CEHv8 Module 03 Scanning Networks PDF

Scanning Networks
Module 03
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
S c a n n in g N e tw o rk s
Module 03
Engineered by Hackers. Presented by Professionals.
CEH
M o d u le 03: Scanning Networks Exam 312-50
Ethical H acking and C ounterm easures v8
Module 03 Page 263
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u rity N ew s
Hone S e rv ic e s Company N e tw o rk s C o n ta c t
Oct 18 2012
r
1
1
N f u js
S a lie n t ly S a lit y B o t n e t T r a p p e d S c a n n in g IP v 4 A d d r e s s S p a c e
The well known botnet Sality, which locates vulnerable voice-over-IP (VoIP) servers can be controlled to find the entire IPv4 address space without alerting, claimed a
new study, published by Paritynews.com on October 10, 2012.
Sality is a piece of malware whose primary aim is to infect web servers, disperse spam, and steal data. But the latest research disclosed other purposes of the same including
recognizing susceptible VoIP targets, which could be used in toll fraud attacks. Through a method called "reverse-byte order scanning," sality has administered towards scanning possibly the whole IPv4 space devoid of being recognized. That's only the reason the technique uses very less number of packets that come from various sources.
The selection of the target IP addresses is generated in reverse-byte-order increments. Also, there are large amounts of bots contributing in the scan. http://www.spamfighter.com
l- l
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
S ecurity N ew s
Saliently Sality Botnet Trapped Scanning IPv4 Address Space
Source: http://www.spamfighter.com A semi-famous botnet, Sality, used for locating vulnerable voiceoverIP (VoIP) servers has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study, published by Paritynews.com, on October 10, 2012. Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks. Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space, devoid of being recognized. That's the only reason the technique uses a very small number of packets that come from various sources. The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing in the scan. The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case, from various
Module 03 Page 264
sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair King, as published by Softpedia.com on October 9, 2012). According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's the first time that such a happening has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been accepted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying any event like this one. According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet use classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator categorized the scans at around 3 million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly covers, but is unable to be noticed by present automation, as published by darkreading.com on October 4, 2012.
Copyright SPAMfighter 2003-2012
http://www.spamfighter.com/News-1799B-Salier1tlv-Salitv-Botnet-Trapped-Scanning-IPv4Address-Space.htm
Module 03 Page 265
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le O b je c tiv e s
J J J J J J J J Overview of Network Scanning CEH Scanning Methodology Checking for Live Systems Scanning Techniques IDS Evasion Techniques Banner Grabbing Vulnerability Scanning Drawing Network Diagrams ^ J J J J J J J J Use of Proxies for Attack Proxy Chaining HTTP Tunneling Techniques SSH Tunneling Anonymizers
CEH
IP Spoofing Detection Techniques Scanning Countermeasures Scanning Pen Testing
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule O b jectiv e s
Once an attacker identifies his/her target system and does the initial reconnaissance, as discussed in the footprinting and reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance where the attacker learns more about his/her target, such as what operating system is used, the services that are being run on the systems, and configuration lapses if any can be identified. The attacker can then strategize his/her attack, factoring in these aspects. This module will familiarize you with: 0 0 0 0 0 0 0 0 Overview of Network Scanning CEH Scanning Methodology Checking for Live Systems Scanning Techniques IDS Evasion Techniques Banner Grabbing Vulnerability Scanning Drawing Network Diagrams 0 0 0 0 0 0 0 0 Use of Proxies for Attack Proxy Chaining HTTP Tunneling Techniques SSH Tunneling Anonymizers IP Spoofing Detection Techniques Scanning Countermeasures Scanning Pen Testing
Module 03 Page 266
O v erview of N etw ork S can n in g

Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization
C EH
(itifwd ttkujl lUckM
Sends TCP /IP probes
Gets network
&
A ttacker
information
O b jec tives o f N e tw o rk Scanning
To discover live hosts, IP address, and open ports of live hosts
To discover operating systems and system architecture
To discover services ru nning on hosts
To discover vu ln e ra b ilitie s in live hosts
O verview of N etw ork S can n in g

As we already discussed, footprinting is the first phase of hacking in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking because here you will gather only the primary information about the target. You can use this primary information in the next phase to gather many more details about the target. The process of gathering additional details about the target using highly complex and aggressive reconnaissance techniques is called scanning. The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system. You can also discover more about the target system, such as what operating system is used, what services are running, and whether or not there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack. Types of Scanning 9 e 6 Port scanning - Open ports and services Network scanning - IP addresses Vulnerability scanning - Presence of known weaknesses
Module 03 Page 267
In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. W hen it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more the ports are open, the more points of vulnerability, and the fewer the ports open, the more secure the system is. This is simply a general rule. In some cases, the level of vulnerability may be high even though few ports are open. Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, their targets' operating systems, system architecture, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems. Sends TCP /IP probes
&
Attacker
Gets network information
Network
FIGURE 3.1: Network Scanning Diagram
O bjectives of Network Scanning

If you have a large amount of information about a target organization, there are greater chances for you to learn the weakness and loopholes of that particular organization, and consequently, for gaining unauthorized access to their network. Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How to perform scanning and what type of information to be achieved during the scanning process entirely depends on the hacker's viewpoint. There may be many objectives for performing scanning, but here we will discuss the most common objectives that are encountered during the hacking phase:
Discovering live hosts, IP address, and open ports of live hosts running on the network.
Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network. Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
Module 03 Page 268
Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats. Detecting the associated network service of each port
Module 03 Page 269
HHH

G i
Check for Live Systems
,.
Check for Open Ports
hi
Scan for Vulnerability
n L1 ^
r Prepare Proxies
Scanning Beyond IDS
Banner Grabbing
wJ
W m, U
Draw Network. Diagrams
Scanning Pen Testing
CEH S can n in g M eth o d o lo g y

The first step in scanning the network is to check for live systems.
ft
Draw Network Diagrams
Scanning Beyond IDS
Q O
Prepare Proxies
Banner Grabbing
This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system and various ping sweep tools.
Module 03 Page 270
C hecking for Live System s ICMP Scanning

J J
CEH
Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply This scan is useful for locating active devices or determining if ICMP is passing through a firewall
ICMP Echo Request
t o
M
ICMP Echo Reply Destination (192.168.168.5) Zenmap
Sc!n Target. Too* grofilc Profile Ping scan
Source (192.168.168.3)
The ping scan output using Nmap:
192 168.16S.5 |nrr*p sn 192.16S.16S.S Services *
Command: Hosts Host
Nmap Outp14 Pciti Hosts Topology H 0Jt Detail! nmap sn 192.166.163.5
Scans
192.165.168.1 192.16S.1663 192.165.'68.5 192.16S.66.13 S t a r t in g fJTap 6.01 ( h t tp :/ / n 1 rop.org ) at 2012-08 08 13:02 EOT Swap scan re p o rt fo r 192.168.168.5
most
i s up (0 .00 s la te n c y ).
Piter Hosts
M AC fld d re tt: (D e ll) M!ap dong: 1 I P address (1 host up) scanned in 0.10 secords
http://nmap.org
Copyright by HHrWBCil. All Rights Reserved. Reproduction is Strictly Prohibited.
C h e c k in g for Live S ystem s IC M P S can n in g

ICMP Scanning
All required information about a system can be gathered by sending ICMP packets to it. Since ICMP does not have a port abstraction, this cannot be considered a case of port scanning. However, it is useful to determine which hosts in a network are up by pinging them all (the -P option does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the number of pings in parallel with the -L option. It can also be helpful to tweak the ping timeout value with the -T option.
ICMP Query
The UNIX tool ICM Pquery or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS MARK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses. ICMPquery has both a timestamp and address mask request option: icmp query <-query-> [-B] [-f fromhost] [d delay] [-T time] target
Module 03 Page 271
W here <query> is one of: -t: icmp timestamp request (default) -m: icmp address mask request -d: delay to sleep between packets is in microseconds. -T - specifies the number of seconds to wait for a host to respond. The default is 5. A target is a list of hostnames or addresses.
*iJN:::::::::::::::::::::::ft:::::::::::::
ICMP Echo Request
/*
ICMP Echo Reply
Source (192.168.168.3)
Destination (192.168.168.5)
FIGURE 3.2: ICMP Query Diagram
Ping Scan Output Using Nmap

Source: http://nmap.org Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you can determine the live hosts on a network. It performs ping scans by sending the ICMP ECHO requests to all the hosts on the network. If the host is live, then the host sends an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. The following screenshot shows the sample output of a ping scan using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:
Zenmap
Scan Jo o ls Profile Help
Target
192.168.168.5 |nmap -sn 192.168.168.51 Services
v I Profile:
Ping scan
:Scan!
Cancel
Command: Hosts OS < Host IM I* *"
Nmap Output Ports/Hosts nmap -sn 192.168.168.5
Topology Host Details Scans

V
Details
192.168.168.1 192.168.168.3 192.168.168.5 S t a r t in g Nmap 6 .0 1 ( h t t p :/ / n 1 ra p .o rg ) at 2012-08-08 a? Nmap scan re p o rt fo r 1 9 2 .1 6 8 .1 6 8 .5 Host i s up (0 .0 6 s la t e n c y ) . M AC Add ress: ( D e ll) Nmap done: 1 IP ad d ress (1 host up) scanned in 0 .1 0 seconds
tM 192.168.168.13 .. v ------ ----- ---------------1 Filter Hosts
FIGURE 3.3: Zenmap Showing Ping Scan Output
Module 03 Page 272
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCll All Rights Reserved. Reproduction is Strictly Prohibited.
P in g S w eep
J Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet Attackers then use ping sweep to create an inventory of live systems in the subnet T h e ping s w e e p o u tp u t using N m a p
Zenmap Sen loots N * T*fqcc Help v Profile *| Scanj Canct l n l , M IC M P Echo Request
CEH
_l
92.l6a.16S.l-S0
192.168.168.5
^ M
Command |m 8p Pf PA21,23.9Q ,3J891 9 2 .1 6 8 .1 6 8 .1 5 0 1 Hojb OS 4 Ho* * * W itt 1 6 S .1 1N.16S.1tt3 knxei Nn < * pOutput Port( / HoUi | Topology Hot! D etail* Scant nm ap m-PE PA 21.2J.80l3389 1 9 2 .1 6 8 .1 6 8 .1 5 0 H S [0 4 * IC M P Echo Reply Startlra N 6.01 ( http ://roup, org ) at 2012 01 01 12:41 tor *tup scan report for 192.168.168.1 Host is us ( 0. 00) latency). Adflicn. ( Healett-Packard Com pany) **p *can report for 192.168.16.) ftovt It up (ft.Mt latency). *AC W r t t t i (Apple) w p scan report *or 192.168. 168. tost is up (0.0010s latency). HA( Address: (Dell) f*1ap scan report for 192.168.168.13 Mot i* up <8.001 latency). AC Addrew: (Foxconnl snap scan report for 192.168.168.14 IC M P Echo Request
!.168.16 192.168.168.6
3 1W.16S.1tt5 * 19J.ltt.1ttU
1W.1tt1tt.14 V y It t lt t lt t lS 9 it t 1 6 8 .1 7 !92.168163.15 1 9 2 .1 6 8 .1 6 8 2 6 19ilttltt23 v F* Hosts
IC M P Echo Request
Ml
192.168.168.7
Source 192.168.168.3
IC M P Echo Reply IC M P Echo Request
192.168.168.8
http://nmap. org
P in g Sweep
A ping sweep (also known as an ICM P sweep) is a basic network scanning technique to determine which range of IP addresses map to live hosts (computers). W hile a single ping tells the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts.
ICMP ECHO Reply

If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods to scan a network. This utility is distributed across almost all platforms, and acts like a roll call for systems; a system that is live on the network answers the ping query that is sent by another system.
Module 03 Page 273
ICMP Echo Request 192.168.168.5 ICMP Echo Request
<
ICM P Echo Reply
192.168.168.6
ICMP Echo Request
>
Source
19 2.1 6 8 .1 6 8 .3
192.168.168.7
< ICMP Echo

ICMP Echo Request 192.168.168.8
FIGURE 3.4: Ping Sweep Diagram
TCP/IP Packet
To understand ping, you should be able to understand the TCP/IP packet. W hen a system pings, a single packet is sent across the network to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping also determines the number of hops that lie between the two computers and the round-trip time, i.e., the total time taken by a packet for completing a trip. Ping can also be used for resolving host names. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address. Source: http://nmap.org Using Nmap Security Scanner you can perform ping sweep. Ping sweep determines the IP addresses of live hosts. This provides information about the live host IP addresses as well as their MAC address. It allows you to scan multiple hosts at a time and determine active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:
Module 03 Page 274
Zenmap
Sc!n Target Joolt Erofik {jdp "v] Proffe 11
192.168.168.1-50
Scan
Cancel
Command Hosts OS Host * *

<
|nmap -sn -PE PA21,23,80.3389192.168.168.1-5( Sernces A Nmap Output Ports/ Hosts Topology Host Details Scans nmap -sn PE-PA21.23.80.3389 192.168.168.1-50 %
Details
192.168.168.1 192.168.168.3 192.168.168.5 192.168.168.13 192.168.168.14 192.168.168.15 S ta rtin g Mrap 6.01 ( h tto ://n a p .o rg ) at 2012-08-08 12:41 M ap scan report fo r 192.168.168.1 Host is up (0.00s la te n c y ). *AC Address; I (Hewlett-Packard Cooany) Nm p scan report fo r 192.168.168.3 Host is up (0.00s la te n c y ). *AC A d d r m i * (Apple) Nnap scan report fo r 192.168.168.5 Host is up (0.0010s la te n c y ). M A C Address; ( D e ll) Nnap scan report fo r 192.168.168.13 Host is up (0.00s la te n c y ). M A C Address: (Foxconn) Nap scan report fo r 192.168.168.14 Host is up (0.0020s la te n c y ). v
* fti
192.168.168.17 192.168.168.19 192-168.168-26
192.168.16828 Filter Hosts
FIGURE 3.5: Zenmap showing ping sweep output
Module 03 Page 275
P in g S w eep T ools
Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.
CEH
SolarWinds Engineer Toolset's Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.
o S'** *Rjr* * 1C011 9 1:0:1 1 0 0 cj Q io a u f tio a c j to o ts C Hoatt 100C7 fh o a c j M OOC9 Q r-at CH 0ac.11 1 0 a a ; Chocu.11 # 10ac.u #1001 &1COC.U M oatr Choatu fhoac. *<
IP Range Angry IP Scanner JoeU H lp to K.0J.S) Uctmiifc v [lPjnje SUrt v * M Pcm1i00c-| 80 0US.1 1JX In/a) 1& UIM U h l
_ !
M0*wme V W NUQ N3W R1RW f 9 1m Cm lm h/l 4n h/1| 1ra Kl KH Kl K*l h/1l |V*I Kv.| O ? mm K1 h/l !*/I Kl
H 0W n* In/11 M M MttlCMM1 HnOcwit ln/1l < vmixqn;\V(W9m H V ) In/i) In/) In/) In/) ln/1) l*v ! I V*I In/! In/] la/) In/) In/) & **> A JI
|n/) |n) In/) |n') In') In) |n/) In/) |n/| (') In/) In ____________________)v |
T h 0 **
Angry IP Scanner
http://www.angryip.org
P in g Sweep Tools
Determining live hosts on a target network is the first step in the process of hacking or breaking into a network. This can be done using ping sweep tools. There are a number of ping sweep tools readily available in the market using which you can perform ping sweeps easily. These tools allow you to determine the live hosts by sending ICMP ECHO requests to multiple hosts at a time. Angry IP Scanner and Solarwinds Engineer's Toolset are a few commonly used ping sweep tools.
Angry IP Scanner
/j
Source: http://www.angryip.org
Angry IP Scanner is an IP scanner tool. This tool identifies all non-responsive addresses as dead nodes, and resolves hostname details, and checks for open ports. The main feature of this tool is multiple ports scanning, configuring scanning columns. Its main goal is to find the active hosts in the network by scanning all the IP addresses as well as ports. It runs on Linux, Windows, Mac OS X, etc. It can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.
Module 03 Page 276
IP Range -Angry IP Scanner

S<an
Commands
Favorites
loots
Help | |IF Range rJ C+ Start v i| Ports [2000.) 80 80.135.139.4... 135,139,445,... [n/a] 135,139,445,... [n/a] 80.135 [n/a] [n/a] [n/a] [n/a] =
IP Range | 10.0.0.1 Hostname | WIN-LXQN3WR3R9I IP >10.0.0.1 010.0.0.2 @10.0.0.3 #10.0.0.4 >10.0.0.5 10.0.0.6 )10.0.0.7 C
m
| to | 10.0.0.50 # IP I | Netmask
Ping 1 ms Oms Oms
Hostname [n'a] W1N-MSSLCK4IC41 WindowsS [n/a] W1N-LXQN3WR3R9M [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] litfa] [ /a] [n/a] [n/a] [iVa] [n/a] [nfa] lva] Display: All Threads; 0
[n/a]
4 ms [n/a] 1 ms [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] 627 ms [n/a] [n/a] [n/a] [n/a]
0.0.0.8
> 10.0.0.9 #10.0.0.10 #10.0.0.11 # # 1 0.0.0.12 I0.0.0.M
[n/a]
[n/a] [n/a] [n/a] [n/a]
#10.0.0.13 #10.0.0.15 #10.0.0.16 # 10.0.0.17 #10.0.0.18 #10.0.0.19 Ready
[n/a]
[n/a] [n/a] v
FIGURE 3.6: Angry IP Scanner Screenshot
Solarwinds E ngineers Toolset

Source: http://www.solarwinds.com The Solarwinds Engineer's Toolset is a collection of network engineer's tools. By using this toolset you can scan a range of IP addresses and can identify the IP addresses that are in use currently and the IP addresses that are free. It also performs reverse DNS lookup.
P in g S w e e p
E H e Edit Hel p Î
u o o
F | A I IP t DNS L ookup
Starting IP Address 1 1 9 2 . 1 6 8 . 1 81 0 Fnrimg IP AHrim tt ( 192 1 8 81 6 89 5 (
| Sra n
Srnn
fpAddress
1 9 2 IM IM 1 0 1 9 21 6 61 6 61 1 1 9 21 6 61 6 61 2 1 9 21 6 61 6 61 3 1 9 21 6 61 6 61 4 1 9 21 6 61 6 61 5 1 9 21 6 6 16816 1 9 21 6 6 . 1 6 61 7 1 9 21 6 61 6 6 . 1 6 1 9 21 6 61 6 61 9 1 9 21 6 61 6 62 0 1 9 21 6 61 6 6 . 2 1 1 9 21 6 61 6 6 . 2 2 1 9 21 6 61 6 62 3 1 9 21 6 61 6 62 4 1 9 21 6 61 6 62 5 1 9 21 6 61 6 62 6 1 9 21 6 61 6 6 . 2 7 1 9 21 6 61 6 6 . 2 6 1 9 21 6 61 6 62 9 1 9 21 6 61 6 63 0 1 9 21 6 61 6 63 1 1 9 21 6 61 6 63 2 < 1 Scan Complied Scan N _ *V* " I J I {_ #
Response T e n e Request Tired Out Request T mod Out Request Tmed Out RequOSt Tmed Out 3m e Reauest Tmed Out Reaues! Tmed Oat ^ Recues! Tmed Oul Request Tmed Oul Request Tmed Out Request Tmed Out Request Tmed Out Request T i m e d Out Request Tmed Out Request Tmed Out 2m s Request Tmed Out 2m s Request Tmed Oyt 3m e 3m s 2m s III DNS
,t
>
9 0
FIGURE 3.7: Solarwinds Engineer's Toolset Screenshot
Module 03 Page 277
P in g S w eep T ools
(C ontd)
Colasoft Ping Tool
h ttp ://w w w . colasoft. com
CEH
PacketTrap MSP
http ://w w w .pa ckettra p .co m
Visual Ping Tester -Standard

h ttp ://w w w .p in g te s te r.n e t
Ping Sweep
h ttp://w w w .w hatsupgold.com
Ping Scanner Pro

http://w w w .digilextechnologies.com
Network Ping
h ttp://w w w .greenline-soft.com
Ultra Ping Pro

h ttp ://u ltra p in g . webs.com
Ping Monitor
h ttp ://w w w .n ilia n d . com
PinglnfoView
S
h ttp ://w w w .n irs o ft.n e t
Pinkie
h ttp ://w w w .ip u p tim e .n e t
jfSSS P in g Sweep Tools (C ontd)

ur -
In addition to Solarwinds Engineer's Toolset and Angry IP Scanner, there are many other tools that feature ping sweep capabilities. For example: 9 9 9 9 9 9 9 9 9 9 Colasoft Ping Tool available at http://www.colasoft.com Visual Ping Tester - Standarad available at http://www.pingtester.net Ping Scanner Pro available at http://www.digilextechnologies.com Ultra Ping Pro available at http://ultraping.webs.com PinglnfoView available at http://www.nirsoft.net PacketTrap MSP available at http://www.packettrap.com Ping Sweep available at http://www.whatsupgold.com Network Ping available at http://www.greenline-soft.com Ping Monitor available at http://www.niliand.com Pinkie available at http://www.ipuptime.net
Module 03 Page 278
* 1 So far we discussed how to check for live systems. Open ports are the doorways for an attacker to launch attacks on systems. Now we will discuss scanning for open ports.
life
Scanning Beyond IDS
O Q ^
Prepare Proxies
Banner Grabbing
This section covers the three-way handshake, scanning IPv6 networks, and various scanning techniques such as FIN scan, SYN scan, and so on.
Module 03 Page 279
T h ree-W ay H a n d s h a k e
Three-w ay Handshake Process
1. The Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet with only the SYN flag set 2. The server replies with a packet with both the SYN and the ACK flag set 3. For the final step, the client responds back to the server with a single ACK packet 4. If these three steps are completed without complication, then a TCP connection is established between the client and the server
(rtifwd
CEH
itkitjl
TCP uses a three-way handshake to establish a connection between server and client
T hree-W ay H an d sh a k e
TCP is connection-oriented, which implies connection establishment is principal prior to data transfer between applications. This connection is possible through the process of the three-way handshake. The three-way handshake is implemented for establishing the connection between protocols.
The three-way handshake process goes as follows:

9 To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the destination (10.0.0.3:21). 9 The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a SYN/ACK packet back to the source. 9 9 This ACK packet confirms the arrival of the first SYN packet to the source. In conclusion, the source sends an ACK packet for the ACK/SYN packet sent by the destination. 9 This triggers an "O PEN " connection allowing communication between the source and the destination, until either of them issues a "FIN" packet or a "RST" packet to close the connection.
Module 03 Page 280
The TCP protocol maintains stateful connections for all connection-oriented protocols across the Internet, and works the same as an ordinary telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end until a person picks up the receiver and says, "Hello."
Bill
Three-way Handshake
Sheela
1 0 .0 .0 .3 :2 1
1 0 .0 .0 .2 :6 2 0 0 0 ^ ................ ....................
..*
Irvc
Client
Server
FIGURE 3.8: Three-way Handshake Process
E stablishing a TCP Connection

As we previously discussed, a TCP connection is established based on the three-way hand shake method. It is clear from the name of the connection method that the establishment of the connection is accomplished in three main steps. Source: http://support.microsoft.com/kb/172983 The following three frames will explain the establishment of a TCP connection between nodes NTW3 and BDC3:
Frame 1:
In the first step, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize the sequence numbers. It specifies its Initial Sequence Number (ISN), which is incremented by 1 and that is sent to the server. To initialize a connection, the client and server must synchronize each other's sequence numbers. There is also an option for the
Module 03 Page 281
Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4), this option communicates the maximum segment size the sender wants to receive. The Acknowledgement field (ack: 0) is set to zero because this is the first part of the three-way handshake.
1 2.0785 NTW3 --> BDC3 TCP ___ S., len: 4, seq: 8221822-8221825, ack: 0,
win: 8192, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP
TCP: dst: ....S., len: 4, seq: 8221822-8221825, 139 (NBT Session) ack: 0, win: 8192, src: 1037
TCP: Source Port = 0x040D TCP: Destination Port = NETBIOS Session S TCP: Sequence Number = 8221822 (0x7D747E)
TCP: Acknowledgement Number = 0 (0x0) TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000) TCP: Flags = 0x02 : ....S .
TCP: TCP: TCP: TCP: TCP: TCP:
..0....
= No urgent data not significant
...0.... = Acknowledgement field ....0... = No Push function .... 0 . . = No Reset 1. = Synchronize sequence numbers ............. 0 = No Fin .
TCP: Window = 8192
(0x2000)
TCP: Checksum = 0xF213 TCP: Urgent Pointer = 0 (0x0) TCP: Options
TCP: Option Kind
(Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4) TCP: Option Value = 1460 TCP: Frame Padding (0x5B4)
00000: 00010: 00020: 00030:
02 60 8C 9E 18 8B 02 60 8C 3B 85 Cl 08 00 45 00 00 2C 0D 01 40 00 80 06 El 4B 83 6B 02 D6 83 6B 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 20 00 F2 13 00 00 02 04 05 B4 20 20
.'.... '.;---- E . . , . .0___ K.k. . .k ...... }t~---- ' .
Module 03 Page 282
Frame 2:
In the second step, the server, BDC3, sends an ACK and a SYN on this segment (TCP .A..S.). In this segment the server is acknowledging the request of the client for synchronization. At the same time, the server is also sending its request to the client for synchronization of its sequence numbers. There is one major difference in this segment. The server transmits an acknowledgement number (8221823) to the client. The acknowledgement is just proof to the client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client's request allows the server to increment the client's sequence number by one and uses it as its acknowledgement number.
2 2.0786 BDC3 > NTW3 8760, TCP .A..S., l e n : 4, seq: 1109645-1109648, dst: 1037 BDC3 --> NTW3 ack: 8221823, win: ack: IP 8760,
8221823, win: TCP: src:
src: 139 4, seq: dst:
(NBT Session)
.A..S., len: 139
1109645-1109648, 1037
(NBT Session)
TCP: Source Port =
NETBIOS Session Service
TCP: Destination Port = 0x040D TCP: Sequence Number = 1109645 (0xl0EE8D) (0x7D747F)
TCP: Acknowledgement Number = 8221823 TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000) TCP: Flags = 0x12 TCP: TCP: TCP: TCP: TCP: TCP: ..0.... = ...1.... = : .A..S. No urgent data Acknowledgement field Push function Reset sequence numbers significant
....0... = No .... 0.. = No
...... 1. = Synchronize ....... 0 = No Fin
TCP: Window = 8760
(0x2238)
TCP: Checksum = 0x012D TCP: Urgent Pointer = 0 (0x0) TCP: Options TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4) TCP: Option Value = 1460 TCP: Frame Padding (0x5B4)
00000
00010
0 00 20
02 00 02
60 8C 3B 85 Cl 02 60 8C 9E 18 8B 08 00 45 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 .,[.0_____L.k...k
...... E.
.............. }t'.
Module 03 Page 283
00030:
22 38 01 2D 00 00 02 04 05 B4 20 20
8 .-
Frame 3:
In the third step, the client sends an ACK on this segment (TCP .A....). In this segment, the client is acknowledging the request from the server for synchronization. The client uses the same algorithm the server implemented in providing an acknowledgement number. The client's acknowledgment of the server's request for synchronization completes the process of establishing a reliable connection, thus the three-way handshake.
3 2.787 NTW3 --> BDC3 8760, TCP .A , len: 0, seq: 8221823-8221823, 139 (NBT Session) ack: IP
1109646, win:
src: 1037
dst:
NTW3 --> BDC3
TCP:
.A...., len: dst: 139
0, seq:
8221823-8221823,
ack:
1109646, win:
8760,
src: 1037
(NBT Session)
TCP: Source Port = 0x040D TCP: Destination Port = NETBIOS Session Service TCP: Sequence Number = 8221823 (0x7D747F) (0xl0EE8E)
TCP: Acknowledgement Number = 1109646 TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000) TCP: Flags = 0x10 : .A....
TCP: TCP: TCP: TCP: TCP: TCP:
. .0 ....
= No urgent data
... 1 .... = Acknowledgement field

___ 0 ... = No .... 0 .. = No ..... 0. = No .......0 = No Push function Reset Synchronize Fin
TCP: Window = 8760
(0x2238)
TCP: Checksum = 0xl8EA TCP: Urgent Pointer = 0 (0x0) TCP: Frame Padding
00000: 00010: 00020: 00030:
02 60 8C 9E 18 8B 02 60 8C 3B 85 Cl 08 00 45 00 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 22 38 18 EA 00 00 20 20 20 20 20 20
. '.... ' .;---- E . .( . .0___ O.k. . .k ...... }t---- P. 8 ___
Module 03 Page 284
Ethical Hacking and Countermeasures

Scanning Networks
TCP C om m unication Flags

Data contained in the packet should be processed immediately There will be no more transmissions Resets a connection
URG (Urgent)
F IN (Finish)
jm m m
PSH (Push) ACK (Acknowledgement) > SYN (Synchronize)
Sends all buffered data immediately
Acknowledges the receipt of a packet
Initiates a connection between hosts
Standard TCP communications are controlled by flags in the TCP packet header
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
TCP C om m unication Flags

Standard TCP communications monitor the TCP packet header that holds the flags. These flags govern the connection between hosts, and give instructions to the system. The following are the TCP communication flags: 9 9 Synchronize alias "SYN": SYN notifies transmission of a new sequence number Acknowledgement alias "ACK": next expected sequence number 9 9 Push alias "PSH ": System accepting requests and forwarding buffered data Urgent alias "U RG ": Instructs data contained in packets to be processed as soon as possible Q Q Finish alias "FIN": Announces no more transmissions will be sent to remote system Reset alias "RST": Resets a connection ACK confirms receipt of transmission, and identifies
SYN scanning mainly deals with three of the flags, namely, SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during the enumeration process.
Module 03 Page 285
Ethical Hacking and Countermeasures Copyright by EC-COUIICil
All Rights Reserved. Reproduction is Strictly Prohibited.

