Module 3 Scanning

Objective Definition of scanning Types and objectives of Scanning Understanding CEH Scanning methodology Checking live systems and open ports Understanding scanning techniques Different tools present to perform Scanning Understanding banner grabbing and OS fingerprinting Drawing network diagrams of vulnerable hosts Preparing proxies Understanding anonymizers Scanning countermeasures

One of the three components of intelligence gathering for an attacker The attacker finds information about the specific IP addresses Operating Systems system architecture services running on each computer The various types of scanning are as follows : Port Scanning Network Scanning Vulnerability Scanning Scanning - Definition

Types of Scanning Port Scanning A series of messages sent by someone attempting to break into a computer to learn about the computer’snetwork services Each associated with a "well-known" port number Network Scanning A procedure for identifying active hosts on a network Either for the purpose of attacking them or for network security assessment Vulnerability Scanning The automated process of proactively identifying vulnerabilities of computing systems present in a network

Objectives of Scanning To detect the live systems running on the network To discover which ports are active/running To discover the operating system running on the target system ( fingerprinting ) To discover the services running/listening on the target system To discover the IP address of the target system

Checking for Live Systems – ICMP Scanning Ping send out an ICMP Echo Request packet and awaits an ICMP Echo Reply message from an active machine. Alternatively, TCP/UDP packets are sent if incoming ICMP messages are blocked. Ping helps in assessing network traffic by time stamping each packet. Ping can also be used for resolving host names. Tools include Pinger, WS_Ping ProPack, NetScan Tools, HPing, icmpenum

Checking for open ports Port Scanning is one of the most popular reconnaissance techniques used by hackers to discover services that can be compromised. A potential target computer runs many 'services' that listen at ‘well-known’ 'ports'. By scanning which ports are available on the victim, the hacker finds potential vulnerabilities that can be exploited.

Port Scanner - Nmap Nmap is a free open source utility for network exploration It is designed to rapidly scan large networks Features Nmap is used to carry out port scanning, OS detection, version detection, ping sweep, and many other techniques It scans a large number of machines at one time It is supported by many operating systems It can carry out all types of port scanning techniques

TCP Communication Flags Standard TCP communications are controlled by flags in the TCP packet header The flags are as follows: Synchronize - also called "SYN” – Used to initiate a connection between hosts Acknowledgement - also called "ACK” – Used in establishing a connection between hosts Push - "PSH” – Instructs receiving system to send all buffered data immediately Urgent - "URG” – States that the data contained in the packet should be processed immediately Finish - also called "FIN" – Tells remote system that there will be no more transmissions Reset - also called "RST” – Also used to reset a connection

SYN Stealth / Half Open Scan It is often referred to as half open scan because it does not open a full TCP connection First a SYN packet is sent to a port of the machine, suggesting a request for connection, and the response is awaited If the port sends back a SYN/ACK packet, then it is inferred that a service at the particular port is listening. If an RST is received, then the port is not active/ listening. As soon as the SYN/ACK packet is received, an RST packet is sent, instead of an ACK, to tear down the connection The key advantage is that fewer sites log this scan

Stealth Scan Client sends a single SYN packet to the server on the appropriate port If the port is open then the server responds with a SYN/ACK packet If the server responds with an RST packet, then the remote port is in "closed” state The client sends RST packet to close the initiation before a connection can ever be established This scan also known as “half-open” scan

IDLE Scan: Basics Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25 A port is considered "open" if an application is listening on the port, otherwise it is closed One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed A machine which receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored Every IP packet on the Internet has a "fragment identification" number Many operating systems simply increment this number for every packet they send So probing for this number can tell an attacker how many packets have been sent since the last probe

IDLE Scan: Step 2.1 (Open Port)

IDLE Scan: Step 2.2 (Closed Port)

ICMP Echo Scanning/List Scan ICMP echo scanning This isn't really port scanning, since ICMP doesn't have a port abstraction But it is sometimes useful to determine which hosts in a network are up by pinging them all nmap -P cert.org/24 152.148.0.0/16 List Scan This type of scan simply generates and prints a list of IPs/Names without actually pinging or port scanning them A DNS name resolution will also be carried out

NMAP Scan Options Output options

Nessus Nessus is a vulnerability scanner , which looks for bugs in software An attacker can use this tool to violate the security aspects of a software product Features Plug-in-architecture NASL (Nessus Attack Scripting Language) Can test unlimited number of hosts simultaneously Smart service recognition Client-server architecture Smart plug-ins Up-to-date security vulnerability database

GFI LANGuard GFI LANGUARD analyzes the operating system and the applications running on a network and finds out the security holes present It scans the entire network, IP by IP, and provides information such as the service pack level of the machine and missing security patches, to name a few GFI LANGuard Features Fast TCP and UDP port scanning and identification Finds all the shares on the target network It alerts the pinpoint security issues Automatically detects new security holes Checks password policy Finds out all the services that are running on the target network Vulnerabilities database includes UNIX/CGI issues

Draw Network Diagrams of Vulnerable Hosts

Proxy Servers Proxy is a network computer that can serve as an intermediate for connection with other computers They are usually used for the following purposes: As a firewall, a proxy protects the local network from outside access As an IP addresses multiplexer, a proxy allows the connection of a number of computers to the Internet when having only one IP address Proxy servers can be used (to some extent) to anonymize web surfing Specialized proxy servers can filter out unwanted content, such as ads or 'unsuitable' material Proxy servers can afford some protection against hacking attacks

Happy Browser Tool (Proxy-based)

Some anonymizer sites Many anonymizer sites create an anonymized URL by appending the name of the site the user wishes to access to their own URL, e.g.: http://anon.free.anonymizer.com/http://www.yahoo.com/ Anonymizer.com Anonymize.net @nonymouse.com Iprive.com MagusNet Public Proxy MuteMail.com PublicProxyServers.com Rewebber.de SilentSurf.com Surfola.com Ultimate-anonymity.com

Anonymizers’ limitations HTTPS. Secure protocols like "https:" cannot be properly anonymized, since the browser needs to access the site directly to properly maintain the secure encryption. Plugins. If an accessed site invokes a third-party plugin, then there is no guarantee that they will not establish independent direct connections from the user computer to a remote site. Logs. All anonymizer sites claim that they don't keep a log of requests. Some sites, such as the Anonymizer, keep a log of the addresses accessed, but don't keep a log of the connection between accessed addresses and users logged in. Java. Any Java application that is accessed through an anonymizer will not be able to bypass the Java security wall. Active X. Active-X applications have almost unlimited access to the user's computer system. JavaScript. The JavaScript scripting language is disabled with url-based anonymizers

Why Do I Need HTTP Tunneling? Let’s say your organization has blocked all the ports in your firewall and only allows port 80/443 and you want to use FTP to connect to some remote server on the Internet In this case you can send your packets via http protocol

Httptunnel for Windows httptunnel creates a bidirectional virtual data connection tunnelled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired This can be useful for users behind restrictive firewalls If WWW access is allowed through an HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall On the server you must run hts. If I wanted to have port 80 (http) redirect all traffic to port 23 (telnet) then it would go something like: hts -F server.test.com:23 80 On the client you would run htc. If you are going through a proxy, the -P option is needed otherwise omit it. htc -P proxy.corp.com:80 -F 23 server.test.com:80 Then telnet localhost and it will redirect the traffic out to port 80 on the proxy server and on to port 80 of the server, then to port 23.

Module 3 Scanning

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Module 3 Scanning (20)

More from leminhvuong (20)

Recently uploaded (20)

Module 3 Scanning