You are on page 1of 182

CEH Lab M anual

Scanning Networks
Module 03

Module 03 - Scanning Networks

Scanning a Target Network
Scanning a network refers to a set ofproceduresfor identifying hosts, po/ts, and services running in a network.

Lab Scenario
ICON KEY Valuable information s Test your knowledge Web exercise W orkbook review

H Q

Vulnerability scanning determines the possibility o f network security attacks. It evaluates the organization’s systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component o f any penetration testing assignment. You need to conduct penetration testing and list die direats and vulnerabilities found in an organization’s network and perform port scanning, netw ork scanning, and vulnerability scan n in g ro identify IP/hostname, live hosts, and vulnerabilities.

Lab Objectives
The objective o f diis lab is to help students in conducting network scanning, analyzing die network vulnerabilities, and maintaining a secure network. You need to perform a network scan to: ■ ■ ■ ■ Check live systems and open ports Perform banner grabbing and OS fingerprinting Identify network vulnerabilities Draw network diagrams o f vulnerable hosts

ZZ7 Tools dem on strated in this lab are a va ila b le in D:\CEHTools\CEHv8 M odule 03 S canning N etw orks

Lab Environment
111

die lab, you need: ■ A computer running with W indows S erver 2012, W indows S erver 2008. W indows 8 or W indows 7 with Internet access ■ A web browser ■ Administrative privileges to run tools and perform scans

Lab Duration
Time: 50 Minutes

Overview of Scanning Networks
Building on what we learned from our information gadiering and threat modeling, we can now begin to actively query our victims for vulnerabilities diat may lead to a compromise. We have narrowed down ou 1 attack surface considerably since we first began die penetration test widi everydiing potentially in scope.

C E H L ab M an u al P ag e S5

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial o f service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. 111 fact even a seemingly harmless misconfiguration can be the nuiiing point in a penetration test that gives up the keys to the kingdom. For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then die risk associated with the anonymous read option is minimal. O n die other hand, if you are able to read the entire file system using die anonymous FTP account, or possibly even worse, someone lias mistakenly left die customer's trade secrets in die FTP directory that is readable to die anonymous user; this configuration is a critical issue. Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few o f diem. As we will see in diis module, using a vulnerability scanner can help a penetration tester quickly gain a good deal o f potentially interesting information about an environment. 111 diis module we will look at several forms o f vulnerability assessment. We will study some commonly used scanning tools.

Lab Tasks
T AS K 1
O verview

Pick an organization diat you feel is worthy o f your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in scanning networks: ■ Scanning System and Network Resources Using A d v a n ce d IP S c a n n e r

■ Banner Grabbing to Determine a Remote Target System Using ID S e r v e ■ Fingerprint Open Ports for Running Applications Using the A m ap Tool ■ Monitor T C P /IP Connections Using die C urrP orts Tool ■ Scan a Network for Vulnerabilities Using GFI LanG uard 2 0 1 2
L__/ Ensure you have ready a copy of the additional readings handed out for this lab.

■ Explore and Audit a Network Using Nmap ■ Scanning a Network Using die N e tS c a n T o o ls Pro ■ Drawing Network Diagrams Using L A N Su rveyor ■ Mapping a Netw ork Using the Friendly P inger ■ Scanning a Netw ork Using die N e s s u s Tool ■ Auditing Scanning by Using G lobal N etw o rk Inventory ■ Anonymous Browsing Using P ro xy S w itc h e r

C E H L ab M an u al P ag e S6

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

■ Daisy Chaining Using P ro xy W orkb ench ■ H TTP Tunneling Using HTTPort ■ Basic N etw ork Troubleshooting Using the M egaP ing ■ Detect, Delete and Block Google Cookies Using G -Zapper ■ Scanning the Netw ork Using the C o la s o ft P a c k e t B uilder ■ Scanning Devices in a Network Using T h e Dude

Lab A nalysis
Analyze and document die results related to die lab exercise. Give your opinion on your target’s security posture and exposure duough public and free information.

P L E A S E TA LK T O Y O U R I N S T R U C T O R IF Y OU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.

C E H L ab M an u al P ag e 87

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Scanning System and Network Resources Using Advanced IP Scanner
ICON KEY / = ‫ ־‬Valuable information ✓ Test your knowledge

-Advanced IP Scanner is afree nefirork scanner thatgivesyon various types of information regarding local nehvork computers.

Lab S cenario
this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal o f running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.
111

S Web exercise C Q W orkbook review

Lab O bjectives
l —J Tools dem on strated in this lab are a va ila b le in D:\CEHTools\CEHv8 M odule 03 S canning N etw orks

The objective o f this lab is to help students perform a local network scan and discover all the resources 011 die network. You need to: ■ ■ ■ ■ Perform a system and network scan Enumerate user accounts Execute remote penetration Gather information about local network computers

Lab Environm ent
Q You can also download Advanced IP Scanner from http :/1 www. advanced-ipscanner.com. 111

die lab, you need: ■ Advanced IP Scanner located at Z:\\CEHv8 Module 03 Scanning
N etw orks\Scanning Tools A d van ced IP S can n er

■ You can also download the latest version o f A d v a n ce d IP S c a n n e r from the link http://www.advanced-ip-scanner.com

C E H L ab M an u al P ag e 88

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks


/ 7 Advanced IP Scanner works on Windows Server 2003/ Server 2008 and on Windows 7 (32 bit, 64 bit).

I f you decide to download the la te s t v e rsio n , then screenshots shown in the lab might differ

■ A computer running W indow s 8 as die attacker (host machine) ■ Another computer running W indow s server 2008 as die victim (virtual machine) ■ A web browser widi Internet a c c e s s ■ Double-click ipscan20.m si and follow die wizard-driven installation steps to install Advanced IP Scanner

■ A dm inistrative privileges to run diis tool

Lab D uration
Time: 20 Minutes

O verview o f N e tw o rk Scanning
Network scanning is performed to c o lle c t inform ation about live sy s te m s , open ports, and n etw ork vulnerabilities. Gathered information is helpful in determining th reats and vulnerabilities 111 a network and to know whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks
S TASK 1
1. Go to S tart by hovering die mouse cursor in die lower-left corner o f die desktop

Launching A d van ced IP S can n er

FIGURE 1.1: Windows 8- Desktop view

2. Click A d van ced IP S can n er from die S tart menu in die attacker machine (Windows 8).

C E H L ab M an u al P ag e 89

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Start
WinRAR Mozilla Firefox Command

A dm in

^

Prompt
it t

Fngago Packet builder

Nc m

2*

Computer

m With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.

Microsoft Clip Organizer

Advanced IP Scanner

Sports

tS

m
Microsoft Office 2010 Upload...

iiilili
finance

Control Panel

• FIGURE 12. Windows 8- Apps

3. The A d van ced IP S can n er main window appears.

You can wake any machine remotely with Advanced IP Scanner, if the Wake-on‫־‬LAN feature is supported by your network card.

FIGURE 13: The Advanced IP Scanner main window

4. N ow launch die Windows Server 2008 virtual machine (victim ’s m achine).

C E H L ab M an u al P ag e 90

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

L __/ You have to guess a range of IP address of victim machine.

iik
FIGURE 1.4: The victim machine Windows server 2008 Radmin 2.x and 3.x Integration enable you to connect (if Radmin is installed) to remote computers with just one dick.

O

jf f lc k

10:09 FM J

a

5. Now, switch back to die attacker machine (Windows 8) and enter an IP address range in die S e le c t range field. 6. Click die S c a n button to start die scan.

The status of scan is shown at the bottom left side of the window.

7. A d van ced IP S can n er scans all die IP addresses within die range and displays the s c a n resu lts after completion.

C E H L ab M an u al P ag e 91

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Lists of computers saving and loading enable you to perform operations with a specific list of computers. Just save a list of machines you need and Advanced IP Scanner loads it at startup automatically.

Advanced IP Scanner
File Actions Settings View Heip

J► S c a r' J l
10.0.0.1- 10.0.0.10
R esits | Favorites |

r=£k=3 r f t o

IP c

d id 3 ? f i l :

Like us on 1 F a ce b o o k

Status 0 ‫ט‬

w
>£*

r

Manufacturer
10.0.a1 Nlctgear, Inc. D ell Inc M ic r o s o ft C o rp o ra tio n M ic r o s o ft C o rp o ra tio n Dell Inc

M A C ad d ress 00:09:5B:AE:24CC D0:67:ES:1A:16:36 00: 5:5D: A8:6E:C6 00:15:5D:A8:&E:03 D 1:3‫׳‬E:D9:C3:CE:2D

10.0.0.1

W IN -M SSE LC K 4 K 4 1 W INDO W S# W IN * L X Q N 3 W R 3 R 9 M W IN -D 39M R 5H 19E 4

10 0

. .a2

® & ®

10.0.03 10.0.05 10.0.07

1

15

m Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few dicks.

5*iv*, 0

d«J0,

S unknown

FIGURE 1.6: The Advanced IP Scanner main window after scanning

8. You can see in die above figure diat Advanced IP Scanner lias detected die victim machine’s IP address and displays die status as alive 9. Right-click any o f die detected IP addresses. It will list Wake-On-LAN. Shut down, and Abort Shut down

M

T A S K

2

Extract Victim’ s IP Address Info

5‫־‬
F ie A ctions Settings View Helo

Advanced IP Scanner

Scan

II

i p c u u

*

*sS :

Wi F a ce b o o k

Like us on

10 .0 .0 . 1- 10 .0 .0.10
Resuts Favorites |
N am e

Status
10.0 .0.1

IHLMItHMM,
W IN D O W S 8


t* p ‫׳‬o re Copy

1 0 .0 .0 1 1

n

to ru fa c tu re r

MAC address
0G:09:5B:AE:24CC
D0t67:E5j1A:16«36

Netgear. Inc
M icrosoft Corporation
M ic r o s o ft C o rp o ra tio n

h i

W IN -L X Q N 3 W R 3 W IN ‫ ־‬D39MR5HL<

Add to ‘Favorites' Rescan selected S ive selected...
W d ke‫־‬O n ‫־‬L A N S h u t dcw n... A b o rt s h u t d c w n

!

00:15:‫צ‬U:A8:ofc:O t>
00:15:SD:A8:6E:03 CW:BE:D9:C3:CE:2D

Dell Inc

Wake-on-LAN: You can wake any machine remotely with Advanced IP Scanner, if Wake-on-LAN feature is supported by your network card.

a

R a d rn ir 5 alive. 0 dead , 5 u n k n o w n

FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list

10. The list displays properties o f the detected computer, such as IP address. Name, MAC, and NetBIOS information. 11. You can forcefully Shutdown, Reboot, and Abort Shutdown die selected victim m achine/IP address

C E H L ab M an u al P ag e 92

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

& File Actions Settings View Help
r Scan

Shutdown options
Use V/jndo'AS autheritifcation

‫״‬m s i * w\ F a ce b o o k 3
jre r MAC address 00;C9;5B:AE:24;CC Like us on

J ! ] .■ ]

Jse r narre: Dcss*rord:

Winfingerprint Input Options: ■ IP Range (Netmask and Inverted Netmask supported) IP ListSmgle Host Neighborhood

110.0.0.1-100.0.10 Results | Status Favorites |

rn e o c t (sec): [60 Message: Name

®

a

1 00.0.1
WIN-MSSELCK4K41 WIND0WS8 WIN-LXQN3WR3R9M WIN-D39MR5HL9E4
It ion It ion

D0:67:E5:1A:16:36
00:15:3C:A0:6C:06 00:I5:5D:A8:6E:03 D4:BE D$:C3:CE:2D

$ » a

I” Forced shjtdown
f " Reooot

S0Jr\c, Odcad, 5 unknown

FIGURE 1.8: The Advanced IP Scanner Computer properties window

12. N ow you have die IP a d d re s s . N am e, and o th er d e ta ils o f die victim machine. 13. You can also try Angry IP scanner located at D:\CEH-Tools\CEHv8
Module 03 Scanning Networks\Ping S w e e p Tools\Angry IP S can n er It

also scans the network for machines and ports.

Lab A nalysis
Document all die IP addresses, open ports and dieii running applications, and protocols discovered during die lab. T o o l/U tility In fo rm atio n C o llected /O b jectiv es A chieved Scan Inform ation: ■ ■ ■ ■ ■ ■ IP address System name MAC address NetBIOS information Manufacturer System status

A dvanced IP S canner

C E H L ab M an u al P ag e 93

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

PL E A S E TALK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.

Q uestions
1. Examine and evaluate the IP addresses and range o f IP addresses.

In te rn e t C o n n ectio n R eq u ired □ Y es P latform S u p p o rted 0 C lassroom 0 iLabs 0 No

C E H L ab M an u al P ag e 94

E thical H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Banner Grabbing to Determine a Remote Target System using ID Serve
ID S Serve is used to identify the make, model, and version of any website's server sofhrare.
I CON KEY

Lab Scenario
111 die previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer flow, SQL injection, and web application 011 a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them and crack into die network and cause server damage. Therefore, it is extremely important for penetration testers to be familiar widi banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine die role o f servers within a network. 111 diis lab, you will learn die banner grabbing technique to determine a remote target system using ID Serve.

Valuable information

y*

Test your knowledge Web exercise

O

W orkbook review

Lab Objectives
The objective o f diis lab is to help students learn to banner grabbing die website and discover applications running 011 diis website.
111

diis lab you will learn to: ■ ■ Identify die domain IP address Identify die domain information

O Tools dem on strated in this lab are a va ila b le in D:\CEHTools\CEHv8 M odule 03 S canning N etw orks

Lab Environment
To perform die lab you need: ■ ID Server is located at D:\CEH-Tools\CEHv8 M odule 03 S can n in g
N etw orks\B an n er G rabbin g Tools\ID S e r v e

C E H L ab M an u al P ag e 95

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

■ You can also download the latest version o f ID S e r v e from the link http: / / w ww.grc.com /id/idserve.htm ■ ■ I f you decide to download the la te s t v e rsio n , then screenshots shown in the lab might differ Double-click id s e r v e to run ID S e r v e

■ Administrative privileges to run die ID S e rv e tool ■ Run this tool on W indows S erver 2012

Lab Duration
Time: 5 Minutes

Overview of ID Serve
ID Serve can connect to any server port on any dom ain or IP address, then pull and display die server's greeting message, if any, often identifying die server's make, model, and version, whether it's for FTP, SMTP, POP, NEW’S, or anything else.

Lab Tasks
TASK 1
Identify w e b site se rve r information

1. Double-click id serve located at D:\CEH-Tools\CEHv8 M odule 03 Scanning
N etw orks\Banner Grabbing Tools\ID S erve

2. 111 die main window o f ID S erve show in die following figure, select die S e v e r Q uery tab
0
ID Serve

'-ro

ID Serve
Background Server Query

Internet Server Identification Utility, v l .02 Personal Security Freeware by Steve Gibson Copyright (c) 2003 by Gibson Research Cap. | Q & A /H elp

Enter 01 copy / paste an Internet server URL 0* IP address here (example www rmcrosoft com)

ri

r!
Server

Query The Server

^

When an Internet URL or IP has been provided above press this button to rwtiate a query of the speahed server

If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP

^4
Copy

The server identified <se* as

goto ID Serve web page

E*it

FIGURE 21: Main window of ID Serve

3. Enter die IP address or URL address in Enter or Copy/paste an Internal
se rve r URL or IP a d d ress here:

C E H L ab M an u al P ag e 96

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

ID Serve
Internet Server Identification Utility, v l .02 Personal Security Freeware by Steve Gibson Copyright (c) 2003 by Gibson Research Corp. I Q & A /tje lp

ID Serve
Background Server Query
^

Enter or copy I paste an Internet serve* URL or IP address here (example www rmcrosoft com)
|www c e rtifie d h a c k e r com[

ID Serve can accept the URL or IP as a command-line parameter

Query The Server Server query processing

When an Internet URL 0* IP has been provided above, press this button 10 initiate a query 01 the specfod server

(%

The server identified ilsef as

Copy

Goto ID Serve web page

Ejjit

FIGURE 2 2 Entering die URL for query

4. Click Query T h e Server; it shows server query processed information
ID Serve

’- r ° ]

-

‫׳‬

ID Serve
Background Server Query

Internet Server Identification Utility, v l .02 Personal Security Freeware by Steve Gibson Copyright (c) 2003 by Gibson Research Cofp | Q & A /H elp
www

Enter or copy / paste an Internet server URL or IP address here (example

m »crosott com)

<T
Q ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.

| w w w . c e r t if ie d h a c k e r . c o m |

r2

[

Query The Server

When an Internet URL 0* IP has been provided above, press this button to initiate a query of the speeded server

Server query processing Initiating server query Looking up IP address for domain www certifiedhacker com The IP address for the domain is 202.75 54 101 Connecting to the server on standard HTTP port: 80 Connected] Requesting the server's default page The server identfied itself as
M i c r o soft-11 S/6.0

a
Copy

Goto ID Serve web page

Exit

FIGURE 23: Server processed information

Lab A nalysis
Document all the IP addresses, their running applications, and die protocols you discovered during die lab.

C E H L ab M an u al P ag e 97

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

T o o l/U tility

In fo rm atio n C o llected /O b jectiv es A chieved IP address: 202.75.54.101 Server C onnection: Standard H T 1 P port: 80 R esp o n se h ead ers retu rn e d from server:

ID Serve

■ ■ ■ ■ ■

H T T P /1.1 200 Server: M icrosoft-IIS/6.0 X -Pow ered-B y: PH P/4.4.8 T ran sfer-E n co d in g : chunked C o n ten t-T y p e: tex t/h tm l

P L E A S E TALK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D TO T H I S LAB.

Q uestions
1. Examine what protocols ID Serve apprehends. 2. Check if ID Serve supports https (SSL) connections.

In te rn e t C o n n ectio n R eq u ired □ Yes Platform S upported 0 C lassroom 0 iLabs 0 No

C E H L ab M an u al P ag e 98

E thical H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Fingerprinting Open Ports Using the Amap Tool
.-bnap determines applications running on each openport.
ICON KEY
2 ^ Valuable
information Test vour knowledge

Lab Scenario
Computers communicate with each other by knowing die IP address in use and ports check which program to use when data is received. A complete data transfer always contains the IP address plus the port number required. 111 the previous lab we found out that die server connection is using a Standard HTTP port 80. If an attacker finds diis information, he or she will be able to use die open ports for attacking die machine. 111 this lab, you will learn to use the Amap tool to perform port scanning and know exacdy what ap plication s are running on each port found open.

g Q

Web exercise W orkbook review

Lab Objectives
C 5 Tools dem on strated in this lab are a va ila b le in D:\CEHTools\CEHv8 M odule 03 S canning N etw orks

The objective o f diis lab is to help students learn to fingerprint open ports and discover applications 11 inning on diese open ports. h i diis lab, you will learn to: ■ ■ Identify die application protocols running on open ports 80 Detect application protocols

Lab Environment
To perform die lab you need: ■ Amap is located at D:\CEH-Tools\CEHv8 M odule 03 S can n in g
N etw orks\B an n er G rabbin g ToolsVAMAP

■ You can also download the latest version o f AMAP from the link http: / / www.thc.org dic-amap. ■ I f you decide to download the la te s t v e rsio n , then screenshots shown in the lab might differ

C E H L ab M an u al P ag e 99

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

■ A computer running Web Services enabled for port 80 ■ Administrative privileges to run die A m ap tool ■ Run diis tool on W indows S erver 2012

Lab Duration
Time: 5 Minutes

Overview of Fingerprinting
Fingerprinting is used to discover die applications running on each open port found 0x 1 die network. Fingerprinting is achieved by sending trigger p a c k e ts and looking up die responses in a list o f response strings.
a t TASK 1

Lab Tasks
1. Open die command prompt and navigate to die Amap directory. 111 diis lab die Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
N etw orks\Banner Grabbing Tools\AMAP

Identify Application P rotocols Running on Port 80

2. Type am ap w w w .ce rtified h a ck er.co m 80, and press Enter.
33

Administrator: Command Prompt

[ D : \ C E H ~ T o o l s \ C E H u 8 M o d u l e 0 3 S c a n n i n g N e t w o r k \ B a n n e r G r a b b i n g T o o l s \ A M A P > a n a p uw [ w . c o r t i f io d h a c h e r .c o m 80 Anap v 5 . 2 <w w w . t b c . o r g / t h c - a m a p > s t a r t e d a t 2 0 1 2 - 0 8 - 2 8 1 2 : 2 0 : 4 2 - MAPPING n o d e J n id en tifie d *map v 5 . 2 p orts: 2 0 2 .? 5 .5 4 .1 0 1 :8 0 /tc p at 2012-08-28 12:20:53 < to ta l 1>.

fin ish ed

D :\C E H -T o o ls\C E H v 8 M odule 0 3 S c a n n i n g N e t w o r k \ B a n n e r G r a b b in g Tools\AM AP>

Syntax: amap [-A | ‫־‬ B | -P | -W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [‫־‬i <£ile>] [target port [port]...] FIGURE 3.1: Amap with host name www.ce1tifiedl1acke1.com with Port SO

3. You can see die specific application protocols running 011 die entered host name and die port 80. 4. Use die IP a d d ress to check die applications running on a particular port. 5. 111 die command prompt, type die IP address o f your local Windows Server 2008(virtual machine) am ap 10.0.0.4 75-81 (local W indows S erver 2008) and press Enter (die IP address will be different in your network).
✓ For Amap options, type amap -help.

6. Try scanning different websites using different ranges o f switches like amap www.certifiedhacker.com 1-200

C E H L ab M an u al P ag e 100

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

‫ד‬
D : \ C E H - T o o l s \ C E H u 8 M o d u le 0 3 S c a n n i n g N e t w o r k \ B a n n e r G r a b b i n g T oo ls \A M A P > a m a p I f . 0 . 0 . 4 75-81 laroap 0 5 . 2 <w w w . t h c . o r g / t h c - a n a p ) s t a r t e d a t 2 0 1 2 - 0 8 - 2 8 1 2 : 2 7 : 5 1 - MAPPING mode P r o t o c o l on 1 0 . 0 _ 0 . 4 : 8 0 / t c p n a t c h e s h t t p P r o t o c o l on 1 0 . 0 _ 0 . 4 : 8 0 / t c p n a t c h e s h t t p - a p a c h e - 2 W arning: C ould n o t c o n n e c t < u n rea c h a b le > t o 1 0 . 0 . 0 . 4 : 7 6 / t c p ,

Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS

K N > W arn in g: K N > W arning: K N > W arn in g: K N > W arn in g: K N > W arning: K N >

d isa b lin g d isa b lin g d isa b lin g d isa b lin g d isa b lin g d isa b lin g

port port port port port port

<EUN <EUN <EUN <EUN <EUN <EUN

C ould n o t c o n n e c t Could n o t c o n n e c t Could n o t c o n n e c t C ould n o t c o n n e c t C ould n o t c o n n e c t

< u n reach ab le) to < u n rea c h a b le> to (u n r ea ch a b le) to

1 0 .0 .0 .4 :7 5 /tc p , 1 0 .0 .0 .4 :7 7 /tc p , 1 0 .0 .0 .4 :7 8 /tc p , 1 0 .0 .0 .4 :7 9 /tc p , 1 0 .0 .0 .4 :8 1 /tc p ,

< u n rea c h a b le> to < u n rea c h a b le> to natches h t t p - i i s n a t c h e s webmin

P r o t o c o l on 1 0 . 0 _ 0 . 4 : 8 0 / t c p P r o t o c o l on 1 0 . 0 _ 0 . 4 : 8 0 / t c p U n id e n tified p o rts: kcp 1 0 .0 .0 .4 : 7 9 / t c p Linap 0 5 . 2 f i n i s h e d

1 0 .0 .0 .4 :7 5 /tc p 1 0 .0 .0 .4 :8 1 /tc p at 2012-08-28

1 0 .0 .0 .4 :7 6 /tc p < to ta l 6>.

1 0 .0 .0 .4 :7 7 /tc p 1 0 .0 .0 .4 : 7 8 /

12:27:54

b : \ C E H - T o o l s \ C E H v 8 M o d u le 0 3 S c a n n i n g N e t w o r k N B a n n e r G r a b b i n g T o o ls \A M A P >

FIGURE 3.2: Amap with IP address and with range of switches 73-81

Lab A nalysis
Document all die IP addresses, open ports and their running applications, and die protocols you discovered during die lab. T o o l/U tility In fo rm atio n C o llected /O b jectiv es A chieved Id en tified o p en port: 80 W ebServers: ■ http-apache2‫־‬ ■ http-iis ■ webmin A m ap U n id en tified ports: ■ ■ ■ ■ ■ ■ 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tc p

C E H L ab M an u al P ag e 101

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

PL E A S E TALK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.

Q uestions
1. Execute the Amap command for a host name with a port number other than 80. 2. Analyze how die Amap utility gets die applications running on different machines. 3. Use various Amap options and analyze die results.

In te rn e t C o n n ectio n R eq u ired
0 Y es

□ No

P latform S upported 0 C lassroom □ iLabs

C E H L ab M an u al P ag e 102

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Monitoring TCP/IP Connections Using the CurrPorts Tool
CurrPorts is netirork monitoring soft!rare that displays the list of all currently opened TCP/ IP and UDPports onyour local computer.
I CON KEY
Valuable information Test your knowledge

Lab S cenario
111 the previous lab you learned how to check for open ports using the Amap tool. As an e th ic a l h a c k e r and p en e tra tio n te s te r , you m ust be able to block such attacks by using appropriate firewalls or disable unnecessary services running 011 the computer. You already know that the Internet uses a software protocol named TCP/ IP to format and transfer data. A 11 attacker can m onitor ongoing TCP connections and can have all the information in the IP and TCP headers and to the packet payloads with which he or she can hijack the connection. As the attacker has all die inform ation 011 the network, he or she can create false packets in the TCP connection. As a n e tw o rk adm inistrator., your daily task is to check the TCP/IP c o n n e c tio n s o f each server you manage. You have to m onitor all TCP and U D P ports and list all the e s ta b lis h e d IP a d d r e s s e s o f the server using the C urrP orts tool.

w m

Web exercise Workbook review

H U Tools dem on strated in this lab are ava ila b le in D:\CEHTools\CEHv8 M odule 03 Scanning N etw orks

Lab O bjectives
The objective o f diis lab is to help students determine and list all the T C P /IP and U D P ports o f a local computer.
111

in this lab, you need to: ■ ■ ■ ■ Scan the system for currently opened TCP/IP and UDP ports Gather inform ation
011

die p o rts and p r o c e s s e s that are opened

List all the IP a d d r e s s e s that are currendy established connections Close unwanted TCP connections and kill the process that opened the ports
E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C E H L ab M an u al P ag e 103

Module 03 - Scanning Networks

Lab Environment
To perform the lab, you need: ■ CurrPorts located at D:\CEH-Tools\CEHv8 M odule 03 S ca n n in g
N etw o rks\S can n in g Tools\C urrPorts

■ You can also download the latest version o f C urrP orts from the link http: / / www.nirsoft.11e t /u tils/cports.html ■ I f you decide to download the la te s t v e rsio n , then screenshots shown in the lab might differ

You can download CuuPorts tool from http://www.nirsoft.net.

a

■ A com puter running W in dow s S e r v e r 2 0 12 ■ Double-click c p o r ts .e x e to run this tool

■ Administrator privileges to run die C urrP orts tool

Lab Duration
Time: 10 Minutes

Overview Monitoring TCP/IP
Monitoring T C P /IP ports checks if there are multiple IP connections established Scanning T C P /IP ports gets information on all die opened TCP and UDP ports and also displays all established IP addresses on die server.

Lab Tasks
The CurrPorts utility is a standalone executable and doesn’t require any installation process or additional DLLs (Dynamic Link Library). Extract CurrPorts to die desired location and double click c p o rts .e x e to launch.
T AS K 1
D iscover TCP/IP Connection

1. Launch C urrports. It a u to m a tic a lly d is p la y s the process name, ports, IP and remote addresses, and their states.
CurrPorts
File Edit View Option* Help

r‫ ־‬1 ‫ ״‬1 * ‫י‬

x S D ® v ^ ! t a e r 4* a - *
Process Na.. (T enroare.ere f ct1 rome.ere chrome.e5re f ehrome.ere CT chrome.«e ^ f ir t fc x ere £fir«fcx«x• (£fir«fcx «(« fircfcx.cxc
f1 rcfcxc.cc

Proces...
2 m

2988 2988
2 m 2 m

firef cx c.<c
\s , httpd.exe

1368 1368 1368 1368 1368 1368
1000

\thttpd.exe Qlsass.occ 3 l» 5 5 a e
____ »_____ <1

1800 564 564 ■ > 1

Protocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP

Local... 4119 4120 4121 4123 414S 3981 3982 4013 4163 4166 4168 1070 1070 1028 1028

Loc..

Local Address 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.0.0.1 127.0.0.1 10.007 1000.7 100.0.7 100.0.7
00.0.0

Rem... 80 80 80 80 443 3982 3981 443 443 443 443

Rem... http http http http https

https httpj httpj http;

Rercte Address Remote Host Nam 173.194.36.26 bcm04501 -in‫־‬f26.1 173.194.3626 bom04s01 -in-f26.1 173.194.3626 bom04501‫־‬in‫־‬f26.1 215720420 a23-57-204-20.dep 173.194 3626 bomOdsOI -in-f26.1 WIN-D59MR5HL9F 12700.1 12700.1 WIN-D39MR5HL9E 173.1943622 bom01t01‫־‬in-f22.1 173.19436.15 bom04!01 •in-flS.1 173.194360 bcm04501 -in-f0.1« 74.125234.15 gra03s05in-f15.1e 0.0.0.0
=

0.0.0.0

0.0.0.0
= >
N irS o ft F re e w a re . ht1p;/A nrA «v.rirsoft.net

T

79 ~ctal Ports. 21 Remote Connections. 1 Selected

C E H L ab M an u al P ag e 104

E th ica l H a c k in g an d C o u n term easu res Copyright © by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

FIGURE 4.1: Tlie CuaPoits main window with all processes, ports, and IP addresses

/ / CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.

2. CiirrPorts lists all die processes and their ID s, protocols used, local and remote IP address, local and remote ports, and remote host names. 3. To view all die reports as an HTM L page, click View ‫־‬ > HTML Reports ‫־‬A l l Items. M °- x ‫י‬ CurrPorts
F ile Ed it I V iew | O p tio n s H elp

X B 1
Process KJa 1 ^ I c h ro m e . C * c h ro m e l ^ c h ro m e .

Show Grid Lines Show Tooltips Mark Odd/Even Rows
HTML Report ‫ ־‬All I'errs

HTML Report - Selected terns Choose Columns Auto Size Columns
R‫״‬f r # { h

C * c h ro m e . ^ ch ro m c .

Address ).7 ).7 ).7 ).7 ).7

443

Rem.. http http http http https

( £ fir c fc x .c
g f-e fc x e

F5 1l i

.0 .1 .0 .1

3962 3981
443 443 443 443

( p f ir c f o x . e 1 (c

‫קז‬7‫ס‬

--- TV.V,0 .7

(Bfaefcxue JftfM co ta e
® fre fc x e te \h tto d .e x e

Vhttpd.exe Qlsassete

Q In the bottom left of the CurrPorts window, the status of total ports and remote connections displays.

1368 I368 1368 1800 1800 564 561

TCP TCP TCP TCP TCP TCP TCP

4163

4 1 5 6
4108

10.0.0.7 10.0.0.7 100.0.7

https https https https

1070 1070 1028 1028

o.ao.o
aaao

Remote Address 173.1943526 173.194.3526 173.194.3526 23.5720420 173.194.3526 127.0.0.1 127.0.0.1 173.1943622 173.19436.15 173.19436.0 741252*4.15 0.0.0.0
0. 0. 0.0

Remote Host Nam *
b c m Q 4 s 0 l-in ‫־‬f26.1 b c m 0 4 s0 l-in -f2 6 .1 bcm04s01 -in-f26.1 a23-57-204-20.dep S bom 04501-in‫־‬f26.1 W IN -D 39M R 5H L 9E W IN -D 39M R 5H L 9E

bem04s01-in-f22.1 bom04i01‫־‬in*f15.1 bom04s0l*in-f0.1< gruC3s05-1n‫־‬fl5.1e

79Tct«l Ports, 21 Remote Connection!, 1 Selected

NirSoft F re e w a re . h ttp ‫־‬ .//w w w .rirs o ft.n e t

FIGURE 4.2 The CunPorts with HTML Report - All Items

4. The HTM L Report automatically opens using die default browser.
E<e Ldr View History Bookm arks 1001 ‫ צ‬Hdp I TCP/UDPPorts List
^

j j f j_
' ‫־־־*־‬£• - Google P

( J f t e /// C;/User1/ Ad mini st ralor/Desfctop/cp0 fts-xt>£,repcriJit ml

^
‫י‬

T C P /U D P P orts L ist
=

E3 To check the
countries of the remote IP addresses, you have to download the latest IP to Country file. You have to put the IpToCountry.csv‫״‬ file in the same folder as cports.exe.

