CEH v8 Labs, Module 03: Scanning Networks
Document Transcript

CEH Lab Manual: Scanning Networks, Module 03
Module 03 - Scanning Networks

Scanning a Target Network

Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.

Lab Scenario

Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing, list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP addresses/hostnames, live hosts, and vulnerabilities.

Lab Objectives

The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network. You need to perform a network scan to:
■ Check live systems and open ports
■ Perform banner grabbing and OS fingerprinting
■ Identify network vulnerabilities
■ Draw network diagrams of vulnerable hosts

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

In the lab, you need:
■ A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
■ A web browser
■ Administrative privileges to run tools and perform scans

Lab Duration

Time: 50 Minutes

Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.

CEH Lab Manual Page 85. Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.

For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.

Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment. In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.

Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in scanning networks:
■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScanTools Pro
■ Drawing Network Diagrams Using LANSurveyor
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using Proxy Switcher

Note: Ensure you have ready a copy of the additional readings handed out for this lab.
■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.

Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

Lab Objectives

The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:
■ Perform a system and network scan
■ Enumerate user accounts
■ Execute remote penetration
■ Gather information about local network computers

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

In the lab, you need:
■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com
Note: Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).

■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
■ Administrative privileges to run this tool

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. Gathered information is helpful in determining threats and vulnerabilities in a network and in knowing whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks

TASK 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop (Windows 8).

FIGURE 1.1: Windows 8 Desktop view

2. Click Advanced IP Scanner from the Start menu in the attacker machine.
FIGURE 1.2: Windows 8 Apps

Note: With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.

3. The Advanced IP Scanner main window appears.

Note: You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim's machine).
Note: You have to guess the IP address range of the victim machine.

FIGURE 1.4: The victim machine, Windows Server 2008

Note: Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.

5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.

6. Click the Scan button to start the scan.

Note: The status of the scan is shown at the bottom left side of the window.

7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
Note: Saving and loading lists of computers enables you to perform operations with a specific list of computers. Just save a list of the machines you need and Advanced IP Scanner loads it at startup automatically.

FIGURE 1.6: The Advanced IP Scanner main window after scanning

Note: Group Operations: any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.

TASK 2: Extract Victim's IP Address Info

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.
FIGURE 1.7: The Advanced IP Scanner main window with live host list

10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.

11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
FIGURE 1.8: The Advanced IP Scanner Computer properties window

12. Now you have the IP address, Name, and other details of the victim machine.

13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.

Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved: Scan Information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server software.

Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer overflow, SQL injection, and web application vulnerabilities on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network, and cause server damage. Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives

The objective of this lab is to help students learn to banner grab a website and discover the applications running on it. In this lab you will learn to:
■ Identify the domain IP address
■ Identify the domain information

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab you need:
■ ID Serve, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks

TASK 1: Identify website server information

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve

2. In the main window of ID Serve shown in the following figure, select the Server Query tab.

FIGURE 2.1: Main window of ID Serve

3. Enter the IP address or URL in the field labeled "Enter or copy/paste an Internet server URL or IP address here:".
Note: ID Serve can accept the URL or IP as a command-line parameter.

FIGURE 2.2: Entering the URL for query

4. Click Query The Server; it shows the server query processed information.

Note: ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.

The query log shown in the figure reads:

    Initiating server query ...
    Looking up IP address for domain: www.certifiedhacker.com
    The IP address for the domain is: 202.75.54.101
    Connecting to the server on standard HTTP port: 80
    [Connected] Requesting the server's default page.
    The server identified itself as: Microsoft-IIS/6.0

FIGURE 2.3: Server processed information

Lab Analysis

Document all the IP addresses, their running applications, and the protocols you discovered during the lab.
Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
IP address: 202.75.54.101
Server Connection: Standard HTTP port: 80
Response headers returned from server:
■ HTTP/1.1 200
■ Server: Microsoft-IIS/6.0
■ X-Powered-By: PHP/4.4.8
■ Transfer-Encoding: chunked
■ Content-Type: text/html

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine what protocols ID Serve apprehends.
2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Fingerprinting Open Ports Using the Amap Tool

Amap determines the applications running on each open port.

Lab Scenario

Computers communicate with each other by knowing the IP address in use, and ports determine which program receives the data when it arrives. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine. In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.

Lab Objectives

The objective of this lab is to help students learn to fingerprint open ports and discover the applications running on these open ports. In this lab, you will learn to:
■ Identify the application protocols running on open port 80
■ Detect application protocols

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab you need:
■ Amap, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Web Services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.

Lab Tasks

TASK 1: Identify Application Protocols Running on Port 80

1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP

2. Type amap www.certifiedhacker.com 80, and press Enter.

The command prompt output shown in the figure reads:

    D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode
    Unidentified ports: 202.75.54.101:80/tcp (total 1).
    amap v5.2 finished at 2012-08-28 12:20:53

    Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]

FIGURE 3.1: Amap with host name www.certifiedhacker.com and port 80

3. You can see the specific application protocols running on the entered host name and port 80.

4. Use the IP address to check the applications running on a particular port.

5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine), amap 10.0.0.4 75-81 (local Windows Server 2008), and press Enter (the IP address will be different in your network).

Note: For Amap options, type amap -help.

6. Try scanning different websites using different port ranges, like amap www.certifiedhacker.com 1-200
The command prompt output shown in the figure reads:

    D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
    Protocol on 10.0.0.4:80/tcp matches http
    Protocol on 10.0.0.4:80/tcp matches http-apache-2
    Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
    Protocol on 10.0.0.4:80/tcp matches http-iis
    Protocol on 10.0.0.4:80/tcp matches webmin
    Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
    amap v5.2 finished at 2012-08-28 12:27:54

Note: Amap compiles on all UNIX based platforms, even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS.

FIGURE 3.2: Amap with IP address and port range 75-81

Lab Analysis

Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility: Amap
Information Collected/Objectives Achieved:
Identified open port: 80
Web servers:
■ http-apache-2
■ http-iis
■ webmin
Unidentified ports:
■ 10.0.0.4:75/tcp
■ 10.0.0.4:76/tcp
■ 10.0.0.4:77/tcp
■ 10.0.0.4:78/tcp
■ 10.0.0.4:79/tcp
■ 10.0.0.4:81/tcp
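As an added example that is not part of the lab manual nor code from the ID Serve or Amap tools, the Python below models the two steps these labs describe: reading a server's greeting, as ID Serve does, and looking the response up in a list of response strings, as the Amap overview describes. The signature table, header names, and sample greetings are constructed for illustration (they are not Amap's own definitions), and the defender's takeaway is which headers a banner grab reveals so they can be suppressed on servers you manage.

```python
"""Offline model of what a banner grab (ID Serve) and a response-string
lookup (Amap) see in a server greeting, written from a defender's view.

The signature table below is a constructed illustration of the Amap idea
(match a response against a list of response strings); it is not Amap's own
appdefs file, and both greetings are constructed sample data, not captures.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample greeting modelled on the headers the ID Serve lab
# reports for www.certifiedhacker.com (Microsoft-IIS/6.0, PHP/4.4.8).
IIS_GREETING = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: PHP/4.4.8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed FTP greeting; FTP servers speak first, so no trigger is needed.
FTP_GREETING = b"220 (vsFTPd 3.0.3)\r\n"

# Amap-style response signatures: (protocol name, pattern over the raw
# response). Order mirrors the lab output: the generic "http" match first,
# then the more specific server family. Constructed, not Amap's list.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("http", rb"^HTTP/1\.[01] \d{3}"),
    ("http-iis", rb"(?im)^Server: *Microsoft-IIS"),
    ("http-apache-2", rb"(?im)^Server: *Apache/2"),
    ("webmin", rb"(?im)^Server: *MiniServ"),
    ("ftp", rb"^220[ -]"),
    ("smtp", rb"^220[ -].*\bE?SMTP\b"),
]

# Headers ID Serve displays verbatim that reveal make/model/version; a
# hardened server suppresses or genericises these (hypothetical list).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def match_signatures(response: bytes) -> List[str]:
    """Return every protocol whose signature matches, in table order.

    This is the "look up the response in a list of response strings" step
    from the Amap overview; the trigger (e.g. an HTTP GET) that would elicit
    the response over the network is deliberately out of scope here.
    """
    return [name for name, pattern in SIGNATURES
            if re.search(pattern, response, re.DOTALL)]


def parse_http_greeting(response: bytes) -> Optional[Tuple[str, Dict[str, str]]]:
    """Split an HTTP response head into (status line, lower-cased header map).

    Returns None when the response is not HTTP, so callers fall back to the
    raw greeting (FTP, SMTP, ...) that ID Serve also reports.
    """
    if not response.startswith(b"HTTP/"):
        return None
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosure_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Pick out the headers that leak make/model/version to a banner grab."""
    return {name: headers[name] for name in DISCLOSURE_HEADERS if name in headers}


def report(response: bytes) -> str:
    """Summarise a greeting in the style of ID Serve's query log (constructed wording)."""
    protocols = match_signatures(response) or ["unidentified"]
    lines = ["matched protocols: " + ", ".join(protocols)]
    parsed = parse_http_greeting(response)
    if parsed:
        status, headers = parsed
        lines.append("status line: " + status)
        for name, value in disclosure_headers(headers).items():
            lines.append(f"disclosed: {name}: {value}")
    else:
        lines.append("greeting: " + response.decode("latin-1").strip())
    return "\n".join(lines)


if __name__ == "__main__":
    for greeting in (IIS_GREETING, FTP_GREETING):
        print(report(greeting))
        print("---")
```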
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Execute the Amap command for a host name with a port number other than 80.
2. Analyze how the Amap utility determines the applications running on different machines.
3. Use various Amap options and analyze the results.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
  • M o d u le 0 3 - S c a n n in g N e tw o rk s M o n ito r in g T C P /IP C o n n e c t i o n s U s in g t h e C u r r P o r ts T o o l C u n P o r ts is n e tw o rk m o n ito rin g s o fh ia re th a t d is p la y s th e lis t o f a ll c u r re n tly o p e n e d T C P / IP I CON K E Y Valuable information Test your knowledge w Web exercise m Workbook review a n d U D P p o r ts o n y o u r lo c a l c o m p u te r. L a b S c e n a r io 111 the previous lab you learned how to check for open ports using the Amap tool. As an e t h ic a l h a c k e r and p e n e t r a t io n t e s t e r , you must be able to block such attacks by using appropriate firewalls or disable unnecessary services running 011 the computer. You already know that the Internet uses a software protocol named T C P / IP to format and transfer data. A11 attacker can monitor ongoing TCP connections and can have all the information in the IP and TCP headers and to the packet payloads with which he or she can hijack the connection. As the attacker has all die information 011 the network, he or she can create false packets in the TCP connection. As a a d m in is tra to r., your daily task is to check the T C P / IP of each server you manage. You have to m o n ito r all TCP and UDP ports and list all the e s t a b lis h e d IP a d d r e s s e s of the server using the C u r r P o r t s tool. n etw o rk c o n n e c t io n s C J T o o ls d e m o n stra te d in t h is la b a r e a v a ila b le in L a b O b j e c t iv e s The objective of diis lab is to help students determine and list all the TCP/IP and UDP ports of a local computer. 
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

In this lab, you need to:
■ Scan the system for currently opened TCP/IP and UDP ports
■ Gather information on the processes that opened those ports
■ List all the IP addresses with which connections are currently established
■ Close unwanted TCP connections and kill the process that opened the ports
Lab Environment
To perform the lab, you need:
■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool (without them, sockets owned by system services or other users' processes are still listed, but their owning process cannot always be identified)

Lab Duration
Time: 10 Minutes

Overview of Monitoring TCP/IP
Monitoring TCP/IP ports checks whether multiple IP connections are established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.

Lab Tasks
The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.

TASK 1: Discover TCP/IP Connections
1. Launch CurrPorts. It automatically displays the process name, ports, local and remote addresses, and their states.
[Figure 4.1 screenshot: the CurrPorts main window. Columns: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name. Rows show chrome.exe (PID 2988) and firefox.exe (PID 1368) connections from 10.0.0.7 to 173.194.36.x on ports 80 (http) and 443 (https), and httpd.exe (PID 1800) and lsass.exe (PID 564) listening on 0.0.0.0. Status bar: 79 Total Ports, 21 Remote Connections, 1 Selected. NirSoft Freeware, http://www.nirsoft.net]
FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses

2. CurrPorts lists all the processes and their IDs, the protocols used, local and remote ports, local and remote IP addresses, and remote host names. The CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.
3. To view all the reports as an HTML page, click View > HTML Report - All Items.

[Figure 4.2 screenshot: CurrPorts with the View menu open (Show Grid Lines, Show Tooltips, Mark Odd/Even Rows, HTML Report - All Items, HTML Report - Selected Items, Choose Columns, Auto Size Columns, Refresh F5). In the bottom left of the CurrPorts window, the status of total ports and remote connections is displayed.]

FIGURE 4.2: The CurrPorts window with HTML Report - All Items

4. The HTML report automatically opens using the default browser.
[Figure 4.3 screenshot: the "TCP/UDP Ports List" report opened in Firefox from C:/Users/Administrator/Desktop/cports-x64/report.html, "Created by using CurrPorts", with one row per connection (chrome.exe, PID 2988, TCP, local ports 4052 to 4104 on 10.0.0.7, to 173.194.36.x on 80/http and 443/https).]

To check the countries of the remote IP addresses, you have to download the latest IP-to-Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.

FIGURE 4.3: The web browser displaying CurrPorts Report - All Items

5. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).
[Figure 4.4 screenshot: the Firefox File menu (New Tab, New Window, Open File..., Save Page As... Ctrl+S, Send Link..., Page Setup..., Print Preview, Print...) over the TCP/UDP Ports List report.]

CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu. By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log file name by setting the LogFilename entry in the cports.cfg file. The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

FIGURE 4.4: The web browser to save CurrPorts Report - All Items

6. To view only the selected items as an HTML page, select the rows and click View > HTML Report - Selected Items.
[Figure 4.5 screenshot: CurrPorts with three rows selected and the View menu open on HTML Report - Selected Items. Status bar: 79 Total Ports, 21 Remote Connections, 3 Selected.]

You can also right-click on the web page and save the report.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items

7. The selected report automatically opens using the default browser.
[Figure 4.6 screenshot: the TCP/UDP Ports List report in Firefox with only the selected items: chrome.exe (PID 2988) TCP local port 4148 on 10.0.0.7 to 173.194.36.26:443 (https), bom04s01-in-f26.1e100.net, Established; firefox.exe (PID 1368) TCP local port 4163 on 10.0.0.7 to 173.194.36.15:443 (https), bom04s01-in-f15.1e100.net, Established; httpd.exe (PID 1800) TCP local port 1070, Listening.]

In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF). The syntax for a filter string is: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range].

FIGURE 4.6: The web browser displaying CurrPorts with HTML Report - Selected Items

8. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).

[Figure 4.7 screenshot: the Firefox File menu over the selected-items report.]

Command-line option: /stext <Filename> saves the list of all opened TCP/UDP ports into a regular text file.
FIGURE 4.7: The web browser to save CurrPorts with HTML Report - Selected Items

9. To view the properties of a port, select the port and click File > Properties.
[Figure 4.8 screenshot: the CurrPorts File menu: IPNetInfo (Ctrl+I), Close Selected TCP Connections (Ctrl+T), Kill Processes Of Selected Ports, Save Selected Items (Ctrl+S), Properties (Alt+Enter), Process Properties (Ctrl+P), Log Changes, Open Log File, Clear Log File, Advanced Options (Ctrl+O), Exit.]

Command-line option: /stab <Filename> saves the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: CurrPorts to view properties for a selected port

10. The Properties window appears and displays all the properties for the selected port.
11. Click OK to close the Properties window.

Command-line option: /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (Horizontal).
[Figure 4.9 screenshot: the Properties window for the selected port]
Process Name: firefox.exe
Process ID: 1368
Protocol: TCP
Local Port: 4166
Local Port Name: (empty)
Local Address: 10.0.0.7
Remote Port: 443
Remote Port Name: https
Remote Address: 173.194.36.0
Remote Host Name: bom04s01-in-f0.1e100.net
State: Established
Process Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Product Name: Firefox
File Description: Firefox
File Version: 14.0.1
Company: Mozilla Corporation
Process Created On: 8/25/2012 2:36:28 PM
User Name: WIN-D39MR5HL9E4\Administrator
Process Services: (empty)
Process Attributes: (empty)
Added On: 8/25/2012 3:32:58 PM
Module Filename: (empty)
Remote IP Country: (empty)
Window Title: (empty)

FIGURE 4.9: The CurrPorts Properties window for the selected port
12. To close a TCP connection you think is suspicious, select the connection and click File > Close Selected TCP Connections (or Ctrl+T).

TASK 2: Close TCP Connection

[Figure 4.10 screenshot: the CurrPorts File menu with Close Selected TCP Connections (Ctrl+T) highlighted.]

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window

13. To kill the processes of a port, select the port and click File > Kill Processes of Selected Ports.

Closing a connection only tears down that one session; the owning process keeps running and can simply reconnect, so record the process path from the Properties window before acting. Killing the process is final and is not safe for system processes: lsass.exe, which owns port 1028 in these screenshots, is the Windows security subsystem, and terminating it forces a reboot.

TASK 3: Kill Process
[Figure 4.11 screenshot: the CurrPorts File menu with Kill Processes Of Selected Ports highlighted.]

FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports option window

14. To exit from the CurrPorts utility, click File > Exit. The CurrPorts window closes.
[Figure 4.12 screenshot: the CurrPorts File menu with Exit highlighted.]

Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (Vertical).

FIGURE 4.12: The CurrPorts Exit option window

Lab Analysis
Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.
In the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.

Tool/Utility: CurrPorts
Profile Details: Network scan for open ports
Information Collected/Objectives Achieved: Scanned report with Process Name, Process ID, Protocol, Local Port, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name
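The following is an added worked example; it is not part of the CEH lab manual and not NirSoft code. It rebuilds the Task 1 inventory from the NetTCPIP cmdlets that ship with Windows 8 / Server 2012, implements the filter-string syntax quoted in the side note above so that Questions 1 and 2 of this lab can be run as script, and then drives cports.exe with the switches quoted in the side notes (/stab, /sverhtml, /close). Assumptions: PowerShell 3.0 or later and an elevated session; the cports.exe path is the one the lab uses; the 10.0.0.7:4166 to 173.194.36.0:443 endpoint is the Firefox session from Figure 4.9; and the three-field process form (include:process:firefox.exe) is assumed to be how CurrPorts names a process in a filter, since the lab only shows the general four-field syntax.

```powershell
# Added example, not from the CEH manual or from NirSoft. Needs Windows 8 / Server 2012
# or later (NetTCPIP cmdlets) and an elevated session; without elevation some sockets
# resolve to a PID but no image name, the same gap CurrPorts shows when run unelevated.

function Get-PortTable {
    # One row per socket, with the columns CurrPorts shows in Task 1.
    $byPid = @{}
    Get-Process | ForEach-Object {
        # CurrPorts shows the image name (firefox.exe); Path is null for System and protected processes
        $byPid[[int]$_.Id] = if ($_.Path) { [IO.Path]::GetFileName($_.Path) } else { $_.ProcessName }
    }
    $row = {
        param($Proto, $Sock, $RemoteAddr, $RemotePort, $State)
        [pscustomobject]@{
            ProcessName = $byPid[[int]$Sock.OwningProcess]; ProcessId = [int]$Sock.OwningProcess
            Protocol = $Proto; LocalAddress = $Sock.LocalAddress; LocalPort = [int]$Sock.LocalPort
            RemoteAddress = $RemoteAddr; RemotePort = [int]$RemotePort; State = [string]$State
        }
    }
    $tcp = Get-NetTCPConnection | ForEach-Object { & $row 'TCP' $_ $_.RemoteAddress $_.RemotePort $_.State }
    # UDP sockets are connectionless: no peer address, no remote port, no state (CurrPorts leaves them blank too)
    $udp = Get-NetUDPEndpoint | ForEach-Object { & $row 'UDP' $_ '' 0 '' }
    @($tcp) + @($udp)
}

function Test-InRange {
    # $Spec is a port range ("80", "1024-65535") or an IPv4 range ("10.0.0.1", "10.0.0.1-10.0.0.254").
    param([string]$Address, [int]$Port, [string]$Spec)
    $lo, $hi = $Spec -split '-', 2
    if (-not $hi) { $hi = $lo }
    if ($lo -match '^\d+$') { return ($Port -ge [int]$lo -and $Port -le [int]$hi) }
    if ($Address -notmatch '^\d+(\.\d+){3}$') { return $false }   # empty (UDP/listening) or IPv6 peer
    $toInt = { param($ip) $b = [Net.IPAddress]::Parse($ip).GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0) }
    $a = & $toInt $Address
    return ($a -ge (& $toInt $lo) -and $a -le (& $toInt $hi))
}

function Select-PortRows {
    # Implements the filter-string syntax quoted in the lab's side note:
    #   [include|exclude]:[local|remote|both|process]:[tcp|udp|tcpudp]:[IP Range|Ports Range]
    # Several strings may be separated by spaces or semicolons. A row is shown when it matches
    # at least one include filter (or none are given) and matches no exclude filter.
    param([object[]]$Rows, [string]$Filter)
    $specs    = @($Filter -split '[\s;]+' | Where-Object { $_ })
    $includes = @($specs | Where-Object { $_ -like 'include:*' })
    $excludes = @($specs | Where-Object { $_ -like 'exclude:*' })
    $matchSpec = {
        param($Row, $Spec)
        $f = $Spec -split ':'
        $scope = $f[1]
        if ($scope -eq 'process') {
            # "include:process:firefox.exe" (3 fields) is assumed to be CurrPorts' process form; 4 fields also accepted
            $proto = if ($f.Count -ge 4) { $f[2] } else { 'tcpudp' }; $value = $f[-1]
        } else { $proto = $f[2]; $value = $f[3] }
        if ($proto -ne 'tcpudp' -and $proto -ne $Row.Protocol.ToLower()) { return $false }
        switch ($scope) {
            'process' { return ($Row.ProcessName -eq $value) }
            'local'   { return (Test-InRange $Row.LocalAddress  $Row.LocalPort  $value) }
            'remote'  { return (Test-InRange $Row.RemoteAddress $Row.RemotePort $value) }
            'both'    { return ((Test-InRange $Row.LocalAddress $Row.LocalPort $value) -or
                                (Test-InRange $Row.RemoteAddress $Row.RemotePort $value)) }
        }
        return $false
    }
    foreach ($r in $Rows) {
        $inc = ($includes.Count -eq 0) -or (@($includes | Where-Object { & $matchSpec $r $_ }).Count -gt 0)
        $exc = @($excludes | Where-Object { & $matchSpec $r $_ }).Count -gt 0
        if ($inc -and -not $exc) { $r }
    }
}

# --- Lab questions 1 and 2 against the live table ---
$rows = Get-PortTable
Select-PortRows -Rows $rows -Filter 'include:remote:tcp:80 include:remote:udp:53' | Format-Table -AutoSize
Select-PortRows -Rows $rows -Filter 'include:process:firefox.exe' | Format-Table -AutoSize

# --- Tasks 2 and 3 from the command line, with the cports.exe switches quoted in the lab ---
$cports = 'D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts\cports.exe'
& $cports /stab "$env:USERPROFILE\Desktop\ports.txt"        # tab-delimited snapshot, evidence for the Lab Analysis
& $cports /sverhtml "$env:USERPROFILE\Desktop\ports.html"   # vertical HTML report
# /close <Local Address> <Local Port> <Remote Address> <Remote Port>: the Firefox session from Figure 4.9
& $cports /close 10.0.0.7 4166 173.194.36.0 443
# Native equivalent of "Kill Processes Of Selected Ports": confirm the owner first, never kill system processes
$target = $rows | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 4166 } | Select-Object -First 1
if ($target -and $target.ProcessName -notin 'System', 'lsass.exe', 'svchost.exe') {
    Stop-Process -Id $target.ProcessId -Confirm
}
```

Two things the script makes visible that the GUI hides. First, the Question 1 filter matches TCP sessions to port 80 but returns nothing for UDP 53: a UDP socket has no remote endpoint in the Windows socket table (or in CurrPorts), so a DNS socket can only be matched on its local side, for example include:local:udp:53 on a DNS server or include:both:udp:53. Second, /close and Stop-Process act on different things: /close drops one session and the process can reconnect, while Stop-Process removes the process and every socket it holds.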
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze the results from CurrPorts by creating a filter string that displays only sockets with remote TCP port 80 and UDP port 53, and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the ports opened by the Firefox browser.
3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
a. Display Established
b. Mark Ports Of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items With Unknown State

CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs
Lab: Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Lab Scenario
You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool automatically marks in pink suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items and then close the selected connections.

Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives
The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing. In this lab, you need to:
■ Perform a vulnerability scan
■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action

You can download GFI LANguard from http://www.gfi.com.

Lab Environment
To perform the lab, you need:
■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LANguard Network Security Scanner
■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription and get an activation code; the user will receive an email that contains the activation code

GFI LANguard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

Lab Duration
Time: 10 Minutes

Overview of Scanning Network
As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing.
It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
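To make concrete what the audit classes listed above actually query on a Windows host, here is an added example that is not part of the CEH manual and not GFI code: it performs the same four checks (open ports, missing Microsoft patches, service information, user information) with built-in Windows interfaces and rolls them up into a vulnerability level. Assumptions: PowerShell 3.0 (Windows Server 2012), an elevated session, and that the Windows Update Agent can reach WSUS or Microsoft Update; the remote branch also assumes WinRM is enabled on the target, and the High/Medium/Low scale is the example's own, not GFI's scoring.

```powershell
# Added example, not part of the CEH manual and not GFI code. It runs the audit classes the
# overview lists (open port checks, missing Microsoft patches, service information, user
# information) with built-in Windows interfaces. Assumes PowerShell 3.0 (Server 2012), an
# elevated session, and that the Windows Update Agent can reach WSUS or Microsoft Update;
# the remote branch additionally assumes WinRM is enabled on the target.

$AuditBlock = {
    # Missing Microsoft patches: the Windows Update Agent COM API reports updates that are
    # applicable to this host but not installed (LanGuard's "Missing software updates").
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $missing  = foreach ($u in $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
            Title    = $u.Title
        }
    }
    # Open port checks: listening TCP sockets with the image that owns them.
    $ports = Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Bind = $_.LocalAddress; Process = $p.ProcessName; Path = $p.Path }
    } | Sort-Object Port, Bind -Unique
    # Service information: what starts automatically and under which account.
    $services = Get-CimInstance Win32_Service -Filter "StartMode='Auto' AND State='Running'" |
                Select-Object Name, StartName, PathName
    # User information: local accounts and their password/lockout state.
    $users = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
             Select-Object Name, Disabled, PasswordRequired, Lockout
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; MissingUpdates = @($missing); ListeningPorts = @($ports)
        AutoStartServices = @($services); LocalUsers = @($users)
    }
}

function Get-VulnerabilityLevel {
    # Roll-up in the spirit of LanGuard's "Current Vulnerability Level". This scale is the
    # example's own assumption, not GFI's scoring.
    param([object[]]$Missing)
    $sev = @($Missing | ForEach-Object { $_.Severity })
    if ($sev -contains 'Critical' -or $sev -contains 'Important') { return 'High' }
    if ($sev.Count -gt 0) { return 'Medium' }
    return 'Low'
}

function Invoke-SecurityAudit {
    # Runs the audit locally (the lab's "localhost / currently logged on user" case) or,
    # like LanGuard logging on to a target with administrator privileges, over WinRM.
    param([string]$ComputerName = 'localhost', [pscredential]$Credential)
    if ($ComputerName -in 'localhost', $env:COMPUTERNAME) {
        $r = & $AuditBlock
    } else {
        $opt = @{}
        if ($Credential) { $opt.Credential = $Credential }
        $r = Invoke-Command -ComputerName $ComputerName -ScriptBlock $AuditBlock @opt
    }
    $r | Add-Member -NotePropertyName VulnerabilityLevel -NotePropertyValue (Get-VulnerabilityLevel $r.MissingUpdates) -PassThru
}

$report = Invoke-SecurityAudit
"Vulnerability level: $($report.VulnerabilityLevel) (missing updates: $($report.MissingUpdates.Count))"
$report.MissingUpdates | Sort-Object Severity | Format-Table KB, Severity, Title -AutoSize
$report.ListeningPorts  | Format-Table -AutoSize
# Remote target with explicit credentials, as the lab's Credentials drop-down does:
# $report = Invoke-SecurityAudit -ComputerName 10.0.0.7 -Credential (Get-Credential)
```

The remote branch is where the credential requirement from the lab's side notes shows up in practice: without an account that is an administrator on the target, the WUA search and the process-to-port mapping fail or come back empty, which is exactly the "no Vulnerability Level yet" condition the scanner reports when it cannot retrieve the required information.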
Lab Tasks
Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine, Windows Server 2012.

TASK 1: Scanning for Vulnerabilities
1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Side note (Zenmap): the Zenmap installer installs the following files: Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Interface Import, Zenmap (GUI frontend), Ncat (Modern Netcat), Ndiff.

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 Windows app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
[Figure 5.3 screenshot: the GFI LanGuard 2012 main window with the tabs Dashboard, Scan, Remediate, Activity Monitor, Reports, Configuration, Utilities. "Welcome to GFI LanGuard 2012 - GFI LanGuard 2012 is ready to audit your network for vulnerabilities. Use 'Manage Agents' or 'Launch a scan' options to audit the entire network." Local Computer Vulnerability Level: "Current Vulnerability Level is: High". Actions: View Dashboard, Remediate Security Issues, Manage Agents, Launch a Scan. Latest News entries dated 24-Aug-2012 on patch management support for APSB12-16 (Adobe Acrobat 9.5.2 and 10.1.4 Pro and Standard).]

The default scanning options, which provide quick access to scanning modes, are: Quick scan, Full scan, Launch a custom scan, and Set up a scheduled scan.

FIGURE 5.3: The GFI LANguard main window

Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile

4. Click the Launch a Scan option to perform a network scan.
[Figure 5.4 screenshot: the same main window with the Launch a Scan option highlighted.]

If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications. Agree the scan window with whoever monitors the IDS beforehand, and where possible allow-list the scanner's IP address for that window, so that real alerts are not buried under scanner noise.

FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option

5. A Launch a New Scan window will appear.
i. In the Scan Target option, select localhost from the drop-down list
ii. In the Profile option, select Full Scan from the drop-down list
iii. In the Credentials option, select currently logged on user from the drop-down list
6. Click Scan.
[Figure 5.5 screenshot: the Launch a New Scan dialog with Scan target: localhost, Profile: Full Scan, Credentials: currently logged on user, Username and Password fields, a Scan button, and the Scan Results Overview and Scan Results Details panes.]

For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

FIGURE 5.5: Selecting an option for network scanning

7. Scanning will start; it will take some time to scan the network. See the following figure.

Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After completing the scan, the scan result will show in the left panel.
Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.

Scan completed summary shown for scan target localhost (10.0.0.7):
   Vulnerability level: the average vulnerability level for this scan is High
   Missing software updates: 20 (20 Critical/High)
   Other vulnerabilities: 13 (13 Critical/High)
   Potential vulnerabilities: 3

FIGURE 5.7: The GFI LanGuard Custom scan wizard

9. To check the Scan Result Overview, click the IP address of the machine in the right panel.

10. It shows the Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment.
FIGURE 5.8: Selecting Vulnerability Assessment option
11. It shows all the Vulnerability Assessment indicators by category.

During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
■ System hardware information, including connected modems and USB devices

FIGURE 5.9: List of Vulnerability Assessment categories

12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.

Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.

FIGURE 5.10: System patching status report

13. Click Ports, and under this, click Open TCP Ports.
A custom scan is a network audit based on parameters which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials

FIGURE 5.11: TCP/UDP Ports result

14. Click System Information in the right side panel; it shows all the details of the system information.

15. Click Password Policy.

The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.

FIGURE 5.12: Information of Password Policy

16. Click Groups: it shows all the groups present in the system.
A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.

A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.

FIGURE 5.13: Information of Groups

17. Click the Dashboard tab: it shows all the scanned network information.

It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., auto download and deploy missing updates)

FIGURE 5.14: Scanned report of the network

Lab Analysis

Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
Tool/Utility: GFI LanGuard 2012

Information Collected/Objectives Achieved:
■ Vulnerability Level
■ Vulnerability Assessment
■ System Patching Status
■ Scan Results Details for Open TCP Ports
■ Scan Results Details for Password Policy
■ Dashboard - Entire Network:
   ■ Vulnerability Level
   ■ Security Sensors
   ■ Most Vulnerable Computers
   ■ Agent Status
   ■ Vulnerability Trend Over Time
   ■ Computer Vulnerability Distribution
   ■ Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Internet Connection Required
□ Yes   ☑ No

Platform Supported
☑ Classroom   ☑ iLabs
Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.

Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

Lab Objectives

The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.

In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
■ Record and save all scan reports
■ Compare saved results for suspicious ports

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool

Zenmap works on Windows, including Windows 7 and Windows Server 2003/2008.

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use and dozens of other characteristics

Lab Tasks

TASK 1: Intense Scan

Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 6.1: Windows Server 2012 - Desktop view
2. Click the Nmap-Zenmap GUI app to open the Zenmap window.

The Zenmap installer installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

FIGURE 6.2: Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears.

Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}

In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.

FIGURE 6.3: The Zenmap main window

4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.

5. In this lab, the IP address would be 10.0.0.4; it will be different in your lab environment.

6. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan. In this lab, select Intense Scan.
7. Click Scan to start scanning the virtual machine.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

FIGURE 6.4: The Zenmap main window with Target and Profile entered

The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open | Filtered
■ Closed | Unfiltered

8. Nmap scans the provided IP address with the Intense scan and displays the scan result below the Nmap Output tab.

Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.

Command: nmap -T4 -A -v 10.0.0.4

Nmap Output (excerpt):

    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 15:35
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 15:35
    Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
    Initiating SYN Stealth Scan at 15:35
    Scanning 10.0.0.4 [1000 ports]
    Discovered open port 135/tcp on 10.0.0.4
    Discovered open port 139/tcp on 10.0.0.4
    Discovered open port 445/tcp on 10.0.0.4
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
    Discovered open port 49152/tcp on 10.0.0.4
    Discovered open port 49154/tcp on 10.0.0.4
    Discovered open port 49153/tcp on 10.0.0.4
    Discovered open port 49156/tcp on 10.0.0.4
    Discovered open port 49155/tcp on 10.0.0.4
    Discovered open port 5357/tcp on 10.0.0.4

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is complete, Nmap shows the scanned results.
The options available to control target selection:
■ -iL <inputfilename>
■ -iR <num hosts>
■ --exclude <host1>[,<host2>[,...]]
■ --excludefile <exclude_file>

The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS <port list> (TCP SYN Ping)
■ -PA <port list> (TCP ACK Ping)
■ -PU <port list> (UDP Ping)
■ -PY <port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO <protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)

Nmap Output (excerpt, end of the scan):

    5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 503)
    |_http-title: Service Unavailable
    49152/tcp open  msrpc        Microsoft Windows RPC
    49153/tcp open  msrpc        Microsoft Windows RPC
    49154/tcp open  msrpc        Microsoft Windows RPC
    49155/tcp open  msrpc        Microsoft Windows RPC
    49156/tcp open  msrpc        Microsoft Windows RPC
    MAC Address: 00:15:5D:00:07:10 (Microsoft)
    Device type: general purpose
    Running: Microsoft Windows 7|2008
    OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
    OS details: Microsoft Windows 7 or Windows Server 2008 SP1
    Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=263 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

10. Click the Ports/Hosts tab to display more information on the scan results.

11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.

    Port   Protocol  State  Service      Version
    135    tcp       open   msrpc        Microsoft Windows RPC
    139    tcp       open   netbios-ssn
    445    tcp       open   netbios-ssn
    5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    49152  tcp       open   msrpc        Microsoft Windows RPC
    49153  tcp       open   msrpc        Microsoft Windows RPC
    49154  tcp       open   msrpc        Microsoft Windows RPC
    49155  tcp       open   msrpc        Microsoft Windows RPC
    49156  tcp       open   msrpc        Microsoft Windows RPC

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
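The Ports/Hosts table above is what an administrator keeps as the inventory baseline, and one of this lab's objectives is to compare saved results for suspicious ports. The following Python script is an added example, not code from the lab manual or from Nmap/Zenmap: it parses the port lines of Nmap's normal output (skipping NSE script lines, OS detection and headers) and reports which open ports appeared, disappeared or changed their banner between two saved runs. Both scan texts are constructed inline; the baseline mirrors the ports the Intense scan found on 10.0.0.4, and the later run is invented to show a newly exposed service (3389/tcp), a changed banner and a vanished port.

```python
"""Parse Nmap normal-output port lines and compare two saved scans.

Added example; not part of the CEH lab manual, Nmap or Zenmap.
BASELINE_SCAN and LATER_SCAN are constructed sample texts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One port line of Nmap normal output, e.g.
# "5357/tcp  open  http  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)"
# Compound states are listed first so "open|filtered" is not cut at "open".
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)

# Constructed baseline, modelled on the lab's Intense scan of 10.0.0.4.
BASELINE_SCAN = """\
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49155/tcp open  msrpc       Microsoft Windows RPC
49156/tcp open  msrpc       Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
"""

# Constructed later run: RDP appeared, the HTTP banner changed, 49156 is gone.
LATER_SCAN = """\
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5357/tcp  open  http          Microsoft IIS httpd 7.5
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
"""


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_ports(text: str) -> dict[tuple[int, str], PortEntry]:
    """Return {(port, proto): PortEntry}; non-port lines are ignored."""
    entries: dict[tuple[int, str], PortEntry] = {}
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:
            continue
        e = PortEntry(int(m["port"]), m["proto"], m["state"],
                      m["service"], (m["version"] or "").strip())
        entries[(e.port, e.proto)] = e
    return entries


def diff_scans(baseline: str, current: str) -> dict[str, list[PortEntry]]:
    """Open ports that are new, that vanished, or whose service/version changed."""
    old, new = parse_nmap_ports(baseline), parse_nmap_ports(current)
    report: dict[str, list[PortEntry]] = {"new_open": [], "gone": [], "changed": []}
    for key, e in new.items():
        was_open = key in old and old[key].state == "open"
        if e.state == "open" and not was_open:
            report["new_open"].append(e)
        elif e.state == "open" and (old[key].service, old[key].version) != (e.service, e.version):
            report["changed"].append(e)
    for key, e in old.items():
        if e.state == "open" and not (key in new and new[key].state == "open"):
            report["gone"].append(e)
    return report


def flag_unexpected(scan: str, allowed_ports: set[int]) -> list[PortEntry]:
    """Open ports outside an allowlist: the 'suspicious ports' check of the lab objective."""
    return [e for e in parse_nmap_ports(scan).values()
            if e.state == "open" and e.port not in allowed_ports]


if __name__ == "__main__":
    for kind, entries in diff_scans(BASELINE_SCAN, LATER_SCAN).items():
        for e in entries:
            print(f"{kind:9} {e.port}/{e.proto} {e.service} {e.version}")
```

Run it against two saved Nmap outputs (Scan > Save Scan in Zenmap writes the same normal-output text) and the "new_open" list is the review queue; the allowlist in flag_unexpected would normally be the set of ports a host is documented to serve.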
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.

By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.

FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.

By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

Host Details shown for 10.0.0.4:
   Host Status: State: up; Open ports: 9; Filtered ports: 0; Closed ports: 991; Scanned ports: 1000; Uptime: 22151; Last boot: Fri Aug 24 09:27:40 2012
   Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10
   Operating System: Name: Microsoft Windows 7 or Windows Server 2008 SP1

FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan
14. Click the Scans tab to see scan details for the provided IP addresses.

Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.

In Nmap, option -p <port ranges> means scan only the specified ports.

FIGURE 6.10: The Zenmap main window with Scans tab for Intense Scan

15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.

16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).

In Nmap, option -F means fast (limited port) scan.

FIGURE 6.11: The Zenmap main window with Services option for Intense Scan
17. Click the msrpc service to list all the Microsoft Windows RPC services.

In Nmap, option --port-ratio <ratio><decimal number between 0 and 1> means scan all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1.

FIGURE 6.12: The Zenmap main window with msrpc Service for Intense Scan

18. Click the netbios-ssn service to list all NetBIOS hostnames.

In Nmap, option -r means don't randomize ports.

FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan

TASK 2: Xmas Scan

19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans work only with OS TCP/IP stacks developed according to RFC 793. The current version of Microsoft Windows is not supported.

20. Now, to perform a Xmas Scan, you need to create a new profile. Click Profile -> New Profile or Command Ctrl+P.

Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.

21. On the Profile tab, enter Xmas Scan in the Profile name text field.

The option --host-timeout <time> gives up on slow target hosts.

FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scan: drop-down list.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab (TCP scan choices: ACK scan (-sA), FIN scan (-sF), Maimon scan (-sM), Null scan (-sN), TCP SYN scan (-sS), TCP connect scan (-sT), Window scan (-sW), Xmas Tree scan (-sX); check boxes: Enable all advanced/aggressive options (-A), Operating system detection (-O), Version detection (-sV), Idle Scan (Zombie) (-sI), FTP bounce attack (-b), Disable reverse DNS resolution (-n), IPv6 support (-6))

Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes. The Command field now reads nmap -sX -T4 -A -v 10.0.0.4.

You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab

24. Enter the IP address in the Target: field, select the Xmas Scan option from the Profile: field, and click Scan.
In Nmap, the option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

FIGURE 6.18: The Zenmap main window with the Target and Profile entered (Profile: Xmas Scan; Command: nmap -sX -T4 -A -v 10.0.0.4)

25. Nmap scans the target IP address provided and displays the results on the Nmap Output tab.

When scanning systems compliant with this RFC text, any packet not containing the SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.

The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

Nmap Output shown for the Xmas scan:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:29
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:29
Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
Initiating XMAS Scan at 16:29
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
Initiating Service scan at 16:30
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).

FIGURE 6.19: The Zenmap main window with the Nmap Output tab

26. Click the Services tab located at the right side of the pane. It displays all the services of that host.
FIGURE 6.20: The Zenmap main window with the Services tab

TASK 3: Null Scan

The option Null Scan (-sN) does not set any bits (the TCP flag header is 0).

27. Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a Null scan, attackers send a TCP frame to a remote host with no flags set.

28. To perform a Null scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).

The option -sZ (SCTP COOKIE ECHO scan) is an advanced SCTP COOKIE ECHO scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports but send an ABORT if the port is closed.

FIGURE 6.21: The Zenmap main window with the New Profile or Command option
29. On the Profile tab, input the profile name Null Scan in the Profile name text field.

The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab (Profile name: Null Scan; the editor notes "This is how the profile will be identified in the drop-down combo box in the scan tab.")

The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

30. Click the Scan tab in the Profile Editor window. Now select the Null scan (-sN) option from the TCP scan: drop-down list.

The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.
In Nmap, the option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.

FIGURE 6.24: The Zenmap Profile Editor with the Scan tab (TCP scan: Null scan (-sN); Non-TCP scans: None; Timing template: Aggressive (-T4))

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.

The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

FIGURE 6.25: The Zenmap main window with the Target and Profile entered

34. Nmap scans the target IP address provided and displays the results in the Nmap Output tab.
Nmap Output shown for the Null scan (Profile: Null Scan; Command: nmap -sN -T4 -A -v 10.0.0.4):

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:47
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:47
Completed Parallel DNS resolution of 1 host. at 16:47, 0.28s elapsed
Initiating NULL Scan at 16:47
Scanning 10.0.0.4 [1000 ports]
Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
Initiating Service scan at 16:47
Initiating OS detection (try #1) against 10.0.0.4
NSE: Script scanning 10.0.0.4.
Initiating NSE at 16:47
Completed NSE at 16:47, 0.00s elapsed
Nmap scan report for 10.0.0.4
Host is up (0.000068s latency).

The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

FIGURE 6.26: The Zenmap main window with the Nmap Output tab

35. Click the Host Details tab to view the details of hosts, such as Host Status, Addresses, Open Ports, and Closed Ports.

FIGURE 6.27: The Zenmap main window with the Host Details tab (Host Status: State up, Open ports 0, Closed ports 1000, Scanned ports 1000; Addresses: IPv4 10.0.0.4, MAC 00:15:5D:00:07:10)

TASK 4: ACK Flag Scan

36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered and an RST response means the port is not filtered.
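The three inverse-flag scans in Tasks 2 to 4 differ only in which TCP flags the probe carries and in how the target answers. The following Python program is an added example, not part of the CEH lab manual, that encodes those rules from the defender's side: it names the probe type from its flag bits (the -sX flag set FIN, PSH and URG given in the margin note, a flagless frame for -sN, a lone ACK for -sA), applies the RFC 793 response logic quoted above to infer the port state Nmap would report, and runs over constructed firewall-style log lines to pick out a source that probes several ports with the same unusual flag combination. The log line format, the source addresses 10.0.0.9 and 10.0.0.7, and the minimum port count are assumptions made for the example; the SYN case extends the same logic to the SYN Stealth Scan that the Intense scan profile uses.

```python
"""Added example (not from the CEH lab manual): classify TCP probes by flag
combination the way an IDS rule would, and infer the port state Nmap reports
from the target's reply, using the RFC 793 rules the lab text gives for the
Xmas, Null and ACK scans (plus the SYN scan of the Intense profile).
All log lines below are constructed for this example."""

from collections import defaultdict

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def parse_flags(text):
    """Turn a flag string such as 'FPU' or 'SA' into a bitmask ('' -> 0)."""
    mask = 0
    for ch in text:
        mask |= FLAG_NAMES[ch]
    return mask


def classify_probe(flags):
    """Name the scan technique a single probe's flags suggest.
    -sX sets FIN, PSH and URG; -sN sets no flags; -sA sets only ACK;
    -sS opens with a bare SYN, which is also what a normal client sends."""
    if flags == 0:
        return "null"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == ACK:
        return "ack"
    if flags == SYN:
        return "syn"
    return "other"


def infer_port_state(scan, reply):
    """Apply the lab's RFC 793 reasoning to one probe/reply pair.
    reply is 'RST', 'SYN-ACK' or None (no answer at all)."""
    if scan in ("xmas", "null"):
        # Closed ports answer RST; open ports stay silent, but so does a
        # filter that dropped the probe, hence Nmap's 'open|filtered'.
        return "closed" if reply == "RST" else "open|filtered"
    if scan == "ack":
        # ACK probes never show open/closed, only whether a stateful filter
        # sits in the path: RST means unfiltered, silence means filtered.
        return "unfiltered" if reply == "RST" else "filtered"
    if scan == "syn":
        if reply == "SYN-ACK":
            return "open"
        return "closed" if reply == "RST" else "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def detect_scans(log_lines, min_ports=3):
    """Run the classifier over constructed firewall log lines of the form
    '<src> <dst> <dport> <flags>' ('-' meaning no flags) and report sources
    that hit at least min_ports distinct ports with the same inverse-flag
    probe type.  Returns {(src, dst, kind): [ports]}."""
    seen = defaultdict(set)
    for line in log_lines:
        src, dst, dport, flags = line.split()
        kind = classify_probe(parse_flags("" if flags == "-" else flags))
        if kind in ("xmas", "null", "ack"):
            seen[(src, dst, kind)].add(int(dport))
    return {key: sorted(ports) for key, ports in seen.items()
            if len(ports) >= min_ports}


# Constructed sample: an Xmas sweep and a Null sweep from 10.0.0.9 against
# the lab target 10.0.0.4, plus ordinary SYN/ACK traffic from 10.0.0.7.
SAMPLE_LOG = [
    "10.0.0.9 10.0.0.4 135 FPU",
    "10.0.0.9 10.0.0.4 139 FPU",
    "10.0.0.9 10.0.0.4 445 FPU",
    "10.0.0.9 10.0.0.4 80 -",
    "10.0.0.9 10.0.0.4 135 -",
    "10.0.0.9 10.0.0.4 445 -",
    "10.0.0.7 10.0.0.4 445 S",
    "10.0.0.7 10.0.0.4 445 A",
]

if __name__ == "__main__":
    for (src, dst, kind), ports in sorted(detect_scans(SAMPLE_LOG).items()):
        print(f"{kind} scan from {src} to {dst}: ports {ports}")
    print("ACK probe, RST back ->", infer_port_state("ack", "RST"))
```

The per-source grouping is what separates a scan from a stray malformed segment: a single ACK to 445 from 10.0.0.7 (the tail of a normal connection) never reaches the threshold, while the flagless and FIN/PSH/URG frames from 10.0.0.9 do, which is the same signal the "Increasing send delay ... dropped probes" lines in the Nmap Output above leave on the target's side.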
37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).

The --script-updatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

FIGURE 6.28: The Zenmap main window with the New Profile or Command option

38. On the Profile tab, input ACK Flag Scan in the Profile name text field.

The options --min-parallelism <numprobes> and --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.

FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the TCP scan: drop-down list (as shown in Figure 6.30), select None for all the other fields, and leave the Targets: field empty.
The options --min-rtt-timeout <time>, --max-rtt-timeout <time>, and --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab (TCP scan: ACK scan (-sA); Non-TCP scans: None)

40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.

The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.

FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab (Ping options: Don't ping before scanning (-Pn), ICMP ping (-PE), ICMP timestamp request (-PP), ICMP netmask request (-PM), ACK ping (-PA), SYN ping (-PS), UDP probes (-PU), IPProto probes (-PO), SCTP INIT ping probes (-PY))

41. In the Zenmap main window, input the target IP address of the machine (in this lab: 10.0.0.3), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.
The option --host-timeout <time> (Give up on slow target hosts): Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered (Profile: ACK Flag Scan; Command: nmap -sA -PO 10.0.0.4)

42. Nmap scans the target IP address provided and displays the results on the Nmap Output tab.

The options --scan-delay <time> and --max-scan-delay <time> (Adjust delay between probes): This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.

Nmap Output shown for the ACK Flag scan:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time
Nmap scan report for 10.0.0.4
Host is up (0.0000030s latency).
All 1000 scanned ports on 10.0.0.4 are unfiltered
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds

FIGURE 6.33: The Zenmap main window with the Nmap Output tab

43. To view more details regarding the hosts, click the Host Details tab.
The options --min-rate <number> and --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

FIGURE 6.34: The Zenmap main window with the Host Details tab (Host Status: State up, Scanned ports 1000; Addresses: IPv4 10.0.0.4, MAC 00:15:5D:00:07:10)

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: Nmap

Information Collected/Objectives Achieved:

Types of Scan used:
■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan

Intense Scan - Nmap Output:
■ ARP Ping Scan - 1 host
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan
■ Discovered open ports on 10.0.0.4: 135/tcp, 139/tcp, 445/tcp, ...
■ MAC Address
■ Operating System Details
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Uptime Guess
■ Service Info
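The Lab Analysis table above is filled in by hand from the Nmap Output tab. As an added example that is not part of the CEH lab manual, the following Python script parses Nmap's normal text output into per-host records (address, latency, listed ports with state, service and version, MAC address and vendor, and the "All N scanned ports are ..." summary the ACK scan produced) and renders one report line per host. The sample report is constructed for the example from the kinds of lines the lab's screenshots show; the second host 10.0.0.5, its MAC address, and the "Not shown" count are made up for illustration, and the regular expressions assume Nmap's normal output layout, not its XML (-oX) format.

```python
"""Added example (not from the CEH lab manual): a parser for Nmap's normal
text output that yields the per-host facts the Lab Analysis asks for.
SAMPLE_OUTPUT below is constructed from the kinds of lines the lab's Nmap
Output tab shows; host 10.0.0.5 and its MAC address are made up."""

import re

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)\.$")
ALL_RE = re.compile(r"^All (\d+) scanned ports on \S+ are (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?$")


def parse_nmap_output(text):
    """Return a list of host dicts in report order.  Lines before the first
    'Nmap scan report for' (banner, NSE chatter) are skipped."""
    hosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            # Nmap prints 'name (ip)' when reverse DNS succeeded; keep the IP.
            cur = {"host": m.group(2) or m.group(1), "latency_s": None,
                   "ports": [], "not_shown": None, "all_ports": None,
                   "mac": None, "vendor": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        if m := UP_RE.match(line):
            cur["latency_s"] = float(m.group(1))
        elif m := ALL_RE.match(line):
            cur["all_ports"] = (int(m.group(1)), m.group(2))
        elif m := NOT_SHOWN_RE.match(line):
            cur["not_shown"] = (int(m.group(1)), m.group(2))
        elif m := PORT_RE.match(line):
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4),
                                 "version": (m.group(5) or "").strip()})
        elif m := MAC_RE.match(line):
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
    return hosts


def open_ports(host):
    """Sorted 'port/proto' strings for the ports Nmap reported as open."""
    listed = sorted(host["ports"], key=lambda p: p["port"])
    return [f"{p['port']}/{p['proto']}" for p in listed if p["state"] == "open"]


def lab_analysis_rows(hosts):
    """One summary line per host, in the shape of the Lab Analysis table."""
    rows = []
    for h in hosts:
        ports = ", ".join(open_ports(h))
        if not ports and h["all_ports"]:
            ports = f"all {h['all_ports'][0]} {h['all_ports'][1]}"
        rows.append(f"{h['host']}: open ports {ports or 'none'}; "
                    f"MAC {h['mac'] or 'n/a'}")
    return rows


# Constructed sample: an Intense-scan style report for the lab target followed
# by an ACK-scan style report for a second (made-up) host, as one run prints.
SAMPLE_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time
NSE: Loaded 93 scripts for scanning.
Nmap scan report for 10.0.0.4
Host is up (0.00020s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Nmap scan report for 10.0.0.5
Host is up (0.0000030s latency).
All 1000 scanned ports on 10.0.0.5 are unfiltered
MAC Address: 00:15:5D:00:07:11 (Microsoft)
Nmap done: 2 IP addresses (2 hosts up) scanned in 7.57 seconds
"""

if __name__ == "__main__":
    for row in lab_analysis_rows(parse_nmap_output(SAMPLE_OUTPUT)):
        print(row)
```

Keeping "All N scanned ports are unfiltered" as a separate field matters for the ACK scan: it carries no port list at all, so a parser that only collected port lines would silently record the host as having nothing of interest, when the real finding is that no stateful filter sits between scanner and target.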
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze and evaluate the results by scanning a target network using:
   a. Stealth Scan (Half-open Scan)
   b. nmap -P

2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required
□ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs
Scanning a Network Using the NetScan Tools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals.

Lab Scenario

You have already noticed in the previous lab how you can gather information such as the ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. through the Intense Scan, Xmas Scan, Null Scan, and ACK Flag Scan in Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an intrusion detection report is generated, it will display the IP of the zombie host as the attacker. Attackers can easily know how many packets have been sent since the last probe by checking the IP packet fragment identification number (IPID). As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port: the target machine will respond with a SYN ACK (session request acknowledgement) packet if the port is open and with RST (reset) if the port is closed. You should also be prepared to block any such attacks on the network. In this lab you will learn to scan a network using NetScan Tools Pro. You also need to discover the network and gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.

Lab Objectives

The objective of this lab is to assist you to troubleshoot, diagnose, monitor, and discover devices on a network. In this lab, you need to:
■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
■ Detect local ports
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:
■ NetScanTools Pro, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro
■ You can also download the latest version of NetScan Tools Pro from the link http://www.netscantools.com/nstpromain.html
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Administrative privileges to run the NetScan Tools Pro tool

Lab Duration

Time: 10 Minutes

Overview of Network Scanning

Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities.

NetScanTools Pro performs the following network scanning functions:
■ Monitoring network device availability
■ Reporting IP addresses, hostnames, domain names, and port scanning results

Lab Tasks

TASK 1: Scanning the Network

Install NetScanTools Pro on your Windows Server 2012. Follow the wizard-driven installation steps and install NetScanTools Pro.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.

FIGURE 7.1: Windows Server 2012 - Desktop view

2. Click the NetScanTools Pro app to open the NetScanTools Pro window.
  • M o d u le 0 3 - S c a n n in g N e tw o rk s Administrator A S ta rt Server Manager Windows PowwShel Googfe Chrome H jperV kb-uoa NetScanT... Pro Demo h m o ‫וי‬ f* Control Pan*l Hjrpw-V Mdchir*. Q V ('nmittnd I't. n.".‫־‬ e w rr *I © 20‫2 ז‬ n x-x-ac 9 FIGURE 7.2 Windows Server 2012 - Apps 3. I f y o u a r e u s i n g t h e D e m o v e r s i o n o f N e t S c a n T o o l s P r o , t h e n c li c k Start the DEMO £L) Database Name be created in the Results Database Directory and it will have NstProDataprefixed and it will have the file extension .db3 4. T h e Open or C reate a N ew Result Database-NetScanTooIs Pro w i n d o w w ill a p p e a r s ; e n t e r a n e w d a t a b a s e n a m e i n D atabase Name (enter new name here) 5. S e t a d e f a u l t d i r e c t o r y r e s u l t s f o r d a t a b a s e file l o c a t i o n , c li c k Continue Open or Create a New Results Database - NetScanTools® Pro *‫ו‬ N etScanToote P ro a u to m a b c a ly s a v e s resu lts n a d a ta b a s e . T h e d a ta b a s e «s re q u re d . C r e a te a n e w R esu lts D a ta b a s e , o p en a p re viou s R e s d t s D a ta b a s e , or u s e this s o ftw a re r T r a n n g M ode with a tem po rary R esu lts D a tab a s e . ■‫״‬T rain rtg M ode Qutdc S t a r t: P re s s C r e a te Training M ode D a ta b a s e then p re ss C o ntinue. D a ta b a s e N am e (e n te r n e w n am e h e re ) A N E W R e s u lts D a ta b a s e w l b e a u to m a b c a ly p re fixed with ,NstProO ata-' a n d w i en d w ith ,. d b ? . N o sp ace s o r periods a r e allowed Test| w h en e n te r n g a n e w d a ta b a s e nam e. 
FIGURE 7.3: Setting a new database name for NetScanTools Pro

USB version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory.

6. The NetScanTools Pro main window will appear as shown in the following figure.
IPv6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain two or more colon characters and never contain periods. Example: 2001:4860:b006::69 (ipv6.google.com); ::1 is the internal loopback address.

FIGURE 7.4: Main window of NetScanTools Pro

7. Select Manual Tools (all) on the left panel and click ARP Ping.

8. A window will appear with information about the ARP Ping tool. Click OK.

About the ARP Ping tool: use this tool to "ping" an IPv4 address on your subnet using ARP packets. Use it on your LAN to find the response time of a device to an ARP_REQUEST packet even if the device is hidden and does not respond to a regular ping. ARP Ping requires a target IPv4 address on your LAN.
Don't miss this special feature in this tool: identify duplicate IPv4 addresses by "pinging" a specific IPv4 address. If more than one device (two or more MAC addresses) responds, you are shown the address of each of the devices. Don't forget to right click in the results for a menu with more options. Demo limitations: none.

ARP Ping is a useful tool capable of sending ARP packets to a target IP address, and it can also search for multiple devices sharing the same IP address on your LAN.

FIGURE 7.5: Selecting the Manual Tools option

9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp.
Send Broadcast ARP, and then Unicast ARP: this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box.

The results list shows, for each packet sent to the target (10.0.0.1 in the lab), the responding MAC address, the response time in milliseconds, and the packet type: the first entry is the broadcast request and the remaining entries are unicast.

FIGURE 7.6: Result of ARP Ping

10. Click ARP Scan (MAC Scan) in the left panel. A window will appear with information about the ARP Scan tool.
Click OK.

ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.

About the ARP Scan tool: use this tool to send an ARP Request to every IPv4 address on your LAN. IPv4 connected devices cannot hide from ARP packets and must respond with their IP and MAC addresses. Uncheck the Resolve box for a faster scan completion time. Don't forget to right click in the results for a menu with more options. Demo limitations: none.

FIGURE 7.7: Selecting the ARP Scan (MAC Scan) option

11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes.

12. Click Do Arp Scan.
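The following Python is an added example, not NetScanTools Pro code. It builds the frames that the ARP Ping step (broadcast request first, unicast follow-ups) and the ARP Scan step (one request per address in a range) put on the wire, parses the replies, and reports any IP address answered by more than one MAC, which is the duplicate-address case the ARP Ping tool highlights. The MAC addresses and the reply frames are constructed so it runs offline; transmitting them would need a raw link-layer socket (AF_PACKET on Linux, Npcap on Windows), which is assumed rather than shown.

```python
"""ARP ping / ARP scan frame handling (added example; not NetScanTools Pro code).

Frames are built and parsed by hand so this runs offline. Putting them on the
wire needs a raw link-layer socket (AF_PACKET on Linux, Npcap on Windows),
which is assumed and not shown; the MAC and IP addresses below are made up.
"""
import ipaddress
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen op sha spa tha tpa (28 bytes)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(src_mac, src_ip, target_ip, dst_mac=BROADCAST_MAC):
    """Ethernet II frame with an ARP who-has for target_ip.

    dst_mac defaults to the broadcast address ("Send Broadcast ARP"); pass the
    MAC learned from a reply to switch to unicast ARP for the follow-up probes.
    """
    eth = dst_mac + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Constructed reply frame, used only to fabricate traffic for the demo."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                      mac_bytes(dst_mac), ipaddress.IPv4Address(dst_ip).packed)
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return str(ipaddress.IPv4Address(spa)), mac_str(sha)


def arp_scan_requests(src_mac, src_ip, start_ip, end_ip):
    """One broadcast request per address in start_ip..end_ip (the ARP Scan sweep)."""
    lo = int(ipaddress.IPv4Address(start_ip))
    hi = int(ipaddress.IPv4Address(end_ip))
    return [build_arp_request(src_mac, src_ip, str(ipaddress.IPv4Address(n)))
            for n in range(lo, hi + 1)]


def collect_replies(frames):
    """Map each replying IP to the sorted list of MACs that answered for it."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            ip, mac = parsed
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items()}


def duplicate_ips(seen):
    """IPs claimed by more than one MAC: the duplicate-address case ARP Ping flags."""
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    me, my_ip = "00:15:5d:01:02:03", "10.0.0.7"
    reqs = arp_scan_requests(me, my_ip, "10.0.0.1", "10.0.0.10")
    print(f"{len(reqs)} requests of {len(reqs[0])} bytes each")
    # Constructed replies: two different devices both claim 10.0.0.1.
    replies = [build_arp_reply("00:0c:29:aa:bb:01", "10.0.0.1", me, my_ip),
               build_arp_reply("00:0c:29:aa:bb:02", "10.0.0.2", me, my_ip),
               build_arp_reply("f0:de:f1:00:00:99", "10.0.0.1", me, my_ip)]
    seen = collect_replies(replies)
    print("hosts:", seen)
    print("duplicates:", duplicate_ips(seen))
```

The request carries an all-zero target MAC and is addressed to ff:ff:ff:ff:ff:ff, which is why a host that drops ICMP still answers: the ARP handler in the stack replies before any host firewall sees an IP packet. The duplicate check only works on replies you actually captured, so run it on the same interface the requests left from.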
The Connection Monitor tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.

The ARP Scan results list each responding IPv4 address with its MAC address, the interface manufacturer, the entry type (dynamic), and the hostname where it resolves.

FIGURE 7.8: Result of ARP Scan (MAC Scan)

13. Click DHCP Server Discovery in the left panel; a window will appear with information about the DHCP Server Discovery tool. Click OK.

About the DHCP Server Discovery tool: use this tool to quickly locate DHCP servers (IPv4 only) on your local network. It shows the IP address and other parameters that are being handed out by DHCP servers. This tool can also find unknown or "rogue" DHCP servers. Don't forget to right click in the results for a menu with more options. Demo limitations: none.
DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.

FIGURE 7.9: Selecting the DHCP Server Discovery Tool option

14. Select all the Discover Options check boxes and click Discover DHCP Servers.
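As an added example (not NetScanTools Pro code), the Python below does what the DHCP Server Discovery step does underneath the button: it builds a DHCPDISCOVER whose parameter request list asks for the same items as the Discover Options (subnet mask, router, DNS, domain name, NTP), parses every DHCPOFFER that answers, and treats a second server identifier as the rogue-server signal. The offers are constructed here with the lab's 10.0.0.0/24 addresses; on a real network the DISCOVER goes from UDP port 68 to 255.255.255.255:67 with SO_BROADCAST set and each datagram received during the wait time is passed to parse_offer(), which is assumed and not shown.

```python
"""DHCP server discovery (added example; not NetScanTools Pro code).

Builds the DHCPDISCOVER a client broadcasts, parses the DHCPOFFERs that come
back, and flags more than one server identifier as a possible rogue server.
The offers are constructed; sending/receiving on UDP 68/67 is not shown.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 1, 3, 6, 15
OPT_NTP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAMS, OPT_END = 42, 51, 53, 54, 55, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes


def _header(op, xid, yiaddr, chaddr):
    # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
    return struct.pack(HDR_FMT, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                       ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def build_discover(mac, xid):
    """DHCPDISCOVER (broadcast flag set) asking for mask, router, DNS, domain
    and NTP; padded to the 300-byte minimum some relays and servers insist on."""
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
            + bytes([OPT_PARAMS, 5, OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_NTP])
            + bytes([OPT_END]))
    return (_header(1, xid, "0.0.0.0", mac) + MAGIC_COOKIE + opts).ljust(300, b"\0")  # op 1 = BOOTREQUEST


def parse_options(data):
    """Walk the TLV option area into {code: value}; stops at END, skips PAD,
    and refuses a length that runs past the packet instead of reading garbage."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} runs past end of packet")
        opts[code] = value
        i += 2 + length
    return opts


def _ips(raw):
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]


def parse_offer(packet, xid):
    """Offered parameters from a DHCPOFFER that answers our xid, else None."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    op, _, _, _, pkt_xid, _, _, _, yiaddr = struct.unpack("!BBBBIHH4s4s", packet[:20])
    if op != 2 or pkt_xid != xid:                   # op 2 = BOOTREPLY
        return None
    opts = parse_options(packet[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    first = lambda code: (_ips(opts[code]) or [None])[0] if code in opts else None
    lease = opts.get(OPT_LEASE, b"")
    return {"server_id": first(OPT_SERVER_ID),
            "offered_ip": str(ipaddress.IPv4Address(yiaddr)),
            "subnet_mask": first(OPT_MASK),
            "routers": _ips(opts.get(OPT_ROUTER, b"")),
            "dns": _ips(opts.get(OPT_DNS, b"")),
            "lease_seconds": struct.unpack("!I", lease)[0] if len(lease) == 4 else None}


def build_offer(xid, mac, server_ip, offered_ip, mask, router, dns, lease):
    """Constructed DHCPOFFER, used only to fabricate replies for the demo."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER]) + bytes([OPT_SERVER_ID, 4]) + ip(server_ip)
            + bytes([OPT_MASK, 4]) + ip(mask) + bytes([OPT_ROUTER, 4]) + ip(router)
            + bytes([OPT_DNS, 4]) + ip(dns) + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
            + bytes([OPT_END]))
    return _header(2, xid, offered_ip, mac) + MAGIC_COOKIE + opts


def find_servers(packets, xid):
    """Group offers by server identifier. On a subnet that should have one DHCP
    server, a second key is the rogue-server signal the tool reports."""
    servers = {}
    for pkt in packets:
        offer = parse_offer(pkt, xid)
        if offer and offer["server_id"]:
            servers.setdefault(offer["server_id"], offer)
    return servers


if __name__ == "__main__":
    XID, MAC = 0x1234ABCD, bytes.fromhex("00155d010203")
    print(len(build_discover(MAC, XID)), "byte DISCOVER")
    # Constructed replies: the legitimate server plus an unexpected second one.
    offers = [build_offer(XID, MAC, "10.0.0.1", "10.0.0.7", "255.255.255.0", "10.0.0.1", "10.0.0.1", 259200),
              build_offer(XID, MAC, "10.0.0.66", "10.0.0.200", "255.255.255.0", "10.0.0.66", "10.0.0.66", 600)]
    found = find_servers(offers, XID)
    for sid, o in found.items():
        print(sid, "offers", o["offered_ip"], "gw", o["routers"], "dns", o["dns"], "lease", o["lease_seconds"])
    if len(found) > 1:
        print("WARNING: more than one DHCP server answered; investigate the extra one")
```

The rogue server in the constructed run hands out itself as default gateway and DNS, which is exactly the fraudulent configuration a DHCP attacker uses to redirect traffic. Matching the transaction ID and checking the magic cookie before parsing keeps stray broadcasts from other clients out of the result, and the length check in parse_options stops a malformed offer from crashing the scanner.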
NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations.

The Discover Options are Hostname, Subnet Mask, Domain Name, DNS, Router, and NTP Servers. In the lab the discovery runs on interface 10.0.0.7 (Hyper-V Virtual Ethernet Adapter #2) and finds the DHCP server 10.0.0.1, which offers a 255.255.255.0 subnet mask.

FIGURE 7.10: Result of DHCP Server Discovery

15. Click Ping Scanner in the left panel. A window will appear with information about the Ping Scanner tool. Click OK.

Port Scanner is a tool designed to determine which ports on a target computer are active, i.e. being used by services or daemons.
About the Ping Scanner (aka NetScanner) tool: use this tool to ping a range or list of IPv4 addresses. This tool shows you the computers that are active within the range (those that respond to ping). To see all devices in your subnet, including those blocking ping, use the ARP Scan tool. You can import a text list of IPv4 addresses to ping. Don't miss this special feature in this tool: use the Do SMB/NBNS Scan option to get NetBIOS responses from unprotected Windows computers. Don't forget to right click in the results for a menu with more options. Demo limitations: Packet Delay (the time between sending each ping) is limited to a lower limit of 50 milliseconds. Packet Delay can be as low as zero (0) ms in the full version; in other words, the full version will be a bit faster.

FIGURE 7.11: Selecting the Ping Scanner option

16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes.

17. Click Start.
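The ping sweep behind steps 16 and 17 is an ICMP echo request to every address in the range and a match of each echo reply back to the host it came from. The Python below is an added example, not NetScanTools Pro code: it builds the echo requests with the RFC 1071 checksum, uses the identifier field to tell its own replies from other pings on the host and the sequence number to index the address list, and discards corrupt or foreign replies. The replies are constructed so it runs offline; sending would need a raw ICMP socket with administrator or root rights, which is assumed and not shown.

```python
"""ICMP echo request/reply handling behind a ping sweep (added example; not
NetScanTools Pro code). Packets are built and parsed by hand and the replies
are constructed, so this runs offline; a raw ICMP socket is assumed for use
on a real network.
"""
import ipaddress
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload=b"netscan"):
    hdr = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)   # checksum field zero
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_echo_reply(ident, seq, payload):
    """Constructed reply, used only to fabricate traffic for the demo."""
    hdr = struct.pack("!BBHHH", ECHO_REPLY, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ECHO_REPLY, 0, csum, ident, seq) + payload


def parse_echo_reply(packet, ident):
    """(seq, payload) for a checksum-valid echo reply carrying our identifier;
    None for anything else (wrong type, another process's id, corrupt packet)."""
    if len(packet) < 8 or inet_checksum(packet) != 0:   # sum over a valid packet folds to 0
        return None
    typ, code, _csum, pkt_id, seq = struct.unpack("!BBHHH", packet[:8])
    if typ != ECHO_REPLY or code != 0 or pkt_id != ident:
        return None
    return seq, packet[8:]


def sweep_plan(start_ip, end_ip, ident):
    """One echo request per address; the sequence number doubles as the index
    into the address list, so a reply's seq says which host answered."""
    lo = int(ipaddress.IPv4Address(start_ip))
    hi = int(ipaddress.IPv4Address(end_ip))
    addrs = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
    return addrs, [build_echo_request(ident, i) for i in range(len(addrs))]


def live_hosts(addrs, replies, ident):
    alive = set()
    for pkt in replies:
        parsed = parse_echo_reply(pkt, ident)
        if parsed and parsed[0] < len(addrs):
            alive.add(addrs[parsed[0]])
    return sorted(alive, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    IDENT = 0x1234
    addrs, reqs = sweep_plan("10.0.0.1", "10.0.0.50", IDENT)
    # Constructed replies: hosts at index 0, 1, 4 and 6 answer; one reply
    # belongs to another process (foreign id) and one arrives corrupted.
    replies = [build_echo_reply(IDENT, i, b"netscan") for i in (0, 1, 4, 6)]
    replies.append(build_echo_reply(0x9999, 2, b"netscan"))
    replies.append(build_echo_reply(IDENT, 3, b"netscan")[:-1] + b"!")
    print(len(reqs), "requests; live:", live_hosts(addrs, replies, IDENT))
```

Two caveats match the tool's own help text: a host that drops ICMP echo simply never appears in the live list, so a silent address is not proof of an empty one (the ARP scan is the authoritative check on the local subnet), and the checksum test is on the ICMP message only; the IP header that precedes it on a raw socket has to be stripped before calling parse_echo_reply().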
Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream Internet provider(s) that service a network-connected device.

With Start IP 10.0.0.1 and End IP 10.0.0.50, the scan reports an Echo Reply from 10.0.0.1, 10.0.0.2, 10.0.0.5, and 10.0.0.7, along with the resolved hostname of each responding target.

FIGURE 7.12: Result of the scanned IP addresses

18. Click Port Scanner in the left panel. A window will appear with information about the Port Scanner tool. Click OK.

About the Port Scanner tool: NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNER'S PERMISSION TO SCAN.

Whois is a client utility that acts as an interface to a remote whois server database.
This database may contain domain, IP address or AS number registries that you can access given the correct query.

Use this tool to scan a target for TCP or UDP ports that are listening (open with a service listening). Types of scanning supported: Full Connect TCP scan (see the notes below), UDP port unreachable scan, combined TCP full connect and UDP scan, TCP SYN only scan and other TCP scans. Don't miss this special feature in this tool: after a target has been scanned, an analysis window will open in your default web browser. Don't forget to right click in the results for a menu with more options. Other notes: the settings that strongly affect scan speed are Connect Timeout (use 200 or less on a fast network connection with nearby computers, 3000 (3 seconds) or more on a slow connection) and Wait After Connect (how long each port test waits after connecting before deciding that the port is not active; try 0, then a larger value, and notice the difference). Demo limitations: none.

FIGURE 7.13: Selecting the Port Scanner option

19. Enter the IP address in the Target Hostname or IP Address field and select the TC Ports only radio button.

20. Click Scan Range of Ports.
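The Full Connect TCP scan selected in steps 19 and 20, with the two timing settings the tool's notes single out, looks like the following Python. This is an added example, not NetScanTools Pro code: connect timeout bounds how long a port with no answer (a firewall dropping the SYN) is waited on, and wait-after-connect is how long an open port is given to send a banner before the scanner moves on. It only ever scans a listener it starts itself on 127.0.0.1, so it runs offline; pointing it at the lab target is a one-argument change. A SYN-only scan needs raw sockets and is not shown.

```python
"""TCP full-connect port scan with connect-timeout and wait-after-connect
(added example; not NetScanTools Pro code). The demo target is a listener
started on 127.0.0.1, so this runs offline. Scan only hosts you are
authorised to scan.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, connect_timeout=1.0, wait_after_connect=1.0):
    """Return (port, state, banner) with state 'open', 'closed' or 'filtered'.

    closed   -> the target answered with RST (ConnectionRefusedError)
    filtered -> nothing came back within connect_timeout (typical of a
                firewall silently dropping the SYN)
    open     -> handshake completed; up to 128 bytes of banner are read for
                wait_after_connect seconds so services that speak first
                (SSH, SMTP, FTP) identify themselves
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(connect_timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return port, "closed", b""
    except OSError:                     # includes timeout and unreachable
        s.close()
        return port, "filtered", b""
    banner = b""
    try:
        s.settimeout(wait_after_connect)
        banner = s.recv(128)
    except OSError:
        pass
    finally:
        s.close()
    return port, "open", banner


def scan_range(host, first, last, workers=64, **timing):
    """Connect-scan ports first..last in parallel -> {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, **timing), range(first, last + 1)))
    return {port: (state, banner) for port, state, banner in results}


def open_ports(results):
    return sorted(p for p, (state, _) in results.items() if state == "open")


def start_banner_listener(banner=b"SSH-2.0-demo\r\n"):
    """Constructed target: accepts on an ephemeral loopback port, sends a
    banner, closes. Returns the port; the daemon thread dies with the process."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port():
    """Pick a loopback port that is known to be unbound right now (for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    target = start_banner_listener()
    results = scan_range("127.0.0.1", target - 2, target + 2, connect_timeout=0.5, wait_after_connect=0.5)
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:5d}  {state:8s}  {banner!r}")
    print("open:", open_ports(results))
```

A full connect scan completes the three-way handshake, so every open port it touches shows up in the target's application logs with your source address; that is the trade-off against a SYN scan, which needs raw sockets but never finishes the handshake. Keep wait_after_connect short on a large range: it is paid once per open port, not per closed one, so the cost scales with the number of services found rather than the number of ports tried.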
The scan result lists each port tested with its service name and protocol; in the lab, port 80 (http, TCP) is reported as active on the target.

FIGURE 7.14: Result of Port Scanner

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: NetScanTools Pro
Information Collected/Objectives Achieved:
■ ARP Scan Results: IPv4 Address, MAC Address, I/F Manufacturer, Entry Type, Hostname, Local Address
■ Information for Discovered DHCP Servers:
  ■ IPv4 Address: 10.0.0.7
  ■ Interface Description: Hyper-V Virtual Ethernet Adapter #2
  ■ DHCP Server IP: 10.0.0.1
  ■ Server Hostname: 10.0.0.1
  ■ Offered IP: 10.0.0.7
  ■ Offered Subnet Mask: 255.255.255.0
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does NetScanTools Pro support proxy servers or firewalls?

Internet Connection Required
☐ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs
Drawing Network Diagrams Using LANSurveyor

LANsurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.

Lab Scenario

An attacker can gather information from ARP Scan, DHCP servers, etc. using NetScanTools Pro, as you have learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration.

In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.
Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network. In this lab, you need to:

■ Draw a map showing the logical connectivity of your network and navigate around the map
■ Create a report that includes all your managed switches and hubs
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:

■ LANSurveyor, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor
■ You can also download the latest version of LANSurveyor from the link http://www.solarwinds.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the LANSurveyor tool

Lab Duration

Time: 10 Minutes

Overview of LANSurveyor

SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets and addresses reporting needs for PCI compliance and other regulatory requirements.

Lab Tasks

TASK 1: Draw Network Diagram

Install LANSurveyor on your Windows Server 2012. Follow the wizard-driven installation steps and install LANSurveyor.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 8.1: Windows Server 2012 - Desktop view

2. Click the LANSurveyor app to open the LANSurveyor window.
LANsurveyor's Responder client: manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files.

FIGURE 8.2: Windows Server 2012 - Apps

3. Review the limitations of the evaluation software and then click Continue with Evaluation to continue the evaluation.

LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)

FIGURE 8.3: LANSurveyor evaluation window

4. The Getting Started with LANsurveyor dialog box is displayed. Click Start Scanning Network.
LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember that switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.

The Getting Started dialog lists what you can do with LANsurveyor: scan and map Layer 1, 2, 3 network topology, export maps to Microsoft Visio, and continuously scan your network automatically, with links to the thwack LANsurveyor forum, the online manual (LANsurveyor Administrator Guide), the Evaluation Guide, and SolarWinds Support.

FIGURE 8.4: Getting Started with LANSurveyor wizard

5. The Create A Network Map window will appear; in order to draw a network diagram enter the IP addresses in Begin Address and End Address, and click Start Network Discovery.
In the Create A New Network Map window the lab uses Begin Address 10.0.0.1 and End Address 10.0.0.254. The Hops setting follows router hops, which requires SNMP access to the routers. Routers, switches and other SNMP devices are discovered with SNMPv1 and SNMPv2c using the community strings public and private (SNMPv3 devices need their own options). Other IP service discovery covers LANsurveyor Responders, ICMP (Ping), NetBIOS clients, SIP clients and Active Directory DCs, and a Mapping Speed slider trades scan speed against network load.

LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address.

FIGURE 8.5: New Network Map window

6. The mapping process for the entered IP address range will be displayed as shown in the following figure. The Mapping Progress window reports the hop being searched (Hop 0: 10.0.0.1-10.0.0.254), the SNMP and ICMP ping sends and receipts, the subnets, nodes, routers and switches mapped, and the last node contacted (WIN-D39MR5HL9E4).

LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2. For example, to map a switch connecting multiple, nonconsecutive VLANs

FIGURE 8.6: Mapping progress window

7. LANsurveyor displays the map of your network.
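The SNMPv1/v2c discovery configured in the Create A New Network Map window sends a GetRequest to every candidate address with each configured community string and maps whichever devices answer; the same exchange, run with the default strings public and private, is how an attacker finds agents that were never reconfigured. The Python below is an added example, not LANsurveyor code: it BER-encodes an SNMPv1 GetRequest for sysName.0, decodes the GetResponse, and reports which candidate communities a device accepted. The agent is a stand-in function and the response bytes are constructed, so it runs offline; a real probe would send the bytes to UDP/161 and hand the returned datagram to parse_message(), which is assumed and not shown.

```python
"""SNMPv1 GetRequest/GetResponse encoding and a default-community check
(added example; not LANsurveyor code). Built and parsed by hand, with a
stand-in agent, so it runs offline; UDP/161 transport is assumed, not shown.
"""
SEQ, INT, OCTET, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SYS_NAME_0 = "1.3.6.1.2.1.1.5.0"


def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def enc_int(v):
    """Minimal two's-complement INTEGER (0 -> one zero byte, 128 -> 00 80)."""
    return tlv(INT, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def _message(community, pdu_tag, request_id, varbind):
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQ, varbind))
    return tlv(SEQ, enc_int(0) + tlv(OCTET, community.encode()) + pdu)   # version 0 = SNMPv1


def build_get(community, oid, request_id):
    return _message(community, GET_REQUEST, request_id, tlv(SEQ, enc_oid(oid) + tlv(NULL, b"")))


def build_response(community, oid, value, request_id):
    """Constructed GetResponse carrying an OCTET STRING (fabricated reply)."""
    return _message(community, GET_RESPONSE, request_id, tlv(SEQ, enc_oid(oid) + tlv(OCTET, value)))


def _read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("TLV length runs past end of packet")
    return tag, body, pos + length


def _expect(buf, pos, tag):
    got, body, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#x}, got {got:#x}")
    return body, nxt


def parse_message(packet):
    """Decode an SNMPv1 message to a dict; raises ValueError on malformed BER."""
    to_int = lambda b: int.from_bytes(b, "big", signed=True)
    msg, _ = _expect(packet, 0, SEQ)
    ver, pos = _expect(msg, 0, INT)
    community, pos = _expect(msg, pos, OCTET)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    rid, pos = _expect(pdu, 0, INT)
    err, pos = _expect(pdu, pos, INT)
    _idx, pos = _expect(pdu, pos, INT)
    vbl, _ = _expect(pdu, pos, SEQ)
    varbinds, pos = [], 0
    while pos < len(vbl):
        vb, pos = _expect(vbl, pos, SEQ)
        oid, p2 = _expect(vb, 0, OID)
        vtag, val, _ = _read_tlv(vb, p2)
        varbinds.append((oid, vtag, val))
    return {"version": to_int(ver), "community": community.decode(errors="replace"),
            "pdu": pdu_tag, "request_id": to_int(rid), "error_status": to_int(err),
            "varbinds": varbinds}


def check_communities(send, candidates=("public", "private")):
    """send(community, request_bytes) -> response bytes or None stands in for the
    UDP round trip. Returns the candidates the agent answered without error."""
    answered = []
    for rid, community in enumerate(candidates, start=1):
        raw = send(community, build_get(community, SYS_NAME_0, rid))
        if raw is None:
            continue
        try:
            reply = parse_message(raw)
        except ValueError:
            continue
        if (reply["pdu"], reply["request_id"], reply["error_status"]) == (GET_RESPONSE, rid, 0):
            answered.append(community)
    return answered


if __name__ == "__main__":
    print(build_get("public", SYS_NAME_0, 1).hex())

    def fake_agent(community, request):      # stand-in: answers "public" only
        if community != "public":
            return None                      # v1 agents silently drop a wrong community
        rid = parse_message(request)["request_id"]
        return build_response("public", SYS_NAME_0, b"WIN-D39MR5HL9E4", rid)

    print("default communities accepted:", check_communities(fake_agent))
```

Two points follow from the wire format. The community string travels in clear text in every message, so anyone capturing the mapper's traffic learns it, and a v1 agent that gets the wrong community sends nothing back (at most an authenticationFailure trap), so a missing reply means "wrong community or no agent", not "no agent". Checking the request id on the way back is what stops a late reply from an earlier candidate being credited to the current one.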
LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.

The map's tree groups the discovered objects as Network Segments (1), IP Addresses (4), Domain Names (4), Node Names (4), IP Routers, LANsurveyor Responder Nodes, SNMP Nodes, SNMP Switches/Hubs, SIP (VoIP) Nodes, Layer 2 Nodes, Active Directory DCs, and Groups.

FIGURE 8.7: Resulting network diagram

Lab Analysis

Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.

Tool/Utility: LANSurveyor
Information Collected/Objectives Achieved:
■ IP address range: 10.0.0.1 - 10.0.0.254
■ IP Nodes Details:
  ■ ICMP Ping Sends: 31
  ■ ICMP Receipts: 4
  ■ SNMP Sends: 62
  ■ Nodes Mapped: 4
■ Network Segment Details:
  ■ IP Addresses: 4
  ■ Domain Names: 4
  ■ Node Names: 4
YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does LANSurveyor map every IP address to its corresponding switch or hub port?

2. Can nodes connected via wireless access points be detected and mapped?

Internet Connection Required
☐ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs
Mapping a Network Using Friendly Pinger

Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.

Lab Scenario

In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANSurveyor. If an attacker is able to get hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default community name public and disable them using the read-write community. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack. Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection.

As an expert Network Administrator and Penetration Tester you need to discover network topology and produce comprehensive network diagrams for discovered networks and block attacks by deploying firewalls on a network to filter unwanted traffic.
You should be able to block outgoing SNMP traffic at border routers or firewalls. In this lab, you will learn to map a network using the tool Friendly Pinger.

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network. In this lab, you need to:

■ Discover a network using discovery techniques
■ Diagram the network topology
■ Detect new devices and modifications made in network topology
■ Perform inventory management for hardware and software assets
Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To perform the lab, you need:

■ Friendly Pinger, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger
■ You can also download the latest version of Friendly Pinger from the link http://www.kilievich.com/fpinger/download.htm
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Friendly Pinger tool

Lab Duration

Time: 10 Minutes

Overview of Network Mapping

Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems running on networks. This technique detects new devices and modifications made in network topology. You can perform inventory management for hardware and software assets.

Friendly Pinger performs the following to map the network:

■ Monitors network device availability
■ Notifies if any server wakes up or goes down
■ Pings all devices in parallel at once
■ Audits hardware and software components installed on the computers over the network

Lab Tasks

TASK 1: Draw Network Map

1. Install Friendly Pinger on your Windows Server 2012.
2. Follow the wizard-driven installation steps and install Friendly Pinger.
3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 9.1: Windows Server 2012 - Desktop view

4. Click the Friendly Pinger app to open the Friendly Pinger window.

Note: You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.

Note: Friendly Pinger will display the IP address of your computer and will offer an exemplary range of IP addresses for scanning.

FIGURE 9.2: Windows Server 2012 - Apps

5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.
6. Click No.

Note: To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. While the intermediate addresses are being determined, they will be displayed as a list in this window and the route will be displayed as red arrows on the map.

FIGURE 9.3: FPinger Main Window
7. Select File from the menu bar and select the Wizard option.

Note: Scanning allows you to know a lot about your network. Thanks to the unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network.

Note: The map occupies most of the window. Right-click it. In the context menu that appears select "Add" and then "Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture.

FIGURE 9.4: FPinger Starting Wizard

8. To create an initial mapping of the network, type a range of IP addresses in the specified field as shown in the following figure and click Next.

Wizard dialog (as shown in the figure): Local IP address: 10.0.0.7. The initial map will be created by querying the DNS server for information about the following IP addresses. You can specify an exacter range of scanning to speed up this operation, for example: 10.129-135.1-5.1-10. Timeout allows to increase searching, but you can miss some addresses.

Note: The device is displayed as an animated picture if it is pinged, and as a black and white picture if it is not pinged.

FIGURE 9.5: FPinger Initializing IP address range
9. Then the wizard will start scanning the IP addresses in the network and list them.
10. Click Next.
Wizard results (as shown in the figure): 10.0.0.2 WIN-MSSELCK4K41, 10.0.0.3 Windows8, 10.0.0.5 WIN-LXQN3WR3R9M, 10.0.0.7 WIN-D39MR5HL9E4. The inquiry is completed. 4 devices found. Remove the tick from devices which you don't want to add on the map.

Note: Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears.

FIGURE 9.6: FPinger Scanning of Address completed

11. Set the default options in the Wizard selection windows and click Next.

Note: Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.

FIGURE 9.7: FPinger selecting the Devices type

12. Then the client area will display the Network map in the FPinger window.
Note: If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. Same with the proxy server.

FIGURE 9.8: FPinger Client area with Network architecture

13. To scan the selected computer in the network, select the computer, select the Scan tab from the menu bar, and click Scan.

Note: You may download the latest release: http://www.kilievich.com/fpinger

Note: Select "File | Options", and configure Friendly Pinger to your taste.

FIGURE 9.9: FPinger Scanning the computers in the Network

14. It displays the scanned details in the Scanning wizard.
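The range syntax the wizard suggests ("10.129-135.1-5.1-10") and the lab's own 10.0.0.1-10.0.0.20 range, expanded and then probed in parallel the way steps 8 to 12 describe, as an added Python example that is not Friendly Pinger's code or part of the CEH manual. The probe is a constructed stand-in for an ICMP echo so the sweep runs offline, and the responsive hosts it reports are the four the lab's wizard found.

```python
"""Expand Friendly Pinger style IP ranges and sweep them in parallel (added example)."""
import ipaddress
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List

# One field of the per-octet form: "7" or "129-135".
_OCTET_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")
# The start-end form: two full dotted quads joined by "-".
_PAIR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def _expand_octet(field: str) -> List[int]:
    """'129-135' -> [129, ..., 135]; '7' -> [7]. Rejects reversed or out-of-range bounds."""
    m = _OCTET_RE.match(field)
    if not m:
        raise ValueError(f"malformed octet field: {field!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet bounds must satisfy 0 <= lo <= hi <= 255: {field!r}")
    return list(range(lo, hi + 1))


def expand_range(spec: str) -> List[str]:
    """Return every IPv4 address covered by a scan range, in ascending order.

    Accepts the per-octet syntax shown in the wizard ("10.129-135.1-5.1-10", each
    field a single value or a lo-hi span) and the start-end form the lab uses
    ("10.0.0.1-10.0.0.20").
    """
    spec = spec.strip()
    pair = _PAIR_RE.match(spec)
    if pair:
        start = ipaddress.IPv4Address(pair.group(1))
        end = ipaddress.IPv4Address(pair.group(2))
        if end < start:
            raise ValueError(f"end address precedes start address: {spec!r}")
        return [str(start + i) for i in range(int(end) - int(start) + 1)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dotted fields: {spec!r}")
    a, b, c, d = (_expand_octet(f) for f in fields)
    # Nested order keeps the result ascending: last octet varies fastest.
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def sweep(addresses: Iterable[str], probe: Callable[[str], bool],
          workers: int = 32) -> List[str]:
    """Probe every address concurrently (Friendly Pinger pings all devices in
    parallel) and return the responsive ones sorted numerically."""
    addrs = list(addresses)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, addrs))
    alive = [addr for addr, up in zip(addrs, results) if up]
    return sorted(alive, key=ipaddress.IPv4Address)


def make_stub_probe(responsive: Iterable[str]) -> Callable[[str], bool]:
    """Constructed stand-in for an ICMP echo probe so the sweep runs offline.
    A real probe would send an ICMP echo request (raw-socket privileges needed)
    or invoke the system ping utility and check its exit status."""
    up = set(responsive)
    return lambda addr: addr in up


if __name__ == "__main__":
    # Constructed sample: the four hosts the lab's wizard found in 10.0.0.1-10.0.0.20.
    lab_hosts = ["10.0.0.2", "10.0.0.3", "10.0.0.5", "10.0.0.7"]
    print(len(expand_range("10.129-135.1-5.1-10")))  # 350 addresses
    print(sweep(expand_range("10.0.0.1-10.0.0.20"), make_stub_probe(lab_hosts)))
```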
Scanning results (as shown in the figure): HTTP on WIN-MSSELCK4K41 (http://WIN-MSSELCK4K41) and HTTP on WIN-D39MR5HL9E4 (http://WIN-D39MR5HL9E4). Scanning complete.

Note: Double-click the device to open it in Explorer.

FIGURE 9.10: FPinger Scanned results

15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer.

Note: Audit software and hardware components installed on the computers over the network. Track user access and files opened on your computer via the network.

FIGURE 9.11: FPinger Inventory tab

16. The General tab of the Inventory wizard shows the computer name and installed operating system.
Inventory, General tab (as shown in the figure): Host name WIN-D39MR5HL9E4; User name Administrator; Windows Name: Windows Server 2012 Release Candidate Datacenter; Collection time 8/22/2012 11:22:34 AM.

Note: Assignment of external commands (like telnet, tracert, net.exe) to devices.

FIGURE 9.12: FPinger Inventory wizard General tab

17. The Misc tab shows the Network IP addresses, MAC addresses, File System, and Size of the disks.

Note: Search of HTTP, FTP, e-mail and other network services.

Inventory, Misc tab (as shown in the figure): IP address 10.0.0.7; MAC address D4-BE-D9-C3-CE-2D; Total space 465.42 Gb; Free space 382.12 Gb; Display settings 1366x768, 60 Hz, True Color (32 bit); disks C and D, both Fixed, NTFS.

Note: The "Create Setup" function allows you to create a lite freeware version with your maps and settings.

FIGURE 9.13: FPinger Inventory wizard Misc tab

18. The Hardware tab shows the hardware component details of your networked computers.
Inventory, Hardware tab (as shown in the figure): 4x Intel Pentium III Xeon 3093; Memory 4096 Mb; BIOS AT/AT COMPATIBLE; Monitors: Generic PnP Monitor; Display adapters: Intel(R) HD Graphics Family; Disk drives: ST3500413AS; Network adapters: Realtek PCIe GBE Family Controller; SCSI and RAID controllers: Microsoft Storage Spaces Controller.

FIGURE 9.14: FPinger Inventory wizard Hardware tab

19. The Software tab shows the installed software on the computers.

Inventory, Software tab (as shown in the figure): installed software listed by Name, Version, Developer and Homepage (for example Adobe Reader X (10.1.3), Friendly Pinger, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Office 2010 components).

Note: Visualization of your computer network as a beautiful animated screen.

FIGURE 9.15: FPinger Inventory wizard Software tab

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
Tool/Utility      Information Collected/Objectives Achieved
Friendly Pinger   IP address range: 10.0.0.1 - 10.0.0.20
                  Found IP addresses:
                  ■ 10.0.0.2
                  ■ 10.0.0.3
                  ■ 10.0.0.5
                  ■ 10.0.0.7
                  Details Result of 10.0.0.7:
                  ■ Computer name
                  ■ Operating system
                  ■ IP address
                  ■ MAC address
                  ■ File system
                  ■ Size of disk
                  ■ Hardware information
                  ■ Software information

Please talk to your instructor if you have questions related to this lab.

Questions

1. Does FPinger support proxy servers and firewalls?
2. Examine the programming language used in FPinger.

Internet Connection Required
□ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs
Lab
Scanning a Network Using the Nessus Tool

Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.

Lab Scenario

In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notifications, view ping information, track user access via the network, view graphical traceroutes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall. If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. Also, it is very important that you use some methodologies to detect such rogue devices on the network.
As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.

Lab Objectives

This lab will give you experience in scanning the network for vulnerabilities, and show you how to use Nessus. It will teach you how to:

■ Use the Nessus tool
■ Scan the network for vulnerabilities
Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To carry out the lab, you need:

■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
■ You can also download the latest version of Nessus from the link http://www.tenable.com/products/nessus/nessus-download-agreement
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Nessus tool

Lab Duration

Time: 20 Minutes

Overview of Nessus Tool

Note: Nessus is public domain software released under the GPL.

Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.

Lab Tasks

TASK 1: Nessus Installation

1. To install Nessus, navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
2. Double-click the Nessus-5.0.1-x86_64.msi file.
3. The Open File - Security Warning window appears; click Run.
Note: Nessus is designed to automate the testing and discovery of known security problems.

FIGURE 10.1: Open File - Security Warning
4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions. Click Next.

Note: The updated Nessus security checks database can be retrieved with the command nessus-update-plugins.

FIGURE 10.2: The Nessus installation window

5. Before you begin installation, you must agree to the license agreement as shown in the following figure.
6. Select the radio button to accept the license agreement and click Next.

Note: Nessus has the ability to test SSLized services such as http, smtps, imaps and more.

Note: The Nessus security scanner includes NASL (Nessus Attack Scripting Language).

FIGURE 10.3: The Nessus InstallShield Wizard
7. Select a destination folder and click Next.
Note: Nessus gives you the choice of performing a regular nondestructive security audit on a routine basis.

Destination folder (as shown in the figure): C:\Program Files\Tenable\Nessus

FIGURE 10.4: The Nessus InstallShield Wizard

8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.

Note: Nessus probes a range of addresses on a network to determine which hosts are alive.

FIGURE 10.5: The Nessus InstallShield Wizard for Setup Type

9. The Nessus wizard will prompt you to confirm the installation. Click Install.
Note: Nessus probes network services on each host to obtain banners that contain software and OS version information.

FIGURE 10.6: Nessus InstallShield Wizard

10. Once installation is complete, click Finish.

Note: Path of the Nessus home directory for Windows: \Program Files\Tenable\Nessus

FIGURE 10.7: Nessus InstallShield Wizard

Nessus Major Directories

The major directories of Nessus are shown in the following table.
Nessus Home Directory                    Nessus Sub-Directories         Purpose
Windows: \Program Files\Tenable\Nessus   conf                           Configuration files
                                         data                           Stylesheet templates
                                         nessus\plugins                 Nessus plugins
                                         nessus\users\<username>\kbs    User knowledgebase saved on disk
                                         nessus\logs                    Nessus log files

TABLE 10.1: Nessus Major Directories

Note: During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required.

11. After installation, Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL.

Welcome screen text (as shown in the figure): Welcome to Nessus! Please connect via SSL by clicking here. You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information.

FIGURE 10.8: Nessus SSL certification

13. Click OK in the Security Alert pop-up, if it appears.

Note: The Nessus Server Manager used in Nessus 4 has been deprecated.

FIGURE 10.9: Internet Explorer Security Alert

14. Click the Continue to this website (not recommended) link to continue.
Certificate error page (as shown in the figure): There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.

FIGURE 10.10: Internet Explorer website's security certificate

15. Click OK in the Security Alert pop-up, if it appears.

Note: Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers.

FIGURE 10.11: Internet Explorer Security Alert

16. The Thank you for installing Nessus screen appears. Click the Get Started > button.

Note: ... warning, a custom certificate for your organization must be used.

FIGURE 10.11: Nessus Getting Started
17. In Initial Account Setup, enter the credentials given at the time of registration and click Next >.
Initial Account Setup screen (as shown in the figure): First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/delete users, stop ongoing scans, and change the scanner configuration. Login: admin. Because the admin user can change the scanner configuration, the admin has the ability to execute commands on the remote host. Therefore, it should be noted that the admin user has the same privileges as the "root" (or administrator) user on the remote host.

FIGURE 10.12: Nessus Initial Account Setup

18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.
19. Click the Using Nessus at Home icon in Obtain an Activation Code.

Note: If you are using the Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.

FIGURE 10.13: Nessus Obtaining Activation Code

20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.
FIGURE 10.14: Nessus Subscription Agreement

Note: If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. Note: The Activation Code is not case sensitive.

21. Fill in the Register a HomeFeed section to obtain an activation code and click Register.

FIGURE 10.15: Nessus Registering HomeFeed

22. The Thank You for Registering window appears for Tenable Nessus HomeFeed.
After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.

FIGURE 10.16: Nessus Registration Completed

23. Now log in to your email for the activation code provided at the time of registration, as shown in the following figure.

FIGURE 10.17: Nessus Registration mail

24. Now enter the activation code received at your email ID and click Next.
Plugin Feed Registration: as information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a Plugin Feed; visit http://www.nessus.org/register/ to obtain an Activation Code. To use Nessus at your workplace, purchase a commercial ProfessionalFeed; in a non-commercial home environment, you can get a HomeFeed for free; Tenable SecurityCenter users enter "SecurityCenter" in the Activation Code field; to perform offline plugin updates, enter "offline" in the field.

Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.

FIGURE 10.18: Nessus Applying Activation Code

25. The Registering window appears as shown in the following screenshot.

FIGURE 10.19: Nessus Registering Activation Code

26. After successful registration, click Next: Download plugins > to download the Nessus plugins.

Nessus server configuration is managed via the GUI; the nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.

FIGURE 10.20: Nessus Downloading Plugins

27. Nessus will start fetching the plugins and install them; installing the plugins and initializing will take some time.

FIGURE 10.21: Nessus fetching the newest plugin set

28. The Nessus Log In page appears. Enter the Username and Password given at the time of registration and click Log In.
TASK 2: Network Scan Vulnerabilities

For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.

FIGURE 10.22: The Nessus Log In screen

29. The Nessus HomeFeed window appears. Click OK.

FIGURE 10.23: Nessus HomeFeed subscription

30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.

To add a new policy, click Policies -> Add Policy.

FIGURE 10.24: The Nessus main screen

31. If you have an Administrator Role, you can see the Users tab, which lists all Users, their Roles, and their Last Logins.
New policies are configured using the Credentials tab.

FIGURE 10.25: The Nessus administrator view

32. To add a new policy, click Policies -> Add Policy. Fill in the General policy sections, namely Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.

WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.

FIGURE 10.26: Adding Policies

33. To configure the credentials of the new policy, click the Credentials tab shown in the left pane of Add Policy.
The most effective credentialed scans are those for which the supplied credentials have root privileges.

FIGURE 10.27: Adding Policies and setting Credentials

34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.

If you are using Kerberos, you must configure the Nessus scanner to authenticate to a KDC.

FIGURE 10.28: Adding Policies and selecting Plugins

35. To configure preferences, click the Preferences tab in the left pane of Add Policy.

36. In the Plugin field, select Database settings from the drop-down list.

37. Enter the Login details given at the time of registration.

38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.

39. Click Submit.

If the policy is successfully added, then the Nessus server displays the message.
FIGURE 10.29: Adding Policies and setting Preferences

40. A message Policy "Network Scan_Policy" was successfully added displays, as shown as follows.

FIGURE 10.30: The NetworkScan Policy

In the Add Scan window, fill in the name, type, policy, scan target, and target file.

41. Now, click Scans -> Add to open the Add Scan window.

42. Input the fields Name, Type, Policy, and Scan Target.

43. In Scan Targets, enter the IP address of your network; in this lab we are scanning 10.0.0.2.

44. Click Launch Scan at the bottom-right of the window.

Note: The IP addresses may differ in your lab environment.
Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.

FIGURE 10.31: Add Scan

45. The scan launches and starts scanning the network.

FIGURE 10.32: Scanning in progress

46. After the scan is complete, click the Reports tab.

FIGURE 10.33: Nessus Reports tab

47. Double-click Local Network to view the detailed scan report.

FIGURE 10.34: Report of the scanned target
48. Double-click any result to display a more detailed synopsis, description, security level, and solution.

If you are manually creating "nessusrc" files, there are several parameters that can be configured to specify SSH authentications.

FIGURE 10.35: Report of a scanned target

49. Click the Download Report button in the left pane.

50. You can download available reports with a .nessus extension from the drop-down list.

To stop the Nessus server, go to the Nessus Server Manager and click the Stop Nessus Server button.

FIGURE 10.36: Download Report with .nessus extension

51. Now, click Log out.

52. In the Nessus Server Manager, click Stop Nessus Server.

FIGURE 10.37: Log out Nessus

Lab Analysis

Document all the results and reports gathered during the lab.
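The .nessus report downloaded in step 50 is XML, so the documentation asked for in Lab Analysis can be produced from it directly. The following Python is an added example, not part of the lab manual or of Nessus itself; it assumes the NessusClientData_v2 layout (Report > ReportHost > ReportItem, with severity and pluginName attributes) and works on a constructed sample report embedded in the script.

```python
"""Summarize a Nessus .nessus (v2 XML) report by host and severity.

Added example for the lab, not the CEH manual's or Tenable's own code.
It assumes the NessusClientData_v2 layout: Report > ReportHost (name
attribute) > ReportItem (port, protocol, severity, pluginID, pluginName
attributes, optional <solution> child). The report text below is
constructed sample data; the host, plugin IDs and findings are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample report (not a real scan result).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Local Network">
    <ReportHost name="10.0.0.2">
      <HostProperties>
        <tag name="operating-system">Windows Server 2008</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="99001" pluginName="SMB signing not required">
        <solution>Enforce message signing in the host configuration.</solution>
      </ReportItem>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
                  pluginID="99002" pluginName="Terminal Services uses weak encryption">
        <solution>Set the encryption level to High or FIPS.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="99003" pluginName="OS identification">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Return a list of findings: one dict per ReportItem, tagged with its host."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        host_name = host.get("name")
        for item in host.findall("ReportItem"):
            solution = item.findtext("solution")
            findings.append({
                "host": host_name,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
                "solution": solution.strip() if solution else "",
            })
    return findings


def severity_summary(findings):
    """Count findings per host and severity label, e.g. {"10.0.0.2": {"High": 1, ...}}."""
    summary = {}
    for f in findings:
        label = SEVERITY_NAMES.get(f["severity"], "Unknown")
        summary.setdefault(f["host"], Counter())[label] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def actionable(findings, min_severity=2):
    """Findings at or above min_severity (default Medium), highest severity first."""
    hits = [f for f in findings if f["severity"] >= min_severity]
    return sorted(hits, key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    # To use a real download, replace SAMPLE_NESSUS with open("report.nessus").read()
    found = parse_report(SAMPLE_NESSUS)
    for host, counts in severity_summary(found).items():
        print(host, counts)
    for f in actionable(found):
        label = SEVERITY_NAMES[f["severity"]]
        print(f"{f['host']}:{f['port']}/{f['protocol']} [{label}] {f['name']} -> {f['solution']}")
```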
Tool/Utility: Nessus

Information Collected/Objectives Achieved:
    Scan Target Machine: Local Host
    Performed Scan Policy: Network Scan Policy
    Target IP Address: 10.0.0.2
    Result: Local Host vulnerabilities

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with the Security Center.

2. Determine how the Nessus license works in a VM (Virtual Machine) environment.

Internet Connection Required
[x] Yes    [ ] No

Platform Supported
[x] Classroom    [ ] iLabs
Auditing Scanning by using Global Network Inventory

Global Network Inventory is used as an audit scanner in zero deployment and agent-free environments. It scans computers by IP range, domain, single computers, or computers defined by the Global Network Inventory host file.

Lab Scenario

With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use that to compromise the entire system and other data found, and thus he or she can compromise other systems on the network. Similarly, if the attacker finds a workstation with administrative privileges with faults in that workstation's applications, they can execute arbitrary code or implant viruses to intensify the damage to the network. As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing the networks.
So, as an administrator you should make sure that services do not run as the root user, and should be cautious of patches and updates for applications from vendors or security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.

Lab Objectives

This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:

■ Use the Global Network Inventory tool
Lab Environment

To carry out the lab, you need:

■ Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner
■ You can also download the latest version of Global Network Inventory from this link: http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Global Network Inventory
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Global Network Inventory

Global Network Inventory is one of the de facto tools for security auditing and testing of firewalls and networks. It is also used to exploit Idle Scanning.

Lab Tasks

TASK 1: Scanning the network

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 11.1: Windows Server 2012 - Desktop view

2. Click the Global Network Inventory app to open the Global Network Inventory window.
Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.

FIGURE 11.2: Windows Server 2012 - Apps

3. The Global Network Inventory main window appears as shown in the following figure.

4. The Tip of the Day window also appears; click Close.

Scan only items that you need by customizing scan elements.

FIGURE 11.3: Global Network Inventory Main Window

5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.
Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.

FIGURE 11.4: Windows 2008 Virtual Machine

6. Now switch back to the Windows Server 2012 machine; a New Audit Wizard window will appear. Click Next (or, in the toolbar, select the Scan tab and click Launch audit wizard).

FIGURE 11.5: Global Network Inventory new audit wizard

7. Select IP range scan and then click Next in the Audit Scan Mode wizard.
The Audit Scan Mode page offers: Single address scan (audit a single computer), IP range scan (audit a group of computers within a single IP range), Domain scan (audit computers that are part of the same domain(s)), Host file scan (audit computers specified in the host file; the most common scenario is to audit a group of computers without auditing an IP range or a domain), and Export audit agent (audit computers using a domain login script; an audit agent is exported to a shared directory and can later be used in the domain login script).

Fully customizable layouts and color schemes on all views and reports.

FIGURE 11.6: Global Network Inventory Audit Scan Mode

8. Set an IP range scan and then click Next in the IP Range Scan wizard.

9. In the Authentication Settings wizard, select Connect as, fill in the respective credentials of your Windows Server 2008 Virtual Machine, and click Next.

Export data to HTML, XML, Microsoft Excel, and text formats. Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.
The program comes with dozens of customizable reports. New reports can be easily added through the user interface.

FIGURE 11.8: Global Network Inventory Authentication settings

10. Leave the settings as default and click Finish to complete the wizard. The final page offers the options Do not record unavailable nodes, Open scan progress dialog when scan starts, Rescan nodes that have been successfully scanned, and Rescan, but no more than once a day.

Ability to generate reports on schedule after every scan, daily, weekly, or monthly. To configure reports choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.

FIGURE 11.9: Global Network Inventory final Audit wizard

11. It displays the scanning progress in the Scan progress window.
Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for a column(s).

FIGURE 11.10: Global Network Inventory Scanning Progress

12. After completion, scanning results can be viewed as shown in the following figure.

Global Network Inventory lets you change the grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.

FIGURE 11.11: Global Network Inventory result window

13. Now select the Windows Server 2008 machine from the view results to view individual results.
The Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from the main menu and changing colors.

FIGURE 11.12: Global Network Inventory Individual machine results

14. The Scan Summary section gives you a brief summary of the machines that have been scanned.

To configure the results history level choose Scan | Results history level from the main menu and set the desired history level.

FIGURE 11.13: Global Inventory Scan Summary tab

15. The Bios section gives details of BIOS settings.
FIGURE 11.14: Global Network Inventory Bios summary tab

16. The Memory tab summarizes the memory in your scanned machine.

E-mail address: specifies the email address that people should use when sending email to you at this account. The email address must be in the format name@company, for example, someone@mycompany.com.

FIGURE 11.15: Global Network Inventory Memory tab

17. In the NetBIOS section, complete details can be viewed.
Message subject: Type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.

FIGURE 11.16: Global Network Inventory NetBIOS tab

18. The User Groups tab shows user account details with the workgroup.

Name: Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.

FIGURE 11.17: Global Network Inventory User groups section

19. The Logged on tab shows the logged-on details of the machine.
Port: Specifies the port number you connect to on your outgoing email (SMTP) server. This port number is usually 25.

FIGURE 11.18: Global Network Inventory Logged on Section

20. The Port connectors section shows the ports connected in the network.

Outgoing mail (SMTP): Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages.

FIGURE 11.19: Global Network Inventory Port connectors tab

21. The Services section gives the details of the services installed on the machine.
To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize settings as desired, and click the OK button.

FIGURE 11.20: Global Network Inventory Services Section

22. The Network Adapters section shows the Adapter IP and Adapter type.

A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password.

FIGURE 11.21: Global Network Inventory Network Adapter tab

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: Global Network Inventory

Information Collected/Objectives Achieved:

IP Scan Range: 10.0.0.1 - 10.0.0.50
Scanned IP Address: 10.0.0.7, 10.0.0.4
Result:
■ Scan summary
■ Bios
■ Memory
■ NetBIOS
■ User Group
■ Logged On
■ Port connector
■ Services
■ Network Adapter

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?
2. How can you export the Global Network agent to a shared network directory?

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs
Anonymous Browsing using Proxy Switcher

Proxy Switcher allows you to automatically execute actions based on the detected network connection.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

In the previous lab, you gathered information like scan summary, NetBIOS details, services running on a computer, etc. using Global Network Inventory.

NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified on Microsoft Windows which involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, an attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included.

As an expert penetration tester, you should follow typical security practices; to block such Internet-based attacks, block port 137 User Datagram Protocol (UDP) at the firewall. You must also understand how networks are scanned using Proxy Switcher.

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to:

■ Hide your IP address from the websites you visit
■ Proxy server switching for improved anonymous surfing
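The NetBT name-service concern described in the scenario can be checked on the wire. The following Python is added here as an example and is not part of the lab manual: it builds a constructed NetBT name query response, parses it according to the RFC 1002 header and resource-record layout, and reports any bytes that follow the last record, which is one simple check a monitor watching UDP port 137 can apply. The host name and addresses are constructed sample values.

```python
from __future__ import annotations

import socket
import struct

# Added example (not from the lab manual): parse NetBT name query responses
# (RFC 1002, UDP/137) and count the bytes that follow the last resource
# record. A well-formed positive response has none, so a non-zero count is
# the kind of anomaly a defender monitoring port 137 would want flagged.


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the suffix
    byte, then write each nibble of each byte as 'A' + nibble (32 bytes)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_name_response(trn_id: int, name: str, addrs: list[str],
                             extra: bytes = b"") -> bytes:
    """Constructed sample: a positive name query response. `extra` appends
    bytes after the answer record, simulating a datagram that carries more
    than the protocol structure accounts for."""
    header = struct.pack("!HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)  # R|AA|RD|RA, 1 answer
    rr_name = b"\x20" + encode_netbios_name(name) + b"\x00"       # 32-byte label, no scope
    rdata = b"".join(b"\x00\x00" + socket.inet_aton(a) for a in addrs)  # NB_FLAGS + IPv4
    rr = rr_name + struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata))
    return header + rr + rdata + extra


def _read_name(pkt: bytes, off: int) -> tuple[bytes, int]:
    """Read a label sequence terminated by a zero length byte."""
    labels = bytearray()
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[off]
        off += 1
        if ln == 0:
            return bytes(labels), off
        if ln & 0xC0:
            raise ValueError("compressed names not expected in NBNS")
        labels += pkt[off:off + ln]
        off += ln


def parse_nbns_name_response(pkt: bytes) -> dict:
    """Walk header, question entries and resource records; report what follows."""
    if len(pkt) < 12:
        raise ValueError("short header")
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                 # question entry: name, type, class
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an + ns + ar):       # resource record: name, type, class, ttl, rdlen, rdata
        raw_name, off = _read_name(pkt, off)
        if len(pkt) < off + 10:
            raise ValueError("truncated record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        entry = {"type": rtype, "ttl": ttl}
        if len(raw_name) == 32:
            entry["name"], entry["suffix"] = decode_netbios_name(raw_name)
        if rtype == 0x0020:             # NB record: 6-byte (NB_FLAGS, IPv4) entries
            entry["addrs"] = [socket.inet_ntoa(rdata[i + 2:i + 6])
                              for i in range(0, rdlen - 5, 6)]
        answers.append(entry)
    return {"trn_id": trn_id, "rcode": flags & 0x0F,
            "answers": answers, "trailing_bytes": len(pkt) - off}


def response_is_clean(pkt: bytes) -> bool:
    """True when the datagram is exactly the structure the protocol defines."""
    return parse_nbns_name_response(pkt)["trailing_bytes"] == 0


if __name__ == "__main__":
    good = build_nbns_name_response(0x1234, "WIN-SERVER", ["10.0.0.7"])
    padded = build_nbns_name_response(0x1234, "WIN-SERVER", ["10.0.0.7"],
                                      extra=b"\x00" * 40)  # constructed padding
    for p in (good, padded):
        print(parse_nbns_name_response(p))
```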
Lab Environment

To carry out the lab, you need:

■ Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
■ You can also download the latest version of Proxy Workbench from this link http://www.proxyswitcher.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Follow wizard-driven installation steps to install Proxy Switcher
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 15 Minutes

Overview of Proxy Switcher

Proxy Switcher allows you to automatically execute actions, based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting proxy settings for Internet Explorer, Firefox, and Opera.

Lab Tasks

Automatic change of proxy configurations (or any other action) based on network information.

1. Install Proxy Workbench in Windows Server 2012 (Host Machine).
2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
3. Follow the wizard-driven installation steps and install it in all platforms of the Windows operating system.
4. This lab will work in the CEH lab environment - on Windows Server 2012, Windows Server 2008, and Windows 7.
5. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options in the menu bar.
Often different internet connections require completely different proxy server settings and it's a real pain to change them manually.

FIGURE 12.1: Firefox options tab

6. Go to the Network tab in the Advanced profile of the Firefox Options wizard, and then click Settings.

Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera and other programs.

FIGURE 12.2: Firefox Network Settings

7. Select the Use System proxy settings radio button, and click OK.
Proxy Switcher supports the following command line options: -d: Activate direct connection

FIGURE 12.3: Firefox Connection Settings

8. Now to install Proxy Switcher Standard, follow the wizard-driven installation steps.

9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

TASK 1: Downloading Proxy Servers

FIGURE 12.4: Windows Server 2012 - Desktop view

10. Click the Proxy Switcher Standard app to open the Proxy Switcher window. OR Click Proxy Switcher from the Tray Icon list.
Proxy Switcher is free to use without limitations for personal and commercial use.

FIGURE 12.5: Windows Server 2012 - Apps

If the server becomes inaccessible Proxy Switcher will try to find a working proxy server; a reddish background will be displayed till a working proxy server is found.

FIGURE 12.6: Select Proxy Switcher

11. The Proxy List Wizard will appear as shown in the following figure; click Next.
Proxy Switcher supports LAN, dialup, VPN and other RAS connections.

FIGURE 12.7: Proxy List wizard

12. Select the Find New Servers, Rescan Servers, Recheck Dead radio button from Common Tasks, and click Finish.

Proxy switching from command line (can be used at logon to automatically set connection settings).

FIGURE 12.8: Select common tasks

13. A list of downloaded proxy servers will show in the left panel.
When Proxy Switcher is running in Keep Alive mode it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies.

FIGURE 12.9: List of downloaded Proxy Servers

14. To stop downloading the proxy servers, click the button shown in the following figure.

When the active proxy server becomes inaccessible Proxy Switcher will pick a different server from the Proxy Switcher category. If the active proxy server is currently alive the background will be green.

FIGURE 12.10: Click on Start button

15. Click Basic Anonymity in the right panel; it shows a list of downloaded proxy servers.
When running in Auto Switch mode Proxy Switcher will switch active proxy servers regularly. The switching period can be set with a slider from 5 minutes to 10 seconds.

FIGURE 12.11: Selecting downloaded Proxy server from Basic Anonymity

16. Select one proxy server from the right panel, and click the Proxy server IP address icon to switch to the selected proxy server.

In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.

FIGURE 12.12: Selecting the proxy server

17. The selected proxy server will connect, and it will show the following connection icon.
FIGURE 12.13: Successful connection of selected proxy

Starting from version 3.0 Proxy Switcher incorporates an internal proxy server. It is useful when you want to use other applications (besides Internet Explorer) that support HTTP proxy via Proxy Switcher. By default it waits for connections on localhost:3128.

18. Go to a web browser (Firefox), and type the following URL http://www.proxyswitcher.com/check.php to check the selected proxy server connectivity; if it is successfully connected, then it shows the following figure.

The check page reports: Your possible IP address is: 202.53.11.130, 192.168.1.1; Location: Unknown; Proxy Server: DETECTED; Proxy IP: 95.110.159.67; Proxy Country: Unknown.

FIGURE 12.14: Detected Proxy server

19. Open another tab in the web browser, and surf anonymously using this proxy.
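The check page in step 18 works from what the proxy adds to the request. The Python below is added here as an example and is not code from the lab or from Proxy Switcher: it shows the server-side logic, reading the forwarding headers a proxy commonly inserts, listing the possible client addresses, and classifying the request the way proxy lists do (transparent, anonymous, high anonymity). The header names are common ones, and the sample request values are constructed, reusing the addresses from the figure.

```python
import ipaddress

# Added example (not from the lab manual or Proxy Switcher): server-side
# detection of a proxied request, the logic a "proxy check" page runs.
# Header names are ones proxies commonly add; sample values below are
# constructed, reusing the addresses shown in the lab's figure.

# Headers that may carry the original client address.
CLIENT_IP_HEADERS = ("x-forwarded-for", "x-real-ip", "client-ip",
                     "x-client-ip", "forwarded")
# Headers whose presence alone shows an intermediary handled the request.
PROXY_MARKER_HEADERS = ("via", "proxy-connection", "x-proxy-id") + CLIENT_IP_HEADERS


def _ip_or_none(token: str):
    """Return a normalised IP string for a header token, or None when it is
    not an address (proxies sometimes write 'unknown' or a host name)."""
    try:
        return str(ipaddress.ip_address(token.strip().strip('"[]')))
    except ValueError:
        return None


def _ips_in_header(name: str, value: str) -> list:
    """Extract every address from one header value."""
    if name == "forwarded":
        # RFC 7239: for=1.2.3.4;proto=https, for="[2001:db8::1]", comma-separated hops
        tokens = [p.split("=", 1)[1] for elem in value.split(",")
                  for p in elem.split(";") if p.strip().lower().startswith("for=")]
    else:
        tokens = value.split(",")     # X-Forwarded-For: client, hop1, hop2
    return [ip for ip in map(_ip_or_none, tokens) if ip]


def classify_request(headers: dict, remote_addr: str) -> dict:
    """Classify the request the way proxy lists do:
    transparent     - client address leaked in a forwarding header
    anonymous       - proxy reveals itself (e.g. Via) but not the client
    high-anonymity  - no proxy trace; indistinguishable from a direct client"""
    h = {k.lower(): v for k, v in headers.items()}
    leaked = []
    for name in CLIENT_IP_HEADERS:
        for ip in _ips_in_header(name, h.get(name, "")):
            if ip not in leaked:
                leaked.append(ip)
    markers = [name for name in PROXY_MARKER_HEADERS if name in h]
    if any(ip != remote_addr for ip in leaked):
        level = "transparent"
    elif markers:
        level = "anonymous"
    else:
        level = "high-anonymity-or-direct"
    return {
        "proxy_detected": bool(markers),
        "anonymity": level,
        "proxy_ip": remote_addr if markers else None,   # the socket peer is the proxy
        "possible_client_ips": leaked or [remote_addr],
    }


if __name__ == "__main__":
    # Constructed requests arriving from peer 95.110.159.67 (the proxy IP in the figure).
    samples = [
        {"X-Forwarded-For": "202.53.11.130, 192.168.1.1", "Via": "1.1 proxy"},
        {"Via": "1.1 proxy"},
        {},
        {"Forwarded": 'for="[2001:db8::1]";proto=https'},
    ]
    for hdrs in samples:
        print(classify_request(hdrs, "95.110.159.67"))
```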
  • M o d u le 0 3 - S c a n n in g N e tw o rk s proxy server Cerca con G oogle - Mozilla Fiiefox rlc Edit yie* Histoiy Bookmark: Tools Udp | pray ic ‫- «.־‬C e r a con Google Ottecbngyour location.. ^ < wvwv gcogk.it ?hbft&g5_nf=1&pq-proxy 5wt*cr&cp^ 0&g?_<l-22t51.1t>f-taq-pro>fy‫־‬ 9 »scrvcr&pt-p8b1»- *Tu Ricerca G o o g le 03 Immagini Maps Play YouTube Mews Gmail Document! Calendar C P ‫ ־‬Gccgie * U tao proxy server A fte r th e an o n ym o u s p ro x y se rve rs h ave b eco m e Ricerca ava ila b le fo r sw itc h in g yo u c a n a ctiv a te a n y o n e to Proxy Wikipodia b e co m e in v is ib le fo r th e sites y o u v isit. Im agin■ m Maps 1 11 it.wkj ped a.org/tv k • Pioxy In informatica e telecomunica^ow un proxy 6 un programma che si mleipone tra un client ed un server farendo da trainee o neerfaccia tra 1 due host owero ... Alt/i usi del termrne Proxy Pioxy HTTP Note Voo correlate Video Public Proxy Servers - Free Proxy Server List N oe os Shopping Ptu contanuti ivwiv publicpfoxyserveis conV Tiacua questa pagina Public Proxy Server* is a free and *!dependent proxy checking system. Our service helps you to protect your Ktently and bypass surfing restrictions since 2002. Proxy Servers -Sored By Rating -Proxy Servers Sorted By Country -Useful Links Proxy Server - Pest Secure, rree. Online Proxy ItaHa Camtm localit.l wvwproxyserver com‫• '׳‬Traduci questa pagma Tho boet fin‫ ״‬Pioxy Sarvef out there* Slop soarching a proxy list for pioxies that are never fa»1 or do noi even get onl«1e Proxy Server com has you covered from ... Proxoit Cuida alia naviaazione anonima I proxy server F IG U R E 1214: S u r f u sin g P ro x y se rve r L a b A n a ly s is D o c u m e n t a ll d ie IP addresses o f live (SSL) proxy servers a n d th e c o n n e c tiv ity y o u d i s c o v e r e d d u r i n g d i e la b . 
Tool/Utility      Information Collected/Objectives Achieved
Proxy Switcher    List of available proxy servers
                  Selected Proxy Server IP Address: 95.110.159.54
                  Selected Proxy Country Name: ITALY
                  Resulted Proxy server IP Address: 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine which technologies are used for Proxy Switcher.
2. Evaluate why Proxy Switcher is not open source.
Internet Connection Required: ☑ Yes  ☐ No
Platform Supported: ☑ Classroom  ☐ iLabs
Lab 13: Daisy Chaining using Proxy Workbench

Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.

ICON KEY: Valuable information, Test your knowledge, Web exercise, Workbook review

Lab Scenario

You have learned in the previous lab how to hide your actual IP using Proxy Switcher and browse anonymously. Similarly, an attacker with malicious intent can pose as someone else using a proxy server and gather information by performing social engineering. Once an attacker gains relevant information about an individual, such as bank account details, he or she can break into that individual's bank account for online shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace the real source of attacks. As an administrator, you should be able to prevent such attacks by deploying an intrusion detection system with which you can collect network information for analysis to determine if an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Workbench.
It will teach you how to:
■ Use the Proxy Workbench tool
■ Daisy chain the Windows Host Machine and Virtual Machines

Lab Environment

To carry out the lab, you need:
■ Proxy Workbench, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
■ You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 and Windows 7 as victim (virtual machines)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Workbench
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 20 Minutes

Overview of Proxy Workbench

Proxy Workbench is a proxy server that displays its data in real time. It shows the data flowing between a web browser and a web server, and it even analyzes FTP in passive and active modes.

Security: Proxy servers provide a level of security within a network. They can help prevent security attacks, as the only way into the network from the Internet is via the proxy server.

Lab Tasks

1. Install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, Windows 7).
2. Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench.
3. You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
4. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.
5. This lab will work in the CEH lab environment on Windows Server 2012, Windows Server 2008, and Windows 7.
6. Open the Firefox browser in your Windows Server 2012 machine, click Tools, and go to Options.
[Screenshot: Firefox Tools menu with Options selected]

FIGURE 13.1: Firefox options tab

7. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.

The sockets panel shows the number of Alive socket connections that Proxy Workbench is managing. During periods of no activity this will drop back to zero.

[Screenshot: Firefox Options, Advanced, Network tab; Connection: Configure how Firefox connects to the Internet, Settings... button]

FIGURE 13.2: Firefox Network Settings
The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory. The actual amount of memory that Proxy Workbench is consuming is generally much more than this, due to the overhead of managing it.

8. Check the Manual proxy configuration option of the Connection Settings wizard.
9. Type 127.0.0.1 as the HTTP Proxy and enter the port value as 8080, check Use this proxy server for all protocols, and click OK.

[Screenshot: Connection Settings, Manual proxy configuration: HTTP Proxy 127.0.0.1, Port 8080; Use this proxy server for all protocols checked; SSL, FTP and SOCKS proxies set to 127.0.0.1:8080; No Proxy for: localhost, 127.0.0.1]

FIGURE 13.3: Firefox Connection Settings

10. While configuring, if you encounter any port error, please ignore it.
11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.

FIGURE 13.4: Windows Server 2012 - Desktop view
12. Click the Proxy Workbench app to open the Proxy Workbench window.
[Screenshot: Windows Server 2012 Apps screen showing the Proxy Workbench app]

The events panel displays the total number of events that Proxy Workbench has in memory. By clearing the data (File > Clear All Data) this will decrease to zero if there are no connections that are Alive.

FIGURE 13.5: Windows Server 2012 - Apps

13. The Proxy Workbench main window appears as shown in the following figure.

The last panel displays the current time as reported by your operating system.

[Screenshot: Proxy Workbench main window. The connection tree lists SMTP - Outgoing e-mail (25), POP3 - Incoming e-mail (110), HTTP Proxy - Web (8080), HTTPS Proxy - Secure Web (443), FTP - File Transfer Protocol (21), and Pass Through - For Testing Apps (1000). The details pane shows HTTP connections from 127.0.0.1:51199-51207 to 173.194.36.24:80, 74.125.31.106:80 and 173.194.36.21:443. The real-time data pane shows a hex dump of the request headers (User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1, Proxy-Connection: keep-alive, Host: mail.google.com). Status bar: Memory: 95 KByte, Events: 754]
FIGURE 13.6: Proxy Workbench main window

14. Go to Tools on the toolbar, and select Configure Ports.
[Screenshot: Proxy Workbench Tools menu: Save Data..., Configure Ports..., Failure Simulation..., Real Time Options...]

The "Show the real time data window" option allows the user to specify whether the real-time data pane should be displayed or not.

FIGURE 13.7: Proxy Workbench Configure Ports option

15. In the Configure Proxy Workbench wizard, select 8080 HTTP Proxy - Web in the left pane, Ports to listen on.
16. Check HTTP in the right pane, Protocol assigned to port 8080, and click Configure HTTP for port 8080.

People who benefit from Proxy Workbench:
■ Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?"
■ People who are curious about how their web browser, email client or FTP client communicates with the Internet.
■ People who are concerned about malicious programs sending sensitive information out into the Internet. The information that programs are sending can be readily identified.
■ Internet software developers who are writing programs to existing protocols. Software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol. Proxy Workbench allows developers to instantly identify protocol problems.
■ Internet software developers who are creating new protocols and developing the client and server software simultaneously. Proxy Workbench will help identify non-compliant protocol ...
■ Internet security experts will benefit from seeing the data flowing in real time. This will help them see who is doing what and when.

[Screenshot: Configure Proxy Workbench, Proxy Ports. Ports to listen on: 25 SMTP - Outgoing e-mail, 110 POP3 - Incoming e-mail, 8080 HTTP Proxy - Web, 443 HTTPS Proxy - Secure Web, 21 FTP - File Transfer Protocol, 1000 Pass Through - For Testing Apps. Protocol assigned to port 8080: HTTP checked. Buttons: Add, Delete, Configure HTTP for port 8080, Close]

FIGURE 13.8: Proxy Workbench Configuring HTTP for Port 8080

17. The HTTP Properties window appears.
Now check Connect via another proxy, enter your Windows Server 2008 virtual machine IP address in Proxy server, enter 8080 in Port, and then click OK.
[Screenshot: HTTP Properties, General tab: On the web server, connect to port (unselected); Connect via another proxy (selected); Proxy server and Port 8080 filled in]

Many people understand sockets much better than they think. When you surf the web and go to a website called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" with port number 80.

FIGURE 13.9: Proxy Workbench HTTP for Port 8080

18. Click Close in the Configure Proxy Workbench wizard after completing the configuration settings.

The real-time logging allows you to record everything Proxy Workbench does to a text file. This allows the information to be readily imported into a spreadsheet or database so that the most advanced analysis can be performed on the data.

FIGURE 13.10: Proxy Workbench Configured proxy

19. Repeat the configuration steps of Proxy Workbench from Step 11 to Step 15 in the Windows Server 2008 Virtual Machine.
20. In Windows Server 2008, type the IP address of the Windows 7 Virtual Machine.
21. Open a Firefox browser in Windows Server 2008 and browse web pages.
22. Proxy Workbench generates the traffic as shown in the following figure.

Proxy Workbench changes this. Not only is it an awesome proxy server, but you can see all of the data flowing through it, visually display a socket connection history, and save it to HTML.

23. Check the To column; it is forwarding the traffic to 10.0.0.3 (Windows Server 2008 virtual machine).

[Screenshot: Proxy Workbench on the Windows Server 2012 host; the To column shows 10.0.0.3:8080 for every HTTP connection]
FIGURE 13.11: Proxy Workbench Generated Traffic in Windows Server 2012 Host Machine

24. Now log in to the Windows Server 2008 Virtual Machine, and check the To column; it is forwarding the traffic to 10.0.0.7 (Windows 7 Virtual Machine).
[Screenshot: Proxy Workbench on the Windows Server 2008 virtual machine (10.0.0.3); the To column shows 10.0.0.7:8080 for every HTTP connection]

And now, Proxy Workbench includes connection failure simulation strategies. What this means is that you can simulate a poor network, a slow Internet, or an unresponsive server. This makes it the definitive TCP application tester.

FIGURE 13.12: Proxy Workbench Generated Traffic in Windows Server 2008 Virtual Machine
25. Select On the web server, connect to port 80 in the Windows 7 virtual machine, and click OK.

[Screenshot: HTTP Properties, General tab, with On the web server, connect to port: 80 selected]

It allows you to "see" how your email client communicates with the email server, how web pages are delivered to your browser, and why your FTP client is not connecting to its server.

FIGURE 13.13: Configuring HTTP properties in Windows 7

26. Now check the traffic in 10.0.0.7 (Windows 7 Virtual Machine); the To column shows the traffic generated by the different websites browsed in Windows Server 2008.

[Screenshot: Proxy Workbench on Windows 7 (10.0.0.7); HTTP connections from 10.0.0.3 to various web servers on port 80]
In the Connection Tree, if a protocol or a client/server pair is selected, the Details Pane displays the summary information of all of the socket connections that are in progress for the selected item on the Connection Tree.
FIGURE 13.14: Proxy Workbench Generated Traffic in Windows 7 Virtual Machine

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
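To make the daisy chain concrete, here is an added Python example. It is not Proxy Workbench's own code (the tool is closed source and the lab does not show its internals); it models what each hop in the chain does. It takes a browser request as sent to a configured proxy, applies the two choices from the HTTP Properties dialog ("Connect via another proxy" versus "On the web server, connect to port"), follows the chain of "To" addresses from the 2012 host through 10.0.0.3 and 10.0.0.7 to the origin, and renders the bytes the way the real-time data pane does. The addresses and port 8080 are the lab's; the request bytes, the SAMPLE_REQUEST and LAB_CHAIN names, and the function names are constructed for this example.

```python
"""Added example: a model of a logging HTTP proxy that can be daisy chained."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Upstream:
    """The 'Connect via another proxy' target: the next proxy in the chain."""
    host: str
    port: int


# Constructed sample request, as a browser configured with an HTTP proxy sends it
# (absolute URI in the request line); this is not captured traffic.
SAMPLE_REQUEST = (b"GET http://mail.google.com/mail?ui=2 HTTP/1.1\r\n"
                  b"Host: mail.google.com\r\nProxy-Connection: keep-alive\r\n\r\n")

# The lab's chain: 2012 host -> 2008 VM -> Windows 7 VM -> origin (None = origin).
LAB_CHAIN: Dict[str, Optional[str]] = {
    "127.0.0.1:8080": "10.0.0.3:8080",
    "10.0.0.3:8080": "10.0.0.7:8080",
    "10.0.0.7:8080": None,
}


def parse_proxy_request(raw: bytes) -> Tuple[str, str, int, str, str]:
    """Parse the request line a browser sends to a configured proxy.

    Plain HTTP arrives in absolute-URI form, HTTPS as CONNECT host:port.
    Returns (method, host, port, path, version).
    """
    line = raw.split(b"\r\n", 1)[0].decode("ascii")
    method, target, version = line.split(" ")
    if method == "CONNECT":
        host, _, port = target.partition(":")
        return method, host, int(port or 443), "", version
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("proxy requests must carry an absolute http:// URI")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return method, parts.hostname, parts.port or 80, path, version


def next_hop(raw: bytes, upstream: Optional[Upstream]) -> Tuple[str, int, bytes]:
    """Decide where this proxy opens its outbound socket (its 'To' column).

    upstream set  -> 'Connect via another proxy': forward the request untouched;
                     the absolute URI tells the next proxy where to go.
    upstream None -> 'On the web server, connect to port': connect to the origin
                     and rewrite the request line to origin-form (path only).
    """
    method, host, port, path, version = parse_proxy_request(raw)
    if upstream is not None:
        return upstream.host, upstream.port, raw
    if method == "CONNECT":
        # Nothing to forward: the proxy replies 200 and then relays raw bytes.
        return host, port, b""
    _head, sep, rest = raw.partition(b"\r\n")
    return host, port, f"{method} {path} {version}".encode("ascii") + sep + rest


def trace_chain(hops: Dict[str, Optional[str]], first: str, origin: str) -> List[str]:
    """Follow the 'To' addresses from the first proxy down to the origin.

    A proxy whose upstream points back into the chain would relay forever,
    so such a configuration is rejected instead of looping.
    """
    path = [first]
    while hops[path[-1]] is not None:
        nxt = hops[path[-1]]
        if nxt in path:
            raise ValueError(f"proxy chain loops back to {nxt}")
        path.append(nxt)
    return path + [origin]


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Render bytes the way the real-time data pane does: offset, hex, ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:06d}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines


if __name__ == "__main__":
    print("chain:", " -> ".join(trace_chain(LAB_CHAIN, "127.0.0.1:8080", "mail.google.com:80")))
    print("hop from 2012 host:", next_hop(SAMPLE_REQUEST, Upstream("10.0.0.3", 8080))[:2])
    print("hop from Windows 7:", next_hop(SAMPLE_REQUEST, None)[:2])
    print("\n".join(hexdump(SAMPLE_REQUEST)))
```

The point the chain makes for a defender is visible in `next_hop`: a proxy configured with an upstream passes the request on unchanged, so each machine's log only records its own neighbour as "From" and "To". Reconstructing the real client therefore requires correlating the logs of every hop (which is what `trace_chain` does from configuration), which is why the lab scenario says chained proxies make the source hard to trace.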
Tool/Utility      Information Collected/Objectives Achieved
Proxy Workbench   Proxy server Used: 10.0.0.7
                  Port scanned: 8080
                  Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine the Connection Failure - Termination and Refusal.
2. Evaluate how real-time logging records everything in Proxy Workbench.

Internet Connection Required: ☑ Yes  ☐ No
Platform Supported: ☑ Classroom  ☐ iLabs
HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that creates a transparent tunnel through a proxy server or firewall.

ICON KEY: Valuable information, Test your knowledge, Web exercise, Workbook review

Lab Scenario

Attackers are always on the hunt for clients that can be easily compromised through a network. If they can enter these networks with packets, they can perform IP spoofing attacks, Trojan attacks, registry attacks, password hijacking attacks, etc., which can damage or steal data and prove disastrous for an organization's network. The attacker can get the IP address needed for IP spoofing by capturing network traffic, as you have learned in the previous lab. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type. Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic, such as source and destination IP addresses, protocol type, header length, source and destination ports, etc., and compare these details with modeled attack signatures to determine if an attack has occurred.
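The field extraction the scenario describes is shown below as an added Python example (not part of the lab manual and not HTTPort or HTTHost code). It parses a raw IPv4/TCP packet into exactly the fields the paragraph lists (addresses, ports, flags, header lengths, checksum, TTL, protocol), verifies the IP header checksum, and compares the result against a small signature list. The packet bytes are constructed inline by `build_ipv4_tcp` using the lab's addresses 10.0.0.3 and 10.0.0.7, not captured traffic, and the three signatures are illustrative ones assumed for the example, not signatures the lab provides.

```python
"""Added example: extract IPv4/TCP header fields from a raw packet and match signatures."""
import struct
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
IP_HEADER = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
TCP_HEADER = "!HHIIHHHH"      # sport, dport, seq, ack, offset/flags, window, csum, urgent


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header.

    Over a header whose checksum field is zero it returns the value to write;
    over a header whose checksum is filled in it returns 0 when the header is intact.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   ttl: int = 64, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP packet as sample input (constructed, not captured).

    The TCP checksum is left at zero; the example verifies only the IP header.
    """
    tcp = struct.pack(TCP_HEADER, sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    hdr = struct.pack(IP_HEADER, 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp + payload


def parse_ipv4_tcp(packet: bytes) -> Dict[str, object]:
    """Pull the fields a network probe reports out of a raw IPv4 (+TCP) packet."""
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, csum, src, dst = \
        struct.unpack(IP_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info: Dict[str, object] = {
        "src_ip": str(IPv4Address(src)),
        "dst_ip": str(IPv4Address(dst)),
        "ip_header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "ip_checksum": csum,
        "ip_checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }
    if proto == 6:  # TCP
        sport, dport, _seq, _ack, off_flags, _win, tcp_csum, _urg = \
            struct.unpack(TCP_HEADER, packet[ihl:ihl + 20])
        bits = off_flags & 0xFF
        info.update({
            "src_port": sport,
            "dst_port": dport,
            "tcp_header_len": (off_flags >> 12) * 4,
            "tcp_checksum": tcp_csum,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)],
        })
    return info


# Illustrative signatures over the extracted fields (assumed for the example).
SIGNATURES: List[Tuple[str, Callable[[Dict[str, object]], bool]]] = [
    ("SYN and FIN set together", lambda p: {"SYN", "FIN"} <= set(p.get("flags", []))),
    ("no TCP flags set", lambda p: p.get("protocol") == 6 and p.get("flags") == []),
    ("IP header checksum mismatch", lambda p: not p["ip_checksum_ok"]),
]


def match_signatures(info: Dict[str, object]) -> List[str]:
    """Return the names of every signature the parsed packet matches."""
    return [name for name, pred in SIGNATURES if pred(info)]


if __name__ == "__main__":
    sample = build_ipv4_tcp("10.0.0.3", "10.0.0.7", 51201, 8080, TCP_SYN | TCP_FIN, ttl=128)
    fields = parse_ipv4_tcp(sample)
    for key, value in fields.items():
        print(f"{key:>16}: {value}")
    print("signatures:", match_signatures(fields))
```

The checksum check matters for the comparison step: a packet whose header fails verification should not be matched against signatures as if its fields were trustworthy, so the example reports the mismatch as a finding of its own rather than silently using the decoded values.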
Y o u c a n a ls o c h e c k t h e a t t a c k lo g s f o r t h e l i s t o f a t t a c k s a n d ta k e e v a s iv e a c t io n s . A ls o , y o u s h o u ld b e f a m ilia r w i t h th e H T T P can r is k s id e n tify a d d itio n a l s e c u r ity th a t t u n n e lin g te c h n iq u e b y w h ic h y o u m ay n o t be r e a d ily v is ib le by c o n d u c t in g s im p le n e t w o r k a n d v u ln e r a b ilit y s c a n n in g a n d d e t e r m in e th e e x t e n t to w h ic h a n e tw o r k ID S c a n i d e n t i f y m a lic io u s t r a f f i c w i t h i n a c o m m u n ic a t io n c h a n n e l . 111 t h i s l a b y o u w i l l l e a r n H T T P L a b O b je c t iv e s T h is la b w i l l s h o w y o u h o w and n e tw o rk s c a n b e s c a n n e d a n d h o w to use H T T P ort H T T H o st L a b 11d i e 1 C E H Lab M anual Page 221 T u n n e lin g u s in g H T T P o r t . E n v ir o n m e n t la b , v o u n e e d d ie H T T P o r t to o l. E th ic a l H ackin g and Counterm easures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.
■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort
■ You can also download the latest version of HTTPort from the link http://www.targeted.org/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Install HTTHost on the Windows Server 2008 Virtual Machine
■ Install HTTPort on the Windows Server 2012 Host Machine
■ Follow the wizard-driven installation steps and install it
■ Administrative privileges are required to run this tool
■ This lab might not work if the remote server filters/blocks HTTP tunneling packets

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 20 Minutes

Overview of HTTPort

HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, firewalls, and transparent accelerators.

Lab Tasks

TASK 1: Stopping IIS Services

1. Before running the tool you need to stop the IIS Admin Service and the World Wide Web Publishing Service on the Windows Server 2008 virtual machine.
2. Go to Administrative Privileges -> Services, right-click IIS Admin Service, and click the Stop option.
FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008

3. Go to Administrative Privileges -> Services, right-click World Wide Web Publishing Service, and click the Stop option.

Note: It bypasses HTTP and HTTPS proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008

Note: It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.

4. Open the mapped network drive "CEH-Tools" Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost
5. Open the HTTHost folder and double-click htthost.exe.
6. The HTTHost wizard will open; select the Options tab.
7. On the Options tab, set all the settings to default except the Personal Password field, which should be filled in with any other password. In this lab, the personal password is "magic".
8. Check the Revalidate DNS names and Log Connections options and click Apply.

FIGURE 14.3: HTTHost Options tab (Bind listening to: 0.0.0.0, Port: 80; Bind external to: 0.0.0.0; Allow access from: 0.0.0.0; Pass through unrecognized requests to: 127.0.0.1, Port: 81; Original IP header field: X-Original-IP; Revalidate DNS names and Log connections checked)

Note: To set up HTTPort you need to point your browser to 127.0.0.1

9. Now leave HTTHost intact, and don't turn off the Windows Server 2008 Virtual Machine.
10. Now switch to the Windows Server 2012 Host Machine, and install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort by double-clicking httport3snfm.exe.

Note: HTTPort goes with the predefined mapping "External HTTP proxy" of local port

11. Follow the wizard-driven installation steps.
12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 14.4: Windows Server 2012 - Desktop view

13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.
FIGURE 14.5: Windows Server 2012 - Apps

14. The HTTPort 3.SNFM window appears as shown in the figure that follows.

FIGURE 14.6: HTTPort Main Window (tabs: System, Proxy, Port mapping, About, Register; fields: HTTP proxy to bypass, Proxy requires authentication, Misc. options with User-Agent and Bypass mode, Use personal remote host at)

Note: For each piece of software to proxy, create custom mappings, given all the addresses from which it operates. For applications that dynamically change their ports there is SOCKS4 proxy mode, in which the software will use a local SOCKS server (127.0.0.1).

15. Select the Proxy tab and enter the host name or IP address of the targeted machine (Windows Server 2008) and port number 80.
16. Here as an example: enter the targeted virtual machine IP address, and enter port 80.
17. You cannot set the Username and Password fields.
18. In the Use personal remote host at section, enter the host machine IP address and port, which should be 80.
19. Here any password could be used. Here as an example: enter the password as "magic".

Note: In a real world environment, people sometimes use a password protected proxy to let company employees access the Internet.

FIGURE 14.7: HTTPort Proxy settings window (HTTP proxy to bypass: 10.0.0.4, Port 80; Use personal remote host at: 10.0.0.4, Port 80)

20. Select the Port Mapping tab and click Add to create a New Mapping.

Note: HTTHost supports registration, but it is free and password-free - you will be issued a unique ID, with which you can contact the support team and ask your questions.

FIGURE 14.8: HTTPort creating a New Mapping

21. Select the New Mapping node, right-click New Mapping, and click Edit.
FIGURE 14.9: HTTPort editing to assign a mapping

22. Rename this to ftp certifiedhacker, select the Remote host node, then right-click it, click Edit, and enter ftp.certifiedhacker.com.
23. Now right-click the Remote port node, click Edit, and enter the port value 21.
24. Now right-click the Local port node, click Edit, and enter the port value 21.

Note: In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out-of-the-box because we only support a non-password protected proxy.

FIGURE 14.10: HTTPort Static TCP/IP port mapping (Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21)

25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.
FIGURE 14.11: HTTPort to start tunneling

Note: HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.

26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.
27. Check the last line; if it reads Listener listening at 0.0.0.0:80, then it is running properly.

Note: To make a data tunnel through the password protected proxy, so we can map an external website to a local port, and federate the search result.

FIGURE 14.12: HTTHost Application log section. The log reads, in part:
  MAIN: HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
  MAIN: 64 total available connection(s)
  MAIN: network started
  MAIN: RSA keys initialized
  MAIN: loading security filters...
  MAIN: loaded filter "grant.dll" (allows all connections within ...
  MAIN: loaded filter "block.dll" (denies all connections within ...
  MAIN: done, total 2 filter(s) loaded
  LISTENER: listening at 0.0.0.0:80

28. Now switch to the Windows Server 2012 host machine and turn ON the Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
30. Select Outbound Rules from the left pane of the window, and then click New Rule in the right pane of the window.

FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008

31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.

Note: Tools demonstrated in this lab are available in Z: Mapped Network Drive in Virtual Machines

FIGURE 14.14: Windows Firewall selecting a Rule Type
32. Now select All remote ports in the Protocol and Ports section, and click Next.

Note: HTTPort doesn't really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

FIGURE 14.15: Windows Firewall assigning Protocols and Ports

33. In the Action section, select the Block the connection option and click Next.

Note: You need to install htthost on a PC which is generally accessible on the Internet, typically your "home" PC. This means that if you started a Web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for htthost on home PCs
FIGURE 14.16: Windows Firewall setting an Action

34. In the Profile section, select all three options, Domain, Private, and Public, and then click Next.

Note: NAT/firewall issues: You need to enable an incoming port. For HTThost it will typically be 80 (http) or 443 (https), but any port can be used - IF the HTTP proxy at work supports it - some proxies are configured to allow only 80 and 443.

FIGURE 14.17: Windows Firewall Profile settings

35. Type Port 21 Blocked in the Name field, and click Finish.

Note: The default TCP port for an FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP
FIGURE 14.18: Windows Firewall assigning a name to Port

36. The new rule Port 21 Blocked is created as shown in the following figure.

FIGURE 14.19: Windows Firewall New rule

37. Right-click the newly created rule and select Properties.

Note: HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

FIGURE 14.20: Windows Firewall new rule properties

38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports and enter the Port number as 21.

Note: Enables you to bypass your HTTP proxy in case it blocks you from the Internet.

39. Leave the other settings as their defaults and click Apply, then click OK.
FIGURE 14.21: Firewall Port 21 Blocked Properties

Note: With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software

40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked in Windows Server 2008 by the firewall.

Note: HTTPort does neither freeze nor hang. What you are experiencing is known as "blocking operations".

FIGURE 14.22: ftp connection is blocked

41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1, and press Enter.

Note: HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The key words here are: "client" and "any software".
FIGURE 14.23: Executing ftp command

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility | Information Collected / Objectives Achieved
HTTPort | Proxy server used: 10.0.0.4; Port scanned: 80; Result: ftp 127.0.0.1 connected to 127.0.0.1

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How do you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine if software does not allow editing the address to connect to.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Basic Network Troubleshooting Using MegaPing

MegaPing is an ultimate toolkit that provides complete essential utilities for information system administrators and IT solution providers.

Lab Scenario

You have learned in the previous lab that HTTP tunneling is a technique where communications within network protocols are encapsulated using the HTTP protocol. For any companies to exist on the Internet, they require a web server. These web servers prove to be a high value target for attackers. The attacker usually exploits the WWW server running IIS and gains a command line connection to the system. Once established, the attacker uploads a precompiled version of the tunnel server (lits). With the lits HTTP server set up, the attacker then starts a client on his or her system and directs its data traffic to the SRC port of the lits running on port 80 of the host. The lits process listens on port 80, captures the traffic in HTTP headers, and forwards it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network.
MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.

Lab Objectives

This lab gives an insight into pinging to a destination address list. It teaches how to:

■ Ping a destination address list
■ Traceroute
■ Perform NetBIOS scanning
Lab Environment

To carry out the lab, you need:

■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ You can also download the latest version of MegaPing from the link http://www.magnetosoft.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows Server 2008, and Windows 7

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

PING stands for Packet Internet Groper.

Lab Duration

Time: 10 Minutes

Overview of Ping

The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any lost packets.

Lab Tasks

TASK 1: IP Scanning

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 13.1: Windows Server 2012 - Desktop view

2. Click the MegaPing app to open the MegaPing window.
FIGURE 15.2: Windows Server 2012 - Apps

3. The MegaPing main window appears, as shown in the following figure.

All scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains.

FIGURE 15.3: MegaPing main window

4. Select any one of the options from the left pane of the window.

5. Select IP scanner, and type in the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

6. You can select the IP range depending on your network.

Security scanner provides the following information: NetBIOS names, Configuration info, open TCP and UDP ports, Transports, Shares, Users, Groups, Services, Drivers, Local Drives, Sessions, Remote Time of Date, Printers.
FIGURE 15.4: MegaPing IP Scanning

7. It will list all the IP addresses under that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts.

Network utilities: DNS list host, DNS lookup name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.

FIGURE 15.5: MegaPing IP Scanning Report

TASK 2: NetBIOS Scanning

8. Select the NetBIOS Scanner from the left pane and type in the IP range in the From and To fields. In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.
MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.

FIGURE 15.6: MegaPing NetBIOS Scanning

9. The NetBIOS scan will list all the hosts with their NetBIOS names and adapter addresses.

Scan results can be saved in HTML or TXT reports, which can be used to secure your network; for example, by shutting down unnecessary ports, closing shares, etc.

FIGURE 15.7: MegaPing NetBIOS Scanning Report

10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.

TASK 3: Traceroute

11. Then, right-click and select the Traceroute option.
Other features include a multithreaded design that allows it to process any number of requests in any tool at the same time, real-time network connections status and protocols statistics, real-time process information and usage, network connections and open network files, system information, real-time network statistics, tray support, and more.

FIGURE 15.8: MegaPing Traceroute

12. It will open the Traceroute window, and will trace the IP address selected.

FIGURE 15.9: MegaPing Traceroute Report

TASK 4: Port Scanning

13. Select Port Scanner from the left pane, add www.certifiedhacker.com in the Destination Address List, and then click the Start button.

14. After clicking the Start button, it toggles to Stop.

15. It will list the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.
FIGURE 15.10: MegaPing Port Scanning Report

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility | Information Collected / Objectives Achieved
MegaPing | IP Scan Range: 10.0.0.1 – 10.0.0.254; Performed Actions: IP Scanning, NetBIOS Scanning, Traceroute, Port Scanning; Result: List of Active Hosts, NetBIOS Name, Adapter Name
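The Overview of Ping above describes the ICMP echo request/reply exchange and how round-trip time and packet loss are derived from it, and Task 1 reports each host's TTL and alive/dead status. The following is an added Python example, not MegaPing's code: it builds an echo request with the RFC 1071 checksum, validates a reply (the sample reply and its 10.0.0.x addresses are constructed for offline use), and summarises RTT and loss; the live ping() uses a raw socket and so, like MegaPing, needs administrative privileges.

```python
"""ICMP echo (ping) on the wire: build an echo request, validate an echo reply,
and derive round-trip time and loss statistics. Added example, not MegaPing code."""
import os
import socket
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail zero-padded).
    Run over a packet that already carries its checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, seq: int, payload: bytes) -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, seq)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, chk, identifier, seq) + payload


def parse_echo_reply(datagram: bytes, expected_id: int):
    """Parse a raw IPv4 datagram as a raw socket delivers it (IP header first).
    Returns (ttl, seq, payload) for a valid echo reply carrying our identifier,
    None for anything else (foreign replies, other ICMP types, bad checksum)."""
    if len(datagram) < 20:
        return None
    ihl = (datagram[0] & 0x0F) * 4          # IP header length in bytes
    ttl = datagram[8]                        # the TTL column MegaPing reports
    icmp = datagram[ihl:]
    if len(icmp) < 8:
        return None
    icmp_type, _code, _chk, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_ECHO_REPLY or ident != expected_id:
        return None
    if icmp_checksum(icmp) != 0:             # corrupted or forged reply
        return None
    return ttl, seq, icmp[8:]


def summarize(rtts_ms):
    """rtts_ms holds one entry per probe: an RTT in ms, or None for a lost probe."""
    sent = len(rtts_ms)
    got = [r for r in rtts_ms if r is not None]
    stats = {"sent": sent, "received": len(got),
             "loss_pct": (100.0 * (sent - len(got)) / sent) if sent else 0.0}
    if got:
        stats.update(min_ms=min(got), avg_ms=sum(got) / len(got), max_ms=max(got))
    return stats


def build_sample_reply(identifier: int, seq: int, payload: bytes, ttl: int = 128) -> bytes:
    """Constructed IPv4+ICMP echo reply from 10.0.0.4 to 10.0.0.1 (the lab's
    address range) so the parser can be exercised offline; IP checksum left 0."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, identifier, seq)
    chk = icmp_checksum(hdr + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, chk, identifier, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                         socket.inet_aton("10.0.0.4"), socket.inet_aton("10.0.0.1"))
    return ip_hdr + icmp


def ping(host: str, count: int = 4, timeout: float = 1.0):
    """Live probe over a raw ICMP socket (needs administrative privileges, like
    MegaPing). Returns one RTT in ms per probe, None where the probe timed out."""
    ident = os.getpid() & 0xFFFF
    dest = socket.gethostbyname(host)
    rtts = []
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        for seq in range(1, count + 1):
            sent_at = time.perf_counter()
            s.sendto(build_echo_request(ident, seq, b"MegaPingLab"), (dest, 0))
            rtt = None
            while time.perf_counter() - sent_at < timeout:
                try:
                    data, _ = s.recvfrom(1500)
                except socket.timeout:
                    break
                parsed = parse_echo_reply(data, ident)
                if parsed and parsed[1] == seq:
                    rtt = (time.perf_counter() - sent_at) * 1000.0
                    break
            rtts.append(rtt)
    return rtts


if __name__ == "__main__":
    import sys
    print(summarize(ping(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")))
```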
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How does MegaPing detect security vulnerabilities on the network?
2. Examine the report generation of MegaPing.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
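Task 2's NetBIOS scan reports each host's NetBIOS names and adapter address; on the wire that is a NetBIOS node-status (NBSTAT) query to UDP/137 and its response, which is why a host that leaves that port reachable reveals its machine name, workgroup and MAC address to any scanner on the LAN. The following added Python example (not MegaPing's code) builds the query and parses the response; the sample response, the ADMIN-PC/WORKGROUP names and the MAC 00-15-5D-00-07-01 in it are constructed.

```python
"""NetBIOS node-status (NBSTAT) query and response: the exchange behind the
NetBIOS names and adapter address columns of a NetBIOS scan. Added example,
not MegaPing code; the sample response is constructed."""
import socket
import struct

NBSTAT = 0x0021          # question/resource type for a node status request
NBNS_PORT = 137
# NetBIOS name suffixes (16th byte of the name) and their role on a Windows host
SUFFIX = {0x00: "Workstation / Domain", 0x03: "Messenger", 0x20: "File Server",
          0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
          0x1D: "Master Browser", 0x1E: "Browser Election"}


def encode_nb_name(name: bytes) -> bytes:
    """RFC 1001 first-level encoding: pad to 16 bytes, then write each nibble as
    a letter 'A'..'P'. The wildcard "*" (NUL padded) becomes CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA."""
    out = bytearray()
    for b in name.ljust(16, b"\x00"):
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(out) + b"\x00"


def build_node_status_query(txid: int) -> bytes:
    """Header: id, flags 0 (standard query), QDCOUNT 1; question "*" of type NBSTAT."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name(b"*") + struct.pack("!HH", NBSTAT, 1)


def parse_node_status_response(data: bytes, txid: int):
    """Return {"names": [...], "adapter_address": "xx-xx-xx-xx-xx-xx"}, or None
    when the datagram is not a node-status response to our query."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an < 1:   # 0x8000 = response bit
        return None
    off = 12
    while data[off]:                 # skip the echoed, length-prefixed name
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        return None
    count = data[off]
    off += 1
    names = []
    for _ in range(count):           # entry: 15-byte name, suffix byte, 2-byte flags
        raw, suffix, nflags = struct.unpack("!15sBH", data[off:off + 18])
        off += 18
        names.append({"name": raw.rstrip(b" ").decode("ascii", "replace"),
                      "suffix": suffix, "type": SUFFIX.get(suffix, "Unknown"),
                      "group": bool(nflags & 0x8000),    # group vs unique name
                      "active": bool(nflags & 0x0400)})  # ACT flag
    mac = data[off:off + 6]          # UNIT_ID at the start of the statistics block
    return {"names": names, "adapter_address": "-".join("%02X" % b for b in mac)}


def build_sample_response(txid: int, entries, mac: bytes) -> bytes:
    """Constructed response in the layout a Windows host answers with (offline use)."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += struct.pack("!15sBH", name.encode("ascii").ljust(15), suffix, nflags)
    rdata += mac + bytes(40)         # rest of the statistics block, zeroed
    answer = encode_nb_name(b"*") + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata)) + rdata
    return header + answer


def node_status(host: str, timeout: float = 2.0):
    """Live query of one host on UDP/137, what a NetBIOS scanner does per address."""
    txid = 0x4E42
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_query(txid), (host, NBNS_PORT))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return None               # host down, or UDP/137 filtered (the desired state)
    return parse_node_status_response(data, txid)


if __name__ == "__main__":
    # Constructed sample: names and flags as a host ADMIN-PC in WORKGROUP would report.
    sample = build_sample_response(0x4E42, [("ADMIN-PC", 0x00, 0x0400),
                                            ("WORKGROUP", 0x00, 0x8400),
                                            ("ADMIN-PC", 0x20, 0x0400)],
                                   bytes.fromhex("00155D000701"))
    print(parse_node_status_response(sample, 0x4E42))
```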
Lab: Detect, Delete and Block Google Cookies Using G-Zapper

G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.

Lab Scenario

You have learned in the previous lab that the MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. It scans your entire network and provides information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. It provides detailed information about all computers and network appliances. Scan results can be saved in HTML or TXT reports, which can be used to secure your network. As an administrator, you can organize safety measures to block attackers from intruding into the network by shutting down unnecessary ports, closing shares, etc. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.
Lab Objectives

This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.

Lab Environment

To carry out the lab, you need:
■ G-Zapper, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
■ You can also download the latest version of G-Zapper from the link http://www.dummysoftware.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps
■ Administrative privileges to run tools
■ A computer running Windows Server 2012

Lab Duration

Time: 10 Minutes

Overview of G-Zapper

G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation.

Lab Tasks

TASK 1: Detect & Delete Google Cookies

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 16.1: Windows Server 2012 - Desktop view

2. Click the G-Zapper app to open the G-Zapper window.
G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, and Windows 7.

FIGURE 16.2: Windows Server 2012 - Apps

3. The G-Zapper main window will appear as shown in the following screenshot.

FIGURE 16.3: G-Zapper main window (in the lab screenshot the window reports: "A Google Tracking ID exists on your PC. Your Google ID (Chrome) 6b4b4d9fe5c60cc1. Google installed the cookie on Wednesday, September 05, 2012 01:54:46 AM. Your searches have been tracked for 13 hours. No Google searches found in Internet Explorer or Firefox.")

4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.
A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches.

FIGURE 16.4: Deleting search cookies (the dialog reports: "The Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com. The cookie was located at (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite")

5. To block the Google search cookie, click the Block Cookie button. A window will appear asking if you want to manually block the Google cookie. Click Yes.

The tiny tray icon runs in the background, takes up very little space, and can notify you by sound and animate when the Google cookie is blocked.

FIGURE 16.5: Block Google cookie (the prompt warns: "Gmail and other Google services will be unavailable while the cookie is manually blocked. If you use these services, we recommend not blocking the cookie and instead allow G-Zapper to regularly clean the cookie automatically. Are you sure you wish to manually block the Google cookie?")

6. It will show a message that the Google cookie has been blocked. To verify, click OK.
FIGURE 16.6: Block Google cookie (2) (the message reads: "The Google cookie has been blocked. You may now search anonymously on google.com. Click the Test Google button to verify.")

G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It's far too easy for someone using your PC to get a glimpse of what you've been searching for.

7. To test that the Google cookie has been blocked, click the Test Google button.

8. Your default web browser will now open to Google's Preferences page. Click OK.

FIGURE 16.7: Cookies disabled message (the Preferences page reports: "Your cookies seem to be disabled. Setting preferences will not work until you enable cookies in your browser.")

9. To view the deleted cookie information, click the Settings button, and in the cleaned cookies log click View Log.
You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy.

FIGURE 16.8: Viewing the deleted logs

10. The deleted cookies information opens in Notepad (cookiescleaned - Notepad):

(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM
(Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Friday, August 31, 2012 11:04:20 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Wednesday, September 05, 2012 02:52:38 PM

FIGURE 16.9: Deleted logs Report

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.
Tool/Utility: G-Zapper
Information Collected / Objectives Achieved:
Action Performed:
■ Detect the cookies
■ Delete the cookies
■ Block the cookies
Result: Deleted cookies are stored in C:\Users\Administrator\Application Data

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine how G-Zapper automatically cleans Google cookies.
2. Check to see if G-Zapper is blocking cookies on sites other than Google.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Lab
Scanning the Network Using the Colasoft Packet Builder

The Colasoft Packet Builder is a useful tool for creating custom network packets.

Lab Scenario
In the previous lab you learned how you can detect, delete, and block cookies. Attackers exploit the XSS vulnerability, which involves an attacker pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript code. The injected code can read a user's cookies and transmit those cookies to the attacker.

As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields; encoding input and output and filtering metacharacters in the input; and using a web application firewall to block the execution of malicious script. Another method of vulnerability checking is to scan a network using the Colasoft Packet Builder.
In this lab, you will learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

In this lab, you need:
■ Colasoft Packet Builder, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ You can also download the latest version of Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ.
■ A web browser with Internet connection running in the host machine

Lab Duration
Time: 10 Minutes

Overview of Colasoft Packet Builder
Colasoft Packet Builder creates and enables custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that makes it much easier to edit specific protocol field values. Users are also able to edit decoding information in two editors: Decode Editor and Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.

Lab Tasks
TASK 1: Scanning Network
1. Install and launch the Colasoft Packet Builder.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 17.1: Windows Server 2012 - Desktop view
Note: You can download Colasoft Packet Builder from http://www.colasoft.com.

3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.
FIGURE 17.2: Windows Server 2012 - Apps

4. The Colasoft Packet Builder main window appears.

Note: Operating system requirements: Windows Server 2003 and 64-bit Edition, Windows 2008 and 64-bit Edition, Windows 7 and 64-bit Edition.

FIGURE 17.3: Colasoft Packet Builder main screen

5. Before starting your task, check that the Adapter settings are set to default and then click OK.

FIGURE 17.4: Colasoft Packet Builder Adapter settings (Select Adapter dialog: Physical Address D4:BE:D9:C3:CE:2D, Link Speed 100.0 Mbps, Max Frame Size 1500 bytes, IP Address 10.0.0.7/255.255.255.0, Default Gateway 10.0.0.1, Adapter Status Operational)
6. To add or create the packet, click Add in the menu section.

Note: There are two ways to create a packet, Add and Insert. The difference between them is the newly added packet's position in the Packet List. The new packet is listed as the last packet in the list if added, but after the current packet if inserted.

FIGURE 17.5: Colasoft Packet Builder creating the packet

7. When the Add Packet dialog box pops up, you need to select the template and click OK.

Note: Colasoft Packet Builder supports the *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7/TokenPeek/AiroPeek v9/OmniPeek v9 packet files), *.dmp (TCPDUMP), and *.rawpkt (raw packet files).

FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box (Select Template: ARP Packet; Delta Time: 0.1 Second)

8. You can view the added packets list on the right-hand side of your window.

FIGURE 17.7: Colasoft Packet Builder Packet List (one packet selected; Delta Time 0.100000, Source 00:00:00:00:00:00)

9. Colasoft Packet Builder allows you to edit the decoding information in the two editors: Decode Editor and Hex Editor.
Note: Burst Mode option: If you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option.

FIGURE 17.8: Colasoft Packet Builder Decode Editor. The ARP template (Num 000001, Length 64) decodes as follows, with [offset/length] in bytes:
Ethernet Type II [0/14]: Destination Address FF:FF:FF:FF:FF:FF [0/6], Source Address 00:00:00:00:00:00 [6/6], Protocol 0x0806 (ARP) [12/2]
ARP - Address Resolution Protocol [14/28]: Hardware type 1 (Ethernet) [14/2], Protocol Type 0x0800 [16/2], Hardware Address Length 6 [18/1], Protocol Address Length 4 [19/1], Type 1 (ARP Request) [20/2], Source Physical 00:00:00:00:00:00 [22/6], Source IP 0.0.0.0 [28/4], Destination Physical 00:00:00:00:00:00 [32/6], Destination IP 0.0.0.0 [38/4]
Extra Data: Number of Bytes 18 [42/18]
FCS: 0xF577BDD9

FIGURE 17.9: Colasoft Packet Builder Hex Editor
0000  FF FF FF FF FF FF 00 00 00 00 00 00 08 06
000E  00 01 08 00 06 04 00 01 00 00 00 00 00 00
001C  00 00 00 00 00 00 00 00 00 00 00 00 00 00
002A  00 00 00 00 00 00 00 00 00 00 00 00 00 00
0038  00 00 00 00
Total 60 bytes

10. To send all packets at one time, click Send All from the menu bar.
11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.

Note: Loop Sending option: This defines the number of times the sending is repeated; one time by default. Enter zero if you want to keep sending packets until you pause or stop it manually.

FIGURE 17.10: Colasoft Packet Builder Send All button
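The Decode Editor and Hex Editor show the same ARP request at two levels: named fields with their [offset/length], and the raw 60 bytes. As an added example, not part of the lab manual or of Colasoft's software, the Python below builds that exact frame from the decoded field values, checks it against the hex dump, parses a raw frame back into the Decode Editor's fields, and reports the properties of an ARP frame that a network monitor would flag. It uses only the standard library; the second frame it examines (a broadcast reply whose Ethernet source and ARP sender MACs disagree) is constructed for this example.

```python
import struct

# Ethernet II header: destination MAC (6), source MAC (6), EtherType (2) = 14 bytes.
ETH_HDR = struct.Struct("!6s6sH")
# ARP body: hardware type, protocol type, hardware address length, protocol
# address length, opcode, sender MAC, sender IP, target MAC, target IP = 28 bytes.
# Header plus body are the [0/14] and [14/28] regions the Decode Editor labels.
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")

ETHERTYPE_ARP = 0x0806
MIN_FRAME_LEN = 60            # minimum Ethernet frame size on the wire, FCS excluded
ARP_REQUEST, ARP_REPLY = 1, 2

# The 60 bytes the lab's Hex Editor (FIGURE 17.9) shows for the ARP template.
PAGE_HEX_DUMP = (
    "FF FF FF FF FF FF 00 00 00 00 00 00 08 06 "
    "00 01 08 00 06 04 00 01 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00"
)


def mac_bytes(text):
    """'FF:FF:FF:FF:FF:FF' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def ip_bytes(text):
    """'10.0.0.7' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble Ethernet II + ARP for Ethernet/IPv4 and pad to 60 bytes."""
    frame = ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    frame += ARP_BODY.pack(1, 0x0800, 6, 4, opcode,
                           mac_bytes(sender_mac), ip_bytes(sender_ip),
                           mac_bytes(target_mac), ip_bytes(target_ip))
    # The 18 zero bytes the Decode Editor lists as "Extra Data" are this padding.
    return frame + b"\x00" * max(0, MIN_FRAME_LEN - len(frame))


def parse_arp_frame(frame):
    """Decode a raw frame into the fields the Decode Editor displays.

    Raises ValueError for anything that is not a well-formed Ethernet/IPv4 ARP
    frame, so a monitor never reads addresses out of a truncated or foreign packet.
    """
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError(f"frame too short for Ethernet+ARP: {len(frame)} bytes")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04X}")
    (hw_type, proto_type, hw_len, proto_len, opcode,
     smac, sip, tmac, tip) = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    return {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype,
        "opcode": opcode,
        "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
        "target_mac": mac_str(tmac), "target_ip": ip_str(tip),
        "extra_data": len(frame) - ETH_HDR.size - ARP_BODY.size,
    }


def arp_findings(fields):
    """Properties of a decoded ARP frame that a network monitor would report."""
    findings = []
    if fields["opcode"] not in (ARP_REQUEST, ARP_REPLY):
        findings.append(f"unknown ARP opcode {fields['opcode']}")
    if fields["src_mac"] != fields["sender_mac"]:
        findings.append("Ethernet source MAC differs from ARP sender MAC")
    if fields["sender_mac"] == "00:00:00:00:00:00":
        findings.append("all-zero sender MAC")
    if fields["opcode"] == ARP_REPLY and fields["dst_mac"] == "FF:FF:FF:FF:FF:FF":
        findings.append("ARP reply sent to the broadcast address")
    return findings


if __name__ == "__main__":
    template = bytes.fromhex(PAGE_HEX_DUMP)
    fields = parse_arp_frame(template)
    for name, value in fields.items():
        print(f"{name:>11}: {value}")
    print("findings:", arp_findings(fields))
```

The builder reproduces the lab's template byte for byte, and the parser refuses frames that are too short or carry a different EtherType before touching any address field, which is the check a packet monitor needs when the input is something an operator (or a tool like this one) crafted by hand.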
Note: Select a packet from the packet listing to activate the Send All button.

FIGURE 17.11: Colasoft Packet Builder Send All Packets

12. Click Start.

Note: The progress bar presents an overview of the sending process you are engaged in at the moment.

FIGURE 17.12: Colasoft Packet Builder Send All Packets (Options: Adapter Realtek PCIe GBE Family Controller; Burst Mode (no delay between packets); Loop Sending 1 loops (zero for infinite loop); Delay Between Loops 1000 milliseconds. Sending Information: Total Packets 1, Packets Sent 1)

13. To export the packets sent, from the File menu select File → Export → All Packets.
FIGURE 17.13: Export All Packets option

Note: Packets Sent option: This shows the number of packets sent successfully. Colasoft Packet Builder also displays the packets sent unsuccessfully, if there is a packet not sent out.

FIGURE 17.14: Select a location to save the exported file (Save as type: Colasoft Packet File (v6) (*.cscpkt))

FIGURE 17.15: Colasoft Packet Builder exporting packet (Packets.cscpkt)

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: Colasoft Packet Builder
Information Collected / Objectives Achieved:
Adapter Used: Realtek PCIe Family Controller
Selected Packet Name: ARP Packets
Result: Captured packets are saved in packets.cscpkt
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.
2. Evaluate what types of instant messages Capsa monitors.
3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab
Scanning Devices in a Network Using The Dude

The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.

Lab Scenario
In the previous lab you learned how packets can be captured using Colasoft Packet Builder. Attackers too can sniff, capture, and analyze packets from network communications and obtain specific information. The attacker can disrupt network communication between hosts and clients by modifying system configurations, or through the physical destruction of the network. As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventative measures to stop any additional unauthorized access.

In this lab you will learn to use The Dude tool to scan the devices in a network; the tool will alert you if any attack has been performed on the network.
Lab Objectives
The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.

Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To carry out the lab, you need:
■ The Dude, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click The Dude and follow the wizard-driven installation steps to install The Dude
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of The Dude
The Dude network monitor is a new application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 18.1: Windows Server 2012 - Desktop view

TASK 1: Launch The Dude
2. In the Start menu, to launch The Dude, click The Dude icon.
FIGURE 18.2: Windows Server 2012 - Start menu

3. The main window of The Dude will appear.

FIGURE 18.3: Main window of The Dude (admin@localhost - The Dude 4.0beta3)

4. Click the Discover button on the toolbar of the main window.

FIGURE 18.4: Select discover button

5. The Device Discovery window appears.
FIGURE 18.6: Device discovery window (Scan Networks: 10.0.0.0/24; Agent: default; Device Name Preference: DNS, SNMP, NETBIOS, IP; Discovery Mode: fast (scan by ping) or reliable (scan each service); Recursive Hops; Layout Map After Discovery Complete)

6. In the Device Discovery window, specify the IP range in the Scan Networks field, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, IP from the Device Name Preference drop-down list, and click Discover.

FIGURE 18.7: Selecting device name preference

7. Once the scan is complete, all the devices connected to a particular network will be displayed.
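Steps 6 and 7 configure what The Dude does during discovery: enumerate the hosts of each Scan Networks entry, decide whether each address is up (fast mode by ping, reliable mode by probing services), label it in the Device Name Preference order, and display the result. As an added example, not part of the lab or of The Dude itself, the Python below models that logic over constructed probe results and adds the check an administrator wants from the finished map: which discovered addresses are missing from the known inventory. The probe records, host names and baseline are all constructed for this example and are not lab output.

```python
import ipaddress

# Name-preference order selected in the Device Discovery dialog.
NAME_PREFERENCE = ("DNS", "SNMP", "NETBIOS", "IP")

# Constructed discovery results (not real lab output). Each record is what
# the probes for one address came back with.
PROBE_RESULTS = [
    {"ip": "10.0.0.1", "ping": True, "names": {"DNS": "gw.lab.example", "SNMP": "router"},
     "services": {"snmp": True, "ssh": True}},
    {"ip": "10.0.0.7", "ping": True, "names": {"NETBIOS": "WIN-HOST-A"},
     "services": {"smb": True}},
    # Drops ICMP, so only a service scan (reliable mode) sees it.
    {"ip": "10.0.0.9", "ping": False, "names": {"DNS": "web.lab.example"},
     "services": {"http": True}},
    # Answers ping but offers no service and has no name of any kind.
    {"ip": "10.0.0.42", "ping": True, "names": {}, "services": {}},
    # Outside the scanned subnet; must be ignored.
    {"ip": "10.1.0.5", "ping": True, "names": {"DNS": "other.lab.example"},
     "services": {"ssh": True}},
]

# Constructed inventory of addresses the administrator already knows about.
BASELINE = {"10.0.0.1", "10.0.0.7", "10.0.0.9"}


def candidate_hosts(cidr):
    """All host addresses a 'Scan Networks' entry such as 10.0.0.0/24 covers."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def pick_name(record, preference=NAME_PREFERENCE):
    """Label a device by the first name source in the preference order that answered."""
    for source in preference:
        if source == "IP":
            return record["ip"]
        value = record["names"].get(source)
        if value:
            return value
    return record["ip"]


def is_up(record, mode):
    """fast: the address replied to ping; reliable: at least one probed service answered."""
    if mode == "fast":
        return record["ping"]
    if mode == "reliable":
        return any(record["services"].values())
    raise ValueError(f"unknown discovery mode: {mode}")


def discover(records, cidr, mode="fast"):
    """Map of display name -> IP for every in-scope address found up in the given mode."""
    in_scope = set(candidate_hosts(cidr))
    return {pick_name(r): r["ip"]
            for r in records if r["ip"] in in_scope and is_up(r, mode)}


def unknown_devices(discovered, baseline):
    """Discovered addresses absent from the inventory: the ones to investigate."""
    return sorted(ip for ip in discovered.values() if ip not in baseline)


if __name__ == "__main__":
    for mode in ("fast", "reliable"):
        found = discover(PROBE_RESULTS, "10.0.0.0/24", mode)
        print(f"{mode}: {found}")
        print(f"  not in baseline: {unknown_devices(found, BASELINE)}")
```

Running both modes on the same records shows why the dialog offers a choice: fast mode finds the unknown ping-only host 10.0.0.42 but misses the web server that drops ICMP, while reliable mode does the reverse. A map built from one mode alone is not a complete inventory.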
FIGURE 18.8: Overview of network connection

8. Select a device and place the mouse cursor on it to display the detailed information about that device.

FIGURE 18.9: Detailed information of the device

9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.
FIGURE 18.10: Selecting Local information

10. Select options from the drop-down list to view complete information.

FIGURE 18.11: Scanned network complete information
11. As described previously, you may select all the other options from the drop-down list to view the respective information.
12. Once scanning is complete, click the disconnect button.

FIGURE 18.12: Connection of system in network

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: The Dude
Information Collected / Objectives Achieved:
IP Address Range: 10.0.0.0 to 10.0.0.24
Device Name Preferences: DNS, SNMP, NETBIOS, IP
Output: List of connected systems and devices in the network
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs