Gathering Network & Host
Information: Scanning & Enumeration

Port Scanning



Well known ports
http://www.t1shopper.com/tools/port-scan/
Network Scanning
Not designed to do testing through a firewall
 Only as smart as their database


Vulnerability Scanning








1. Check for live systems
2. Check for open ports
3. Service identification
4. Banner Grabbing / OS Fingerprinting
5. Vulnerability scanning
6. Network Diagram
7. Prepare Proxies
8. Attack!

Ping Sweeps using an IP Ping Flood Tool
 Pinger,
 Friendly Pinger,
 WS_Ping_Pro,
 AngryIP

Detecting
 Use an IDS or IPS

nmap: Free; Open Source (Zenmap: GUI)
Ping sweeps: sends ICMP ECHO_REQUEST &
TCP ACK
Port scanning, service identification, IP address &
OS detection
Port states: Open, Closed, Unfiltered
http://www.youtube.com/watch?v=4WuglJA9H6o
http://www.youtube.com/watch?v=XaCzpqIU5-A (10 min)
www.nmap.org
Fport: identify unknown open ports and their
associated applications
Lsof: (list open files): Linux command
-report a list of all open files and the processes
that opened them
Switches:
-i: display the list of all network sockets
-r: display the routing table
-g: display multicast group membership
information for IPv4 and IPv6
-i: display a table of all network interfaces
Netstat
Displays protocol-related statistics and the state of
current TCP/IP connections
Switches:
-a: show both listening and non-listening sockets
-an: reported in numerical form
-l: show only listening sockets
-c: print routing information from the route
cache
-s: display summary statistics for each protocol
nmap scan types:
TCP Connect: -sT
XMAS tree scan: -sX
SYN stealth scan: -sS
Null scan: -sN
Does not work on Windows systems
ACK scan: -sA
UDP scan: -sU
Ex: Scan first 1024 ports: Nmap -sU -p 1-1024
<hosts>
Scan protocols in use: -vO
Control timing: -T
Paranoid, Sneaky, Polite, Normal,
Aggressive, Insane
Full / Connect: Noisy; Most easily caught by
IDS/IPS
SYN: ½ Open; stealth; sends SYN, then RST
XMAS: FIN, URG, PSH flags set
- Doesn’t work on Windows
FIN: FIN flag set
NULL: no flags set; doesn’t work on Windows
IDLE: uses a spoofed IP address
Bounce Attack scanning: connect to an FTP server
and request that server to start data transfer to
the third system



SYN
ACK
PSH


URG


the system is forwarding the buffered data
data in the packet must be processed quickly
FIN
data packet transaction has completed; no more
transmission is required
 Uses reverse mapping: closed ports reply with RST, open
ports ignore the probe


RST

the connection is being reset



NetScan Tools Pro
Hping2
Icmpenum




enumerate networks that have blocked ICMP Echo
packets but failed to block timestamp or information
packet
supports spoofing and promiscuous listening for
reply packets
SNMP Scanner
P0f : passive OS fingerprinting tool

NetCat (nc)
Provides outbound and inbound connections for
TCP and UDP ports.
 Provides special tunneling, such as UDP to TCP,
with the possibility of specifying all network
parameters.
 A good port scanner.
 Contains advanced usage options, such as buffered
send-mode (one line every N seconds), and
hexdump (to stderr or to a specified file) of
transmitted and received data.


NetCat (nc) common switches








nc –d: detach Netcat from the console.
nc -l -p [port]: create a simple listening TCP port;
adding u will put it in UDP mode.
nc -e [program]: redirect stdin/stdout from a
program.
nc -z: port scanning.
nc -g or nc -G: specify source routing flags.
nc -t: Telnet negotiation
nc -w [timeout]: set a timeout before Netcat
automatically quits.
nc -v: put Netcat into verbose mode


Bypasses normal network detection devices
Tools
ToneLoc
 THC-Scan
 PhoneSweep
 TeleSweep


Banner Grabbing (Windows)


"HEAD / HTTP/1.0"
Pressing enter twice, Adam gets the following
results:
 C:\> cmd
 Microsoft Windows XP [Version 5.1.2600] (C)
Copyright Microsoft Corp.
 C:\>pwdump pwd.txt

http://www.youtube.com/watch?v=1_ATtFGG2BA

Banner Grabbing (Linux)