Created bv using CurrPorts RcmoU‫׳‬ Port Name. https http http hltp hltp http hnp hltp hnp

P m « j .Nam• chxame rx c chiome.exc ch101 nc.exe daome.exe daome.exe daome.exe cfcrorae.exe chfomc.cxc chrome exe

P rotiti Protocol ID 2988 2988 2988 2988 2988 2988 2988 2988 2988 TCP TCP TCP TCP TCP TCP TCP TCP TCP

I.oral Port 4052 4059 4070 4071 4073 4083 4090 4103 4104

I Aral Port N a*e

Local Addivit

Remote Port 443 80 80 80 80 80 80 80 80

Rtmvl« Addrtit

10 0 0 7 10.0.0.7 10.0.0.7 10.0.0.7 100.0.7 10.0.0.7 100.0.7 100.0.7 10 0 0 7

173 194 36 4 173.194.36.17 173.194.36.31 173.194.36.31 173.194.36.15 173.194.36.31 173.194.36.4 173.194.36.25 173 194 36 25

bo bo bo bo! boi
bo! bo! bo bo

>

FIGURE 4.3: Hie Web browser displaying CunPorts Report - All Items

5. To save the generated CiirrPorts report from die web browser, click File ‫־‬ > Save Page As...Ctrl+S.

C E H L ab M an u al P ag e 105

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

TCP/UDP Ports List - Mozilla Firefox
‫ ו ז ק‬id * «1 ry> H ito r y B o o k m a ik t Took H rlp

‫ד‬3 5 ■

m CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the ,Log Changes' option under the File menu

fJ c w l i b Window/ C p e n F ie . .

C W *T Ctr1*N C crU O » f1 ‫׳‬D cstto p/q )D 1 ts-x64/ rEpor: h tm l C • ! 1 ‫ ־‬Google

P

*

S * .« Page A s.. Ctr1*S Send L in k Pag* Setup-. P rm tP i& K w

Errt.
tl*

!, r o t i f j j

>111•
ID

r ro to c o l

!.o ral P o rt

I o r a l P o rt Name

L ocal A d d r v u

Rem ote P o ri

Kemotc P o rt Nam e

Keu1ul« A d d n i t

chiom e.cxc

2988 2988 2988 2988 2988 2988 2988 2988 2988

TCP TCP TCP TCP TCP TCP TCP TCP TCP

4052 4059 4070 4071 4073 408; 4090 4103 4104

10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 100 0 7 100 0 7 100 0 7 10.0.0.7 10.0.0.7

443 80 80 80 80 80 80 80 80

https http hnp http http http http http http

173.194.36.4 173.194.36.17 173.194.36.31 173.194.36.31 173 194 36 15 173 194 36 31 173 194 36 4 173.194.36.25 173.194.36.25

bo j bo : bo: boi boi boi boi boi b03

c f c 1 0 me.exe
chrome.exe

chrome.exe chrome exe

2Zy" By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.

chrome exe chrome exe chiome.cxe daome.exe

FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items

6. To view only die selected report as HTM L page, select reports and click
V ie w ‫ >־‬HTML R ep o rts ‫ ־‬S e le c te d Item s.
CurrPorts
File Edit | View | Option) Help

1- 1° ‫ ׳‬x -

X S

(3

Show Grid L‫אחו‬ Mark Odd/Even Rows HTML Report - All Items Address ).7 ).7 Rem... 80 80 80 80 443 3982 3981 443 443 443 443 Rem... http http http http http: Remote Address Remote Host Nam 175.19436.26 bom04s01-1n‫־‬f26.1 173.1943626 bom04s01-1n‫־‬f26.1 173.1943626 bcm04s01-in‫־‬f26.1f 215720420 323-57-204-20.dep 173.1943526 bcm04s0l-in-f26.1 12700.1 WIN-D39MR5HL9E 12700.1 WIN-D39MR5HL9E 173.1943622 bom04s01 -in-f22.1 173.194,36.15 bomOlsOI -in‫־‬f15.1 173.194360 bomOlsOI -in‫־‬f0.1c gruC3s05 in-f 15.1c 74125234.15 0.0.0.0 s 0.0.0.0
AAAA

Process Na P I Show Tooltips

^ Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

C
C

chrome.
c h ro m e f

H T M L Report ■ Selected te rn s

O ' c h ro m e “

F ■0.7
Ctrl♦■P lus P7 .0.1 .0.1 F5 J>.7 1000.7 1000.7 100.0.7 0.0.0.0 00.0.0 __
AAAA

®,firefcxe
(g fir c f c x e :

Choose Columns Auto Size Columns
Refresh

fircfcx e<v fircfox.exe fircfcx.cxc ^fircfcx.ccc httpd.exe ^ httpd.exe Qlsassexe Q ls a w a c « ---------a . -------

1368 1368 1368 1000 1000 564 564
14nn

TCP TCP TCP TCP TCP TCP TCP
T rn

4163 4166 416S 1070 1070 1028 1028
‫*־ו־‬ ‫«׳‬ ‫י‬

https http; http: https

79 'ctel Ports. 21 Remote Connections, 3 Selected

H irS o ft F re e w a re . h ttp . ‫׳‬,‫׳‬,w w w . r ir s o ft.n e t

a You can also rightclick on the Web page and
save the report.

FIGURE 4.5: CurrPorts with HTML Report - Selected Items

7.

The selected rep ort automatically opens using the d e fa u lt b row ser.

C E H L ab M an u al P ag e 106

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

TCP/UDP Ports List - Mozilla Firefox
ffi'g |d : V ‫־‬ » c v » Hatory Bookmaiks Toob Help
[

I

1 ‫ ־‬n J~x

] TCP/UDP Ports List
^

| +
(? ‫ ־‬GoogleP |,f t I

In the filters dialog bos, you can add one or more filter strings (separated by spaces, semicolon, or CRLF).

W c /'/C /l h e r v ‫׳‬Admin 1 strotor/Dr 5fctop/'cport5 ‫־‬r 64/rcp o ‫די‬i«0T1l

T C P / V D P Ports L is t

Created by ining CiirrPom I>ocal Local Port Address .Name 10.0.0.7 10 0 0 7 Remote Port Name https https

Process Name

Process Local Protocol ID Port TCP TCP TCP 4148 4163 1070

Reuiotv Port 443 443

Kvuiotc Address

Remote Host Name

State

dbiome.cxc 2988 firefox exe hUpd cx c 1368 1800

. £26.1e 100.net Established 173.194.36-26 bom04sC 1 m

c:
C:

173 194 36 15 bom04s01 tn-fl 5. Iel00.net Established C: Listening

FIGURE 4.6: The Web browser displaying CuaPorts with HTML Report - Selected Items / / The Syntax for Filter String: [include | exclude]: [local | remote | both | process]: [tcp | udp | tcpudp] : [IP Range | Ports Range].

8. To save the generated CurrPorts report from the web browser, click
File ‫ >־‬S a v e P a g e A s...C trl+ S
TCP/‫׳‬UDP Ports List ‫ ־‬Mozilla Firefox E dfe Vir* H utory Boolvfmki Took H W p N**‫׳‬T*b Open Fie... S*.« PageA;.
Sir'd l in k -

‫׳‬

r= > r* ‫י‬ fi *

Clrl-T

|+ | »r/Deslctop/cpo»ts x 6 A <repwthtml

an*N
Ctrl»0

C trl-S

Page :er.p. Pnnt Preview PrmL. ficit Offline Name Local Kcmole Toral Remote Port Port Address Port Name Name 1000.7 100.0.7 443 443 https https

ID
TCP TCP TCP

Local Pori 4148 4163

Remote Address

Remote Ilotl .Nioit

chtoxne.exe 2988 fiiefox-cxc httpdexe 1368

173.1943626 boxu04s01 -ui-1‘ 26. Iel00.net

Established C

173.19436 15 bom04s01-1a-115.lel00.net Established C

1800

1 0‫׳‬0

‫ ש‬Command-line option: /stext <F11ename> means save the list of all opened TCP/UDP ports into a regular text file.

FIGURE 4.7: The Web brcnvser to Saw QirrPorts with HTML Report - Selected Items

9. To view the p ro p e rtie s o f a port, select die port and click File ‫>־‬
P ro p erties.

C E H L ab M an u al P ag e 107

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

r® 1 File J Edit I View Options Help CtrM Ctri+T PNctlnfo Close Selected TCP Connections Kill Processes Of Selected Ports Save Selected Items Properties Process Properties Log Changes Open Log File Clear Log File Advanced Options Exit \ j 1 ttjd.exe \httod.exe □ lsass.exe Qlsass-exe 1800 1800 564 $64 TCP TCP TCP TCP 1070 1070 1028 1028 CtrUO CtiUS Alt^Entei CtiUP 1

CurrPorts

I - ] “ '

*

m

b&i Command-line option: /stab <Filename> means save the list of all opened TCP/UDP ports into a tab-delimited text file.

Local Address 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 10.00.7 127.0.0.1 127.0.0.1 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7

Rem... 80 80 80 80 443 3982 3031 443 443 443 443

Rem.. http http http http https

httpt https https https

Remote Address Remote Host Nam ‫ י׳‬1 173.194.3626 bom04301 - in-f26.1 1‫׳־‬3.194.3626 bom04501 ‫ ־‬in-f26.1 1^3.194.36.26 bom04s01-in-f26.1 23.57.204.20 a23*57204-20‫־‬.dep ■ 1T i 194.36.26 bom04s01-in-f2M 127.aa1 WIN-D39MR5Hl9f 127.0L0L1 WIM-D30MRSH10F 1‫־‬ ,1 194.3622 bom04e01-m‫־‬f22.1 173.194.3615 bom04s01-in-f15.1 173.194.360 bom04s01 m‫־‬f0.1c 74.12523415 gru03s05-in‫־‬f15.1e
0DS)S)

oaao aao.o

::
0DSJJJ

r.
> NirSoft Freeware, http:/wvrw.nircoft.net

‫״‬

‫־‬T

|79 Tctel Ports, 21 Remote Connections, 1 Selected

FIGURE 4.8: CunPorts to view properties for a selected port

10. The P ro p e rtie s window appears and displays all the properties for the selected port. 11. Click OK to close die P ro p e rtie s window
Properties
Process N am e: Process ID: Protocol: Local Port: Local Port N am e: Local A ddress: R em ote Port: R em ote Port N am e: 1 0.0 .0 .7 4 43 fire fo x .e x e 1368 TC P 4166

*

Command-line option: / shtml <Filename> means save the list of all opened TCP/UDP ports into an HTML file (Horizontal).

|https_________________
1173.1 9 4 .3 6 .0 bo m 04s01-in -f0.1 e 1 0 0.n e t E s tab lis h e d C:\Program Files (x 86 )\M 0 z illa F ire fo x \fire fo x .e x e Flrefox Firefox 14.0.1 M o z illa Corporation 8 /2 5 /2 0 1 2 2 :36 :2 8 PM W IN -D 3 9 M R 5 H L 9 E 4 \A d m in is tra to r

R em ote A ddress: R em ote H ost N am e: State: Process Path: Product N am e: File D escription: File Version: Com pany: Process C reated On: U s e r N am e: Process S e rv ice s : Process Attributes: Added On: M o d u le F ile n a m e : R em ote IP Country: W in d o w Title:

8 /2 5 /2 0 1 2 3:32 :5 8 PM

O K FIGURE 4.9: Hie CunPorts Properties window for the selected port

C E H L ab M an u al P ag e 108

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

S TASK

12. To close a TCP connection you think is suspicious, select the process and click File ‫ >־‬C lo s e S e le c te d T C P C o n n e c tio n s (or Ctrl+T).
2
CurrPorts
IPNetlnfo Close Selected TCP Connections Kill Processes O f Selected Ports SaveSelected Items Properties Process Properties Log Changes Cpen Log File Clear Log File Ad/snced Options Exit ^ httpd.exe httpd.exe □isass^xe QtoSfcCNe
^ J III

C lo se TCP Connection

-_,»r
Rem... 60 80 80 80 Rem... http http http http https Remote Address 173.19436.26 173.19436.26 173.19436.26 23.5730430 173.19436.26 127.0.0.1 127.0.0.1 173.19436.22 173.19436.15 173.19436.0 74.125.234.15 0.0.0.0 r o.aao r I> HirSoft freeware. r-tto:‫׳‬v/Yv*/n rsott.net

‫ד‬

C lrf♦■‫ו‬ Ctrl-T Local Address 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.00.1 127.00.1 10.0.0.7 10.0.0.7 10.0.0.7 0D.0.0 om o Remote Host Nam ‫ י׳‬I bom04s01-in‫־‬f26.1 bom04s01-in‫־‬f26.1 bom04sC1 in-f26.1 023-57 204 2C.dep = bom04s01 in‫־‬f26.1 WIN-D39MR5HL9e WIN-D39MR5HL9£ bom04s01 -in-f22.1 bom04s01-in-f15.1 bom04s01 ■in-f0.1s gru03s05-in-f151e

CtH-S AH- Enter Ctrl— P

4 4 3
3932 3931 443

Ctrl+0

4 4 3 4 4 3 443

http: https https https

1£03 1800 564 564

TCP TCP TCP TCP ­‫״ ד‬

1070 1070 1028 1Q 28

7? Tot«! Porte, 21 Remote Connection! 1 Selected

FIGURE 4.10; ,Hie CunPoits Close Selected TCP Connections option window

13. To kill the p r o c e s s e s o f a port, select die port and click F ile ‫ >־‬Kill
P r o c e s s e s o f S e le c te d Ports.
CurrPorts
File j Edit View Options Help

I ~ I‫* ' ם‬

fi

TASK

3

P N e tln f o C lo s e Se lected T C P C o n n e c tio n !

an♦!
Clil^T Loral Addrect 10.0.07 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.0.0.1 127.0.0.1 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 O .Q .Q .O Rem... 80 80 80 80 443 3962 3981 443 443 443 443 fam.. http http http http https Remote Addrect 173.14436.26 173.194.3626 173.194.3626 215720420 173.1943636 127.0.0.1 127.0.0.1 173.1943632 173.19436.15 173.19436.0 74125334.15 0.0.0.0 Remote Host Nam * bom04t01*in-f26.1 bomC4t01-in‫־‬f26.1 bomC4j01 -in-f26.1 a23-57-204-20.dep s bcmC4s01-in-f26.1 WIN-D39MR5HL9E WIN-D39MR5HL9E bomC4s01-in-f22.1 bom04s01‫־‬in‫־‬f15.1 bom04s0l‫־‬in‫־‬f0.1e gru03s05-1n-M5.1e

Kill P ro ce s s

kin Processes Of Selected Ports Save Selected Items
P r o p e r tie c P r o c e s s P r o p e r t ie s

Ctrt-S A t -E n t e r

CtrKP

Log Changes Open Log File Clear Log file Advanced Options
Exit

https https https https

V htt3d.exe Vbttpd.exe □l«ss.ete □ katc *1*

1800 1800 564 561 II

TCP TCP TCP TCP

1070 1070 1028 1028
___

o.aao
/)A A A

‫ר‬

79 Tctel Ports, 21 Remote Connections, 1 Selected

M irSoft F re e w a re . h ttp -J ta /w w .rirs o ft.n e t

FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports Option Window

14. To e x it from the CurrPorts utility, click File ‫ >־‬Exit. The CurrPorts window c lo s e s .

C E H L ab M an u al P ag e 109

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

CurrPons
File Edit View Options Help QH+I CtrKT .. Local Address 10.0.0.7 10D.0.7 10.0.0.7 10.0.0.7 10.0.0.7 127.0.0.1 127.0.0.1 10.0.0.7 10.0.0.7 10.0.0.7 10.0.0.7 0.0.0.0 = 0.0.00 /‫ ו‬a /\ a Rem... 80 80 80 80 443 3987 3981 443 443 443 443 Rem‫״‬ http http http http https Remcte Address 173.194.36.26 173.194.3626 173.194.3626 21572Q420 173.194.3626 127DD.1 127X10.1 173.194.36-22 173.194.36.1S 173.194.36i) 74.125.234.15 0.0.0.0 = 0.0.0.0 = AAAA PNetlnfo Close Selected TCP Connections Kil Processes Of Selected Ports

1- 1° ‫ ׳‬- ’

h id Command-line option: / sveihtml <Filename> Save the list of all opened TCP/UDP ports into HTML file (Vertical).

Save Selected Items Properties Process Properties log Changes Open Log File Clear Log File Advanced Option! Ext \thttpd.exe \thttpd.exe Qlsas&cxe H lsais-ae ■ ‫־־‬ 1800 1800 564 564 TCP TCP TCP TCP rrn

Ctrfc-S At-Eater CtH«‫־‬P

CtH-0 1 1070 1070 1028 1028

https https https https

Remcte Host Nam bom04s01-in-f26.1 bom04s01-in-f26.1 bom04s01-in‫־‬f26.1r a23-57-204-20.deJ bom04t01-in-f26.1| WIN-D39MR5H19P WIN-039MR5HL9E bomC4101-in-f22.1 bomC4i01 in‫־‬f15.1 bcmC4s01 in f0.1q gru03sG5in-f15.1e

itnt

__

79 T ctal Ports. 21 Remote Connections. 1 P ie c e d

Nil Soft fre e w ere. Mtpy/vvwvv.r it soft.net

FIGURE 4.12: The CurrPoits Exit option window

Lab Analysis
Document all die IP addresses, open ports and dieir running applications, and protocols discovered during die lab.
feUI In command line, the syntax of / close command :/close < Local Address> <Local Port> < Remote Address > < Remote Port ‫ * נ‬.

T o o l/U tility

In fo rm atio n C o llected /O b jectiv es A chieved Profile D etails: Network scan for open ports S canned Report: ■ ■ ■ ■ ■ ■ ■ ■ ■ Process Name Process ID Protocol Local Port Local Address Remote Port Remote Port Name Remote Address Remote H ost Name

C urrP orts

C E H L ab M an u al P ag e 110

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

PL E A S E TA LK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.

Q uestions
Q CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

1. Analyze the results from CurrPorts by creating a filter string that displays

only packets with remote TCP poit 80 and UDP port 53 and running it. Analyze and evaluate die output results by creating a filter that displays only die opened ports in die Firefox browser.
‫כ‬.

Determine the use o f each o f die following options diat are available under die options menu o f CurrPorts: a. Display Established

b. Mark Ports O f Unidentified Applications c. Display Items Widiout Remote Address

d. Display Items With Unknown State In te rn e t C o n n ectio n R eq u ired □ Yes P latform S u p p o rted 0 C lassroom 0 !Labs 0 No

C E H L ab M an u al P ag e 111

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab

Scanning for Network Vulnerabilities Using the GFI LanGuard 2012
GFI LA N gw rd scans networks andports to detect, assess, and correct any security vulnerabilities that arefound.
I CON KEY
Valuable information ✓ Test your knowledge Web exercise

Lab S cenario
You have learned in die previous lab to monitor TCP IP and UDP ports 011 your local computer or network using CurrPorts. This tool will automatically mark widi a pink color suspicious T C P/U D P ports owned by unidentified applications. To prevent attacks pertaining to TC P/IP; you can select one or more items, and dien close die selected connections. Your company’s w e b serve r is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by die ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses diis vulnerability and places a b ack d oor on th e server. Using die backdoor, the attacker gets complete access to die server and is able to manipulate the information 011 the server. The attacker also uses the server to leapfrog and attack odier servers 011 the ISP network from diis compromised one. As a se cu rity adm inistrator and penetration te s te r for your company, you need to conduct penetration testing in order to determine die list o f th re a ts and vulnerabilities to the network infrastructure you manage. 111 diis lab, you will be using GFI LanGuard 2 0 12 to scan your network to look for vulnerabilities.

Q

W orkbook review

Z U Tools dem on strated in this lab are a va ila b le in D:\CEHTools\CEHv8 M odule 03 S canning N etw orks

Lab O bjectives
The objective o f diis lab is to help students conduct vulnerability scanning, patch management, and network auditing.
111

diis lab, you need to: ■ Perform a vulnerability scan

C E H L ab M an u al P ag e 112

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

■ Audit the network ■ ■
Q You can download GFI LANguard from http: / /wwwgfi. com.

Detect vulnerable ports Identify sennit}‫ ־‬vulnerabilities Correct security vulnerabilities with remedial action

Lab Environm ent
To perform die lab, you need: ■ GFI Languard located at D:\CEH-Tools\CEHv8 M odule 03 Scanning
N etw orksW ulnerability Scan ning Tools\GFI LanGuard

■ You can also download the latest version o f GFI L an gu ard from the link h ttp ://www.gfi.com/la 1111etsca 11 ■ I f you decide to download the la te s t v e rsio n , then screenshots shown in the lab might differ

■ A computer running W indow s 2 0 12 S erver as die host machine ■ ■
Q GFI LANguard compatibly works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/ Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

W indows S erver 2008 running in virtual machine

Microsoft ■NET Fram ew ork 2.0
S can n er

■ Administrator privileges to run die GFI LANguard N etw ork S ecu rity ■ ■ It requires die user to register on the GFI w e b site http: / / www.gii.com/la 1111etsca11 to get a lic e n se key Complete die subscription and get an activation code; the user will receive an em ail diat contains an activation c o d e

Lab D uration
Time: 10 Minutes

O verview o f Scanning N e tw o rk
As an adminisuator, you often have to deal separately widi problems related to vulnerability issues, patch m an agem ent, and network auditing. It is your responsibility to address all die viilnerability management needs and act as a virtual consultant to give a complete picture o f a network setup, provide risk an alysis, and maintain a secure and com pliant n etw ork state faster and more effectively.
C -J GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type o f ch eck in g performed during a network security audit. These include open port checks, missing Microsoft p a tch e s and vulnerabilities, service infomiation, and user or p ro c e s s information.

C E H L ab M an u al P ag e 113

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab Tasks
Follow die wizard-driven installation steps to install die GFI LANguard network scanner on die host machine windows 2012 server. 1.
B T AS K 1
Scanning for V ulnerabilities

Navigate to W in dow s S e rv e r 2 0 12 and launch the S ta rt m enu by hovering the mouse cursor in the lower-left corner o f the desktop

Zenmap file installs the following files: ■ Nmap Core Files ■ Nmap Path ■ WinPcap 4.1.1 ■ Network Interface Import ■ Zenmap (GUI frontend) ■ Neat (Modern Netcat) ■ Ndiff
Windows Marager Google

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanG uard 2 0 12 app to open the GFI LanG uard 2 0 12 window

bm

r
N nd

*

V

e

FT‫־‬

£

S I
2 )G

0
FIGURE 5.2 Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main w in d ow appears and displays die N etw ork Audit tab contents.
/ / To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.

C E H L ab M an u al P ag e 114

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

GFI LanGuard 2012
I - | dashboard Seen R em edy ActMty Monitor Reports Configuration UtSties W D13CIA3 this ■ ‫י‬

Welcome to GFI LanGuard 2012
GFI LanGuard 2012 is ready to audit your network iw rtireta& dites

L o ca l C o m p u te r V u ln e ra b ility L ev el

options which provide quick access to scanning modes are: ■ Quick scan ■ Full scan

ea The default scanning

u s• ‫־‬ N an a 9# *gents‫ ־‬or Launch a scan‫ ־‬options 10 , the entile network.

JP
9

V iew Dashboard
Invest!gate netvuor* wjinprawiir, status and a u til results

Rem odiate Security Issues
M< Deploy missing patches untnsta«w w uih0rt»d30*1‫׳‬a‫״‬e. turn on ondviius and more

{'Mow cafh'e.

— iihjIJ■ :

C u n e n t V u ln e ra b ility L ev el is: High

%

M anage A g e n ts
Enable agents to automate ne*vroric secant? au d i and to tfstribute scanning load across client macrones

■ Launch a custom scan
Launch a Scan

■ Set up a schedule scan
LATES1 NLWS V# 1( V*, ? *-A jq -7 01 7 - Patch MmuxirTimri - N n pi t x k u l a ^ n t e d 74 A q 701? Patch Mnrvtgnnnnl

Manually set-up andtnuser an aoerSess ne*rrxfcseajrit/ audit

-I

I D I -XI } u n j p W ‫־‬t>m ? !1 7 ( ft m » la r ‫ ־‬l w

mr‫»־‬

Added MCOort fo r APS81? IS . M ohr. Arrvhm !) 5 2 Pro and Standivri

tr.vi • n -

24-AJO-2012 - Patch M4 u u « m < - A dd'd n u w l

10(

APS812-1S.

Mobm Acrobat

10.1.4 Pro

mtd

St— a - 0 - - M j u t

FIGURE 5.3: Hie GFI LANguard mam window m Custom scans are recommended: ■ When performing a onetime scan with particular scanning parameters/profiles ■ When performing a scan for particular network threats and/or system information ■ To perform a target computer scan using a specific scan profile

4.

Click die Launch a S c a n option to perform a network scan.
GFI LanGuard 2012
Ooshboerd Scan Remediate A d M ty Monitor Reports Configuration Ut*ties «t D i»e 1«s thb version

Welcome to GFI LanGuard 2012
G FI LanGuard 2012 1& ready to audit your network V * * A m a b M w s

L o ca l C o m p u te r V u ln e ra b ility L ev el u se ‫־‬van a ;# Agents ‫ ־‬or Launch a scan‫ ־‬options 10 auoa the entire network.

JP
9

V iew Dashboard
Investigate network! wjineraMit, status an d auai results

R em ediate Security Issues
Deploy missing patches uninsia■ un8uv>o<Ue4soS«rare. turn on antivirus ana more

t -

‫יז‬.‫&־‬

^ -‫־־־‬

iim j M

:

C u n e n t V u ln e ra b ility Lovel is; High

%

M anage A g e n ts
Enable agents to automate noteror* secant* aud* and to tfstnbute scanning load across client machines

Launch a Scan
Manually *<rt-up andtnooer an ag erttest rw‫׳‬tw j‫»׳‬. »ta in t / audit L A I L S I NLWS <j V* ?4 -A jq-?01? - f a i t h M<au»)«nenl - N r . p n x k jrf ! ^ p o r t e d P O F-X D u m ^r M e n a 2 ‫ ל‬TOb meu l a - R m i 2 4 A jq -2012 Patch Management Added support fo r A P S 812-16. Adobe Acrobat 9 5 2 Pro and Standard -»‫־‬ « ‫־‬ -

24-A ju -2012 - Patch MdHdumuiri - Added s u v o it lor A PS812-16. Adobe Acrobat 10.1.4 Pro and Standcffd - F=ad ‫■ »־‬

^ If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.

FIGURE 5.4: The GFI LANguard main window indicating die Launch a Custom Scan option

5.

Launch a N ew s c a n window will appear

i. ii. iii.

111 die Scan Target option, select lo ca lh o st from die drop-down list 111 die Profile option, select Full S ca n from die drop-down list 111 die Credentials option, select currently logged on u ser from die drop-down list

6. Click Scan.

C E H L ab M an u al P ag e 115

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

GF! LanGuard 2012
•> l « - I
ta u a d ia t n e S a n SCar‫ ־‬aro2t: b a te : O t0 e n :‫־‬fck»/T«rt(r ockcC on uso‫־‬ Scar Qaccre... S o n ■ n d t i O vrrvle w SOM R r u l t i O rta 1 l< V v M pooac: jf- J S ^ n ?axrrard: II ‫—י‬ II v *

’‫ ן ־‬° r x ‫־‬
C onf!guraU on III41m C J, Uiscuu ttm1

D ashboard

Scan

Ranrdijle

A ctiv.tyM onitor

R eports

m For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

FIGURE 5.5: Selecting an option for network scanning

7.

Scanning will start; it will take some time to scan die network. See die following figure

m Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After completing die scan, die s c a n result will show in die left panel

C E H L ab M an u al P ag e 116

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

&
ccaftoct 4

G FI Lar>Guard2012
y I I Dashboard Scan Rcfnrdutr Actwty Monitor Reports Configuration Lttrfrtm

, ‫ ־‬I□

‫ ־‬x

tauKkalnikin
Scan Target V K a te : ... | F a lS a r j£c1'«arr: C j-rr& t bcaed on iser v Eaasword: H

II
Scan R r a k i D etail*

Scan R n a k i o vrrv irw •team ta rg e t: lo r.ilho s t

-

y \

10 0 0 7 | WM-D39MRSIIL9I41 (WiixJwwa .

*

Scan completed!
SutnmwY 8f *ear resuts 9eneraf0<1 du T >51

m

Types of scans: Scan a single computer: Select this option to scan a local host or one specific computer. Scan a range of computers: Select this option to scan a number of computers defined through an IP range. Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list. Scan computers in test file: Select this option to scan targets enumerated in a specific text file. Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.
Scanner Ac tM ty Wkxkm ‫*ו^יז‬ CanptJar VJU H > ra W Jt« !a

V u ln e r a b ility l e v e l: The average vulnefabilty B.e (or ttus sea‫ ־‬nr s 1

H jjjjtfiia fl

R e s u lts s ta tis tic s : Audit operations processed; LKssina software updates: Other vulneraNlthcs: Potential vulnerabilities:

2 0< 2 0 C ‫׳‬tc a i‫׳‬H g r>
1313 Crecol'-.qh) 3

1>703 a u * operations processed

• Citar *nan? p ifc tv * scar fhe ! ‫ז<יו‬4‫ ו‬: ate 101 f r s q v aftw m r■ w unr is atvaM or not found

----------- 12- 1

i

FIGURE 5.7: The GFI LanGuard Custom scan wizard

9. To check die Scan Result Overview, click IP a d d ress o f die machinein die right panel 10. It shows die V ulnerability A s se s s m e n t and N etw ork & S o ftw a re Audit: click V ulnerability A sse ssm e n t

ESCafiTaroiC: ocafost Q ederufe:

GFI LanGuard 2012
J | ^ | Daihboaid Sean R annU ( A d M y M o r ilo r Reports Configuration Ut44«s W, Dis c u m tvs vtssaan

Piofe: v j . . . | |F‫ ״‬IS 1‫״ ־‬ Userrvaae: II ?a££0.‫׳‬rd: J ••• 1 ___ ^ _____1 * 1 •

C j‫ ־‬end, bcaec on user

1Results Details
# | V a n t n r y t : lornlh ost 0 1 0 0 ‫ ר ־‬V |WIW-OJ9MtOHL9L4| (W im km s J ] j . ‫־‬ • , < 1> w a H 1ty W ^ n r r n t | n Net-war* & Softwire Audit V u ln e ra b ility le v e l: f►•* corrvwar dues not have a Vuhe'a Hty te .e l •VII. * : | ‫[ ׳‬YVM-03 9 MR%ML<H4 | (Windows Server ?01 ? 164 )

Y/fcat dim

iraan?

