Certified Ethical Hacking

Chapter 3: Scanning Networks

Technology Brief
After Footprinting phase, you may have enough information about the target. Now
Scanning network phase requires some of this information to proceed further. Network
Scanning is a method of getting network information such as identification of hosts, port
information, and services by scanning networks and ports. The main Objective of
Network Scanning is: -
 To identify live hosts on a network
 To identify open & closed ports
 To identify operating system information
 To identify services running on a network
 To identify running processes on a network
 To identify the presence of Security Devices like firewalls
 To identify System architecture
 To identify running services
 To identify vulnerabilities

Figure 3-01 Scanning Network

Overview of Network Scanning

Scanning Network phase includes probing to the target network for getting information.
When a user probes another user, it can reveal much useful information from the reply is
received. In-depth identification of a network, ports and running services helps to create
a network architecture, and the attacker gets a clearer picture of the target.
TCP Communication
There are two types of Internet Protocol (IP) traffic. They are TCP (Transmission Control
Protocol) and UDP (User Datagram Protocol). TCP is connection oriented. Bidirectional
communication takes place after successful connection establishment. UDP is a simpler,
connectionless Internet protocol. Multiple messages are sent as packets in chunks using
UDP. Unlike the TCP, UDP adds no reliability, flow-control, or error-recovery functions

IPSpecialist.net 151 14-May-2018

Certified Ethical Hacking

to IP packets. Because of UDP’s simplicity, UDP headers contain fewer bytes and
consume less network overhead than TCP. Following diagram shows the TCP header: -

Figure 3-02 TCP Header

Flag filed in the TCP header is of 9 bits. Which includes the following 6 TCP flags: -
Flag Use
SYN Initiates a connection between two hosts to facilitate communication.
ACK Acknowledge the receipt of a packet.
URG Indicates that the data contained in the packet is urgent and should process
immediately.
PSH Instructs the sending system to send all buffered data immediately.
FIN Tells the remote system about the end of the communication. In essence, this
gracefully closes a connection.
RST Reset a connection.
Table 3-01 TCP Flags

There is three-way handshaking while establishing a TCP connection between hosts. This
handshaking ensures successful, reliable and connection-oriented session between these
hosts. The process of establishment of a TCP connection includes three steps. As shown
in the figure below: -

IPSpecialist.net 152 14-May-2018

Certified Ethical Hacking

Figure 3-03 TCP Connection Handshaking

Consider Host A wants to communicate with Host B. TCP Connection establishes when
host A sends a Sync packet to host B. Host B upon receipt of Sync packet from Host A,
reply to Host A with Sync+Ack packet. Host A reply with Ack packet when it receives
Sync+Ack packet from host B. After successful handshaking results in the establishment
of TCP connection.
U.S Dept proposes TCP/IP model. Of Defence by combining OSI Layer Model and DOD.
The Transmission Control Protocol (TCP) and the Internet Protocol (IP) are two of the
network standards that define the Internet. IP defines how computers can get data to
each other over a routed, interconnected set of networks. TCP defines how applications
can create reliable channels of communication across such a network. IP defines
addressing and routing, while TCP defines how to have a conversation across the link
without garbling or losing data. Layers in TCP/IP model perform similar functions with
similar specifications like in OSI model. The only difference is they combine top three
layers into a single Application Layer.
Creating Custom Packet Using TCP Flags

Colasoft Packet Builder software enables to create the customized network packets. These
Customized Network packets can penetrate the network for attacks. Customization can
also use to create fragmented packets. You can download the software from
www.colasoft.com.

IPSpecialist.net 153 14-May-2018

Certified Ethical Hacking

Figure 3-04 Packet Builder Software

Colasoft packet builder offers Import and Export options for a set of packets. You can also
add a new packet by clicking Add/button. Select the Packet type from the drop-down
option. Available options are: -
 ARP Packet
 IP Packet
 TCP Packet
 UDP Packet

IPSpecialist.net 154 14-May-2018

Certified Ethical Hacking

Figure 3-05 Creating Custom Packet

After Selecting the Packet Type, now you can customize the packet, Select the Network
Adapter and Send it towards the destination.