OS Fingerprinting


for i in 'cat hostlist.txt' ;do nc -q 2 -v $i 80 <
request.txt done [where, hostlist.txt file contains the
list of IP addresses and request.txt is the output file]
Nmap & Queso
Netcraft

Web site that periodically polls Web servers to
determine the operating system version and the
Web-server software version; toolbar would notify a
phishing attack

Additional Tools:

Traceroute:
 measuring the route path and transit times of packets
across an (IP) network

Cheops:
 host/network discovery functionality as well as OS
detection of hosts

NeoTrace:
 shows you how packets get from your computer to
another computer on the Internet by displaying all
nodes between your computer and the trace target

Anonymizers



Limitations of anonymizers


Linux Proxy Server (IPChains, IPTables)
www.anonymizer.com, www.anonymize.com,
www.ipriv.com, www.mutemail.com, www.rewebber.de,
www.silentfurf.com, www.surfola.com
Secure protocols (HTTPS), JavaScript, Plugins, ActiveX
controls, Java applications
Tunneling: Using a protocol for other than its
intended purpose



Ptunnel & Itunnel: use ICMP
WinTunnel: uses TCP
HTTPort, Tunneld, BackStealth

Gathering






Usernames: hack SAM file; GetAcct
Machine names: use null sessions
Network resources: SuperScan
Shares: net view command
Services: SNMP port scanning
Tools



PsPasswd
PsFile
UserInfo

“Null” user has no username/password
C:\> net use \\192.21.7.1 \IPC$ “ “ /u: “ “
Admin SID: S-1-5-21….-500
Guest SID: S-1-5-21…..-501
Port 135, 137, 139, 445
Countermeasure

Disable SMB; Disable TCP port 139/445
 Editing the registry key
HKLM\SYSTEM\CurrentControlSet\Control \ LSA
and adding the value RestrictAnonymous
http://www.youtube.com/watch?v=4S_GCSBWSCs










Gathering information about host, routers,
devices etc. by querying ‘Management
Information Base’ (MIB).
Used for remote monitoring and managing
hosts, routers, and devices on a network
SNMP version 3 provides data encryption for
community strings
http://www.youtube.com/watch?v=MWIWuqouOEE

Tools: SNMPUtil, IP Network Browser, snmpwalk

snmpwalk example:


sysDescr.0 = STRING: "SunOS zeus.net.cmu.edu 4.1.3_U1
1 sun4m"
sysObjectID.0 = OID: enterprises.hp.nm.hpsystem.10.1.1
sysUpTime.0 = Timeticks: (155274552) 17 days, 23:19:05
sysContact.0 = STRING: ""
sysName.0 = STRING: "zeus.net.cmu.edu"
sysLocation.0 = STRING: ""
sysServices.0 = INTEGER: 72
Countermeasures:



Disable SNMP Service
Change default passwords (Public & Private)
Implementing Access control list filtering

Tools


Sam Spade, Host, Dis
NSLOOKUP
 nslookup
 > server <ipaddress>
 > set type = any
 > ls -d <target.com>

Windows Service Identifiers

User2SID, SID2User, DumpSec, Enum

SOCKS:




Optional proxy server protocol that uses sockets to
keep track of individual connections
Port 1080
IRC servers uses TCP, hence are a frequent
target
Port Redirection:



Used to bypass port filtering rules at routers and
firewalls
Linux: Datapipe
Windows: Fpipe

0 Echo Reply
3 Destination Unreachable
8 Echo Request
11 Time Exceeded
13 Timestamp Request
14 Timestamp Reply
15 Address mask request
17 Information request (obsolete)

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol








TYPE 3 & CODE 13


ICMP TYPE 3 and CODE 3


port unreachable message
ICMP TYPE 3 and CODE 0


a Network Administrator has prohibited
communication with the server by using a firewall
network unreachable error message
ICMP TYPE 0 and CODE 0

ICMP echo reply message


Gathering information about a remote network
protected by a firewall
Requirements





ICMP packets leaving the network should be
allowed
An attacker should know the IP address of a host
located behind the firewall
An attacker should know the IP address of the last
known gateway before the firewall
http://www.ethicalhacker.net/component/option,com_smf/Ite
mid,54/topic,4062.msg19362/
http://www.techrepublic.com/article/use-firewalk-in-linuxunix-toverify-acls-and-check-firewall-rule-sets/5055357