Beruflich Dokumente
Kultur Dokumente
Module 03
S c a n n in g N e tw o rk s
Module 03
CEH
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u rity N ew s
Hone S e rv ic e s Company N e tw o rk s C o n ta c t
Oct 18 2012
r
1
1
N f u js
S a lie n t ly S a lit y B o t n e t T r a p p e d S c a n n in g IP v 4 A d d r e s s S p a c e
The well known botnet Sality, which locates vulnerable voice-over-IP (VoIP) servers can be controlled to find the entire IPv4 address space without alerting, claimed a
Sality is a piece of malware whose primary aim is to infect web servers, disperse spam, and steal data. But the latest research disclosed other purposes of the same including
recognizing susceptible VoIP targets, which could be used in toll fraud attacks. Through a method called "reverse-byte order scanning," sality has administered towards scanning possibly the whole IPv4 space devoid of being recognized. That's only the reason the technique uses very less number of packets that come from various sources.
The selection of the target IP addresses is generated in reverse-byte-order increments. Also, there are large amounts of bots contributing in the scan. http://www.spamfighter.com
l- l
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
S ecurity N ew s
Saliently Sality Botnet Trapped Scanning IPv4 Address Space
Source: http://www.spamfighter.com A semi-famous botnet, Sality, used for locating vulnerable voiceoverIP (VoIP) servers has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study, published by Paritynews.com, on October 10, 2012. Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks. Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space, devoid of being recognized. That's the only reason the technique uses a very small number of packets that come from various sources. The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing in the scan. The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case, from various
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair King, as published by Softpedia.com on October 9, 2012). According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's the first time that such a happening has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been accepted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying any event like this one. According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet use classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator categorized the scans at around 3 million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly covers, but is unable to be noticed by present automation, as published by darkreading.com on October 4, 2012.
http://www.spamfighter.com/News-1799B-Salier1tlv-Salitv-Botnet-Trapped-Scanning-IPv4Address-Space.htm
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le O b je c tiv e s
J J J J J J J J Overview of Network Scanning CEH Scanning Methodology Checking for Live Systems Scanning Techniques IDS Evasion Techniques Banner Grabbing Vulnerability Scanning Drawing Network Diagrams ^ J J J J J J J J Use of Proxies for Attack Proxy Chaining HTTP Tunneling Techniques SSH Tunneling Anonymizers
CEH
M odule O b jectiv e s
Once an attacker identifies his/her target system and does the initial reconnaissance, as discussed in the footprinting and reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance where the attacker learns more about his/her target, such as what operating system is used, the services that are being run on the systems, and configuration lapses if any can be identified. The attacker can then strategize his/her attack, factoring in these aspects. This module will familiarize you with: 0 0 0 0 0 0 0 0 Overview of Network Scanning CEH Scanning Methodology Checking for Live Systems Scanning Techniques IDS Evasion Techniques Banner Grabbing Vulnerability Scanning Drawing Network Diagrams 0 0 0 0 0 0 0 0 Use of Proxies for Attack Proxy Chaining HTTP Tunneling Techniques SSH Tunneling Anonymizers IP Spoofing Detection Techniques Scanning Countermeasures Scanning Pen Testing
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
C EH
(itifwd ttkujl lUckM
Gets network
&
A ttacker
information
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. W hen it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more the ports are open, the more points of vulnerability, and the fewer the ports open, the more secure the system is. This is simply a general rule. In some cases, the level of vulnerability may be high even though few ports are open. Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, their targets' operating systems, system architecture, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems. Sends TCP /IP probes
&
Attacker
Network
FIGURE 3.1: Network Scanning Diagram
Discovering live hosts, IP address, and open ports of live hosts running on the network.
Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network. Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats. Detecting the associated network service of each port
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
HHH
G i
,.
hi
Scan for Vulnerability
n L1 ^
r Prepare Proxies
Banner Grabbing
wJ
W m, U
ft
Q O
Prepare Proxies
Banner Grabbing
This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system and various ping sweep tools.
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply This scan is useful for locating active devices or determining if ICMP is passing through a firewall
ICMP Echo Request
t o
M
ICMP Echo Reply Destination (192.168.168.5) Zenmap
Sc!n Target. Too* grofilc Profile Ping scan
Source (192.168.168.3)
Scans
192.165.168.1 192.16S.1663 192.165.'68.5 192.16S.66.13 S t a r t in g fJTap 6.01 ( h t tp :/ / n 1 rop.org ) at 2012-08 08 13:02 EOT Swap scan re p o rt fo r 192.168.168.5
most
i s up (0 .00 s la te n c y ).
Piter Hosts
M AC fld d re tt: (D e ll) M!ap dong: 1 I P address (1 host up) scanned in 0.10 secords
http://nmap.org
Copyright by HHrWBCil. All Rights Reserved. Reproduction is Strictly Prohibited.
ICMP Query
The UNIX tool ICM Pquery or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS MARK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses. ICMPquery has both a timestamp and address mask request option: icmp query <-query-> [-B] [-f fromhost] [d delay] [-T time] target
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
W here <query> is one of: -t: icmp timestamp request (default) -m: icmp address mask request -d: delay to sleep between packets is in microseconds. -T - specifies the number of seconds to wait for a host to respond. The default is 5. A target is a list of hostnames or addresses.
*iJN:::::::::::::::::::::::ft:::::::::::::
ICMP Echo Request
/*
Source (192.168.168.3)
Destination (192.168.168.5)
Zenmap
Scan Jo o ls Profile Help
Target
v I Profile:
Ping scan
:Scan!
Cancel
Details
192.168.168.1 192.168.168.3 192.168.168.5 S t a r t in g Nmap 6 .0 1 ( h t t p :/ / n 1 ra p .o rg ) at 2012-08-08 a? Nmap scan re p o rt fo r 1 9 2 .1 6 8 .1 6 8 .5 Host i s up (0 .0 6 s la t e n c y ) . M AC Add ress: ( D e ll) Nmap done: 1 IP ad d ress (1 host up) scanned in 0 .1 0 seconds
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCll All Rights Reserved. Reproduction is Strictly Prohibited.
P in g S w eep
J Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet Attackers then use ping sweep to create an inventory of live systems in the subnet T h e ping s w e e p o u tp u t using N m a p
Zenmap Sen loots N * T*fqcc Help v Profile *| Scanj Canct l n l , M IC M P Echo Request
CEH
_l
92.l6a.16S.l-S0
192.168.168.5
^ M
Command |m 8p Pf PA21,23.9Q ,3J891 9 2 .1 6 8 .1 6 8 .1 5 0 1 Hojb OS 4 Ho* * * W itt 1 6 S .1 1N.16S.1tt3 knxei Nn < * pOutput Port( / HoUi | Topology Hot! D etail* Scant nm ap m-PE PA 21.2J.80l3389 1 9 2 .1 6 8 .1 6 8 .1 5 0 H S [0 4 * IC M P Echo Reply Startlra N 6.01 ( http ://roup, org ) at 2012 01 01 12:41 tor *tup scan report for 192.168.168.1 Host is us ( 0. 00) latency). Adflicn. ( Healett-Packard Com pany) **p *can report for 192.168.16.) ftovt It up (ft.Mt latency). *AC W r t t t i (Apple) w p scan report *or 192.168. 168. tost is up (0.0010s latency). HA( Address: (Dell) f*1ap scan report for 192.168.168.13 Mot i* up <8.001 latency). AC Addrew: (Foxconnl snap scan report for 192.168.168.14 IC M P Echo Request
!.168.16 192.168.168.6
3 1W.16S.1tt5 * 19J.ltt.1ttU
IC M P Echo Request
Ml
192.168.168.7
Source 192.168.168.3
IC M P Echo Reply IC M P Echo Request
192.168.168.8
http://nmap. org
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
P in g Sweep
A ping sweep (also known as an ICM P sweep) is a basic network scanning technique to determine which range of IP addresses map to live hosts (computers). W hile a single ping tells the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts.
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
<
192.168.168.6
>
Source
19 2.1 6 8 .1 6 8 .3
192.168.168.7
TCP/IP Packet
To understand ping, you should be able to understand the TCP/IP packet. W hen a system pings, a single packet is sent across the network to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping also determines the number of hops that lie between the two computers and the round-trip time, i.e., the total time taken by a packet for completing a trip. Ping can also be used for resolving host names. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address. Source: http://nmap.org Using Nmap Security Scanner you can perform ping sweep. Ping sweep determines the IP addresses of live hosts. This provides information about the live host IP addresses as well as their MAC address. It allows you to scan multiple hosts at a time and determine active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Zenmap
Sc!n Target Joolt Erofik {jdp "v] Proffe 11
192.168.168.1-50
Scan
Cancel
|nmap -sn -PE PA21,23,80.3389192.168.168.1-5( Sernces A Nmap Output Ports/ Hosts Topology Host Details Scans nmap -sn PE-PA21.23.80.3389 192.168.168.1-50 %
Details
192.168.168.1 192.168.168.3 192.168.168.5 192.168.168.13 192.168.168.14 192.168.168.15 S ta rtin g Mrap 6.01 ( h tto ://n a p .o rg ) at 2012-08-08 12:41 M ap scan report fo r 192.168.168.1 Host is up (0.00s la te n c y ). *AC Address; I (Hewlett-Packard Cooany) Nm p scan report fo r 192.168.168.3 Host is up (0.00s la te n c y ). *AC A d d r m i * (Apple) Nnap scan report fo r 192.168.168.5 Host is up (0.0010s la te n c y ). M A C Address; ( D e ll) Nnap scan report fo r 192.168.168.13 Host is up (0.00s la te n c y ). M A C Address: (Foxconn) Nap scan report fo r 192.168.168.14 Host is up (0.0020s la te n c y ). v
* fti
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
P in g S w eep T ools
Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.
CEH
SolarWinds Engineer Toolset's Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.
o S'** *Rjr* * 1C011 9 1:0:1 1 0 0 cj Q io a u f tio a c j to o ts C Hoatt 100C7 fh o a c j M OOC9 Q r-at CH 0ac.11 1 0 a a ; Chocu.11 # 10ac.u #1001 &1COC.U M oatr Choatu fhoac. *<
IP Range Angry IP Scanner JoeU H lp to K.0J.S) Uctmiifc v [lPjnje SUrt v * M Pcm1i00c-| 80 0US.1 1JX In/a) 1& UIM U h l
_ !
M0*wme V W NUQ N3W R1RW f 9 1m Cm lm h/l 4n h/1| 1ra Kl KH Kl K*l h/1l |V*I Kv.| O ? mm K1 h/l !*/I Kl
H 0W n* In/11 M M MttlCMM1 HnOcwit ln/1l < vmixqn;\V(W9m H V ) In/i) In/) In/) In/) ln/1) l*v ! I V*I In/! In/] la/) In/) In/) & **> A JI
|n/) |n) In/) |n') In') In) |n/) In/) |n/| (') In/) In ____________________)v |
T h 0 **
Angry IP Scanner
http://www.angryip.org
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
P in g Sweep Tools
Determining live hosts on a target network is the first step in the process of hacking or breaking into a network. This can be done using ping sweep tools. There are a number of ping sweep tools readily available in the market using which you can perform ping sweeps easily. These tools allow you to determine the live hosts by sending ICMP ECHO requests to multiple hosts at a time. Angry IP Scanner and Solarwinds Engineer's Toolset are a few commonly used ping sweep tools.
Angry IP Scanner
/j
Source: http://www.angryip.org
Angry IP Scanner is an IP scanner tool. This tool identifies all non-responsive addresses as dead nodes, and resolves hostname details, and checks for open ports. The main feature of this tool is multiple ports scanning, configuring scanning columns. Its main goal is to find the active hosts in the network by scanning all the IP addresses as well as ports. It runs on Linux, Windows, Mac OS X, etc. It can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
Commands
Favorites
loots
Help | |IF Range rJ C+ Start v i| Ports [2000.) 80 80.135.139.4... 135,139,445,... [n/a] 135,139,445,... [n/a] 80.135 [n/a] [n/a] [n/a] [n/a] =
IP Range | 10.0.0.1 Hostname | WIN-LXQN3WR3R9I IP >10.0.0.1 010.0.0.2 @10.0.0.3 #10.0.0.4 >10.0.0.5 10.0.0.6 )10.0.0.7 C
m
| to | 10.0.0.50 # IP I | Netmask
Hostname [n'a] W1N-MSSLCK4IC41 WindowsS [n/a] W1N-LXQN3WR3R9M [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] litfa] [ /a] [n/a] [n/a] [iVa] [n/a] [nfa] lva] Display: All Threads; 0
[n/a]
4 ms [n/a] 1 ms [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] 627 ms [n/a] [n/a] [n/a] [n/a]
0.0.0.8
[n/a]
[n/a] [n/a] [n/a] [n/a]
[n/a]
[n/a] [n/a] v
u o o
F | A I IP t DNS L ookup
| Sra n
Srnn
fpAddress
1 9 2 IM IM 1 0 1 9 21 6 61 6 61 1 1 9 21 6 61 6 61 2 1 9 21 6 61 6 61 3 1 9 21 6 61 6 61 4 1 9 21 6 61 6 61 5 1 9 21 6 6 16816 1 9 21 6 6 . 1 6 61 7 1 9 21 6 61 6 6 . 1 6 1 9 21 6 61 6 61 9 1 9 21 6 61 6 62 0 1 9 21 6 61 6 6 . 2 1 1 9 21 6 61 6 6 . 2 2 1 9 21 6 61 6 62 3 1 9 21 6 61 6 62 4 1 9 21 6 61 6 62 5 1 9 21 6 61 6 62 6 1 9 21 6 61 6 6 . 2 7 1 9 21 6 61 6 6 . 2 6 1 9 21 6 61 6 62 9 1 9 21 6 61 6 63 0 1 9 21 6 61 6 63 1 1 9 21 6 61 6 63 2 < 1 Scan Complied Scan N _ *V* " I J I {_ #
Response T e n e Request Tired Out Request T mod Out Request Tmed Out RequOSt Tmed Out 3m e Reauest Tmed Out Reaues! Tmed Oat ^ Recues! Tmed Oul Request Tmed Oul Request Tmed Out Request Tmed Out Request Tmed Out Request T i m e d Out Request Tmed Out Request Tmed Out 2m s Request Tmed Out 2m s Request Tmed Oyt 3m e 3m s 2m s III DNS
,t
>
9 0
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
P in g S w eep T ools
(C ontd)
Colasoft Ping Tool
h ttp ://w w w . colasoft. com
CEH
PacketTrap MSP
http ://w w w .pa ckettra p .co m
Ping Sweep
h ttp://w w w .w hatsupgold.com
Network Ping
h ttp://w w w .greenline-soft.com
Ping Monitor
h ttp ://w w w .n ilia n d . com
PinglnfoView
S
h ttp ://w w w .n irs o ft.n e t
Pinkie
h ttp ://w w w .ip u p tim e .n e t
In addition to Solarwinds Engineer's Toolset and Angry IP Scanner, there are many other tools that feature ping sweep capabilities. For example: 9 9 9 9 9 9 9 9 9 9 Colasoft Ping Tool available at http://www.colasoft.com Visual Ping Tester - Standarad available at http://www.pingtester.net Ping Scanner Pro available at http://www.digilextechnologies.com Ultra Ping Pro available at http://ultraping.webs.com PinglnfoView available at http://www.nirsoft.net PacketTrap MSP available at http://www.packettrap.com Ping Sweep available at http://www.whatsupgold.com Network Ping available at http://www.greenline-soft.com Ping Monitor available at http://www.niliand.com Pinkie available at http://www.ipuptime.net
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
* 1 So far we discussed how to check for live systems. Open ports are the doorways for an attacker to launch attacks on systems. Now we will discuss scanning for open ports.
life
O Q ^
Prepare Proxies
Banner Grabbing
This section covers the three-way handshake, scanning IPv6 networks, and various scanning techniques such as FIN scan, SYN scan, and so on.
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
T h ree-W ay H a n d s h a k e
Three-w ay Handshake Process
1. The Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet with only the SYN flag set 2. The server replies with a packet with both the SYN and the ACK flag set 3. For the final step, the client responds back to the server with a single ACK packet 4. If these three steps are completed without complication, then a TCP connection is established between the client and the server
(rtifwd
CEH
itkitjl
TCP uses a three-way handshake to establish a connection between server and client
T hree-W ay H an d sh a k e
TCP is connection-oriented, which implies connection establishment is principal prior to data transfer between applications. This connection is possible through the process of the three-way handshake. The three-way handshake is implemented for establishing the connection between protocols.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
The TCP protocol maintains stateful connections for all connection-oriented protocols across the Internet, and works the same as an ordinary telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end until a person picks up the receiver and says, "Hello."
Bill
Three-way Handshake
Sheela
1 0 .0 .0 .3 :2 1
1 0 .0 .0 .2 :6 2 0 0 0 ^ ................ ....................
..*
Irvc
Client
Server
Frame 1:
In the first step, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize the sequence numbers. It specifies its Initial Sequence Number (ISN), which is incremented by 1 and that is sent to the server. To initialize a connection, the client and server must synchronize each other's sequence numbers. There is also an option for the
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4), this option communicates the maximum segment size the sender wants to receive. The Acknowledgement field (ack: 0) is set to zero because this is the first part of the three-way handshake.
1 2.0785 NTW3 --> BDC3 TCP ___ S., len: 4, seq: 8221822-8221825, ack: 0,
win: 8192, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP
TCP: dst: ....S., len: 4, seq: 8221822-8221825, 139 (NBT Session) ack: 0, win: 8192, src: 1037
TCP: Source Port = 0x040D TCP: Destination Port = NETBIOS Session S TCP: Sequence Number = 8221822 (0x7D747E)
..0....
...0.... = Acknowledgement field ....0... = No Push function .... 0 . . = No Reset 1. = Synchronize sequence numbers ............. 0 = No Fin .
(0x2000)
TCP: Option Length = 4 (0x4) TCP: Option Value = 1460 TCP: Frame Padding (0x5B4)
02 60 8C 9E 18 8B 02 60 8C 3B 85 Cl 08 00 45 00 00 2C 0D 01 40 00 80 06 El 4B 83 6B 02 D6 83 6B 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 20 00 F2 13 00 00 02 04 05 B4 20 20
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Frame 2:
In the second step, the server, BDC3, sends an ACK and a SYN on this segment (TCP .A..S.). In this segment the server is acknowledging the request of the client for synchronization. At the same time, the server is also sending its request to the client for synchronization of its sequence numbers. There is one major difference in this segment. The server transmits an acknowledgement number (8221823) to the client. The acknowledgement is just proof to the client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client's request allows the server to increment the client's sequence number by one and uses it as its acknowledgement number.
2 2.0786 BDC3 > NTW3 8760, TCP .A..S., l e n : 4, seq: 1109645-1109648, dst: 1037 BDC3 --> NTW3 ack: 8221823, win: ack: IP 8760,
(NBT Session)
1109645-1109648, 1037
(NBT Session)
TCP: Destination Port = 0x040D TCP: Sequence Number = 1109645 (0xl0EE8D) (0x7D747F)
TCP: Reserved = 0 (0x0000) TCP: Flags = 0x12 TCP: TCP: TCP: TCP: TCP: TCP: ..0.... = ...1.... = : .A..S. No urgent data Acknowledgement field Push function Reset sequence numbers significant
(0x2238)
TCP: Checksum = 0x012D TCP: Urgent Pointer = 0 (0x0) TCP: Options TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4) TCP: Option Value = 1460 TCP: Frame Padding (0x5B4)
00000
00010
0 00 20
02 00 02
60 8C 3B 85 Cl 02 60 8C 9E 18 8B 08 00 45 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 .,[.0_____L.k...k
...... E.
.............. }t'.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
00030:
22 38 01 2D 00 00 02 04 05 B4 20 20
8 .-
Frame 3:
In the third step, the client sends an ACK on this segment (TCP .A....). In this segment, the client is acknowledging the request from the server for synchronization. The client uses the same algorithm the server implemented in providing an acknowledgement number. The client's acknowledgment of the server's request for synchronization completes the process of establishing a reliable connection, thus the three-way handshake.
