the enumeration process.
FIGURE 3.9: TCP Communication Flags (TCP header layout, 0-31 bits: Source Port, Destination Port, Sequence No, Acknowledgement No, Offset, Reserved, TCP Flags, Window, TCP Checksum, Urgent Pointer, Options)
Create Custom Packets using TCP Flags

Colasoft Packet Builder enables creating custom network packets to audit networks for various attacks. Attackers can also use it to create fragmented packets to bypass firewalls and IDS systems in a network.

Source: http://www.colasoft.com

Colasoft Packet Builder is a tool that allows you to create custom network packets and to check the network against various attacks. It allows you to select a TCP packet from the provided templates and change its parameters in the decode editor, hexadecimal editor, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.
FIGURE 3.10: Colasoft Packet Builder Screenshot (packet list with delta time, source and destination, and a decode editor and hex editor for the selected packet)
Scanning IPv6 Network

IPv6 increases the size of the IP address space from 32 bits to 128 bits to support more levels of addressing hierarchy. Traditional network scanning techniques will be computationally less feasible due to the larger search space (64 bits of host address space, or 2^64 addresses) provided by IPv6 in a subnet. Scanning an IPv6 network is more difficult and complex than IPv4, and major scanning tools such as Nmap do not support ping sweeps on IPv6 networks. Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from:" and other header lines in archived email or Usenet news messages to identify IPv6 addresses for subsequent port scanning. Scanning an IPv6 network, however, offers a large number of hosts in a subnet; if an attacker can compromise one host in the subnet, he can probe the "all hosts" link-local multicast address.
Scanning Tool: Nmap

Source: http://nmap.org

Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Either a network administrator or an attacker can use this tool for their particular needs. Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems, and OS versions.
FIGURE 3.11: Zenmap Screenshots
Hping2/Hping3

- Command line packet crafter for the TCP/IP protocol
- Tool for security auditing and testing firewalls and networks
- Runs on both Windows and Linux operating systems

Source: http://www.hping.org

Hping2/Hping3 is a command-line-oriented TCP/IP packet assembler/analyzer that sends ICMP echo requests and supports the TCP, UDP, ICMP, and raw-IP protocols. It has a traceroute mode, and enables you to send files between covert channels. It has the ability to send custom TCP/IP packets and display target replies like a ping program does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer encapsulated files under the supported protocols. It supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services. An attacker studies the behavior of an idle host to gain information about the target such as the services that the host offers, the ports supporting the services, and the operating system of the target. This type of scan is a predecessor to either heavier probing or outright attacks.

Features: The following are some of the features of Hping2/Hping3:

- Determines whether the host is up even when the host blocks ICMP packets
- Advanced port scanning and testing of network performance using different protocols, packet sizes, TOS, and fragmentation
- Manual path MTU discovery
- Firewalk-like usage allows discovery of open ports behind firewalls
- Remote OS fingerprinting
- TCP/IP stack auditing

ICMP Scanning

A ping sweep, or Internet Control Message Protocol (ICMP) scanning, is the process of sending an ICMP request (ping) to all hosts on the network to determine which ones are up. This protocol is used by operating systems, routers, switches, and other Internet-protocol-based devices via the ping command to send Echo requests and receive Echo responses as a connectivity test between different hosts. The following screenshot shows ICMP scanning using the Hping3 tool:

FIGURE 3.12: Hping3 tool showing ICMP scanning output (root@bt:~# hping3 -1 10.0.0.2; the header line reads "HPING 10.0.0.2 (eth1 10.0.0.2): icmp mode set, 28 headers + 0 data bytes", and each reply line reports len=28, ip=10.0.0.2, ttl=128, the IP id, icmp_seq and rtt)

ACK Scanning on Port 80

You can use this scan technique to probe for the existence of a firewall and its rule sets. Simple packet filtering will allow you to establish a connection (packets with the ACK bit set are let through), whereas a sophisticated stateful firewall will not allow you to establish a connection. The following screenshot shows ACK scanning on port 80 using the Hping3 tool:
FIGURE 3.13: Hping3 tool showing ACK scanning output (hping3 -A against 10.0.0.2 on eth1, port 80; each reply line shows ttl=128, DF, sport=80 and flags=R)
Hping Commands

The following table lists various scanning methods and the respective Hping commands:

Scan                                              Command
ICMP ping                                         hping3 -1 10.0.0.25
ACK scan on port 80                               hping3 -A 10.0.0.25 -p 80
UDP scan on port 80                               hping3 -2 10.0.0.25 -p 80
Collecting initial sequence number                hping3 192.168.1.103 -Q -p 139 -s
Firewalls and time stamps                         hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
SYN scan on port 50-60                            hping3 -8 50-56 -S 10.0.0.25 -V
FIN, PUSH and URG scan on port 80                 hping3 -F -P -U 10.0.0.25 -p 80
Scan entire subnet for live host                  hping3 -1 10.0.1.x --rand-dest -I eth0
Intercept all traffic containing HTTP signature   hping3 -9 HTTP -I eth0
SYN flooding a victim                             hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

TABLE 3.1: Hping Commands Table
Scanning Techniques

Scanning is the process of gathering information about the systems that are alive and responding on the network. Port scanning techniques are designed to identify the open ports on a targeted server or host. This is often used by administrators to verify the security policies of their networks, and by attackers to identify running services on a host with the intent of compromising it. The different types of scanning techniques employed include:

- TCP Connect / Full Open Scan
- Stealth Scans: SYN Scan (Half-open Scan), XMAS Scan, FIN Scan, NULL Scan
- IDLE Scan
- ICMP Echo Scanning / List Scan
- SYN/FIN Scanning Using IP Fragments
- UDP Scanning
- Inverse TCP Flag Scanning
- ACK Flag Scanning
The following is the list of important reserved ports:

Name              Port/Protocol    Description
echo              7/tcp
echo              7/udp
discard           9/tcp            sink null
discard           9/udp            sink null
systat            11/tcp           Users
daytime           13/tcp
daytime           13/udp
netstat           15/tcp
qotd              17/tcp           Quote
chargen           19/tcp           ttytst source
chargen           19/udp           ttytst source
ftp-data          20/tcp           ftp data transfer
ftp               21/tcp           ftp command
ssh               22/tcp           Secure Shell
smtp              25/tcp           Mail
time              37/tcp           Timeserver
time              37/udp           Timeserver
rlp               39/udp           resource location
nicname           43/tcp           who is
domain            53/tcp           domain name server
domain            53/udp           domain name server
sql*net           66/tcp           Oracle SQL*net
sql*net           66/udp           Oracle SQL*net
bootps            67/tcp           bootp server
bootps            67/udp           bootp server
bootpc            68/tcp           bootp client
bootpc            68/udp           bootp client
tftp              69/tcp           Trivial File Transfer
tftp              69/udp           Trivial File Transfer
gopher            70/tcp           gopher server
finger            79/tcp           Finger
www-http          80/tcp           WWW
www-http          80/udp           WWW
kerberos          88/tcp           Kerberos
kerberos          88/udp           Kerberos
pop2              109/tcp          PostOffice V.2
pop3              110/tcp          PostOffice V.3
sunrpc            111/tcp          RPC 4.0 portmapper
sunrpc            111/udp          RPC 4.0 portmapper
auth/ident        113/tcp          Authentication Service
auth              113/udp          Authentication Service
audionews         114/tcp          Audio News Multicast
audionews         114/udp          Audio News Multicast
nntp              119/tcp          Usenet Network News Transfer
nntp              119/udp          Usenet Network News Transfer
ntp               123/tcp          Network Time Protocol
ntp               123/udp          Network Time Protocol
netbios-ns        137/tcp          NETBIOS Name Service
netbios-ns        137/udp          NETBIOS Name Service
netbios-dgm       138/tcp          NETBIOS Datagram Service
netbios-dgm       138/udp          NETBIOS Datagram Service
netbios-ssn       139/tcp          NETBIOS Session Service
netbios-ssn       139/udp          NETBIOS Session Service
imap              143/tcp          Internet Message Access Protocol
imap              143/udp          Internet Message Access Protocol
sql-net           150/tcp          SQL-NET
sql-net           150/udp          SQL-NET
sqlsrv            156/tcp          SQL Service
sqlsrv            156/udp          SQL Service
cmip-man          163/tcp          CMIP/TCP Manager
cmip-man          163/udp          CMIP
cmip-agent        164/tcp          CMIP/TCP Agent
cmip-agent        164/udp          CMIP
irc               194/tcp          Internet Relay Chat
irc               194/udp          Internet Relay Chat
at-rtmp           201/tcp          AppleTalk Routing Maintenance
at-rtmp           201/udp          AppleTalk Routing Maintenance
at-nbp            202/tcp          AppleTalk Name Binding
at-nbp            202/udp          AppleTalk Name Binding
at-3              203/tcp          AppleTalk
at-3              203/udp          AppleTalk
at-echo           204/tcp          AppleTalk Echo
at-echo           204/udp          AppleTalk Echo
at-5              205/tcp          AppleTalk
at-5              205/udp          AppleTalk
at-zis            206/tcp          AppleTalk Zone Information
at-zis            206/udp          AppleTalk Zone Information
at-7              207/tcp          AppleTalk
at-7              207/udp          AppleTalk
at-8              208/tcp          AppleTalk
at-8              208/udp          AppleTalk
ipx               213/tcp          IPX
ipx               213/udp          IPX
imap3             220/tcp          Interactive Mail Access Protocol v3
imap3             220/udp          Interactive Mail Access Protocol v3
aurp              387/tcp          AppleTalk Update-Based Routing
aurp              387/udp          AppleTalk Update-Based Routing
netware-ip        396/tcp          Novell Netware over IP
netware-ip        396/udp          Novell Netware over IP
rmt               411/tcp          Remote mt
rmt               411/udp          Remote mt
kerberos-ds       445/tcp
kerberos-ds       445/udp
isakmp            500/udp          ISAKMP/IKE
fcp               510/tcp          First Class Server
exec              512/tcp          BSD rexecd(8)
comsat/biff       512/udp          used by mail system to notify users
login             513/tcp          BSD rlogind(8)
who/whod          513/udp          BSD rwhod(8)
shell/cmd         514/tcp          BSD rshd(8)
syslog            514/udp          BSD syslogd(8)
printer/spooler   515/tcp          BSD lpd(8)
printer           515/udp          Printer Spooler
talk              517/tcp          BSD talkd(8)
talk              517/udp          Talk
ntalk             518/tcp          New Talk (ntalk)
ntalk             518/udp          SunOS talkd(8)
netnews           532/tcp          Readnews
uucp              540/tcp          uucpd BSD uucpd(8)
uucp              540/udp          uucpd BSD uucpd(8)
klogin            543/tcp          Kerberos Login
klogin            543/udp          Kerberos Login
kshell            544/tcp          Kerberos Shell
kshell            544/udp          Kerberos Shell
ekshell           545/tcp          krcmd Kerberos encrypted remote shell -kfall
pcserver          600/tcp          ECD Integrated PC board srvr
mount             635/udp          NFS Mount Service
pcnfs             640/udp          PC-NFS DOS Authentication
bwnfs             650/udp          BW-NFS DOS Authentication
flexlm            744/tcp          Flexible License Manager
flexlm            744/udp          Flexible License Manager
kerberos-adm      749/tcp          Kerberos Administration
kerberos-adm      749/udp          Kerberos Administration
kerberos          750/tcp          kdc Kerberos authentication-tcp
kerberos          750/udp          Kerberos authentication
kerberos_master   751/udp          Kerberos authentication
kerberos_master   751/tcp          Kerberos authentication
krb_prop          754/tcp          Kerberos slave propagation
applix            999/udp          Applixware
socks             1080/tcp         socks
socks             1080/udp         socks
kpop              1109/tcp         Pop with Kerberos
ms-sql-s          1433/tcp         Microsoft SQL Server
ms-sql-s          1433/udp         Microsoft SQL Server
ms-sql-m          1434/tcp         Microsoft SQL Monitor
ms-sql-m          1434/udp         Microsoft SQL Monitor
pptp              1723/tcp         Pptp
pptp              1723/udp         Pptp
nfs               2049/tcp         Network File System
nfs               2049/udp         Network File System
eklogin           2105/tcp         Kerberos encrypted rlogin
rkinit            2108/tcp         Kerberos remote kinit
kx                2111/tcp         X over Kerberos
kauth             2120/tcp         Remote kauth
lyskom            4894/tcp         LysKOM (conference system)
sip               5060/tcp         Session Initiation Protocol
sip               5060/udp         Session Initiation Protocol
x11               6000-6063/tcp    X Window System
x11               6000-6063/udp    X Window System
irc               6667/tcp         Internet Relay Chat
afs               7000-7009/tcp
afs               7000-7009/udp

TABLE 3.2: Reserved Ports Table
TCP Connect / Full Open Scan

- TCP Connect scan detects when a port is open by completing the three-way handshake
- TCP Connect scan establishes a full connection and tears it down by sending a RST packet

Source: http://www.insecure.org

TCP Connect / Full Open Scan is one of the most reliable forms of TCP scanning. The TCP connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed; otherwise, the port isn't reachable.

TCP Three-way Handshake

In the TCP three-way handshake, the client sends a SYN flag, which is acknowledged by a SYN+ACK flag from the server, which in turn is acknowledged by the client with an ACK flag to complete the connection. You can establish a connection from both ends, and terminate it from both ends individually.

Vanilla Scanning

In vanilla scanning, once the handshake is completed, the client ends the connection. If the connection is not established, then the scanned machine will be DoS'd, which allows a new socket to be created/called. This confirms an open port to be scanned for a running service. The process continues until the maximum port threshold is reached.
If the port is closed, the server responds with an RST+ACK flag (RST stands for "Reset the connection"), and the client responds with a RST flag, which ends the connection. This is done by a TCP connect() system call, and it identifies instantaneously whether the port is open or closed. Making a separate connect() call for every targeted port in a linear fashion would take a long time over a slow connection. The attacker can accelerate the scan by using many sockets in parallel. Using non-blocking I/O allows the attacker to set a low time-out period and watch all the sockets simultaneously.

Disadvantages

The drawback of this type of scan is that it is easily detectable and filterable. The logs in the target system will disclose the connection.

The Output

Initiating Connect() Scan against (172.17.1.23)
Adding open port 19/tcp
Adding open port 21/tcp
Adding open port 13/tcp

FIGURE 3.14: Scan results when a port is open (the attacker sends a SYN packet + port (n), the target replies with a SYN/ACK packet, and the attacker sends ACK+RST)

FIGURE 3.15: Scan results when a port is closed (the attacker sends a SYN packet + port (n), and the target replies with RST)
FIGURE 3.16: Zenmap Screenshot (output of an Nmap connect scan, listing the discovered open ports)
Stealth Scan Process

Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide themselves as usual network traffic.

Bill (10.0.0.2:2342) scanning Sheela (10.0.0.3:80):

- The client sends a single SYN packet to the server on the appropriate port
- If the port is open, then the server responds with a SYN/ACK packet
- If the server responds with an RST packet, then the remote port is in the "closed" state
- The client sends the RST packet to close the initiation before a connection can ever be established

Stealth Scan (Half-Open Scan)

Stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This is a scan type that sends a single frame with the expectation of a single response. The half-open scan partially opens a connection, but stops halfway through. This is also known as a SYN scan because it only sends the SYN packet. This stops the service from ever being notified of the incoming connection.

TCP SYN scanning, or half-open scanning, is a stealth method of port scanning. The three-way handshake methodology is also implemented by the stealth scan. The difference is that in the last stage, remote ports are identified by examining the packets entering the interface and terminating the connection before a new initialization is triggered. The process proceeds as follows:

- To start initialization, the client forwards a single "SYN" packet to the destination server on the corresponding port.
- The server actually initiates the stealth scanning process, depending on the response sent.
- If the server forwards a "SYN/ACK" response packet, then the port is supposed to be in an "OPEN" state.
- If the response is forwarded with an "RST" packet, then the port is supposed to be in a "CLOSED" state.

FIGURE 3.16: Stealth Scan when Port is Open (Bill 10.0.0.2:2342 sends SYN (Port 80); Sheela 10.0.0.3:80 replies SYN/ACK; Bill sends RST)

FIGURE 3.17: Stealth Scan when Port is Closed (Bill 10.0.0.2:2342 sends SYN (Port 80); Sheela 10.0.0.3:80 replies RST)

Zenmap Tool

Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save frequently used scans as profiles to make them easy to run recurrently. It contains a command creator that allows you to interactively create Nmap command lines. You can save the scan results and view them in the future, and they can be compared with another scan report to locate differences. The results of recent scans can be stored in a searchable database. The advantages of Zenmap are as follows:

- Interactive and graphical results viewing
- Comparison
- Convenience
- Repeatability
- Discoverability
FIGURE 3.18: Zenmap Showing Scanning Results (Connect Scan of 192.168.168.5 in Zenmap; open ports discovered include 25/tcp, 139/tcp and 993/tcp)
Xmas Scan

- In Xmas scan, attackers send a TCP frame to a remote device with URG, ACK, RST, SYN, PSH, and FIN flags set
- Xmas scan works only with an OS TCP/IP stack developed according to RFC 793
- It will not work against any current version of Microsoft Windows

Xmas Scan is a port scan technique with ACK, RST, SYN, URG, PSH, and FIN flags set to send a TCP frame to a remote device. If the target port is closed, then you will receive a remote system reply with a RST. You can use this port scan technique to scan large networks and find which host is up and what services it is offering. It is a technique to describe all TCP flag sets. When all flags are set, some systems hang, so the flags most often set are the nonsense pattern URG-PSH-FIN. This scan only works when systems are compliant with RFC 793.

BSD Networking Code

This method is based on BSD networking code; you can use this only for UNIX hosts and it does not support Windows NT. If this scan is directed at any Microsoft system, it shows all the ports on the host as open.

Transmitting Packets

You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, the port is open. If the target system sends an RST flag, the port is closed.
Advantage: It avoids the IDS and the TCP three-way handshake.

Disadvantage: It works on the UNIX platform only.

FIGURE 3.19: Xmas Scan when Port is Open (Attacker 10.0.0.6 sends FIN, URG, PUSH to Server 10.0.0.8:23; no response)

FIGURE 3.20: Xmas Scan when Port is Closed (Attacker 10.0.0.6 sends FIN, URG, PUSH to Server 10.0.0.8:23; Server replies RST)

FIGURE 3.21: Zenmap Showing Xmas Scan Result
FIN Scan

- In FIN scan, attackers send a TCP frame to a remote host with only the FIN flag set
- FIN scan works only with an OS TCP/IP stack developed according to RFC 793
- It will not work against any current version of Microsoft Windows

FIN Scan is a type of port scan. The client sends a FIN packet to the target port, and if the service is not running or if the port is closed, it replies to the probe packet with an RST.

FIGURE 3.22: FIN Scan when Port is Open (Attacker 10.0.0.6 sends FIN to Server 10.0.0.8:23; no response)
FIGURE 3.23: FIN Scan when Port is Closed (Attacker 10.0.0.6 sends FIN to Server 10.0.0.8:23; Server replies RST/ACK)

FIGURE 3.24: Zenmap showing FIN Scan Result
NULL Scan

NULL scans send TCP packets with all flags turned off. It is assumed that closed ports will return a TCP RST. Packets received by open ports are discarded as invalid. It sets all flags of the TCP header, such as ACK, FIN, RST, SYN, URG and PSH, to NULL or unassigned. When any packets arrive at the server, BSD networking code informs the kernel to drop the incoming packet if a port is open, or returns an RST flag if a port is closed. This scan uses flags in the reverse fashion from the Xmas scan, but gives the same output as the FIN and Xmas tree scans. The network code of major operating systems can behave differently in terms of responding to the packet, e.g., Microsoft versus UNIX. This method does not work for Microsoft operating systems. The command line option for null scanning with Nmap is "-sN".

Advantage: It avoids IDS and the TCP three-way handshake.

Disadvantage: It works only for UNIX.
FIGURE 3.25: NULL Scan when Port is Open (Attacker 10.0.0.6 sends a TCP Packet with NO Flag Set to Server 10.0.0.8:23; no response)

FIGURE 3.26: NULL Scan when Port is Closed (Attacker 10.0.0.6 sends a TCP Packet with NO Flag Set to Server 10.0.0.8:23; Server replies RST/ACK)

FIGURE 3.27: Zenmap showing NULL Scan Result
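As an added example (not part of the module), the following Python detector looks for the probe patterns described in the stealth (half-open), Xmas, FIN and NULL scan sections above from the defender's side. It reads a constructed, simplified packet log (timestamp, source, destination, destination port, TCP flags); the 10.0.0.x addresses reuse the figures' hosts and the alert thresholds are assumptions.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Set, Tuple


class Packet(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str]   # letters of F S R P A U (FIN SYN RST PSH ACK URG)


def parse_line(line: str) -> Packet:
    """Parse a sensor record '<ts> <src> <dst> <dport> <flags>'; '-' means no flag set."""
    ts, src, dst, dport, flags = line.split()
    return Packet(float(ts), src, dst, int(dport),
                  frozenset() if flags == "-" else frozenset(flags))


def classify_probe(flags: FrozenSet[str]) -> Optional[str]:
    """Scan type a flag combination matches, or None for ordinary traffic. NULL, FIN and
    Xmas probes never start a legitimate session, so the probe itself is the signal; the
    response (silence from open ports on RFC 793 stacks, RST from closed ports, RST from
    every port on Windows) is deliberately not needed here."""
    if not flags:
        return "NULL"
    if flags == {"F"}:
        return "FIN"
    if flags == {"F", "P", "U"}:
        return "XMAS"
    if flags == {"S"}:
        return "SYN"        # suspicious only if the handshake is never completed
    return None


def detect_scans(packets: List[Packet], syn_min_ports: int = 5,
                 probe_min_ports: int = 3) -> List[Tuple[str, str, str, int]]:
    """Return (src, dst, scan_type, distinct_ports) alerts. NULL/FIN/XMAS: reported after
    probe_min_ports distinct ports on one host. SYN half-open: reported after syn_min_ports
    SYNs whose flows the source never completed with a bare ACK (the RST sent after the
    SYN/ACK, as in the stealth scan above, does not count as completion)."""
    probes: Dict[Tuple[str, str, str], Set[int]] = defaultdict(set)
    syn_sent: Set[Tuple[str, str, int]] = set()
    completed: Set[Tuple[str, str, int]] = set()
    for p in packets:
        kind = classify_probe(p.flags)
        flow = (p.src, p.dst, p.dport)
        if kind == "SYN":
            syn_sent.add(flow)
        elif flow in syn_sent and "A" in p.flags and not p.flags & {"S", "R"}:
            completed.add(flow)         # third packet of the three-way handshake
        if kind is not None:
            probes[(p.src, p.dst, kind)].add(p.dport)
    alerts = []
    for (src, dst, kind), ports in sorted(probes.items()):
        if kind == "SYN":
            half_open = [d for d in ports if (src, dst, d) not in completed]
            if len(half_open) >= syn_min_ports:
                alerts.append((src, dst, "SYN half-open", len(half_open)))
        elif len(ports) >= probe_min_ports:
            alerts.append((src, dst, kind, len(ports)))
    return alerts


# Constructed sample records (not a real capture): Bill (10.0.0.2) completes a normal
# handshake, 10.0.0.6 sends Xmas and NULL probes, 10.0.0.9 runs a SYN half-open sweep.
SAMPLE_LOG = """\
1.00 10.0.0.2 10.0.0.3 80 S
1.01 10.0.0.3 10.0.0.2 2342 SA
1.02 10.0.0.2 10.0.0.3 80 A
2.00 10.0.0.6 10.0.0.8 21 FPU
2.01 10.0.0.6 10.0.0.8 22 FPU
2.02 10.0.0.6 10.0.0.8 23 FPU
2.03 10.0.0.6 10.0.0.8 80 FPU
2.10 10.0.0.6 10.0.0.8 21 -
2.11 10.0.0.6 10.0.0.8 22 -
2.12 10.0.0.6 10.0.0.8 23 -
3.00 10.0.0.9 10.0.0.3 21 S
3.01 10.0.0.9 10.0.0.3 22 S
3.02 10.0.0.9 10.0.0.3 23 S
3.03 10.0.0.9 10.0.0.3 25 S
3.04 10.0.0.9 10.0.0.3 80 S
3.05 10.0.0.3 10.0.0.9 5555 SA
3.06 10.0.0.9 10.0.0.3 80 R
""".splitlines()


def run_sample() -> List[Tuple[str, str, str, int]]:
    return detect_scans([parse_line(line) for line in SAMPLE_LOG])
```

Running run_sample() reports the Xmas and NULL probes from 10.0.0.6 and the half-open sweep from 10.0.0.9, while Bill's completed handshake stays silent even with syn_min_ports lowered to 1.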
IDLE Scan

The idle scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available; it offers complete blind scanning of a remote host. This is accomplished by impersonating another computer. No packet is sent from your own IP address; instead, another host is used, often called a "zombie," to scan the remote host and determine the open ports. This is done by predicting the sequence numbers of the zombie host, and if the remote host checks the IP of the scanning party, the IP of the zombie machine will show up.

Understanding TCP/IP

Source: http://nmap.org

Idle scanning is a sophisticated port scanning method. You do not need to be a TCP/IP expert to understand it. You need to understand the following basic facts:

- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25.
- A port is considered "open" if an application is listening on the port; otherwise it is closed.
- To determine whether a port is open, send a session establishment "SYN" packet to the port. The target machine responds with a session request acknowledgment "SYN|ACK" packet if the port is open and a Reset "RST" packet if the port is closed.
- A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.
- Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.

From these facts, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning.

FIGURE 3.28: Nmap Showing Idle Scan Result (idle scan using zombie www.juggyboy.com, IP ID sequence class Incremental)
IDLE Scan: Step 1

- Every IP packet on the Internet has a fragment identification number (IP ID)
- Send a SYN/ACK packet to the zombie machine
- Analyze the RST packet from the zombie machine

FIGURE 3.29: IPID Probe Request and Response (Attacker sends IPID Probe SYN/ACK Packet to Zombie; Response: IPID=31337 RST Packet)

Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number

In the first step, you can send a session establishment "SYN" packet or IPID probe to determine whether a port is open or closed. If the port is open, the "zombie" responds with a session request acknowledgment "SYN|ACK" packet containing the IPID of the remote host machine. If the port is closed, it sends a reset "RST" packet. Every IP packet on the Internet has a "fragment identification" number, which is incremented by one for every packet transmission. In the above diagram, the zombie responds with IPID=31337.
IDLE Scan: Step 2 and 3

Idle Scan: Step 2.1 (Open Port)

Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie." If the port is open, the target will send the SYN/ACK packet to the zombie, and in response the zombie sends the RST to the target.

FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open (Attacker sends SYN Packet to port 80 spoofing zombie IP address; Target sends SYN/ACK Packet to Zombie; Zombie sends RST Packet, IPID=31338, to Target)

Idle Scan: Step 2.2 (Closed Port)

The target will send the RST to the "zombie" if the port is closed, but the zombie will not send anything back.

FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed (Attacker sends SYN Packet to port 80 spoofing zombie IP address; Target sends RST to Zombie)

Idle Scan: Step 3

Probe the "zombie" IPID again.

FIGURE 3.32: IPID Probe Request and Response (Attacker sends IPID Probe SYN/ACK Packet to Zombie; Response: IPID=31339 RST Packet. The IPID is incremented by 2 since Step 1, so port 80 must be open)
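To make the IP ID side channel of Steps 1 to 3 concrete from the defender's side, this added Python model (not from the module or from Nmap; it sends no packets) replays the exchange first with a zombie whose IP ID is one global counter, then with a zombie that keeps a separate counter per destination, which is the hardening assumed here. The addresses and the starting value 31337 follow the figures; has_global_ipid_counter is an assumed self-check a host owner could apply to the model.

```python
MOD = 1 << 16   # the IP ID is a 16-bit field, so the counter wraps around


class Zombie:
    """Model of the idle host. mode='global' uses one counter for every packet it sends (the
    'Incremental' class an idle scan relies on); mode='per-destination' keeps an independent
    counter per peer, the hardening assumed in this example."""

    def __init__(self, ip, mode="global", start=31337):
        self.ip, self.mode, self.start = ip, mode, start
        self.counter = start
        self.per_dst = {}

    def next_ipid(self, dst):
        if self.mode == "global":
            ipid, self.counter = self.counter, (self.counter + 1) % MOD
        else:
            ipid = self.per_dst.get(dst, self.start)
            self.per_dst[dst] = (ipid + 1) % MOD
        return ipid

    def receive(self, src, segment):
        """RFC 793 behaviour: an unsolicited SYN/ACK is answered with an RST (which carries a
        fresh IP ID); an unsolicited RST is ignored. Returns (dst, segment, ipid) or None."""
        if segment == "SYN/ACK":
            return (src, "RST", self.next_ipid(src))
        return None


class Target:
    def __init__(self, ip, open_ports):
        self.ip, self.open_ports = ip, set(open_ports)

    def receive_syn(self, src_ip, dport):
        """The reply goes to the source address in the SYN, whether spoofed or not."""
        return (src_ip, "SYN/ACK" if dport in self.open_ports else "RST")


def idle_scan_step(attacker_ip, zombie, target, port):
    """Steps 1-3 of the module for one port: (inferred_state, ipid_before, ipid_after)."""
    _, _, before = zombie.receive(attacker_ip, "SYN/ACK")    # step 1: IPID probe
    _, reply = target.receive_syn(zombie.ip, port)            # step 2: SYN carrying the zombie's address
    zombie.receive(target.ip, reply)                          # SYN/ACK -> zombie sends RST; RST -> ignored
    _, _, after = zombie.receive(attacker_ip, "SYN/ACK")     # step 3: probe again
    delta = (after - before) % MOD
    return {2: "open", 1: "closed"}.get(delta, "unknown"), before, after


def has_global_ipid_counter(zombie, probe_ip, other_ip):
    """Self-check on the model: does traffic the host sends to a different peer advance the
    IP ID a prober sees? Two probes with one unrelated RST in between: delta 2 means a global
    counter (the host would serve as a zombie), delta 1 means the counter is per destination."""
    _, _, a = zombie.receive(probe_ip, "SYN/ACK")
    zombie.receive(other_ip, "SYN/ACK")          # makes the host send one RST elsewhere
    _, _, b = zombie.receive(probe_ip, "SYN/ACK")
    return (b - a) % MOD == 2
```

With the global counter the model reproduces the figures exactly (31337, then 31339 for open port 80); with per-destination counters every port reads as "closed", so the inference fails and the self-check returns False.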
ICMP Echo Scanning/List Scan

ICMP Echo Scanning

- This is not really port scanning, since ICMP does not have a port abstraction
- But it is sometimes useful to determine which hosts in a network are up by pinging them all

List Scan

- This type of scan simply generates and prints a list of IPs/Names without actually pinging or port scanning them
- A DNS name resolution will also be carried out

ICMP echo scanning is used to discover live machines by pinging all the machines in the target network. Attackers send ICMP probes to the broadcast or network address, which is relayed to all the host addresses in the subnet. The live systems send an ICMP echo reply message to the source of the ICMP echo probe. ICMP echo scanning is used in UNIX/Linux and BSD-based machines, as the TCP/IP stack implementations in these operating systems respond to ICMP echo requests to the broadcast addresses. This technique cannot be used in Windows-based networks, as the TCP/IP stack implementation in Windows machines is configured, by default, not to reply to ICMP probes directed to the broadcast address. ICMP echo scanning is not referred to as port scanning since it does not have a port abstraction. ICMP echo scanning is useful to determine which hosts in a network are active by pinging them all. The active hosts in the network are displayed in Zenmap as "Host is up (0.020s latency)." You can observe that in the screenshot:
Zenmap: nmap -sn 192.168.1.26

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-13 18:37 Standard Time
Nmap scan report for 192.168.1.26
Host is up (0.0828s latency).
Nmap done: 1 IP address (1 host up) scanned in 16.57 seconds

FIGURE 3.33: Zenmap showing ICMP Echo Scanning Result

In a list scan, discovery of the active hosts in the network is done indirectly. A list scan simply generates and prints a list of IPs/Names without actually pinging the host names or port scanning them. As a result, the list scan output for all the IP addresses will be shown as "not scanned," i.e., (0 hosts up). By default, a reverse DNS resolution is still carried out on the hosts by Nmap to learn their names.

Zenmap: nmap -sL -v 192.168.168.5

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 13:54 Standard Time
Initiating Parallel DNS resolution of 1 host. at 13:54
Completed Parallel DNS resolution of 1 host. at 13:54, 0.04s elapsed
Nmap scan report for 192.168.168.5
Nmap done: 1 IP address (0 hosts up) scanned in 6.06 seconds

FIGURE 3.34: Zenmap showing List Scanning Result

Advantages:

- A list scan can perform a good sanity check.
- Incorrectly defined IP addresses on the command line or in an option file are detected by the list scan. The detected errors should be repaired prior to running any "active" scan.
