Scanning Networks - SCF Faculty Site Homepage

3.1 Understand the term port scanning, network scanning, and vulnerability scanning
Exam Focus: Understand the term port scanning, network scanning, and vulnerability scanning.
Objective includes:
• Understand the objectives of scanning.
• Learn the CEH scanning methodology.
Scanning
Scanning refers to a set of procedures used to identify hosts, ports, and services in a network. Along with enumeration, it is one of the first phases of hacking. A hacker uses scanning as a method of intelligence gathering to create a profile of the target organization.
Types of scanning:
• Port scanning: the use of a software application designed to probe a server or host for open ports by sending a series of messages; an attacker trying to break into a computer uses it to learn about the network services of that computer.
• Vulnerability scanning: the use of automated software designed to proactively assess computers, computer systems, networks, or applications for weaknesses.
• Network scanning: a procedure used to identify the active hosts on a network.
Port scanning
Port scanning is the process by which an attacker connects to TCP and UDP ports to find the
services and applications running on the target system. In port scanning, data packets are sent to
a port to gather information about it.
Port scanning tools:
• Floppyscan: is a hacking tool that is used for port scanning. It uses a floppy disk for port scanning a computer. Floppyscan boots up a mini Linux that displays a blue screen and uses the nmap tool to port scan the network. After performing the port scan, it sends the results by e-mail to a remote server.
• Icmpenum: is a port scanner that uses not only ICMP Echo packets to probe networks, but also ICMP timestamp and ICMP information packets. Besides this, it supports spoofing and promiscuous listening for reply packets. This tool is useful for enumerating networks that have blocked ICMP Echo packets.
Vulnerability scanning
Vulnerability scanning is a process in which a Penetration Tester uses various tools to assess
computers, computer systems, networks, or applications for weaknesses. There are different
types of vulnerability scanners available today, distinguished from one another by a focus on
particular targets. While the functionality varies between different types of vulnerability
scanners, they share a common core purpose of enumerating the vulnerabilities present in one or
more targets. Vulnerability scanners are a core technology component of vulnerability
management.
SAINT:
SAINT (Security Administrator's Integrated Network Tool) is a vulnerability scanning tool. It collects information about the type of OS running on a system and the ports that are open. Network vulnerabilities can be detected by attackers on any remote target in a non-intrusive manner.
Network scanning
Network scanning includes using a port scanner to identify all hosts connected to an organization's network. Typical network services operating on those hosts are FTP and HTTP, with IIS and Apache providing the HTTP service. The outcome of the scan is a list of active hosts and services, printers, switches, and routers. Network scanning can also disrupt network operations, as it consumes bandwidth.
Network scanning tools:
• VisioLANsurveyor: automatically discovers the network and generates comprehensive and easy-to-view network maps that can be exported into Microsoft Office. The following are the features of LANsurveyor:
  o It automatically discovers and diagrams the network topology.
  o It produces network maps in Microsoft Office Visio.
  o It detects new devices and modifications in the network topology.
  o It performs inventory management for hardware and software assets.
  o It directly addresses PCI compliance and other regulatory requirements.
• Netcat: is a freely available networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat has the following features:
  o It provides outbound and inbound connections for TCP and UDP ports.
  o It provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters.
  o It is also a good port scanner.
  o It contains advanced usage options, such as buffered send-mode (one line every N seconds) and hexdump (to stderr or to a specified file) of transmitted and received data.
  o It includes an optional RFC854 telnet code parser and responder.
The common Netcat switches are as follows:

Command            Description
nc -d              Detaches Netcat from the console.
nc -l -p [port]    Creates a simple listening TCP port; adding -u puts it in UDP mode.
nc -e [program]    Redirects stdin/stdout from a program.
nc -z              Used for port scanning.
nc -g or nc -G     Specifies source routing flags.
nc -t              Used for Telnet negotiation.
nc -w [timeout]    Sets a timeout before Netcat automatically quits.
nc -v              Puts Netcat into verbose mode.
• Security Manager Plus: is a network security scanner that is used to report on network vulnerabilities, help remediate them, and ensure compliance. It is also used to protect a network from security threats and malicious attacks with vulnerability scanning, patch management, open ports detection, and vulnerability reporting capabilities.
Objectives of scanning
• To detect the live systems running on the network
• To discover which ports are active/running
• To discover the O/S running on the target system (also known as fingerprinting)
• To discover the services running/listening on the system
• To discover the IP address of the target system
CEH scanning methodology
1. Check for live systems.
2. Check for open ports.
3. Grab system banners.
4. Scan for vulnerabilities.
5. Draw network diagrams.
6. Prepare proxies.
Scanning tools
The following are some important scanning tools:
• Global Network Inventory: It is a flexible software and hardware inventory system that can be used as an audit scanner in agent-free and zero deployment environments. Global Network Inventory can audit remote computers and even network appliances, including switches, network printers, document centers, etc.
• Advanced Port Scanner: It is used to check a computer for open ports that can be used in attacks against the computer. It uses the multi-thread technique to scan ports very fast. It also contains descriptions for common ports. Advanced Port Scanner can also perform scanning on predefined port ranges.
• MegaPing: It provides all essential network utilities for information system specialists, system administrators, or individuals. It also includes a comprehensive security scanner, host and port monitor, and network utilities. All these scanners can scan individual computers, domains, any range of IP addresses, selected types of computers inside domains, and user-specified host lists.
• Network Inventory Explorer: It allows administrators to quickly generate a complete hardware and software inventory of all Windows-based computers and SNMP network devices. It can create the inventory database with the hardware installed on remote computers. It also creates reports on the availability of particular software programs.
• SuperScan: It is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the hostname of the remote system. It can also be used as an enumeration tool for the following:
  o NetBIOS information
  o User and Group Accounts information
  o Network shares
  o Trusted Domains
  o Services probing
• Other tools, such as AWPTA, AWSPS UDP scanner, Net Tools Suite Pack, Netifera, Network Inventory Explorer, Nscan, Komodia's PacketCrafter, xCat Portscan, IP Tools, PhatScan, and many others.
3.2 Understand ping sweeping, firewalk tool, and nmap command switches
Exam Focus: Understand ping sweeping, firewalk tool, and nmap command switches. Objective includes:
• Understand ping sweep techniques.
• Understand the firewalk tool.
• Gain knowledge on Nmap command switches.
Ping sweeping
Ping sweeping is a technique used to ping a batch of devices and to get the list of active devices.
While not the most accurate, the simplest way to determine whether systems are live, is to
perform a ping sweep of the IP address range. All systems that respond with a ping reply are
considered live on the network. A ping sweep is also known as Internet Control Message
Protocol (ICMP) scanning, as ICMP is the protocol used by the ping command.
This technique is favored by hackers because, otherwise, pinging every address on the network would be a very time-consuming and tedious task. Ping sweeping, on the other hand, can be run in parallel, such that all systems are scanned at the same time. As one might imagine, this technique can scan an entire network in a short period of time. Upon being pinged, the remote system sends an ICMP ECHO reply message, which indicates that the remote system is alive. If the attacker does not get any response, it means that the target does not exist, the target system is slow, or the ICMP protocol is disabled.
Ping sweep tools
• Angry IP Scanner
• SolarWinds Engineer's Toolset
• Colasoft Ping Tool
• Ping Scanner Pro
• SolarWinds Standard Edition
• Ultra Ping Pro
• Utility Ping
• PingInfoView
• Visual Ping Tester
• PacketTrap pt360
Ping scan
During a ping scan, ICMP ECHO requests are sent to a host. When the host is live, it will return an ICMP ECHO reply. This scan is useful for the following purposes:
• Locating active devices
• Determining if ICMP is passing through a firewall

Source          Destination     Summary
192.168.168.3   192.168.168.5   ICMP: Echo
192.168.168.5   192.168.168.3   ICMP: Echo Reply
Detecting ping sweeps
Almost any Intrusion Detection System (IDS), such as Snort, Genius, BlackICE and others, will detect a ping, as will an Intrusion Prevention System (IPS). Once detected, the tools will alert the security administrator to a ping sweep occurring on the network. Most firewalls and proxy servers block ping responses, so a hacker can't accurately determine whether systems are available using a ping sweep alone. More intense port scanning must be used if systems don't respond to a ping sweep. Just because a ping sweep doesn't return any active hosts on the network doesn't mean they aren't available; you need to try an alternate method of identification. Remember, hacking takes time, patience, and persistence.
Firewalk
Firewalk is a scanning tool like traceroute that attempts to determine what layer 4 protocols a
given IP forwarding device will pass. It sends out TCP or UDP packets with a TTL one greater
than the targeted gateway. The gateway will forward the packets to the next hop where they will
expire and elicit an ICMP_TIME_EXCEEDED message if the gateway allows the traffic. If the
gateway host does not allow the traffic, the response message will not be sent.
Firewalking
Firewalking is a technique for gathering information about a remote network protected by a
firewall. This technique can be used effectively to perform information gathering attacks. In this
technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past
the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next
hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to
the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP
"administratively prohibited" message should be returned to the attacker. A malicious attacker
can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use
firewalking, the attacker needs the IP address of the last known gateway before the firewall and
the IP address of a host located behind the firewall. The main drawback of this technique is that
if an administrator blocks ICMP packets from leaving the network, it is ineffective.
Nmap and its command switches
Nmap is an active, information gathering tool. The nmap utility, also commonly known as a port
scanner, is used to view the open ports on a Linux computer. It is used by administrators to
determine which services are available for external users. This utility helps administrators in
deciding whether to disable the services that are not being used in order to minimize any security
risk. Network administrators can use Nmap for the following purposes:



Maintaining network inventory
Managing service upgrade
Monitoring host or service uptime
Common NMAP switches
• -sT TCP Connect() scan
• -sS SYN scan
• -sF FIN scan
• -sX Xmas-Tree scan
• -sN NULL scan
• -sI Dumb scan (also called an idle scan)
• -sA ACK scan
Some more NMAP options are as follows:
• -P0: Do not try to ping hosts before scanning them.
• -PP: Uses the ICMP timestamp request (ICMP type 13) packet to find listening hosts.
• -6: Enables IPv6 support.
• -oN logfilename: Sends the output in human-readable format to the file of your choice.
• -oX logfilename: Same as -oN, but this time sends it to the log file in XML format.
• -oG logfilename: Same as -oN, but stores all the results on a single line for querying through the grep program.
• --append_output: Appends the output to the existing log files instead of overwriting them.
• -p: Specifies the port number(s) to scan.
3.3 Understand scans
Exam Focus: Understand scans. Objective includes:
• SYN
• Stealth
• XMAS
• NULL
• IDLE
• FIN
• ICMP Echo
• List
• TCP Connect
• Full Open
• FTP Bounce
• UDP
• Reverse Ident
• RPC
TCP SYN scanning
TCP SYN scanning is also known as half-open scanning because in this type of scanning, a full
TCP connection is never opened. The steps of TCP SYN scanning are as follows:
1. An attacker sends a SYN packet to the target port.
2. If the port is open, the attacker receives the SYN/ACK message.
3. Now the attacker breaks the connection by sending an RST packet.
4. If the RST packet is received, it indicates that the port is closed.
This type of scanning is hard to trace because the attacker never establishes a full 3-way
handshake connection and most sites do not create a log of incomplete TCP connections.
TCP SYN/ACK scanning
In TCP SYN/ACK scanning, an attacker sends a SYN/ACK packet to the target port. If the port
is closed, the victim assumes that this packet was mistakenly sent by the attacker, and sends the
RST packet to the attacker. If the port is open, the SYN/ACK packet will be ignored and the port
will drop the packet. TCP SYN/ACK scanning is stealth scanning, but some intrusion detection
systems can detect TCP SYN/ACK scanning.
Stealth scan
Stealth scanning techniques are used by attackers to bypass firewall rules and logging mechanisms and to disguise their traffic as normal network traffic.
The client sends a single SYN packet to the server on the appropriate port. The server responds
with a SYN/ACK packet if the port is open. The remote port is in the 'closed' state if the server
responds with a RST packet. To close the initiation before a connection can ever be established,
the client sends the RST packet.
Xmas scan
Xmas scan sends a TCP frame to a remote device with the following flags set:
• URG
• ACK
• RST
• SYN
• FIN
Xmas Tree scanning
Xmas Tree scanning is just the opposite of NULL scanning: in Xmas Tree scanning, all flags are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with an RST packet. Active monitoring of all incoming packets can help network administrators detect a Xmas Tree scan.
NULL scan
The NULL scan only works if the OS's TCP/IP implementation follows RFC 793. It does not work against any current version of Microsoft Windows. In a NULL scan, attackers send a TCP frame to a remote host with no flags set.
IDLE scan
The IDLE scan is initiated with the IP address of a third party; hence, the scan is the only totally
stealth scan. Since the IDLE scan uses the IP address of a third party, it becomes quite
impossible to detect the hacker.
Steps during IDLE scan
The following steps are taken during an IDLE scan:
1. Send a SYN/ACK packet to the zombie machine in order to probe its IP ID number. Every IP packet on the Internet has a fragment identification number (IP ID) that is a 4 digit number. Each time a host sends an IP packet, the IP ID increases.
2. The zombie, not expecting a SYN/ACK packet, sends an RST packet, disclosing its IP ID.
3. Analyze the RST packet from the zombie machine in order to extract the IP ID.
4. Send a SYN packet to the target machine (port 80), spoofing the IP address of the "zombie".
5. The target will send an RST to the "zombie" if the port is closed, but the zombie will not send anything back.
6. Probe the "zombie" IP ID again.
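The six steps above as an added simulation (not part of the study guide): a minimal model of two hosts shows why a zombie with a sequential IP ID counter leaks the target's port state through a change of 1 (closed) or 2 (open), and why the standard countermeasure, randomizing the IP ID field, leaves the prober with nothing to infer. Host names, the starting counter value 1000 and the use of port 80 for the probe are assumptions of the example.

```python
import random


class Host:
    """Toy TCP/IP stack modelling only the behaviour the idle scan depends on."""

    def __init__(self, name, open_ports, randomize_ipid=False, seed=0):
        self.name = name
        self.open_ports = set(open_ports)
        self.randomize_ipid = randomize_ipid   # True = hardened stack (countermeasure)
        self.ipid = 1000                       # constructed starting value of the 16-bit IP ID
        self.rng = random.Random(seed)
        self.outbox = []                       # every packet emitted: (src, dst, flags, port, ipid)

    def next_ipid(self):
        # Predictable stacks bump one global counter per packet sent; a randomized
        # IP ID removes the side channel the idle scan reads.
        if self.randomize_ipid:
            return self.rng.randrange(65536)
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def send(self, dst, flags, port):
        pkt = (self.name, dst, flags, port, self.next_ipid())
        self.outbox.append(pkt)
        return pkt

    def receive(self, src, flags, port):
        """RFC 793 reaction to an incoming segment; returns the reply packet or None."""
        if flags == "SYN":
            return self.send(src, "SYN/ACK" if port in self.open_ports else "RST", port)
        if flags == "SYN/ACK":
            return self.send(src, "RST", port)  # unexpected SYN/ACK -> RST, which carries an IP ID
        return None                              # an incoming RST is silently dropped


def probe_ipid(zombie, prober="prober"):
    """Steps 1-3: unsolicited SYN/ACK to the zombie, read the IP ID from its RST."""
    reply = zombie.receive(prober, "SYN/ACK", 80)
    return reply[4]


def idle_scan_port(zombie, target, port):
    """Steps 1-6: infer the target's port state from the zombie's IP ID change only."""
    before = probe_ipid(zombie)
    # Step 4: the SYN carries the zombie's address, so the target answers the zombie.
    answer = target.receive(zombie.name, "SYN", port)
    if answer is not None:
        # Step 5: SYN/ACK makes the zombie emit an RST (counter +1); an RST is ignored (+0).
        zombie.receive(target.name, answer[2], port)
    after = probe_ipid(zombie)                   # step 6
    delta = (after - before) & 0xFFFF
    return {1: "closed", 2: "open"}.get(delta, "unknown")
```

With a randomized zombie the delta is essentially arbitrary, so the same routine returns "unknown" (or, rarely, a wrong state) and the third party stops being usable as a measuring instrument.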
FIN scan
The FIN scan sends a TCP frame with the FIN flag set to a remote device. The FIN scan only
works with OS TCP/IP that is developed according to RFC 793. The FIN scan does not work
against any current version of Microsoft Windows.
TCP FIN scanning
TCP FIN scanning is a type of stealth scanning through which the attacker sends a FIN packet to
the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by
the attacker and sends the RST packet to the attacker. If the port is open, the FIN packet will be
ignored and the port will drop that packet. TCP FIN scanning is useful only for identifying ports
of non-Windows operating systems, because Windows operating systems send only RST packets
irrespective of whether the port is open or closed.
ICMP echo scanning
ICMP echo scanning can be used to find which hosts in a network are up by pinging them all.
Since ICMP does not have a port abstraction, ICMP port scanning is not really port scanning.
ICMP Source Quench
ICMP Source Quench is an Internet Control Message Protocol message which requests the
sender to decrease the traffic rate of messages to a router or host. This message may be generated
if the router or host does not have sufficient buffer space to process the request, or may occur if
the router or host's buffer is approaching its limit.
TCP FTP proxy (bounce attack) scanning
In TCP FTP proxy (bounce attack) scanning, a scanner connects to an FTP server and requests that the server start a data transfer to a third system. The scanner uses the FTP PORT command to declare that the data transfer process is listening on the target system at a certain port number. The scanner then uses the FTP LIST command to list the current directory; the result is sent via the server. If the data transfer is successful, it is clear that the port is open. If the port is closed, the attacker receives a connection refused ICMP error message.
List scan
The list scan simply lists the IP addresses that would normally be actively scanned. The list scan does not ping the hosts, nor does it send a TCP ACK to the default port number.
TCP Connect/ Full Open scan
The TCP Connect scan completes three-way handshake to detect when a port is open. It
establishes a full connection and sends a RST packet to tear the connection down.
UDP port scanning
In UDP port scanning, a UDP packet is sent to each port of the target system. If the remote port
is closed, the server replies that the remote port is unreachable. If the remote port is open, no
such error is generated. Since so many firewalls block TCP port scanning, UDP port scanning
may be useful to retrieve information about open ports. Certain IDS and firewalls can detect
UDP port scanning easily.
Reverse ident scan
In the reverse ident scan, the attacker takes advantage of the ident protocol to get the username of
the owner of any process. The ident protocol allows for the disclosure of the username of the
owner of any process connected via TCP, even if that process has not initiated the connection.
RPC scan
The RPC (Remote Procedure Call) scan is used to find RPC applications. After obtaining the RPC application port with the help of another port scanner, the RPC port scanner sends a null RPC packet to all the open RPC service ports on the target system.
IP protocol scan
The IP protocol scan is used for searching additional IP protocols, such as ICMP, TCP, and
UDP. The IP protocol scan locates uncommon IP protocols that may be in use on a system. Such
protocols are often found on routers and switches configured with additional IP protocol support,
such as EGP or IGP. If a hacker locates these additional protocols, this helps in determining if
the destination device is a workstation, a printer, or a router. A hacker can do IP scanning easily
with the nmap -sO switch.
Inverse TCP flag scanning
Attackers send TCP probe packets with FIN, URG, and PSH TCP flags set or with no flags. No
response implies that the port is open and RST/ACK implies that the port is closed.
ACK flag scanning
Attackers send an ACK probe packet with a random sequence number. No response implies that
the port is filtered (stateful firewall is present) and RST response implies that the port is not
filtered.
Scanning countermeasures
The following are scanning countermeasures:
• Configure firewall and IDS rules to detect and block probes.
• Use a custom rule set to lock down the network.
• Hide sensitive information from public view.
• Block unwanted ports at the firewall.
• Filter inbound ICMP message types and all outbound ICMP type 3 (unreachable) messages at border routers and firewalls.
• Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques.
• Understand the network configuration and its accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space.
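The first countermeasure, detection rules for probes, as an added example that is not from the study guide: two rules run over constructed packet records, one catching a ping sweep (one source echo-requesting many distinct hosts in a short window) and one catching the half-open SYN scan described in 3.3, whose SYNs are never followed by the client's handshake-completing ACK, which is exactly what a site that logs only completed TCP connections misses. Addresses, thresholds and the record layout are assumptions of the example.

```python
from collections import defaultdict

# Constructed packet records: (time_s, src, dst, proto, dport_or_icmp_type, tcp_flags).
# For ICMP the fifth field holds the ICMP type (8 = echo request) and flags are "".


def constructed_traffic():
    pkts, t = [], 0.0
    # 1) Ping sweep: 10.0.0.66 echo-requests 40 different hosts in about two seconds.
    for i in range(1, 41):
        pkts.append((t, "10.0.0.66", f"10.0.0.{i}", "icmp", 8, ""))
        t += 0.05
    # 2) Half-open SYN scan of 10.0.0.5: SYN to 50 ports, each torn down with RST.
    for port in range(1, 51):
        pkts.append((t, "10.0.0.66", "10.0.0.5", "tcp", port, "S"))
        pkts.append((t + 0.01, "10.0.0.66", "10.0.0.5", "tcp", port, "R"))
        t += 0.02
    # 3) Legitimate client 10.0.0.7: SYN then the ACK that completes the handshake.
    for port in (80, 443):
        pkts.append((t, "10.0.0.7", "10.0.0.5", "tcp", port, "S"))
        pkts.append((t + 0.01, "10.0.0.7", "10.0.0.5", "tcp", port, "A"))
        t += 0.5
    return pkts


def detect_ping_sweep(pkts, min_hosts=16, window=10.0):
    """Sources that echo-request at least min_hosts distinct hosts within window seconds.
    Returns {src: peak number of distinct hosts seen in one window}."""
    per_src = defaultdict(list)
    for t, src, dst, proto, icmp_type, _ in pkts:
        if proto == "icmp" and icmp_type == 8:
            per_src[src].append((t, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts


def detect_half_open_scan(pkts, min_ports=10):
    """Sources with at least min_ports SYNs that the same client never followed with an
    ACK (SYN then RST, or SYN then silence). Returns {src: number of half-open ports}."""
    syn_sent, completed = set(), set()        # keyed by (src, dst, dport)
    for _, src, dst, proto, dport, flags in pkts:
        if proto != "tcp":
            continue
        key = (src, dst, dport)
        if flags == "S":
            syn_sent.add(key)
        elif flags == "A" and key in syn_sent:  # third step of the handshake seen
            completed.add(key)
    half_open = defaultdict(set)
    for src, dst, dport in syn_sent - completed:
        half_open[src].add((dst, dport))
    return {src: len(p) for src, p in half_open.items() if len(p) >= min_ports}
```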
IDS evasion techniques
The following are IDS evasion techniques:
• Use fragmented IP packets.
• Spoof your IP address when launching attacks and sniff responses from the server.
• Use source routing if possible.
• Connect to proxy servers or compromised trojaned machines in order to launch attacks.
IP fragmentation tools
IP fragmentation is the process of breaking up a single IP datagram into multiple packets of
smaller size. Datagrams can be fragmented into pieces small enough to pass over a link with a
smaller Maximum Transmission Unit (MTU) than the original datagram size. IP fragmentation
exploits (attacks) use the fragmentation protocol within IP as an attack vector.
Here are a few IP fragmentation tools:
• Fragtest: determines the types of fragmented ICMP messages that are processed and responded to by the remote host.
• Fragroute: is a tool that is used to fragment packets before transmission. It can intercept, modify, or rewrite traffic that is destined for any specific host and can be used to perform attacks such as fragmentation, overlap, overwrite, etc. This tool is used for testing vulnerabilities in IDSs and firewalls. It is also used by attackers for evading an IDS, since in most cases fragmented packets can bypass IDSs and firewalls.
3.4 Learn TCP communication flag types, and gain knowledge on War dialing techniques
Exam Focus: Learn TCP communication flag types, and gain knowledge on War dialing techniques. Objective includes:
• Understand the three-way handshake.
• Learn TCP communication flag types.
• Gain knowledge on War dialing techniques.
Three-way handshake method
The three-way handshake method is used by the TCP protocol to establish a connection between
a client and the server. It involves three steps:
1. In the first step of the three-way handshake method, a SYN message is sent from the client to the server.
2. In the second step, a SYN/ACK is sent from the server to the client.
3. In the third step, an ACK (usually called SYN-ACK-ACK) is sent from the client to the server. At this point, both the client and server have received an acknowledgment of the TCP connection.
TCP communication flags
TCP communication flags are used to communicate between two systems using the TCP protocol. An attacker can use these flags to determine whether or not a particular port is open. The following types of TCP communication flags exist:
• SYN (Synchronize): This flag initiates a connection between hosts.
• ACK (Acknowledge): This flag establishes a connection between hosts.
• PSH (Push): This flag indicates that the system is forwarding buffered data.
• URG (Urgent): This flag indicates that data in packets must be processed quickly.
• FIN (Finish): This flag indicates that there should not be any more transmissions.
• RST (Reset): This flag resets the connection.
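The flag types listed here and the flag-based scans of section 3.3 (SYN, NULL, FIN, Xmas tree, inverse-flag and ACK probes), as one added example that is not from the study guide: it parses the flag bits out of a raw TCP header, labels the combination the way an IDS signature would, and states the reply the guide says each probe draws from an RFC 793 stack versus a Windows-style stack that answers every inverse probe with RST. The header builder, the port numbers and the label strings are constructed for the example.

```python
import struct

# TCP flag bits in the low byte of the header's offset/reserved/flags word (RFC 793).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Build a constructed 20-byte TCP header (no options) with the given flags set."""
    flag_word = (5 << 12) | sum(FLAG_BITS[f] for f in flags)  # data offset = 5 words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       flag_word, 65535, 0, 0)  # window, checksum (unset), urgent pointer


def parse_tcp_flags(header):
    """Return the set of flag names that are set in a raw TCP header."""
    flag_word = struct.unpack("!H", header[12:14])[0]
    return {name for name, bit in FLAG_BITS.items() if flag_word & bit}


def classify_probe(flags):
    """Label a flag combination the way a detection signature for the scans above would."""
    f = set(flags)
    if not f:
        return "NULL probe"
    if f == set(FLAG_BITS):
        return "Xmas tree probe (all flags)"
    if f == {"FIN", "PSH", "URG"}:
        return "inverse-flag probe (FIN/PSH/URG)"
    if f == {"FIN"}:
        return "FIN probe"
    if f == {"ACK"}:
        return "ACK probe"
    if f == {"SYN"}:
        return "SYN (half-open probe or normal connection start)"
    if f == {"SYN", "ACK"}:
        return "SYN/ACK (handshake reply or SYN/ACK probe)"
    return "other"


def expected_response(flags, port_open, rfc793_stack=True):
    """Reply the prober expects, following this guide: an RFC 793 stack answers an
    inverse probe (NULL/FIN/Xmas) with RST only when the port is closed, while a
    Windows-style stack answers RST either way, so those scans learn nothing from it."""
    f = set(flags)
    if "RST" in f:
        return "none"                        # resets are never answered
    if f == {"SYN"}:
        return "SYN/ACK" if port_open else "RST"
    if f == {"ACK"}:
        return "RST"                         # unsolicited ACK: RST whether open or closed
    if "ACK" in f:
        return "implementation-dependent"
    if not rfc793_stack:
        return "RST"                         # Windows behaviour described above
    return "none" if port_open else "RST"    # RFC 793 behaviour
```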
Sequence number
A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over
the network, it is broken into fragments (packets) at the source and reassembled at the destination
system. Each packet contains a sequence number that is used by the destination system to
reassemble the data packets in the correct order. Each time a system boots, it has an initial
sequence number (ISN), e.g. 1. After every second, the ISN is incremented by 128,000. When
the system connects to another system and establishes a connection, the ISN is incremented by
64,000. For example, if a host has the ISN 1,254,332,454 and the host sends one SYN packet, the
ISN value will be incremented by 1, i.e., the new ISN will be 1,254,332,455.
Condition                        Increment in the ISN value
Transfer of a SYN packet         1
Transfer of a FIN packet         1
Transfer of an ACK packet        0
Transfer of a SYN/ACK packet     1
Transfer of a FIN/ACK packet     1
Passage of 1 second              128,000
Establishment of one connection  64,000
HPING3
HPING3 is a multi-purpose tool that can be used for various types of port scanning including idle
scanning. The commands used for various types of scanning are as follows:
• ICMP ping: hping3 -1 192.168.1.1
• ACK scan on port 8080: hping3 -A 192.168.1.1 -p 8080
• UDP scan on port 8080: hping3 -2 192.168.1.1 -p 8080
• Collecting the initial sequence number: hping3 192.168.1.100 -Q -p 139 -s
• SYN scan on ports 50-100: hping3 -8 50-100 -S 192.168.1.1 -V
• FIN, PUSH, and URG scan on port 80: hping3 -F -P -U 192.168.1.1 -p 80
• Scan the entire subnet for hosts: hping3 -1 192.168.1.x --rand-dest -I eth0
• Intercept all traffic containing the HTTP signature: hping3 -9 HTTP -I eth0
• IDLE scan: hping3 192.168.1.1 -r
War dialer
A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable
modems to provide unauthorized access to the system. THC-Scan, ToneLoc, and PhoneSweep
are some good examples of war dialer tools. There are various War dialing tools, such as THC
Scan, TeleSweep Secure, ToneLoc, iWar, ShokDial, Visual NetTools, etc.
War dialing
War dialing is a technique in which an attacker uses a modem to automatically scan a list of telephone numbers, usually by dialing every number in a local area code, to search for computers, bulletin board systems, and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers (malicious hackers who specialize in breaking computer security) for password guessing. Sandtrap can detect war dialing attempts and immediately inform the administrator of being called or connected, through an HTTP POST to a Web server.
War dialing occurs in the following situations:
• When your modems reveal banners with their identity
• When there is unknown open access to a legacy system
• When your authorized modems are susceptible to a break-in using a war dialer
• When someone inside your organization has attached a modem to your network
• When you are at risk by not conducting regular audits across your organization
• When your modems still have default manufacturer passwords
The following are War dialing tools:
• WarVOX
• PhoneSweep
• THC Scan
• TeleSweep Secure
• PAW/PAWS
• ToneLoc
• iWar
• Plax Network Suite
• ShokDial
• Visual NetTools
Countermeasures of War dialing
• Developing and implementing security policies
• Conducting a manual reconnaissance of the network
• Using phone numbers completely different from internal PBX numbers
• Checking auto answer configurations on the modem
• Logging all successful and failed login attempts
• Documenting floor plans and all your equipment
3.5 Understand banner grabbing using fingerprinting and other techniques and tools
Exam Focus: Understand banner grabbing using fingerprinting and other techniques and tools. Objective includes:
• Understand banner grabbing.
• Understand OS fingerprinting.
• Understand active stack fingerprinting.
• Understand passive fingerprinting and other techniques and tools.
Banner grabbing
Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use this to take
inventory of the systems and services on their network. An intruder, however, can use banner
grabbing in order to find network hosts that are running versions of applications and operating
systems with known exploits. Some examples of service ports used for banner grabbing are those
used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail
Transfer Protocol (SMTP); ports 80, 21, and 25, respectively. Tools commonly used to perform
banner grabbing are Telnet, which is included with most operating systems, and Netcat.
For example, one could establish a connection to a target host running a Web service with netcat,
then send a bad html request in order to get information about the service on the host:
[root@prober] nc www.targethost.com 80
HEAD / HTTP/1.1
HTTP/1.1 200 OK
Date: Mon, 11 May 2009 22:10:40 EST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: "1986-69b-123a4bc6"
Accept-Ranges: bytes
Content-Length: 1110
Connection: close
Content-Type: text/html
The administrator can now catalog this system, while an intruder now knows what version of Apache to look for exploits against.
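The cataloguing step, as an added example rather than part of the study guide: a parser for the HEAD response shown above that extracts the Server banner and reports how much it discloses (product, version, OS comments), so an administrator can inventory hosts and flag servers that still advertise their version. The sample input is the response quoted above, embedded as constructed data; the stricter banner "Apache" is what a server configured to withhold version details returns.

```python
import re

# The HEAD response quoted above, embedded here as the constructed sample input.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Mon, 11 May 2009 22:10:40 EST",
    "Server: Apache/2.0.46 (Unix) (Red Hat/Linux)",
    "Last-Modified: Thu, 16 Apr 2009 11:20:14 PST",
    'ETag: "1986-69b-123a4bc6"',
    "Accept-Ranges: bytes",
    "Content-Length: 1110",
    "Connection: close",
    "Content-Type: text/html",
]) + "\r\n\r\n"


def parse_http_head(raw):
    """Split a raw HTTP response into (status_line, {lowercase header name: value}).
    Accepts CRLF or bare LF line endings and ignores any body after the blank line."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_disclosure(headers):
    """Describe what the Server banner reveals. A banner such as "Apache/2.0.46 (Unix)
    (Red Hat/Linux)" leaks product, exact version and platform; "Apache" alone does not."""
    banner = headers.get("server", "")
    m = re.match(r"([A-Za-z][\w.-]*)(?:/(\S+))?", banner)
    product = m.group(1) if m else ""
    version = m.group(2) if m and m.group(2) else ""
    comments = re.findall(r"\(([^)]*)\)", banner)       # parenthesised OS/distribution hints
    return {"product": product, "version": version, "comments": comments,
            "leaks_version": bool(version) or bool(comments)}


def inventory_record(raw):
    """One catalogue entry for a host from its raw banner-grab output."""
    status, headers = parse_http_head(raw)
    record = {"status": status}
    record.update(server_disclosure(headers))
    return record
```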
Banner grabbing tools
The following are banner grabbing tools:
• ID Serve: It is used to identify the make, model, and version of server software of any Web site. It is also used to identify non-HTTP (non-Web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
• Netcraft: It reports a site's operating system, Web server, and netblock owner, and, if present, a graphical view of the time since last reboot for every computer serving the site.
File extensions
File extensions provide information regarding the underlying server technology. This
information can be used by attackers to search vulnerabilities and launch attacks. Application
mappings such as .asp, .htm, or .foo, etc. are changed to mask the identity of the servers. IIS
users use tools such as PageXchanger in order to manage the file extensions.
Hiding file extensions is considered as a good practice for hiding the technology that generates
dynamic pages.
OS fingerprinting
OS fingerprinting is the easiest way to detect the operating system (OS) of a remote system. OS
detection is important because, after knowing the target system's OS, it becomes easier to hack
the system. The comparison of data packets that are sent by the target system is done by
fingerprinting. The analysis of data packets gives the attacker a hint as to which operating system
is being used by the remote system. There are two types of fingerprinting techniques, which are
as follows:
1. Active fingerprinting
2. Passive fingerprinting
In active fingerprinting, ICMP messages are sent to the target system, and the response message of the target system shows which OS is being used by the remote system. In passive fingerprinting, the number of hops reveals the OS of the remote system.
Methods of active OS fingerprinting
The most common methods of active OS fingerprinting are as follows:
• ICMP error message quoting: Since different operating systems quote different types of information in the ICMP error message, an attacker can easily identify the operating system of a remote host by analyzing the ICMP error message quotes.
• ICMP error message quenching: In this method, an attacker sends UDP packets to random unused ports of a remote host. When the remote host replies with ICMP error messages, the attacker can identify the operating system by counting the number of ICMP replies sent from the remote host.
• Window size: Many operating systems use a unique window size value in all outgoing data packets, so the operating system of a remote host can be easily identified by an attacker after analyzing the window size value.
• Studying the ISN: Many operating systems follow a particular sequence of ISNs. Hence, analyzing the ISN gives an attacker a good clue about the operating system.
• Sending FIN packets to open ports on the remote system: Some non-UNIX operating systems do not respond to FIN packets. This may provide a good hint to an attacker about which operating system is being used by the remote host.
Methods of passive OS fingerprinting
In passive OS fingerprinting, an attacker installs a sniffer on a third-party system, such as a router,
through which the victim communicates frequently. The attacker then studies the sniffer's log and
the responses, and receives hints about the remote OS from the following parameters:
• TTL values: the Time To Live value of any packet sent by a host.
• The window size: for many operating systems, the initial window size value is fixed.
• Don't Fragment bit (DF): some operating systems set the DF bit, and some do not.
• Type of service: the type of service value varies from OS to OS.
When an attacker identifies these values from the sniffer's logs, he matches them against his database
of known operating system signatures and receives a clue about which OS is running on the
remote computer.
Email header passive OS fingerprinting
Email header passive OS fingerprinting is a method by which an attacker can use the email
header for remote OS detection. The email header is analyzed to get information about the
remote OS. Email headers usually give information about the mail daemon of a remote
computer. Since a specific mail daemon is usually used for a particular OS, an attacker can easily
guess the OS of the remote computer with the help of the mail daemon information.
TCP/IP stack fingerprinting
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote
device during standard layer 4 network communications. The combination of parameters may
then be used to infer the remote operating system (OS fingerprinting), or incorporated into a
device fingerprint. Different operating systems, and different versions of the same operating
system, set different defaults for these values. By collecting and examining these values, one
may differentiate among various operating systems, and implementations of TCP/IP. The TCP/IP
fields that may vary include the following:
• Initial packet size (16 bits)
• Initial TTL (8 bits)
• Window size (16 bits)
• Max segment size (16 bits)
• Window scaling value (8 bits)
• "don't fragment" flag (1 bit)
• "sackOK" flag (1 bit)
• "nop" flag (1 bit)
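Added example (not part of the study guide) that turns the passive technique of the two passages above into working code: it decodes the fingerprint fields from a raw IPv4/TCP SYN, estimates the hop count from the observed TTL, and looks the combination up in a signature table. Every signature value, address and packet here is constructed for illustration, not measured from a real operating system.

```python
"""Passive OS fingerprint lookup over the TCP/IP fields listed in the text.
Added example; signature values and sample packets are constructed, not real."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class SynObservation:
    ttl: int
    tos: int
    df: bool
    window: int
    mss: Optional[int]
    wscale: Optional[int]
    sack_ok: bool


def parse_syn(packet: bytes) -> SynObservation:
    """Extract the fingerprint fields from an IPv4 header followed by a TCP header."""
    ver_ihl, tos, _tlen, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)            # DF is the middle bit of the 3-bit flags field
    tcp = packet[ihl:]
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    options = tcp[20:(off_flags >> 12) * 4]   # data offset is counted in 32-bit words
    mss = wscale = None
    sack_ok = False
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # nop, a single byte
            i += 1
            continue
        length = options[i + 1]
        if kind == 2:                         # maximum segment size
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        elif kind == 3:                       # window scale
            wscale = options[i + 2]
        elif kind == 4:                       # sackOK
            sack_ok = True
        i += length
    return SynObservation(ttl, tos, df, window, mss, wscale, sack_ok)


def guess_initial_ttl(observed_ttl: int) -> int:
    """Hosts start at 32/64/128/255 and each hop decrements, so round up to the nearest one."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError("TTL outside 0..255")


# Constructed signature table keyed on (initial TTL, window, DF, MSS, wscale, sackOK).
SIGNATURES = {
    (64, 65535, True, 1460, 7, True): "constructed-os-A",
    (128, 64240, True, 1460, 8, True): "constructed-os-B",
    (255, 4128, False, 536, None, False): "constructed-os-C",
}


def fingerprint(packet: bytes) -> Tuple[str, int]:
    """Return (signature label or 'unknown', estimated hop count) for one observed SYN."""
    obs = parse_syn(packet)
    initial = guess_initial_ttl(obs.ttl)
    key = (initial, obs.window, obs.df, obs.mss, obs.wscale, obs.sack_ok)
    return SIGNATURES.get(key, "unknown"), initial - obs.ttl


def build_syn(ttl, tos, df, window, mss, wscale, sack_ok) -> bytes:
    """Construct a sample SYN for the demo (checksums left zero; nothing is ever sent)."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)
    if sack_ok:
        opts += bytes([4, 2])
    if wscale is not None:
        opts += bytes([1, 3, 3, wscale])       # nop + window scale, a common layout
    opts += b"\x01" * (-len(opts) % 4)         # pad the option list to a 32-bit boundary
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, ((tcp_len // 4) << 12) | 0x02,
                      window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + tcp_len, 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp
```

A defender who changes the defaults of these fields (as the countermeasures later in this section suggest) moves a host out of whichever table row it would otherwise match.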
httprint
httprint is a fingerprinting tool that is based on Web server characteristics to accurately identify
Web servers. It works even when a Web server may have been obfuscated by changing the
server banner strings, or by plug-ins such as mod_security or servermask. It can also be used to
detect Web-enabled devices that do not contain a server banner string, such as wireless access
points, routers, switches, cable modems, etc. httprint uses text signature strings for identification,
and an attacker can also add signatures to the signature database.
Countermeasures against OS fingerprinting
The following are the countermeasures against OS fingerprinting:
• Using Snort rules to detect the various OS fingerprinting attacks
• Checking whether any new malicious connection has been established or not
• Updating antivirus and firewall regularly
• Changing the default values of the various parameters that are used in passive OS fingerprinting
• Using secure communication with encrypted protocols
3.6 Learn vulnerability scanning using BidiBlah and other hacking tools
Exam Focus: Learn vulnerability scanning using BidiBlah and other hacking tools. Objective
includes:
• BidiBlah
BiDiBLAH
BiDiBLAH is a vulnerability scanner that is used mainly in the footprinting step. It uses well-known
tools to perform scanning. Its hacking/vulnerability assessment tools include MetaSploit,
Nessus, and Google Hacking scripts.
Tabs in BiDiBLAH
There are five important tabs in the BiDiBLAH tool. These are as follows:
• Subdomain tab: In this tab, a user needs to enter the Google API key. It uses keywords to perform Google hacking.
• Forwards tab: It searches the .bfdns extensions and uses their contents in the list of names that will be used for the brute force attack.
• Portscan tab: This tab is used for port scanning.
• Nessus tab: In this tab, an attacker needs to select the Nessus server (IP or DNS name) and enter the Nessus username and password to perform vulnerability scanning with the Nessus vulnerability scanner.
• MetaSploit tab: In this tab, an attacker needs to enter the location of the Metasploit framework's Web interface. The attacker can test the Metasploit setup by clicking "load exploits" in the MetaSploit tab. It will show the list of exploits.
Installing BiDiBLAH
The primary installation of the BiDiBLAH utility is straightforward. To install this utility, run
its install.exe. After completion of the installation, make some changes to the
operating system to allow the utility to function. The first step is to load a raw packet driver. This
allows the BiDiBLAH utility to send the packets that are required for port scanning and banner
grabbing. When the raw packet driver is loaded, a protocol is added to the network card
configuration. The next step is to disable firewalls running on the system and configure
BiDiBLAH.
System requirements for installing BiDiBLAH
• .NET framework 2.0
• Nessus server
• SPUD for the sub domain discovery module
• 256 MB RAM or higher
• Raw packet driver for Windows XP or compatible version
• Office 2003 or higher
3.7 Understand proxy servers, anonymizers, HTTP tunneling techniques, and IP spoofing
techniques
Exam Focus: Understand proxy servers, anonymizers, HTTP tunneling techniques, and IP
spoofing techniques. Objective includes:
• Understand how proxy servers are used in launching an attack.
• Gain insights on the working of anonymizers.
• Identify HTTP tunneling techniques.
• Identify IP spoofing techniques.
• Understand various scanning countermeasures.
Proxy servers
A proxy server is a server (a computer system or an application program) that acts as an
intermediary for requests from clients seeking resources from other servers. A client connects to
the proxy server, requesting some service, such as a file, connection, Web page, or other
resource, available from a different server. The proxy server evaluates the request according to
its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is
validated by the filter, the proxy provides the resource by connecting to the relevant server and
requesting the service on behalf of the client. A proxy server may optionally alter the client's
request or the server's response, and sometimes it may serve the request without contacting the
specified server. In this case, it 'caches' responses from the remote server, and returns subsequent
requests for the same content directly. Unwanted content, such as ads or unsuitable material,
can be filtered out using specialized proxy servers.
Use of proxies for attack
Benefits of a proxy server
A proxy server has a variety of benefits, including:
• Protecting the local network from outside access
• Permitting the connection of a number of computers to the Internet with only one IP address
• Anonymizing Web surfing
• Providing some protection against hacking attacks
• Keeping machines behind it anonymous (mainly for security)
• Speeding up access to resources (using caching)
• Applying access policy to network services or content, e.g. to block undesired sites
• Logging / auditing usage, i.e., to provide company employee Internet usage reporting
• Bypassing security / parental controls
• Scanning transmitted content before delivery for malware
• Circumventing regional restrictions
Types of proxy servers
A proxy server that passes requests and replies unmodified is usually called a gateway or
sometimes tunneling proxy. A proxy server can be placed in the user's local computer or at
various points between the user and the destination servers on the Internet.
A reverse proxy is an Internet-facing proxy used as a front-end to control and protect access to a
server on a private network. It also performs tasks such as load-balancing, authentication,
decryption, and caching.
Multiproxy is a multifunctional personal proxy server that protects your privacy while on the
Internet. It can completely hide your IP address by dynamically connecting to non-transparent
anonymizing public proxy servers. You can also test a list of proxy servers and sort them by
connection speed and level of anonymity.
Proxy Workbench is a type of proxy server that resides inside a network, monitors connections,
and supports proxy chaining.
SSLProxy is a transparent proxy that can translate between encrypted and unencrypted data
transport on socket connections. It also has a non-transparent mode for automatic encryption
detection on NetBIOS. SSLProxy is used to launch exploits using the SSL product, cover the
attack path, and evade IDS systems.
Anonymizers
Anonymizers are the services that help make a user's own Web surfing anonymous. An
anonymizer removes all the identifying information from a user's computer while the user surfs
the Internet. In this manner, it ensures the privacy of the user. After the user anonymizes a Web
access with an anonymizer prefix, every subsequent link selected is also automatically accessed
anonymously. Most anonymizers can anonymize at least the Web (http:), file transfer protocol
(ftp:), and gopher (gopher:) Internet services. The following are some common anonymizers:
• Mowser
• Anonymizer
• Anonymous Web Surfing Tool
• The Cloak
• Hide Your IP Address
• IDsecure
• JAP Anonymity and Privacy
• Guardster
Uses of anonymizers
The following are the uses of anonymizers:
• They provide privacy and anonymity.
• They protect from online attacks.
• They access government-restricted content.
• They bypass IDS and firewall rules.
Networked anonymizers
Networked anonymizers transfer communications between a user and destination computers
through a network of Internet computers. Their advantage is that traffic analysis becomes
complex because the communication path is complicated. Their disadvantage is that any multi-node
network communication carries some degree of risk at each node that confidentiality is
compromised.
Single-point anonymizers
Single-point anonymizers protect your identity by passing your surfing through a single Web site.
Their advantage is that the arm's-length communication protects the user's IP address and related
identifying information. Their disadvantage is that they provide less resistance to sophisticated
traffic analysis.
Limitations of anonymizers
Anonymizers have the following limitations:
1. HTTPS: Secure protocols such as 'https:' cannot be properly anonymized, as the browser
needs to access the site directly to properly maintain secure encryption.
2. Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an
established independent direct connection from the user computer to a remote site.
3. Java: Any Java application accessed through an anonymizer will not be able to bypass
the Java security wall.
4. ActiveX: ActiveX applications have almost unlimited access to the user's computer
system.
5. JavaScript: The JavaScript scripting language is disabled with URL-based anonymizers.
TOR (The Onion Routing)
TOR (The Onion Routing) includes the following:
• Anonymity: Offers anonymous communication over the Internet.
• Privacy: Ensures the privacy of both the sender and the recipient of a message.
• Security: Offers multiple layers of security to a message.
• Encryption: Uses public key encryption to encrypt and decrypt all data packets.
• Proxy chain: Uses cooperating proxy routers throughout the network.
• Tor proxy: A TOR client, the initiating onion router, determines the path of transmission.
Psiphon
Psiphon is a censorship circumvention system. In countries where the Internet is censored,
Psiphon permits users to bypass firewalls and access blocked sites. Psiphon uses a secure,
encrypted HTTP tunnel connection to carry requests from a psiphonite to a psiphonode.
The psiphonode transports the result back to the requesting psiphonite. Psiphon acts as a Web proxy
for authenticated psiphonites, and bypasses the content-filtering systems of countries such as
China, North Korea, Iran, Saudi Arabia, Egypt, and others.
HTTP tunneling
HTTP tunneling is a technique by which communications performed using various network
protocols are encapsulated using the HTTP protocol. Despite the restrictions imposed by a
firewall, the HTTP tunneling technology permits users to perform various Internet tasks. This is
made possible by sending data via HTTP (port 80). The HTTP protocol, therefore, acts as a
wrapper for a covert channel that the network protocol being tunneled uses to communicate. A
hacker using an HTTP tunneling tool can subvert the proxy by hiding potentially destructive
protocols, such as IM or chat, within an innocent-looking protocol packet. The following are
HTTP tunneling tools:
• HTTPort: The HTTPort tool is used to create a transparent tunnel through a proxy server or a firewall. It allows a user to use all sorts of Internet software from behind the proxy. This tool bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls.
• Backstealth: The Backstealth tool bypasses the outbound restrictions of personal firewalls by embedding an HTTP client in a DLL.
HTTP tunneling is required in the following situation:
• The organization has blocked all the ports in your firewall and only allows port 80/443.
• You need to use FTP to connect to some remote server on the Internet.
In this situation, you can send your packets through the HTTP protocol. HTTP-Tunnel and
HTTPort are HTTP tunneling tools.
Super Network Tunnel Tool
Super Network Tunnel Tool is a two-way http tunnel software that connects two computers. It
operates like VPN tunneling but sets up a connection by using the http protocol.
IP spoofing techniques
In computer networking, the term IP address spoofing or IP spoofing refers to the creation of
Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose
of concealing the identity of the sender or impersonating another computing system. The basic
protocol for sending data over the Internet and many other computer networks is the Internet
Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source
and destination address of the packet. The source address is normally the address that the packet
was sent from. By forging the header, an attacker can make it appear that the packet was sent by
a different machine. The machine that receives spoofed packets will send a response back to the
forged source address, which means that this technique is mainly used when the attacker does not
care about the response, or the attacker has some way of guessing the response. The
countermeasures against IP spoofing attacks are as follows:
• Filtering at the router: A network administrator can stop an IP spoofing attack by filtering at the border routers of a network. For this, he needs to implement an ACL (access control list) that blocks private IP addresses on the downstream interface.
• Encryption and authentication: A network administrator can use encryption and authentication to reduce spoofing threats. These features are included in IPv6. He can also eliminate all host-based authentication measures, which are often common to all systems on the same subnet.
DoS attacks
IP spoofing is sometimes used in a DoS attack, which is used to consume bandwidth and
resources. For the effectiveness of the DoS attack, attackers spoof source IP addresses to make
tracing and stopping the DoS as difficult as possible.
Non-blind spoofing
Non-blind spoofing is a type of IP spoofing attack. This attack occurs when the attacker is on the
same subnet as the destination computer, or along the path of the destination traffic. Being on the
same subnet, it is easy for the attacker to determine the sequence number and acknowledgement
number of the data frames. In a non-blind spoofing attack, the attacker can redirect packets to the
destination computer using valid sequence numbers and acknowledgement numbers. The result is that
the computer's browser session is redirected to a malicious Web site or compromised legitimate
sites that may infect the computer with malicious code or allow the attacker to perform other
malicious activities.
IP spoofing countermeasures
The following are IP spoofing countermeasures:
• Limit access: Limits access to configuration information on a machine
• Ingress filtering: Prevents packets from entering your network by using router filters
• Sequence number: Uses random initial sequence numbers
• Egress filtering: Prevents packets from leaving your network by using filters
• Encryption: Encrypts all network traffic
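Added example (not from the study guide) modelling the router-side countermeasure described above: an ingress check on the Internet-facing interface that rejects sources claiming an inside or private address, and an egress check on the downstream interface that only lets the network's own prefix out. The prefixes and sample packets are constructed from documentation address ranges, not a real network.

```python
"""Source-address filtering at a border router (ingress and egress checks).
Added example; the topology and sample traffic below are constructed."""
import ipaddress
from typing import List, Tuple

# Constructed: the address space assigned to the protected (downstream) network.
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Private and reserved ranges that should never arrive as a source on the outside interface.
PRIVATE_OR_RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def permit_ingress(src: str) -> bool:
    """Outside -> inside: deny sources that claim an inside address or a private/reserved one."""
    addr = ipaddress.ip_address(src)
    return not _in_any(addr, INSIDE_PREFIXES) and not _in_any(addr, PRIVATE_OR_RESERVED)


def permit_egress(src: str) -> bool:
    """Inside -> outside: only packets carrying one of our own addresses may leave."""
    return _in_any(ipaddress.ip_address(src), INSIDE_PREFIXES)


def apply_acl(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Evaluate (interface, src, dst) tuples; interface is 'outside' or 'inside'."""
    verdicts = []
    for iface, src, dst in packets:
        ok = permit_ingress(src) if iface == "outside" else permit_egress(src)
        verdicts.append((iface, src, dst, "permit" if ok else "deny"))
    return verdicts


# Constructed sample traffic as seen by the border router.
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7", "203.0.113.10"),   # ordinary inbound packet
    ("outside", "203.0.113.10", "203.0.113.10"),   # claims to be one of ours: spoofed
    ("outside", "10.0.0.5", "203.0.113.10"),       # private source from the Internet: spoofed
    ("inside", "203.0.113.20", "198.51.100.7"),    # ordinary outbound packet
    ("inside", "192.0.2.99", "198.51.100.7"),      # inside host forging a foreign source
]

if __name__ == "__main__":
    for verdict in apply_acl(SAMPLE_PACKETS):
        print(verdict)
```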
Email spoofing
Email spoofing is a term used to describe (usually fraudulent) email activity in which the
sender's address and other parts of the email header are altered to appear as though the email
originated from a different source. Email spoofing is a technique commonly used for spam email
and phishing to hide the origin of an email message. By changing certain properties of the email,
such as the From, Return-Path and Reply-To fields (which can be found in the message header),
ill-intentioned users can make the email appear to be from someone other than the actual sender.
The result is that, although the email appears to come from the address indicated in the From
field (found in the email headers) it actually comes from another source.
Occasionally (especially if the spam requires a reply from the recipient, such as the '419' scams),
the source of the spam email is indicated in the Reply-To field (or at least a way of identifying
the spammer); if this is the case and the initial email is replied to, the delivery will be sent to the
address specified in the Reply-To field, which could be the spammer's address. However, most
spam emails (especially malicious ones with a Trojan/virus payload, or those advertising a Web
site) forge this address too, and replying to it will annoy an innocent third party.
Prior to the advent of unsolicited commercial email as a viable business model, "legitimately
spoofed" email was common. For example, a visiting user might use the local organization's
smtp server to send email from the user's foreign address. Since most servers were configured as
open relays, this was a common practice. As spam email became an annoying problem, most of
these "legitimate" uses fell victim to anti-spam techniques.
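Added example (not from the study guide) showing two header checks a recipient can run: one compares the From, Return-Path and Reply-To domains the passage above names, the other pulls the mail daemon name from Received headers, which is the data the email-header fingerprinting passage in the OS fingerprinting section relies on. The message and its domains are constructed for illustration.

```python
"""Recipient-side checks on the headers that email spoofing alters.
Added example; the sample message below is constructed with documentation domains."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

SAMPLE_MESSAGE = """Return-Path: <bounce-1234@bulk-sender.example>
Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.7])
    by mx.corp.example (Postfix) with ESMTP id 3F2A1
    for <alice@corp.example>; Mon, 01 Jan 2024 10:00:00 +0000
From: "Accounts Payable" <ap@bank.example>
Reply-To: <collections@other-domain.example>
To: alice@corp.example
Subject: Overdue invoice

Please see the attached invoice.
"""


def _domain(msg, header: str):
    """Domain part of the first address in a header, or None when the header is absent."""
    addr = parseaddr(msg.get(header, ""))[1]
    return addr.rpartition("@")[2].lower() or None


def spoof_indicators(raw: str) -> List[str]:
    """Report Return-Path / Reply-To domains that disagree with the visible From domain."""
    msg = message_from_string(raw)
    from_domain = _domain(msg, "From")
    findings = []
    for header in ("Return-Path", "Reply-To"):
        domain = _domain(msg, header)
        if from_domain and domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from From domain {from_domain}")
    return findings


# Matches the "by <host> (<software>)" clause that many MTAs write into Received headers.
_BY_CLAUSE = re.compile(r"\bby\s+\S+\s+\(([^)]+)\)")


def mail_daemons(raw: str) -> List[str]:
    """Software names advertised by each relay in the Received headers, outermost first."""
    msg = message_from_string(raw)
    found = []
    for received in msg.get_all("Received", []):
        match = _BY_CLAUSE.search(received)
        if match:
            found.append(match.group(1))
    return found


if __name__ == "__main__":
    for line in spoof_indicators(SAMPLE_MESSAGE):
        print("indicator:", line)
    print("relays:", mail_daemons(SAMPLE_MESSAGE))
```

A domain mismatch is only an indicator: legitimate bulk mailers and mailing lists also set a different Return-Path, so the result belongs in a scoring pipeline rather than a hard block.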
Various methods of email spoofing
Because many spammers now use special software to create random sender addresses, even if
the user finds the origin of the email, it is unlikely that the email address will be active.
The technique is now used ubiquitously by mass-mailing worms as a means of concealing the
origin of the propagation. On infection, worms such as ILOVEYOU, Klez, and Sober will often
try to perform searches for email addresses within the address book of a mail client, and use
those addresses in the From field of emails that they send, so that these emails appear to have
been sent by the third party.
For example: User1 is sent an infected email and when the email is opened, it begins to spread.
The worm finds the addresses of User2 and User3 within the address book of User1 from the
computer of User1. Now, the worm sends an infected email to User2, but the email appears to
have been sent from User3.
This can be particularly problematic in a corporate setting, where email is sent to organizations
with content filtering gateways in place. These gateways are often configured with default rules
that send reply notices for messages that get blocked.
Newer variants of these worms have built on this technique by randomizing all or part of the
email address. A worm can employ various methods to achieve this, including:
• Random letter generation
• Built-in wordlists
• Amalgamating addresses found in address books, for example:
o User1 triggers an email address spoofing worm, and the worm finds the addresses
user2@efgh.com, user3@ijkl.com, and user4@mnop.com within the user's email
address book.
o The worm sends an infected message to user2@efgh.com, but the email appears
to have been sent from user3@mnop.com.
Scanning pen testing
Penetration testing a network for scanning attempts determines the network security posture by
identifying live systems, discovering open ports, and grabbing system banners from a remote
location simulating a network hacking attempt. The penetration testing report will support
administrators in the following:
• Closing unused ports
• Disabling unnecessary services
• Hiding or customizing banners
• Troubleshooting service configuration errors
• Calibrating firewall rules
Steps during scanning pen testing
Take the following steps during scanning pen testing:
1. Check for the live hosts using tools, such as Angry IP Scanner, SolarWinds Engineer's
toolset, Colasoft Ping, Utility Ping, Nmap, Netscan, etc.
2. Check for open ports using tools, such as Nmap, Netscan Tools Pro, Net Tools Suite
Pack, UDP Scanner, etc.
3. Perform banner grabbing/ OS fingerprinting using tools, such as Telnet, Netcraft,
Xprobe, Satori, etc.
4. Scan for vulnerabilities using tools, such as Nessus, SAINT, GFI LANGuard, Core
Impact, Nsauditor, MBSA, etc.
5. Draw network diagrams of the vulnerability hosts using tools, such as LAN surveyor,
Ipsonar, CartoReso, NetMapper, etc.
6. Prepare proxies using tools, such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy,
ProxyFinder, etc.
7. Document all the findings.
Chapter Summary
In this chapter, we learned about port scanning, network scanning, and vulnerability scanning. We
also discussed ping sweeping, the Firewalk tool, Nmap command switches, and
various scans, such as SYN, Stealth, XMAS, NULL, IDLE, FIN, ICMP Echo, List, TCP
Connect, Full Open, FTP Bounce, UDP, and Reverse Ident. This chapter also focused on TCP
communication flag types, war dialing, vulnerability scanning using BidiBlah, proxy servers,
anonymizers, HTTP tunneling techniques, and IP spoofing techniques.
Glossary
Advanced Port Scanner
Advanced Port Scanner is used to check a computer for open ports that can be used in attacks
against the computer.
Anonymizers
Anonymizers are the services that help make a user's own Web surfing anonymous. An
anonymizer removes all the identifying information from a user's computer while the user surfs
the Internet.
Argus
Argus is a systems and network monitoring application. It is designed to monitor the status of
network services, servers, and other network hardware. It will send alerts when it detects
problems.
AVDS
AVDS (Automated Vulnerability Detection System) consists of one or more hardware
appliances that run dedicated online-connected software, testing for both internal and external
vulnerabilities on your network.
Banner grabbing
Banner grabbing is an enumeration technique used to glean information about computer systems
on a network and the services running on their open ports.
Cookie
Cookie is a block of data which a Web server stores on the client computer. If no expiration date
is set for the cookie, it expires when the browser closes.
File extensions
File extensions provide information about the underlying server technology.
Firewalk
Firewalk is a scanning tool like traceroute that attempts to determine what layer 4 protocols a
given IP forwarding device will pass.
Firewalking
Firewalking is a technique for gathering information about a remote network protected by a
firewall.
Footprinting
Footprinting is an information gathering technique that is used to gather information about
computer systems.
Global Network Inventory
Global Network Inventory is a flexible software and hardware inventory system that can be used
as an audit scanner in agent-free and zero deployment environments.
HTTPort tool
The HTTPort tool is used to create a transparent tunnel through a proxy server or firewall. It
allows a user to use all sorts of Internet software from behind the proxy.
httprint
httprint is a fingerprinting tool that is based on Web server characteristics to accurately identify
Web servers.
ICMP
Internet Control Message Protocol
Icmpenum
Icmpenum is a port scanner that uses not only ICMP Echo packets to probe networks, but also
ICMP timestamp and ICMP information packets.
IP protocol
The IP protocol scan is used for searching additional IP protocols, such as ICMP, TCP, and
UDP.
Mail bombing
Mail bombing is an attack that is used to overwhelm mail servers and clients by sending a large
number of unwanted emails.
MegaPing
MegaPing is used to provide all essential network utilities for information system specialists,
system administrators, or individuals.
Network scanning
Network scanning is a procedure for identifying active hosts on a network, either for the purpose
of attacking them or for network security assessment.
OS Fingerprinting
Fingerprinting is the easiest way to detect the operating system (OS) of a remote system. OS
detection is important because, after knowing the target system's OS, it becomes easier to hack
into the system.
Ping sweeping
Ping sweeping is used to ping a batch of devices and to get the list of active devices.
Scanning
Scanning refers to a set of procedures used to identify hosts, ports, and services in a network.
Sequence number
A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over
the network, it is broken into fragments (packets) at the source and reassembled at the destination
system.
TCP communication flags
TCP communication flags are used to communicate between two systems using TCP protocols.
Vulnerability scanning
Vulnerability scanning is a process in which a Penetration Tester uses various tools to assess
computers, computer systems, networks or applications for weaknesses.
War dialer
A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable
modems to provide unauthorized access to the system.
War dialing
War dialing is a technique in which an attacker uses a modem to automatically scan a list of
telephone numbers, usually by dialing every number in a local area code to search for computers,
Bulletin board systems and fax machines.