Scanning Networks
Acknowledgement No Res TCP Flags Window Urgent Pointer Options \< ------------- 0-31 B its-------------- >
FIGURE 3.9: TCP Communication Flags
Offset
TCP Checksum
Module 03 Page 286
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil

Scanning Networks
Create Custom Packet Using TCP Flags

Colasoft Packet Builder
CEH
.$ 5 & 5 .xpcr:- Add Inser: Copy

F!
3ckte
Move U p|
Chcdcsum| Send ScndAII | Packet No. |
!***
-J Colasoft Packet Builder enables creating custom network packets to audit networks for various attacks J Attackers can also use it to create fragmented packets to bypass firewalls and IDS systems in a network
Packet Info: gackec tta c e r; ^ BacJrcr Le=ath: Captnred Length: { g Delta Tine E d Ethernet Type I I j y i J f s t i a t i Mdress: JUfSouic? U d m 9 : Protocol: E- .J I ? - Internet Protocol ! Version 0 i 0 Mea 1: Length g>-0 Differentiated Services Plaid j j 0 Srvlcf Codepcint j > Trr.*por1 r u t -col w ill 1 903 c* tii* CE b it U Coaaaatios
< 1
000004 64 60 0.100000 Second [0/14] 00:00:00:00:00:00 [0/6] 00:00:00:00 :00:00 [6/6] 0x0800 (Inter: [14/20] 4 xFO [U/1] O S < 2 0 Bytes) [1 < 0 0 00 oaoo [15/1! OxPF 0000 00.. [18/1] OxfC (Ignoi .......... 0. [15/1] ............0 (Xu Conqmtlon)
<
HwEdrtc
Total
60 byirt
http://www. colasoft.com
Copyright by EG-Gaoncil. All Rights Reserved. Reproduction Is Strictly Prohibited
Create Custom P ackets u sin g TCP Flags

Source: http://www.colasoft.com Colasoft Packet Builder is a tool that allows you to create custom network packets and also allows you to check the network against various attacks. It allows you to select a TCP packet from the provided templates, and change the parameters in the decoder editor, hexadecimal editor, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.
Module 03 Page 287
Ethical Hacking and Countermeasures Copyright by EC-COlMCil

Scanning Networks
Colasoft Packet Builder

File Edit Send Help Insert
ImportExportw
&
3*
Add
Copy
Pas- Delete
I *
Move
Send
4*
Send All
* f c *
'w E I& B r S B
Delta Time 0.100000 0.100000 0.100000 0.100000 Source 00:00:00:00:1 0.0.0.0 0.0.0.0:0 0.0.0.0:0
Decode Editor
Packet No.
4
No. 2 3
Packet Info: a Packet Number: <3 *Packet Length: ! ^ Captured Length: H H Delta Time -> Ethernet Type II Destination Address: Source Address: Protocol: 0 IP - Internet Protocol j & Version : Header Length E3 @Differentiated Services Field | _~ Differentiated Services Codepoint O Transport Protocol will ignore the CE bit | ~~ Congestion
60 0.100000 Second
[0 / 1 4 ]
0 0 : 0 0 : 0 0 : 0 0 : 00:00 0 0 :0 0 :0 0 :0 0 :0 0 : 0 0
[ 0 /6 ]
[6 / 6 ]
0x0800 [14/20]
(Intern [14/1] OxFO (20 Bytea) [14 [15/1] OxFF [15/1] OxFC (Ignore) [15/1] (No Congestion)
0 0 0 00 0 0 0 0 0 0 0 00..
......... 0
...........0.
< L
jc%
Hex Editor
Total | 60 bytes
0000 0010 0020 0030 <
00 00 00 00
00 2C 00 00
00 00 00 00
00 00 00 00
00 40 00 00
00 00 00 00
00 40 00 00
00 11 1A 00
00 3A FF 00
00 CO BA 00
00 00 00 00
00 08 00 45 00 00 00 00 00 00 00 00 00 00 00 00
A ---0.0.s. V /
T >
: ...
FIGURE 3.10: Colasoft Packet Builder Screenshot
Module 03 Page 288

Scanning Networks
S c a n n in g IP v 6 N e tw o rk
im ttiM
CEH
tUx*l lUckM
I I L
a
IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy
Traditional network scanning techniques will be computationally less feasible due to larger search space (64 bits of host address space or 2s4 addresses) provided by IPv6 in a subnet
Scanning in IPv6 network is more difficult and complex than the IPv4 and also major scanning tools such as Nmap do not support ping sweeps on IPv6 networks
Attackers need to harvest IPv6 addresses from network traffic, recorded logs or Received from: and other header lines in archived email or Usenet news messages
Scanning IPv6 network, however, offers a large number of hosts in a subnet if an attacker can compromise one host in the subnet; attacker can probe the "all hosts" link local multicast address
S canning IPv6 N etw ork

IPv6 increases the size of IP address space from 32 bits to 128 bits to support more levels of addressing hierarchy. Traditional network scanning techniques will be computationally less feasible due to larger search space (64 bits of host address space or 264 addresses) provided by IPv6 in a subnet. Scanning an IPv6 network is more difficult and complex than IPv4 and also major scanning tools such as Nmap do not support ping sweeps on IPv6 networks. Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or Received from: and other header lines in archived email or Usenet news messages to identify IPv6 addresses for subsequent port scanning. Scanning IPv6 network, however, offers a large number of hosts in a subnet; if an attacker can compromise one host in the subnet he can probe the "all hosts" link local multicast address.
Module 03 Page 289

Scanning Networks
S c a n n in g Tool: N m a p
J J monitoring host or service uptime
C EH
Network administrators can use Nmap for network inventory, managing service upgrade schedules, and Attacker uses Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems and OS versions
http://nmap.org
Scanning Tool: Nmap

Source: http://nmap.org Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Either a network administrator or an attacker can use this tool for their particular needs. Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems, and OS versions.
Module 03 Page 290

Scanning Networks
Zenm gp
iMk ("> !j*

*aM M a w wa* 011CP p *t
tel
t M
Mi M lMM I u n
T1 A . I V M M > N m W > 1 * MM D u tu n
liSSJS T4 A tt2 141 4 4
Ml t ll iw IM ^niHIDU
s ia t i
S t M t ln g m m 4.*1 < M 1 : / / M W . K | ) m ) M M 11:1! M M M M r < Tia B L . M M I M f l K M r ! " ! t l a t l n g A V lng Scan t |:22 W mwIm (1 v t l Caag iatM * V *ing Scan at I S :2 2, M a l * t M ( I t a t a l M a t ) : * i t ta tin g f a l l a l Cm r a lt ft iM a* I M a t . at lt:2 2 C a M ia t M a ll ! CMS r * t a l t la n 0* 1 M a t . at IS !2 2 . I H t
. * HHM rtt
w m ia It*
1m ia ftM VC
B L Ur 1 0 %
KtMlN!.
V *. Mtf)
M l V t c a M M I/ t i! * I.ftftlv2:
fe ftM M U a t ln
aivaai
O ixavajM MM a o t 1M t< a nitMM iu s WMaMfM MM PM 11M/Ka M 1 1 1 IU IM t Mmmmm aM MM 4s tea M 1 * 2 IM IU )

N u t r t ' M aoan M t 12 t<a < t t M U I M . S O i u a t T M a M M t M M 2 / t ( m ! l . I M . I M . S t n S f n ita w t i ^ i ^ f taout 22.72% M m ; I K :
In it ia t in g S m S ta a ltn Scan at 1S:22 Scanning m 1M I M S I* S S JS M t ]
M> M I ^ 1 U 1 U N d w M a '1 * m 1*t 1 m 1 (Ii m i n P n l c e I r a * | t n t r l *tK fO M ft lllM H oxo*. wln*ot V l* t a | M | 7 f l l C P t: cp IcreM ^t iwM n . r i t t a : : c m :/
IKjuatL M m lfM WVc 1 *t wi t I
11I/1 t i l l l uM i r t l SV . J
19:24 <:1.4*
iMM.vilt! ! I f l< 00:/
H ))/ t ( M IM .IM IM S * S t !!* W an f l * l : 1aat M . 4 M M M ) I K l 1* 24 < M 4 'allg C a M ia t M S M S ' a lt * Scan at IS :24. M * l a la M M 14SS1S fa t a l M ^ tt) ! n i t ia t in c S M v ic a c m at I!24 Scanning a^vlca M 112 I M I M \ C a M lv t M M ^ v lc a m m at I S ! >4, 44 M t a la M M (g m U a M 1
M M Hyj M h m t M 00+* M t
9 l*09mt,nr*9'_200$ *0 1 < :/ i< r|M *t 0% a r t ! !* m < r o t^ t i d i M M V ii t a V 0? V I . M U M M M V I . n b lM s ! I t t i * I !* 1 . M i (s1 *c i m amc m 1 1 21 ir t M r l Q iiU M f i 1 ** T l ( M M 1C1)
W iM i CPt 1 100\/0:m itr0000\ !

-< . Mttios nr:
M tS IO S M C:
Module 03 Page 291
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCll

Scanning Networks
H p in g 2 / H p in g 3
J J J Command line packet crafter for the TCP/IP protocol Tool for security auditing and testing firewall and networks Runs on both Windows and Linux operating systems
UrtifW
CEH
itkMl lUikw
http://www.hping.org
3 1 0 .0 .0 .2 -p 8 9 1 800 .2 1 9 .0 .0 .2 ) : A set, 4 0headers + 0data bytel len = 4 0ip-1 0 .0 .0 .2 t t l = 1 2 8OF id=2 6 85spoci^0 flags-R seqÔ w ln 0 rtt= 1 .3ms ^ len ^ 4 0ip-1 0 .0 .0 .2 t t l = 1 2 8OF id2 6 5 8 6sport-ee-flags-R seq1w in = 0rtt=6 .8 ms len = 4 0ip-1 0 .0 .0 .2 t t l = 1 2 8OF id = 2 6 0 8 7sport-8 GFflags=R Ieq ^ 2w in=o r 11=1.0 len 4 0ip-1 0 .0 .0 .2 t t l 1 2 8OF id 2 6 0 8 8sport8 0flogs-R scq3w 1 n=0 rtr= 6 .9 ms len = 4 0ip=1 0 ^L0 .2 t t l = 1 2 8OF id 2 6 6 8 95porjt=8e ftcgsfR seq= 4w len=4 ) 1^=10.0 .8/?t t l = 1 2 8DF ld=2 6 B9 D sport80 flags=R seq= 5J in 0 rtt- 0 .5 ms len= 4 6ip=1 0 .O.3 .2 t t l = 1 2 8OF id = 2 6 0 9 1sport= 8 0flags=R seq= 6w in = 0rtt=e.7ms len = 4 0ip=1 0 .O.0 .2 t t l = 1 2 8OF id 2 6 0 9 2 sport 8 0 flags^R seq= 7w ln = 8rtt=8 .8 ms len 4 0ip-1 0 .0 .0 .2 t t l 1 2 8OF id 2 6 0 9 35 port8 0flegs R seq8w
footgbt:-# hping A HPINC . . (ethl
ACK Scanning on p o rt 80
Copyright by EG-GMMCil. All Rights Reserved. Reproduction Is Strictly Prohibited.
H ping2/H ping3
Source: http://www.hping.org HPing2/HPing3 is a command-line-oriented TCP/IP packet assembler/analyzer that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It has Traceroute mode, and enables you to send files between covert channels. It has the ability to send custom TCP/IP packets and display target replies like a ping program does with ICMP replies. It handles fragmentation, arbitrary packets' body and size, and can be used in order to transfer encapsulated files under supported protocols. It supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services. An attacker studies the behavior of an idle host to gain information about the target such as the services that the host offers, the ports supporting the services, and the operating system of the target. This type of scan is a predecessor to either heavier probing or outright attacks. Features: The following are some of the features of HPing2/HPing3: 0 0 Determines whether the host is up even when the host blocks ICMP packets Advanced port scanning and test net performance using different protocols, packet sizes, TOS, and fragmentation
Module 03 Page 292

Scanning Networks
Manual path MTU discovery Firewalk-like usage allows discovery of open ports behind firewalls Remote OS fingerprinting TCP/IP stack auditing
9
9 9
ICM P Scanning A ping sweep or Internet Control Message Protocol (ICM P) scanning is a process of sending an ICMP request or ping to all hosts on the network to determine which one is up. This protocol is used by operating system, router, switch, internet-protocol-based devices via the ping command to Echo request and Echo response as a connectivity tester between different hosts. The following screenshot shows ICMP scanning using the Hping3 tool:
v x root@bt: ~
File Edit View Terminal Help
root@bt:~# hpi ng3 -1 10 . 0 . 0 . 2 HPING 10.0.0.2 (e th l 10 .0 .0 .2 ): icmp mode set, 28 headers + 0 d len=28 ip=10.0 .0.2 ttl= 128 id=25908 icmp_seq=0 rtt=2.2 m s len=28 ip=10.0 .0.2 ttl= 128 id=25909 icmp_seq=l rtt=1.0 m s len=28 ip=10.0 .0.2 ttl= 128 id=25910 icmp_seq=2 rtt=1.7 m s len=28 ip=10.0 .0.2 ttl= 128 id=25911 icmp_seq=3 rtt=0.5 m s icmpseq=4 rtt=0.4 m s len=28 ip=10.0 .0.2 ttl= 128 id=2591% len=28 ip=10.0 .0.2 ttl= 128 id=25913 icmp seq=5 r t t = l . l m s len=28 ip=10.0 .0.2 ttl= 128 id=25914 icmp seq=6 rtt=0.9 m s len=28 ip=10.0 .0.2 ttl= 128 id=25915 icmp seq=7 r t t = l . l m s len=28 ip=10.0 .0.2 ttl= 128 id=25916 icmp seq=8 rtt=0.9 m s len=28 ip=10.0 .0.2 ttl= 128 id=25917 icmp seq=9 r t t = l . l m s s len=28 ip=10.0 .0.^>ttl= 128 id=25918 icmp seq=10 rtt=0.8 m len=28 ip=10.0 .0.2 ttl= 128 id=25919 icmp_seq=ll rtt=1.2 m s len=28 ip=10.0 .0.2 ttl= 128 id=25920 icmp seq=12 rtt=0.7 m s len=28 ip=10.0 .0.2 ttl= 128 id=25921 icmp seq=13 rtt=0.8 m s len=28 ip=10.0 .0.2 ttl= 128 id=25922 icmp seq=14 rtt=0.7 m s len=28 ip=10.0 .0.2 ttl= 128 id=25923 icmp seq=15 rtt=0.7 m s len=28 ip=10.0 .0.2 ttl= 128 id=25924 icmp seq=16 rtt=0.8 m s len=28 ip=10.0 .0.2 ttl= 128 id=25925 icmp seq=17 rtt=1.0 m s
FIGURE 3.12: Hping3 tool showing ICMO scanning output
ACK Scanning on Port 80 You can use this scan technique to probe for the existence of a firewall and its rule sets. Simple packet filtering will allow you to establish connection (packets with the ACK bit set), whereas a sophisticated stateful firewall will not allow you to establish a connection. The following screenshot shows ACK scanning on port 80 using the Hping3 tool:
Module 03 Page 293

Scanning Networks
>v
ro o tab t: -
File Edit View Terminal Help
0 0 t@ bt:~# hping3 -A 1 0 .0 .0 .2 p 80 HPING 1 0 .0 .0 .2 ( e t h l 1 0 .0 .0 .2 ): A s e t, 40 headers + 0 d ata byte s len=40 ip = 1 0 .0 .0 .2 ttl= 128 DF id=26085 spar,t=80 flags= R seq=0 w in=0 rtt= 1 .3 ms len=40 ip = 1 0 .0 .0 .2 ttl= 128 DF id=26086 sport=80 flags= R seq=l w in=0 rtt= 0 .8 ms -'" len=40 ip=10.0 .0 .2 ttl= 128 DF id=26087 sport=89 flags= R seq=2 w in=0 rtt= 1 .0 ms len=40 ip = 1 0 .0 .0 .2 ttl= 128 DF id=26088 sport=80 ^lags=R seq=3 w in=0 rtt= 0 .9 ms len=40 ip = 1 0 J0 .0 .2 ttl= 128 DF id=26089 sport=80 flags= R seq=4 w in=0 r,tt=p. 9 ros ^ Jj I 4 ^ f j len=40 ip = lO .0 .0 .2 ttl= 128 DF id=26O90 sport=80 flags= R seq=5 w in=0 rtt= 0 .5 ms len=40 ip = lO .0 .0 .2 ttl= 128 DF id=26091 sport=80 flags= R seq=6 w in=0 rtt= 0 .7 ms len=40 ip= 10.0.O .2 ttl= 128 DF id=26092 sport=80 flags= R seq=7 w in=0 rtt= 0 .8 m s len=40 ip= 10.0.O .2 ttl= 128 DF id=26093 sport=80 flags= R seq=8 v
FIGURE 3.13: Hping3 tool showing ACK scanning output
Module 03 Page 294

Scanning Networks
H p in g C o m m a n d s
ICMP Ping SYN scan on port 50-60
UrtifM
c EH
ItkKJl Nm Im
hping3 -1 10.0.0.25
hping3 -8 50-56 -S 10.0.0.25 -V
ACK scan on port 80
FIN, PUSH and URG scan on port 80
hpng3 -A 10.0.0.25 -p 80
hping3 -F -p -U 10.0.0.25 -p 80
U D Psc a n o n port 80
Scan entire subnet for live host

h p i n g 3 -1 1 0 . 0 . 1 . x rand - d e s t
hping3 -2 10.0.0.25 -p 80
-I ethO
Intercept all traffic containing HTTP signature
Collecting Initial Sequence Number
h p i n g 3 1 9 2 . 1 6 8 . 1 . 1 0 3 -Q -p 139
hping3 -9 HTTP -I ethO
Firewalls and Time Stamps

h p i n g 3 -S 7 2 . 1 4 . 2 0 7 . 9 9 -p 80
tc p - tim e s ta m p
SYN flooding a victim
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 flood
Copyright by E CCM IC i l.All Rights Reserved. Reproduction is Strictly Prohibited.
Hping C om m ands
The following table lists various scanning methods and respective Hping commands:
Scan ICMP ping ACK scan on port 80 UDP scan on port 80 Collecting initial sequence number Firewalls and time stamps SYN scan on port 50-60 FIN, PUSH and URG scan on port 80 Scan entire subnet for live host Intercept all traffic containing HTTP signature SYN flooding a victim
Commands
hping3 -1 10.0.0.25 hping3 -A 10.0.0.25 -p 80 hping3 -2 10.0.0.25 -p 80 hping3 192.168.1.103 -Q -p 139 -s hping3 -S 72.14.207.99 -p 80 --tcptimestamp hping3 -8 50-56 -S 10.0.0.25 -V hping3 -F -p -U 10.0.0.25 -p 80 hping3 -1 10.0.1.x --rand-dest -I ethO hping3 9 HTTP -I ethO hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
TABLE 3.1: Hping Commands Table
Module 03 Page 295

Scanning Networks
S c a n n in g T e c h n iq u e s
TCP Connect / Full Open Scan Stealth Scans IDLE Scan ICMP Echo Scanning/List Scan
T E C
SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning ACK Flag Scanning
H
N
I o
E
u
S
Copyright by EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.
Scanning T echniques
Scanning is the process of gathering information about the systems that are alive and responding on the network. The port scanning techniques are designed to identify the open ports on a targeted server or host. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the intent of compromising it.
Different types of scanning techniques employed include:

TCP Connect / Full Open Scan Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan IDLE Scan ICMP Echo Scanning/List Scan
SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning
ACK Flag Scanning
Module 03 Page 296

Scanning Networks
The following is the list of important reserved ports:

Name Port/Protocol Description
echo echo discard discard systat daytime daytime netstat qotd chargen chargen ftp-data ftp ssh telnet smtp time time rip nicname domain domain sql*net sql*net bootps bootps bootpc
7/tcp 7/udp 9/tcp 9/udp 11/tcp 13/tcp 13/udp 15/tcp 17/tcp 19/tcp 19/udp 20/tcp 21/tcp 22/tcp 23/tcp 25/tcp 37/tcp 37/udp 39/udp 43/tcp 53/tcp 53/udp 66/tcp 66/udp 67/tcp 67/udp 68/tcp Mail Timeserver Timeserver resource location who is domain name server domain name server Oracle SQL*net Oracle SQL*net bootp server bootp server bootp client Quote ttytst source ttytst source ftp data transfer ftp command Secure Shell sink null sink null Users
Module 03 Page 297

Scanning Networks
bootpc tftp tf tp gopher finger www-http www-http kerberos kerberos

P P 2
68/udp 69/tcp 69/udp 70/tcp 79/tcp 80/tcp 80/udp 88/tcp 88/udp 109/tcp 110/tcp 111/tcp 111/udp 113/tcp 113/udp 114/tcp 114/udp 119/tcp 119/udp 123/tcp Port/Protocol 123/udp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp 143/tcp
bootp client Trivial File Transfer Trivial File Transfer gopher server Finger WWW WWW Kerberos Kerberos PostOffice V.2 PostOffice V.3 RPC 4.0 portmapper RPC 4.0 portmapper Authentication Service Authentication Service Audio News Multicast Audio News Multicast Usenet Network News Transfer Usenet Network News Transfer Network Time Protocol Description Network Time Protocol NETBIOS Name Service NETBIOS Name Service NETBIOS Datagram Service NETBIOS Datagram Service NETBIOS Session Service NETBIOS Session Service Internet Message Access Protocol
Pop 3 sunrpc sunrpc auth/ident auth audionews audionews nntp nntp ntp
Name
ntp netbios-ns netbios-ns netbios-dgm netbios-dgm netbios-ssn netbios-ssn imap
Module 03 Page 298

Scanning Networks
imap sql-net sql-net sqlsrv sqlsrv snmp snmp snmp-trap snmp-trap cmip-man cmip-man cmip-agent cmip-agent ire ire at-rtmp at-rtmp at-nbp at-nbp at-3 at-3 at-echo at-echo at-5 at-5 at-zis at-zis at-7
143/udp 150/tcp 150/udp 156/tcp 156/udp 161/tcp 161/udp 162/tcp 162/udp 163/tcp 163/udp 164/tcp 164/udp 194/tcp 194/udp 201/tcp 201/udp 202/tcp 202/udp 203/tcp 203/udp 204/tcp 204/udp 205/tcp 205/udp 206/tcp 206/udp 207/tcp
Internet Message Access Protocol SQL-NET SQL-NET SQL Service SQL Service
CMIP/TCP Manager CMIP CMIP/TCP Agent CMIP Internet Relay Chat Internet Relay Chat AppleTalk Routing Maintenance AppleTalk Routing Maintenance AppleTalk Name Binding AppleTalk Name Binding AppleTalk AppleTalk AppleTalk Echo AppleTalk Echo AppleTalk AppleTalk AppleTalk Zone Information AppleTalk Zone Information AppleTalk
Module 03 Page 299

Scanning Networks
at-7 at-8 at-8 ipx ipx imap3 imap3 aurp aurp netware-ip netware-ip Name rmt rmt 54erberos54-ds 54erberos54-ds isakmp fcp exec comsat/biff login who shell syslog printer printer talk talk ntalk
207/udp 208/tcp 208/udp 213/tcp 213/udp 220/tcp 220/udp 387/tcp 387/udp 396/tcp 396/udp Port/Protocol 411/tcp 411/udp 445/tcp 445/udp 500/udp 510/tcp 512/tcp 512/udp 513/tcp 513/udp 514/tcp 514/udp 515/tcp 515/udp 517/tcp 517/udp 518/udp
AppleTalk AppleTalk AppleTalk
Interactive Mail Access Protocol v3 Interactive Mail Access Protocol v3 AppleTalk Update-Based Routing AppleTalk Update-Based Routing Novell Netware over IP Novell Netware over IP Description Remote mt Remote mt
ISAKMP/IKE First Class Server BSD rexecd(8) used by mail system to notify users BSD rlogind(8) whod BSD rwhod(8) cmd BSD rshd(8) BSD syslogd(8) spooler BSD lpd(8) Printer Spooler BSD talkd(8) Talk New Talk (ntalk)
Module 03 Page 300

Scanning Networks
ntalk netnews uucp uucp klogin klogin kshell kshell
518/udp
SunOS talkd(8)
532/tcp
540/tcp 540/udp 543/tcp 543/udp 544/tcp 544/udp
Readnews
uucpd BSD uucpd(8) uucpd BSD uucpd(8) Kerberos Login Kerberos Login Kerberos Shell Kerberos Shell krcmd Kerberos encrypted remote shell -kfall ECD Integrated PC board srvr NFS Mount Service PC-NFS DOS Authentication BW-NFS DOS Authentication Flexible License Manager Flexible License Manager Kerberos Administration Kerberos Administration kdc Kerberos authenticationtcp Kerberos
ekshell
545/tcp
pcserver mount pcnfs bwnfs flexlm flexlm 5 6erberos-adm 56erberos-adm kerberos kerberos 56erberos mas ter 56erberos mas ter krb_prop
600/tcp 635/udp 640/udp 650/udp 744/tcp 744/udp 749/tcp 749/udp 750/tcp 750/udp
751/udp
Kerberos authentication
751/tcp
Kerberos authentication
754/tcp
Kerberos slave propagation
Module 03 Page 301

Scanning Networks
999/udp
Applixware
socks socks kpop ms-sql-s ms-sql-s ms-sql-m ms-sql-m Name pptp pptp nf s nf s eklogin rkinit kx kauth lyskom sip sip xll xll ire af s af s
1080/tcp 1080/udp 1109/tcp 1433/tcp 1433/udp 1434/tcp 1434/udp Port/Protocol 1723/tcp 1723/udp 2049/tcp 2049/udp 2105/tcp 2108/tcp 2111/tcp 2120/tcp 4894/tcp 5060/tcp 5060/udp 6000-6063/tcp 6000-6063/udp 6667/tcp 7000-7009/udp 7000-7009/udp
TABLE 3.2: Reserved Ports Table
Pop with Kerberos Microsoft SQL Server Microsoft SQL Server Microsoft SQL Monitor Microsoft SQL Monitor Description Pptp Pptp Network File System Network File System Kerberos encrypted rlogin Kerberos remote kinit X over Kerberos Remote kauth LysKOM (conference system) Session Initiation Protocol Session Initiation Protocol X W indow System X W indow System Internet Relay Chat
Module 03 Page 302

Scanning Networks
TCP Connect / Full Open Scan

J J TCP Connect scan detects w hen a port is open by completing th e three-w ay handshake TCP Connect scan establishes a full connection and tears it down by sending a RST packet
CEH
Scan result when a port is open ^

)SYN Packet + Port (n SYN/ACK Packet. . .
m
Attacker
...........A . t . 5ST. .........
Target
Scan result when a port is closed
SYN Packet +Port (nj
*
Attacker
??. .
H
Target
TCP Connect / Full Open Scan

Source: http://www.insecure.org TCP Connect / Full Open Scan is one of the most reliable forms of TCP scanning. The TCP connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed; otherwise, the port isn't reachable.
mm
TCP Three-way Handshake

In the TCP three-way handshake, the client sends a SYN flag, which is acknowledged
by a SYN+ACK flag by the server which, in turn, is acknowledged by the client with an ACK flag to complete the connection. You can establish a connection from both ends, and terminate from both ends individually.
Vanilla Scanning
In vanilla scanning, once the handshake is completed, the client ends the connection. If the connection is not established, then the scanned machine will be DoS'd, which allows you to make a new socket to be created/called. This confirms you with an open port to be scanned for a running service. The process will continue until the maximum port threshold is reached.
Module 03 Page 303

Scanning Networks
If the port is closed the server responds with an RST+ACK flag (RST stands for "Reset the connection"), whereas the client responds with a RST flag and here ends the connection. This is created by a TCP connect () system call and will be identified instantaneously if the port is opened or closed. Making separate connects() call for every targeted port in a linear fashion would take a long time over a slow connection. The attacker can accelerate the scan by using many sockets in parallel. Using non-blocking, I/O allows the attacker to set a low time-out period and watch all the sockets simultaneously.
u is d a v d it ia g e s
The drawback of this type of scan is easily detectable and filterable. The logs in the
target system will disclose the connection.
The Output
Initiating Connect () Scan against (172.17.1.23) Adding open port 19/tcp Adding open port 21/tcp Adding open port 13/tcp SYN Packet + Port (n) .............................. SYN / ACK Packet ACK + RST
Attacker
FIGURE 3.14: Scan results when a port is open
Target
SYN Packet + Port (n) ................................. RST
Attacker
FIGURE 3.15: Scan results when a port is closed
arget
Module 03 Page 304

Scanning Networks
Zfnmap
S<!n Ttrgct J0ok of.lc tjflp ~vj Profile
nmap 92. 63.68.
Commjnd Hosts Host
sT v nmip 192-168.168.5
StrvKtt Nmip Output Potts/Hosts Topology Most Dt!h Scans
*sT v nmjp 192.168.168.5

S t a r t in g Mrap 6.61 ( h ttp :/ / n * a p . 0rg ) a t 2012 08-10 12:04 d Ti I n i t i a t i n g ARP Ping Scan a t 12:04 Scanning 192.168.168.S (1 p o rt] Completed ARP Pin g Scan a t 12:04, 0.08s elapsed (1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o lu tio n o f 1 h o s t, a t 12:04 Completed P a r a l l e l DNS r e s o lu tio n o f 1 h o s t, a t 12:04, 0.02s elapsed I n i t i a t i n g Connect Scan a t 12:04 Scanning 192.168.168.S [1000 p o rts ] D iscovered open p ort 80/tcp on 192.168.168.5 D iscovered open p ort 993/tcp on 192.168.168.S D iscovered open p ort 8080/tcp on 192.168.168.S D iscovered open p ort 2 S/tcp on 192.168.168.S D iscovered open p ort 139/tcp on 192.168.168.5 D iscovered open p ort 8888/tcp on 192.168.168.S Completed Connect Scan at 12:04, 4 8 .63s elapsed (1000 t o t a l p o rts ) Nap scan rep ort f o r 192.168.168.S F a ile d to r e s o lv e given hostnaaie/IP: nap. Note th a t you c a n 't use '/ask* AMD * 1*4,7,100 s t y le IP ranges. I f the achine o n ly has an IP v6 address* add the Nap -6 lag t o scan t h a t . Host i s up (0.000S7s la t e n c y ) , t o t itjto to i 980 f i l t e r e d p o rts POUT STATE SERVICE 2 S/tcp open M tp 80/tcp open h ttp 110/tcp open pop) 119/tcp open nntp 13S/tcp open asrpc 8081/tcp open b lack ice iceca p 8088/tcp open radan-http 8888/tcp open sun-antwerbook
192.168.168.5
M l Afl t i r C i l .
(Oeil)
R c t af l l l lf l i c ! frw;
C:\Progra F i l e s (xS6)\N*ap Nm p done: 1 IP address ( I host up) scanned in 43.08 seconds Rax packets s e n t: 1 (288) | Rcvd: 1 (288)
FIGURE 3.16: Zenmap Screenshot
Module 03 Page 305

Scanning Networks
Stealth Scan (Half-open Scan)

Attackers use stealth scanning techniques to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic
UrtifWtf
CEH
tthKJl lUckM
SYN (Port 80) SYN
+ACK
Stealth Scan Process
,^ s /
........................
a
Sheela
10.0.0.3:80
The client sends a single SYN packet to the server on the appropriate port
Bill
10.0.0.2:2342
Port is open
lf the port is open then the server responds with a SYN/ACK packet
(ft
If the server responds with an RST packet, then the remote port is in the "closed" state Bill
10.0.0.2:2342
WN|PrlSn|
*O j j
Sheela
10.0.0.3:80
The client sends the RST packet to close the initiation before a connection can ever be established
Port is closed
Stealth Scan (Half-Open Scan)

Stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This is a scan type that sends a single frame with the expectation of a single response. The half-open scan partially opens a connection, but stops halfway through. This is also known as a SYN scan because it only sends the SYN packet. This stops the service from ever being notified of the incoming connection. TCP SYN scans or half-open scanning is a stealth method of port scanning. The three-way handshake methodology is also implemented by the stealth scan. The difference is that in the last stage, remote ports are identified by examining the packets entering the interface and terminating the connection before a new initialization was triggered. The process preludes the following: 9 To start initialization, the client forwards a single "SYN" packet to the destination server on the corresponding port. 9 The server actually initiates the stealth scanning process, depending on the response sent. 9 If the server forwards a "SYN/ACK" response packet, then the port is supposed to be in an "O PEN" state.
Module 03 Page 306
Ethical Hacking and Countermeasures Copyright by EC-COlMCil

Scanning Networks
If the response is forwarded with an "RST" packet, then the port is supposed to be in a "CLOSED" state.
SYN (Port 80)
Bill
10.0.0.2:2342
Sheela
10.0.0.3:80
P o r t is o p e n
FIGURE 3.16: Stealth Scan when Port is Open
^
Bill
10.0.0.2:2342
.....
Sheela
10.0.0.3:80
Port is closed
FIGURE 3.17: Stealth Scan when Port is Closed
Zenmap Tool
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save the frequently used scans as profiles to make them easy to run recurrently. It contains a command creator that allows you to interact and create Nmap command lines. You can save the Scan results and view them in the future and they can be compared with another scan report to locate differences. The results of the recent scans can be stored in a searchable database. The advantages of Zenmap are as follows: 9 9 9 Q Q Interactive and graphical results viewing Comparison Convenience Repeatability Discoverability
Module 03 Page 307

Scanning Networks
cr
Zenmap
lo o k profile H elp
Is
Scan
nmap 192.168.168.5 Command Hosts OS w Host * -sT -v nmap 192.168.168.5 Services 4 Nmap Output Ports / Hosts
Profile
,Scan
Cancel
Topology
Host Detail*
Scans
* -sT -v nmap 192.168.168.5
*|
Details
192.168.168.5
S t a r t in g Nmap 6.01 ( h ttp :/ / n a a p .o rg ) a t 2012-0810 12:04 0 T ii I n i t i a t i n g ARP P in g Scan a t 12:04 S can ning 192.16 8 .1 6 8 .S [1 p o r t ] Completed ARP P in g Scan at 1 2:04, 0 .6 8 s e la p s e d (1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o lu t io n o f 1 h o s t, a t 12:04 Completed P a r a l l e l DNS r e s o lu t io n o f 1 h o s t, a t 12:04, 0 .0 2 s e lap sed I n i t i a t i n g Connect Scan a t 12:04 Scan n in g 192.16 8 .1 6 8 .S [1000 p o r t s ) D isco ve re d open p o rt 8 0 /tcp on 192.16 8 .1 6 8 .S D isco ve re d open p o rt 993/tcp on 1 9 2 .16 8 .1 6 8 .S D isco ve re d open p o rt 8080/tcp on 192.16 8 .1 6 8 .S D isco ve re d open p o rt 2 S/tcp on 192.16 8 .1 6 8 .S D isco ve re d open p o rt 139/tCp on 192.168.168.5 D isco ve re d open p o rt 8888/tcp on 192.168.168.5 Completed Connect Scan a t 1 2:04, 40.63s e la p s e d (1000 t o t a l p o r t s ) N*ap scan re p o rt f o r 192.16 8 .1 6 8 .S f a i l e d t o r e s o lv e g iv e n h o s tn a a e / IP : n rap . Note th a t you c a n 't use , / ask' ANO *1 -4 ,7 ,1 0 0 - ' s t y l e I P ra n g e s. I f th e M achine o n ly has an IP v 6 a d d re ss , add th e Neap 6 f l a g t o scan t h a t . Host i s up (O.O00S7S l a t e n c y ) . > < gt ihffwn; 980 f i l t e r e d p o rts PORT STATE SERVICE 2 S /tc p open s a tp open h t t p 8 0/tcp 110/tcp open pop 3 119/tcp open IMitp 135/tcp ooen srpc 8081/tcp open b la c k ic e - ic e c a p 8088/tcp open ra d a n - h ttp 8888/tcp open su n -answerbook (D e ll)
Rtad flat! f i l e t frw; C :\Pro g ra F i l e s (x M )\ N ap H*ap done: 1 I P ad dress (1 h o st up) scanned in 43.08 seconds Rax p a ck e ts s e n t: 1 (286) | Rcvd: 1 (2 8 6 )
Filter Hosts
FIGURE 3.18: Zenmap Showing Scanning Results
Module 03 Page 308

Scanning Networks
X m a s S can
o
FIN, URG, PUSH FIN, URG, PUSH
UftNM
c El \
ftb.ul H.. fcM
No Response Attacker 10. 0 . 0.6 Server Attacker 10 . 0 . 0.6
mu : : : 1
Server
10.0.0.8:23
10.0.0.8:23
Port is open
Port is clo se d
In Xmas scan, attackers send a TCP frame to a remote device with URG, ACK, RST, SYN, PSH, and FIN flags set
FIN scan only with OS TCP/IP developed according to RFC 793
It will not work against any current version of Microsoft Windows
X m as Scan
-----Xmas Scan is a port scan technique with ACK, RST, SYN, URG, PSH, and FIN flags set to send a TCP frame to a remote device. If the target port is closed, then you will receive a remote system reply with a RST. You can use this port scan technique to scan large networks and find which host is up and what services it is offering. It is a technique to describe all TCP flag sets. W hen all flags are set, some systems hang; so the flags most often set are the nonsense pattern URG-PSH-FIN. This scan only works when systems are compliant with RFC 793.
BSD Netw orking Code

This method is based on BSD networking code; you can use this only for UNIX hosts and it does not support Windows NT. If this scan is directed at any Microsoft system, it shows all the ports on the host are opened.
Transm itting Packets

You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts packet and does not send any response, the port is open. If the target system sends RST flag, the port is closed.
Module 03 Page 309

Scanning Networks
Advantage: It avoids the IDS and TCP three-way handshake. Disadvantage: It works on the UNIX platform only.
FIN, URG, PUSH
No Response Attacker 10.0 .0.6 Server
Port is open
FIGURE 3.19: Xmas Scan when Port is Open
10.0.0.8:23
FIN, URG, PUSH
RST Attacker 10 .0 .0.6 Server

10.0.0.8:23
P o rt is c lo s e d
FIGURE 3.20: Xmas Scan when Port is Closed
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save the frequently used scans as profiles to make them easy to run recurrently.
Zenmap
Scan Target: 100It Profile Help
nmap 192.I6S.168.} 1 X v r
Nmip Output Pcrts/Hosts Topology Host Ottals S<ar -sX-v nmap 192.16S.168.3
Start
Command:
OS Host W * 192.168.16S.5 192.168.168.3
D etails
S tartin g Nmap 6.01 ( * t 2612 08 10 12:39 Standarc 1ie Initiating AKP Ping Scan at 12:39 Scanning 192.168.168.3 [1 port] Completed ARP Ping Scan at 12:39, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution 0f 1 host, at 12:39 Coa191eted Parallel DNS resolution o* 1 host, at 12:39, 0.02s elapsed Initiating XMAS Scan at 12:3* Scanning 192.168.1*8.3 [10CO po ts] Increasing cand dalay *or 192.168.168.3 from 0 to 5 due to 108 out of 358 dropped probes since last increase. Co*!91eted XMAS Scan at 12;39, 9.75s elapsed (1800 to ta l ports) Nra scan report fo r 197.1*3.168.3 Failed o resolve given hostrawe/IP: niwp. Note that you c a n 't use V ? AHO *1-4,7,180 s ty le IP ranges. I f the wchine only ha? an IPv6 address. add the Mnap -6 fla g to scan th at. Host is up (0.000023s la t e r c y ). Not shovn; 997 clo;ed ports PORT STATE SEUVICE 22/tcp o c e r lfilt e r e d j$n 88/tcp o p e r | f ilt e ed kertxrcs-sec 548 tcp o p e r | f ilt e ed afp
M A CAMrtu;
Read tifltfl f l i p frggl C:\Progra * lie s <x!6)\taao 1 IP ad Jrest (1 host up) scanned in 12.19 seconds Rat. paccets sent: 13S3 (S4.1M KB) I Rcvd: 998 (39.908K8)
FIGURE 3.21: Zenmap Showing Xmas Scan Result
Module 03 Page 310

Scanning Networks
S can
J J J In FIN scan, attackers send a TCP frame to a remote host with only FIN flags set FIN scan only with OS TCP/IP developed according to RFC 793 It will not work against any current version of Microsoft Windows J *
> FIN Scan

-----RST. FIN Scan is a type of port scan. The client sends a FIN packet to the target port, and if the service is not running or if the port is closed it replies to you with the probe packet with an
FIN
No Response
Attacker 10.0 .0.6
P o rt is open
10.0.0.8:23
FIGURE 3.22: FIN Scan when Port is Open
Module 03 Page 311

Scanning Networks
Attacker 10. 0 . 0.6
Port is c lo s e d
FIGURE 3.23: FIN Scan when Port is Closed

Zenmap
Scan Target look E'ofile fcjdp [Scan:
Cancel
E H
nmap 192.168.168.3 if v nmap 192.168.168.3 Nmap Output Ports/Host* Topo*og> Host Detail! Scans i f -v nmap 192.168.168.3
Command: Hosts OS * Host *
192.168.168.5 192.168.168.3
S t a r tin g Nm p 6.01 ( h ttp :/ / n M p .o rg ) at 2012 08 10 12:35 Standard Tie I n i t i a t i n g ARP Ping Scan at 12:35 Scanning 192.168.168.3 [1 p o rt] Completed ARP Ping Scan at 12:35, 0.07s elapsed (1 t o t a l h o sts) I n i t i a t i n g P a r a lle l DNS r e s o lu tio n o f 1 h ost, a t 12:35 Completed P a r a lle l ONS re s o lu tio n o f 1 h ost, at 12:35, 0.10s elapsed I n i t i a t i n g FIN Scan at 12:35 Scanning 192.168.16S.3 [1000 p o rts] In crea sin g send d elay fo r 192.168.168.3 fro 0 to 5 due to 108 out o f 358 dropped probes sin ce la s t in crea se. In crea sin g send d elay f o r 192.168.168.3 froai 5 to 10 due to ax_$uccessful_tryno in crease to 4 Completed FIN Scan at 12:35, 11.78s elapsed (1000 t o t a l p o rts ) *toap scan rep ort fo r 192.168.168.3 F a ile d to re s o lv e given hostnaaw/IP: naap. Note th at you c a n 't use */ m s i c AND 4, 7, 100*1 's t y le IP ranges. I f the achine on ly has an IP v6 address, add the N*ap *6 f la g to scan t h a t . Host is up (0.0000050s la te n c y ). closed ports PORT STATE SERVICE 22/tcp o p e n |fiite r e d ssh 88/tcp o p e n jfilt e r e d k erberossec S48/tcp o p e n jfilt e r e d afp
U gl-itH M ?; 997
* A i.A M T M 1 ;
Rctti d i t l f l i t * ffg g j C:\Progra F ile s (x86)\Nap Nwap done: 1 IP address (1 host up) scanned in 14.28 seconds Rat packets sen t: 1378 (55.108KB) | Rcvd: 998 (39.908KB)
FIGURE 3.24: Zenmap showing FIN Scan Result
Module 03 Page 312

Scanning Networks
NULL S can
Port is open
TCP Packet with NO Flag Set
CEH
9H
Attacker 10 .0 .0.6
No Response
In NULL scan, attackers send a TCP frame to a remote host with NO Flags NULL scan only works if OS' TCP/IP implementation is developed according to RFC 793 It will not work against any current version of Microsoft Windows
NULL Scan
NULL scans send TCP packets with all flags turned off. It is assumed that closed ports will return a TCP RST. Packets received by open ports are discarded as invalid. It sets all flags of TCP headers, such as ACK, FIN, RST, SYN, URG and PSH, to NULL or unassigned. W hen any packets arrive at the server, BSD networking code informs the kernel to drop the incoming packet if a port is open, or returns an RST flag if a port is closed. This scan uses flags in the reverse fashion as the Xmas scan, but gives the same output as FIN and Xmas tree scans. Many network codes of major operating systems can behave differently in terms of responding to the packet, e.g., Microsoft versus UNIX. This method does not work for Microsoft operating systems. Command line option for null scanning with NMAP is "-sN"
Advantage:
It avoids IDS and TCP three-way handshake.
Disadvantage:
It works only for UNIX.
Module 03 Page 313

Scanning Networks
Port is open
^ > C E 31
No Response
Attacker
10. 0. 0.6 FIGURE 3.25: NULL Scan when Port is Open
Server 10.0.0.8:23
Port is clo se d
E
f c _ 5
RST/ACK
Attacker
10 .0 .0.6 FIGURE 3.26: NULL Scan when Port is Closed Zenmap
S c jn Target: lo o k profile n m a p 192.168.168.3 * - tN v n m a p 192.168.168.3 N m a p O u tp u t P orts / Hosts T op o lo g y H o st Details Sta n s
Server 10.0.0.8:23
E lio ]
Scan
C om m and: H o sts O S - H o st
sN -v n m a p 192.168.168.3
IM
192.168.168.5 192.168.168.3
Starting Nmap 6.01 ( http://nxap.org ) at 2012-08-10 12:41 Standard Tine Initiating ARP Ping Scan at 12:41 Scanning 192.168.16a.3 (1 port) Completed ARP Ping Scan at 12:41, 0.06s lapsed <1 total hosts) Initiating Parallel DNS resolution of 1 host, at 12:41 Completed Parallel DNS resolution of 1 host, at 12141, 0.02s elapsed Initiating NULL Scan at 12:41 Scanning 192.168.168.3 [1000 ports) Increasing send delay for 192.168.168.3 froei 0 to 5 due to 21S out of 71S dropped probes since last increas*. Completed NULL Scan at 12:41, 8.23s elapsed (1000 total ports) Noap scan report for 192.168.168.3 Failed to resolve given hostnaae/lP: nmap. Note that you can't use /ask* AND 1-4,7,100 'style IP ranges. If the achine only has an IPv6 address, add the Naap -6 flag to scan that. Host is up (0.00s latency). Not shown: 997 closed ports PORT STATt SERVICE 22/tcp open|filtered ssh 88/tcp openjfiltered kerberos-sec 548/tcp openjfiltered afp
M AC A fld rcn ;
Read data files fro: C:\Progran files (x86)\Nmap N m jio done: 1 IP address (1 hostup) scannedin 10.66 seconds Ran packets sent: 1844(73.748KB) | Rcvd: 998 (39.908KB)
FIGURE 3.27: Zenmap showing NULL Scan Result
Module 03 Page 314

Scanning Networks
ID LE S can
Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. Port is considered "open" if an application is listening on the port One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port
CEH
A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored
Every IP packet on the Internet has a "fragment identification" number (IP ID)
The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed t f Command Prompt
OS increments the IP ID for each packet sent, thus probing an IP ID gives an attacker the number of packets sent since last probe
C : \ > n m a p -P n -p- -si wvrw.juggyboy.com w w w . c e r t i f i e d h a c k e r . c o m Starting Nmap ( h t tp://nmap.org ) Idlescan using zombie w w w . 3 u g gyboy.com (192.130.18.124:80); Class: Nmap scan report for 198.182.30.110 (The 40321 ports scanned b u t not Port State Service open 2 1 /tcp ftp open 25/tcp smtp open 80/tcp http Nmap done: 1 IP address (1 host tip) scanned in 1931.23 seconds Incremental
Copyright by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
IDLE Scan
The idle scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available and offers complete blind scanning of a remote host. This is accomplished by impersonating another computer. No packet is sent from your own IP address; instead, another host is used, often called a "zombie," to scan the remote host and determine the open ports. This is done by expecting the sequence numbers of the zombie host and if the remote host checks the IP of the scanning party, the IP of the zombie machine will show up.
Understanding TCP/IP
Source: http://nmap.org Idle scanning is a sophisticated port scanning method. You do not need to be a TCP/IP expert to understand it. You need to understand the following basic facts: Q Most of the network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port; otherwise it is closed.
Module 03 Page 315

Scanning Networks
To determine whether a port is open, send a session establishment "SYN" packet to the port. The target machine responds with a session request acknowledgment "SYN|ACK" packet if the port is open and a Reset "RST" packet if the port is closed.
A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.
Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.
From these facts, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning.
Command Prompt
a
FIGURE 3.28: Nmap Showing Idle Scan Result
Module 03 Page 316

Scanning Networks
ID LE S can : S tep 1
Every IP packet on the Internet has a fragment identification number (IP ID), which increases every time a host sends; IP packet
C EH
Attacker
RST Packet FIGURE 3.29: IPID Probe Request and Response
Zombie
Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number
In the first step, you can send a session establishment "SYN" packet or IPID probe to determine whether a port is open or closed. If the port is open, the "zombie" responds with a session request acknowledgment "SYN |ACK" packet containing the IPID of the remote host machine. If the port is closed, it sends a reset "RST" packet. Every IP packet on the Internet has a "fragment identification" number, which is incremented by one for every packet transmission. In the above diagram, the zombie responds with IPID=31337.
Module 03 Page 317

Scanning Networks
ID LE S can : S tep 2 a n d 3
S te p 2
J J Send SYN packet to the target m achine (port 80) spoofing the IP address of the "zom bie"
CEH
If the port is open, the target will send SYN/ACK Packet to the zombie and in response zombie sends RST to the target
If the port is closed, the target will send RST to th e "zo m b ie" but zombie will not send anything back
SYN Packet to port 80 spoofing zombie IP address
4VC
Attacker
r t o s f f i S S * 5 " T e"
Zombie P o r t is o p e n
j
;
S te p 3
J Probe "zo m b ie" IPID again
IPID Probe SYN / ACK Packet
Response: IPID=31339 RST Packet
Attacker
IPID incremented by 2 since Step 1, so port 80 must be open
IDLE Scan: Step 2 and 3

Idle Scan: Step 2.1 (Open Port)
" Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie." If the port is open, the target will send the SYN/ACK packet to the zombie and in response the zombie sends the RST to the target.
Attacker
QOO
Target
Zombie
Port
is
open
FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open
Idle Scan: Step 2.2 (C losed Port)

The target will send the RST to the "zombie" if the port is closed, but the zombie will
Module 03 Page 318 Ethical Hacking and Countermeasures Copyright by EC-COUIICil

Scanning Networks
not send anything back.
Attacker
I4
................ ................
Target
Zombie
Port is clo sed
FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed
Idle Scan: Step 3

Probe the "zombie" IPI D again.
IPID Probe SYN / ACK Packet
Response: IPID=31339 RST Packet
Attacker
IPID incremented by 2 since Step 1, so port 80 must be open FIGURE 3.32: IPID Probe Request and Response
Zombie
Module 03 Page 319

Scanning Networks
ICM P Echo Scanning/List Scan

J This is not really port scanning, since IC M P does not have a port abstraction J But it is som etim es useful to determ ine which hosts in a netw ork are up by pinging them all J nmap -P cert.org/24 152.148.0.0/16
Zenmap Scan loots Profile Help Targtc 1 9 2 .1 6 6 .1 ^ 6 nm ap tn 1 9 2.1 6 &1 .2 6 5vkf1 Nm ap O utput Ports/Host' Topology HortDeta* $ c a w nm ap 1W.168.U6 Ota* v| Profile: [ [j |$c*n Caned 1 ^ 2 U M V|n look rofit* fc l *p Target 19i.168.160J n,np * v1 9 2 168.I66S S*rvK - Profile Zenmap
CEH
This type of scan simply generates and prints a list of IPs/N am es w ithout actually pinging or port scanning them
A DNS nam e resolution will also be carried out
jjienj
Command Hettt 0$ < Ho*
Command M ott* OS - Moit
Nmap O utput PoiW/Hoitt Tepol&y, < o Detail Scam nmap-U.-vl9i.l6e.16W DtaJ;
starting Nrwp .01 ( t1 ttpl//nap.0rg ) at M l? M l ! IB: 17 .tnnflnra rlrr Kimu dime: 1 IP ai/dr eu's (ln o tt u t> ) scanned in 16.37
Starting Wrap 6.61 < httpi/Zrwap.orf ) at M l? M l 1J1M mara tlf Initiating Paralltl 0NS resolution 0 1 host. at U S* taepleted Parallel DM resolution of 1 host. at 13:S4, 8 .M 1 elapsed Ue.p *con report for l2.1M.t6I.S Naap done; 1 IP address < hosts up) scanned in .M seconds Mlr H0U1
filler H osts
V \
ICMP Echo Scanning/L ist Scan
L is t S c a n
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited
ICMP echo scanning is used to discover live machines by pinging all the machines in the target network. Attackers send ICMP probes to the broadcast or network address which is relayed to all the host addresses in the subnet. The live systems will send ICMP echo reply message to the source of ICMP echo probe. ICMP echo scanning is used in UNIX/Linux and BSD-based machines as the TCP/IP stack implementations in these operating system responds to the ICMP echo requests to the broadcast addresses. This technique cannot be used in Windows based networks as the TCP/IP stack implementation in windows machines is configured, by default, not to reply ICMP probes directed to the broadcast address. ICMP echo scanning is not referred to as port scanning since it does not have a port abstraction. ICMP echo scanning is useful to determine which hosts in a network are active by pinging them all. The active hosts in the network is displayed in Zenmap as "Host is up (0.020s latency)." You can observe that in the screenshot:
Module 03 Page 320
Zenmap
Scan Target: Tools Profile Help Profile: Scan
^L-rel
192.168.1.26 nmap -sn 192.168.1.26 Services Nmap Output
Cancel
Command: Hosts OS < Host
Ports/Hosts
Topology
Host Details
Scans *I i Details
nmap -sn 192.168.1.26
192.168.1.26
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-13 18:37 Standard Time Nmap scan report for 192.168.1.26 |Host is up (0.0020s latency) ~ | Nmap done: 1 IP address (1 host up) scanned in 16.57 seconds
Filter Hosts
FIGURE 3.33: Zenmap showing ICMP Echo Scanning Result
In a list scan, discovery of the active host in the network is done indirectly. A list scan simply generates and prints a list of IPs/Names without actually pinging the host names or port scanning them. As a result, the list scan output of all the IP addresses will be shown as "not scanned," i.e., (0 hosts up). By default, a reverse DNS resolution is still being carried out on the host by Nmap for learning their names.
Zenmap
Scan Target lools Erofile {Help Profile:
Cancel
192.168.168.5 nmap -sL -v 192.168.168.5 Services Nmap Output
Command: Hosts OS - Host
Ports /Hosts
Topology
Host Details Scans "v j | Details
nmap-sL-v 192.168.168.5
S t a r t i n g Nmap 6 .0 1 ( h t t p :/ / n m a p .o r g ) a t 2012-08-10 1 3 :5 4 id a rd T itie I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 3 :5 4 C o m pleted P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 3 :5 4 , 0 .0 4 s e la p s e d Nmap sc an r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .5 Nmap done: 1 I P a d d r e s s (0 h o s t s u p ) scan n e d i n O .06 seco n d s
Filter Hosts
FIGURE 3.34: Zenmap showing List Scanning Result
Advantage:
9 9 A list scan can perform a good sanity check. The incorrectly defined IP addresses on the command line or in an option file detected by the list scan. The detected errors should be repairedprior to running "active" scan. are any
Module 03 Page 321

Scanning Networks
UDP S c a n n in g
Are you open on UDP Port 29?
C EH
................................................... *
No response if port is ...................
If Port is Closed, an ICM P Port unreachable message is received
% ...... Iss____j
Server
UDP Port Open

There is no three-way TCP handshake ke for UDP scan The system does not respond with a message when the port is open
UDP Port Closed

e if a UDP packet is sent to closed port, the system responds with IC M P port unreachable message Spywares, Trojan horses, and other malicious applications use UDP ports
UDP Scanning
UDP Raw ICMP Port Unreachable Scanning
UDP port scanners use the UDP protocol instead of TCP, and can be more difficult than TCP scanning. You can send a packet, but you cannot determine that the host is alive or dead or filtered. However, there is one ICMP that you can use to determine whether ports are open or closed. If you send a UDP packet to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. If any port returns an ICMP error, then it's closed, while the ports that didn't answer are either open or filtered by the firewall. This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.
UDP Packets
Source: http://nmap.org W hen you send a packet to a closed UDP port, most of the hosts send an
ICM P_PORT_UNREACH error. Thus, you can find out if a port is NOT open. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement the retransmission of packets that appear lost. UDP scanners interpret lost traffic as open ports.
Module 03 Page 322

Scanning Networks
In addition, this scanning technique is slow because of limiting the ICMP error message rate as compensation to machines that apply RFC 1812 section 4.3.2.8. A remote host will need to access the raw ICMP socket to distinguish closed from unreachable ports.
UDP RECVFROM () and WRITE () Scanning

W hile non-root users cannot read port unreachable errors directly; Linux informs you indirectly when they receive messages.
Example
For example, a second write () call to a closed port will usually fail. A lot of scanners, such as Netcat and Pluvial pscan.c do recvfrom () on non-blocking UDP sockets, usually return EAGAIN ("Try Again," errno 13) if the ICMP error has not been received, and ECONNREFUSED ("Connection refused," errno 111), if it has. This is the technique used for determining open ports when non-root users use -u (UDP). Root users can also use the I (lamer UDP scan) options to force this.
Advantage:
The UDP scan is less informal regarding an open port, since there's no overhead of a TCP handshake. However, if ICMP is responding to each unavailable port, the number of total frames can exceed a TCP scan. Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.
Disadvantage:
The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with a version detection scan (-sV) or the operating system fingerprinting option (-0). The UDP scan requires privileged access, so this scan option is only available on systems with the appropriate user permissions. Most networks have huge amounts of TCP traffic; as a result, the efficiency of the UDP scan is lost. The UDP scan will locate these open ports and provide the security manager with valuable information that can be used to identify these invasions achieved by the attacker on open UDP ports caused by spyware applications, Trojan horses, and other malicious software.
Are you open on UDP Port 29? No response if port is Open
c
di
Server
If Port is Closed, an ICMP Port unreachable message is received Attacker
.....................................
FIGURE 3.35: UDP Scanning
Module 03 Page 323

Scanning Networks
Zenmap
S<an Target Jo o li Profile tjelp
Pro file :
L 2_
Scant
n m ip 192.168.168.3
Cancel
Command; Hosts OS - Host
* -sll -v nmap 192.168.168.3 Services

4
Nmap Output
Ports/Hosts 192.168.168.3
Topok>9 > Host Detaih
Scans v Details
192 168.168.5
192.168.168.3
S t a r t i n g Nmap 6 .0 1 ( h t t p :/ / n a 1a p .o r g ) a t 2012 08 10 12:47 S ta n d a rd Time I n i t i a t i n g ARP P in g S ca n a t 13:47 S c a n n in g 1 9 2 .1 6 8 .1 6 8 .3 [1 p o r t ] Com pleted ARP P in g S can a t 1 2 :4 7 , 0 .0 6 s e la p s e d (1 t o t a l h o s t s ) I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 12:47 Com pleted P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 2 :4 7 , 0 .0 2 s e la p s e d I n i t i a t i n g LOP S ca n a t 12:47 S c a n n in g 1 9 2 .1 6 8 .1 6 8 .9 [1000 p o r t s ) D is c o v e r e d open p o r t 53S3/udp on 1 9 2 .1 6 8 .1 6 8 .3 D is c o v e r e d open p o r t 137/udp on 1 9 2 .1 6 8 .1 6 8 .3 D is c o v e r e d open p o r t 123/udp on 1 9 2 .1 6 8 .1 6 8 .3 In c r e a s i n g send d e la y f o r 1 9 2 .1 6 8 .1 6 8 .3 * r o o t 0 t o SO due t o 216 o ut o f 719 dropped p ro b e s s in c e l a s t i n c r e a s e . Com pleted UOP S ca n a t 1 2 :4 7 , 1 9 .6 6s e la p s e d (1000 t o t a l p o r t s ) Nmap sc an r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .3 F a i l e d t o r e s o l v e g iv e n h o s tn a m e / IP : nmap. N ote t h a t you c a n ' t use , /m ask' AND 1-4,7,100- s t y l e I P r a n g e s . I f th e m achine o n ly has an IP v 6 a d d r e s s , add t h e Nmap -6 f l a g t o sc an t h a t . H ost i s up (0 .0 0 0 0 6 3 s l a t e n c y ) . Not shown: 994 c lo s e d p o r t s PORT STATE S f R V IC f 88/udp o p e n | f i l t e r e d k e rb e ro s - s e c 123/udp open n tp 137/udp open n e t b io s - n s 138/udp o p e n | f i l t e r e d netb io s- d g m S353/udp open z e ro c o n f S8178/udp o p e n | f i l t e r e d unknown MAC A d d re s s : Read d a t a f i i c a fro ; C :\ P ro g ra m F i l e s (x&6)\Nmap Nmap d on e: 1 I P a d d re s s (1 h o s t u p ) scann ed in 2 2 .0 9 seco n ds Ra p a c k e t s s e n t : 1839 ( 5 2 . 4 01KB) I R cvd : 998 (S 6 .0 6 S K B )
Filter Host*
FIGURE 3.36: Zenmap showing UDP Scanning Result
c <
Module 03 Page 324

Scanning Networks
Inverse TCP Flag Scanning
(rtifwd
CEH
itkitjl
Attackers send TCP probe packets with various TCP flags (FIN,URG,PSH) set or with no flags, no response means port is open and RST/ACK means the port is closed
Probe Packet (FIN/URG/PSH/NULL)
No Response
Attacker
Port is open
RST/ACK
Attacker
Port is closed
Copyright by EG-Gtnncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Inverse TCP Flag Scanning

Attackers send the TCP probe packets by enabling various TCP flag (FIN, URG, PSH) or with no flags. W hen the port is open, the attacker doesn't get any response from the host, whereas when the port is closed, he or she receives the RST/ACK from the target host. The SYN packets that are sent to the sensitive ports of the targeted hosts are detected by using security mechanisms such as firewalls and IDS. Programs such as Synlogger and Courtney are available to log half-open SYN flag scan attempts. At times, the probe packets enabled with TCP flags can pass through filters undetected, depending on the security mechanisms installed. Probing a target using a half-open SYN flag is known as an inverted technique. It is called this because the closed ports can only send the response back. According to RFC 793, An RST/ACK packet must be sent for connection reset, when the port is closed onhost side. TCP flags set. Common flag configurations used for probe packet include: 9 9 9 A FIN probe with the FIN TCP flag set An XMAS probe with the FIN, URG, and PUSH TCP flags set A NULL probe with no TCP flags set Attackers take advantage of this feature to send TCP probe packets to each port of thetargethost with various
Module 03 Page 325

