Lab 4 - Scan Beyond IDS and Firewall

Uploaded by

debbyta
Module 03 - Scanning Networks

Scan beyond IDS and Firewall


Scanning beyond IDS and firewall is a process of sending intended packets to the target system
in order to exploit IDS/firewall limitations.

Lab Scenario
As a professional ethical hacker or a pen tester, the next step after discovering the OS of the
target IP address(es) is to perform network scanning without being detected by the network
security perimeters such as the firewall and IDS. IDSs and firewalls are efficient security
mechanisms; however, they still have some security limitations. You may be required to launch
attacks to exploit these limitations using various IDS/firewall evasion techniques such as packet
fragmentation, source routing, IP address spoofing, etc. Scanning beyond the IDS and firewall
allows you to evaluate the target network’s IDS and firewall security.

Lab Objectives
- Scan beyond IDS/firewall using various evasion techniques
- Create custom packets using Colasoft Packet Builder to scan beyond the IDS/firewall
- Create custom UDP and TCP packets using Hping3 to scan beyond the IDS/firewall
- Browse anonymously using Proxy Switcher
- Browse anonymously using CyberGhost VPN

Lab Environment
To carry out this lab, you need:

- Windows 11 virtual machine
- Windows Server 2019 virtual machine
- Parrot Security virtual machine
- Web browsers with an Internet connection
- Administrator privileges to run the tools

Lab Duration
Time: 40 Minutes

CEH Lab Manual Page 282 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Overview of Scanning beyond IDS and Firewall


An Intrusion Detection System (IDS) and a firewall are security mechanisms intended to
prevent an unauthorized person from accessing a network. However, even IDSs and firewalls
have some security limitations. Firewalls and IDSs are intended to keep malicious traffic
(packets) from entering a network, but certain techniques can be used to send intended
packets to the target and evade IDSs/firewalls.

Techniques to evade IDS/firewall:

- Packet Fragmentation: Send fragmented probe packets to the intended target, which
re-assembles them after receiving all the fragments
- Source Routing: Specify the routing path for the malformed packet to reach the
intended target
- Source Port Manipulation: Manipulate the actual source port with the common source
port to evade IDS/firewall
- IP Address Decoy: Generate or manually specify IP addresses of the decoys so that the
IDS/firewall cannot determine the actual IP address
- IP Address Spoofing: Change source IP addresses so that the attack appears to be
coming in as someone else
- Creating Custom Packets: Send custom packets to scan the intended target beyond the
firewalls
- Randomizing Host Order: Scan the number of hosts in the target network in a random
order to scan the intended target that is lying beyond the firewall
- Sending Bad Checksums: Send the packets with bad or bogus TCP/UDP checksums to
the intended target
- Proxy Servers: Use a chain of proxy servers to hide the actual source of a scan and
evade certain IDS/firewall restrictions
- Anonymizers: Use anonymizers, which allow bypassing Internet censors and evading
certain IDS and firewall rules

Lab Tasks
Task 1: Scan beyond IDS/Firewall using Various Evasion Techniques

Nmap offers many features to help understand complex networks with enabled security
mechanisms and supports mechanisms for bypassing poorly implemented defenses. Using
Nmap, various techniques can be implemented, which can bypass the IDS/firewall security
mechanisms.
Here, we will use Nmap to evade IDS/firewall using various techniques such as packet
fragmentation, source port manipulation, MTU, and IP address decoy.
1. Turn on the Windows 11 and Parrot Security virtual machines.


2. Switch to the Windows 11 virtual machine. By default, the Admin user profile is selected;
type Pa$$w0rd in the Password field and press Enter to log in.
Note: If the Welcome to Windows wizard appears, click Continue, and in the Sign in with
Microsoft wizard, click Cancel.

Note: Networks screen appears, click Yes to allow your PC to be discoverable by other
PCs and devices on the network.
3. Navigate to Control Panel > System and Security > Windows Defender Firewall >
Turn Windows Defender Firewall on or off, enable Windows Defender Firewall and click
OK, as shown in the screenshot.
[Screenshot: Control Panel > System and Security > Windows Defender Firewall > Customize Settings, showing the private and public network settings]


4. Minimize the Control Panel window and click the Search icon on the Desktop. Type
wireshark in the search field; when Wireshark appears in the results, click Open to launch
it.


5. The Wireshark Network Analyzer window appears. Start capturing packets by double-
clicking the available ethernet or interface (here, Ethernet).
Note: If the Software Update window appears, click Remind me later.


6. Switch to the Parrot Security virtual machine.
7. In the login page, the attacker username will be selected by default. Enter password as
toor in the Password field and press Enter to log in to the machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
Note: If a Question pop-up window appears asking you to update the machine, click No
to close the window.
8. Click the MATE Terminal icon in the top-left corner of the Desktop to open a Terminal
window.
9. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
10. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
11. Now, type cd and press Enter to jump to the root directory.

12. In the terminal window, type nmap -f [Target IP Address], (here, the target machine is
Windows 11 [10.10.1.11]) and press Enter.

Note: -f switch is used to split the IP packet into tiny fragment packets.
Note: Packet fragmentation refers to the splitting of a probe packet into several smaller
packets (fragments) while sending it to a network. When these packets reach a host,
IDSs and firewalls behind the host generally queue all of them and process them one by
one. However, since this method of processing involves greater CPU consumption as
well as network resources, most IDSs are configured to skip fragmented packets during
port scans.
13. Although Windows Defender Firewall is turned on in the target system (here, Windows
11), you can still obtain the results displaying all open TCP ports along with the name of
services running on the ports, as shown in the screenshot.


[Screenshot: Nmap scan report for 10.10.1.11 showing open TCP ports, including http, 139/tcp, 445/tcp microsoft-ds and ms-wbt-server]

14. Switch to the Windows 11 virtual machine (target machine). You can observe the
fragmented packets captured by the Wireshark, as shown in the screenshot.
[Screenshot: Wireshark on the target showing "Fragmented IP protocol (proto=TCP 6, ...)" entries alongside SYN packets from source port 37799]
15. Switch to the Parrot Security virtual machine.
16. In the Parrot Terminal window, type nmap -g 80 [Target IP Address], (here, target IP
address is 10.10.1.11) and press Enter.


Note: In this command, you can use the -g or --source-port option to perform source
port manipulation.
Note: Source port manipulation refers to replacing the actual source port number with a
common port number to evade IDS/firewall: this is useful when the firewall is
configured to allow packets from well-known ports like HTTP, DNS, FTP, etc.
17. The results appear, displaying all open TCP ports along with the name of services
running on the ports, as shown in the screenshot.

18. Switch to the Windows 11 virtual machine (target machine). In the Wireshark window,
scroll-down and you can observe the TCP packets indicating that the port number 80 is
used to scan other ports of the target host, as shown in the screenshot.
[Screenshot: Wireshark on the target showing SYN packets from 10.10.1.13 with source port 80 sent to many different destination ports]


19. Switch to the Parrot Security virtual machine.


20. Now, type nmap -mtu 8 [Target IP Address] (here, target IP address is 10.10.1.11) and
press Enter.
Note: In this command, -mtu specifies the Maximum Transmission Unit (MTU) to use
(here, 8 bytes per packet).

Note: Using MTU, smaller packets are transmitted instead of sending one complete
packet at a time. This technique evades the filtering and detection mechanism enabled
in the target machine.

21. Switch to the virtual Windows 11 machine (target machine). In the Wireshark window,
scroll-down and you can observe the fragmented packets having maximum length as 8
bytes, as shown in the screenshot.
[Screenshot: Wireshark on the target showing "Fragmented IP protocol (proto=TCP 6, off=0, ...)" and "off=8" entries alongside SYN packets from source port 51625]


22. Switch to the Parrot Security virtual machine.


23. Now, type nmap -D RND:10 [Target IP Address] (here, target IP address is 10.10.1.11)
and press Enter.

Note: In this command, -D: performs a decoy scan and RND: generates random and
non-reserved IP addresses (here, 10).

Note: The IP address decoy technique refers to generating or manually specifying IP
addresses of the decoys to evade IDS/firewall. This technique makes it difficult for the
IDS/firewall to determine which IP address was actually scanning the network and which
IP addresses were decoys.
By using this command, Nmap automatically generates a random number of decoys for
the scan and randomly positions the real IP address between the decoy IP addresses.

24. Now, switch to the Windows 11 virtual machine (target machine). In the Wireshark
window, scroll-down and you can observe the packets displaying the multiple IP
addresses in the source section, as shown in the screenshot.
[Screenshot: Wireshark on the target showing the same SYN probe (for example 61354 → 61532) arriving from many different source IP addresses, 10.10.1.13 among them]


25. Switch to the Parrot Security virtual machine.


26. In the terminal window type nmap -sT -Pn --spoof-mac 0 [Target IP Address] (here,
target IP address is 10.10.1.11) and press Enter.
Note: In this command --spoof-mac 0 represents randomizing the MAC address, -sT:
performs the TCP connect/full open scan, -Pn is used to skip the host discovery.
Note: MAC address spoofing technique involves spoofing a MAC address with the MAC
address of a legitimate user on the network. This technique allows you to send request
packets to the targeted machine/network pretending to be a legitimate host.

[Screenshot: Nmap output for the --spoof-mac scan of 10.10.1.11, including Nmap's warning that some of the specified options will not be honored for TCP Connect scan, followed by the list of open TCP ports]


27. Switch to the Windows 11 virtual machine (target machine). In the Wireshark window,
scroll-down and you can observe the captured TCP, as shown in the screenshot.

[Screenshot: Wireshark on the target showing the captured TCP packets]

28. This concludes the demonstration of evading IDS and firewall using various evasion
techniques in Nmap.
29. Close all open windows and document all the acquired information.
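
Each Task 1 technique leaves a recognisable pattern in the target-side capture, and the following detection logic checks for three of them: header-splitting fragments (-f, -mtu 8), SYN sweeps from a well-known source port (-g 80) and one probe repeated from many sources (-D). It is an added example, not part of the lab manual; the Pkt record, function names, thresholds and sample records are assumptions constructed to resemble the captures described above, with decoy addresses taken from documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

TCP = 6
MIN_TCP_HEADER = 20  # bytes; a fragment boundary inside this range splits the TCP header


@dataclass(frozen=True)
class Pkt:
    """One decoded IPv4 packet from a capture (field names are this example's own)."""
    ts: float                    # capture time in seconds
    src: str
    dst: str
    proto: int
    frag_off: int = 0            # fragment offset in bytes
    more_frags: bool = False     # IP "more fragments" flag
    payload_len: int = 24        # bytes carried after the IP header
    sport: Optional[int] = None  # unknown when the TCP header is split across fragments
    dport: Optional[int] = None
    syn: bool = False            # SYN set, ACK clear


def tiny_fragment_sources(pkts):
    """Sources whose TCP header is split across fragments (in the spirit of RFC 1858)."""
    hits = set()
    for p in pkts:
        if p.proto != TCP:
            continue
        short_first = p.frag_off == 0 and p.more_frags and p.payload_len < MIN_TCP_HEADER
        inside_header = 0 < p.frag_off < MIN_TCP_HEADER
        if short_first or inside_header:
            hits.add(p.src)
    return hits


def low_port_syn_sweeps(pkts, min_ports=5):
    """(src, sport, dst) sending bare SYNs from a port below 1024 to many ports of one host."""
    seen = defaultdict(set)
    for p in pkts:
        if p.proto == TCP and p.syn and p.sport is not None and p.sport < 1024:
            seen[(p.src, p.sport, p.dst)].add(p.dport)
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= min_ports}


def decoy_candidates(pkts, window=0.1, min_sources=4):
    """Probes with identical dst, sport and dport seen from many sources within `window` s."""
    groups = defaultdict(list)
    for p in pkts:
        if p.proto == TCP and p.syn and p.sport is not None:
            groups[(p.dst, p.sport, p.dport)].append(p)
    out = {}
    for key, members in groups.items():
        members.sort(key=lambda p: p.ts)
        start = 0
        for end in range(len(members)):
            while members[end].ts - members[start].ts > window:
                start += 1
            sources = {p.src for p in members[start:end + 1]}
            if len(sources) >= min_sources and len(sources) > len(out.get(key, [])):
                out[key] = sorted(sources)
    return out


TARGET, SCANNER = "10.10.1.11", "10.10.1.13"  # lab addresses used on the page


def sample_capture():
    """Constructed records shaped like the Wireshark captures in Task 1."""
    pkts = []
    # -f / -mtu 8: a 24-byte TCP header (20 bytes + MSS option) arrives as three 8-byte fragments
    for off in (0, 8, 16):
        pkts.append(Pkt(477.17, SCANNER, TARGET, TCP,
                        frag_off=off, more_frags=off < 16, payload_len=8))
    # -g 80: SYNs from source port 80 to many destination ports
    for i, dport in enumerate((3260, 2003, 32773, 1036, 711, 7435, 9999)):
        pkts.append(Pkt(620.21 + i * 0.002, SCANNER, TARGET, TCP,
                        sport=80, dport=dport, syn=True))
    # -D: the same probe from decoy addresses and from the real scanner
    decoys = ["192.0.2.10", "198.51.100.7", "203.0.113.99", "192.0.2.200"]
    for i, src in enumerate(decoys + [SCANNER]):
        pkts.append(Pkt(990.70 + i * 0.002, src, TARGET, TCP,
                        sport=61354, dport=61532, syn=True))
    # ordinary client connection that must not be flagged
    pkts.append(Pkt(1000.0, "10.10.1.19", TARGET, TCP, sport=50185, dport=443, syn=True))
    return pkts


if __name__ == "__main__":
    capture = sample_capture()
    print("tiny fragments from:", tiny_fragment_sources(capture))
    print("low-port SYN sweeps:", low_port_syn_sweeps(capture))
    print("decoy candidates:", decoy_candidates(capture))
```

The decoy check reports the whole group of sources, the real scanner included, because the capture alone does not say which address is genuine.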

Task 2: Create Custom Packets using Colasoft Packet Builder to Scan beyond the IDS/Firewall

Colasoft Packet Builder is a tool that allows you to create custom network packets to assess
network security. You can also select a TCP packet from the provided templates and change the
parameters in the decoder editor, hexadecimal editor, or ASCII editor to create a packet. In
addition to building packets, the Colasoft Packet Builder supports saving packets to packet files
and sending packets to the network.
Here, we will use the Colasoft Packet Builder tool to create custom TCP packets to scan the
target host by bypassing the IDS/firewall.
1. Turn on the Windows Server 2019 virtual machine.
2. In the Windows Server 2019 virtual machine, click Ctrl+Alt+Del to activate the machine.
By default, the Administrator user profile is selected; type Pa$$w0rd in the Password field
and press Enter to log in.


Note: Networks screen appears, click Yes to allow your PC to be discoverable by other
PCs and devices on the network.


3. Click the Search icon on the Desktop. Type wireshark in the search field; when
Wireshark appears in the results, click Wireshark to launch it.


4. The Wireshark Network Analyzer main window appears; double-click the available
ethernet or interface (here, Ethernet) to start the packet capture.
Note: If a Software Update pop-up appears, click Remind me later.

5. Minimize the Wireshark window and click the Search icon on the Desktop. Type
colasoft in the search field; when Colasoft Packet Builder 2.0 appears in the results, click
Colasoft Packet Builder 2.0 to launch it.


6. The Colasoft Packet Builder GUI appears; click on the Adapter icon, as shown in the
screenshot.
Note: If a pop-up appears, close the window.
[Screenshot: Colasoft Packet Builder main window with the Adapter icon in the toolbar]

7. When the Select Adapter window appears, check the Adapter settings and click OK.
8. To add or create a packet, click the Add icon in the Menu bar.

9. In the Add Packet dialog box, select the ARP Packet template, set Delta Time as 0.1
seconds, and click OK.


10. You can view the added packets list on the right-hand side of the window, under Packet
List.

11. Colasoft Packet Builder allows you to edit the decoding information in the two editors,
Decode Editor and Hex Editor, located in the left pane of the window.
- The Decode Editor section allows you to edit the packet decoding information by
double-clicking the item that you wish to decode.
- Hex Editor displays the actual packet contents in raw hexadecimal value on the left
and its ASCII equivalent on the right.
[Screenshot: Decode Editor view of the ARP packet: Ethernet II header (destination address FF:FF:FF:FF:FF:FF, source address, protocol type 0x0806 ARP), the Address Resolution Protocol fields (hardware type, protocol type, hardware size, protocol size, opcode, sender and target hardware and IP addresses), 18 bytes of extra data and the frame check sequence]

[Screenshot: Colasoft Packet Builder toolbar with the Send button and its tooltip "Send selected packets to the wire"]


13. In the Send Selected Packets window, select the Burst Mode (no delay between
packets) option, and then click Start.

[Screenshot: Send Selected Packets dialog with the Burst Mode (no delay between packets) option, loop settings and sending information]


15. Now, when this ARP packet is broadcast in the network, the active machines receive
the packet, and a few start responding with an ARP reply. To evaluate which machine is
responding to the ARP packet, you need to observe packets captured by the Wireshark
tool.
16. In the Wireshark window, click on the Filter field, type arp and press Enter. The ARP
packets will be displayed, as shown in the screenshot.
Note: Here, the host machine (10.10.1.19) is broadcasting ARP packets, prompting the
target machines to reply to the message.

[Screenshot: Wireshark filtered on arp, showing "Who has 10.10.1.2? Tell 10.10..." requests and "10.10.1.2 is at 02:15:5d..." replies; frame 15 is a 42-byte ARP request from 02:15:5d:19:1b:3f to 02:15:5d:19:1b:3d]

17. Switch back to the Colasoft Packet Builder window. To export the packet, click Export >
Selected Packets....

CEH Lab Manual Page 299 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks

18. In the Save As window, select a destination folder in the Save in field, specify File name
and Save as type, and click Save.
[Screenshot: Save As dialog in Colasoft Packet Builder, saving to Desktop with File name Packets.cap and Save as type libpcap (Wireshark, Ethereal, Tcpdump, etc.).]

19. This saved file can be used for future reference.


20. Attackers can use this packet builder to create fragmented packets to bypass network
firewalls and IDS systems. They can also create packets and flood the victim with a very
large number of packets, which could result in DoS attacks.
21. This concludes the demonstration of creating custom TCP packets to scan the target
host by bypassing the IDS/firewall.

22. Close all open windows and document all the acquired information.
23. Turn off the Windows Server 2019 virtual machine.

Task 3: Create Custom UDP and TCP Packets using Hping3 to Scan
beyond the IDS/Firewall

Hping3 is a scriptable program that uses the TCL language, whereby packets can be received
and sent via a binary or string representation describing the packets.
Here, we will use Hping3 to create custom UDP and TCP packets to evade the IDS/firewall in the
target network.


Note: Before beginning this task, ensure that the Windows Defender Firewall in the Windows
11 machine is enabled.
1. Switch to the Windows 11 virtual machine.

2. Click the Search icon on the Desktop. Type wireshark in the search field; when
Wireshark appears in the results, click Open to launch it.

3. The Wireshark Network Analyzer window appears. Double-click the available Ethernet
interface (here, Ethernet) to start the packet capture.
Note: If a Software Update pop-up appears, click Remind me later.


4. Switch to the Parrot Security virtual machine.
5. Click the MATE Terminal icon in the top-left corner of the Desktop to open a Terminal
window.
6. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
7. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
8. Now, type cd and press Enter to jump to the root directory.
9. In the Parrot Terminal window, type hping3 [Target IP Address] --udp --rand-source --data 500
(here, the target machine is Windows 11 [10.10.1.11]) and press Enter.

Note: Here, --udp specifies sending the UDP packets to the target host, --rand-source
enables the random source mode and --data specifies the packet body size.
Note: The MAC addresses might differ when you perform this task.

10. Switch to the Windows 11 virtual machine and observe the random UDP packets
captured by Wireshark.
Note: You can double-click any UDP packet and observe the detail.
11. Expand the Data node in the Packet Details pane and observe the size of Data and its
Length (the length is the same as the size of the packet body that we specified in Hping3
command, i.e., 500).


[Screenshot: Wireshark on Windows 11 capturing UDP packets from random source addresses to 10.10.1.11, destination port 0, Len=500; in the selected packet the Data node shows Data (500 bytes) and Length: 500.]
12. Switch to the Parrot Security virtual machine. In the Parrot Terminal window, first press
Control+C and type hping3 -S [Target IP Address] -p 80 -c 5 (here, target IP address is
10.10.1.11), and then press Enter.

Note: Here, -S specifies the TCP SYN request on the target machine, -p specifies
assigning the port to send the traffic, and -c is the count of the packets sent to the
target machine.
13. In the result, it is indicated that five packets were sent and received through port 80.


14. Switch to the target machine (i.e., Windows 11) and observe the TCP packets captured
via Wireshark.
[Screenshot: Wireshark on Windows 11 showing [SYN] packets from 10.10.1.13 to 10.10.1.11 port 80 (Seq=0, Win=512, Len=0), each answered by a [SYN, ACK] from 10.10.1.11.]

15. Switch to the Parrot Security virtual machine and try to flood the target machine (here,
Windows 11) with TCP packets.
16. In the Parrot Terminal window, type hping3 [Target IP Address] --flood (here, target IP
address is 10.10.1.11) and press Enter.
Note: --flood: performs the TCP flooding.
17. Once you flood traffic to the target machine, it will respond in the hping3 terminal.

18. Switch to the Windows 11 virtual machine (the target) and, after a while, stop the packet
capture in the Wireshark window by clicking the Stop Capturing Packets icon in the toolbar.
19. Observe the Wireshark window, which displays the TCP packet flooding from the host
machine. The attacker employs TCP SYN flooding technique to perform a DoS attack on
the target.


Note: You can double-click the TCP packet stream to observe the TCP packet
information.
[Screenshot: Wireshark showing a continuous stream of TCP packets from 10.10.1.13 to 10.10.1.11, destination port 0, flags [<None>], Win=512, Len=0.]

20. The TCP packet stream displays the complete information of TCP packets such as the
source and destination of the captured packet, source port, destination port, etc.

[Screenshot: Wireshark packet details for packet 1636825 (54 bytes on wire): Source Port: 4833, Destination Port: 0, TCP Segment Len: 0, Header Length: 20 bytes, Calculated window size: 512.]


21. Turn off the Windows Firewall in the Windows 11 virtual machine by navigating to Control Panel >
System and Security > Windows Defender Firewall > Turn Windows Defender
Firewall on or off.
22. This concludes the demonstration of evading the IDS and firewall using various evasion
techniques in Hping3.
23. You can also use other packet crafting tools such as NetScanTools Pro
(https://www.netscantools.com), Colasoft packet builder (https://www.colasoft.com),
etc. to build custom packets to evade security mechanisms.
24. Close all open windows and document all the acquired information.
25. Turn off the Parrot Security virtual machine.
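
As a defender-side complement to Task 3, the following added example (not part of the lab manual) flags the traffic patterns that steps 9 to 19 leave in the Wireshark capture: many source IPs behind one source MAC, packets addressed to port 0 or carrying no TCP flags, and a packet-rate spike between one pair of hosts. The Pkt record, the function names, the thresholds, the MAC addresses and the spoofed source addresses are assumptions constructed for illustration; only 10.10.1.11 and 10.10.1.13 come from the lab.

```python
"""Added example: defender-side checks for the Task 3 hping3 traffic patterns."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float         # capture time in seconds
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "UDP" or "TCP"
    sport: int
    dport: int
    flags: str        # TCP flags, e.g. "S", "SA"; "" when none are set (and for UDP)
    payload_len: int


def macs_with_many_source_ips(pkts, min_ips=4, gateway_macs=frozenset()):
    """Map each source MAC that fronts >= min_ips source IPs to those IPs.

    On a flat segment a host normally sends from one IP per MAC, so one MAC
    emitting many unrelated source addresses points to source spoofing
    (--rand-source). Routers legitimately do this: list them in gateway_macs.
    """
    ips_by_mac = defaultdict(set)
    for p in pkts:
        if p.src_mac not in gateway_macs:
            ips_by_mac[p.src_mac].add(p.src_ip)
    return {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) >= min_ips}


def malformed_probes(pkts):
    """Packets sent to port 0, or TCP segments with no flags set."""
    return [p for p in pkts
            if p.dport == 0 or (p.proto == "TCP" and p.flags == "")]


def flood_pairs(pkts, window=1.0, threshold=100):
    """Map (src_ip, dst_ip) to its peak packet count inside any `window`
    seconds, keeping only pairs whose peak reaches `threshold`."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for p in sorted(pkts, key=lambda p: p.ts):
        key = (p.src_ip, p.dst_ip)
        q = recent[key]
        q.append(p.ts)
        while p.ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}


# --- Constructed sample records modelled on the lab capture (not real data) ---
SENDER_MAC = "02:00:00:00:00:13"   # constructed MAC for the Parrot machine
TARGET_MAC = "02:00:00:00:00:11"   # constructed MAC for the Windows 11 machine
SENDER, TARGET = "10.10.1.13", "10.10.1.11"   # lab addresses from the page


def build_sample():
    pkts = []
    # Step 9: --udp --rand-source --data 500 -> one datagram per second,
    # a new source IP each time, destination port 0, 500-byte body.
    spoofed = ["198.51.100.7", "203.0.113.45", "192.0.2.99",
               "198.51.100.201", "203.0.113.8"]          # constructed addresses
    for i, ip in enumerate(spoofed):
        pkts.append(Pkt(496.4 + i, SENDER_MAC, ip, TARGET, "UDP", 1367 + i, 0, "", 500))
    # Step 12: -S -p 80 -c 5 -> five well-formed SYNs to port 80.
    for i in range(5):
        pkts.append(Pkt(691.3 + i, SENDER_MAC, SENDER, TARGET, "TCP", 1875 + i, 80, "S", 0))
    # Step 16: --flood -> flag-less TCP segments to port 0, sent back to back.
    for i in range(500):
        pkts.append(Pkt(886.5 + i * 0.0001, SENDER_MAC, SENDER, TARGET, "TCP", 4828 + i, 0, "", 0))
    # Ordinary traffic from the target, for contrast.
    pkts.append(Pkt(496.2, TARGET_MAC, TARGET, "192.0.2.10", "TCP", 50071, 443, "A", 0))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("MACs fronting many IPs:", macs_with_many_source_ips(sample))
    print("port-0 / no-flag packets:", len(malformed_probes(sample)))
    print("flood pairs:", flood_pairs(sample))
```

The thresholds are illustrative; tune min_ips, window and threshold against a baseline of normal traffic on the monitored segment.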

Task 4: Browse Anonymously using Proxy Switcher


Proxy Switcher allows you to surf the Internet anonymously without disclosing the IP address of your
system, and helps to access various blocked sites in the organization. It avoids all types of limitations
imposed by target sites.
Here, we will use Proxy Switcher to browse the Internet anonymously.
1. In the Windows 11 virtual machine, navigate to E:\CEH-Tools\CEHv12 Module 03
Scanning Networks\Proxy Tools\Proxy Switcher and double-click
ProxySwitcherStandard.exe.

Note: If a User Account Control window appears, click Yes.


2. Follow the installation steps to install Proxy Switcher using all default settings.
3. Once the installation is complete, uncheck all options in the final step of the wizard, and
click Finish.


4. Now, launch the Firefox browser.

Note: If a Default Browser pop-up appears, click Not now.


5. Click the Open menu icon in the top-right corner of the browser window and click Settings.


6. In the Settings wizard, scroll down to the end of the page and click Settings... under the
Network Settings section.

7. The Connection Settings window appears; under the Configure Proxy Access to the Internet
section, ensure that the Use system proxy settings radio button is selected. Click OK and
close the Firefox browser window.

8. Click the Search icon on the Desktop. Type proxyswitcher in the search field; when
ProxySwitcher Standard appears in the results, click Open to launch it.


9. The ProxySwitcher Standard loads, and its icon appears on Taskbar.


10. Click the Taskbar icon in the bottom-right corner of the desktop and then click the ProxySwitcher
Standard icon to launch the application.


11. The Please Register window appears; click the Start 15 Day Trial button to proceed.

12. The Common Tasks Wizard window appears; under Welcome to the Proxy Switcher, click
Next.

13. Ensure that the Find New Server, Rescan Servers, Recheck Dead radio button is selected
under the Common Tasks section, and click Finish.

14. Proxy Switcher window appears, showing a list of proxy servers in the right pane, as shown
in the following screenshot.


Note: The list of proxy servers might vary in your lab environment.

Note: It takes some time for the list to load


15. Observe the progress bar below the server section; once it is completed, click the Download
Proxy Lists icon to download the proxy list.


16. Wait until all the proxy servers are downloaded. This can take a significant amount of time.


17. If you have enough downloaded proxy servers, you can click the Stop Download icon to
cancel the download.

18. Click the Basic Anonymity folder in the left-hand pane to display a list of alive proxy servers,
as shown in the screenshot.


19. Select one proxy server IP address in the right-hand pane. To switch to the selected proxy
server, click the Switch to Selected Proxy Server icon.

20. When the proxy server is connected, the connection icon is displayed.
Note: The proxy selected in this lab might vary in your lab environment.


21. Launch the Mozilla Firefox web browser and enter the URL
http://www.proxyswitcher.com/check.php to check the selected proxy-server
connectivity. If the connection is successful, the following information is displayed in the
browser:
Note: The information displayed above may differ in your lab environment.
[Screenshot: proxyswitcher.com/check.php reporting the detected IP address 107.174.121.140 and the location UNITED STATES.]


22. If the connection is unsuccessful, try selecting another proxy from Proxy Switcher, and
repeat Step 19.

23. To ensure that the proxy is assigned, open a new tab and browse to
https://www.google.com/. In the search field, type What is my ip and press Enter.
24. If the About this page webpage appears, check the I’m not a robot checkbox and verify the
CAPTCHA by selecting images as per the given guidelines.
25. The proxy IP address is displayed, which indicates that the legitimate address is masked, and the
proxy is in use.
[Screenshot: Google results for "what is my ip" showing 107.174.121.140 as the public IP address.]

Note: The displayed IP address might differ in your lab environment.


26. Open a new tab in your web browser and surf anonymously using this proxy.

27. This concludes the demonstration of anonymously surfing the Internet using Proxy Switcher.
28. Close all open windows and document all the acquired information.
29. Navigate to Control Panel > Programs > Programs and Features and uninstall the Proxy
Switcher application.

Task 5: Browse Anonymously using CyberGhost VPN


CyberGhost VPN hides the attacker's IP and replaces it with a selected IP, allowing him or her to
surf anonymously and access blocked or censored content. It encrypts the connection and does
not keep logs, thus securing data.
Here, we will use CyberGhost VPN to browse the Internet anonymously.
1. In the Windows 11 virtual machine, navigate to E:\CEH-Tools\CEHv12 Module 03
Scanning Networks\Proxy Tools\CyberGhost VPN and double-click
cgsetup_en_3ytCRpi38TVCHKPCCQm.exe.

Note: If a User Account Control window appears, click Yes.


2. Downloading CyberGhost installer... appears; once the CyberGhost Setup window
appears, click Accept.


3. Follow the installation steps to install CyberGhost.

4. In a Windows Security pop-up, click Install.


5. In the Your privacy is our goal pop-up, click Agree and continue.

6. Once the installation is complete, the CyberGhost 8 window appears. Click the Click here
to create one link to create an account.


7. Create an account using your personal details and click on Sign Up.


8. You will receive an activation email on your personal email. Open the email and click on
Activate Trial to start your trial version of CyberGhost.


9. Now, switch to the CyberGhost page and click the Start trial button.


10. The CyberGhost VPN window appears; click the Settings icon.


11. The Settings window appears; click the CyberGhost VPN icon under the Menu icon.


12. The CyberGhost VPN window appears; click on All servers from the left-hand pane.

Note: The list of servers may vary in your lab environment.


13. Click to select any proxy server from the available options in the All servers section (here, Albania) and click the power icon under Start a Connection, as shown in the screenshot.

Note: If the CyberGhost window appears indicating that all free user slots are booked, then
close the window and select another proxy server from the “all servers” list.


14. CyberGhost attempts to establish a connection to the proxy server. On successfully establishing a connection, Connected appears.

15. Minimize the CyberGhost window and launch the Mozilla Firefox web browser; type the URL https://whatismyipaddress.com/location-feedback in the address bar and press Enter.

Note: If a Will you allow whatismyipaddress.com to access your location? pop-up appears, click Allow Location Access.

16. Scroll down to the Geographical Details section. Observe that the server IP address and location have changed to 31.171.155.4 and Albania.


17. Open a new tab in the web browser and surf anonymously using this proxy.


18. Once you are done browsing, in the CyberGhost window, click the Power icon to disconnect
the proxy, as shown in the screenshot.

19. This concludes the demonstration of anonymously surfing the Internet using CyberGhost.

20. Close all open windows and document all the acquired information.

21. Navigate to Control Panel > Programs > Programs and Features and uninstall the
CyberGhost 8 application.

22. Turn off the Windows 11 virtual machine.

Lab Analysis
Analyze and document the results of this lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: Yes

Platform Supported: Classroom