Scanning Methodology
The Scanning Methodology includes the following step: -
 Checking for live systems
 Discovering open ports
 Scanning beyond IDS
 Banner grabbing
 Scanning Vulnerabilities
 Network Diagram
 Proxies

Figure 3-06 Scanning Pentesting

Checking for Live Systems

Initially, you must know about the hosts which are living in a targeted network. Finding
live hosts in a network is done by ICMP Packets. The target replies ICMP Echo packets
with ICMP echo reply. This response verifies that the host is live.

IPSpecialist.net 155 14-May-2018

Certified Ethical Hacking

Figure 3-07 ICMP Echo Request & Reply Packets

The host having IP address 192.168.0.2/24 is trying to identify if the Host 192.168.0.1/24 is
live by sending the ICMP Echo packets targeted to the destination IP address 192.168.0.1.

Figure 3-08 ICMP Echo Reply Packets

If the destination host successfully responds to ICMP Echo packets, the host is live.
If the host is not live, Observe the following response of ICMP Echo packets.

Figure 3-09 ICMP Echo Reply Packets

IPSpecialist.net 156 14-May-2018

Certified Ethical Hacking

ICMP Scanning
ICMP Scanning is a method of identifying live hosts by sending ICMP Echo requests to a
host. ICMP Echo reply packet from host verify the host is live. Ping Scanning is a useful
tool for not only identification of live host, but also for determining ICMP packet are
passing through firewalls, and TTL value.

Figure 3-10 ICMP Scanning

Ping Sweep
Ping Sweep determines live host on a large scale. Ping Sweep is a method of sending
ICMP Echo Request packets to a range of IP addresses instead of sending one by one
requests and observing the response. Live hosts respond with ICMP Echo Reply packets.
Thus, instead of probing individually, we can probe a range of IPs using Ping Sweep.
There are several tools available for Ping Sweep. Using these ping sweep tools such as
SolarWinds Ping Sweep tool or Angry IP Scanner, you can ping the range of IP addresses.
Additionally, they can perform reverse DNS lookup, resolve hostnames, bring MAC
addresses, and Scan ports.

IPSpecialist.net 157 14-May-2018

Certified Ethical Hacking

Figure 3-11 Ping Sweep

Check for Open Ports

SSDP Scanning
Simple Service Discovery Protocol (SSDP) is a protocol used for discovery of network
services without the assistance of server-based configuration like Dynamic Host
Configuration Protocol (DHCP) and Domain Name System (DNS) and static network
host configuration. SSDP protocol can discover Plug & Play devices, with UPnP (Universal
Plug and Play). SSDP protocol is compatible with IPv4 and IPv6.
Scanning Tool
1. Nmap
Another way to ping a host is by performing a ping using nmap. Using Windows or Linux
command prompt, enter the following command: -

nmap –sP –v <target IP address>

Upon successful response from the targeted host, If the command successfully finds a live
host, it returns a message indicating that the IP address of the targeted host is up, along
with the media access control (MAC) address and the network card vendor.
Apart from ICMP Echo Request packets and using ping sweep, nmap also offers a quick
scan. Enter the following command for quick scan: -

nmap –sP –PE –PA<port numbers> <starting IP/ending IP>

For example,
IPSpecialist.net 158 14-May-2018
Certified Ethical Hacking

nmap –sP –PE –PA 21,23,80,3389 <192.168.0.1-50>

Figure 3-12 Nmap

Nmap in a nutshell, offers Host discovery, Port discovery, Service discovery. Operating
system version information. Hardware (MAC) address information, Service version
detection, Vulnerability & exploit detection using Nmap scripts (NSE).

Lab 3-1: Hping Commands:

Case Study: Using Zenmap application, Performing Nmap scanning with its different
options. We are using a Windows 7 PC for scanning the network.