Scanning Networks
A SYN/ACK probe All the closed ports on the targeted host will send an RST/ACK response. Since the RFC 793 standard is completely ignored in the operating system such as Windows, you cannot see the RST/ACK response when connected to the closed port on the target host. This technique is effective when used with UNIX-based operating systems.
Advantages
Q Avoids many IDS and logging systems, highly stealthy
Disadvantages
9 Q Needs raw access to network sockets, thus requiring super-user privileges Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts in particular)
No Response
Attacker
P o rt is o p e n
FIGURE 3.37: Inverse TCP Flag Scanning when Port is Open
Target Host
RST/ACK
Attacker
P o rt is clo se d
FIGURE 3.38: Inverse TCP Flag Scanning when Port is Closed
Target Host
Module 03 Page 326

Scanning Networks
ACK F la g S c a n n in g
ACK Flag Scanning

A stealthy technique is used for identifying open TCP ports. In this technique a TCP packet with ACK flag ON is sent to the remote host and then the header information of the RST packets sent by remote host are analyzed. Using this technique one can exploit the potential vulnerabilities of BSD derived TCP/IP stack. This technique gives good results when used with certain operating systems and platforms. ACK scanning can be performed in two ways: Q TTL field ananlysis
W IN D O W field analysis Using TTL value one can determine the number of systems the TCP packet traverses. You can send an ACK probe packet with random sequence number: no response means port is filtered (state full firewall is present) and RST response means the port is not filtered,
nmap -sA -P0 10.10.0.25 Starting nmap 5.21 ( http://nmap.org) at 2010-05-16 12:15 EST
All 529 scanned ports on 10.10.0.25 are: filtered
Module 03 Page 327

Scanning Networks
Stateful Firewall is Present

Probe Packet (ACK)
Attacker
No Response
Target Host
FIGURE 3.39: ACK Flag Scanning when Stateful Firewall is Present
No Firewall
IT LT I .......................................
Probe Packet (ACK)
RST
Attacker
Target Host
FIGURE 3.40: ACK Flag Scanning when No Firewall is Present
Zenmap
S<!n T.rgrt: lo o k Profit Help v Profile Scan
nmip 192.168.168.5 * sA v Pn nmap 194168.168.5 Services
Cancel
Command: Hosts
Nmap Output Ports/Hosts Topology Host Detaib Scans * -sA -v -Pn nmap 192.166.16ft} Oeta.14
S t a r t in g M a p 6.01 ( h ttp :/ / n x a p .o rg ) a t 2012-08-10 13:09 Stand ard T in* I n i t i a t i n g ARP Pin g Scan at 13:10 Scanning 192.16*.160.5 [1 p o r t ] Completed ARP Pin g Scan at 13:10, 0.07s elapsed (1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o lu t io n o f 1 h o s t, at 13:10 Completed P a r a l l e l DNS r e s o lu t io n o f 1 h o s t, at 13:10, 0.10s elapsed I n i t i a t i n g ACK Scan a t 13:10 Scanning 192.16*.168.5 [1000 p o rts ] Coaipleted ACK Scan at 13:10, 21.38s elapsed (1000 t o t a l p o r t s ) Naap scan re p o rt f o r 192.16*.168.5 F a ile d to re s o lv e g ive n h o stn a a c / lP : naap. Note th a t you c a n t use , /ask' ANO 1-4,7,100- s t y le I P ranges. I f th e achine o n ly has an IPv6 ad d re ss, add th e Nnap 6 f l a g to scan t h a t .
H ost is
up
1 0 .W 1 e s
la te n t ,) ,________________________________
I A l l 1000 scanned p o rts on 192.168.168.S a re f i l t e r e d l
MAC Address:
Read data f i l e ! frg; C :\Pro g r F i l e s ( x 86)\ m m p done; l I P address (1 host up) scanned in 23.90 seconds Rax packets se n t: 2001 (80.O28K8) | Rcvd: 1 (288)
filter Hosts
FIGURE 3.41: Zenmap showing ACK Flag Scanning Result
Module 03 Page 328

Scanning Networks
Scanning Tool: NetScan Tools Pro
CEH
myfe&uUsdaub&e - NetScanToob Pro 11.00
2 fit
Edt
Accesatolly
rJ>
Manual 1 5 0 - networkCcnrecton E-dxrts 9 Automated Tools ( Rsfren ciicUyFulPfKess Paths 193C 10' I PsccrrectAl 1CP ]
Jjrp 0 Autorrcited ]
tcW fUcftrftwh MfiC to lâufa -re
] Usccrrect nermte 1CP
TCF.UOP CocrCQonEnfant List
1 nec1 nfo.exe sycr.osz cxs

flMworit Inlctfe and 5\<tnl'r .
0 .0 .0 .0
O .O .0.0 0.0.0.0
0.0.0.0
Local IP
!yicti
STatca N s tw o rkln to r'n rci \ v t Hw M erloctt*
inee 1 nfo.exe
0 .0 .0 .0
0.0.0.0 0.0.0.0 O .O .0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
3bacr?.x IVChOK.IXI S<STC.cxe D U lK V U l.tx t 8coeSzv.xt 5tot5c1v.exe s'rS:rv.cxe IM S 2OS2 2092 2092 TC TC TC TC
s
O V O * C O1 o b l. r.w o-< r1yT.
Hawro L1 >Mvay locto
0 .0 .0 .0
127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1
C M Sfuv
ftxkr* Iffvd Tocte txtema! tods
Syat
S 7 3 ci
Svs .w
Local lore | http | 80 )cpxag( 135 )MS (UlCEOSOCt-dS' ) S (b la c k ja c k )LT23 (pptp )oyMrcanyvnccc( 2638 lc lh p ( 2069( 4)) pcsync-https web5( 9090( ) ofll )unknown! 31038 )MS71 !unknown )unknown| 04572 )34S73 !unknown lk1 1 1 .p l 60 | http | 00 IhttpI 00 httpI| 80
Reaote 1 r 0.0.0.0
1 0 2
0.0. 0 .0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
0 .0 .D.O 127.0.0.1 2 . 0.0.1 127.0.0.1 127.0.0.1
Progmliô
http://www.netscantoo1s.com lo o p Copyright 6 by EG-CSUICil. Ail Rights Reserved. Reproduction is Strictly Prohibited-
Scanning Tool: NetScan Tools Pro

Source: http://www.netscar1 tools.com NetScan Tools Pro is an investigation tool. It allows you to troubleshoot, monitor, discover, and detect devices on your network. You can gather information about the local LAN as well as Internet users, IP addresses, ports, etc. using this tool. You can find vulnerabilities and exposed ports in your system. It is the combination of many network tools and utilities. The tools are categorized by functions such as active, passive, DNS, and local computer.
Active Discovery and Diagnostic Tools: Used for testing and locating devices that are
connected to your network.
Passive Discovery Tools: Monitors the activities of the devices that are connected to your
network and also gathers information from third parties.
DNS Tools: Used to detect problems with DNS. Local Computer and General Information Tools: Provides details about your local computer's
network.
Benefits:
9 The information gathering process is made simpler and faster by automating the use of many network tools
Module 03 Page 329

Scanning Networks
Produces the result reports in your web browser clearly
myresultsdatabase - NetScanTools Pro 11.00

File Edit Accessibility View Help
Welcome Automated Tools Manual Tools (all) Refresh 0 Display Full Process Paths 1 sec 10 sec Disconnect All TCP I Disconnect Remote TCP Double-click Enable TCP Disconnects
Manual Tools - Network Connection Endpoints
Add Note Jump To Automated

IP v 4 IP v 6 0
0
O Enable AutoRefresh MAC Address to Manufacturer
Reports Add to Favorites
TCP/UDP Connection Endpoint List Network Connection Endpoints
Process inetinf0 .exe svchost.exe System inetinf 0 .exe System dbsrv9.exe svchost.exe SemSvc.exe SemSvc.exe agent.exe DkService.exe StorServ.exe StorServ.exe StorServ.exe System System System System <
PID
1100
Protocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP
'rr n
Local IP
0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0
Local Port 80 (http) 13S (epmap) 445 (microsoft-ds) 1025 (blackjack) 1723 (pptp) 2638 (sybaseanywhere) 2869 (icslap) 8443 (pcsync-https) 9090 (websm) 9876 (sd) 31038 (unknown) 34571 (unknown) 34572 (unknown) 34573 (unknown) 80 (http) 80 (http) 80 (http) 80 (http)
on
Remote IP
0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0
Network Interfaces and Statistics
252 4
1100
Li)
Network Interfaces - Wireless
Network Shares - SMB
Favorite Tools Active Discovery Tools Passive Discovery Tools DNS Tools Packet Level Tools External Tools Program Info For Help, press F I
4 1216 932 4068 4068 920 1388 2092 2092 2092

0 0 0 0 n
127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1

0 > n
127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 1 < f tf t >

NUM
FIGURE 3.42: NetScan Tools Pro Screenshot
Module 03 Page 330

Scanning Networks
S c a n n in g T ools
PRTG Network Monitor
h ttp ://w w w .p a essle r. com http ://w w w .m ag netosoft.com
C EH
Global Network Inventory Scanner
Net Tools
i N. I 1 W I
SoftPerfect Network Scanner

h ttp ://w w w .softperfect.co m
http://m absoft.com
IP Tools
Advanced Port Scanner

h ttp://w w w .radm in.com
E-
h ttp ://w w w . ks-soft. net
MegaPing
http ://w w w .m ag netosoft.com
Netifera
http ://netifera.com
Network Inventory Explorer

h ttp ://w w w . 10-s trike.com
Free Port Scanner

http://w w w .n sau dito r.com
=*~= Scanning tools ping computers, scan for listening TCP/UDP ports, and display the type of resources shared on the network (including system and hidden). The attacker may attempt to launch attacks against your network or network resources based on the information gathered with the help of scanning tools. A few of the scanning tools that can detect active ports on the systems are listed as follows:
9 PRTG Network Monitor available at http://www.paessler.com 9 Net Tools available at http://mabsoft.com 9 IP Tools available at http://www.ks-soft.net 9 MegaPing available at http://www.magnetosoft.com 9 Network Inventory Explorer available at http://www.10-strike.com
9 9 Global Network Inventory Scanner available at http://www.magnetosoft.com SoftPerfect Network Scanner available at http://www.softperfect.com
9 Advanced Port Scanner available at http://www.radmin.com 9 Netifera available at http://netifera.com 9 Free Port Scanner available at http://www.nsauditor.com
Module 03 Page 331

Scanning Networks
Do Not Scan These IP Addresses

(Unless you want to get into trouble)
RANGE 128
128.37.0.0 Army Yuma Proving Ground 1283800 Naval Surface Warfare Center 128.43.0.0 Defence Research Establishment-Ottawa 128.47.0.0 Army Communications Electronics Command 128.49.0.0 Naval Ocean Systems Center 128.50.0.0 Department of Defense 128.51.0.0 Department of Defense 128.56.0.0 U.S. Naval Academy 128.60.0.0 Naval Research Laboratory 128.63.0.0 Army Ballistics Research Laboratory 1288000 Army Communications Electronics Command 128.102.0.0 NASA Ames Research Center 128.149.0.0 NASA Headquarters 128.154.0.0 NASA Wallops Right Facility 128.155.0.0 NASA Langley Research Center 128.156.0.0 NASA Lewis Network Control Center 12815700 NASA Johnson Space Center 128.158.0.0 NASA Ames Research Center 128 159 0 0 NASA Ames Research Center 128.160.0.0 Naval Research Laboratory 128 1610 0 NASA Ames Research Center 128 183.0 0 NASA Goddard Space Flight Center 128202 0 0 50th Space Wing 128 216 0 0 MacDifl Air Force Bose 128.217.0.0 NASA Kennedy Space Center 128.236.0.0 U.S. Ar Force Academy 129.53.0.0 - 129 53.255 255 66SPTG-SCB 129.54.0.0 Vandenberg Air Force Base, CA 129.92.0.0 Air Force Institute of Technology 129.99.0.0 NASA Ames Research Center 129.131.0.0 Naval Weapons Center 129.163.0.0 NASA/Johnson Space Center 129.164.0.0 NASA IW 129.165.0.0 NASA Goddard Space Fight Center 129.167.0.0 NASA Marshall Space Right Center 129.168.0.0 NASA Lewis Research Center 129.190.0.0 Naval Underwater Systems Center 129.198 0.0 Air Force Fight Test Center 129.209.0.0 Army BaiSstcs Research Laboratory 129.229.0.0 U.S. Army Corps of Engmeers 129.251.0.0 United States Ar Force Academy
C EH
RANGE 132
132.3.0.0 Williams Air Force Base 132.5.0.0 - 132.5.255.255 49th Fighter Wing 132.6.0.0 Ankara Air Station 132.7.0.0 -132.7.255.255 SSG/SINO 132.9.0.0 28th Bomb Wing 132.10.0.0 319 Comm Sq 132.11.0.0 Hellenikon Air Base 132.12.0.0 Myrtle Beach Air Force Base 132.13.0.0 Bentwaters Royal Air Force Base 132.14.0.0 Air Force Concentrator Netwcrk 132.15.0.0 Kadena Air Base 132.16.0.0 Kunsan Air Base 132.17.0.0 Lindsey Air Station 132.18.0.0 McGuire Air Force Base 132.19.0.0 100CS (NET-MILDENHALL) 132.20.0.0 35th Communications Squadron 132.21.0.0 Plattsburgh Ar Force Base 132.22.0.0 23Communication9 Sq 132.24.0.0 Dower Air Force Base 132 25.0.0 786 CS/SCBM 132.27 0 0 132 27.255.255 39CS/SCBBN 132.28.0.0 14TH COMMUNICATION SQUADRON
RANGE 130
1304000 NASA Johnson Space Center 130.90.0.0 Mather Ar Force Base 1301090.0 Naval Coastal Systems Center 130.124.0.0 Honeywell Defense Systems Group 130.165.0.0 U.S-Army Corps of Engneers 130 167.0.0 NASA Headquarters
RANGE 131
131.60.0 Langley Ar Force Base 131.10.0.0 Barksdale Ar Force Base 131.17.0.0 Sheppard Ar Fcrce Base 131.21.0.0 Hahn Ar Base 31.32.0.0 37 Communications Squadron 1 3 1 3500 Fairchild Ar Force Base 131.36.0.0 Yokota Ar Base 131.37.0.0 Elmendorf Air Force Base 131.38.0.0 Hickam Ar Force Base 131.39.0.0 354CS/SCSN
132.30.0.0 Lqes Air Face Base

132.31.0.0 Lcnng Air Force Bose 132.33.0.0 60CS/SCSNM 132.34.0.0 Cannon Air Face Base 132.35.0.0 Altus Air Force Base 132.37.0.0 75 ABW 132.38.0.0 Goodfellow AFB 132.39.0.0 K.I. Sawyer Air Force Base
RANGE
129
1292300 Strategic Defense Initiative Organization 129.29.0.0 United States Military Academy 1295000 NASA Marshall Space Flight Center 129.51.0.0 Patrick Air Force Base 129.52.0.0 Wright-Patterson Air Force Base
For a complete list, see the file in DVD IP ADDRESSES YOU SHOULD NOT SCAN.txt
Do Not Scan T hese IP A ddresses (Unless you want to get into trouble)
The IP addresses listed in the following table are associated with the critical information resource centers of the US. Scanning these IP addresses will be considered an attempt to break the US's information security. Therefore, do not scan these IP addresses unless you want to get into trouble.
RANGE 6
6.* - Army Information Systems Center
129.51.0.0 Patrick Air Force Base

129.52.0.0 Wright-Patterson Air Force Base 129.53.0.0 - 129.53.255.255 66SPTG-SCB 129.54.0.0 Vandenberg Air Force Base, CA 129.92.0.0 Air Force Institute of Technology
RANGE 7
7.*.*.* Defense Information Systems Agency, VA
RANGE 11
Module 03 Page 332

Scanning Networks
11.*.*.* D0 D Intel Information Systems, Defense Intelligence Agency, Washington DC
129.99.0.0 NASA Am es Research Center

129.131.0.0 Naval Weapons Center 129.163.0.0 NASA/Johnson Space Center 129.164.0.0 NASA IVV 129.165.0.0 NASA Goddard Space Flight Center 129.167.0.0 NASA Marshall Space Flight Center 129.168.0.0 NASA Lewis Research Center 129.190.0.0 Naval Underwater Systems Center 129.198.0.0 Air Force Flight Test Center 129.209.0.0 Army Ballistics Research Laboratory 129.229.0.0 U.S. Army Corps of Engineers 129.251.0.0 United States Air Force Academy
RANGE 21
21. - US Defense Information Systems Agency
RANGE 22
22.* - Defense Information Systems Agency
RANGE 24
24.198.*.*
RANGE 25
25.*.*.* Royal Signals and Radar Establishment, UK
RANGE 26
RANGE 29
RANGE 130
130.40.0.0 NASA Johnson Space Center 130.90.0.0 Mather Air Force Base 130.109.0.0 Naval Coastal Systems Center 130.124.0.0 Honeywell Defense Systems Group 130.165.0.0 U.S.Army Corps of Engineers 130.167.0.0 NASA Headquarters
RANGE 30
RANGE 49
49.* - Joint Tactical Command
RANGE 50
50.* - Joint Tactical Command
RANGE 55
55.* - Army National Guard Bureau
RANGE 131
131.6.0.0 Langley Air Force Base 131.10.0.0 Barksdale Air Force Base
RANGE 55
Module 03 Page 333

Scanning Networks
55.* - Army National Guard Bureau 55.* - Army National Guard Bureau
131.17.0.0 Sheppard A ir Force Base

131.17.0.0 Sheppard Air Force Base 131.21.0.0 Hahn Air Base 31.32.0.0 37 Communications Squadron 131.35.0.0 Fairchild Air Force Base 131.36.0.0 Yokota Air Base 131.37.0.0 Elmendorf Air Force Base 131.38.0.0 Hickam Air Force Base 131.39.0.0 354CS/SCSN
RANGE 62
62.0.0.1 - 62.30.255.255 Do not scan!
RANGE 64
64.70.*.* Do not scan 64.224.* Do not Scan 64.225.* Do not scan 64.226.* Do not scan
RANGE 128
128.37.0.0 Army Yuma Proving Ground 128.38.0.0 Naval Surface Warfare Center 128.43.0.0 Defence Research EstablishmentOttawa 128.47.0.0 Army Communications Electronics Command 128.49.0.0 Naval Ocean Systems Center 128.50.0.0 Department of Defense 128.51.0.0 Department of Defense 128.56.0.0 U.S. Naval Academy 128.60.0.0 Naval Research Laboratory 128.63.0.0 Army Ballistics Research Laboratory 128.80.0.0 Army Communications Electronics Command 128.102.0.0 NASA Ames Research Center 128.149.0.0 NASA Headquarters 128.154.0.0 NASA Wallops Flight Facility 128.155.0.0 NASA Langley Research Center
RANGE 132
132.3.0.0 Williams Air Force Base 132.5.0.0 - 132.5.255.255 49th Fighter Wing 132.6.0.0 Ankara Air Station
132.7.0.0 - 132.7.255.255 SSG/SINO 132.9.0.0 28th Bomb Wing 132.10.0.0 319 Comm Sq 132.11.0.0 Hellenikon Air Base 132.12.0.0 Myrtle Beach Air Force Base 132.13.0.0 Bentwaters Royal Air Force Base 132.14.0.0 Air Force Concentrator Network 132.15.0.0 Kadena Air Base 132.16.0.0 Kunsan Air Base 132.17.0.0 Lindsey Air Station 132.18.0.0 McGuire Air Force Base 132.19.0.0 100CS (NET-MILDENHALL)
Module 03 Page 334

Scanning Networks
128.156.0.0 NASA Lewis Network Control Center 128.157.0.0 NASA Johnson Space Center 128.157.0.0 NASA Johnson Space Center 128.158.0.0 NASA Ames Research Center 128.159.0.0 NASA Ames Research Center 128.160.0.0 Naval Research Laboratory 128.161.0.0 NASA Ames Research Center 128.183.0.0 NASA Goddard Space Flight Center 128.202.0.0 50th Space Wing 128.216.0.0 MacDill Air Force Base 128.217.0.0 NASA Kennedy Space Center 128.236.0.0 U.S. Air Force Academy RANGE 129 129.23.0.0 Strategic Defense Initiative Organization 129.29.0.0 United States Military Academy 129.50.0.0 NASA Marshall Space Flight Center
132.20.0.0 35th C o m m u n ica tio n s Sq u a d ro n 132.21.0.0 Plattsburgh Air Force Base 132.21.0.0 Plattsburgh Air Force Base 132.22.0.0 23Communications Sq 132.24.0.0 Dover Air Force Base 132.25.0.0 786 CS/SCBM 132.27.0.0- 132.27.255.255 39CS/SCBBN 132.28.0.0 14TH COMMUNICATION SQUADRON 132.30.0.0 Lajes Air Force Base 132.31.0.0 Loring Air Force Base 132.33.0.0 60CS/SCSNM 132.34.0.0 Cannon Air Force Base 132.35.0.0 Altus Air Force Base 132.37.0.0 75 A BW 132.38.0.0 Goodfellow AFB 132.39.0.0 K.l. Sawyer Air Force Base
TABLE 3.3: Do Not Scan These IP Addresses Table
Module 03 Page 335

Scanning Networks
Port Scanning Countermeasures

Configure firewall and IDS rules to detect and block probes Use custom rule set to lock down the network and block unwanted ports at the firewall
C EH
(itifwd Ukujl lUck*
Hide sensitive information from public view
Filter all ICMP messages (i.e. inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and k routers
Ensure that mechanism used for routing and filtering at the routers
W /
and firewalls respectively cannot be bypassed using particular source ports or source-routing methods
Perform TCP and UDP scanning along with ICMP probes against your organizations IP address space to check the network configuration and its available ports
Ensure that the router, IDS, and firewall firmware are updated to their latest releases
Ensure that the anti scanning and anti spoofing rules are configured
Port Scanning C ounterm easures

As discussed previously, port scanning provides a lot of useful information such as IP addresses, host names, open ports, etc. to the attacker. Open ports especially provide an easy means for the attacker to break into the security. But there is nothing to worry about, as you can secure your system countermeasures: 9 The firewall should be good enough to detect probes an attacker sends to scan the network. So the firewall should carry out stateful inspection if it has a specific rule set. Some firewalls do a better job than others in detecting stealth scans. Many firewalls have specific options to detect SYN scans, while others completely ignore FIN scans. or network against port scanning by applying the following
Network intrusion detection systems should detect the OS detection method used by tools such as Nmap, etc. Snort (http://.snort.org) is an intrusion detection and prevention technology that can be of great help, mainly because signatures are frequently available from public authors. Only necessary ports should be kept open; the rest of the ports should be filtered as the intruder will try to enter through any open port. This can be accomplished with the custom rule set. Filter inbound ICMP message types and all outbound ICMP type 3 unreachable messages at border routers and firewalls.
Module 03 Page 336

Scanning Networks
Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques.
Test your own IP address space using TCP and UDP port scans as well as ICMP Probes to determine the network configuration and accessible ports.
If a commercial firewall is in use, then ensure that the firewall is patched with the latest updates, antispoofing rules have been correctly defined, and fastmode services are not used in Check Point Firewall-1 environments.
Module 03 Page 337

Scanning Networks
CEH Scanning M ethodology

So far we have discussed how to check for live systems and open ports, the two common network vulnerabilities. An IDS is the security mechanism intended to prevent an attacker from entering a secure network. But, even the IDS has some limitations in offering security. Attackers are trying to launch attacks by exploiting limitations of IDS.
fft
Scanning Beyond IDS
prepare Proxies
Banner Grabbing
This section highlights IDS evasion techniques and SYN/FIN scanning.
Module 03 Page 338

Scanning Networks
IDS E v a sio n T e c h n iq u e s
Use fragmented IP packets
CEH
Spoof your when launching attacks and sniff responses from server Use source routing (if possible) Connect to > or compromised trojaned machines to launch attacks
Q Q
Q1
IDS Evasion T echniques

Most of the IDS evasion techniques rely on the use fragmented probe packets that
_ _
reassemble once they reach the target host. IDS evasion can also occur with the use of spoofed fake hosts launching network scanning probes.
Use fragmented IP packets

Attackers use different fragmentation methods to evade the IDS. These attacks are similar to session splicing. W ith the help of fragroute, all the probe packets flowing from your host or network can be fragmented. It can also be done with the help of a port scanner with fragmentation feature such as Nmap. This is accomplished because most IDS sensors fail to process large volumes of fragmented packets, as this involves greater CPU consumption and memory at the network sensor level.
Use source routing (if possible)

Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. It is assumed that the source of the packet knows about the layout of the network and can specify the best path for the packet.
Module 03 Page 339

Scanning Networks
SYN/FIN Scanning Using IP Fragments

It is not a new scanning method but a modification of the earlier methods
CEH
The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend to do
&
Command Prompt
SYN/FIN (Small IP Fragments) + Port (n)
C:\>nmap -sS -T4 -A -f -v 192.168.168.5

Starting Nmap 6.01 ( h t t p :// n m a p .org ) at 2012-08-11 11:03 EDT Initiating SY N Stealth Scan at 11:03 Scanning 192.168.168.5 [1000 ports] Discovered open p o r t 139/tcp on 192.168.168.5 Discovered open p o r t 445/tcp on 192.168.168.5 Discovered open p o r t 135/tcp on 192.168.168.5 Discovered open p o r t 912/tcp on 192.168.168.5 C o mpleted SY N Stealth Scan at 11:03, 4.75s e l apsed (1000 total ports)
RST (if port Is closed)
Attacker
Target
S Y N /FIN S c a n n in g
SYN/FIN Scanning Using IP Fragm ents

SYN/FIN scanning using IP fragments is a modification of the earlier methods of scanning; the probe packets are further fragmented. This method came into existence to avoid the false positive from other scans, due to a packet filtering device present on the target machine. You have to split the TCP header into several packets instead of just sending a probe packet for avoiding the packet filters. Every TCP header should include the source and destination port for the first packet during any transmission: (8 octet, 64 bit), and the initialized flags in the next, which allow the remote host to reassemble the packet upon receipt through an Internet protocol module that recognizes the fragmented data packets with the help of field equivalent values of protocol, source, destination, and identification.
Fragmented Packets
The TCP header, after splitting into small fragments, is transmitted over the network. But, at times you may observe unpredictable results such as fragmentation of the data in the IP header after the reassembly of IP on the server side. Some hosts may not be capable of parsing and reassembling the fragmented packets, and thus may cause crashes, reboots, or even network device monitoring dumps.
Module 03 Page 340

Scanning Networks
Firewalls
Some firewalls may have rule sets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented due to the adverse effect on performance. Since several intrusions detection systems employ signature-based methods to indicate scanning attempts based on IP and/or the TCP headers, fragmentation is often able to evade this type of packet filtering and detection. There is a probability of network problems on the target network. SYN/FIN (Small IP Fragments) + Port (n) ....................................... < ........................................ RST (if port is closed) _
Attacker
FIGURE 3.43: SYN/FIN Scanning
Target
Nmap command prompts for SYN/FIN scan.
Command Prompt
C:\>Omap -sS -T4 -A -f -v :192 .168 .16:8 . !

Starting Nmap 6.01 ( http://nmap.org } at: 2D12-P8-11 11: 03 jSDT........ .......... Initiating SYN Stealth Scan at 11:03 Scanning 192.168.168.5 [10 00 ports] Discovered open port 139/tcp on 192.168.168. Discovered open port 445/tcp on 192.168.168. Discovered open port 135/tcp. On 192.168.168. Discovered open port 912/tcp On 192.168.168. Completed SYN Stealth Scan at 11:03, 4.75s elapsed (1000 total ports)
FIGURE 3.44: Nmap showing SYN/FIN Scanning Result
Module 03 Page 341

Scanning Networks
| ' Check for

Live Systems
ft
y j
1 1
HUH 1 a c
Scanning Beyond IDS
k 1
-i
_____ Banner Grabbing
) ______
r - J
.
n _
M l ^ Scan for
Vulnerability
M Draw Network 1 /
Diagrams
-----Prepare! Proxies
Copyright by EG-Gouncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
:ir CEH Scanning M ethodology

So far we have discussed how to check for live systems, open ports, and scan beyond
IDS. All of these are the doorways for an attacker to break into a network. Another important tool of an attacker is banner grabbing, which we will discuss next.
1 9 1
Scanning Beyond IDS
Q f c i prepare Proxies
Banner Grabbing
This section highlights banner grabbing, the need to perform banner grabbing, various ways of banner grabbing, and the tools that help in banner grabbing.
Module 03 Page 342

Scanning Networks
B a n n e r G ra b b in g
J Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive.
A ctive Banner Grabbing

Specially crafted packets are sent to remote OS and the response is noted
Passive Banner Grabbing

Banner grabbing from error messages:
Error messages provide information such as type of server, type of OS, and SSL tool used by the target remote system
The responses are then compared with a database to determine the OS Response from different OSes varies due to differences in TCP/IP stack implementation
Sniffing the network traffic:

Capturing and analyzing packets from the target enables an attacker to determine OS used by the remote system e B an n e r grabbing from page extensions: Looking for an extension in the URL may assist in determining the application version Example: .aspx = > IIS server and Windows platform
BQ B
Why B ann er G rabbing?

Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities the system posses and the exploits that might work on a system to further carry out additional attacks
Banner Grabbing
Banner grabbing or OS fingerprinting is a method to determine the operating system running on a remote target system. Banner grabbing is important for hacking as it provides you with a greater probability of success in hacking. This is because most of the vulnerabilities are OS specific. Therefore, if you know the OS running on the target system, you can hack the system by exploiting the vulnerabilities specific to that operating system. Banner grabbing can be carried out in two ways: either by spotting the banner while trying to connect to a service such as FTP or downloading the binary file/bin/ls to check the architecture with which it was built. Banner grabbing is performed using the fingerprinting technique. A more advanced
fingerprinting technique depends on stack querying, which transfers the packets to the network host and evaluates packets based on the reply. The first stack querying method was designed considering the TCP mode of communication, in which the response of the connection requests is evaluated. The next method was known as ISN (Initial Sequence Number) analysis. This identifies the differences in the random number generators found in the TCP stack. A new method, using the ICMP protocol, is known as ICM P response analysis. It consists of sending the ICMP messages to the remote host and evaluating the reply. The latest ICMP messaging is
Module 03 Page 343

Scanning Networks
known as temporal response analysis. Like others, this method uses the TCP protocol. Temporal response analysis looks at the retransmission timeout (RTO) responses from a remote host. There are two types of banner grabbing techniques available; one is active and the other is passive.
Active Banner Grabbing

Active banner grabbing is based on the principle that an operating system's IP stack has a unique way of responding to specially crafted TCP packets. This arises because of different interpretations that vendors apply while implementing the TCP/IP stack on the particular OS. In active banner grabbing, a variety of malformed packets are sent to the remote host, and the responses are compared to a database. For instance, in Nmap, the OS fingerprint or banner grabbing is done through eight tests. The eight tests are named T l, T2, T3, T4, T5, T6, T7, and PU (port unreachable). Each of these tests is illustrated as follows, as described in www.packetwatch.net:
T l: In this test, a TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP
port.
T2: It involves sending a TCP packet with no flags enabled to an open TCP port. This type of
packet is known as a NULL packet.
T3: It involves sending a TCP packet with the URG, PSH, SYN, and FIN flags enabled to an open
TCP port.
T4: It involves sending a TCP packet with the ACK flag enabled to an open TCP port. T5: It involves sending a TCP packet with the SYN flag enabled to a closed TCP port. T6: It involves sending a TCP packet with the ACK flag enabled to a closed TCP port. T7: It involves sending a TCP packet with the URG, PSH, and FIN flags enabled to a closed TCP
port.
PU (Port Unreachable): It involves sending a UDP packet to a closed UDP port. The objective is
to extract an "IC M P port unreachable" message from the target machine. The last test that Nmap performs is named TSeq for TCP Sequencability test. This test tries to determine the sequence generation patterns of the TCP initial sequence numbers, also known as TCP ISN sampling, the IP identification numbers (also known as IPID sampling), and the TCP timestamp numbers. The test is performed by sending six TCP packets with the SYN flag enabled to an open TCP port. The objective is to find patterns in the initial sequence of numbers that the TCP
implementations choose while responding to a connection request. These can be categorized into many groups such as the traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or True "random" (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time-dependent" model where the ISN is incremented by a fixed amount for each time period.
Module 03 Page 344

Scanning Networks
Source: www.insecure.org, "M ost operating systems increment a system-wide IPI D value for each packet they send. Others, such as OpenBSD, use a random IPI D and some systems (like Linux) use an IPI D of 0 in many cases where the Don't Fragment bit is not set. Windows does not put the IPI D in network byte order, so it increments by 256 for each packet. Another number that can be sequenced for OS detection purposes is the TCP timestamp option values. Some systems do not support the feature; others increment the value at frequencies of 2HZ, 100HZ, or 1000HZ and still others return 0.
P assive Banner Grabbing

Source: http://honeynet.org Like active banner grabbing, passive banner grabbing is also based on the differential implementation of the stack and the various ways an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study for telltale signs that can reveal an OS. The four areas that are typically noted to determine the operating system are:
9 9 9 9
TTL - W hat the operating system sets the Time To Live on the outbound packet W indow Size - hat the operating system sets the W indow size DF - Does the operating system set the Don't Fragment bit OS - Does the operating system set the Type of Service, and if so, at what
Passive fingerprinting has to be neither fully accurate nor be limited to these four signatures. However, by looking at several signatures and combining information, accuracy can be improved. The following is the analysis of a sniffed packet dissected by Lance Spitzner in his paper on passive fingerprinting (http://www.honeynet.org/papers/finger/). 04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 TCP TTL:45 TOS:OxO ID:56257 ***F **A * Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78 Based on the four criteria, the following are identified:
9 9
TTL: 45 W indow Size: 0x7D78 (or 32120 in decimal) DF: The Don't Fragment bit is set TOS: 0x0
9
9
Database Signatures
This information is then compared to a database of signatures. Considering the TTL used by the remote host, it is determined from the sniffer trace that the TTL is set at 45. This indicates that it went through 19 hops to get to the target, so the original TTL must have been set at 64.
Module 03 Page 345 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil

Scanning Networks
Based on this TTL, it appears that the packet was sent from a Linux or FreeBSD box (however, more system signatures need to be added to the database). This TTL is confirmed by doing a traceroute to the remote host. If the trace needs to be done stealthily, the traceroute time-tolive (default 30 hops) can be set to be one or two hops less than the remote host (-m option). Setting traceroute in this manner reveals the path information (including the upstream provider) without actually touching the remote host.
Window Sizes
The next step is to compare window sizes. The window size is another effective tool that determines specifically what window size is used and how often the size is changed. In the previous signature, it is set at 0x7D78, a default window size is commonly used by Linux. In addition, FreeBSD and Solaris tend to maintain the same window size throughout a session. However, Cisco routers and Microsoft Windows/NT window sizes are constantly changing. The window size is more accurate if measured after the initial three-way handshake (due to TCP slow start).
Session Based
Most systems use the DF bit set, so this is of limited value. However, this does make it easier to identify the few systems that do not use the DF flag (such as SCO or OpenBSD). TOS is also of limited value, since it seems to be more session-based than operating-system-based. In other words, it is not so much the operating system that determines the TOS, but the protocol used. Therefore, based on this information, specifically TTL and window size, one can compare the results to the database of signatures and, with a degree of confidence, determine the OS (in this case, Linux kernel 2.2.x). Just as with active fingerprinting, passive fingerprinting has some limitations. First, applications that build their own packets (such as Nmap, hunt, nemesis, etc.) will not use the same signatures as the operating system. Second, it is relatively simple for a remote host to adjust the TTL, window size, DF, or TOS setting on packets. Passive fingerprinting can be used for several other purposes. Crackers can use "stealthy" fingerprinting. For example, to determine the operating system of a potential target, such as a web server, one need only request a web page from the server, and then analyze the sniffer traces. This bypasses the need for using an active tool that various IDS systems can detect. Also, passive fingerprinting may be used to identify remote proxy firewalls. Since proxy firewalls rebuild connections for clients, it may be possible to ID proxy firewalls based on the signatures that have been discussed. Organizations can use passive fingerprinting to identify rogue systems on their network. These would be systems that are not authorized on the network.
Why Banner Grabbing?

Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on a system to further carry out additional attacks.
Module 03 Page 346

Scanning Networks
B a n n e r G r a b b in g T ools
-J ID Serve is used to identify the make, model, and version of any web site^ server software
J
It is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site
ID Serve
BSwve

a
Netcraft
y
II I
r\r0
| 011e1y |
Iniemet Server Ideniiftcahon Utility vl 02
P e r s o n a lS e c u r i t yFreewarebySteveGibt e n C o p y u g Nf c l yft t w nR e t a c i 1Cap&03

0 A /b*p 5
a copy /pit
lr * t URL w IP M fctoft !| *vjfr< l wm mctotdl tan(
1 |certmedl1ncBr com ~| / I ^ 7 ~ 7 . Whtrv rtlrl*tniURl 0 IPKh b ** 1 >p0'l*d bov AW1 > w a < r v w *t j pM M lbd| 0 A to n M ll< lja y^tW VNMl(r^
( 3 ; ILasi-Wcamed Aed I i. J8n < 1 0 1 1 (/ MDb UMI oorta jETaa 37StSt' 80:ct11 1?dC53" [Seivef McfDsorms/bO I !:.Pnvô 1-fly A S P M F jl
* yy p o w x !
&
$ 2 0 1 0 1 0S w v *6r * 9
h ttp ://w w w . grc. com
h ttp ://to o lb a r. n etcra ft. com Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
B anner G rab b in g Tools

Banner grabbing can be done even with the help of tools. Many tools are available in the market. These tools make banner grabbing an easy task. The following are examples of banner grabbing tools: \ j
ID Serve
Source: http://www.grc.com
ID Serve is used to identify the make, model, and version of any website's server software; it is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
Module 03 Page 347

Scanning Networks
ID S *
I I | ^ P [, y P
I- q - F B U:4J
Internet Server Identification utility v l 02 Personal Security Freeware by Steve Gibson CopyrigN Ic) 2003 by Gfcson Research Cap
Background
Se!vrOue1 y
O&A/Help
Enter a copy / paste pa-.te an Interne! terver rerver URL a g IP adiesi addess here (exam ple W W WmaosoW mcrotollcom) com )
r tifm d h n c k e r co m ^ Irn |ceftil 1Bdhncker cow
m m
|
When an Inlem er URL or IP has been provided above press the button to nbate a query 0 1 the specfod server
(2
Query The Server
ft
Server query processng
Last-Moditied Wed. 12 Jan 2U11U b Accept-Ranges none ETaa Q 76b5t18b2cb1 17d05r

Server M1aosotH IS /6 0 X-Poweted-By A S P N E T
U b tiM I
The server rdenbhedlsel as
C 0 ( V
(j0 10ID Serve web page
FIGURE 3.45: ID Serve Screenshot
Netcraft
Source: http://toolbar.netcraft.com Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site.
ETC R A FT
Site re p o rt for certifledhacker.com
Netcraft Toolbar
j H om o SH o h t t p / c c r tA < jh jd .e o m L as t ro b o o t 1 d a y 990 E 2 ) U p tim o
g r4 p f>
Domain
IP w M m k i C o u n try D M fln t see a 2 0 2 7 5 .5 4 .1 0 1 D Mr
com
Notbkx k Sit r a n k
N n M K rv r O N S e d m ln
im VAW i>L Hosting

270S0I ncO .rtoyo ar1yfooc.com d n n 9 n 0 Y a rty f M com
Download Now! Itepwt dPhtsh

Top Rtportwc
PNMHtCauntMt
Pinshiest nusleis
M od Popular W*Dc<to
00c*m fcK 2 0 0 2
lO W M 'S
Domain
O rg itk a tio
dxoMS.com 1 #ftA *flhd com. certrtetiTiacfcer.com.

c e t t W h j c V r com.
Reverse
DNS N m i ( 1v 1 r o r g a n is a tio n
ns 1 .noyear1yfees.com
S u c c t t t !d o * IT S ervices, O a m a n sa ra Java. R etakng Jaya. S e lan go r. 4 7 4 0 0 .
Tell a f nena
92345. united States T o o lb a r Support . FAQ * Glossary Contact Us a Report Bug T u to ria ls Installing Tooioar using me Toolbar Getting Most Reporting a Pkish A b ou t N e tc r a ft MocrsHom# About Nttcrafl Check another site: H ostin g H isto ry Net block O wner IM V M S DC Hostmg TM VADS DC Hostmg TM VADS DC Hosting TM VADS OC Hostmo TM VADS DC Hosting I P Address OS
Malaysia
W eb Server Microsoftn s/eo Microsoft IIS/6.0 Microsoft IIS/6.0 Microsoft 115/6.0 Microsoftns/fl.o
Last changed
202.7$.4.101 wtnoows server 2003 202.75.54.101 Windows Server 2003 202.75.54.101 Windows Server 2003 202.75.54.101 Window* Server 2003 ?07.7S.S4.101 Windows Server
1 /-Ju>~2012
9 )on 2012 9-M*v-2012 O-Apr-2012 10-Feb 2012
FIGURE 3.46: Netcraft Screenshot
Module 03 Page 348
Ethical Hacking and Countermeasures Copyright by
EC-C0l1nCll

Scanning Networks
B a n n e r G r a b b in g T ools
(Contd)
1. # nc - w www.juggyboy.com 80 -press[Enter] 2 . GET / HTTP/1.0 -Press [Enter] twice
f * rE t f * V i m m
CEH
r o o te b t:- # rc -v* w w v .jioayboy.eoa DNS fw d/rei/ mismatch www.jugcydoy.toa
This utility reads and writes data across network connections, using the TCP/IP protocol
.iww. ju g g y b o y c o a 1295 . 1 7 8 .1 5 2 . 2 6 : 30
GET / MTTP/1.9
HTTP/1.1 296 OK Connection: elose Date: Mon, 13 Aug 2912 12:14:10 GMT content-Length: 210 | Content-Type: t e x t / r f p l ^ I *r C o n t e n U c a t # r n : h t t p : 7/16.4 . 26. / b f a u ItIh t n LastM od itied : Wed. 19 Apr 2366 22:09:12 GMT AcceotRanges: none ETaa: 9 b46bc3fd53c61:7a49 S e rv e r : M ic r o s o ft - IIS / 6 .0 M lrr 0 ( 0 ft O f f ic * W * b (* r v t r ! 5.8 Pub X Powered-By: ASP.MET
Server identified as Microsoft-1 IS/6.0
tra c k
http://netcat.sourceforge.net L
1. telnet www.certifiedhacker.com 80 -press[Enter]
Telnet
This technique probes HTTP servers to determine the Server field in the HTTP response header
2 .GET / HTTP/1.0 -Press [Enter] twice

C . \ W in d o w A iy 5 t e m 3 2 \ c m d .c x e
n t- U n g th :
HT TP /
21H
1 . 1 J
Forbi dde
: H i P M c n f t - l I S / h . M
Server identified as Microsoft-1 IS/6.0
ChtmlXheadXtit le>Error<StitleX/ headXbodyXheadXtitle>Diecto 1*v Listing D od</t it lo ></)tead> <hndyXhl )Directory Listing Den 1ed</ hl >This UlrtUftl Director
oc3 not allow contents to be listed. < / body> < /'body> < /y htnl>
B anner G rabbing Tools (C ontd)

L* Netcat
Source: http://netcat.sourceforge.net
Netcat is a networking utility that reads and writes data across network connections, with the help of the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. It provides access to the following key features: Outbound and inbound connections, TCP or UDP, to or from any ports. Featured tunneling mode, which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface), and the remote host allowed to connect to the tunnel. Built-in port-scanning capabilities, with randomizer. hexdump (to stderr or to a specified file) of transmitted and received data. Optional RFC854 telnet codes parser and responder. You can use the Netcat tool for grabbing the banner of a website by following this process. Here, the banner grabbing is done on the www.Juggyboy.com web server for gathering the server fields such as server type, version, etc.
Advanced usage options, such as buffered send-mode (one line every N seconds) and
Module 03 Page 349
EC-COUIICil

Scanning Networks
# nc -vv www.juggyboy.com 80 - press[Enter] e GET / HTTP/1.0 - Press [Enter] twice
From the screenshot, you can observe the area highlighted in red color is a server version (Microsoft-IIS/6.0).
f ile Edit y tew Jferminal Help
r o o t @ b t : - # n c - v v w w w . ju g g y b o y .c o m 80 DNS f w d / r e v m is m a t c h : w w w . ju g g y b o y .c o m ! * w 2 k 3 -w e b 2 6 . p r o d . n e t s o l h o s t . c o n w w w . ju g g y b o y .c o m [ 2 0 5 . 1 7 8 . 1 5 2 . 2 6 ] 80 (w w w ) o p e n GET / H T T P /1 .0 H T T P / 1 . 1 200 OK C o n n e c tio n : c lo s e D a t e : M o n , 13 A ug 2012 C o n t e n t - L e n g t h : 2165 M
1 2 : 1 4 : 1G GMT
C o n te n t- T vp e : t e x t / C o n t e n t ^ f f o c a t i t i n : h t t p : / / 1 0 . 4 9 . 3 9 . 26 / d e f a u l t .h t n i L a s t - M o d i f i e d : W e d , 19 A p r 2006 2 2 : 0 9 : 1 2 GMT A c ce p t R a n g e s: none E T a q : G b 4 6 b e 3 f d 6 3 c 6 1 : 7 3 4 9 S e r v e r : M ic r o s o f t - IIS / 6 .0 M i c r o s o f t O f f i c e W e b S e r v e r : 5 . 0 Pub X * P o w e re d - B y : A S P .N E T
Is
ft* 1^ ^
Ix
FIGURE 3.47: Netcat showing Banner Grabbing Result
Telnet
This technique probes HTTP servers to determine the Server field in the HTTP response header. For instance, if you want to enumerate a host running http (tcp 80), then you have to follow this procedure: First, open the command prompt window. Go to Start >Run, type cmd, and press Enter or click OK. In the command prompt window, request telnet to connect to a host on a specific port: C:\telnet www.certifiedhacker.com 80 and press Enter. Next, you will get a blank screen where you have to type GET / HTTP/1.0 and press Enter twice. In the final step, the http server responses with the server version, say Microsoft-IIS/6.0. From the screenshot you can see the area highlighted in red color is the server version details.
C:\Windows\system32\cmd.exe HTTP/1.1 403 Forbidden Content-Length: 218

C o n t e n t T u r iR : tu x t/ h tm l
Server: Microsoft-IIS/6.0 X-Pouered-By: ftSP.NET Date: Sat, 11 flug 2012 09:57:07 GMT uonneccion: cxose <htmlXheadXtitle>Error</'titleX/beadXbodyXbeadXtitle>Directory Listing D ed</t it le X/bead> <bodyXhl>Directory Listing Denied</hl>This Uirtual Director oes not allou contents to be listed.</body></bodyX/htnl> Connection to host lost.
FIGURE 3.48: Command Prompt showing http server responses with the server version
Module 03 Page 350
EC-C0UnCil

Scanning Networks
B an n er G rab b in g C o u n te rm e a su re s: D isab lin g or C h an g in g B an n er

Display false banners to misguide the attackers
C EH
Turn off 0 1 unnecessary services on the network host to limit the information tion disclosure disclos
IIS users can use these tools to disable or change banner information
~ IIS Lockdown Tool (http://microsoft.com) ~ ServerMask (http://www.port80software.com)
Apache 2.x with mod_headers module - use a directive in httpd. conf file to change banner information Header set Server "New Server Name"
iture Alternatively, change the ServerSignature line to ServerSignature Off in httpd.conf file
B anner G rab b in g C o u n term easu res: D isabling or ----- C hanging B anners

Attackers use banner grabbing techniques and find out sensitive information such as device types, operating systems, application version, etc. used by the victim. With the help of the gathered information, the attacker exploits the vulnerabilities that are not updated with the security patches and launches the attacks. So, to protect your system against banner grabbing attacks, a few countermeasures can be adopted and they are listed as follows:
Disabling or Changing Banner

9 9 9 Display false banners to misguide attackers Turn off unnecessary services on the network host to limit information disclosure IIS users can use these tools to disable or change banner information: S S
9
IIS Lockdown Tool (http://microsoft.com) ServerMask (http://www.port80software.com)
Apache 2.x with mod_headers module - use a directive in httpd. conf file to change banner information Header set Server "New Server Name"
Alternatively, change the ServerSignature line to ServerSignature Off in the

httpd.conf file
Module 03 Page 351
EC-COlMCil

Scanning Networks
Hiding File Extensions from Web Pages
C EH
File extensions reveal information about the
g ig
file extensions
underlying server technology that an attacker can utilize to launch attacks
IIS users use tools such as PageXchanger to manage the
Hide file extensions to mask the web technology
Apache users can use mod_negotiation directives
Change application mappings such as .asp with .htm or .foo, etc. to disguise the identity of the servers
It is even better if the file extensions are not at all used

H iding File Extensions from Web P ages

File extensions extensions is a good provide information about the underlying server technology; attackers can use this information to search vulnerabilities and launch attacks. Hiding file practice to mask technology-generating dynamic pages. Change application mappings such as .asp with .htm or .foo, etc. to disguise the identity of the servers. Apache users can use mod_negotiation directives. IIS users use tools such as PageXchanger to manage the file extensions. Doing without file extensions altogether is an even better idea.
Module 03 Page 352
EC-COUIICil

Scanning Networks

So far, we have discussed how to check for live systems, open ports, scan beyond IDS, and the use of banner grabbing. All these concepts help an attacker or security administrator to find the loopholes that may allow an attacker into their network. Now we will discuss vulnerability scanning, a more detailed tests to determine vulnerabilities in a network, and its resources.
a;
ft
f^
Scanning Beyond IDS
Jfe J
Prepare Proxies
Banner Grabbing
This section describes vulnerability scanning and various vulnerability scanning tools.
Module 03 Page 353 Ethical Hacking and Countermeasures Copyright by EC-COlMCil

Scanning Networks
V u ln e r a b ility S c a n n in g
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and netw< order to determine how a system can be exploited
1 w
Q
^
V ulnerability Scanning
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and
network in order to determine how a system can be exploited. Similar to other security tests such as open port scanning and sniffing, the vulnerability test also assists you in securing your network by determining the loopholes or vulnerabilities in your current security mechanism. This same concept can also be used by attackers in order to find the weak points of the target network. Once they find any weak points, they can exploit them and get in to the target network. Ethical hackers can use this concept to determine the security weaknesses of their target business and fix them before the bad guys find and exploit them. Vulnerability scanning can find the vulnerabilities in: Q 9 9 9 Network topology and OS vulnerabilities Open ports and running services Application and services configuration errors Application and services vulnerabilities
Module 03 Page 354
EC-COUIICil

Scanning Networks
Vulnerability Scanning Tool: N essu s

Nessus is the vulnerability and configuration assessment product
F e a tu re s
Agentless auditing Compliance checks Content audits Customized reporting High-speed vulnerability discovery In-depth assessments Mobile device audits Patch management integration Scan policy design and execution
t o -1 *w w 1xn M \Ma n n M |> vrtn j <M Iran MM Smo <*' N mil M T T P
Sa a ssa
,
a a >a ,a
ww * d(THwJ( mtwimi own W tw *n 1 1SM BH ag itT ! totu C a n m 4Aa*H th W tokxnfaipM y
/)ttp ://w w w . ten able, com

V ulnerability Scanning Tool: N essus

Source: http://www.tenable.com Nessus is a vulnerability scanner a program that searches for bugs in software. This tool allows a person to discover a specific way to violate the security of a software product. The vulnerability, in various levels of detail, is then disclosed to the user of the tool. The various steps this tool follows are: e e e 0 0 Data gathering Host identification Port scan Plug-in selection Reporting of data
To obtain more accurate and detailed information from Windows-based hosts in a Windows domain, the user can create a domain group and account that have remote registry access privileges. After completing this task, he or she gets access not only to the registry key settings but also to the Service Pack patch levels, Internet Explorer vulnerabilities, and services running on the host.
Module 03 Page 355

Scanning Networks
It is a client-server application. The Nessus server runs on a UNIX system, keeps track of all the different vulnerability tests, and performs the actual scan. It has its own user database and secures authentication methods, so that remote users using the Nessus client can log in, configure a vulnerability scan, and send it on its way. Nessus includes NASL (Nessus Attack Scripting Language), a language designed to write security tests. The various features of Nessus are: 9 Each security test is written as a separate plug-in. This way, the user can easily add tests without having to read the code of the Nessus engine. Q It performs smart service recognition. It assumes that the target hosts will respect the IANA assigned port numbers. 9 The Nessus Security Scanner is made up of two parts: A server, which performs the attack, and a client, which is the front end. The server and the client can be run on different systems. That is, the user can audit his whole network from his personal computer, whereas the server performs its attacks from the main frame, which may be located in a different area.
Q nessus Reports Reports M obile Scans Policies Users Configurator **1 | H* | | uful g
Scan LAN 1 !
Vvtrmntmy Su m m ary | H ortSunm yY
Rj/vwq L*ncfw d Aug
1 3 ,2 0 1 21 9 :0 7 * Add Flit* 9 Clear F H te c*
Filters NoFltea
FIGURE 3.49: Nessus Screenshot
EC-C0UnCil
Vulnerability Scanning Tool: GFI LanGuard

0
J inventory, change management, risk analysis, and proving compliance J Features: e Selectively creates custom vulnerability checks
jrnutootiiedAppc*... 0conptfen
UrtifW4
c EH
ItkKJl Nm Im
0
GFI LanGuard assists in asset
Hte
GPI LanGuard 2012 >
* -
D*Mo*d
Scm
ReTMdutr
M onitcr
Rtpcrtt
Configuritkn
Gme
, Oienee
# C cw txjen
M 3 r>
'AJryraMtm
Patch es
. 4
< F P o rt* rts
Soft*( Softa
w *
Harare
1 4
* E n rtto r t w r t
t j ixahoet w3N*EBOcc1 -
p Enore Network -1 computer<
JL *l v 0 e S C ^
---- - 1
Ow S im
_________________
0eonotten *
Identifies security vulnerabilities and takes remedial action Creates different types of scans and vulnerability tests Helps ensure third-party security applications offer optimum protection
nj-mtbtli
J 'l I ,-
Luntutn < U waU*.y
Lcn p u u e*r 0pe*x1mm*
9 Performs network device vulnerability checks
0,
http://www. gfi.com
- Copyright by fC-CNDCil. All Rights Reserved. Reproduction is Strictly Prohibited.
V ulnerability Scanning Tool: GFI L anG uard

Source: http://www.gfi.com
GFI LanGuard acts as a virtual security consultant. It offers patch management, vulnerability assessment, and network auditing services. It also assists you in asset inventory, change management, risk analysis, and proving compliance.
Features:
9 9 9 9 9 Selectively creates custom vulnerability checks Identifies security vulnerabilities and takes remedial action Creates different types of scans and vulnerability tests Helps ensure third party security applications offer optimum protection Performs network device vulnerability checks
Module 03 Page 357
1 1 11
AudriSlitu

Scanning Networks
E B
GFI LanGuard 2012
I J-P I *
Configuration Utilities
<
Group
Dashboard
S<an
Remediate
Activity Monitor
Reports
Uj
Discuss tvs versaon
Q .
Overview
IS
0Computers
rtHory
& ip '*Jnerabfees
Seanty Sensors
(J
Patches Port Software Hardware
Syitem Information
5* Entire Network * J locdhost: WIN-MSSELOC4C41 - 1 } local DomOT: WORKGROUP
Entire Network -1 computer

Vdnerabity Level
S SW IN H S S a C M M l
I0 computers
Most Vulnerable Computers WINMSSELCK4K41
Software Updates
Firewall Issues
Credent!! Setup
Service Packs and Up
# l0 . computers ....
Vulnerabilities 1 computers VuherabAty Trend Over Trie
UP
T o u t H *
Common Talks
O
Insta n progress Urwrstal ** progress Ocomputvtl) 0 computer{*) 0 C0mpar<)
Computer ViJnerabAty Ott&fcubon
Computers By Operating System
H nasusslL.
Addmoncomodera Custom scar
Not IrtStalM
D*ptoy*nrt Error!
1computes)
0 COmpuMrfS)
Hgr M *sn tow H A
icompuc
0 comput..
Ocomput. Ocomput.
S a a n rig a tiDeploy aocrt
O
1 Computers By Operatr>g...| Computers By Network ... 1
1 Agent Status | Audt Status |
FIGURE 3.50: GFI LanGuard Screenshot
Module 03 Page 358
EC-C0UnCil

Scanning Networks
Vulnerability Scanning Tool: SAINT
Features:
Identify vulnerabilities on network devices Detect and fix possible weaknesses in the network security Prevent common system vulnerabilities a Demonstrate compliance with current government and industry regulations e Perform compliance audits with policies defined by FDCC, USGCB,
V ulnerability Scanning Tool: SAINT

Source: http://www.saintcorporation.com SAINT is an integrated network tools for security administrators. Using this tool, you can find security vulnerabilities across the network including devices, operating systems, desktop applications, web applications, databases, etc. in a non-intrusive manner. It also enables you to gather information such as operating system types and open ports, etc. It allows you to scan and exploit targets with an IPv4, IPv6, and/or URL address.
Features:
9 Detects and fixes possible weaknesses in your network's security Anticipates and prevents common system vulnerabilities Demonstrates compliance with current government and industry regulations such as PCI DSS, NERC, FISMA, SOX, GLBA, HIPAA, and COPPA
9
0
Performs compliance audits with policies defined by FDCC, USGCB, and DISA
Module 03 Page 359
EC-COUIICil

Scanning Networks
Iriium t> * * U rn AWT** nlU1IW KM Vulnerability By Count! r VnNfiMn
1 * & 0
* CrmcMi f n u t m t A / f i oi Conem * * * * *
H 0 *t * 10.7.0. IS d 10-7-Q-14 ^ 1Q.7.Q.2
Vulnerability Scanner
O p ( * * > kM M c% 1 M 1
r e a a
rz ri
S 4 1 4
4
2 1 1 4 1 4
4
a s
0
TOUI 4 1
17 14
* 4 * *
10.7. Q. 11 10-7-0-101 10-7.0.12 10.7.0. m 10.7.0.140
4 10 7.0 104
1 1 2 2 0 0 0 0 1
0 0 1
a 10.7.0.S
> 10.7.0.150 10,7.0
.m
4 * ^
10.7 o i a o 10-7.0.31 10.7.0.111 10.7.0.112 10.7.0.119 10.7.0.146
2 2 0 0 2 2 2 1 2
0 0
6 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0
1 S 2 2 2 2 2 2
I
1 1
0
J 10.7.0.7
I 1 1 1
_______
FIGURE 3.51: SAINT Screenshots
Module 03 Page 360
EC-C0UnCil

Scanning Networks
Network Vulnerability Scanners

Retina CS
- o http ://go.eeye.com
CEH
OpenVAS
h ttp ://w w w . open \/as. org
Core Impact Professional

h ttp ://w w w . coresecurity, com
gm
L Jp S rJ
Security Manager Plus

http://w w w .m anageengine.com
MBSA
h ttp ://w w w . m icrosoft. com
Nexpose
h ttp ://w w w . rapid7.com
111 i ]
Shadow Security Scanner

h ttp ://w w w . safety-lab.com
B E 3 F
Ml
QualysGuard
h ttp ://w w w .qualys.com
Nsauditor Network Security Auditor

h ttp :/ / ww vj . nsauditor. com
Security Auditor's Research Assistant (SARA)

http ://w w w -arc. com
N etw ork V ulnerability S canners

Network vulnerability scanners are the tools that assist you in identifying the vulnerabilities in the target network or network resources. These scanners help you in vulnerability assessment and network auditing. Using these scanners, you can find vulnerabilities in networks, wired or wireless, operating systems, security configuration, server tuning, open ports, applications, etc. A few network vulnerability scanners and their home sites are mentioned as follows, using which you can perform network scanning: 9 9 Q Q 9 Q 9 e 9 9 Retina CS available at http://go.eeve.com Core Impact Professional available at http://www.coresecurity.com MBSA available at http://www.microsoft.com Shadow Security Scanner available at http://www.safetv-lab.com Nsauditor Network Security Auditor available at http://www.nsauditor.com OpenVAS available at http://www.openvas.org Security Manager Plus available at http://www.manageengine.com Nexpose available at http://www.rapid7.com QualysGuard available at http://www.qualys.com Security Auditor's Research Assistant (SARA) available at http://www-arc.com
Module 03 Page 361
EC-COUIICil