Possible rea s o n s : t. Tha •can b not Inched yet. 2 . OsCectbn o f missing patches and vuiner abif.es 8 3«at>«d * a ■ n a scannira profle used to perform the scan. 3‫ ־‬The credentfeia used 10 3c8n this compute' < ‫ נג‬nor »»:«* • * w a r t y ecamer 10 refrteve 81! required hformaton tor eum atro we VutteroBlty Level An account w th s a u n r r a , • :rs -e o e i or rne target computer is requred * Certan securty srttnqs on the remote CDtrputer Dtoct r * access of Ite security scanner. Betam s a fart of msst

Scaruicr A c tM ty Window

flte e tlK M Q L

H1 rv *d I (k ill•)

U ..‫ ״‬M

•' ■ < v > I Ic — t f i i s l d r i I ft w w l

FIGURE 5.8: Selecting Vulnerability Assessment option

C E H L ab M an u al P ag e 117

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

/ 7 During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including: ■ Missing Microsoft updates ■ System software information, including unauthori2ed applications, incorrect antivirus settings and outdated signatures ■ System hardware information, including connected modems and USB devices

11. It shows all the V u ln era b ility A s s e s s m e n t indicators by category -‫־‬Tbl‫ ־‬x ‫־‬ V GFI LanGuard Ld > « ‫־‬
2012 Dashboard Sun R&neddte Activity Men!tot Reports Configuration JUbties W, D18CUB8 •as v«a«on._ la a o d i a Merc Scan

Bar Target;
‫ | ׳ י‬j ... c/fomess [cu rfrS r twftfonutier

»roS»: MScarJgynang: Password: 5o r

3$

V 1
Stan R evifttO eU N a

Scan lU n u tti Overvttm ^ f $ u a U r « « t:lQ u lm l S IS ItM J ( m R - K M M U H U M ](W M to m . A ‫ * *־י‬security wirerablof a (3) Jl M e C to mScanty Vuherabirtes (6 ) j , low Searity Viinerablitfes (4J 4 PofanBd Vuherabltea (3)

Vulnerability Assessm ent
5«tea ene of the 4U01Mrx) wjfcerabilry ‫»*ל‬3‫יי‬

-

• «uhefeblty Astastrocnt

*qn security Vumerabtmes (3) X b u you to analyze the 1‫ ״‬0‫־‬secuirty v j r e t b i : a ^ ■Jedium Security VulneraMKies (6) ilo«.sycutoanaJy 7 e t h s r r « lu n 1 ec1 rityvurerai> i 5es Lo w Security Vulnerabilities 14( ^ . yeu to a‫׳‬15 iy » the lc« 9 ecu Ity Potential vuln erab ilitie s ) 1 ( Xb>.s y«u to a-elvre tiie information security aJ ‫־־‬o t tit-fung Stiivfca Packs and Updalo Rollups (1) U>»3ycutoane(yK th crm eiro iervm p K tsn Vm evn

A

t
#

Meshc service Packs and Usdate =&u>s (1} Msarvs Security Lfxlates (3)

-

_* Hec*alt&S0ftAareA1rft

.

thread I (Idle) |Scan Pvead 7 ( d t ' I 5 u n t 1 « : 3 O tfic]

B ras

FIGURE 5.9: List of Vulnerability Assessment categories

12. Click N etw ork & S o ftw a re Audit in die right panel, and dien click System Patching S tatu s, which shows all die system patching statuses LinOuard 1- ‫ ״‬r ‫ ״‬1 < U )' Rrpoiti to ■ > 1
C ri 2012 • 4 Dmhboard Sran Re‫*»״‬Aate Activity Monitor Configuration JM airt lliir in it n v n w m ta u a d ts New Scan Scar ’ • o e ‫־‬ h -‫״ ״ ״‬ O a fa tta b: |0 rren#» o g c « or u er ‫ ־‬1 - 11 '‫־״‬ J s e n re ; Pais/.ord: Sari Ho ft*. * |« &

Scan R esafe Overview 9 Scan ta r v e t iocalhost I M A / [W » 0 3 9 N R S W « 4 ] ( I M l t K M iia eb itv t o n T e i l A ‫־‬, C*' SecultY ViiieraMitte( (3) rv*4un security vUrcrabilBe• (6)

1 R em its Detais m

- 3 1 8 5 4

S ystem P a tc h in g S tatus
Select one of tte M ta h g system w tc h ro M U

Due to the large amount of information retneved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.

X X taw Security V\J*»ablt 11s (4) X c ‫״‬or»«nal vunrrahltif# (‫)ג‬
t f > W < 1Saq1 UyUD0«Ufctt)

M in ting Servlet‘ P a c k* ■•nit Update RoSupa (1)

AlsmyeutaaiYilyiethrrnaingap'verpttlMnfarmaw

*toarq Service Pata wv4 itodate RaJl«M {I)

Mk m J%

Missing Security Updates ( , J) Alowt Mu U nWy.'t U1« mlBtfiO Mcvltv updatat »1fo‫׳‬Tnalor Missing Non-Security Updates (16) Alan* you to analyie the rwn-security ipaatea rfam ssen staled Security Updates (2) JUave you ‫ ט‬an4 >2s tJlc ilitaifed security U>Ca‘ x h ftm ala■

I

‫\ ״‬f toar y - a ^ V flfc nuflt I
S % Ports U A *)-

fi

rtor&Atrc Software

a

system inlbnnaaon

J%

instated Non-Security Updates ( 1 ) Alo5‫ ״י‬you to analyze the nstalicd nor-setuity

Scanner A ctm ty VVaitkm Starting security scan of hoar WII1-I139MMSMI 9t 4[1 c 0.0 /] lane: I M I t U PM : 1 .v 'r y Scan thread 1 (idle) S c it r a a : I( d * :

X
g

*\m ~ ‫־‬ .! t » . 3

:rrgr*

FIGURE 5.10: System patching status report

13. Click Ports, and under diis, click Open TCP Ports

C E H L ab M an u al P ag e 118

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

m A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. Vanous parameters can be customized during this type of scan, including: ■ Type of scanning profile (Le., the type of checks to execute/type of data to retrieve) ■ Scan targets ■ Logon credentials

&
jbcahoK Q c0 en ‫־‬ .dfe. 9

GFl LanGuard 2012 •> l«- I
Scan R arm fcale £*! 1v t y M onitor Reports Corrfigura CJ,

1- 1 ■■
U i s c u u tins 1

V I .. . I |M S w 1 U envaae: SasGword:

‫•ויי‬

|0xt«rtK ocKcC on us®‫־‬

II
• ft) £ ^ B £ s ^ 9 9 ^ « £

1 __

* = _____

1
(kt/0er re»t Tfonjfcr PttitoroO]

v ‫־‬a«1 tn rprT-. lorn lho*r

so iDf*crpno‫ ״‬: Mytxrtrrt Trerwftr Protocol {^‫ > ליודז‬s r -w r : h ttp
5‫( כג‬C w u c to - DCC w»i1u‫ ״‬l ‫« ׳‬sOl)0«‫־‬ 1f ) ►**CTt*0‫׳‬V NMKOS 5 M » 1 ‫ ׳‬S*fM » I SOTOt r « » ‫״‬n]

‫־‬ • R : ; 10.0.0.7 |WIN-039MR5IIL9t4| (W m dvn _

^ 9

- • viA w jB M y**ow tw fnt
J l ‫)*־‬h Sacuity ‫״<«ו\י‬rfiltr* (1) ^ X ^ # B *. Mtdum Scanty Miner dMIUet (6} Law Seeunty VUnerabttiei (4} PoewtOii VOwaMitfeC (3) M sangSecuity Updates (3)

*4J P fia p to n : MooioftOS k t t * O m la v , VMntfcwt V a n fim it w : Lrtnamn] 10J7 piMotooon: !r#t»1 fo, 1 ( tM &*ervce h not t1‫»׳‬Urt(d :*•>*« caJO &• Croj^r: eiandwtjne, Oaufipy *rd others / Sev»c t-.H |Deunpecn: LSASS, If tha » m « is not ratafc* be-*ae catfc ;<■ trsjan: Ctotafipy Network x, Oath am3 etners / Ser : : - 2 |C«sobacn: Me Protect. MSrtQ, t " t e 1 v. M >)elc ‫־‬-» ‫י‬- » a)c ro( r •-U wJ D*m«r* COuU ttt uojan: BLA trojan . S e 4‫׳‬ 1241 | t « c r o o c : Ne35u5 Jcarity Scanner /S erver: 1r*no«nJ 1433 (O sac & cn : Microsoft SQL Server database r a ‫־‬ a j r w : srts c n Ser .er j S a -kx ; Ofcnown]

# Moang Service Pocks ond tp4?te R0 I1 O9 CO *•ernoHc 8 1Software Audit ( ( System Patchr g Status I . floe ‫ ״‬1 ‫׳>־‬P torts {Sj I

]‫־‬333

w Coen LC» Ports • ) 5( A Hardware 1 i f Software . System [nfbmodon w ooer ActKRy Wtaiduw

11

‫־‬1pr..«t4scev * ‫ ׳‬y v a n thread 1 (td lr)

Sea‫ ״‬wrfad ‫) י‬/ Ip ( | 5 0 ‫׳*־■ ־‬.vl ! :<*>)

error•

FIGURE 5.11: T C P/U D P Ports result

14. Click S y ste m Information in die light side panel; it shows all die details of die system information 15. Click P assw ord Policy
GH LanGuard 2012
E B > 1 4 - 1 Dathboatd Scan Ravrwifcalr ActHity Monitor Reports Configuration UaUwt W.

r‫ ־ ־‬° n n
1)1*1 lew •«« m u i i

tauach a Mew scan ScarTargtc a ih x : &ederate: Z~M~CTt, bcced on toe‫־‬ S a r Co'janu... Scan R e ta k t O vn vm n % open IX P Ports (5) Sf A | Scan I r a k i Deta lie J *‫!־*׳‬run poaawd length: 0charVaxnuri EMSSiwrd age: 42days * * ‫״!־‬unoaa'wordsgeiodays >Mgw0rd mtary: n o h ttay V v P0.‫־‬ «t : | . . . I (‫׳‬SjIScan L&c‫ ״‬iaBL ? aaiw d : 1 U1J 1 __ 3 •

___ * ‫ ׳‬I5 0 f r » g n e
Systsn Infotmabotj

‫־‬ta‫־‬d/.«e

J
J J

a 9ki\‫׳‬. W ,|l H W .\fx C .!■ ■ > > • > 1
• S * .u l(. Audit Policy (Off)

J ! Peace « p f f r e iw force

L_/ The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.

W f Re0**v f t Net&JOS Mamas (3)

% Computet
t j | 610Lpt (28) & Users (4) Logged Cn Users ( 11) ^ Sesscre (2) % J<rvce5 (148) ■U Processes (76) , Remote TOO (Tme O f Oay)

Scanner Activity Window

■t- ‫ ״ ׳‬I

1

,

V 1‫״‬n thrv*d I (k llr)

S c a n th e flU C *) i f< * 41‫' ׳ ' ! ־‬

A ) ’

I ‫'" ׳ י י‬

FIGURE 5.12 Information of Password Pohcy

16. Click Groups: it shows all die groups present in die system

C E H L ab M an u al P ag e 119

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

G FI L a n G u a r d 2 0 1 2

‫ ׳‬-T o Configuration !) 19CUB3 Ultt VWttKJR—

m A high vulnerability level is the result o f vulnerabilities or missing patches w hose average severity is categorized as high.

*

>‫־‬

D ashboard

Sun

ftftn c a & e

Actmrty M onitor

R eports

‫ר‬

vl W CrM e r e s t [c u T € r*f eooed cn user ■c c ':era

**S c a n -igemane: Password:

H

H
S c *• RevuJU D e U ik Control A u cU at* Cws abx 1 *f t ■f t* P n t t a w i u v rctg rv •f t0*Ji.s O •f tcmfcw aw# dccmwcm O (V'tey j M ‫>׳‬ t w it s '! *f t ■f tCfctrtutedCCMUser* & *n t Log Straefcrs ‫י‬f t •f tGuests

1 R tfv n lti Overview
r A % C 0 «nUOPPwts(5) Menfciore

• . 1 Softo•'(

• ^ S ym rmtnknranon
« S h » » ( 6) Sxunty AudtPotcy (Off) • 4• Pd«wo1 ‫ ) ׳‬Pd iy

# ‫ ־‬lUotetry f t NetflCCS Narres (3) % Computer

l*i groups(2a)I I W 4}
•? . -OXfC 0 ‫ ״‬users ( 1 ‫)נ‬

* ft ‫ יי‬ft
* ft ‫־״‬ft • ft
• ft ‫ ז‬a

K>pe‫ ׳‬V Adrritstrators E5JUSRS r^tv>:‫ < ׳‬Ccnfig.rstcn Cp‫־‬rators Psrfertrsnce Log Users P r‫־‬fty 1r 5rcc '\ r P M v lS e r s

~a users

A scheduled scan is a network audit scheduled to run automatically on a specific date/tim e and at a specific frequency. Scheduled scans can be set to execute once or periodically.

%

S«ss»ns (2)

% Servfcee (l•*©) H i ®rocrase* (76) ‫ ג‬en»te t o o ‫ מיו חן‬O f 0 »y)

♦a » a **?Operators
RES Ehdpcut Servers PCS Manage‫»״‬ent Servers

W w rt* ‫״‬

- .

S*rf« 1l 1f 1 .nl 1 (tdl•‫ | )׳‬Scan tfve*0 ? frt*)

Soan *read S * fe ) | 8 ‫ י‬0‫| • ׳‬

FIGURE 5.13: Information of Groups

17. Click die D ashboard tab: it shows all the scanned network information
GFI LanGuard 2012

1 ° n ^ ‫׳‬
Configuration UUkbe; ‫זי‬/.‫־‬ O u c u M ln a varam ..

> 4 5‫ ״‬I q Crap
it 6mel1n*ork
f j UKJ»-c«t: ttlh-03»Ma.5rt.4£-»

I Dashbcurdl

Sun

Remedy!*

Activity Monitor

Reports

!t

f#
Ce m ctm

V»'
•w «v

1

to

*

4t

V
PeA*

ViAirrnhlfces

SdNiare

fei *J

v

(

Entire Network -1 com puter
Security S«1tors w n w a rn i w u w •

‫^' ־‬ucj1!)<»w >:y10«j<1iR <x1> I t is recommended to use scheduled scans:
m

___ H T«W 9M IM ^g ^ ‫ ז‬C S ^ lK I Lra tra -on ie d Aco*c O C co‫ ־‬pu‫־‬c r j A u l t Sure* 0 « ‫! »י ״י ד‬ : _ ; o 0 cancuters Malware Protection ... ‫ ו‬computers Agent Hemm Issues 0 C0npu18C8

rS \
Most M ra ra n e c aw oJSfS V. SC 3y ‫ ^ ׳‬L

1 0 cc<rpute5‫־‬ Service Packs and U-

■ T o perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters • T o tngger scans automatically after office hours and to generate alerts and autodistribution o f scan results via email ■ T o automatically trigger auto-remediation options, (e.g., Auto download and deploy missing updates)

Occrrputers Vulnerabilities 1C O ‫״‬p0t«r9 ,A iirraN ity Trend Owe' tm e

‫כ‬

364

Io

_

w
Maraqe saerts

Computer V14>erabfey CBtnbLiivi

: o ‫ ־‬f u t M By G peratng Syftem

S c = radrs fra r.tfg g n a M np .ra Z star can...
j

■ H Lsr-.‘ .K r x fl* n ...

Sec :w dg-.as.‫״‬

C^pm:-jr_

1*aer*Stofcg|\>3tStafcg|

C om putes S ■O0€>ath. ■ . | C onpjters By r te t» o rt.. I

o

1 v ,v o > 5 S e‫«׳‬

FIGURE 5.14: scanned report o f the network

Lab A nalysis
Dociunent all die results, dueats, and vulnerabilities discovered during die scanning and auditing process.

C E H L ab M an u al P ag e 120

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

T o o l/U tility

In fo rm atio n C o llected /O b jectiv es A chieved Vulnerability Level Vulnerable Assessment System Patching Status Scan Results Details for O pen TCP Ports Scan Results Details for Password Policy

G F I L an G u ard 2012

D ash b o ard - E n tire N etw o rk ■ Vulnerability Level ■ Security Sensors ■ M ost Vulnerable Computers ■ Agent Status ■ Vulnerability Trend Over Time ■ Computer Vulnerability Distribution ■ Computers by Operating System

PLEASE TALK TO

Y O U R I N S T R U C T O R IF YO U R E L A T E D TO T H IS LAB.

HAVE

QUESTIONS

Q uestions
1. Analyze how GFI LANgtiard products provide protection against a worm. 2. Evaluate under what circumstances GFI LAXguard displays a dialog during patch deployment. 3. Can you change die message displayed when G FI LANguard is performing administrative tasks? If ves, how?

In tern e t C o n n ectio n R eq u ired □ Yes P latfo rm S u p p o rted

0 No

0 C lassroom

0 iLabs

C E H L ab M an u al P ag e 121

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Exploring and Auditing a Network Using Nmap
N/nap (Zenmap is the officialA',map GUI) is afree, open source (license) utilityfor netirork exploration and security auditing.
ICON K EY
Valuable inform ation T est vour knowledge

Lab S cenario
111 die previous lab you learned to use GFI LanGuard 2012 to scan a network to find out die vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. A 11 administrator and an attacker can use die same tools to fix or exploit a system. If an attacker gets to know all die information about vulnerable computers, diey will immediately act to compromise diose systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch diose systems after you have determined all die vulnerabilities in a network, before the attacker audits die network to gain vulnerable information. Also, as an ethical hacker and network adm inistrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring o f host or service uptime. So, you will be guided in diis lab to use Nmap to explore and audit a network.

S ‫ט‬

W eb exercise W orkbook review

Lab O bjectives
H ie objective o f diis lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime. h i diis lab, you need to: ■ Scan TCP and U DP ports

■ Analyze host details and dieir topology ■ Determine the types o f packet filters

C E H L ab M an u al P ag e 122

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

■ Tools demonstrated i n this lab are available i n D:\CEHTools\CEHv8 Module 03 Scanning Networks
/— j

Record and save all scan reports Compare saved results for suspicious ports

Lab Environm ent
To perform die lab, you need: ■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap

■ You can also download the latest version o f Nmap from the link http: / / nmap.org. / ■ I f you decide to download die latest version, dien screenshots shown in die lab might differ

. Q Zenmap works on Windows after including Windows 7, and Server 2003/2008.

■ A computer running Windows Server 2012 as a host machine ■ Windows Server 2008 running on a virtual machine as a guest

■ A web browser widi Internet access ■ Administrative privileges to run die Nmap tool

Lab D uration
Time: 20 Minutes

O verview o f N e tw o rk Scanning
Netw ork addresses are scanned to determine: ■ W hat services application nam es and versions diose hosts offer ■ W hat operating systems (and OS versions) diey run ■ The type o f pack et filters/firew alls that are in use and dozens o f odier characteristics

T AS K 1

Lab Tasks
Follow the wizard-driven installation steps and install N m ap (Zenmap) scanner in die host machine (Window Server 2012). 1. Launch the Start menu by hovering die mouse cursor in the lower-left corner o f the desktop

Intense Scan

FIGURE 6.1: Windows Server 2012— Desktop view

C E H L ab M an u al P ag e 123

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

2. Click the Nmap-Zenmap GUI app to open the Zenm ap window
S t3 ft
Administrator

l__ Zenmap file installs the following files:

Server Manager

Windows PowrShell

Google Manager

Nmap Zenmap

■ Nmap Core Files ■ Nmap Path ■ WinPcap 4.1.1
■ N etw ork Interface Im port ■ Zenm ap (GUI frontend)

S fe

m
Control Panel

*
H y p *V Virtual Machine..

‫וי‬

o

w
Command Prompt F rtfo * *‫ח‬

e

©
Me^sPing HTTPort iS W M

■ Neat (Modem Netcat) ■ Ndiff
CWto*

K

1

U

FIGURE 6.2 Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears.

! Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}

FIGURE 6.3: The Zenmap main window / In port scan techniques, only one method may be used at a time, except that UDP scan (‫־‬sU) and any one of the SCI1P scan types (‫־‬sY, -sZ) may be combined with any one of the TCP scan types.

4. Enter the virtual machine Windows Server 2008 IP ad d ress (10.0.0.4) t !1e j a rge t: text field. You are performing a network inventory for
r o
J

th e v ir tu a l I11acllil1e. 5.

111 this lab, die IP address would be 10.0.0.4; it will be different from your lab environment profile you want to scan. 111 diis lab, select Intense Scan.

6. 111 the Profile: text field, select, from the drop-down list, the type of

C E H L ab M an u al P ag e 124

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

7. Click Scan to start scantling the virtual machine.
Zenmap
Scan Iools Profile Help Profile: Intense scan

‫׳‬- ‫ ׳‬°r x

Target: 110.0.0.4|
C om m and: nm a p -T4 -A - v 10.0.0.4

Host!

Services icc>

|

Nmap Output Ports f Hosts | Topology | Host Details | Scans

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

OS < Host

FIGURE 6.4: The Zenmap main window with Target and Profile entered ! S " The six port states recognized by Nmap: ■ Open ■ Closed ■ Filtered ■ Unfiltered ■ Open | Filtered ■ Closed | Unfiltered
OS < Host ‫׳׳‬ 10.0.0.4
S to r tin g Nmap C . O l ( h ttp ://n m s p .o r g ) at 2012 0 8 24

8. N m ap scans the provided IP address with In ten se scan and displays the scan resu lt below the Nmap Output tab.
Zenmap
Scan I o o ls E rofile H elp
^ ‫ז ם י‬ X ‫ן‬

Target:

10.0.0.4
nm a p -T4 -A - v 10.C.0.4

‫׳י‬

Profile:

Intense scan

Scan:

C om m and:

Nn ■ ap Output [ports / Hosts | Topolog) | Host Details | Scans nmap -T4 •A -v 10.00.4 ^ | | Details

Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.

NSE: Loaded 9 3 s c r i p t s f o r s c a n n in g . MSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g Scan a t 1 5 :3 5 S c a n n in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in e S can a t 1 5 : 3 5 , 0 . 1 7 s e la p s e d h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a C o m p le te d P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 0 .5 0 s e la p s e d I n i t i a t i n g SYN S t e a l t h S can a t 1 5 :3 5 S c a n n in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] D is c o v e r e d o pe n p o r t 135!‫ ׳‬t c p on D is c o v e r e d o pe n p o r t 1 3 9 / t c p on D is c o v e r e d o pe n p o r t 4451‫ ׳‬t c p on I n c r e a s in g se n d d e la y f o r 1 6 . 0 . 0 . 4 f r o « 0 t o ‫צ‬ o u t o f 179 d ro p p e d p ro b e s s in c e l a s t in c r e a s e . D is c o v e r e d o pe n p o r t 4 9 1 5 2 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o p e n p o r t 4 9 1 5 4 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 3 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 6 / t c p o n 1 0 . 0 . 6 . 4 D is c o v e r e d o pe n p o r t 4 9 1 5 5 / t c p o n 1 0 . 0 . 0 . 4 D is c o v e r e d o pe n p o r t 5 3 5 7 / t c p on 1 0 . 6 . 0 . 4

(1 t o t a l t 1 5 :3 5 1 5 :3 5 ,

1 6 .0 .0 .4 1 0 .0 .0 .4 1 6 .0 .0 .4 d ee t o 72

Filter Hosts

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is com plete, N m ap shows die scanned results.

C E H L ab M an u al P ag e 125

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Zenmap
Scan Target: Iools £rofile Help

T=I
Scan! Cancel

The options available to control target selection: ■ -iL <inputfilename> ■ -1R <num hosts> ■ -exclude <host 1 > [,<host2> [,...]] ■ -excludefile <exclude file>
OS ‫׳׳‬

a

Command:

nmap -T4 -A -v 10.C.0.4 Nrr^p Output | Ports / Hosts | Topolog) Host Details | Scans

J

< Host
10.0.0.4

nmap •T4 •A ■v 10.0.0.4

‫פ כ‬

‫י‬

Details

n e tb io s -s s n 1 3 9 /tc p open 4 4 5 /tc p open n c tb io s ssn h ttp M ic ro s o ft HTTPAPI h ttp d 2.0 5 3 5 7 /tc p open (SSOP/UPnP) | _ h t t p ‫ ־‬m « th o d s : No A llo w o r P u b lic h « a d « r i n OPTIONS re s p o n s e ( s t a tu s code 5 03 ) | _ r r t t p - t it le : S ervice U na va ila b le
M i c r o s o f t W indow s RPC 4 9 1 5 2 / t c p o pe n m srp c M i c r o s o f t W indow s RPC 4 9 1 5 3 / t c p open m srp c M i c r o s o f t W indow s RPC 4 9 1 5 4 / t c p o pe n m srp c M i c r o s o f t W indow s RPC 4 9 1 5 5 / t c p open m srp c M i c r o s o f t W indow s RPC 4 9 1 5 6 / t c p open m srp c ______________ ;0 7 :1 0 ( M ic r o s o f t ) MAC A d d r e s s : 0( 1 5 : 5D: D e v ic e t y p e : g e n e r a l p u rp o s e R u n n in g : M i c r o s o f t WindONS 7 | 2008 OS CPE: c p « : / o : ‫׳‬n ic r o s o f t : w in d o w s _ 7 c p e : / o : » ic r o s o f t : w i n d o w s _ s e r v e r _ 2 0 0 8 : : s p l (?‫ ל‬d e t a i l s : M i c r o s o f t W indow s 7 o r W indow s S e r v e r 2 00 8 SP1 U p tim e g u e s s : 0 .2 5 6 d a y s ( s i n c e F r i Aug ?4 0 9 : 2 7 : 4 0 2 0 1 2 )

‫ח‬

Nttwort Distance; 1 hop

Q The following options control host discovery: ■ -sL (list Scan) ■ -sn (No port scan) ■ -Pn (No ping) ■ ■PS <port list> (TCP SYN Ping) ■ -PA <port list> (TCP ACK Ping) ■ -PU <port list> (UDP Ping) ■ -PY <port list> (SCTP INTT Ping) ■ -PE;-PP;-PM (ICMP Ping Types) ■ -PO <protocol list> (IP Protocol Ping) ■ -PR (ARP Ping) ■ — traceroute (Trace path to host) ■ -n (No DNS resolution) ■ -R (DNS resolution for all targets) ■ -system-dns (Use system DNS resolver) ■ -dns-servers < server 1 > [,<server2 > [,. ..]] (Servers to use for reverse DNS queries)
Filter Hosts

TCP S eq u en ce P r e d i c t i o n : D i f f i c u l t y - 2 6 3 (O o od l u c k ! ) I P I P S e q u e n ce G e n e r a tio n : I n c r e m e n t a l S e r v ic e I n f o : OS: W in d o w s; CPE: c p e : / o : n ic r o s c f t : w in d o w s

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

10. Click the Ports/H osts tab to display more information on the scan results. 11. N m ap also displays die Port, Protocol, S tate. Service, and Version o f the scan.
Zenmap
Scan Target: Iools Profile Help
Scan

T‫־‬T
Cancel

10.0.0.4 nmap -T4 -A -v 10.0.0.4 Services
Nmgp Out p u ( Tu[.ul u1jy Hu^t Details Sk m : .

Command:

OS ‫״״‬

< Host
10.0.0.4 13S 139 445 5337 tcp tcp tcp tcp open open open open open open open open open rmtpc
netbios-ssn

Minoaoft Windows RPC

netbios-ssn
http

Microsoft HTTPAPI httpd 2.0 (SSD Microsoft Windows RPC Microsoft Windows RPC Microsoft Windows RPC Microsoft Windows RPC Microsoft Windows RPC

49152 tcp 49153 tcp 49154 tcp 49155 tcp 49156 tcp

msrpc
m srpc

msrpc msrpc msrpc

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan

C E H L ab M an u al P ag e 126

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Coundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

12. Click the Topology tab to view N m ap’s topology for the provided IP address in the Intense scan Profile.

7 ^ t By default, Nmap performs a host discovery and then a port scan against each host it determines to be on line.

FIGURE 6.8: The Zenmap main window with Topology tab fot Intense Scan

13. Click the Host Details tab to see die details o f all hosts discovered during the intense scan profile.
Zenmap
Scan Target: lools Profile Help
Scan

r^r°rx 1
Conccl

10.0.0.4 nmap -T4 -A -v 10.0.0.4
|| Services I I Nm ap Output I Porte / H octt | Topologyf * Host Detail‫׳‬: Scan?
13.0.C .4

Command:
Hosts

OS < Host

7 ^ ‫ ׳‬By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

-‫־׳‬

10.0.0.4

H Host Status
S ta t e : O p e n p o rtc up Q

Filtered poits: Closed ports: Uptime: Last boot:
B Addresses

0 991 22151 Fri Aug 24 09:27:40 2012

Scanned ports: 1000

#

IPv4: IPv6:

10.0.0.4 Not available

MAC: 00:15:50:00:07:10
- O perating System

Name:
Accuracy:

Microsoft Windows 7 or Windows Seiver 2008 SP1

P o rts used

Filter Hosts

FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan

C E H L ab M an u al P ag e 127

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

14. Click the S cans tab to scan details for provided IP addresses.
Zenmap
Scan Tools Profile Help Profile: Intense scan Cancel

1- 1° ‫ ׳‬x

Nmap offers options for specifying winch ports are scanned and whether the scan order is random!2ed or sequential.

a

Target:

10.0.0.4 nmap •T4 •A -v 100.0.4 |[ Services |

Command: Hosts OS < Host

Nmap Output J Ports.' Hosts | Topology | Host Detail;| S:an; Sta!us Com‫׳‬r»ard Unsaved nmap -14-A •v 10.00.4

100.04

if■ Append Scan

»

Remove Scan

Cancel Scan

In Nmap, option -p <port ranges> means scan only specified ports.

a

FIGURE 6.10: The Zenmap main window with Scan tab for Intense Scan

15. Now, click the Services tab located in the right pane o f the window. This tab displays the list o f services. 16. Click the http service to list all the H TTP H ostnam es/lP a d d resses. Ports, and their s ta te s (Open/Closed).
Zenmap
Scan Target: Tools Profile Help v] Profile: Intense scan v| Scan | Cancel

‫ י ־ז‬° ‫ד * מ‬

10.0.0.4 nmap •T4 -A -v 10.0.0.4 | Services

Comman d: Hosts Service
msrpc
n e t b i o s 5 5 ‫־‬n

Nmap Output Ports / Hosts Topology HoctDrtaik | S^ant < Hostname A Port < Protocol « State « Version

|

‫ו‬
Microsoft HTTPAPI hctpd 2.0 (SSI

i

10.0.04

5357

tcp

open

Q In Nmap, option -F means fast (limited port) scan.

<L
FIGURE 6.11: The Zenmap main window with Services option for Intense Scan
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

C E H L ab M an u al P ag e 128

Module 03 - Scanning Networks

17. Click the m srpc service to list all the Microsoft Windows RPC.
Zenmap
Scan Target: Iools Profile Help ‫י‬ Profile: Intense scan Scan]

‫ ־ ז‬1‫ י ם‬x ‫׳‬

10.0.0.4 nmap -T4 -A -v 10.0.0.4 Services

In Nmap, Option — port-ratio <ratio><dedmal number between 0 and 1> means Scans all ports in nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1

Command:

Nmcp Output Ports / Hosts Topology | Host Details ^Scans 4 Hostname *‫ ־‬Port < Protocol * State « Version • • 100.0.4 100.0.4 100.0.4 100.04 100.04 100.0.4 49156 Up 49155 tcp 49154 tcp 49153 tcp 49152 tcp 135 tcp open open open open open open M kroioft Windoro RPC Microsoft Windows RPC Microsoft Windows RPC Microsoft Windows RPC Microsoft Windows RPC Microsoft Windows RPC

Service

http

netbios-ssn

• • • •

FIGURE 6.12 The Zenmap main window with msrpc Service for Intense Scan

18. Click the netbios-ssn service to list all NetBIOS hostnames.
Zenmap
Scan Target: Icols Erofile Help Scan Cancel

T T T

10.0.0.4 nmap -T4 -A -v 10.0.0.4 || Services | Nmap Output Ports f Hosts Topology Host Deoils Scans 100.0.4 100.0.4

Command: Hosts

h id In Nmap, Option -r means don't randomi2e ports.

Service

http msrpc

445 139

tcp tcp

open open

FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan

T AS K 2

Xmas Scan
C E H L ab M an u al P ag e 129

19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans only with OS T C P /IP developed

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

according to RFC 793. The current version o f Microsoft Windows is not supported. 20. Now, to perform a Xmas Scan, you need to create a new profile. Click Profile ‫ >־‬New Profile or Command Ctrl+P
y ‫ ׳‬Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

m The option — maxretries <numtries> specifies the maximum number of port scan probe retransmissions.

21. O n the Profile tab, enter Xmas Scan in the Profile nam e text field.
Profile Editor
‫!׳‬map -T4 -A -v 10.0.0.4

Profile Scan | Ping | Scripting | Target | Source[ Other | Timing
Profile Inform ation

Help

Description The description is a full description 0♦ v»hac the scan does, which may be long.

Profile name
D * c e r ip t io n

XmasScanj

m The option -hosttimeout <time> gives up on slow target hosts.

