Scanning Networks

Module 03

Ethical Hacking and Countermeasures Scanning Networks

Exam 312-50 Certified Ethical Hacker


Ethical Hacking and Countermeasures v8

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

Oct 18 2012

Saliently Sality Botnet Trapped Scanning IPv4 Address Space

The well-known botnet Sality, which locates vulnerable voice-over-IP (VoIP) servers, can be controlled to find the entire IPv4 address space without alerting, claimed a new study, published by Paritynews.com on October 10, 2012.

Sality is a piece of malware whose primary aim is to infect web servers, disperse spam, and steal data. But the latest research disclosed other purposes of the same, including recognizing susceptible VoIP targets, which could be used in toll fraud attacks. Through a method called "reverse-byte order scanning," Sality has administered towards scanning possibly the whole IPv4 space devoid of being recognized. That's only the reason the technique uses a very small number of packets that come from various sources.

The selection of the target IP addresses is generated in reverse-byte-order increments. Also, there are large amounts of bots contributing in the scan.

http://www.spamfighter.com

Security News
Saliently Sality Botnet Trapped Scanning IPv4 Address Space

Source: http://www.spamfighter.com

A semi-famous botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers has been controlled toward determining the entire IPv4 address space without setting off alerts, claims a new study, published by Paritynews.com, on October 10, 2012.

Sality is a piece of malware with the primary aim of infecting web servers, dispersing spam, and stealing data. But the latest research has disclosed other purposes, including recognizing susceptible VoIP targets that could be used in toll fraud attacks. Through a method called "reverse-byte order scanning," Sality can be administered toward scanning possibly the whole IPv4 space, devoid of being recognized. That's the only reason the technique uses a very small number of packets that come from various sources. The selection of the target IP addresses develops in reverse-byte-order increments. Also, there are many bots contributing in the scan. The conclusion is that a solitary network would obtain scanning packets "diluted" over a huge period of time (12 days in this case, from various sources, University of California, San Diego (UCSD), claimed one of the researchers, Alistair King, as published by Softpedia.com on October 9, 2012).

According to Alberto Dainotti, it's not that this stealth-scanning method is exceptional, but it's the first time that such a happening has been both noticed and documented, as reported by Darkreading.com on October 4, 2012. Many other experts hold faith that this manner has been accepted by other botnets. Nevertheless, the team at UCSD is not aware of any data verifying any event like this one. According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be the first time that researchers have recognized a botnet that utilizes this scanning method by employing reverse-byte sequential increments of target IP addresses. The botnet uses classy "orchestration" methods to evade detection. It can be simply stated that the botnet operator categorized the scans at around 3 million bots for scanning the full IPv4 address space through a scanning pattern that disperses coverage and partly covers, but is unable to be noticed by present automation, as published by darkreading.com on October 4, 2012.

Copyright © SPAMfighter 2003-2012

http://www.spamfighter.com/News-1799B-Salier1tlv-Salitv-Botnet-Trapped-Scanning-IPv4Address-Space.htm


Module Objectives
Once an attacker identifies his/her target system and does the initial reconnaissance, as discussed in the footprinting and reconnaissance module, the attacker concentrates on getting a mode of entry into the target system. It should be noted that scanning is not limited to intrusion alone. It can be an extended form of reconnaissance where the attacker learns more about his/her target, such as what operating system is used, the services that are being run on the systems, and configuration lapses if any can be identified. The attacker can then strategize his/her attack, factoring in these aspects.

This module will familiarize you with:
• Overview of Network Scanning
• CEH Scanning Methodology
• Checking for Live Systems
• Scanning Techniques
• IDS Evasion Techniques
• Banner Grabbing
• Vulnerability Scanning
• Drawing Network Diagrams
• Use of Proxies for Attack
• Proxy Chaining
• HTTP Tunneling Techniques
• SSH Tunneling
• Anonymizers
• IP Spoofing Detection Techniques
• Scanning Countermeasures
• Scanning Pen Testing


Overview of Network Scanning
• Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network.
• Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization.

[Figure: the attacker sends TCP/IP probes to the network and gets network information, see Figure 3.1]

Objectives of Network Scanning
• To discover live hosts, IP address, and open ports of live hosts
• To discover operating systems and system architecture
• To discover services running on hosts
• To discover vulnerabilities in live hosts

Overview of Network Scanning
As we already discussed, footprinting is the first phase of hacking in which the attacker gains information about a potential target. Footprinting alone is not enough for hacking because here you will gather only the primary information about the target. You can use this primary information in the next phase to gather many more details about the target. The process of gathering additional details about the target using highly complex and aggressive reconnaissance techniques is called scanning.

The idea is to discover exploitable communication channels, to probe as many listeners as possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning phase, you can find various ways of intruding into the target system. You can also discover more about the target system, such as what operating system is used, what services are running, and whether or not there are any configuration lapses in the target system. Based on the facts that you gather, you can form a strategy to launch an attack.

Types of Scanning
• Port scanning - Open ports and services
• Network scanning - IP addresses
• Vulnerability scanning - Presence of known weaknesses


In a traditional sense, the access points that a thief looks for are the doors and windows. These are usually the house's points of vulnerability because of their relatively easy accessibility. When it comes to computer systems and networks, ports are the doors and windows of the system that an intruder uses to gain access. The more ports are open, the more points of vulnerability there are, and the fewer ports are open, the more secure the system is. This is simply a general rule. In some cases, the level of vulnerability may be high even though few ports are open.

Network scanning is one of the most important phases of intelligence gathering. During the network scanning process, you can gather information about specific IP addresses that can be accessed over the Internet, their targets' operating systems, system architecture, and the services running on each computer. In addition, the attacker also gathers details about the networks and their individual host systems.

[Figure: the attacker sends TCP/IP probes to the network and gets network information]

FIGURE 3.1: Network Scanning Diagram

Objectives of Network Scanning
If you have a large amount of information about a target organization, there are greater chances for you to learn the weaknesses and loopholes of that particular organization, and consequently, for gaining unauthorized access to their network. Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How scanning is performed and what type of information is gathered during the scanning process depends entirely on the hacker's viewpoint. There may be many objectives for performing scanning, but here we will discuss the most common objectives that are encountered during the hacking phase:

• Discovering live hosts, IP address, and open ports of live hosts running on the network.
• Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network.
• Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
• Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
• Detecting the associated network service of each port


CEH Scanning Methodology
The first step in scanning the network is to check for live systems.

[Figure: CEH scanning methodology flowchart with the steps Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, and Scanning Pen Testing]

This section highlights how to check for live systems with the help of ICMP scanning, how to ping a system, and various ping sweep tools.


Checking for Live Systems - ICMP Scanning
• Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
• This scan is useful for locating active devices or determining if ICMP is passing through a firewall.

[Figure: ICMP Echo Request and ICMP Echo Reply between the source (192.168.168.3) and the destination (192.168.168.5), see Figure 3.2]

The ping scan output using Nmap:

[Screenshot: Zenmap running nmap -sn 192.168.168.5 with the Ping scan profile, see Figure 3.3]

http://nmap.org

Checking for Live Systems - ICMP Scanning
ICMP Scanning
All required information about a system can be gathered by sending ICMP packets to it. Since ICMP does not have a port abstraction, this cannot be considered a case of port scanning. However, it is useful to determine which hosts in a network are up by pinging them all (the -P option does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the number of pings in parallel with the -L option. It can also be helpful to tweak the ping timeout value with the -T option.

ICMP Query
The UNIX tool ICMPquery or ICMPush can be used to request the time on the system (to find out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netmask on a particular system can also be determined with ICMP type 17 messages (ADDRESS MASK REQUEST). After finding the netmask of a network card, one can determine all the subnets in use. After gaining information about the subnets, one can target only one particular subnet and avoid hitting the broadcast addresses. ICMPquery has both a timestamp and address mask request option:

icmpquery <-query> [-B] [-f fromhost] [-d delay] [-T time] target

Where <query> is one of:
-t: icmp timestamp request (default)
-m: icmp address mask request

-d: delay to sleep between packets, in microseconds.
-T: specifies the number of seconds to wait for a host to respond. The default is 5.

A target is a list of hostnames or addresses.

[Figure: the source (192.168.168.3) sends an ICMP Echo Request to the destination (192.168.168.5), which returns an ICMP Echo Reply]

FIGURE 3.2: ICMP Query Diagram
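The ICMP message types discussed above, decoded the way a packet filter would see them. This is an added example, not part of the courseware or of ICMPquery; the sample messages are constructed in the code, and the drop/allow verdict is this example's own assumed policy (drop timestamp and address mask queries, which disclose clock and subnet information).

```python
import struct

# ICMP message types named in the text above (RFC 792 / RFC 950 numbering).
ICMP_TYPES = {
    0: "echo-reply",
    8: "echo-request",
    13: "timestamp-request",
    14: "timestamp-reply",
    17: "address-mask-request",
    18: "address-mask-reply",
}
# Assumed policy for this example: queries that reveal the host clock or the
# subnet layout are dropped, echo traffic is allowed.
LEAKY_QUERIES = {13, 17}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP query message: 8-byte header followed by the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def inspect_icmp(message: bytes) -> dict:
    """Decode one ICMP message and report how the assumed policy treats it."""
    if len(message) < 8:
        raise ValueError("ICMP header is 8 bytes; message too short")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": icmp_type,
        "name": ICMP_TYPES.get(icmp_type, "other"),
        "length": len(message),
        "data_bytes": len(message) - 8,
        # A valid message sums to 0xFFFF, so the complement is zero.
        "checksum_ok": inet_checksum(message) == 0,
        "verdict": "drop" if icmp_type in LEAKY_QUERIES else "allow",
    }


# Constructed sample messages (identifier and sequence values are arbitrary).
SAMPLES = {
    "ping": build_icmp(8, 0x1234, 1, bytes(56)),        # 8-byte header + 56 data bytes
    "timestamp": build_icmp(13, 0x1234, 2, bytes(12)),  # originate/receive/transmit fields
    "netmask": build_icmp(17, 0x1234, 3, bytes(4)),     # 32-bit address mask field
}
SAMPLES["damaged"] = SAMPLES["ping"][:-1] + b"\x01"     # one payload byte altered

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_icmp(raw))
```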

Ping Scan Output Using Nmap
Source: http://nmap.org

Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you can determine the live hosts on a network. It performs ping scans by sending the ICMP ECHO requests to all the hosts on the network. If the host is live, then the host sends an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. The following screenshot shows the sample output of a ping scan using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:

    nmap -sn 192.168.168.5

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08
    Nmap scan report for 192.168.168.5
    Host is up (0.06s latency).
    MAC Address: (Dell)
    Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

FIGURE 3.3: Zenmap Showing Ping Scan Output


Ping Sweep
• Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply.
• Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet.
• Attackers then use ping sweep to create an inventory of live systems in the subnet.

The ping sweep output using Nmap:

[Screenshot: Zenmap running nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50, see Figure 3.5]

[Figure: ping sweep from the source 192.168.168.3, see Figure 3.4]

http://nmap.org

Ping Sweep
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique to determine which range of IP addresses map to live hosts (computers). While a single ping tells the user whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts.

ICMP ECHO Reply
If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods to scan a network. This utility is distributed across almost all platforms, and acts like a roll call for systems; a system that is live on the network answers the ping query that is sent by another system.

[Figure: the source (192.168.168.3) sends ICMP Echo Requests to 192.168.168.5, 192.168.168.6, 192.168.168.7, and 192.168.168.8; ICMP Echo Replies come back from the live hosts]

FIGURE 3.4: Ping Sweep Diagram

TCP/IP Packet
To understand ping, you should be able to understand the TCP/IP packet. When a system pings, a single packet is sent across the network to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes of protocol header information. The sender then waits for a return packet from the target system. A good return packet is expected only when the connections are good and when the targeted system is active. Ping also determines the number of hops that lie between the two computers and the round-trip time, i.e., the total time taken by a packet for completing a trip. Ping can also be used for resolving host names. In this case, if the packet bounces back when sent to the IP address, but not when sent to the name, then it is an indication that the system is unable to resolve the name to the specific IP address.

Source: http://nmap.org

Using Nmap Security Scanner you can perform ping sweep. Ping sweep determines the IP addresses of live hosts. This provides information about the live host IP addresses as well as their MAC address. It allows you to scan multiple hosts at a time and determine active hosts on the network. The following screenshot shows the result of a ping sweep using Zenmap, the official cross-platform GUI for the Nmap Security Scanner:


    nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41
    Nmap scan report for 192.168.168.1
    Host is up (0.00s latency).
    MAC Address: (Hewlett-Packard Company)
    Nmap scan report for 192.168.168.3
    Host is up (0.00s latency).
    MAC Address: (Apple)
    Nmap scan report for 192.168.168.5
    Host is up (0.0010s latency).
    MAC Address: (Dell)
    Nmap scan report for 192.168.168.13
    Host is up (0.00s latency).
    MAC Address: (Foxconn)
    Nmap scan report for 192.168.168.14
    Host is up (0.0020s latency).

FIGURE 3.5: Zenmap showing ping sweep output
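Seen from the monitored network, the ping sweep above is one source sending ICMP echo requests to many addresses in a short time. The following added example (not part of the courseware) detects that pattern in a constructed log; the log format, the thresholds, and the function names are assumptions of this example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address

ECHO_REQUEST, ECHO_REPLY = 8, 0
SWEEPER = "192.168.168.3"  # source address used in the figures above


def make_log(interval, live=(1, 5, 13, 14)):
    """Constructed sample log, one 'epoch src dst icmp_type' record per line.

    SWEEPER probes 192.168.168.1-50 (skipping itself) every `interval` seconds
    and the hosts in `live` answer; 192.168.168.20 only pings its gateway.
    """
    records, t = [], 1000.0
    for last in range(1, 51):
        dst = f"192.168.168.{last}"
        if dst == SWEEPER:
            continue
        records.append((t, SWEEPER, dst, ECHO_REQUEST))
        if last in live:
            records.append((t + 0.001, dst, SWEEPER, ECHO_REPLY))
        t += interval
    for i in range(10):
        records.append((1000.0 + i, "192.168.168.20", "192.168.168.1", ECHO_REQUEST))
    return [f"{ts:.3f} {src} {dst} {typ}" for ts, src, dst, typ in sorted(records)]


def parse(line):
    """Split one record, validating both addresses."""
    ts, src, dst, icmp_type = line.split()
    return float(ts), str(ip_address(src)), str(ip_address(dst)), int(icmp_type)


def detect_ping_sweeps(lines, window=5.0, min_targets=20):
    """Return {source: peak distinct echo-request targets within `window` seconds}
    for every source whose peak reaches `min_targets`."""
    recent = defaultdict(deque)                        # src -> (ts, dst) still in window
    in_window = defaultdict(lambda: defaultdict(int))  # src -> dst -> probes in window
    peak = defaultdict(int)
    for ts, src, dst, icmp_type in map(parse, lines):
        if icmp_type != ECHO_REQUEST:
            continue
        queue, targets = recent[src], in_window[src]
        queue.append((ts, dst))
        targets[dst] += 1
        while ts - queue[0][0] > window:               # expire probes older than window
            _, old = queue.popleft()
            targets[old] -= 1
            if targets[old] == 0:
                del targets[old]
        peak[src] = max(peak[src], len(targets))
    return {src: n for src, n in peak.items() if n >= min_targets}


def hosts_revealed(lines, sweeper):
    """Hosts that answered the sweeper with an echo reply, i.e. what it learned."""
    seen = {src for _, src, dst, typ in map(parse, lines)
            if typ == ECHO_REPLY and dst == sweeper}
    return sorted(seen, key=ip_address)


if __name__ == "__main__":
    fast = make_log(interval=0.02)
    print(detect_ping_sweeps(fast))
    print(hosts_revealed(fast, SWEEPER))
    slow = make_log(interval=600)
    print(detect_ping_sweeps(slow))                # a short window misses the slow sweep
    print(detect_ping_sweeps(slow, window=86400))  # a one-day window catches it
```

A sweep paced slowly enough, like the 12-day scan described in the Security News item, stays under a short window, which is why the last lines rerun detection with a one-day window.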


Ping Sweep Tools
• Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.
• SolarWinds Engineer Toolset's Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.

[Screenshot: Angry IP Scanner, see Figure 3.6]

Angry IP Scanner
http://www.angryip.org

Ping Sweep Tools
Determining live hosts on a target network is the first step in the process of hacking or breaking into a network. This can be done using ping sweep tools. There are a number of ping sweep tools readily available in the market with which you can perform ping sweeps easily. These tools allow you to determine the live hosts by sending ICMP ECHO requests to multiple hosts at a time. Angry IP Scanner and Solarwinds Engineer's Toolset are a few commonly used ping sweep tools.

Angry IP Scanner
Source: http://www.angryip.org

Angry IP Scanner is an IP scanner tool. This tool identifies all non-responsive addresses as dead nodes, resolves hostname details, and checks for open ports. Its main features are scanning multiple ports and configurable scanning columns. Its main goal is to find the active hosts in the network by scanning all the IP addresses as well as ports. It runs on Linux, Windows, Mac OS X, etc. It can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.


[Screenshot: Angry IP Scanner scanning the IP range 10.0.0.1 to 10.0.0.50, with columns for IP, Ping, Hostname, and Ports]

FIGURE 3.6: Angry IP Scanner Screenshot

Solarwinds Engineer's Toolset
Source: http://www.solarwinds.com

The Solarwinds Engineer's Toolset is a collection of network engineer's tools. By using this toolset you can scan a range of IP addresses and can identify the IP addresses that are in use currently and the IP addresses that are free. It also performs reverse DNS lookup.

[Screenshot: the Ping Sweep tool scanning a range of IP addresses, with columns for IP Address, Response Time, and DNS Lookup]

FIGURE 3.7: Solarwinds Engineer's Toolset Screenshot


Ping Sweep Tools (Cont'd)
In addition to Solarwinds Engineer's Toolset and Angry IP Scanner, there are many other tools that feature ping sweep capabilities. For example:
• Colasoft Ping Tool available at http://www.colasoft.com
• Visual Ping Tester - Standard available at http://www.pingtester.net
• Ping Scanner Pro available at http://www.digilextechnologies.com
• Ultra Ping Pro available at http://ultraping.webs.com
• PingInfoView available at http://www.nirsoft.net
• PacketTrap MSP available at http://www.packettrap.com
• Ping Sweep available at http://www.whatsupgold.com
• Network Ping available at http://www.greenline-soft.com
• Ping Monitor available at http://www.niliand.com
• Pinkie available at http://www.ipuptime.net


So far we discussed how to check for live systems. Open ports are the doorways for an attacker to launch attacks on systems. Now we will discuss scanning for open ports.

[Figure: CEH scanning methodology flowchart with the steps Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, and Scanning Pen Testing]

This section covers the three-way handshake, scanning IPv6 networks, and various scanning techniques such as FIN scan, SYN scan, and so on.


Three-Way Handshake
Three-way Handshake Process
1. The Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet with only the SYN flag set.
2. The server replies with a packet with both the SYN and the ACK flag set.
3. For the final step, the client responds back to the server with a single ACK packet.
4. If these three steps are completed without complication, then a TCP connection is established between the client and the server.

TCP uses a three-way handshake to establish a connection between server and client.

Three-Way Handshake
TCP is connection-oriented, which implies that a connection must be established before data transfer between applications. This connection is possible through the process of the three-way handshake. The three-way handshake is implemented for establishing the connection between protocols.

The three-way handshake process goes as follows:
• To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the destination (10.0.0.3:21).
• The destination, on receiving the SYN packet sent by the source, responds by sending a SYN/ACK packet back to the source.
• This ACK packet confirms the arrival of the first SYN packet to the source.
• In conclusion, the source sends an ACK packet for the ACK/SYN packet sent by the destination.
• This triggers an "OPEN" connection allowing communication between the source and the destination, until either of them issues a "FIN" packet or a "RST" packet to close the connection.


The TCP protocol maintains stateful connections for all connection-oriented protocols across the Internet, and works the same as an ordinary telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other end until a person picks up the receiver and says, "Hello."

[Figure: Bill (client, 10.0.0.2:62000) and Sheela (server, 10.0.0.3:21) exchanging the three-way handshake]
FIGURE 3.8: Three-way Handshake Process

Establishing a TCP Connection
Source: http://support.microsoft.com/kb/172983
As we previously discussed, a TCP connection is established using the three-way handshake method. As the name suggests, the connection is established in three main steps. The following three frames explain the establishment of a TCP connection between nodes NTW3 and BDC3:

Frame 1:
In the first step, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize the sequence numbers. It specifies its Initial Sequence Number (ISN), which is incremented by 1 and sent to the server. To initialize a connection, the client and server must synchronize each other's sequence numbers. There is also an option for the Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4). This option communicates the maximum segment size the sender wants to receive. The Acknowledgement field (ack: 0) is set to zero because this is the first part of the three-way handshake.
1    2.0785 NTW3 --> BDC3 TCP ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP

TCP: ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037 dst: 139 (NBT Session)

   TCP: Source Port = 0x040D
   TCP: Destination Port = NETBIOS Session Service
   TCP: Sequence Number = 8221822 (0x7D747E)
   TCP: Acknowledgement Number = 0 (0x0)
   TCP: Data Offset = 24 (0x18)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x02 : ....S.
      TCP: ..0..... = No urgent data
      TCP: ...0.... = Acknowledgement field not significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......1. = Synchronize sequence numbers
      TCP: .......0 = No Fin
   TCP: Window = 8192 (0x2000)
   TCP: Checksum = 0xF213
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Options
      TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
      TCP: Option Length = 4 (0x4)
      TCP: Option Value = 1460 (0x5B4)
   TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010: 00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B   .,..@....K.k...k
00020: 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02   .......}t~....`.
00030: 20 00 F2 13 00 00 02 04 05 B4 20 20                .........


Frame 2:
In the second step, the server, BDC3, sends an ACK and a SYN on this segment (TCP .A..S.). In this segment the server is acknowledging the request of the client for synchronization. At the same time, the server is also sending its request to the client for synchronization of its sequence numbers. There is one major difference in this segment. The server transmits an acknowledgement number (8221823) to the client. The acknowledgement is just proof to the client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client's request allows the server to increment the client's sequence number by one and use it as its acknowledgement number.
2    2.0786 BDC3 --> NTW3 TCP .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037 BDC3 --> NTW3 IP

TCP: .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139 (NBT Session) dst: 1037

   TCP: Source Port = NETBIOS Session Service
   TCP: Destination Port = 0x040D
   TCP: Sequence Number = 1109645 (0x10EE8D)
   TCP: Acknowledgement Number = 8221823 (0x7D747F)
   TCP: Data Offset = 24 (0x18)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x12 : .A..S.
      TCP: ..0..... = No urgent data
      TCP: ...1.... = Acknowledgement field significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......1. = Synchronize sequence numbers
      TCP: .......0 = No Fin
   TCP: Window = 8760 (0x2238)
   TCP: Checksum = 0x012D
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Options
      TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
      TCP: Option Length = 4 (0x4)
      TCP: Option Value = 1460 (0x5B4)
   TCP: Frame Padding

00000: 02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00   .`.;...`......E.
00010: 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B   .,[.@....L.k...k
00020: 02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12   ...........}t.`.
00030: 22 38 01 2D 00 00 02 04 05 B4 20 20               "8.-......

Frame 3:
In the third step, the client sends an ACK on this segment (TCP .A....). In this segment, the client is acknowledging the request from the server for synchronization. The client uses the same algorithm the server implemented in providing an acknowledgement number. The client's acknowledgment of the server's request for synchronization completes the process of establishing a reliable connection, thus the three-way handshake.
3    2.787 NTW3 --> BDC3 TCP .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session) NTW3 --> BDC3 IP

TCP: .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037 dst: 139 (NBT Session)

   TCP: Source Port = 0x040D
   TCP: Destination Port = NETBIOS Session Service
   TCP: Sequence Number = 8221823 (0x7D747F)
   TCP: Acknowledgement Number = 1109646 (0x10EE8E)
   TCP: Data Offset = 20 (0x14)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x10 : .A....
      TCP: ..0..... = No urgent data
      TCP: ...1.... = Acknowledgement field significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......0. = No Synchronize
      TCP: .......0 = No Fin
   TCP: Window = 8760 (0x2238)
   TCP: Checksum = 0x18EA
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Frame Padding

00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010: 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B   .(..@....O.k...k
00020: 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10   .......}t.....P.
00030: 22 38 18 EA 00 00 20 20 20 20 20 20               "8....


TCP Communication Flags
• URG (Urgent): Data contained in the packet should be processed immediately
• FIN (Finish): There will be no more transmissions
• RST (Reset): Resets a connection
• PSH (Push): Sends all buffered data immediately
• ACK (Acknowledgement): Acknowledges the receipt of a packet
• SYN (Synchronize): Initiates a connection between hosts

Standard TCP communications are controlled by flags in the TCP packet header

TCP Communication Flags
Standard TCP communications are controlled by the flags held in the TCP packet header. These flags govern the connection between hosts, and give instructions to the system. The following are the TCP communication flags:
• Synchronize alias "SYN": SYN notifies transmission of a new sequence number
• Acknowledgement alias "ACK": ACK confirms receipt of transmission, and identifies next expected sequence number
• Push alias "PSH": System accepting requests and forwarding buffered data
• Urgent alias "URG": Instructs data contained in packets to be processed as soon as possible
• Finish alias "FIN": Announces no more transmissions will be sent to remote system
• Reset alias "RST": Resets a connection

SYN scanning mainly deals with three of the flags, namely, SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during the enumeration process.
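
The handshake trace in Frames 1 to 3 and the flag bits listed above can be checked mechanically. The following Python is an added example, not part of the courseware or the Microsoft article: it decodes the Ethernet, IPv4 and TCP headers from the three hex dumps printed with the frames, names the flags, and verifies the sequence/acknowledgement arithmetic of the handshake. Function names are illustrative.

```python
import struct

# Hex dumps of Frames 1-3 as printed with the trace (Ethernet II + IPv4 + TCP + padding).
FRAMES_HEX = [
    """02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00
       00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B
       02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02
       20 00 F2 13 00 00 02 04 05 B4 20 20""",
    """02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00
       00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B
       02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12
       22 38 01 2D 00 00 02 04 05 B4 20 20""",
    """02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00
       00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B
       02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10
       22 38 18 EA 00 00 20 20 20 20 20 20""",
]

FLAG_BITS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}


def ip_header_checksum_ok(header):
    """The one's-complement sum over the IPv4 header must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_mss(options):
    """Walk the TCP options and return the MSS value, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # No-operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                          # malformed length: stop, do not over-read
        if kind == 2 and length == 4:      # Maximum Segment Size
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def parse_frame(raw):
    """Decode one Ethernet II frame carrying IPv4/TCP into a dict of header fields."""
    if len(raw) < 54 or raw[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ihl = (raw[14] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("bad IPv4 header length")
    ip = raw[14:14 + ihl]
    if ip[9] != 6:
        raise ValueError("not TCP")
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = raw[14 + ihl:14 + total_len]     # drops the Ethernet frame padding
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    hdr_len = (off_flags >> 12) * 4        # data offset is in 32-bit words
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": {name for bit, name in FLAG_BITS.items() if off_flags & bit},
        "window": window, "mss": parse_mss(tcp[20:hdr_len]),
        "ip_checksum_ok": ip_header_checksum_ok(ip),
    }


def check_handshake(syn, synack, ack):
    """Return a list of problems; an empty list means a well-formed handshake."""
    problems = []
    nxt = lambda n: (n + 1) & 0xFFFFFFFF   # a SYN consumes one sequence number
    if syn["flags"] != {"SYN"}:
        problems.append("frame 1 is not a bare SYN")
    if synack["flags"] != {"SYN", "ACK"}:
        problems.append("frame 2 is not SYN/ACK")
    if ack["flags"] != {"ACK"}:
        problems.append("frame 3 is not a bare ACK")
    if (synack["src"], synack["sport"], synack["dst"], synack["dport"]) != \
            (syn["dst"], syn["dport"], syn["src"], syn["sport"]):
        problems.append("frame 2 is not the reverse direction of frame 1")
    if synack["ack"] != nxt(syn["seq"]):
        problems.append("server ACK number is not client ISN + 1")
    if ack["seq"] != nxt(syn["seq"]) or ack["ack"] != nxt(synack["seq"]):
        problems.append("client ACK does not acknowledge server ISN + 1")
    return problems


FRAMES = [parse_frame(bytes.fromhex(h)) for h in FRAMES_HEX]

if __name__ == "__main__":
    for n, f in enumerate(FRAMES, 1):
        print(n, f["src"], f["sport"], "->", f["dst"], f["dport"],
              sorted(f["flags"]), "seq", f["seq"], "ack", f["ack"], "mss", f["mss"])
    print("handshake problems:", check_handshake(*FRAMES))
```

The IPv4 header checksum test doubles as a transcription check on the hex dumps: a single mistyped header byte makes it fail.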


[Figure: TCP header layout across bits 0-31, showing the Acknowledgement No, Offset, Res, TCP Flags, Window, TCP Checksum, Urgent Pointer and Options fields]
FIGURE 3.9: TCP Communication Flags


Create Custom Packet Using TCP Flags
Colasoft Packet Builder
• Colasoft Packet Builder enables creating custom network packets to audit networks for various attacks
• Attackers can also use it to create fragmented packets to bypass firewalls and IDS systems in a network
http://www.colasoft.com

Create Custom Packets using TCP Flags
Source: http://www.colasoft.com
Colasoft Packet Builder is a tool that allows you to create custom network packets and also allows you to check the network against various attacks. It allows you to select a TCP packet from the provided templates, and change the parameters in the decoder editor, hexadecimal editor, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.


[Screenshot: Colasoft Packet Builder main window with the packet list, Decode Editor and Hex Editor panes]
FIGURE 3.10: Colasoft Packet Builder Screenshot


Scanning IPv6 Network
• IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy
• Traditional network scanning techniques will be computationally less feasible due to larger search space (64 bits of host address space or 2^64 addresses) provided by IPv6 in a subnet
• Scanning in IPv6 network is more difficult and complex than the IPv4 and also major scanning tools such as Nmap do not support ping sweeps on IPv6 networks
• Attackers need to harvest IPv6 addresses from network traffic, recorded logs or Received from: and other header lines in archived email or Usenet news messages
• Scanning IPv6 network, however, offers a large number of hosts in a subnet if an attacker can compromise one host in the subnet; attacker can probe the "all hosts" link local multicast address

Scanning IPv6 Network
IPv6 increases the size of the IP address space from 32 bits to 128 bits to support more levels of addressing hierarchy. Traditional network scanning techniques are computationally less feasible because of the larger search space (64 bits of host address space, or 2^64 addresses) that IPv6 provides in a subnet. Scanning an IPv6 network is more difficult and complex than scanning IPv4, and major scanning tools such as Nmap do not support ping sweeps on IPv6 networks. Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from:" and other header lines in archived email or Usenet news messages to identify IPv6 addresses for subsequent port scanning. Scanning an IPv6 network, however, offers a large number of hosts in a subnet; if an attacker can compromise one host in the subnet, he can probe the "all hosts" link-local multicast address.


Scanning Tool: Nmap
• Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime
• Attacker uses Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems and OS versions
http://nmap.org

Scanning Tool: Nmap
Source: http://nmap.org
Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Either a network administrator or an attacker can use this tool for their particular needs. Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems, and OS versions.


[Screenshot: Zenmap window showing Nmap scan output]


Hping2 / Hping3
• Command line packet crafter for the TCP/IP protocol
• Tool for security auditing and testing firewall and networks
• Runs on both Windows and Linux operating systems
http://www.hping.org
[Screenshot: ACK scanning on port 80]

Hping2/Hping3
Source: http://www.hping.org
HPing2/HPing3 is a command-line-oriented TCP/IP packet assembler/analyzer that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It has Traceroute mode, and enables you to send files between covert channels. It has the ability to send custom TCP/IP packets and display target replies like a ping program does with ICMP replies. It handles fragmentation, arbitrary packets' body and size, and can be used in order to transfer encapsulated files under supported protocols. It supports idle host scanning. IP spoofing and network/host scanning can be used to perform an anonymous probe for services. An attacker studies the behavior of an idle host to gain information about the target such as the services that the host offers, the ports supporting the services, and the operating system of the target. This type of scan is a predecessor to either heavier probing or outright attacks.

Features:
The following are some of the features of HPing2/HPing3:
• Determines whether the host is up even when the host blocks ICMP packets
• Advanced port scanning and test net performance using different protocols, packet sizes, TOS, and fragmentation
• Manual path MTU discovery
• Firewalk-like usage allows discovery of open ports behind firewalls
• Remote OS fingerprinting
• TCP/IP stack auditing

ICMP Scanning
A ping sweep, or Internet Control Message Protocol (ICMP) scanning, is the process of sending an ICMP request or ping to all hosts on the network to determine which ones are up. Operating systems, routers, switches, and other internet-protocol-based devices use this protocol via the ping command, sending Echo requests and Echo responses as a connectivity test between different hosts. The following screenshot shows ICMP scanning using the Hping3 tool:

root@bt:~# hping3 -1 10.0.0.2
HPING 10.0.0.2 (eth1 10.0.0.2): icmp mode set, 28 headers + 0 data bytes
len=28 ip=10.0.0.2 ttl=128 id=25908 icmp_seq=0 rtt=2.2 ms
len=28 ip=10.0.0.2 ttl=128 id=25909 icmp_seq=1 rtt=1.0 ms
len=28 ip=10.0.0.2 ttl=128 id=25910 icmp_seq=2 rtt=1.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25911 icmp_seq=3 rtt=0.5 ms
len=28 ip=10.0.0.2 ttl=128 id=25912 icmp_seq=4 rtt=0.4 ms
len=28 ip=10.0.0.2 ttl=128 id=25913 icmp_seq=5 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25914 icmp_seq=6 rtt=0.9 ms
len=28 ip=10.0.0.2 ttl=128 id=25915 icmp_seq=7 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25916 icmp_seq=8 rtt=0.9 ms
len=28 ip=10.0.0.2 ttl=128 id=25917 icmp_seq=9 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25918 icmp_seq=10 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25919 icmp_seq=11 rtt=1.2 ms
len=28 ip=10.0.0.2 ttl=128 id=25920 icmp_seq=12 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25921 icmp_seq=13 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25922 icmp_seq=14 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25923 icmp_seq=15 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25924 icmp_seq=16 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25925 icmp_seq=17 rtt=1.0 ms

FIGURE 3.12: Hping3 tool showing ICMP scanning output

ACK Scanning on Port 80
You can use this scan technique to probe for the existence of a firewall and its rule sets. Simple packet filtering will allow you to establish connection (packets with the ACK bit set), whereas a sophisticated stateful firewall will not allow you to establish a connection. The following screenshot shows ACK scanning on port 80 using the Hping3 tool:

root@bt:~# hping3 -A 10.0.0.2 -p 80
HPING 10.0.0.2 (eth1 10.0.0.2): A set, 40 headers + 0 data bytes
len=40 ip=10.0.0.2 ttl=128 DF id=26085 sport=80 flags=R seq=0 win=0 rtt=1.3 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26086 sport=80 flags=R seq=1 win=0 rtt=0.8 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26087 sport=80 flags=R seq=2 win=0 rtt=1.0 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26088 sport=80 flags=R seq=3 win=0 rtt=0.9 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26089 sport=80 flags=R seq=4 win=0 rtt=0.9 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26090 sport=80 flags=R seq=5 win=0 rtt=0.5 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26091 sport=80 flags=R seq=6 win=0 rtt=0.7 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26092 sport=80 flags=R seq=7 win=0 rtt=0.8 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26093 sport=80 flags=R seq=8

FIGURE 3.13: Hping3 tool showing ACK scanning output


Hping Commands
• ICMP Ping: hping3 -1 10.0.0.25
• SYN scan on port 50-60: hping3 -8 50-56 -S 10.0.0.25 -V
• ACK scan on port 80: hping3 -A 10.0.0.25 -p 80
• FIN, PUSH and URG scan on port 80: hping3 -F -P -U 10.0.0.25 -p 80
• UDP scan on port 80: hping3 -2 10.0.0.25 -p 80
• Scan entire subnet for live host: hping3 -1 10.0.1.x --rand-dest -I eth0
• Collecting Initial Sequence Number: hping3 192.168.1.103 -Q -p 139
• Intercept all traffic containing HTTP signature: hping3 -9 HTTP -I eth0
• Firewalls and Time Stamps: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
• SYN flooding a victim: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

Hping Commands
The following table lists various scanning methods and respective Hping commands:

Scan                                              Commands
ICMP ping                                         hping3 -1 10.0.0.25
ACK scan on port 80                               hping3 -A 10.0.0.25 -p 80
UDP scan on port 80                               hping3 -2 10.0.0.25 -p 80
Collecting initial sequence number                hping3 192.168.1.103 -Q -p 139
Firewalls and time stamps                         hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
SYN scan on port 50-60                            hping3 -8 50-56 -S 10.0.0.25 -V
FIN, PUSH and URG scan on port 80                 hping3 -F -P -U 10.0.0.25 -p 80
Scan entire subnet for live host                  hping3 -1 10.0.1.x --rand-dest -I eth0
Intercept all traffic containing HTTP signature   hping3 -9 HTTP -I eth0
SYN flooding a victim                             hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

TABLE 3.1: Hping Commands Table


Scanning Techniques
• TCP Connect / Full Open Scan
• Stealth Scans
• IDLE Scan
• ICMP Echo Scanning/List Scan
• SYN/FIN Scanning Using IP Fragments
• UDP Scanning
• Inverse TCP Flag Scanning
• ACK Flag Scanning

Scanning Techniques
Scanning is the process of gathering information about the systems that are alive and responding on the network. The port scanning techniques are designed to identify the open ports on a targeted server or host. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the intent of compromising it.

Different types of scanning techniques employed include:
• TCP Connect / Full Open Scan
• Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan
• IDLE Scan
• ICMP Echo Scanning/List Scan
• SYN/FIN Scanning Using IP Fragments
• UDP Scanning
• Inverse TCP Flag Scanning
• ACK Flag Scanning
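
From the defender's side, several of the techniques listed above leave a recognizable trail in per-segment sensor logs: SYNs whose handshake is never completed, and FIN, NULL, XMAS or ACK segments that arrive with no handshake at all. The following Python is an added example, not part of the courseware; the record format, the threshold and all sample records are constructed for illustration.

```python
from collections import defaultdict

INCOMPLETE = "SYN, handshake never completed"
UNSOLICITED = {                      # flag sets that arrive with no prior handshake
    frozenset(): "NULL (no flags)",
    frozenset("FPU"): "XMAS (FIN+PSH+URG)",
    frozenset("F"): "FIN",
    frozenset("A"): "ACK",
}

# Constructed sensor records: (src, sport, dst, dport, flags), one letter per flag
# (S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG).
SAMPLE = [
    # legitimate client: full three-way handshake, then data
    ("10.0.0.2", 62000, "10.0.0.3", 21, "S"),
    ("10.0.0.3", 21, "10.0.0.2", 62000, "SA"),
    ("10.0.0.2", 62000, "10.0.0.3", 21, "A"),
    ("10.0.0.2", 62000, "10.0.0.3", 21, "PA"),
    # same client, one refused connection to a closed port
    ("10.0.0.2", 62001, "10.0.0.3", 8080, "S"),
    ("10.0.0.3", 8080, "10.0.0.2", 62001, "RA"),
    # scanning host: SYN probes; port 52 answers and is reset by the prober
    ("10.0.0.9", 40000, "10.0.0.25", 50, "S"),
    ("10.0.0.25", 50, "10.0.0.9", 40000, "RA"),
    ("10.0.0.9", 40001, "10.0.0.25", 51, "S"),
    ("10.0.0.25", 51, "10.0.0.9", 40001, "RA"),
    ("10.0.0.9", 40002, "10.0.0.25", 52, "S"),
    ("10.0.0.25", 52, "10.0.0.9", 40002, "SA"),
    ("10.0.0.9", 40002, "10.0.0.25", 52, "R"),
    # scanning host: FIN+PSH+URG segments with no handshake
    ("10.0.0.9", 40003, "10.0.0.25", 21, "FPU"),
    ("10.0.0.9", 40004, "10.0.0.25", 22, "FPU"),
    ("10.0.0.9", 40005, "10.0.0.25", 80, "FPU"),
    ("10.0.0.25", 80, "10.0.0.9", 40005, "RA"),
]


def find_scanners(segments, min_ports=3):
    """Return {source: {technique: sorted ports}} for every source that touched
    at least min_ports distinct ports with one technique."""
    state = {}                                   # (client, cport, server, sport) -> state
    probes = defaultdict(lambda: defaultdict(set))

    for src, sport, dst, dport, flag_str in segments:
        flags = frozenset(flag_str)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)

        if flags == {"S"}:
            state[fwd] = "SYN_SENT"
        elif flags == {"S", "A"} and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_RCVD"
        elif fwd in state:                       # segment sent by the initiator
            if state[fwd] == "SYN_RCVD" and flags == {"A"}:
                state[fwd] = "ESTABLISHED"
            elif "R" in flags and state[fwd] != "ESTABLISHED":
                probes[src][INCOMPLETE].add(dport)     # half-open: reset after SYN/ACK
                del state[fwd]
        elif rev in state:                       # reply from the responder
            if "R" in flags and state[rev] != "ESTABLISHED":
                probes[dst][INCOMPLETE].add(sport)     # SYN to a closed port
                del state[rev]
        elif "R" not in flags:                   # no handshake was seen for this flow
            kind = UNSOLICITED.get(flags)
            if kind:
                probes[src][kind].add(dport)

    # A single failed connection is normal; many distinct ports is the signal.
    return {src: {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
            for src, kinds in probes.items()
            if any(len(p) >= min_ports for p in kinds.values())}


if __name__ == "__main__":
    for source, kinds in find_scanners(SAMPLE).items():
        for kind, ports in kinds.items():
            print(source, "->", kind, ports)
```

A sensor that starts capturing mid-connection sees bare ACKs with no handshake, so the ACK category needs a warm-up period or a higher threshold in practice.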


The following is the list of important reserved ports:
Name              Port/Protocol   Description
echo              7/tcp
echo              7/udp
discard           9/tcp           sink null
discard           9/udp           sink null
systat            11/tcp          Users
daytime           13/tcp
daytime           13/udp
netstat           15/tcp
qotd              17/tcp          Quote
chargen           19/tcp          ttytst source
chargen           19/udp          ttytst source
ftp-data          20/tcp          ftp data transfer
ftp               21/tcp          ftp command
ssh               22/tcp          Secure Shell
telnet            23/tcp
smtp              25/tcp          Mail
time              37/tcp          Timeserver
time              37/udp          Timeserver
rip               39/udp          resource location
nicname           43/tcp          who is
domain            53/tcp          domain name server
domain            53/udp          domain name server
sql*net           66/tcp          Oracle SQL*net
sql*net           66/udp          Oracle SQL*net
bootps            67/tcp          bootp server
bootps            67/udp          bootp server
bootpc            68/tcp          bootp client


bootpc            68/udp          bootp client
tftp              69/tcp          Trivial File Transfer
tftp              69/udp          Trivial File Transfer
gopher            70/tcp          gopher server
finger            79/tcp          Finger
www-http          80/tcp          WWW
www-http          80/udp          WWW
kerberos          88/tcp          Kerberos
kerberos          88/udp          Kerberos
pop2              109/tcp         PostOffice V.2
pop3              110/tcp         PostOffice V.3
sunrpc            111/tcp         RPC 4.0 portmapper
sunrpc            111/udp         RPC 4.0 portmapper
auth/ident        113/tcp         Authentication Service
auth              113/udp         Authentication Service
audionews         114/tcp         Audio News Multicast
audionews         114/udp         Audio News Multicast
nntp              119/tcp         Usenet Network News Transfer
nntp              119/udp         Usenet Network News Transfer
ntp               123/tcp         Network Time Protocol
ntp               123/udp         Network Time Protocol
netbios-ns        137/tcp         NETBIOS Name Service
netbios-ns        137/udp         NETBIOS Name Service
netbios-dgm       138/tcp         NETBIOS Datagram Service
netbios-dgm       138/udp         NETBIOS Datagram Service
netbios-ssn       139/tcp         NETBIOS Session Service
netbios-ssn       139/udp         NETBIOS Session Service
imap              143/tcp         Internet Message Access Protocol


imap              143/udp         Internet Message Access Protocol
sql-net           150/tcp         SQL-NET
sql-net           150/udp         SQL-NET
sqlsrv            156/tcp         SQL Service
sqlsrv            156/udp         SQL Service
snmp              161/tcp
snmp              161/udp
snmp-trap         162/tcp
snmp-trap         162/udp
cmip-man          163/tcp         CMIP/TCP Manager
cmip-man          163/udp         CMIP
cmip-agent        164/tcp         CMIP/TCP Agent
cmip-agent        164/udp         CMIP
irc               194/tcp         Internet Relay Chat
irc               194/udp         Internet Relay Chat
at-rtmp           201/tcp         AppleTalk Routing Maintenance
at-rtmp           201/udp         AppleTalk Routing Maintenance
at-nbp            202/tcp         AppleTalk Name Binding
at-nbp            202/udp         AppleTalk Name Binding
at-3              203/tcp         AppleTalk
at-3              203/udp         AppleTalk
at-echo           204/tcp         AppleTalk Echo
at-echo           204/udp         AppleTalk Echo
at-5              205/tcp         AppleTalk
at-5              205/udp         AppleTalk
at-zis            206/tcp         AppleTalk Zone Information
at-zis            206/udp         AppleTalk Zone Information
at-7              207/tcp         AppleTalk


at-7              207/udp         AppleTalk
at-8              208/tcp         AppleTalk
at-8              208/udp         AppleTalk
ipx               213/tcp
ipx               213/udp
imap3             220/tcp         Interactive Mail Access Protocol v3
imap3             220/udp         Interactive Mail Access Protocol v3
aurp              387/tcp         AppleTalk Update-Based Routing
aurp              387/udp         AppleTalk Update-Based Routing
netware-ip        396/tcp         Novell Netware over IP
netware-ip        396/udp         Novell Netware over IP
rmt               411/tcp         Remote mt
rmt               411/udp         Remote mt
54erberos54-ds    445/tcp
54erberos54-ds    445/udp
isakmp            500/udp         ISAKMP/IKE
fcp               510/tcp         First Class Server
exec              512/tcp         BSD rexecd(8)
comsat/biff       512/udp         used by mail system to notify users
login             513/tcp         BSD rlogind(8)
who               513/udp         whod BSD rwhod(8)
shell             514/tcp         cmd BSD rshd(8)
syslog            514/udp         BSD syslogd(8)
printer           515/tcp         spooler BSD lpd(8)
printer           515/udp         Printer Spooler
talk              517/tcp         BSD talkd(8)
talk              517/udp         Talk
ntalk             518/udp         New Talk (ntalk)

Module 03 Page 300

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Scanning Networks

Exam 312-50 Certified Ethical Hacker

ntalk netnews uucp uucp klogin klogin kshell kshell

518/udp

SunOS talkd(8)

532/tcp
540/tcp 540/udp 543/tcp 543/udp 544/tcp 544/udp

Readnews
uucpd BSD uucpd(8) uucpd BSD uucpd(8) Kerberos Login Kerberos Login Kerberos Shell Kerberos Shell krcmd Kerberos encrypted remote shell -kfall ECD Integrated PC board srvr NFS Mount Service PC-NFS DOS Authentication BW-NFS DOS Authentication Flexible License Manager Flexible License Manager Kerberos Administration Kerberos Administration kdc Kerberos authentication—tcp Kerberos

ekshell

545/tcp

pcserver mount pcnfs bwnfs flexlm flexlm 5 6erberos-adm 56erberos-adm kerberos kerberos 56erberos mas ter 56erberos mas ter krb_prop

600/tcp 635/udp 640/udp 650/udp 744/tcp 744/udp 749/tcp 749/udp 750/tcp 750/udp

751/udp

Kerberos authentication

751/tcp

Kerberos authentication

754/tcp

Kerberos slave propagation

Module 03 Page 301

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Scanning Networks

Exam 312-50 Certified Ethical Hacker

999/udp

Applixware

socks socks kpop ms-sql-s ms-sql-s ms-sql-m ms-sql-m Name pptp pptp nf s nf s eklogin rkinit kx kauth lyskom sip sip xll xll ire af s af s

1080/tcp 1080/udp 1109/tcp 1433/tcp 1433/udp 1434/tcp 1434/udp Port/Protocol 1723/tcp 1723/udp 2049/tcp 2049/udp 2105/tcp 2108/tcp 2111/tcp 2120/tcp 4894/tcp 5060/tcp 5060/udp 6000-6063/tcp 6000-6063/udp 6667/tcp 7000-7009/udp 7000-7009/udp
TABLE 3.2: Reserved Ports Table

Pop with Kerberos Microsoft SQL Server Microsoft SQL Server Microsoft SQL Monitor Microsoft SQL Monitor Description Pptp Pptp Network File System Network File System Kerberos encrypted rlogin Kerberos remote kinit X over Kerberos Remote kauth LysKOM (conference system) Session Initiation Protocol Session Initiation Protocol X W indow System X W indow System Internet Relay Chat


TCP Connect / Full Open Scan
- TCP Connect scan detects when a port is open by completing the three-way handshake
- TCP Connect scan establishes a full connection and tears it down by sending a RST packet

[Slide diagram: scan result when a port is open and scan result when a port is closed; the same exchanges are shown in Figures 3.14 and 3.15]

TCP Connect / Full Open Scan
Source: http://www.insecure.org

TCP Connect / Full Open Scan is one of the most reliable forms of TCP scanning. The TCP connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed; otherwise, the port isn't reachable.

TCP Three-way Handshake
In the TCP three-way handshake, the client sends a SYN flag, which is acknowledged by the server with a SYN+ACK flag, which, in turn, is acknowledged by the client with an ACK flag to complete the connection. You can establish a connection from both ends, and terminate from both ends individually.

Vanilla Scanning
In vanilla scanning, once the handshake is completed, the client ends the connection. If the connection is not established, then the scanned machine will be DoS'd, which allows a new socket to be created/called. This confirms an open port to be scanned for a running service. The process will continue until the maximum port threshold is reached.


If the port is closed, the server responds with an RST+ACK flag (RST stands for "Reset the connection"), whereas the client responds with a RST flag, and here the connection ends. This is created by a TCP connect() system call, and whether the port is open or closed is identified instantaneously. Making a separate connect() call for every targeted port in a linear fashion would take a long time over a slow connection. The attacker can accelerate the scan by using many sockets in parallel. Using non-blocking I/O allows the attacker to set a low time-out period and watch all the sockets simultaneously.

Disadvantages
The drawback of this type of scan is that it is easily detectable and filterable. The logs in the target system will disclose the connection.

The Output
Initiating Connect () Scan against (172.17.1.23)
Adding open port 19/tcp
Adding open port 21/tcp
Adding open port 13/tcp

[Figure: Attacker sends SYN packet + port (n); Target replies with SYN/ACK packet; Attacker sends ACK + RST]
FIGURE 3.14: Scan results when a port is open

[Figure: Attacker sends SYN packet + port (n); Target replies with RST]
FIGURE 3.15: Scan results when a port is closed


[Screenshot: Zenmap running a TCP connect scan (-sT -v) against 192.168.168.5; the Nmap Output tab reports 980 filtered ports and lists open TCP ports including 25 (smtp), 80 (http), 110 (pop3), 119 (nntp) and 135 (msrpc)]
FIGURE 3.16: Zenmap Screenshot


Stealth Scan (Half-open Scan)
Attackers use stealth scanning techniques to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic

Stealth Scan Process
- The client sends a single SYN packet to the server on the appropriate port
- If the port is open then the server responds with a SYN/ACK packet
- If the server responds with an RST packet, then the remote port is in the "closed" state
- The client sends the RST packet to close the initiation before a connection can ever be established

[Slide diagram: Bill (10.0.0.2:2342) sends SYN (Port 80) to Sheela (10.0.0.3:80); one panel shows the SYN + ACK reply when the port is open, the other shows the case where the port is closed]

Stealth Scan (Half-Open Scan)
Stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This is a scan type that sends a single frame with the expectation of a single response. The half-open scan partially opens a connection, but stops halfway through. This is also known as a SYN scan because it only sends the SYN packet. This stops the service from ever being notified of the incoming connection. TCP SYN scans or half-open scanning is a stealth method of port scanning.

The three-way handshake methodology is also implemented by the stealth scan. The difference is that in the last stage, remote ports are identified by examining the packets entering the interface and terminating the connection before a new initialization was triggered. The process includes the following:
- To start initialization, the client forwards a single "SYN" packet to the destination server on the corresponding port.
- The server actually initiates the stealth scanning process, depending on the response sent.
- If the server forwards a "SYN/ACK" response packet, then the port is supposed to be in an "OPEN" state.
- If the response is forwarded with an "RST" packet, then the port is supposed to be in a "CLOSED" state.

[Figure: Bill (10.0.0.2:2342) sends SYN (Port 80) to Sheela (10.0.0.3:80); port is open]
FIGURE 3.16: Stealth Scan when Port is Open

[Figure: Bill (10.0.0.2:2342) and Sheela (10.0.0.3:80); port is closed]
FIGURE 3.17: Stealth Scan when Port is Closed

Zenmap Tool
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save frequently used scans as profiles to make them easy to run recurrently. It contains a command creator that allows you to interactively create Nmap command lines. You can save the scan results and view them in the future, and they can be compared with another scan report to locate differences. The results of recent scans can be stored in a searchable database. The advantages of Zenmap are as follows:
- Interactive and graphical results viewing
- Comparison
- Convenience
- Repeatability
- Discoverability


[Screenshot: Zenmap showing the results of the TCP connect scan (-sT -v) of 192.168.168.5: 980 filtered ports, with open TCP ports including 25 (smtp), 80 (http), 110 (pop3), 119 (nntp) and 135 (msrpc)]
FIGURE 3.18: Zenmap Showing Scanning Results


Xmas Scan
- In Xmas scan, attackers send a TCP frame to a remote device with URG, ACK, RST, SYN, PSH, and FIN flags set
- FIN scan works only with OS TCP/IP developed according to RFC 793
- It will not work against any current version of Microsoft Windows

[Slide diagram: Attacker (10.0.0.6) sends FIN, URG, PUSH to Server (10.0.0.8:23); no response when the port is open; a second panel shows the case where the port is closed]

Xmas Scan
Xmas Scan is a port scan technique with ACK, RST, SYN, URG, PSH, and FIN flags set to send a TCP frame to a remote device. If the target port is closed, then you will receive a remote system reply with a RST. You can use this port scan technique to scan large networks and find which host is up and what services it is offering. It is a technique to describe all TCP flag sets. When all flags are set, some systems hang; so the flags most often set are the nonsense pattern URG-PSH-FIN. This scan only works when systems are compliant with RFC 793.

BSD Networking Code
This method is based on BSD networking code; you can use this only for UNIX hosts and it does not support Windows NT. If this scan is directed at any Microsoft system, it shows all the ports on the host are opened.

Transmitting Packets
You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, the port is open. If the target system sends an RST flag, the port is closed.


Advantage: It avoids the IDS and TCP three-way handshake.
Disadvantage: It works on the UNIX platform only.

[Figure: Attacker (10.0.0.6) sends FIN, URG, PUSH to Server (10.0.0.8:23); no response; port is open]
FIGURE 3.19: Xmas Scan when Port is Open

[Figure: Attacker (10.0.0.6) sends FIN, URG, PUSH to Server (10.0.0.8:23); Server replies with RST; port is closed]
FIGURE 3.20: Xmas Scan when Port is Closed

Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save the frequently used scans as profiles to make them easy to run recurrently.
[Screenshot: Zenmap showing an Xmas scan (-sX -v) of 192.168.168.3: 997 closed ports, with 22/tcp (ssh), 88/tcp (kerberos-sec) and 548/tcp (afp) reported as open|filtered]
FIGURE 3.21: Zenmap Showing Xmas Scan Result


FIN Scan
- In FIN scan, attackers send a TCP frame to a remote host with only FIN flags set
- FIN scan works only with OS TCP/IP developed according to RFC 793
- It will not work against any current version of Microsoft Windows

FIN Scan
FIN Scan is a type of port scan. The client sends a FIN packet to the target port, and if the service is not running or if the port is closed it replies to you with the probe packet with an RST.

[Figure: Attacker (10.0.0.6) sends FIN to 10.0.0.8:23; no response; port is open]
FIGURE 3.22: FIN Scan when Port is Open


[Figure: Attacker (10.0.0.6); port is closed]
FIGURE 3.23: FIN Scan when Port is Closed

[Screenshot: Zenmap showing a FIN scan (-sF -v) of 192.168.168.3: 997 closed ports, with 22/tcp (ssh), 88/tcp (kerberos-sec) and 548/tcp (afp) reported as open|filtered]
FIGURE 3.24: Zenmap showing FIN Scan Result


NULL Scan
- In NULL scan, attackers send a TCP frame to a remote host with NO Flags
- NULL scan only works if OS' TCP/IP implementation is developed according to RFC 793
- It will not work against any current version of Microsoft Windows

[Slide diagram: Attacker (10.0.0.6) sends a TCP packet with NO flag set; no response; port is open]

NULL Scan
NULL scans send TCP packets with all flags turned off. It is assumed that closed ports will return a TCP RST. Packets received by open ports are discarded as invalid. It sets all flags of TCP headers, such as ACK, FIN, RST, SYN, URG and PSH, to NULL or unassigned. When any packets arrive at the server, BSD networking code informs the kernel to drop the incoming packet if a port is open, or returns an RST flag if a port is closed. This scan uses flags in the reverse fashion as the Xmas scan, but gives the same output as FIN and Xmas tree scans. Many network codes of major operating systems can behave differently in terms of responding to the packet, e.g., Microsoft versus UNIX. This method does not work for Microsoft operating systems. The command line option for null scanning with NMAP is "-sN".

Advantage:
It avoids IDS and TCP three-way handshake.

Disadvantage:
It works only for UNIX.


[Figure: Attacker (10.0.0.6) sends a TCP packet with NO flag set to Server (10.0.0.8:23); no response; port is open]
FIGURE 3.25: NULL Scan when Port is Open

[Figure: Attacker (10.0.0.6) sends a TCP packet with NO flag set to Server (10.0.0.8:23); Server replies with RST/ACK; port is closed]
FIGURE 3.26: NULL Scan when Port is Closed

[Screenshot: Zenmap showing a NULL scan (-sN -v) of 192.168.168.3: 997 closed ports, with 22/tcp (ssh), 88/tcp (kerberos-sec) and 548/tcp (afp) reported as open|filtered]
FIGURE 3.27: Zenmap showing NULL Scan Result
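
The flag patterns described above for the TCP connect, half-open, Xmas, FIN and NULL scans can be turned into detection logic. The following is an added example, not part of the courseware: it classifies conversations from constructed packet records (reusing the addresses in the figures) and reports sources that send invalid flag combinations or probe several ports. The record layout, function names, labels and the port threshold are assumptions of this example.

```python
from collections import defaultdict

# TCP flag bits as laid out in the RFC 793 header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYNACK = SYN | ACK
# First segments that never open a legitimate conversation.
ODD_PROBES = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas"}


def group_flows(packets):
    """Group (src, sport, dst, dport, flags, payload_len) records into flows.

    The sender of a flow's first segment is its initiator ("c");
    segments travelling the other way are marked "s".
    """
    flows = {}
    for src, sport, dst, dport, flags, plen in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:
            flows[rev].append(("s", flags & 0x3F, plen))
        else:
            flows.setdefault(fwd, []).append(("c", flags & 0x3F, plen))
    return flows


def classify_flow(segments):
    """Return (kind, port_state) for one flow's [(direction, flags, len)]."""
    first = segments[0][1]
    server = [f for d, f, _ in segments[1:] if d == "s"]
    client = [(f, n) for d, f, n in segments[1:] if d == "c"]
    reset_by_server = any(f & RST for f in server)

    if first in ODD_PROBES:
        # RFC 793 behaviour: closed ports answer RST, open ports stay silent.
        return ODD_PROBES[first], "closed" if reset_by_server else "open|filtered"
    if first != SYN:
        return "other", "unknown"
    if not any((f & SYNACK) == SYNACK for f in server):
        return "syn", "closed" if reset_by_server else "filtered"
    # The port answered SYN/ACK; the initiator's next move separates the cases.
    if not client:
        return "syn", "open"              # handshake left hanging
    if client[0][0] & RST:
        return "half-open", "open"        # reset instead of the final ACK
    sent_data = any(n > 0 for _, n in client)
    if not sent_data and any(f & RST for f, _ in client):
        return "connect-reset", "open"    # full handshake, no data, torn down by RST
    return "normal", "open"


def scan_report(packets, port_threshold=3):
    """Per source: probe kinds seen and ports touched, for likely scanners only."""
    seen = defaultdict(lambda: {"kinds": set(), "ports": set()})
    for (src, _sport, _dst, dport), segs in group_flows(packets).items():
        kind, _state = classify_flow(segs)
        if kind != "normal":
            seen[src]["kinds"].add(kind)
            seen[src]["ports"].add(dport)
    report = {}
    for src, info in seen.items():
        odd = info["kinds"] & set(ODD_PROBES.values())
        if odd or len(info["ports"]) >= port_threshold:
            report[src] = {"kinds": sorted(info["kinds"]),
                           "ports": sorted(info["ports"])}
    return report


# Constructed sample traffic (not captured from a real network).
SAMPLE_PACKETS = [
    ("10.0.0.2", 2342, "10.0.0.3", 80, SYN, 0),          # half-open probe
    ("10.0.0.3", 80, "10.0.0.2", 2342, SYNACK, 0),
    ("10.0.0.2", 2342, "10.0.0.3", 80, RST, 0),
    ("10.0.0.2", 2343, "10.0.0.3", 21, SYN, 0),          # full connect, then RST
    ("10.0.0.3", 21, "10.0.0.2", 2343, SYNACK, 0),
    ("10.0.0.2", 2343, "10.0.0.3", 21, ACK, 0),
    ("10.0.0.2", 2343, "10.0.0.3", 21, RST | ACK, 0),
    ("10.0.0.2", 2344, "10.0.0.3", 22, SYN, 0),          # closed port
    ("10.0.0.3", 22, "10.0.0.2", 2344, RST | ACK, 0),
    ("10.0.0.6", 4000, "10.0.0.8", 23, FIN | PSH | URG, 0),  # Xmas, no answer
    ("10.0.0.6", 4001, "10.0.0.8", 24, 0, 0),            # NULL, answered by RST
    ("10.0.0.8", 24, "10.0.0.6", 4001, RST | ACK, 0),
    ("10.0.0.6", 4002, "10.0.0.8", 25, FIN, 0),          # FIN, answered by RST
    ("10.0.0.8", 25, "10.0.0.6", 4002, RST | ACK, 0),
    ("10.0.0.9", 5000, "10.0.0.3", 80, SYN, 0),          # ordinary web request
    ("10.0.0.3", 80, "10.0.0.9", 5000, SYNACK, 0),
    ("10.0.0.9", 5000, "10.0.0.3", 80, ACK, 0),
    ("10.0.0.9", 5000, "10.0.0.3", 80, PSH | ACK, 120),
    ("10.0.0.3", 80, "10.0.0.9", 5000, PSH | ACK, 900),
    ("10.0.0.9", 5000, "10.0.0.3", 80, FIN | ACK, 0),
]

if __name__ == "__main__":
    for source, info in scan_report(SAMPLE_PACKETS).items():
        print(source, info)
```

A single connect-reset or half-open flow can also come from an application aborting a connection, which is why SYN-based probes are reported only once a source has touched several ports, while NULL, FIN and Xmas segments are reported on first sight.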


IDLE Scan
- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. Port is considered "open" if an application is listening on the port
- One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port
- The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed
- A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored
- Every IP packet on the Internet has a "fragment identification" number (IP ID)
- OS increments the IP ID for each packet sent, thus probing an IP ID gives an attacker the number of packets sent since last probe

Command Prompt
C:\>nmap -Pn -p- -sI www.juggyboy.com www.certifiedhacker.com
Starting Nmap ( http://nmap.org )
Idlescan using zombie www.juggyboy.com (192.130.18.124:80); Class: Incremental
Nmap scan report for 198.182.30.110
(The 40321 ports scanned but not
Port     State  Service
21/tcp   open   ftp
25/tcp   open   smtp
80/tcp   open   http
Nmap done: 1 IP address (1 host up) scanned in 1931.23 seconds

IDLE Scan
The idle scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available and offers complete blind scanning of a remote host. This is accomplished by impersonating another computer. No packet is sent from your own IP address; instead, another host is used, often called a "zombie," to scan the remote host and determine the open ports. This is done by expecting the sequence numbers of the zombie host and if the remote host checks the IP of the scanning party, the IP of the zombie machine will show up.

Understanding TCP/IP
Source: http://nmap.org

Idle scanning is a sophisticated port scanning method. You do not need to be a TCP/IP expert to understand it. You need to understand the following basic facts:
- Most of the network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port; otherwise it is closed.
- To determine whether a port is open, send a session establishment "SYN" packet to the port. The target machine responds with a session request acknowledgment "SYN|ACK" packet if the port is open and a Reset "RST" packet if the port is closed.
- A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.
- Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.

From these facts, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning.

[Screenshot: Command Prompt window showing Nmap idle scan output]
FIGURE 3.28: Nmap Showing Idle Scan Result


IDLE Scan: Step 1
Every IP packet on the Internet has a fragment identification number (IP ID), which increases every time a host sends an IP packet

[Figure: Attacker sends an IPID probe to the Zombie; the Zombie responds with an RST packet]
FIGURE 3.29: IPID Probe Request and Response

Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number
In the first step, you can send a session establishment "SYN" packet or IPID probe to determine whether a port is open or closed. If the port is open, the "zombie" responds with a session request acknowledgment "SYN|ACK" packet containing the IPID of the remote host machine. If the port is closed, it sends a reset "RST" packet. Every IP packet on the Internet has a "fragment identification" number, which is incremented by one for every packet transmission. In the above diagram, the zombie responds with IPID=31337.


IDLE Scan: Step 2 and 3
Step 2
- Send SYN packet to the target machine (port 80) spoofing the IP address of the "zombie"
- If the port is open, the target will send SYN/ACK Packet to the zombie and in response zombie sends RST to the target
- If the port is closed, the target will send RST to the "zombie" but zombie will not send anything back

Step 3
- Probe "zombie" IPID again
- IPID incremented by 2 since Step 1, so port 80 must be open

[Slide diagram: Step 2, Attacker sends SYN packet to port 80 spoofing zombie IP address, port is open; Step 3, Attacker sends IPID probe (SYN/ACK packet) to the Zombie, which responds with an RST packet, IPID=31339]

IDLE Scan: Step 2 and 3
Idle Scan: Step 2.1 (Open Port)
Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie." If the port is open, the target will send the SYN/ACK packet to the zombie and in response the zombie sends the RST to the target.

[Figure: Attacker sends SYN packet to port 80 spoofing zombie IP address; Target; Zombie; port is open]
FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open

Idle Scan: Step 2.2 (Closed Port)
The target will send the RST to the "zombie" if the port is closed, but the zombie will not send anything back.

[Figure: Attacker sends SYN packet to port 80 spoofing zombie IP address; Target; Zombie; port is closed]
FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed

Idle Scan: Step 3
Probe the "zombie" IPID again.

[Figure: Attacker sends IPID probe (SYN/ACK packet) to the Zombie; the response is an RST packet with IPID=31339. IPID incremented by 2 since Step 1, so port 80 must be open]
FIGURE 3.32: IPID Probe Request and Response
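
The idle scan depends entirely on the zombie stamping every packet from one shared, incrementing IP ID counter. The following added example (not from the courseware) models Steps 1 to 3 with no network traffic: it shows the leak with a shared counter, why a busy host or a per-peer counter defeats the inference, and how to check IP ID samples collected from hosts you operate. The class, function and host names are hypothetical, the sample values are constructed, and the "closed" reading of an increment of 1 is derived from Step 2.2 rather than stated on the slide.

```python
IPID_MOD = 65536  # the IP identification field is 16 bits wide


class ModelHost:
    """Toy model of how a host stamps IP IDs on the packets it sends."""

    def __init__(self, policy, start=31337):
        if policy not in ("global", "per-peer"):
            raise ValueError(policy)
        self.policy, self.start, self.counters = policy, start, {}

    def send_to(self, peer):
        """Return the IP ID placed on the next packet sent to `peer`."""
        key = "*" if self.policy == "global" else peer
        ipid = self.counters.get(key, self.start)
        self.counters[key] = (ipid + 1) % IPID_MOD
        return ipid


def ipid_delta(before, after):
    """Difference between two observed IP IDs, allowing for 16-bit wrap-around."""
    return (after - before) % IPID_MOD


def observe(host, port_open, background=0):
    """Replay Steps 1-3 against the model; return the two IP IDs the prober sees."""
    before = host.send_to("prober")       # Step 1: reply to the first IPID probe
    if port_open:
        host.send_to("target")            # Step 2.1: RST for the unsolicited SYN/ACK
    for _ in range(background):
        host.send_to("other")             # unrelated traffic from a host that is not idle
    after = host.send_to("prober")        # Step 3: reply to the second IPID probe
    return before, after


def infer(before, after):
    """Step 3 conclusion; only meaningful for an idle host with a shared counter."""
    # +1: only the probe reply was sent (Step 2.2); +2: one extra RST (Step 2.1).
    return {1: "closed", 2: "open"}.get(ipid_delta(before, after), "inconclusive")


def classify_ipid(samples, max_step=8):
    """Classify consecutive IP IDs taken from one host's replies."""
    if 3 > len(samples):
        raise ValueError("need at least three samples")
    deltas = [ipid_delta(a, b) for a, b in zip(samples, samples[1:])]
    if all(d == 0 for d in deltas):
        return "constant"
    if all(d in range(1, max_step + 1) for d in deltas):
        return "incremental"       # shared counter: usable as an idle-scan zombie
    return "not-predictable"       # randomized or per-peer assignment


def audit(observations):
    """Return the hosts whose sampled IP IDs look like one shared counter."""
    return sorted(h for h, s in observations.items()
                  if classify_ipid(s) == "incremental")


# Constructed IP ID samples for hypothetical hosts.
SAMPLES = {
    "printer-01": [31337, 31338, 31339, 31340],
    "router-02": [65534, 65535, 0, 1],      # wraps around the 16-bit field
    "web-01": [4021, 58110, 1207, 33980],
    "fw-01": [0, 0, 0, 0],
}

if __name__ == "__main__":
    for policy in ("global", "per-peer"):
        for is_open in (True, False):
            seen = observe(ModelHost(policy), is_open)
            print(policy, "open" if is_open else "closed", seen, infer(*seen))
    print("hosts with a predictable shared counter:", audit(SAMPLES))
```

With the per-peer policy the prober sees the same pair of IP IDs whether the target port is open or closed, which is the property to look for when hardening hosts that `audit` reports.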


ICMP Echo Scanning/List Scan
ICMP Echo Scanning
- This is not really port scanning, since ICMP does not have a port abstraction
- But it is sometimes useful to determine which hosts in a network are up by pinging them all
- nmap -P cert.org/24 152.148.0.0/16

List Scan
- This type of scan simply generates and prints a list of IPs/Names without actually pinging or port scanning them
- A DNS name resolution will also be carried out

[Slide screenshots: two Zenmap windows, one labelled ICMP Echo Scanning and one labelled List Scan]

ICMP Echo Scanning/List Scan

ICMP echo scanning is used to discover live machines by pinging all the machines in the target network. Attackers send ICMP probes to the broadcast or network address, which is relayed to all the host addresses in the subnet. The live systems send an ICMP echo reply message to the source of the ICMP echo probe. ICMP echo scanning is used on UNIX/Linux and BSD-based machines, because the TCP/IP stack implementations in these operating systems respond to ICMP echo requests sent to the broadcast address. This technique cannot be used in Windows-based networks, because the TCP/IP stack implementation in Windows machines is configured, by default, not to reply to ICMP probes directed to the broadcast address. ICMP echo scanning is not referred to as port scanning, since ICMP does not have a port abstraction. It is useful for determining which hosts in a network are active by pinging them all. The active hosts in the network are displayed in Zenmap as "Host is up (0.020s latency)." You can observe that in the screenshot:


[Screenshot: Zenmap, Nmap Output tab, target 192.168.1.26]
    nmap -sn 192.168.1.26

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-13 18:37 Standard Time
    Nmap scan report for 192.168.1.26
    Host is up (0.0020s latency)
    Nmap done: 1 IP address (1 host up) scanned in 16.57 seconds
FIGURE 3.33: Zenmap showing ICMP Echo Scanning Result

In a list scan, discovery of the active hosts in the network is done indirectly. A list scan simply generates and prints a list of IPs/Names without actually pinging the host names or port scanning them. As a result, the list scan output shows all the IP addresses as "not scanned," i.e., (0 hosts up). By default, Nmap still carries out a reverse DNS resolution on the hosts to learn their names.
[Screenshot: Zenmap, Nmap Output tab, target 192.168.168.5]
    nmap -sL -v 192.168.168.5

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 13:54 Standard Time
    Initiating Parallel DNS resolution of 1 host. at 13:54
    Completed Parallel DNS resolution of 1 host. at 13:54, 0.04s elapsed
    Nmap scan report for 192.168.168.5
    Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds
FIGURE 3.34: Zenmap showing List Scanning Result

Advantage:
- A list scan can perform a good sanity check.
- The incorrectly defined IP addresses on the command line or in an option file are detected by the list scan. The detected errors should be repaired prior to running any "active" scan.


UDP Scanning
[Slide diagram: the attacker asks the server "Are you open on UDP Port 29?"; there is no response if the port is open; if the port is closed, an ICMP Port unreachable message is received.]

UDP Port Open
- There is no three-way TCP handshake for UDP scan
- The system does not respond with a message when the port is open

UDP Port Closed
- If a UDP packet is sent to closed port, the system responds with ICMP port unreachable message
- Spywares, Trojan horses, and other malicious applications use UDP ports

UDP Scanning
UDP Raw ICMP Port Unreachable Scanning
UDP port scanners use the UDP protocol instead of TCP, and UDP scanning can be more difficult than TCP scanning. You can send a packet, but you cannot determine whether the host is alive, dead, or filtered. However, there is one ICMP message that you can use to determine whether ports are open or closed. If you send a UDP packet to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. If any port returns an ICMP error, then it's closed, while the ports that didn't answer are either open or filtered by the firewall. This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.

UDP Packets
Source: http://nmap.org
When you send a packet to a closed UDP port, most of the hosts send an ICMP_PORT_UNREACH error. Thus, you can find out if a port is NOT open. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement the retransmission of packets that appear lost. UDP scanners interpret lost traffic as open ports.

In addition, this scanning technique is slow, because the scanner must compensate for machines that apply RFC 1812 section 4.3.2.8 and limit the ICMP error message rate. A remote host will need to access the raw ICMP socket to distinguish closed from unreachable ports.

UDP RECVFROM() and WRITE() Scanning
While non-root users cannot read port unreachable errors directly, Linux informs you indirectly when they are received.

Example
For example, a second write() call to a closed port will usually fail. A lot of scanners, such as Netcat and Pluvial pscan.c, call recvfrom() on non-blocking UDP sockets, which usually returns EAGAIN ("Try Again," errno 13) if the ICMP error has not been received, and ECONNREFUSED ("Connection refused," errno 111) if it has. This is the technique used for determining open ports when non-root users use -u (UDP). Root users can also use the I (lamer UDP scan) options to force this.

Advantage:
The UDP scan is less informal regarding an open port, since there's no overhead of a TCP handshake. However, if ICMP is responding to each unavailable port, the number of total frames can exceed a TCP scan. Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.

Disadvantage:
The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with a version detection scan (-sV) or the operating system fingerprinting option (-O). The UDP scan requires privileged access, so this scan option is only available on systems with the appropriate user permissions. Most networks have huge amounts of TCP traffic; as a result, the efficiency of the UDP scan is lost. The UDP scan will locate these open ports and provide the security manager with valuable information that can be used to identify the invasions achieved by the attacker on open UDP ports through spyware applications, Trojan horses, and other malicious software.
[Figure: the attacker asks the server "Are you open on UDP Port 29?"; there is no response if the port is open; if the port is closed, an ICMP Port unreachable message is received.]
FIGURE 3.35: UDP Scanning


[Screenshot: Zenmap, Nmap Output tab, target field "nmap 192.168.168.3"]
    nmap -sU -v nmap 192.168.168.3

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 12:47 Standard Time
    Initiating ARP Ping Scan at 12:47
    Scanning 192.168.168.3 [1 port]
    Completed ARP Ping Scan at 12:47, 0.06s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 12:47
    Completed Parallel DNS resolution of 1 host. at 12:47, 0.02s elapsed
    Initiating UDP Scan at 12:47
    Scanning 192.168.168.3 [1000 ports]
    Discovered open port 5353/udp on 192.168.168.3
    Discovered open port 137/udp on 192.168.168.3
    Discovered open port 123/udp on 192.168.168.3
    Increasing send delay for 192.168.168.3 from 0 to 50 due to 216 out of 719 dropped probes since last increase.
    Completed UDP Scan at 12:47, 19.66s elapsed (1000 total ports)
    Nmap scan report for 192.168.168.3
    Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
    Host is up (0.000063s latency).
    Not shown: 994 closed ports
    PORT       STATE          SERVICE
    88/udp     open|filtered  kerberos-sec
    123/udp    open           ntp
    137/udp    open           netbios-ns
    138/udp    open|filtered  netbios-dgm
    5353/udp   open           zeroconf
    58178/udp  open|filtered  unknown
    MAC Address:
    Read data files from: C:\Program Files (x86)\Nmap
    Nmap done: 1 IP address (1 host up) scanned in 22.09 seconds
    Raw packets sent: 1839 (52.401KB) | Rcvd: 998 (56.065KB)
FIGURE 3.36: Zenmap showing UDP Scanning Result
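Because every closed UDP port answers with an ICMP port unreachable message, a UDP sweep is visible on the scanned server as a burst of outbound ICMP type 3, code 3 messages toward one peer. The following is an added example, not part of the courseware, that looks for such bursts; the log layout, addresses, and thresholds are constructed assumptions.

```python
"""Spot UDP port sweeps from the ICMP port-unreachable errors they provoke.

Added example, not from the courseware. The log layout is made up for this
sketch: time in seconds, direction, the ICMP message our server sent, and
the UDP destination port of the datagram that was rejected.
"""
import re
from collections import defaultdict, deque

LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) OUT icmp (?P<src>\S+) > (?P<dst>\S+) "
    r"type=(?P<type>\d+) code=(?P<code>\d+) orig_udp_dport=(?P<port>\d+)$"
)

# Constructed log lines (documentation address ranges).
SAMPLE = """\
10.00 OUT icmp 192.0.2.10 > 198.51.100.7 type=3 code=3 orig_udp_dport=53
10.40 OUT icmp 192.0.2.10 > 198.51.100.7 type=3 code=3 orig_udp_dport=67
10.90 OUT icmp 192.0.2.10 > 198.51.100.7 type=3 code=3 orig_udp_dport=69
11.30 OUT icmp 192.0.2.10 > 198.51.100.7 type=3 code=3 orig_udp_dport=123
11.80 OUT icmp 192.0.2.10 > 198.51.100.7 type=3 code=3 orig_udp_dport=161
12.10 OUT icmp 192.0.2.10 > 198.51.100.7 type=3 code=3 orig_udp_dport=500
13.00 OUT icmp 192.0.2.10 > 198.51.100.7 type=3 code=1 orig_udp_dport=9999
20.00 OUT icmp 192.0.2.10 > 192.0.2.80 type=3 code=3 orig_udp_dport=5353
21.00 OUT icmp 192.0.2.10 > 192.0.2.80 type=3 code=3 orig_udp_dport=5353
23.00 OUT icmp 192.0.2.10 > 192.0.2.80 type=3 code=3 orig_udp_dport=5353
30.00 OUT icmp 192.0.2.10 > 203.0.113.9 type=3 code=3 orig_udp_dport=53
50.00 OUT icmp 192.0.2.10 > 203.0.113.9 type=3 code=3 orig_udp_dport=67
70.00 OUT icmp 192.0.2.10 > 203.0.113.9 type=3 code=3 orig_udp_dport=69
90.00 OUT icmp 192.0.2.10 > 203.0.113.9 type=3 code=3 orig_udp_dport=123
110.00 OUT icmp 192.0.2.10 > 203.0.113.9 type=3 code=3 orig_udp_dport=161
"""


def find_udp_sweeps(lines, window=10.0, min_ports=5):
    """Return {remote_ip: sorted ports} for peers that drew port-unreachable
    errors for at least `min_ports` distinct UDP ports within `window` seconds.
    """
    recent = defaultdict(deque)   # remote ip -> (timestamp, port) in the window
    flagged = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        # Only type 3 / code 3 (port unreachable) marks a closed UDP port.
        if not m or (m["type"], m["code"]) != ("3", "3"):
            continue
        ts, port, remote = float(m["ts"]), int(m["port"]), m["dst"]
        queue = recent[remote]
        queue.append((ts, port))
        while queue and ts - queue[0][0] > window:
            queue.popleft()       # forget errors older than the window
        ports = {p for _, p in queue}
        if len(ports) >= min_ports:
            flagged[remote].update(ports)
    return {remote: sorted(ports) for remote, ports in flagged.items()}


if __name__ == "__main__":
    log = SAMPLE.splitlines()
    print("10 s window :", find_udp_sweeps(log))
    # A sweep paced one probe per 20 s slips under the short window;
    # a longer window catches it at the cost of more state.
    print("120 s window:", find_udp_sweeps(log, window=120.0))
```

The peer that retries a single closed port (192.0.2.80) is never flagged, and the slow sweep from 203.0.113.9 only appears once the window is widened.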


Inverse TCP Flag Scanning
Attackers send TCP probe packets with various TCP flags (FIN, URG, PSH) set or with no flags; no response means the port is open, and RST/ACK means the port is closed.
[Slide diagram: Probe Packet (FIN/URG/PSH/NULL) with No Response: port is open; Probe Packet (FIN/URG/PSH/NULL) with RST/ACK: port is closed.]

Inverse TCP Flag Scanning
Attackers send TCP probe packets with various TCP flags (FIN, URG, PSH) enabled, or with no flags. When the port is open, the attacker doesn't get any response from the host, whereas when the port is closed, he or she receives an RST/ACK from the target host. SYN packets that are sent to the sensitive ports of the targeted hosts are detected by security mechanisms such as firewalls and IDS. Programs such as Synlogger and Courtney are available to log half-open SYN flag scan attempts. At times, the probe packets enabled with TCP flags can pass through filters undetected, depending on the security mechanisms installed. Probing a target using a half-open SYN flag is known as an inverted technique. It is called this because only the closed ports send a response back. According to RFC 793, an RST/ACK packet must be sent for connection reset when the port is closed on the host side. Attackers take advantage of this feature to send TCP probe packets to each port of the target host with various TCP flags set. Common flag configurations used for probe packets include:
- A FIN probe with the FIN TCP flag set
- An XMAS probe with the FIN, URG, and PUSH TCP flags set
- A NULL probe with no TCP flags set
- A SYN/ACK probe
All the closed ports on the targeted host will send an RST/ACK response. Since the RFC 793 standard is completely ignored in operating systems such as Windows, you cannot see the RST/ACK response when connected to a closed port on the target host. This technique is effective when used with UNIX-based operating systems.

Advantages
- Avoids many IDS and logging systems, highly stealthy

Disadvantages
- Needs raw access to network sockets, thus requiring super-user privileges
- Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts in particular)
[Figure: the attacker sends a probe packet (FIN/URG/PSH/NULL) to the target host and receives no response; the port is open.]
FIGURE 3.37: Inverse TCP Flag Scanning when Port is Open

[Figure: the attacker sends a probe packet (FIN/URG/PSH/NULL) to the target host and receives an RST/ACK; the port is closed.]
FIGURE 3.38: Inverse TCP Flag Scanning when Port is Closed


ACK Flag Scanning
A stealthy technique is used for identifying open TCP ports. In this technique, a TCP packet with the ACK flag ON is sent to the remote host, and then the header information of the RST packets sent by the remote host is analyzed. Using this technique, one can exploit the potential vulnerabilities of the BSD-derived TCP/IP stack. This technique gives good results when used with certain operating systems and platforms. ACK scanning can be performed in two ways:
- TTL field analysis
- WINDOW field analysis
Using the TTL value, one can determine the number of systems the TCP packet traverses. You can send an ACK probe packet with a random sequence number: no response means the port is filtered (a stateful firewall is present), and an RST response means the port is not filtered.
    nmap -sA -P0 10.10.0.25
    Starting nmap 5.21 ( http://nmap.org ) at 2010-05-16 12:15 EST
    All 529 scanned ports on 10.10.0.25 are: filtered


Stateful Firewall is Present
[Figure: the attacker sends a probe packet (ACK) to the target host; no response is returned.]
FIGURE 3.39: ACK Flag Scanning when Stateful Firewall is Present

No Firewall
[Figure: the attacker sends a probe packet (ACK) to the target host; the target host returns an RST.]
FIGURE 3.40: ACK Flag Scanning when No Firewall is Present

[Screenshot: Zenmap, Nmap Output tab, target field "nmap 192.168.168.5"]
    nmap -sA -v -Pn nmap 192.168.168.5

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 13:09 Standard Time
    Initiating ARP Ping Scan at 13:10
    Scanning 192.168.168.5 [1 port]
    Completed ARP Ping Scan at 13:10, 0.07s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 13:10
    Completed Parallel DNS resolution of 1 host. at 13:10, 0.10s elapsed
    Initiating ACK Scan at 13:10
    Scanning 192.168.168.5 [1000 ports]
    Completed ACK Scan at 13:10, 21.38s elapsed (1000 total ports)
    Nmap scan report for 192.168.168.5
    Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
    Host is up
    All 1000 scanned ports on 192.168.168.5 are filtered
    MAC Address:
    Read data files from: C:\Program Files (x86)\Nmap
    Nmap done: 1 IP address (1 host up) scanned in 23.90 seconds
    Raw packets sent: 2001 (80.028KB) | Rcvd: 1 (28B)
FIGURE 3.41: Zenmap showing ACK Flag Scanning Result
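The probes described under Inverse TCP Flag Scanning and ACK Flag Scanning share one property a defender can key on: none of them can belong to a connection that started with a SYN. The following is an added example, not part of the courseware, that classifies such packets and reports sources that probe several ports; the CSV layout, addresses, and threshold are constructed assumptions.

```python
"""Flag FIN/XMAS/NULL probes and unsolicited ACKs in TCP packet summaries.

Added example, not from the courseware. Records are constructed and use a
made-up CSV layout: src,sport,dst,dport,flags with flags as letters
S(YN) A(CK) F(IN) R(ST) P(SH) U(RG); an empty field means no flags set.
"""
import csv
from collections import defaultdict

SAMPLE = """\
# a normal HTTP exchange: handshake, data, teardown
192.0.2.50,51000,192.0.2.10,80,S
192.0.2.10,80,192.0.2.50,51000,SA
192.0.2.50,51000,192.0.2.10,80,A
192.0.2.50,51000,192.0.2.10,80,PA
192.0.2.50,51000,192.0.2.10,80,FA
# FIN probes
198.51.100.7,40001,192.0.2.10,21,F
198.51.100.7,40001,192.0.2.10,22,F
198.51.100.7,40001,192.0.2.10,23,F
# XMAS probes
198.51.100.8,40002,192.0.2.10,80,FPU
198.51.100.8,40002,192.0.2.10,443,FPU
198.51.100.8,40002,192.0.2.10,8080,FPU
# NULL probes
198.51.100.9,40003,192.0.2.10,135,
198.51.100.9,40003,192.0.2.10,139,
198.51.100.9,40003,192.0.2.10,445,
# ACK probes on flows that never saw a SYN
203.0.113.4,40004,192.0.2.10,22,A
203.0.113.4,40004,192.0.2.10,80,A
203.0.113.4,40004,192.0.2.10,443,A
# a single stray ACK: stays below the reporting threshold
192.0.2.60,52000,192.0.2.10,80,A
"""


def probe_type(flags, flow_known):
    """Name the probe a flag combination represents, or None if it is benign."""
    flagset = frozenset(flags)
    if not flagset:
        return "null"
    if flagset == {"F"}:
        return "fin"             # a legitimate teardown carries FIN together with ACK
    if flagset == {"F", "P", "U"}:
        return "xmas"
    if flagset == {"A"} and not flow_known:
        return "unsolicited-ack"  # what a stateful firewall drops
    return None


def detect_flag_scans(text, min_ports=3):
    """Return {source: {probe_type: sorted ports}} for sources that sent one
    probe type to at least `min_ports` distinct (destination, port) targets.
    """
    handshakes = set()   # 4-tuples on which a SYN or SYN/ACK was seen
    hits = defaultdict(lambda: defaultdict(set))
    rows = csv.reader(l for l in text.splitlines() if l and not l.startswith("#"))
    for src, sport, dst, dport, flags in rows:
        flow = (src, sport, dst, dport)
        if "S" in flags:
            handshakes.add(flow)
            continue
        known = flow in handshakes or (dst, dport, src, sport) in handshakes
        kind = probe_type(flags, known)
        if kind:
            hits[src][kind].add((dst, int(dport)))
    report = {}
    for src, kinds in hits.items():
        found = {
            kind: sorted({port for _, port in targets})
            for kind, targets in kinds.items()
            if len(targets) >= min_ports
        }
        if found:
            report[src] = found
    return report


if __name__ == "__main__":
    for source, kinds in detect_flag_scans(SAMPLE).items():
        print(source, kinds)
```

The same flag tests translate directly into firewall or IDS rules that drop or alert on NULL, FIN-only, and FIN+PSH+URG packets and on ACKs that match no tracked connection.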


Scanning Tool: NetScan Tools Pro
Source: http://www.netscantools.com
NetScan Tools Pro is an investigation tool. It allows you to troubleshoot, monitor, discover, and detect devices on your network. You can gather information about the local LAN as well as Internet users, IP addresses, ports, etc. using this tool. You can find vulnerabilities and exposed ports in your system. It is a combination of many network tools and utilities. The tools are categorized by function, such as active, passive, DNS, and local computer.

Active Discovery and Diagnostic Tools: Used for testing and locating devices that are connected to your network.

Passive Discovery Tools: Monitor the activities of the devices that are connected to your network and also gather information from third parties.

DNS Tools: Used to detect problems with DNS.

Local Computer and General Information Tools: Provide details about your local computer's network.

Benefits:
- The information gathering process is made simpler and faster by automating the use of many network tools
- Produces the result reports in your web browser clearly

[Screenshot: NetScanTools Pro 11.00, Manual Tools - Network Connection Endpoints, showing the TCP/UDP Connection Endpoint List with columns Process, PID, Protocol, Local IP, Local Port and Remote IP.]
FIGURE 3.42: NetScan Tools Pro Screenshot


Scanning Tools
Scanning tools ping computers, scan for listening TCP/UDP ports, and display the type of resources shared on the network (including system and hidden). The attacker may attempt to launch attacks against your network or network resources based on the information gathered with the help of scanning tools. A few of the scanning tools that can detect active ports on the systems are listed as follows:

- PRTG Network Monitor available at http://www.paessler.com
- Net Tools available at http://mabsoft.com
- IP Tools available at http://www.ks-soft.net
- MegaPing available at http://www.magnetosoft.com
- Network Inventory Explorer available at http://www.10-strike.com
- Global Network Inventory Scanner available at http://www.magnetosoft.com
- SoftPerfect Network Scanner available at http://www.softperfect.com
- Advanced Port Scanner available at http://www.radmin.com
- Netifera available at http://netifera.com
- Free Port Scanner available at http://www.nsauditor.com


Do Not Scan These IP Addresses
(Unless you want to get into trouble)

For a complete list, see the file in DVD IP ADDRESSES YOU SHOULD NOT SCAN.txt

Do Not Scan These IP Addresses (Unless you want to get into trouble)
The IP addresses listed in the following table are associated with the critical information resource centers of the US. Scanning these IP addresses will be considered an attempt to break the US's information security. Therefore, do not scan these IP addresses unless you want to get into trouble.


TABLE 3.3: Do Not Scan These IP Addresses Table


Port Scanning Countermeasures
- Configure firewall and IDS rules to detect and block probes
- Use custom rule set to lock down the network and block unwanted ports at the firewall
- Hide sensitive information from public view
- Filter all ICMP messages (i.e. inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and routers
- Ensure that mechanism used for routing and filtering at the routers and firewalls respectively cannot be bypassed using particular source ports or source-routing methods
- Perform TCP and UDP scanning along with ICMP probes against your organization's IP address space to check the network configuration and its available ports
- Ensure that the router, IDS, and firewall firmware are updated to their latest releases
- Ensure that the anti scanning and anti spoofing rules are configured

Port Scanning Countermeasures
As discussed previously, port scanning provides a lot of useful information such as IP addresses, host names, open ports, etc. to the attacker. Open ports especially provide an easy means for the attacker to break into the security. But there is nothing to worry about, as you can secure your system or network against port scanning by applying the following countermeasures:
- The firewall should be good enough to detect probes an attacker sends to scan the network. So the firewall should carry out stateful inspection if it has a specific rule set. Some firewalls do a better job than others in detecting stealth scans. Many firewalls have specific options to detect SYN scans, while others completely ignore FIN scans.
- Network intrusion detection systems should detect the OS detection method used by tools such as Nmap, etc. Snort (http://www.snort.org) is an intrusion detection and prevention technology that can be of great help, mainly because signatures are frequently available from public authors.
- Only necessary ports should be kept open; the rest of the ports should be filtered as the intruder will try to enter through any open port. This can be accomplished with the custom rule set.
- Filter inbound ICMP message types and all outbound ICMP type 3 unreachable messages at border routers and firewalls.


- Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques.
- Test your own IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.
- If a commercial firewall is in use, then ensure that the firewall is patched with the latest updates, antispoofing rules have been correctly defined, and fastmode services are not used in Check Point Firewall-1 environments.


CEH Scanning Methodology
So far we have discussed how to check for live systems and open ports, the two common network vulnerabilities. An IDS is the security mechanism intended to prevent an attacker from entering a secure network. But even the IDS has some limitations in offering security. Attackers are trying to launch attacks by exploiting limitations of IDS.

[Figure: CEH scanning methodology steps: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing]

This section highlights IDS evasion techniques and SYN/FIN scanning.


IDS Evasion Techniques
- Use fragmented IP packets
- Spoof your when launching attacks and sniff responses from server
- Use source routing (if possible)
- Connect to or compromised trojaned machines to launch attacks

IDS Evasion Techniques
Most of the IDS evasion techniques rely on the use of fragmented probe packets that reassemble once they reach the target host. IDS evasion can also occur with the use of spoofed fake hosts launching network scanning probes.

Use fragmented IP packets
Attackers use different fragmentation methods to evade the IDS. These attacks are similar to session splicing. With the help of fragroute, all the probe packets flowing from your host or network can be fragmented. It can also be done with the help of a port scanner with a fragmentation feature, such as Nmap. This works because most IDS sensors fail to process large volumes of fragmented packets, as this involves greater CPU consumption and memory at the network sensor level.

Use source routing (if possible)
Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. It is assumed that the source of the packet knows about the layout of the network and can specify the best path for the packet.


SYN/FIN Scanning Using IP Fragments
- It is not a new scanning method but a modification of the earlier methods
- The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend to do

[Diagram: SYN/FIN Scanning. Attacker to Target: SYN/FIN (Small IP Fragments) + Port (n). Target to Attacker: RST (if port is closed)]

Command Prompt
C:\>nmap -sS -T4 -A -f -v 192.168.168.5
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-11 11:03 EDT
Initiating SYN Stealth Scan at 11:03
Scanning 192.168.168.5 [1000 ports]
Discovered open port 139/tcp on 192.168.168.5
Discovered open port 445/tcp on 192.168.168.5
Discovered open port 135/tcp on 192.168.168.5
Discovered open port 912/tcp on 192.168.168.5
Completed SYN Stealth Scan at 11:03, 4.75s elapsed (1000 total ports)

SYN/FIN Scanning Using IP Fragments
SYN/FIN scanning using IP fragments is a modification of the earlier methods of scanning; the probe packets are further fragmented. This method came into existence to avoid the false positive from other scans, due to a packet filtering device present on the target machine. Instead of sending a single probe packet, you split the TCP header into several packets to avoid the packet filters. Every TCP header should include the source and destination port in the first packet of any transmission (8 octets, 64 bits) and the initialized flags in the next; the remote host reassembles the packet upon receipt through an Internet protocol module that recognizes the fragmented data packets by their matching protocol, source, destination, and identification field values.

Fragmented Packets
The TCP header, after splitting into small fragments, is transmitted over the network. But, at times you may observe unpredictable results such as fragmentation of the data in the IP header after the reassembly of IP on the server side. Some hosts may not be capable of parsing and reassembling the fragmented packets, and thus may cause crashes, reboots, or even network device monitoring dumps.


Firewalls
Some firewalls may have rule sets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented due to the adverse effect on performance. Since several intrusion detection systems employ signature-based methods to indicate scanning attempts based on IP and/or the TCP headers, fragmentation is often able to evade this type of packet filtering and detection. There is a probability of network problems on the target network.

[Diagram: Attacker to Target: SYN/FIN (Small IP Fragments) + Port (n). Target to Attacker: RST (if port is closed)]
FIGURE 3.43: SYN/FIN Scanning

Nmap command prompt for SYN/FIN scan.

Command Prompt
C:\>nmap -sS -T4 -A -f -v 192.168.168.5
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-11 11:03 EDT
Initiating SYN Stealth Scan at 11:03
Scanning 192.168.168.5 [1000 ports]
Discovered open port 139/tcp on 192.168.168.5
Discovered open port 445/tcp on 192.168.168.5
Discovered open port 135/tcp on 192.168.168.5
Discovered open port 912/tcp on 192.168.168.5
Completed SYN Stealth Scan at 11:03, 4.75s elapsed (1000 total ports)

FIGURE 3.44: Nmap showing SYN/FIN Scanning Result
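
A defensive check for the fragment-based scan described above, as an added example that is not part of the original courseware: it flags the two patterns that split a TCP header across packets, a first fragment too short to hold the 20-byte TCP header and a TCP fragment at offset 1 (the filter checks recommended in RFC 1858). The function names, finding labels, and sample packets built on documentation addresses are assumptions constructed for illustration.

```python
import struct

TCP = 6
MIN_TCP_HEADER = 20      # bytes: a TCP header without options
MORE_FRAGMENTS = 0x2000  # MF bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF     # fragment offset, counted in 8-byte units


def build_ipv4(payload, offset_units=0, more_fragments=False, proto=TCP):
    """Build a constructed IPv4 packet for testing (header checksum left at 0)."""
    flags_frag = (MORE_FRAGMENTS if more_fragments else 0) | (offset_units & OFFSET_MASK)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]),
    )
    return header + payload


def inspect_ipv4(packet):
    """Return a list of findings for one raw IPv4 packet (empty list = nothing suspicious)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ["bad-header-length"]
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if packet[9] != TCP:
        return []
    payload_len = min(total_len, len(packet)) - ihl
    offset = flags_frag & OFFSET_MASK
    more = bool(flags_frag & MORE_FRAGMENTS)

    findings = []
    # First fragment that cannot contain the whole TCP header: the flags
    # (byte 13 of the TCP header) arrive in a later fragment, so a filter
    # that only inspects the first fragment never sees SYN or FIN.
    if offset == 0 and more and payload_len < MIN_TCP_HEADER:
        findings.append("tiny-first-fragment")
    # A TCP fragment starting at byte 8 carries or overwrites header fields.
    if offset == 1:
        findings.append("fragment-offset-1")
    return findings


def split_tcp_header_sample():
    """Constructed sample: one 20-byte TCP SYN header cut into 8-byte fragments."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
    return [
        build_ipv4(tcp[0:8], offset_units=0, more_fragments=True),
        build_ipv4(tcp[8:16], offset_units=1, more_fragments=True),
        build_ipv4(tcp[16:20], offset_units=2, more_fragments=False),
        build_ipv4(tcp),  # the same header sent unfragmented
    ]


if __name__ == "__main__":
    for number, pkt in enumerate(split_tcp_header_sample()):
        print(number, inspect_ipv4(pkt))
```

The same two conditions can be expressed as drop rules on a border filter; reassembling fragments before inspection makes both checks unnecessary at the cost the Firewalls paragraph mentions.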


CEH Scanning Methodology
So far we have discussed how to check for live systems, open ports, and scan beyond IDS. All of these are the doorways for an attacker to break into a network. Another important tool of an attacker is banner grabbing, which we will discuss next.

[Figure: CEH scanning methodology steps: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing]

This section highlights banner grabbing, the need to perform banner grabbing, various ways of banner grabbing, and the tools that help in banner grabbing.


Banner Grabbing
Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive.

Active Banner Grabbing
- Specially crafted packets are sent to remote OS and the response is noted
- The responses are then compared with a database to determine the OS
- Response from different OSes varies due to differences in TCP/IP stack implementation

Passive Banner Grabbing
- Banner grabbing from error messages: Error messages provide information such as type of server, type of OS, and SSL tool used by the target remote system
- Sniffing the network traffic: Capturing and analyzing packets from the target enables an attacker to determine OS used by the remote system
- Banner grabbing from page extensions: Looking for an extension in the URL may assist in determining the application version. Example: .aspx => IIS server and Windows platform

Why Banner Grabbing?
Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on a system to further carry out additional attacks

Banner Grabbing
Banner grabbing or OS fingerprinting is a method to determine the operating system running on a remote target system. Banner grabbing is important for hacking as it provides you with a greater probability of success in hacking. This is because most of the vulnerabilities are OS specific. Therefore, if you know the OS running on the target system, you can hack the system by exploiting the vulnerabilities specific to that operating system. Banner grabbing can be carried out in two ways: either by spotting the banner while trying to connect to a service such as FTP or downloading the binary file /bin/ls to check the architecture with which it was built.

Banner grabbing is performed using the fingerprinting technique. A more advanced fingerprinting technique depends on stack querying, which transfers the packets to the network host and evaluates packets based on the reply. The first stack querying method was designed considering the TCP mode of communication, in which the response of the connection requests is evaluated. The next method was known as ISN (Initial Sequence Number) analysis. This identifies the differences in the random number generators found in the TCP stack. A new method, using the ICMP protocol, is known as ICMP response analysis. It consists of sending the ICMP messages to the remote host and evaluating the reply. The latest ICMP messaging is known as temporal response analysis. Like others, this method uses the TCP protocol. Temporal response analysis looks at the retransmission timeout (RTO) responses from a remote host.

There are two types of banner grabbing techniques available; one is active and the other is passive.

Active Banner Grabbing
Active banner grabbing is based on the principle that an operating system's IP stack has a unique way of responding to specially crafted TCP packets. This arises because of different interpretations that vendors apply while implementing the TCP/IP stack on the particular OS. In active banner grabbing, a variety of malformed packets are sent to the remote host, and the responses are compared to a database. For instance, in Nmap, the OS fingerprint or banner grabbing is done through eight tests. The eight tests are named T1, T2, T3, T4, T5, T6, T7, and PU (port unreachable). Each of these tests is illustrated as follows, as described in www.packetwatch.net:

T1: In this test, a TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP port.

T2: It involves sending a TCP packet with no flags enabled to an open TCP port. This type of packet is known as a NULL packet.

T3: It involves sending a TCP packet with the URG, PSH, SYN, and FIN flags enabled to an open TCP port.

T4: It involves sending a TCP packet with the ACK flag enabled to an open TCP port.

T5: It involves sending a TCP packet with the SYN flag enabled to a closed TCP port.

T6: It involves sending a TCP packet with the ACK flag enabled to a closed TCP port.

T7: It involves sending a TCP packet with the URG, PSH, and FIN flags enabled to a closed TCP port.

PU (Port Unreachable): It involves sending a UDP packet to a closed UDP port. The objective is to extract an "ICMP port unreachable" message from the target machine.

The last test that Nmap performs is named TSeq for TCP Sequencability test. This test tries to determine the sequence generation patterns of the TCP initial sequence numbers (also known as TCP ISN sampling), the IP identification numbers (also known as IPID sampling), and the TCP timestamp numbers. The test is performed by sending six TCP packets with the SYN flag enabled to an open TCP port. The objective is to find patterns in the initial sequence of numbers that the TCP implementations choose while responding to a connection request. These can be categorized into many groups such as the traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or True "random" (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time-dependent" model where the ISN is incremented by a fixed amount for each time period.


Source: www.insecure.org, "Most operating systems increment a system-wide IPID value for each packet they send. Others, such as OpenBSD, use a random IPID and some systems (like Linux) use an IPID of 0 in many cases where the 'Don't Fragment' bit is not set. Windows does not put the IPID in network byte order, so it increments by 256 for each packet. Another number that can be sequenced for OS detection purposes is the TCP timestamp option values. Some systems do not support the feature; others increment the value at frequencies of 2HZ, 100HZ, or 1000HZ and still others return 0."

Passive Banner Grabbing
Source: http://honeynet.org
Like active banner grabbing, passive banner grabbing is also based on the differential implementation of the stack and the various ways an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study for telltale signs that can reveal an OS. The four areas that are typically noted to determine the operating system are:
- TTL - What the operating system sets the Time To Live on the outbound packet
- Window Size - What the operating system sets the Window size
- DF - Does the operating system set the Don't Fragment bit
- TOS - Does the operating system set the Type of Service, and if so, at what

Passive fingerprinting has to be neither fully accurate nor be limited to these four signatures. However, by looking at several signatures and combining information, accuracy can be improved. The following is the analysis of a sniffed packet dissected by Lance Spitzner in his paper on passive fingerprinting (http://www.honeynet.org/papers/finger/).

04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257
***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78

Based on the four criteria, the following are identified:
- TTL: 45
- Window Size: 0x7D78 (or 32120 in decimal)
- DF: The Don't Fragment bit is set
- TOS: 0x0

Database Signatures
This information is then compared to a database of signatures. Considering the TTL used by the remote host, it is determined from the sniffer trace that the TTL is set at 45. This indicates that it went through 19 hops to get to the target, so the original TTL must have been set at 64.

Based on this TTL, it appears that the packet was sent from a Linux or FreeBSD box (however, more system signatures need to be added to the database). This TTL is confirmed by doing a traceroute to the remote host. If the trace needs to be done stealthily, the traceroute time-to-live (default 30 hops) can be set to be one or two hops less than the remote host (-m option). Setting traceroute in this manner reveals the path information (including the upstream provider) without actually touching the remote host.

Window Sizes
The next step is to compare window sizes. The window size is another effective tool that determines specifically what window size is used and how often the size is changed. In the previous signature, it is set at 0x7D78, a default window size commonly used by Linux. In addition, FreeBSD and Solaris tend to maintain the same window size throughout a session. However, Cisco routers and Microsoft Windows/NT window sizes are constantly changing. The window size is more accurate if measured after the initial three-way handshake (due to TCP slow start).

Session Based
Most systems use the DF bit set, so this is of limited value. However, this does make it easier to identify the few systems that do not use the DF flag (such as SCO or OpenBSD). TOS is also of limited value, since it seems to be more session-based than operating-system-based. In other words, it is not so much the operating system that determines the TOS, but the protocol used. Therefore, based on this information, specifically TTL and window size, one can compare the results to the database of signatures and, with a degree of confidence, determine the OS (in this case, Linux kernel 2.2.x). Just as with active fingerprinting, passive fingerprinting has some limitations. First, applications that build their own packets (such as Nmap, hunt, nemesis, etc.) will not use the same signatures as the operating system. Second, it is relatively simple for a remote host to adjust the TTL, window size, DF, or TOS setting on packets. Passive fingerprinting can be used for several other purposes. Crackers can use "stealthy" fingerprinting. For example, to determine the operating system of a potential target, such as a web server, one need only request a web page from the server, and then analyze the sniffer traces. This bypasses the need for using an active tool that various IDS systems can detect. Also, passive fingerprinting may be used to identify remote proxy firewalls. Since proxy firewalls rebuild connections for clients, it may be possible to ID proxy firewalls based on the signatures that have been discussed. Organizations can use passive fingerprinting to identify rogue systems on their network. These would be systems that are not authorized on the network.
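
The TTL and window-size analysis above, applied to the rogue-system use case the paragraph ends with, as an added example that is not from the original courseware or from Spitzner's paper. The list of common initial TTL values, the one-entry signature table (taken from the case worked through in the text), the two extra trace lines, and the inventory are assumptions constructed for illustration.

```python
import re

# Initial TTL values commonly used by IP stacks (assumption for this example).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Signature table keyed on (initial TTL, window size). Only the case from the
# text is included; a real signature database holds many more entries.
SIGNATURES = {(64, 0x7D78): "Linux kernel 2.2.x"}

TRACE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+\s+"
    r"TCP TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) ID:(?P<ipid>\d+)"
    r".*?Win: (?P<win>0x[0-9A-Fa-f]+)"
)

# The sniffed packet quoted in the text, joined onto one line.
PAGE_TRACE = ("04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 "
              "TCP TTL:45 TOS:0x0 ID:56257 ***F**A* "
              "Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78")
# Constructed traces (documentation addresses) for the inventory check.
CONSTRUCTED_TRACES = [
    "04/20-21:42:10.000000 192.0.2.15:1040 -> 172.16.1.107:80 "
    "TCP TTL:126 TOS:0x0 ID:4021 ******A* Seq: 0x1A2B3C4D Ack: 0x5E6F7A8B Win: 0x4000",
    "04/20-21:43:02.000000 198.51.100.7:2200 -> 172.16.1.107:80 "
    "TCP TTL:60 TOS:0x0 ID:911 ******A* Seq: 0x0BADF00D Ack: 0x0000BEEF Win: 0x7D78",
]
# Constructed asset inventory: source address -> OS the asset is expected to run.
INVENTORY = {"129.142.224.3": "Linux kernel 2.2.x", "192.0.2.15": "Linux kernel 2.2.x"}


def parse_trace(line):
    """Extract the fields used for passive fingerprinting from one trace line."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "ttl": int(m["ttl"]),
            "tos": int(m["tos"], 16), "ipid": int(m["ipid"]), "win": int(m["win"], 16)}


def infer_initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value; return (initial, hops)."""
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise ValueError("TTL out of range: %d" % observed)


def fingerprint(line):
    fields = parse_trace(line)
    if fields is None:
        return None
    initial, hops = infer_initial_ttl(fields["ttl"])
    guess = SIGNATURES.get((initial, fields["win"]), "unknown")
    return {"src": fields["src"], "initial_ttl": initial, "hops": hops,
            "window": fields["win"], "os": guess}


def find_rogues(lines, inventory):
    """Flag sources that are missing from the inventory or do not match their expected OS."""
    findings = []
    for line in lines:
        fp = fingerprint(line)
        if fp is None:
            continue
        expected = inventory.get(fp["src"])
        if expected is None:
            findings.append((fp["src"], "not in inventory"))
        elif fp["os"] != expected:
            findings.append((fp["src"], f"expected {expected}, fingerprint says {fp['os']}"))
    return findings


if __name__ == "__main__":
    print(fingerprint(PAGE_TRACE))
    print(find_rogues([PAGE_TRACE] + CONSTRUCTED_TRACES, INVENTORY))
```

Because a host can change its TTL and window size, as the limitations above note, a mismatch is a lead to investigate rather than proof of a rogue system.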

Why Banner Grabbing?
Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on a system to further carry out additional attacks.


Banner Grabbing Tools
- ID Serve is used to identify the make, model, and version of any web site's server software
- It is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
- Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site

ID Serve: http://www.grc.com
Netcraft: http://toolbar.netcraft.com

Banner Grabbing Tools
Banner grabbing can be done even with the help of tools. Many tools are available in the market. These tools make banner grabbing an easy task. The following are examples of banner grabbing tools:

ID Serve
Source: http://www.grc.com

ID Serve is used to identify the make, model, and version of any website's server software; it is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.


FIGURE 3.45: ID Serve Screenshot (ID Serve v1.02 querying certifiedhacker.com; the server response shown includes Server: Microsoft-IIS/6.0 and X-Powered-By: ASP.NET)

Netcraft
Source: http://toolbar.netcraft.com

Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site.

FIGURE 3.46: Netcraft Screenshot (site report for certifiedhacker.com, including a hosting history with netblock owner, IP address, OS, web server, and last-changed date)


Banner Grabbing Tools (Cont'd)

Netcat (http://netcat.sourceforge.net)
This utility reads and writes data across network connections, using the TCP/IP protocol
1. # nc -vv www.juggyboy.com 80 - press [Enter]
2. GET / HTTP/1.0 - press [Enter] twice
Server identified as Microsoft-IIS/6.0

Telnet
This technique probes HTTP servers to determine the Server field in the HTTP response header
1. telnet www.certifiedhacker.com 80 - press [Enter]
2. GET / HTTP/1.0 - press [Enter] twice
Server identified as Microsoft-IIS/6.0

Banner Grabbing Tools (Cont'd)

Netcat
Source: http://netcat.sourceforge.net

Netcat is a networking utility that reads and writes data across network connections, with the help of the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. It provides access to the following key features:
- Outbound and inbound connections, TCP or UDP, to or from any ports.
- Featured tunneling mode, which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface), and the remote host allowed to connect to the tunnel.
- Built-in port-scanning capabilities, with randomizer.
- Advanced usage options, such as buffered send-mode (one line every N seconds) and hexdump (to stderr or to a specified file) of transmitted and received data.
- Optional RFC854 telnet codes parser and responder.

You can use the Netcat tool for grabbing the banner of a website by following this process. Here, the banner grabbing is done on the www.Juggyboy.com web server for gathering the server fields such as server type, version, etc.

Module 03 Page 349

Ethical Hacking and Countermeasures Copyright © by

EC-COUIICil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Scanning Networks

Exam 312-50 Certified Ethical Hacker

© # nc -vv www.juggyboy.com 80 - press[Enter] e GET / HTTP/1.0 - Press [Enter] twice

In the screenshot, the area highlighted in red is the server version (Microsoft-IIS/6.0).

[Screenshot: terminal session at root@bt running nc -vv www.juggyboy.com 80 and sending GET / HTTP/1.0; the HTTP/1.1 200 OK response headers include Server: Microsoft-IIS/6.0 and X-Powered-By: ASP.NET]

FIGURE 3.47: Netcat showing Banner Grabbing Result

Telnet
This technique probes HTTP servers to determine the Server field in the HTTP response header. For instance, if you want to enumerate a host running http (tcp 80), then you have to follow this procedure:
- First, open the command prompt window. Go to Start > Run, type cmd, and press Enter or click OK.
- In the command prompt window, request telnet to connect to a host on a specific port: C:\>telnet www.certifiedhacker.com 80 and press Enter.
- Next, you will get a blank screen where you have to type GET / HTTP/1.0 and press Enter twice.
- In the final step, the http server responds with the server version, say Microsoft-IIS/6.0.

In the screenshot, the area highlighted in red shows the server version details.

    C:\Windows\system32\cmd.exe
    HTTP/1.1 403 Forbidden
    Content-Length: 218
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Date: Sat, 11 Aug 2012 09:57:07 GMT
    Connection: close

    <html><head><title>Error</title></head><body><head><title>Directory Listing Denied</title></head>
    <body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></body></html>

    Connection to host lost.

FIGURE 3.48: Command Prompt showing http server responses with the server version

Banner Grabbing Countermeasures: Disabling or Changing Banner
- Display false banners to misguide the attackers
- Turn off unnecessary services on the network host to limit the information disclosure
- IIS users can use these tools to disable or change banner information:
  - IIS Lockdown Tool (http://microsoft.com)
  - ServerMask (http://www.port80software.com)
- Apache 2.x with mod_headers module - use a directive in httpd.conf file to change banner information:
  Header set Server "New Server Name"
- Alternatively, change the ServerSignature line to ServerSignature Off in httpd.conf file

Banner Grabbing Countermeasures: Disabling or Changing Banners
Attackers use banner grabbing techniques to find out sensitive information such as device types, operating systems, and application versions used by the victim. With this information, the attacker exploits vulnerabilities that have not been updated with security patches and launches attacks. To protect your system against banner grabbing attacks, a few countermeasures can be adopted:

Disabling or Changing Banner
- Display false banners to misguide attackers
- Turn off unnecessary services on the network host to limit information disclosure
- IIS users can use these tools to disable or change banner information:
  - IIS Lockdown Tool (http://microsoft.com)
  - ServerMask (http://www.port80software.com)
- Apache 2.x with mod_headers module - use a directive in the httpd.conf file to change banner information:
  Header set Server "New Server Name"
- Alternatively, change the ServerSignature line to ServerSignature Off in the httpd.conf file
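
To confirm that a banner change actually took effect, audit what the server really sends back, in both the headers and the body. The following Python check is an added example, not part of the original courseware; the function names are assumptions and the sample responses are constructed (the first is modelled on Figure 3.48).

```python
import re

# Response headers that carry a software banner in the captures on this page.
BANNER_HEADERS = ("server", "x-powered-by", "microsoftofficewebserver")

# A dotted version number such as 6.0 or 2.2.22.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Footer Apache appends to server-generated pages (error pages, listings)
# while ServerSignature is On.
FOOTER_RE = re.compile(rb"<address>(.*?) Server at .*? Port \d+</address>", re.I | re.S)


def split_response(raw):
    """Return (status_line, [(name, value), ...], body) from a raw HTTP response."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines = head.decode("iso-8859-1").split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # obsolete folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def audit_banner(raw):
    """List (where, value, severity) for every banner the response exposes.

    severity is "version" when a version number is visible and "product"
    when only a name is shown (which may be a deliberately false banner).
    """
    _, headers, body = split_response(raw)
    findings = []
    for name, value in headers:
        if name.lower() in BANNER_HEADERS and value:
            severity = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, severity))
    for match in FOOTER_RE.finditer(body):
        text = match.group(1).decode("iso-8859-1")
        severity = "version" if VERSION_RE.search(text) else "product"
        findings.append(("body footer", text, severity))
    return findings


def leaks_version(raw):
    """True if any header or footer still reveals a version number."""
    return any(severity == "version" for _, _, severity in audit_banner(raw))


# Constructed sample, modelled on Figure 3.48 (body shortened).
IIS_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Length: 218\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Sat, 11 Aug 2012 09:57:07 GMT\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body><h1>Directory Listing Denied</h1></body></html>"
)

# Constructed sample: an Apache error page with the signature footer enabled.
APACHE_DEFAULT = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Not Found</h1><hr>\n"
    b"<address>Apache/2.2.22 (Ubuntu) Server at www.example.com Port 80</address>\n"
    b"</body></html>"
)

# Constructed sample: the response expected if both directives above take effect.
APACHE_HARDENED = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: New Server Name\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    samples = [("IIS", IIS_RESPONSE), ("Apache default", APACHE_DEFAULT),
               ("Apache hardened", APACHE_HARDENED)]
    for label, raw in samples:
        print(label, "leaks version:", leaks_version(raw))
        for where, value, severity in audit_banner(raw):
            print("   %-12s %-28s %s" % (where, value, severity))
```

Run the check against an error page as well as a normal page, because the signature footer only appears on server-generated documents.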

Hiding File Extensions from Web Pages
- File extensions reveal information about the underlying server technology that an attacker can utilize to launch attacks
- Hide file extensions to mask the web technology
- Change application mappings such as .asp with .htm or .foo, etc. to disguise the identity of the servers
- Apache users can use mod_negotiation directives
- IIS users use tools such as PageXchanger to manage the file extensions
- It is even better if the file extensions are not at all used

Hiding File Extensions from Web Pages
File extensions provide information about the underlying server technology; attackers can use this information to search for vulnerabilities and launch attacks. Hiding file extensions is a good practice to mask the technology generating dynamic pages. Change application mappings such as .asp with .htm or .foo, etc. to disguise the identity of the servers. Apache users can use mod_negotiation directives. IIS users use tools such as PageXchanger to manage the file extensions. Doing without file extensions altogether is an even better idea.

CEH Scanning Methodology
So far, we have discussed how to check for live systems and open ports, scan beyond IDS, and use banner grabbing. All these concepts help an attacker or security administrator to find the loopholes that may allow an attacker into their network. Now we will discuss vulnerability scanning, a more detailed test to determine vulnerabilities in a network and its resources.

[Figure: CEH scanning methodology flow: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing]

This section describes vulnerability scanning and various vulnerability scanning tools.

Vulnerability Scanning
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited. Similar to other security tests such as open port scanning and sniffing, the vulnerability test also assists you in securing your network by determining the loopholes or vulnerabilities in your current security mechanism. This same concept can also be used by attackers in order to find the weak points of the target network. Once they find any weak points, they can exploit them and get into the target network. Ethical hackers can use this concept to determine the security weaknesses of their target business and fix them before the bad guys find and exploit them. Vulnerability scanning can find the vulnerabilities in:
- Network topology and OS vulnerabilities
- Open ports and running services
- Application and services configuration errors
- Application and services vulnerabilities

Vulnerability Scanning Tool: Nessus
Nessus is the vulnerability and configuration assessment product

Features
- Agentless auditing
- Compliance checks
- Content audits
- Customized reporting
- High-speed vulnerability discovery
- In-depth assessments
- Mobile device audits
- Patch management integration
- Scan policy design and execution
http://www.tenable.com

Vulnerability Scanning Tool: Nessus
Source: http://www.tenable.com

Nessus is a vulnerability scanner, a program that searches for bugs in software. This tool allows a person to discover a specific way to violate the security of a software product. The vulnerability, in various levels of detail, is then disclosed to the user of the tool. The various steps this tool follows are:
- Data gathering
- Host identification
- Port scan
- Plug-in selection
- Reporting of data

To obtain more accurate and detailed information from Windows-based hosts in a Windows domain, the user can create a domain group and account that have remote registry access privileges. After completing this task, he or she gets access not only to the registry key settings but also to the Service Pack patch levels, Internet Explorer vulnerabilities, and services running on the host.

It is a client-server application. The Nessus server runs on a UNIX system, keeps track of all the different vulnerability tests, and performs the actual scan. It has its own user database and secure authentication methods, so that remote users using the Nessus client can log in, configure a vulnerability scan, and send it on its way. Nessus includes NASL (Nessus Attack Scripting Language), a language designed to write security tests. The various features of Nessus are:
- Each security test is written as a separate plug-in. This way, the user can easily add tests without having to read the code of the Nessus engine.
- It performs smart service recognition. It assumes that the target hosts will respect the IANA assigned port numbers.
- The Nessus Security Scanner is made up of two parts: a server, which performs the attack, and a client, which is the front end. The server and the client can be run on different systems. That is, the user can audit his whole network from his personal computer, whereas the server performs its attacks from the mainframe, which may be located in a different area.

FIGURE 3.49: Nessus Screenshot

Vulnerability Scanning Tool: GFI LanGuard
GFI LanGuard assists in asset inventory, change management, risk analysis, and proving compliance

Features:
- Selectively creates custom vulnerability checks
- Identifies security vulnerabilities and takes remedial action
- Creates different types of scans and vulnerability tests
- Helps ensure third-party security applications offer optimum protection
- Performs network device vulnerability checks
http://www.gfi.com

Vulnerability Scanning Tool: GFI LanGuard
Source: http://www.gfi.com

GFI LanGuard acts as a virtual security consultant. It offers patch management, vulnerability assessment, and network auditing services. It also assists you in asset inventory, change management, risk analysis, and proving compliance.

Features:
- Selectively creates custom vulnerability checks
- Identifies security vulnerabilities and takes remedial action
- Creates different types of scans and vulnerability tests
- Helps ensure third-party security applications offer optimum protection
- Performs network device vulnerability checks

FIGURE 3.50: GFI LanGuard Screenshot

Vulnerability Scanning Tool: SAINT

Features:
- Identify vulnerabilities on network devices
- Detect and fix possible weaknesses in the network security
- Prevent common system vulnerabilities
- Demonstrate compliance with current government and industry regulations
- Perform compliance audits with policies defined by FDCC, USGCB, and DISA

Vulnerability Scanning Tool: SAINT
Source: http://www.saintcorporation.com

SAINT is an integrated network tool for security administrators. Using this tool, you can find security vulnerabilities across the network, including devices, operating systems, desktop applications, web applications, databases, etc., in a non-intrusive manner. It also enables you to gather information such as operating system types and open ports. It allows you to scan and exploit targets with an IPv4, IPv6, and/or URL address.

Features:
- Detects and fixes possible weaknesses in your network's security
- Anticipates and prevents common system vulnerabilities
- Demonstrates compliance with current government and industry regulations such as PCI DSS, NERC, FISMA, SOX, GLBA, HIPAA, and COPPA
- Performs compliance audits with policies defined by FDCC, USGCB, and DISA


FIGURE 3.51: SAINT Screenshots

Network Vulnerability Scanners
- Retina CS: http://go.eeye.com
- Core Impact Professional: http://www.coresecurity.com
- MBSA: http://www.microsoft.com
- Shadow Security Scanner: http://www.safety-lab.com
- Nsauditor Network Security Auditor: http://www.nsauditor.com
- OpenVAS: http://www.openvas.org
- Security Manager Plus: http://www.manageengine.com
- Nexpose: http://www.rapid7.com
- QualysGuard: http://www.qualys.com
- Security Auditor's Research Assistant (SARA): http://www-arc.com

Network Vulnerability Scanners
Network vulnerability scanners are the tools that assist you in identifying the vulnerabilities in the target network or network resources. These scanners help you in vulnerability assessment and network auditing. Using these scanners, you can find vulnerabilities in networks (wired or wireless), operating systems, security configuration, server tuning, open ports, applications, etc. A few network vulnerability scanners and their home sites are listed as follows:
- Retina CS available at http://go.eeye.com
- Core Impact Professional available at http://www.coresecurity.com
- MBSA available at http://www.microsoft.com
- Shadow Security Scanner available at http://www.safety-lab.com
- Nsauditor Network Security Auditor available at http://www.nsauditor.com
- OpenVAS available at http://www.openvas.org
- Security Manager Plus available at http://www.manageengine.com
- Nexpose available at http://www.rapid7.com
- QualysGuard available at http://www.qualys.com
- Security Auditor's Research Assistant (SARA) available at http://www-arc.com

CEH Scanning Methodology
So far, we discussed various scanning concepts such as sources to be scanned, tools that can be used for scanning, and vulnerability scanning. Now we will discuss the network diagram, an important diagram that enables you to analyze the complete network topology.

[Figure: CEH scanning methodology flow: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing]

This section highlights the importance of the network diagram, how to draw network diagrams or maps, how attackers can use them for launching attacks, and the tools that can be used to draw network maps.

Drawing Network Diagrams
- Drawing a target's network diagram gives valuable information about the network and its architecture to an attacker
- A network diagram shows the logical or physical path to a potential target
[Diagram labels: Intranet, DMZ, Intranet]

Drawing Network Diagrams
The mapping of networks into diagrams helps you to identify the topology or the architecture of the target network. The network diagram also helps you to trace out the path to the target host in the network. It also allows you to understand the position of firewalls, routers, and other access control devices. Based on the network diagram, the attacker can analyze the target network's topology and security mechanisms. It helps an attacker to see the firewalls, IDSs, and other security mechanisms of the target network. Once the attacker has this information, he or she can try to figure out the vulnerabilities or weak points of those security mechanisms. Then the attacker can find his or her way into the target network by exploiting those security weaknesses. The network diagram also helps network administrators manage their networks. Attackers use network discovery or mapping tools to draw network diagrams of target networks. The following figure depicts an example of a network diagram:

[Diagram labels: Intranet, DMZ, Intranet]

FIGURE 3.52: Network Diagram

Network Discovery Tool: LANsurveyor
LANsurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data

Features
- Auto-generate Network Maps
- Export Network Maps to Visio
- Auto-detect Changes
- Inventory Management
- Network Regulatory Compliance
- Network Topology Database
- Multi-level Network Discovery
http://www.solarwinds.com

Network Discovery Tool: LANsurveyor
Source: http://www.solarwinds.com

LANsurveyor allows you to automatically discover and create a network map of the target network. It is also able to display in-depth connections like OSI Layer 2 and Layer 3 topology data, such as switch-to-switch, switch-to-node, and switch-to-router connections. You can export the network map created into Microsoft Office Visio. It can also keep track of changes that occur in the network. It allows the user to perform inventory management of hardware and software assets.

FIGURE 3.53: LANsurveyor Screenshot

Network Discovery Tool: OpManager
OpManager is a network monitoring software that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, virtual servers, domain controllers, and other IT infrastructure devices

Features
- Availability and Uptime Monitoring
- Network Traffic Analysis
- IP Address Management
- Switch Port Mapper
- Network Performance Reporting
- Network Configuration Management
- Exchange Server Monitoring
- Active Directory Monitoring
- Hyper-V Monitoring
- SQL Server Monitoring
http://www.manageengine.com

Network Discovery Tool: OpManager
Source: http://www.manageengine.com

OpManager is basically a network performance management and monitoring tool that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, virtual servers, domain controllers, and other IT infrastructure devices. This tool is helpful in discovering the specific network automatically. It can also present a live network diagram of your network. Here are some of the features of OpManager:
- Availability and uptime monitoring
- Network traffic analysis
- IP address management
- Switch port mapper
- Network performance reporting
- Network configuration management
- Exchange server monitoring
- Active directory monitoring
- Hyper-V monitoring
- SQL Server monitoring

FIGURE 3.54: OpManager showing Sample Map

Network Discovery Tool: NetworkView
- NetworkView is a network discovery and management tool for Windows
- Discover TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and WMI
http://www.networkview.com

Network Discovery Tool: NetworkView
Source: http://www.networkview.com

NetworkView is a network discovery and management tool for Windows.

Its key features include:
- Discover TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and WMI
- Get MAC addresses and NIC manufacturer names
- Monitor nodes and receive alerts
- Document with printed maps and reports
- Control and secure your network with the SNMP MIB browser, the WMI browser, and the port scanner


FIGURE 3.55: NetworkView Screenshot

Network Discovery Tool: The Dude
Source: http://www.mikrotik.com

The Dude will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case any service has problems. A few features of the Dude include:
- Auto network discovery and layout
- Discovers any type or brand of device
- Device, link monitoring, and notifications
- Allows you to draw your own maps and add custom devices
- Supports SNMP, ICMP, DNS, and TCP monitoring for devices that support it
- Direct access to remote control tools for device management
- Supports remote Dude server and local client

FIGURE 3.56: The Dude Screenshots

Network Discovery and Mapping Tools
- LANState: http://www.10-strike.com
- FriendlyPinger: http://www.kilievich.com
- Ipsonar: http://www.lumeta.com
- CartoReso: http://cartoreso.campus.ecp.fr
- Switch Center Enterprise: http://www.lan-secure.com
- HP Network Node Manager i Software: http://www8.hp.com
- NetMapper: http://www.opnet.com
- NetBrain Enterprise Suite: http://www.netbraintech.com
- Spiceworks-Network Mapper: http://www.spiceworks.com
- NetCrunch: http://www.adremsoft.com

Network Discovery and Mapping Tools
Network discovery and mapping tools allow you to view the map of your network. They help you detect rogue hardware and software violations. It notifies you whenever a particular host becomes active or goes down. Thus, you can also figure out the server outages or problems related to performance. This is the purpose of network discovery and mapping tools in terms of security. The same tools can be used by attackers to launch attacks on your network. Using these tools, the attacker draws the network diagram of the target network, analyzes the topology, find outs the vulnerabilities or weak points, and launches an attack by exploiting them. The attacker may use the following tools to create a map of the network: © Q 9 Q Q 9 9 9 9 9 LANState available at http://www.10-strike.com FriendlyPinger avaialble at http://www.kilievich.com Ipsonar available at http://www.lumeta.com CartoReso available at http://cartoreso.campus.ecp.fr Switch Center Enterprise available at http://www.lan-secure.com HP Network Node Manager i Software available at http://www8.hp.com NetMapper available at http://www.opnet.com NetBrain Enterprise Suite available at http://www.netbraintech.com Spiceworks-Network Mapper available at http://www.spiceworks.com NetCrunch available at http://www.adremsoft.com
CEH Scanning Methodology
So far, we have discussed various means of scanning and the sources to be scanned. Now we will discuss proxies and other important mechanisms used by attackers to access restricted resources and to hide their identity.

[Figure: CEH scanning methodology steps: Check for Live Systems, Check for Open Ports, Scanning Beyond IDS, Banner Grabbing, Scan for Vulnerability, Draw Network Diagrams, Prepare Proxies, Scanning Pen Testing]

This section describes how to prepare proxies and how an attacker can use them to launch attacks.


Proxy Servers
A proxy is a network computer that can serve as an intermediary for connecting with other computers. You can use a proxy server in many ways, such as:
- As a firewall, a proxy protects the local network from outside access
- As an IP address multiplexer, a proxy allows a number of computers to connect to the Internet when you have only one IP address
- To anonymize web surfing (to some extent)
- To filter out unwanted content, such as ads or "unsuitable" material (using specialized proxy servers)
- To provide some protection against hacking attacks
- To save bandwidth

Let's see how a proxy server works. When you use a proxy to request a particular web page on an actual server, your request first goes to the proxy server. The proxy server then sends the request to the actual server on your behalf, i.e., it mediates between you and the actual server to send and respond to the request as shown in the following figure.

[Diagram labels: Attacker, Target Organization]
FIGURE 3.57: Attacker using Proxy Server

In this process, the proxy receives the communication between the client and the destination application. In order to take advantage of a proxy server, client programs must be configured so they can send their requests to the proxy server instead of the final destination.

Why Attackers Use Proxy Servers
For an attacker, it is easier to attack or hack a particular system than to conceal the attack source. So the main challenge for an attacker is to hide his or her identity so that no one can trace him or her. To conceal the identity, the attacker uses a proxy server. The main reason for using a proxy is to avoid detection of attack evidence. With the help of the proxy server, an attacker can mask his or her IP address so that he or she can hack the computer system without any fear of legal repercussion. When the attacker uses a proxy to connect to the destination, the proxy's source address will be recorded in the server logs instead of the actual source address of the attacker. In addition to this, the reasons for which attackers use proxy servers include:
- Attacker appears in a victim server's log files with a fake source address of the proxy rather than with the attacker's actual address
- To remotely access intranets and other website resources that are normally off limits
- To intercept all the requests sent by an attacker and transmit them to a third destination, hence victims will only be able to identify the proxy server address
- To use multiple proxy servers for scanning and attacking, making it difficult for administrators to trace the real source of attack


Use of Proxies for Attack
Quite a number of proxies are intentionally open to easy access. Anonymous proxies hide the real IP address (and sometimes other information) from websites that the user visits. There are two types of anonymous proxies: those that can be used in the same way as non-anonymous proxies, and web-based anonymizers. Let's look at the different ways attackers can use proxies to commit attacks on the target.

Case 1: In the first case, the attacker performs attacks directly without using a proxy. The attacker risks being traced, as the server logs may contain information about the IP address of the source.

[Diagram labels: Direct attack/No proxies, Target]
FIGURE 3.58: Attacker Communicating with Target Directly (No Proxy)

Case 2: The attacker uses the proxy to fetch the target application. In this case, the server log will show the IP address of the proxy instead of the attacker's IP address, thereby hiding his or her identity; thus, the attacker will be at minimum risk of being caught. This will give the attacker the chance to be anonymous on the Internet.

[Diagram labels: Attacker, Logged Proxy, Target]
FIGURE 3.59: Attacker Communicating with Target through Proxy

Case 3: To become more anonymous on the Internet, the attacker may use the proxy chaining technique to fetch the target application. If he or she uses proxy chaining, then it is highly difficult to trace his or her IP address. Proxy chaining is a technique of using multiple proxies to fetch the target.

FIGURE 3.60: Attacker using Proxy Chaining for the attack

Proxy Chaining
1. User requests a resource from the destination
2. Proxy client at the user's system connects to a proxy server and passes the request to the proxy server
3. The proxy server strips the user's identification information and passes the request to the next proxy server
4. This process is repeated by all the proxy servers in the chain
5. At the end, the unencrypted request is passed to the web server

Proxy chaining helps you to become more anonymous on the Internet. Your anonymity on the Internet depends on the number of proxies used for fetching the target application. If you use a larger number of proxy servers, then you will become more anonymous on the Internet, and vice versa. When the attacker first sends a request to proxy server1, proxy server1 in turn sends the request to another proxy server, server2. Proxy server1 strips the user's identification information and passes the request to the next proxy server. This may again request another proxy server, server3, and so on, up to the target server, where finally the request is sent. Thus, it forms a chain of proxy servers to reach the destination server, as shown in the following figure:

[Diagram: User, followed by proxy servers labeled IP: 20.10.10.2 Port: 8012; IP: 10.10.20.5 Port: 8023; IP: 20.10.15.4 Port: 8030; IP: 20.15.15.3 Port: 8054; IP: 15.20.15.2 Port: 8045; IP: 10.20.10.8 Port: 8028. Link labels: "Encrypted/unencrypted traffic" and "Unencrypted traffic".]

FIGURE 3.61: Proxy Chaining
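
The following added example (not part of the courseware) models a chain like the one in Figure 3.61 to show what each hop records and why an administrator needs the log of every proxy, correlated by time, to trace a request to its source. The hop order, the user address 192.0.2.10, the 50 ms per-hop delay and all function names are assumptions; no network traffic is generated.

```python
"""Model of a proxy chain: what each hop logs and how a trace-back works.

Constructed illustration, no network traffic. Proxy addresses are labels from
Figure 3.61; hop order, the user address and the delays are assumptions.
"""
USER = "192.0.2.10"            # assumed client (documentation address range)
TARGET = "web-server"          # hypothetical destination name
CHAIN = ["20.10.10.2:8012", "10.10.20.5:8023", "20.10.15.4:8030"]
HOP_DELAY_MS = 50              # assumed forwarding delay per hop


def new_logs(names):
    """One inbound-connection log per node: a list of (time_ms, source)."""
    return {name: [] for name in names}


def send(logs, source, path, t0_ms):
    """Record a request travelling source -> path[0] -> ... -> path[-1].

    Each node logs only the address of the hop directly before it, because
    every proxy strips the identification of whoever it forwards for.
    Returns the arrival time at the last node.
    """
    previous, now = source, t0_ms
    for name in path:
        now += HOP_DELAY_MS
        logs[name].append((now, previous))
        previous = name
    return now


def trace_back(logs, start, seen_ms, held, window_ms=100):
    """Walk upstream from `start`, correlating by time, using held logs only.

    `held` is the set of nodes whose logs the investigator has obtained.
    Returns (path, status); status is "origin found", "log unavailable"
    or "no matching entry".
    """
    path, current, t = [start], start, seen_ms
    while current in logs:                     # still at a proxy or the target
        if current not in held:
            return path, "log unavailable"     # the trail stops at this hop
        hits = [(ts, src) for ts, src in logs[current]
                if t - window_ms <= ts <= t]
        if not hits:
            return path, "no matching entry"   # clock skew or window too small
        t, current = max(hits)                 # latest inbound entry in window
        path.append(current)
    return path, "origin found"                # reached a non-proxy address


if __name__ == "__main__":
    logs = new_logs(CHAIN + [TARGET])
    arrived = send(logs, USER, CHAIN + [TARGET], t0_ms=1000)
    print("target sees only:", logs[TARGET])
    print("all logs held:   ", trace_back(logs, TARGET, arrived, set(logs)))
    print("two logs held:   ", trace_back(logs, TARGET, arrived,
                                          {TARGET, CHAIN[2]}))
    print("10 ms window:    ", trace_back(logs, TARGET, arrived, set(logs),
                                          window_ms=10))
```

The target's own log names only the last proxy; the trace reaches the user address only when every hop's log is available and the timestamps can be matched.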


Proxy Tool: Proxy Workbench
Source: http://proxyworkbench.com
Proxy Workbench is a proxy server that displays the data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram. The socket connection diagram is an animated graphical history of all of the events that took place on the socket connection. It is able to handle HTTPS (secure sockets) and POP3 natively.


FIGURE 3.62: Proxy Workbench Screenshot


Proxy Tool: Proxifier
Source: http://www.proxifier.com
Proxifier allows network applications that do not support working through proxy servers to operate through a SOCKS or HTTPS proxy or a chain of proxy servers. It allows you to surf websites that are restricted or blocked by your government, organization, etc. by bypassing the firewall rules.

Features:
- You can access the Internet from a restricted network through a proxy server gateway
- It hides your IP address
- It can work through a chain of proxy servers using different protocols
- It allows you to bypass firewalls and any access control mechanisms


FIGURE 3.63: Proxifier Screenshot


Proxy Tool: Proxy Switcher
Source: http://www.proxyswitcher.com
Proxy Switcher allows you to surf anonymously on the Internet without disclosing your IP address. It also helps you to access various sites that have been blocked in the organization. It avoids all sorts of limitations imposed by sites.

Features:
- It hides your IP address
- It allows you to access restricted sites
- It has full support of password-protected servers


FIGURE 3.64: Proxy Switcher PRO Screenshot


Proxy Tool: SocksChain
Source: http://ufasoft.com
SocksChain is a program that allows you to work with any Internet service through a chain of SOCKS or HTTP proxies to hide the real IP address. It can function as a usual SOCKS server that transmits queries through a chain of proxies. It can be used with client programs that do not support the SOCKS protocol, but work with one TCP connection, such as TELNET, HTTP, IRC, etc. It hides your IP from being displayed in the server's log or mail headers.


FIGURE 3.65: Ufasoft SocksChain Screenshot


Proxy Tool: TOR (The Onion Routing)
Source: https://www.torproject.org
Tor is software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis. You can use Tor to prevent websites from tracking you on the Internet. You can also connect to news sites and instant messaging services when these sites are blocked by your network administrator. Tor makes it difficult to trace your Internet activity as it conceals a user's location or usage.

Features:
- Provides anonymous communication over the Internet
- Ensures the privacy of both sender and recipient of a message
- Provides multiple layers of security to a message
- Encrypts and decrypts all data packets using public key encryption
- Uses cooperating proxy routers throughout the network
- The initiating onion router, called a "Tor client", determines the path of transmission


FIGURE 3.66: Vidalia Control Panel showing the Status

Proxy Tools
In addition to these proxy tools, there are many more proxy tools intended to allow users to surf the Internet anonymously. A few are listed as follows:
- Burp Suite available at http://www.portswigger.net
- Proxy Commander available at http://www.dlao.com
- Proxy Tool Windows App available at http://webproxylist.com
- Gproxy available at http://gpassl.com
- Fiddler available at http://www.fiddler2.com
- Proxy available at http://www.analogx.com
- Protoport Proxy Chain available at http://www.protoport.com
- Proxy+ available at http://www.proxyplus.cz
- FastProxySwitch available at http://affinity-tools.com
- ProxyFinder available at http://www.proxy-tool.com


Proxy Tools (Cont'd)
The list of proxy tools mentioned in the previous slide continues as follows:
- ProxyFinder Enterprise available at http://www.proxy-tool.com
- ezProxy available at http://www.oclc.org
- JAP Anonymity and Privacy available at http://anon.inf.tu-dresden.de/index_en.html
- CC Proxy Server available at http://www.youngzsoft.net
- FoxyProxy Standard available at https://addons.mozilla.org
- Socks Proxy Scanner available at http://www.mylanviewer.com
- Charles available at http://www.charlesproxy.com
- UltraSurf available at http://www.ultrasurf.us
- WideCap available at http://widecap.ru
- ProxyCap available at http://www.proxycap.com


Free Proxy Servers
Besides the proxy tools discussed previously, you can find a number of free proxy sites available on the Internet that can help you to access restricted sites without revealing your IP address. Just type Free Proxy Servers in the Google search engine and you will get numerous proxy server websites.


FIGURE 3.67: Google Search showing Free Proxy Servers


HTTP Tunneling Techniques
HTTP tunneling is another technique that allows you to use the Internet despite the restrictions imposed by firewalls. The HTTP protocol acts as a wrapper for communication channels: the data is encapsulated inside HTTP (port 80). An attacker uses HTTP tunnel software to perform HTTP tunneling. It is a client-server-based application used to communicate through the HTTP protocol. This software creates an HTTP tunnel between two machines, using a web proxy option. The technique involves sending POST requests to an "HTTP server" and receiving replies. The attacker uses the client application of the HTTP tunnel software installed on his or her system to communicate with other machines. All requests sent through the HTTP tunnel client application go through the HTTP protocol.


[Figure: end users use HTTP-Tunnel to transmit or receive data through the router and the HTTP proxy or firewall; racks of HTTP tunnel servers receive and relay the data to previously inaccessible servers and services.]

FIGURE 3.68: HTTP Tunneling Process

The HTTP tunneling technique is used in network activities such as:
- Streaming video and audio
- Remote procedure calls for network management
- Intrusion detection alerts
- Firewalls


Why do I Need HTTP Tunneling?
HTTP tunneling allows you to use the Internet despite firewall restrictions, such as the blocking of specific firewall ports to restrict communication over specific protocols. HTTP tunneling helps you overcome this firewall restriction by communicating through the HTTP protocol. The attacker may use this technique for the following reasons:
- It assures the attacker that no one will monitor him or her while browsing
- It helps the attacker to bypass firewall restrictions
- It ensures secure browsing
- The attacker can hide his or her IP address from being trapped
- It assures that it is highly impossible for others to identify him or her online by sending specific protocol

Suppose the organization has blocked all ports in its firewall and only allows ports 80 and 443, and you want to use FTP to connect to some remote server on the Internet. In this case, HTTP tunneling enables the use of FTP via the HTTP protocol: an HTTP tunneling client running on a local port inside the network encapsulates the FTP data in HTTP packets and sends it via HTTP to HTTP tunneling server software running outside the network, as shown in the following figure:


[Figure: inside the network, FTP client software sends its traffic to an HTTP tunneling client running on a local port, and the FTP data is encapsulated in HTTP packets. The firewall is shown with ports 23, 21, 79, 25, 110, 500, 69, 80 and 443; its rules only allow ports 80 and 443.]

FIGURE 3.69: Effect of HTTP Tunneling on both Inside and Outside the Network
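Seen from the defender's side, a tunnel that carries another protocol in POST requests through the web proxy leaves a recognizable shape in proxy logs. The following is an added example, not part of the courseware: the log format, host names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Thresholds are assumptions for illustration; tune them against a baseline.
MIN_REQUESTS = 20     # ignore client/host pairs with little traffic
POST_RATIO = 0.8      # browsing is GET-heavy; a POST-based tunnel is not
MAX_PATHS = 3         # tunnel clients keep hitting one or two URLs
OPAQUE_TYPES = {"application/octet-stream", "-"}


@dataclass
class PairStats:
    requests: int = 0
    posts: int = 0
    opaque: int = 0
    bytes_out: int = 0
    bytes_in: int = 0
    paths: set = field(default_factory=set)
    connect_ports: set = field(default_factory=set)


def parse_line(line):
    """Parse 'ts client method url status bytes_out bytes_in content_type'."""
    parts = line.split()
    if len(parts) != 8 or not (parts[5].isdigit() and parts[6].isdigit()):
        return None
    _ts, client, method, url, _status, out_b, in_b, ctype = parts
    if method == "CONNECT":                 # target is host:port, not a URL
        host, _, port = url.rpartition(":")
        if not host or not port.isdigit():
            return None
        return client, method, host.lower(), int(port), "", int(out_b), int(in_b), ctype
    try:
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
    except ValueError:                      # malformed host or port
        return None
    if not u.hostname:
        return None
    return client, method, u.hostname, port, u.path, int(out_b), int(in_b), ctype


def analyze(lines):
    """Return {(client, host): [reasons]} for pairs that look like a tunnel."""
    stats = defaultdict(PairStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, host, port, path, out_b, in_b, ctype = rec
        s = stats[(client, host)]
        s.requests += 1
        s.bytes_out += out_b
        s.bytes_in += in_b
        if method == "CONNECT":
            s.connect_ports.add(port)
            continue
        s.paths.add(path)
        if method == "POST":
            s.posts += 1
        if ctype.lower() in OPAQUE_TYPES:
            s.opaque += 1

    findings = {}
    for pair, s in stats.items():
        reasons = []
        odd_ports = sorted(s.connect_ports - {443})
        if odd_ports:                       # e.g. SSH or FTP behind CONNECT
            reasons.append(f"CONNECT to non-443 port(s) {odd_ports}")
        if s.requests >= MIN_REQUESTS:
            if s.posts / s.requests >= POST_RATIO and len(s.paths) <= MAX_PATHS:
                reasons.append("POST-dominated traffic to very few URLs")
            if s.opaque / s.requests >= POST_RATIO:
                reasons.append("mostly opaque content types")
            if s.bytes_out >= s.bytes_in:
                reasons.append("uploads at least as large as downloads")
        if odd_ports or len(reasons) >= 2:  # one weak signal alone is noise
            findings[pair] = reasons
    return findings


def sample_log():
    """Constructed proxy log lines; hosts and addresses are made up."""
    lines = []
    for i in range(30):                     # tunnel client polling one URL
        lines.append(f"2024-01-01T10:00:{i:02d} 10.0.0.5 POST "
                     f"http://tunnel.example.test/t 200 {900 + i} 700 "
                     "application/octet-stream")
    for i in range(30):                     # ordinary browsing
        method = "POST" if i % 10 == 0 else "GET"
        lines.append(f"2024-01-01T10:01:{i:02d} 10.0.0.7 {method} "
                     f"http://www.example.test/page{i} 200 300 20000 text/html")
    lines.append("2024-01-01T10:02:00 10.0.0.9 CONNECT "
                 "files.example.test:22 200 5000 4000 -")
    return lines


if __name__ == "__main__":
    for (client, host), reasons in analyze(sample_log()).items():
        print(client, host, "; ".join(reasons))
```

Tunnels carried over HTTPS hide the method and content type from a proxy that does not inspect TLS, so there only the CONNECT target, byte counts and timing remain as signals.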


HTTP Tunneling Tool: Super Network Tunnel
Source: http://www.networktunnel.net

Super Network Tunnel is professional HTTP tunneling software that includes HTTP tunnel client and server software. It is like secure VPN software that allows you to access your Internet programs without being monitored by your work, school, or the government, and gives you an extra layer of protection against hackers, spyware, or ID theft. It can bypass any firewall.


FIGURE 3.70: Super Network Tunnel Screenshot


HTTP Tunneling Tool: HTTP-Tunnel
Source: http://www.http-tunnel.com

HTTP Tunnel acts as a SOCKS server, allowing you to access the Internet by bypassing firewall restrictions. It is very secure software. Using this software does not allow others to monitor your Internet activities. It hides your IP address; therefore, it does not allow tracing of your system. It allows you the unlimited transfer of data. It runs in your system tray acting as a SOCKS server, managing all data transmissions between the computer and the network.


FIGURE 3.71: HTTP-Tunnel Client and Configuration Windows


SSH Tunneling

ssh -f user@certifiedhacker.com -L 5000:certifiedhacker.com:25 -N

-f => background mode
user@certifiedhacker.com => user name and server you are logging into
-L 5000:certifiedhacker.com:25 => local-port:host:remote-port
-N => Do not execute the command on the remote system

This forwards the local port 5000 to port 25 on certifiedhacker.com, encrypted. Simply point your email client to use localhost:5000 as the SMTP server.

SSH tunneling is another technique that an attacker can use to bypass firewall restrictions. It also helps you hide your IP address on the Internet; therefore, no one can trace or monitor you. The need for SSH tunneling arises from the problems caused by the public IP address, the means for accessing computers from anywhere in the world. Computers networked with a public IP address are universally accessible, so they can easily be attacked by anyone on the global Internet and can be victimized by attackers. The development of SSH tunneling solves the problems faced by the public IP address. An SSH tunnel is a link that forwards traffic from an arbitrary port on one machine to a remote machine through an intermediate machine. An SSH tunnel is an encrypted tunnel, so all your data is encrypted, as it uses a secure shell to create the tunnel. Creating a tunnel for a privately addressed machine involves three basic steps and requires three machines. The three requisite machines are:
- Local machine
- An intermediate machine with a public IP address
- Target machine with a private address to which the connection must be established


You can create a tunnel as follows:
- Start an SSH connection from the local machine to the intermediate machine with a public IP address.
- Instruct the SSH connection to wait and observe traffic on the local port, and use the intermediate machine to send the traffic to an explicit port on the target machine with a private address. This is called port acceleration or port forwarding.
- On the local machine, select the application that you want to use for connection with the remote machine and configure it to use port forwarding on the local machine. Now, when you connect to the local port, it will redirect the traffic to the remote machine.

To secure communication between computers, SSH uses private and public encryption keys. The public encryption keys used by SSH tunneling act like the identifiers of the authorized computer. On initiating an SSH connection, each machine exchanges public keys, but only the computer that has the matching private key can attain access to the remote computer's applications and information and can read communications encrypted with the public key.

[Figure: the attacker's mail, DB, app and web clients and SSH client on one side; the Internet and perimeter controls in between; the SSH server with the DB, mail, app and web servers on the other side.]

FIGURE 3.72: SSH Tunneling Process

OpenSSH
Source: http://www.openssh.org

OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. OpenSSH can be used to tunnel the traffic on a local machine to a remote machine that you have an account on.

ssh -f user@certifiedhacker.com -L 2000:certifiedhacker.com:25 -N

-f => background mode
user@certifiedhacker.com => user name and server you are logging into
-L 2000:certifiedhacker.com:25 => local-port:host:remote-port
-N => Do not execute the command on the remote system

This essentially forwards the local port 2000 to port 25 on certifiedhacker.com, encrypted. Simply point your email client to use localhost:2000 as the SMTP server.
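To audit for the forwards described in this section, the ssh command lines recorded in process-creation logs can be parsed for their -L, -R and -D options. The following is an added example, not part of the courseware or of OpenSSH: the Forward type, the function names and the gw.example.test host are hypothetical, and the option list follows the ssh(1) synopsis of recent OpenSSH releases.

```python
import os
import shlex
from dataclasses import dataclass
from typing import Optional

# ssh(1) short options that consume an argument; the rest are plain switches.
TAKES_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")
FORWARD_KIND = {"L": "local", "R": "remote", "D": "dynamic"}
ALL_INTERFACES = {"", "*", "0.0.0.0", "::"}


@dataclass(frozen=True)
class Forward:
    kind: str                  # local (-L), remote (-R) or dynamic (-D)
    bind: Optional[str]        # None: ssh's default, normally loopback only
    listen_port: int
    dest_host: Optional[str]   # None for SOCKS-style forwards
    dest_port: Optional[int]

    def exposed(self):
        """True when the listener is requested on every interface.
        (-g and the GatewayPorts setting are not modelled here.)"""
        return self.bind in ALL_INTERFACES


def split_spec(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [::1] whole."""
    fields, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return [f.strip("[]") for f in fields]


def parse_forward(flag, spec):
    """Parse [bind:]port:host:hostport, or [bind:]port for -D and -R."""
    f = split_spec(spec)
    if len(f) in (3, 4) and flag in "LR":
        bind = f[0] if len(f) == 4 else None
        return Forward(FORWARD_KIND[flag], bind, int(f[-3]), f[-2], int(f[-1]))
    if len(f) in (1, 2) and flag in "DR":
        bind = f[0] if len(f) == 2 else None
        return Forward(FORWARD_KIND[flag], bind, int(f[-1]), None, None)
    raise ValueError(f"unsupported forward spec: {spec!r}")


def find_forwards(cmdline):
    """Return the port forwards requested by one ssh command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                      # unbalanced quotes in the log
        return []
    if not argv or os.path.basename(argv[0]) != "ssh":
        return []
    found, positionals, i = [], 0, 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-") or tok == "-":
            positionals += 1                # first one is the destination
            if positionals == 2:            # the rest is the remote command
                break
            continue
        cluster = tok[1:]                   # handles combined flags: -fNL
        for j, ch in enumerate(cluster):
            if ch not in TAKES_ARG:
                continue
            arg = cluster[j + 1:]
            if not arg and i < len(argv):
                arg = argv[i]
                i += 1
            if ch in FORWARD_KIND:
                try:
                    found.append(parse_forward(ch, arg))
                except ValueError:          # e.g. Unix-socket forwards
                    pass
            break
    return found


if __name__ == "__main__":
    cmd = "ssh -f user@certifiedhacker.com -L 2000:certifiedhacker.com:25 -N"
    for fwd in find_forwards(cmd):
        print(fwd, "exposed" if fwd.exposed() else "loopback/default bind")
```

Forwards set with -o LocalForward=... or in ssh_config never appear as -L on the command line, so this check complements, rather than replaces, restricting AllowTcpForwarding and PermitOpen on servers you control.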


SSH Tunneling Tool: Bitvise
Source: http://www.bitvise.com

Bitvise is a client-server-based application used for SSH tunneling. Bitvise SSH Server provides secure remote login capabilities to Windows workstations and servers. With Bitvise SSH Server, you can administer the Windows server remotely. The Bitvise server even has the ability to encrypt the data during transmission so that no one can sniff your data during transmission. Bitvise SSH Client includes graphical as well as command-line SFTP support, an FTP-to-SFTP bridge, and powerful tunneling features, including dynamic port forwarding through an integrated proxy, that can be helpful for port forwarding and for remote administration of the SSH Server.


FIGURE 3.73: Bitvise Tool Screenshot


Anonymizers
- An anonymizer removes all the identifying information from the user's computer while the user surfs the Internet
- Anonymizers make activity on the Internet untraceable
- Anonymizer tools allow you to bypass Internet-censored websites

An anonymizer is an intermediate server placed between the end user and the website that accesses the website on your behalf, making your web surfing untraceable. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http:), file transfer protocol (ftp:), and gopher (gopher:) Internet services. To visit a page anonymously, you can visit your preferred anonymizer site and enter the name of the target website in the Anonymization field. Alternatively, you can set your browser home page to point to an anonymizer, so that every subsequent web access will be anonymized. Apart from this, you can choose to anonymously provide passwords and other information to sites that request them, without revealing any other information, such as your IP address. Crackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their application's configuration menu, thereby cloaking their malicious activities.

Why Use an Anonymizer?
The reasons for using anonymizers include:
- Ensures privacy: It protects your identity by making your web navigation activities untraceable. Your privacy is maintained until and unless you disclose your personal information on the web by filling out forms, etc.
- Accesses government-restricted content: Most governments prevent their citizens from accessing certain websites or content in order to keep them from accessing inappropriate or sensitive information. But these people can access even these types of resources through an anonymizer located outside the country.
- Protects you from online attacks: Anonymizers protect you from all instances of online pharming attacks by routing all customer Internet traffic via the anonymizer's protected DNS servers.
- Bypasses IDS and firewall rules: Bypassing of firewalls is mostly done in organizations or schools by employees or students accessing websites they are not supposed to access. An anonymizer service gets around your organization's firewall by setting up a connection between your computer and the anonymizer service. As a result, firewalls can see only the connection from you to the anonymizer's web address. The anonymizer then connects to Twitter or any website you wanted to access with the help of an Internet connection and sends the content back to you. For your organization, it looks like your system is connected to the anonymizer's web address, but not to Twitter or other sites.

Anonymizers, apart from protecting users' identities, can also be used to attack a website, and no one can actually detect where the attack came from.

Types of Anonymizers
An anonymizer is a service through which one can hide their identity when using certain services of the Internet. It basically works by encrypting the data from your computer, so that it cannot be understood by Internet service providers or anyone who might try to access it. Basically, anonymizers are of two types:
- Networked anonymizers
- Single-point anonymizers

Networked Anonymizers
This type of anonymizer first transfers your information through a network of Internet computers before sending it to the website. Since the information passes through several Internet computers, it becomes more cumbersome for anyone trying to track your information to establish the connection between you and the anonymizer.

Example: If you want to visit any web page, you have to make a request. The request will first pass through Internet computers A, B, and C prior to going to the website. Then, after being opened, the page will be transferred back through C, B, and A and then to you.

Advantage: Complication of the communications makes traffic analysis complex


Disadvantage: Any multi-node network communications have some degree of risk at each node for compromising confidentiality

Single-point Anonymizers
Single-point anonymizers first transfer your information through a website before sending it to the target website, and then pass back the information gathered from the targeted website through that website and then back to you to protect your identity.

Advantage: IP address and related identifying information are protected by the arms-length communications

Disadvantage: It offers less resistance to sophisticated traffic analysis
Module 03 Page 408

Ethical Hacking and Countermeasures Copyright © by

EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures
Scanning Networks

Exam 312-50 Certified Ethical Hacker

Case: Bloggers Write Text Backwards to Bypass Web Filters in China
China is well known for its implementation of the "packet filtering" technique. This technique detects TCP packets that contain controversial keywords such as Tibet, Democracy, Tiananmen, etc. To bypass Internet filters and dodge the censors, bloggers and journalists in China are using a novel approach: they write the text backwards or from right to left. By doing so, though the content is still in human-readable form, the text is successful in defeating web filtering software. Bloggers and journalists use vertical text converter tools to write the text backwards or from right to left and vertically instead of horizontally.


Censorship Circumvention Tool: Psiphon
Source: http://psiphon.ca

Psiphon is a censorship circumvention system that allows users to bypass firewalls and access blocked sites in countries where the Internet is censored. It uses a secure, encrypted HTTP tunnel connection to receive requests from psiphonite to psiphonode, which in turn transports the results back to the requesting psiphonite. It acts as a web proxy for authenticated psiphonites, and works on mobile browsers. It bypasses the content-filtering systems of countries such as China, North Korea, Iran, Saudi Arabia, Egypt, and others.


FIGURE 3.74: Psiphon Screenshot


Censorship Circumvention Tool: Your-Freedom
Source: http://www.your-freedom.net

Censorship circumvention tools allow you to access websites that are not accessible to you by bypassing firewalls. The Your Freedom service makes accessible what is inaccessible to you, and hides your network address from those who don't need to know it. This tool turns your PC into an uncensored, anonymous web proxy and an uncensored, anonymous SOCKS proxy that your applications can use, and if that's not enough, it can even get you connected to the Internet just as if you were using an unrestricted DSL or cable connection.


FIGURE 3.75: Your-Freedom Screenshot


How to Check if Your Website is Blocked in China or Not?
• Internet tools help identify if web users in China can access remote websites
• When Just Ping and WebSitePulse show "Packets lost" or "time-out" errors, chances are that the site is restricted
http://www.websitepulse.com

How to Check if Your Website is Blocked in China or Not?
If a "packets lost" error is received or a connection time-out message is displayed while connecting to your site, chances are that the site is blocked. To find out whether the website at xyz.com is accessible by Chinese web users, you can use tools such as Just Ping and WebSitePulse.

Just Ping
Source: http://www.just-ping.com
Just Ping is an online web-based ping tool that allows you to ping from various locations worldwide. It pings a website or IP address and displays the result as shown in the following figure:

FIGURE 3.76: Just Ping Screenshot

WebsitePulse
Source: http://www.websitepulse.com WebsitePulse provides remote monitoring services. It simultaneously pops websites from around the globe.
FIGURE 3.77: WebsitePulse Screenshot

G-Zapper
Google sets a cookie on the user's system with a unique identifier that enables them to track the user's web activities such as:
• Search keywords and habits
• Search results
• Websites visited
Information from Google cookies can be used as evidence in a court of law
http://www.dummysoftware.com

G-Zapper
Source: http://www.dummysoftware.com
G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online. It automatically detects and cleans Google cookies each time you use your web browser. It is compatible with Windows 95/98/ME/NT/2000/XP/Vista/Windows 7. It requires Microsoft Internet Explorer, Mozilla Firefox, or Google Chrome and is compatible with Gmail, Adsense, and other Google services.


FIGURE 3.78: G-Zapper-Trial Version Screenshot

Anonymizers
An anonymizer is a tool that allows you to mask your IP address to visit websites without being tracked or identified, keeping your activity private. It allows you to access blocked content on the Internet with omitted advertisements. A few anonymizers that are readily available in the market are listed as follows:

• Mowser, available at http://www.mowser.com
• Anonymous Web Surfing Tool, available at http://www.anonymous-surfing.com
• Hide Your IP Address, available at http://www.hideyouripaddress.net
• Anonymizer Universal, available at http://www.anonymizer.com
• Guardster, available at http://www.guardster.com
• Spotflux, available at http://www.spotflux.com
• U-Surf, available at http://ultimate-anonymity.com
• WarpProxy, available at http://silent-surf.com
• Hope Proxy, available at http://www.hopeproxy.com
• Hide My IP, available at http://www.privacy-pro.com

Spoofing IP Address
• IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be someone else
• When the victim replies to the address, it goes back to the spoofed address and not to the attacker's real address

IP spoofing using Hping2:
hping2 www. -a 7.7.7.7

You will not be able to complete the three-way handshake and open a successful TCP connection by spoofing an IP address

Spoofing IP Addresses
Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker uses a fake IP in place of the attacker's assigned IP. When the attacker sends a connection request to the target host, the target host replies to the attacker's request, but the reply is sent to the spoofed address. When spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources.

IP spoofing using Hping2:
hping2 www.cretifiedhacker.com -a 7.7.7.7
Using Hping2 you can perform IP spoofing. It helps you to send arbitrary TCP/IP packets to network hosts.

FIGURE 3.79: Attacker Sending Spoofed Packet to The Victim

IP Spoofing Detection Techniques: Direct TTL Probes
• Send a packet to the host of the suspect spoofed packet that triggers a reply and compare the TTL with the suspect packet; if the TTL in the reply is not the same as the packet being checked, it is a spoofed packet
• This technique is successful when the attacker is in a different subnet from the victim
Diagram: the attacker (spoofed address 10.0.0.5) sending a packet with spoofed 10.0.0.5 IP, TTL 13, to the target
Note: Normal traffic from one host can vary TTLs depending on traffic patterns

IP Spoofing Detection Techniques: Direct TTL Probes
First, send a packet to the host of the suspect spoofed packet and wait for the reply. Check whether the TTL value in the reply matches the TTL value of the packet that you are checking. Both will have the same TTL if they use the same protocol. Although initial TTL values vary with the protocol used, a few initial TTL values are commonly used: for TCP/UDP, the commonly used initial values are 64 and 128, and for ICMP, the values are 128 and 255. If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. The hop count can be determined by deducting the TTL value in the reply from the initial TTL value. If the TTL in the reply does not match the TTL of the packet that you are checking, it is a spoofed packet. If the attacker knows the hop count between source and host, it will be very easy for the attacker to launch an attack. In this case, the test results in a false negative.

FIGURE 3.80: Using Direct TTL Probes for IP Spoofing Detection

IP Spoofing Detection Techniques: IP Identification Number
• Send a probe to the host of the suspect spoofed traffic that triggers a reply and compare the IP ID with the suspect traffic
• If the IP IDs are not near the value of the packet being checked, the suspect traffic is spoofed
• This technique is successful even if the attacker is in the same subnet
Diagram: the attacker (spoofed address 10.0.0.5) sending a packet with spoofed IP 10.0.0.5, IP ID 2586, to the target

IP Spoofing Detection Techniques: IP Identification Number

Spoofed packets can be identified based on the identification number (IP ID) in the IP header, which increases each time a packet is sent. This method is effective even when both the attacker and the victim are on the same subnet. To identify whether the packet is spoofed or not, send a probe packet to the target and observe the IP ID number in the reply. If it is near the value of the packet that you are checking, then it is not a spoofed packet; otherwise it is a spoofed packet.
FIGURE 3.81: Using IP Identification Number for IP Spoofing Detection
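
The direct TTL probe and the IP ID comparison described above can be combined in one check. This is an added example, not code from the courseware; the Observation record, the function names, the tolerance and max_gap thresholds and all sample values other than the TTL 13 and IP ID 2586 shown in the figures are assumptions.

```python
from dataclasses import dataclass

# Initial TTLs named in the text: 64 and 128 for TCP/UDP, 128 and 255 for ICMP.
COMMON_INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Observation:
    """Header fields of one received packet. All sample values are constructed."""
    proto: str   # "tcp", "udp" or "icmp"
    ttl: int     # TTL as it arrived at the sensor
    ip_id: int   # 16-bit IP identification field


def hop_count(observed_ttl):
    """Estimate hops travelled as (initial TTL - observed TTL).

    Assumption: the sender used the smallest common initial TTL that is not
    below the observed value.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = next(t for t in COMMON_INITIAL_TTLS if observed_ttl <= t)
    return initial - observed_ttl


def ttl_consistent(suspect, reply, tolerance=1):
    """Same protocol: compare raw TTLs. Different protocol: compare hop counts.

    The tolerance (assumed value) absorbs the normal TTL variation the text notes.
    """
    if suspect.proto == reply.proto:
        return abs(suspect.ttl - reply.ttl) <= tolerance
    return abs(hop_count(suspect.ttl) - hop_count(reply.ttl)) <= tolerance


def ip_id_near(suspect, reply, max_gap=200):
    """The probe reply is sent after the suspect packet, so on a host with one
    incrementing IP ID counter its ID should be slightly ahead (mod 2**16).

    max_gap is an assumed threshold. Hosts that randomise the IP ID make this
    check inconclusive.
    """
    gap = (reply.ip_id - suspect.ip_id) % 65536
    return 0 < gap <= max_gap


def assess(suspect, reply, ttl_tolerance=1, max_id_gap=200):
    """Run both checks and return (verdict, per-check results)."""
    checks = {
        "ttl": ttl_consistent(suspect, reply, ttl_tolerance),
        "ip_id": ip_id_near(suspect, reply, max_id_gap),
    }
    verdict = "consistent" if all(checks.values()) else "likely spoofed"
    return verdict, checks


# Constructed scenario: the real 10.0.0.5 answers an ICMP probe from 7 hops away.
PROBE_REPLY = Observation("icmp", ttl=121, ip_id=40112)
SAMPLES = {
    "figure values": Observation("tcp", ttl=13, ip_id=2586),
    "genuine packet": Observation("tcp", ttl=57, ip_id=40100),
    # The false negative the text warns about: the TTL was chosen to match the
    # real hop count, so only the IP ID check still fails.
    "ttl matched": Observation("tcp", ttl=57, ip_id=2586),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, assess(packet, PROBE_REPLY))
```

The third sample shows why the two checks are worth running together: a packet whose TTL fits the real hop count passes the TTL test and is caught only by the IP ID comparison.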

IP Spoofing Detection Techniques: TCP Flow Control Method
• Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets
• Attackers therefore cannot be responsive to changes in the congestion window size
• When received traffic continues after a window size is exhausted, most probably the packets are spoofed
Diagram: the attacker (spoofed address 10.0.0.5) sending a SYN packet with spoofed 10.0.0.5 IP to the target

IP Spoofing Detection Techniques: TCP Flow Control Method
TCP can optimize flow control on both the sender and the receiver side with its algorithm. The algorithm accomplishes flow control based on the sliding window principle. The flow of IP packets can be controlled by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. When the window size is set to zero, the sender should stop sending more data. In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker, who is unaware of the ACK packet containing window size information, continues to send data to the victim. If the victim receives data packets beyond the window size, then the packets must be treated as spoofed. For an effective flow control method and early detection of spoofing, the initial window size must be very small. Most spoofing attacks occur during the handshake, as it is difficult to build multiple spoofing replies with the correct sequence number. Therefore, the flow control spoofed packet detection must be applied at the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting the SYN request from a genuine client or a spoofed one, you should set the window size in the SYN-ACK to zero. If the sender sends an ACK with any data, then it means that the sender is the spoofed one. This is because when the window size in the SYN-ACK is set to zero, the sender must respond to it only with the ACK packet but not ACK with data.

FIGURE 3.82: Using TCP Flow Control Method for IP Spoofing Detection
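
One way to express the flow control check over a recorded connection, as an added example that is not part of the courseware. The Segment record, the function names and the three sample connections are constructed for illustration, and the example assumes every outbound segment acknowledges all data received so far.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a connection, as seen at the monitored host."""
    direction: str    # "in" = from the remote peer, "out" = sent by this host
    flags: str        # "S", "SA", "A", "PA", ...
    payload_len: int  # bytes of data carried
    window: int       # receive window advertised in this segment


def window_violations(segments):
    """Return (index, payload_len, credit) for every inbound segment that
    carries more data than this host had allowed at that point.

    Assumption: each outbound segment acknowledges everything received so
    far, so it resets the peer's credit to the window it advertises.
    A production detector must also allow the small zero-window probes a
    real TCP stack sends after its persist timer fires.
    """
    violations = []
    credit = None  # None until this host has advertised a window
    for index, seg in enumerate(segments):
        if seg.direction == "out":
            credit = seg.window
        elif credit is not None:
            if seg.payload_len > credit:
                violations.append((index, seg.payload_len, credit))
            credit = max(0, credit - seg.payload_len)
    return violations


def classify(segments):
    """Label a connection from the monitored host's point of view."""
    return "likely spoofed" if window_violations(segments) else "consistent"


# Constructed connection 1: genuine client. It sees the zero window in the
# SYN-ACK, answers with a bare ACK, and sends data only after a window opens.
GENUINE = [
    Segment("in", "S", 0, 65535),
    Segment("out", "SA", 0, 0),
    Segment("in", "A", 0, 65535),
    Segment("out", "A", 0, 512),
    Segment("in", "PA", 400, 65535),
    Segment("in", "PA", 100, 65535),
]

# Constructed connection 2: the sender never saw the SYN-ACK, so its ACK
# already carries data although the advertised window is zero.
BLIND_SENDER = [
    Segment("in", "S", 0, 65535),
    Segment("out", "SA", 0, 0),
    Segment("in", "PA", 300, 65535),
]

# Constructed connection 3: traffic continues after a small window of
# 256 bytes is exhausted.
WINDOW_OVERRUN = [
    Segment("in", "S", 0, 65535),
    Segment("out", "SA", 0, 256),
    Segment("in", "A", 0, 65535),
    Segment("in", "PA", 200, 65535),
    Segment("in", "PA", 200, 65535),
]

if __name__ == "__main__":
    for name, flow in (("genuine", GENUINE), ("blind sender", BLIND_SENDER),
                       ("window overrun", WINDOW_OVERRUN)):
        print(name, classify(flow), window_violations(flow))
```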


IP Spoofing Countermeasures
• Limit access to configuration information on a machine
• Use random initial sequence numbers

IP Spoofing Countermeasures
In ethical hacking, the ethical hacker, also known as the pen tester, has to perform an additional task that a normal hacker doesn't: applying countermeasures to the respective vulnerabilities determined through hacking. This is essential because knowing the security loopholes in your network is worthless unless you take measures to protect them against real hackers. As mentioned previously, IP spoofing is one of the techniques that a hacker employs to break into the target network. Therefore, in order to protect your network from external hackers, you should apply IP spoofing countermeasures to your network security settings. The following are a few IP spoofing countermeasures that you can apply:

Avoid trust relationships
Attackers may spoof themselves as a trusted host and send malicious packets to you. If you accept those packets by considering that the packets are sent by your trusted host, then you may get infected. Therefore, it is advisable to test the packets even when they come from one of your trusted hosts. You can avoid this problem by implementing password authentication along with trust-relationship-based authentication.

Use firewalls and filtering mechanisms
You should filter all the incoming and outgoing packets to avoid attacks and sensitive information loss. The incoming packets may be the malicious packets coming from the attacker.

If you do not employ any kind of incoming packet filtering mechanism such as a firewall, then the malicious packets may enter your private network and may cause severe loss. You can use access control lists (ACLs) to block unauthorized access. At the same time, there is also a possibility of insider attackers. These attackers may send sensitive information about your business to your competitors. This may also lead to great monetary loss or other issues. There is one more risk of outgoing packets, which is when an attacker succeeds in installing a malicious sniffing program running in hidden mode on your network. These programs gather and send all your network information to the attacker without giving any notification. This can be figured out by filtering the outgoing packets. Therefore, you should give the same importance to the scanning of outgoing packets as that of the incoming packet data scanning.

Use random initial sequence numbers
Most devices choose their ISN based on timed counters. This makes the ISNs predictable, as it is easy for a malicious person to determine how the ISN is generated. An attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he or she can make a malicious connection to the server and sniff your network traffic. To avoid this risk, you should use random initial sequence numbers.

Ingress filtering
Prohibiting spoofed traffic from entering the Internet is the best way to block it. This can be achieved with the help of ingress filtering. Ingress filtering applied on routers enhances the functionality of the routers and blocks spoofed traffic. It can be implemented in many ways. Configuring and using access control lists (ACLs) that drop packets with source address outside the defined range is one way to implement ingress filtering.

Egress filtering
Egress filtering refers to a practice that aims at IP spoofing prevention by blocking outgoing packets whose source address is not inside the network.
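
The source-address ACLs behind ingress and egress filtering, as an added example that is not part of the courseware. The rule syntax is a simplified, hypothetical one (not a vendor syntax), the site prefix 198.51.100.0/24 and the sample addresses are constructed, and the inbound rule set goes slightly beyond the text by also dropping private and loopback sources arriving from the Internet.

```python
import ipaddress


def parse_acl(lines):
    """Turn 'permit|deny <cidr|any>' lines into ordered (action, network) rules."""
    rules = []
    for line in lines:
        action, target = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        cidr = "0.0.0.0/0" if target == "any" else target
        rules.append((action, ipaddress.ip_network(cidr)))
    return rules


def evaluate(acl, src):
    """First matching rule wins; no match means deny (implicit deny)."""
    addr = ipaddress.ip_address(src)
    for action, network in acl:
        if addr in network:
            return action
    return "deny"


def dropped(acl, sources):
    """Return the source addresses the ACL would drop, in input order."""
    return [src for src in sources if evaluate(acl, src) == "deny"]


SITE_PREFIX = "198.51.100.0/24"  # constructed: the addresses assigned to the site

# Egress filter at the site border: only packets that carry one of the
# site's own source addresses may leave. A provider applies the same rule
# on the customer-facing port of its router as ingress filtering.
EGRESS_ACL = parse_acl([
    f"permit {SITE_PREFIX}",
    "deny any",
])

# Filter for traffic arriving from the Internet: a packet that claims an
# internal, private or loopback source cannot be genuine on that interface.
INBOUND_ACL = parse_acl([
    f"deny {SITE_PREFIX}",
    "deny 10.0.0.0/8",
    "deny 172.16.0.0/12",
    "deny 192.168.0.0/16",
    "deny 127.0.0.0/8",
    "permit any",
])

# Constructed source addresses seen in each direction.
OUTBOUND_SOURCES = ["198.51.100.10", "7.7.7.7", "198.51.100.200"]
INBOUND_SOURCES = ["203.0.113.7", "198.51.100.10", "10.0.0.5"]

if __name__ == "__main__":
    print("egress drops:", dropped(EGRESS_ACL, OUTBOUND_SOURCES))
    print("inbound drops:", dropped(INBOUND_ACL, INBOUND_SOURCES))
```

With the egress ACL in place, a packet leaving the site with the 7.7.7.7 source address used in the Hping2 illustration is dropped at the border.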

Use encryption
If you want to attain maximum network security, then use strong encryption for all the traffic placed onto the transmission media, regardless of its type and location. This is the best solution for IP spoofing attacks. Attackers usually tend to find targets that can be compromised easily. If an attacker wants to break into an encrypted network, then he or she has to face a whole slew of encrypted packets, which is a difficult task. Therefore, the attacker may try to find another target that can be easily compromised or may attempt other techniques to break into the network. Use the latest encryption algorithms that provide strong security.

SYN flooding countermeasures
Countermeasures against SYN flooding attacks can also help you to avoid IP spoofing attacks.

Besides these basic countermeasures, you can perform the following to avoid IP spoofing attacks:
• You should limit the access to configuration information on a machine
• You should always disable commands like ping
• You should reduce TTL fields in TCP/IP requests
• You should use multilayered firewalls


CEH Scanning Methodology
So far, we have discussed concepts such as what to scan, how to scan, how to detect vulnerabilities, and the respective countermeasures that are necessary to perform scanning pen testing. Now we will begin the action of scanning pen testing.

Check for Live Systems
Scan for Vulnerability
Check for Open Ports
Draw Network Diagrams
Scanning Beyond IDS
Prepare Proxies
Banner Grabbing
Scanning Pen Testing

This section highlights the need for scanning pen testing and the steps to be followed for effective pen testing.

Scanning Pen Testing
Pen testing a network for scanning vulnerabilities determines the network's security posture by identifying live systems, discovering open ports, associating services and grabbing system banners to simulate a network hacking attempt

The penetration testing report will help system administrators to:
• Close unused ports
• Calibrate firewall rules
• Disable unnecessary services
• Troubleshoot service configuration errors
• Hide or customize banners

Scanning Pen Testing
The network scanning penetration test helps you to determine the network security posture by identifying live systems, discovering open ports and associated services, and grabbing system banners from a remote location, simulating a network hacking attempt. You should scan or test the network in all possible ways to ensure that no security loophole is overlooked. Once you are done with the penetration testing, you should document all the findings obtained at every stage of testing so that it helps system administrators to:
• Close unused ports if not necessary/unknown open ports found
• Disable unnecessary services
• Hide or customize banners
• Troubleshoot service configuration errors
• Calibrate firewall rules to impose more restriction

Scanning Pen Testing (Cont'd)
• Check for the live hosts using tools such as Nmap, Angry IP Scanner, SolarWinds Engineer's toolset, Colasoft Ping Tool, etc.
• Check for open ports using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc.
• Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, etc.
• Scan for vulnerabilities using tools such as Nessus, GFI LANGuard, SAINTscanner, Core Impact Professional, Retina CS Management, MBSA, etc.

Scanning Pen Testing (Cont'd)
Let's see step by step how a penetration test is conducted on the target network.

Step 1: Host Discovery
The first step of network penetration testing is to detect live hosts on the target network. You can attempt to detect the live hosts, i.e., accessible hosts in the target network, using network scanning tools such as Angry IP Scanner, Nmap, Netscan, etc. It is difficult to detect live hosts behind the firewall.

Step 2: Port Scanning
Perform port scanning using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc. These tools will help you to probe a server or host on the target network for open ports. Open ports are the doorways for attackers to install malware on a system. Therefore, you should check for open ports and close them if not necessary.

Step 3: Banner Grabbing or OS Fingerprinting
Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, Netcat, etc. This determines the operating system running on the target host of a network and its version. Once you know the version and operating system running on the target system, find and exploit the vulnerabilities related to that OS. Try to gain control over the system and compromise the whole network.

Step 4: Scan for Vulnerabilities
Scan the network for vulnerabilities using network vulnerability scanning tools such as Nessus, GFI LANGuard, SAINT, Core Impact Professional, Retina CS, MBSA, etc. These tools help you to find the vulnerabilities present in the target network. In this step, you will be able to determine the security weaknesses/loopholes of the target system or network.

Scanning Pen Testing (Cont'd)
• Draw network diagrams of the vulnerable hosts using tools such as LAN surveyor, OpManager, NetworkView, The Dude, FriendlyPinger, etc.
• Prepare proxies using tools such as Proxy Workbench, Proxifier, Proxy Switcher, SocksChain, TOR, etc.
• Document all the findings

Scanning Pen Testing (Cont'd)
Step 5: Draw Network Diagrams
Draw a network diagram of the target organization that helps you to understand the logical connection and path to the target host in the network. The network diagram can be drawn with the help of tools such as LAN surveyor, OpManager, LANState, FriendlyPinger, etc. The network diagrams provide valuable information about the network and its architecture.

Step 6: Prepare Proxies
Prepare proxies using tools such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy, ProxyFinder, etc. to hide yourself from being caught.

Step 7: Document all Findings
The last but the most important step in scanning penetration testing is preserving all outcomes of tests conducted in previous steps in a document. This document will assist you in finding potential vulnerabilities in your network. Once you determine the potential vulnerabilities, you can plan the counteractions accordingly. Thus, penetration testing helps in assessing your network before it gets into real trouble that may cause severe loss in terms of value and finance.

Module Summary
Let's take a look at what you have learned in this module:
• The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network.
• Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts.
• Attackers use various scanning techniques to bypass firewall rules and logging mechanisms, and hide themselves as usual network traffic.
• Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system.
• Drawing the target's network diagram gives valuable information about the network and its architecture to an attacker.
• HTTP Tunneling technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls.
• Proxy is a network computer that can serve as an intermediary for connecting with other computers.
• A chain of proxies can be created to evade a traceback to the attacker.