Procedure:
Performing ping scans the network 10.10.50.0/24, listing machines that respond to ping.
Command: nmap –sP 10.10.50.0/24

IPSpecialist.net 159 14-May-2018

Certified Ethical Hacking

Figure 3-13 Nmap ping Sweep

Now, scanning for Operating System details of target host 10.10.50.210. We can scan for all
host using command nmap –O 10.10.50.*
Command: nmap –O 10.10.50.210

IPSpecialist.net 160 14-May-2018

Certified Ethical Hacking

Figure 3-14 Nmap OS Scanning

2. Hping2 & Hping3

Hping is a command-line TCP/IP packet assembler and analyzer tool that is used to send
customized TCP/IP packets and display the target reply as ping command display the
ICMP Echo Reply packet from targeted host. Hping can also handle fragmentation,
arbitrary packets body, and size and file transfer. It supports TCP, UDP, ICMP and RAW-
IP protocols. Using Hping, the following parameters can be performed: -
 Test firewall rules.
 Advanced port scanning.
 Testing net performance.
 Path MTU discovery.
 Transferring files between even fascist firewall rules.
 Traceroute-like under different protocols.
 Remote OS fingerprinting & others.

IPSpecialist.net 161 14-May-2018

Certified Ethical Hacking

Figure 3-15 Hping3

Lab 3-2: Hping Commands:

Case Study: Using Hping commands on Kali Linux, we are pinging a Window 7 host with
different customized packets in this lab.

Commands:
To create an ACK packet:
root@kali:~# hping3 –A 192.168.0.1

Figure 3-16 Sending customized packet using the Hping3 command

To create SYN scan against different ports:

root@kali:~# hping3 -8 1-600 –S 10.10.50.202

IPSpecialist.net 162 14-May-2018

Certified Ethical Hacking

Figure 3-17 Sending customized packet using the Hping3 command

To create a packet with FIN, URG, and PSH flags sets

root@kali:~# hping3 –F –P -U 10.10.50.202

Figure 3-18 Sending customized packet using the Hping3 command

The following are some options used with Hping command: -

-h --help Show help
-v --version Show Version
-c --count Packet Count
-I --interface Interface Name
--flood Send packets as fast as possible. Don't show replies.
-V --verbose Verbose Mode
-0 --rawip RAW IP Mode
-1 --icmp ICMP Mode

IPSpecialist.net 163 14-May-2018

Certified Ethical Hacking

-2 --udp UDP Mode

-8 --scan Scan Mode
-9 --listen Listen Mode
--rand-dest Random Destination Address Mode
--rand-source Random Source Address Mode
-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-Q --seqnum Shows only TCP sequence number
-F --fin Set FIN flag
-S --syn Set SYN flag
-P --push Set PUSH flag
-A --ack Set ACK flag
-U --urg Set URG flag
--TCP- Enable the TCP timestamp option to guess the
timestamp HZ/uptime
Table 3-02 Hping3 Command Options

Scanning Techniques
Scanning techniques include UDP & TCP Scanning technique. Observe the following
figure showing the classification of Scanning techniques: -

Figure 3-19 Scanning Techniques

IPSpecialist.net 164 14-May-2018

Certified Ethical Hacking

TCP Connect / Full Open Scan

Full Open Scan is the type of Scanning technique in which Three-way handshaking
session initiates and completed. Full Open Scanning ensures the response that the
targeted host is live and the connection is complete. It is a major advantage of Full Open
Scanning. However, it can be detected, logged by security devices such as Firewalls and
IDS. TCP Connect / Full Open Scan does not require Super User Privileges.

Figure 3-20 TCP Connection Responses

While using Full Open Scanning and a Closed port is encountered, RST response is sent
to the incoming request to terminate the attempt. To perform Full Open Scan, you must
use -sT option for Connect Scan.
Type the command to execute Full Open Scan: -

nmap –sT <ip address or range>

For example, observe the output shown in the figure below, using Zenmap tool to
perform Full Open Scan.

IPSpecialist.net 165 14-May-2018

Certified Ethical Hacking

Figure 3-21 Full Open Scan

Stealth Scan (Half-open Scan)

Half-Open Scan is also known as Stealth Scan. To understand the Half-Open Scan
processes, Consider the scenario of two hosts, Host A & Host B. Host A is the initiator of
the TCP connection handshaking. Host A sends the Sync packet to initiate the
handshaking. Receiving host (Host B) replies with Sync+Ack packet. Host A, Instead of
Acknowledging the Host B with Ack packet, it responds with RST.