Caned

0

Save C h ang e s

FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab

C E H L ab M an u al P ag e 130

E th ica l H a c k in g an d C o u n term easu res Copyright © by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

22. Click the Scan tab, and select Xmas Tree scan (‫־‬sX) from the TCP scan s: drop-down list.
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (‫־‬sS) to check both protocols during the same run.
Profile Editor
!map -T4 -A -v 10.0.0.4 Profile Scan | Ping | Scripting | Target | Source | Other Timing Sun optk>m Target? (optional): TCP scam Non-TCP scans: Timing template: 10.00.4 None None ACK scan (-sA) ‫ ׳‬FIN scan ( sF) Mamon scan (-sM) □ Version detection (-sV) ‫ח‬ □ □ ‫ם‬ Idle Scan (Zombie) (-si) FTP bounce attack (-b) Disable reverse DNS resc IPv6 support (■6) Null scan (-sN) TCP SYN scan (-5S) TCP connect >can (‫»־‬T) . Window scan (-sW) | Xmas Tree scan (‫־‬sX)
Help

1_T□ ' x

Enable all ad/anced/aggressive options Enable OS detection (-0). version detection (-5V), script scanning (sCM and traceroute (‫־־‬traceroute).

F I

Q Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

Cancel

0Save Changes

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab

23. Select None in die Non-TCP scan s: drop-down list and A ggressive (‫־‬ T4) in the Timing tem plate: list and click Save Changes
Profile Friitor
nmap •sX •T4 -A ■v 10.0.0.4 Profile Scar Ping | Scripting [ Target Source | Other | Timing
Scan o p tio n *

1‫י ^ ם | ־‬

Help

Enable all ad/anced/aggressive options Enable OS detection (-0). version detection (-sV), script scanning (sQ and traceroute(--traceroute).

Q You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using ‫־־‬ host-timeout to skip slow hosts.

Target? (optional): TCP scan: Non-TCP scans: Timing template:
@

1D.0D.4 Xmas Tlee scan (‫־‬sX) None Aggressive (-T4) |v | [v‫] ׳‬ [v |

E n a b le a ll a d v a n c e d / a g g r e s s v e o p t i o n s ( - A )

□ Operating system detection (•O) O Version detection (-sV) □ □ Idle Scan (Zombie) (- 51) FTP bounce attack (-b)

O Disable reverse DNS resolution (‫־‬n) ‫ח‬ IPv6 support (-6)

Cancel

0 Save Changes

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab

24. Enter the IP address in die T arget: field, select the Xmas scan opdon from the Profile: held and click Scan.

C E H L ab M an u al P ag e 131

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Zenmap
Scan Target: Tools Profile Help |v | Profile- | Xmas Scan |v | |Scan| Cancel |

10.0.0.4 nmap -sX -T4 -A -v 100.0/ || Services A |

Command: ( Hosts

Nmap Output Potts/Hosts | Topology Host Details j Scans
V 1

In Nmap, option -sY (SCTPINIT scan) is often referred to as half-open scanning, because you donft open a full SCTP association. You send an INIT chunk, as if you were going to open a real association and then wait for a response.

05

< Host

| Details]

Filter Hosts

FIGURE 6.18: The Zenmap main window with Target and Profile entered

25. N m ap scans the target IP address provided and displays results on the Nmap Output tab.
£Q! When scanning systems, compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST, if the port is closed, and no response at all, if the port is open.
Zenmap
Scan Target Tools Profile Help vl Profile. Xmas Scan |Scani|

iz c

10.0.0.4 nmap -sX -T4 -A -v 100.0/ Services

Command: Hosts
OS « Host * 10.0.0.4

N-nap Output Ports / Hosts | Topology Host Details | Scans
nm a p -sX -T4 -A -v 10.0.0.4

S t a r t i n g Nmap 6 .0 1
N < F ‫ ל‬lo a d e d 93

( h ttp ://n m a o .o r g
fo r s c a n n in g .

) a t 2 0 1 2 - 0 8 -2 4

s c r ip ts

The option, -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

a

NSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g S can a t 1 6 :2 9 S c a n n in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in g Scan a t 1 6 : 2 9 , 0 .1 5 s e la p s e d ( 1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DMS r e s o l u t i o n o f 1 h o s t , a t 1 6 :2 9 c o m p le te d P a r a l l e l d n s r e s o l u t i o n o f l n o s t . a t 1 6 : 2 9 , 0 .0 0 s e la p s e d I n i t i a t i n g XMAS S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 6 . 4 [1 0 9 0 p o r t s ] I n c r e a s in g se nd d e la y f o r 1 0 . 0 . 0 . 4 f r o m 0 t o 5 due t o 34 o u t o f 84 d ro p p e d p ro & e s s in c e l a s t in c r e a s e . C o m p le te d XMAS S can a t 1 6 : 3 0 , 8 .3 6 s e la p s e d :1 0 0 0 t o t a l p o r ts ) I n i t i a t i n g S c r v i c e scon o t 1 6 :3 0 I n i t i a t i n g OS d e t e c t i o n ( t r y # 1 ) a g a i r s t 1 0 . 0 . 0 . 4 NSE: S c r i p t s c a n n in g 1 0 . 0 . 0 . 4 . I n i t i a t i n g MSE a t 1 6 :3 0 C o m p le te d NSE a t 1 6 : 3 0 , 0 .0 0 s e la p s e d Nnap s c o n r e p o r t f o r 1 0 . 0 . 0 . 4 H o s t i s u p ( 0 .e 0 0 2 0 s l a t e n c y ) .

FIGURE 6.19: The Zenmap main windowwith the Nmap Output tab

26. Click the S ervices tab located at the right side o f die pane. It displays all die services o f that host.

C E H L ab M an u al P ag e 132

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Zenmap
Scan Target: Iools Profile Help ^ Profile Xmas Scan

‫־‬

0

=

1

10.0.0.4 nmap -sX -T4 -A -v 10.0.0.4 | Services |

‫ | | 'י‬Scan |

Command: Hosts

Nmap Output Ports / Hosts | Topology | Host Dttails | Scans nmap -sX T4 -A -v 10.0.0.4
S t a r t i n g Nmap 6 .0 1 ( h ttp ://n m a p .o rg ) a t 2 0 1 2 * 0 8 -2 4

Details

: Loaded 03 s c r i p t s f o r s c a n n in g . NSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P i r g S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 0 . 4 [ 1 p o r t ] C o m p le te d ARP P in g S can a t 1 6 : 2 9 , 8 .1 5 s e la p s e d ( 1 t o t a l h o s ts ) I n i t i a t i n g 3a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 6 :2 9 C o m p le te d P a r a l l e l DNS r e s o l u t i o n 0-f 1 n e s t , a t 1 6 : 2 9 , 0 .0 0 s e la p s e d I n i t i a t i n g XMAS S can a t 1 6 :2 9 S c a n r in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] I n c r e a s in g se nd d e la y f o r 1 0 . 0 . 0 . 4 f r o m e t o 5 due t o 34 o u t o f 84 d ‫־׳‬o p p e d p ro o e s s in c e l a s t in c r e a s e . C o m p le te d XHAS S can a t 1 6 : 3 0 . 8 .3 6 s e la p s e d (1 0 0 0 t o t a l p o r ts ) I n i t i o t i n g S e r v i c e sca n at 1 6 :3 0 I n i t i a t i n g OS d e t e c t i o n ( t r y # 1 ) a g a in s t 1 0 . 0 . 0 . 4 NSE: S c r i p t s c a n n in g 1 0 . 0 . 0 . 4 . I n i t i a t i n g USE a t 1 6 :3 0 C o m p le te d NSE a t 1 6 : 3 0 , 0 .0 e s e la p s e d
N nap scan re p o rt fo r 1 0 .0 .0 .4

‫ח‬
m

H ost is

u p ( 0 .0 0 0 2 0 s l a t e n c y ) .

V

FIGURE 6.20: Zenmap Main window with Services Tab

S

T A S K

3

Null Scan

27. Null scan works only if the operating system’s T C P /IP implementation is developed according to RFC 793.111 a 1 1 1 1 1 1 scan, attackers send a TCP frame to a remote host with N O Flags. 28. To perform a 1 1 1 1 1 1 scan for a target IP address, create a new profile. Click Profile ‫ >־‬New Profile or Command Ctrl+P

The option Null Scan (‫־‬sN) does not set any bits (TCP flag header is 0).
[ New ProfJe or Command 9 £d it Selected Prof<e

Zenmap
CtrkP | nas Scan Qrl+E

v

Scan

| Cancel |

|

Hosts

||

Scrvncct

Nmap Output P ortj / Hosts | T opology] Host D e t o S c e n t

OS « Host
w 10.0.0.4

m The option, -sZ (SCTP COOKIE ECHO scan) is an advance SCTP COOKIE ECHO scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports but send an ABORT if the port is closed.

FIGURE 6.21: The Zenmap main window with the New Profile or Command option

C E H L ab M an u al P ag e 133

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

29. O n die Profile tab, input a profile name Null Scan in the Profile nam e text field.
The option, -si <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

a

Profile Editor
n m a p - s X - T 4 - X - v 1 0 .0 .0 .4

L ^ I

Profile Scan | Ping | Scripting | Target | Source | Othc | Timing^ Profile Information Profile name | Null Scanj~~|
D e s c r ip t io n

Help

Profile name This is how the profile v/ill be identf ied in the drop-down combo box in the scan tab.

FIGURE 622: The Zenmap Profile Editor with the Profile tab

m T he option, -b
< F T P relay h o st> (FT P bounce scan) allows a user to connect to one F T P server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse o n m any levels, so m ost servers have ceased supporting it.

30. Click die Scan tab in the Profile Editor window. N ow select the Null Scan (‫־‬sN) option from the TCP scan : drop-down list.
Profile Editor
nmap -eX -T4 -A -v 10.0.0.4 Profile] Scan | Ping | Scripting| larget | Source Jther Timing Scan options Targets (optional): TCP scan: Non-TCP scans: Timing template: 1C.0.04 Xmas Tree scan (-sX) None ACKscen ( sA) |v This is how the profile will be identified n the drop-down combo box n the scan tab.
H e lp

Prof le name

[Vj Enable all advanced/aggressu FN scan (‫־‬sF) □ Operating system detection (‫ ־‬Maimon «can (•?M) □ Version detection (■sV) (71 Idle Scan (Zombie) (•si) O FTP bounce attack (-b) Null scan (•sN) TCP SYN scan(-sS) TCP connect scan (‫־‬sT)

The option, -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

(71 Disable reverse DNSresolutior Win cow scan (‫־‬sW) Xma; Tree !can (-sX) 1 1 IPy6 support (-6)

Cancel

Save Changes

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab

31. Select None from the Non-TCP scan s: drop-down field and select A ggressive (-T4) from the Timing tem plate: drop-down field. 32. Click Save C hanges to save the newly created profile.

C E H L ab M an u al P ag e 134

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Profile Editor
nmap -sN -sX -74 -A -v 10.0.0.4

'-IT - '
|Scan[
Help

In Nmap, option — version-all (Try every single probe) is an alias for -version-intensity 9, ensuring that every single probe is attempted against each port.

P r o f ile

S can

P i n g | S c r i p t in g | T a r g e t | S o i r e e [ C t h c i | T im in g

Disable reverse DNS resolution
N e \er do reverse DNS. This can slash scanning times.
V V V

Scan options Targets (opbonal): TCP scan: Non-TCP scans: Timing template:
1 0 .0 .0 .4

Nul scan (•sN) None Aggressive (-T4)

C Operating system detection (-0)

[Z
I

Version detection (-5V)
I d le S c a n ( Z o m b ie ) ( -s i)

Q FTP bounce attack (-b)
I ! D i s a b l e r e v e r s e D N S r e s o lu t io n ( - n )

IPv6 support (-6)

£oncel

E rj Save Change*

m The option,-‫־‬topports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.

FIGURE 6.24: The Zenmap Profile Editor with the Scan tab

33. 111 the main window o f Zenmap, enter die ta rg e t IP a d d re ss to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.
Zenmap
Scfln Iools Erofile Help Prof1 ‫•י‬: Null Scan

Target | 10.0.0.4 Command: Hosts nmap -sN •sX •T4 -A *v 10.00.4 Services

Nmap Outpjt Ports / Hosts Topology | Host Detais ( Scans < Port

Q The option -sR (RPC scan), method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

OS

< H ost

< Prctoccl

< State

<

Service < Version

*U

10.00.4

Filter Hosts

FIGURE 6.25: The Zenmap main window with Target and Profile entered

34. N m ap scans the target IP address provided and displays results in Nmap Output tab.

C E H L ab M an u al P ag e 135

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Zenmap
Scan Target Tools Profile Help v Profile: Null Scan

B Q
Scan!

u
Cancel

10.0.0.4
n m a p - s N - T 4 - A - v 1 0 .C .0 .4

Com m and:

Hosts OS < Host IM 10.0.0.4

Services

Nmap Output | Ports/ Hosts ] Topology [ Host Details | Scans nmap -sN •T4 •A -v 10.0.04
S ta r t in g Mmap 6 .0 1 ( h t t p : / / n 1r a p . o r g ) at

‫פן‬
2012 0 8 24

Details

The option -versiontrace (Trace version scan activity) causes Nmap to pnnt out extensive debugging info about what version scanning is doing. It is a subset of what you get with — packet-trace,

N S t: Loaded 93 s c r i p t s f o r s c a n n in g . NSE: S c r i p t P r e - s c a n n in g . I n i t i a t i n g ARP P in g Scan a t 1 6 :4 7 S c a n n in g 1 0 . 6 . 0 . 4 [1 p o r t ] C o n p le te d ARP P in g S can a t 1 6 : 4 7 , 0 . 1 4 s e la p s e c ( 1 t o t a l h o s ts ) I n i t i a t i n g P a r a l l e l DNS r e s o l u t i o n o f 1 h o s t , a t 1 5 :4 7 C o n p le t e d P a r a l l e l DNS r e s o l u t i o n o-F 1 h o s t , a t 1 6 : 4 7 , 0 .2 8 s e la p s e ti i n i t i a t i n g n u l l sca n a t 1 6 :4 7 S c a n n in g 1 0 . 0 . 0 . 4 [1 0 0 0 p o r t s ] I n c r e a s in g se n d d e la y f o r 1 0 . 0 . 0 . 4 -fro m 0 t o 5 d u e t o 68 o u t o f 169 d ro p p e d p ro b e s s in c e l a s t i n c r e a s e . C o n p le t e d NULL S can a t 1 6 : 4 7 , 7 .7 B s e la p s e d (1 0 0 0 t o t a l p o r ts ) I n i t i a t i n g S e r v ic e s c a n a t 1 6 :4 7 I n i t i a t i n g OS d e t e c t i o n ( t r y * l ) a g a in s t 1 0 . 0 . 0 . 4 NSE: S c r i p t s c a n n in g 1 0 . 0 . 0 . 4 . I n i t i a t i n g NSE a t 1 6 :4 7 C o n p le te d NSE a t 1 6 : 4 7 , 0 .0 0 s e la p s e c Nmap s c a n r e p o r t f o r 1 0 . 0 . 0 . 4 H o s t i s up ( 0 . 0 0 0 0 6 8 s l a t e n c y ) .

‫ח‬

Filter Hosts

FIGURE 6.26: The Zenmap main window with the Nmap Output tab

35. Click the Host Details tab to view the details o f hosts, such as Host S tatu s, A ddresses. Open Ports, and Closed Ports ‫׳‬-[nrx ' Zenmap
Scan Target Tools £rofle Help Profile: Null Scan
Cancel

10.0.0.4
n m a p - s N - T 4 • A - v 1 0 .0 .0 .4

Com m and:

Hosts OS « Host * 10.0.0.4

Sen/ices

Nmap Output | Ports/ Hosts | Topology Host Details | Scans - 10.0.0.4! B Host Status State: Open ports: ports: Closed ports: Up tirre: Last boot: S Addresses IPv4: 10.0.0.4
IP v 6: N o t a v a ila b le

up 0 0 1000 Not available Not available

ie

Scanned ports: 1000

MAC: 00:15:5D:00:07:10
• C o m m e n ts

Filter Hosts

FIGURE 627: ‫׳‬Hie Zenmap main window with the Host Details tab
T A S K 4

ACK Flag Scan

36. Attackers send an ACK probe packet w ith a random sequence number. N o response means the port is filtered and an RST response means die port is not filtered.
E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Coundl All Rights Reserved. Reproduction is Strictly Prohibited

C E H L ab M an u al P ag e 136

Module 03 - Scanning Networks

37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile ‫ >־‬New Profile or Command Ctrl+P.
Zenmap

!^□T

m The script: — scriptupdatedb option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap — script-updatedb.

Command: Hoete OS < Host IM

fj?l Edit Selected Profile !!mop ■v» ■n* ‫ • **־‬v Services ]

Ctrl+E

0

E

Nmip Ojtput Porte / Hoete Topology | Hod Details J Scant
4 Po‫׳‬t 4 P rotocol 4 S ta tt 4 Service < V trsicn

10.0.0.4

Filter Hosts

FIGURE 6.28: The Zenmap main window with the New Profile or Command option

38. O n the Profile tab, input ACK Flag Scan in the Profile nam e text field.
Profile Editor
nmap -sN -T4 -A -v 10.0.0.4 Profile [scan | Ping | Scripting | Target | Soiree[ Cthei | Timing
Profile Information Help

‫־‬r a n

Description The descr ption is a full description of what the scan does, which may be long.

Profile name |ACK PagScanj
Description

The options: -minparallelism <numprobes>; -max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an everchanging ideal parallelism based on network performance.

£ancel

0

Save Changes

FIGURE 6.29: The Zenmap Profile Editor Window with the Profile tab

39. To select the parameters for an A CK scan, click the Scan tab in die Profile Editor window, select ACK sc a n (‫־‬sA) from the Non-TCP scan s: drop-dow n list, and select None for all die other fields but leave the T argets: field empty.

C E H L ab M an u al P ag e 137

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Profile Editor
n m a p - s A -s W - T 4 - A - v 1 0 .0 .0 .4

!-!□ ‫י‬

x
[ScanJ

‫׳‬

The option: — min-rtttimeout <time>, — max-rtttimeout <time>, — initialrtt-timeout <t1me> (Adjust probe timeouts). Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

Profile | Scan Ping Scnpting T3rg=t Source Other Timing Scan options Targets (optional): TCP scan: Non-TCP scans: Timing template: 10004 ACK scan (-sA) None ACK scan( sA) |v |

Help
E n a b le a ll a d v a n c e d , a g g r e s s iv e o p tio n s

Enable OS detection (-0), version detection (-5V), script scanning (■ sC), and traceroute (‫־־‬ttaceroute).

[34 Enable all advanced/aggressi\ FIN scan (-sF) □ Operating system detection (- Maimon scan (-sM) □ Version detection (-5V) O Idle Scan (Zombie) (‫־‬si) □ FTP bounce attack (‫־‬b) Null scan (-sNl TCP SYN scan (-5S) TCP connect scan (-sT)

f l Disable reverse DNS resolutior Vbincov\ scan (-sW) 1 1 IPv6 support (-6) Xmas Tree scan (-5X)

£ancel

Q Save Changes

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab

40. N ow click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.
Profile Editor
n m a p - s A -sNJ - T 4 - A - v - P O 1 0 0 .0 .4

[Scan]
Help
I C M P ta m « £ ta m p r# q u * :t

G The Option: -maxretries <numtries> (Specify the maximum number of port scan probe retransmissions). When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.

Profile Scan Ping Scnpting| Target | Source | Other Timing Ping options □ Don't ping before scanning (‫־‬Pn) I I ICMP ping (-PE) Q ICMP timestamp request (-PP) I I ICMP netmask request [-PM) □ ACK ping (-PA) □ SYN ping (-PS) Q UDP probes (-PU) 0 jlPProto prcb«s (-PO)i (J SCTP INIT ping probes (-PY)

Send an ICMP timestamp probe to see i targets are up.

Cancel

Save Changes

FIGURE 6.31: The Zenmap Profile Editor window with the Pmg tab

41. 111 the Zenm ap main window, input die IP address o f the target machine (in diis Lab: 10.0.0.3), select ACK Flag Scan from Profile: drop-down list, and then click Scan.

C E H L ab M an u al P ag e 138

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Zenmap
Scan Target: Tools Profile Help v Profile: ACK Flag Scan

‫־ם‬

10.0.0.4 nmap -sA -PO 10.0.0.4 Services

‫פב‬

Scan

Cancel

Command: Hosts

Nmap Output Ports / Hosts I Topology] Host Details Scans J
Details

£ 3 The option: -‫־‬hosttimeout <time> (Give up on slow target hosts). Some hosts simply take a long time to scan. Tins may be due to poody performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

Filter Hosts

FIGURE 6.32: The Zenmap main window with the Target and Profile entered

42. N m ap scans die target IP address provided and displays results on Nmap Output tab.

r
The option: — scandelay <time>; --max-scandelay <time> (Adjust delay between probes) .This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.
OS *

Zenmap
Tools £rofle Help Profile: ACK Flag Scan

X

‫ן‬

Sc$n

Target:

10.0.0.4 nmap -sA -P0 10.0.0.4 Sen/ices

Cancel

Command: Hosts

Nmap Output j Ports/Hosts[ Topology Host Details Scans nmap -sA -PO 10D.0.4 Details

<

Host 10.0.0.4

S t a r t in g ^map 6 .0 1 ( h tt p : / / n m a p .o r g ) a t 2 0 12 -0 8-2 4 17 :03
I n d ia S ta n d a rd T i n e

Nmap s c a n r e p o r t f o r 1 0 .0 . 0 .4
H ost i s u9 (0 .0 0 0 0 0 3 0 1 la t e n c y ).

A l l 1000 scanned p orts on 1 0 .0 .0 .4 a re u n f ilt e r e d
WAC A d d re s s : 3 0 :1 5 :5 0 :0 0 :0 7 :1 0 ( M ic r o s o f t )
Nmap d o n e : 1 IP a d d re s s (1 h o s t u p ) s c a n n e c i n 7 .5 7 se co n d s

Filter Hosts

FIGURE 6.33: The Zenmap main window with the Nmap Output tab

43. To view more details regarding the hosts, click die Host Details tab

C E H L ab M an u al P ag e 139

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Zenmap
Scan Target: Tools Profile Help [~v~| Profile: ACK Flag Scan Scan Cancel

10.0.0.4 nmap -sA-PO !0.0.04 || Services |

Q The option: — minrate <number>; — mas-rate < number> (Directly control the scanning rate). Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

Command: Hosts OS « Host *

Nmap Output Ports / Hosts Topology HostDetals ‫; ־‬10.0.04

J

J

Scans

10.0.0.4

5 Host Status
btate Open portc: Filtered ports: Closed ports: Scanned ports: 1000 Uptime: Last boot
B A ddresses

IS
Not available Not available

IPv4: IPv6: MAC:

1a0.0.4 Not available 0Q15:50:00:07:10

♦ Com m ents

Filter Hosts

FIGURE 6.34: The Zenmap main window with the Host Details tab

Lab A nalysis
Document all die IP addresses, open and closed ports, sendees, and protocols you discovered during die lab. T o o l/U tility In fo rm atio n C o llected /O b jectiv es A chieved T y p es o f Scan used: ■ ■ ‫י‬ ■ Intense scan Xmas scan Null scan ACK Flag scan

In ten se Scan —N m a p O u tp u t ■ ■ ■ ARP Ping Scan - 1 host Parallel D N S resolution o f 1 host SYN Stealth Scan • Discovered open p o rt on 10.0.0.4 o 13 5 /tcp, 13 9 /tcp, 4 4 5 /tcp, ... MAC Address Operating System Details Uptime Guess N etw ork Distance TCP Sequence Prediction IP ID Sequence Generation Service Info

N m ap

■ ■ ■ ■ ■ ■ ■

C E H L ab M an u al P ag e 140

E th ica l H a c k in g an d C o u n term easu res Copyright © by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

YOUR INSTRUCTOR

IF YOU HAVE Q U E S T IO N S T H IS LAB.

RELATED

TO

Q uestions
1. Analyze and evaluate the results by scanning a target network using; a. Stealth Scan (Half-open Scan)

b. nmap - P 2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in die network.

In te rn e t C o n n ectio n R eq u ired □ Yes P latform S u p p o rted 0 C lassroom 0 iLabs

0 No

C E H L ab M an u al P ag e 141

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Scanning a Network Using the NetScan Tools Pro
iN \etScanT001s Pro is an integrated collection of internet information gathering and netirork troubleshooting utilitiesfor Netirork P/vfessionals.
I CON 2 3 ‫ ־‬Valuable
inform ation T est your knowledge

KEY

Lab S cenario
You have already noticed in die previous lab how you can gadier information such as ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. duough Intense Scan. Xmas Scan. Null Scan and ACK Flag Scan 111 Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely and if an intrusion detection report is generated, it will display die IP o f die zombie host as an attacker. Attackers can easily know how many packets have been sent since die last probe by checking die IP packet fragment identification number (IP ID). As an expert penetration tester, you should be able to determine whether a TCP port is open to send a SYN (session establishment) packet to the port. The target machine will respond widi a SYN ACK (session request acknowledgement) packet if die port is open and RST (reset) if die port is closed and be prepared to block any such attacks 011 the network 111 this lab you will learn to scan a network using NetScan Tools Pro. You also need to discover network, gadier information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.

‫ס‬ m

W eb exercise W orkbook review

Lab O bjectives
The objective o f diis lab is assist to troubleshoot, diagnose, monitor, and discover devices 011 network.
111

diis lab, you need to: ■ Discovers IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs Detect local ports

C E H L ab M an u al P ag e 142

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

S 7Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks

Lab Environm ent
To perform die lab, you need: ■ NetScaii Tools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro

■ You can also download the latest version o f N etScan Tools Pro from the link http:/ / www.11etscantools.com /nstprom ai 11.html ■ I f you decide to download die latest version, dien screenshots shown in die lab might differ ■ A computer running Windows Server 2012 ■ Administrative privileges to run die NetScan Tools Pro tool

Lab D uration
Time: 10 Minutes

O verview o f N e tw o rk Scanning
Network scanning is die process o f examining die activity on a network, which can include monitoring data flow as well as monitoring die functioning of network devices. Network scanning serves to promote bodi die security and performance o f a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities. NetScan Tool Pro perform s the following to network scanning: ■ ■ Monitoring network devices availability Notifies IP address, hostnames, domain names, and p o rt scanning

S TASK 1
Scanning the Network

Lab Tasks
Install NetScan Tool Pro in your Window Server 2012. Follow die wizard-driven installation steps and install NetScan Tool Pro. 1. Launch the S tart menu by hovering die mouse cursor in the lower-left corner o f the desktop

^ Active Discovery and Diagnostic Tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses..

4 Windows Ser\*f 2012
'1* * ta ataierm X ni faemeCvcidilcOetoceitc EMtuaian copy, luld M>:

FIGURE /.l: Windows Server 2012- Desktop view

2. Click the N etScan Tool Pro app to open the N etScan Tool Pro window

C E H L ab M an u al P ag e 143

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Start
Server Manager Windows PowwShel Google Chrome H jp erV kWvwcr NetScanT... Pro Demo

Administrator A

h

m
Control Pan*l

o Mjrpw-V Mdchir*.

‫וי‬

f*

Q e
'»‫ **“־׳‬1■»***‫■׳‬

V
( onviund
I't. n.".‫־‬

w rr

©

*I
20 ‫ ז‬2

x-x-ac

n

9
FIGURE 7.2 Windows Server 2012 - Apps

3. I f you are using the D em o version o f NetScan Tools Pro, then click S tart th e DEMO
£L) Database Name be created in the Results Database Directory and it will have NstProDataprefixed and it will have the file extension .db3

4. The Open or C reate a New R esult D atabase-N etScanTooIs Pro window will appears; enter a new database name in D atabase Name (enter new nam e here) 5. Set a default directory results for database file location, click Continue
Open or Create a New Results Database - NetScanTools® Pro
NetScanToote Pro au to m a tica l saves results n a database. The database «s requred. Create a new Results Database, open a previous Resdts Database, or use this software r Tranng Mode with a temporary Results Database. ■ ‫״‬Trainrtg Mode Qutdc Start: Press Create Training Mode Database then press Continue. Database Name (enter new name here) Test| A NEW Results Database w l be automabcaly prefixed with MstProOata-' and w i end with ,.db?. No spaces or periods are allowed when enterng a new database name. Results Database File Location Results Database Directory ‫*״‬Create Trainmg Mode Database Project Name (opbonal) Set Default Directory C :^Msers\Administrator documents

*‫ו‬

Select Another Results Database

Analyst Information (opbonal, can be cisplayed r\ reports if desired) Name Telephone Number

Fitie

Mobile Number

i—' USB Version: start the software by locating nstpro.exe on your USB drive ‫ ־‬it is normally in the /nstpro directory p

Organization

Email Address

Update Analyst Information

Use Last Results Database

Continue

Exit Program

FIGURE 7.3: setting a new database name for XetScan Tools Pro

6. The N etScan Tools Pro main window will appears as show in die following figure
C E H L ab M an u al P ag e 144 E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

test • NetScanTools* Pro Demo Version Build 8-17-12 based on version 11.19
file Eflit A«es51b!11ty View IP«6 Help

_ - n |

V

-

— IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2 0 0 1 :4 8 6 0 :b 0 0 6 :6 9 ( i p v 6 . g o o g l e . com) o r : : 1 (in te rn a l lo o p b a c k a d d r e s s

Wefccrwto NrtScanToobePiJ [ W o Vbtfen 11 TH 1 «a<Kw1n> n a d r r o r o < k > * •r e * T00“ i Cut Th■ duro carrnot be cj>« vt »>0 to a U v * d c n H m x x d '•o n ■hr A J o i^ e d cr Vtao.a la d s cr 10311 groined by fm d ia n on the k ft panel R03 iso- root carract :‫ «־‬ta‫״‬oet. orwn icon :coa I 8!en to noucrktniffc. ttu ; icon tooo ‫ * ® •ו‬we• y o j oca sy*em. end groy !con 100b contact ihid party Automated tools M3nu3l tool: 13III fw o rn e tools *LCrre Dttcover/tools Pass ‫״‬re 0 ‫ י‬scow 1 y ro ols Fleet ' i t FI '«&, to vie‫ ״‬e<? a t e r g h * local help ircLidng Gerttirg Suited >r a n d tia i

to d i hav• nir or luiti

Otis 0015 ‫ז‬
P 3«et le v * tools tx t m u l tools pro otam into

FIGURE 7.4: Main window of NetScan Tools Pro

7. Select Manual Tools (all) on the left panel and click ARP Ping. A window will appears few inform ation about die ARP Ping Tool. 8. Click OK
test
File fd it A<<f\11bil 1 ly V irw

NetScanToois® Pro Demo Version Build 8 17 12 based o r version 11.19
MHp

‫־היד‬°• - ‫ז‬
Klrt'iianTooltS P io 'J

IPv6

Automata!! Tool Manual Tool( Ml

A b o u t th e A R P P in g T o o l
• use th is to o l to "PiMti‘ an IPv4 address o n y o u r s u b n e t usino a r p paefcrts. •se !r on your
L A N to find the 1a4>: ' a tkne o ' a device to an ARP_REQl)EST jacket evai if ‫ «יכ‬d&r ce s hidden and does not respond to ‫־׳‬ egu a P n g . A R P P in a re q u ire * , ‫ ג‬t a r g e t I P v 4 address on your LA N . D o n 't m is s t h i s s p e c ia l f e a t u r e in t h i s t o o l: Identify d u p licate IPv4 add ress b y ‘sin g in g ‘ a s s e c f ic IPv4 add ress. If m ore th 2 - Gne d e v ic e ( tw o or rrore MAC addresses} responds, y o u are sh o w n th e m a c add ress o f e ec h o f t h e d e u c e s . D o n 't f o r g e t to r!ght d k * in t h e results for a m en u w ith m ore option s.


£ 7 Arp Ping is a useful tool capable of sending ARP packets to a target IP address and it can also search for multiple devices sharing the same IP address on your LAN

im
ARP Scan (MAC

U a

D em o I im ita tio n s

None.

Ca«h« F m n it d

ij


C0* n « t» 0rt Monrt. Pjv<mKc Tooll A111 vc Dhccnrcry To‫׳‬ P iss ‫״‬re Oacovety T«

o risro o ts P 3 c « 1L e v e lto o l:
bcemai toots Pro 0r3m Into

| ( <x Hel p pres? FI

FIGURE 7.5: Selecting manual tools option

9. Select the Send B roadcast ARP, then U nicast ARP radio button, enter the IP address in T arget IPv4 A ddress, and click Send Arp

C E H L ab M an u al P ag e 145

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

test
File Fdit Accessibility View

NetScanTools® Pro Demo Version Build 8 17 12 based on version 11.19
Help

,- ! ‫ ״‬s i

IPv6

Q Send Broadcast ARP, and then Unicast ARP this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box

Automated Tools ►.Unual Tools lalf)

U9e ARP Padtets to Pnc an [Pv« adjfc55 on ya r
subnet.

