Scanning Networks
Module 03
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker

Scanning Networks, Module 03

Ethical Hacking and Countermeasures v8, Module 03: Scanning Networks. Exam 312-50 Certified Ethical Hacker. Engineered by Hackers. Presented by Professionals.

Module 03 Page 263. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

Saliently Sality Botnet Trapped Scanning IPv4 Address Space

Source: http://www.spamfighter.com

A semi-famous botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study, published by Paritynews.com on October 10, 2012. Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks.

Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space, devoid of being recognized. That's the only reason the technique uses a very small number of packets that come from various sources. The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing to the scan. The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case, from various sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair King, as published by Softpedia.com on October 9, 2012).

According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's the first time that such a happening has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been accepted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying any event like this one.

According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet uses classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator categorized the scans at around 3 million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly covers, but is unable to be noticed by present automation, as published by darkreading.com on October 4, 2012.

Copyright © SPAMfighter 2003-2012
http://www.spamfighter.com/News-1799B-Salier1tlv-Salitv-Botnet-Trapped-Scanning-IPv4Address-Space.htm
Module Objectives

Once an attacker identifies his/her target system and does the initial reconnaissance, as discussed in the footprinting and reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance where the attacker learns more about his/her target, such as what operating system is used, the services that are being run on the systems, and configuration lapses, if any can be identified. The attacker can then strategize his/her attack, factoring in these aspects.

This module will familiarize you with:

- Overview of Network Scanning
- CEH Scanning Methodology
- Checking for Live Systems
- Scanning Techniques
- IDS Evasion Techniques
- Banner Grabbing
- Vulnerability Scanning
- Drawing Network Diagrams
- Use of Proxies for Attack
- Proxy Chaining
- HTTP Tunneling Techniques
- SSH Tunneling
- Anonymizers
- IP Spoofing Detection Techniques
- Scanning Countermeasures
- Scanning Pen Testing
Overview of Network Scanning

Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network. Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization.

[Diagram: the attacker sends TCP/IP probes to the network and gets network information back.]

Objectives of Network Scanning:
- To discover live hosts, IP address, and open ports of live hosts
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts

As we already discussed, footprinting is the first phase of hacking, in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking because here you gather only the primary information about the target. You can use this primary information in the next phase to gather many more details about the target. The process of gathering additional details about the target using highly complex and aggressive reconnaissance techniques is called scanning. The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system. You can also discover more about the target system, such as what operating system is used, what services are running, and whether or not there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack.

Types of Scanning
- Port scanning: open ports and services
- Network scanning: IP addresses
- Vulnerability scanning: presence of known weaknesses
In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more ports are open, the more points of vulnerability; the fewer ports are open, the more secure the system is. This is simply a general rule. In some cases, the level of vulnerability may be high even though few ports are open.

Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, their targets' operating systems, system architecture, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems.

FIGURE 3.1: Network Scanning Diagram (the attacker sends TCP/IP probes to the network and gets network information)

Objectives of Network Scanning

If you have a large amount of information about a target organization, there are greater chances for you to learn the weaknesses and loopholes of that particular organization, and consequently for gaining unauthorized access to its network. Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How to perform scanning and what type of information is to be obtained during the scanning process entirely depends on the hacker's viewpoint.

There may be many objectives for performing scanning, but here we will discuss the most common objectives that are encountered during the hacking phase:

- Discovering live hosts, IP address, and open ports of live hosts running on the network.
- Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network.
- Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
- Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
- Detecting the associated network service of each port.
CEH Scanning Methodology

The CEH scanning methodology consists of the following steps:
1. Check for Live Systems
2. Check for Open Ports
3. Scanning Beyond IDS
4. Banner Grabbing
5. Scan for Vulnerability
6. Draw Network Diagrams
7. Prepare Proxies
8. Scanning Pen Testing

The first step in scanning the network is to check for live systems. This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system, and various ping sweep tools.
Checking for Live Systems: ICMP Scanning

- Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
- This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

ICMP Scanning

All required information about a system can be gathered by sending ICMP packets to it. Since ICMP does not have a port abstraction, this cannot be considered a case of port scanning. However, it is useful to determine which hosts in a network are up by pinging them all (the -P option does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the number of pings in parallel with the -L option. It can also be helpful to tweak the ping timeout value with the -T option.

ICMP Query

The UNIX tool ICMPquery or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses. ICMPquery has both a timestamp and an address mask request option:

    icmpquery <query> [-B] [-f fromhost] [-d delay] [-T time] target

Where <query> is one of:
    -t: icmp timestamp request (default)
    -m: icmp address mask request
-d: delay to sleep between packets, in microseconds.
-T: specifies the number of seconds to wait for a host to respond. The default is 5.
A target is a list of hostnames or addresses.

FIGURE 3.2: ICMP Query Diagram (Source 192.168.168.3 sends an ICMP Echo Request to Destination 192.168.168.5, which returns an ICMP Echo Reply)

Ping Scan Output Using Nmap

Source: http://nmap.org

Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you can determine the live hosts on a network. It performs ping scans by sending ICMP ECHO requests to all the hosts on the network. If the host is live, then the host sends an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. The following screenshot shows the sample output of a ping scan using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:

    nmap -sn 192.168.168.5

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 13:02 EDT
    Nmap scan report for 192.168.168.5
    Host is up (0.00s latency).
    MAC Address: (Dell)
    Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

FIGURE 3.3: Zenmap Showing Ping Scan Output
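The Nmap ping-scan output shown in the figure is easy to turn into a host inventory, which is also how a defender uses it: compare what answers on a subnet against what is supposed to be there. The following Python is an added example, not code from this module or from the Nmap project. The sample output is constructed to match the shape of the Zenmap screenshots (the MAC addresses are placeholders), and KNOWN_ASSETS is an assumed approved-asset list; both are marked as such in the code.

```python
"""Turn Nmap ping-scan (-sn) text output into a host inventory and audit it.

Added example, not part of the CEH module and not Nmap's own code.
SAMPLE_NMAP_OUTPUT is constructed to match the shape of the Zenmap
screenshots in this module; the MAC addresses are placeholders and
KNOWN_ASSETS is an assumed list of approved hosts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample output for `nmap -sn 192.168.168.1-50`.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41 EDT
Nmap scan report for 192.168.168.1
Host is up (0.00s latency).
MAC Address: 00:00:00:00:00:01 (Hewlett-Packard Company)
Nmap scan report for 192.168.168.3
Host is up (0.00s latency).
MAC Address: 00:00:00:00:00:03 (Apple)
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
MAC Address: 00:00:00:00:00:05 (Dell)
Nmap scan report for 192.168.168.13
Host is up (0.00s latency).
MAC Address: 00:00:00:00:00:0D (Foxconn)
Nmap done: 50 IP addresses (4 hosts up) scanned in 1.20 seconds
"""

# Assumed approved-asset list for the subnet (placeholder data).
KNOWN_ASSETS: Set[str] = {"192.168.168.1", "192.168.168.3", "192.168.168.5"}

# Nmap prints either "scan report for 10.0.0.1" or "scan report for name (10.0.0.1)".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<latency>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?$")
DONE_RE = re.compile(r"^Nmap done: (?P<total>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\)")


@dataclass
class LiveHost:
    ip: str
    hostname: Optional[str] = None
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None


def parse_ping_scan(text: str) -> List[LiveHost]:
    """Return one LiveHost per host that answered the ping scan, in output order."""
    hosts: List[LiveHost] = []
    current: Optional[LiveHost] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            current = LiveHost(ip=m.group("ip"), hostname=m.group("name"))
            continue
        if current is None:
            continue
        m = UP_RE.match(line)
        if m:
            lat = m.group("latency")
            current.latency_s = float(lat) if lat else None
            hosts.append(current)  # -sn only reports hosts that answered
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group("mac")
            current.vendor = m.group("vendor")
    return hosts


def scan_summary(text: str) -> Optional[Tuple[int, int]]:
    """(addresses scanned, hosts up) from the trailing 'Nmap done' line, if present."""
    for raw in text.splitlines():
        m = DONE_RE.match(raw.strip())
        if m:
            return int(m.group("total")), int(m.group("up"))
    return None


def find_unknown_hosts(hosts: List[LiveHost], known: Set[str]) -> List[LiveHost]:
    """Live hosts that are not in the approved inventory: the ones worth a closer look."""
    return [h for h in hosts if h.ip not in known]


if __name__ == "__main__":
    found = parse_ping_scan(SAMPLE_NMAP_OUTPUT)
    for h in found:
        print(f"{h.ip:16} {h.vendor or '?':24} {h.latency_s}")
    for h in find_unknown_hosts(found, KNOWN_ASSETS):
        print(f"UNKNOWN live host: {h.ip} ({h.vendor})")
```

Run against real output by piping `nmap -sn <your subnet>` into a file and passing its contents to parse_ping_scan; the host that answers but is missing from the asset list (192.168.168.13 in the constructed sample) is exactly the finding an ARP/ping inventory is meant to surface.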
Ping Sweep

- Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply.
- Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet.
- Attackers then use ping sweep to create an inventory of live systems in the subnet.

[Slide figure: the ping sweep output using Nmap, shown in full as FIGURE 3.5 below.]

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique to determine which range of IP addresses map to live hosts (computers). While a single ping tells the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods to scan a network. This utility is distributed across almost all platforms, and acts like a roll call for systems; a system that is live on the network answers the ping query that is sent by another system.
FIGURE 3.4: Ping Sweep Diagram (Source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5, 192.168.168.6, 192.168.168.7 and 192.168.168.8; the live hosts answer with ICMP Echo Replies)

TCP/IP Packet

To understand ping, you should be able to understand the TCP/IP packet. When a system pings, a single packet is sent across the network to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping also determines the number of hops that lie between the two computers and the round-trip time, i.e., the total time taken by a packet for completing a trip. Ping can also be used for resolving host names. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address.

Source: http://nmap.org

Using Nmap Security Scanner you can perform a ping sweep. A ping sweep determines the IP addresses of live hosts. This provides information about the live host IP addresses as well as their MAC addresses. It allows you to scan multiple hosts at a time and determine active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:
FIGURE 3.5: Zenmap showing ping sweep output. Command: nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50 (host discovery only, with an ICMP echo probe and TCP ACK probes to ports 21, 23, 80 and 3389). The MAC addresses are blacked out in the screenshot. Legible output:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41
Nmap scan report for 192.168.168.1
Host is up (0.00s latency).
MAC Address: ... (Hewlett-Packard Company)
Nmap scan report for 192.168.168.3
Host is up (0.00s latency).
MAC Address: ... (Apple)
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
MAC Address: ... (Dell)
Nmap scan report for 192.168.168.13
Host is up (0.00s latency).
MAC Address: ... (Foxconn)
Nmap scan report for 192.168.168.14
Host is up (0.0020s latency).

The host list in the left pane shows 192.168.168.1, .3, .5, .13, .14, .15, .17, .19, .26 and .28 as up.
Ping Sweep Tools

Determining live hosts on a target network is the first step in the process of hacking or breaking into a network. This can be done with ping sweep tools, a number of which are readily available. They determine live hosts by sending ICMP ECHO requests to many hosts at a time. Angry IP Scanner and the SolarWinds Engineer's Toolset are two commonly used examples:

- SolarWinds Engineer's Toolset's Ping Sweep scans a range of IP addresses to identify which addresses are in use and which are currently free. It also performs reverse DNS lookups.
- Angry IP Scanner pings each IP address to check whether it is alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.

Angry IP Scanner

Source: http://www.angryip.org

Angry IP Scanner is an IP scanner tool.
It marks every non-responsive address as a dead node, resolves hostname details, and checks for open ports. Its main features are scanning multiple ports and configurable result columns. Its goal is to find the active hosts in the network by scanning all the IP addresses as well as their ports. It runs on Linux, Windows, Mac OS X, etc., and can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.
FIGURE 3.6: Angry IP Scanner screenshot (IP range 10.0.0.1 to 10.0.0.50 scanned from host WIN-LXQN3WR3R9I; responding addresses are 10.0.0.1 (1 ms, port 80), 10.0.0.2 (0 ms, ports 80, 135, 139, 445, ...), 10.0.0.3 (0 ms, ports 135, 139, 445, ...), 10.0.0.5 (4 ms, ports 135, 139, 445, ...), 10.0.0.7 (1 ms, ports 80, 135) and 10.0.0.15 (627 ms, no open ports listed); all other addresses show [n/a])

SolarWinds Engineer's Toolset

Source: http://www.solarwinds.com

The SolarWinds Engineer's Toolset is a collection of network engineering tools. Its Ping Sweep scans a range of IP addresses and identifies which addresses are currently in use and which are free. It also performs reverse DNS lookups.

FIGURE 3.7: SolarWinds Engineer's Toolset Ping Sweep screenshot (a 192.168.168.x range is swept; most addresses report "Request Timed Out", a few respond in 2-3 ms, and the status bar reads "Scan Completed")
Ping Sweep Tools (Cont'd)

In addition to the SolarWinds Engineer's Toolset and Angry IP Scanner, many other tools offer ping sweep capabilities. For example:

- Colasoft Ping Tool, available at http://www.colasoft.com
- Visual Ping Tester - Standard, available at http://www.pingtester.net
- Ping Scanner Pro, available at http://www.digilextechnologies.com
- Ultra Ping Pro, available at http://ultraping.webs.com
- PingInfoView, available at http://www.nirsoft.net
- PacketTrap MSP, available at http://www.packettrap.com
- Ping Sweep, available at http://www.whatsupgold.com
- Network Ping, available at http://www.greenline-soft.com
- Ping Monitor, available at http://www.niliand.com
- Pinkie, available at http://www.ipuptime.net
Check for Open Ports

So far we have discussed how to check for live systems. Open ports are the doorways through which an attacker launches attacks on systems, so we now turn to scanning for open ports. The scanning methodology followed in this module is: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, and Scanning Pen Testing.

This section covers the three-way handshake, scanning IPv6 networks, and various scanning techniques such as the SYN scan, the FIN scan, and so on.
Three-Way Handshake

TCP uses a three-way handshake to establish a connection between a client and a server:

1. Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) with a packet that has only the SYN flag set.
2. The server replies with a packet that has both the SYN and the ACK flags set.
3. For the final step, the client responds to the server with a single ACK packet.
4. If these three steps complete without complication, a TCP connection is established between the client and the server.

TCP is connection-oriented, which means a connection must be established before applications can exchange data. The connection is set up through the three-way handshake between the two endpoints, which also synchronizes their sequence numbers. The process goes as follows:

- To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the destination (10.0.0.3:21).
- On receiving the SYN, the destination responds with a SYN/ACK packet. The ACK half confirms to the source that its SYN arrived; the SYN half carries the destination's own initial sequence number.
- Finally, the source sends an ACK packet for the SYN/ACK sent by the destination.
- This brings the connection to the ESTABLISHED state, allowing communication between source and destination until either of them sends a FIN packet (orderly close) or an RST packet (abort).
TCP maintains stateful connections for the connection-oriented protocols that run over it across the Internet, and the handshake works much like an ordinary telephone call: one picks up the receiver, hears a dial tone, and dials a number that rings at the other end until a person picks up and says "Hello."

FIGURE 3.8: Three-way Handshake Process (Bill, the client at 10.0.0.2:62000, sends SYN to Sheela, the server at 10.0.0.3:21; the server answers SYN/ACK; the client completes the handshake with ACK)

Establishing a TCP Connection

As discussed, a TCP connection is established with the three-way handshake method; as the name says, the connection is set up in three steps.

Source: http://support.microsoft.com/kb/172983

The following three frames show the establishment of a TCP connection between nodes NTW3 and BDC3.

Frame 1: In the first step, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize sequence numbers. It specifies the client's Initial Sequence Number (ISN); a SYN consumes one sequence number, so the server will acknowledge ISN + 1. To initialize a connection, the client and server must synchronize each other's sequence numbers. The segment also carries the Maximum Segment Size (MSS) option, whose length is 4 bytes (len: 4); this option communicates the largest segment the sender wants to receive. The Acknowledgement field (ack: 0) is zero because this is the first part of the three-way handshake.

1   2.0785   NTW3 --> BDC3   TCP   ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037  dst: 139 (NBT Session)

TCP: ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037  dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221822 (0x7D747E)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8192 (0x2000)
TCP: Checksum = 0xF213
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4)
TCP: Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00
00010: 00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B
00020: 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02
00030: 20 00 F2 13 00 00 02 04 05 B4 20 20

Frame 2: In the second step, the server, BDC3, sends an ACK and a SYN in one segment (TCP .A..S.). With this segment the server acknowledges the client's request for synchronization and at the same time sends its own request for synchronization of its sequence numbers. The major difference in this segment is that the server transmits an acknowledgement number (8221823) to the client: the client's sequence number incremented by one. This proves to the client that the ACK is specific to the SYN the client initiated.

2   2.0786   BDC3 --> NTW3   TCP   .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session)  dst: 1037

TCP: .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session)  dst: 1037
TCP: Source Port = NETBIOS Session Service
TCP: Destination Port = 0x040D
TCP: Sequence Number = 1109645 (0x10EE8D)
TCP: Acknowledgement Number = 8221823 (0x7D747F)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x12 : .A..S.
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x012D
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4)
TCP: Option Value = 1460 (0x5B4)
TCP: Frame Padding

00000: 02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00
00010: 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B
00020: 02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12
00030: 22 38 01 2D 00 00 02 04 05 B4 20 20

Frame 3: In the third step, the client sends an ACK segment (TCP .A....). With this segment the client acknowledges the server's request for synchronization, using the same rule the server applied: the server's sequence number plus one (1109646) becomes the acknowledgement number. The client's acknowledgement of the server's synchronization request completes the three-way handshake and establishes a reliable connection.

3   2.787   NTW3 --> BDC3   TCP   .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037  dst: 139 (NBT Session)

TCP: .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037  dst: 139 (NBT Session)
TCP: Source Port = 0x040D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 8221823 (0x7D747F)
TCP: Acknowledgement Number = 1109646 (0x10EE8E)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x18EA
TCP: Urgent Pointer = 0 (0x0)
TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00
00010: 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B
00020: 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10
00030: 22 38 18 EA 00 00 20 20 20 20 20 20
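To confirm that the trace above is internally consistent, as an added example that is not from the Microsoft KB article or the courseware: the following Python decodes the three hex dumps exactly as printed, renders the flags in Network Monitor's notation, recovers the MSS option, verifies both the IP and the TCP checksum from the raw bytes (the TCP checksum needs the pseudo-header of source address, destination address, protocol and segment length), and checks the ISN + 1 acknowledgement rule across all three frames. The frame bytes are the page's own; the function names and the dictionary layout are this example's.

```python
import struct

# The three frames of the Network Monitor trace reproduced on this page
# (Ethernet II + IPv4 + TCP, then 0x20 frame padding), copied as hex.
HANDSHAKE_FRAMES = [
    # Frame 1: NTW3 -> BDC3, SYN
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 "
    "20 00 F2 13 00 00 02 04 05 B4 20 20",
    # Frame 2: BDC3 -> NTW3, SYN/ACK
    "02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00 "
    "00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B "
    "02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 "
    "22 38 01 2D 00 00 02 04 05 B4 20 20",
    # Frame 3: NTW3 -> BDC3, ACK
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 "
    "22 38 18 EA 00 00 20 20 20 20 20 20",
]

# Flag bits in the order Network Monitor prints them: U A P R S F
FLAG_BITS = (("U", 0x20), ("A", 0x10), ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01))


def flag_string(flags):
    """Netmon-style rendering, e.g. 0x12 -> '.A..S.'."""
    return "".join(ch if flags & bit else "." for ch, bit in FLAG_BITS)


def inet_checksum(data):
    """RFC 1071 ones-complement sum; over a header that includes its own checksum field it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(hexdump):
    """Decode Ethernet II + IPv4 + TCP from a hex dump and verify both checksums."""
    raw = bytes.fromhex(hexdump)
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, src, dst = ip[9], ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]                      # slicing by total length drops the frame padding
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    mss = None
    opts, i = tcp[20:doff], 0
    while i < len(opts):                         # walk the options: kind 0 ends, kind 1 is a NOP
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:                            # Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": "%d.%d.%d.%d" % tuple(src), "dst": "%d.%d.%d.%d" % tuple(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flag_string(off_flags & 0x3F), "win": win, "mss": mss,
        "ip_csum_ok": inet_checksum(ip[:ihl]) == 0,
        "tcp_csum_ok": inet_checksum(pseudo + tcp) == 0,
    }


def verify_handshake(hexdumps):
    """True if the three frames form a valid SYN, SYN/ACK, ACK exchange."""
    f1, f2, f3 = (parse_frame(h) for h in hexdumps)
    checks = [
        f1["flags"] == "....S." and f2["flags"] == ".A..S." and f3["flags"] == ".A....",
        f2["ack"] == f1["seq"] + 1,              # the client's SYN consumed one sequence number
        f3["ack"] == f2["seq"] + 1,              # so did the server's SYN
        f3["seq"] == f1["seq"] + 1,              # the client continues from ISN + 1
        (f2["sport"], f2["dport"]) == (f1["dport"], f1["sport"]),
        all(f[k] for f in (f1, f2, f3) for k in ("ip_csum_ok", "tcp_csum_ok")),
    ]
    return all(checks)


if __name__ == "__main__":
    for n, h in enumerate(HANDSHAKE_FRAMES, 1):
        print(n, parse_frame(h))
    print("handshake consistent:", verify_handshake(HANDSHAKE_FRAMES))
```

The same decoder is the first thing to run over any capture a scanner produces: a SYN-scan reply with a wrong TCP checksum, or an acknowledgement number that does not equal the probe's sequence number plus one, is a spoofed or corrupted answer rather than a real open port.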
TCP Communication Flags

Standard TCP communications are controlled by flags in the TCP packet header. These flags govern the connection between hosts and give instructions to the system. The TCP communication flags are:

- Synchronize (SYN): initiates a connection between hosts and announces a new initial sequence number
- Acknowledgement (ACK): acknowledges receipt of a packet and identifies the next sequence number expected
- Push (PSH): tells the receiving system to deliver all buffered data to the application immediately
- Urgent (URG): instructs that data contained in the packet should be processed as soon as possible
- Finish (FIN): announces that there will be no more transmissions to the remote system
- Reset (RST): aborts a connection

SYN scanning mainly deals with three of these flags: SYN, ACK, and RST. An attacker uses them, and the way a target's TCP stack answers each combination, to gather information from servers without authorization during the scanning and enumeration process.
FIGURE 3.9: TCP Communication Flags (TCP header layout, 0-31 bits per row: Acknowledgement Number, Offset, Reserved, TCP Flags, Window, TCP Checksum, Urgent Pointer, Options)
Create Custom Packets Using TCP Flags

- Colasoft Packet Builder enables creating custom network packets to audit networks for various attacks.
- Attackers can also use it to create fragmented packets to bypass firewalls and IDS systems in a network.

Source: http://www.colasoft.com

Colasoft Packet Builder is a tool that allows you to create custom network packets and check the network's behavior against various attacks. It lets you select a TCP packet from the provided templates and change its parameters, including the flag bits, in the decode editor, hexadecimal editor, or ASCII editor. In addition to building packets, Colasoft Packet Builder supports saving packets to packet files and sending them onto the network.
FIGURE 3.10: Colasoft Packet Builder Screenshot (the Decode Editor pane shows the packet fields: Ethernet Type II destination address, source address and protocol 0x0800; IP version, header length and differentiated services field; the Hex Editor pane shows the raw 60-byte packet)
Scanning IPv6 Networks

IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy. Traditional network scanning techniques are computationally infeasible across the much larger search space an IPv6 subnet provides (64 bits of host address space, or 2^64 addresses): even at a million probes per second, exhaustively sweeping a single /64 would take hundreds of thousands of years. Scanning an IPv6 network is therefore more difficult and complex than IPv4, and the sweep-the-whole-range approach of scanners such as Nmap does not carry over to IPv6 subnets. Attackers instead harvest IPv6 addresses from network traffic, recorded logs, or "Received from:" and other header lines in archived email or Usenet news messages, and use the harvested addresses for subsequent port scanning. Once an attacker has compromised one host in an IPv6 subnet, however, the subnet offers up a large number of hosts at once: from that host he can probe the link-local "all nodes" multicast address (ff02::1), and every neighbor on the link answers.
Scanning Tool: Nmap

Source: http://nmap.org

Nmap is a security scanner for network exploration and hacking. It discovers hosts and services on a computer network, creating a "map" of the network, by sending specially crafted packets to the target hosts and analyzing the responses. Either a network administrator or an attacker can use the tool for their particular needs. Network administrators use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), the type of packet filters/firewalls in place, and operating systems and OS versions.
Screenshot: Zenmap scan output (the Nmap Output tab shows an ARP Ping Scan, parallel DNS resolution, a SYN Stealth Scan and a Service scan against the target, followed by the discovered services with version information; figure caption not recoverable)
Hping2/Hping3

- Command-line packet crafter for the TCP/IP protocol suite
- Tool for security auditing and for testing firewalls and networks
- Runs on both Windows and Linux operating systems

Screenshot: ACK scanning on port 80 with hping3 (hping3 -A ... -p 80). Each probe to 10.0.0.2 is answered with a segment of the form len=40 ip=10.0.0.2 ttl=128 DF id=... sport=80 flags=R win=0 rtt=... ms, i.e. a RST, which shows the host is reachable and port 80 is not filtered.

Source: http://www.hping.org

Hping2/Hping3 is a command-line-oriented TCP/IP packet assembler/analyzer. Like ping it can send ICMP echo requests, and it also supports the TCP, UDP and raw-IP protocols. It has a traceroute mode and can transfer files over covert channels. It can send custom TCP/IP packets and display the target's replies the way a ping program does with ICMP replies. It handles fragmentation and arbitrary packet bodies and sizes, and can transfer encapsulated files under the supported protocols.
It supports idle host scanning: combining IP spoofing with network/host scanning, an attacker probes a target's services anonymously by studying the behavior of an idle third host (the increments of its IP ID counter) to learn which services the target offers, which ports support them, and what operating system the target runs. This type of scan is a predecessor to either heavier probing or outright attacks.

Features: the following are some of the features of Hping2/Hping3:

- Determines whether a host is up even when the host blocks ICMP packets
- Advanced port scanning and network performance testing using different protocols, packet sizes, TOS values, and fragmentation
• Manual path MTU discovery
• Firewalk-like usage allows discovery of open ports behind firewalls
• Remote OS fingerprinting
• TCP/IP stack auditing

ICMP Scanning

A ping sweep, or Internet Control Message Protocol (ICMP) scanning, is the process of sending an ICMP echo request (ping) to every host on a network to determine which ones are up. Operating systems, routers, switches and other IP-based devices use the ICMP echo request and echo reply, via the ping command, as a connectivity test between hosts. The following screenshot shows ICMP scanning using the hping3 tool (-1 selects ICMP mode):

    root@bt:~# hping3 -1 10.0.0.2
    HPING 10.0.0.2 (eth1 10.0.0.2): icmp mode set, 28 headers + 0 data bytes
    len=28 ip=10.0.0.2 ttl=128 id=25908 icmp_seq=0 rtt=2.2 ms
    len=28 ip=10.0.0.2 ttl=128 id=25909 icmp_seq=1 rtt=1.0 ms
    len=28 ip=10.0.0.2 ttl=128 id=25910 icmp_seq=2 rtt=1.7 ms
    len=28 ip=10.0.0.2 ttl=128 id=25911 icmp_seq=3 rtt=0.5 ms
    len=28 ip=10.0.0.2 ttl=128 id=25912 icmp_seq=4 rtt=0.4 ms
    len=28 ip=10.0.0.2 ttl=128 id=25913 icmp_seq=5 rtt=1.1 ms
    len=28 ip=10.0.0.2 ttl=128 id=25914 icmp_seq=6 rtt=0.9 ms
    len=28 ip=10.0.0.2 ttl=128 id=25915 icmp_seq=7 rtt=1.1 ms
    len=28 ip=10.0.0.2 ttl=128 id=25916 icmp_seq=8 rtt=0.9 ms
    len=28 ip=10.0.0.2 ttl=128 id=25917 icmp_seq=9 rtt=1.1 ms
    len=28 ip=10.0.0.2 ttl=128 id=25918 icmp_seq=10 rtt=0.8 ms
    len=28 ip=10.0.0.2 ttl=128 id=25919 icmp_seq=11 rtt=1.2 ms
    len=28 ip=10.0.0.2 ttl=128 id=25920 icmp_seq=12 rtt=0.7 ms
    len=28 ip=10.0.0.2 ttl=128 id=25921 icmp_seq=13 rtt=0.8 ms
    len=28 ip=10.0.0.2 ttl=128 id=25922 icmp_seq=14 rtt=0.7 ms
    len=28 ip=10.0.0.2 ttl=128 id=25923 icmp_seq=15 rtt=0.7 ms
    len=28 ip=10.0.0.2 ttl=128 id=25924 icmp_seq=16 rtt=0.8 ms
    len=28 ip=10.0.0.2 ttl=128 id=25925 icmp_seq=17 rtt=1.0 ms

FIGURE 3.12: Hping3 tool showing ICMP scanning output

ACK Scanning on Port 80

You can use this scan technique to probe for the existence of a firewall and its rule set. A simple (stateless) packet filter usually lets packets with the ACK bit set through, because they look like part of an already established connection, so the target host answers each probe with an RST. A stateful firewall tracks connections and drops an ACK that belongs to no existing session, so nothing comes back. The scan therefore tells you whether a port is filtered, not whether it is open. The following screenshot shows ACK scanning on port 80 using the hping3 tool:
    root@bt:~# hping3 -A 10.0.0.2 -p 80
    HPING 10.0.0.2 (eth1 10.0.0.2): A set, 40 headers + 0 data bytes
    len=40 ip=10.0.0.2 ttl=128 DF id=26085 sport=80 flags=R seq=0 win=0 rtt=1.3 ms
    len=40 ip=10.0.0.2 ttl=128 DF id=26086 sport=80 flags=R seq=1 win=0 rtt=0.8 ms
    len=40 ip=10.0.0.2 ttl=128 DF id=26087 sport=80 flags=R seq=2 win=0 rtt=1.0 ms
    len=40 ip=10.0.0.2 ttl=128 DF id=26088 sport=80 flags=R seq=3 win=0 rtt=0.9 ms
    len=40 ip=10.0.0.2 ttl=128 DF id=26089 sport=80 flags=R seq=4 win=0 rtt=0.9 ms
    len=40 ip=10.0.0.2 ttl=128 DF id=26090 sport=80 flags=R seq=5 win=0 rtt=0.5 ms
    len=40 ip=10.0.0.2 ttl=128 DF id=26091 sport=80 flags=R seq=6 win=0 rtt=0.7 ms
    len=40 ip=10.0.0.2 ttl=128 DF id=26092 sport=80 flags=R seq=7 win=0 rtt=0.8 ms
    len=40 ip=10.0.0.2 ttl=128 DF id=26093 sport=80 flags=R seq=8 ...

FIGURE 3.13: Hping3 tool showing ACK scanning output

Every probe is answered with flags=R, so the ACK packets reached the host's TCP stack: port 80 on 10.0.0.2 is not protected by a stateful filter.
Hping Commands

The following table lists various scanning methods and the corresponding Hping commands:

Scan                                              Command
ICMP ping                                         hping3 -1 10.0.0.25
ACK scan on port 80                               hping3 -A 10.0.0.25 -p 80
UDP scan on port 80                               hping3 -2 10.0.0.25 -p 80
Collecting initial sequence number                hping3 192.168.1.103 -Q -p 139
Firewalls and time stamps                         hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
SYN scan on ports 50-56                           hping3 -8 50-56 -S 10.0.0.25 -V
FIN, PUSH and URG scan on port 80                 hping3 -F -P -U 10.0.0.25 -p 80
Scan entire subnet for live hosts                 hping3 -1 10.0.1.x --rand-dest -I eth0
Intercept all traffic containing HTTP signature   hping3 -9 HTTP -I eth0
SYN flooding a victim                             hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

TABLE 3.1: Hping Commands Table

Option notes: -1 selects ICMP mode, -2 UDP mode, -8 scan mode and -9 listen mode; -S, -A, -F, -P and -U set the SYN, ACK, FIN, PUSH and URG flags (lowercase -p is the destination port); -Q prints the sequence number; -a spoofs the source address; -I selects the interface; -V is verbose.
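As an added example of what a packet crafter actually emits for the flag switches in Table 3.1 (this is illustrative Python written for this page, not hping's code), the block below builds the IPv4 and TCP headers of a probe from scratch with struct, computes both Internet checksums (TCP over the RFC 793 pseudo-header), and decodes the flag bits back out of a segment the way hping prints them (ttl, id, sport, flags). The addresses, ports and IP ID are assumed sample values; send_probe() needs a raw socket and root and is not called by default.

```python
"""Build and decode raw IPv4/TCP probe segments (added example, not hping code)."""
import socket
import struct

# TCP flag bits from RFC 793
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# hping3 flag switches -> flag names ("-S -A" means SYN|ACK)
HPING_OPTS = {"-S": "SYN", "-A": "ACK", "-F": "FIN",
              "-P": "PSH", "-U": "URG", "-R": "RST"}


def checksum(data):
    """RFC 1071 Internet checksum: one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flags_from_hping_opts(opts):
    """Translate a string of hping3 flag switches into TCP flag bits ("" -> NULL probe)."""
    bits = 0
    for opt in opts.split():
        if opt not in HPING_OPTS:
            raise ValueError("unknown hping flag option: %s" % opt)
        bits |= TCP_FLAGS[HPING_OPTS[opt]]
    return bits


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=512):
    """20-byte TCP header (no options) with a checksum over the pseudo-header."""
    data_offset = 5 << 4                     # 5 x 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset,
                      flags, window, 0, 0)   # checksum placeholder, urgent ptr
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4_header(src_ip, dst_ip, payload_len, ip_id=0, ttl=64):
    """20-byte IPv4 header with DF set (hping's output shows DF on replies)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id, 0x4000,
                      ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_probe(src_ip, dst_ip, sport, dport, hping_opts, ip_id=0):
    """Full IPv4+TCP probe, e.g. build_probe(..., "-A") for an ACK probe (40 bytes)."""
    tcp = build_tcp_header(src_ip, dst_ip, sport, dport, flags_from_hping_opts(hping_opts))
    return build_ipv4_header(src_ip, dst_ip, len(tcp), ip_id) + tcp


def parse_probe(packet):
    """Decode the fields hping prints for a reply: ip, ttl, id, sport, dport, flags."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    ip_id = struct.unpack("!H", packet[4:6])[0]
    sport, dport, seq, ack, _off, flagbits, win = struct.unpack(
        "!HHIIBBH", packet[ihl:ihl + 16])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "ttl": packet[8], "id": ip_id, "sport": sport, "dport": dport, "seq": seq,
            "win": win, "flags": [n for n, b in TCP_FLAGS.items() if flagbits & b]}


def verify_checksums(packet):
    """True when both stored checksums validate (re-summing over them yields zero)."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def send_probe(packet, dst_ip):
    """Transmit a crafted packet (needs CAP_NET_RAW / root); not run by default."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.sendto(packet, (dst_ip, 0))
    s.close()


if __name__ == "__main__":
    pkt = build_probe("10.0.0.1", "10.0.0.2", 2342, 80, "-A", ip_id=26085)
    print(len(pkt), "bytes,", parse_probe(pkt), "checksums ok:", verify_checksums(pkt))
```

The 40-byte length matches the "40 headers + 0 data bytes" line hping prints for the ACK scan above; a NULL probe is simply flags_from_hping_opts("") == 0, and the Xmas pattern is "-F -P -U".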
Scanning Techniques

Scanning is the process of gathering information about the systems that are alive and responding on the network. Port scanning techniques are designed to identify the open ports on a targeted server or host. Administrators use them to verify the security policies of their networks; attackers use them to identify the services running on a host with the intent of compromising it. The scanning techniques employed include:

• TCP Connect / Full Open Scan
• Stealth Scans: SYN Scan (Half-open Scan), XMAS Scan, FIN Scan, NULL Scan
• IDLE Scan
• ICMP Echo Scanning / List Scan
• SYN/FIN Scanning Using IP Fragments
• UDP Scanning
• Inverse TCP Flag Scanning
• ACK Flag Scanning
The following is a list of important reserved ports:

Name             Port/Protocol    Description
echo             7/tcp
echo             7/udp
discard          9/tcp            sink null
discard          9/udp            sink null
systat           11/tcp           Users
daytime          13/tcp
daytime          13/udp
netstat          15/tcp
qotd             17/tcp           Quote of the day
chargen          19/tcp           ttytst source
chargen          19/udp           ttytst source
ftp-data         20/tcp           FTP data transfer
ftp              21/tcp           FTP command
ssh              22/tcp           Secure Shell
telnet           23/tcp
smtp             25/tcp           Mail
time             37/tcp           Timeserver
time             37/udp           Timeserver
rlp              39/udp           Resource location
nicname          43/tcp           whois
domain           53/tcp           Domain name server
domain           53/udp           Domain name server
sql*net          66/tcp           Oracle SQL*Net
sql*net          66/udp           Oracle SQL*Net
bootps           67/tcp           BOOTP server
bootps           67/udp           BOOTP server
bootpc           68/tcp           BOOTP client
bootpc           68/udp           BOOTP client
tftp             69/tcp           Trivial File Transfer
tftp             69/udp           Trivial File Transfer
gopher           70/tcp           Gopher server
finger           79/tcp           Finger
www-http         80/tcp           WWW
www-http         80/udp           WWW
kerberos         88/tcp           Kerberos
kerberos         88/udp           Kerberos
pop2             109/tcp          Post Office v.2
pop3             110/tcp          Post Office v.3
sunrpc           111/tcp          RPC 4.0 portmapper
sunrpc           111/udp          RPC 4.0 portmapper
auth/ident       113/tcp          Authentication Service
auth             113/udp          Authentication Service
audionews        114/tcp          Audio News Multicast
audionews        114/udp          Audio News Multicast
nntp             119/tcp          Usenet Network News Transfer
nntp             119/udp          Usenet Network News Transfer
ntp              123/tcp          Network Time Protocol
ntp              123/udp          Network Time Protocol
netbios-ns       137/tcp          NETBIOS Name Service
netbios-ns       137/udp          NETBIOS Name Service
netbios-dgm      138/tcp          NETBIOS Datagram Service
netbios-dgm      138/udp          NETBIOS Datagram Service
netbios-ssn      139/tcp          NETBIOS Session Service
netbios-ssn      139/udp          NETBIOS Session Service
imap             143/tcp          Internet Message Access Protocol
imap             143/udp          Internet Message Access Protocol
sql-net          150/tcp          SQL-NET
sql-net          150/udp          SQL-NET
sqlsrv           156/tcp          SQL Service
sqlsrv           156/udp          SQL Service
snmp             161/tcp
snmp             161/udp
snmp-trap        162/tcp
snmp-trap        162/udp
cmip-man         163/tcp          CMIP/TCP Manager
cmip-man         163/udp          CMIP
cmip-agent       164/tcp          CMIP/TCP Agent
cmip-agent       164/udp          CMIP
irc              194/tcp          Internet Relay Chat
irc              194/udp          Internet Relay Chat
at-rtmp          201/tcp          AppleTalk Routing Maintenance
at-rtmp          201/udp          AppleTalk Routing Maintenance
at-nbp           202/tcp          AppleTalk Name Binding
at-nbp           202/udp          AppleTalk Name Binding
at-3             203/tcp          AppleTalk
at-3             203/udp          AppleTalk
at-echo          204/tcp          AppleTalk Echo
at-echo          204/udp          AppleTalk Echo
at-5             205/tcp          AppleTalk
at-5             205/udp          AppleTalk
at-zis           206/tcp          AppleTalk Zone Information
at-zis           206/udp          AppleTalk Zone Information
at-7             207/tcp          AppleTalk
at-7             207/udp          AppleTalk
at-8             208/tcp          AppleTalk
at-8             208/udp          AppleTalk
ipx              213/tcp
ipx              213/udp
imap3            220/tcp          Interactive Mail Access Protocol v3
imap3            220/udp          Interactive Mail Access Protocol v3
aurp             387/tcp          AppleTalk Update-Based Routing
aurp             387/udp          AppleTalk Update-Based Routing
netware-ip       396/tcp          Novell NetWare over IP
netware-ip       396/udp          Novell NetWare over IP
rmt              411/tcp          Remote mt
rmt              411/udp          Remote mt
microsoft-ds     445/tcp
microsoft-ds     445/udp
isakmp           500/udp          ISAKMP/IKE
fcp              510/tcp          First Class Server
exec             512/tcp          BSD rexecd(8)
comsat/biff      512/udp          Used by the mail system to notify users
login            513/tcp          BSD rlogind(8)
who              513/udp          whod, BSD rwhod(8)
shell            514/tcp          cmd, BSD rshd(8)
syslog           514/udp          BSD syslogd(8)
printer          515/tcp          spooler, BSD lpd(8)
printer          515/udp          Printer spooler
talk             517/tcp          BSD talkd(8)
talk             517/udp          Talk
ntalk            518/tcp          New Talk (ntalk)
ntalk            518/udp          SunOS talkd(8)
netnews          532/tcp          Readnews
uucp             540/tcp          uucpd, BSD uucpd(8)
uucp             540/udp          uucpd, BSD uucpd(8)
klogin           543/tcp          Kerberos login
klogin           543/udp          Kerberos login
kshell           544/tcp          Kerberos shell (krcmd, Kerberos encrypted remote shell)
kshell           544/udp          Kerberos shell
ekshell          545/tcp
pcserver         600/tcp          ECD Integrated PC board server
mount            635/udp          NFS Mount Service
pcnfs            640/udp          PC-NFS DOS Authentication
bwnfs            650/udp          BW-NFS DOS Authentication
flexlm           744/tcp          Flexible License Manager
flexlm           744/udp          Flexible License Manager
kerberos-adm     749/tcp          Kerberos Administration
kerberos-adm     749/udp          Kerberos Administration
kerberos         750/tcp          kdc, Kerberos authentication (tcp)
kerberos         750/udp          Kerberos
kerberos_master  751/udp          Kerberos authentication
kerberos_master  751/tcp          Kerberos authentication
krb_prop         754/tcp          Kerberos slave propagation
                 999/udp          Applixware
socks            1080/tcp
socks            1080/udp
kpop             1109/tcp         POP with Kerberos
ms-sql-s         1433/tcp         Microsoft SQL Server
ms-sql-s         1433/udp         Microsoft SQL Server
ms-sql-m         1434/tcp         Microsoft SQL Monitor
ms-sql-m         1434/udp         Microsoft SQL Monitor
pptp             1723/tcp         PPTP
pptp             1723/udp         PPTP
nfs              2049/tcp         Network File System
nfs              2049/udp         Network File System
eklogin          2105/tcp         Kerberos encrypted rlogin
rkinit           2108/tcp         Kerberos remote kinit
kx               2111/tcp         X over Kerberos
kauth            2120/tcp         Remote kauth
lyskom           4894/tcp         LysKOM (conference system)
sip              5060/tcp         Session Initiation Protocol
sip              5060/udp         Session Initiation Protocol
x11              6000-6063/tcp    X Window System
x11              6000-6063/udp    X Window System
irc              6667/tcp         Internet Relay Chat
afs              7000-7009/tcp
afs              7000-7009/udp

TABLE 3.2: Reserved Ports Table
TCP Connect / Full Open Scan

• TCP Connect scan detects when a port is open by completing the three-way handshake
• TCP Connect scan establishes a full connection and tears it down by sending a RST packet

Scan result when a port is open: the attacker sends SYN + Port (n), the target replies SYN/ACK, and the attacker completes the handshake with ACK and then sends RST.
Scan result when a port is closed: the attacker sends SYN + Port (n) and the target replies RST.

TCP Connect / Full Open Scan

Source: http://www.insecure.org

TCP Connect / Full Open Scan is one of the most reliable forms of TCP scanning. The connect() system call provided by the OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() succeeds; otherwise the call fails, and the port is either closed (connection refused) or filtered (the attempt times out).

TCP Three-way Handshake

In the TCP three-way handshake, the client sends a SYN flag, which the server acknowledges with SYN+ACK, which the client in turn acknowledges with ACK to complete the connection. A connection can be established from either end and terminated from either end independently.

Vanilla Scanning

In vanilla scanning, once the handshake is completed the client ends the connection. If the connection cannot be established, the scanner records the port as closed and moves on, creating a new socket for the next port. An established connection confirms an open port whose running service can then be probed. The process continues until the maximum port threshold is reached.

If the port is closed the server responds with RST+ACK (RST stands for "reset the connection") and the attempt ends there; if it is open, the client itself sends an RST after the handshake to tear the connection down. Because the scan is driven by the TCP connect() system call, each port is identified as open or closed as soon as the call returns. Making a separate connect() call for every targeted port in a linear fashion would take a long time over a slow connection, so the attacker accelerates the scan by using many sockets in parallel: non-blocking I/O allows the attacker to set a low time-out period and watch all the sockets simultaneously.

Disadvantages

The drawback of this type of scan is that it is easily detected and filtered: the logs on the target system (and on the service that accepted the connection) will disclose the connection attempt.

The output:

    Initiating Connect() Scan against (172.17.1.23)
    Adding open port 19/tcp
    Adding open port 21/tcp
    Adding open port 13/tcp

FIGURE 3.14: Scan results when a port is open (SYN + Port (n) from attacker; SYN/ACK from target; ACK then RST from attacker)

FIGURE 3.15: Scan results when a port is closed (SYN + Port (n) from attacker; RST from target)
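The parallel, non-blocking connect() scan described above, written out as an added Python example (this is not Nmap's or hping's code). Each port gets its own non-blocking socket registered with a selector; when a connect completes, its SO_ERROR value is what classifies the port: 0 means the handshake finished (open), ECONNREFUSED means the target answered the SYN with RST+ACK (closed), and a time-out or any other error means filtered. So that it runs offline, demo() stands up a constructed target, a listening socket on 127.0.0.1, and picks a second loopback port that nothing listens on; the port numbers it reports are whatever the OS hands out.

```python
"""TCP connect() scan with many non-blocking sockets in flight (added example)."""
import errno
import random
import selectors
import socket
import time

# what a non-blocking connect() returns while the handshake is still in flight
_IN_PROGRESS = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN}


def _classify(err):
    """Map the socket error of a finished connect() to a port state."""
    if err == 0:
        return "open"             # SYN, SYN/ACK, ACK completed
    if err == errno.ECONNREFUSED:
        return "closed"           # target answered the SYN with RST(+ACK)
    return "filtered"             # time-out / unreachable: no usable answer


def connect_scan(host, ports, timeout=1.0, parallel=64):
    """Return {port: 'open' | 'closed' | 'filtered'} for every port in ports."""
    results, pending, inflight = {}, list(ports), {}   # inflight: socket -> (port, t0)
    sel = selectors.DefaultSelector()

    def launch():
        # keep up to `parallel` handshakes in flight at once
        while pending and len(inflight) < parallel:
            port = pending.pop(0)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setblocking(False)
            err = s.connect_ex((host, port))
            if err in _IN_PROGRESS:
                sel.register(s, selectors.EVENT_WRITE)
                inflight[s] = (port, time.monotonic())
            else:                             # completed or failed immediately
                results[port] = _classify(err)
                s.close()

    launch()
    while inflight:
        for key, _ in sel.select(timeout=0.05):
            s = key.fileobj
            port, _t0 = inflight.pop(s)
            sel.unregister(s)
            # the outcome of a pending connect() is reported through SO_ERROR
            results[port] = _classify(s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR))
            s.close()                         # tear the connection down
        now = time.monotonic()
        for s, (port, t0) in list(inflight.items()):
            if now - t0 > timeout:            # no SYN/ACK and no RST: filtered
                inflight.pop(s)
                sel.unregister(s)
                s.close()
                results[port] = "filtered"
        launch()
    sel.close()
    return results


def open_local_listener():
    """Constructed target: a listening TCP socket on 127.0.0.1 (OS picks the port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv


def pick_closed_port():
    """A free loopback port below the usual ephemeral range (so the scanner
    cannot accidentally connect to its own source port)."""
    for port in random.sample(range(20000, 30000), 50):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", port))       # succeeds only if nothing holds the port
            return port
        except OSError:
            continue
        finally:
            s.close()
    raise RuntimeError("no free port found")


def demo():
    """Scan one open and one closed loopback port; returns (open_port, closed_port, results)."""
    srv = open_local_listener()
    open_port = srv.getsockname()[1]
    closed_port = pick_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    _o, _c, r = demo()
    for port in sorted(r):
        print("%d/tcp %s" % (port, r[port]))
```

Against a real target the same loop is what makes the scan loud: every open port sees a completed handshake, so the service's own accept() log records the scanner's address.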
(Screenshot: Zenmap running "nmap -sT -v 192.168.168.5", a Connect Scan of 1000 ports with 980 filtered. The port table reads:

    PORT      STATE  SERVICE
    25/tcp    open   smtp
    80/tcp    open   http
    110/tcp   open   pop3
    119/tcp   open   nntp
    135/tcp   open   msrpc
    8081/tcp  open   blackice-icecap
    8088/tcp  open   radan-http
    8888/tcp  open   sun-answerbook
)

FIGURE 3.16: Zenmap Screenshot
Stealth Scan (Half-open Scan)

Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide their probes as ordinary network traffic.

SYN Stealth Scan Process

• The client sends a single SYN packet to the server on the appropriate port
• If the port is open, the server responds with a SYN/ACK packet
• If the server responds with an RST packet, the remote port is in the "closed" state
• The client sends an RST packet to close the initiation before a connection can ever be established

(Slide figures: Bill at 10.0.0.2:2342 sends SYN (Port 80) to Sheela at 10.0.0.3:80. SYN/ACK back, answered by RST from Bill, means the port is open; RST back from Sheela means the port is closed.)

Stealth Scan (Half-Open Scan)

A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers: one frame is sent with the expectation of a single response. The half-open scan partially opens a connection but stops halfway through. It is also known as a SYN scan because it only sends the SYN packet, which stops the service from ever being notified of the incoming connection (the application is only told about a connection once the handshake completes).

TCP SYN scanning, or half-open scanning, is a stealth method of port scanning. It follows the three-way handshake methodology, but in the last stage the remote port's state is identified by examining the packets entering the interface, and the attempt is torn down before the handshake completes. The process is as follows:

• To start initialization, the client forwards a single SYN packet to the destination server on the corresponding port.
• The server's response determines the outcome of the stealth scan.
• If the server forwards a SYN/ACK response packet, then the port is supposed to be in an "OPEN" state.
• If the response is an RST packet, then the port is supposed to be in a "CLOSED" state.
• If no response arrives, or an ICMP unreachable error comes back, the port is reported as "filtered".

FIGURE 3.16: Stealth Scan when Port is Open (SYN (Port 80) from Bill 10.0.0.2:2342 to Sheela 10.0.0.3:80; SYN/ACK back; RST from Bill)

FIGURE 3.17: Stealth Scan when Port is Closed (SYN (Port 80) from Bill 10.0.0.2:2342 to Sheela 10.0.0.3:80; RST back)

Zenmap Tool

Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save frequently used scans as profiles to make them easy to run again. It contains a command creator that lets you interactively build Nmap command lines. Scan results can be saved and viewed later, and compared with another scan report to locate differences. The results of recent scans are stored in a searchable database. The advantages of Zenmap are as follows:

• Interactive and graphical results viewing
• Comparison
• Convenience
• Repeatability
• Discoverability
(Screenshot: Zenmap showing the results of "nmap -sT -v 192.168.168.5", the same Connect Scan output reproduced in Figure 3.16: 1000 ports scanned, 980 filtered, open ports 25/tcp smtp, 80/tcp http, 110/tcp pop3, 119/tcp nntp, 135/tcp msrpc, 8081/tcp blackice-icecap, 8088/tcp radan-http and 8888/tcp sun-answerbook.)

FIGURE 3.18: Zenmap Showing Scanning Results
Xmas Scan

• In an Xmas scan, attackers send a TCP frame to a remote device with the URG, ACK, RST, SYN, PSH, and FIN flags set
• It only works against a TCP/IP stack developed according to RFC 793
• It will not work against any current version of Microsoft Windows

(Slide figures: attacker 10.0.0.6 sends FIN, URG, PUSH to server 10.0.0.8:23. No response means the port is open; an RST means the port is closed.)

Xmas Scan

An Xmas scan is a port scan technique that sends a TCP frame to a remote device with the ACK, RST, SYN, URG, PSH, and FIN flags set. If the target port is closed, the remote system replies with an RST. You can use this port scan technique to scan large networks and find which hosts are up and what services they offer. It is the technique that "lights up" the TCP flag set. When all flags are set some systems hang, so the flags most often set are the nonsense pattern URG-PSH-FIN, which is what Nmap's -sX sends. This scan only works against systems that are compliant with RFC 793.

BSD Networking Code

This method is based on BSD networking code; you can use it only against UNIX hosts, and it does not work against Windows NT. If this scan is directed at a Microsoft system, every port on the host appears closed, because Windows replies with an RST regardless of whether the port is open.

Transmitting Packets

You set the flags when transmitting the packet to the remote host. If the target system accepts the packet and does not send any response, the port is open (or filtered: a firewall dropping the probe looks the same). If the target system sends an RST, the port is closed.

Advantage: it never completes the TCP three-way handshake, so the probe is not seen by the application and can slip past simple IDS rules.
Disadvantage: it works on the UNIX platform only (RFC 793-compliant stacks).

FIGURE 3.19: Xmas Scan when Port is Open (FIN, URG, PUSH from attacker 10.0.0.6 to server 10.0.0.8:23; no response)

FIGURE 3.20: Xmas Scan when Port is Closed (FIN, URG, PUSH from attacker 10.0.0.6 to server 10.0.0.8:23; RST returned)

Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save frequently used scans as profiles to make them easy to run again.

(Screenshot: Zenmap running "nmap -sX -v 192.168.168.3", an XMAS Scan of 1000 ports with 997 closed. The port table reads:

    PORT     STATE          SERVICE
    22/tcp   open|filtered  ssh
    88/tcp   open|filtered  kerberos-sec
    548/tcp  open|filtered  afp
)

FIGURE 3.21: Zenmap Showing Xmas Scan Result
FIN Scan

• In a FIN scan, attackers send a TCP frame to a remote host with only the FIN flag set
• It only works against a TCP/IP stack developed according to RFC 793
• It will not work against any current version of Microsoft Windows

FIN Scan

A FIN scan is a type of port scan in which the client sends a packet with only the FIN flag set to the target port. If the service is not running, i.e. the port is closed, the target replies to the probe packet with an RST. An open port silently drops the probe, so no response means open (or filtered).

FIGURE 3.22: FIN Scan when Port is Open (FIN from attacker 10.0.0.6 to 10.0.0.8:23; no response)

FIGURE 3.23: FIN Scan when Port is Closed (FIN from attacker 10.0.0.6 to 10.0.0.8:23; RST returned)

(Screenshot: Zenmap running "nmap -sF -v 192.168.168.3", a FIN Scan of 1000 ports with 997 closed. The port table reads:

    PORT     STATE          SERVICE
    22/tcp   open|filtered  ssh
    88/tcp   open|filtered  kerberos-sec
    548/tcp  open|filtered  afp
)

FIGURE 3.24: Zenmap showing FIN Scan Result
  52. 52. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Scanning Networks CEH NULL S can Port is open TCP Packet with NO Flag Set 9H ^ No Response Attacker 10 .0 .0.6 In NULL scan, attackers send a TCP frame to a remote host with NO Flags NULL scan only works if OS' TCP/IP implementation is developed according to RFC 793 It will not work against any current version of Microsoft Windows NULL Scan NULL scans send TCP packets with all flags turned off. It is assumed that closed ports will return a TCP RST. Packets received by open ports are discarded as invalid. It sets all flags of TCP headers, such as ACK, FIN, RST, SYN, URG and PSH, to NULL or unassigned. W hen any packets arrive at the server, BSD networking code informs the kernel to drop the incoming packet if a port is open, or returns an RST flag if a port is closed. This scan uses flags in the reverse fashion as the Xmas scan, but gives the same output as FIN and Xmas tree scans. Many network codes of major operating systems can behave differently in terms of responding to the packet, e.g., Microsoft versus UNIX. This method does not work for Microsoft operating systems. Command line option for null scanning with NMAP is "-sN" Advantage: It avoids IDS and TCP three-way handshake. Disadvantage: It works only for UNIX. Module 03 Page 313 Ethical Hacking and Countermeasures Copyright © by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
FIGURE 3.25: NULL Scan when Port is Open (Attacker 10.0.0.6 sends a TCP packet with no flag set to Server 10.0.0.8:23; no response)

FIGURE 3.26: NULL Scan when Port is Closed (Attacker 10.0.0.6 sends a TCP packet with no flag set to Server 10.0.0.8:23; the server answers RST/ACK)

FIGURE 3.27: Zenmap showing NULL Scan Result. Command: nmap -sN -v nmap 192.168.168.3. Recoverable output from the screenshot:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 12:41 ... Standard Time
Initiating ARP Ping Scan at 12:41
Scanning 192.168.168.3 [1 port]
Completed ARP Ping Scan at 12:41, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:41
Completed Parallel DNS resolution of 1 host. at 12:41, 0.02s elapsed
Initiating NULL Scan at 12:41
Scanning 192.168.168.3 [1000 ports]
Increasing send delay for 192.168.168.3 from 0 to 5 due to 215 out of 715 dropped probes since last increase.
Completed NULL Scan at 12:41, 8.23s elapsed (1000 total ports)
Nmap scan report for 192.168.168.3
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Host is up (0.00s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
88/tcp  open|filtered kerberos-sec
548/tcp open|filtered afp
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds
Raw packets sent: 1844 (73.748KB) | Rcvd: 998 (39.908KB)
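The FIN and NULL scan sections above both rest on the same observation: a TCP segment with no SYN, RST or ACK bit is never part of a legitimate conversation, so a stack either drops it (open port) or answers RST (closed port), and Windows answers RST either way. The following Python is an added example, not code from this module or from Nmap, showing how a defender turns that into detection: it parses the flag byte of raw TCP headers, names the FIN/NULL/Xmas combination, models both stack behaviours so the open|filtered verdict in the Zenmap screenshots makes sense, and flags a source that sprays such probes across many ports. All packets are constructed inside the file; the 10.0.0.6 address is the attacker address from the slides.

```python
"""Detect FIN, NULL and Xmas probes from raw TCP headers.

Added example for this module, not code from the CEH material or from Nmap.
It parses the flag byte of TCP headers, classifies the flag combination,
models the RFC 793 behaviour the slides describe (an open port silently
drops the probe, a closed port answers RST) next to the Windows behaviour
(RST either way), and counts probe packets per source so a sweep stands
out. All packets below are constructed in this file.
"""
import struct
from typing import Dict, Iterable, Optional, Set, Tuple

# TCP flag bits of the flag byte (14th byte, offset 13, of the header), per RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations that never occur in a legitimate TCP conversation.
SIGNATURES = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS"}


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, zero checksum)."""
    data_offset = 5 << 4  # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 1024, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits, ignoring the ECN bits (CWR/ECE)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13] & 0x3F


def classify(flags: int) -> Optional[str]:
    """Name the scan signature for a flag combination, or None if it is normal."""
    return SIGNATURES.get(flags)


def stack_response(flags: int, port_open: bool, stack: str = "rfc793") -> str:
    """Model how a host answers a probe with no SYN, RST or ACK bit set.

    rfc793 (BSD-derived stacks): drop if the port is open, RST if closed.
    windows: RST regardless of state, which is why the scan fails there.
    """
    if flags & (SYN | RST | ACK):
        raise ValueError("only stateless probes (no SYN/RST/ACK) are modelled")
    if stack == "windows":
        return "RST"
    return "drop" if port_open else "RST"


def nmap_state(response: str) -> str:
    """State Nmap reports: silence is ambiguous (open or filtered), RST is closed."""
    return "closed" if response == "RST" else "open|filtered"


def detect_scans(records: Iterable[Tuple[str, int, bytes]],
                 min_ports: int = 10) -> Dict[str, Dict[str, Set[int]]]:
    """Flag sources that sent FIN/NULL/Xmas probes to at least min_ports ports.

    records: (src_ip, dst_port, raw_tcp_header) tuples, e.g. from a capture.
    Returns {src_ip: {signature: {ports}}} for the flagged sources only.
    """
    seen: Dict[str, Dict[str, Set[int]]] = {}
    for src, dport, header in records:
        sig = classify(tcp_flags(header))
        if sig is None:
            continue
        seen.setdefault(src, {}).setdefault(sig, set()).add(dport)
    return {src: sigs for src, sigs in seen.items()
            if sum(len(ports) for ports in sigs.values()) >= min_ports}


def sample_records():
    """Constructed traffic: a NULL sweep of 30 ports from 10.0.0.6 (the attacker
    address used on the slides) mixed with two ordinary SYNs from 10.0.0.9."""
    recs = [("10.0.0.6", p, build_tcp_header(40000 + p, p, 0)) for p in range(1, 31)]
    recs += [("10.0.0.9", 80, build_tcp_header(51000, 80, SYN)),
             ("10.0.0.9", 443, build_tcp_header(51001, 443, SYN))]
    return recs


if __name__ == "__main__":
    for src, sigs in detect_scans(sample_records()).items():
        print(src, {sig: len(ports) for sig, ports in sigs.items()})
    for stack in ("rfc793", "windows"):
        print(stack, "open port ->", nmap_state(stack_response(0, True, stack)))
```

The threshold on distinct destination ports is what separates a sweep from the occasional malformed segment; on a real sensor the same per-source grouping would be keyed by time window as well. The stack model also shows the limit of the technique from the defender's side: on a Windows host every port reports closed, and on an RFC 793 host a firewall that silently drops the probe is indistinguishable from an open port.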
IDLE Scan

- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port.
- One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed.
- A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored.
- Every IP packet on the Internet has a "fragment identification" number (IP ID). The OS increments the IP ID for each packet sent, so probing the IP ID tells an attacker the number of packets sent since the last probe.

Command Prompt (slide screenshot; recoverable output):

C:\>nmap -Pn -p- -sI www.juggyboy.com www.certifiedhacker.com
Starting Nmap ( http://nmap.org )
Idlescan using zombie www.juggyboy.com (192.130.18.124:80); Class: Incremental
Nmap scan report for 198.182.30.110
(The 40321 ports scanned but not
Port    State  Service
21/tcp  open   ftp
25/tcp  open   smtp
80/tcp  open   http
Nmap done: 1 IP address (1 host up) scanned in 1931.23 seconds

The idle scan is a TCP port scan method that sends packets with a spoofed source address to a computer to find out what services are available, and it offers completely blind scanning of a remote host. This is accomplished by impersonating another computer. No packet from your own IP address is sent to the target; instead, another host, often called a "zombie," is used to scan the remote host and determine the open ports. This is done by inspecting the IP ID sequence numbers of the zombie host, and if the remote host checks the IP address of the scanning party, the IP address of the zombie machine is what shows up.
Understanding TCP/IP

Source: http://nmap.org

Idle scanning is a sophisticated port scanning method. You do not need to be a TCP/IP expert to understand it, but you need to understand the following basic facts:

- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port; otherwise it is closed.
- To determine whether a port is open, send a session establishment "SYN" packet to the port. The target machine responds with a session request acknowledgment "SYN|ACK" packet if the port is open and a Reset "RST" packet if the port is closed.
- A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.
- Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send, so probing for this number can tell an attacker how many packets have been sent since the last probe.

From these facts, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning.

FIGURE 3.28: Nmap Showing Idle Scan Result (Command Prompt screenshot)
IDLE Scan: Step 1

Every IP packet on the Internet has a fragment identification number (IP ID), which increases every time a host sends an IP packet.

FIGURE 3.29: IPID Probe Request and Response (Attacker probes the Zombie; the Zombie replies with an RST packet carrying IPID=31337)

Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number

In the first step, you send a session establishment "SYN" packet or IPID probe to determine whether a port is open or closed. If the port is open, the "zombie" responds with a session request acknowledgment "SYN|ACK" packet containing the IPID of the remote host machine. If the port is closed, it sends a reset "RST" packet. Every IP packet on the Internet has a "fragment identification" number, which is incremented by one for every packet transmitted. In the above diagram, the zombie responds with IPID=31337.
IDLE Scan: Step 2 and 3

Step 2
- Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie".
- If the port is open, the target will send a SYN/ACK packet to the zombie, and in response the zombie sends an RST to the target.
- If the port is closed, the target will send an RST to the "zombie", but the zombie will not send anything back.

Step 3
- Probe the "zombie" IPID again. Response: IPID=31339 (RST packet).
- The IPID has incremented by 2 since Step 1, so port 80 must be open.

Idle Scan: Step 2.1 (Open Port)

Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie." If the port is open, the target will send the SYN/ACK packet to the zombie, and in response the zombie sends the RST to the target.

FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open (Attacker sends a SYN packet to port 80 spoofing the zombie IP address; the Target replies SYN/ACK to the Zombie; the Zombie answers RST)

Idle Scan: Step 2.2 (Closed Port)

The target will send the RST to the "zombie" if the port is closed, but the zombie will not send anything back.

FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed (Attacker sends a SYN packet to port 80 spoofing the zombie IP address; the Target replies RST to the Zombie; the Zombie sends nothing)

Idle Scan: Step 3

Probe the "zombie" IPID again.

FIGURE 3.32: IPID Probe Request and Response (Attacker sends an IPID probe SYN/ACK packet to the Zombie; the Zombie responds with an RST packet, IPID=31339; the IPID has incremented by 2 since Step 1, so port 80 must be open)
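The three steps above, and the four TCP/IP facts listed before them, reduce to one arithmetic inference: the zombie's IP ID advances once per packet it sends, so a delta of 2 between the two probes means the zombie answered a SYN/ACK from the target, a delta of 1 means it did not. The following Python is an added example, not code from this module or from Nmap, that models exactly that exchange with message labels instead of packets. It reproduces the 31337 to 31339 delta from the figures for an incrementing zombie and then shows the two things a defender cares about: a host that randomizes its IP ID (the hardening) yields deltas that carry no information, and a zombie can observe the attack itself as SYN/ACKs it never solicited. Host names, ports, the seed and the IPID values are constructed here.

```python
"""Model of the IP ID inference behind the idle scan and of the mitigation.

Added example, not code from the CEH material or from Nmap. Two tiny host
models exchange message labels instead of packets: the target has some open
ports, the zombie has a configurable IP ID policy. With an incrementing IP ID
the three steps from the slides reproduce the 31337 -> 31339 delta; with a
randomized IP ID (the mitigation) the delta carries no information. Host
names, ports, the RNG seed and IPID values are constructed here.
"""
import random
from typing import Optional, Tuple


class Host:
    """Minimal stack model: an IP ID policy and a set of listening ports."""

    def __init__(self, name: str, open_ports, ipid_policy: str = "incremental", seed: int = 1):
        self.name = name
        self.open_ports = set(open_ports)
        self.ipid_policy = ipid_policy
        self.ipid = 31336                 # first reply carries 31337, as on the slide
        self.rng = random.Random(seed)    # deterministic for the randomized policy
        self.unsolicited_synacks = 0      # what a would-be zombie could alert on

    def next_ipid(self) -> int:
        """Assign the IP ID of the next packet this host sends."""
        if self.ipid_policy == "incremental":
            self.ipid = (self.ipid + 1) & 0xFFFF
        else:  # "random": per-packet randomized IP ID, the hardening
            self.ipid = self.rng.randrange(0, 0x10000)
        return self.ipid

    def receive(self, kind: str, dport: Optional[int] = None) -> Optional[Tuple[str, int]]:
        """Apply the rules from the slides; return (reply, ipid) or None for silence."""
        if kind == "SYN":                      # session establishment attempt
            reply = "SYN/ACK" if dport in self.open_ports else "RST"
            return (reply, self.next_ipid())
        if kind == "SYN/ACK":                  # unsolicited SYN|ACK -> RST
            self.unsolicited_synacks += 1
            return ("RST", self.next_ipid())
        return None                            # unsolicited RST is ignored


def idle_scan_step(zombie: Host, target: Host, port: int) -> Tuple[int, int, str]:
    """Steps 1-3 from the slides for one port; returns (ipid_before, ipid_after, inferred)."""
    _, before = zombie.receive("SYN/ACK")     # step 1: probe zombie IPID
    reply, _ = target.receive("SYN", port)    # step 2: SYN to target, source spoofed as zombie
    zombie.receive(reply)                     # target's answer is delivered to the zombie
    _, after = zombie.receive("SYN/ACK")      # step 3: probe zombie IPID again
    delta = (after - before) & 0xFFFF
    inferred = {1: "closed", 2: "open"}.get(delta, "unknown")
    return before, after, inferred


def inference_accuracy(ipid_policy: str, n_ports: int = 30) -> float:
    """Fraction of ports 1..n_ports whose state the IPID delta reveals correctly."""
    target = Host("target", open_ports={22, 25, 80})
    zombie = Host("zombie", open_ports=set(), ipid_policy=ipid_policy)
    hits = 0
    for port in range(1, n_ports + 1):
        _, _, inferred = idle_scan_step(zombie, target, port)
        truth = "open" if port in target.open_ports else "closed"
        hits += int(inferred == truth)
    return hits / n_ports


if __name__ == "__main__":
    z, t = Host("zombie", set()), Host("target", {80})
    print(idle_scan_step(z, t, 80))   # (31337, 31339, 'open')
    print("unsolicited SYN/ACKs seen by zombie:", z.unsolicited_synacks)
    for policy in ("incremental", "random"):
        print(policy, "accuracy:", inference_accuracy(policy))
```

The model makes the zombie's own vantage point explicit: for every port probed it receives two SYN/ACKs it never asked for, plus a third from the target whenever the port is open, which is a pattern a host-based sensor can count. It also shows why the method needs a genuinely idle host: any other packet the zombie sends between the two probes shifts the delta just as a target SYN/ACK would, so a busy host, or one with a randomized IP ID, gives the scanner nothing usable.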