Scanning Networks

So far, we discussed various scanning concepts such as sources to be scanned, tools that can be used for scanning, and vulnerability scanning. Now we will discuss the network diagram, an important diagram that enables you to analyze the complete network topology.
1 9 1
J*
Scanning Beyond IDS
3 0
r-^r-n
Prepare Proxies
Banner Grabbing
This section highlights the importance of the network diagram, how to draw the network diagram or maps, how attackers can use these launching attacks, and the tools that can be used to draw network maps.
Module 03 Page 362 Ethical Hacking and Countermeasures Copyright by
EC-COUIICil

Scanning Networks
Drawing Network D iagram s

J architecture to an attacker J Network diagram shows logical or physical path to a potential target
(rtifwtf
CEH
ilk 4 1 > Hhw
Drawing target's network diagram gives valuable information about the netw ork and its
Intranet
DMZ
Intranet
D raw ing N etw ork D iagram s

The mapping of networks into diagrams helps you to identify the topology or the architecture of the target network. The network diagram also helps you to trace out the path to the target host in the network. It also allows you to understand the position of firewalls, routers, and other access control devices. Based on the network diagram, the attacker can analyze the target network's topology and security mechanisms. It helps an attacker to see the firewalls, IDSs, and other security mechanisms of the target network. Once the attacker has this information, he or she can try to figure out the vulnerabilities or weak points of those security mechanisms. Then the attacker can find his or her way into the target network by exploiting those security weaknesses. The network diagram also helps network administrators manage their networks. Attackers use network discovery or mapping tools to draw network diagrams of target networks. The following figure depicts an example of a network diagram:
Module 03 Page 363
EC-COUIICil

Scanning Networks
In tra n e t
DM Z
In tra n e t
FIGURE 3.52: Network Diagram
Module 03 Page 364
EC-C0UnCil

Scanning Networks
Network D iscovery Tool: LANsurveyor

that integrates OSI Layer 2 and Layer 3 topology data
CEH
LANsurveyor discovers a netw ork and produces a com prehensive netw ork diagram
Features
A uto-generate N e tw o rk Maps Export N e tw o rk M aps to Visio A u to -d e te ct Changes Inventory M anagem ent N e tw o rk Regulatory Compliance N e tw o rk Topology Database M u lti-le v e l N e tw o rk Discovery
aao
LANsu
LANsurveyor
h ttp :/ /w w w .so la rw in d s .c o m Copyright by EC-CtinCil. All Rights Reserved. Reproduction is Strictly Prohibited.
N etw ork D iscovery Tool: LANsurveyor

Source: http://www.solarwinds.com LANsurveyor allows you to automatically discover and create a network map of the target network. It is also able to display in-depth connections like OSI Layer 2 and Layer 3 topology data such as displaying switch to switch, switch to node, and switch to router connection. You can export the network map created into Microsoft Office Visio. It can also keep track of changes that occur in the network. It allows the user to perform inventory management of hardware and software assets.
Module 03 Page 365
EC-COUIICil

Scanning Networks
i;. File
l
SolarWinds LANsurveyor - [Map 1]

Edit y * Manage Monitor . Report Tools Window Help
.
a
B X
! 3
so la rw in d s
100V.
i~
BH & S I Network Segments (1)
SO
IP Addresses (5) Domain Names (5) Node Names (5) IP Routers J5L LANsurveyor Responder Nodes : H SNMP Nodes SNMP Switches/Hubs l - C SIP (VoIP) Nodes Layer 2 Nodes ^ Active Directory DCs 1 ft. Groups
DEMONSTRATK
LANsurveyor
For Help, press F1
FIGURE 3.53: LANsurveyor Screenshot
Module 03 Page 366
EC-C0UnCil
Network D iscovery Tool: OpManager

physical servers, virtual servers, domain controllers, and other IT infrastructure devices
C EH
O p M anag er is a netw ork monitoring softw are that offers advanced fault and perform ance m anagem ent functionality across critical IT resources such as routers, W A N links, switches, firewalls, VoIP call paths,
Fe a tu re s
O p M arag t?) J J J J J J J J -l -l Availability and Uptime Monitoring Network Traffic Analysis IP Address Management Switch Port Mapper Network Performance Reporting Network Configuration Management Exchange Server Monitoring Active Directory Monitoring Hyper-V Monitoring SQL Server Monitoring
1 'ol|RtN1nr Uipt&M'AjhUapm !!ur&irlctirdNudr T
qmnoo < 1nln 1iv UvoJ K ip u o gvm a pailtmwirv wrn iptonto m m ci fro n t ta> Nm scMin! wur co rw iM r/tw ftdi x tl* aavca
SAMPLE MAP
5;
!
9s, \ r.
*TY '
\ : 3 * / jf- .
http://www.manageengine.com Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
N etw ork D iscovery Tool: O pM anager

Source: http://www.manageengine.com OpManager is basically a network performance management and monitoring tool that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, virtual servers, domain controllers, and other IT infrastructure devices. This tool is helpful in discovering the specific network automatically. It can also present a live network diagram of your network. Here are some of the features of OpManager: e e 0 e 0 9 e Availability and uptime monitoring Network traffic analysis IP address management Switch port mapper Network performance reporting Network configuration management Exchange server monitoring
Module 03 Page 367

Scanning Networks
9 9 9
Active directory monitoring Hyper-V monitoring SQL Server monitoring
FIGURE 3.54: OpManager showing Sample Map
Module 03 Page 368
EC-C0UnCil

Scanning Networks
Network D iscovery Tool: NetworkView

Ntvw< kV1cw ;NctwcrkV10v*1[ Re id* V*- lisu letf Arvlw
CEH
NetworkView is a network discovery and management tool for Windows
a i i s is 1 1
t q. *. +
- I N Q D s i S B a
Discover TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and W M I
h ttp ://w w w .n e tw o rk v ie w .c o m
N etw ork D iscovery Tool: NetworkView

Source: http://www.networkview.com NetworkView is a network discovery and management tool for Windows.
Its key features include:

9 9 e 9 9 Discover TCP/IP nodes and routes using DNS, SNMP, Ports, NetBIOS, and W M I Get MAC addresses and NIC manufacturer names Monitor nodes and receive alerts Document with printed maps and reports Control and secure your network with the SN M P M IB browser, the W M I browser, and the port scanner
Module 03 Page 369
EC-COUIICil

Scanning Networks
NetworkView - [NetworkViewl]
f t
- =
F1 l
Edit
View
Lists
logs
Window
Help
bis 1 1 t <*<*+- ;sxgxeii g n t 4s 8 :&

ft N etw orkV iew l |
-an a
1 11 1 ) 1 0111 2
a
Q
a s s q 0
B
III *Mi l i t 1( * Mioh fM W
N otY * I Tfcy*
** |A .~ L m m|^ # 1
*1
HR
^Txiww(m < 1 0 0 4 )]
50 Nodes For Help, press FI
Monitoring is Off
[Last monitoring: Unknown
0Polls
0 Mails Sent
Modified
FIGURE 3.55: NetworkView Screenshot
Module 03 Page 370
EC-C0linCil

Scanning Networks
Network D iscovery Tool: The Dude
EH
N etw ork D iscovery Tool: The Dude

Source: http://www.mikrotik.com The Dude will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case any service has problems. A few features of the Dude include: Auto network discovery and layout Discovers any type or brand of device Device, link monitoring, and notifications
Allows you to draw your own maps and add custom devices Supports SNMP, ICMP, DNS, and TCP monitoring for devices that support it Direct access to remote control tools for device management Supports remote Dude server and local client
Module 03 Page 371
EC-COUIICil

Scanning Networks
admin@localhost -The Dude 4.0beta3
'
Sr>01
Qk o
'
WINMSSELCK4K41
fi
10006
10.0 0 2 f , WIN M SSELC M M lj
WINOOV1S8 WIN-LXQN3WA3R9M
WIN-O 3SMR5HL9C4
169254 189180 BS) Otenl ix 19.9ttpt/t< 191 bps Sv r 15ik i* ./ t i
FIGURE 3.56: The Dude Screenshots
Module 03 Page 372
EC-C0UnCil

Scanning Networks
Network D iscovery and M apping Tools

[_ j !i LAN State
r* * > h ttp ://w w w . 10-5trike.com
CEH
HP Network Node Manager i Software
h ttp ://w w w 8 .h p . com
FriendlyPinger
h ttp://w w w .kilievich.com
NetMapper
h ttp ://w w w .o pnet.com
(fT u le
j s i
Ipsonar
http://w w w .lu m eta.com
M
k M !
NetBrain Enterprise Suite

h ttp ://w w w .n etbrain tech .com
CartoReso
h ttp ://carto reso . campus, ecp.fr
11
Spiceworks-Network Mapper
h ttp ://w w w . spice w orks. com
Switch Center Enterprise

http://w w w .lan-secure.com
HR
NetCrunch
h ttp ://w w w .a d re m so ft. com
N etw ork D iscovery and M apping Tools

Network discovery and mapping tools allow you to view the map of your network. They help you detect rogue hardware and software violations. It notifies you whenever a particular host becomes active or goes down. Thus, you can also figure out the server outages or problems related to performance. This is the purpose of network discovery and mapping tools in terms of security. The same tools can be used by attackers to launch attacks on your network. Using these tools, the attacker draws the network diagram of the target network, analyzes the topology, find outs the vulnerabilities or weak points, and launches an attack by exploiting them. The attacker may use the following tools to create a map of the network: Q 9 Q Q 9 9 9 9 9 LANState available at http://www.10-strike.com FriendlyPinger avaialble at http://www.kilievich.com Ipsonar available at http://www.lumeta.com CartoReso available at http://cartoreso.campus.ecp.fr Switch Center Enterprise available at http://www.lan-secure.com HP Network Node Manager i Software available at http://www8.hp.com NetMapper available at http://www.opnet.com NetBrain Enterprise Suite available at http://www.netbraintech.com Spiceworks-Network Mapper available at http://www.spiceworks.com NetCrunch available at http://www.adremsoft.com
Module 03 Page 373
EC-COUIICil

Scanning Networks
fcjsk CEH Scanning M ethodology

^ So far, we have discussed various means of scanning and the sources to be scanned. Now we will discuss proxies and important mechanisms used by attackers to access the restricted sources and also to avoid their identity.
1 9 1
Scanning Beyond IDS
r-^r-n
; Prepare Proxies
Banner Grabbing
This section describes how to prepare proxies and how an attacker can use them to launch attacks.
Module 03 Page 374
EC-C0l1nCil

Scanning Networks
P ro x y S e r v e rs
A proxy is a network computer that can serve as an interm ediary for connecting with other computers
CEH
As an IP addresses multiplexer, a proxy allows the connection of a number of computers to the Internet while having only one IP address
Proxy servers can be used (to some extent) to anonymize web surfing
Proxy Servers
A proxy is a network computer that can serve as an intermediary for connecting with other computers. You can use a proxy server in many ways such as: 0 Asa firewall, a proxy protects the local network from the outside access 9 As an IP address multiplexer, a proxy allows a number of computers to connect to the Internet when you have only one IP address 9 To anonymize web surfing (to some extent) Q To filter out unwanted content, such as ads or "unsuitable" material (using specialized proxy servers) 9 To provide some protection against hacking attacks 9 To save bandwidth Let's see how a proxy server works. W hen you use a proxy to request a particular web page on an actual server, it first sends your request to the proxy server. The proxy server then sends your request to the actual server on
Module 03 Page 375

Scanning Networks
behalf of your request, i.e., it mediates between you and the actual server to send and respond to the request as shown in the following figure.
Attacker
Target Organization
FIGURE 3.57: Attacker using Proxy Server
In this process, the proxy receives the communication between the client and the destination application. In order to take advantage of a proxy server, client programs must be configured so they can send their requests to the proxy server instead of the final destination.
Module 03 Page 376
EC-C0UnCil
Why Attackers Use Proxy Servers?
CEH
(rtifWd ithiul lUckM
To mask the actual source o f th e a tta c k by im p e rs o n a tin g a fake source address o f th e proxy
To remotely access intranets and o th e r website resources th a t are n o rm a lly o ff lim its
To interrupt all the requests sent by an a tta cke r and tra n s m it th e m to a th ird d e s tin a tio n , hence v ic tim s w ill o n ly be able to id e n tify th e proxy server address I
A ttacke rs chain multiple proxy servers to avoid d e te c tio n
Why A ttackers Use Proxy Servers

For an attacker, it is easy to attack or hack a particular system than to conceal the attack source. So the main challenge for an attacker is to hide his identity so that no one can trace him or her. To conceal the identity, the attacker uses the proxy server. The main cause behind using a proxy is to avoid detection of attack evidence. With help of the proxy server, an attacker can mask his or her IP address so that he or she can hack the computer system without any fear of legal repercussion. When the attacker uses a proxy to connect to the destination, the proxy's source address will be recorded in the server logs instead of the actual source address of the attacker. In addition to this, the reasons for which attackers use proxy servers include: Q Attacker appears in a victim server's log files with a fake source address of the proxy rather than with the attacker's actual address 9 9 To remotely access intranets and other website resources that are normally off limits To interrupt all the requests sent by an attacker and transmit them to a third destination, hence victims will only be able to identify the proxy server address 9 To use multiple proxy servers for scanning and attacking, making it difficult for administrators to trace the real source of attack
Module 03 Page 377

Scanning Networks
U se o f P ro x ie s fo r A tta c k
Direct attack/ No proxies
CEH
! s * 5 Logged Proxy
Use of Proxies for Attack

Quite a number of proxies are intentionally open to easy access. Anonymous proxies hide the real IP address (and sometimes other information) from websites that the user visits. There are two types or anonymous proxies: One that can be used in the same way as the nonanonymous proxies and others that are web-based anonymizers. Let's see how many different ways that attackers can use proxies to commit attacks on the target.
Case 1: In the first case, the attacker performs attacks directly without using proxy. The attacker may be at risk to be traced out as the server logs may contain information about the IP
address of the source.
Direct attack/ No proxies
Target
FIGURE 3.58: Attacker Communicating with Target Directly (No Proxy)
Case 2: The attacker uses the proxy to fetch the target application. In this case, the server log
will show the IP address of the proxy instead of the attacker's IP address, thereby hiding his or
Module 03 Page 378
EC-COUIICil

Scanning Networks
her identity; thus, the attacker will be at minimum risk of being caught. This will give the attacker the chance to be anonymous on the Internet.
Attacker
Logged Proxy
Target
FIGURE 3.59: Attacker Communicating with Target through Proxy
Case 3: To become more anonymous on the Internet, the attacker may use the proxy chaining
technique to fetch the target application. If he or she uses proxy chaining, then it is highly difficult to trace out his or her IP address. Proxy chaining is a technique of using more numbers of proxies to fetch the target.
Attacker
FIGURE 3.60: Attacker using Proxy Chaining for the attack
Module 03 Page 379
EC-C0UnCil

Scanning Networks
P ro x y C h a in in g
M
.................... IP: 20.10.10.2 Port: 8012
Ha
M
.................... < IP: 20.10.15.4 Port: 8030
>
M
IP: 10.10.20.5 Port: 8023
User
Encrypted/unencrypted traffic
N
IP: 20.15.15.3 Port: 8054 IP: 15.20.15.2 Port: 8045
m
IP: 10.20.10.8 Port: 8028
Unencrypted traffic
1. User requests a resource from the destination 2. Proxy client at the user's system connects to a proxy server and passes the request to proxy server 3. The proxy server strips the user's identification information and passes the request to next proxy server 4. This process is repeated by all the proxy servers in the chain 5. At the end unencrypted request is passed to the web server
Proxy C haining
Proxy chaining helps you to become more anonymous on the Internet. Your anonymity on the Internet depends on the number of proxies used for fetching the target application. If you use a larger number of proxy servers, then you will become more anonymous on the Internet and vice versa. W hen the attacker first requests the proxy serverl, this proxy serverl in turn requests another proxy server2. The proxy serverl strips the user's identification information and passes the request to the next proxy server. This may again request another proxy server, server3, and so on, up to target server, where finally the request is sent. Thus, it forms the chain of the proxy server to reach the destination server as shown in the following figure:
m
IP: 20.10.10.2 Port: 8012 IP: 10.10.20.5 Port: 8023 IP: 20.10.15.4 Port: 8030
User
Encrypted/unencrypted traffic
................... . v IP: 20.15.15.3 Port: 8054
m
IP: 15.20.15.2 Port: 8045
................... V
M IP: 10.20.10.8 Port: 8028
............................... >
Unencrypted traffic
FIGURE 3.61: Proxy Chaining
Module 03 Page 380
EC-COUIICil

Scanning Networks
Proxy Tool: Proxy Workbench

Proxy Workbench is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram
U rtifW tf IthKJi lU c k M
CEH
Proxy Tool: Proxy W orkbench

Source: http://proxyworkbench.com Proxy Workbench is a proxy server that displays the data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram. The socket connection diagram is an animated graphical history of all of the events that took place on the socket connection. It is able to handle HTTPS (secure sockets) and POP3 natively.
Module 03 Page 381
EC-COUIICil

Scanning Networks
"Z. File View Tools Help
Proxy Workbench
0 5 -isU - 6
Montana :!avya [132 168 168 170) ^ SMTP Outgoing e-mad (25)
POP3 Incoming c nvjd (110)
m
Event So( 7 PageloH J ^ j 4 J ] W 491 bytes of iata has been chnft. 121449538
DetaJ! K * Deadl13183C 308)
Q HTTP Proxy Web (8080) 127.aa1 to 127.0.01 (locatost) fi P P P P P P P P P P P P P P P P P P P P P DeaJ 113:18:26-779)

Dead (11 1 8 2 5 7S2)
(127 0 01 20750)
Dead (111825 757) Dead (13:1825752)

Dead (13:1825.74$)
Dead (13:1825741) Dead (131825736) Dead (111825 711) Dead (131825 724)
Dead (131825717)
The connection request Jo the remote server has been successful

13: 14:49.817
locahost (127.00 1 80801
Dead (131825 684) Dead (131825 67$)

Dead (13:1825 671)
127001 fin
491 bytes of data has been

sent to the !emote *erver
locahost (127 0 0 1 80801
Dead (131825 662) Dead(131825 655) Dead (131825.647) Dead (131825641)

Dead(13:1825633)
B
(1270 01 20750) FVB has (**connected horn the remote ckent 131513209 the remote server has disconnected 1315:13208
Dead(131825625) Dead(111825620) Dead (111825.586) Dead (111825579) Dead (1118255741 P Dead (111825 566) P Dead (111825 558) P Dead (111825552) t l Dead 11118255431 Memay 8 KByte*
Real tnw data for Dead (13 18 30 308)

lU U U U J^ t i n t / ! J tt ji e ju ua ua i d ua
Socke
FIGURE 3.62: Proxy Workbench Screenshot
Module 03 Page 382
EC-C0UnCil

Scanning Networks
P ro x y Tool: P ro x ifie r
Prox-fie1 is a program that a ows r>etwork appicatons that do f> ot support working through proxy servers to operate through an HTTPS or SOCKS proxy or a chain of proxy servers
C|EH
m p j/w w wp r o a f r a o m
!B yK'CMAjV. M j arn: *s t2-d?rjSfit3y c*C
Proxy Tool: Proxifier

Source: http://www.proxifier.com Proxifier allows network applications that do not support working through proxy servers to operate through a SOCKS or HTTPS proxy and chains. It allows you to surf websites that are restricted or blocked by your government, organization, etc. by bypassing the firewalls rules.
Features:
e 9 Q You can access the Internet from a restricted network through a proxy server gateway It hides your IP address It can work through a chain of proxy servers using different protocols It allows you to bypass firewalls and any access control mechanisms
Module 03 Page 383
EC-COUIICil

Scanning Networks
Proxifier File Profile lo g ub View Help 1 &
1a
E l !1
1j
**
Application ^mstsc.EXE (5044) 64 cxplore.exe (4704) ie3plore.exe (5664) lsvchost.exe (376, System) 64 ^ svchcst.exe (376, System) 64 4$ !explore.exe (164)
Taiget 192.168.2.40:3389 www.l.google. com:80 [fe80::90bl:83b:c743:f49b]:80 IPv6 www.update.m crosoft.com lbl.www.ms.akadns.net443 www.microsoftcom:8080 Statistics
Tm e/ Status 01:25 01:14 Closed 01:12 00:44 00:42 Failed 00:21 Connecting
Rule: Proxy Default: proxy.example.net:1080 Proxy2: proxy.example.net:1080 Local: Test proxy chain Default: proxy.example.net:1080 Default: proxy.example.net:1080 HTTPS: proxy2.example.net:8080 Default: proxy.example.net:1080
Bytes Sent 2.75 KB 3.33 KB 958 172 131 KB
Bytes Received 4.06 KB 13.5 KB 376 262 754 KB
:8 0
www.update.microsoft.com:443
@txplore.ece (2776)
st Connections uA.Traff1t
0 0
0 0
[19.591 svchost o (37S. System) $4 -resolve y.-wupdaejniaraAconi DNS [19 59] r/chost exe (37S. System) *64 resolve w.vw update rm croso*t cot DNS [1959] svchost exe (37G. System} *84 www update microsoft com 442 matchmQ Defadt rde : usng proxy proxy.examptent:1080 [1959] svchost exe (376. System) *64 - www update microsoft c o t 44 open through proxy proxy example net 1080 [1959] svchost exe (375. System) *64 download.w1ndow3update.com 80 dose. 5S1 sert. 1183 bytea (1-15 KB)received, bfebme 00 05 [19 59] svchost exe (376. System) *64 resolve download wmdowsLpdate com DNS [1959] svchost exe (376. System) *64 resolve download.wndowsupdate.com : DNS [19 59] svchost exe (375. System) *64 download windowsupdate com 80 matchrtg DefaJt aie usng proxy proxy example net 1080 [1959] svchost exe (376. System) *64 dowrload.wnndowsupdate .com 80 open through proxy proxy example net 1080 [20 00] svchost exe (375. System) *64 download.w1ndowsupdate.com 80 dose. 175 bytes aert. 256 bytes recerved. tfebme 00:04 [20 00] explore exe (164) - lb 1 www ms akadns net 443 matching HTTPS rule using proxy proxy2 example net 8080 [2000: expkxeexe (2776) www nxrosoft com :8080 matchna Default aie ue>g proxy proxy example net 1080 120 00] explore exe (4704) www I aooale com 80 dose.1560 bvtes (1 52 KB) sert 13451 bytes (13 1 KB) received Ifetme00 59 [20 00] !explore exe (5664) - www I cooole com SO dose. 1456 byte (1 42 KB) ter( 26617 bytes (25.9 KB) received Ketime 01 11 [20 00] explore exe (5664) vyyvw J,Q0QQle.cQm-gO dose. 3530 bvtes (3 44 KB) sert 722 bytes received fcfeUneOI 11 [20 00] explore exe (4704) www I cooole com 80 dote. 3413 bytes (3 33KB)set 13881 bytes (13.5 KB) received Hettne 01 14 ]20 00; ewlore exe :1641 b 1 www ns akadns net 443 error Codd not conned ttwoutfi proxy prexy2 example net 8090 Readno proxy replay on a connedwn reouest faled wth e or 10054 [2000] svchost exe (376. System) *64 www update microgoft com 8C dose. 172 bytes sent. 262 bvtes received, tfetme 01:01 Ready 7 active connections Down 0 6/sec Up 0 B/sec
System DNS
FIGURE 3.63: Proxifier Screenshot
Module 03 Page 384
EC-C0UnCil

Scanning Networks
Proxy Tool: Proxy Sw itcher

Proxy Switcher hides your IP address from the websites you visit
C EH
File
Edit
Actions
View
Help
p l
State (Anonymous) Respo- _ * 603ms | Crxrtry | FRANCE
PKwy Scanner ^ New(0) High Anonymous (19) j.... SSL (26) Bite (30) Dead (7220) Basic Anonymity (212) -E" Private (53) Dangerous (148) My Proxy Servers (0)
91.121.21.164:3128
ns1homenux.ccm:3l28 hherphpo.hchdtmc.edu:80 170.57.24.100:80 81 180 75142 8080 66-162-61-85stabc:tvrteJe $ 194 160 765:80 arr,3c 3 mnedu sk 80 g 147.46.7.54:8088 ,J f 159226 3 227:80 121 52148 30 8080 208-74-174-142sayfanet 31
- 01 10ATC i n . , ______
Server
ProxySwltcherfO)
(Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous)
/_________ x
1092ms 1612ns 1653ms 1882ms 2200ns 2319ms 2324ms 2543ns 2641ms 268ins 269am
n - .
(FRANCE UNITED STATES UNITED STATES | REPUBLIC OF MOLDOVA UNITED STATES M i SLOVAKIA SLOVAKIA > : REPUBLIC OF KOREA { j CHINA B PAKISTAN UNITED STATES
DCDIIQI IT < > C MAI fV> \/A
I * ^ |
K w p A K v e IfA g oS w c h
98 181 57.227:9090 tested as [Eke-Anonymous] cocreo diresacallao 90b pe: 80 tested as [Dead] smtp spectrum networks net :80 tested as ((Bite-SSL)J f-kasklab50a.eti.pg gda pi :80 tested as [Eie-Anonymous] cofreo disacallao gob pe:80 tested as [(Qite-SSL)] Hiah Anonvmous/SSL 0/6
Q KKw w .proxysw itcher.com

*
Proxy Tool: Proxy Switcher

Source: http://www.proxyswitcher.com Proxy Switcher allows you to surf anonymously on the Internet without disclosing your IP address. It also helps you to access various sites that have been blocked in the organization. It avoids all sorts of limitations imposed by sites.
Features:
9 Q It hides your IP address It allows you to access restricted sites It has full support of password-protected servers
Module 03 Page 385
EC-COUIICil

Scanning Networks
S * Proxy Switcher PRO ( Direct Connection ) File Edit Actions View Help
@ l # l
X I
d a a a i i > j* a j ii
91.121.21 164:3128 ,f ns1.homenux.com:3128 & ,f if ,f
State (Anonymous) B i )19 ( (Anonymous) hherphpo.hchd.tmc.edu:80 (Anonymous) 170.57.24.100:80 (Anonymous) 81.180.75.142:8080 (Anonymous) 66-162-61 -85.static tvvtele (Anonymous) 194.160.76.5:80 (/Vionymous) amac3.minedu sk:80 (Anonymous) 147.46.7.54:8088 (Anonymous) 159.226.3.227:80 (/Vionymous) 121.52 148 30:8080 (Anonymous) (Anonymous) 208-74-174-142.sayfa.net:31 .# 01 10n 7 C M o .* -----------\ /A
Server
^Proxy Scanner 5 New # ! )0( High Anonymous SSL )26( .. E ? Elite )30( | B Dead )7220( Basic Anonymity )212( j.. f Private )53( Dangerous )148( My Proxy Servers )0( ;.. ProxySwitcher )0(
S r
Respo... * Country 603ms 1 FRANCE 1092m s I I FRANCE UNITED STATES 1612ms * UNITED STATES 1653m s 1882ms I I REPUBLIC OF MOLDOVA * UNITED STATES 2200ms SLOVAKIA 2319ms SLOVAKIA 2324ms REPUBLIC OF KOREA 2543ms CHINA 2641ms 2683ms K 9 PAKISTAN UNITED STATES 2698ms DCPI ip i irn c uni nn\/4 -
>
Disabled ~]
Keep Alive
1 1 Auto Switch
O w1 w uv.proxysw vjtcher.com
98 181.57.227:9090tested as [Bite-Anonymous] correo diresacallao gob pe:80tested as [Dead] smtp spectrum-networks net:80 tested as [(Bite-SSL)] f-kaskJab50a eti pg gda.pl :80 tested as [Bite-Anonymous] correo disacallao gob pe:80tested as [(Bite-SSL)] High Anonvmous/SSL 0/6
FIGURE 3.64: Proxy Switcher PRO Screenshot
Module 03 Page 386
EC-C0UnCil

Scanning Networks
P ro x y Tool: S o c k s C h a in
J SocksChain transm its the TCP/IP applications through a chain of proxy servers
im ttiM
CEH
tUx*l lUckM
Ufasoft SocksChain
View Tools Help firefox To [64.4.11.42]:80 3 connections m m ^ m m 1 0 ! 0 To [65.55.57.27]:80 2 connections To [123.176.32.147]:80 13 connections To [64.4.11.301:80 2 connections To [123.176.32.1361:80 1 connections
LdfLJ
To [175.41.150.21:80 1 connections To [207.46.49.1331:80 1 connections To [64.4.21.391:80 1 connections
9 To [65.54.82.157]:80 2 connections chrom e Through SE05411D17AFD6752EE36392EE4E42CAFB8A45D09=shadowhouse. S626F206838B0EA12CFCA5CE91 3 To www.certifiedhacker.com(202.75.54.101]:80 6 connections S I To safebrowsing.google.com[74.125224.73!:443 1 connections To safebrowsing-cache.google.com[74.125.224.67J:443 !c o n n ectio n s 1 7 1 ^ iexplore 0 PING
III
V
< DANGEROUS.SOCKS PR0T0C0L=S0CKS5 ADDRESS=65.S4.82.157:80
I>
D V U C E K O n ? ?0 C K 8b B 0 i.0 C 0 r^ 0 C K 2 JV D D K E 2 ^ e 2 ? 8 5 m:8 0
S blUG
http://ufasoft.com
Copyright by EC-Csuncil. All Rights Reserved. Reproduction is Strictly Prohibited
Proxy Tool: SocksC hain

Source: http://ufasoft.com SocksChain is a program that allows you to work with any Internet service through a chain of SOCKS or HTTP proxies to hide the real IP address. It can function as a usual SOCKS-server that transmits queries through a chain of proxies. It can be used with client programs that do not support the SOCKS protocol, but work with one TCP-connection, such as TELNET, HTTP, IRC, etc. It hides your IP from being displayed in the server's log or mail headers.
Module 03 Page 387
EC-COUIICil

Scanning Networks
K
File
Ufasoft SocksChain
m
B
View
Tools
Help
firefox Through SE0S411017AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9I 9 To [64.4.11.42]:80 3 connections 9 To [65.55.57.27]:80 2 connections To [123.176.32.1471:80 13 connections To [64.4.11.301:80 2 connections _ To [123.176.32.136):80 1connections To [175^41.150-21:80 1 connections
mTo [207.46.49.1331:80 1connections

91 To [64.4.21.39]:80 1 connections ' *. To [65.54.82.1571:80 2 connections 0 0 B
chrome Through $E05411D17AFD6752EE36392EE442CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE91 38 To www.certrf1edhacker.com[202.75.54.101]:80 6 connections 9 1 To safebrowsmg.google.com(74.125.224.73]:443 1 connections

9 E To safebrows1ng-c*che.google.com[74.125224.67]:443 1 connections
!explore PING
< I
> I
DANGEROUS.SOCKS PROTOCOL SOCKS5 ADDRESS=65.54.82.157:80
FIGURE 3.65: Ufasoft SocksChain Screenshot
Module 03 Page 388
EC-C0UnCil