E

Send & 0‫־‬acc35T ARP, then in to s t ARP D upi:a ;es S-‫־‬c ‫מ‬

O send B-oaCcae: arp cnly

O Se*th for Dipicate IP Addesoss

(f:00 .00 O l^FA a*
cc 0.0 0 2 6 4 9 cc :.o ::» to ce 0.0 0 3 3 1 8 cc cc cc cc cc cc cc cc cc cc cc cc 0.002318
0 .0 :6 9 * 3 0.0 0 7 6 1 5 O.OC25IC 0.00198C

‫ ® ו * ג‬To Aa tom* ted |

R e p o rt?
Q Add to Psvorftac
Type B road cast U n ic a st

U
ARP Ping

Target IPva A adett

index

ip

A ddress

mac

A ddress

R esponse T ine (a se c i

u
A flP ?c« ■an n |M |MA£ A C i< ‫ ״‬n)

ie n d A rc
Stop N j r b n to Send

0

1 2 3
4 5

1 0.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1
1 0 . 0 .0 . 1

‫־‬ •

•• • * ♦ < * ♦ - ■+

OnI c a a t
U n ic a st ur.ic a a t Cr.l e a s t Cr.I c a a t

Cache Forensic!

u

cvcte Tne (m s)

-

•• — ♦ *• • * <»

I“0 0 EJ
Co‫ ״‬n«t»on M onitor |v | Fawonte Tooli Aa!re DHtovery Tool! Pj 1 1 !x< Oiiovcry Tooli O t« Tools P a « « level rools trte m ji looit f*‫־‬coram Into

WnPcap I‫״‬Tcrfe<T P

f ‫ל‬ 8
3 10

10.0.0.1
1 0 .0 .0 .1 1 0 .0 .0 .1 1 0 . 0 .0 . 1

(In ic a a t Onicaat Ur.ica a t
U r.icaat

••» •‫'־ ♦•־‬ - •••« » ♦ -

o.ooiess 0.0:2318
0 .0 :2 6 * 9 0 .0 :2 6 4 9 0.002318 0.0 0 2 3 1 8 :.0 : 2 6 4 9

11
12

10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1
1 0 . 0 .0 . 1

a. ■* <» ♦

tin ic a a t (Tnic a a t
U n iea a t V n ica a t Cr. ic a a t

13 14 15

••••••» « ♦ ‫״‬ •

FPuiger 7.6: Result of ARP Ping

10. Click ARP Scan (MAC Scan) in the left panel. A window will appear with inform ation about the ARP scan tool. Click OK
test - NetScanTools® Pro Demo Version Build 8-17-12 based on version 11.19
File Fdit Accessibility View IPv6 Help

1al Tools • ARP Pti• y J

Automated Toot

A bou t the A R P Scan T ool
• • • Use U ib tool lo send an ARP RoqiM&t to evury IPv4 addrtsA on your LAN. IPv4 connected devices cswtrt Arts from ARP . K u n and mu»t rupond with th«f IP •nd MAC *d fir•* •. Uncheck we ResoKre f>5 box for fssrti scan co‫׳‬rp i« o n ome. Don't Cornet to 1io : d tk n the 1e>ute for a menu with moio options.
mo L im ita tio n s . p•‫־‬

‫ ש‬ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.

y
ARPStan 1 mac sea

Hone.

oadcaat

ic a a t le a st le a st lea se
ic a st

Ca<n« ForcnsKs

ic a a t
le a st le a st

A ttn * Uncovery 10

ica at e a st!
ea st! le a s t
ic a a t

relive l>K 0v»ryl«
Tool

FIGURE 7.7: Selecting ARP Scan (MAC Scan) option

11. Enter the range o f IPv4 address in Starting IPv4 A ddress and Ending IPv4 A ddress text boxes 12. Click Do Arp Scan

C E H L ab M an u al P ag e 146

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

test
File Edil Accembility View

NetScanTools* Pro Demo Version Build 8-17 12based0nvefs»0n !1.19
Help

‫י ־־ “ ־ היו‬

IPv6

Manual Too 4 - ARP Scan (MAC Stan) $
i i / t o n a t e d Toots Manual Tools lalf) U9e thE tod a fine al active IPv4 d rie rs o‫י׳‬ you! n im -t. Staroic F v 4 Acerea‫־‬

| :0 . 0 & v 4 n gIP v 4A d jre s s
ip v i M . . .

A d s n o c c
[ J j ‫׳‬p 0 ‫ ־‬A 1 2 r a a l

I ]A d d ts^ a v a K a t
ARP Ping

w e Adflreofl 0(
EC .

r / r M 4 n u r * c f3 r e r

B c tta M C

E ntry Type d yr.arie dynaxac

l>5c•!

1 0 .0 .0 .1
1 0 .0 .0 .2

‫׳‬

« - ...

n e t;ca r, la c .
&»11 la c

1
vm -M SS C L .

10 . 0.0
1 0 .0 .0

‫־‬ ar The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.

A«P*can(M can (MAC AC5<an)

iV n P c w In te rfa xS '
I 10.0.0.7 Scon OSsy T n c {•>»)

Cache forensic(

u

( I Z Z ₪
Connection Monitor FawxKe Tools Active Discovery Tool! P^iiixe Discovery Too 11 o tis roois PSCttt LCV(I Tools exttmai toon » 0 ‫־י‬gram into 0 Resolve P s

‫פב‬
FIGURE 7.8 Result of ARP Scan (MAC Scan)

13. Click DHCP Server Discovery in the left panel, a window will appear with inform ation about D H C P Server Discovery Tool. Click OK
f*:
f4 e Ed* Accessibility

test - NetScanTools® Pro Demo Version Build 8-17-12 based on version 11.19
View IPv6 H e#

!‫־‬

n '

*

RPSean tMAC Son, *u» 0*n8ted lool M anual 10011 tall

About Hit* DHCP Sorv 1*f Discovery Tool
• U se U i b 1 004 t o j i t n n i y t o u t e DHCP a a n r o r s ( IP v 1 o n l y ) o n y o u r lo c a l n e t w o r k . It ifto m th« P addrau and k « : ‫־‬g» * » b «n g landed o u t by DHCP Ih i t too! a n a to find unknown or rooue' DHCP * r v e rj. D o n 't I o t g e t to rig h t d c k n th« results for a menu with more options.

Cat ha Forrniict


Connection Monitc O K P S f w r O ucorc

Dano limitations.
• N one. c r y T ype lo c a l

n a x le
n a x ic

1 0 .0 .0
1 0 .0 .0

LJ DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP serv.

DNS >Tools-core T00IS - ‫י‬

a

J
P n tn r Ditcaveiy Tc
P « l r l level Tool External Too 1 1

FIGURE 7.9: Selecting DHCP Server Discovery Tool Option

14. Select all the Discover Options check box and click Discover DHCP Servers

C E H L ab M an u al P ag e 147

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

I
V

test - NetScanTools* Pro Demo Version Build 8-1 7-12 based o r version 11.19

Aurc mated To 015 Fnri DHCP Servers an f a r Add Itoie IM A *rtonoted

Q NetScanner, this is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations

For Hdo. p‫׳‬-e£8 F : Cache F o renjio

.:n n c c to n Monitor

B

Ode or mtrrfacc bdow then crcos Discover Discover ( X P Server*

QAddtoP®»flnre5

TM

A d d re ss

KIC A ddreas
L. A A «» I I iD

I n t « r f « r • D e s c r ip tio n
H y p e r-V V i r t a • ! E t h e r n e t A d a p te r #2

Stop
DHCP S«1 1 » ‫ ׳‬Discovery W a t Time (sec)

1 0 .0 .0 .7

DIIS T o o k - Coie !

a
a

DiscouB0 ‫?־‬H 3n t e ‫ ׳ י‬H05tn 3r 1 V Subnet M5*r V ‫ ׳‬D o n o r ftairc

R sxordnc DHCP Servers EHCr S e r v e r I P 1 0 .0 .0 .1 S e r v e r Hd3 L n oM 1 0 .0 .0 .1 O ffe re d I ? 10. 0. 0. 2 O f f e r e d S u b n e t Mask ‫ י‬SS. 2 SS. 2 SS. 0 IP A d d re ss I 3 days, 0 :0 (

DMSloo's ■Advanced FiwoiiU Tools A<tfc« Dii coveiy Tools Paislv* Discovery Tools DNS Too 11 C rrtl Tooli W * ‫ *וזז‬Tools Pioqrtm Inro

‫ ׳י‬d n s p ‫ ׳י‬Router P fa * KTP Servers

FIGURE 7.10: Result of DHCP Server Drscovery

15. Click Ping sc a n n e r in the left panel. A window will appear with inform ation about Ping Scanner tool. Click OK
test NetScanTools® Pro Demo Version Build 8-17-12 based on version 11.19
F8e EdK Atcesiiblfity V ltw IPv6 H«tp

A

j . j A I C
WtKOIM AUtOIMt«J To Oh M jn g jl T00K (411 N ttS u n T o o ii* P!o S?

A b o u t th e P in g S c a n n e r (a k a N e tS c a n n e r) lo o l
• u se r i m r o d ro p m g a ra n o e o r l m o f IP v 4 add resses. this tool shows you ch co m puw ‫ ׳‬s are acOve w tJiir! ? 0 * 106, h t ( : r e » hav« to ra p o n d to p ing). Uso it *vith an* u t o f F a d f lf « s « . To **e a fl ee*‫ ׳‬c*s n your subrtrt indudmg trios*blocking ping, you can j m u m ARP S o n tool. Y o u can ■ n p o rt a t e x t lest o f IP v 4 ad d resses t o p m g . D o n 't mres th is s p w a l f e a tu r e m th is t o o k use the Do SMB/NBNS Scan to per NetBIOS r« o o m « 5 fiom unprotected W in d o * * corrput&s. D o n 't f o r g e t td n g h t d!dc m th e results for a menu with more opaons.

£0 Port Scanner is a tool designed to determine which ports on a target computer are active Le. being used by services or daemons.

R n gm E rv u rK c J m f i r , a
g - Graphi cal
Port Scanner

D em o Im ita tio n s . • P a c k e t D elay ( tim e b e tw e e n s e n d in g ea ch p m g ) is lim ite d t o a lo w e r tam t o f SO nulliseconds. P a rk e r D elay can b e a s lo w a s ze ro ( 0 ) m s m t h e f i l l ve rs io n . In o t h e r w o rd s , t h e fu ll ve rs io n w i b e a b it fa s te r.

P’ o a m u o in M od f *> < «

.J

M int

r a v o n t ct o o n D t i c o v e r y! 0‫׳‬ D i s c o v e r y1 0 DNS 1 0 0 1 1

P x te t L trti tooii

T o o ls
°rooram inro

FIGURE 7.11: selecting Ping scanner Option

16. Select the Use Default System DNS radio button, and enter the range o f IP address in S tart IP and End IP boxes 17. Click S tart

C E H L ab M an u al P ag e 148

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

----«e 6dK Accessibility

test - NetScanTools * Pro Demo Version Build 8-17-12 based o r version 11.19
View IPv6

Aurc mated To 015

CQ Traceioute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream internet provider(s) that service a network connected device.

©

Start iP EndJP

10.0.0.: 10.0.0.S0

‫׳י‬ -

‫ח ח‬

|‫ ' •׳‬Lke Defadt System DN5j O Use Specific DNS: vll* AKANrtSeannw □ *5<J r0f®«0n?r3 S tA to a 0:0 t e a : s c p i v

IH

F a Hdp, press F1 T a r g e t IP H ostnam e

10.0.0.1 ?
1 0.5.0.2 10.0.0.5

Time ( M |

0

tnK‫־‬KS3ELOUK41 my:-UQM3MRiR«M
WIN-D39HRSHL9E4

0 0
0

0:0 tchs toply 0:0 Ech s taply 0:0 Echs Reply

0R esolveT P s
Port Scanner

1 0 .0 .0 .7

MSttp.0/.255W l
Addtbnal Scan Tests:

P r o » u c u o u 5 M o d e S<onr ^ FaroiK• Tools Attfci* Oil cover? Tools P a is ** Discovery Tools DNS Too 11 S* ‫׳‬ J «I L*vtl Tool I M * 1nal Tools Pfogr•!* Info

m

1 103 I oca

ARP Seen

□ 0 3 S*‫׳‬E .fc8\S Scar □ Do Sulnel M a i: Sea‫!־‬ EnaSfc Post-Scan M O b lg o f Msn-decso'dns Ps

| irw:»vu«:
I Oeof Imported tm

FIGURE 7.12: Result of sail IP address

18. Click Port sc a n n e r in the left panel. A window will appear with inform ation about die port scanner tool. Click OK
F
F ie Ed 11 Accembilrty

test NetScanTool‘ $ Pro Demo Version Build 8-17-12 based on version 11.19
View IPv6 Help

-_lnl

x ‫ך‬

ri i h 3■‫>ב‬ I^
WeKom* Automated T0011 M«nu«ITouU Iall u n n ti/N e tS u n n ei 9

A b o u t th e P o r t S c a n n e r 1 ool
NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNER’ S PERMISSION TO SCAN.

\

PW 0 tnnanced


• • •

Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query

use rtm ‫ז‬ool to scan fcstening).

1 target for icp or ‫ *וגווו‬ports that .‫ מור‬listening (open with senna*

l y p e s o f s c a n n in g s u p p o r t e d : ‫״‬ull C on n ec t TCP Scan ( s e e n o te s b e lo w } . U 0P port u 'r e o c h a sle sc a n , c om b ined TCP ful c o r r e c t and UOP scan, TCP SYN o n ly scan and t c p OT^er s o n . D o n 't m is s t h is s p e c ia l l e d t u r e in t h ' s t o o l: After a target h as b een sca n n ed , an a ‫ ״‬alf s s .v in e o w w ill o p e n in > o u r O eh J t w e b brow ser. D o n 't f o r g e t ‫ מז‬n g h t c*<k n w e r e sjits for 3 m enu w ith m ore o p tio n s.

P nq Scanner

Notes: settings that strongly affect scan speed:
• • Com e::ton Timeout use 200 c* less on a fa st network correction yjdhneaiby cor‫״‬p . t e i . _ * 3 more on a d a u : conneoo‫־׳‬ W ot After Connect - J i s c- ►‫י‬ ‫ י‬0 « long each port test w aits before deoting thot ih ; port is ,‫־‬o r a o e . setfln<cA>ebv settee* ccmccxns. Try 0, (hen (ry lire. Notice the dfferexe. SfetU 1» ° ‫־‬ M G m e c jir * ) 3003 ‫ ־‬seconds) or

Port Scanner


P 0 1 » K U 0 u t M ode ‘

u

Domo KmlUtlons. • Hone.

FIGURE 7.13: selecting Port scanner option

19. Enter the IP Address in the T arget H ostnam e or IP A ddress field and select the TCP Ports only radio button 20. Click Scan Range of Ports

C E H L ab M an u al P ag e 149

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

test - NetScanTools® Pro Demo Version Build 8-17-12 based on version 11.19
fte
Ed* Accessibility View 6‫י\)ו‬ Help

1-1° ‫׳ ״ ־‬
M anual Fools - Port Scanner ^

Automated Tool? Manual Toots (alij T3r0ut H K T S ire 3r P A:d‫־‬£S3 Pore Range are! Sarvfcafc Start WARNING: the- tod scan? r * rargrfr- ports. Scan C i r p lr tr . Sea‫ ״‬R.anoc of ! v s St * ‫ י‬Comnon Path | & d tco n w > Parts Let Show Al S an r«d Ports, Actlvi 0 ‫ ז‬Not P o rt 80 P o rt D vac h te p P ro to c o l TCP R e s u lt ■ P o r t A c t iv e O a t • R» » .v » d 1 I •■ 'T C P P o rtsI LDP P3te C ny A rip T O *utOHMted |

m

I1 0 .0 -01

I
B'd f a

O TCP4UJP Ports

(

I

O tcpsyn

OlCPaMM

□^to^ont•

Port Stunner

P ro«ncuou5 M ode 1 f3vor1t* Tools /»<t*‫ «׳‬Discoreiy Tools Passr/t Discovery tools DNS roois p « * « t t m l loon t x ttm ji Tools Program inro

J

M rP a sp:-ir-^acr :‫־‬
10.D .0.
Connect T rco u t ( 100D = !second]

:
w a t Aftc‫ ׳‬co‫־‬¥>co ( I CO D - 1 **to n tf

:
FIGURE 7.14: Result of Port scanner

Lab A nalysis
Document all die IP addresses, open and closed ports, services, and protocols you discovered during die lab. T o o l/U tility In fo rm atio n C o llected /O b jectiv es A chieved ARP Scan R esults: ■ ■ ■ ■ ■ ■ N etS can T ools p ro IPv4 Address MAC Address I / F Manufacturer Hostname Entry Type Local Address

In fo rm atio n for D iscovered D H C P Servers: ■ ■ ■ ■ ■ ■ IPv4 A ddress: 10.0.0.7 In terface D escription: Hyper-V Virtual E thernet A dapter # 2 D H C P Server IP: 10.0.0.1 Server H o stn am e: 10.0.0.1 O ffered IP: 10.0.0.7 O ffered S u b n et M ask: 255.255.255.0

C E H L ab M an u al P ag e 150

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Coundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

YOUR INSTRUCTOR

IF YOU HAVE Q U E S T IO N S T H IS LAB.

RELATED

TO

Q uestions
1. Does NetScaii Tools Pro support proxy servers or firewalls? In tern e t C o n n ectio n R eq u ired □ Y es P latform S u p p o rted 0 C lassroom 0 iLabs 0 No

C E H L ab M an u al P ag e 151

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Drawing Network Diagrams Using LANSurveyor
l^42\s/nvejor discovers a nehvork andproduces a comprehensive nehvork diagram that integrates OSI Layer 2 and Lajer 3 topology data.
I CON 27 KEY

Lab S cenario
Ail attacker can gather information fiom ARP Scan, D HCP Servers, etc. using NetScan Tools Pro, as you have learned in die previous lab. Using diis information an attacker can compromise a DHCP server 011 the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control o f a DHCP server, attackers can configure DHCP clients with fraudulent T C P /IP configuration information, including an invalid default gateway or DNS server configuration.
111

Valuable inform ation T est your knowledge

‫ס‬ m

W eb exercise W orkbook review

diis lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network adm inistrator and penetration te s te r you need to discover network topology and produce comprehensive network diagrams for discovered networks.

Lab O bjectives
The objective o f diis lab is to help students discover and diagram network topology and map a discovered network.
111

diis lab, you need to: ■ ■ Draw’ a map showing die logical connectivity o f your network and navigate around die map Create a report diat includes all you! managed switches and hubs

C E H L ab M an u al P ag e 152

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

ZZy Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks

Lab Environm ent
To perform die lab, you need: ■ LANSurveyor located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor ■ You can also download the latest version o f LANSurveyor from die link http: / / www.solarwi11ds.com / ■ I f you decide to download die latest version, dien screenshots shown in die lab might differ

■ A computer miming Windows Server 2012 ■ A web browser widi Internet access ■ Administrative privileges to mil die LANSurveyor tool

Lab D uration
Time: 10 Minutes

O verview o f LA N Surveyor
SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets, addresses reporting needs for PCI compliance and other regulatory requirements.
TASK 1

Lab Tasks
Install LANSurveyor on your Windows Server 2012 Follow die wizard-driven installation steps and install LANSurvyor. 1. Launch the S tart menu by hovering die mouse cursor in the lower-left corner o f the desktop

Draw Network Diagram

4 Windows Server 2012
« m m to w JOii «*<*•* C«:*d1tr 0«jce‫■׳«׳‬ (vafcrtun copy. lull) •40:

FIGURE 8.1: Windows Server 2012 - Desktop view

2. Click the LANSurvyor app to open the LANSurvyor window

C E H L ab M an u al P ag e 153

E th ica l H a c k in g an d C o u n term easu res Copyright © by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

LANsurveyor's Responder client Manage remote Windows, Linus, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files

Start
S e rw M o rale r Windows PowetShd Goo* Chrwne H»p«V 1 - 'X vj j. lANswv..

A d m in is tr a to r £

b

m

o

*

Pamrt

Q

w

V

e
rwn«t hptom ‫ף״‬

£ 2 ?

w : a

l i Megafing N eeanL. Pto Demo

FIGURE 8.2 Windows Server 2012 - Apps

3. Review the limitations o f the evaluation software and then click Continue with Evaluation to continue the evaluation
SolarW inds LANsurveyor

‫ ן‬- ‫יי * י ם י‬
s o la r w in d s

[fie

Edit Menage Mcnitoi Report Tods Window Help

^ LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)

FIGURE 8.3: LANSurveyor evaluation window

4. The Getting S tarted with LANsurveyor dialog box is displayed. Click S tart Scanning Network

C E H L ab M an u al P ag e 154

E th ica l H a c k in g an d C o u n term easu res Copyright C by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

r
s o la rw in d s 7'
&]

Getting Started with LANsurveyor

a

u

What you can do with LANsurveyor.
Scan and map Layer 1. 2. 3 network topology Export maps to Microsoft V tito » View example mgp Continuously scan your network automatically be u o td
m S e la rV /n d a n o t/.o ‫׳‬k and o p p lc a to r V /atch a v d a e n t 'o t o b arn more

f i LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.

"2

Onca aavod, a I cuatom ‫׳‬nap■a c a r

m anagerrcnt s o ftw a re , le a rn more »

» thwack LANsurveyor forum
t h w a c k is 8 com m unity site o r o v id ir o S o b r t V r d s j s e ‫־‬s w ith u s e fu l n io m a to n . t o o s a n d v a u a b le r e s o j r c e s

» Qnfcne Manual
For additional h e p on using the LAIJsu‫־‬ve yo r read the LANSurveyor Administrator G ude

» Evaluation Guide
T h a L A M a u r v a y o r E v aiu ab o n G u id a p r c v d a a a n ir tr » d 1»cton to L A M a u r v a y o r fa a tu ra a a r d r a t n ic b c n a fe r n t t a lin j . c o n f g u r n j , an d j s m g L A H s u rv e y o r.

» Support
T h e S o h r w in d s S u p o o rl W e b * i» o f fe r * a s e n p r e h e r s v e se t o f to o l* to h e lp y o u n a n a o e a ‫׳‬uJ n a r t a m y o » r S o h rW in d * a p p le a tio n s v b t tne < ii^ y d£ a 1 £ .e a 2 s , fic ^ t y Q v y » t9 » » . o r J p o a ic

I I Don't show agah

S tart S c a n r ir g fJet.‫׳‬. o ‫־‬k

] [

FIGURE 8.4: Getting Started with LANSurveyor Wizard

5. The C reate A Network Map window will appears; in order to draw a network diagram enter the IP address in Begin A ddress and End A ddress, and click S tart Network Discovery

C E H L ab M an u al P ag e 155

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Coundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Create A New Network Map
Netuioik Paraneetr Eecin Acdies; Erd Address 10.00.1 10.D.0.254 Enter Ke>t Address Here

‫מ ־‬

H ops

(Folowtrg cuter hopj requires SNMP fouler access! Rotfers. Switches and □her SNMP De/ice Dijcovery ■-M *
= ‫=&־‬

0 SNMPvl D*vk#j •• SMMP/I Community Strng(*)
[ p t fe fc p riv ate

QSHWPv2c Devices •• SNMPv2c Community Strngfs) | pubiu. pmats

— LANsurveyor's network discovery discovers aU network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address

QSNNPv3 Devices Other IP Service Dixovery

I SNMPv3 Options..

Ivi LANsuveya Fejpcnder;

1 jP

LANsurvefo* Responder Password: SlC M P prg) 0Nel8ICS Ciwvs MSPCSer*
I I A ctve Directory DCs

Mapping Speed

0

Slower

Faster

Configuration Ma^aperon* Save 0 ixovery Confgwaiion. I Discovery Donf^uiaiijn..

|

Cored

Start Notv»o*k Dioco/cry

FIGURE 8.5: New Network Map window

6. The entered IP address mapping p ro cess will display as shown in the following figure
Mapping Progress
Searching for P nodes

HopO: 10 .0 .0 . 1 - 10 .0 .0.254

SNMP Sends

03 L A N surveyor rs capable o f discovering and m appm g m ultiple V L A N s o n Layer 2. F or exam ple, to m ap a switch connecting m ultiple, nonconsecutive V LA N s

SNMP R ecess: ICMP Ping Sends: ICMP Receipts Subnets Mapped Nodes Mapped Routers Mapped Switches Mapped Cancel WIN-D 39 MR5HL9 E4 Last Node Contacted:

FIGURE 8.6: Mapping progress window

7.

LANsurveyor displays die map o f your network

C E H L ab M an u al P ag e 156

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

SclaAVinds LANsurveyor - [Map 1] ■
Me Edit M anage M onitor Report Tools Avdow Help

|^ =

X

Q LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.

‫ & נ‬h KH‘> e

00

j

1*

151 v s 3 a 0 a s r& ©
v

- 1-1 ‫■־‬ ♦ ‫| ׳‬ solarwinds •‫׳‬

©.

id *T |100*;

&m o
1 11
W ti '.'S ilL C M W I

E tf=d N etwork Segments (1}

ff £

P Addresses (4) D omain Names (4)

‫־־‬

-4 fP M f fc hC
as

N ode Names (4) R e u te r

W f.-W SC'tlXM K-O

veisor
W1N-DWlllR»lLSt4 WIN D3JI H5HJ * «

LANjurveyor Responder Nodes SNMP Nodes SNM P Svntches H u b s SIP (V0 IPJ Nodes la ye r J Nodes

Overview

f*~|

* ft

Actrve Directory DCs Groups

­ ‫נ‬. ‫ נ‬. 0 .0 - • (.0.0.255

■ ‫״‬ V * 4U C O N JW R S fW W M N -L X Q N 3 W R J N S N
10006

‫ ׳‬non•'
100 9 1

12-

FIGURE 8.7: Resulted network diagram

Lab A nalysis
Document all die IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during die lab. T o o l/U tility In fo rm atio n C o llected /O b jectiv es A cliieved IP address: 10.0.0.1 -10.0.0.254 IP N o d e s D etails: ■ ■ ■ ■ SNMP Send - 62 ICMP Ping Send 31‫־‬ ICMP Receipts 4 ‫־‬ Nodes Mapped 4 ‫־‬

LA N Surveyor

N etw o rk seg m en t D etails: ■ ■ ■ IP Address - 4 Domain Names - 4 N ode Names - 4

C E H L ab M an u al P ag e 157

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

YOUR INSTRUCTOR

IF YOU H A VE Q U E S T IO N S T H IS LAB.

RELATED

TO

Q uestions
1. Does LANSurveyor map every IP address to its corresponding switch or hub port? 2. Can examine nodes connected via wireless access points be detected and mapped? In te rn e t C o n n ectio n R eq u ired □ Yes

0 No

P latform S upported

0 C lassroom

0 iLabs

C E H L ab M an u al P ag e 15S

E thical H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Mapping a Network Using Friendly Pinger
Friendly Pinger is a user-friendly applicationfor network administration, monitoring, and inventory
I CON 27 KEY

Lab S cenario
111 die previous lab, you found die SNAIP, ICMP Ping, Nodes Mapped, etc. details using die tool LANSurveyor. If an attacker is able to get ahold o f this information, he or she can shut down your network using SNMP. They can also get a list o f interfaces 011 a router using die default name public and disable diem using die readwrite community. SNMP MIBs include information about the identity o f the agent's host and attacker can take advantage o f diis information to initiate an attack. Using die ICMP reconnaissance technique an attacker can also determine die topology o f die target network. Attackers could use either die ICMP ,’Time exceeded" or "Destination unreachable" messages. Bodi o f diese ICMP messages can cause a host to immediately drop a connection. As an expert Network Administrator and Penetration T e ste r you need to discover network topology and produce comprehensive network diagrams for discovered networks and block attacks by deploying firewalls 011 a network to filter un-wanted traffic. You should be able to block outgoing SNMP traffic at border routers or firewalls. 111 diis lab, you will leani to map a network using die tool Friendly Pinger.

Valuable inform ation T est your knowledge

‫ס‬ m

W eb exercise W orkbook review

Lab O bjectives
The objective o f diis lab is to help students discover and diagram network topology and map a discovered network.
hi

diis lab, you need to: ■ ■ ■ ■ Discover a network using discovery techniques Diagram the network topology Detect new devices and modifications made in network topology Perform inventory management for hardware and software assets

C E H L ab M an u al P ag e 159

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab Environm ent
ZZ7 Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks To perform die lab, you need: ■ Friendly Pinger located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger

■ You can also download the latest version o f Friendly Pinger from the link h ttp :// www.kilievich.com/fpinge17do\vnload.htm ■ If you decide to download the latest version, dien screenshots shown in die lab might differ

■ A computer running Windows Server 2012 ■ A web browser widi Internet access ■ Administrative privileges to run die Friendly Pinger tool

Lab D uration
Time: 10 Minutes

O verview o f N e tw o rk M apping
Network mapping is die study o f die physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems ruining on networks. This tecluiique detects new devices and modifications made in network topology You can perform inventory management for hardware and software assets. Friendly Pinger performs the following to map the network: ■ Monitoring network devices availability ■ Notifies if any server wakes or goes down ■ Ping o f all devices in parallel at once ■ Audits hardw are and softw are components installed on the computers over the network

Lab Tasks
1. Install Friendly Pinger 0 x 1 your Windows Server 2012 2. Follow die wizard-driven installation steps and install Friendly Pinger.
task

1

Draw Network Map

3. Launch the S tart menu by hovering die mouse cursor in die lower-left corner of the desktop

C E H L ab M an u al P ag e 160

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

FIGURE 9.1: Windows Server 2012 - Desktop view

4. Click the Friendly Pinger app to open the Friendly Pinger window

S ta rt
^ You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.
Sen*r Manager Windows PowerSMI GOOQte Chrome Uninaall

Administrator

^

r_
C o m p ile r

m

*
H y p « -V Machine..

% ¥
Path Ana»/zer Pro 2.7 i l

&

Control Panol

V £
Eaplewr Command Prompt

9
M 02111a Firefbx

!‫ר״‬
■ Km

€ >
Sm nfcO L.

Friendly Pinger will display IP-address of your computer and will offer an exemplary range of IPaddresses for scanning

Fnendty PW^ff

O rte f

o

fl* IG

FIGURE 9.2 Windows Server 2012 - Apps

5. The Friendly Pinger window appears, and Friendly Pinger prom pts you to watch an online demonstration. 6. Click No
& To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. In the process of determination of the intermediate addresses, they will be displayed as a list in this window and a route will be displayed as red arrows on the map
‫ם‬ H

Friendly Pinger [Demo.mapl
fife E d it V ie w P in q N o t ific a tio n S can F W a tc h c r In v e n to r y H e lp ‫*־‬

1

1 ‫& □ צ‬£ - y a fit
V D o to

* ‫׳‬

Demons tration map

s
WoikStation
W ndc S ta tio n (*mall)

-

In la n d M .ui S h u ll cut S m v t i

^ 21/24/37
&

d ick the client orco to add ‫ ג‬new derice...

O G00:35

FIGURE 9.3: FPinger Main Window

C E H L ab M an u al P ag e 161

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

7. Select File from the menu bar and select die Wizard option L-!»j x ‫׳‬ Friendly Pinger [Demo.map]

r
□ | U

F ile | E d it

V ie w

P in g

N o t if ic a t io n

S ca n

F /fa tc l‫»׳‬er

In v e n to r y

H e lp

‫ ם‬Scanning allows you to know a lot about your network. Thanks to the unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network

*‫ י‬C ‫־‬ * %!‫ צ‬ft x
W eA

CtrUN Ctil+O

Gtfr Open... Reopen Uadate
Save. S «v« A t...

► C tr!‫־‬ » U
CtrUS

Clow t b Close A ll
f c V S a ve A s Im a ge... ^ ^ ^ 0 P rin t... Lo ck ... C reate

‫מ‬g

C trl'-B

Setup...
F9 Alt*■)(

‫ד‬ ‫ק‬

m

5T fr!

In la n d S c iy c i

Options...