IPSpecialist.net 166 14-May-2018

Certified Ethical Hacking

Figure 3-21 Half-Open Scan

To perform this type of scan in nmap use the syntax:

nmap –sS <ip address or range>

Observe the result in the following figure: -

Figure 3-22 Half-Open Scan

Inverse TCP Flag Scanning

Inverse TCP Flag Scanning is the Scanning process in which Sender either send TCP
probe with TCP flags, i.e. FIN, URG, and PSH or without Flags. Probes with TCP flags is
known as XMAS Scanning. In case, if there is no flag set, it is known as Null Scanning.

IPSpecialist.net 167 14-May-2018

Certified Ethical Hacking

Xmas Scan
Xmas Scan is the type of scan in which contains multiple flags. Packet sent to the target
along with URG, PSH & FIN; or a packet having all flags creates an abnormal situation for
the receiver. Receiving system has to take a decision when this condition occurs. Closed
port responds with single RST packet. If the port is open, some systems respond as an
open port, but the modern system ignores or dropped these requests because the
combination of these flags is bogus. FIN Scan works only with Operating Systems with
RFC-793 based TCP/IP Implementation. FIN Scan does not work with any current version
of Windows typically Windows XP or later.

Figure 3-23 Xmas Scan

To perform this type of scan, use the syntax:

nmap –sX -v <ip address or range>

Lab 3-3: Xmas Scanning

Case Study: Using Xmas Scanning on Kali Linux, we are pining a Window Server 2016
host with firewall enabled & disabled state to observe the responses.

Procedure:
Open Windows Server 2016 & verify if the firewall is enabled.

IPSpecialist.net 168 14-May-2018

Certified Ethical Hacking

Figure 3-24 Windows Firewall settings

Open a terminal on your Kali Linux & enter the following command:

Figure 3-25 Xmas Scanning

Observe the output as shown above in the figure, all scanned ports are Open & Filtered.
It means the firewall is enabled. A firewall basically not respond these packet hence
assumed as Open & filtered ports.

IPSpecialist.net 169 14-May-2018

Certified Ethical Hacking

Now, go back to Windows Server 2016 and disable the Firewall.

Figure 3-26 Disabling Firewall

Now again, run the scan.

Figure 3-27 Xmas Scanning

In this case, the firewall is disabled, hence showing all ports as closed.

FIN Scan
FIN Scan is the process of sending the packet having only FIN flag set. These packets can
reliably pass the firewall. FIN Scan packets, when sent to the target, the port is considered
to be open if there is no response. If the port is closed, RST is returned.
To perform this type of scan, use the syntax:

IPSpecialist.net 170 14-May-2018

Certified Ethical Hacking

nmap –SF <ip address or range>

NULL Scan
NULL Scan is the process of sending the packet without any flag set. Responses are
similar to FIN and XMAS Scan. If Null Scan packet sends to an open port, it brings no
response. If Null Scan packet sends to the closed port, it brings RST packet. Performing
this scan is comparatively easier to be detected as there is logically no reason to send a
TCP packet without any flag.
To perform this type of scan, use the syntax:

nmap –sN <ip address or range>

ACK Flag Probe Scanning

ACK flag Scanning technique sends TCP packet with ACK flag set towards the target.
Sender Examine the header information because even when ACK packet has made its way
to the target, it replies with RST packet either the port is open or closed. After Analyzing
the header information such as TTL and WINDOW fields of RST packet, the attacker
identifies if the port is open or closed.

Figure 3-28 Ack Flag Probe Scanning

ACK Probe scanning also helps in identifying the filtering system. If RST packet receives
from the target, it means that packets toward this port are not filtering. If there is no
response, it means Stateful firewall is filtering the port.

IPSpecialist.net 171 14-May-2018

Certified Ethical Hacking

Figure 3-29 Ack Flag Probe Scanning Response

IDLE/IPID Header Scan

IDLE / IPID Header Scan is a unique and effective technique to identify the target host
port status. Using this scan is capable of remaining low profile. Idle scanning describes
the hiding ability of attacker. Attacker hides its identity by instead of sending the packet
through its system, the scanning process done by bouncing packets from Zombie's
system. If target investigates the threat, it traces Zombie instead of tracing the attacker.
Before understanding the Step required for IDLE/IPID Scan, you must know recall some
important point: -
 To determine an Open port, send SYN packet to the port.
 Target machine responds with SYN+ACK packet if the port is open.
 Target Machine responds with RST packet if the port is closed.
 The unsolicited SYN+ACK packet is either ignored, responded with RST.
 Every IP packet has Fragment Identification Number (IPID).
 OS increments IPID for each packet.