Scanning Networks
Proxy Tool: TOR (The Onion Routing)
C EH
Anon ym ity
P rivacy
Ensures the privacy of both sender and
Security
Provides multiple , layers of security f to a message
Vidalia Control Panel
communication over Internet
recipient of a message
n
Encryptio n
Encrypts and decrypts all data packets using public key encryption
.
T o r Proxy
The initiating onion
View the Network Use a New Idertty B , Bandwidth ! ^ph O H#ip 0 About
Proxy Chain
Uses cooperating V proxy routers J throughout the network
1 router, called a "Tor

I client" determines the path of transmission
Mcuogc Lug
3 Show ttii* winflow on ttirnn
SclU1g
Q cxt
https://www.torproject, org
Copyright by EG-Gouncil. All Rights Reserved. Reproduction is Strictly Prohibited.
Proxy Tool: TOR (The O nion Routing)

Source: https://www.torproject.org Tor is software and an open network that surveillance that threatens personal freedom helps you defend against a form ofnetwork and
and privacy, confidentialbusinessactivities
relationships, and state security known as traffic analysis. You can use Tor to prevent websites from tracking you on the Internet. You can also connect to news sites and instant messaging services when these sites are blocked by your network administrator. Tor makes it difficult to trace your Internet activity as it conceals a user's location or usage.
Features:
9
9 9
Provides anonymous communication over the Internet Ensures the privacy of both sender and recipient of a message Provides multiple layers of security to a message Encrypts and decrypts all data packets using public key encryption Uses cooperating proxy routers throughout the network The initiating onion router, called a "Tor client" determines the path of transmission
9 9 9
Module 03 Page 389
EC-COUIICil

Scanning Networks
Vidalia Control Panel 1~ 1

Status
4)1
Vidalia Shortcuts Stop Tor
Connected to the Tor network'
# #
Setup Relaying
View the Network
Use a New Identty
, Bandwidth Graph = ]Message Log
Help Settings
About fc^ Ex it
@ Show the wndow on startup
Hide
FIGURE 3.66: Vidalia Control Panel showing the Status
Module 03 Page 390
EC-C0UnCil

Scanning Networks
P ro x y T ools
Burp Suite
h ttp ://w w w .p ortsw ig g er.n e t
CEH
Proxy
h ttp://w w w .analogx.com
Proxy Commander
http ://w w w . dlao. com
Protoport Proxy Chain

h ttp ://w w w .p ro top ort.co m
Proxy Tool Windows App

h ttp ://w ebp ro xylist. com
Proxy+
h ttp ://w w w .p ro xyp lus.c 1
Gproxy
h ttp ://g p a ssl.co m
11
! ! 1
FastProxySwitch
http://affinity-tools.com
Fiddler
http ://w w w .fiddler2.com
ProxyFinder
h ttp ://w w w .p r oxy-tool. com
Proxy Tools
In addition to these proxy tools, there are many more proxy tools intended to allow users to surf the Internet anonymously. A few are listed as follows: 9 9 9 9 9 Q 9 Burp Suite available at http://www.portswigger.net Proxy Commander available at http://www.dlao.com Proxy Tool Windows App available at http://webproxylist.com Gproxy available at http://gpassl.com Fiddler available at http://www.fiddler2.com Proxy available at http://www.analogx.com Protoport Proxy Chain available at http://www.protoport.com
Q Proxy+ available at http://www.proxyplus.cz 9 9 FastProxySwitch available at http://affinity-tools.com ProxyFinder available at http://www.proxy-tool.com
Module 03 Page 391
EC-COUIICil

Scanning Networks
P ro x y T ools
(Contd)
ProxyFinder Enterprise
h ttp :/ /w w w .p ro x y -to o l. com
CEH
Socks Proxy Scanner
h tt p :/ / w w w . m ylan vie wer. com
ezProxy
Ml
h tt p :/ / w w w . ode. org
Mil
A
_
Charles
h ttp ://w w w .ch a rle sp ro xy.co m
JAP Anonymity and Privacy

h ttp ://a n o n . inf. tu-dresden.de/index_ e n.h tm l
UltraSurf
h ttp ://w w w .u ltra s u rf.u s
CC Proxy Server
h tt p :/ / w w w . youngzsoft.net
FoxyProxy Standard
http s://ad d on s.m o zilla.o rg
h
9 9 9 9 9 9 Q 9 Q 9
Proxy Tools (C ontd)

ProxyFinder Enterprise available at http://www.proxy-tool.com ezProxy available at http://www.oclc.org JAP Anonymity and Privacy available at http://anon.inf.tu-dresden.de/index en.html CC Proxy Server available at http://www.youngzsoft.net FoxyProxy Standard available at https://addons.mozilla.org Socks Proxy Scanner available at http://www.mylanviewer.com Charles available at http://www.charlesproxv.com UltraSurf available at http://www.ultrasurf.us WideCap available at http://widecap.ru ProxyCap available at http://www.proxycap.com
------ The list of proxy tools mentioned in the previous slide continues as follows:
Module 03 Page 392
EC-COUIICil

Scanning Networks
F r e e P ro x y S e r v e rs
A search in Google lists thousands of free proxy servers
(rtrfwtf
ClEH
IStkKJl lUckM
Google
Google
Free Proxy Servers
adoui 12.700.000 result? {0 20 seconds)
u a p s
vMk i
Proxy 4 Free - F re e Proxy S t r v t r t - protect Your Q n e Prrvacv aW1 wvtw proxy4tree ocmj Proxy 4 Free is a free proxy list and proxy checker c rowdtng you Mti r* be?free proxy serversfor over 9 years Qursor^sticaieo cnec3n5 systemmeasuresList Country Rating Access Tim ust of F r Proxy 5 t r v r t -Page 10 0 wwwproxy4tree cofnnistfive&proxyl htm i Free Proxy, Anontm izer, VPN. Proxy 4 Free Proxy uil, IP Test, *nccr-i* uemu HOMEADD YOUR PROXY U 3 1of tree Proxy servers Pgel0M0~
Proxy 4 Free ... ~
N w
ShopplOQ W ore Show seaicn tools
Pr Pioa* List Public Proxy Servers UPJEQSU .id c l.fr Ass: 4
Hid*myMS.comipf0xy-JisV Fr proxy list md*x.lh lwg**t Mirn* database ofcu&fe proxy fvr :rin
H ide My A>8! F rtt Proxy ana Privacy Toots - sun Tne w co ...
nifl0mv0M.c0riv Wot!proxy fioo) M cAtgg SECURE cilo t. lolpkeec > M 1 s*fofcon1 . trA: . w t. civdit caid fraud, spywat. Us our It proxy to twl nonyrrsously crtn* ! F re e Proxy S e rv e r - surr ! r r ,\ r r A-nnymn. is rreeproxynerver net/ Surrm* wen anonymously with our tree proxy server Free Proxy Server TurbLHUu.
ssasssssasssr
= 2
Bar
iN w
y ir j
1 :1 '
Public Proxy Servers F ree Proxy Server l s i wvcttpuDlicproxyservers.conv Pu&lic Proxy Servers is a tree and 1 dependent proxy :he:an; 5sm Cur ser.ice neips you to protectyouriaentity ana Dypass surfing restnrSons s!rce 2002
F ree Proxy Servers

Besides proxy tools discussed previously, you can find a number of free proxy sites available on the Internet that can help you to access restricted sites without revealing your IP address. Just type Free Proxy Servers in the Google search engine and you will get numerous proxy server websites.
( j O . )g ie
Free Proxy Servers
3 I
Search
*x*4 1 3 T(w000r*u1 K> ?0 sea>
Wo
Prosy 4 Free Free Proxy Servers Protect Your OMne Pnvacv *I wwpnMry4nrMC0rv proxy servers fo * w 9 )an Ow List County Rasng tcctii T r O k w j h u m ^NtfM _
Prosy 4 Free Fr Proy Servers Protect Your OMne Privacy _ wa piMfti* comu -CSCftM Smear Prony 4 Free *al
** 5 5 * * ** siw. * * *s
U tta ifie e Pfoxj server* l y 1 ai 1 8 www!*o*if4lrecorA1rweapreey1 Nn Frt Pron *noam&t VPN Pto! 4Fie Pror Ust P Test Aownn tCNU HOUE-400 YOUR PROXY list* rreePmcjSenwrs ?9*10(10Fr P'DBtv Lst -Puf'K proxy Server p PORT noe Mir Am * iwdemyMS cem^rwy* fr p ro ) 1 rO*1 tvsieicsstisi* *M K 4 l (/euCtcpreay serrTSorSr* fuaehaAm Free P r o g a a iilM U .T flBft au t T n g m e -m Art proxy tH Mc^lMSeCURlMMMxee>M#ftente*<Vw aeot cardtswd us ft* Iree proty 10 u**s*s*r1es> 1 ote i m i . ^ B e B -
---------------- I
f B
. . H
l| V W > Y
Prat Proxy Server _ Iu it t t t te . to W M c s m mr Tt*Mt4s**epnMy server -oear , m i r a M M i m w a M orowsieg too mae ** a* se e *me 1*soure*aM s**mc* _
.1
PiAftc Proxy Servers Free Proxy Server us! .4 ww|M<t*t#eaysevws ceev PuoscPro V im s it t Iim and n a m U ii p> o (**sang < C X 0 same *'iou 0proletl tour o sr ! mo & * si*v*j m iksm i s r a 3903
FIGURE 3.67: Google Search showing Free Proxy Servers
Module 03 Page 393

Scanning Networks
HTTP Tunneling Techniques

J HTTP Tunneling technology allows users to despite the restrictions imposed by firewalls
CEH
Encapsulates data inside
( (port 80)
, f ! * > ....... < Router HTTP Proxy or Firewall
<
< Internet....... ft > * * !> Router
End Users use HTTPTunnel to transmit or receive data through Firewall
Previously inaccessible servers and services
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
HTTP T unneling T echniques

HTTP Tunneling is another technique that allows you to use the Internet despite restrictions imposed by the firewalls. The HTTP protocol acts as wrapper for communication channels. An attacker uses HTTP tunnel software to perform HTTP tunneling. It is a client-server-based application used to communicate through the HTTP protocol. This software creates an HTTP tunnel between two machines, using a web proxy option. The technique involves sending POST requests to an "HTTP server" and receiving replies. The attacker uses the client application of HTTP tunnel software installed on his or her system to communicate with other machines. All requests sent through the HTTP tunnel client application go through the HTTP protocol.
Module 03 Page 394
EC-COUIICil

Scanning Networks
Racks of HTTP Tunnel Servers
49
M
Router HTTP Proxy or Firewall HTTP Tunnel Servers receive and relay the data
M -
End Users use HTTP-Tunnel to transmit or receive data through Firewall &
_ 1 u ! j Previously inaccessible servers and services
FIGURE 3.68: HTTP Tunneling Process
The HTTP tunneling technique is used in network activities such as: 9 9 9 9 Streaming video and audio Remote procedure calls for network management For intrusion detection alerts Firewalls
Module 03 Page 395
EC-C0UnCil

Scanning Networks
Why do I N eed HTTP Tunneling

J J Organizations firewall all ports except 80 and 443, and you may want to use FTP HTTP tunneling will enable use of FTP via HTTP protocol
INSIDE THE NETWORK
FTP
v
HTTP Tunneling client running on local port
P ort I P ort P ort P ort P ort 1 P ort 1 P ort 11 P o r t P ort

D ata is se n t via HTTP
23 21 79 25 110 500 69 80 443
Q 1 Q a ! ...... Q
OUTSIDE THE NETWORK
Http tunneling server software running
Internet
FTP data is encapsulated in http packet
Firewall rules only allow port 80 and 443
Why do I N eed HTTP T unneling?

HTTP tunneling allows you to use the Internet despite having firewall restrictions such as blocking specific firewall ports to restrict specific protocol communication. HTTP tunneling helps you to overcome this firewall restriction communication through HTTP protocol. The attacker may use this technique for the following reasons: 9 9 9 9 9 It assures the attacker that no one will monitor him or her while browsing It helps the attacker to bypass firewall restrictions It ensures secure browsing The attacker can hide his or her IP address from being trapped It assures that it is highly impossible for others to identify him or her online by sending specific protocol
Suppose the organization has blocked all ports in your firewall and only allows port 80/443, and you want to use FTP to connect to some remote server on the Internet. In this case, you can send your packets via HTTP protocol as shown in the following figure:
Module 03 Page 396
EC-COUIICil

Scanning Networks
IN S ID E T H E N E T W O R K
FTP C lie n t
fL - s
ftp
Port Port Port Port Port Port Port Port Port
23 21 79 25 110 500 69 80 443
S o ftw a re
v
HTTP T u n n e lin g c lie n t ru n n in g o n lo c a l p o rt
S 3 B
FTP d a ta is e n c a p s u la te d in h tt p p a c k e t Firewall rules only allow port 80 and 443
FIGURE 3.69: Effect of HTTP Tunneling on both Inside and Outside the Network
Module 03 Page 397
EC-C0UnCil

Scanning Networks
HTTP T unneling Tool: Super Network Tunnel
CEH
HTTP T unneling Tool: Super N etw ork T unnel

Source: http://www.networktunnel.net Super Network Tunnel is a professional HTTP tunneling software, which includes HTTP tunnel client and server software. It is like secure VPN software that allows you to access your Internet programs without being monitored by your work, school, or the government, and gives you an extra layer of protection against hackers, spyware, or ID theft. It can bypass any firewall.
Module 03 Page 398
EC-COUIICil

Scanning Networks
ik
Start
# H - a
Setup Lot A dd
OragBox
& .
R in Heto
J1
About
TotalSendBytes Tota/Recvfiytes Serve! Cwent Connections: My Local IP 10 9 0 7 4
Use Rin Game WthGameGuard Mode Q Use Real Remote Dn* Resolve Send Speed Recv Speed Server Total Threads(nctude cache)
[
IP
View System Today Log

Only Important Messages
T h ts o p e r a t in g system i s &4 b 1 t, SKT s u p p o rt tu n n e l b o th 3 2 b 1 t *rid &4b1t p r o g r a ,
u td e x c e p t u s e kook e n g in e , y ou I s o c*n eon
7
Ctent Stop
Log &>d Status |
: |
In Vbta.You can use dragdroo box to fragdrop program or program shortcut
FIGURE 3.70: Super Network Tunnel Screenshot
Module 03 Page 399
EC-C0UnCil

Scanning Networks
End u ser w ith HTTP-tunnel
HTTP Proxy o r Firewall
http://www.http-tunnel.com
HTTP T unneling Tool: HTTP-Tunnel

W _ / Source: http://www.http-tunnel.com HTTP Tunnel acts as a SOCKS server, allowing you to access the Internet by bypassing firewall restrictions. It is very secure software. Using this software does not allow others to monitor your Internet activities. It hides your IP address; therefore, it does not allow tracing of your system. It allows you the unlimited transfer of data. It runs in your system tray acting as a SOCKS server, managing all data transmissions between the computer and the network.
Module 03 Page 400
EC-COUIICil

Scanning Networks
%J
file Wy gettings He*p Log Help
HTTP-Tunnel Client v4.4.4000

FVow y Servei
Configuration
r A u to d rfa ct
Conhgue > EnierKey Mad Support Ex*
< NoPto*
c |
f* Spec#yPto*v Serve* NneAP
Connections
| Speed Tett | Diagnostic51About |
< 1 1 56 11> RIP Pnged serve* to keep use! togged n |<11 56 11> RetrievelP Log Window Geared
r Mvwnae |H*fc}on $UH(4> Accei 1 Rwtactoro Turn 9*1 O N 10 * to * 2 IP ! to u m
t o H T T P T 1*n a l c k t r i L n v t O f f I you oriy *Mrt 10 u n H T T PT u mal how pvogrami * m n g o n t w PC
AI0M 4 >eovo IP* o comect foHTTP Tunnrt
Advanced U*an
Fa advanced men only create cart act $4*100* lot r Thn option Mi *atficaly tove performance i t supported by fou ptoaty Th mi vol. ONLY I you Save a protry Tha cornaclcn lett doat not 1fJ #w opton r Ptoay *w CONNECT" camtnd
# 0
User Guides
** *!
N ewl%ym ar Pmtwr
$3.99 a m onth/year
Oil**Port MT TP Tcm* Inf a n t on Port 1080 l e iconrecbon! baai KX^D ktm Chingt *m I ^ u M p a t 1000 r * UM you h>4 HTTP I m l You n k n 10 1*cort9 # you wpfcMra and MUD HTTP T>mal
Chck Here h t t p t u n n e i
Munifo( I in 1* Anywli
Key not found Free Server Mode.
fioio
0 KB Up/0 KB Down
IP Retrieved(. 149]
FIGURE 3.71: HTTP-Tunnel Client and Configuration Windows
Module 03 Page 401
EC-C0UnCil

Scanning Networks
B ssh - f u s e r @ c e r tifie d h a c k e r .c o m - L 5 0 0 0 :c e r t i f i e d h a c k e r . co m :25 -N - f => background mode, u s e r S c e r t i f i e d h a c k e r . com => user name and server you are logging into , -L 5000 :c e r t i f i e d h a c k e r . com : 25 => localport:host:remote-port, and -N => Do not execute the command on the remote system
This forwards the local port 5000 to port 25 on certifiedhacker.com encrypted Simply point your email client to use localhost:5000 as the SMTP server
SSH T unneling
SSH tunneling is another technique that an attacker can use to bypass firewall
restrictions. It also helps you hide your IP address on the Internet; therefore, no one can trace or monitor you. The prerequisite of SSH tunneling is raised from the problems caused by the public IP address, the means for accessing computers from anywhere in the world. The computers networked with the public IP address are universally accessible, so they could be attacked by anyone on the global Internet easily and can be victimized by attackers. The development of SSH tunneling solves the problems faced by the public IP address. An SSH tunnel is a link that proceeds traffic from an indiscriminate port on one machine to a remote machine through an intermediate machine. An SSH tunnel comprises an encrypted tunnel, so all your data is encrypted as it uses a secure shell to create the tunnel. Creating a tunnel for a privately addressed machine needs to implement three basic steps and also requires three machines. The three requisite machines are: 9 9 9 Local machine An intermediate machine with a public IP address Target machine with a private address to which the connection must be established
Module 03 Page 402
EC-COUIICil

Scanning Networks
You can create a tunnel as follows: 9 Start an SSH connection from local machine to the intermediate machine with public IP address. 9 Instruct the SSH connection to wait and observe traffic on the local port, and use intermediate machine to send the traffic to an explicit port on the target machine with a private address. This is called port acceleration or port forwarding. 9 On the local machine, select the application that you want to use for connection with the remote machine and configure it to use port forwarding on the local machine. Now, when you connect to the local port, it will redirect the traffic to the remote machine. To secure communication between computers, SSH uses private and public encryption keys. The public encryption keys used by the SSH tunneling deed like the identifiers of the authorized computer. On initiating an SSH connection, each machine exchanges public keys, but only the computer that has the matching private key can attain access to the remote computer applications and information and can read encrypted communications with the public key. f t
Mail Client
< i
DB Server Mail Server ! 09 ........... ___ SSH P erim e ter Controls Server App Server W ebserver
DB Client %
I n*
A tta ck e r
<
SSH
3
Internet
*4
t
App Client
Web Client
f !'<
C lient
P erim e ter Controls
FIGURE 3.72: SSH Tunneling Process
OpenSSH
Source: http://www.openssh.org OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. OpenSSH can be used to tunnel the traffic on local machine to a remote machine that you have an account on.
ssh -f user@certifiedhacker.com -L 2000: certifiedhacker.com: 25 -N -f = > backgroung mode user@ certif iedhacker.com=> user name and server you are logging into -L 2000: certifiedhacker.com: 25 = > I0calp0rt:h0st:rem0tep0rt -n = > Do not execute the command on the remote system
This essentially forwards the local port 2000 to port 25 on certifiedhacker.com encrypted. Simply point your email client to use localhost:2000 as the SMTP server.
Module 03 Page 403
EC-C0l1nCll

Scanning Networks
SSH T unneling Tool: Bitvise

Bitvise SSH Server provides secure remote login capabilities to Windows workstations and servers proxy, and also remote administration for the SSH Server
?1 Bitvise SFTP - localhost:22
I Window Local Remote Upload Queue
C EH
SSH Client includes powerful tunneling features including dynamic port forwarding through an integrated
^
Download Queue Log Log
Upload Queue
a i Download Queue
O
Name
St
] $
(3 Size
c.\prog1am files (xS6 }',b1 t/isetunnelier Type Date Modifed 2006-12-25 0... 2006-12-25 0... 2006-12-25 0 2006-12-25 0 2006-12-25 0... 2006-12-25 0... Attributes A A A A A A A A A A A A
s >
{* fciprograrr Files (x36)/bitvise winsshd

Size Typ e 0 File Folder 167.936 Application 1BB.415 Application 200.095 Application 294,912 Application 15,961 C * Sour... 20.IBO Applicati. 610.304 application 2.760 70 !Application 055 15 /Vppilcotlon 2.211.B4Q Application 192.512 Application 352.256 Application 2.330.016 Application 3.461,120 Application 446,464 Application 2.666.496 Applicati... 3.768 Interface f t Start Dete Modifed 2006-12-25 0.. 2006-12-25 0... 20060 2512.. 2006-12-25 0 2006-12-25 0.. 2006-12-25 0.. 2009-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0 . . 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12^25 0.. 2006-12-25 0.. 2006-12-25 0..
Q kM erm cexe
286,720 Application 1.265.664 Application 20.480 Application 1,597.440 Application 2,002.944 Application 2.150,400 Application 1,650,688 Application 372,736 Application
Nome k Log*
S/ glcl:tgc.oxo
i "7 log exe L sense exe sftpc.exe iis3h<J3tg3 0xe B7stetmc tutermc.ee
bvÂd.oxo
I7 b v R in exe F b w m s bo* ; SCP.OXO
2009-12-25 0
2006-12-25 0... 2006-12-25 0... 2006 1 2-25 0...
* 1StcPuginSomple.cpp SlpRuginSompI# d l l E Z s f c p i . f i n e
7 CCMCtf.OXO
Turn 0 1lor.oxo 6.193.152 Application S ju n in31.exe 552.256 Application vtlOOtdx 6,066 T D S Fils xtermtde 6,066 T D SFilo
^sowoxecoxe
2006-12-25 0
2006-12-25 0...
f 7 itM tlgt win

to to m 003
Pumrsiexe
7WirSSHDoc I!WrttshdAdStateCheck exe WinsshdCfgMartp dH j Wr'sshdCtgMeoip i d l

^ Binary ! _ [ Resume | Overwrite f t Start I f Binary * _ Resurre
Li Overwrite
http://www. bitvise. com

Copyright by EC-CMMCil. All Rights Reserved. Reproduction is Strictly Prohibited.
SSH T unneling Tool: Bitvise

Source: http://www.bitvise.com Bitvise is client server-based application used for SSH tunneling. The server provides you secure remote login capabilities to Windows workstations and servers. With Bitvise SSH Server, you can administer the W indow s server remotely. The Bitvise server even has the ability to encrypt the data during transmission so that no one can sniff your data during transmission. Bitvise SSH Client includes graphical as well as command line SFTP support, an FTP-to-SFTP bridge, tunneling features that can be helpful for port forwarding and remote administration.
Module 03 Page 404
EC-COUIICil

Scanning Networks
. Bitvise SFTP - localhost:22

Window Browse Local Remote Upload Queue Download Queue Log
|J) Upload Queue 12 Download Queue

1 3 ( .4 < Size
-_/^Log R e m o te Files
c:\program files (x86)Vb1tvise tunrieher Type Date Modifed 2006-12-25 0... 2006-12-26 0... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0... 2006-12-26 0... 2006-12-25 0... 2006-12-26 0... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0... Attributes A A A A A A A A A A A A
O Name 1 Logs
*2
} fit
/c /program files (x86)/b!tvise winsshd Size Type ate Modited 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0. . 2006-12-25 0.. 2006-12-25 0 2006-12-25 0.. 2006-12-25 0
Name ntvterrnc.exe ff gldstgs.exe I 7 log.exe sexecexe F sftpcexe sshdstgs.exe F stermc.exe Q toterm cexe ; ' Tunnelier.exe J | u n 1rstexs vtlOC.tds xlerm.lds
286.720 Application 1.265.664 Application 20.480 Application 1.597.440 Application 2.002.944 Application 2. 50.400 Application 1.650.688 Application 372.736 Application 6,193.152 Application 352.256 Application 6.066 6.066 T D S File T O S File
0 File Folder
167,936 Application 188.416 Application 208,896 Application 294.912 Application 15,961 C Sour... 23.480 Applicati... 610,304 Application 2.763,704 Application 45,056 Application 2.211,840 Application 192,512 Application 352,256 Application 2.338,816 Application 3.461.120 Application 445,464 Application 2.666.496 Applicati... 3,768 Overwrite Interlace Start ]
bvPwd exe
bvRun.exe bvterms exe ' scp.exe c~ SttpPlugmSample.cpp SftpPluginSample.dll ' sftps.exe F F sshdctrl.exe sshdexecexe
' sshdstgs.exe F toterm exe F uninstexe F wctg exe F W inSSH D .exe WinsshdActStateCheck exe WinsshdCfgManip.dll i WinsshdCtgManip idl
S fB in arv
; Resume
J Overwrite _ [ & Start
JPjDindiy
Resume
FIGURE B.73: Bitvise Tool Screenshot
Module 03 Page 405
EC-C0UnCil

Scanning Networks
A n o n y m iz e rs
J An anonymizer rem oves all the identifying inform ation from the user's computer while the user surfs the Internet J J Anonymizers make activity on the Internet untraceable Anonymizer tools allow you to bypass Internet censored websites
C EH
W h y use Anonym izer?
Copyright by EG-G*nncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
A nonym izers
An anonymizer is an intermediate server placed in between the end user and web site that accesses the website on behalf of you, making your web surfing untraceable. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http :), file transfer protocol (ftp :), and gopher (go p her:) Internet services. To visit a page anonymously, you can visit your preferred anonymizer site, and enter the name of the target website in the Anonymization field. Alternately, you can set your browser home page to point to an anonymizer, so that every subsequent web access will be anonymized. Apart from this, you can choose to anonymously provide passwords and other information to sites that request you, without revealing any other information, such as your IP address. Crackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their applications configuration menu, thereby cloaking their malicious activities.
Why Use an Anonym izer?