X L F rit

Hob

JJ W orkstation a
r'r;m

--------Mnriem

Internet Hail Shoitcul Server

W inkStatiun

I1 ,1 1|

C icd t
C] Map occupies the most part of the window. Rightclick it. In the appeared contest menu select "Add” and then ‫״‬Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture

O d ll in itia l llldL

FIGURE 9.4: FPinger Starting Wizard

8. To create initial mapping o f the network, type a range o f IP a d d re sse s in specified field as shown in the following figure click Next
Wizard

-----

Local IP address:

10.0.0.7

The initial map will be created by query from DNS-server the information about following IP-addresses:

10.0.0.1 •2d

You can specify an exacter range of scanning to speed up this operation. For example: 10.129-135.1 •5.1 •10

| I Timeout

1000

The device is displayed as an animated picture, if it is pinged, and as a black and white picture if it is not pinged
? Help

Timeout allows to increase searching, but you can miss some addresses.

4 * gack

=► M e x t

X

Cancel

FIGURE 9.5: FPinger Intializing IP address range

9. Then the wizard will start scanning o f IP a d d re sse s list them. 10. Click Next

111

die network, and

C E H L ab M an u al P ag e 162

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Wizard
IP address
Name W1N-MSSELCK4K41

0 10. 0. 0.2
0 0 □ 10.0.0.3 10.0.0.5 10.0.0.7

Windows8
W1N-LXQN3WR3R9M W1N-D39MR5HL9E4

£L) Press CTRL+I to get more information about the created map. You will see you name as the map author in the appeared dialog window
The inquiry is completed. 4 devices found.

Remove tick from devices, which you dont want to add on the map

?

Help

4 * Back

3 ‫► ־‬Next

X

Cancel

FPinger 9.6: FPmger Scanning of Address completed

11. Set the default options in the Wizard selection windows and click Next
Wizard

£0 Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.

Qevices type:

W orkstation

Address

O Use IP-address
| ® Use DNS-name |

Name ‫ ח‬Remove DNS suffix

A dd* ion

O A dd devices to the new map
(•> Add devices to the current map

7

Help

!► Next

X

Cancel

FIGURE 9.7: FPinger selecting the Devices type

12. T hen the client area will displays the Network map in the FPinger window

C E H L ab M an u al P ag e 163

E th ica l H a c k in g an d C o u n term easu res Copyright © by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

V
F ile E d it View/ P in g N o t ific a T io n S can

Friend ly Ping er [Default.map]
F W a tc h e r in v e n t o ry H e lp

_

□1

x ‫י‬

H ‫>׳״‬
‫ ם‬If you want to ping inside the network, behind the firewall, there will be no problems If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. Same with the proxy server.

£ ft J* & g

FIGURE 9.8 FPmger Client area with Network architecture

13. To scan the selected computer in the network, select die com puter and select the Scan tab from the menu bar and click Scan
Friendly P ing er [Default.map]

file

Edit View Ping Notification

Scan FWrtchp Inventory Help Scan..

^ You may download the latest release: http: / /www. kilievich.com/ fpinger.

L b‫ם‬

-y a *

e? M

F61

50* m

click the clicnt area to add snew devicc..

233:1

3 / i/ 4

^

00:00:47

Q Select ‫״‬File | Options, and configure Friendly Pinger to your taste.

FIGURE 9.9: FPinger Scanning tlie computers in the Network

14. It displays scan n ed details in the Scanning wizard

C E H L ab M an u al P ag e 164

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Scanning
Service & ] HTTP £ ] HTTP Compute W1N-MSSELCK... W1N-D39MR5H... Command f a h ttp://W IN -M S S ELC X 4M 1 http://W IN -D39M R5H L9E 4

£□ Double-click tlie device to open it in Explorer.

S c a n n in g co m p le te Progress

^‫׳‬JB escan
y ok X Caned

? H elp

FIGURE 9.10: FPinger Scanned results

£□ Audit software and hardware components installed on tlie computers over the network

15. Click the Inventory tab from menu bar to view die configuration details o f the selected computer T ^ rr‫־‬ Friendly P h g e r fD efault.m apl V
P k E d it V 1« w P in g N o t if ic a t io n S<*n F W a tc h c r I r v c n t o ry \ N d p ___________________

1 ‫ ג‬C a : * BS J
m

\&\^ ‫* ׳‬
E l Inventory Option!.‫״‬ Ctil-F#

Tracking user access and files opened on your computer via the network

FIGURE 9.11: FPinger Inventory tab

16. The General tab o f the Inventory wizard shows die com puter name and installed operating system

C E H L ab M an u al P ag e 165

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

W
File Edit View Report Options Help

Inventory

la e:
W IN-D39MR5HL9E4 |g General[ Computer/User M isc| M 'j

0 ‫־‬S ? 1 1 ■ E
H ardware] Software{ _v) History| ^
K

>

CQ Assignment of external commands (like telnet, tracert, net.exe) to devices

Hos* name User name

|W IN-D39MR5HL9E4 !Administrator

W indows Name Service pack |W indows Server 2012 Release Candriate Datacenter

C otecton tme Colecbon time 18/22 /2 0 12 11 :2 2:3 4 AM

FIGURE 9.12: FPinger Inventory wizard General tab

17. The Misc tab shows the Network IP ad d resses. MAC a d d re sse s. File System , and Size o f the disks 5 Search of HTTP, FTP, e-mail and other network services
Inventory
File Edit View Report Options Help

x ' ©

eig ?

0 ₪ *a a
G*? fieneraj Misc hardware | Software |
Network IP addresses MAC addresses 1 10.0.0.7 D4-BE-D9-C3-CE-2D

History |

J o ta l space Free space

465.42 Gb 382.12 Gb

Display $ettng$ display settings [ 1366x768,60 H z, T rue Color (32 bit)

Disk 3 C

Type Fixed Fixed

Free, Gb 15.73 96.10
■—

Size, Gb 97.31 97.66

£ 84
2

File System NTFS NTFS

A

Function "Create Setup" allows to create a lite freeware version with your maps and settings

S D
— -

FIGURE 9.13: FPinger Inventory wizard Misc tab

18. The H ardw are tab shows the hardware com ponent details o f your networked computers

C E H L ab M an u al P ag e 166

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

T T
File E dit V ie w R e p o rt O p tio n s H e lp

0 ^ 1 3 1 0
H
w

1N-D39MFS5HL9E4||

General

Miscl

Mi

H a rd w a re [^ ]

Software

History |

<

>1

4x Intel Pentium III Xeon 3093 B Mem ory

4096 Mb - Q j BIOS

<2 Q |

A T/AT COMPATIBLE DELL Genetic PnP Monitor

• 6222004 0 2/0 9/1 2

- £ ) ‫ י‬Monitors

-

■ V Displays a dapters B j) lnte<R) HD Graphics Family D is k drives
q

E O -

ST3500413AS (Serial: W2A91RH6)

^

N e tw o rk a dapters | j | @ netrt630x64.inf,% rtl8168e.devicedesc% ^ealtekPQeG BE Family Controller S CS I a nd R A ID controllers @spaceport.inf,%spaceport_devicedesc%;Micro$oft Storage Spaces Controller

-^

I
FIGURE 9.14: FPinger Inventory wizard Hardware tab

J

19. The Softw are tab shows die installed software on die computers
Inventory
File Edit View Report Options Help

------------------ H
0 ‫י‬€ 1 3 1 0

[£ )Q 5 r
WIN-D39MR5HL9E4
G§* general | M ‫׳‬sc \

H«fdware| S

Software

History | QBr <
A

>

Q Visualization of your com puter network as a beautiful anim ated screen

Adobe Reader X (10.1.3) eMaiTrackerPro EPSON USB Display Friendfy Priger IntelfR) Processor Graphics Java(TM) 6 Update 17 Microsoft .NET Framework 4 Multi-Targeting Pack Microsoft Appfcation Error Reporting Microsoft Office Excel MUI (English) 2010 Microsoft Office OneNote MUI (English) 2010 Microsoft Office Outlook MUI (English) 2010 Microsoft Office PowerPoint MUI (English) 2010 Microsoft Office Proof (English) 2010 Microsoft Office Proof (French) 2010 Microsoft Office Proof (Spanish) 2010 O ff*** Prnnfirxi (Pnnli^hl ? fllfl T e ta S Name Version Developer Homepage |f t Go

V

FIGURE 9.15: FPinger Inventory w!2ard Software tab

Lab A nalysis
Document all die IP addresses, open and closed ports, services, and protocols you discovered during die lab.

C E H L ab M an u al P ag e 167

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

T o o l/U tility

In fo rm atio n C o llected /O b jectiv es A chieved IP address: 10.0.0.1 -10.0.0.20 F o u n d IP address: ■ ■ ■ ■ 10.0.0.2 10.0.0.3 10.0.0.5 10.0.0.7 Computer name Operating system IP Address MAC address File system Size o f disk Hardware information Software information

D etails R esult o f 10.0.0.7: F rien d ly P in g er ■ ■ ■ ■ ■ ■ ■ ■

YOUR INSTRUCTOR

IF YOU H A VE Q U E S T IO N S T H IS LAB.

RELATED

TO

Q uestions
1. Does FPinger support proxy servers firewalls? 2. Examine the programming o f language used in FPinger .

In te rn e t C o n n ectio n R eq u ired □ Yes P latform S u p p o rted 0 C lassroom 0 iLabs 0 No

C E H L ab M an u al P ag e 168

E thical H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab

Scanning a Network Using the NessusTool
Nessus allowsyou to remotely audit a netirork and determine if it has been broken into or misused in some n ‫׳‬ay. It alsoprovides the ability to locally audit a specific machinefor vulnerabilities.
I CON KEY 7= 7 ‫־‬Valuable
m form ation

Lab S cenario
111 the previous lab, you learned to use Friendly Pinger to m onitor network devices, receive server notification, ping information, track user access via the network, view grapliical traceroutes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types o f attacks ranging from DoS attacks to unauthorized administrative access. I f attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall. I f an attacker gains physical access to a switch 01 other network device, he or she will be able to successfiUly install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration o f the device. Also, it is very im portant that you use some methodologies to detect such rogue devices 011 the network. As an expert ethical h ack er and penetration te ste r, you m ust understand how vulnerabilities, com pliance specifications, and co n ten t policy violations are scanned using the N essus rool.

s

T est your knowledge W eb exercise

m

W orkbook review*

Lab O bjectives
This lab will give you experience 011 scanning the network for vulnerabilities, and show you how to use Nessus. It will teach you how to: ■ ■ Use the Nessus tool Scan the network for vulnerabilities

C E H L ab M an u al P ag e 169

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab Environm ent
£ ‫ ז‬Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks To cany out die lab, you need: ■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning NetworksW ulnerability Scanning Tools\N essus

■ You can also download the latest version o f Nessus from the link http: / / \vw\v. tenable.c om / products/nessus/nessus-dow nloadagreement ■ I f you decide to download the la te s t version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 ■ A web browser with Internet access ■ Administrative privileges to run the Nessus tool

Lab D uration
Time: 20 Minutes

O verview o f N essus Tool
m Nessus is public Domain software related under the GPL.

Nessus helps students to learn, understand, and determine vulnerabilities and w eaknesses o f a system and network 111 order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.

Lab Tasks
8 TA sK 1

Nessus Installation

1. To install Nessus navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning NetworksW ulnerability Scanning Tools\N essus 2. Double-click the Nessus-5.0.1-x86_64.msi file. 3. The Open File - Security Warning window appears; click Run ‫־ד‬5‫ך‬ O pen File Security Warning
D o y o u w a n t t o r u n t h is f i e ?

fJ a n e ‫־‬ P u d s h t ‫׳‬: Type

/ lk g r t \ A d m in irt r a t 0 r \ D e t H 0 D 'v N e c s 1 K - 5 0 2 -6 £ & ‫ר‬ C. r r K I c n a M c N e t w o r k S e c u r it y I n t. W in d o w s Installe r P a c k a g e

From;

C ;\lb c m A d m in i3 t‫׳‬ato1\Doklop\Ne11u1-5.02-*66 $ 4 -.

Run

CencH

" ^ 7 Nessus is designed to automate the testing and discovery of known security problems.

V A lw a y s e sk c e fc r e o p e n in g t h e file

W h Jr f i : « f r o m t h e In t& n e t c a n b e u sefu l, t h is f ile t y p e can p o te n tia lly ^ harm > o u r c o m p u t e r O n ly run s o ftw a r e f r o m p u b lt ih e n y e n t r u s t W h a t s th e nsk?

FIGURE 10.1: Open File ‫ ־‬Security Warning

C E H L ab M an u al P ag e 170

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

4. The N essus - InstallShield Wizard appears. D ining the installation process, the wizard prom pts you for some basic information. Follow die instructions. Click Next.
$
Tenable Nessus (x64) ‫ ־‬InstallShield Wizard
Welcome to the InstallShield Wizard for Tenable Nessus (x64)

m The updated Nessus security checks database is can be retrieved with commands nessus-updatedplugins.

The In sta lS h 1eld(R) W izard wdl n s t a l Tenable N essus (x64) on your com puter. T o continue, d d c N e x t.

W ARN ING : T h s program is p ro te cte d b y cop yrig ht law and n te rn a tio n a l treaties.

< Back

Next >

Cancel

FIGURE 10.2: The Nessus installation window

5. Before you begin installation, you must agree to the license agreem ent as shown in the following figure. 6. Select the radio button to accept the license agreement and click Next.
!‫;ל‬
Q Nessus has the ability to test SSLized services such as http, smtps, imaps and more.

Tenable Nessus (x64) - InstallShield Wizard
P lease read the following k e n s e a greem en t carefully.

L ic e n s e A g r e e m e n t

Tenable Network Security, Inc. NESSUS® software license Agreement

This is a legal agreement ("Agreement") between Tenable Network Security, Inc., a Delaware corporation having offices at 7063 Columbia Gateway Drive. Suite 100, Columbia, MD 21046 (“ Tenable"), and you, the party licensing Software (“ You‫)״‬. This Agreement covers Your permitted use of the Software BY CLICKING BELOW YOU !unir.ATF v m iB Ar.r.FPTAMr.F np t w / . q ArtPFPMFUT auh 0
Nessus security scanner includes NASL (Nessus Attack Scripting Language).
acce p t the term s in the k e n s e ag reem en t O I d o n o t a cc e p t the term s n the k e n s e a greem en t In s ta lS h ie k J-------------------------------------------------------------< Back Next > Cancel P rin t

FIGURE 10.3: Hie Nessus Install Shield Wizard

7. Select a destination folder and click Next.

C E H L ab M an u al P ag e 171

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Tenable Nessus (x64) - InstallShield Wizard
D e s t in a t i o n F o ld e r

Click Next to instal to this folder, or ckk Change to instal to a different folder.

Ibdl Nessus gives you the choice for performing regular nondestructive security audit on a routinely basis.

£>

Instal Tenable Nessus (x64) to: C:\Program Ftes\Tenable Nessus \ Change...

InstalSh ield

< Back

Next >

Cancel

FIGURE 10.4: Tlie Nessus Install Shield Wizard

8. The wizard prom pts for Setup Type. W ith die Com plete option, all program features will be installed. Check Complete and click Next.
Tenable Nessus (x64) ‫ ־‬InstallShield Wizard
Se tu p T ype

Choose the setup type that best smts your needs.

Q Nessus probes a range of addresses on a network to determine which hosts are alive.

FIGURE 10.5: The Nessus Install Shield Wizard for Setup Type

9. Tlie Nessus wizard will prom pt you to confirm the installation. Click Install

C E H L ab M an u al P ag e 172

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Tenable Nessus (x64) - InstallShield Wizard
R e a d y t o In s t a ll th e P r o g r a m

Nessus probes network services on each host to obtain banners that contain software and OS version informatioa

The w izard is r e a d y to b e g n n s ta la tio n .

Click Instal to begn the nstalatoon. I f you want to review or change any of your installation settings, dfck Back. C kk Cancel to exit the wizard.

InstalShield

< Back

Instal

Cancel

FIGURE 10.6: Nessus InstallShield Wizard

10. Once installation is complete, click Finish.
Tenable Nessus (x64) ‫ ־‬InstallShield Wizard
InstalShield Wizard Completed

Q Path of Nessus home directory for windows \programfiles\tanable\nessus

The InstalShield Wizard has successfuly nstaled Tenable Nessus (x64). Ckk Finish to exit the wizard.

Cancel

FIGURE 10.7: Nessus Install Shield wizard

N essus Major D irectories ■ The major directories o f Nessus are shown in the following table.

C E H L ab M an u al P ag e 173

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

N essus H om e D ire c to ry 1 W in d o w s \Program Files\Tenable\Nessus

Nessus S u b -D ire c to rie s

P urpose

\conf \data

Configuration files Stylesheet templates Nessus plugins User knowledgebase saved on disk

feUI During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required
----------------------- - 1 >

\nessus\plugins \nassus\us«rs\<username>\lcbs

\ no33us\ logs

, Nessus log flies -------------------------- 1

TABLE 10.1: Nessus Major Directories

11. A fter installation Nessus opens in your default browser. 12. The W elcome to N essus screen appears, click die here link to connect via SSL

w e lc o m e to N essus!
P Im m c o n n e c t v ia S S L b y c lic k in c J h » r « .

Y o u a r e h k e ly t o g e t a s e c u r it y a le r t f r o m y o u r w e b b r o w s e r s a y in g t h a t t h e S S L c e r t if ic a t e i s in v a lid . Y ou m a y e it h e r c h o o s e t o te m p o r a r ily a c c e p t t h e r isk , or c a n o b t a in a v a lid S S L c e r t if ic a t e f r o m a r e g is t r a r . P le a s e r e f e r t o t h e N e s s u s d o c u m e n t a t i o n f o r m o r e in fo r m a tio n .

FIGURE 10.8: Nessus SSL certification

13. Click OK in the Security Alert pop-up, if it appears Security Alert
— T h e N essus Server Manager used in N essus 4 has been deprecated

‫ע‬

J j You are about to view pages over a secure connection.
Any information you exchange with this site cannot be viewed by anyone else on the web. ^In the future, do not show this warning OK More Info

FIGURE 10.9: Internet Explorer Security Alert

14. Click the Continue to this w eb site (not recom m ended) link to continue

C E H L ab M an u al P ag e 174

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

&* ^
X Snagit g j

II

Ccrtficate Error: Mavigation... '

£t

1

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this websrte was issued for a different website's address. Sccunty certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
W c recommend th a t you close this webpage and do not continue to this website.

d Click here to close this webpage. 0 Continue to this website (not recommended).
M ore information

FIGURE 10.10: Internet Explorer website’s security certificate

15. on OK in the Security Alert pop-up, if it appears.
£Q! Due to die technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted to browsers

Security Alert
1 C. i ) ^ou are a^out t0 view pages over a secure connection Any information you exchange with this site cannot be viewed by anyone else on the web. HI In the future, do not show this warning

1

OK

More Info

FIGURE 10.11: Internet Explorer Security Alert

16. Tlie Thank you for installing N essus screen appears. Click the Get S tarted > button.

R ff
W e lc o m e t o N e s s u s ‫׳‬ T W 1k you loi I11«ldlll1 •j tin• w uM 1 • >>< h * i 1i Nwmu* dllim i v»u to pwloiin

m warning, a custom certificate to your organization must be used

1I *ah 3pe«d vulnerability discovery, to <Je?e‫־׳‬r re *Ivcn hcets are njmlna nhich se1v 1r.es 1 AijnnlUiai Auditing, la 1 m U w t« no Im l )■ » ia aacurlty |W ■I ■ > !! > L-umplianca chocks, to verify and prove that eve‫ ־‬, host on your network adheres to tho security potcy you 1 ‫ י‬Scan scliHliJing, to automatically iu i *cant at the you ‫ ׳‬And morel

!!•< stofted >

FIGURE 10.11: Nessus Getting Started

17. 111 Initial A ccount Setup enter the credentials given at the time o f registration and click Next >

C E H L ab M an u al P ag e 175

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

p

• o («*•*<‫»*״‬.‫>״‬ . ec

Wefconeu Neaus

In it ia l A cco u n t S etu p
First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/deiete users, stop ongoing scans, and change the scanner configuration.
loo*n: admin

Confirm P.ivwvoiri. < Prev | Next > |

Because fAe admin user can change the scanner configuration, the admin has (he ability to execute commands on the remote host. Therefore, It should be
i that the admin user has the same privileges as the * root‫( ״‬or administrator) user on the remote ho■

FIGURE 10.12: Nessus Initial Account Setup

18. 111 Plugin Feed R egistration, you need to enter die activation code. To obtain activation code, click the http://w w w .nessus.org/register/ link. 19. Click the Using N essus a t Home icon in Obtain an Activation Code
> ■ el

m If you are using tlie Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins

<9> TENABLE Network Security*
I n CertiriMtion

mi (A* C A ftC M in ‫ז‬
Support

Resources

IriM h lr Product*. PiotfuU Oi'eniB* Nksui AudHai

Obtain an Activation Code
Using Nesaus a l Work? A l’ 1 nW*a4» . ^ - ‫״‬ wUk1uV 4cM * fu< all Using Nessus at Home? A Ham■( ■ml lUbtCltpMl Is DM 4 r«l tec h t m Mia ootj

.1ndi■

N w m Plug**

.Sjirplr Repom

N«MUi FAQ
Vk«le Ostlrtt FAQ

in

Dtptovmam 1>:001u
Mewos Evukoiion Training

FIGURE 10.13: Nessus Obtaining Activation Code

20. 111 N essus for Home accept the agreement by clicking the Agree button as shown in the following figure.

C E H L ab M an u al P ag e 176

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

ecem •‫■ י• ׳‬ ‫ ••־‬-•‫־■״‬. nr.• ■

Wokerne 10 NaMi

■ U s u ilv U tn ir n N t

Bw* m s i
1*vtl ProtoiaioaaJFetid

m bbithiiii enjoy You M ! •otu u 1
. The Netare rtoaaafecd

d o *1*c* gn* you io : w
Product Overview Features N055ue b> Buwwct Naasus ter Horn* W*y U p* «rit> to New#* * 7 Nesius MoMe A!(n

to of 1K 0v>yov to perform < dedR 0( *S* Tw Nes*u» llrtual apCliMK* 1Nmhh Hom Fnd Mibscilpllon it a■elable lot ptnoia) mm ‫ •י‬a I ( oaty. tt is net lot use by any commercial oigani/atna !on 1q«t! c*«»*| or v w * I n m * i i w M n i tr.iimvj Trawtoa Program ft* n•**) 0<>1ri; ■itlonf.

t

To »w •^ • # ! 1k* M m ii HowFbwJ »«tncri|40 n lot lo »1 «m |f c w cfe* ‘ ^ 7‫ ’ • •׳‬to k u « i *to Himi «1 «m and bagln the downlMd prooaat• SU8VCWII0M ACM I Ml NI

N w m PlufllM

Sarnia Rapatto N m a i fAQ VWtlu 0#>lM4 I AQ Deployment Options •‫־ » ׳ ״‬SuypmW n m •‫■יי‬Ini 01 Ope‫״‬nlr*j SyvtMn otw *tov>on1e) 1nok1a»«to to• 1 Mveelfe f%9 a fA Q 0t Naasaai fA£ lound on arry lenaUc « v *&01 ncto4 n! n n u n M o iy • • R •**«»•wna#-»*<1 S «4xc>|pl«n You agio• 1 0 r«v to *•‫ *«<« ״‬to• 10 T<«atd» to• each •yatoan which You havo inetrJted a Prjntr'K l Scam*• T‫ « »׳‬r ^ (Vg n v tiloni K.:»*iht1i«1iirg 1N» pit^ifcrtcn 0• c o m w cid v•• m S*c»m 2141.1 Vau ar« a *akiarxj otsnrkalon. You may copy M M !•*g et •MMMaM T t N t V t NM«U» M d Tm1U» HonMF«*d S<Mot*«M rw g to M toa<trw h •ad to« * ♦ e»»»ootn &e«lng onV Upon eompte^oti ot # * d m f*» J a to T i rigM to d a Itia Pkj£n& piotUfed by Via HomaFaad Subscription is

K »

o n

*

I* « ra aI

Ayee^aeann r«ftj (of ana pay an! <?AcaM«• tee■ ■associated - r t»•! Subscriptia• You awv not u&e tw H>r‫ *׳‬f sad SutricripUo $1anted to You lot »[‫ גי»» י‬puipoMS to aacuia Y«u>01 any third party’s , itatrvoifcs or to any efea■ •■ **e 'ltt dM M oai !raning h a r*xvp 10A 1clon «nv»on‫׳‬n*rr T m U a an y k t a a u h it o a Sut«rp#on undat this Soctnn 2 131 1 to•! C i s t * Massus Ftegm L«.<lopmcnt I apmant and Dtsoibullan Tenable I « & ‫ ״‬JM 1a<(1 at fta Subscriptions 10 mfle and d a v £ f 1

«#F«d S » t‫־‬vjlp‫־‬i:1‫«( ׳‬. actable n*coxtone* « rthtoeS u ts< ‫־‬i*

{c

FIGURE 10.14: Nessus Subscription Agreement

21 Fill in the R egister a HomeFeed section to obtain an activation code

S l f you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the N essus server. Note: The Activation Code is not case sensitive.

and click Register.
ENTER SEARCH TEXT

*

TE N A B LE N e tw o rk S e c u rity
Partner* Ira in in g

GO!

f t

(V rttflratto n

R eso u rces

.Support • print |

Iriu ih lr I'rorfiirtr
Pioduct O v m v Iow Nos»us Auditor OuntSes N«84ua Ptu^lns Documentation Sample Repona N«5 sus FAQ Motde Devices FAQ Deployment Options Nes3u3 Evaluation Training

Register a HomeFeed

‫ס‬

T0 stay up to dah» with tlwi N 11tit>u1>pljgint you must tt‫־‬ •; em ai M td rn t to utilch an activation code wll be *ert Ye shared ‫׳‬.vtth any 3rd pany.

IM # tl4v jfe d
> 1 1 U nil! not t

■ ‫• *•*• ־‬

con^

□ Check lo receive updates from Tenable

I npqi<;tpr I
FIGURE 10.15: Nessus Registering HomeFeed

22. The Thank You for R egistering window appeals for T enable N essus HomeFeed.

C E H L ab M an u al P ag e 177

E th ica l H a c k in g an d C o u n term easu res Copyright C by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

. ‫׳‬V j .

*>■ «Y«.to ‫י‬ EN TER SEARCH I E ■ (

TE N A B LE N e tw o rk S e c u rity 1
solutions Products Services Partners iraimna & certification Resources Support About tenable Store >print | » sltare Q

Ten a b le P ro d u c ts

nessus

Thank You for Registering!
Thank jrou tor reghletlag your ‫ ז‬eon bit‫ ׳‬Ni-viun HomeFeed An em al eonraMng w a actlvafen rode hA» just b««n Mint to you al tie email • M m you ptavWed Please note that »*• Tenable Ne-uut HomeFeed 11 available for hoata u m oolr If you want to uaa Naasu* at your place of business, you must outcKase the Nessus Proteaaowageed Akemaiet. you n ay purchase a subscription to the Nessus Porimolot S arnica and te a * in Mis cioudl Tha N a t t u i Ponawlci Service does no( require any software download. Foi more artonnafon on t w HomsFeed. Professional eed and Nessus Perimeter Ser.ice. please visit our Discussions Forum.

T e n a b le C h a rita b le & Train in g O rg a n iz a tio n P ro g ra m Te nable N c t i n i l S c a iH y offers N essu s I'rc tttw o M f eed 1 uMcnp«on• •t no cost to ctiirttabi• orqarization• I

Product Overview Nessus Auditor Bundles Nessus Plugins Documentation

217After the initial registration, N essus will download and compile the plugins obtained from port 443 of plugins.nessus.or gpluginscustom ers.nessus .org

Sample Reports Nessus FAQ Mobile Devices FAQ Deployment Options S m u t Evaluation I raining

FIGURE 10.16: Nessus Registration Completed

23. N ow log in to your email for the activation code provided at the time o f registration as shown in the following figure.

r
I

< d 1X»»S •UfKftCiC X _ uSm9 Sma yanooco-n' ‫•״‬ Sm>Cu1 Oft■•■ >

• •> • » •

Y A H O O ! MAIL

1t»e Homefaea Activation Cooe

MIMDtlalt

1 0 1■■ -•O n H O O O O l*
Th■* )0ulw rejnlem j row N n w i k » * x a t»ll> scanting I you usa Hat (us n ‫ ג‬professoral 09301 10u Th* M»«u» H«mef««d gubKtcton • m II keep <»1» Netful a s*:fess1crulF«c 2ut>cagttc«1 : • «« k «Mr tie lalnl fluent ler

‫ י‬N M tut K i g i i i o i

Tns6*one4m »‫׳‬o » n ‫ ׳‬#ou•u new wtepswirascamtriiiHinario C««eusngmt srccediret Strpw .

cu itm*

Pltat*CCnWtlf*HWtl1t i **ttliaWn &•& No Inlfmel Acoe1» an 1 w Mm«ui M >t« MeH4 J« 1n«t|11»1»ncamoi ‫׳‬ ‫י*ז«•׳‬f • You can Andot>n« 1 c ‫־‬ jlst11l»Jt1irutveasnj *

■ w «,!te.^ffiwr.flgm.'iti'HMiitltinMSua^jaiiifrtiiwft*‫• ***יי‬
t — »** ‫״‬e»a ‫*>»**׳‬Me• in MWmtt' ptsteOir* to pMtie U*l ana c

■c n m te la poem > » »a « m u a 1 j ‫ •מ׳‬immi puj-<n»

Mtx caaa in it a ia ia ftB fl

FIGURE 10.17: Nessus Registration mail

24. N ow enter the activation code received to your email I D and click Next.

C E H L ab M an u al P ag e 178

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

F
P lu g in Feed R e g is tra tio n

" •‫״‬

- ,®[‫ ן‬Wekcm* 10 Meuvt 9

As• in fo rm a tio n ab o u t n ew vu ln e ra b ilitie s 18 d is co ve re d an d re lea se d in to th e p ublic d o m a in , T en a b le 's re se arc h s ta ff d esig n s p ro g ra m s (" p lu g in s ”) th a t e n a b le N es su s t o d e te c t th e ir p res en c e. T h e plugins co n tain v u ln e ra b ility In fo rm a tio n , t h e alg o rith m to te s t fo r th e pres en c e o f th e se cu rity Issue, a n d a se t of re m e d ia tio n actio n s. T o u se Nessus, y o u n eed to sub scribe to a "Plugin F eed *. You can do so b y v o t in g h ttp . / / w w w .n es su s .o rQ y reo ls te r/ to o b ta in a n A c tiv a tio n C o d e.

IbsdJ Once the plugins liave been downloaded and compiled, the Nessus GUI toUinitialize and the Nessus server will start

To use Nessus at your workplace, pufdiaae a

com metGd Prgfcaatonalfccd

• To u m N c M u ti a t 10 a n o n ■com m ercial h o m e e n v iro n m e n t, yo u ca n g et 11 H o iim F e od for fre e • Te n a b le Securltv C e n to r usore: E n ter 'S o a irlty C e n te r* in th e field b elow • To p e rfo rm o fflin e plu g in u p d ates , e n te r 'o fflin e ' In th e field b elow A c tiv atio n C ode

P lease e n te r y o u r A ctiv atio n C o d e :|9 0 6 1 -0 2 6 6 - 9 0 4 6 -S 6 E 4 - l8 £ 4 |

x |

O p tio n al P ro xy Settin g s < Prev N ext >

FIGURE 10.18: Nessus Applying Activation Code

25. Tlie Registering window appears as shown in die following screenshot.
C fx * B s ~ ** ■ d *-h o *

P • 0 Cc**uttemH S C

J wefc<•*‫ <׳‬to

m

ft *

o 1

R e g is te rin g ...
R egistering th e scan n er w ith T e n a b le ...

FIGURE 10.19: Nessus Registering Activation Code

26. After successful registration click, Next: Download plugins > to download Nessus plugins.
m Nessus server configuration is managed via the GUI The nessusdeonf file is deprecated In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI
P • O Ce*rt<*e««o« &
‫[ ן‬x

C|

Wetcone to N essus

a

■ ‫־־‬

‫׳ ־‬*‫יי‬ ft * o

R e g is te rin g ...
S u ccessfu lly re g istere d th e sc an n e r w ith T e n a b le. Su c ce ss fu lly c rea te d th e user. | N e x t: D o w n lo ad plugin a > |

FIGURE 10.20: Nessus Downloading Plugins

27. Nessus will start fetching the plugins and it will install them, it will take time to install plugins and initialization

N ess u s is fe tc h in g th e n e w e s t p lu g in set
P le a a e w a it...

FIGURE 10.21: Nessus fetching tlie newest plugin set

28. H ie N essus Log In page appears. Enter the U sernam e and Passw ord given at the time o f registration and click Log In.

C E H L ab M an u al P ag e 179

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

/>. 0
• T A S K 2

tc

Network Scan Vulnerabilities

nessus
I « •« ‫״‬ ‫׳‬ L TENA»Lg

i

Q For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.

FIGURE 10.22: The Nessus Log In screen

29. The N essus HomeFeed window appears. Click OK.

, 1

/

/

/

1

nessus
w l oaiiUtanter any oust fton* oroigMtaAofii M • to a PTOtoMknalFMd Subecrtpfcxi ha<•

inn r m m i v a u u r a h m k M to Itw id T B tH il lr» n m r ■ ■ ] • tntima to MMW uNM y i M W M u w may load 10 (*iMoaAon J m i u h (eepenew.

190* - ?0121)nM 1 N M M s*.o r* / nc

OK I

FIGURE 10.23: Nessus HomeFeed subscription

30. After you successfully log in, the N essus Daemon window appears as shown in the following screenshot.
m To add a new policy, chck Policies ‫ ^־־‬Add Policy.

FIGURE 10.24: The Nessus main screen

31. I f you have an A dm inistrator Role, you can see die U sers tab, which lists all U sers, their Roles, and their Last Logins.

C E H L ab M an u al P ag e 180

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

New policies are configured using the Credentials tab.

FIGURE 10.25: The Nessus administrator view

32. To add a new policy, click Policies ‫ >־‬Add Policy. Fill in the General policy sections, namely, Basic, Scan, Network C ongestion, Port S canners, Port Scan Options, and Perform ance.

^W ARNING: Any changes to the N essus scanner configuration will affect ALL N essus users. Edit these options carefully

FIGURE 10.26: Adding Policies

33. To configure die credentials o f new policy, click die C redentials tab shown in the left pane o f Add Policy.

C E H L ab M an u al P ag e 181

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

m The most effective credentials scans are those for which the supplied credentials have root privileges.

FIGURE 10.27: Adding Policies and setting Credentials

34. To select the required plugins, click the Plugins tab in the left pane o f Add Policy.
P • . ‫״״»׳‬

m If you are using Kerberos, you must configure a Nessus scanner to authenticate a KDC.

W OWBlc/Otr!«c» U rir

18W8 eo? 1 Ax aunt 0+m * ‫ *י‬7 O ‫י יני יי‬ ‫ ין‬..‫■ וי‬OCUkttO'ta •• O o

- J ’UrKlnl IoiiiiiIii «>>uII.W

^

r» u « !j Suit# 1« o !v .b Oan ottKdfenwct,

A»««l fc**‫ ״‬ftM ■* 2m* L*»r> *> Ik n U . 1‫ ע ט י‬BaiHir r>KM1 &a.*3r Pa« 20 AO. R ntrciin ftwaia

(a) 0«neral Vj GenlTOUKBlS*aj‫*׳‬yChK*» y mp-ux L0Ca Seaifty c ‫ ׳‬k » i Jurat UjcU Sacunty ChKM 3wopn» Trie *m att tc* f*»1 Cik r e TCP p o ll *22 1WO. ‫ ז‬75‫יי***ד‬ **••*nee wmpars

O 1CWI ■■!Cl 1 Pi■ ‫ — ן‬C 1 1 * Mawagwwew Oefcnon O 1& ‫ מ ז‬C C H o AfflUM* p*01 ( « ‫׳‬Melon O c« 1tar« KTTP P ra ! Si t * ! Hcd H a t tt Rurola DoS <J 120M C tc d P o * F.irVVal 4■, 1 ‫ ו‬. uae VjInentollB |0 f . FS|

ffj»wy U ely B ia lK W 5 isA O io a i* sc rtr

‫־‬ TCP&221 ‫ מ>׳»!יא‬1‫ ני‬W vwrtce‫־‬CT. 17* M t i K t A w k l m s j . TCP.'1781 4‫־*יז‬.‫ )ייי*ו‬tc f irtocn U xlum g

FIGURE 10.28: Adding Policies and selecting Plugins

35. To configure preferences, click the P references tab in the left pane o f Add Policy.
If the policy is successfully added, then the Nessus server displays the massage 38.

a

36. In the Plugin field, select D atabase se ttin g s from the drop-down list. 37. Enter the Login details given at die time o f registration. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA. 39. Click Submit.

C E H L ab M an u al P ag e 182

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

C D Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

FIG U R E 10.29: Adding Policies and setting Preferences

40. A message P olicy “N etw ork S can _P olicy‫ ״‬w a s s u c c e s s fu lly added displays as shown as follows.

FIG U R E 10.30: The NetworkScan Policy To scan the window, input the field name, type, policy, scan target, and target file. ‘

41. Now, click S c a n s ‫ >־‬Add to open the Add S ca n window. 42. Input the field N am e, T ype, P olicy, and S ca n T arget 43. 111 S ca n T argets, enter die IP address o f your network; here in this lab we are scanning 10.0.0.2. 44. Click Launch S ca n at die bottom-right o f the window.
N ote: The IP addresses may differ in your lab environment

C E H L ab M an u al P ag e 183

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council

Module 03 - Scanning Networks

Nessus lias the ability to save configured scan policies, network taigets, and reports as a .nessus file.

FIG U RE 10.31: Add Scan

45. The scan launches and sta r ts sca n n in g the network.

FIG U RE 10.32: Scanning in progress

S ' Tools dem onstrated in this lab are available in D:\CEH• Tools\CEHv8 Module 03 Scanning Netw orks
fc

46. After the scan is complete, click the R eports tab.

FIG U RE 10.33: Nessus Reports tab

47. Double-click Local N etw ork to view the detailed scan report.
^

‫י‬..-*— ■ d

gMtyi

Bn■ B m tn

.

Cvwii

'

So-Mity

‫—« ״‬ H m n t ■w 11 ■1 I K INWI

‫״׳• *־׳‬ •M m Me

Z
•‫נ־י■׳‬ ‫< ז*ו‬ •< HM HM
m jm

M Ul-a* •*«-—■».»» * «Qi

C«uMUrm tlmb«n rf

UTMMB1W . i■■— 1

•M M •

£ [

l«v>

KTT* I n ■ T!•• M VIW M H N « M < N ilr a W U II M tW M « l

Wt W M W lK M l

H9W • x fn 1-01 UB •MO. In*) H Into Iftte

M .-~ > •rm *m M m x M tC o tn m k U u iu im G&a»1fcsKr< f o r r J . i « H « a ‫־‬r 1r m

»y%ttn 1 •hm lU n C M * * •

W i ll- ' WiMom w m m uv» fro^jMren CwMot 0. 0. ‫=־‬ *

McmcC A» : •an i t f i LMO10 ?nb> njlutPu <» Fun tu t SID Ewneutan

riC n ilto U D ■

FIG U R E 10.34: Report o f the scanned target

C E H L ab M an u al P ag e 184

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

48. Double-click any resu lt to display a more detailed synopsis, description, security level, and solution.

Q If you are manually creating"nessusrc" files, there are several parameters that can be configured to specify SSH authentications.

FIG U RE 10.35: R eport o f a scanned target

49. Click the Dow nload Report button in the left pane. 50. You can download available reports with a .n e s s u s extension from the drop-down list.
D o w n lo a d R ep o rt D o w n lo a d F o rm a t 1 C h a p te rs X

Chapter Selection Not Allowed

G 3 To stop Nessus servei, go to the Nessus Server Manager and click Stop Nessus Server button.
Cancel S u b m it

FIG U R E 10.36: Download R eport w ith .nessus extension

51. Now, click Log out. 52. 111 the Nessus Server Manager, click S top N e ss u s Server.

B‫־׳‬ ‫■׳‬
>M a

P ■

*6

■69■
FIG U R E 10.37: Log o ut Nessus

Lab Analysis
Document all die results and reports gadiered during die lab.

C E H L ab M an u al P ag e 185

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

T o o l/U tility

In fo rm atio n C o llected /O b jectiv es A chieved Scan T a rg e t M ach in e: Local H ost P erfo rm ed Scan Policy: N etw ork Scan Policy

N e ssu s T arg e t IP A ddress: 10.0.0.2 R esult: Local H ost vulnerabilities

PL E A S E TALK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.

Questions
1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works w ith the security center. 2. Determine how the Nessus license works in a V M (Virtual Machine) environment. In te rn e t C o n n ectio n R eq u ired
0 \ es

□ No

P latform S u p p o rted 0 C lassroom □ iLabs

C E H L ab M an u al P ag e 186

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

ICON

KEY

Auditing Scanning by using Global Network Inventory
Global]Seh) •ork Inventory is used as an audit scanner in ~ero deployment and agent-free environments. It scans conrptiters by IP range, domain, con/p!iters or single computers, defined by the GlobalNet!/‫׳‬ork Inventory hostfie.

a - Valuable information s Test your knowledge Web exercise m W orkbook review

Lab Scenario
W ith the development o f network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for s e r v ic e vulnerabilities and ap p lication vulnerabilities on a network 01 servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use that to compromise the entire system and other data found, thus he or she can compromise other systems 011 the network. Similarly, if the attacker finds a workstation with ad m in istrative p riv ileg es with faults in that workstation’s applications, they can execute an arbitrary code 01 implant viruses to intensify the damage to the network. As a key technique in network security domain, intrusion detection systems (IDSes) play a vital role o f detecting various kinds o f attacks and secure the networks. So, as an administrator you shoiild make sure that services do not run as the root u ser, and should be cautious o f patches and updates for applications from vendors 01 security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. 111 this lab, you will learn how networks are scanned using the Global Netw ork Inventory tool.

Lab Objectives
This lab will show you how networks can be scanned and how to use Global N etw ork Inventory. It will teach you how to: Use the Global N etw ork Inventory tool

C E H L ab M an u al P ag e 187

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab Environment
ZZ‫ ל‬Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

To cany out die lab, you need: ■ Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module
03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner

You can also download the latest version o f Global N etw ork Inventory from this link http://w w w .m agnetosoft.com /products/global network inventory/gn i features.htm / I f you decide to download the latest version, then s c r e e n s h o ts shown in the lab might differ

■ A computer running W indows Server 2012 as attacker (host machine) ■ Another computer running Window Server 2008 as victim (virtual machine) ■ A web browser with Internet access ■ Follow die wizard-driven installation steps to install Global Network
Inventory

■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Global Network Inventory
Global Network Inventory is one o f die d e fa cto tools for security auditing and testin g o f firewalls and networks, it is also used to exploit Idle Scanning.

Lab Tasks
t a s k

1

Scanning th e network

1. Launch the Start menu by hovering die mouse cursor in the lower-left corner o f die desktop.

FIGURE 11.1: Windows Server 2012 - Desktop view

2. Click die Global Network Inventory app to open die Global Network Inventory window.

C E H L ab M an u al P ag e 188

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

5 t 9 |‫־׳‬£

Administrator

Server M a n age r

Win dows PcrwerShell

G oogle C hrom e

Hn>er.V M anager

fL *J

m
C o n trol Panel

*
H y p r-V Virtual M a ch in e .

‫וי‬
SQ L S ervs

Scan computers by IP range, by domain, single com puters, or computers, defined by the Global N etw ork Inventory host file

■ F
C o m m an d Prom pt M ozfla Firefo*

*

£
Mw w &plcm PutBap

B
SBui Search 01.. Global N e c » o rt

©

H
FIGURE 112: Windows Server 2012 - Apps

3. The Global Network Inventory Main window appears as shown in die following figure. 4. The Tip of Day window also appears; click Close.

& S c a n only item s that you need by custom izing sca n elem en ts

FIGURE 11.3 Global Network Inventory Maui Window

5. Turn 011 W indows Server 2008 virtual machine from Hyper-V Manager.

C E H L ab M an u al P ag e 189

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

□ Reliable IP d etectio n and identification of network ap p lian ces such a s network printers, docum ent cen ters, hubs, and other d e v ic e s

FIGURE 11.4: Windows 2008 Virtual Machine

6. N ow switch back to Windows Server 2012 machine, and a new Audit Wizard window will appear. Click N ext (01‫ ־‬in die toolbar select S can tab and click Launch audit wizard).
New Audit Wizard Welcome to the New Audit Wizard
T hs wizard will guide you through the process of creating a new inventory audit.

V I E WS S C A N
R ESU LT S,
/

NC LU D / N C

HI STORI C
R ESU LT S F O R A LL
To continue, click Next.

SCANS, I N D I V I DU A L
M AC H IN E S ,
c Back

Next >

Cancel

FIGURE 11.5: Global Network Inventory new audit wizard

OK
S E LE C TE D

7. Select IP range scan and dien click Next in die Audit Scan Mode wizard.

NUMB E R OF
A D D R E S S E S

C E H L ab M an u al P ag e 190

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

N ew Audit Wizard
A u d it S c a n M ode To start a new audfc scan you must choose the scenario that best fits how you w i be using this scan.

Is■ (^ M

O Single address scan
Choose this mode i you want to audit a single computer

Q Fully customizable layouts and color schemes on all views and reports

(•) IP range scan Choose this mode i you want to audit a group of computers wttwn a sr>gle IP range

O Domain scan
Choose this mode i you want to audit computers that are part of the same doma»1(s) 0 Host file scan Choose this mode to audt computers specified in the host file The most common scenario is to audt a group of computers without auditing an IP range or a domain O Export audit agent Choose this mode i you want to audit computers using a domain login script. An audit agent vwi be exported to a shared directory. It can later be used in the domain loain scriot. To continue, c ic k Next.

1 ______

< Back

Nexi >

Cancel

FIGURE 11.6: Global Network Inventory Audit Scan Mode

8. Set ail IP range scanand then click N ext in die IP Range S can wizard.
E xport data to HTML, XML, M icrosoft Excel, and text formats

Licenses are networkbased rather than userbased. In addition, extra licenses to cover additional addresses can be purchased at any time if required

9. 111 die Authentication S ettin gs wizard, select C onnect a s and fill the respected credentials o f your W indows Server 2 008 Virtual M achine, and click Next.

C E H L ab M an u al P ag e 191

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

N ew A u d it W izard
A u th e n tica tio n Setting s Specify the authentication settings to use to connect to a remote computer

£□ The program c o m e s with d ozen s of cu stom izable reports. N ew reports can be ea sily added through th e user interface

O Connect as cxrrertiy logged on user
(•) Connect as Domain \ User name Password ad^iriS'3(-‫•׳‬

...............'

To continue, d c k Next

< Back

Nert >

Caned

FIGURE 11.8 Global Network Inventory Authentication settings

10. Live die settings as default and click Finish to complete die wizard.
N ew A u d it W izard
Completing the New Audit Wizard

(— 7 Ability to generate reports on schedule after every scan, daily, weekly, or monthly

You are ready to start a new IP range scan You can set the following options for this scan:

@ Do not record unavailable nodes
@ Open scan progress dialog when scan starts Rescan nodes that have been successfJy scanned Rescan, but no more than once a day

(§₪ T o configure reports choose R ep o rts | C onfigure rep o rts from the main m enu and select a report from a tree control on a left. Each report can be configured independently

To complete this wizard, dick Finish.

< Back

Frwh

Caned

FIGURE 11.9: Global Network Inventory final Audit wizard

11. It displays die Scanning progress in die S can progress window.

C E H L ab M an u al P ag e 192

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

iJ
‫מ‬
0 1 2

Scan progress
Address
1 0 .0 .0 . 2

Name — W1N-ULY858KHQIP

Percent E !%

Tmestamp 0 8 /2 2 /1 2 1 5 3 8 :3 08/2 2 /1 2 1 5 :3 6 :2 3 08/2 2 /1 2 1 5 :3 6 :2 5 08/2 2 /1 2 1 5 :3 6 :2 3 | | 0 8/2 2 /1 2 1 5 :3 6 :2 3 08/2 2 /1 2 1 5 :3 6 :2 2 08/2 2 /1 2 1 5 :3 6 :2 3

1A

10.0.0.3 10.0.0.4 ‫ ו‬0.0.0.5 ‫ ו‬0.0 0 6 10.0.0.7 1 0 .0 .0 8 1 0 .0 0 9 100010 A O M INPC W IN-039M R5HL9E4 ! z ^ z z

3 4

E* E
8 52 !* 92* 92*

=

Q Filtering is a quick way to find a subset o f data within a dataset. A filtered gnd displays only the nodes that m eet the criteria you specified for a column(s)

5
6

7 8 9
10 ‫וו‬ ‫ ו‬2

_
W

0 8 /2 2 /1 2 1 5 :3 6 24 0 8 /2 2 /1 2 1 5 :3 6 24

100011 1 0 .0 .0 . 1 2

10.0.0.13 10.0.014

' I
'

E* E* E* E*

0 8 /2 2/1 21 5:3 6 :2 4 08/2 2 /1 2 1 5 :3 6 :2 4 08/2 2 /1 2 1 5 :3 6 :2 4
rtn

0 8 /2 2/1 21 5:3 6 :2 4 m‫ ר‬ic . v . ^ 1

@ Open this dialog sdien scan starts @ Close this dialog when scan completes @ D o n l display completed scans

Elapsed time: 0 min 6 sec Scanned nodes: 0 /24

.

Sl0p

_

Cl°”

[

FIGURE 11.10: Global Network Inventory Scanning Progress

12. After completion, scanning results can be viewed as shown in the following figure.

Pi'v fie

Globa' Netw ork Inventory - Unregistered
S ta n T o o ls R ep o rts H elp

V ie w

□ ]E r B lBW talri~ » E I] u *‫? י‬

a
C a r r i e ♦ s> « en

U te r r Q |A ) rjqr p

N etB IO S P rr*» M r*

0

| A ^ ]*

Shanes
M a n beard

JW ‫־ ־! ■־‬.W

A.‫־־‬
Memory pin Memory

Nirrt - M pIa■addresses
$ ‫ ־‬W ORKGROUP :■I 1 0.0JX7 (W IN -D 3 9 ... ■m 1 a 0 J X ‫ ( «־‬W 1N -U LV 8 ...

‫ ז»ר ס‬Syttern *tat» i w r a r r r . :•-•‫ד‬ S car M W i

HM ftte r c m n a o n ^ rrtm

1

Networt |Q g m e rit

^p#rat:r.r

| Tircitamp
‫־י‬ d D o ra r H o a tN ... ▼J Status ‫־י‬ M A C A.. V e r r fa w 0 3 M am s ‫־‬ » R o c e s s a ... *‫־‬. Com ment ‫»־‬ W O R K G R O U P [C O U N T -2 )

I P A d d e « : 1 0.0 0 .4 (C O U N T -1 1 T r r e s t a r o : G £ 2 /2 0 1 2 3 36:4B PM (C O U N T -1 )

0 Global N etw ork Inventory lets you change grid layout simply by dragging column headers using the mouse. D ropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column

‫ » ■־‬C o r o j . . |v/N ULV85(| S u c c c ii IP A d d c m . T 0 .0 0 .7 (C0UNT-=11

1 00-15 5D 001 M ic r o :)* C a V ir c c v M Server |

I T r r e jt a r .3 . & 36. 30 3 2012 ‫׳‬ 22 > ‫׳‬ PM ( C 0 U N T -1 ] •» C « ‫־‬k >j ..[ v / N € 3 S M F ||S u c c o m iD ^ -O E -D O -C ^ n o a lc ‘. |lnts(Rl CoiefTM' S olid. H202

Tow ?nwr(t)

[

r

1

R « ju ltjn 1 it0 r y d e p t^ L » !ts < a r 1 0 r ^

Oisplaye^roijp^l^roups

FIGURE 11.11: Global Network Inventory result window

13. N ow select W indows Server 2008 machine from view results to view individual results.

C E H L ab M an u al P ag e 193

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Global Network Inventory ‫ ־‬Unregistered
Me v ie w sca n T o o l( R ep o rt < H ?p

l - l ° W *

in

-

%-u110 | s ^ P i g
■' ‫י‬-‫מ‬

¥

B |Q |^ |a |D |B - B
| System dots NetBIOS Q | ^

#
|^

® ,
‫־‬Looc a d!s\s ^ Hot fxes 3 e ;jr**• certer Shores | 3 ‫■׳‬ Startup ^ M orer) Q ■ Desktoo | J Logged c r

& S9 3
N e rrc

Z»: ‫ ־‬- ‫־‬

□ »
^ j

Port a r r e d o R O rvces 3

L » ^ cvp s '•'ci‫ ־׳‬b o s d (ji) ^

Lbcre B8

B ‫ י^יי‬AH addresses B - <* WORKGROUP

Computer 3y3tcn Scan •u n ra ry

Po;c3:cn> ^ 0 ‫ נ כ‬ctn3 C,ctcn

§,

*|^r)0.a7(WN-D3T~1
»• ‫ נ י ו‬C J 4 iv>‫׳‬N-ULV3.r.

Global Netw ork Inventory grid color scheme is completely customizable. Y ou can change Global N etw ork Inventory colors by selecting T o o ls | G rid colors from main m enu and changing colors

Type J

‫״‬

HikIM

» Sfdlin

» MAC A

*

V btkIh

» CJS

* PlOCHZM (

* C0I1HIMf »

Duiein *‫׳‬o ^ e n a j p COUNT-11 JIP A d d rew 10.Cl07(C O U N T1‫) ־‬ TncU aro: G/22/2012 3 G G : 38 PM (CO UN T-1)
■» C5t o j . |V/NC39MR Succc«

|D4 BE D9-C|Realck

ntefR] CorcfTM' Send: H202!

01011‫ ז‬i‫׳‬a»(j)

Re»dr

^esufc^jto^jegt^oj^ca^o^oc^cdfcj^

^jgl^c^roug^l^r

FIGURE 11.12 Global Network Inventory Individual machine results

14. The Scan Summary section gives you a brief summary o f die machines diat have been scanned
Global Network Inventory ‫ ־‬Unregistered
f ie View Scan Tools Reports Melo

1 - ‫ ^־‬r

*5 '
▼ a x

□ ]e

t1
‫ נ כ‬tin>lcr5 yw don k ( j

1 ^ -sa
V crito o | jjjjj S^eton d o t• | £

a wLogical d sk a Hoi tacoe Sharoe ^ Jt ^ Q CX>k & ts z i mo "Sntcn J | j* Startup fa B*S Q | Networx oocp to o |H Dcckiop LoggoCon ^ M enoiy cevicee S o c u ty ccrto■ 0 $orgroupt *5 ^ U*«ra

n 1* a □ * a Nam• - ‫■י‬ ! A1addrestM
^ £ WORKGROUP

Sn J l# |

D ovcoi

[# j

NoifcKJS Q ®]

- .r% xi*r ty rt» r Scan a n r m y

:■^:•;ore ijperatmg

M a n te s :

j^

:mtOiXOi’^N-ULYC"
‫ ם‬To configure results history level c h o o s e Scan | R esults history level from th e main menu and s e t th e desired history level
Hcs4 H.. ^

Status

‫ ־״‬MAC A .. ‫■״־‬barrio-

~ OSKsrw

‫ ־י‬Prco3350r.. ‫ ״י‬Corrmert■‫״‬

d t 'o m a r :\v tR r .ii-O U ‫ ׳־‬l .‫־‬JLrJ -‫־‬ P i d i e w : 1C.O.O : CQUNT=1J _________________________ Id Tnrgra«p B/22;2PlZ3-36 ^ P M p = D U H r= ll | ;*» Ccnpu |W K-039M R|Succg« rU-BF-D»C:| R ^ r r i h!el(R)Cme|TM: Seiial H?‫?ר‬

Tolall 4em(s)

1 ‫־‬
^c^U^iiitorydepthj

r

1 ‫־‬

r

FIGURE 11.13: Global Inventory Scan Summary tab

15. The B ios section gives details o f Bios settings.

C E H L ab M an u al P ag e 194

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Global Network Inventory ‫ ־‬Unregistered
f it v ie w 5ta n T o o ls R e p o rt( H e lp

1‫ ' ־‬° '

x

‫ז‬

1^ ‫ז‬
icwresufts

‫־‬

S J 1 '’‫־‬ □ E T? | 5 | □
‫׳יי‬ X
^ k. Por. -annccfcrc Derive* 2 jij System dots MdBIOS P Hct fixes Shares ‫״‬ £ . ■rrq .7 : 3" ■> Startup | ^ fid . . • ■ Desktop Lccocd o r Memory donees ‫׳‬cut

*

89 £ □ J5
_
5 ‫ ־‬W ORKGROUP

‫־ד‬ ^

Q

Scaabr e a te r .s r jx x p s )£•

Narrc
H * P A ll a d d r e s s e s B

^
Poeewots

1555 >*‫י‬

Mar ?pad Q

Merer? fc l

Scan only items that you need by customizing scan elements

a

• »|1a616T(w’ 1^039 .7'''

Ssa^aumanr

J^

Opcra.i-10 Cvs.or

{ ■ 10.0.1‫>נ*ר‬VIN-IJI Y8...

1 01* 1 ‫ו‬

»U »d/

Ret jt t t hutory depth: Latt t o n for tacft aflcret;

Q 't p lt / « d g r o u p : All g r o u p t

FIGURE 11.14: Global Network Inventory Bios summary tab

16. The Memory tab summarizes die memory in your scanned machine.
£□ E-mail ad d ress S p ecifies th e email ad d ress that p eop le should u se w hen sending email to you at this a ccou n t. The email ad d ress m ust be in th e format name(ftcompany— for exam ple, som eone@ m ycom pany.com
Global Network Inventory - Unregistered
F ie V ie w S ca n T o o ls R e p o rts h e lp

*

‫ח‬
▼ a x

H e V iB lB & lm lH F i- iii
■» >#H ‫י ן״‬ \M »0 coofirokn L. Mentors iff) |g j

®
Logical daks t M Oak ± n Q
11 ‫׳‬

v ie w retuR*

** s «a □ ‫« מ‬
N am * H % All edd resse*

- ‫!־־־‬:•-

Operating ‫ל‬,‫׳‬d-• H ‫■•יי‬ fff

1 ‫ י»ת‬0 ‫ו׳*חוח‬
‫׳‬

•>

Network a d ^ c n ! | 'j |K or ber/ r*c

1

y -. ‫■ ־■ ־ ־‬ • D*Ye*t

ct encct f

■t•5 ‫־‬
%-

Startup

[ # ]

NmBIOS

|

Shw*1

p

Uttramu

tk # n

4 # WOWCROUP

‫־‬ ■ *w
;h

p

y

‫־‬

a
Tc<alPh3^cdven>0f/.M 3 S a la b le H -yrea... Total vfcuaL. ~ A v a to e V rtja ... »•

Memory f l w f «

I0.C.0.4 (WIN-ULY8...

lo t a . . . - -

&valabl&.. ‫»י‬

d[D
J

V .C R t5F 0U P [C rM JN '= ]J Hcsr Marre 3 9 ^ ^ ‫־‬MF5HL9E4 (C0U!\iT=1) ‫ ־‬hrescnp

V22J20123:36-38 PM (COUNT‫| ) ־‬
3317

7 o b i 1 it s u ;1

Results history depth: Last scan fo i each address

O ii p la / e d g r o u p : A ll g r o u p s

FIGURE 11.15: Global Network Inventory Memory tab

17. In die NetBIOS section, complete details can be viewed.

C E H L ab M an u al P ag e 195

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

G lobal Netw ork Inventory ‫ ־‬Unregistered
F ie v ie w Son T o o ls R ep o rts H elp

;- !o r

!□is? iBiaiasp 5!■!a & » B
v * y * re s u lts Memcry ®a Memory d e v ic e c N a 1r « 4• Scan 3 jm a r y Port c o n r w c t r c ♦ C l S) Qf h it d t e d « y t * sre S * d r t / M ‫׳‬t« r C l | ."3 ‫ל‬ n vm m g rt Startup |;& ■ Services D esktop lo g g e d on

& I addresses
H - f i‫ ־‬W ORKGROUP

‫ד‬

M essag e su bject Type the Subject o f your message. Global N etw ork Inventory cannot post a message that does n ot contain a subject

1C.0.C.’ (WIN-D39...

19 1 0 ^ f^ U L Y « ::

zJ Hart l l i n * 0 33* | , ‫ י\ ׳‬VF 5 H. =)E4 (COLNT=3)
T r^ rta rtp 8/22V2012 3:3ft 38 FM (COUN T 3‫) ־‬
L m q j? L nque Group W o ik s ta t c r Service F ie Server Service Domain N am e

* [ W K - 0 3 9 M R o - LSE4<C>tt>> X 3 W K C •SM R^rLSE4<0x2O5‫־‬ W ORKGROUP <0x00>

T o id 3 i . e n ld

R ea fly

Rem its history depth H i t scan re t earh naorett

t»<pt»/ed g ro u p : A ll g r o u p s

FIGURE 11:16: Global Network Inventory NetBIOS tab

18. The U ser Groups tab shows user account details with die work group.
G'obel Network Inventory ‫ ־‬Unregistered
Fie View Scan Tools Reports Help

I ‫ ־‬1‫ם‬

□ Nam e S p ecifies th e friendly nam e a sso c ia te d with your e-mail ad dress. When you sen d m e s sa g e s , this nam e appears in th e From box of your outgoing m essa g es

1□ c V | B p |g |m |
2 C o n j u t a s r r f— Q

a
P^ cc350ra |^ M a r board I^J) M em ?y ‫■י‬P r r t c o ‫מ‬ •> Memory c fc v c c s N e tte d ‫־‬ .

S3 5) □ *3 $
N jit«
* i* A ll a d d r e s s • :

» ‫־‬ccc

• I ‫ ־‬:

k #>

Vent ‫רה‬ CIO ‫כ‬ jj]

Locicoldbks Opcralinq Cyslcrr

^ Q

D 9sdr>c*

m 7‫י‬
^ D e v ic c :

El

!nvronmcrrt

Q
It#] Net Cl DC ^

ij0
S hares | J?

«•
-b w g rx x »

cr A-

j•

Startup I,

Deaktoo Lojj=d o r

- i f

WORKGROUP

_bera

? S iiilL

»• i a i J i w N S : ‫׳‬

H o s t N c n e ‫־‬/ / * -D 3 9 -4 R 5 H L 9 E 4 (C O U N T -5 1 z i ' r r e s c a n p : E /2 2 '2 0 1 2 3:36:38 F M ( C OU N 5- ‫] ל‬ G io u j £< *ar> sfrafo:(C0U NT= 1) U 5 cr o c c c u r t

‫■׳י‬ ‫ !׳‬S 0 C E N R 5HL3E4'>Adrim $tratoi z i C r^ JD : C K t t K it e d CO M Usets (C O U N I - 1 1 v / ls C 2 S N R 5 H _ 3 E 4 \ A d f 1 i‫ ״‬istj<)(01 _ J G r» ^ o : Guc:»; C O U N T -1 ) Jk• u A N 0 3 E M R 5 H L 9 E 4 \ G u t s l

U ;e t a c c o u rt

U :* f « ccou rt

d C 1 0 *.IIS J U S fiS
z i G r a if T U 0 I 5 i c n | i|

CO UN T■ !) VV«# k r c v ‫ ׳‬n gtcup oooounl

% N T >‫ ־‬F \lZ c V ^ c p c rlS c « v o r p M t a v u r e * 1r g U tt r t ( C Q I J N T ■ 1)

R sa d /

RcsuMts h isto r y d e p th : Last s c a n f o i e a c h o o a e s !

D sp la y c C g r o u p ; All q io u p a

FIGURE 11.17: Global Network Inventory User groups section

19. The Logged on tab shows detailed logged on details o f die machine.

C E H L ab M an u al P ag e 196

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Globa! Network Inventoiy ‫ ־‬Unregistered
Me v ie w 5<ar T o o ls R e p o rts H e lp

1 - 1‫״‬

■ ‫■ ״‬

§ 3 - □Is ? H c 1 ® e /
V « w re<uKs

-•1a & ‫׳״‬
Q Processors £ M ain beard ^ N e n o iy w Memory d e / c e s

*2 »‫□ ־־ י‬
N errc
E % S

m
_

J

‫ ו ג ב‬a i d s y ie fi

\
m ‫?יי‬ S c a n s u r a n a iy Port c o m e d o s C‫־־‬r ■ ^r . ^ BCS | .§ )

^
System slots |

L>j1d j s v j
H o tfix e s S h a ‫׳‬e& >

Q
l£ ‫)־‬ ^

Di:-•. J .
t o t a le d software S e a i t ) e e r ie r U s e tu . |(| %

£■
Environment

Net ■ ..
S ervices |

O o e fa tr o System

A l l a d d re s s e s f W O RKGRO UP

3 .< n : u ,_ _ H L _ 2 s 5 tlS B _ J Users | j> Logg ed o r J

'* { 3 0 S

2'

& Port ‫ ־‬S p ecifies th e port number you co n n ect to on your outgoing email (SMTP) server. This port number is usually
25.

