Dynamic Port Scanning
An integration of ARP poisoning into port scanning to dynamically spoof the source IP
Copyright © 2006 AR < [email_address] > (http://www.securebits.org)
Who am I?
AGENDA
0x10 Introduction to the Idea of DPS
0x20 Overview of Current Spoofing Techniques
0x30 Integrating ARP Poisoning into Port Scanning
0x40 1-Packet-Based TCP Stealth Scans and Their Uses
0x50 Putting It into Practice [The Tool of Trade]
0x60 DEMO
0x70 Preventing DPS in Private LANs
0x80 Conclusion
0x90 References
0xa0 Thanks & Greetings – Questions & Answers
0x10 Introduction to the Idea of DPS
0x11 Definition
Dynamic Port Scanner [DPS] integrates ARP poisoning and spoofing into port scanning to dynamically spoof the source IP of TCP or UDP scan packets. "Dynamic spoofing" means that for each TCP or UDP scan packet a new, randomly generated IP address is used as the source IP of that packet. DPS can be considered a "virtual" distributed scan, where the scan appears to come from many scanning machines. DPS is best suited for "inside" penetration testing or attack.
0x20 Overview of Current Spoofing Techniques
1] Normal Source-IP Spoofing
   # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
2] The Use of Decoys
   # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
3] Distributed Port Scanning
1] Normal Source-IP Spoofing (1)
# nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
This is the simplest of all the techniques. All the attacker needs to do is spoof the source IP of the scanning machine to any other IP, without worrying about anything else. That spoofed IP is used for all scan packets. The spoofed IP can be any valid IP address and does not have to be within the subnet range of the scanning machine.
1] Normal Source-IP Spoofing (2)
# nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
Advantages:
1- Freedom of spoofing
2- No wasted initiated packets
3- No tracing of the original scanner
Disadvantages:
1- No replies!!
2- No results!!
2] The Use of Decoys (1)
# nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
A decoy scan works by sending more than one packet per port. All of these packets carry spoofed source IPs except one, which carries the original scanner's IP address. By doing so the attacker guarantees at least one reply packet: the reply to the scan packet carrying the correct IP address. All other replies never reach the scanning machine.
2] The Use of Decoys (2)
# nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
Advantages:
1- Results are guaranteed
2- Freedom of spoofing
Disadvantages:
1- Lots of wasted traffic
2- The original scanner is logged (detection is not impossible)
3] Distributed Port Scanning (1)
A distributed scan works by dividing the scanning scope among multiple attack platforms; each platform performs a normal scan of a small range of port numbers. Although this is not a 100% spoofing mechanism, it increases the overhead for the system administrator on the other side to trace back the attacker [e.g. there could be hundreds of originating IPs]. Furthermore, those originating IPs could be compromised hosts of innocent people.
3] Distributed Port Scanning (2)
Advantages:
1- No useless traffic
2- Results are guaranteed
3- Minimized scan time
Disadvantages:
1- All scanners are logged/traced
2- Scanners must be under control
0x30 Integrating ARP Poisoning into Port Scanning
0x31 The Basic Idea
0x32 ARP-Cache Poisoning
0x33 ARP-Poisoning with Scanning
0x34 Advantages
0x35 Limitations
0x31 The Basic Idea
0x32 ARP-Cache Poisoning (Quick Lesson)
[Diagram: host 2.2.2.2 (AA:AA:AA:AA:AA:AA) sends two ARP packets to host 5.5.5.5 (BB:BB:BB:BB:BB:BB), both claiming to come from 10.10.10.10]
ARPOP_REQUEST  Src 10.10.10.10 (AA:AA:AA:AA:AA:AA)  Dst 5.5.5.5 (BB:BB:BB:BB:BB:BB)
ARPOP_REPLY    Src 10.10.10.10 (AA:AA:AA:AA:AA:AA)  Dst 5.5.5.5 (BB:BB:BB:BB:BB:BB)
Resulting ARP cache entry on 5.5.5.5: 10.10.10.10 is at AA:AA:AA:AA:AA:AA
0x33 ARP-Poisoning with Scanning: target is outside the local net
[Diagram: local net with hosts 10.1.11.5, 10.1.11.10, 10.1.11.15, 10.1.11.20; gateway 10.1.11.1 (BB:BB:BB:BB:BB:BB); scanner MAC AA:AA:AA:AA:AA:AA; target 10.1.0.74]
1] 10.1.0.74 is NOT within the local net
2] Get the gateway IP and ARP for its MAC
3] Generate a random IP (10.1.11.15)
4] Poison the gateway (2 fake ARP packets)
5] Send the scan packet
6] Wait for the response
ARPOP_REQUEST  src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.1 (BB:BB:BB:BB:BB:BB)
ARPOP_REPLY    src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.1 (BB:BB:BB:BB:BB:BB)
10.1.11.15:5678 -> 10.1.0.74:80   [SYN]
10.1.0.74:80    -> 10.1.11.15:5678 [SYN/ACK]
0x33 ARP-Poisoning with Scanning: target is within the local net
[Diagram: local net with hosts 10.1.11.5, 10.1.11.10, 10.1.11.15, 10.1.11.20; target 10.1.11.30 (BB:BB:BB:BB:BB:BB); scanner MAC AA:AA:AA:AA:AA:AA]
1] 10.1.11.30 is within the local net
3] Generate a random IP (10.1.11.15)
4] Poison the host (2 fake ARP packets)
5] Send the scan packet
6] Wait for the response
ARPOP_REQUEST  src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.30 (BB:BB:BB:BB:BB:BB)
ARPOP_REPLY    src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.30 (BB:BB:BB:BB:BB:BB)
10.1.11.15:5678 -> 10.1.11.30:80   [SYN]
10.1.11.30:80   -> 10.1.11.15:5678 [SYN/ACK]
0x33 ARP-Poisoning with Scanning (Mechanism Flowchart)
1] Generate a random source IP ("randomly-generated fake IP").
2] Is the "Target IP" within the local subnet?
   NO  -> "ARP-Poisoning IP" = "Gateway IP"
   YES -> "ARP-Poisoning IP" = "Target IP"
3] Prepare "ARP REQ" and "ARP REP" with the following data:
   S_IP:  "randomly-generated fake IP"
   D_IP:  "ARP-Poisoning IP"
   S_MAC: MAC of "Attack IP"
   D_MAC: MAC of "ARP-Poisoning IP"
4] Send the two ARP packets to "ARP-Poisoning IP".
5] Send the TCP/UDP scan packet with the following data:
   S_PORT: random port number
   D_PORT: scanned port
   S_IP:   "randomly-generated fake IP"
   D_IP:   "Target IP"
   S_MAC:  MAC of "Attack IP"
   D_MAC:  MAC of "ARP-Poisoning IP"
6] Wait for the reply.
0x33 ARP-Poisoning with Scanning (Graphical Representation)
[Figure: graphical representation of the mechanism]
0x34 Advantages
0x35 Limitations
0x40 1-Packet Based Stealth Scanning Techniques
Probe groups used by NMAP and DPS:
Group #1: SYN
Group #2: ACK
Group #3: NULL, FIN, PSH, URG, XMAS, XMAS1, XMAS2, XMAS3
Group #1: TCP SYN Scan (0x02), open port
(Flag columns on the slides read [U A P R S F]; scanner 3.3.3.3, target 3.3.3.5.)
  Probe:           3.3.3.3 -> 3.3.3.5  [SYN]
  Reply (Linux):   3.3.3.5 -> 3.3.3.3  [SYN/ACK]
  Reply (Windows): 3.3.3.5 -> 3.3.3.3  [SYN/ACK]
  Result:          OPEN (Linux), OPEN (Windows)
Group #1: TCP SYN Scan (0x02), closed port
  Probe:           3.3.3.3 -> 3.3.3.5  [SYN]
  Reply (Linux):   3.3.3.5 -> 3.3.3.3  [RST/ACK]
  Reply (Windows): 3.3.3.5 -> 3.3.3.3  [RST/ACK]
  Result:          CLOSED (Linux), CLOSED (Windows)
Group #2: TCP ACK Scan (0x10), open or closed port
  Probe:           3.3.3.3 -> 3.3.3.5  [ACK]
  Reply (Linux):   3.3.3.5 -> 3.3.3.3  [RST]
  Reply (Windows): 3.3.3.5 -> 3.3.3.3  [RST]
  Result:          UNFILTERED (Linux), UNFILTERED (Windows)
Group #2: TCP ACK Scan (0x10), open or closed port behind a filter
  Probe:           3.3.3.3 -> 3.3.3.5  [ACK]
  Reply (Linux):   none
  Reply (Windows): none
  Result:          FILTERED (Linux), FILTERED (Windows)
Group #3: NULL, FIN, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3, open port
  NULL  [_ _ _ _ _ _]   FIN   [_ _ _ _ _ F]   URG   [U _ _ _ _ _]   PSH   [_ _ P _ _ _]
  XMAS  [U _ P _ _ F]   XMAS1 [_ _ P _ _ F]   XMAS2 [U _ _ _ _ F]   XMAS3 [U _ P _ _ _]
  Probe:           3.3.3.3 -> 3.3.3.5  [NULL]
  Reply (Linux):   none
  Reply (Windows): 3.3.3.5 -> 3.3.3.3  [RST/ACK]
  Result:          OPEN | FILTERED (Linux), OPEN | CLOSED (Windows)
Group #3: NULL, FIN, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3, closed port
  NULL  [_ _ _ _ _ _]   FIN   [_ _ _ _ _ F]   URG   [U _ _ _ _ _]   PSH   [_ _ P _ _ _]
  XMAS  [U _ P _ _ F]   XMAS1 [_ _ P _ _ F]   XMAS2 [U _ _ _ _ F]   XMAS3 [U _ P _ _ _]
  Probe:           3.3.3.3 -> 3.3.3.5  [NULL]
  Reply (Linux):   3.3.3.5 -> 3.3.3.3  [RST/ACK]
  Reply (Windows): 3.3.3.5 -> 3.3.3.3  [RST/ACK]
  Result:          CLOSED (Linux), OPEN | CLOSED (Windows, which answers RST/ACK whether the port is open or closed)
Combining the probes
Example #1: ACK scan: ACK; NULL scan: no reply
            -> Operating system: Linux; port status: Open
Example #2: ACK scan: ACK; PSH scan: RST_ACK; SYN scan: SYN_ACK
            -> Operating system: Windows; port status: Open
Example #3: ACK scan: ACK; URG scan: RST_ACK; SYN scan: RST_ACK
            -> Operating system: ------; port status: Closed
Example #4: ACK scan: no reply; XMAS scan: no reply
            -> Operating system: ------; port status: Filtered
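As an added example (not code from the talk or its tool), the slides' flag notation and decision logic in Python: a parser that recognises the Group #1 to #3 probe types from a TCP header's flag byte, which is what an IDS rule for NULL/FIN/XMAS probes matches on, the single-probe verdicts from the tables above, and the combined logic of Examples #1 to #4. The 20-byte headers are constructed sample input; treating "no reply to SYN" as FILTERED is an assumption taken from nmap's behaviour, not from the slides.

```python
import struct

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Column order used on the slides: [ U A P R S F ]
ORDER = (("U", URG), ("A", ACK), ("P", PSH), ("R", RST), ("S", SYN), ("F", FIN))

# Probe flag combinations from the slides' Group #1..#3 table
PROBES = {
    SYN: "SYN", ACK: "ACK",                           # Group #1, Group #2
    0: "NULL", FIN: "FIN", URG: "URG", PSH: "PSH",    # Group #3 ...
    URG | PSH | FIN: "XMAS", PSH | FIN: "XMAS1", URG | FIN: "XMAS2", URG | PSH: "XMAS3",
}
GROUP = {"SYN": 1, "ACK": 2}   # every other probe in PROBES is Group #3


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header, no options, checksum left zero (sample input only)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)


def tcp_flags(segment):
    """Flags byte at offset 13 of the TCP header; None passes through (meaning: no reply)."""
    return None if segment is None else segment[13] & 0x3F


def flags_str(flags):
    """Render a flags byte the way the slides do, e.g. SYN|ACK -> '[_ A _ _ S _]'."""
    return "[" + " ".join(ch if flags & bit else "_" for ch, bit in ORDER) + "]"


def probe_type(segment):
    """Classify an inbound segment as one of the 1-packet probes: (name, group) or None.
    NULL/FIN/URG/PSH/XMAS* never start a legitimate connection, so an IDS can alert on them."""
    name = PROBES.get(tcp_flags(segment))
    return None if name is None else (name, GROUP.get(name, 3))


def port_state(probe, reply_flags, target_os=None):
    """Single-probe verdict from the slide tables; reply_flags None means no reply."""
    group = GROUP.get(probe, 3)
    if reply_flags is None:              # assumption for SYN: nmap reports FILTERED
        return "OPEN|FILTERED" if group == 3 else "FILTERED"
    if group == 1:                       # SYN: SYN/ACK = open, RST/ACK = closed
        return "OPEN" if reply_flags & SYN else "CLOSED"
    if group == 2:                       # ACK: any RST = unfiltered
        return "UNFILTERED"
    # Group #3 answered with RST/ACK: closed on Linux, but Windows sends RST on open ports too
    return "CLOSED" if target_os == "Linux" else "OPEN|CLOSED"


def dps_verdict(ack_reply, group3_reply, syn_reply=None):
    """Combine three probes the way the slides' Examples #1-#4 do: (guessed OS, port status)."""
    if tcp_flags(ack_reply) is None:
        return ("------", "Filtered")    # Example #4: nothing answers, a filter is in the way
    if tcp_flags(group3_reply) is None:
        return ("Linux", "Open")         # Example #1: reachable, yet silent on NULL/FIN/...
    syn = tcp_flags(syn_reply)
    if syn is not None and syn & SYN:
        return ("Windows", "Open")       # Example #2: RST/ACK to PSH but SYN/ACK to SYN
    return ("------", "Closed")          # Example #3: RST/ACK to everything


# Constructed replies from target port 80 to the scan's source port 5678
RST_ACK = build_tcp(80, 5678, RST | ACK)
SYN_ACK = build_tcp(80, 5678, SYN | ACK)
RST_ONLY = build_tcp(80, 5678, RST)


def run_examples():
    """Replay the four examples from the slides."""
    return {
        "#1": dps_verdict(RST_ONLY, None),
        "#2": dps_verdict(RST_ONLY, RST_ACK, SYN_ACK),
        "#3": dps_verdict(RST_ONLY, RST_ACK, RST_ACK),
        "#4": dps_verdict(None, None),
    }
```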
0x50 Putting it into Practice [The Tool of Trade]
Tool Usage
[Screenshot: tool usage]
Simple Network…
Scanning machine: OS: Linux; IP: 10.1.11.20; MAC: 00:03:FF:A1:A0:89
Target machine:   OS: Linux; IP: 10.1.11.81; open port: 80
Scanning…
[Screenshot: the scan in progress]
The Victim…
[Screenshot: the target's view of the scan]
TODO List…
0x60 DEMO
0x70 Preventing DPS in Private LANs
0x71 The deployment of the port-disabling feature on switches
Recent switches come with a "port-disabling" option that is triggered when malicious activity is detected on a port. Among such activities is a change in the IP address of the machine attached to that port. Since DPS requires that packets be sent with "fake" IP addresses, a switch can detect this behaviour and disable the switch port immediately. The only way to bypass such a measure is to increase the time gap between packets sent with different IP addresses: if the gap is long enough for the switch cache to time out, the attacker can still use DPS, but the scan takes much longer.
0x72 Installing the arpwatch package on the server(s)
"arpwatch" is a software package that monitors MAC/IP pairs on the network and reports any suspicious behaviour. It is always recommended that the sysadmin installs it on the different subnets to monitor MAC/IP pair changes on the network.
0x73 Configuring static ARP entries on the machines
Static ARP entries can be the best measure against ARP poisoning, but maintaining them can be a nightmare. If the network is fairly stable (i.e. changes of IPs and machines are minimal), the sysadmin can maintain a small Perl or shell script that runs once a day, probes the IP/MAC combinations of live systems and adds static entries for them on the servers located on that subnet as well as on the gateway [i.e. the router]. Although DPS can use unallocated IPs in the subnet, "arpwatch" should take care of reporting them in that case.
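The arpwatch checks from 0x72 (new station, changed ethernet address) together with a DPS-specific one, as an added example in Python that is neither the DPS tool nor arpwatch's own code: it parses raw ARP frames and counts the distinct sender IPs each MAC claims, the number the poisoning pairs from the 0x33 flowchart inflate by one per scan packet. The topology, the baseline table (standing in for the static entries of 0x73) and the threshold of two IPs per MAC are constructed assumptions.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARPOP_REQUEST, ARPOP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP frame (42 bytes); used here only as sample input."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "eth_src": mac_str(src), "sender_mac": mac_str(sha),
            "sender_ip": ip_str(spa), "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpMonitor:
    """arpwatch-style IP/MAC tracker plus a DPS-specific check: how many distinct
    sender IPs one MAC has claimed (DPS burns a fresh one per scan packet)."""

    def __init__(self, baseline, max_ips_per_mac=2):
        self.pairs = dict(baseline)            # ip -> mac, seeded like a static ARP table
        self.ips_by_mac = defaultdict(set)
        for ip, mac in baseline.items():
            self.ips_by_mac[mac].add(ip)
        self.max_ips = max_ips_per_mac
        self.flagged = set()
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.pairs.get(ip)
        if known is None:                      # arpwatch "new station"
            self.pairs[ip] = mac
            self.alerts.append(("new station", ip, mac))
        elif known != mac:                     # arpwatch "changed ethernet address"
            self.pairs[ip] = mac
            self.alerts.append(("changed mac", ip, f"{known}->{mac}"))
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > self.max_ips and mac not in self.flagged:
            self.flagged.add(mac)              # report once per offending MAC
            self.alerts.append(("mac claims many ips", mac, sorted(self.ips_by_mac[mac])))


# Constructed topology, reusing the addresses from the outside-the-LAN diagram
ATTACKER_MAC = "aa:aa:aa:aa:aa:aa"
GATEWAY_MAC = "bb:bb:bb:bb:bb:bb"
BASELINE = {"10.1.11.1": GATEWAY_MAC, "10.1.11.20": ATTACKER_MAC,
            "10.1.11.10": "cc:cc:cc:cc:cc:cc"}


def dps_poison_frames(fake_ip):
    """The two frames the flowchart sends before each scan packet: ARP request and
    ARP reply from the fake IP (but the scanner's real MAC) to the gateway."""
    return [build_arp(op, ATTACKER_MAC, fake_ip, GATEWAY_MAC, "10.1.11.1")
            for op in (ARPOP_REQUEST, ARPOP_REPLY)]


def run_demo():
    mon = ArpMonitor(BASELINE, max_ips_per_mac=2)
    # legitimate traffic: the gateway answering the scanner's own ARP request
    mon.observe(build_arp(ARPOP_REPLY, GATEWAY_MAC, "10.1.11.1", ATTACKER_MAC, "10.1.11.20"))
    # three DPS scan packets, each preceded by its poisoning pair; the third
    # "random" IP collides with a real host from the baseline
    for fake_ip in ("10.1.11.15", "10.1.11.77", "10.1.11.10"):
        for frame in dps_poison_frames(fake_ip):
            mon.observe(frame)
    return mon.alerts
```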
0x90 References
0x01 Nmap Port Scanner tool, by Fyodor. http://www.insecure.org/map
0x02 Libnet Packet Creation/Injection Platform, by Mike Schiffman. http://www.packetfactory.net/projects/libnet/
0x03 Building Open Source Network Security Tools, by Mike Schiffman.
0x04 The Art of Scanning, by Fyodor. Phrack Magazine, Volume 7, Issue 51, September 01, 1997, article 11.
0x05 libpcap: the packet capturing library. http://www.tcpdump.org/
0x06 arpwatch tool. http://ee.lbl.gov/
0x07 EtherApe: a graphical network monitor. http://etherape.sourceforge.net/
THANKS & GREETINGS

More Related Content

What's hot (20)

Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
NMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit GautamNMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit Gautam
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 
NMAP
NMAPNMAP
NMAP
 
NMap
NMapNMap
NMap
 
Scanning with nmap
Scanning with nmapScanning with nmap
Scanning with nmap
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Nmap
NmapNmap
Nmap
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Nmap
NmapNmap
Nmap
 
N map presentation
N map presentationN map presentation
N map presentation
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
 
Module 3 Scanning
Module 3   ScanningModule 3   Scanning
Module 3 Scanning
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Nmap commands
Nmap commandsNmap commands
Nmap commands
 
Nmap Basics
Nmap BasicsNmap Basics
Nmap Basics
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Nmap
NmapNmap
Nmap
 

Viewers also liked

Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANsIshraq Al Fataftah
 
Packet sniffing & ARP Poisoning
 Packet sniffing & ARP Poisoning  Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Viren Rao
 
Intro to Obj-C Design Patterns or Or how I learned to be less bad
Intro to Obj-C Design Patterns or Or how I learned to be less badIntro to Obj-C Design Patterns or Or how I learned to be less bad
Intro to Obj-C Design Patterns or Or how I learned to be less badHaris Amin
 
Automated Hacking Tools - Meet the New Rock Stars in the Cyber Underground
Automated Hacking Tools - Meet the New Rock Stars in the Cyber UndergroundAutomated Hacking Tools - Meet the New Rock Stars in the Cyber Underground
Automated Hacking Tools - Meet the New Rock Stars in the Cyber UndergroundImperva
 
Top 3 MAC Spoofing Challenges You Cannot Afford to Ignore
Top 3 MAC Spoofing Challenges You Cannot Afford to IgnoreTop 3 MAC Spoofing Challenges You Cannot Afford to Ignore
Top 3 MAC Spoofing Challenges You Cannot Afford to IgnoreGreat Bay Software
 
Countermeasures to GPS Spoofing
Countermeasures to GPS SpoofingCountermeasures to GPS Spoofing
Countermeasures to GPS SpoofingRoger Johnston
 
1unit2ndpart
1unit2ndpart1unit2ndpart
1unit2ndpartprksh89
 
Network Attacks and Countermeasures
Network Attacks and CountermeasuresNetwork Attacks and Countermeasures
Network Attacks and Countermeasureskaranwayne
 
RSA - WLAN Hacking
RSA - WLAN HackingRSA - WLAN Hacking
RSA - WLAN HackingJohn Rhoton
 
Packet sniffing in LAN
Packet sniffing in LANPacket sniffing in LAN
Packet sniffing in LANArpit Suthar
 
Intrusion prevention systems
Intrusion prevention systemsIntrusion prevention systems
Intrusion prevention systemssamis
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
Seminariode Seguridad L2
Seminariode Seguridad L2Seminariode Seguridad L2
Seminariode Seguridad L2christian nieto
 

Viewers also liked (20)

Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
Arp Cache Poisoning
Arp Cache PoisoningArp Cache Poisoning
Arp Cache Poisoning
 
Port scanning
Port scanningPort scanning
Port scanning
 
Packet sniffing & ARP Poisoning
 Packet sniffing & ARP Poisoning  Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
 
Intro to Obj-C Design Patterns or Or how I learned to be less bad
Intro to Obj-C Design Patterns or Or how I learned to be less badIntro to Obj-C Design Patterns or Or how I learned to be less bad
Intro to Obj-C Design Patterns or Or how I learned to be less bad
 
Automated Hacking Tools - Meet the New Rock Stars in the Cyber Underground
Automated Hacking Tools - Meet the New Rock Stars in the Cyber UndergroundAutomated Hacking Tools - Meet the New Rock Stars in the Cyber Underground
Automated Hacking Tools - Meet the New Rock Stars in the Cyber Underground
 
Hacking
HackingHacking
Hacking
 
Top 3 MAC Spoofing Challenges You Cannot Afford to Ignore
Top 3 MAC Spoofing Challenges You Cannot Afford to IgnoreTop 3 MAC Spoofing Challenges You Cannot Afford to Ignore
Top 3 MAC Spoofing Challenges You Cannot Afford to Ignore
 
Mac spoof avoider
Mac spoof avoiderMac spoof avoider
Mac spoof avoider
 
Countermeasures to GPS Spoofing
Countermeasures to GPS SpoofingCountermeasures to GPS Spoofing
Countermeasures to GPS Spoofing
 
1unit2ndpart
1unit2ndpart1unit2ndpart
1unit2ndpart
 
Network Attacks and Countermeasures
Network Attacks and CountermeasuresNetwork Attacks and Countermeasures
Network Attacks and Countermeasures
 
RSA - WLAN Hacking
RSA - WLAN HackingRSA - WLAN Hacking
RSA - WLAN Hacking
 
Firewall
FirewallFirewall
Firewall
 
Packet sniffing in LAN
Packet sniffing in LANPacket sniffing in LAN
Packet sniffing in LAN
 
Computer Port IT Solutions JNTU Lecture
Computer Port IT Solutions JNTU LectureComputer Port IT Solutions JNTU Lecture
Computer Port IT Solutions JNTU Lecture
 
Intrusion prevention systems
Intrusion prevention systemsIntrusion prevention systems
Intrusion prevention systems
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Computer networks protocols
Computer networks protocolsComputer networks protocols
Computer networks protocols
 
Seminariode Seguridad L2
Seminariode Seguridad L2Seminariode Seguridad L2
Seminariode Seguridad L2
 

Similar to Dynamic Port Scanning

Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
Отчет Audit report RAPID7
 Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7Sergey Yrievich
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelJinbumPark
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.pptVarunBehere1
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 
A Survey on different Port Scanning Methods and the Tools used to perform the...
A Survey on different Port Scanning Methods and the Tools used to perform the...A Survey on different Port Scanning Methods and the Tools used to perform the...
A Survey on different Port Scanning Methods and the Tools used to perform the...Naomi Hansen
 
A REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESA REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESIRJET Journal
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 MarsRémi Dubois
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Communityamiable_indian
 
Cisco Router Security
Cisco Router SecurityCisco Router Security
Cisco Router Securitykktamang
 

Similar to Dynamic Port Scanning (20)

Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
Отчет Audit report RAPID7
 Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
Day2
Day2Day2
Day2
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
 
Scanning
ScanningScanning
Scanning
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.ppt
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
A Survey on different Port Scanning Methods and the Tools used to perform the...
A Survey on different Port Scanning Methods and the Tools used to perform the...A Survey on different Port Scanning Methods and the Tools used to perform the...
A Survey on different Port Scanning Methods and the Tools used to perform the...
 
A REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESA REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURES
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 Mars
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Community
 
Cisco Router Security
Cisco Router SecurityCisco Router Security
Cisco Router Security
 

More from amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 

More from amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Dynamic Port Scanning

  • 1. Dynamic Port Scanning
    An integration of ARP poisoning into port scanning to dynamically spoof the source IP
    Copyright © 2006 AR < [email_address] > ( http://www.securebits.org )
  • 2.
  • 3. AGENDA
    0x10 Introduction to the Idea of DPS
    0x20 Overview of Current Spoofing Techniques
    0x30 Integrating ARP Poisoning into Port Scanning
    0x40 1-Packet-Based TCP Stealth Scans and Their Uses
    0x50 Putting It into Practice [The Tool of Trade]
    0x60 DEMO
    0x70 Preventing DPS in Private LANs
    0x80 Conclusion
    0x90 References
    0xa0 Thanks & Greetings – Questions & Answers
  • 4. 0x10 Introduction to the Idea of DPS
    0x11 Definition: Dynamic Port Scanner [DPS] integrates ARP poisoning and spoofing into port scanning to dynamically spoof the source IP of TCP or UDP scan packets. "Dynamic spoofing" means that for each TCP or UDP scan packet a dynamically and randomly generated IP is used as the source IP address of that packet. DPS can be considered a "virtual" distributed scan, where the scan appears to come from many scanning machines. DPS is best suited for "inside" penetration testing or attack.
  • 5. 0x20 Overview of Current Spoofing Techniques
    1] Normal Source-IP Spoofing
       # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
    2] The Use of Decoys
       # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
    3] Distributed Port Scanning
  • 6. 0x20 Overview of Current Spoofing Techniques
    1] Normal Source-IP Spoofing (1)
       # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
    This is the simplest of all the techniques. All the attacker needs to do is spoof the source IP of the scanning machine to any other IP, without worrying about anything else. That spoofed IP is used for all scan packets. Also, the spoofed IP can be any valid IP address and does not have to be within the subnet IP range of the scanning machine.
  • 7. 0x20 Overview of Current Spoofing Techniques
    1] Normal Source-IP Spoofing (2)
       # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
    Advantages:
    1- Freedom of spoofing
    2- No wasted initiated packets
    3- No tracing of the original scanner
    Disadvantages:
    1- No replies !!
    2- No results !!
  • 8. 0x20 Overview of Current Spoofing Techniques
    2] The Use of Decoys (1)
       # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
    A decoy scan works by sending more than one packet per port. All of these packets carry spoofed source IPs except one, which carries the original scanner's IP address. By doing so, the attacker guarantees at least one reply packet: the reply to the scan packet carrying the correct IP address. All other replies will not reach the scanning machine.
  • 9. 0x20 Overview of Current Spoofing Techniques
    2] The Use of Decoys (2)
       # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
    Advantages:
    1- Results are guaranteed
    2- Freedom of spoofing
    Disadvantages:
    1- Lots of wasted traffic
    2- Original scanner is logged (detection is not impossible)
  • 10. 0x20 Overview of Current Spoofing Techniques
    3] Distributed Port Scanning (1)
    A distributed scan works by dividing the scanning scope among multiple attack platforms. In that case, each attack platform performs a normal scan for a small range of port numbers. Although this is not a 100% spoofing mechanism, it increases the overhead for the system administrator on the other side to trace back the attacker [e.g. there could be hundreds of originating IPs]. Furthermore, those originating IPs could be compromised hosts of innocent people.
  • 11. 0x20 Overview of Current Spoofing Techniques
    3] Distributed Port Scanning (2)
    Advantages:
    1- No useless traffic
    2- Results are guaranteed
    3- Minimized scan time
    Disadvantages:
    1- All scanners are logged/traced
    2- Scanners must be under control
  • 12. 0x30 Integrating ARP Poisoning into Port Scanning
    0x31 The Basic Idea
    0x32 ARP-Cache Poisoning
    0x33 ARP-Poisoning with Scanning
    0x34 Advantages
    0x35 Limitations
  • 13.
  • 14.
  • 15. 0x30 Integrating ARP Poisoning into Port Scanning
    0x33 ARP-Poisoning with Scanning: target is outside the local net
    [Diagram: local hosts 10.1.11.5, 10.1.11.10, 10.1.11.15, 10.1.11.20; gateway 10.1.11.1 (BB:BB:BB:BB:BB:BB); attacker MAC AA:AA:AA:AA:AA:AA; target 10.1.0.74]
    1] 10.1.0.74 is NOT within the local net
    2] Get the gateway IP and ARP for its MAC
    3] Generate random IP (10.1.11.15)
    4] Poison the gateway (2 fake ARP packets):
       ARPOP_REPLY   src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.1 (BB:BB:BB:BB:BB:BB)
       ARPOP_REQUEST src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.1 (BB:BB:BB:BB:BB:BB)
    5] Send the scan packet:   10.1.11.15:5678 -> 10.1.0.74:80 [SYN]
    6] Wait for the response:  10.1.0.74:80 -> 10.1.11.15:5678 [SYN/ACK]
  • 16. 0x30 Integrating ARP Poisoning into Port Scanning
    0x33 ARP-Poisoning with Scanning: target is within the local net
    [Diagram: local hosts 10.1.11.5, 10.1.11.10, 10.1.11.15, 10.1.11.20; target 10.1.11.30 (BB:BB:BB:BB:BB:BB); attacker MAC AA:AA:AA:AA:AA:AA]
    1] 10.1.11.30 is within the local net
    3] Generate random IP (10.1.11.15)
    4] Poison the host (2 fake ARP packets):
       ARPOP_REQUEST src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.30 (BB:BB:BB:BB:BB:BB)
       ARPOP_REPLY   src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.30 (BB:BB:BB:BB:BB:BB)
    5] Send the scan packet:   10.1.11.15:5678 -> 10.1.11.30:80 [SYN]
    6] Wait for the response:  10.1.11.30:80 -> 10.1.11.15:5678 [SYN/ACK]
  • 17. 0x30 Integrating ARP Poisoning into Port Scanning
    0x33 ARP-Poisoning with Scanning (Mechanism Flowchart)
    1. Generate a random source IP: "randomly-generated fake IP".
    2. Is the "Target IP" within the local subnet?
       NO:  "Gateway IP" = "ARP-Poisoning IP"
       YES: "Target IP"  = "ARP-Poisoning IP"
    3. Prepare "ARP REQ" and "ARP REP" with the following data:
       S_IP:  "randomly-generated fake IP"
       D_IP:  "ARP-Poisoning IP"
       S_MAC: MAC of "Attack IP"
       D_MAC: MAC of "ARP-Poisoning IP"
    4. Send the two ARP packets to "ARP-Poisoning IP".
    5. Send the TCP/UDP scan packet with the following data:
       S_PORT: random port number
       D_PORT: scanned port
       S_IP:   "randomly-generated fake IP"
       D_IP:   "target IP"
       S_MAC:  MAC of "Attack IP"
       D_MAC:  MAC of "ARP-Poisoning IP"
    6. Wait for the reply.
  • 18. 0x30 Integrating ARP Poisoning into Port Scanning
    0x33 ARP-Poisoning with Scanning (Graphical Representation)
  • 19.
  • 20.
  • 21.
  • 22. 0x40 1-Packet Based Stealth Scanning Techniques
    Group #1: TCP SYN Scan (0x02), open port
    Flag notation used on these slides: [U A P R S F] = URG ACK PSH RST SYN FIN, "_" marks a clear flag.
    Linux:   3.3.3.3 -> 3.3.3.5 [____S_]   reply 3.3.3.5 -> 3.3.3.3 [_A__S_]   => OPEN
    Windows: 3.3.3.3 -> 3.3.3.5 [____S_]   reply 3.3.3.5 -> 3.3.3.3 [_A__S_]   => OPEN
  • 23. 0x40 1-Packet Based Stealth Scanning Techniques
    Group #1: TCP SYN Scan (0x02), closed port
    Linux:   3.3.3.3 -> 3.3.3.5 [____S_]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]   => CLOSED
    Windows: 3.3.3.3 -> 3.3.3.5 [____S_]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]   => CLOSED
  • 24. 0x40 1-Packet Based Stealth Scanning Techniques
    Group #2: TCP ACK Scan (0x10), open or closed port
    Linux:   3.3.3.3 -> 3.3.3.5 [_A____]   reply 3.3.3.5 -> 3.3.3.3 [___R__]   => UNFILTERED
    Windows: 3.3.3.3 -> 3.3.3.5 [_A____]   reply 3.3.3.5 -> 3.3.3.3 [___R__]   => UNFILTERED
  • 25. 0x40 1-Packet Based Stealth Scanning Techniques
    Group #2: TCP ACK Scan (0x10), open or closed port
    Linux:   3.3.3.3 -> 3.3.3.5 [_A____]   no reply   => FILTERED
    Windows: 3.3.3.3 -> 3.3.3.5 [_A____]   no reply   => FILTERED
  • 26. 0x40 1-Packet Based Stealth Scanning Techniques
    Group #3: NULL, FIN, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3 ([U A P R S F] notation):
      NULL  [______]   FIN   [_____F]   URG   [U_____]   PSH   [__P___]
      XMAS  [U_P__F]   XMAS1 [__P__F]   XMAS2 [U____F]   XMAS3 [U_P___]
    Open port (NULL probe shown; the slide groups all eight combinations together):
    Linux:   3.3.3.3 -> 3.3.3.5 [______]   no reply                              => OPEN | FILTERED
    Windows: 3.3.3.3 -> 3.3.3.5 [______]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]    => OPEN | CLOSED
  • 27. 0x40 1-Packet Based Stealth Scanning Techniques
    Group #3: NULL, FIN, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3 ([U A P R S F] notation):
      NULL  [______]   FIN   [_____F]   URG   [U_____]   PSH   [__P___]
      XMAS  [U_P__F]   XMAS1 [__P__F]   XMAS2 [U____F]   XMAS3 [U_P___]
    Closed port (NULL probe shown):
    Linux:   3.3.3.3 -> 3.3.3.5 [______]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]    => CLOSED
    Windows: 3.3.3.3 -> 3.3.3.5 [______]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]    => OPEN | CLOSED
  • 28. 0x40 1-Packet Based Stealth Scanning Techniques
    Example #1: ACK Scan: ACK; NULL Scan: No Reply
      Operating System: Linux; Port Status: Open
    Example #2: ACK Scan: ACK; PSH Scan: RST_ACK; SYN Scan: SYN_ACK
      Operating System: Windows; Port Status: Open
    Example #3: ACK Scan: ACK; URG Scan: RST_ACK; SYN: RST_ACK
      Operating System: ------; Port Status: Closed
    Example #4: ACK Scan: No Reply; XMAS Scan: No Reply
      Operating System: ------; Port Status: Filtered
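    The flag combinations of Groups #1 to #3 are what a network sensor on the scanned segment sees, and the deck's own design (0x33 flowchart: S_MAC stays the MAC of the attack machine while S_IP changes per packet) tells a defender how to count them. The following detector is an added example, not code from the deck or its tool: it names each probe type from the 0x40 slides by its exact flag byte, renders flags in the slides' [U A P R S F] notation, and aggregates probes per source MAC rather than per source IP so that the per-packet IP randomization of DPS does not split one scanner into many. The packet records, MACs and IPs are constructed; in practice they would be parsed from a libpcap capture (reference 0x05).

```python
"""Detect the 1-packet stealth probes of section 0x40 in TCP traffic on the local segment.

Added example, not part of the DPS deck or tool. Packet records are constructed inline.
"""
from collections import defaultdict

# TCP flag bits as carried in the TCP header; the slides write SYN scan as 0x02
# and ACK scan as 0x10, matching these values.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types from the 0x40 slides, keyed by the exact flag combination of the probe.
PROBE_TYPES = {
    SYN: "SYN",                  # Group #1
    ACK: "ACK",                  # Group #2
    0: "NULL",                   # Group #3 from here on
    FIN: "FIN",
    URG: "URG",
    PSH: "PSH",
    URG | PSH | FIN: "XMAS",
    PSH | FIN: "XMAS1",
    URG | FIN: "XMAS2",
    URG | PSH: "XMAS3",
}
# A bare SYN or ACK also occurs in ordinary traffic; the Group #3 combinations never do
# (every segment after the handshake carries ACK), so a single one is already an alert.
GROUP3 = {"NULL", "FIN", "URG", "PSH", "XMAS", "XMAS1", "XMAS2", "XMAS3"}


def classify(flags):
    """Name the probe type for a TCP flag byte, or None if it is not a listed probe."""
    return PROBE_TYPES.get(flags & 0x3F)   # ignore the CWR/ECE bits


def render(flags):
    """Write a flag byte in the slides' [U A P R S F] notation, e.g. SYN|ACK -> '[_A__S_]'."""
    cells = [("U", URG), ("A", ACK), ("P", PSH), ("R", RST), ("S", SYN), ("F", FIN)]
    return "[" + "".join(letter if flags & bit else "_" for letter, bit in cells) + "]"


def detect(packets, port_threshold=3):
    """Aggregate probes per source MAC (the key DPS cannot randomize on the local segment).

    packets: iterable of (src_mac, src_ip, dst_ip, dst_port, flags).
    Returns {src_mac: {"ips": set, "targets": set, "types": set, "alert": bool}}; a source
    is alerted on for any Group #3 probe, or for probes against port_threshold or more
    distinct (host, port) targets.
    """
    stats = defaultdict(lambda: {"ips": set(), "targets": set(), "types": set(), "alert": False})
    for src_mac, src_ip, dst_ip, dst_port, flags in packets:
        probe = classify(flags)
        if probe is None:
            continue                      # SYN/ACK, RST/ACK, data segments: replies, not probes
        entry = stats[src_mac.lower()]
        entry["ips"].add(src_ip)
        entry["targets"].add((dst_ip, dst_port))
        entry["types"].add(probe)
    for entry in stats.values():
        entry["alert"] = bool(entry["types"] & GROUP3) or len(entry["targets"]) >= port_threshold
    return dict(stats)


# Constructed sample: one MAC sending probes under three different source IPs (the DPS
# pattern from slides 15-17), the target's reply, and an ordinary client connecting once.
SAMPLE_PACKETS = [
    ("aa:aa:aa:aa:aa:aa", "10.1.11.15", "10.1.11.30", 80, SYN),
    ("aa:aa:aa:aa:aa:aa", "10.1.11.42", "10.1.11.30", 22, 0),                    # NULL probe
    ("aa:aa:aa:aa:aa:aa", "10.1.11.77", "10.1.11.30", 443, URG | PSH | FIN),     # XMAS probe
    ("bb:bb:bb:bb:bb:bb", "10.1.11.30", "10.1.11.15", 5678, SYN | ACK),          # reply, not a probe
    ("cc:cc:cc:cc:cc:cc", "10.1.11.5", "10.1.11.30", 80, SYN),                   # normal client
    ("cc:cc:cc:cc:cc:cc", "10.1.11.5", "10.1.11.30", 80, ACK),                   # handshake completion
]

if __name__ == "__main__":
    for mac, entry in detect(SAMPLE_PACKETS).items():
        print(mac, "ALERT" if entry["alert"] else "ok",
              "ips=%d targets=%d types=%s" % (len(entry["ips"]), len(entry["targets"]),
                                              ",".join(sorted(entry["types"]))))
```

    Keying on the MAC only works where the sensor shares the segment with the scanner (the gateway, the target subnet or a switch SPAN port); past the gateway the MAC is rewritten and only the Group #3 flag signature and the rate of probes remain. The "ok" verdict for the ordinary client shows why a bare SYN or ACK on its own should not trip the rule.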
  • 29.
  • 30. 0x50 Putting it into Practice [The Tool of Trade]
    Tool Usage
  • 31. 0x50 Putting it into Practice [The Tool of Trade]
    Simple Network…
    Scanning Machine:  OS: Linux  IP: 10.1.11.20  MAC: 00:03:FF:A1:A0:89
    Target Machine:    OS: Linux  IP: 10.1.11.81  Open Port: 80
  • 32. 0x50 Putting it into Practice [The Tool of Trade]
    Scanning…
  • 33. 0x50 Putting it into Practice [The Tool of Trade]
    The Victim…
  • 34.
  • 35. 0x60 DEMO
  • 36. 0x70 Preventing DPS in Private LANs
    0x71 The deployment of the Port-Disabling feature on switches
    Recent switches come with a "Port-Disabling" option that is triggered when malicious activity is detected on a port. Among those activities is a change of the IP address of the machine attached to that port. Since DPS requires that packets are sent with "fake" IP addresses, a switch can detect this behavior and disable the switch port immediately. The only way to bypass such a measure is to increase the time gap between packets sent with different IP addresses. If the time gap is long enough for the switch cache to time out, the attacker can still use DPS, but it will take a longer time.
  • 37. 0x70 Preventing DPS in Private LANs
    0x72 Installing the arpwatch package on the server(s)
    "arpwatch" is a software package that monitors MAC/IP pairs on the network and reports any suspicious behavior. It is always recommended that the sysadmin installs it on the different subnets to monitor MAC/IP pair changes on the network.
  • 38. 0x70 Preventing DPS in Private LANs
    0x73 Configuring static ARP entries on the machines
    Static ARP entries can be the best measure to protect against ARP poisoning; however, maintaining them can be a nightmare. If the network is almost stable (i.e. changes of IPs and machines are minimal), the sysadmin can maintain a small Perl or shell script that runs once a day, probes the IP/MAC combination of the live systems and adds static entries for them on the servers located on that subnet as well as on the gateway [i.e. the router]. Although DPS can use unallocated IPs in the subnet, "arpwatch" should take care of reporting them in that case.
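    The two-packet poisoning step of 0x33 (slides 15-17) leaves a very specific trace in ARP traffic, and 0x72 and 0x73 describe the two data sources a defender has against it: a monitor that watches sender IP/MAC pairs, and a list of pinned entries built by a daily probe script. The monitor below is an added example (not the arpwatch package and not code from the deck) that combines both: it learns pairs from the sender fields of ARP requests and replies, reports a new station, a changed MAC for a known IP ("flip-flop"), a sender IP inside the subnet that was never allocated (the case slide 38 mentions), a mismatch against a pinned static entry, and one MAC claiming more IPs than any real host should. The subnet, the allocated-address list, the pinned gateway entry and the ARP trace are all constructed for the example.

```python
"""arpwatch-style monitor for the MAC/IP pair changes caused by DPS-style ARP poisoning.

Added example, not the arpwatch package itself. Addresses and the ARP trace are constructed.
"""
import ipaddress
from collections import Counter, defaultdict


class ArpMonitor:
    """Tracks sender ip/mac pairs seen in ARP traffic on one subnet and reports the
    changes that 0x72 (arpwatch) and 0x73 (static entries) rely on."""

    def __init__(self, subnet, allocated, static=None, max_ips_per_mac=2):
        self.subnet = ipaddress.ip_network(subnet)
        self.allocated = set(allocated)        # IPs actually handed out on this subnet
        self.static = dict(static or {})       # ip -> mac pinned on servers/gateway (0x73)
        self.max_ips_per_mac = max_ips_per_mac
        self.pairs = {}                        # learned ip -> mac
        self.ips_by_mac = defaultdict(set)
        self.alerts = []                       # (op, target_ip, kind, sender_ip, sender_mac)

    def observe(self, op, sender_ip, sender_mac, target_ip):
        """Process one ARP packet (op is 'request' or 'reply') and return the alerts raised.

        Both opcodes carry a sender ip/mac pair that the receiver caches, which is why the
        0x33 poisoning step sends one of each; the monitor checks the sender fields of both.
        """
        raised = []
        sender_mac = sender_mac.lower()

        if ipaddress.ip_address(sender_ip) not in self.subnet:
            raised.append(("foreign-sender", sender_ip, sender_mac))
        elif sender_ip not in self.allocated:
            # A random IP no real machine owns: the unallocated-IP case of slide 38.
            raised.append(("unallocated-ip", sender_ip, sender_mac))

        pinned = self.static.get(sender_ip)
        if pinned is not None and pinned != sender_mac:
            raised.append(("static-mismatch", sender_ip, sender_mac))

        known = self.pairs.get(sender_ip)
        if known is None:
            raised.append(("new-station", sender_ip, sender_mac))
        elif known != sender_mac:
            raised.append(("flip-flop", sender_ip, sender_mac))

        self.pairs[sender_ip] = sender_mac
        self.ips_by_mac[sender_mac].add(sender_ip)
        if len(self.ips_by_mac[sender_mac]) > self.max_ips_per_mac:
            # One MAC fronting many IPs is the DPS signature: every fake IP is ARPed
            # from the attack machine's own MAC (flowchart step: S_MAC = MAC of "Attack IP").
            raised.append(("mac-claims-many-ips", sender_ip, sender_mac))

        self.alerts.extend((op, target_ip) + alert for alert in raised)
        return raised

    def kinds(self):
        """Count alerts by kind over everything observed so far."""
        return Counter(alert[2] for alert in self.alerts)


# Constructed inventory: hosts from the slide diagrams, gateway pinned as in 0x73.
ALLOCATED = {"10.1.11.1", "10.1.11.5", "10.1.11.10", "10.1.11.15", "10.1.11.20"}
STATIC = {"10.1.11.1": "bb:bb:bb:bb:bb:bb"}

# Constructed ARP trace: one legitimate exchange, then the two-packet poisoning pattern of
# slide 15 repeated with a fresh random source IP each time, then the real owner of .15.
SAMPLE_TRACE = [
    ("request", "10.1.11.5",  "cc:cc:cc:cc:cc:cc", "10.1.11.1"),   # host ARPs for the gateway
    ("reply",   "10.1.11.1",  "bb:bb:bb:bb:bb:bb", "10.1.11.5"),   # gateway answers
    ("request", "10.1.11.15", "aa:aa:aa:aa:aa:aa", "10.1.11.1"),   # poisoning, fake src .15
    ("reply",   "10.1.11.15", "aa:aa:aa:aa:aa:aa", "10.1.11.1"),
    ("request", "10.1.11.42", "aa:aa:aa:aa:aa:aa", "10.1.11.1"),   # fake src .42 (unallocated)
    ("reply",   "10.1.11.42", "aa:aa:aa:aa:aa:aa", "10.1.11.1"),
    ("request", "10.1.11.77", "aa:aa:aa:aa:aa:aa", "10.1.11.1"),   # third IP from the same MAC
    ("request", "10.1.11.15", "dd:dd:dd:dd:dd:dd", "10.1.11.1"),   # real owner of .15 speaks
]


def run_sample(max_ips_per_mac=2):
    """Replay the constructed trace and return the monitor with its alerts."""
    mon = ArpMonitor("10.1.11.0/24", ALLOCATED, STATIC, max_ips_per_mac)
    for event in SAMPLE_TRACE:
        mon.observe(*event)
    return mon


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print("%-7s to %-11s %-20s %s %s" % alert)
```

    The learned pairs must outlive the switch's own cache: slide 36 notes that spacing the fake-IP packets beyond the cache timeout defeats port-disabling, whereas a monitor that keeps its table for days still sees the same MAC accumulate IPs. The "new-station" report fires for every genuinely new host as well, which is the normal arpwatch noise an operator reconciles against the daily probe list of 0x73.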
  • 39. 0x90 References
    0x01 Nmap Port Scanner tool, by Fyodor, http://www.insecure.org/map
    0x02 Libnet Packet Creation/Injection Platform, by Mike Schiffman, http://www.packetfactory.net/projects/libnet/
    0x03 Building Open Source Network Security Tools, by Mike Schiffman.
    0x04 The Art of Scanning, by Fyodor, Phrack Magazine, Volume 7, Issue 51, September 01, 1997, article 11
    0x05 libpcap: the packet capturing library, http://www.tcpdump.org/
    0x06 arpwatch tool, http://ee.lbl.gov/
    0x07 EtherApe: a graphical network monitor, http://etherape.sourceforge.net/
  • 40.