The reasons for using anonymizers include:
Module 03 Page 406
EC-COUIICil

Scanning Networks
Ensures privacy: It protects your identity by making your web navigation activities
untraceable. Your privacy is maintained until and unless you disclose your personal information on the web by filling out forms, etc.
Accesses government-restricted content: Most governments prevent their citizens from

accessing certain websites or content in order to avoid them from accessing inappropriate information or sensitive information. But these people can access even these types of resources by an anonymizer located outside the country.
Protect you from online attacks: Anonymizers protect you from all instances of online
pharming attacks by routing all customer Internet traffic via the anonymizer's protected DNS servers.
Bypass IDS and firewall rules: Bypassing of firewalls is mostly done in organizations or
schools by employees or students accessing websites they are not supposed to access. An anonymizer service gets around your organization's firewall by setting up a connection between your computer and the anonymizer service. By doing such, firewalls can see only the connection from you to anonymizer's web address. The anonymizer will then connect to Twitter or any website you wanted to access with the help of an Internet connection and sends the content back to you. not to Twitter or other sites. For your organization, it looks like your system is connected to an anonymizer's web address, but
Anonymizers, apart from protecting users' identities, can also attack the website and no one can actually detect where the attack came from.
Types of A nonym izers

An anonymizer is a service through which one can hide their identity when using certain services of the Internet. It basically works by encrypting the data from your computer, so that is cannot be understood by Internet service providers or anyone who might try to access it. Basically, anonymizers are of two types: 9 9 - ____~ Networked anonymizers Single-point anonymizers
N e tw o rk e d A n o n y m iz e rs
___
These type of anonymizer first transfers your information through a network of Internet computers before sending it to the website. Since the information passes through several Internet computers, it becomes more cumbersome for anyone trying to track your information to establish the connection between you and anonymizer.
Example: If you want to visit any web page you have to make a request. The request will first
pass through A, B, and C Internet computers prior to going to the website. Then after being opened, the page will be transferred back through C, B, and A and then to you.
Advantage: Complication of the communications makes traffic analysis complex
Module 03 Page 407
EC-C0UnCil

Scanning Networks
Disadvantage: Any multi-node network communications have some degree of risk at each node
for compromising confidentiality
___
' ^
S in g le -p o in t A n o n y m iz e rs
Single-point anonymizers first transfer your information through a website before
sending this to the target website, and then pass back information, i.e., gathered from the targeted website, through a website and then back to you to protect your identity.
Advantage: IP address and related identifying information are protected by the arms-length
communications
Disadvantage: It offers less resistance to sophisticated traffic analysis
Module 03 Page 408
EC-C0UnCil

Scanning Networks
C ase: B loggers W rite Text B ackw ards to B ypass Web F ilte rs in C h in a
Bloggers and journalists in China are using a novel approach to bypass In tern et filters in their country - th ey w rite backwards or from right to left
IF H BOTHERS YOU THAT THE CHINA SCVEMflENT DOES IT ! IT SHOULD 9CTVCR YOU WHEN YOU* CABLE COMPANY DOCS IT 1 "
*adablebvh ns~ b e in g s k ../ Urr>an 5 0 **are

ering
'h e r ^rZle m
chi
packets co aSrbet,
^ 0 r cracvJ ananr0en etC Oerocra
I Rights Reserved. Rep rod u ctio n is S trictly Prohibited.
<\ -
I f
F ilte rs in C h in a
C a s e : B lo g g e r s W r it e T e x t B a c k w a r d s to y p a s s W e b
China is well known for its implementation of the "packet filtering" technique. This technique detects TCP packets that contain controversial keywords such as Tibet, Democracy, Tiananmen, etc. To bypass Internet filters and dodge the censors, bloggers and journalists in China are writing the text backwards or from right to left. By doing so, though the content is still in human readable form, the text is successful in defeating web filtering software. Bloggers and journalists use vertical text converter tools to write the text backwards or from right to left and vertically instead of horizontally.
Module 03 Page 409

Scanning Networks
C ensorship Circum vention Tool: Psiphon

J Psiphon is a censorship circumvention system that allows users to bypass firewalls and access blocked sites in countries where the Internet is censored It uses a secure, encrypted HTTP tunnel connection to receive requests from psiphonite to psiphonode which in turn transports the results back to the requested psophonite It acts as a web proxy for authenticated psiphonites, even works on mobile devices
Psiphon 3
A .
CEH
0 0 proxy domestic web sites Qicrr. Version; 40 SSH connecting... t
Localhos! poit 1080is alreadyinuse

SCCfCS proxy is running on localhcst port 1081 5SH+ successfully connected HTTP proxy is rumhg cn localhost poit SOSO Preferred servers: 2 SSH disconnected. SSH *conrecting Localhos! poit 1030 is already in use SOCKS proxy is njnning on localMcst port 1081 SSH successfully connected HTTP proxy ia rumng cn localhooi poit 8030. SSH disconnected. Fix VPN Servces faled: irsutfciert privileoesto confiaure 0 stat servce IKEE VPN connecting... YPN succesûly connected. HTTP proxy is rumha cn localhost poit 8080. VPN disconnected. SSH connecting. .. Locahoss poit 108018 already in use SOCKS proxy it running on Incjilhcet port 1081 SSH succesûly comcctod. HTTP proxy is rumnq cn localhos! poit 8080. Unproxed autee iruixjifcoiit rem Urproxed. a 1970.y.ok.ernoi /id Unonxed: osnotorriq .com Unproxed a$0g akamai net Unproxed: wyvw.bqaiautc.com Uronxed: mypulsar.com SSH disconnected SSH* connecting... Locahos: poit 1080 is aready in use SOCKS proxy is running on localhost port 1081 Aboii Psphon 2
1 It bypass the content-filtering systems of countries like China, North Korea, Iran, Saudi Arabia, Egypt and others
Uncensored
http://psiphon.co
C o p yrigh t @ b y EG -G *ancil. All Rights Reserved. Rep rod u ctio n is S trictly Prohibited.
C e n so rsh ip C irc u m v e n tio n Tool: P sip h o n

Source: http://psiphon.ca Psiphon is a censorship circumvention system that allows users to bypass firewalls and access blocked sites in countries where the Internet is censored. It uses a secure, encrypted HTTP tunnel connection to receive requests from psiphonite to psiphonode, which in turn then transports the results back to the requested psophonite. It acts as a web proxy for authenticated psiphonites, and works on mobile browsers. It bypasses content-filtering systems of countries such as China, North Korea, Iran, Saudi Arabia, Egypt, and others.
Module 03 Page 410
EC-COUIICil

Scanning Networks
P
O
O SSH
Psiphon 3
H I ]
o vp n s 1h
SSH
@ Don! proxy domestic web sites Client Version: 40 SSH connecting Localhost port 1080 is already muse SOCKS proxy is runrwig on locahost port 1081. SSH successfully connected HTTP proxy is rumng on locahost port 8080 Preferred servers: 2 SSH disconnected SSH connecting... Localhost port 1080 is already muse SOCKS proxy is rurmng on locafriost port 1081 SSH successfully connected HTTP proxy is rurmng on locahost port 8080 SSH disconnected Fix VPN Services faded nsuffoent pm nleges to configure or start service IKEE VPN connecting... VPN successfully connected HTTP proxy is rurmng on locatiost port 8080 VPN disconnected SSH connectng... Localhost port 1080 is already n use SOCKS proxy is rurmng on locatiost port 1081. SSH successfully connected HTTP proxy is rurmng on locahost port 8080 Unproxied autosinaxabout .com Unproxied: a1979.g akamai net Unproxied: bsm otorm g com Unproxied: a90g akamai net Unproxied: w w w baja!auto com Unprowed mypulsar com SSH disconnected SSH connecting Localhost port 1080 is already in use SOCKS proxy is running on locatiost port 1081 About Ps*> hon 3
FIGURE 3.74: Psiphon Screenshot
Module 03 Page 411
Ethical Hacking and Countermeasures Copyright by EC-C0UIICil

Scanning Networks
Copyright by
CMIilCil. All Rights Reserved. Reproduction is Strictly Prohibited.
C e n so rsh ip C irc u m v e n tio n Tool: Y our-F reedom

Source: http://www.your-freedom.net Censorship circumvention tools allow you to access websites that are not accessible to you by bypassing firewalls. The Your Freedom services makes accessible what is unaccessible to you, and they hide your network address from those who don't need to know. This tool turns your PC into an uncensored, anonymous web proxy and an uncensored, anonymous SOCKS proxy that your applications can use, and if that's not enough, it can even get you connected to the Internet just as if you were using an unrestricted DSL or cable connection.
Module 03 Page 412
EC-COUIICil

Scanning Networks
Your Freedom
Status | Streams | Account Profile Ports Messages Vouchers
j
_ E L
Applications About
Freedom Server External IP Address Server located in Open streams Bytes sent Bytes received Send rate (bytes/sec) Receive rate (bytes/sec)
https://em s29.your-freedom .de 443 83.170.106 56 UK, United Kingdom 0 2973 704 279 111|
Configure
Stop connection
Restart connection
Update?
Exit
III
Uplink 1.0 k
Downlink 0.4 k
FIGURE 3.75: Your-Freedom Screenshot
Module 03 Page 413
EC-C0UnCil

Scanning Networks
How to C heck if Your W ebsite is B locked in C hina or Not?

J J Internet tools help identify if w eb users in China can access rem ote websites W h e n Ju st Ping and W e b S ite P u lse show "Packets lost" or "tim e-out" errors, chances are that the site is restricted
h ttp ://w w w . w ebsitep u lse . com Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
How to C h ec k if Your W eb site is B lo ck ed in C h in a or ----- Not?

If a "packets lost" error is received or there is a connection time-out message is displayed while connecting to your site, chances are that the site is blocked. To find out whether the website at xyz.com is accessible by Chinese web users, you can use tools such as just ping and WebSitePulse.
f
0 0
Ju s t p in g
Source: http://www.iust-ping.com Just ping is an online web-based ping tool that allows you to ping from various locations worldwide. It pings a website or IP address and displays the result as shown as follows:
Module 03 Page 414
EC-COUIICil

Scanning Networks
ju s t ^ p in g
UJHTCHm QU!
NAJCMNC CVtROMlM IlM NISk
Online web-baaed ping: Free online ping Iron SO locaiioaa worldwide
U-jhg
e g p in a : yahoo
| |p r .g 1
con or 6 6 . 9 4 . 2 3 4 . 1 3 3 < C heck h t t p
t n m .f A c m b o c k .c o m
fly!m. fiatook com /)
Singapore. U n k n o w n host: Singapore: vnr fa e e b o o k .c o m Anaterdaa2, Okay Netherlands Florida. U . S . A . : O k a y XaatcrdiaS. Okay He", h e r land* : H o n g Kor.rj , C hin* O k a y Sydney Okay Australia: UAtnchan. Okay Crnany: C o l o a n . SraanY:OkaY H a v Y ork, U.S.A. O k a y S tock ho la. Okay Sweden. S a n t a Clara. U.S.A.: V a ncouver. London. Kingdom. Madrid. Pad ova Auatin. U n i tod Spain: Italy: U.S.A.: Okay Okay Okay Okay Ok *y Okay Okay
90.5 84 6 90 6 181 5 183.8 97.5 103.3 82.1 123.9 28.3 33.3 94 .7
91 O 83.3 91 .0 195 5 183.0 98 .2 106.1 82.5 124.2 28.7 34.1 98.2 125.3 113.9 73. 90.9
2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 :face b O O c 66. 2 2 0 . 1 4 9 88 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 :face b O O c 2 a 0 3 : 2 8 8 0 : 1 0 :lf02:fa c e : b O O c 6 9 .171.237.16 69.171 . 2 4 2 . 7 0 2 8 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 :f a c a b O O c : : 69.171 . 2 3 7 . 3 2 2 a 0 3 2880 2110 3f02 69. 1 7 1 . 2 2 8 70 2 a 0 3 : 2 8 8 0 : 1 0 If03 faca.bOOc 23 face bOOc 25
84 0 90 5 18 2 . 8 193.3 97.2 103 3 81.* 123 2 O 33.a >4.4 124. 113 72 * 90 3
2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 3 :face:bOOc 65 63 189.74 2a03 2 8 8 0 1 2110 3 f02 t *e b O O c 2 a 0 3 2880 10 If03 fac b O O c 25 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f02 face bOOc
124.7 112 6 73.2 90.
Natherlanda.
FIGURE 3.76: Just Ping Screenshot
WebsitePulse
Source: http://www.websitepulse.com WebsitePulse provides remote monitoring services. It simultaneously pops websites from around the globe.
I B I ^ a IV W*t4 Tt C w C Aww.we&nepuis<.<on -.noo<v(tna1e$tvn! s i x
W e b s ite P u ls e tskt I T easy |

. rw vic ll.*4 | MMi rot 0 Ffctfoii Extcmaxn tt Add-OM Chi0 <ttf1SOH Ctxra Exteos>oos Safan Extar won* WtfxJ0w3V15ta Gadget Facebook Apps AnCiouJ At)C 8. Apo
Tk* w#b S e iv tr aad W **dr M n tfc la S#rvk tnntfd bv 84% mUom an .. 1 ia 1 Tata > a t i Test results l Jh I m M Im T n M M i UCt Ut*4 H m hM M m U .H 4 I ChM 12-C42; l015?>tO(OT -00-00} ImImI lm > A ll M l fMted H n M A i; ft* T lt R V 3012-#-2 10 57 11 C (8MT CO 00) fca07/M*i<ata*fc4*w Sf.t7i.2J/-M 1 '** * A, j 1
Y < * J
W rtiU t
H n m n i T n i 3040 0*V CM N Ct '* tB y t* w . 3 MO *k OON n c 3-090 MC 0*
I n iM M t m i C M7 o Ca M K t h n tM : ftmm c s e i 1 C-.3M c O-MOmc 0.133 mc ]1311 M m
1 1
L IV E C H A T CWn, I 'f f E ! !
*tic* MU ( P N ^ c v m U ) n u (t
*e M Tfi (> #g,TfM nUt> rc*As
la N w H k tNs YTrbutr f r rr l r N Oar (feck Herr* 1mail m d h Save R rttA ) Pafona a acw l o t R c iw t a h v k k a
r #
Tm! Tm! * 0 v.
v
FIGURE 3.77: WebsitePulse Screenshot
Module 03 Page 415
EC-C0l1nCll
G-Zapper
G-Zapper - TRIAL VERSION
CEH
G Zapper
G-Zaocei = ntsctrg you! Search Piivacy Did you know - 3 0 0 gl9*teres a unique identifier in a cookie on your PC, which alow? them to track the kewkofdi yoo ssach fot. GZcppcr will ojtomalicdl/ dctcct and cban this cookie in your web b o w c . J j ; t jn G-Zaoce. ninini7 e the vinebw. and enjoy ycur enhanced search privacy
Google sets a cookie on user's system with a unique identifier that enables them to track user's web activities such as: e Search Keywords and habits Search results Websites visited
2'
A Google Trarkino ID exists on ym PC

You-aoogle V (hrefox 8536d45Ib367T738
Goxê instaled the cookie on Tuesday, July 03. 2012 12:10:32 AM

Y a * scaiche; ha/e teen tracked for *9 days I You ha2 #/Googie teaichet aved n Md7 illa Rrafox
Yoji irWtitj* wil h ofccutd fromprevious *ewcho* *ndG Z*pp*r wll m gulM î dean luhir cookie* To block and delete thGooge ceareh cook*, die*, the 8look Ccoki bjtton. (Gndl aid A0ier 1 > 1 ! be unavailable vitli the ojuke blocKcd)
10 delete the U xate cookie, click the Delete lookie button.
Information from Google cookies can be used as evidence in a court of law
h llc/jw w M d u rm w s D liw a (fi.c flm

| Cebtt Cootie J
^Block Coekie j ^Test Google j ^
Settings
h ttp ://w w w . d u m m yso ftw a re . com
Copyright by EG-GtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
G Z ap p er
Source: http://www.dummysoftware.com G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online. It automatically detects and cleans Google cookies each time you use your web browser. It is compatible with W indow s 95/98/ME/NT/2000/XP/Vista/Windows7. It requires Microsoft Internet Explorer, Mozilla Firefox, or Google Chrome and is compatible with Gmail, Adsense, and other Google services.
Module 03 Page 416

Scanning Networks
G-Zapper - TRIAL VERSION

What is GZapper GZapper Projecting you Search Privacy Did you know Google stores a unque idenMier r a cookie on you PC. which atows them to track the keywords you search lor G Zapper wi automatical}! detect and dean this cookie you web browse* Just run GZappet. mrmtte the window, and enjoy you enhanced search privacy
2'
A Google Tracking ID exists on yocr PC.
- You Google ID: (Frefox) 85%d451b86*738 Google instaled the cook* on: Tuesday. Jdy 03.2012 12:10:32 AM You searches have been backed 1 0149 days
^| You have 2 Google searches saved n Mozia Frefax

How to Use It To delete the Google cookie, clck the Delete Cookie button You identity w i be obscued fromprevious searches and G-Zappei wi regularly clean Mure cookies T0 block and delete the Google search cookie, cick the Block Cookie button (Gm ad and Adsense w i be unavaiabie with the cookie Mocked) http //www dum m vsoWware com
Sett rigs
Delete Cookie
Block Cookie
Test Google
FIGURE 3.78: G-Zapper-Trial Version Screenshot
Module 03 Page 417
EC-C0UnCil

Scanning Networks
Anonym izers
Mowser
h ttp ://w w w . m ow ser. com
E H
Spotflux
h ttp ://w w w .spo tflu x.co m
Anonymous W eb Surfing Tool

http://w w w .anonym ous-surfing.com
U-Surf
http://ultim ate-anonym ity.com
Hide Your IP Address

h ttp ://w w w . hideyouripaddress. net
WarpProxy
http ://silen t-su rf. com
ps4
Anonymizer Universal
h ttp ://w w w . anonymizer, com
Hope Proxy
h ttp ://w w w .h o pep ro xy. com
Guardster
http ://w w w . guardster. com
Hide M y IP s a flH l
http://www.pri\/acy-pro. com
* " V An anonymizer is a tool that allows you to mask your IP address to visit websites without being tracked or identified, keeping your activity private. It allows you to access blocked content on the Internet with omitted advertisements. A few anonymizers that are readily available in the market are listed as follows:
9 9 9 9 9
9
Mowser available at http://www.mowser.com Anonymous W eb Surfing Tool available at http://www.anonymous-surfing.com Hide Your IP Address available at http://www.hideyouripaddress.net Anonymizer Universal available at http://www.anonvmizer.com Guardster available at http://www.guardster.com Spotflux available at http://www.spotflux.com U-Surf available at http://ultimate-anonvmity.com WarpProxy available at http://silent-surf.com Hope Proxy available at http://www.hopeproxy.com Hide My IP available at http://www.privacy-pro.com
9 9 9 9
Module 03 Page 418
EC-COUIICil
Spoofing IP Address
IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be som eone else W h e n the victim replies to th e address, it goes back to the spoofed address and not to the attacker's real address
CE H
IP sp o o fin g using H ping2:
Hping2 www. -a 7.7. 7. 7
You will not be able to complete the three-way handshake and open a successful TCP connection by spoofing an IP address
-. Spoofing IP A d d resses
^ Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker a fake IP in place of the attacker's assigned IP. W hen the attacker sends a connection request to the target host, the target host replys to the attacker's request. But the reply is sent to the spoofed address. W hen spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources.
IP spoofing using Hping2:

Hping2 w w w .cre tifie d h a ck e r.co m -a 7. 7. 7. 7 Using Hping2 you can perform IP spoofing. It helps you to send arbitrary TCP/IP packets to network hosts.
FIGURE 3.79: Attacker Sending Spoofed Packet to The Victim
Module 03 Page 419

Scanning Networks
IP Spoofing Detection Techniques: Direct TTL Probes

J compare TTL with suspect packet; if the TTL in the reply is not the same as the packet being checked, it is a spoofed packet J This technique is successful when attacker is in a different subnet from victim
CEH
Send packet to host of suspect spoofed packet that triggers reply and
Sending a packet with spoofed 10.0.0.5 IP - T T L 13
Attacker
(Spoofed Address
Target
1 0 .0 .0 . 5)
10.0.0.5
Note: Normal traffic from one host can vary TTLs depending on traffic patterns
IP Spoofing D etectio n T e c h n iq u e s: D irect TTL P ro b e s

Initially send a packet to the host of suspect spoofed packet and wait for the reply. Check whether the TTL value in the reply matches with the TTL value of the packet that you are checking. Both will have the same TTL if they are the same protocol. Though, initial TTL values vary based on the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the commonly used initial values are 64 and 128 and for ICMP, the values are 128 and 255. If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. The hop count can be determined by deducting the TTL value in the reply from the initial TTL value. If the TTL in the reply is not matching with the TTL of the packet that you are checking, it is a spoofed packet. If the attacker knows the hop count between source and host, it will be very easy for the attacker to launch an attack. In this case, the test results in a false negative.
Module 03 Page 420
EC-COUIICil

Scanning Networks
Sending a packet with spoofed 10.0.0.5 IP - TTL 13
Attacker
(Spoofed Address 10.0.0.5)
>*.
y Nf
10.0.0.5
FIGURE 3.80: Using Direct TTL Probes for IP Spoofing Detection
Module 03 Page 421
EC-C0UnCil

Scanning Networks
IP Spoofing Detection Techniques: IP Identification Number

J Send probe to host of suspect spoofed traffic that triggers reply and compare IP ID with suspect traffic If IP IDs are not in the near value of packet being checked, suspect traffic is spoofed This technique is successful even if the attacker is in the same subnet
J J
Send packet with spoofed IP 10.0.0.5; IP ID 2586
Attacker
. * 5 . *t ;. *
* T a 1 get
10.0.0.5
r3 H 1
IP Spoofing D etectio n T e ch n iq u es: IP Id e n tific a tio n N u m b er
Spoofed packets can be identified based on the identification number (IP ID) in the IP header that increases each time a packet is sent. This method is effective even when both the attacker and victim are on same subnet. To identify whether the packet is spoofed or not, send a probe packet to the target and observe the IP ID number in the reply. If it is in the near value as the packet that you are checking, then it is not a spoofed packet, otherwise it is a spoofed packet.
Sending a packet with spoofed 10.0.0.5 IP - IP ID 2586
Attacker
w
?
Target
10.0.0.5 FIGURE 3.81: Using IP Identification Number for IP Spoofing Detection

Module 03 Page 422 Ethical Hacking and Countermeasures Copyright by EC-COUIICil
IP Spoofing Detection Techniques: TCP Flow Control Method

J Attackers sending spoofed TCP packets, will not receive the target's SYN-ACK packets J Attackers cannot therefore be responsive to change in the congestion window size _l When received traffic continues after a window size is exhausted, most probably the packets are spoofed
CEH
Sending a SYN packet with spoofed 10.0.0.5 IP
Attacker
Target
. '& < *v \
10.0.0.5
Copyright by EC-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
IP Spoofing D etectio n T e ch n iq u es: TCP Flow C ontrol M ethod

The TCP can optimize the flow control on both the send and the receiver side with its algorithm. The algorithm accomplishes the flow control based on the sliding window principle. The flow of IP packets can be controlled by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. W hen the window size is set to zero, the sender should stop sending more data. In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker who is unaware of the ACK packet containing window size information continues to send data to the victim. If the victim receives data packets beyond the window size, then the packets must be treated as spoofed. For effective flow control method and early detection of spoofing, the initial window size must be very small. Most spoofing attacks occur during the handshake, as it is difficult to build multiple spoofing replies with the correct sequence number. Therefore, the flow control spoofed packet detection must be applied at the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting
Module 03 Page 423

Scanning Networks
the SYN request from a genuine client or a spoofed one, you should set the SYN-ACK to zero. If the sender sends an ACK with any data, then it means that the sender is the spoofed one. This is because when the SYN-ACK is set to zero, the sender must respond to it only with the ACK packet but not ACK with data.
FIGURE 3.82: Using TCP Flow Control Method for IP Spoofing Detection
Module 03 Page 424
EC-C0UnCil

Scanning Networks
IP S p o o fin g C o u n te r m e a s u r e s
Limit access to configuration information on a machine
CE H
Use random initial sequence numbers
Copyright by EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.
IP Spoofing C o u n te rm e a su re s
In ethical hacking, the ethical hacker also known as the pen tester, has to perform an additional task that a normal hacker doesn't follow, i.e., applying countermeasures to the respective vulnerabilities determined through hacking. This is essential because knowing security loopholes in your network is worthless unless you take measures to protect them against real hackers. As mentioned previously, IP spoofing is one of the techniques that a hacker employs to break into the target network. Therefore, in order to protect your network from external hackers, you should apply IP spoofing countermeasures to your network security settings. The following are a few IP spoofing countermeasures that you can apply:
Avoid trust relationships

Attackers may spoof themselves as a trusted host and send malicious packets to you. If you accept those packets by considering that the packets are sent by your trusted host, then you may get infected. Therefore, it is advisable to test the packets even when they come from one of your trusted hosts. You can avoid this problem by implementing password authentication along with trust-relationship-based authentication.
Use firewalls and filtering mechanisms

You should filter all the incoming and outgoing packets to avoid attacks and sensitive information loss. The incoming packets may be the malicious packets coming from the attacker.
Module 03 Page 425
EC-COUIICil

Scanning Networks
If you do not employ any kind of incoming packet filtering mechanism such as a firewall, then the malicious packets may enter your private network and may cause severe loss. You can use access control lists (ACLs) to block unauthorized access. At the same time, there is also a possibility of insider attackers. These attackers may send sensitive information about your business to your competitors. This may also lead to great monetary loss or other issues. There is one more risk of outgoing packets, which is when an attacker succeeds in installing a malicious sniffing program running in hidden mode on your network. These programs gather and send all your network information to the attacker without giving any notification. This can be figured out by filtering the outgoing packets. Therefore, you should give the same importance to the scanning of outgoing packets as that of the incoming packet data scanning.
Use random initial sequence numbers

Most of the devices chose their ISN based on timed counters. This makes the ISNs predictable as it is easy for a malicious person to determine the concept of generating the ISN. An attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he or she can make a malicious connection to the server and sniff your network traffic. To avoid this, risk you should use random initial sequence numbers.
Ingress filtering
Prohibiting spoofed traffic from entering the Internet is the best way to block it. This can be achieved with the help of ingress filtering. Ingress filtering applied on routers enhances the functionality of the routers and blocks spoofed traffic. It can be implemented in many ways. Configuring and using access control lists (ACLs) that drop packets with source address outside the defined range is one way to implement ingress filtering.
Egress filtering
Egress filtering refers to a practice that aims at IP spoofing prevention by blocking the outgoing packets with a source address that is not inside.
Use encryption
If you want to attain maximum network security, then use strong encryption for all the traffic placed onto the transmission media without considering its type and location. This is the best solution for IP spoofing attacks. Attackers usually tend to find targets that can be compromised easily. If an attacker wants to break into encrypted network, then he or she has to face a whole slew of encrypted packets, which is a difficult task. Therefore, the attacker may try to find another target that can be easily compromised or may attempt other techniques to break into the network. Use the latest encryption algorithms that provide strong security.
SYN flooding countermeasures

Countermeasures against SYN flooding attacks can also help you to avoid IP spoofing attacks.
Module 03 Page 426
EC-C0UnCil

Scanning Networks
Besides these basic countermeasures, you can perform the following to avoid IP spoofing attacks: 9 9 9 9 You should limit the access to configuration information on a machine You should always disable commands like ping You should reduce TTL fields in TCP/IP requests You should use multilayered firewalls
Module 03 Page 427
EC-C0UnCil

Scanning Networks
Copyright by EG-Gouncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
CEH S canning M eth o d o lo g y

So far, we have discussed concepts such as what to scan, how to scan, how to detect vulnerabilities, and the respective countermeasures that are necessary to perform scanning pen testing. Now we will begin the action of scanning pen testing.
1 9 1
Scanning Beyond IDS
3 0
r-^r-n
Prepare Proxies
Banner Grabbing
f* *
This section highlights the need to scan pen testing and the steps to be followed for effective pen testing.
Module 03 Page 428
EC-COUIICil

Scanning Networks

0
J
CE H
0
Pen testing a network for scanning vulnerabilities determines the network's security posture by identifying live systems, discovering open ports, associating services and grabbing system banners to simulate a network hacking attempt
The penetration testing report will help system administrators to:
Close unused ports
Calibrate firewall rules
Disable unnecessary services
Troubleshoot service configuration errors
Hide or customize banners
S canning P en T e stin g
The network scanning penetration test helps you to determine the network security posture by identifying live systems, discovering open ports and associated services, and grabbing system banners from a remote location, simulating a network hacking attempt. You should scan or test the network in all possible ways to ensure that no security loophole is overlooked. Once you are done with the penetration testing, you should document all the findings obtained at every stage of testing so that it helps system administrators to: 9 9 9 9 9 Close unused ports if not necessary/unknown open ports found Disable unnecessary services Hide or customize banners Troubleshoot service configuration errors Calibrate firewall rules to impose more restriction
Module 03 Page 429
EC-COUIICil

Scanning Networks

(Contd)
START
CEH
Check for the live hosts using tools such as Nmap, Angry IP Scanner, SolarWinds Engineer's toolset, Colasoft Ping Tool, etc. Use tools such as Nmap, Angry IP Scanner, etc. e Check for open ports using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc.
V
Perform port scanning
... >
Use tools such as Nmap, Netscan Tools Pro, etc.
Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, etc. Scan for vulnerabilities using tools such as Nessus, GFI LANGuard, SAINTscanner, Core Impact Professional, Retina CS Management, MBSA, etc.
V
Perform banner grabbing ibing /OS fingerprinting Use tools such as Telnet, Netcraft, ID Serve, etc.
V
Scan for vulnerability > Use tools such as Nessus, SAINTscanner, GFI LANGuard, etc.
S canning P en T e stin g (C ontd)

Let's see step by step how a penetration test is conducted on the target network.
Stepl: Host Discovery

The first step of network penetration testing is to detect live hosts on the target network. You can attempt to detect the live host, i.e., accessible hosts in the target network, using network scanning tools such as Angry IP Scanner, Nmap, Netscan, etc. It is difficult to detect live hosts behind the firewall.
Step 2: Port Scanning

Perform port scanning using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc. These tools will help you to probe a server or host on the target network for open ports. Open ports are the doorways for attackers to install malware on a system. Therefore, you should check for open ports and close them if not necessary.
Step 3: Banner Grabbing or OS Finger Printing

Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, Netcat, etc. This determines the operating system running on the target host of a network and its version. Once you know the version and operating system running on the target system, find
Module 03 Page 430
EC-C0l1nCil

Scanning Networks
and exploit the vulnerabilities related to that OS. Try to gain control over the system and compromise the whole network. Step 4: Scan for Vulnerabilities Scan the network for vulnerabilities using network vulnerability scanning tools such as Nessus, GFI LANGuard, SAINT, Core Impact Professional, Ratina CS, M BSA, etc. These tools help you to find the vulnerabilities present in the target network. In this step, you will able to determine the security weaknesses/loopholes of the target system or network.
Module 03 Page 431
EC-C0UnCil

Scanning Networks

(Contd)
V
Draw network diagrams Use tools such as LAN surveyor, OpManager, etc.
Prepare proxies
Use tools such as Proxy Workbench, Proxifier, Proxy Switcher, etc.
Draw network diagrams of the vulnerable hosts using tools such as LAN surveyor, OpManager, NetworkView, The Dude, FriendlyPinger, etc. e e Prepare proxies using tools such as Proxy Workbench, Proxifier, Proxy Switcher, SocksChain, TOR, etc. Document all the findings
S canning P en T e stin g (C ontd)

Step 5: Draw Network Diagrams
Draw a network diagram of the target organization that helps you to understand the logical connection and path to the target host in the network. The network diagram can be drawn with the help of tools such as LAN surveyor, OpManager, LANState, FriendlyPinger, etc. The network diagrams provide valuable information about the network and its architecture.
Step 6: Prepare Proxies

Prepare proxies using tools such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy,
ProxyFinder, etc. to hide yourself from being caught.
Step 7: Document all Findings

The last but the most important step in scanning penetration testing is preserving all outcomes of tests conducted in previous steps in a document. This document will assist you in finding potential vulnerabilities in your network. Once you determine the potential vulnerabilities, you can plan the counteractions accordingly. Thus, penetration testing helps in assessing your network before it gets into real trouble that may cause severe loss in terms of value and finance.
Module 03 Page 432
EC-COUIICil

Scanning Networks
M odule Summary
The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts Attackers use various scanning techniques to bypass firewall rules and logging mechanism, and hide themselves as usual network traffic Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system Drawing target's network diagram gives valuable information about the network and its architecture to an attacker HTTP Tunneling technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls Proxy is a network computer that can serve as an intermediary for connecting with other computers A chain of proxies can be created to evade a traceback to the attacker
M odule S u m m ary
Let's take a look at what you have learned in this module: The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network. Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. Attackers use various scanning techniques to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic. e Banner Grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system.
0
Drawing target's network diagram gives valuable information about the network and its architecture to an attacker. HTTP Tunneling technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls. Proxy is a network computer that can serve as an intermediary for connecting with other computers. A chain of proxies can be created to evade a traceback to the attacker.
Module 03 Page 433
EC-COUIICil

CEHv8 Module 03 Scanning Networks PDF

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

CEHv8 Module 03 Scanning Networks PDF

Hochgeladen von

Copyright:

Verfügbare Formate

Scanning Networks

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

M o d u le 03: Scanning Networks Exam 312-50

Ethical H acking and C ounterm easures v8

Module 03 Page 263

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

new study, published by Paritynews.com on October 10, 2012.

Module 03 Page 264

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Copyright SPAMfighter 2003-2012

Module 03 Page 265

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

IP Spoofing Detection Techniques Scanning Countermeasures Scanning Pen Testing

Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 Page 266

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

O v erview of N etw ork S can n in g

Sends TCP /IP probes

O b jec tives o f N e tw o rk Scanning

To discover live hosts, IP address, and open ports of live hosts

To discover operating systems and system architecture

To discover services ru nning on hosts

To discover vu ln e ra b ilitie s in live hosts

O verview of N etw ork S can n in g

Module 03 Page 267

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Gets network information

O bjectives of Network Scanning

Module 03 Page 268

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Module 03 Page 269

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

Check for Live Systems

Check for Open Ports

Scanning Beyond IDS

Draw Network. Diagrams

Scanning Pen Testing

CEH S can n in g M eth o d o lo g y

Check for Live Systems

Scan for Vulnerability

Check for Open Ports

Draw Network Diagrams

Scanning Beyond IDS

Scanning Pen Testing

Module 03 Page 270

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker

C hecking for Live System s ICMP Scanning

The ping scan output using Nmap:

192 168.16S.5 |nrr*p sn 192.16S.16S.S Services *

Command: Hosts Host

Nmap Outp14 Pciti Hosts Topology H 0Jt Detail! nmap sn 192.166.163.5

C h e c k in g for Live S ystem s IC M P S can n in g

192 168.16S.5 |nrrp sn 192.16S.16S.S Services