Step: 01
 Send Sync+Ack packet to Zombie to get its IPID Number.
 Zombie is not waiting for Sync+Ack, hence respond with RST packet. Its Reply
discloses the IPID.
 Extract IPID from Packet.

Figure 3-30 Step#01 Idle Scanning

IPSpecialist.net 172 14-May-2018

Certified Ethical Hacking

Step: 02
 Send Sync packet to target spoofing the IP address of Zombie.
 IP port is open; Target reply with Sync+Ack to Zombie & Zombie reply back to target
with RST packet.

Figure 3-31 Step#02 Idle Scanning

 If the port is closed; Target reply with RST to Zombie & Zombie reply nothing back to
target. IPID of Zombie is not incremented.

Figure 3-32 Step#02 Idle Scanning

Step: 03
 Send Sync+Ack packet to Zombie again, to get & compare its IPID Numbers to IPID
extracted in step 01 (i.e. 1234).
 Zombie responds with RST packet. Its Reply discloses the IPID.
 Extract IPID from Packet.
 Compare the IPID.
 Port is open if IPID is incremented by 2.

Figure 3-33 Step#03 Idle Scanning

IPSpecialist.net 173 14-May-2018

Certified Ethical Hacking

 Port is close if IPID is incremented by 1.

UDP Scanning
Like TCP-based scanning techniques, there are also UDP Scanning methods. Keeping in
mind, UDP is a connectionless protocol. UDP does not have flags. UDP packets are
working with ports; no connection orientation requires. No response if the targeted port
is open however if the port is closed, the response message of "Port unreachable"
returned. Most of the Malicious Programs, Trojans, Spywares uses UDP ports to access
the target.

Figure 3-34 UDP Scanning Response

To perform this type of scan in nmap use the syntax:

nmap –sU –v <ip address or range>

Observe the result in the following figure: -

IPSpecialist.net 174 14-May-2018

Certified Ethical Hacking

Figure 3-35 UDP Port Scanning

Scanning Tool
NetScan Tools Pro is an application which collects information, perform network
troubleshooting, monitors, discover and diagnose with its integrated tools designed for
Windows Operating system offering a focused examination of IPv4, IPv6, Domain names,
Email and URL using Automatic and Manual Tool.

IPSpecialist.net 175 14-May-2018

Certified Ethical Hacking

Figure 3-36 UDP Port Scanning

Scanning Tools for Mobile

There are several basic and advanced network tools available for the Mobile device on
application stores. The following are some effective tools for network Scanning.

Network Scanner
“Network Scanner” tool offering IP Calculator, DNS lookup, Whois tool, Traceroute &
Port Scanner option.

IPSpecialist.net 176 14-May-2018

Certified Ethical Hacking

Figure 3-37 Scanning Tool for Mobile

Fing- Network Tool

Figure 3-38 Scanning Tool for Mobile

IPSpecialist.net 177 14-May-2018

Certified Ethical Hacking

Network Discovery Tool

Figure 3-39 Scanning Tool for Mobile

Port Droid Tool

Figure 3-40 Scanning Tool for Mobile

IPSpecialist.net 178 14-May-2018

Certified Ethical Hacking

Scanning Beyond IDS

The attacker uses Fragmentation and Small packets to evade Security devices such as
Firewalls, IDS, and IPS. The basic technique that is most commonly & popularly used is
splitting the payload into the smaller packet. IDS must have to reassemble these
incoming packet stream to inspect and detect the attack. The small packet is further
modified to be more complicated to reassemble and detect by packet reassemble.
Another way of using fragmentation is by sending these fragmented packets out of order.
These fragmented out of order packets are sent with pauses to create a delay. These
packets are sent using proxy servers, or through compromised machines to launch
attacks.
OS Fingerprinting & Banner Grabbing
OS Fingerprinting is a technique, used to identify the information of Operating System
running on a target machine. By gathering information about running operating system,
attacker determines the vulnerabilities and possible bugs that an operating system may
possess. The two types of OS Fingerprinting are as follows: -
1. Active OS Fingerprinting
2. Passive OS Fingerprinting
Banner Grabbing is similar to OS fingerprinting, but actually, Banner grabbing is
determining the services that are running on the target machine. Typically, Telnet is used
to retrieve information of banner.
Active OS Fingerprinting or Banner Grabbing
NMPA can perform Active Banner grabbing with ease. NMAP, as we know, is a powerful
networking tool which supports many features and commands. Operating System
detection capability allows to send TCP and UDP packet and observe the response from
the targeted host. A detailed assessment of this response bring some clues regarding
nature of an operating system disclosing the type an OS.
To perform OS detection with nmap perform the following: -