3 2.787 NTW3 --> BDC3 8760, TCP .A , len: 0, seq: 8221823-8221823, 139 (NBT Session) ack: IP
1109646, win:
src: 1037
dst:
TCP:
0, seq:
8221823-8221823,
ack:
1109646, win:
8760,
src: 1037
(NBT Session)
TCP: Source Port = 0x040D TCP: Destination Port = NETBIOS Session Service TCP: Sequence Number = 8221823 (0x7D747F) (0xl0EE8E)
. .0 ....
= No urgent data
(0x2238)
TCP: Checksum = 0xl8EA TCP: Urgent Pointer = 0 (0x0) TCP: Frame Padding
02 60 8C 9E 18 8B 02 60 8C 3B 85 Cl 08 00 45 00 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 22 38 18 EA 00 00 20 20 20 20 20 20
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
URG (Urgent)
F IN (Finish)
jm m m
PSH (Push) ACK (Acknowledgement) > SYN (Synchronize)
Standard TCP communications are controlled by flags in the TCP packet header
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
SYN scanning mainly deals with three of the flags, namely, SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during the enumeration process.
Acknowledgement No Res TCP Flags Window Urgent Pointer Options \< ------------- 0-31 B its-------------- >
FIGURE 3.9: TCP Communication Flags
Offset
TCP Checksum
CEH
3ckte
Move U p|
!***
-J Colasoft Packet Builder enables creating custom network packets to audit networks for various attacks J Attackers can also use it to create fragmented packets to bypass firewalls and IDS systems in a network
Packet Info: gackec tta c e r; ^ BacJrcr Le=ath: Captnred Length: { g Delta Tine E d Ethernet Type I I j y i J f s t i a t i Mdress: JUfSouic? U d m 9 : Protocol: E- .J I ? - Internet Protocol ! Version 0 i 0 Mea 1: Length g>-0 Differentiated Services Plaid j j 0 Srvlcf Codepcint j > Trr.*por1 r u t -col w ill 1 903 c* tii* CE b it U Coaaaatios
< 1
000004 64 60 0.100000 Second [0/14] 00:00:00:00:00:00 [0/6] 00:00:00:00 :00:00 [6/6] 0x0800 (Inter: [14/20] 4 xFO [U/1] O S < 2 0 Bytes) [1 < 0 0 00 oaoo [15/1! OxPF 0000 00.. [18/1] OxfC (Ignoi .......... 0. [15/1] ............0 (Xu Conqmtlon)
<
HwEdrtc
Total
60 byirt
http://www. colasoft.com
ImportExportw
&
3*
Add
Copy
Pas- Delete
I *
Move
Send
4*
Send All
* f c *
'w E I& B r S B
Delta Time 0.100000 0.100000 0.100000 0.100000 Source 00:00:00:00:1 0.0.0.0 0.0.0.0:0 0.0.0.0:0
Decode Editor
Packet No.
4
No. 2 3
Packet Info: a Packet Number: <3 *Packet Length: ! ^ Captured Length: H H Delta Time -> Ethernet Type II Destination Address: Source Address: Protocol: 0 IP - Internet Protocol j & Version : Header Length E3 @Differentiated Services Field | _~ Differentiated Services Codepoint O Transport Protocol will ignore the CE bit | ~~ Congestion
60 0.100000 Second
[0 / 1 4 ]
0 0 : 0 0 : 0 0 : 0 0 : 00:00 0 0 :0 0 :0 0 :0 0 :0 0 : 0 0
[ 0 /6 ]
[6 / 6 ]
0x0800 [14/20]
(Intern [14/1] OxFO (20 Bytea) [14 [15/1] OxFF [15/1] OxFC (Ignore) [15/1] (No Congestion)
0 0 0 00 0 0 0 0 0 0 0 00..
......... 0
...........0.
< L
jc%
Hex Editor
Total | 60 bytes
00 00 00 00
00 2C 00 00
00 00 00 00
00 00 00 00
00 40 00 00
00 00 00 00
00 40 00 00
00 11 1A 00
00 3A FF 00
00 CO BA 00
00 00 00 00
00 08 00 45 00 00 00 00 00 00 00 00 00 00 00 00
A ---0.0.s. V /
T >
: ...
S c a n n in g IP v 6 N e tw o rk
im ttiM
CEH
tUx*l lUckM
I I L
a
IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy
Traditional network scanning techniques will be computationally less feasible due to larger search space (64 bits of host address space or 2s4 addresses) provided by IPv6 in a subnet
Scanning in IPv6 network is more difficult and complex than the IPv4 and also major scanning tools such as Nmap do not support ping sweeps on IPv6 networks
Attackers need to harvest IPv6 addresses from network traffic, recorded logs or Received from: and other header lines in archived email or Usenet news messages
Scanning IPv6 network, however, offers a large number of hosts in a subnet if an attacker can compromise one host in the subnet; attacker can probe the "all hosts" link local multicast address
S c a n n in g Tool: N m a p
J J monitoring host or service uptime
C EH
Network administrators can use Nmap for network inventory, managing service upgrade schedules, and Attacker uses Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems and OS versions
http://nmap.org
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Zenm gp
tel
t M
Mi M lMM I u n
T1 A . I V M M > N m W > 1 * MM D u tu n
Ml t ll iw IM ^niHIDU
s ia t i
S t M t ln g m m 4.*1 < M 1 : / / M W . K | ) m ) M M 11:1! M M M M r < Tia B L . M M I M f l K M r ! " ! t l a t l n g A V lng Scan t |:22 W mwIm (1 v t l Caag iatM * V *ing Scan at I S :2 2, M a l * t M ( I t a t a l M a t ) : * i t ta tin g f a l l a l Cm r a lt ft iM a* I M a t . at lt:2 2 C a M ia t M a ll ! CMS r * t a l t la n 0* 1 M a t . at IS !2 2 . I H t
. * HHM rtt
w m ia It*
1m ia ftM VC
B L Ur 1 0 %
KtMlN!.
V *. Mtf)
M l V t c a M M I/ t i! * I.ftftlv2:
fe ftM M U a t ln
aivaai
M> M I ^ 1 U 1 U N d w M a '1 * m 1*t 1 m 1 (Ii m i n P n l c e I r a * | t n t r l *tK fO M ft lllM H oxo*. wln*ot V l* t a | M | 7 f l l C P t: cp IcreM ^t iwM n . r i t t a : : c m :/
11I/1 t i l l l uM i r t l SV . J
19:24 <:1.4*
H ))/ t ( M IM .IM IM S * S t !!* W an f l * l : 1aat M . 4 M M M ) I K l 1* 24 < M 4 'allg C a M ia t M S M S ' a lt * Scan at IS :24. M * l a la M M 14SS1S fa t a l M ^ tt) ! n i t ia t in c S M v ic a c m at I!24 Scanning a^vlca M 112 I M I M \ C a M lv t M M ^ v lc a m m at I S ! >4, 44 M t a la M M (g m U a M 1
M M Hyj M h m t M 00+* M t
H p in g 2 / H p in g 3
J J J Command line packet crafter for the TCP/IP protocol Tool for security auditing and testing firewall and networks Runs on both Windows and Linux operating systems
UrtifW
CEH
itkMl lUikw
http://www.hping.org
3 1 0 .0 .0 .2 -p 8 9 1 800 .2 1 9 .0 .0 .2 ) : A set, 4 0headers + 0data bytel len = 4 0ip-1 0 .0 .0 .2 t t l = 1 2 8OF id=2 6 85spoci^0 flags-R seq^O w ln 0 rtt= 1 .3ms ^ len ^ 4 0ip-1 0 .0 .0 .2 t t l = 1 2 8OF id2 6 5 8 6sport-ee-flags-R seq1w in = 0rtt=6 .8 ms len = 4 0ip-1 0 .0 .0 .2 t t l = 1 2 8OF id = 2 6 0 8 7sport-8 GFflags=R Ieq ^ 2w in=o r 11=1.0 len 4 0ip-1 0 .0 .0 .2 t t l 1 2 8OF id 2 6 0 8 8sport8 0flogs-R scq3w 1 n=0 rtr= 6 .9 ms len = 4 0ip=1 0 ^L0 .2 t t l = 1 2 8OF id 2 6 6 8 95porjt=8e ftcgsfR seq= 4w len=4 ) 1^=10.0 .8/?t t l = 1 2 8DF ld=2 6 B9 D sport80 flags=R seq= 5J in 0 rtt- 0 .5 ms len= 4 6ip=1 0 .O.3 .2 t t l = 1 2 8OF id = 2 6 0 9 1sport= 8 0flags=R seq= 6w in = 0rtt=e.7ms len = 4 0ip=1 0 .O.0 .2 t t l = 1 2 8OF id 2 6 0 9 2 sport 8 0 flags^R seq= 7w ln = 8rtt=8 .8 ms len 4 0ip-1 0 .0 .0 .2 t t l 1 2 8OF id 2 6 0 9 35 port8 0flegs R seq8w
footgbt:-# hping A HPINC . . (ethl
ACK Scanning on p o rt 80
Copyright by EG-GMMCil. All Rights Reserved. Reproduction Is Strictly Prohibited.
H ping2/H ping3
Source: http://www.hping.org HPing2/HPing3 is a command-line-oriented TCP/IP packet assembler/analyzer that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It has Traceroute mode, and enables you to send files between covert channels. It has the ability to send custom TCP/IP packets and display target replies like a ping program does with ICMP replies. It handles fragmentation, arbitrary packets' body and size, and can be used in order to transfer encapsulated files under supported protocols. It supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services. An attacker studies the behavior of an idle host to gain information about the target such as the services that the host offers, the ports supporting the services, and the operating system of the target. This type of scan is a predecessor to either heavier probing or outright attacks. Features: The following are some of the features of HPing2/HPing3: 0 0 Determines whether the host is up even when the host blocks ICMP packets Advanced port scanning and test net performance using different protocols, packet sizes, TOS, and fragmentation
Manual path MTU discovery Firewalk-like usage allows discovery of open ports behind firewalls Remote OS fingerprinting TCP/IP stack auditing
9
9 9
ICM P Scanning A ping sweep or Internet Control Message Protocol (ICM P) scanning is a process of sending an ICMP request or ping to all hosts on the network to determine which one is up. This protocol is used by operating system, router, switch, internet-protocol-based devices via the ping command to Echo request and Echo response as a connectivity tester between different hosts. The following screenshot shows ICMP scanning using the Hping3 tool:
v x root@bt: ~
root@bt:~# hpi ng3 -1 10 . 0 . 0 . 2 HPING 10.0.0.2 (e th l 10 .0 .0 .2 ): icmp mode set, 28 headers + 0 d len=28 ip=10.0 .0.2 ttl= 128 id=25908 icmp_seq=0 rtt=2.2 m s len=28 ip=10.0 .0.2 ttl= 128 id=25909 icmp_seq=l rtt=1.0 m s len=28 ip=10.0 .0.2 ttl= 128 id=25910 icmp_seq=2 rtt=1.7 m s len=28 ip=10.0 .0.2 ttl= 128 id=25911 icmp_seq=3 rtt=0.5 m s icmpseq=4 rtt=0.4 m s len=28 ip=10.0 .0.2 ttl= 128 id=2591% len=28 ip=10.0 .0.2 ttl= 128 id=25913 icmp seq=5 r t t = l . l m s len=28 ip=10.0 .0.2 ttl= 128 id=25914 icmp seq=6 rtt=0.9 m s len=28 ip=10.0 .0.2 ttl= 128 id=25915 icmp seq=7 r t t = l . l m s len=28 ip=10.0 .0.2 ttl= 128 id=25916 icmp seq=8 rtt=0.9 m s len=28 ip=10.0 .0.2 ttl= 128 id=25917 icmp seq=9 r t t = l . l m s s len=28 ip=10.0 .0.^>ttl= 128 id=25918 icmp seq=10 rtt=0.8 m len=28 ip=10.0 .0.2 ttl= 128 id=25919 icmp_seq=ll rtt=1.2 m s len=28 ip=10.0 .0.2 ttl= 128 id=25920 icmp seq=12 rtt=0.7 m s len=28 ip=10.0 .0.2 ttl= 128 id=25921 icmp seq=13 rtt=0.8 m s len=28 ip=10.0 .0.2 ttl= 128 id=25922 icmp seq=14 rtt=0.7 m s len=28 ip=10.0 .0.2 ttl= 128 id=25923 icmp seq=15 rtt=0.7 m s len=28 ip=10.0 .0.2 ttl= 128 id=25924 icmp seq=16 rtt=0.8 m s len=28 ip=10.0 .0.2 ttl= 128 id=25925 icmp seq=17 rtt=1.0 m s
FIGURE 3.12: Hping3 tool showing ICMO scanning output
ACK Scanning on Port 80 You can use this scan technique to probe for the existence of a firewall and its rule sets. Simple packet filtering will allow you to establish connection (packets with the ACK bit set), whereas a sophisticated stateful firewall will not allow you to establish a connection. The following screenshot shows ACK scanning on port 80 using the Hping3 tool:
>v
ro o tab t: -
0 0 t@ bt:~# hping3 -A 1 0 .0 .0 .2 p 80 HPING 1 0 .0 .0 .2 ( e t h l 1 0 .0 .0 .2 ): A s e t, 40 headers + 0 d ata byte s len=40 ip = 1 0 .0 .0 .2 ttl= 128 DF id=26085 spar,t=80 flags= R seq=0 w in=0 rtt= 1 .3 ms len=40 ip = 1 0 .0 .0 .2 ttl= 128 DF id=26086 sport=80 flags= R seq=l w in=0 rtt= 0 .8 ms -'" len=40 ip=10.0 .0 .2 ttl= 128 DF id=26087 sport=89 flags= R seq=2 w in=0 rtt= 1 .0 ms len=40 ip = 1 0 .0 .0 .2 ttl= 128 DF id=26088 sport=80 ^lags=R seq=3 w in=0 rtt= 0 .9 ms len=40 ip = 1 0 J0 .0 .2 ttl= 128 DF id=26089 sport=80 flags= R seq=4 w in=0 r,tt=p. 9 ros ^ Jj I 4 ^ f j len=40 ip = lO .0 .0 .2 ttl= 128 DF id=26O90 sport=80 flags= R seq=5 w in=0 rtt= 0 .5 ms len=40 ip = lO .0 .0 .2 ttl= 128 DF id=26091 sport=80 flags= R seq=6 w in=0 rtt= 0 .7 ms len=40 ip= 10.0.O .2 ttl= 128 DF id=26092 sport=80 flags= R seq=7 w in=0 rtt= 0 .8 m s len=40 ip= 10.0.O .2 ttl= 128 DF id=26093 sport=80 flags= R seq=8 v
FIGURE 3.13: Hping3 tool showing ACK scanning output
H p in g C o m m a n d s
ICMP Ping SYN scan on port 50-60
UrtifM
c EH
ItkKJl Nm Im
hping3 -1 10.0.0.25
hpng3 -A 10.0.0.25 -p 80
hping3 -F -p -U 10.0.0.25 -p 80
U D Psc a n o n port 80
hping3 -2 10.0.0.25 -p 80
-I ethO
Intercept all traffic containing HTTP signature
h p i n g 3 1 9 2 . 1 6 8 . 1 . 1 0 3 -Q -p 139
Hping C om m ands
The following table lists various scanning methods and respective Hping commands:
Scan ICMP ping ACK scan on port 80 UDP scan on port 80 Collecting initial sequence number Firewalls and time stamps SYN scan on port 50-60 FIN, PUSH and URG scan on port 80 Scan entire subnet for live host Intercept all traffic containing HTTP signature SYN flooding a victim
Commands
hping3 -1 10.0.0.25 hping3 -A 10.0.0.25 -p 80 hping3 -2 10.0.0.25 -p 80 hping3 192.168.1.103 -Q -p 139 -s hping3 -S 72.14.207.99 -p 80 --tcptimestamp hping3 -8 50-56 -S 10.0.0.25 -V hping3 -F -p -U 10.0.0.25 -p 80 hping3 -1 10.0.1.x --rand-dest -I ethO hping3 9 HTTP -I ethO hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
TABLE 3.1: Hping Commands Table
S c a n n in g T e c h n iq u e s
TCP Connect / Full Open Scan Stealth Scans IDLE Scan ICMP Echo Scanning/List Scan
T E C
SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning ACK Flag Scanning
H
N
I o
E
u
S
Scanning T echniques
Scanning is the process of gathering information about the systems that are alive and responding on the network. The port scanning techniques are designed to identify the open ports on a targeted server or host. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the intent of compromising it.
SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning
echo echo discard discard systat daytime daytime netstat qotd chargen chargen ftp-data ftp ssh telnet smtp time time rip nicname domain domain sql*net sql*net bootps bootps bootpc
7/tcp 7/udp 9/tcp 9/udp 11/tcp 13/tcp 13/udp 15/tcp 17/tcp 19/tcp 19/udp 20/tcp 21/tcp 22/tcp 23/tcp 25/tcp 37/tcp 37/udp 39/udp 43/tcp 53/tcp 53/udp 66/tcp 66/udp 67/tcp 67/udp 68/tcp Mail Timeserver Timeserver resource location who is domain name server domain name server Oracle SQL*net Oracle SQL*net bootp server bootp server bootp client Quote ttytst source ttytst source ftp data transfer ftp command Secure Shell sink null sink null Users
68/udp 69/tcp 69/udp 70/tcp 79/tcp 80/tcp 80/udp 88/tcp 88/udp 109/tcp 110/tcp 111/tcp 111/udp 113/tcp 113/udp 114/tcp 114/udp 119/tcp 119/udp 123/tcp Port/Protocol 123/udp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp 143/tcp
bootp client Trivial File Transfer Trivial File Transfer gopher server Finger WWW WWW Kerberos Kerberos PostOffice V.2 PostOffice V.3 RPC 4.0 portmapper RPC 4.0 portmapper Authentication Service Authentication Service Audio News Multicast Audio News Multicast Usenet Network News Transfer Usenet Network News Transfer Network Time Protocol Description Network Time Protocol NETBIOS Name Service NETBIOS Name Service NETBIOS Datagram Service NETBIOS Datagram Service NETBIOS Session Service NETBIOS Session Service Internet Message Access Protocol
Pop 3 sunrpc sunrpc auth/ident auth audionews audionews nntp nntp ntp
Name
imap sql-net sql-net sqlsrv sqlsrv snmp snmp snmp-trap snmp-trap cmip-man cmip-man cmip-agent cmip-agent ire ire at-rtmp at-rtmp at-nbp at-nbp at-3 at-3 at-echo at-echo at-5 at-5 at-zis at-zis at-7
143/udp 150/tcp 150/udp 156/tcp 156/udp 161/tcp 161/udp 162/tcp 162/udp 163/tcp 163/udp 164/tcp 164/udp 194/tcp 194/udp 201/tcp 201/udp 202/tcp 202/udp 203/tcp 203/udp 204/tcp 204/udp 205/tcp 205/udp 206/tcp 206/udp 207/tcp
Internet Message Access Protocol SQL-NET SQL-NET SQL Service SQL Service
CMIP/TCP Manager CMIP CMIP/TCP Agent CMIP Internet Relay Chat Internet Relay Chat AppleTalk Routing Maintenance AppleTalk Routing Maintenance AppleTalk Name Binding AppleTalk Name Binding AppleTalk AppleTalk AppleTalk Echo AppleTalk Echo AppleTalk AppleTalk AppleTalk Zone Information AppleTalk Zone Information AppleTalk
at-7 at-8 at-8 ipx ipx imap3 imap3 aurp aurp netware-ip netware-ip Name rmt rmt 54erberos54-ds 54erberos54-ds isakmp fcp exec comsat/biff login who shell syslog printer printer talk talk ntalk
207/udp 208/tcp 208/udp 213/tcp 213/udp 220/tcp 220/udp 387/tcp 387/udp 396/tcp 396/udp Port/Protocol 411/tcp 411/udp 445/tcp 445/udp 500/udp 510/tcp 512/tcp 512/udp 513/tcp 513/udp 514/tcp 514/udp 515/tcp 515/udp 517/tcp 517/udp 518/udp
Interactive Mail Access Protocol v3 Interactive Mail Access Protocol v3 AppleTalk Update-Based Routing AppleTalk Update-Based Routing Novell Netware over IP Novell Netware over IP Description Remote mt Remote mt
ISAKMP/IKE First Class Server BSD rexecd(8) used by mail system to notify users BSD rlogind(8) whod BSD rwhod(8) cmd BSD rshd(8) BSD syslogd(8) spooler BSD lpd(8) Printer Spooler BSD talkd(8) Talk New Talk (ntalk)
518/udp
SunOS talkd(8)
532/tcp
540/tcp 540/udp 543/tcp 543/udp 544/tcp 544/udp
Readnews
uucpd BSD uucpd(8) uucpd BSD uucpd(8) Kerberos Login Kerberos Login Kerberos Shell Kerberos Shell krcmd Kerberos encrypted remote shell -kfall ECD Integrated PC board srvr NFS Mount Service PC-NFS DOS Authentication BW-NFS DOS Authentication Flexible License Manager Flexible License Manager Kerberos Administration Kerberos Administration kdc Kerberos authenticationtcp Kerberos
ekshell
545/tcp
pcserver mount pcnfs bwnfs flexlm flexlm 5 6erberos-adm 56erberos-adm kerberos kerberos 56erberos mas ter 56erberos mas ter krb_prop
600/tcp 635/udp 640/udp 650/udp 744/tcp 744/udp 749/tcp 749/udp 750/tcp 750/udp
751/udp
Kerberos authentication
751/tcp
Kerberos authentication
754/tcp
999/udp
Applixware
socks socks kpop ms-sql-s ms-sql-s ms-sql-m ms-sql-m Name pptp pptp nf s nf s eklogin rkinit kx kauth lyskom sip sip xll xll ire af s af s
1080/tcp 1080/udp 1109/tcp 1433/tcp 1433/udp 1434/tcp 1434/udp Port/Protocol 1723/tcp 1723/udp 2049/tcp 2049/udp 2105/tcp 2108/tcp 2111/tcp 2120/tcp 4894/tcp 5060/tcp 5060/udp 6000-6063/tcp 6000-6063/udp 6667/tcp 7000-7009/udp 7000-7009/udp
TABLE 3.2: Reserved Ports Table
Pop with Kerberos Microsoft SQL Server Microsoft SQL Server Microsoft SQL Monitor Microsoft SQL Monitor Description Pptp Pptp Network File System Network File System Kerberos encrypted rlogin Kerberos remote kinit X over Kerberos Remote kauth LysKOM (conference system) Session Initiation Protocol Session Initiation Protocol X W indow System X W indow System Internet Relay Chat
CEH
m
Attacker
Target
*
Attacker
??. .
