Modul 2
Footprinting, Scanning, Enumeration
Isbat Uzzin Nadhori
Informatics Engineering, PENS-ITS
Politeknik Elektronika Negeri Surabaya
ITS - Surabaya
Intelligence Gathering Techniques
• 3 major steps
  – Footprinting
  – Scanning
  – Enumeration
• Similar to military reconnaissance
  – Gather information on the target
  – Analyze weaknesses
  – Construct and launch the attack
Gathering Process Overview
• You can't attack what you don't know

Hacking Steps (diagram slides)

Gathering Process Overview
• The gathering process narrows from hosts down to the weaknesses on them:
  – Hosts
  – Ports
  – Services
  – Vulnerabilities
Footprinting

Footprinting
• Footprinting is the process of obtaining essential information about an organization. It is commonly called network reconnaissance.
• The information gathered includes:
  – The technologies in use: Internet, intranet, remote access and extranet
  – The organization's security policies and procedures
  – An unknown quantity reduced to a specific range of domain names, network blocks and individual IP addresses of systems directly connected to the Internet
• This is done with a variety of techniques, such as:
  – DNS queries: nslookup, dig, zone transfer
  – Network enumeration
  – Network queries
  – Operating system identification
  – Organizational queries
  – Ping sweeps
  – Point of contact queries
  – Port scanning
  – Registrar queries (WHOIS queries)
  – SNMP queries
  – World Wide Web spidering
• In the computer security lexicon, "footprinting" refers to one of the pre-attack phases: tasks performed before the actual attack. Tools used for footprinting include Sam Spade, nslookup, traceroute, Nmap and NeoTrace.
DNS Query (screenshot slide)
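As an added worked example, not part of the original slides, of the DNS-query and zone-transfer technique listed above: the AXFR request as it travels over TCP, a parser for the answer section, and a constructed reply from a permissive server. The zone example.com, the addresses and the record contents are made up for the demonstration (the HINFO record reuses the Sparc/Solaris strings the deck itself uses later). A correctly restricted server, one whose allow-transfer list is limited to its secondaries, answers with RCODE 5 (REFUSED), which parse_response turns into an error; that refusal is exactly what you want to see when you run zone_transfer against your own name servers.

```python
import socket
import struct

AXFR = 252
QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 13: "HINFO", 15: "MX", 252: "AXFR"}

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """AXFR query framed for TCP: 2-byte length, then a standard-query header with one question."""
    msg = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", AXFR, 1)
    return struct.pack("!H", len(msg)) + msg

def decode_name(msg, off):
    """Decode a (possibly compressed, RFC 1035 4.1.4) name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer: jump, but remember where this name ended
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_rdata(msg, rtype, off, rdlen):
    """Decode the record types footprinting cares about; anything else comes back as hex."""
    if rtype == 1:
        return socket.inet_ntoa(msg[off:off + 4])
    if rtype in (2, 5, 12):
        return decode_name(msg, off)[0]
    if rtype == 13:                                # HINFO: two <character-string>s, CPU then OS
        os_off = off + 1 + msg[off]
        return (msg[off + 1:os_off].decode("ascii"), msg[os_off + 1:os_off + 1 + msg[os_off]].decode("ascii"))
    if rtype == 15:                                # MX: 16-bit preference, then the exchange name
        return (struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0])
    return msg[off:off + rdlen].hex()

def parse_response(wire):
    """Parse one TCP-framed DNS message; return [(owner, type, rdata)] from its answer section."""
    (length,) = struct.unpack("!H", wire[:2])
    msg = wire[2:2 + length]
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:                                # RCODE 5 (REFUSED) is what a properly restricted server returns
        raise ValueError("transfer denied, RCODE=%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _name, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, QTYPE.get(rtype, str(rtype)), parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return records

def zone_transfer(server, zone, port=53, timeout=5):
    """Live AXFR attempt (needs network; server/zone are whatever you are authorised to test). A real
    transfer may span several length-prefixed messages; reading the first is enough to see REFUSED."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        hdr = s.recv(2)
        body, (length,) = b"", struct.unpack("!H", hdr)
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
    return parse_response(hdr + body)

def _rr(owner, rtype, rdata, ttl=3600):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_axfr_response(zone="example.com", txid=0x1234):
    """Constructed reply from a permissive server (not captured); the HINFO reuses the slide's example."""
    answers = [
        _rr(zone, 2, encode_name("ns1." + zone)),
        _rr("ns1." + zone, 1, socket.inet_aton("192.0.2.53")),
        _rr("www." + zone, 1, socket.inet_aton("192.0.2.80")),
        _rr("www." + zone, 13, b"\x0dSparc Ultra 5" + b"\x0bSolaris 2.6"),
        _rr(zone, 15, struct.pack("!H", 10) + encode_name("mail." + zone)),
    ]
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, 0)
    msg += encode_name(zone) + struct.pack("!HH", AXFR, 1) + b"".join(answers)
    return struct.pack("!H", len(msg)) + msg
```

parse_response(sample_axfr_response()) lists the NS, A, HINFO and MX records an attacker would harvest from one request; the same call on a REFUSED reply raises, which is the result a hardened server should give to anyone who is not a listed secondary.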
Network Query Tools
• Ping
• NSlookup
• Whois
• IP block search
• Dig
• Traceroute
• Finger
• SMTP VRFY
• Web browser keep-alive
• DNS zone transfer
• SMTP relay check
• Usenet cancel check
• Website download
• Website search
• Email header analysis
• Email blacklist
• Query abuse address
Information to Gather
• Attacker's point of view
  – Identify potential target systems
  – Identify which types of attacks may be useful against those systems
• Defender's point of view
  – Know the available tools
  – May be able to tell that a system is being footprinted, and be better prepared for a possible attack
  – Vulnerability analysis: know what information you are giving away and what weaknesses you have
OS Identification (screenshot slide)

Point of Contact (screenshot slide)
Tools - Linux
• Some basic Linux tools (lower-level utilities)
  – Local system: hostname, ifconfig, who, last
  – Remote systems: ping, traceroute, nslookup, dig, whois, arp, netstat (the last two also for the local system)
  – Other tools: lsof
Tools - Linux (2)
• Other utilities
  – wireshark (packet sniffing)
  – nmap (port scanning; more later)
• Ubuntu Linux
  – System / Administration / Network Tools gives a graphical front end to a collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois
Tools - Windows
• Sam Spade (collected network tools)
• Wireshark (packet sniffer)
• Command line tools: ipconfig
• Many others...
Traceroute
# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
 1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
 2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
 3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
 4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
 5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
 6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
 7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
 8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms 17.173 ms
 9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms 248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306 ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms
Traceroute - Network Mapping (diagram, built up over several slides)
• Internet routers: cw, swb
• Firewall, DMZ, VPN
• Hosts inside the DMZ: www, ftp
• Devices identified along the path and behind the firewall (addresses redacted on the slide):
  – Linux 2.0.38, xxx.xx.48.2
  – AIX 4.2.1, xxx.xx.48.1
  – Checkpoint Firewall-1
  – Solaris 2.7, xxx.xx.49.17
  – Checkpoint Firewall-1
  – Nortel VPN, xxx.xx.22.7
  – Cisco 7206, 204.70.xxx.xxx
  – Nortel CVX1800, 151.164.x.xxx
  – IDS?
Whois
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
networking@uwec.edu
Name Servers:
TOMATO.UWEC.EDU 137.28.1.17
LETTUCE.UWEC.EDU 137.28.1.18
BACON.UWEC.EDU 137.28.5.194
Scanning

Introduction
• Scanning can be compared to a thief checking all the doors and windows of a house he wants to break into.
• Scanning is the art of detecting which systems are alive and reachable via the Internet and what services they offer, using techniques such as ping sweeps, port scans and operating system identification.
• The information collected here covers:
  1) TCP/UDP services running on each system identified
  2) System architecture (SPARC, Alpha, x86)
  3) Specific IP addresses of systems reachable via the Internet
  4) Operating system type
Ping Sweeps
• A ping sweep is a method that establishes which IP addresses in a range map to live hosts.
• ICMP sweeps (ICMP ECHO requests)
• Broadcast ICMP
• Non-echo ICMP
• TCP sweeps
• UDP sweeps
Ping Sweeps: ICMP Sweeps
• Exchange (diagram): the intruder sends an ICMP ECHO request; an ICMP ECHO reply means the target is alive.
• Querying many hosts one after another makes a ping sweep fairly slow, so sweep tools send to many hosts in parallel.
• Examples: UNIX - fping and gping; Windows - Pinger
Broadcast ICMP
• Exchange (diagram): the intruder sends one ICMP ECHO request to the network's broadcast address and receives an ECHO reply from every host that answers.
• Can distinguish between UNIX and Windows machines:
  – A UNIX machine answers requests directed to the network address.
  – A Windows machine ignores them.
Ping Sweeps: Non-Echo ICMP
• Example: ICMP type 13, the timestamp request (the reply is type 14). The message carries three timestamps:
  – Originate timestamp: the time the sender last touched the message before sending it
  – Receive timestamp: the time the echoer first touched it on receipt
  – Transmit timestamp: the time the echoer last touched it on sending
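An added example, not from the original slides, of the ICMP messages behind the echo and non-echo sweeps above. It builds type 8 echo and type 13 timestamp requests with the RFC 1071 checksum, parses and checksum-verifies replies, and states what each reply kind tells a sweep. send_probe is the live path and needs raw-socket privilege (root or CAP_NET_RAW); the sample type 14 reply and its timestamp values are constructed, not captured.

```python
import socket
import struct
import time

ECHO_REQUEST, ECHO_REPLY = 8, 0
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
DEST_UNREACHABLE = 3


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (used by ICMP, IP, TCP and UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, ident, seq, payload=b"", code=0):
    """Type, code, checksum, identifier, sequence, then payload; checksum covers the whole message."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def echo_request(ident, seq, payload=b"footprint"):
    return build_icmp(ECHO_REQUEST, ident, seq, payload)


def ms_since_midnight_utc():
    return int((time.time() % 86400) * 1000)


def timestamp_request(ident, seq, originate_ms=None):
    """Type 13 carries three 32-bit timestamps; the sender fills only 'originate' (ms since midnight UTC)."""
    if originate_ms is None:
        originate_ms = ms_since_midnight_utc()
    return build_icmp(TIMESTAMP_REQUEST, ident, seq, struct.pack("!III", originate_ms, 0, 0))


def parse_icmp(pkt):
    """Split an ICMP message (IP header already stripped) and verify its checksum."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    if inet_checksum(pkt) != 0:                 # a valid message checksums to zero, checksum field included
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    info = {"type": icmp_type, "code": code, "ident": ident, "seq": seq, "payload": pkt[8:]}
    if icmp_type == TIMESTAMP_REPLY and len(pkt) >= 20:
        info["originate"], info["receive"], info["transmit"] = struct.unpack("!III", pkt[8:20])
    return info


def classify_reply(pkt):
    """What a sweep learns from each answer (silence on its own proves nothing)."""
    info = parse_icmp(pkt)
    if info["type"] == ECHO_REPLY:
        return "alive (echo reply)"
    if info["type"] == TIMESTAMP_REPLY:
        return "alive (timestamp reply, clock %d ms after midnight UTC)" % info["transmit"]
    if info["type"] == DEST_UNREACHABLE:
        return "unreachable (code %d)" % info["code"]
    return "other ICMP type %d" % info["type"]


def send_probe(dst, pkt, timeout=2.0):
    """Live send (raw sockets need root/CAP_NET_RAW). Returns the reply's ICMP message or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (dst, 0))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    ihl = (data[0] & 0x0F) * 4                  # recvfrom on a raw ICMP socket includes the IP header
    return data[ihl:]


def sample_timestamp_reply(ident=1, seq=1):
    """Constructed type 14 reply (not captured): the target echoes 'originate' and adds receive/transmit."""
    return build_icmp(TIMESTAMP_REPLY, ident, seq, struct.pack("!III", 43200000, 43200010, 43200012))
```

A host that drops echo requests at its firewall but still answers timestamp requests is the case the non-echo sweep exists for; classify_reply(send_probe(host, timestamp_request(1, 1))) is the one-line check, and on the defending side the same packets are what to look for in IDS logs.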
Ping Sweeps: TCP Sweeps
• Exchange between client (intruder) and server (target):
  – C -> S: SYN to the target port, carrying the client's ISN
  – S -> C: SYN with the server's ISN plus ACK of the client's ISN + 1 (port listening), or
  – S -> C: RST (port not active)
  – C -> S: ACK of the server's ISN + 1, completing the handshake
• Either answer, SYN/ACK or RST, shows that the host is alive.
• When is a RESET sent?
  – When the incoming segment's connection tuple (destination IP and port, source IP and port) does not match any listening or established socket on the server.
Ping Sweeps: UDP Sweeps
• Depends on the ICMP PORT UNREACHABLE message.
• Exchange (diagram): the intruder sends a UDP datagram to a port on the target system; a closed port answers with ICMP PORT UNREACHABLE.
• Unreliable because:
  – Routers can drop UDP packets
  – UDP services may not respond even when correctly probed
  – Firewalls are commonly configured to drop UDP
  – It relies on the fact that a non-active (closed) UDP port will respond
Port Scanning
Types:
• TCP connect() scan
• TCP SYN scan (half-open scanning)
• Stealth scans
• Explicit stealth mapping techniques: SYN/ACK, FIN, XMAS and NULL
• Inverse mapping: reset scans, domain query answers
• Proxy scanning / FTP bounce scanning
• TCP reverse ident scanning
Port Scanning Types
• TCP connect() scan
  – Exchange (diagram): the scanner sends a SYN; a SYN/ACK means the port is listening, an RST/ACK means it is not. On SYN/ACK the scanner completes the handshake with an ACK.
  – The connection is terminated only after the full connection establishment process has completed, so the connection is visible to the service and its logs.
Port Scanning Types
• TCP SYN scan (half-open scanning)
  – Exchange (diagram): the scanner sends a SYN; SYN/ACK means listening, RST/ACK means not listening.
  – On SYN/ACK the scanner immediately tears the connection down by sending a RST, so the handshake never completes.
Port Scanning Types
• Stealth scans: a family of scanning techniques that
  – pass through filtering rules
  – avoid being logged by the target system's logging mechanism
  – try to hide in the usual site/network traffic
• The frequently used stealth mapping techniques are:
  – SYN/ACK scans
  – FIN scans
  – XMAS scans
  – NULL scans
Port Scanning
Techniques:
• Random port scan
• Slow scan
• Fragmentation scanning
• Decoy
• Coordinated scans
Port Scanning
• "Random" port scan: randomizing the sequence of ports probed may prevent detection.
• Slow scan: some hackers are very patient and use network scanners that spread the scan over a long period of time. The scan rate can be as low as 2 packets per day per target site.
• Fragmentation scanning: for TCP, the 8 octets of data in the minimum fragment are enough to hold the source and destination port numbers, which forces the TCP flags field into the second fragment.
• Decoy: some network scanners include options for decoys, i.e. spoofed source addresses, in their probes.
• Coordinated scans: if multiple IPs probe a target network, each probing a certain service on a certain machine in a different time period, the scans are nearly impossible to detect.
Operating System Detection
• Banner grabbing
• DNS HINFO record
• TCP/IP stack fingerprinting
Operating System Detection (screenshot slide)
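An added example that is not part of the original slides, serving both the TCP connect() scan on the Port Scanning Types slide and the banner grabbing listed above: a threaded connect scanner that classifies each port as open, closed or filtered from how connect() fails (refused means an RST/ACK came back, a timeout means nothing did), reads the service banner from every open port, and runs against three in-process loopback listeners so it works offline. The SMTP and SSH banner strings, the silent service and the rules in guess_service are constructed for the demo; point scan() at your own hosts to see what a scanner sees, as the slides later recommend.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed banners for the in-process targets (the version strings are made up for the demo).
BANNERS = {
    "smtp": b"220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; ready\r\n",
    "ssh": b"SSH-1.99-OpenSSH_2.9p2\r\n",
    "silent": None,          # accepts the connection but never speaks: banner grabbing gets nothing
}


def start_fake_services(host="127.0.0.1"):
    """Listen on three ephemeral loopback ports; returns {port: service_name}."""
    ports = {}
    for name, banner in BANNERS.items():
        ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ls.bind((host, 0))
        ls.listen(16)

        def serve(ls=ls, banner=banner, held=[]):
            while True:
                conn, _ = ls.accept()
                if banner is None:
                    held.append(conn)          # keep it open and silent
                else:
                    conn.sendall(banner)
                    conn.close()

        threading.Thread(target=serve, daemon=True).start()
        ports[ls.getsockname()[1]] = name
    return ports


def probe(host, port, timeout=0.5, grab=True):
    """One connect() probe: refused = RST/ACK (closed), no answer = filtered, handshake done = open.
    The full three-way handshake completes, which is why connect() scans show up in server logs."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return (port, "closed", "")
    except OSError:                       # timeout, host unreachable, ...
        return (port, "filtered", "")
    banner = ""
    if grab:
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except OSError:                   # service accepted but said nothing before the timeout
            banner = ""
    s.close()
    return (port, "open", banner)


def scan(host, ports, timeout=0.5, workers=32):
    """Connect scan of a port list with a thread pool; returns [(port, state, banner)] sorted by port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(results)


def free_port(host="127.0.0.1"):
    """A port that was just bound and released, so a probe to it should be refused (closed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def guess_service(banner):
    """Minimal banner interpretation of the kind a scanner reports (rules constructed for the demo)."""
    if banner.startswith("SSH-"):
        return "ssh " + banner.split("-", 2)[-1]
    if banner.startswith("220 ") and "SMTP" in banner.upper():
        return "smtp " + banner[4:].split(";")[0]
    return "unknown" if banner else "no banner"


if __name__ == "__main__":
    services = start_fake_services()
    for port, state, banner in scan("127.0.0.1", list(services) + [free_port()]):
        print("%5d %-8s %-7s %s" % (port, state, services.get(port, "-"), guess_service(banner)))
```

The banner is the OS-detection shortcut the slide calls banner grabbing: "Sendmail 8.9.3" or "OpenSSH_2.9p2" narrows the platform and version before any stack fingerprinting is attempted, which is also why services should be configured not to advertise more than they must.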
Operating System Detection
• DNS HINFO record
  – The host information record is a pair of strings identifying the host's hardware type and operating system:
    www IN HINFO "Sparc Ultra 5" "Solaris 2.6"
  – One of the oldest techniques
Operating System Detection
• TCP/IP fingerprinting
  – The idea is to send specific TCP packets to the target IP and observe the responses, which are unique to certain groups of, or individual, operating systems.
  – Types of probes used to determine the OS type: the FIN probe, the bogus flag probe, TCP initial sequence number sampling, the Don't Fragment bit, TCP initial window, ACK value, ICMP error message quenching, ICMP message quoting, ICMP error message echoing integrity, type of service, fragmentation handling, TCP options
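An added example, not from the original slides, of what stack fingerprinting actually inspects in a SYN/ACK: the TTL rounded up to its likely initial value, the Don't Fragment bit, the TCP initial window and the order of the TCP options, four of the probe classes listed above. The two signatures and the two sample packets are constructed for the demo (a p0f-style layout, not an authoritative database); real tools such as Nmap match against hundreds of signatures and use many more probe types than the single SYN/ACK shown here.

```python
import socket
import struct

# Illustrative signatures: (label, initial TTL, DF set, option layout). An assumption for the demo,
# not a real fingerprint database.
SIGNATURES = [
    ("Linux 2.4/2.6-style stack", 64, True, ["MSS", "SACK", "TS", "NOP", "WS"]),
    ("Windows-style stack", 128, True, ["MSS", "NOP", "WS", "NOP", "NOP", "SACK"]),
]
OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}


def parse_tcp_options(opts):
    """Return the option kinds in order (NOP kept, EOL ends parsing) plus MSS/WS values when present."""
    layout, values, i = [], {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL
            break
        if kind == 1:                       # NOP has no length byte
            layout.append("NOP")
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        layout.append(OPTION_NAMES.get(kind, "OPT%d" % kind))
        if kind == 2:
            values["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            values["wscale"] = body[0]
        i += length
    return layout, values


def fingerprint(pkt):
    """Extract the stack-specific fields from a raw IPv4+TCP SYN/ACK and match them against SIGNATURES."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    layout, values = parse_tcp_options(tcp[20:data_off])
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= ttl)   # each router decrements TTL, so round up
    guess = "unknown"
    for label, sig_ttl, sig_df, sig_layout in SIGNATURES:
        if (initial_ttl, df, layout) == (sig_ttl, sig_df, sig_layout):
            guess = label
            break
    return {"ttl": ttl, "initial_ttl": initial_ttl, "hops": initial_ttl - ttl, "df": df,
            "syn_ack": flags & 0x12 == 0x12, "window": window, "options": layout,
            **values, "guess": guess}


def build_syn_ack(ttl, df, window, options, src="192.0.2.1", dst="198.51.100.7"):
    """Constructed IPv4 + TCP SYN/ACK bytes for the demo (checksums left at zero; not a captured packet)."""
    assert len(options) % 4 == 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2001, ((20 + len(options)) // 4) << 4,
                      0x12, window, 0, 0)
    return ip + tcp + options


def mss(value):
    return b"\x02\x04" + struct.pack("!H", value)

def ts(val, ecr):
    return b"\x08\x0a" + struct.pack("!II", val, ecr)

def ws(shift):
    return b"\x03\x03" + bytes([shift])

NOP, SACK = b"\x01", b"\x04\x02"

# Two constructed samples: a Linux-like answer seen 12 hops away and a Windows-like one 8 hops away.
LINUX_LIKE = build_syn_ack(52, True, 5840, mss(1460) + SACK + ts(123456, 0) + NOP + ws(7))
WINDOWS_LIKE = build_syn_ack(120, True, 8192, mss(1460) + NOP + ws(8) + NOP + NOP + SACK)
```

fingerprint(LINUX_LIKE) reports initial TTL 64, DF set, window 5840 and the MSS/SACK/TS/NOP/WS layout; the same code on a packet captured from a real host (IP header first, as a raw socket or pcap delivers it) shows which of these fields your own systems leak, and why two stacks behind one NAT can still be told apart.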
Firewalking
• Gathers information about a remote network protected by a firewall
• Purpose
  – Mapping open ports on a firewall
  – Mapping a network behind a firewall
• Even if the firewall's policy is to drop ICMP ECHO request/reply, this technique is very effective.
How does Firewalking work?
• It uses traceroute-like probes (TTL set to expire one hop past the filter) to determine whether a particular packet can pass through a packet-filtering device.
• Because traceroute depends only on the IP layer (the TTL field), any transport protocol can be used the same way: TCP, UDP and ICMP.
What Firewalking needs
• The IP address of the last known gateway before the firewall
  – Serves as the WAYPOINT
• The IP address of a host located behind the firewall
  – Used as the destination to direct the packet flow
Getting the Waypoint
• If we traceroute to the machine behind the firewall and get blocked by an ACL filter that prohibits the probe, the last gateway that responded (the firewall itself) can be determined.
• The firewall becomes the waypoint.
Getting the Destination
• Traceroute to the same machine with a different traceroute probe, using a different transport protocol.
• If we get a response:
  – that particular traffic is allowed by the firewall
  – we know a host behind the firewall
• If we are continuously blocked, then this kind of traffic is blocked.
• Sending packets to every host behind the packet-filtering device can generate an accurate map of the network's topology.
How to identify/avoid threats?
• Long-standing rule for Unix system administrators: turn off any services that aren't in use
  – This applies to personal workstations too
• Hackers have access to utilities to scan the servers, but so do you.
• Hackers look for open ports, so scan your own servers first, learn what the hackers will see, and close any ports that shouldn't be open.
Some tools to help us
• Nmap
  – A utility that scans a particular server and tells us which ports are open.
• Ethereal (now called Wireshark)
  – A utility that captures the network traffic and helps us decode what is going on.
  – We can watch the network traffic and find out whether hackers can see anything that will help them break into our systems.
Enumeration

Introduction to Enumeration
• Enumeration extracts information about:
  – Resources or shares on the network
  – User names or groups assigned on the network
  – The last time a user logged on
  – A user's password
• Before enumeration, you use port scanning and footprinting
  – to determine the OS being used
• Enumeration is an intrusive process
NBTscan
• NBT (NetBIOS over TCP/IP)
  – is the Windows networking protocol
  – used for shared folders and printers
• NBTscan
  – Tool for enumerating Microsoft OSs
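An added example, not from the original slides, of what NBTscan sends and reads: the NetBIOS node status request for the wildcard name "*" on UDP/137, the first-level name encoding from RFC 1001, and a parser for the name table and MAC address in the reply, with the suffix table that turns <20> into "file server" and a group <1C> into "domain controller". The sample reply (host FILESRV in domain CORP with the MAC 00:0c:29:ab:cd:ef) is constructed, not captured; nbstat() is the live query against a host you are authorised to test.

```python
import socket
import struct

NBSTAT = 0x0021
# Well-known NetBIOS name suffixes, keyed by (suffix, is_group): what nbtscan prints in its last column.
SUFFIX = {
    (0x00, False): "workstation service", (0x00, True): "domain/workgroup name",
    (0x03, False): "messenger service", (0x1B, False): "domain master browser",
    (0x1C, True): "domain controllers", (0x1D, False): "master browser",
    (0x1E, True): "browser elections", (0x20, False): "file server service",
}


def encode_nbt_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): 16 bytes, each nibble + 'A'. '*' is the NBSTAT wildcard."""
    raw = b"*" + b"\x00" * 15 if name == "*" else name.upper().encode("ascii").ljust(15)[:15] + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + enc + b"\x00"


def build_nbstat_query(txid=0x1234):
    """Node status request: one question for '*', type NBSTAT, class IN, sent to UDP/137."""
    return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + encode_nbt_name("*") + struct.pack("!HH", NBSTAT, 1)


def parse_nbstat_response(data):
    """Return the name table and MAC address from a node status response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12 + qd * 38                      # any echoed question: 34-byte name + type + class
    if an < 1:
        raise ValueError("no answer RR")
    off += 34                               # answer owner name (the encoded '*')
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%x" % rtype)
    count = data[off]
    off += 1
    names = []
    for _ in range(count):
        entry = data[off:off + 18]           # 15-byte padded name, 1-byte suffix, 2-byte NAME_FLAGS
        off += 18
        flags = struct.unpack("!H", entry[16:18])[0]
        group = bool(flags & 0x8000)         # G bit: group name rather than unique name
        names.append({"name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": entry[15], "group": group,
                      "role": SUFFIX.get((entry[15], group), "unknown <%02x>" % entry[15])})
    mac = ":".join("%02x" % b for b in data[off:off + 6])
    return {"names": names, "mac": mac}


def host_roles(table):
    """Summarise what the name table says about the host: the parts of an nbtscan line that matter."""
    roles = set()
    for n in table["names"]:
        if n["suffix"] == 0x20 and not n["group"]:
            roles.add("file server")
        if n["suffix"] == 0x1C and n["group"]:
            roles.add("domain controller for " + n["name"])
        if n["suffix"] == 0x1B:
            roles.add("domain master browser")
    return roles


def nbstat(host, timeout=2.0):
    """Live query against one host (needs network; host is whatever you are authorised to test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, 137))
        data, _ = s.recvfrom(1024)
    return parse_nbstat_response(data)


def _entry(name, suffix, group):
    flags = (0x8000 if group else 0) | 0x0400           # G bit plus ACT (name is active)
    return name.encode("ascii").ljust(15) + bytes([suffix]) + struct.pack("!H", flags)


def sample_nbstat_response(txid=0x1234):
    """Constructed reply (not a capture) from a Windows-style host that is both a file server and a DC."""
    entries = (_entry("FILESRV", 0x00, False) + _entry("FILESRV", 0x20, False)
               + _entry("CORP", 0x00, True) + _entry("CORP", 0x1C, True))
    mac = bytes.fromhex("000c29abcdef")
    rdata = bytes([4]) + entries + mac + b"\x00" * 40     # trailing statistics block, ignored by the parser
    msg = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0) + encode_nbt_name("*")
    return msg + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata)) + rdata
```

Sweeping a /24 with nbstat() is what NBTscan does; the reply needs no credentials at all, which is why UDP/137 should not be reachable from outside the network that needs it.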
Null Session Information
• Using these NULL connections allows you to gather the following information from the host:
  – List of users and groups
  – List of machines
  – List of shares
  – User and host SIDs (Security Identifiers)
• From brown.edu (link Ch 6b)
Demonstration of Null Sessions
• Start Win 2000 Pro
• Share a folder
• From a Win XP command prompt:
  – NET VIEW \\ip-address fails
  – NET USE \\ip-address\IPC$ "" /u:""
    • creates the null session
    • username = "", password = ""
  – NET VIEW \\ip-address now works
Demonstration of Enumeration
• Download Winfo from link Ch 6g
• Run it and see all the information!
NetBIOS Enumeration Tools
• Net view command
  – Shows whether there are any shared resources on a network host
• Net use command
  – Used to connect to a computer with shared folders or files

Net use (screenshot slides)
Additional Enumeration Tools
• NetScanTools Pro
• DumpSec
• Hyena
• NessusWX
NetScanTools Pro
• Produces a graphical view of NetBIOS running on a network
• Enumerates any shares running on the computer
• Verifies whether access is available to a shared resource using its Universal Naming Convention (UNC) name
• Costs about $250 per machine (link Ch 6i)

NetScanTools Pro (screenshot slides)
DumpSec
• Enumeration tool for Microsoft systems
• Produced by SomarSoft
• Allows the user to connect to a server and "dump" the following information:
  – Permissions for shares
  – Permissions for printers
  – Permissions for the Registry
  – Users in column or table format
  – Policies and rights
  – Services

DumpSec (screenshot slide)
Hyena
• Excellent GUI product for managing and securing Microsoft OSs
• Shows shares and user logon names for Windows servers and domain controllers
• Displays a graphical representation of:
  – Microsoft Terminal Services
  – Microsoft Windows Network
  – Web Client Network
  – Find User/Group

Hyena (screenshot slide)
NessusWX
• The Windows client part of Nessus
• Allows enumeration of different OSs on a large network
• Running NessusWX
  – Be sure the Nessus server is up and running
  – Open the NessusWX client application
  – To connect your client with the Nessus server:
    • Click Communications, Connect on the menu of the session window
    • Enter the server's name
    • Log on to the Nessus server

NessusWX (screenshot slides)
NessusWX (continued)
• Nessus identifies:
  – NetBIOS names in use
  – Shared resources
  – Vulnerabilities in shared resources
    • also offers solutions to those vulnerabilities
  – OS version
  – OS vulnerabilities
  – Firewall vulnerabilities

NessusWX (screenshot slides)
Enumerating the *NIX Operating System
• Several variations:
  – Solaris
  – SunOS
  – HP-UX
  – Linux
  – Ultrix
  – AIX
  – BSD UNIX
  – FreeBSD
  – OpenBSD
UNIX Enumeration
• Finger utility
  – Most popular tool for security testers
  – Finds out who is logged in to a *NIX system
  – Determines the owner of any process
• Nessus
  – Another important *NIX enumeration tool
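An added example, not from the original slides, of the finger exchange the slide relies on: an RFC 1288 client that asks a host for its login list (empty query) or for one user, plus a loopback stand-in fingerd so the exchange runs offline. The two accounts and their home directories and shells are made up for the demo. The same pattern (connect, send one line, read until the server closes) is what SMTP VRFY enumeration, listed among the network query tools earlier, amounts to.

```python
import socket
import threading

# Constructed account data for the stub server (no real system behind it).
ACCOUNTS = {
    "root":  {"name": "Charlie Root", "tty": "console", "idle": "2d", "dir": "/", "shell": "/bin/sh"},
    "isbat": {"name": "Isbat Uzzin", "tty": "pts/0", "idle": "", "dir": "/home/isbat", "shell": "/bin/bash"},
}


def finger_reply(request):
    """What a classic fingerd answers: a login table for an empty query, details for a named user."""
    user = request.strip()
    if user == "":
        lines = ["Login    Name            TTY     Idle"]
        for login, a in ACCOUNTS.items():
            lines.append("%-8s %-15s %-7s %s" % (login, a["name"], a["tty"], a["idle"]))
        return "\r\n".join(lines) + "\r\n"
    a = ACCOUNTS.get(user)
    if a is None:
        return "finger: %s: no such user\r\n" % user
    return ("Login: %s\t\t\tName: %s\r\nDirectory: %s\t\t\tShell: %s\r\n"
            % (user, a["name"], a["dir"], a["shell"]))


def start_stub_fingerd(host="127.0.0.1"):
    """Loopback stand-in for port 79; returns the port it listens on."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind((host, 0))
    ls.listen(8)

    def serve():
        while True:
            conn, _ = ls.accept()
            with conn:
                req = b""
                while not req.endswith(b"\n") and len(req) < 256:
                    chunk = conn.recv(64)
                    if not chunk:
                        break
                    req += chunk
                conn.sendall(finger_reply(req.decode("ascii", "replace")).encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1]


def finger(host, user="", port=79, timeout=3.0):
    """RFC 1288 client: send '<user>\\r\\n' (empty for the who-is-logged-in list), read until close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((user + "\r\n").encode("ascii"))
        out = b""
        while True:
            chunk = s.recv(1024)
            if not chunk:
                break
            out += chunk
    return out.decode("ascii", "replace")


def logins_from_listing(text):
    """Pull the login names out of the table finger returns for an empty query."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    return [row.split()[0] for row in rows[1:]]       # skip the header row
```

One empty query yields a list of valid usernames to feed into password guessing, and a per-user query adds shell and home directory; that is the whole reason fingerd is disabled on any host that does not have a specific need for it.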
UNIX Enumeration (screenshot slides)

Footprinting and Enumeration using netcraft.com
Activity 01 - Artificial Culture (1).pdf
 

Modul 2 - Footprinting Scanning Enumeration.ppt

  • 11. Information to Gather
     Attacker’s point of view
    –Identify potential target systems
    –Identify which types of attacks may be useful on the target systems
     Defender’s point of view
    –Know the available tools
    –May be able to tell if a system is being footprinted, and be more prepared for a possible attack
    –Vulnerability analysis: know what information you’re giving away and what weaknesses you have
  • 14. Tools - Linux
     Some basic Linux tools (lower-level utilities)
    –Local system: hostname, ifconfig, who, last
    –Remote systems: ping, traceroute, nslookup, dig, whois, arp, netstat (also local system)
    –Other tools: lsof
  • 15. Tools – Linux (2)
     Other utilities: wireshark (packet sniffing), nmap (port scanning) - more later
     Ubuntu Linux: System / Administration / Network Tools gives a GUI front end to a collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois
  • 16. Tools - Windows
     Sam Spade (collected network tools)
     Wireshark (packet sniffer)
     Command line tools: ipconfig
     Many others…
  • 17. Traceroute
    # traceroute ns1.target-company.com
    traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
     1  fw-gw (209.197.192.1)  0.978 ms  0.886 ms  0.875 ms
     2  s1-0-1-access (209.197.224.69)  4.816 ms  5.275 ms  3.969 ms
     3  dallas.tx.core1.fastlane.net (209.197.224.1)  4.622 ms  9.439 ms  3.977 ms
     4  atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217)  6.564 ms  5.639 ms  6.681 ms
     5  Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53)  7.148 ms  6.595 ms  7.371 ms
     6  103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38)  11.861 ms  11.669 ms  6.732 ms
     7  152.63.96.85 (152.63.96.85)  10.565 ms  25.423 ms  25.369 ms
     8  dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153)  13.289 ms  10.585 ms  17.173 ms
     9  dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101)  44.951 ms  241.358 ms  248.838 ms
    10  swbell-net.demarc.swbell.net (206.181.125.10)  12.242 ms  13.821 ms  27.618 ms
    11  ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137)  25.299 ms  11.295 ms  23.958 ms
    12  target-company-818777.cust-rtr.swbell.net (151.164.x.xxx)  52.104 ms  24.306 ms  17.248 ms
    13  ns1.target-company.com (xxx.xx.xx.xx)  23.812 ms  24.383 ms  27.489 ms
  • 18–24. Traceroute - Network Mapping (built up over seven slides)
    The hops from the traceroute are drawn as a map and then filled in with what later probes reveal:
    –Internet routers: cw, swb (the transit providers seen in the trace)
    –Firewall, with a DMZ (www, ftp) and a VPN gateway behind it
    –Hosts inside: Sun, Linux, NT
    –Identified devices: Linux 2.0.38 (xxx.xx.48.2); AIX 4.2.1 (xxx.xx.48.1); Checkpoint Firewall-1 on Solaris 2.7 (xxx.xx.49.17); Checkpoint Firewall-1 / Nortel VPN (xxx.xx.22.7); Cisco 7206 (204.70.xxx.xxx); Nortel CVX1800 (151.164.x.xxx); IDS?
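The map above is built by hand from the traceroute listing on slide 17. As an added example (not part of the original slides), the Python below parses that listing, reproduced inline as constructed input with the slide's redactions kept, and does the first mapping step automatically: it groups consecutive hops by the domain of their reverse-DNS name so that provider boundaries stand out, flags the slowest link, and returns the last responding gateway before the target, which is the customer edge device and the waypoint that firewalking (slides 44–48) starts from. The owner-grouping heuristic (last two DNS labels) is an assumption of this example.

```python
import re
from statistics import mean

# Constructed input: the slide's traceroute listing, reproduced verbatim (redactions kept).
SAMPLE = """\
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
 1  fw-gw (209.197.192.1)  0.978 ms  0.886 ms  0.875 ms
 2  s1-0-1-access (209.197.224.69)  4.816 ms  5.275 ms  3.969 ms
 3  dallas.tx.core1.fastlane.net (209.197.224.1)  4.622 ms  9.439 ms  3.977 ms
 4  atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217)  6.564 ms  5.639 ms  6.681 ms
 5  Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53)  7.148 ms  6.595 ms  7.371 ms
 6  103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38)  11.861 ms  11.669 ms  6.732 ms
 7  152.63.96.85 (152.63.96.85)  10.565 ms  25.423 ms  25.369 ms
 8  dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153)  13.289 ms  10.585 ms  17.173 ms
 9  dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101)  44.951 ms  241.358 ms  248.838 ms
10  swbell-net.demarc.swbell.net (206.181.125.10)  12.242 ms  13.821 ms  27.618 ms
11  ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137)  25.299 ms  11.295 ms  23.958 ms
12  target-company-818777.cust-rtr.swbell.net (151.164.x.xxx)  52.104 ms  24.306 ms  17.248 ms
13  ns1.target-company.com (xxx.xx.xx.xx)  23.812 ms  24.383 ms  27.489 ms
"""

# A hop line: number, reverse-DNS name (or the bare IP), "(ip)", then RTTs. Silent hops are "N  * * *".
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)(.*)$")
SILENT_RE = re.compile(r"^\s*(\d+)\s+\*")
RTT_RE = re.compile(r"([\d.]+)\s*ms")


def parse_traceroute(text):
    """One dict per hop: hop number, reverse-DNS name, IP (possibly redacted) and the RTT samples."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            num, name, ip, rest = m.groups()
            hops.append({"hop": int(num), "name": name, "ip": ip,
                         "rtts": [float(r) for r in RTT_RE.findall(rest)]})
            continue
        m = SILENT_RE.match(line)
        if m:   # no reply before the timeout: a silent router or a filtering device
            hops.append({"hop": int(m.group(1)), "name": None, "ip": None, "rtts": []})
    return hops


def org_of(hop):
    """Owner label from the reverse-DNS name: last two labels (assumption of this example)."""
    name, ip = hop["name"], hop["ip"]
    if name is None:
        return "(no reply)"
    if name == ip:
        return "(no reverse DNS)"
    if "." not in name:
        return "(unqualified)"
    return ".".join(name.lower().split(".")[-2:])


def segments(hops):
    """Collapse consecutive hops with the same owner into (owner, first_hop, last_hop)."""
    out = []
    for h in hops:
        label = org_of(h)
        if out and out[-1][0] == label:
            out[-1] = (label, out[-1][1], h["hop"])
        else:
            out.append((label, h["hop"], h["hop"]))
    return out


def last_gateway(hops):
    """Last responding hop before the destination: the customer edge router or firewall candidate."""
    replied = [h for h in hops[:-1] if h["name"] is not None]
    return replied[-1] if replied else None


def slowest_hop(hops):
    """Hop with the highest mean RTT; a spike like hop 9 marks a congested or rate-limited link."""
    return max((h for h in hops if h["rtts"]), key=lambda h: mean(h["rtts"]))


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE)
    for owner, first, last in segments(hops):
        print(f"hops {first:2d}-{last:2d}: {owner}")
    gw = last_gateway(hops)
    print("last gateway before target:", gw["name"], gw["ip"])
    print("slowest hop:", slowest_hop(hops)["hop"])
```

The owner segments are what the mapping slides draw as "cw", "swb" and so on; the final swbell.net segment ending in a host named cust-rtr is the hand-off from the ISP to the target's own equipment.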
  • 25. Whois
    Domain Name: UWEC.EDU
    Registrant:
      University of Wisconsin - Eau Claire
      105 Garfield Avenue
      Eau Claire, WI 54702-4004
      UNITED STATES
    Contacts:
      Administrative Contact:
        Computing and Networking Services
        105 Garfield Ave
        Eau Claire, WI 54701
        UNITED STATES
        (715) 836-5711
        networking@uwec.edu
    Name Servers:
      TOMATO.UWEC.EDU   137.28.1.17
      LETTUCE.UWEC.EDU  137.28.1.18
      BACON.UWEC.EDU    137.28.5.194
  • 27. Introduction
     Scanning can be compared to a thief checking all the doors and windows of a house he wants to break into.
     Scanning is the art of detecting which systems are alive and reachable via the Internet and what services they offer, using techniques such as ping sweeps, port scans and operating system identification. The information collected covers:
    1) TCP/UDP services running on each system identified
    2) System architecture (Sparc, Alpha, x86)
    3) The specific IP addresses of systems reachable via the Internet
    4) Operating system type
  • 28. Ping Sweeps
     A ping sweep is a method that establishes which IP addresses in a range map to live hosts.
    –ICMP sweeps (ICMP ECHO requests)
    –Broadcast ICMP
    –Non-echo ICMP
    –TCP sweeps
    –UDP sweeps
  • 29. PING SWEEPS - ICMP Sweeps
    Intruder → target: ICMP ECHO request. Target → intruder: ICMP ECHO reply, which means the target is alive.
     Querying multiple hosts one after another is fairly slow; sweep tools send the requests in parallel.
     Examples: UNIX – fping and gping; WINDOWS – Pinger
  • 30. Broadcast ICMP
    The intruder sends a single ICMP ECHO request to the network (broadcast) address and collects an ECHO reply from every host that honours it.
     Can distinguish between UNIX and WINDOWS machines: a classic UNIX machine answers requests directed to the network address, while a WINDOWS machine ignores them.
     Caveat: modern Linux kernels ignore them too by default (net.ipv4.icmp_echo_ignore_broadcasts = 1), and routers normally do not forward directed broadcasts, so this rarely works from outside the local LAN.
  • 31. PING SWEEPS - Non-echo ICMP
    Example: ICMP Type 13 (Timestamp request; the reply is Type 14). A host that answers is alive even where ECHO is filtered. The message carries three timestamps:
     Originate Timestamp - the time the sender last touched the message before sending it
     Receive Timestamp - the time the echoer first touched it on receipt
     Transmit Timestamp - the time the echoer last touched it when sending the reply
  • 32. PING Sweeps - TCP Sweeps
    Client → Server: SYN (destination port number, client ISN)
    Server → Client, port listening: SYN (server ISN) + ACK (client ISN + 1)
    Server → Client, port not active: RESET
    Client → Server, completing the handshake: ACK (server ISN + 1)
    When will a RESET be sent? When the four-tuple of the incoming segment (destination IP + port, source IP + port) does not match any listening socket or existing connection.
     Either reply proves the host is up, which is why a TCP sweep works where ICMP ECHO is filtered.
  • 33. PING Sweeps - UDP Sweeps
     Depends on the ICMP PORT UNREACHABLE message: send a UDP datagram to a (probably closed) port on the target system; a closed port answers with ICMP PORT UNREACHABLE, which shows the host is alive.
     Unreliable because:
    •Routers can drop UDP packets
    •UDP services may not respond even when correctly probed
    •Firewalls are configured to drop UDP
    •It relies on the fact that a non-active UDP port will respond (with ICMP PORT UNREACHABLE), but many hosts rate-limit or suppress those ICMP errors
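The unreliability listed above is visible in code. As an added example (not from the original slides), the Python below probes UDP ports the way a scanner must: a "connected" UDP socket makes the kernel hand the ICMP PORT UNREACHABLE back to the probe as ECONNREFUSED, so a closed port is positively identified, while silence is reported as the ambiguous open|filtered. The targets are constructed on the loopback interface so it runs offline: an echoing service, a service that is bound but never answers (indistinguishable from a firewall drop), and a port nobody listens on. Port numbers are chosen by the kernel at run time; the payload, timeout and host are assumptions of this example.

```python
import socket
import threading


def probe_udp_port(host, port, payload=b"\x00", timeout=0.5):
    """One UDP probe, classified the way a scanner has to:
    closed        - ICMP port unreachable came back (a connected UDP socket surfaces it as ECONNREFUSED)
    open          - the service answered our datagram
    open|filtered - silence: a firewall dropped it, the ICMP error was suppressed, or a listening
                    service ignored unexpected input; the probe alone cannot tell these apart
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # connect the UDP socket so the kernel delivers the ICMP error to it
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def udp_sweep(host, ports, timeout=0.5):
    """Probe several ports; every silent port costs a full timeout, which is why UDP scans are slow."""
    return {p: probe_udp_port(host, p, timeout=timeout) for p in ports}


# --- Constructed targets so the example runs offline -------------------------------------------
def start_udp_service(reply):
    """Bind a UDP socket on a kernel-chosen loopback port. reply=True echoes every datagram;
    reply=False only holds the port, like a service that ignores junk."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    if reply:
        def serve():
            while True:
                try:
                    data, addr = srv.recvfrom(1024)
                    srv.sendto(data, addr)
                except OSError:
                    break
        threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_udp_port():
    """A loopback port with no listener: bind to 0, read the number back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    echo, echo_port = start_udp_service(reply=True)
    silent, silent_port = start_udp_service(reply=False)
    closed_port = unused_udp_port()
    result = udp_sweep("127.0.0.1", [echo_port, silent_port, closed_port])
    echo.close()
    silent.close()
    return {"echo": result[echo_port], "silent": result[silent_port], "closed": result[closed_port]}


if __name__ == "__main__":
    for kind, state in demo().items():
        print(f"{kind:7s} -> {state}")
```

Against a remote host the closed verdict also depends on the ICMP error surviving the path; Linux, for instance, rate-limits outgoing ICMP errors (the loopback interface is exempt, which is why every port in the demo is classified without retries).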
  • 34. PORT SCANNING
    Types:
     TCP connect() scan
     TCP SYN scan (half-open scanning)
     Stealth scans
    –Explicit stealth mapping techniques: SYN/ACK, FIN, XMAS and NULL
    –Inverse mapping: reset scans, domain query answers
     Proxy scanning / FTP bounce scanning
     TCP reverse ident scanning
  • 35. Port Scanning Types
     TCP connect() scan
    –Send a SYN packet: SYN/ACK back means the port is listening, RST/ACK means it is not
    –Answer the SYN/ACK with an ACK, completing the three-way handshake
    –The connection is terminated only after the full connection establishment process has completed, so the attempt reaches the application and is normally logged there
  • 36. Port Scanning Type
     TCP SYN scan (half-open scanning)
    –Send a SYN packet: SYN/ACK back means the port is listening, RST/ACK means it is not
    –Instead of completing the handshake, we immediately tear down the half-open connection by sending a RESET, so no full connection is ever established
    –Building the raw SYN and RST segments needs raw sockets, i.e. root/administrator privileges
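The TCP sweep of slide 32 and the connect() scan of slide 35 are the same socket operation applied to different ranges, so one added example (not from the original slides) serves both. The Python below lets the kernel run the SYN / SYN-ACK / ACK exchange and classifies the outcome as open, closed (the RST/ACK surfaces as "connection refused") or filtered (no answer before the timeout); the half-open SYN scan of slide 36 is not shown because it needs raw sockets. The target is a listener constructed on a loopback port so the example runs offline; the timeout, worker count and sweep port are assumptions of this example.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def classify_tcp_port(host, port, timeout=0.5):
    """Full connect() probe of one port. The kernel performs the SYN / SYN-ACK / ACK exchange:
    open     - SYN/ACK came back and the handshake completed (we then close the connection)
    closed   - RST/ACK came back, surfaced as 'connection refused'
    filtered - nothing came back before the timeout: dropped by a filter, or the host is down
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                 # timeout, host/network unreachable, ...
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports, timeout=0.5, workers=32):
    """Probe many ports in parallel; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: classify_tcp_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def tcp_sweep(hosts, port=80, timeout=0.5):
    """TCP 'ping': any answer to the SYN, SYN/ACK or RST, proves the host is up even where ICMP is blocked."""
    return {h: classify_tcp_port(h, port, timeout) in ("open", "closed") for h in hosts}


# --- Constructed target so the example runs offline -------------------------------------------
def start_listener():
    """A TCP listener on a kernel-chosen loopback port, standing in for a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:     # listener closed
                break
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """A loopback port nobody listens on: bind to 0, read the number back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    srv, open_port = start_listener()
    closed_port = unused_port()
    states = connect_scan("127.0.0.1", [open_port, closed_port])
    alive = tcp_sweep(["127.0.0.1"], port=open_port)
    srv.close()
    return open_port, closed_port, states, alive


if __name__ == "__main__":
    open_port, closed_port, states, alive = demo()
    print(f"port {open_port}: {states[open_port]}, port {closed_port}: {states[closed_port]}")
    print("alive:", alive)
```

Because every probe completes the handshake, the listener's accept() returns for each open port; on a real target that is the log entry the half-open scan avoids.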
  • 37. Port Scanning Type - Stealth Scan
    A family of scanning techniques that try to:
     Pass through filtering rules
     Avoid being logged by the targeted system’s logging mechanism
     Hide themselves in the usual site / network traffic
    The frequently used stealth mapping techniques are:
     SYN/ACK scan
     FIN scan
     XMAS scan
     NULL scan
    These rely on RFC 793 behaviour: a closed port answers such an out-of-state segment with RST, an open port stays silent. Stacks that send RST from open ports as well (Windows among them) make every port look closed, so the results only hold for RFC-compliant targets.
  • 38. PORT Scanning
    Techniques:
     Random port scan
     Slow scan
     Fragmentation scanning
     Decoy
     Coordinated scans
  • 39. PORT Scanning
     “Random” port scan: randomizing the sequence of ports probed may prevent detection by tools that look for sequential sweeps.
     Slow scan: some hackers are very patient and use network scanners that spread the scan out over a long period of time. The scan rate can be, for example, as low as 2 packets per day per target site, below any threshold-based detector.
     Fragmentation scanning: in the case of TCP, the 8 octets of data in a minimum-size fragment are enough to contain the source and destination port numbers, which forces the TCP flags field into the second fragment; a filter that inspects only the first fragment never sees the flags.
     Decoy: some network scanners include options for decoys, or spoofed source addresses, so the real scanner hides among them.
     Coordinated scans: multiple IPs probe a target network, each probing one service on one machine in a different time period, which makes the scans very hard to correlate and detect.
  • 40. Operating System Detection
     Banner grabbing
     DNS HINFO record
     TCP/IP stack fingerprinting
  • 42. Operating System Detection
     DNS HINFO record
    –The host information record is a pair of strings identifying the host’s hardware type and operating system:
      www IN HINFO “Sparc Ultra 5” “Solaris 2.6”
    –One of the oldest techniques; few zones publish HINFO today, so its absence tells you nothing
  • 43. Operating System Detection
     TCP/IP fingerprinting
    –The idea is to send specific TCP packets to the target IP and observe the responses, which are unique to a certain group of operating systems or to an individual one.
    –Types of probes used to determine the OS type: the FIN probe, the bogus flag probe, TCP initial sequence number sampling, the Don’t Fragment bit, TCP initial window, ACK value, ICMP error message quenching (rate limiting), ICMP message quoting, ICMP error message echoing integrity, type of service, fragmentation handling, TCP options
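Several of the probes listed above (Don't Fragment bit, TCP initial window, TCP options, and the TTL the reply arrives with) are read straight out of the SYN/ACK header. As an added example (not part of the original slides), the Python below parses a raw IPv4+TCP reply into those features, decodes the option list while keeping its order (the order is itself stack-dependent), and infers the initial TTL and hop distance from the three common defaults. The two packets are constructed in the code with struct; their option layouts are illustrative and not claimed to be any vendor's real signature. Capturing a live SYN/ACK would need a raw socket or pcap, which is outside this example.

```python
import struct


def guess_initial_ttl(ttl):
    """Common defaults: 64 (Linux, BSD, macOS), 128 (Windows), 255 (Solaris, Cisco IOS).
    The initial TTL is the smallest default not below the observed value; the difference is the hop distance."""
    for default in (64, 128, 255):
        if ttl <= default:
            return default
    return 255


def parse_tcp_options(raw):
    """Decode the TCP options area into (name, value) pairs, preserving order; the order is a fingerprint."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            opts.append(("eol", None))
            break
        if kind == 1:                       # NOP padding
            opts.append(("nop", None))
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == 3:
            opts.append(("ws", body[0]))
        elif kind == 4:
            opts.append(("sackOK", None))
        elif kind == 8:
            opts.append(("ts", struct.unpack("!II", body)))
        else:
            opts.append((f"opt{kind}", body))
        i += length
    return opts


def fingerprint(packet):
    """Extract the stack-dependent features of a raw IPv4+TCP reply (e.g. the SYN/ACK to our SYN probe)."""
    ver_ihl, _tos, _total, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    options = parse_tcp_options(tcp[20:data_offset])
    initial = guess_initial_ttl(ttl)
    return {
        "ttl": ttl, "initial_ttl": initial, "distance": initial - ttl,
        "df": bool(frag & 0x4000), "window": window, "flags": off_flags & 0x1FF,
        "options": options, "layout": ",".join(name for name, _ in options),
    }


def build_syn_ack(ttl, df, window, options=b""):
    """Constructed test input: an IPv4+TCP SYN/ACK with zeroed checksums (never put on the wire)."""
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    header_len = 20 + len(options)
    off_flags = ((header_len // 4) << 12) | 0x012       # data offset, SYN|ACK
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 0x11223344, 0x55667788, off_flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


# Two constructed replies. The option layouts are illustrative, not a claimed database entry.
LINUX_LIKE = build_syn_ack(ttl=57, df=True, window=29200,
    options=b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", 1000, 2000)
            + b"\x01\x03\x03\x07")
WINDOWS_LIKE = build_syn_ack(ttl=116, df=True, window=8192,
    options=b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02")

if __name__ == "__main__":
    for label, pkt in (("A", LINUX_LIKE), ("B", WINDOWS_LIKE)):
        f = fingerprint(pkt)
        print(f"{label}: ttl {f['ttl']} (initial {f['initial_ttl']}, {f['distance']} hops away), "
              f"df={f['df']}, window={f['window']}, layout={f['layout']}")
```

Real tools compare the resulting tuple (initial TTL, DF, window, option layout, plus the ICMP and ISN probes on the slide) against a signature database; that database is not reproduced here.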
  • 44. Firewalking
     Gathers information about a remote network protected by a firewall
     Purpose
    –Mapping open ports on a firewall
    –Mapping a network behind a firewall
     If the firewall’s policy is to drop ICMP ECHO Request/Reply, this technique is very effective, because it does not depend on ECHO at all.
  • 45. How does Firewalking work?
     It uses a traceroute-like technique to determine whether or not a particular packet can pass through a packet-filtering device: the probe’s TTL is set to expire one hop beyond the device, so an ICMP Time Exceeded from that hop proves the packet was forwarded.
     Traceroute depends only on the IP layer (the TTL field), so any transport protocol can be used the same way (TCP, UDP and ICMP).
  • 46. What does Firewalking need?
     The IP address of the last known gateway before the firewall takes effect. This serves as the WAYPOINT.
     The IP address of a host located behind the firewall. This is used as the destination to direct the packet flow.
  • 47. Getting the Waypoint
     If we traceroute to a machine behind the firewall and get blocked by an ACL filter that prohibits the probe, the last gateway which responded (the firewall itself) can be determined.
     The firewall becomes the waypoint.
  • 48. Getting the Destination
     Traceroute to the same machine with a different traceroute probe, using a different transport protocol or port.
     If we get a response:
    –That particular traffic is allowed by the firewall
    –We know a host behind the firewall
     If we are continuously blocked, then this kind of traffic is blocked.
     Sending packets to every host behind the packet-filtering device can generate an accurate map of the network’s topology.
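Real firewalking needs raw sockets and root (the firewalk tool, or hping with a hand-set TTL), so as an added example (not from the original slides) the Python below simulates the path instead: a chain of hops in which one device is a packet filter, and a probe that is forwarded hop by hop exactly as slides 45–48 describe. find_waypoint() is the traceroute of slide 47 (the last hop that still answers with Time Exceeded is the filter), and firewalk() is slide 48 (TTL = waypoint + 1; a reply from beyond the waypoint means the port passes the filter). The topology, the filter policy and the RFC 5737 addresses are constructed for this example.

```python
from typing import List, Optional, Set


class Hop:
    """One device on the path. allow=None is a plain router; a set is a packet filter that forwards
    only TCP probes to those destination ports and silently drops everything else."""
    def __init__(self, addr: str, allow: Optional[Set[int]] = None):
        self.addr, self.allow = addr, allow


class Path:
    def __init__(self, hops: List[Hop], target: str):
        self.hops, self.target = hops, target

    def send(self, dst_port: int, ttl: int):
        """Walk one probe down the path. Each hop decrements the TTL first and, at zero, answers with
        ICMP Time Exceeded (what traceroute relies on); otherwise a filtering hop applies its policy.
        Returns (kind, responder, hop_number) or None when the probe is dropped without any reply."""
        for n, hop in enumerate(self.hops, start=1):
            ttl -= 1
            if ttl == 0:
                return ("time-exceeded", hop.addr, n)
            if hop.allow is not None and dst_port not in hop.allow:
                return None
        return ("target-reply", self.target, len(self.hops) + 1)   # SYN/ACK or RST from the host


def find_waypoint(path: Path, probe_port: int = 33434, max_ttl: int = 30):
    """Slide 47: traceroute towards a host behind the filter with a port it blocks. The last hop that
    still answers is the filtering device; returns (hop_number, address) or None."""
    last = None
    for ttl in range(1, max_ttl + 1):
        reply = path.send(probe_port, ttl)
        if reply is None:
            break
        last = (reply[2], reply[1])
        if reply[0] == "target-reply":
            break
    return last


def firewalk(path: Path, waypoint_hops: int, ports):
    """Slide 48: send each probe with TTL = waypoint + 1. A Time Exceeded from beyond the waypoint
    (or a reply from the target itself) proves the filter forwarded that port; silence means filtered."""
    verdict = {}
    for port in ports:
        reply = path.send(port, waypoint_hops + 1)
        passed = reply is not None and reply[2] > waypoint_hops
        verdict[port] = "passes" if passed else "filtered"
    return verdict


# Constructed path (RFC 5737 documentation addresses): two ISP routers, the filter, one inside router, target.
PATH = Path([Hop("192.0.2.1"), Hop("192.0.2.2"),
             Hop("198.51.100.1", allow={25, 80, 443}), Hop("10.0.0.1")], target="10.0.0.10")

if __name__ == "__main__":
    wp = find_waypoint(PATH)
    print("waypoint:", wp)
    for port, state in firewalk(PATH, wp[0], [22, 25, 80, 443, 3389]).items():
        print(f"tcp/{port}: {state}")
```

Note the ordering inside send(): a device that drops by ACL before it looks at the TTL would never reveal itself as the waypoint, which is exactly the case where slide 47's traceroute stops one hop early; the simulation models the compliant behaviour the slides assume.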
  • 49. How to identify/avoid threats?
     Long-standing rule for Unix system administrators: turn off any services that aren’t in use
     This applies to personal workstations too! Hackers have access to utilities to scan the servers, but so do you. Hackers look for open ports, so scan your own servers first, see what the hackers will see, and close any ports that shouldn’t be open.
  • 50. Some tools to help us
     Nmap: a utility that scans a particular server and tells us which ports are open.
     Ethereal (now called Wireshark): a utility that captures the network traffic and helps us decode what is going on. We can watch the traffic and find out whether hackers can see anything that will help them break into our systems.
  • 52. Introduction to Enumeration
     Enumeration extracts information about:
    –Resources or shares on the network
    –User names or groups assigned on the network
    –The last time a user logged on
    –Users’ passwords
     Before enumeration, you use port scanning and footprinting
    –To determine the OS being used
     Intrusive process: unlike footprinting, it makes active connections to the target systems and shows up in their logs
  • 53. NBTscan
     NBT (NetBIOS over TCP/IP)
    –is the Windows networking protocol
    –used for shared folders and printers
     NBTscan
    –Tool for enumerating Microsoft OSs: it sends a NetBIOS node status query (UDP port 137) to each address and lists the NetBIOS names, logged-on user and MAC address that come back
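As an added example (not from the original slides, and not NBTscan's own code), the Python below builds the NetBIOS node status request that NBTscan sends to UDP/137 and parses the reply, following the RFC 1002 layouts: the "*" wildcard name in first-level encoding, the NBSTAT answer record, the 18-byte name entries with their suffix and group/active flags, and the MAC address at the head of the statistics block. The reply is constructed inline to imitate a Windows file server in a domain, so the parsing runs offline; query_host() does the live exchange but is not exercised by the test. The host name, domain name and MAC address are made up for this example.

```python
import socket
import struct

NBSTAT = 0x0021           # NODE STATUS record type (RFC 1002)
SUFFIX_ROLE = {0x00: "workstation name / domain (group)", 0x03: "messenger service",
               0x1B: "domain master browser", 0x1C: "domain controllers (group)",
               0x1D: "master browser", 0x1E: "browser elections (group)",
               0x20: "file server service"}


def encode_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: 15-char name + 1-byte suffix, each byte split into two letters
    'A'..'P'. The wildcard '*' used by node status queries is padded with NULs, real names with spaces."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    encoded = "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)
    return bytes([32]) + encoded.encode("ascii") + b"\x00"


def build_node_status_request(txid=0x1234):
    """What nbtscan sends: one question for '*' of type NBSTAT, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack("!HH", NBSTAT, 1)


def parse_node_status_response(data):
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or flags & 0x000F or ancount < 1:
        raise ValueError("not a successful node status response")
    pos = 12
    while data[pos]:                      # skip the answer's encoded name (length-prefixed labels)
        pos += 1 + data[pos]
    pos += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type")
    count, pos = data[pos], pos + 1
    names = []
    for _ in range(count):
        entry, pos = data[pos:pos + 18], pos + 18
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append({"name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": entry[15], "group": bool(nflags & 0x8000),
                      "active": bool(nflags & 0x0400),
                      "role": SUFFIX_ROLE.get(entry[15], "other")})
    mac = ":".join(f"{b:02x}" for b in data[pos:pos + 6])   # UNIT_ID at the head of the statistics
    return {"txid": txid, "names": names, "mac": mac}


def summarize(info):
    """Turn the name table into the facts an enumerator records per host."""
    out = {"computer": None, "domain": None, "domain_controller": False,
           "file_server": False, "mac": info["mac"]}
    for n in info["names"]:
        if n["suffix"] == 0x00 and not n["group"]:
            out["computer"] = n["name"]
        elif n["suffix"] == 0x00 and n["group"]:
            out["domain"] = n["name"]
        elif n["suffix"] == 0x1C and n["group"]:
            out["domain_controller"] = True
        elif n["suffix"] == 0x20:
            out["file_server"] = True
    return out


def build_node_status_response(txid, entries, mac):
    """Constructed reply imitating a Windows host; entries are (name, suffix, is_group)."""
    rdata = bytes([len(entries)])
    for name, suffix, group in entries:
        nflags = 0x0400 | (0x8000 if group else 0)           # ACT bit, plus G for group names
        rdata += name.upper().ljust(15).encode("ascii") + bytes([suffix]) + struct.pack("!H", nflags)
    rdata += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 40   # UNIT_ID + zeroed statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)     # response, authoritative, RCODE 0
    return header + encode_name("*") + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


def query_host(ip, timeout=2.0):
    """Real network I/O (not used by the offline demo): send the query to UDP/137 and parse the reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_node_status_request(), (ip, 137))
        data, _ = s.recvfrom(1024)
    finally:
        s.close()
    return parse_node_status_response(data)


# Constructed reply: a file server named FILESRV01 that is also a domain controller for CORP.
SAMPLE_REPLY = build_node_status_response(0x1234, [
    ("FILESRV01", 0x00, False), ("FILESRV01", 0x20, False),
    ("CORP", 0x00, True), ("CORP", 0x1C, True)], "00:0c:29:aa:bb:cc")

if __name__ == "__main__":
    print(summarize(parse_node_status_response(SAMPLE_REPLY)))
```

The suffix table is what turns a list of names into roles: the same string appears once as a unique name (the computer) and once as a group name (the domain), and a 0x1C group entry marks a domain controller, which is the host a null-session attempt (slides 54–55) would be aimed at next.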
  • 54. Null Session Information
     Using these NULL connections allows you to gather the following information from the host:
    –List of users and groups
    –List of machines
    –List of shares
    –User and host SIDs (Security Identifiers)
    •From brown.edu (link Ch 6b)
  • 55. Demonstration of Null Sessions
     Start Win 2000 Pro
     Share a folder
     From a Win XP command prompt
    –NET VIEW \\ip-address   (fails)
    –NET USE \\ip-address\IPC$ "" /u:""
    •Creates the null session
    •Username="" Password=""
    –NET VIEW \\ip-address   (works now)
  • 56. Demonstration of Enumeration
     Download Winfo from link Ch 6g
     Run it – see all the information!
  • 57. NetBIOS Enumeration Tools
     Net view command
    –Shows whether there are any shared resources on a network host
  • 58. NetBIOS Enumeration Tools (continued)
     Net use command
    –Used to connect to a computer with shared folders or files
  • 61. Additional Enumeration Tools
     NetScanTools Pro
     DumpSec
     Hyena
     NessusWX
  • 62. NetScanTools Pro
     Produces a graphical view of NetBIOS running on a network
     Enumerates any shares running on the computer
     Verifies whether access is available for a shared resource using its Universal Naming Convention (UNC) name
     Costs about $250 per machine (link Ch 6i)
  • 65. DumpSec
     Enumeration tool for Microsoft systems
     Produced by Foundstone, Inc.
     Allows the user to connect to a server and “dump” the following information:
    –Permissions for shares
    –Permissions for printers
    –Permissions for the Registry
    –Users in column or table format
    –Policies and rights
    –Services
  • 67. Hyena
     Excellent GUI product for managing and securing Microsoft OSs
     Shows shares and user logon names for Windows servers and domain controllers
     Displays a graphical representation of:
    –Microsoft Terminal Services
    –Microsoft Windows Network
    –Web Client Network
    –Find User/Group
  • 69. NessusWX
     This is the client part of Nessus
     Allows enumeration of different OSs on a large network
     Running NessusWX
    –Be sure the Nessus server is up and running
    –Open the NessusWX client application
    –To connect your client with the Nessus server:
    •Click Communications, Connect from the menu on the session window
    •Enter the server’s name
    •Log on to the Nessus server
  • 72. NessusWX (continued)
     Nessus identifies:
    –NetBIOS names in use
    –Shared resources
    –Vulnerabilities with shared resources
    •Also offers solutions to those vulnerabilities
    –OS version
    –OS vulnerabilities
    –Firewall vulnerabilities
  • 77. Enumerating the *NIX Operating System
     Several variations
    –Solaris
    –SunOS
    –HP-UX
    –Linux
    –Ultrix
    –AIX
    –BSD UNIX
    –FreeBSD
    –OpenBSD
  • 78. UNIX Enumeration
     Finger utility
    –Most popular tool for security testers
    –Finds out who is logged in to a *NIX system
    –Determines the owner of any process
    –Talks to the finger daemon on TCP port 79, which most modern systems no longer run
     Nessus
    –Another important *NIX enumeration tool
  • 81. Footprinting and Enumeration using netcraft.com