nmap -O <ip address>

IPSpecialist.net 179 14-May-2018

Certified Ethical Hacking

Figure 3-41 OS Fingerprinting

Passive OS Fingerprinting or Banner Grabbing

Passive OS Fingerprinting requires detail assessment of traffic. You can perform Passive
banner grabbing by analyzing network traffic along with special inspection of Time to
Live (TTL) value and Window Size. TTL value and Window Size are inspected from a
header of TCP packet while observing network traffic. Some of the common values for
operating systems are: -
Operating System TTL TCP Window Size
Linux 64 5840
Google customized Linux 64 5720
FreeBSD 64 65535
Windows XP 128 65535
Windows Vista, 7 and Server 2008 128 8192
Cisco Router (iOS 12.4) 255 4128
Table 3-03 Passive OS Fingerprinting Values

Banner Grabbing Tools

There are some tools available for banner grabbing. Some of them are: -
 ID Server
 Netcraft
 Netcat
 Telnet

IPSpecialist.net 180 14-May-2018

Certified Ethical Hacking

 Xprobe
 pof
 Maltego
Mind Map

Draw Network Diagrams

To gain access to a network, deep understanding of the architecture of that network and
detailed information is required. Having valuable network information such as security
zones, security devices, routing devices, number of hosts, etc. helps an attacker to
understand the network diagram. Once Network diagram is designed, it defines logical
and physical path leading to the appropriate target within a network. Network diagram
visually explains the network environment and provide an even more clear picture of that
network. Network Mappers are the network mapping tools, which uses scanning and
other network tools and techniques and draw a picture of a network. The thing that is
important to care about is, these tools generate traffic which can reveal the presence of
attacker or pentester on the network.
Network Discovery Tool
OpManager is an advanced network monitoring tool which offers fault management,
supporting over WAN links, Router, Switch, VoIP & servers. It can also perform
performance management. Network View is an advanced network discovery tools. It can

IPSpecialist.net 181 14-May-2018

Certified Ethical Hacking

perform discovery of routes, TCP/IP nodes using DNS, ports, and other network
protocols. List of some popular tools are: -
1. Network Topology Mapper
2. OpManager
3. Network View
4. LANState Pro

Drawing Network Diagrams

Solar Wind Network Topology Mapper can discover network & create a comprehensive
network topology diagram. It also offers additional features like editing nodes manually,
exporting diagram to Visio, multi-level network discovery, etc. Mapped topology can
display Node name, IP Address, Hostname, System Name, Machine type, Vendor, System
location, & other information.

Lab 3-4: Creating Network Topology Map using Tool

Creating Network Topology Map
With Solar Wind Network Topology Mapper tool, start scanning the network by clicking
on New Network Scan/button.

Figure 3-42 Network Topology Mapper Tool

Provide Network Information, Configure Discovery Settings, provide necessary

credentials if required.

IPSpecialist.net 182 14-May-2018

Certified Ethical Hacking

Figure 3-43 Configuring Scan

Once you configure all settings, Start the scan.

Figure 3-44 Scanning Network

After complete scan process, it will show a list of detected devices to add into topology
diagram. Select all or required devices to add to the topology.

IPSpecialist.net 183 14-May-2018

Certified Ethical Hacking

Figure 3-45 Discovered Devices List

Topology view of the scanned network. Now you can add nodes manually, export it to
Vision and use other features of the tool.

Figure 3-46 Topology

IPSpecialist.net 184 14-May-2018

Certified Ethical Hacking

Prepare Proxies
Proxy is the system that is stands in between attacker and the target. Proxy systems play
an important role in networks. Proxy systems are basically used by scanners to hide their
identity to be traced back to the target.

Figure 3-47 Proxy Server

Proxy Servers
Proxy server anonymizes the web traffic to provide anonymity. When a user sends a
request for any resources to the other publically available servers, proxy server act as an
intermediary for these requests. Users request is forwarded to proxy server first. the proxy
server will entertain these requests like a web page, file download, connection to another
server, etc. The most popular use of the proxy server is in terms of web proxy servers.
These Web proxy servers are used to provide access to world wide web by bypassing the
IP address blocking.
Uses Proxy server, in a nutshell, can be summarized as: -
 Hiding Source IP address for bypassing IP address blocking.
 Impersonating.
 Remote Access to Intranet.
 Redirecting all requests to the proxy server to hide identity.
 Proxy Chaining to avoid detection.
Proxy Chaining
Proxy Chaining is basically a technique of using multiple proxy servers. In addition to
proxy servers, one proxy server forwards the traffic to next proxy server. This process is
not recommended for production environments, or a long-term solution, however, this
technique leverages your existing proxy.

IPSpecialist.net 185 14-May-2018

Certified Ethical Hacking

Figure 3-48 Proxy Chaining

Proxy Tool
There is a number of proxy tools available as well as you can online search for a proxy
server and configure manually on your web browser. These tools include: -
1. Proxy Switcher
2. Proxy Workbench
3. TOR
4. CyberGhost

Proxy Switcher
Proxy Switcher tool scans for Available proxy servers. You can enable any proxy server to
hide your IP address. The following figure is showing the searching process of Proxy
servers using Proxy Switcher tool.

IPSpecialist.net 186 14-May-2018

Certified Ethical Hacking

Figure 3-49 Proxy Switcher

Proxy Tools for Mobile

There are several proxy applications available on google play store and App store for iOS
devices.
Application Download URL
Proxy Droid https://play.google.com
Net Shade https://itunes.apple.com
Table 3-04 Proxy Tools for Mobile

Introduction to Anonymizers
Anonymizer is a tool that completely hides or removes identity-related information to
make the activity untraceable. The basic purpose of using anonymizers are: -
 Minimizing risk
 Identity theft prevention
 Bypass restrictions and censorship
 Untraceable activity on the Internet
Censorship Circumvention Tool
 Tails
Tails (The Amnesic Incognito Live System) is a popular censorship circumvention tool
based on Debian GNU/Linux. It is basically a live operating system that can run on
almost every computer from USB or DVD. It is an operating system that is specially

IPSpecialist.net 187 14-May-2018

Certified Ethical Hacking

designed to help you to use the internet anonymously leaving no trace behind. Tails
preserve privacy and anonymity.
Anonymizers for Mobile
 Orbot
 Psiphon
 Open door

Figure 3-50 Anonymizers for Mobile

Spoofing IP Address
IP Address Spoofing is a technique, that is used to gain unauthorized access to machines
by spoofing IP address. An attacker illicitly impersonates any user machine by sending
manipulated IP packets with spoofed IP address. Spoofing process involves modification
of header with a spoofed source IP address, a checksum, and the order values. Packet-
switched networking causes the packets arriving at the destination in different order.
When these out of order packets are received at the destination, these packets are
resembled to extract the message.
IP spoofing can be detected by different techniques including Direct TTL probing
technique and through IP Identification Number. In the process of sending direct TTL
probes, packets are sent to the host that is suspected of sending spoofed packets and
responses are observed. By comparing TTL value from the reply from the suspected host,
IP spoofing can be detected. It will be a spoofed packet if TTL value is not same as in
spoofed packet. However, TTL values can vary in even normal traffic and this technique
identify the spoofing when the attacker is on a different subnet.

IPSpecialist.net 188 14-May-2018

Certified Ethical Hacking

Figure 3-51 Direct TTL Probing

Similarly, additional probes are sent to verify the IPID of the host. If IPID values are not
closer, suspect traffic is spoofed. This technique can be used in case if the attacker is
within a subnet.

Figure 3-52 Verifying IPID Number

IPSpecialist.net 189 14-May-2018