H
Target
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
mm
by a SYN+ACK flag by the server which, in turn, is acknowledged by the client with an ACK flag to complete the connection. You can establish a connection from both ends, and terminate from both ends individually.
Vanilla Scanning
In vanilla scanning, once the handshake is completed, the client ends the connection. If the connection is not established, then the scanned machine will be DoS'd, which allows you to make a new socket to be created/called. This confirms you with an open port to be scanned for a running service. The process will continue until the maximum port threshold is reached.
If the port is closed the server responds with an RST+ACK flag (RST stands for "Reset the connection"), whereas the client responds with a RST flag and here ends the connection. This is created by a TCP connect () system call and will be identified instantaneously if the port is opened or closed. Making separate connects() call for every targeted port in a linear fashion would take a long time over a slow connection. The attacker can accelerate the scan by using many sockets in parallel. Using non-blocking, I/O allows the attacker to set a low time-out period and watch all the sockets simultaneously.
u is d a v d it ia g e s
The drawback of this type of scan is easily detectable and filterable. The logs in the
The Output
Initiating Connect () Scan against (172.17.1.23) Adding open port 19/tcp Adding open port 21/tcp Adding open port 13/tcp SYN Packet + Port (n) .............................. SYN / ACK Packet ACK + RST
Attacker
FIGURE 3.14: Scan results when a port is open
Target
Attacker
FIGURE 3.15: Scan results when a port is closed
arget
Zfnmap
S<!n Ttrgct J0ok of.lc tjflp ~vj Profile
sT v nmip 192-168.168.5
StrvKtt Nmip Output Potts/Hosts Topology Most Dt!h Scans
192.168.168.5
M l Afl t i r C i l .
(Oeil)
R c t af l l l lf l i c ! frw;
C:\Progra F i l e s (xS6)\N*ap Nm p done: 1 IP address ( I host up) scanned in 43.08 seconds Rax packets s e n t: 1 (288) | Rcvd: 1 (288)
UrtifWtf
CEH
tthKJl lUckM
+ACK
,^ s /
........................
a
Sheela
10.0.0.3:80
The client sends a single SYN packet to the server on the appropriate port
Bill
10.0.0.2:2342
Port is open
lf the port is open then the server responds with a SYN/ACK packet
(ft
If the server responds with an RST packet, then the remote port is in the "closed" state Bill
10.0.0.2:2342
WN|PrlSn|
*O j j
Sheela
10.0.0.3:80
The client sends the RST packet to close the initiation before a connection can ever be established
Port is closed
If the response is forwarded with an "RST" packet, then the port is supposed to be in a "CLOSED" state.
SYN (Port 80)
Bill
10.0.0.2:2342
Sheela
10.0.0.3:80
P o r t is o p e n
FIGURE 3.16: Stealth Scan when Port is Open
^
Bill
10.0.0.2:2342
.....
Sheela
10.0.0.3:80
Port is closed
FIGURE 3.17: Stealth Scan when Port is Closed
Zenmap Tool
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save the frequently used scans as profiles to make them easy to run recurrently. It contains a command creator that allows you to interact and create Nmap command lines. You can save the Scan results and view them in the future and they can be compared with another scan report to locate differences. The results of the recent scans can be stored in a searchable database. The advantages of Zenmap are as follows: 9 9 9 Q Q Interactive and graphical results viewing Comparison Convenience Repeatability Discoverability
cr
Zenmap
lo o k profile H elp
Is
Scan
nmap 192.168.168.5 Command Hosts OS w Host * -sT -v nmap 192.168.168.5 Services 4 Nmap Output Ports / Hosts
Profile
,Scan
Cancel
Topology
Host Detail*
Scans
*|
Details
192.168.168.5
S t a r t in g Nmap 6.01 ( h ttp :/ / n a a p .o rg ) a t 2012-0810 12:04 0 T ii I n i t i a t i n g ARP P in g Scan a t 12:04 S can ning 192.16 8 .1 6 8 .S [1 p o r t ] Completed ARP P in g Scan at 1 2:04, 0 .6 8 s e la p s e d (1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o lu t io n o f 1 h o s t, a t 12:04 Completed P a r a l l e l DNS r e s o lu t io n o f 1 h o s t, a t 12:04, 0 .0 2 s e lap sed I n i t i a t i n g Connect Scan a t 12:04 Scan n in g 192.16 8 .1 6 8 .S [1000 p o r t s ) D isco ve re d open p o rt 8 0 /tcp on 192.16 8 .1 6 8 .S D isco ve re d open p o rt 993/tcp on 1 9 2 .16 8 .1 6 8 .S D isco ve re d open p o rt 8080/tcp on 192.16 8 .1 6 8 .S D isco ve re d open p o rt 2 S/tcp on 192.16 8 .1 6 8 .S D isco ve re d open p o rt 139/tCp on 192.168.168.5 D isco ve re d open p o rt 8888/tcp on 192.168.168.5 Completed Connect Scan a t 1 2:04, 40.63s e la p s e d (1000 t o t a l p o r t s ) N*ap scan re p o rt f o r 192.16 8 .1 6 8 .S f a i l e d t o r e s o lv e g iv e n h o s tn a a e / IP : n rap . Note th a t you c a n 't use , / ask' ANO *1 -4 ,7 ,1 0 0 - ' s t y l e I P ra n g e s. I f th e M achine o n ly has an IP v 6 a d d re ss , add th e Neap 6 f l a g t o scan t h a t . Host i s up (O.O00S7S l a t e n c y ) . > < gt ihffwn; 980 f i l t e r e d p o rts PORT STATE SERVICE 2 S /tc p open s a tp open h t t p 8 0/tcp 110/tcp open pop 3 119/tcp open IMitp 135/tcp ooen srpc 8081/tcp open b la c k ic e - ic e c a p 8088/tcp open ra d a n - h ttp 8888/tcp open su n -answerbook (D e ll)
Rtad flat! f i l e t frw; C :\Pro g ra F i l e s (x M )\ N ap H*ap done: 1 I P ad dress (1 h o st up) scanned in 43.08 seconds Rax p a ck e ts s e n t: 1 (286) | Rcvd: 1 (2 8 6 )
Filter Hosts
X m a s S can
o
FIN, URG, PUSH FIN, URG, PUSH
UftNM
c El \
ftb.ul H.. fcM
mu : : : 1
Server
10.0.0.8:23
10.0.0.8:23
Port is open
Port is clo se d
In Xmas scan, attackers send a TCP frame to a remote device with URG, ACK, RST, SYN, PSH, and FIN flags set
X m as Scan
-----Xmas Scan is a port scan technique with ACK, RST, SYN, URG, PSH, and FIN flags set to send a TCP frame to a remote device. If the target port is closed, then you will receive a remote system reply with a RST. You can use this port scan technique to scan large networks and find which host is up and what services it is offering. It is a technique to describe all TCP flag sets. W hen all flags are set, some systems hang; so the flags most often set are the nonsense pattern URG-PSH-FIN. This scan only works when systems are compliant with RFC 793.
Advantage: It avoids the IDS and TCP three-way handshake. Disadvantage: It works on the UNIX platform only.
Port is open
FIGURE 3.19: Xmas Scan when Port is Open
10.0.0.8:23
P o rt is c lo s e d
FIGURE 3.20: Xmas Scan when Port is Closed
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save the frequently used scans as profiles to make them easy to run recurrently.
Zenmap
Scan Target: 100It Profile Help
nmap 192.I6S.168.} 1 X v r
Nmip Output Pcrts/Hosts Topology Host Ottals S<ar -sX-v nmap 192.16S.168.3
Start
Command:
D etails
S tartin g Nmap 6.01 ( * t 2612 08 10 12:39 Standarc 1ie Initiating AKP Ping Scan at 12:39 Scanning 192.168.168.3 [1 port] Completed ARP Ping Scan at 12:39, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution 0f 1 host, at 12:39 Coa191eted Parallel DNS resolution o* 1 host, at 12:39, 0.02s elapsed Initiating XMAS Scan at 12:3* Scanning 192.168.1*8.3 [10CO po ts] Increasing cand dalay *or 192.168.168.3 from 0 to 5 due to 108 out of 358 dropped probes since last increase. Co*!91eted XMAS Scan at 12;39, 9.75s elapsed (1800 to ta l ports) Nra scan report fo r 197.1*3.168.3 Failed o resolve given hostrawe/IP: niwp. Note that you c a n 't use V ? AHO *1-4,7,180 s ty le IP ranges. I f the wchine only ha? an IPv6 address. add the Mnap -6 fla g to scan th at. Host is up (0.000023s la t e r c y ). Not shovn; 997 clo;ed ports PORT STATE SEUVICE 22/tcp o c e r lfilt e r e d j$n 88/tcp o p e r | f ilt e ed kertxrcs-sec 548 tcp o p e r | f ilt e ed afp
M A CAMrtu;
Read tifltfl f l i p frggl C:\Progra * lie s <x!6)\taao 1 IP ad Jrest (1 host up) scanned in 12.19 seconds Rat. paccets sent: 13S3 (S4.1M KB) I Rcvd: 998 (39.908K8)
S can
J J J In FIN scan, attackers send a TCP frame to a remote host with only FIN flags set FIN scan only with OS TCP/IP developed according to RFC 793 It will not work against any current version of Microsoft Windows J *
FIN
No Response
P o rt is open
10.0.0.8:23
Port is c lo s e d
E H
nmap 192.168.168.3 if v nmap 192.168.168.3 Nmap Output Ports/Host* Topo*og> Host Detail! Scans i f -v nmap 192.168.168.3
192.168.168.5 192.168.168.3
S t a r tin g Nm p 6.01 ( h ttp :/ / n M p .o rg ) at 2012 08 10 12:35 Standard Tie I n i t i a t i n g ARP Ping Scan at 12:35 Scanning 192.168.168.3 [1 p o rt] Completed ARP Ping Scan at 12:35, 0.07s elapsed (1 t o t a l h o sts) I n i t i a t i n g P a r a lle l DNS r e s o lu tio n o f 1 h ost, a t 12:35 Completed P a r a lle l ONS re s o lu tio n o f 1 h ost, at 12:35, 0.10s elapsed I n i t i a t i n g FIN Scan at 12:35 Scanning 192.168.16S.3 [1000 p o rts] In crea sin g send d elay fo r 192.168.168.3 fro 0 to 5 due to 108 out o f 358 dropped probes sin ce la s t in crea se. In crea sin g send d elay f o r 192.168.168.3 froai 5 to 10 due to ax_$uccessful_tryno in crease to 4 Completed FIN Scan at 12:35, 11.78s elapsed (1000 t o t a l p o rts ) *toap scan rep ort fo r 192.168.168.3 F a ile d to re s o lv e given hostnaaw/IP: naap. Note th at you c a n 't use */ m s i c AND 4, 7, 100*1 's t y le IP ranges. I f the achine on ly has an IP v6 address, add the N*ap *6 f la g to scan t h a t . Host is up (0.0000050s la te n c y ). closed ports PORT STATE SERVICE 22/tcp o p e n |fiite r e d ssh 88/tcp o p e n jfilt e r e d k erberossec S48/tcp o p e n jfilt e r e d afp
U gl-itH M ?; 997
* A i.A M T M 1 ;
Rctti d i t l f l i t * ffg g j C:\Progra F ile s (x86)\Nap Nwap done: 1 IP address (1 host up) scanned in 14.28 seconds Rat packets sen t: 1378 (55.108KB) | Rcvd: 998 (39.908KB)
NULL S can
Port is open
TCP Packet with NO Flag Set
CEH
9H
Attacker 10 .0 .0.6
No Response
In NULL scan, attackers send a TCP frame to a remote host with NO Flags NULL scan only works if OS' TCP/IP implementation is developed according to RFC 793 It will not work against any current version of Microsoft Windows
NULL Scan
NULL scans send TCP packets with all flags turned off. It is assumed that closed ports will return a TCP RST. Packets received by open ports are discarded as invalid. It sets all flags of TCP headers, such as ACK, FIN, RST, SYN, URG and PSH, to NULL or unassigned. W hen any packets arrive at the server, BSD networking code informs the kernel to drop the incoming packet if a port is open, or returns an RST flag if a port is closed. This scan uses flags in the reverse fashion as the Xmas scan, but gives the same output as FIN and Xmas tree scans. Many network codes of major operating systems can behave differently in terms of responding to the packet, e.g., Microsoft versus UNIX. This method does not work for Microsoft operating systems. Command line option for null scanning with NMAP is "-sN"
Advantage:
It avoids IDS and TCP three-way handshake.
Disadvantage:
It works only for UNIX.
Port is open
TCP Packet with NO Flag Set
^ > C E 31
No Response
Attacker
10. 0. 0.6 FIGURE 3.25: NULL Scan when Port is Open
Server 10.0.0.8:23
Port is clo se d
TCP Packet with NO Flag Set
E
f c _ 5
RST/ACK
Attacker
10 .0 .0.6 FIGURE 3.26: NULL Scan when Port is Closed Zenmap
S c jn Target: lo o k profile n m a p 192.168.168.3 * - tN v n m a p 192.168.168.3 N m a p O u tp u t P orts / Hosts T op o lo g y H o st Details Sta n s
Server 10.0.0.8:23
E lio ]
Scan
C om m and: H o sts O S - H o st
sN -v n m a p 192.168.168.3
IM
192.168.168.5 192.168.168.3
Starting Nmap 6.01 ( http://nxap.org ) at 2012-08-10 12:41 Standard Tine Initiating ARP Ping Scan at 12:41 Scanning 192.168.16a.3 (1 port) Completed ARP Ping Scan at 12:41, 0.06s lapsed <1 total hosts) Initiating Parallel DNS resolution of 1 host, at 12:41 Completed Parallel DNS resolution of 1 host, at 12141, 0.02s elapsed Initiating NULL Scan at 12:41 Scanning 192.168.168.3 [1000 ports) Increasing send delay for 192.168.168.3 froei 0 to 5 due to 21S out of 71S dropped probes since last increas*. Completed NULL Scan at 12:41, 8.23s elapsed (1000 total ports) Noap scan report for 192.168.168.3 Failed to resolve given hostnaae/lP: nmap. Note that you can't use /ask* AND 1-4,7,100 'style IP ranges. If the achine only has an IPv6 address, add the Naap -6 flag to scan that. Host is up (0.00s latency). Not shown: 997 closed ports PORT STATt SERVICE 22/tcp open|filtered ssh 88/tcp openjfiltered kerberos-sec 548/tcp openjfiltered afp
M AC A fld rcn ;
Read data files fro: C:\Progran files (x86)\Nmap N m jio done: 1 IP address (1 hostup) scannedin 10.66 seconds Ran packets sent: 1844(73.748KB) | Rcvd: 998 (39.908KB)
ID LE S can
Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. Port is considered "open" if an application is listening on the port One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port
CEH
A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored
Every IP packet on the Internet has a "fragment identification" number (IP ID)
The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed t f Command Prompt
OS increments the IP ID for each packet sent, thus probing an IP ID gives an attacker the number of packets sent since last probe
C : \ > n m a p -P n -p- -si wvrw.juggyboy.com w w w . c e r t i f i e d h a c k e r . c o m Starting Nmap ( h t tp://nmap.org ) Idlescan using zombie w w w . 3 u g gyboy.com (192.130.18.124:80); Class: Nmap scan report for 198.182.30.110 (The 40321 ports scanned b u t not Port State Service open 2 1 /tcp ftp open 25/tcp smtp open 80/tcp http Nmap done: 1 IP address (1 host tip) scanned in 1931.23 seconds Incremental
IDLE Scan
The idle scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available and offers complete blind scanning of a remote host. This is accomplished by impersonating another computer. No packet is sent from your own IP address; instead, another host is used, often called a "zombie," to scan the remote host and determine the open ports. This is done by expecting the sequence numbers of the zombie host and if the remote host checks the IP of the scanning party, the IP of the zombie machine will show up.
Understanding TCP/IP
Source: http://nmap.org Idle scanning is a sophisticated port scanning method. You do not need to be a TCP/IP expert to understand it. You need to understand the following basic facts: Q Most of the network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port; otherwise it is closed.
To determine whether a port is open, send a session establishment "SYN" packet to the port. The target machine responds with a session request acknowledgment "SYN|ACK" packet if the port is open and a Reset "RST" packet if the port is closed.
A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.
Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.
From these facts, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning.
Command Prompt
a
FIGURE 3.28: Nmap Showing Idle Scan Result
ID LE S can : S tep 1
Every IP packet on the Internet has a fragment identification number (IP ID), which increases every time a host sends; IP packet
C EH
Attacker
Zombie
Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number
In the first step, you can send a session establishment "SYN" packet or IPID probe to determine whether a port is open or closed. If the port is open, the "zombie" responds with a session request acknowledgment "SYN |ACK" packet containing the IPID of the remote host machine. If the port is closed, it sends a reset "RST" packet. Every IP packet on the Internet has a "fragment identification" number, which is incremented by one for every packet transmission. In the above diagram, the zombie responds with IPID=31337.
ID LE S can : S tep 2 a n d 3
S te p 2
J J Send SYN packet to the target m achine (port 80) spoofing the IP address of the "zom bie"
CEH
If the port is open, the target will send SYN/ACK Packet to the zombie and in response zombie sends RST to the target
If the port is closed, the target will send RST to th e "zo m b ie" but zombie will not send anything back
SYN Packet to port 80 spoofing zombie IP address
4VC
Attacker
r t o s f f i S S * 5 " T e"
Zombie P o r t is o p e n
j
;
S te p 3
J Probe "zo m b ie" IPID again
Attacker
Attacker
QOO
Target
Zombie
Port
is
open
FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open
Attacker
I4
................ ................
Target
Zombie
FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed
Attacker
IPID incremented by 2 since Step 1, so port 80 must be open FIGURE 3.32: IPID Probe Request and Response
Zombie
CEH
This type of scan simply generates and prints a list of IPs/N am es w ithout actually pinging or port scanning them
jjienj
starting Nrwp .01 ( t1 ttpl//nap.0rg ) at M l? M l ! IB: 17 .tnnflnra rlrr Kimu dime: 1 IP ai/dr eu's (ln o tt u t> ) scanned in 16.37
Starting Wrap 6.61 < httpi/Zrwap.orf ) at M l? M l 1J1M mara tlf Initiating Paralltl 0NS resolution 0 1 host. at U S* taepleted Parallel DM resolution of 1 host. at 13:S4, 8 .M 1 elapsed Ue.p *con report for l2.1M.t6I.S Naap done; 1 IP address < hosts up) scanned in .M seconds Mlr H0U1
filler H osts
V \
ICMP Echo Scanning/L ist Scan
L is t S c a n
ICMP echo scanning is used to discover live machines by pinging all the machines in the target network. Attackers send ICMP probes to the broadcast or network address which is relayed to all the host addresses in the subnet. The live systems will send ICMP echo reply message to the source of ICMP echo probe. ICMP echo scanning is used in UNIX/Linux and BSD-based machines as the TCP/IP stack implementations in these operating system responds to the ICMP echo requests to the broadcast addresses. This technique cannot be used in Windows based networks as the TCP/IP stack implementation in windows machines is configured, by default, not to reply ICMP probes directed to the broadcast address. ICMP echo scanning is not referred to as port scanning since it does not have a port abstraction. ICMP echo scanning is useful to determine which hosts in a network are active by pinging them all. The active hosts in the network is displayed in Zenmap as "Host is up (0.020s latency)." You can observe that in the screenshot:
Zenmap
Scan Target: Tools Profile Help Profile: Scan
^L-rel
Cancel
Ports/Hosts
Topology
Host Details
Scans *I i Details
192.168.1.26
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-13 18:37 Standard Time Nmap scan report for 192.168.1.26 |Host is up (0.0020s latency) ~ | Nmap done: 1 IP address (1 host up) scanned in 16.57 seconds
Filter Hosts
In a list scan, discovery of the active host in the network is done indirectly. A list scan simply generates and prints a list of IPs/Names without actually pinging the host names or port scanning them. As a result, the list scan output of all the IP addresses will be shown as "not scanned," i.e., (0 hosts up). By default, a reverse DNS resolution is still being carried out on the host by Nmap for learning their names.
Zenmap
Scan Target lools Erofile {Help Profile:
Cancel
Ports /Hosts
Topology
nmap-sL-v 192.168.168.5
S t a r t i n g Nmap 6 .0 1 ( h t t p :/ / n m a p .o r g ) a t 2012-08-10 1 3 :5 4 id a rd T itie I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 3 :5 4 C o m pleted P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 3 :5 4 , 0 .0 4 s e la p s e d Nmap sc an r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .5 Nmap done: 1 I P a d d r e s s (0 h o s t s u p ) scan n e d i n O .06 seco n d s
Filter Hosts
Advantage:
9 9 A list scan can perform a good sanity check. The incorrectly defined IP addresses on the command line or in an option file detected by the list scan. The detected errors should be repairedprior to running "active" scan. are any
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
UDP S c a n n in g
Are you open on UDP Port 29?
C EH
................................................... *
No response if port is ...................
% ...... Iss____j
Server
UDP Scanning
UDP Raw ICMP Port Unreachable Scanning
UDP port scanners use the UDP protocol instead of TCP, and can be more difficult than TCP scanning. You can send a packet, but you cannot determine that the host is alive or dead or filtered. However, there is one ICMP that you can use to determine whether ports are open or closed. If you send a UDP packet to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. If any port returns an ICMP error, then it's closed, while the ports that didn't answer are either open or filtered by the firewall. This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.
UDP Packets
Source: http://nmap.org W hen you send a packet to a closed UDP port, most of the hosts send an
ICM P_PORT_UNREACH error. Thus, you can find out if a port is NOT open. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement the retransmission of packets that appear lost. UDP scanners interpret lost traffic as open ports.
In addition, this scanning technique is slow because of limiting the ICMP error message rate as compensation to machines that apply RFC 1812 section 4.3.2.8. A remote host will need to access the raw ICMP socket to distinguish closed from unreachable ports.
Example
For example, a second write () call to a closed port will usually fail. A lot of scanners, such as Netcat and Pluvial pscan.c do recvfrom () on non-blocking UDP sockets, usually return EAGAIN ("Try Again," errno 13) if the ICMP error has not been received, and ECONNREFUSED ("Connection refused," errno 111), if it has. This is the technique used for determining open ports when non-root users use -u (UDP). Root users can also use the I (lamer UDP scan) options to force this.
Advantage:
The UDP scan is less informal regarding an open port, since there's no overhead of a TCP handshake. However, if ICMP is responding to each unavailable port, the number of total frames can exceed a TCP scan. Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.
Disadvantage:
The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with a version detection scan (-sV) or the operating system fingerprinting option (-0). The UDP scan requires privileged access, so this scan option is only available on systems with the appropriate user permissions. Most networks have huge amounts of TCP traffic; as a result, the efficiency of the UDP scan is lost. The UDP scan will locate these open ports and provide the security manager with valuable information that can be used to identify these invasions achieved by the attacker on open UDP ports caused by spyware applications, Trojan horses, and other malicious software.
Are you open on UDP Port 29? No response if port is Open
c
di
Server
.....................................
Zenmap
S<an Target Jo o li Profile tjelp
Pro file :
L 2_
Scant
n m ip 192.168.168.3
Cancel
Nmap Output
Ports/Hosts 192.168.168.3
Scans v Details
192 168.168.5
192.168.168.3
S t a r t i n g Nmap 6 .0 1 ( h t t p :/ / n a 1a p .o r g ) a t 2012 08 10 12:47 S ta n d a rd Time I n i t i a t i n g ARP P in g S ca n a t 13:47 S c a n n in g 1 9 2 .1 6 8 .1 6 8 .3 [1 p o r t ] Com pleted ARP P in g S can a t 1 2 :4 7 , 0 .0 6 s e la p s e d (1 t o t a l h o s t s ) I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 12:47 Com pleted P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 2 :4 7 , 0 .0 2 s e la p s e d I n i t i a t i n g LOP S ca n a t 12:47 S c a n n in g 1 9 2 .1 6 8 .1 6 8 .9 [1000 p o r t s ) D is c o v e r e d open p o r t 53S3/udp on 1 9 2 .1 6 8 .1 6 8 .3 D is c o v e r e d open p o r t 137/udp on 1 9 2 .1 6 8 .1 6 8 .3 D is c o v e r e d open p o r t 123/udp on 1 9 2 .1 6 8 .1 6 8 .3 In c r e a s i n g send d e la y f o r 1 9 2 .1 6 8 .1 6 8 .3 * r o o t 0 t o SO due t o 216 o ut o f 719 dropped p ro b e s s in c e l a s t i n c r e a s e . Com pleted UOP S ca n a t 1 2 :4 7 , 1 9 .6 6s e la p s e d (1000 t o t a l p o r t s ) Nmap sc an r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .3 F a i l e d t o r e s o l v e g iv e n h o s tn a m e / IP : nmap. N ote t h a t you c a n ' t use , /m ask' AND 1-4,7,100- s t y l e I P r a n g e s . I f th e m achine o n ly has an IP v 6 a d d r e s s , add t h e Nmap -6 f l a g t o sc an t h a t . H ost i s up (0 .0 0 0 0 6 3 s l a t e n c y ) . Not shown: 994 c lo s e d p o r t s PORT STATE S f R V IC f 88/udp o p e n | f i l t e r e d k e rb e ro s - s e c 123/udp open n tp 137/udp open n e t b io s - n s 138/udp o p e n | f i l t e r e d netb io s- d g m S353/udp open z e ro c o n f S8178/udp o p e n | f i l t e r e d unknown MAC A d d re s s : Read d a t a f i i c a fro ; C :\ P ro g ra m F i l e s (x&6)\Nmap Nmap d on e: 1 I P a d d re s s (1 h o s t u p ) scann ed in 2 2 .0 9 seco n ds Ra p a c k e t s s e n t : 1839 ( 5 2 . 4 01KB) I R cvd : 998 (S 6 .0 6 S K B )
Filter Host*
c <
(rtifwd
CEH
itkitjl
Attackers send TCP probe packets with various TCP flags (FIN,URG,PSH) set or with no flags, no response means port is open and RST/ACK means the port is closed
No Response
Attacker
Port is open
Probe Packet (FIN/URG/PSH/NULL)
RST/ACK
Attacker
Port is closed
A SYN/ACK probe All the closed ports on the targeted host will send an RST/ACK response. Since the RFC 793 standard is completely ignored in the operating system such as Windows, you cannot see the RST/ACK response when connected to the closed port on the target host. This technique is effective when used with UNIX-based operating systems.
Advantages
Q Avoids many IDS and logging systems, highly stealthy
Disadvantages
9 Q Needs raw access to network sockets, thus requiring super-user privileges Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts in particular)
Probe Packet (FIN/URG/PSH/NULL)
No Response
Attacker
P o rt is o p e n
FIGURE 3.37: Inverse TCP Flag Scanning when Port is Open
Target Host
RST/ACK
Attacker
P o rt is clo se d
FIGURE 3.38: Inverse TCP Flag Scanning when Port is Closed
Target Host
ACK F la g S c a n n in g
W IN D O W field analysis Using TTL value one can determine the number of systems the TCP packet traverses. You can send an ACK probe packet with random sequence number: no response means port is filtered (state full firewall is present) and RST response means the port is not filtered,
nmap -sA -P0 10.10.0.25 Starting nmap 5.21 ( http://nmap.org) at 2010-05-16 12:15 EST
Attacker
No Response
Target Host
No Firewall
IT LT I .......................................
RST
Attacker
Target Host
Zenmap
S<!n T.rgrt: lo o k Profit Help v Profile Scan
Cancel
Command: Hosts
Nmap Output Ports/Hosts Topology Host Detaib Scans * -sA -v -Pn nmap 192.166.16ft} Oeta.14
S t a r t in g M a p 6.01 ( h ttp :/ / n x a p .o rg ) a t 2012-08-10 13:09 Stand ard T in* I n i t i a t i n g ARP Pin g Scan at 13:10 Scanning 192.16*.160.5 [1 p o r t ] Completed ARP Pin g Scan at 13:10, 0.07s elapsed (1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o lu t io n o f 1 h o s t, at 13:10 Completed P a r a l l e l DNS r e s o lu t io n o f 1 h o s t, at 13:10, 0.10s elapsed I n i t i a t i n g ACK Scan a t 13:10 Scanning 192.16*.168.5 [1000 p o rts ] Coaipleted ACK Scan at 13:10, 21.38s elapsed (1000 t o t a l p o r t s ) Naap scan re p o rt f o r 192.16*.168.5 F a ile d to re s o lv e g ive n h o stn a a c / lP : naap. Note th a t you c a n t use , /ask' ANO 1-4,7,100- s t y le I P ranges. I f th e achine o n ly has an IPv6 ad d re ss, add th e Nnap 6 f l a g to scan t h a t .
H ost is
up
1 0 .W 1 e s
la te n t ,) ,________________________________
MAC Address:
Read data f i l e ! frg; C :\Pro g r F i l e s ( x 86)\ m m p done; l I P address (1 host up) scanned in 23.90 seconds Rax packets se n t: 2001 (80.O28K8) | Rcvd: 1 (288)
filter Hosts
CEH
2 fit
Edt
Accesatolly
rJ>
Manual 1 5 0 - networkCcnrecton E-dxrts 9 Automated Tools ( Rsfren ciicUyFulPfKess Paths 193C 10' I PsccrrectAl 1CP ]
Jjrp 0 Autorrcited ]
0 .0 .0 .0
O .O .0.0 0.0.0.0
0.0.0.0
Local IP
!yicti
inee 1 nfo.exe
0 .0 .0 .0
0.0.0.0 0.0.0.0 O .O .0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
3bacr?.x IVChOK.IXI S<STC.cxe D U lK V U l.tx t 8coeSzv.xt 5tot5c1v.exe s'rS:rv.cxe IM S 2OS2 2092 2092 TC TC TC TC
s
O V O * C O1 o b l. r.w o-< r1yT.
Hawro L1 >Mvay locto
0 .0 .0 .0
127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1
C M Sfuv
ftxkr* Iffvd Tocte txtema! tods
Syat
S 7 3 ci
Svs .w
Local lore | http | 80 )cpxag( 135 )MS (UlCEOSOCt-dS' ) S (b la c k ja c k )LT23 (pptp )oyMrcanyvnccc( 2638 lc lh p ( 2069( 4)) pcsync-https web5( 9090( ) ofll )unknown! 31038 )MS71 !unknown )unknown| 04572 )34S73 !unknown lk1 1 1 .p l 60 | http | 00 IhttpI 00 httpI| 80
Reaote 1 r 0.0.0.0
1 0 2
0.0. 0 .0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
Progmli^o
Active Discovery and Diagnostic Tools: Used for testing and locating devices that are
connected to your network.
Passive Discovery Tools: Monitors the activities of the devices that are connected to your
network and also gathers information from third parties.
DNS Tools: Used to detect problems with DNS. Local Computer and General Information Tools: Provides details about your local computer's
network.
Benefits:
9 The information gathering process is made simpler and faster by automating the use of many network tools
Welcome Automated Tools Manual Tools (all) Refresh 0 Display Full Process Paths 1 sec 10 sec Disconnect All TCP I Disconnect Remote TCP Double-click Enable TCP Disconnects
0
O Enable AutoRefresh MAC Address to Manufacturer
Process inetinf0 .exe svchost.exe System inetinf 0 .exe System dbsrv9.exe svchost.exe SemSvc.exe SemSvc.exe agent.exe DkService.exe StorServ.exe StorServ.exe StorServ.exe System System System System <
PID
1100
Protocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP
'rr n
Local IP
0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0
Local Port 80 (http) 13S (epmap) 445 (microsoft-ds) 1025 (blackjack) 1723 (pptp) 2638 (sybaseanywhere) 2869 (icslap) 8443 (pcsync-https) 9090 (websm) 9876 (sd) 31038 (unknown) 34571 (unknown) 34572 (unknown) 34573 (unknown) 80 (http) 80 (http) 80 (http) 80 (http)
on
Remote IP
0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0
252 4
1100
Li)
Favorite Tools Active Discovery Tools Passive Discovery Tools DNS Tools Packet Level Tools External Tools Program Info For Help, press F I
S c a n n in g T ools
PRTG Network Monitor
h ttp ://w w w .p a essle r. com http ://w w w .m ag netosoft.com
C EH
Global Network Inventory Scanner
Net Tools
i N. I 1 W I
http://m absoft.com
IP Tools
E-
MegaPing
http ://w w w .m ag netosoft.com
Netifera
http ://netifera.com
=*~= Scanning tools ping computers, scan for listening TCP/UDP ports, and display the type of resources shared on the network (including system and hidden). The attacker may attempt to launch attacks against your network or network resources based on the information gathered with the help of scanning tools. A few of the scanning tools that can detect active ports on the systems are listed as follows:
9 PRTG Network Monitor available at http://www.paessler.com 9 Net Tools available at http://mabsoft.com 9 IP Tools available at http://www.ks-soft.net 9 MegaPing available at http://www.magnetosoft.com 9 Network Inventory Explorer available at http://www.10-strike.com
9 9 Global Network Inventory Scanner available at http://www.magnetosoft.com SoftPerfect Network Scanner available at http://www.softperfect.com
9 Advanced Port Scanner available at http://www.radmin.com 9 Netifera available at http://netifera.com 9 Free Port Scanner available at http://www.nsauditor.com
C EH
RANGE 132
132.3.0.0 Williams Air Force Base 132.5.0.0 - 132.5.255.255 49th Fighter Wing 132.6.0.0 Ankara Air Station 132.7.0.0 -132.7.255.255 SSG/SINO 132.9.0.0 28th Bomb Wing 132.10.0.0 319 Comm Sq 132.11.0.0 Hellenikon Air Base 132.12.0.0 Myrtle Beach Air Force Base 132.13.0.0 Bentwaters Royal Air Force Base 132.14.0.0 Air Force Concentrator Netwcrk 132.15.0.0 Kadena Air Base 132.16.0.0 Kunsan Air Base 132.17.0.0 Lindsey Air Station 132.18.0.0 McGuire Air Force Base 132.19.0.0 100CS (NET-MILDENHALL) 132.20.0.0 35th Communications Squadron 132.21.0.0 Plattsburgh Ar Force Base 132.22.0.0 23Communication9 Sq 132.24.0.0 Dower Air Force Base 132 25.0.0 786 CS/SCBM 132.27 0 0 132 27.255.255 39CS/SCBBN 132.28.0.0 14TH COMMUNICATION SQUADRON
RANGE 130
1304000 NASA Johnson Space Center 130.90.0.0 Mather Ar Force Base 1301090.0 Naval Coastal Systems Center 130.124.0.0 Honeywell Defense Systems Group 130.165.0.0 U.S-Army Corps of Engneers 130 167.0.0 NASA Headquarters
RANGE 131
131.60.0 Langley Ar Force Base 131.10.0.0 Barksdale Ar Force Base 131.17.0.0 Sheppard Ar Fcrce Base 131.21.0.0 Hahn Ar Base 31.32.0.0 37 Communications Squadron 1 3 1 3500 Fairchild Ar Force Base 131.36.0.0 Yokota Ar Base 131.37.0.0 Elmendorf Air Force Base 131.38.0.0 Hickam Ar Force Base 131.39.0.0 354CS/SCSN
RANGE
129
1292300 Strategic Defense Initiative Organization 129.29.0.0 United States Military Academy 1295000 NASA Marshall Space Flight Center 129.51.0.0 Patrick Air Force Base 129.52.0.0 Wright-Patterson Air Force Base
For a complete list, see the file in DVD IP ADDRESSES YOU SHOULD NOT SCAN.txt
Do Not Scan T hese IP A ddresses (Unless you want to get into trouble)
The IP addresses listed in the following table are associated with the critical information resource centers of the US. Scanning these IP addresses will be considered an attempt to break the US's information security. Therefore, do not scan these IP addresses unless you want to get into trouble.
RANGE 6
6.* - Army Information Systems Center
RANGE 7
7.*.*.* Defense Information Systems Agency, VA
RANGE 11
RANGE 21
21. - US Defense Information Systems Agency
RANGE 22
22.* - Defense Information Systems Agency
RANGE 24
24.198.*.*
RANGE 25
25.*.*.* Royal Signals and Radar Establishment, UK
RANGE 26
RANGE 29
29.* - Defense Information Systems Agency
RANGE 130
130.40.0.0 NASA Johnson Space Center 130.90.0.0 Mather Air Force Base 130.109.0.0 Naval Coastal Systems Center 130.124.0.0 Honeywell Defense Systems Group 130.165.0.0 U.S.Army Corps of Engineers 130.167.0.0 NASA Headquarters
RANGE 30
30.* - Defense Information Systems Agency
RANGE 49
RANGE 50
50.* - Joint Tactical Command
RANGE 55
55.* - Army National Guard Bureau
RANGE 131
131.6.0.0 Langley Air Force Base 131.10.0.0 Barksdale Air Force Base
RANGE 55
55.* - Army National Guard Bureau 55.* - Army National Guard Bureau
RANGE 62
62.0.0.1 - 62.30.255.255 Do not scan!
RANGE 64
64.70.*.* Do not scan 64.224.* Do not Scan 64.225.* Do not scan 64.226.* Do not scan
RANGE 128
128.37.0.0 Army Yuma Proving Ground 128.38.0.0 Naval Surface Warfare Center 128.43.0.0 Defence Research EstablishmentOttawa 128.47.0.0 Army Communications Electronics Command 128.49.0.0 Naval Ocean Systems Center 128.50.0.0 Department of Defense 128.51.0.0 Department of Defense 128.56.0.0 U.S. Naval Academy 128.60.0.0 Naval Research Laboratory 128.63.0.0 Army Ballistics Research Laboratory 128.80.0.0 Army Communications Electronics Command 128.102.0.0 NASA Ames Research Center 128.149.0.0 NASA Headquarters 128.154.0.0 NASA Wallops Flight Facility 128.155.0.0 NASA Langley Research Center
RANGE 132
132.3.0.0 Williams Air Force Base 132.5.0.0 - 132.5.255.255 49th Fighter Wing 132.6.0.0 Ankara Air Station
132.7.0.0 - 132.7.255.255 SSG/SINO 132.9.0.0 28th Bomb Wing 132.10.0.0 319 Comm Sq 132.11.0.0 Hellenikon Air Base 132.12.0.0 Myrtle Beach Air Force Base 132.13.0.0 Bentwaters Royal Air Force Base 132.14.0.0 Air Force Concentrator Network 132.15.0.0 Kadena Air Base 132.16.0.0 Kunsan Air Base 132.17.0.0 Lindsey Air Station 132.18.0.0 McGuire Air Force Base 132.19.0.0 100CS (NET-MILDENHALL)
128.156.0.0 NASA Lewis Network Control Center 128.157.0.0 NASA Johnson Space Center 128.157.0.0 NASA Johnson Space Center 128.158.0.0 NASA Ames Research Center 128.159.0.0 NASA Ames Research Center 128.160.0.0 Naval Research Laboratory 128.161.0.0 NASA Ames Research Center 128.183.0.0 NASA Goddard Space Flight Center 128.202.0.0 50th Space Wing 128.216.0.0 MacDill Air Force Base 128.217.0.0 NASA Kennedy Space Center 128.236.0.0 U.S. Air Force Academy RANGE 129 129.23.0.0 Strategic Defense Initiative Organization 129.29.0.0 United States Military Academy 129.50.0.0 NASA Marshall Space Flight Center
132.20.0.0 35th C o m m u n ica tio n s Sq u a d ro n 132.21.0.0 Plattsburgh Air Force Base 132.21.0.0 Plattsburgh Air Force Base 132.22.0.0 23Communications Sq 132.24.0.0 Dover Air Force Base 132.25.0.0 786 CS/SCBM 132.27.0.0- 132.27.255.255 39CS/SCBBN 132.28.0.0 14TH COMMUNICATION SQUADRON 132.30.0.0 Lajes Air Force Base 132.31.0.0 Loring Air Force Base 132.33.0.0 60CS/SCSNM 132.34.0.0 Cannon Air Force Base 132.35.0.0 Altus Air Force Base 132.37.0.0 75 A BW 132.38.0.0 Goodfellow AFB 132.39.0.0 K.l. Sawyer Air Force Base
C EH
(itifwd Ukujl lUck*
Filter all ICMP messages (i.e. inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and k routers
Ensure that mechanism used for routing and filtering at the routers
W /
and firewalls respectively cannot be bypassed using particular source ports or source-routing methods
Perform TCP and UDP scanning along with ICMP probes against your organizations IP address space to check the network configuration and its available ports
Ensure that the router, IDS, and firewall firmware are updated to their latest releases
Ensure that the anti scanning and anti spoofing rules are configured
Network intrusion detection systems should detect the OS detection method used by tools such as Nmap, etc. Snort (http://.snort.org) is an intrusion detection and prevention technology that can be of great help, mainly because signatures are frequently available from public authors. Only necessary ports should be kept open; the rest of the ports should be filtered as the intruder will try to enter through any open port. This can be accomplished with the custom rule set. Filter inbound ICMP message types and all outbound ICMP type 3 unreachable messages at border routers and firewalls.
Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques.
Test your own IP address space using TCP and UDP port scans as well as ICMP Probes to determine the network configuration and accessible ports.
If a commercial firewall is in use, then ensure that the firewall is patched with the latest updates, antispoofing rules have been correctly defined, and fastmode services are not used in Check Point Firewall-1 environments.
fft
prepare Proxies
Banner Grabbing
IDS E v a sio n T e c h n iq u e s
Use fragmented IP packets
CEH
Spoof your when launching attacks and sniff responses from server Use source routing (if possible) Connect to > or compromised trojaned machines to launch attacks
Q Q
Q1
_ _
reassemble once they reach the target host. IDS evasion can also occur with the use of spoofed fake hosts launching network scanning probes.
CEH
The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend to do
&
Command Prompt
SYN/FIN (Small IP Fragments) + Port (n)
Attacker
Target
S Y N /FIN S c a n n in g
Fragmented Packets
The TCP header, after splitting into small fragments, is transmitted over the network. But, at times you may observe unpredictable results such as fragmentation of the data in the IP header after the reassembly of IP on the server side. Some hosts may not be capable of parsing and reassembling the fragmented packets, and thus may cause crashes, reboots, or even network device monitoring dumps.
Firewalls
Some firewalls may have rule sets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented due to the adverse effect on performance. Since several intrusions detection systems employ signature-based methods to indicate scanning attempts based on IP and/or the TCP headers, fragmentation is often able to evade this type of packet filtering and detection. There is a probability of network problems on the target network. SYN/FIN (Small IP Fragments) + Port (n) ....................................... < ........................................ RST (if port is closed) _
Attacker
FIGURE 3.43: SYN/FIN Scanning
Target
Command Prompt
ft
y j
Check for Open Ports
1 1
HUH 1 a c
Scanning Beyond IDS
k 1
-i
_____ Banner Grabbing
) ______
r - J
.
n _
M l ^ Scan for
Vulnerability
M Draw Network 1 /
Diagrams
-----Prepare! Proxies
IDS. All of these are the doorways for an attacker to break into a network. Another important tool of an attacker is banner grabbing, which we will discuss next.
1 9 1
Q f c i prepare Proxies
Banner Grabbing
This section highlights banner grabbing, the need to perform banner grabbing, various ways of banner grabbing, and the tools that help in banner grabbing.
B a n n e r G ra b b in g
J Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive.
The responses are then compared with a database to determine the OS Response from different OSes varies due to differences in TCP/IP stack implementation
BQ B
Banner Grabbing
Banner grabbing or OS fingerprinting is a method to determine the operating system running on a remote target system. Banner grabbing is important for hacking as it provides you with a greater probability of success in hacking. This is because most of the vulnerabilities are OS specific. Therefore, if you know the OS running on the target system, you can hack the system by exploiting the vulnerabilities specific to that operating system. Banner grabbing can be carried out in two ways: either by spotting the banner while trying to connect to a service such as FTP or downloading the binary file/bin/ls to check the architecture with which it was built. Banner grabbing is performed using the fingerprinting technique. A more advanced
fingerprinting technique depends on stack querying, which transfers the packets to the network host and evaluates packets based on the reply. The first stack querying method was designed considering the TCP mode of communication, in which the response of the connection requests is evaluated. The next method was known as ISN (Initial Sequence Number) analysis. This identifies the differences in the random number generators found in the TCP stack. A new method, using the ICMP protocol, is known as ICM P response analysis. It consists of sending the ICMP messages to the remote host and evaluating the reply. The latest ICMP messaging is
known as temporal response analysis. Like others, this method uses the TCP protocol. Temporal response analysis looks at the retransmission timeout (RTO) responses from a remote host. There are two types of banner grabbing techniques available; one is active and the other is passive.
T l: In this test, a TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP
port.
T2: It involves sending a TCP packet with no flags enabled to an open TCP port. This type of
packet is known as a NULL packet.
T3: It involves sending a TCP packet with the URG, PSH, SYN, and FIN flags enabled to an open
TCP port.
T4: It involves sending a TCP packet with the ACK flag enabled to an open TCP port. T5: It involves sending a TCP packet with the SYN flag enabled to a closed TCP port. T6: It involves sending a TCP packet with the ACK flag enabled to a closed TCP port. T7: It involves sending a TCP packet with the URG, PSH, and FIN flags enabled to a closed TCP
port.
PU (Port Unreachable): It involves sending a UDP packet to a closed UDP port. The objective is
to extract an "IC M P port unreachable" message from the target machine. The last test that Nmap performs is named TSeq for TCP Sequencability test. This test tries to determine the sequence generation patterns of the TCP initial sequence numbers, also known as TCP ISN sampling, the IP identification numbers (also known as IPID sampling), and the TCP timestamp numbers. The test is performed by sending six TCP packets with the SYN flag enabled to an open TCP port. The objective is to find patterns in the initial sequence of numbers that the TCP
implementations choose while responding to a connection request. These can be categorized into many groups such as the traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or True "random" (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time-dependent" model where the ISN is incremented by a fixed amount for each time period.
Source: www.insecure.org, "M ost operating systems increment a system-wide IPI D value for each packet they send. Others, such as OpenBSD, use a random IPI D and some systems (like Linux) use an IPI D of 0 in many cases where the Don't Fragment bit is not set. Windows does not put the IPI D in network byte order, so it increments by 256 for each packet. Another number that can be sequenced for OS detection purposes is the TCP timestamp option values. Some systems do not support the feature; others increment the value at frequencies of 2HZ, 100HZ, or 1000HZ and still others return 0.
TTL - W hat the operating system sets the Time To Live on the outbound packet W indow Size - hat the operating system sets the W indow size DF - Does the operating system set the Don't Fragment bit OS - Does the operating system set the Type of Service, and if so, at what
Passive fingerprinting has to be neither fully accurate nor be limited to these four signatures. However, by looking at several signatures and combining information, accuracy can be improved. The following is the analysis of a sniffed packet dissected by Lance Spitzner in his paper on passive fingerprinting (http://www.honeynet.org/papers/finger/). 04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 TCP TTL:45 TOS:OxO ID:56257 ***F **A * Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78 Based on the four criteria, the following are identified:
9 9
TTL: 45 W indow Size: 0x7D78 (or 32120 in decimal) DF: The Don't Fragment bit is set TOS: 0x0
9
9
Database Signatures
This information is then compared to a database of signatures. Considering the TTL used by the remote host, it is determined from the sniffer trace that the TTL is set at 45. This indicates that it went through 19 hops to get to the target, so the original TTL must have been set at 64.
Module 03 Page 345 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil
Based on this TTL, it appears that the packet was sent from a Linux or FreeBSD box (however, more system signatures need to be added to the database). This TTL is confirmed by doing a traceroute to the remote host. If the trace needs to be done stealthily, the traceroute time-tolive (default 30 hops) can be set to be one or two hops less than the remote host (-m option). Setting traceroute in this manner reveals the path information (including the upstream provider) without actually touching the remote host.
Window Sizes
The next step is to compare window sizes. The window size is another effective tool that determines specifically what window size is used and how often the size is changed. In the previous signature, it is set at 0x7D78, a default window size is commonly used by Linux. In addition, FreeBSD and Solaris tend to maintain the same window size throughout a session. However, Cisco routers and Microsoft Windows/NT window sizes are constantly changing. The window size is more accurate if measured after the initial three-way handshake (due to TCP slow start).
Session Based
Most systems use the DF bit set, so this is of limited value. However, this does make it easier to identify the few systems that do not use the DF flag (such as SCO or OpenBSD). TOS is also of limited value, since it seems to be more session-based than operating-system-based. In other words, it is not so much the operating system that determines the TOS, but the protocol used. Therefore, based on this information, specifically TTL and window size, one can compare the results to the database of signatures and, with a degree of confidence, determine the OS (in this case, Linux kernel 2.2.x). Just as with active fingerprinting, passive fingerprinting has some limitations. First, applications that build their own packets (such as Nmap, hunt, nemesis, etc.) will not use the same signatures as the operating system. Second, it is relatively simple for a remote host to adjust the TTL, window size, DF, or TOS setting on packets. Passive fingerprinting can be used for several other purposes. Crackers can use "stealthy" fingerprinting. For example, to determine the operating system of a potential target, such as a web server, one need only request a web page from the server, and then analyze the sniffer traces. This bypasses the need for using an active tool that various IDS systems can detect. Also, passive fingerprinting may be used to identify remote proxy firewalls. Since proxy firewalls rebuild connections for clients, it may be possible to ID proxy firewalls based on the signatures that have been discussed. Organizations can use passive fingerprinting to identify rogue systems on their network. These would be systems that are not authorized on the network.
B a n n e r G r a b b in g T ools
-J ID Serve is used to identify the make, model, and version of any web site^ server software
J
It is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site
ID Serve
BSwve
a
Netcraft
y
II I
r\r0
| 011e1y |
a copy /pit
1 |certmedl1ncBr com ~| / I ^ 7 ~ 7 . Whtrv rtlrl*tniURl 0 IPKh b ** 1 >p0'l*d bov AW1 > w a < r v w *t j pM M lbd| 0 A to n M ll< lja y^tW VNMl(r^
( 3 ; ILasi-Wcamed Aed I i. J8n < 1 0 1 1 (/ MDb UMI oorta jETaa 37StSt' 80:ct11 1?dC53" [Seivef McfDsorms/bO I !:.Pnv^o 1-fly A S P M F jl
* yy p o w x !
&
$ 2 0 1 0 1 0S w v *6r * 9
h ttp ://to o lb a r. n etcra ft. com Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
ID Serve
Source: http://www.grc.com
ID Serve is used to identify the make, model, and version of any website's server software; it is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
ID S *
I I | ^ P [, y P
I- q - F B U:4J
Internet Server Identification utility v l 02 Personal Security Freeware by Steve Gibson CopyrigN Ic) 2003 by Gfcson Research Cap
Background
Se!vrOue1 y
O&A/Help
Enter a copy / paste pa-.te an Interne! terver rerver URL a g IP adiesi addess here (exam ple W W WmaosoW mcrotollcom) com )
r tifm d h n c k e r co m ^ Irn |ceftil 1Bdhncker cow
m m
|
When an Inlem er URL or IP has been provided above press the button to nbate a query 0 1 the specfod server
(2
ft
U b tiM I
C 0 ( V
Netcraft
Source: http://toolbar.netcraft.com Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site.
ETC R A FT
Site re p o rt for certifledhacker.com
Netcraft Toolbar
j H om o SH o h t t p / c c r tA < jh jd .e o m L as t ro b o o t 1 d a y 990 E 2 ) U p tim o
g r4 p f>
Domain
IP w M m k i C o u n try D M fln t see a 2 0 2 7 5 .5 4 .1 0 1 D Mr
com
Notbkx k Sit r a n k
N n M K rv r O N S e d m ln
PNMHtCauntMt
Pinshiest nusleis
M od Popular W*Dc<to
00c*m fcK 2 0 0 2
lO W M 'S
Domain
O rg itk a tio
Reverse
DNS N m i ( 1v 1 r o r g a n is a tio n
ns 1 .noyear1yfees.com
S u c c t t t !d o * IT S ervices, O a m a n sa ra Java. R etakng Jaya. S e lan go r. 4 7 4 0 0 .
Tell a f nena
92345. united States T o o lb a r Support . FAQ * Glossary Contact Us a Report Bug T u to ria ls Installing Tooioar using me Toolbar Getting Most Reporting a Pkish A b ou t N e tc r a ft MocrsHom# About Nttcrafl Check another site: H ostin g H isto ry Net block O wner IM V M S DC Hostmg TM VADS DC Hostmg TM VADS DC Hosting TM VADS OC Hostmo TM VADS DC Hosting I P Address OS
Malaysia
W eb Server Microsoftn s/eo Microsoft IIS/6.0 Microsoft IIS/6.0 Microsoft 115/6.0 Microsoftns/fl.o
Last changed
202.7$.4.101 wtnoows server 2003 202.75.54.101 Windows Server 2003 202.75.54.101 Windows Server 2003 202.75.54.101 Window* Server 2003 ?07.7S.S4.101 Windows Server
1 /-Ju>~2012
9 )on 2012 9-M*v-2012 O-Apr-2012 10-Feb 2012
EC-C0l1nCll
B a n n e r G r a b b in g T ools
(Contd)
1. # nc - w www.juggyboy.com 80 -press[Enter] 2 . GET / HTTP/1.0 -Press [Enter] twice
f * rE t f * V i m m
CEH
This utility reads and writes data across network connections, using the TCP/IP protocol
.iww. ju g g y b o y c o a 1295 . 1 7 8 .1 5 2 . 2 6 : 30
GET / MTTP/1.9
HTTP/1.1 296 OK Connection: elose Date: Mon, 13 Aug 2912 12:14:10 GMT content-Length: 210 | Content-Type: t e x t / r f p l ^ I *r C o n t e n U c a t # r n : h t t p : 7/16.4 . 26. / b f a u ItIh t n LastM od itied : Wed. 19 Apr 2366 22:09:12 GMT AcceotRanges: none ETaa: 9 b46bc3fd53c61:7a49 S e rv e r : M ic r o s o ft - IIS / 6 .0 M lrr 0 ( 0 ft O f f ic * W * b (* r v t r ! 5.8 Pub X Powered-By: ASP.MET
tra c k
http://netcat.sourceforge.net L
Telnet
This technique probes HTTP servers to determine the Server field in the HTTP response header
n t- U n g th :
HT TP /
21H
1 . 1 J
Forbi dde
: H i P M c n f t - l I S / h . M
ChtmlXheadXtit le>Error<StitleX/ headXbodyXheadXtitle>Diecto 1*v Listing D od</t it lo ></)tead> <hndyXhl )Directory Listing Den 1ed</ hl >This UlrtUftl Director
oc3 not allow contents to be listed. < / body> < /'body> < /y htnl>
Netcat is a networking utility that reads and writes data across network connections, with the help of the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. It provides access to the following key features: Outbound and inbound connections, TCP or UDP, to or from any ports. Featured tunneling mode, which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface), and the remote host allowed to connect to the tunnel. Built-in port-scanning capabilities, with randomizer. hexdump (to stderr or to a specified file) of transmitted and received data. Optional RFC854 telnet codes parser and responder. You can use the Netcat tool for grabbing the banner of a website by following this process. Here, the banner grabbing is done on the www.Juggyboy.com web server for gathering the server fields such as server type, version, etc.
Advanced usage options, such as buffered send-mode (one line every N seconds) and
EC-COUIICil
From the screenshot, you can observe the area highlighted in red color is a server version (Microsoft-IIS/6.0).
1 2 : 1 4 : 1G GMT
Is
ft* 1^ ^
Ix
Telnet
This technique probes HTTP servers to determine the Server field in the HTTP response header. For instance, if you want to enumerate a host running http (tcp 80), then you have to follow this procedure: First, open the command prompt window. Go to Start >Run, type cmd, and press Enter or click OK. In the command prompt window, request telnet to connect to a host on a specific port: C:\telnet www.certifiedhacker.com 80 and press Enter. Next, you will get a blank screen where you have to type GET / HTTP/1.0 and press Enter twice. In the final step, the http server responses with the server version, say Microsoft-IIS/6.0. From the screenshot you can see the area highlighted in red color is the server version details.
Server: Microsoft-IIS/6.0 X-Pouered-By: ftSP.NET Date: Sat, 11 flug 2012 09:57:07 GMT uonneccion: cxose <htmlXheadXtitle>Error</'titleX/beadXbodyXbeadXtitle>Directory Listing D ed</t it le X/bead> <bodyXhl>Directory Listing Denied</hl>This Uirtual Director oes not allou contents to be listed.</body></bodyX/htnl> Connection to host lost.
FIGURE 3.48: Command Prompt showing http server responses with the server version
EC-C0UnCil
C EH
Turn off 0 1 unnecessary services on the network host to limit the information tion disclosure disclos
IIS users can use these tools to disable or change banner information
~ IIS Lockdown Tool (http://microsoft.com) ~ ServerMask (http://www.port80software.com)
Apache 2.x with mod_headers module - use a directive in httpd. conf file to change banner information Header set Server "New Server Name"
iture Alternatively, change the ServerSignature line to ServerSignature Off in httpd.conf file
Apache 2.x with mod_headers module - use a directive in httpd. conf file to change banner information Header set Server "New Server Name"
EC-COlMCil
C EH
g ig
file extensions
Change application mappings such as .asp with .htm or .foo, etc. to disguise the identity of the servers
EC-COUIICil
a;
ft
f^
Jfe J
Prepare Proxies
Banner Grabbing
This section describes vulnerability scanning and various vulnerability scanning tools.
Module 03 Page 353 Ethical Hacking and Countermeasures Copyright by EC-COlMCil
V u ln e r a b ility S c a n n in g
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and netw< order to determine how a system can be exploited
1 w
Q
^
V ulnerability Scanning
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and
network in order to determine how a system can be exploited. Similar to other security tests such as open port scanning and sniffing, the vulnerability test also assists you in securing your network by determining the loopholes or vulnerabilities in your current security mechanism. This same concept can also be used by attackers in order to find the weak points of the target network. Once they find any weak points, they can exploit them and get in to the target network. Ethical hackers can use this concept to determine the security weaknesses of their target business and fix them before the bad guys find and exploit them. Vulnerability scanning can find the vulnerabilities in: Q 9 9 9 Network topology and OS vulnerabilities Open ports and running services Application and services configuration errors Application and services vulnerabilities
EC-COUIICil
F e a tu re s
Agentless auditing Compliance checks Content audits Customized reporting High-speed vulnerability discovery In-depth assessments Mobile device audits Patch management integration Scan policy design and execution
t o -1 *w w 1xn M \Ma n n M |> vrtn j <M Iran MM Smo <*' N mil M T T P
Sa a ssa
,
a a >a ,a
To obtain more accurate and detailed information from Windows-based hosts in a Windows domain, the user can create a domain group and account that have remote registry access privileges. After completing this task, he or she gets access not only to the registry key settings but also to the Service Pack patch levels, Internet Explorer vulnerabilities, and services running on the host.
It is a client-server application. The Nessus server runs on a UNIX system, keeps track of all the different vulnerability tests, and performs the actual scan. It has its own user database and secures authentication methods, so that remote users using the Nessus client can log in, configure a vulnerability scan, and send it on its way. Nessus includes NASL (Nessus Attack Scripting Language), a language designed to write security tests. The various features of Nessus are: 9 Each security test is written as a separate plug-in. This way, the user can easily add tests without having to read the code of the Nessus engine. Q It performs smart service recognition. It assumes that the target hosts will respect the IANA assigned port numbers. 9 The Nessus Security Scanner is made up of two parts: A server, which performs the attack, and a client, which is the front end. The server and the client can be run on different systems. That is, the user can audit his whole network from his personal computer, whereas the server performs its attacks from the main frame, which may be located in a different area.
Q nessus Reports Reports M obile Scans Policies Users Configurator **1 | H* | | uful g
Scan LAN 1 !
Filters NoFltea
EC-C0UnCil
UrtifW4
c EH
ItkKJl Nm Im
0
GFI LanGuard assists in asset
Hte
* -
D*Mo*d
Scm
ReTMdutr
M onitcr
Rtpcrtt
Configuritkn
Gme
, Oienee
# C cw txjen
M 3 r>
'AJryraMtm
Patch es
. 4
Soft*( Softa
w *
Harare
1 4
* E n rtto r t w r t
t j ixahoet w3N*EBOcc1 -
JL *l v 0 e S C ^
---- - 1
Ow S im
_________________
0eonotten *
Identifies security vulnerabilities and takes remedial action Creates different types of scans and vulnerability tests Helps ensure third-party security applications offer optimum protection
nj-mtbtli
J 'l I ,-
Luntutn < U waU*.y
0,
http://www. gfi.com
- Copyright by fC-CNDCil. All Rights Reserved. Reproduction is Strictly Prohibited.
GFI LanGuard acts as a virtual security consultant. It offers patch management, vulnerability assessment, and network auditing services. It also assists you in asset inventory, change management, risk analysis, and proving compliance.
Features:
9 9 9 9 9 Selectively creates custom vulnerability checks Identifies security vulnerabilities and takes remedial action Creates different types of scans and vulnerability tests Helps ensure third party security applications offer optimum protection Performs network device vulnerability checks
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
1 1 11
AudriSlitu
E B
I J-P I *
Configuration Utilities
<
Group
Dashboard
S<an
Remediate
Activity Monitor
Reports
Uj
Q .
Overview
IS
0Computers
rtHory
& ip '*Jnerabfees
Seanty Sensors
(J
Patches Port Software Hardware
Syitem Information
S SW IN H S S a C M M l
I0 computers
Most Vulnerable Computers WINMSSELCK4K41
Software Updates
Firewall Issues
Credent!! Setup
# l0 . computers ....
Vulnerabilities 1 computers VuherabAty Trend Over Trie
UP
T o u t H *
Common Talks
O
Insta n progress Urwrstal ** progress Ocomputvtl) 0 computer{*) 0 C0mpar<)
H nasusslL.
Addmoncomodera Custom scar
Not IrtStalM
D*ptoy*nrt Error!
1computes)
0 COmpuMrfS)
icompuc
0 comput..
Ocomput. Ocomput.
O
1 Computers By Operatr>g...| Computers By Network ... 1
EC-C0UnCil
Features:
Identify vulnerabilities on network devices Detect and fix possible weaknesses in the network security Prevent common system vulnerabilities a Demonstrate compliance with current government and industry regulations e Perform compliance audits with policies defined by FDCC, USGCB,
Features:
9 Detects and fixes possible weaknesses in your network's security Anticipates and prevents common system vulnerabilities Demonstrates compliance with current government and industry regulations such as PCI DSS, NERC, FISMA, SOX, GLBA, HIPAA, and COPPA
9
0
Performs compliance audits with policies defined by FDCC, USGCB, and DISA
EC-COUIICil
1 * & 0
* CrmcMi f n u t m t A / f i oi Conem * * * * *
H 0 *t * 10.7.0. IS d 10-7-Q-14 ^ 1Q.7.Q.2
Vulnerability Scanner
O p ( * * > kM M c% 1 M 1
r e a a
rz ri
S 4 1 4
4
2 1 1 4 1 4
4
a s
0
TOUI 4 1
17 14
* 4 * *
4 10 7.0 104
1 1 2 2 0 0 0 0 1
0 0 1
a 10.7.0.S
.m
4 * ^
2 2 0 0 2 2 2 1 2
0 0
6 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0
1 S 2 2 2 2 2 2
I
1 1
0
J 10.7.0.7
I 1 1 1
_______
EC-C0UnCil
CEH
OpenVAS
gm
L Jp S rJ
MBSA
h ttp ://w w w . m icrosoft. com
Nexpose
h ttp ://w w w . rapid7.com
111 i ]
B E 3 F
Ml
QualysGuard
h ttp ://w w w .qualys.com
EC-COUIICil
1 9 1
J*
3 0
r-^r-n
Prepare Proxies
Banner Grabbing
This section highlights the importance of the network diagram, how to draw the network diagram or maps, how attackers can use these launching attacks, and the tools that can be used to draw network maps.
Module 03 Page 362 Ethical Hacking and Countermeasures Copyright by
EC-COUIICil
(rtifwtf
CEH
ilk 4 1 > Hhw
Drawing target's network diagram gives valuable information about the netw ork and its
Intranet
DMZ
Intranet
EC-COUIICil
In tra n e t
DM Z
In tra n e t
EC-C0UnCil
CEH
LANsurveyor discovers a netw ork and produces a com prehensive netw ork diagram
Features
A uto-generate N e tw o rk Maps Export N e tw o rk M aps to Visio A u to -d e te ct Changes Inventory M anagem ent N e tw o rk Regulatory Compliance N e tw o rk Topology Database M u lti-le v e l N e tw o rk Discovery
aao
LANsu
LANsurveyor
h ttp :/ /w w w .so la rw in d s .c o m Copyright by EC-CtinCil. All Rights Reserved. Reproduction is Strictly Prohibited.
EC-COUIICil
i;. File
l
.
a
B X
! 3
so la rw in d s
100V.
i~
BH & S I Network Segments (1)
SO
IP Addresses (5) Domain Names (5) Node Names (5) IP Routers J5L LANsurveyor Responder Nodes : H SNMP Nodes SNMP Switches/Hubs l - C SIP (VoIP) Nodes Layer 2 Nodes ^ Active Directory DCs 1 ft. Groups
DEMONSTRATK
LANsurveyor
For Help, press F1
EC-C0UnCil
C EH
O p M anag er is a netw ork monitoring softw are that offers advanced fault and perform ance m anagem ent functionality across critical IT resources such as routers, W A N links, switches, firewalls, VoIP call paths,
Fe a tu re s
O p M arag t?) J J J J J J J J -l -l Availability and Uptime Monitoring Network Traffic Analysis IP Address Management Switch Port Mapper Network Performance Reporting Network Configuration Management Exchange Server Monitoring Active Directory Monitoring Hyper-V Monitoring SQL Server Monitoring
qmnoo < 1nln 1iv UvoJ K ip u o gvm a pailtmwirv wrn iptonto m m ci fro n t ta> Nm scMin! wur co rw iM r/tw ftdi x tl* aavca
SAMPLE MAP
5;
!
9s, \ r.
*TY '
\ : 3 * / jf- .
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
9 9 9
EC-C0UnCil
CEH
a i i s is 1 1
t q. *. +
- I N Q D s i S B a
Discover TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and W M I
h ttp ://w w w .n e tw o rk v ie w .c o m
EC-COUIICil
NetworkView - [NetworkViewl]
f t
- =
F1 l
Edit
View
Lists
logs
Window
Help
-an a
1 11 1 ) 1 0111 2
a
Q
a s s q 0
B
III *Mi l i t 1( * Mioh fM W
N otY * I Tfcy*
** |A .~ L m m|^ # 1
*1
HR
^Txiww(m < 1 0 0 4 )]
Monitoring is Off
0Polls
0 Mails Sent
Modified
EC-C0linCil
EH
Allows you to draw your own maps and add custom devices Supports SNMP, ICMP, DNS, and TCP monitoring for devices that support it Direct access to remote control tools for device management Supports remote Dude server and local client
EC-COUIICil
'
Sr>01
Qk o
'
WINMSSELCK4K41
fi
10006
WINOOV1S8 WIN-LXQN3WA3R9M
WIN-O 3SMR5HL9C4
EC-C0UnCil
CEH
HP Network Node Manager i Software
h ttp ://w w w 8 .h p . com
FriendlyPinger
h ttp://w w w .kilievich.com
NetMapper
h ttp ://w w w .o pnet.com
(fT u le
j s i
Ipsonar
http://w w w .lu m eta.com
M
k M !
CartoReso
h ttp ://carto reso . campus, ecp.fr
11
Spiceworks-Network Mapper
h ttp ://w w w . spice w orks. com
HR
NetCrunch
h ttp ://w w w .a d re m so ft. com
EC-COUIICil
1 9 1
r-^r-n
; Prepare Proxies
Banner Grabbing
This section describes how to prepare proxies and how an attacker can use them to launch attacks.
EC-C0l1nCil
P ro x y S e r v e rs
A proxy is a network computer that can serve as an interm ediary for connecting with other computers
CEH
As an IP addresses multiplexer, a proxy allows the connection of a number of computers to the Internet while having only one IP address
Proxy servers can be used (to some extent) to anonymize web surfing
Proxy Servers
A proxy is a network computer that can serve as an intermediary for connecting with other computers. You can use a proxy server in many ways such as: 0 Asa firewall, a proxy protects the local network from the outside access 9 As an IP address multiplexer, a proxy allows a number of computers to connect to the Internet when you have only one IP address 9 To anonymize web surfing (to some extent) Q To filter out unwanted content, such as ads or "unsuitable" material (using specialized proxy servers) 9 To provide some protection against hacking attacks 9 To save bandwidth Let's see how a proxy server works. W hen you use a proxy to request a particular web page on an actual server, it first sends your request to the proxy server. The proxy server then sends your request to the actual server on
behalf of your request, i.e., it mediates between you and the actual server to send and respond to the request as shown in the following figure.
Attacker
Target Organization
FIGURE 3.57: Attacker using Proxy Server
In this process, the proxy receives the communication between the client and the destination application. In order to take advantage of a proxy server, client programs must be configured so they can send their requests to the proxy server instead of the final destination.
EC-C0UnCil
CEH
(rtifWd ithiul lUckM
To mask the actual source o f th e a tta c k by im p e rs o n a tin g a fake source address o f th e proxy
To remotely access intranets and o th e r website resources th a t are n o rm a lly o ff lim its
To interrupt all the requests sent by an a tta cke r and tra n s m it th e m to a th ird d e s tin a tio n , hence v ic tim s w ill o n ly be able to id e n tify th e proxy server address I
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
U se o f P ro x ie s fo r A tta c k
Direct attack/ No proxies
CEH
! s * 5 Logged Proxy
Case 1: In the first case, the attacker performs attacks directly without using proxy. The attacker may be at risk to be traced out as the server logs may contain information about the IP
address of the source.
Target
Case 2: The attacker uses the proxy to fetch the target application. In this case, the server log
will show the IP address of the proxy instead of the attacker's IP address, thereby hiding his or
EC-COUIICil
her identity; thus, the attacker will be at minimum risk of being caught. This will give the attacker the chance to be anonymous on the Internet.
Attacker
Logged Proxy
Target
Case 3: To become more anonymous on the Internet, the attacker may use the proxy chaining
technique to fetch the target application. If he or she uses proxy chaining, then it is highly difficult to trace out his or her IP address. Proxy chaining is a technique of using more numbers of proxies to fetch the target.
Attacker
EC-C0UnCil
P ro x y C h a in in g
M
.................... IP: 20.10.10.2 Port: 8012
Ha
M
.................... < IP: 20.10.15.4 Port: 8030
>
M
IP: 10.10.20.5 Port: 8023
User
Encrypted/unencrypted traffic
N
IP: 20.15.15.3 Port: 8054 IP: 15.20.15.2 Port: 8045
m
IP: 10.20.10.8 Port: 8028
Unencrypted traffic
1. User requests a resource from the destination 2. Proxy client at the user's system connects to a proxy server and passes the request to proxy server 3. The proxy server strips the user's identification information and passes the request to next proxy server 4. This process is repeated by all the proxy servers in the chain 5. At the end unencrypted request is passed to the web server
Proxy C haining
Proxy chaining helps you to become more anonymous on the Internet. Your anonymity on the Internet depends on the number of proxies used for fetching the target application. If you use a larger number of proxy servers, then you will become more anonymous on the Internet and vice versa. W hen the attacker first requests the proxy serverl, this proxy serverl in turn requests another proxy server2. The proxy serverl strips the user's identification information and passes the request to the next proxy server. This may again request another proxy server, server3, and so on, up to target server, where finally the request is sent. Thus, it forms the chain of the proxy server to reach the destination server as shown in the following figure:
m
IP: 20.10.10.2 Port: 8012 IP: 10.10.20.5 Port: 8023 IP: 20.10.15.4 Port: 8030
User
Encrypted/unencrypted traffic
m
IP: 15.20.15.2 Port: 8045
................... V
............................... >
Unencrypted traffic
EC-COUIICil
U rtifW tf IthKJi lU c k M
CEH
EC-COUIICil
Proxy Workbench
0 5 -isU - 6
Montana :!avya [132 168 168 170) ^ SMTP Outgoing e-mad (25)
POP3 Incoming c nvjd (110)
m
Event So( 7 PageloH J ^ j 4 J ] W 491 bytes of iata has been chnft. 121449538
(127 0 01 20750)
Dead (13:1825741) Dead (131825736) Dead (111825 711) Dead (131825 724)
Dead (131825717)
127001 fin
B
(1270 01 20750) FVB has (**connected horn the remote ckent 131513209 the remote server has disconnected 1315:13208
Dead(131825625) Dead(111825620) Dead (111825.586) Dead (111825579) Dead (1118255741 P Dead (111825 566) P Dead (111825 558) P Dead (111825552) t l Dead 11118255431 Memay 8 KByte*
Socke
EC-C0UnCil
P ro x y Tool: P ro x ifie r
Prox-fie1 is a program that a ows r>etwork appicatons that do f> ot support working through proxy servers to operate through an HTTPS or SOCKS proxy or a chain of proxy servers
C|EH
m p j/w w wp r o a f r a o m
!B yK'CMAjV. M j arn: *s t2-d?rjSfit3y c*C
Features:
e 9 Q You can access the Internet from a restricted network through a proxy server gateway It hides your IP address It can work through a chain of proxy servers using different protocols It allows you to bypass firewalls and any access control mechanisms
EC-COUIICil
1a
E l !1
1j
**
Application ^mstsc.EXE (5044) 64 cxplore.exe (4704) ie3plore.exe (5664) lsvchost.exe (376, System) 64 ^ svchcst.exe (376, System) 64 4$ !explore.exe (164)
Taiget 192.168.2.40:3389 www.l.google. com:80 [fe80::90bl:83b:c743:f49b]:80 IPv6 www.update.m crosoft.com lbl.www.ms.akadns.net443 www.microsoftcom:8080 Statistics
Tm e/ Status 01:25 01:14 Closed 01:12 00:44 00:42 Failed 00:21 Connecting
Rule: Proxy Default: proxy.example.net:1080 Proxy2: proxy.example.net:1080 Local: Test proxy chain Default: proxy.example.net:1080 Default: proxy.example.net:1080 HTTPS: proxy2.example.net:8080 Default: proxy.example.net:1080
:8 0
www.update.microsoft.com:443
@txplore.ece (2776)
st Connections uA.Traff1t
0 0
0 0
[19.591 svchost o (37S. System) $4 -resolve y.-wupdaejniaraAconi DNS [19 59] r/chost exe (37S. System) *64 resolve w.vw update rm croso*t cot DNS [1959] svchost exe (37G. System} *84 www update microsoft com 442 matchmQ Defadt rde : usng proxy proxy.examptent:1080 [1959] svchost exe (376. System) *64 - www update microsoft c o t 44 open through proxy proxy example net 1080 [1959] svchost exe (375. System) *64 download.w1ndow3update.com 80 dose. 5S1 sert. 1183 bytea (1-15 KB)received, bfebme 00 05 [19 59] svchost exe (376. System) *64 resolve download wmdowsLpdate com DNS [1959] svchost exe (376. System) *64 resolve download.wndowsupdate.com : DNS [19 59] svchost exe (375. System) *64 download windowsupdate com 80 matchrtg DefaJt aie usng proxy proxy example net 1080 [1959] svchost exe (376. System) *64 dowrload.wnndowsupdate .com 80 open through proxy proxy example net 1080 [20 00] svchost exe (375. System) *64 download.w1ndowsupdate.com 80 dose. 175 bytes aert. 256 bytes recerved. tfebme 00:04 [20 00] explore exe (164) - lb 1 www ms akadns net 443 matching HTTPS rule using proxy proxy2 example net 8080 [2000: expkxeexe (2776) www nxrosoft com :8080 matchna Default aie ue>g proxy proxy example net 1080 120 00] explore exe (4704) www I aooale com 80 dose.1560 bvtes (1 52 KB) sert 13451 bytes (13 1 KB) received Ifetme00 59 [20 00] !explore exe (5664) - www I cooole com SO dose. 1456 byte (1 42 KB) ter( 26617 bytes (25.9 KB) received Ketime 01 11 [20 00] explore exe (5664) vyyvw J,Q0QQle.cQm-gO dose. 3530 bvtes (3 44 KB) sert 722 bytes received fcfeUneOI 11 [20 00] explore exe (4704) www I cooole com 80 dote. 3413 bytes (3 33KB)set 13881 bytes (13.5 KB) received Hettne 01 14 ]20 00; ewlore exe :1641 b 1 www ns akadns net 443 error Codd not conned ttwoutfi proxy prexy2 example net 8090 Readno proxy replay on a connedwn reouest faled wth e or 10054 [2000] svchost exe (376. System) *64 www update microgoft com 8C dose. 172 bytes sent. 262 bvtes received, tfetme 01:01 Ready 7 active connections Down 0 6/sec Up 0 B/sec
System DNS
EC-C0UnCil
C EH
File
Edit
Actions
View
Help
p l
State (Anonymous) Respo- _ * 603ms | Crxrtry | FRANCE
PKwy Scanner ^ New(0) High Anonymous (19) j.... SSL (26) Bite (30) Dead (7220) Basic Anonymity (212) -E" Private (53) Dangerous (148) My Proxy Servers (0)
91.121.21.164:3128
ns1homenux.ccm:3l28 hherphpo.hchdtmc.edu:80 170.57.24.100:80 81 180 75142 8080 66-162-61-85stabc:tvrteJe $ 194 160 765:80 arr,3c 3 mnedu sk 80 g 147.46.7.54:8088 ,J f 159226 3 227:80 121 52148 30 8080 208-74-174-142sayfanet 31
- 01 10ATC i n . , ______
Server
ProxySwltcherfO)
(Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous)
/_________ x
1092ms 1612ns 1653ms 1882ms 2200ns 2319ms 2324ms 2543ns 2641ms 268ins 269am
n - .
(FRANCE UNITED STATES UNITED STATES | REPUBLIC OF MOLDOVA UNITED STATES M i SLOVAKIA SLOVAKIA > : REPUBLIC OF KOREA { j CHINA B PAKISTAN UNITED STATES
DCDIIQI IT < > C MAI fV> \/A
I * ^ |
K w p A K v e IfA g oS w c h
98 181 57.227:9090 tested as [Eke-Anonymous] cocreo diresacallao 90b pe: 80 tested as [Dead] smtp spectrum networks net :80 tested as ((Bite-SSL)J f-kasklab50a.eti.pg gda pi :80 tested as [Eie-Anonymous] cofreo disacallao gob pe:80 tested as [(Qite-SSL)] Hiah Anonvmous/SSL 0/6
Features:
9 Q It hides your IP address It allows you to access restricted sites It has full support of password-protected servers
EC-COUIICil
S * Proxy Switcher PRO ( Direct Connection ) File Edit Actions View Help
@ l # l
X I
d a a a i i > j* a j ii
91.121.21 164:3128 ,f ns1.homenux.com:3128 & ,f if ,f
State (Anonymous) B i )19 ( (Anonymous) hherphpo.hchd.tmc.edu:80 (Anonymous) 170.57.24.100:80 (Anonymous) 81.180.75.142:8080 (Anonymous) 66-162-61 -85.static tvvtele (Anonymous) 194.160.76.5:80 (/Vionymous) amac3.minedu sk:80 (Anonymous) 147.46.7.54:8088 (Anonymous) 159.226.3.227:80 (/Vionymous) 121.52 148 30:8080 (Anonymous) (Anonymous) 208-74-174-142.sayfa.net:31 .# 01 10n 7 C M o .* -----------\ /A
Server
^Proxy Scanner 5 New # ! )0( High Anonymous SSL )26( .. E ? Elite )30( | B Dead )7220( Basic Anonymity )212( j.. f Private )53( Dangerous )148( My Proxy Servers )0( ;.. ProxySwitcher )0(
S r
Respo... * Country 603ms 1 FRANCE 1092m s I I FRANCE UNITED STATES 1612ms * UNITED STATES 1653m s 1882ms I I REPUBLIC OF MOLDOVA * UNITED STATES 2200ms SLOVAKIA 2319ms SLOVAKIA 2324ms REPUBLIC OF KOREA 2543ms CHINA 2641ms 2683ms K 9 PAKISTAN UNITED STATES 2698ms DCPI ip i irn c uni nn\/4 -
>
Disabled ~]
Keep Alive
1 1 Auto Switch
O w1 w uv.proxysw vjtcher.com
98 181.57.227:9090tested as [Bite-Anonymous] correo diresacallao gob pe:80tested as [Dead] smtp spectrum-networks net:80 tested as [(Bite-SSL)] f-kaskJab50a eti pg gda.pl :80 tested as [Bite-Anonymous] correo disacallao gob pe:80tested as [(Bite-SSL)] High Anonvmous/SSL 0/6
EC-C0UnCil
P ro x y Tool: S o c k s C h a in
J SocksChain transm its the TCP/IP applications through a chain of proxy servers
im ttiM
CEH
tUx*l lUckM
Ufasoft SocksChain
View Tools Help firefox To [64.4.11.42]:80 3 connections m m ^ m m 1 0 ! 0 To [65.55.57.27]:80 2 connections To [123.176.32.147]:80 13 connections To [64.4.11.301:80 2 connections To [123.176.32.1361:80 1 connections
LdfLJ
9 To [65.54.82.157]:80 2 connections chrom e Through SE05411D17AFD6752EE36392EE4E42CAFB8A45D09=shadowhouse. S626F206838B0EA12CFCA5CE91 3 To www.certifiedhacker.com(202.75.54.101]:80 6 connections S I To safebrowsing.google.com[74.125224.73!:443 1 connections To safebrowsing-cache.google.com[74.125.224.67J:443 !c o n n ectio n s 1 7 1 ^ iexplore 0 PING
III
V
I>
D V U C E K O n ? ?0 C K 8b B 0 i.0 C 0 r^ 0 C K 2 JV D D K E 2 ^ e 2 ? 8 5 m:8 0
S blUG
http://ufasoft.com
EC-COUIICil
K
File
Ufasoft SocksChain
m
B
View
Tools
Help
firefox Through SE0S411017AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9I 9 To [64.4.11.42]:80 3 connections 9 To [65.55.57.27]:80 2 connections To [123.176.32.1471:80 13 connections To [64.4.11.301:80 2 connections _ To [123.176.32.136):80 1connections To [175^41.150-21:80 1 connections
!explore PING
< I
> I
EC-C0UnCil
C EH
Anon ym ity
P rivacy
Ensures the privacy of both sender and
Security
Provides multiple , layers of security f to a message
recipient of a message
n
Encryptio n
Encrypts and decrypts all data packets using public key encryption
.
T o r Proxy
The initiating onion
View the Network Use a New Idertty B , Bandwidth ! ^ph O H#ip 0 About
Proxy Chain
Uses cooperating V proxy routers J throughout the network
Mcuogc Lug
3 Show ttii* winflow on ttirnn
SclU1g
Q cxt
https://www.torproject, org
relationships, and state security known as traffic analysis. You can use Tor to prevent websites from tracking you on the Internet. You can also connect to news sites and instant messaging services when these sites are blocked by your network administrator. Tor makes it difficult to trace your Internet activity as it conceals a user's location or usage.
Features:
9
9 9
Provides anonymous communication over the Internet Ensures the privacy of both sender and recipient of a message Provides multiple layers of security to a message Encrypts and decrypts all data packets using public key encryption Uses cooperating proxy routers throughout the network The initiating onion router, called a "Tor client" determines the path of transmission
9 9 9
EC-COUIICil
4)1
Vidalia Shortcuts Stop Tor
# #
Setup Relaying
Help Settings
About fc^ Ex it
Hide
EC-C0UnCil
P ro x y T ools
Burp Suite
h ttp ://w w w .p ortsw ig g er.n e t
CEH
Proxy
h ttp://w w w .analogx.com
Proxy Commander
http ://w w w . dlao. com
Proxy+
h ttp ://w w w .p ro xyp lus.c 1
Gproxy
h ttp ://g p a ssl.co m
11
! ! 1
FastProxySwitch
http://affinity-tools.com
Fiddler
http ://w w w .fiddler2.com
ProxyFinder
h ttp ://w w w .p r oxy-tool. com
Proxy Tools
In addition to these proxy tools, there are many more proxy tools intended to allow users to surf the Internet anonymously. A few are listed as follows: 9 9 9 9 9 Q 9 Burp Suite available at http://www.portswigger.net Proxy Commander available at http://www.dlao.com Proxy Tool Windows App available at http://webproxylist.com Gproxy available at http://gpassl.com Fiddler available at http://www.fiddler2.com Proxy available at http://www.analogx.com Protoport Proxy Chain available at http://www.protoport.com
EC-COUIICil
P ro x y T ools
(Contd)
ProxyFinder Enterprise
h ttp :/ /w w w .p ro x y -to o l. com
CEH
Socks Proxy Scanner
h tt p :/ / w w w . m ylan vie wer. com
ezProxy
Ml
h tt p :/ / w w w . ode. org
Mil
A
_
Charles
h ttp ://w w w .ch a rle sp ro xy.co m
UltraSurf
h ttp ://w w w .u ltra s u rf.u s
CC Proxy Server
h tt p :/ / w w w . youngzsoft.net
FoxyProxy Standard
http s://ad d on s.m o zilla.o rg
h
9 9 9 9 9 9 Q 9 Q 9
------ The list of proxy tools mentioned in the previous slide continues as follows:
EC-COUIICil
F r e e P ro x y S e r v e rs
A search in Google lists thousands of free proxy servers
(rtrfwtf
ClEH
IStkKJl lUckM
u a p s
vMk i
Proxy 4 Free - F re e Proxy S t r v t r t - protect Your Q n e Prrvacv aW1 wvtw proxy4tree ocmj Proxy 4 Free is a free proxy list and proxy checker c rowdtng you Mti r* be?free proxy serversfor over 9 years Qursor^sticaieo cnec3n5 systemmeasuresList Country Rating Access Tim ust of F r Proxy 5 t r v r t -Page 10 0 wwwproxy4tree cofnnistfive&proxyl htm i Free Proxy, Anontm izer, VPN. Proxy 4 Free Proxy uil, IP Test, *nccr-i* uemu HOMEADD YOUR PROXY U 3 1of tree Proxy servers Pgel0M0~
N w
ShopplOQ W ore Show seaicn tools
Hid*myMS.comipf0xy-JisV Fr proxy list md*x.lh lwg**t Mirn* database ofcu&fe proxy fvr :rin
H ide My A>8! F rtt Proxy ana Privacy Toots - sun Tne w co ...
nifl0mv0M.c0riv Wot!proxy fioo) M cAtgg SECURE cilo t. lolpkeec > M 1 s*fofcon1 . trA: . w t. civdit caid fraud, spywat. Us our It proxy to twl nonyrrsously crtn* ! F re e Proxy S e rv e r - surr ! r r ,\ r r A-nnymn. is rreeproxynerver net/ Surrm* wen anonymously with our tree proxy server Free Proxy Server TurbLHUu.
ssasssssasssr
= 2
Bar
iN w
y ir j
1 :1 '
Public Proxy Servers F ree Proxy Server l s i wvcttpuDlicproxyservers.conv Pu&lic Proxy Servers is a tree and 1 dependent proxy :he:an; 5sm Cur ser.ice neips you to protectyouriaentity ana Dypass surfing restnrSons s!rce 2002
( j O . )g ie
3 I
Search
Wo
Prosy 4 Free Free Proxy Servers Protect Your OMne Pnvacv *I wwpnMry4nrMC0rv proxy servers fo * w 9 )an Ow List County Rasng tcctii T r O k w j h u m ^NtfM _
Prosy 4 Free Fr Proy Servers Protect Your OMne Privacy _ wa piMfti* comu -CSCftM Smear Prony 4 Free *al
** 5 5 * * ** siw. * * *s
U tta ifie e Pfoxj server* l y 1 ai 1 8 www!*o*if4lrecorA1rweapreey1 Nn Frt Pron *noam&t VPN Pto! 4Fie Pror Ust P Test Aownn tCNU HOUE-400 YOUR PROXY list* rreePmcjSenwrs ?9*10(10Fr P'DBtv Lst -Puf'K proxy Server p PORT noe Mir Am * iwdemyMS cem^rwy* fr p ro ) 1 rO*1 tvsieicsstisi* *M K 4 l (/euCtcpreay serrTSorSr* fuaehaAm Free P r o g a a iilM U .T flBft au t T n g m e -m Art proxy tH Mc^lMSeCURlMMMxee>M#ftente*<Vw aeot cardtswd us ft* Iree proty 10 u**s*s*r1es> 1 ote i m i . ^ B e B -
---------------- I
f B
. . H
l| V W > Y
Prat Proxy Server _ Iu it t t t te . to W M c s m mr Tt*Mt4s**epnMy server -oear , m i r a M M i m w a M orowsieg too mae ** a* se e *me 1*soure*aM s**mc* _
.1
PiAftc Proxy Servers Free Proxy Server us! .4 ww|M<t*t#eaysevws ceev PuoscPro V im s it t Iim and n a m U ii p> o (**sang < C X 0 same *'iou 0proletl tour o sr ! mo & * si*v*j m iksm i s r a 3903
CEH
( (port 80)
<
EC-COUIICil
49
M
Router HTTP Proxy or Firewall HTTP Tunnel Servers receive and relay the data
M -
End Users use HTTP-Tunnel to transmit or receive data through Firewall &
The HTTP tunneling technique is used in network activities such as: 9 9 9 9 Streaming video and audio Remote procedure calls for network management For intrusion detection alerts Firewalls
EC-C0UnCil
FTP
v
HTTP Tunneling client running on local port
Q 1 Q a ! ...... Q
Internet
Suppose the organization has blocked all ports in your firewall and only allows port 80/443, and you want to use FTP to connect to some remote server on the Internet. In this case, you can send your packets via HTTP protocol as shown in the following figure:
EC-COUIICil
IN S ID E T H E N E T W O R K
FTP C lie n t
fL - s
ftp
S o ftw a re
v
HTTP T u n n e lin g c lie n t ru n n in g o n lo c a l p o rt
S 3 B
FIGURE 3.69: Effect of HTTP Tunneling on both Inside and Outside the Network
EC-C0UnCil
CEH
EC-COUIICil
ik
Start
# H - a
Setup Lot A dd
OragBox
& .
R in Heto
J1
About
Use Rin Game WthGameGuard Mode Q Use Real Remote Dn* Resolve Send Speed Recv Speed Server Total Threads(nctude cache)
[
IP
7
Ctent Stop
: |
EC-C0UnCil
http://www.http-tunnel.com
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
EC-COUIICil
%J
file Wy gettings He*p Log Help
Configuration
r A u to d rfa ct
Conhgue > EnierKey Mad Support Ex*
< NoPto*
c |
Connections
< 1 1 56 11> RIP Pnged serve* to keep use! togged n |<11 56 11> RetrievelP Log Window Geared
Advanced U*an
Fa advanced men only create cart act $4*100* lot r Thn option Mi *atficaly tove performance i t supported by fou ptoaty Th mi vol. ONLY I you Save a protry Tha cornaclcn lett doat not 1fJ #w opton r Ptoay *w CONNECT" camtnd
# 0
User Guides
** *!
N ewl%ym ar Pmtwr
$3.99 a m onth/year
Oil**Port MT TP Tcm* Inf a n t on Port 1080 l e iconrecbon! baai KX^D ktm Chingt *m I ^ u M p a t 1000 r * UM you h>4 HTTP I m l You n k n 10 1*cort9 # you wpfcMra and MUD HTTP T>mal
Chck Here h t t p t u n n e i
Munifo( I in 1* Anywli
Key not found Free Server Mode.
fioio
0 KB Up/0 KB Down
IP Retrieved(. 149]
EC-C0UnCil
B ssh - f u s e r @ c e r tifie d h a c k e r .c o m - L 5 0 0 0 :c e r t i f i e d h a c k e r . co m :25 -N - f => background mode, u s e r S c e r t i f i e d h a c k e r . com => user name and server you are logging into , -L 5000 :c e r t i f i e d h a c k e r . com : 25 => localport:host:remote-port, and -N => Do not execute the command on the remote system
This forwards the local port 5000 to port 25 on certifiedhacker.com encrypted Simply point your email client to use localhost:5000 as the SMTP server
SSH T unneling
SSH tunneling is another technique that an attacker can use to bypass firewall
restrictions. It also helps you hide your IP address on the Internet; therefore, no one can trace or monitor you. The prerequisite of SSH tunneling is raised from the problems caused by the public IP address, the means for accessing computers from anywhere in the world. The computers networked with the public IP address are universally accessible, so they could be attacked by anyone on the global Internet easily and can be victimized by attackers. The development of SSH tunneling solves the problems faced by the public IP address. An SSH tunnel is a link that proceeds traffic from an indiscriminate port on one machine to a remote machine through an intermediate machine. An SSH tunnel comprises an encrypted tunnel, so all your data is encrypted as it uses a secure shell to create the tunnel. Creating a tunnel for a privately addressed machine needs to implement three basic steps and also requires three machines. The three requisite machines are: 9 9 9 Local machine An intermediate machine with a public IP address Target machine with a private address to which the connection must be established
EC-COUIICil
You can create a tunnel as follows: 9 Start an SSH connection from local machine to the intermediate machine with public IP address. 9 Instruct the SSH connection to wait and observe traffic on the local port, and use intermediate machine to send the traffic to an explicit port on the target machine with a private address. This is called port acceleration or port forwarding. 9 On the local machine, select the application that you want to use for connection with the remote machine and configure it to use port forwarding on the local machine. Now, when you connect to the local port, it will redirect the traffic to the remote machine. To secure communication between computers, SSH uses private and public encryption keys. The public encryption keys used by the SSH tunneling deed like the identifiers of the authorized computer. On initiating an SSH connection, each machine exchanges public keys, but only the computer that has the matching private key can attain access to the remote computer applications and information and can read encrypted communications with the public key. f t
Mail Client
< i
DB Server Mail Server ! 09 ........... ___ SSH P erim e ter Controls Server App Server W ebserver
DB Client %
I n*
A tta ck e r
<
SSH
3
Internet
*4
t
App Client
Web Client
f !'<
C lient
OpenSSH
Source: http://www.openssh.org OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. OpenSSH can be used to tunnel the traffic on local machine to a remote machine that you have an account on.
ssh -f user@certifiedhacker.com -L 2000: certifiedhacker.com: 25 -N -f = > backgroung mode user@ certif iedhacker.com=> user name and server you are logging into -L 2000: certifiedhacker.com: 25 = > I0calp0rt:h0st:rem0tep0rt -n = > Do not execute the command on the remote system
This essentially forwards the local port 2000 to port 25 on certifiedhacker.com encrypted. Simply point your email client to use localhost:2000 as the SMTP server.
EC-C0l1nCll
C EH
SSH Client includes powerful tunneling features including dynamic port forwarding through an integrated
^
Download Queue Log Log
Upload Queue
a i Download Queue
O
Name
St
] $
(3 Size
c.\prog1am files (xS6 }',b1 t/isetunnelier Type Date Modifed 2006-12-25 0... 2006-12-25 0... 2006-12-25 0 2006-12-25 0 2006-12-25 0... 2006-12-25 0... Attributes A A A A A A A A A A A A
s >
Q kM erm cexe
286,720 Application 1.265.664 Application 20.480 Application 1,597.440 Application 2,002.944 Application 2.150,400 Application 1,650,688 Application 372,736 Application
Nome k Log*
S/ glcl:tgc.oxo
i "7 log exe L sense exe sftpc.exe iis3h<J3tg3 0xe B7stetmc tutermc.ee
bv^Ad.oxo
I7 b v R in exe F b w m s bo* ; SCP.OXO
2009-12-25 0
2006-12-25 0... 2006-12-25 0... 2006 1 2-25 0...
* 1StcPuginSomple.cpp SlpRuginSompI# d l l E Z s f c p i . f i n e
7 CCMCtf.OXO
Turn 0 1lor.oxo 6.193.152 Application S ju n in31.exe 552.256 Application vtlOOtdx 6,066 T D S Fils xtermtde 6,066 T D SFilo
^sowoxecoxe
2006-12-25 0
2006-12-25 0...
