CEH Lab Manual
Scanning Networks
Module 03
[Slide previews, truncated. Labs shown: Scanning a Target Network; Scanning System and Network Resources Using Advanced IP Scanner; Banner Grabbing to Determine a Remote Target System Using ID Serve; Fingerprinting Open Ports Using the Amap Tool; Monitoring TCP/IP Connections Using the CurrPorts; Scanning for Network Vulnerabilities Using the GFI LanGuard 2012; Exploring and Auditing a Network Using Nmap (Zenmap GUI).]
Transcript of "Ceh v8 labs module 03 scanning networks"

  1. CEH Lab Manual: Scanning Networks, Module 03
  2. Module 03 - Scanning Networks
     Scanning a Target Network
     Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.
     Lab Scenario
     Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing, list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP/hostname, live hosts, and vulnerabilities.
     Lab Objectives
     The objective of this lab is to help students conduct network scanning, analyze the network's vulnerabilities, and maintain a secure network. You need to perform a network scan to:
     ■ Check live systems and open ports
     ■ Perform banner grabbing and OS fingerprinting
     ■ Identify network vulnerabilities
     ■ Draw network diagrams of vulnerable hosts
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
     Lab Environment
     In the lab, you need:
     ■ A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
     ■ A web browser
     ■ Administrative privileges to run tools and perform scans
     Lab Duration
     Time: 50 Minutes
     Overview of Scanning Networks
     Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
     CEH Lab Manual Page 85. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.
     For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or, possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.
     Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment. In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.
     Lab Tasks
     TASK 1: Overview
     Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
     Recommended labs to assist you in scanning networks:
     ■ Scanning System and Network Resources Using Advanced IP Scanner
     ■ Banner Grabbing to Determine a Remote Target System Using ID Serve
     ■ Fingerprint Open Ports for Running Applications Using the Amap Tool
     ■ Monitor TCP/IP Connections Using the CurrPorts Tool
     ■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
     ■ Explore and Audit a Network Using Nmap
     ■ Scanning a Network Using the NetScan Tools Pro
     ■ Drawing Network Diagrams Using LANSurveyor
     ■ Mapping a Network Using the Friendly Pinger
     ■ Scanning a Network Using the Nessus Tool
     ■ Auditing Scanning by Using Global Network Inventory
     ■ Anonymous Browsing Using Proxy Switcher
     Ensure you have ready a copy of the additional readings handed out for this lab.
  4. ■ Daisy Chaining Using Proxy Workbench
     ■ HTTP Tunneling Using HTTPort
     ■ Basic Network Troubleshooting Using the MegaPing
     ■ Detect, Delete and Block Google Cookies Using G-Zapper
     ■ Scanning the Network Using the Colasoft Packet Builder
     ■ Scanning Devices in a Network Using The Dude
     Lab Analysis
     Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  5. Scanning System and Network Resources Using Advanced IP Scanner
     Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.
     Lab Scenario
     In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.
     Lab Objectives
     The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:
     ■ Perform a system and network scan
     ■ Enumerate user accounts
     ■ Execute remote penetration
     ■ Gather information about local network computers
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
     Lab Environment
     In the lab, you need:
     ■ Advanced IP Scanner, located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
     ■ You can also download the latest version of Advanced IP Scanner from http://www.advanced-ip-scanner.com
  6. Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).
     ■ If you decide to download the latest version, then the screenshots shown in the lab might differ
     ■ A computer running Windows 8 as the attacker (host machine)
     ■ Another computer running Windows Server 2008 as the victim (virtual machine)
     ■ A web browser with Internet access
     ■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
     ■ Administrative privileges to run this tool
     Lab Duration
     Time: 20 Minutes
     Overview of Network Scanning
     Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. The gathered information helps in determining threats and vulnerabilities in a network and in knowing whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.
     Lab Tasks
     TASK 1: Launching Advanced IP Scanner
     1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop (Windows 8).
     FIGURE 1.1: Windows 8 - Desktop view
     2. Click Advanced IP Scanner from the Start menu in the attacker machine.
  7. FIGURE 1.2: Windows 8 - Apps
     With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.
     3. The Advanced IP Scanner main window appears.
     You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.
     FIGURE 1.3: The Advanced IP Scanner main window
     4. Now launch the Windows Server 2008 virtual machine (victim's machine).
  8. You have to guess a range of IP addresses for the victim machine.
     FIGURE 1.4: The victim machine, Windows Server 2008
     Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.
     5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.
     6. Click the Scan button to start the scan. The status of the scan is shown at the bottom left side of the window.
     7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
  9. Lists of computers: saving and loading enable you to perform operations with a specific list of computers. Just save a list of the machines you need and Advanced IP Scanner loads it at startup automatically.
     Group operations: any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.
     FIGURE 1.6: The Advanced IP Scanner main window after scanning
     8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays its status as alive.
     TASK 2: Extract Victim's IP Address Info
     9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort shut down.
     Wake-on-LAN: you can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.
     FIGURE 1.7: The Advanced IP Scanner main window with live host list
     10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.
     11. You can forcefully Shut down, Reboot, and Abort shut down the selected victim machine/IP address.
  10. FIGURE 1.8: The Advanced IP Scanner Computer properties window
     12. Now you have the IP address, Name, and other details of the victim machine.
     13. You can also try Angry IP Scanner, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.
     Lab Analysis
     Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.
     Tool/Utility: Advanced IP Scanner
     Information Collected/Objectives Achieved: Scan Information:
     ■ IP address
     ■ System name
     ■ MAC address
     ■ NetBIOS information
     ■ Manufacturer
     ■ System status
  11. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
     Questions
     1. Examine and evaluate the IP addresses and range of IP addresses.
     Internet Connection Required: [ ] Yes [x] No
     Platform Supported: [x] Classroom [x] iLabs
  12. Banner Grabbing to Determine a Remote Target System Using ID Serve
     ID Serve is used to identify the make, model, and version of any website's server software.
     Lab Scenario
     In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer flow, SQL injection, and web application on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network, and cause server damage. Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network.
     In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.
     Lab Objectives
     The objective of this lab is to help students learn to banner grab a website and discover the applications running on it. In this lab you will learn to:
     ■ Identify the domain IP address
     ■ Identify the domain information
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
     Lab Environment
     To perform the lab you need:
     ■ ID Serve, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
  13. ■ You can also download the latest version of ID Serve from http://www.grc.com/id/idserve.htm
     ■ If you decide to download the latest version, then the screenshots shown in the lab might differ
     ■ Double-click idserve to run ID Serve
     ■ Administrative privileges to run the ID Serve tool
     ■ Run this tool on Windows Server 2012
     Lab Duration
     Time: 5 Minutes
     Overview of ID Serve
     ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.
     Lab Tasks
     TASK 1: Identify website server information
     1. Double-click idserve, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
     2. In the main window of ID Serve, shown in the following figure, select the Server Query tab.
     If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.
     FIGURE 2.1: Main window of ID Serve
     3. Enter the IP address or URL in "Enter or copy/paste an Internet server URL or IP address here:".
  14. ID Serve can accept the URL or IP as a command-line parameter.
     FIGURE 2.2: Entering the URL for query (www.certifiedhacker.com)
     4. Click Query The Server; it shows the server query processed information.
     ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.
     FIGURE 2.3: Server processed information. The query log reads: Initiating server query; Looking up IP address for domain www.certifiedhacker.com; The IP address for the domain is 202.75.54.101; Connecting to the server on standard HTTP port: 80; Connected; Requesting the server's default page; The server identified itself as Microsoft-IIS/6.0.
     Lab Analysis
     Document all the IP addresses, their running applications, and the protocols you discovered during the lab.
Tool/Utility: ID Serve

Information Collected/Objectives Achieved:
■ IP address: 202.75.54.101
■ Server Connection: Standard HTTP port: 80
■ Response headers returned from server:
    HTTP/1.1 200
    Server: Microsoft-IIS/6.0
    X-Powered-By: PHP/4.4.8
    Transfer-Encoding: chunked
    Content-Type: text/html

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine which protocols ID Serve handles.
2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
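What ID Serve does in step 4, written out as an added Python example (not code from the lab manual or from Gibson Research): connect to a web server port, request the default page, and read the greeting, which for HTTP is the response header block. The sample response bytes are constructed to mirror the headers listed in the analysis table above, and the function names are hypothetical. The same parser lets an administrator check what his or her own server discloses in the Server and X-Powered-By headers, which is the defensive use of banner grabbing.

```python
"""Banner grab of a web server in the manner of ID Serve: connect, request the
default page, and report what the response headers identify.

Added example; not code from the CEH lab manual or from the ID Serve tool.
The sample bytes are constructed from the headers in the lab's analysis table;
function names are hypothetical."""
import socket

# Constructed sample: the response headers recorded in the lab analysis table.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: PHP/4.4.8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Headers that commonly disclose make, model and version of the server stack.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response_headers(raw: bytes) -> dict:
    """Split an HTTP response into its status line and a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def identify_server(raw: bytes) -> dict:
    """Report what the response discloses, in the spirit of ID Serve's result field."""
    parsed = parse_response_headers(raw)
    hdrs = parsed["headers"]
    disclosed = {h: hdrs[h] for h in DISCLOSING_HEADERS if h in hdrs}
    return {
        "status": parsed["status"],
        "identified_as": hdrs.get("server", "(no Server header)"),
        "disclosed": disclosed,
    }


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Live query of a reachable host: request the default page and return the raw reply.
    The offline sample above does not need this function."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    report = identify_server(SAMPLE_RESPONSE)
    print("The server identified itself as:", report["identified_as"])
    for name, value in report["disclosed"].items():
        print(f"  {name}: {value}")
```

Pass the bytes returned by grab_http_banner to identify_server to run the same check against a live host; on the constructed sample the report names Microsoft-IIS/6.0 and PHP/4.4.8, exactly the two version strings the lab table records.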
Fingerprinting Open Ports Using the Amap Tool

Amap determines the applications running on each open port.

Lab Scenario

Computers communicate with each other using IP addresses, and the port number tells the receiving host which program should handle the data. A complete data transfer always contains the IP address plus the required port number. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine. In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives

The objective of this lab is to help students learn to fingerprint open ports and discover the applications running on these open ports. In this lab, you will learn to:
■ Identify the application protocols running on open port 80
■ Detect application protocols

Lab Environment

To perform the lab you need:
■ Amap, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running web services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found on the network. It is achieved by sending trigger packets and looking up the responses in a list of response strings.

Lab Tasks

TASK 1: Identify Application Protocols Running on Port 80

1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP.

2. Type amap www.certifiedhacker.com 80, and press Enter.

    D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode
    Unidentified ports: 202.75.54.101:80/tcp (total 1).
    amap v5.2 finished at 2012-08-28 12:20:53

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]

FIGURE 3.1: Amap with the host name www.certifiedhacker.com and port 80

3. You can see the specific application protocols running on the entered host name and port 80.

4. Use the IP address to check the applications running on a particular port.

5. In the command prompt, type the IP address of your local Windows Server 2008 virtual machine with a port range, for example amap 10.0.0.4 75-81, and press Enter (the IP address will be different in your network).

For Amap options, type amap -help.

6. Try scanning different websites using different port ranges, for example amap www.certifiedhacker.com 1-200.
    D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
    amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
    Protocol on 10.0.0.4:80/tcp matches http
    Protocol on 10.0.0.4:80/tcp matches http-apache-2
    Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
    Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
    Protocol on 10.0.0.4:80/tcp matches http-iis
    Protocol on 10.0.0.4:80/tcp matches webmin
    Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
    amap v5.2 finished at 2012-08-28 12:27:54

Amap compiles on all UNIX-based platforms, even MacOS X, Cygwin on Windows, ARM-Linux, and PalmOS.

FIGURE 3.2: Amap with an IP address and the port range 75-81

Lab Analysis

Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility: Amap

Information Collected/Objectives Achieved:
■ Identified open port: 80
■ Web servers: http-apache-2, http-iis, webmin
■ Unidentified ports: 10.0.0.4:75/tcp, 10.0.0.4:76/tcp, 10.0.0.4:77/tcp, 10.0.0.4:78/tcp, 10.0.0.4:79/tcp, 10.0.0.4:81/tcp
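The overview of this lab says fingerprinting works by sending trigger packets and looking up the responses in a list of response strings. The following added Python example (not Amap's code and not from the lab manual) shows that mechanism on constructed replies: a small trigger table, a table of response patterns, and a report in the style of the amap output above, including the "Unidentified ports" case for a port that answers but matches nothing. It goes beyond the page's single HTTP case by also recognising services that greet first (FTP, SMTP, SSH) from an empty trigger; the tables are a constructed subset and the helper names are hypothetical.

```python
"""Application fingerprinting as the lab describes Amap doing it: send a
trigger to each open port and match the reply against response patterns.

Added example; not code from THC Amap or from the CEH lab manual.  The
trigger and pattern tables are a constructed subset and the replies are
constructed stand-ins for live responses; helper names are hypothetical."""
import re
from typing import Dict, List, Tuple

# Constructed trigger table: what to send so that a service reveals itself.
# An empty trigger (just connect and read) suits services that greet first.
TRIGGERS = {
    "http-get": b"GET / HTTP/1.0\r\n\r\n",
    "connect": b"",
}

# Constructed response table: (protocol label, pattern, trigger that elicits it).
# Specific matches are listed before the generic "http" one, as amap reports both.
RESPONSES = [
    ("http-iis", re.compile(rb"^HTTP/1\.[01] .*\r\nServer: Microsoft-IIS", re.S), "http-get"),
    ("http-apache-2", re.compile(rb"Server: Apache/2\.", re.S), "http-get"),
    ("webmin", re.compile(rb"Server: MiniServ", re.S), "http-get"),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}", re.S), "http-get"),
    ("ftp", re.compile(rb"^220[ -].*FTP", re.S | re.I), "connect"),
    ("smtp", re.compile(rb"^220[ -].*(SMTP|ESMTP)", re.S), "connect"),
    ("ssh", re.compile(rb"^SSH-\d\.\d-", re.S), "connect"),
]

# Constructed replies keyed by (host:port, trigger name); missing or empty = no data.
SAMPLE_REPLIES = {
    ("10.0.0.4:80", "http-get"): b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n",
    ("10.0.0.4:80", "connect"): b"",
    ("10.0.0.4:25", "connect"): b"220 mail.example.test ESMTP ready\r\n",
    ("10.0.0.4:25", "http-get"): b"500 Command not understood\r\n",
    ("10.0.0.4:22", "connect"): b"SSH-2.0-OpenSSH_6.0\r\n",
    ("10.0.0.4:22", "http-get"): b"Protocol mismatch.\r\n",
    # port 8088 accepts the connection but replies with nothing we recognise
    ("10.0.0.4:8088", "connect"): b"",
    ("10.0.0.4:8088", "http-get"): b"\x00\x01\x02",
}


def match_protocols(reply: bytes, trigger: str) -> List[str]:
    """All protocol labels whose pattern (for this trigger) matches the reply."""
    return [label for label, pat, trig in RESPONSES if trig == trigger and pat.search(reply)]


def fingerprint(targets: List[str], replies: Dict[Tuple[str, str], bytes]) -> Dict[str, List[str]]:
    """Fingerprint each host:port; an empty list means 'unidentified', as amap reports it."""
    result = {}
    for target in targets:
        found: List[str] = []
        for trigger in TRIGGERS:
            reply = replies.get((target, trigger))
            if reply:
                for label in match_protocols(reply, trigger):
                    if label not in found:
                        found.append(label)
        result[target] = found
    return result


def format_report(results: Dict[str, List[str]]) -> str:
    """Render in the style of amap's 'Protocol on ...' and 'Unidentified ports' lines."""
    lines = []
    for target, labels in results.items():
        for label in labels:
            lines.append(f"Protocol on {target}/tcp matches {label}")
    unidentified = [t for t, labels in results.items() if not labels]
    if unidentified:
        ports = " ".join(f"{t}/tcp" for t in unidentified)
        lines.append(f"Unidentified ports: {ports} (total {len(unidentified)}).")
    return "\n".join(lines)


if __name__ == "__main__":
    targets = ["10.0.0.4:80", "10.0.0.4:25", "10.0.0.4:22", "10.0.0.4:8088"]
    print(format_report(fingerprint(targets, SAMPLE_REPLIES)))
```

The ordering in the response table matters: a reply that carries "Server: Microsoft-IIS" matches both the specific http-iis pattern and the generic http pattern, which is why the amap output above lists several protocol lines for the same port. A port that answers with bytes no pattern recognises ends up in the Unidentified ports line rather than being silently dropped.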
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Execute the Amap command for a host name with a port number other than 80.
2. Analyze how the Amap utility determines the applications running on different machines.
3. Use various Amap options and analyze the results.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Monitoring TCP/IP Connections Using the CurrPorts Tool

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.

Lab Scenario

In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or by disabling unnecessary services running on the computer. You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and obtain all the information in the IP and TCP headers and the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection. As an administrator, your daily task is to check the TCP/IP network connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives

The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.

In this lab, you need to:
■ Scan the system for currently opened TCP/IP and UDP ports
■ Gather information on the processes that opened them
■ List all the IP addresses of currently established connections
■ Close unwanted TCP connections and kill the process that opened the ports
Lab Environment

To perform the lab, you need:
■ CurrPorts, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool

You can download the CurrPorts tool from http://www.nirsoft.net.

Lab Duration

Time: 10 Minutes

Overview of Monitoring TCP/IP

Monitoring TCP/IP ports checks whether multiple IP connections are established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.

Lab Tasks

The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.

TASK 1: Discover TCP/IP Connections

1. Launch CurrPorts. It automatically displays the process name, ports, local and remote addresses, and their states.
FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses (columns: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name)

2. CurrPorts lists all the processes and their IDs, the protocols used, local and remote ports, local and remote IP addresses, and remote host names.

The CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.

3. To view all the reports as an HTML page, click View -> HTML Report - All Items.

In the bottom left of the CurrPorts window, the status bar displays the total number of ports and remote connections.

FIGURE 4.2: CurrPorts with the View menu open at HTML Report - All Items

4. The HTML report automatically opens in the default browser.

To check the countries of the remote IP addresses, you have to download the latest IP-to-Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.

FIGURE 4.3: The web browser displaying the CurrPorts report - All Items (TCP/UDP Ports List, created by using CurrPorts)

5. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).
CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the Log Changes option under the File menu.

By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log file name by setting the LogFilename entry in the cports.cfg file.

FIGURE 4.4: The web browser saving the CurrPorts report - All Items (File -> Save Page As...)

6. To view only the selected items as an HTML page, select the items and click View -> HTML Report - Selected Items.

The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

You can also right-click on the web page and save the report.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items (status bar: 79 Total Ports, 21 Remote Connections, 3 Selected)

7. The selected report automatically opens in the default browser.
In the Filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF).

FIGURE 4.6: The web browser displaying CurrPorts with HTML Report - Selected Items (chrome.exe and firefox.exe connections to remote port 443 in the Established state, and httpd.exe on local port 1070 in the Listening state)

The syntax of a filter string is: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range]

8. To save the generated CurrPorts report from the web browser, click File -> Save Page As... (Ctrl+S).

Command-line option: /stext <Filename> saves the list of all opened TCP/UDP ports into a regular text file.

FIGURE 4.7: The web browser saving CurrPorts with HTML Report - Selected Items

9. To view the properties of a port, select the port and click File -> Properties.
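The filter-string syntax quoted above, worked through as an added Python example that is not code from the lab manual or from NirSoft: it parses filter strings in the form [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range] and applies them to connection records like the ones CurrPorts displays. The page does not state how several filters combine, so the example assumes that a record is shown when it matches at least one include filter (if any are given) and no exclude filter, that a range is written low-high or as a single value, and that a process filter names the executable; the connection records are constructed sample data and the helper names are hypothetical.

```python
"""Evaluate CurrPorts-style filter strings against connection records.

Added example; not code from the CEH lab manual or from NirSoft.  Follows the
filter syntax quoted in the lab:
    [include|exclude]:[local|remote|both|process]:[tcp|udp|tcpudp]:[IP Range|Ports Range]
Assumed (not stated on the page): a record is shown when it matches at least one
include filter and no exclude filter; ranges are 'low-high' or a single value;
a 'process' filter names the executable.  Records are constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Connection:
    process: str
    pid: int
    protocol: str        # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str


@dataclass
class Filter:
    action: str          # include | exclude
    scope: str           # local | remote | both | process
    proto: str           # tcp | udp | tcpudp
    value: str           # IP range, port range, or process name


# Constructed sample, modelled on the CurrPorts window shown in the lab.
SAMPLE = [
    Connection("chrome.exe", 2988, "TCP", "10.0.0.7", 4119, "173.194.36.26", 80, "Established"),
    Connection("chrome.exe", 2988, "TCP", "10.0.0.7", 4148, "173.194.36.26", 443, "Established"),
    Connection("firefox.exe", 1368, "TCP", "10.0.0.7", 4166, "173.194.36.0", 443, "Established"),
    Connection("firefox.exe", 1368, "TCP", "127.0.0.1", 3981, "127.0.0.1", 3982, "Established"),
    Connection("httpd.exe", 1800, "TCP", "0.0.0.0", 1070, "0.0.0.0", 0, "Listening"),
    Connection("svchost.exe", 1012, "UDP", "10.0.0.7", 60123, "10.0.0.1", 53, ""),
    Connection("unknown.exe", 4321, "TCP", "10.0.0.7", 4500, "198.51.100.9", 80, "Established"),
]

ACTIONS = {"include", "exclude"}
SCOPES = {"local", "remote", "both", "process"}
PROTOS = {"tcp", "udp", "tcpudp"}


def parse_filters(text: str) -> List[Filter]:
    """Split on spaces, semicolons or line breaks (as the lab says) and parse each string."""
    filters = []
    for token in re.split(r"[\s;]+", text.strip()):
        if not token:
            continue
        parts = token.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"bad filter string: {token!r}")
        action, scope, proto = (p.lower() for p in parts[:3])
        if action not in ACTIONS or scope not in SCOPES or proto not in PROTOS:
            raise ValueError(f"bad filter string: {token!r}")
        filters.append(Filter(action, scope, proto, parts[3]))
    return filters


def _in_range(spec: str, addr: str, port: int) -> bool:
    """A spec containing a dot is an IP range, otherwise a port range; 'a-b' or a single value."""
    low, _, high = spec.partition("-")
    high = high or low
    if "." in low:
        ip = ipaddress.ip_address(addr)
        return ipaddress.ip_address(low) <= ip <= ipaddress.ip_address(high)
    return int(low) <= port <= int(high)


def matches(f: Filter, c: Connection) -> bool:
    """Does one filter string apply to one connection record?"""
    if f.proto != "tcpudp" and f.proto != c.protocol.lower():
        return False
    if f.scope == "process":
        return c.process.lower() == f.value.lower()
    sides = []
    if f.scope in ("local", "both"):
        sides.append((c.local_addr, c.local_port))
    if f.scope in ("remote", "both"):
        sides.append((c.remote_addr, c.remote_port))
    return any(_in_range(f.value, a, p) for a, p in sides)


def apply_filters(filter_text: str, connections: List[Connection]) -> List[Connection]:
    """Rows shown: match some include filter (when any are given) and no exclude filter."""
    filters = parse_filters(filter_text)
    includes = [f for f in filters if f.action == "include"]
    excludes = [f for f in filters if f.action == "exclude"]
    shown = []
    for c in connections:
        if includes and not any(matches(f, c) for f in includes):
            continue
        if any(matches(f, c) for f in excludes):
            continue
        shown.append(c)
    return shown


if __name__ == "__main__":
    # The filter asked for in question 1 of this lab: remote TCP port 80 and UDP port 53.
    for c in apply_filters("include:remote:tcp:80 include:remote:udp:53", SAMPLE):
        print(f"{c.process:<12} {c.pid:<5} {c.protocol} {c.local_addr}:{c.local_port} -> "
              f"{c.remote_addr}:{c.remote_port} {c.state}")
```

Two filters from this lab's questions come out directly: include:remote:tcp:80 include:remote:udp:53 keeps the web and DNS rows, and include:process:tcpudp:firefox.exe keeps only the Firefox connections. Adding exclude:process:tcpudp:chrome.exe to the first shows how an exclude filter removes rows that an include filter would otherwise display.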
Command-line option: /stab <Filename> saves the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: The CurrPorts File menu (IPNetInfo, Close Selected TCP Connections, Kill Processes Of Selected Ports, Save Selected Items, Properties, Process Properties, Log Changes, Open Log File, Clear Log File, Advanced Options, Exit) used to view the properties of a selected port

10. The Properties window appears and displays all the properties for the selected port.

11. Click OK to close the Properties window.

Command-line option: /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (horizontal).

FIGURE 4.9: The CurrPorts Properties window for the selected port (Process Name: firefox.exe, Process ID: 1368, Protocol: TCP, Local Port: 4166, Local Address: 10.0.0.7, Remote Port: 443, Remote Port Name: https, Remote Address: 173.194.36.0, Remote Host Name: bom04s01-in-f0.1e100.net, State: Established, Process Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Product Name: Firefox, Company: Mozilla Corporation, plus the File Description, File Version, Process Created On, User Name, Process Services, Process Attributes, Added On, Module Filename, Remote IP Country, and Window Title fields)
TASK 2: Close TCP Connection

12. To close a TCP connection you think is suspicious, select the process and click File -> Close Selected TCP Connections (or press Ctrl+T).

FIGURE 4.10: The CurrPorts File menu with the Close Selected TCP Connections option

TASK 3: Kill Process

13. To kill the processes of a port, select the port and click File -> Kill Processes Of Selected Ports.

FIGURE 4.11: The CurrPorts File menu with the Kill Processes Of Selected Ports option

14. To exit from the CurrPorts utility, click File -> Exit. The CurrPorts window closes.
Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (vertical).

FIGURE 4.12: The CurrPorts File menu with the Exit option

Lab Analysis

Document all the IP addresses, open ports and their running applications, and the protocols discovered during the lab.

In the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>

Tool/Utility: CurrPorts

Profile Details: Network scan for open ports

Information Collected/Objectives Achieved:
Scanned Report:
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53, and running it.
2. Analyze and evaluate the output by creating a filter that displays only the ports opened by the Firefox browser.
3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
   a. Display Established
   b. Mark Ports Of Unidentified Applications
   c. Display Items Without Remote Address
   d. Display Items With Unknown State

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Scenario

You learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool automatically marks with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items and then close the selected connections.

Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on it. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.

In this lab, you need to:
■ Perform a vulnerability scan
■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action

Note: You can download GFI LANguard from http://www.gfi.com.

Lab Environment
To perform the lab, you need:
■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LANguard Network Security Scanner
■ Registration on the GFI website (http://www.gfi.com/lannetscan) to obtain a license key
■ Complete the subscription to get an activation code; you will receive an email that contains the activation code

Note: GFI LANguard runs on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

Lab Duration
Time: 10 Minutes

Overview of Scanning a Network
As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

Note: GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
Lab Tasks
Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine, Windows Server 2012.

TASK 1: Scanning for Vulnerabilities
1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

Note: To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.
Note: The default scanning options, which provide quick access to scanning modes, are:
■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a scheduled scan

FIGURE 5.3: The GFI LANguard main window

Note: Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile

4. Click the Launch a Scan option to perform a network scan.

Note: If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.

FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option

5. The Launch a New Scan window appears:
   i. In the Scan Target option, select localhost from the drop-down list
   ii. In the Profile option, select Full Scan from the drop-down list
   iii. In the Credentials option, select currently logged on user from the drop-down list
6. Click Scan.
Note: For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

FIGURE 5.5: Selecting scan options for network scanning

7. Scanning will start; it will take some time to scan the network. See the following figure.

Note: Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After completing the scan, the scan result will show in the left panel.

Note: Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.

FIGURE 5.7: The GFI LanGuard custom scan wizard ("Scan completed!"; the summary reports the vulnerability level and the results statistics: audit operations processed, missing software updates, other vulnerabilities, and potential vulnerabilities)

9. To check the Scan Result Overview, click the IP address of the machine in the right panel.
10. It shows the Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment.

FIGURE 5.8: Selecting the Vulnerability Assessment option (when a computer has no vulnerability level yet, the panel lists the possible reasons: the scan is not finished; detection of missing patches and vulnerabilities is disabled in the scanning profile used; the credentials used do not allow the scanner to retrieve all the information required, an account with administrative privileges on the target being required; or security settings on the remote computer block the scanner's access)
11. It shows all the Vulnerability Assessment indicators by category.

Note: During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities, including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings, and outdated signatures
■ System hardware information, including connected modems and USB devices

FIGURE 5.9: List of Vulnerability Assessment categories (High Security Vulnerabilities, Medium Security Vulnerabilities, Low Security Vulnerabilities, Potential Vulnerabilities, Missing Service Packs and Update Rollups, Missing Security Updates)

12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.

Note: Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.

FIGURE 5.10: System patching status report (Missing Service Packs and Update Rollups, Missing Security Updates, Missing Non-Security Updates, Installed Security Updates, Installed Non-Security Updates)

13. Click Ports, and under this, click Open TCP Ports.
Note: A custom scan is a network audit based on parameters which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials

FIGURE 5.11: TCP/UDP Ports result (Open TCP Ports (5); the listed ports include 80 (HTTP) and 1433 (Microsoft SQL Server database), with a description of the service behind each port and of any trojan known to use it)

14. Click System Information in the right side panel; it shows all the details of the system information.
15. Click Password Policy.

Note: The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.

FIGURE 5.12: Information of Password Policy (minimum password length, minimum password age, password history, maximum password age of 42 days, and lockout settings; the System Information tree also lists Security Audit Policy (Off), Registry, NetBIOS Names, Computer, Groups, Users, Logged On Users, Sessions, Services, Processes, and Remote TOD (Time Of Day))

16. Click Groups: it shows all the groups present in the system.
Note: A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.

FIGURE 5.13: Information of Groups (the local groups on the scanned computer, such as Administrators, Guests, Distributed COM Users, IIS_IUSRS, and Performance Log Users)

Note: A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.

17. Click the Dashboard tab: it shows all the scanned network information.

Note: It is recommended to use scheduled scans:
■ To perform periodic/regular network vulnerability scans automatically, using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., auto-download and deploy missing updates)

FIGURE 5.14: Scanned report of the network (Dashboard: Entire Network - 1 computer; Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers By Operating System)

Lab Analysis
Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
Tool/Utility        Information Collected/Objectives Achieved
GFI LanGuard 2012   Vulnerability Level
                    Vulnerability Assessment
                    System Patching Status
                    Scan Results Details for Open TCP Ports
                    Scan Results Details for Password Policy
                    Dashboard - Entire Network:
                    ■ Vulnerability Level
                    ■ Security Sensors
                    ■ Most Vulnerable Computers
                    ■ Agent Status
                    ■ Vulnerability Trend Over Time
                    ■ Computer Vulnerability Distribution
                    ■ Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Lab: Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Scenario
In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.

Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerability information. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

Lab Objectives
The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime. In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
■ Record and save all scan reports
■ Compare saved results for suspicious ports

Lab Environment
To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool

Note: Zenmap works on Windows, including Windows 7 and Server 2003/2008.

Lab Duration
Time: 20 Minutes

Overview of Network Scanning
Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use, and dozens of other characteristics

Lab Tasks
Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).

TASK 1: Intense Scan
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 6.1: Windows Server 2012 - Desktop view
2. Click the Nmap-Zenmap GUI app to open the Zenmap window.

Note: Zenmap installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

FIGURE 6.2: Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears.

Note: Nmap syntax: nmap [Scan Type(s)] [Options] {target specification}. Among the port scan techniques, only one method may be used at a time, except that a UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.

FIGURE 6.3: The Zenmap main window

4. Enter the IP address of the Windows Server 2008 virtual machine (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
5. In this lab, the IP address is 10.0.0.4; it will be different in your lab environment.
6. In the Profile: field, select from the drop-down list the type of profile you want to scan with. In this lab, select Intense Scan.
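Before the Target: field is filled in, it pays to know exactly which addresses a specification will expand to: an Intense Scan against the wrong range is noisy and, on a production network, unwelcome. The following Python is an added example, not code from this lab manual or from the Nmap project. It expands the IPv4 target forms the Nmap reference guide accepts (a single address, a CIDR prefix such as 10.0.0.0/29, and octet ranges or wildcards such as 10.0.0.1-20 or 10.0.0.*) and applies an --exclude list, so the scope can be reviewed before any packet is sent. Hostnames, IPv6 and comma-separated octet lists are deliberately left out; the function names and the sample ranges are this example's own assumptions.

```python
"""Expand Nmap-style IPv4 target specifications (added example, not Nmap code).

Mirrors the target grammar documented for nmap: "10.0.0.4", "10.0.0.0/29",
"10.0.0.1-20", "10.0.0.*", plus --exclude. Like nmap, a CIDR block includes
its network and broadcast addresses, and host bits in a CIDR spec are ignored.
"""
import ipaddress
from itertools import product
from typing import Iterable, List, Set


def _octet_values(part: str) -> range:
    """Turn one dotted-quad element ("7", "1-20", "*") into the octet values it covers."""
    if part == "*":
        return range(0, 256)
    if "-" in part:
        lo, hi = (int(x) for x in part.split("-", 1))
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of bounds: {part!r}")
    return range(lo, hi + 1)


def expand_target(spec: str) -> List[str]:
    """Expand one target specification into concrete IPv4 addresses."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False tolerates set host bits, e.g. 10.0.0.4/30 covers 10.0.0.4-7
        network = ipaddress.ip_network(spec, strict=False)
        if network.version != 4:
            raise ValueError("only IPv4 is handled in this example")
        return [str(addr) for addr in network]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"unsupported target specification: {spec!r}")
    octet_ranges = [_octet_values(p) for p in parts]
    # product() varies the last octet fastest, so output is in address order
    return [".".join(map(str, quad)) for quad in product(*octet_ranges)]


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand every spec, drop --exclude matches, and de-duplicate keeping first-seen order."""
    excluded: Set[str] = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen: Set[str] = set()
    targets: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            targets.append(addr)
    return targets


if __name__ == "__main__":
    # Constructed scope: the lab VM's /29 plus a short range, minus one address.
    for addr in expand_targets(["10.0.0.0/29", "10.0.0.20-22"], exclude=["10.0.0.1"]):
        print(addr)
```

Run it with the exact strings you intend to type into Zenmap; if the count it prints surprises you, the scope is wrong, not the scanner.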
7. Click Scan to start scanning the virtual machine.

Note: While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

FIGURE 6.4: The Zenmap main window with Target and Profile entered (Command: nmap -T4 -A -v 10.0.0.4)

Note: The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open|Filtered
■ Closed|Unfiltered

8. Nmap scans the provided IP address with the Intense scan and displays the scan result below the Nmap Output tab.

Note: Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 15:35
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 15:35
    Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
    Initiating SYN Stealth Scan at 15:35
    Scanning 10.0.0.4 [1000 ports]
    Discovered open port 135/tcp on 10.0.0.4
    Discovered open port 139/tcp on 10.0.0.4
    Discovered open port 445/tcp on 10.0.0.4
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
    Discovered open port 49152/tcp on 10.0.0.4
    Discovered open port 49154/tcp on 10.0.0.4
    Discovered open port 49153/tcp on 10.0.0.4
    Discovered open port 49156/tcp on 10.0.0.4
    Discovered open port 49155/tcp on 10.0.0.4
    Discovered open port 5357/tcp on 10.0.0.4

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is complete, Nmap shows the scanned results.
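Every "Discovered open port" line above comes out of the SYN Stealth Scan phase, and each state Nmap reports is an inference from how the target (or a firewall in front of it) answered a probe, never a direct observation. The following Python is an added example, not code from the lab manual or from the Nmap project: it encodes the decision rules the Nmap reference guide gives for SYN (-sS), ACK (-sA) and UDP (-sU) probes and runs them over a constructed set of responses that imitates the 10.0.0.4 target. The port numbers, the silent and ICMP-refused ports, and the function names are assumptions made for the example; the sixth state, closed|unfiltered, only arises from the idle scan (-sI) and is not modelled.

```python
"""Derive Nmap port states from probe responses (added example, not Nmap code).

Nmap cannot see a port's state; it sends a probe and applies a fixed rule to
whatever the target, or a firewall in front of it, sends back. The rules
below follow the Nmap reference guide for SYN (-sS), ACK (-sA) and UDP (-sU)
scans and are applied to constructed responses.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# ICMP type 3 codes that Nmap reads as a filtering device in the path.
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}
ICMP_PORT_UNREACHABLE = 3  # code 3: "closed" for UDP, "filtered" for TCP SYN


@dataclass(frozen=True)
class Response:
    """One reply to one probe. Pass None instead of a Response for silence."""
    tcp_flags: Optional[str] = None   # "SYN/ACK" or "RST"
    icmp_code: Optional[int] = None   # ICMP destination-unreachable code
    udp_payload: bool = False         # the service answered with a UDP datagram


def classify(scan_type: str, resp: Optional[Response]) -> str:
    """Return the Nmap port state implied by resp for the given scan type."""
    if scan_type == "-sS":
        # Intense Scan uses this: half-open, the handshake is never completed.
        if resp is None or resp.icmp_code in ICMP_FILTERED_CODES | {ICMP_PORT_UNREACHABLE}:
            return "filtered"      # dropped, or an ICMP error came back
        if resp.tcp_flags == "SYN/ACK":
            return "open"          # a listener answered; Nmap sends RST to tear it down
        if resp.tcp_flags == "RST":
            return "closed"        # host reachable, nothing listening
    elif scan_type == "-sA":
        # ACK scan maps firewall rules; it cannot tell open from closed.
        if resp is not None and resp.tcp_flags == "RST":
            return "unfiltered"    # the ACK reached the port; open or closed is unknown
        return "filtered"          # silence or ICMP error: something in the path dropped it
    elif scan_type == "-sU":
        if resp is None:
            return "open|filtered"  # silence: open UDP services often stay quiet, so do drops
        if resp.udp_payload:
            return "open"
        if resp.icmp_code == ICMP_PORT_UNREACHABLE:
            return "closed"
        if resp.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
    raise ValueError(f"no rule for {scan_type} with {resp}")


# Constructed SYN-scan responses imitating the lab target: the SMB/RPC ports
# answer SYN/ACK, an unused port answers RST, one port is silently dropped and
# one is refused by a router with ICMP "administratively prohibited" (code 13).
SYN_RESPONSES: Dict[int, Optional[Response]] = {
    135: Response(tcp_flags="SYN/ACK"),
    139: Response(tcp_flags="SYN/ACK"),
    445: Response(tcp_flags="SYN/ACK"),
    23: Response(tcp_flags="RST"),
    3389: None,
    8080: Response(icmp_code=13),
}


def syn_scan(responses: Dict[int, Optional[Response]]) -> Dict[int, str]:
    """Classify every port in a SYN scan result set."""
    return {port: classify("-sS", resp) for port, resp in responses.items()}


def open_ports(responses: Dict[int, Optional[Response]]) -> List[int]:
    """The ports Nmap would print as 'Discovered open port N/tcp'."""
    return sorted(port for port, state in syn_scan(responses).items() if state == "open")


if __name__ == "__main__":
    for port, state in sorted(syn_scan(SYN_RESPONSES).items()):
        print(f"{port}/tcp {state}")
```

The practical lesson is in the two "filtered" cases: a silent port and a port behind a router that sends ICMP code 13 look identical in the SYN scan output, and neither tells you whether a service is listening, which is why a follow-up ACK scan (-sA) is the usual way to separate firewall policy from host state.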
Note: The options available to control target selection:
■ -iL <inputfilename>
■ -iR <num hosts>
■ --exclude <host1[,<host2>[,...]]>
■ --excludefile <exclude_file>

Note: The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS<port list> (TCP SYN Ping)
■ -PA<port list> (TCP ACK Ping)
■ -PU<port list> (UDP Ping)
■ -PY<port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO<protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1[,<server2>[,...]]> (Servers to use for reverse DNS queries)

[FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan. The rest of the output lists the open ports (139/tcp netbios-ssn, 445/tcp netbios-ssn, 5357/tcp http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) with |_http-methods: No Allow or Public header in OPTIONS response (status code 503) and |_http-title: Service Unavailable, 49152-49156/tcp msrpc Microsoft Windows RPC), MAC Address: 00:15:5D:00:07:10 (Microsoft), Device type: general purpose, Running: Microsoft Windows 7|2008, OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1, OS details: Microsoft Windows 7 or Windows Server 2008 SP1, Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012), Network Distance: 1 hop, TCP Sequence Prediction: Difficulty=263 (Good luck!), IP ID Sequence Generation: Incremental, Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows.]

10. Click the Ports/Hosts tab to display more information on the scan results.

11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.

[FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan]
Port   Protocol  State  Service      Version
135    tcp       open   msrpc        Microsoft Windows RPC
139    tcp       open   netbios-ssn
445    tcp       open   netbios-ssn
5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152  tcp       open   msrpc        Microsoft Windows RPC
49153  tcp       open   msrpc        Microsoft Windows RPC
49154  tcp       open   msrpc        Microsoft Windows RPC
49155  tcp       open   msrpc        Microsoft Windows RPC
49156  tcp       open   msrpc        Microsoft Windows RPC

CEH Lab Manual Page 126
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan profile.

Note: By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.

[FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan]

13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.

Note: By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

[FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan. Host Status: State: up; Open ports: 9; Filtered ports: 0; Closed ports: 991; Scanned ports: 1000; Uptime: 22151; Last boot: Fri Aug 24 09:27:40 2012. Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10. Operating System: Name: Microsoft Windows 7 or Windows Server 2008 SP1.]

CEH Lab Manual Page 127
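The Ports/Hosts table of step 11 and the port counts of step 13 can be rebuilt from Nmap's normal output, which is what an administrator auditing their own hosts usually has to hand. This is an added example, not part of the lab manual: a small Python parser run over a constructed sample modelled on the lab's scan of 10.0.0.4 (the sample text and the function names are the example's own).

```python
import re
from collections import Counter

# Constructed sample modelled on the lab's Nmap Output tab (nmap -T4 -A -v 10.0.0.4); not a real capture.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.0.4
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
"""

# A port line of Nmap normal output: "<port>/<proto> <state> <service> [<version>]".
# Script output lines ("|_...") and host summary lines do not match and are skipped.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$")
# Ports that share one state are folded into "Not shown: N <state> ports".
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports?")


def parse_ports(text):
    """Return the Ports/Hosts table as dicts with port, proto, state, service, version."""
    rows = []
    for m in filter(None, map(PORT_LINE.match, text.splitlines())):
        row = {k: (v or "") for k, v in m.groupdict().items()}
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def host_details(text):
    """Reproduce the Host Details counts (open/filtered/closed/scanned ports),
    including the ports Nmap folded into the "Not shown" line."""
    counts = Counter(r["state"] for r in parse_ports(text))
    for m in filter(None, map(NOT_SHOWN.match, text.splitlines())):
        counts[m.group(2)] += int(m.group(1))
    return {"open": counts["open"], "filtered": counts["filtered"],
            "closed": counts["closed"], "scanned": sum(counts.values())}
```

Running the same parser over saved scans of your own hosts and diffing the tables over time is a cheap way to notice a service that has newly become reachable.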
14. Click the Scans tab to see the scan details for the provided IP addresses.

Note: In Nmap, option -p <port ranges> means scan only specified ports.

Note: Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.

[FIGURE 6.10: The Zenmap main window with Scans tab for Intense Scan. Status: Unsaved; Command: nmap -T4 -A -v 10.0.0.4]

15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.

16. Click the http service to list all the HTTP hostnames/IP addresses, ports, and their states (Open/Closed).

[FIGURE 6.11: The Zenmap main window with Services option for Intense Scan. Hostname: 10.0.0.4; Port: 5357; Protocol: tcp; State: open; Version: Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)]

Note: In Nmap, option -F means fast (limited port) scan.

CEH Lab Manual Page 128