Pumrsiexe
Li Overwrite
EC-COUIICil
-_/^Log R e m o te Files
c:\program files (x86)Vb1tvise tunrieher Type Date Modifed 2006-12-25 0... 2006-12-26 0... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0... 2006-12-26 0... 2006-12-25 0... 2006-12-26 0... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0... Attributes A A A A A A A A A A A A
O Name 1 Logs
*2
} fit
/c /program files (x86)/b!tvise winsshd Size Type ate Modited 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0.. 2006-12-25 0. . 2006-12-25 0.. 2006-12-25 0 2006-12-25 0.. 2006-12-25 0
Name ntvterrnc.exe ff gldstgs.exe I 7 log.exe sexecexe F sftpcexe sshdstgs.exe F stermc.exe Q toterm cexe ; ' Tunnelier.exe J | u n 1rstexs vtlOC.tds xlerm.lds
286.720 Application 1.265.664 Application 20.480 Application 1.597.440 Application 2.002.944 Application 2. 50.400 Application 1.650.688 Application 372.736 Application 6,193.152 Application 352.256 Application 6.066 6.066 T D S File T O S File
0 File Folder
167,936 Application 188.416 Application 208,896 Application 294.912 Application 15,961 C Sour... 23.480 Applicati... 610,304 Application 2.763,704 Application 45,056 Application 2.211,840 Application 192,512 Application 352,256 Application 2.338,816 Application 3.461.120 Application 445,464 Application 2.666.496 Applicati... 3,768 Overwrite Interlace Start ]
bvPwd exe
bvRun.exe bvterms exe ' scp.exe c~ SttpPlugmSample.cpp SftpPluginSample.dll ' sftps.exe F F sshdctrl.exe sshdexecexe
' sshdstgs.exe F toterm exe F uninstexe F wctg exe F W inSSH D .exe WinsshdActStateCheck exe WinsshdCfgManip.dll i WinsshdCtgManip idl
S fB in arv
; Resume
JPjDindiy
Resume
EC-C0UnCil
A n o n y m iz e rs
J An anonymizer rem oves all the identifying inform ation from the user's computer while the user surfs the Internet J J Anonymizers make activity on the Internet untraceable Anonymizer tools allow you to bypass Internet censored websites
C EH
A nonym izers
An anonymizer is an intermediate server placed in between the end user and web site that accesses the website on behalf of you, making your web surfing untraceable. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http :), file transfer protocol (ftp :), and gopher (go p her:) Internet services. To visit a page anonymously, you can visit your preferred anonymizer site, and enter the name of the target website in the Anonymization field. Alternately, you can set your browser home page to point to an anonymizer, so that every subsequent web access will be anonymized. Apart from this, you can choose to anonymously provide passwords and other information to sites that request you, without revealing any other information, such as your IP address. Crackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their applications configuration menu, thereby cloaking their malicious activities.
EC-COUIICil
Ensures privacy: It protects your identity by making your web navigation activities
untraceable. Your privacy is maintained until and unless you disclose your personal information on the web by filling out forms, etc.
Protect you from online attacks: Anonymizers protect you from all instances of online
pharming attacks by routing all customer Internet traffic via the anonymizer's protected DNS servers.
Bypass IDS and firewall rules: Bypassing of firewalls is mostly done in organizations or
schools by employees or students accessing websites they are not supposed to access. An anonymizer service gets around your organization's firewall by setting up a connection between your computer and the anonymizer service. By doing such, firewalls can see only the connection from you to anonymizer's web address. The anonymizer will then connect to Twitter or any website you wanted to access with the help of an Internet connection and sends the content back to you. not to Twitter or other sites. For your organization, it looks like your system is connected to an anonymizer's web address, but
Anonymizers, apart from protecting users' identities, can also attack the website and no one can actually detect where the attack came from.
N e tw o rk e d A n o n y m iz e rs
___
These type of anonymizer first transfers your information through a network of Internet computers before sending it to the website. Since the information passes through several Internet computers, it becomes more cumbersome for anyone trying to track your information to establish the connection between you and anonymizer.
Example: If you want to visit any web page you have to make a request. The request will first
pass through A, B, and C Internet computers prior to going to the website. Then after being opened, the page will be transferred back through C, B, and A and then to you.
EC-C0UnCil
Disadvantage: Any multi-node network communications have some degree of risk at each node
for compromising confidentiality
___
' ^
S in g le -p o in t A n o n y m iz e rs
Single-point anonymizers first transfer your information through a website before
sending this to the target website, and then pass back information, i.e., gathered from the targeted website, through a website and then back to you to protect your identity.
Advantage: IP address and related identifying information are protected by the arms-length
communications
EC-C0UnCil
Bloggers and journalists in China are using a novel approach to bypass In tern et filters in their country - th ey w rite backwards or from right to left
IF H BOTHERS YOU THAT THE CHINA SCVEMflENT DOES IT ! IT SHOULD 9CTVCR YOU WHEN YOU* CABLE COMPANY DOCS IT 1 "
'h e r ^rZle m
chi
packets co aSrbet,
<\ -
I f
F ilte rs in C h in a
C a s e : B lo g g e r s W r it e T e x t B a c k w a r d s to y p a s s W e b
China is well known for its implementation of the "packet filtering" technique. This technique detects TCP packets that contain controversial keywords such as Tibet, Democracy, Tiananmen, etc. To bypass Internet filters and dodge the censors, bloggers and journalists in China are writing the text backwards or from right to left. By doing so, though the content is still in human readable form, the text is successful in defeating web filtering software. Bloggers and journalists use vertical text converter tools to write the text backwards or from right to left and vertically instead of horizontally.
CEH
1 It bypass the content-filtering systems of countries like China, North Korea, Iran, Saudi Arabia, Egypt and others
Uncensored
http://psiphon.co
C o p yrigh t @ b y EG -G *ancil. All Rights Reserved. Rep rod u ctio n is S trictly Prohibited.
EC-COUIICil
P
O
O SSH
Psiphon 3
H I ]
o vp n s 1h
SSH
@ Don! proxy domestic web sites Client Version: 40 SSH connecting Localhost port 1080 is already muse SOCKS proxy is runrwig on locahost port 1081. SSH successfully connected HTTP proxy is rumng on locahost port 8080 Preferred servers: 2 SSH disconnected SSH connecting... Localhost port 1080 is already muse SOCKS proxy is rurmng on locafriost port 1081 SSH successfully connected HTTP proxy is rurmng on locahost port 8080 SSH disconnected Fix VPN Services faded nsuffoent pm nleges to configure or start service IKEE VPN connecting... VPN successfully connected HTTP proxy is rurmng on locatiost port 8080 VPN disconnected SSH connectng... Localhost port 1080 is already n use SOCKS proxy is rurmng on locatiost port 1081. SSH successfully connected HTTP proxy is rurmng on locahost port 8080 Unproxied autosinaxabout .com Unproxied: a1979.g akamai net Unproxied: bsm otorm g com Unproxied: a90g akamai net Unproxied: w w w baja!auto com Unprowed mypulsar com SSH disconnected SSH connecting Localhost port 1080 is already in use SOCKS proxy is running on locatiost port 1081 About Ps*> hon 3
Copyright by
EC-COUIICil
Your Freedom
Status | Streams | Account Profile Ports Messages Vouchers
j
_ E L
Applications About
Freedom Server External IP Address Server located in Open streams Bytes sent Bytes received Send rate (bytes/sec) Receive rate (bytes/sec)
https://em s29.your-freedom .de 443 83.170.106 56 UK, United Kingdom 0 2973 704 279 111|
Configure
Stop connection
Restart connection
Update?
Exit
III
Uplink 1.0 k
Downlink 0.4 k
EC-C0UnCil
h ttp ://w w w . w ebsitep u lse . com Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Ju s t p in g
Source: http://www.iust-ping.com Just ping is an online web-based ping tool that allows you to ping from various locations worldwide. It pings a website or IP address and displays the result as shown as follows:
EC-COUIICil
ju s t ^ p in g
UJHTCHm QU!
NAJCMNC CVtROMlM IlM NISk
U-jhg
e g p in a : yahoo
| |p r .g 1
con or 6 6 . 9 4 . 2 3 4 . 1 3 3 < C heck h t t p
t n m .f A c m b o c k .c o m
Singapore. U n k n o w n host: Singapore: vnr fa e e b o o k .c o m Anaterdaa2, Okay Netherlands Florida. U . S . A . : O k a y XaatcrdiaS. Okay He", h e r land* : H o n g Kor.rj , C hin* O k a y Sydney Okay Australia: UAtnchan. Okay Crnany: C o l o a n . SraanY:OkaY H a v Y ork, U.S.A. O k a y S tock ho la. Okay Sweden. S a n t a Clara. U.S.A.: V a ncouver. London. Kingdom. Madrid. Pad ova Auatin. U n i tod Spain: Italy: U.S.A.: Okay Okay Okay Okay Ok *y Okay Okay
91 O 83.3 91 .0 195 5 183.0 98 .2 106.1 82.5 124.2 28.7 34.1 98.2 125.3 113.9 73. 90.9
2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 :face b O O c 66. 2 2 0 . 1 4 9 88 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 :face b O O c 2 a 0 3 : 2 8 8 0 : 1 0 :lf02:fa c e : b O O c 6 9 .171.237.16 69.171 . 2 4 2 . 7 0 2 8 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 :f a c a b O O c : : 69.171 . 2 3 7 . 3 2 2 a 0 3 2880 2110 3f02 69. 1 7 1 . 2 2 8 70 2 a 0 3 : 2 8 8 0 : 1 0 If03 faca.bOOc 23 face bOOc 25
2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 3 :face:bOOc 65 63 189.74 2a03 2 8 8 0 1 2110 3 f02 t *e b O O c 2 a 0 3 2880 10 If03 fac b O O c 25 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f02 face bOOc
Natherlanda.
WebsitePulse
Source: http://www.websitepulse.com WebsitePulse provides remote monitoring services. It simultaneously pops websites from around the globe.
I B I ^ a IV W*t4 Tt C w C Aww.we&nepuis<.<on -.noo<v(tna1e$tvn! s i x
Tk* w#b S e iv tr aad W **dr M n tfc la S#rvk tnntfd bv 84% mUom an .. 1 ia 1 Tata > a t i Test results l Jh I m M Im T n M M i UCt Ut*4 H m hM M m U .H 4 I ChM 12-C42; l015?>tO(OT -00-00} ImImI lm > A ll M l fMted H n M A i; ft* T lt R V 3012-#-2 10 57 11 C (8MT CO 00) fca07/M*i<ata*fc4*w Sf.t7i.2J/-M 1 '** * A, j 1
Y < * J
W rtiU t
1 1
L IV E C H A T CWn, I 'f f E ! !
*tic* MU ( P N ^ c v m U ) n u (t
la N w H k tNs YTrbutr f r rr l r N Oar (feck Herr* 1mail m d h Save R rttA ) Pafona a acw l o t R c iw t a h v k k a
r #
Tm! Tm! * 0 v.
v
FIGURE 3.77: WebsitePulse Screenshot
EC-C0l1nCll
G-Zapper
G-Zapper - TRIAL VERSION
CEH
G Zapper
G-Zaocei = ntsctrg you! Search Piivacy Did you know - 3 0 0 gl9*teres a unique identifier in a cookie on your PC, which alow? them to track the kewkofdi yoo ssach fot. GZcppcr will ojtomalicdl/ dctcct and cban this cookie in your web b o w c . J j ; t jn G-Zaoce. ninini7 e the vinebw. and enjoy ycur enhanced search privacy
Google sets a cookie on user's system with a unique identifier that enables them to track user's web activities such as: e Search Keywords and habits Search results Websites visited
2'
Yoji irWtitj* wil h ofccutd fromprevious *ewcho* *ndG Z*pp*r wll m gulM ^i dean luhir cookie* To block and delete thGooge ceareh cook*, die*, the 8look Ccoki bjtton. (Gndl aid A0ier 1 > 1 ! be unavailable vitli the ojuke blocKcd)
Settings
G Z ap p er
Source: http://www.dummysoftware.com G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online. It automatically detects and cleans Google cookies each time you use your web browser. It is compatible with W indow s 95/98/ME/NT/2000/XP/Vista/Windows7. It requires Microsoft Internet Explorer, Mozilla Firefox, or Google Chrome and is compatible with Gmail, Adsense, and other Google services.
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
- You Google ID: (Frefox) 85%d451b86*738 Google instaled the cook* on: Tuesday. Jdy 03.2012 12:10:32 AM You searches have been backed 1 0149 days
Delete Cookie
Block Cookie
Test Google
EC-C0UnCil
Anonym izers
Mowser
h ttp ://w w w . m ow ser. com
E H
Spotflux
h ttp ://w w w .spo tflu x.co m
U-Surf
http://ultim ate-anonym ity.com
WarpProxy
http ://silen t-su rf. com
ps4
Anonymizer Universal
h ttp ://w w w . anonymizer, com
Hope Proxy
h ttp ://w w w .h o pep ro xy. com
Guardster
http ://w w w . guardster. com
Hide M y IP s a flH l
http://www.pri\/acy-pro. com
* " V An anonymizer is a tool that allows you to mask your IP address to visit websites without being tracked or identified, keeping your activity private. It allows you to access blocked content on the Internet with omitted advertisements. A few anonymizers that are readily available in the market are listed as follows:
9 9 9 9 9
9
Mowser available at http://www.mowser.com Anonymous W eb Surfing Tool available at http://www.anonymous-surfing.com Hide Your IP Address available at http://www.hideyouripaddress.net Anonymizer Universal available at http://www.anonvmizer.com Guardster available at http://www.guardster.com Spotflux available at http://www.spotflux.com U-Surf available at http://ultimate-anonvmity.com WarpProxy available at http://silent-surf.com Hope Proxy available at http://www.hopeproxy.com Hide My IP available at http://www.privacy-pro.com
9 9 9 9
EC-COUIICil
Spoofing IP Address
IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be som eone else W h e n the victim replies to th e address, it goes back to the spoofed address and not to the attacker's real address
CE H
You will not be able to complete the three-way handshake and open a successful TCP connection by spoofing an IP address
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
-. Spoofing IP A d d resses
^ Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker a fake IP in place of the attacker's assigned IP. W hen the attacker sends a connection request to the target host, the target host replys to the attacker's request. But the reply is sent to the spoofed address. W hen spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources.
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Send packet to host of suspect spoofed packet that triggers reply and
Attacker
(Spoofed Address
Target
1 0 .0 .0 . 5)
10.0.0.5
Note: Normal traffic from one host can vary TTLs depending on traffic patterns
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
EC-COUIICil
Attacker
(Spoofed Address 10.0.0.5)
>*.
y Nf
10.0.0.5
EC-C0UnCil
J J
Attacker
(Spoofed Address 10.0.0.5)
. * 5 . *t ;. *
* T a 1 get
10.0.0.5
r3 H 1
Spoofed packets can be identified based on the identification number (IP ID) in the IP header that increases each time a packet is sent. This method is effective even when both the attacker and victim are on same subnet. To identify whether the packet is spoofed or not, send a probe packet to the target and observe the IP ID number in the reply. If it is in the near value as the packet that you are checking, then it is not a spoofed packet, otherwise it is a spoofed packet.
Sending a packet with spoofed 10.0.0.5 IP - IP ID 2586
Attacker
(Spoofed Address 10.0.0.5)
w
?
Target
CEH
Attacker
(Spoofed Address 10.0.0.5)
Target
. '& < *v \
10.0.0.5
Copyright by EC-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
the SYN request from a genuine client or a spoofed one, you should set the SYN-ACK to zero. If the sender sends an ACK with any data, then it means that the sender is the spoofed one. This is because when the SYN-ACK is set to zero, the sender must respond to it only with the ACK packet but not ACK with data.
FIGURE 3.82: Using TCP Flow Control Method for IP Spoofing Detection
EC-C0UnCil
IP S p o o fin g C o u n te r m e a s u r e s
Limit access to configuration information on a machine
CE H
IP Spoofing C o u n te rm e a su re s
In ethical hacking, the ethical hacker also known as the pen tester, has to perform an additional task that a normal hacker doesn't follow, i.e., applying countermeasures to the respective vulnerabilities determined through hacking. This is essential because knowing security loopholes in your network is worthless unless you take measures to protect them against real hackers. As mentioned previously, IP spoofing is one of the techniques that a hacker employs to break into the target network. Therefore, in order to protect your network from external hackers, you should apply IP spoofing countermeasures to your network security settings. The following are a few IP spoofing countermeasures that you can apply:
EC-COUIICil
If you do not employ any kind of incoming packet filtering mechanism such as a firewall, then the malicious packets may enter your private network and may cause severe loss. You can use access control lists (ACLs) to block unauthorized access. At the same time, there is also a possibility of insider attackers. These attackers may send sensitive information about your business to your competitors. This may also lead to great monetary loss or other issues. There is one more risk of outgoing packets, which is when an attacker succeeds in installing a malicious sniffing program running in hidden mode on your network. These programs gather and send all your network information to the attacker without giving any notification. This can be figured out by filtering the outgoing packets. Therefore, you should give the same importance to the scanning of outgoing packets as that of the incoming packet data scanning.
Ingress filtering
Prohibiting spoofed traffic from entering the Internet is the best way to block it. This can be achieved with the help of ingress filtering. Ingress filtering applied on routers enhances the functionality of the routers and blocks spoofed traffic. It can be implemented in many ways. Configuring and using access control lists (ACLs) that drop packets with source address outside the defined range is one way to implement ingress filtering.
Egress filtering
Egress filtering refers to a practice that aims at IP spoofing prevention by blocking the outgoing packets with a source address that is not inside.
Use encryption
If you want to attain maximum network security, then use strong encryption for all the traffic placed onto the transmission media without considering its type and location. This is the best solution for IP spoofing attacks. Attackers usually tend to find targets that can be compromised easily. If an attacker wants to break into encrypted network, then he or she has to face a whole slew of encrypted packets, which is a difficult task. Therefore, the attacker may try to find another target that can be easily compromised or may attempt other techniques to break into the network. Use the latest encryption algorithms that provide strong security.
EC-C0UnCil
Besides these basic countermeasures, you can perform the following to avoid IP spoofing attacks: 9 9 9 9 You should limit the access to configuration information on a machine You should always disable commands like ping You should reduce TTL fields in TCP/IP requests You should use multilayered firewalls
EC-C0UnCil
1 9 1
3 0
r-^r-n
Prepare Proxies
Banner Grabbing
f* *
This section highlights the need to scan pen testing and the steps to be followed for effective pen testing.
EC-COUIICil
CE H
0
Pen testing a network for scanning vulnerabilities determines the network's security posture by identifying live systems, discovering open ports, associating services and grabbing system banners to simulate a network hacking attempt
S canning P en T e stin g
The network scanning penetration test helps you to determine the network security posture by identifying live systems, discovering open ports and associated services, and grabbing system banners from a remote location, simulating a network hacking attempt. You should scan or test the network in all possible ways to ensure that no security loophole is overlooked. Once you are done with the penetration testing, you should document all the findings obtained at every stage of testing so that it helps system administrators to: 9 9 9 9 9 Close unused ports if not necessary/unknown open ports found Disable unnecessary services Hide or customize banners Troubleshoot service configuration errors Calibrate firewall rules to impose more restriction
EC-COUIICil
CEH
Check for the live hosts using tools such as Nmap, Angry IP Scanner, SolarWinds Engineer's toolset, Colasoft Ping Tool, etc. Use tools such as Nmap, Angry IP Scanner, etc. e Check for open ports using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc.
V
Perform port scanning
... >
Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, etc. Scan for vulnerabilities using tools such as Nessus, GFI LANGuard, SAINTscanner, Core Impact Professional, Retina CS Management, MBSA, etc.
V
Perform banner grabbing ibing /OS fingerprinting Use tools such as Telnet, Netcraft, ID Serve, etc.
V
Scan for vulnerability > Use tools such as Nessus, SAINTscanner, GFI LANGuard, etc.
EC-C0l1nCil
and exploit the vulnerabilities related to that OS. Try to gain control over the system and compromise the whole network. Step 4: Scan for Vulnerabilities Scan the network for vulnerabilities using network vulnerability scanning tools such as Nessus, GFI LANGuard, SAINT, Core Impact Professional, Ratina CS, M BSA, etc. These tools help you to find the vulnerabilities present in the target network. In this step, you will able to determine the security weaknesses/loopholes of the target system or network.
EC-C0UnCil
Prepare proxies
Draw network diagrams of the vulnerable hosts using tools such as LAN surveyor, OpManager, NetworkView, The Dude, FriendlyPinger, etc. e e Prepare proxies using tools such as Proxy Workbench, Proxifier, Proxy Switcher, SocksChain, TOR, etc. Document all the findings
EC-COUIICil
M odule Summary
The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts Attackers use various scanning techniques to bypass firewall rules and logging mechanism, and hide themselves as usual network traffic Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system Drawing target's network diagram gives valuable information about the network and its architecture to an attacker HTTP Tunneling technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls Proxy is a network computer that can serve as an intermediary for connecting with other computers A chain of proxies can be created to evade a traceback to the attacker
M odule S u m m ary
Let's take a look at what you have learned in this module: The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network. Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. Attackers use various scanning techniques to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic. e Banner Grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system.
0
Drawing target's network diagram gives valuable information about the network and its architecture to an attacker. HTTP Tunneling technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls. Proxy is a network computer that can serve as an intermediary for connecting with other computers. A chain of proxies can be created to evade a traceback to the attacker.
EC-COUIICil