;1abix7"(wi‫׳‬N-D3g...
;■ '1 6 0 . 0 4 (W IN -U LY 8 ...

H oaN ok

W H -033N R 5H L3£4 (C O U N T S

1 N T S E R V .C E >M s D is S e rv e rl 10 f f f H ” S E R V C E 'M S S Q L F D L o u n c h a N ‫ ־‬£ £ R V lC E VM S S Q L S E R V E R N ‫ ־‬S E R V C E 'M S S Q L S e r / e iO L A P S e iv ie e

* , N ‫ ־‬S E R V C E 'R e p o r t S c r v a 5 \ A H D 3 9 M R E H L 9 E 4 \A < in h a tr‫*־‬or 3 8 /2 2/1 2 09:01:20

R ea dy

R e su lts f r i t pry d e p th la s t ;c a n lo r t e c h a d d r c n

Oowove^rou^lUroups

FIGURE 11.18: Global Network Inventory Lowed on Section

20. Tlie Port con n ectors section shows ports connected in die network.
ST
F ile Scan T o o lt R ep o rt( H elp

G lob a ' N e tw ork Inventory - U nregistered

1S
v ie w re s u t; w a x NetBIOS
n L. AH a d d re s s e s f r £* W O R K G R O U P

O u tg o in g m ail (SM T P) ‫ ־‬Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages

a ‫ש‬b #
Name
H-

£
F io c e s s o is £

91‫־‬ares
^ L o g c a l d isk s

Ji>

LSe

1
m ay

Users

|

Logg ed o n

Memory devotes
•£‫־‬ ‫׳‬ Netw ork 0d3?1cr: | ■1 S « m :« D esktop

l- b n t c r j

D:

: -t‫־‬KC1: Q a

;can currrjr,
P « t c on n ecto rs

*

WOS

| S)

0p«1fcrg Syren•

‫—ן‬

fcrvron m en t Startup

■ »r10b n ‫־‬ 7‫־‬ ^N -big".'‫־‬.‫־‬
0^ 10 ‫«־‬.(W‫׳‬fW‫׳‬N‫־‬ULY8""

JO

^

hrr ‫י‬

D o r ia n . V / D ^ K O R O U ? (C0U N T = 2 5I J he*• H a r e : t*‫׳‬T . D 3 9 M R 5 H L J 3 E 4 (C O U N T -2 5 ) J 1■ ‫ * ״‬t t a r o : & '2 2 /2 D 1 2 3 3 6 3 8 PM (C O U N T =26) ’ ‫א כ כו׳ן‬ ‫ ז‬7 ‫»ככ‬ ‫ ז‬7 ‫»נ כ‬ ’ 703H
t7

S e r a i P o r 1S55CA C o n p a r t le K e l o i d P011 M ou cc Po ri USB USB UCD USB

D 6 9 ‫־‬.M ale FS /2 F S /2 a< r*51 bus

00h

‫ י‬7 3 ‫ווכ‬ , 703H

A c c 0 H .b u 4 A c o e s t.b u t

‫ ז‬alal 25

A tris
Fes j t s nistory deptn: Last scan foi eatfi address D isj ayecl arouo; All aroups

FIGURE 11.19; Global Network Inventory Port connectors tab

21. Tlie Service section give die details o f die services installed in die machine.

C E H L ab M an u al P ag e 197

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

S To cr ea te a n ew cu stom report that includes more than on e sca n elem en t, click c h o o s e Reports | Configure reports from th e main menu, click th e Add button on th e reports dialog, cu stom ize se ttin g s a s desired, and click th e OK button

Globa! Network Inventory ‫ ־‬Unregistered
Me v ie w 5<ar T o o ls R e p o rts H e lp

R

= r

‫ ־‬- $ * ]‫ י ® ב ס‬H e p H B ] ® e |
V ie w re<ufts

•-•Eg & ‫׳״‬
| | Shares Ci

*1 *9 2 □
N e ir c E % S

m
_

pf
g

Devices Port cornedas

NetBOS et30S Q D

£
^
ig )

User croups ^ Secut) center

Jsers Memory n

| ■
|

Loaaedor Msrrcryde/ces Desktoo
S c r r is c a

Main board

Qf
1•

System slots

Hotfixes

£
13

Startup

|
|

A l l a d d re s s e s f W O RKGRO UP •1 ‫ ־‬y ' a a ’ 7 i w i ‘N -D 3 8 ’‫״‬ "’ ;■ '1 6 0 . 0 4 (W IN -U LY 8 ...

*i
M

'
3

jjjj
0 . ‫ גי‬c t i U S vtte‫״‬

» "
iii'iu n ic il

N»♦
z i D om r* V»ORC13RO UP |CD UM I«l4/) _!J Hcs‫* ׳‬sLan^ '*1 N 0 ‫»־‬IR5HL9E4(CO UN T■!47| zi rr^ a n p 3 /2 2 !2 0 H 3 3&38FM [COUNT =147) 41loma1‫׳‬c Manual Automatic Manual Manual Manual Manual RufM rg R u m rg R j'i'ir g Stepped R im r g Stepped Stepped

-

. Ldcte A cxbat U pcare Ser!/ce , £ p f teanon E>o=r1 ence . Appicanon Host Helper Service ^A p p fc a n o n Idenfctji tpflr9r»0nlnf1‫־‬rml1on . Apftlcanon Layer 5 ‫־‬rewau Service Apffcarion Manafjenenr
I0 la l1 < 7 toart :J

‫־־‬: 'P n g -a n Filei [vf‫־‬fc)\Comrmn Fite'iAdobi C‫ ־‬vV.mdowt\system32\svehott eye •k netsv C «V.»Klowt\^1stern32\fivch0ftexe •k apph( C‫\*־‬fcmdow1\svstem32\svc*10ft.exe •k Local C »V.m<tem(t\systern32\svcf10fr.exe •k net?•/ C ,V,mdowt\S3i5tem32Ulg ew> C »\v!n<kw?\system32\svcf10‫־‬ tt exe •k ne lw

Ready

Results fcitory depth lost icon lor to<h address

Oowoye^KOu^lUroups

FIGURE 11J20: Global Network Inventory Services Section

22. The Network Adapters section shows die Adapter IP and Adapter type.
G lob al N etw ork Inventory ‫ ־‬Unregistered
Fie view Stan Tools Reports Help

1‫־‬

I* ‫״‬
V cw rcsu R ; ▼ ‫ל‬ X


^ j| y

e

v
D c*cca [# J C o n p u te r ‫>־ת‬€*‫ו‬ Pc‫ ׳‬t c o r r c c t o o S ca n s jr r r c r v ^ Q Q

Q 'l l
N e tBIO S | ^

&

< ‫׳״‬
4■ U3cr<rouF3 fjj JL• M em ory j* B Uaera B?1 Startup Envtronmoat ^ Looocdon Memory d e v ic e s |^ | ‫״‬j , Deoksop S o rv cm Mom boane H o t fx c a ^

SK3X3

r-l

^ □ E $
1^‫י‬

Prooeaaora System alota |^

& A security accou n t passw ord is created to m ake sure that no other u ser can log on to Global Network Inventory. By default, Global Network Inventory u s e s a blank passw ord

Narre B All addr*<«#<
y~ * £ W O RKGRO UP

Ccc^ rfy e e r ie r h w U to d t c ftv m o

H

80S

|‫׳‬jgj]

O p o r s trg Syrtom

h■ v® 00

1-

?‫מ‬

|v

■- m o ‫״‬M

( w n ' u ’l ^ " . " ’

- Tinettarp: £ / ^ 2 3 36:33 3 2 ‫ ־‬FM (COUNT-11 n ^ ^ v V ^ E t ,.|D 4 : B E :D 9 :C |1 0 0 .D 7 l2 S 2 S .2 g |1 D C .0 1 [vicreolt |E therrct QIC|N 0

Iotall 1enlj Rea^ ^esujt^jjto^jepth^as^a^o^scj^ddrts^ ^jjjte^e^roup^lU^oup^

FIGURE 11.21: Global Network Inventory Network Adapter tab

Lab Analysis
Document all die IP addresses, open ports and miming applications, and protocols you discovered during die lab.

C E H L ab M an u al P ag e 198

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

T o o l/U tility

In fo rm atio n C o llected /O b jectiv es A chieved IP Scan R ange: 10.0.0.1 —10.0.0.50 S can n ed IP A ddress: 10.0.0.7,10.0.0.4 Result: ■ Scan summary ■ Bios ■ Memory ■ NetBIOS ■ UserGroup ■ Logged O n ■ Port connector ■ Services ■ N etw ork Adapter

G lobal N etw o rk Inventory

PL E A S E TALK T O Y O U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.

Questions
1. Can Global N etw ork Inventory audit remote computers and network appliances, and if yes, how? 2. How can you export the Global N etw ork agent to a shared network directory?

In tern e t C o n n ectio n R eq u ired □ Yes P latfo rm S u p p o rted 0 C lassroom 0 iLabs 0 No

C E H L ab M an u al P ag e 199

E thical H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Anonymous Browsing using Proxy Switcher
Proxy Switcher allowsyou to automatically execute actions; based on the detected netnork connection.
ICON KEY

Lab Scenario
111 the previous lab, you gathered inform ation like scan summary, NetBIOS details, services running on a computer, etc. using Global Netw ork Inventory. N etBIOS provides programs with a uniform set o f commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. Vulnerability lias been identified in Microsoft Windows, which involves one o f the NetBIOS over T C P /IP (NetBT) services, the NetBIOS N am e Server (NBNS). W ith this service, the attacker can find a com puter’s IP address by using its N etBIOS name, and vice versa. The response to a N etBT name service query may contain random data from the destination com puter’s memory; an attacker could seek to exploit this vulnerability by sending the destination com puter a N etBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included. As an expert penetration tester, you should follow typical security practices, to block such Internet-based attacks block the port 137 User Datagram Protocol (UDP) at the firewall. You m ust also understand how networks are scanned using Proxy Switcher.

p =7 Valuable information Test your knowledge w Q Web exercise Workbook review

Lab Objectives
This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to: ■ ■ Hide your IP address from the websites you visit Proxy server switching for improved anonymous surfing

C E H L ab M an u al P ag e 200

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab Environment
To cany out the lab, you need: ■
2 " Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Proxy Tools\Proxy Sw itcher

■ You can also download the latest version o f Proxy W orkbench from this link http:/ / www.proxyswitcher.com/ ■ I f you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running W indows Server 2012 ■ A web browser with Internet access ■ Follow’ Wizard-driven installation steps to install Proxy Sw itcher

■ Administrative privileges to run tools

Lab Duration
Time: 15 Minutes

Overview of Proxy Switcher
Proxy Switcher allows you to automatically execute actions, based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting proxy settings for Internet Explorer, Firefox, and Opera.

Lab Tasks
Cl Autom atic

ch a n g e of proxy configurations (or any other action) b ased on network information

1. Install Proxy Workbench in W indows Server 2 012 (Host Machine) 2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 S can nin g
N etw orks\P roxy T ools\Proxy S w itch er

3. Follow’ the wizard-driven installation steps and install it in all platforms o f the W indow s op eratin g sy stem . 4. This lab will work in the C EH lab environm ent - on W indow s S erver 2 0 1 2 , W indow s S erver 20 0 8 , and W indow s 7 5. Open the Firefox browser in your W indows Server 2012, go to Tools, and click Options in die menu bar.

C E H L ab M an u al P ag e 201

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

G o o g le

M o iillo Firefox

colt | HtJp
Qownloatfs moderns S<* UpS^K. CW -I

cm * v ‫*«״‬A
D ocu m en ts C alendar M ote •

e •!1• -■ cc9 u

fi
Sign n

*

C 3Often different

♦You

S e a r ch

Im ages

Web Developer Page Info

internet co n n ectio n s require com pletely different proxy server settin g s and it's a real pain to ch a n g e them manually

Cle«r Recent Ustsr.

01+“ Sh1ft*IW

Google
Gocgle Search I'm feeling Lucky

A6 .««t>11ng P io g a m m e i

Bu sin ess SolUion*

P ir a c y t Te

•Google

Aboul Google

Google com

FIGURE 121: Firefox options tab

6.

Go to die Advanced profile in die Options wizard o f Firefox, and select Network tab, and dien click Settings.
Options

‫ם‬
G e n e ra l

&
Tabs

‫§י‬
C o n te n t

%
A p p l ic a t io n s j

p
P r iv a c y

*k
S e c u r it y

3
S> nc A dvanced

G e n e ra l | M e tw o rV

j U p d a t e | E n c r y p t io n

C o n n e c tio n C o n f ig u r e h o w h r e f o i c o n n e c t s t o t h e I n te r n e t | S g t n g i.

3‫׳‬k Proxy Switcher fully compatible w ith Internet Explorer, Firefox, Opera and other programs

C a c h e d W e b C o n te n t Y o u r v r e b c o n t e n t c a c h e 5 ‫ י‬c u r r e n t ly u s in g 8 .7 M B o f d i s k s p a c e I I O v e r r id e a u t o m a t e c a c h e m a n a g e m e n t C le a r N o w

Limit cache to | 1024-9] MB of space
O f f lin e W e b C o n t e n t a n d U s e r D a ta You M

1 a p p lic a t io n

c a c h e i s c j i r e n t l / u s in g 0 b y t e s 01 d is k s p a c e

C le a r N o v /

T e ll m e w h e n a w e fc c ite a c lr t t o s t o r e H a t* f o r o f f l in e u c e

Exceptions..

T h e f o llo v / in g t v e b s it e s a r e a lo w e d t o s to r e d a ta f o r o f f lin e u s e

B a r eve..

OK

Cancel

H e lp

FIGURE 122 Firefox Network Settings

7. Select die U se S ystem proxy se ttin g s radio button, and click OK.

C E H L ab M an u al P ag e 202

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

C onnection Settings
Configure P oxies to Access the Internet

‫ייי־‬

O

N o prox^

'‫ )־‬Auto-detect proxy settings fo r this network (•) Use system proxy settings M anual proxy configuration:

f i proxy switcher supports following command line options: -d: Activate direct connection

HTTP 5rojjy:

127.0.0.1 @ U je this prcxy server for all protocols

SSLVoxy: FTP *roxy. SOCKS H o s t

127.0.0.1 127.0.0.1 127.0.0.1 O SOCKS v4 ® SOCKS v5

P firt P o rt P o rt

N o Pro>y f o r localhcst, 127.0.0.1

Example: .mozilla.org, .net.nz, 192.168.1.0/24 O Autom atic proxy configuration URL: Reload

OK

Cancel

Help

FIGURE 12.3: Firefox Connection Settings

8. N ow to Install Proxy Switcher Standard, follow the wizard-driven installation steps. 9. To launch Proxy Switcher Standard, go to Start menu by hovering die mouse cursor in die lower-left corner o f the desktop.
T A S K 1

Proxy Servers Downloading

FIGURE 124: WmdcKvs Server 2012 - Desktop view

10. Click die Proxy Sw itcher Standard app to open die Proxy Sw itcher window. OR Click Proxy S w itch er from die Tray Icon list.

C E H L ab M an u al P ag e 203

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

S tart
S e rv er M anager W indow s Pow ershell G oogle C h ro m e Hyper-V M a n ag e r Global N etw ork Inventory

A d m in istra to r^

£□ Proxy Sw itcher is free to u se without lim itations for personal and com m ercial u se

Fs b

W
C ontrol Panel

*
H yper-V M achine...

9 1
C entof...

SI

C o m p u te r

y
. £«p«-

v
C o m m an d P ro m p t

9
M021I* Fre f o x

K

PKKVSw*

v rr

< 0
Proxy C hecker

* *
.‫ר‬ ►
FIGURE 125: Windows Server 2012 - Apps

CM*u p

,‫י‬

a t*
‫ ם‬i f the server becomes inaccessible Proxy Switcher will try to find working proxy server ‫ ־‬a reddish background will be displayed till a working proxy server is found.

o

s Server.
A /Q \

Customize... t— 1 l A r - r ‫ ״‬/ 1 ‫!׳‬

jate Datacenter ^ D p ^ u ild 8400

FIGURE 126: Select Proxy Switcher

11. The Proxy List Wizard will appear as shown in die following figure; click
Next

C E H L ab M an u al P ag e 204

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Proxy List Wizard

£3‫ ־‬Proxy Sw itcher ssu pp orts for LAN, dialup, VPN and other RAS co n n ectio n s

Welcome to the Proxy Switcher
Using this wizard you can quickly complete common proxy list managment tasks. To continue, dick Next

@ Show Wizard on Startup

<Back

Next >

Caned

FIGURE 127: Proxy List wizard

12. Select die Find N ew Server, R escan Server, R ech eck Dead radio button fiom Common Task, and click Finish.
Proxy List Wizard
Uang this wizard you can qc*ckly complete common proxy lot managment tasks Cick finish to continue.

& ‫ ־‬Proxy sw itchin g from com m and line (can be u sed at logon to autom atically s e t con n ection settin gs).

Common Tasks (•) find New Servers. Rescan Servers. Recheck Dead O Find 100 New Proxy Servers O find New Proxy Severs Located in a Specific Country O Rescan Working and Anonymous Proxy Servers

0 Show Wizard on Startup

< Back

Finish

Caned

FIGURE 12.8: Select common tasks

13. A list o f dow nloaded proxy servers will show in die left panel.

C E H L ab M an u al P ag e 205

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Proxy Switcher Unregistered ( Direct Connection ]
F ile E d it A c t io n s V ie w H e lp

I
Filer Proxy Servers

M
‫א‬ A

W hen Proxy Switcher is running in K eep-A .live m ode it tries to maintain working proxy server connection by switching to different proxy server if current dies

Roxy Scanner * N e w (683) B ‫ &־‬high Aronymsus (0) SSL (0) £ : Brte(O) i ‫ מ‬Dead (2871) 2 Permanently (656?) 1 — B o ok . Anonymity (301) ‫ן‬ — -£5 ‫ ־‬Pnva!e (15) V t t Dangerous (597) f~‫־‬ & My P‫ “׳‬V Server• (0) : — PnwcySwitchcr (0)

Serve* , ? 93.151.160.1971080 £ 93.151.180.195:1080 93.150.9.381C80 tu1rd-113-68 vprtage.com , f 93 126.111213:80 £ 95.170.181 121 8080 <? 95.159 368 ‫ו‬C 95.159.31.31:80 95.159 3 M 4 8 0 , f 94.59.260 71:8118 * - ..............

State Testira Teetirg Testing Lhtested Lhtested Lht*ct*d Lhtested Lhtested Lhtested Lhtoetod _ _ L>!tested___

ResDDnte 17082ns 17035n« 15631ns

Countiy H RJSSIAN FEDERATION m a RJSSIAN FEDERATION RJSSIAN FEDERATION * UNITED STATES m a RJSSIAN FEDERATION “ SYR;AM ARAD REPUBLIC — b ‫ ׳‬KAfJ AHAB KtPUBLIC “ SYRIAN ARAB REPUBLIC ^ 5 UNITED ARAB EMIRATES C UNITED AR\B EMIRATES

Caned S tefre Core PrcxyNet wviwali veproxy .com ‫״‬mw .cyberayndrome .net w!w nrtime.com<
Conpfcte

State
Conpbte

Progress

MZ3

28 kb

Fbu‫»׳‬ d 1500

&
FIGURE 129: List of downloadeed Prosy Server

DL

14. To stop downloading die proxy server click
Proxy Switcher Unregistered ( Direct Connection )
File Edit Actions View Help
filer F o x / Servers

L= Jg' x 1
«

‫ ־‬Proxy Scanner ♦ N#w (?195)

Serve*

Slate

Resroroe

Couriry

When active proxy server becomes inaccessible Proxy Switcher will pick different server from P roxyS w itcher category I f the active proxy server is currently a l i v e the background will be green

H

\y

A ic n y m o u o (0)

I••••© ‫ ׳‬SSL (0)

|

fc?Bte(0)

B ~ # Dead (1857)
=••••{2' P e rm a n e n tly 16844] Basic Anonymity (162) | ^ Private (1) j--& Dangerous \696) h‫־‬ & My Proxy Servers (0J - 5 ‫}־‬ ‫ ׳‬ProocySwtcher (0)

£ £ £ £ £ £

001 147 48 1€‫«»* ־‬tw n«t 1 ‫י‬:< *54-159‫ד־‬10‫־‬ 95 ‫ב‬ »‫ג‬,»‫ זז‬1 ‫ס‬ ‫י‬ 218152.121 184:8080 95.211.152.218:3128 95.110.159.54:3080 9156129 24 8)80 u>4 gpj 1133aneunc co pjf dsd»cr/2'20Jcvonfcrc com: 91.144.44.86:3128 £ 91.144.44.88:8080 92.62.225.13080: ‫ר־‬

(Aliv«-SSL) (Alive-SSL) (Alive-SSL) (Alive-SSL) (Alive-SSL) (Alive-SSL) (Alive-SSL) (.*Jive-SSL) (Alive-SSL) (.Alive-SSL) (Alive-SSL)

13810nt 106Nh* 12259ns 11185ns 13401ns 11&D2ns 11610m 15331ns 11271ns 11259ns 11977ns

J HONG KONG | ITALY »: REPUBLIC OF KOREA “ NETHERLANDS !IT A L Y ™ UNITED ARAB EMIRATES •: REPUBLICOF KOREA 5 SWEDEN “ SYRIAN ARAB REPUBLIC ” SYRIAN ARAB REPUBLIC — CZECH REPUBLIC

r

Cancel DsajleJ Keep Ali/e Auto Swtcf‫־‬

108.21.59 69:18221 tested 09 (Deod) bccousc ccrre oo n bmed out 2 ' 3.864.103.80 tested as [Deod] because connection llrrcd 0U 123.30.188.46:2214 tested as [Dead] Decause ccnrecaon tuned out. 68 134253.197 5563tested as [Dead] because comection •jmed out.

V

FIGURE 1210: Click on Start button

15. Click B asic Anonymity in die right panel; it shows a list o f downloaded proxy servers.

C E H L ab M an u al P ag e 206

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Proxy Switcher Unregistered ( Direct Connection)
File Edit Actions View Help

| _ ; o ^

£z‫ ־‬When running in Auto Switch m ode Proxy S w itch er will sw itch active proxy servers regularly. Sw itching period can be s e t with a slider from 5 m inutes to 10 secon d s

& s ►□ x I a a a
g ? Proxy Scanner j~ # New (853) B ‫&־‬ Aronyrroue (0) h & SSL(0) Bte(0) ■ ‫ »־‬-& Dead (2872) Femanently (6925)

A

L i 0■ 0
State (Alve-SSU (Aive-SSU (Alve-SSL) (Alve-SSU Alve Alvo (Alve-SSL) Alve (Alve-SSU (Alve-SSU (Alve-SSU ■ 1

A 1!l) 2 )
RespxKe 10160ns 99/2rre 10705ns 12035ns 11206ns 10635n• 11037ns 10790ns 10974m 10892m 11115ns

= *° *‘‫״‬,‫׳‬

K

1513 ■
\— j~ & 1 ■ & -■ ‫־‬

'‫‘י‬.. . " < <1‫־"׳‬

Pnvale (16) Dancerous (696) My Proxy Sorvoro (0) PraxySwltcher (0)

,f <f ,f f ,f ,f ,f <f <f ,f if

Server 91 14444 65 3128 119252.170.34:80.. 114110*4.353128 41 164.142.154:3123 2‫כי‬ 1 49101 10? 3128 2D3 66 4* 28C 203 254 223 54 8080 200253146.5 8080 199231 211 1078080 1376315.61:3128 136233.112.23128 <1

Countiy — Sv R A fi ARAB REPUBI INDONESIA ^ INDONESIA ► )E SOUTH AFRICA m BRAZIL H iT A IV /A M REPUBLIC OF KOREA p g BRAZIL P 3 BRAZIL 1 ‫ ס‬BRAZIL

Caned Dsabled
K e e p A liv e A u to S w t d ‫־‬

177 38.179.26 80 tested as [Alwej 17738.179.26:80 tested as [(Aive-SSU] 119252.170.34:80 tested a< (Alive] 119252.170.34.80 tested as [(Alive-SSL)]

ISilli&SSitSiSk

33/32

FIGURE 1211: Selecting downloaded Proxy server from Basic Anonymity

16. Select one Proxy server IP ad dress from right panel to swich die selected proxy server, and click die
flit a1 3
F ile E d it ,A c t io n s V ie w H e lp

fTJ icon.
1 ~ l~a ! *

P ro x y S w itc h e r U n re g is te re d ( D ire c t C o n n e c tio n )

O

#‫□ ׳‬

n [a
,.

a . a
Server

a if

j \

2 \y
State (Alve-SSU (Alve-SSL (Alve-SSU Alh/e (Alve-SSU (Alve-SSL:• (Alve-SSU (Alve-SSU (Alve-SSU (Alve-SSL) (Alve-SSU (AlveSSU (Alve-SSU

A

L is | Hesponte 10159ms 131 5‫־‬m 10154‫*״‬ 10436ns 13556ns n123me 10741ns 10233ns 10955ns 11251m 10931ns 15810ns 10154ns

‫י‬/ |

Proxy S«rvera

|X j

P x » y S ca n n e r £ 5

J •••‫ *ל‬New )766(
r t g h A n o rry m o u * )0 ( & S S L )0 <

f ,9 1 .1 4 4 4 4 .65:3123 f 0 0 1 .147.48.1 U . c t a b c r c t f ,2 1 8 .152.121.184:3030
95.110159.545080

lx>stS4 1 59 ? , ‫ל־‬1&‫־‬.a e m e f .95

; ‫־־‬B1te 01)0( In addition to standard add/rem ove/edit functions proxy manager contains functions useful for anonymous surfing and proxy availability testing
^

B Y

Dead )2381(
.... P e m a n e n tly 7 $ )6 9 2 5 (

Lointiy “ SYRIAN ARAB REPUBLIC [ J HONG KONG 1 | ITALY REPUBLIC OF IQOREA ;-S W E D E N 1 ITALY ----- NETHERLANDS REPUBLIC OF KOREA “ HUNGARY ^ ^ IR A fl S3£5 KENYA “ SYRIAN ARAB REPUBLIC

Basic A n o n ym ity )467'
h‫& ־‬ P n ‫ ׳‬a t e 116(

3i.S6.2‫־‬ S . 2 i . S ) S D . .

if
f

9 5 .2 1 1 1 5 2 .2 1 8 :3 1 2 3 u 5 4 jp j1 1 3 5 a T T S jn o coJcr:• 9 1 .8 2 .6 5 .1 7 3 :8 0 8 0

j‫ & ־ ־‬Dangerous )696!‫׳‬
r ‫&־‬ :— P ro x y S e r/e re )0 ( P ro x y S v tttch e r )0 (

,f
$

< f 8 6 . 1 1 1 1 A 4 .T 9 4 .3 1 2 3

4 ‫ד‬.89.130.23128
9 ‫ ו‬1 4 4 4 4 86 3123

,f
C ta e b lc d [[ K o e p A liv e

][ A u to S w t c h

|

218 152. 121.I84:8030tested as ((Alve-SSL:]
2 1 8 .152.121.144:8030 tested as [Alive]
ha * » 5 4 -1 5 9 -l 1 0-9 5 s e n ie r ie d ie a ti a m b a « 8 0 8 0 t e 4 » d » (‫ ׳‬A lv e - S S L ) ] 0 3 1 .1 4 7 .4 8 .1 1 6 .w a tb .n e t/ ig 3 to r.c o m :3 1 2 3 te a ts d 0 5 [(ASve S S L ) )

h‫׳‬

FIGURE 1212 Selecting the proxy server

17. The selected proxy server will connect, and it will show die following connection icon.

C E H L ab M an u al P ag e 207

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Proxy Switcher Unregistered ( Active Proxy: 95.110.159.54:8030 ‫ ־‬ITALY)
p FFiile k E d it A c t io n s V ie w H e lp

I~ l ‫ ם‬f

x

$5

Proxy Scanner H * New !766) Ugh Anonymous (0) • g t SSL(O) - ‫־־‬e ? Bte(O) B - R Dead (2381) P»m*n#ntly (G975) 003‫״‬. Anonymity(4G7) Pnvate lib) | 0 ‫ ־־‬Dangerous (696) l‫ & ״‬My Proxy Servere (0) : —ProxySviitcha 2 5 ‫) ־‬0(

Serve!
£ 9 T.144 4^.65:3123

001.147.48. ilS.etatic .ret.. , ? host54-159-110-95.server..
& ,f 2 1 8 .152.121.194:3030 d e d se rr2i 2 3 Jevonlm e

to n

L

95 110159 54 8080

, ? 95 211 152 218:3123 u54aDJl133a‫׳‬r»unfl,co.kr:l , f 91 82 £5 173:8080 g 86.111 144.194.3128 , ? 41.89.130^3128 £ 91 14444 86 3123

State (Alve-SSU (Alve-SSU (Alve-SSU Alive (Alve-SSU (Alve-SSU (Alve-SSU (Alve-SSU (Alve-SSU (AlveSSU (Alve-SSU (Alve-SSU (Alve-SSU

Response
10159ms

13115n* 10154ns
10436n s 13556n s

1123‫־‬n.« 107^0rn»
10233n s 10955n s

1l251r»a 10931ns 158101s
10194ns

Comtiy SVRAM ARAB REPUBLIC HONG KONG | |IT MY > : REPJBLIC OF KOREA ■■SWEDEN I ITAtr UNI ILL) ARAD CMIRATCS “ NETHERLANDS REP JBLIC OF KOREA “ HUNGARY “ IRAG g g K E N rA “ S ^ A N ARAB REPUBLIC
“ [ J

> I

‫״י‬

Dseblcd

1 1 Keep Alive

|[ " Auto Switch

2l8.152.121.1&4:8030tested as [fAlve-SSL! 218.152.121.184:8030tested as (Alive]
h o s t5 4 - 1 5 9 -1 1 0 -9 5 9 » rv e rd e d ic a ti a rn b a 8 ‫ג‬C 8 0 te s te d a s R A Iv e -S S L )] 0 3 1 .1 4 7 .4 8 .1 1 6 .a to tc .n c tv ig a to r.c o n > :3 1 2 3 te s te d 0 9 [(M rvc S S L )) E a u c A n o n y m it y

ML
FIGURE 1213: Succesfiil connection o f selected proxy

£□ Starting from version 3.0 Proxy Sw itcher incorporates internal proxy server. It is useful w hen you w ant to u se other applications (b esid es Internet Explorer) that support HTTP proxy via Proxy Sw itcher. By default it w a its for co n n ectio n s on localh ost:3128

18. Go to a w eb brow ser (Firefox), and type die following URL http: / / w ^v.proxy switcher, com/ checLphp to check die selected proxy server comietivity; if it is successfully conncted, then it show's die following figure.
Detecting your location
3? £ri!t ¥"■'‫ '״‬History Bookm orH Iool*• Jjdp

M 07 illa Firefox

r 1 0‫ ־‬Cx 1

0*r»<ring your kx‫ «־‬io ‫׳‬v

4‫ ־‬-.IUU-..J.UU,I

C

* ‘ I G o ® , I .

fi

f!

Your possible IP address is: Location:

2 0 2 .5 3 .1 1 .1 3 0 , 1 9 2 .1 6 8 .1 .1

Unknown

Proxy In fo rm a tio n Proxy Server: Proxy IP: Proxy C ountry: DFTFCTFD 95.110.159.67 U n kn o w n

FIGURE 1214: Detected Proxy server

19. Open anodier tab in die w eb browser, and surf anonymosly using diis proxy.

C E H L ab M an u al P ag e 208

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

p ro x y r lc Edit y ie * History Bookmark: Tools fcWp

server Cerca con Google - Mozilla Firefox

Ottecbngyour location.. ^ *Tu

| p r a y i c ‫־‬. « - C e r a c o n G oogle C U ttio ‫ ־‬G ccgfc

< 9 wvw* g c o g k .it ?hb(t& g5_nf=1& pq-prcr)■ w r ‫^־‬rc?cr>- 0&g?_<l-22t51.1t>f-taq-pro>fy‫»־‬scfvcr& pt-p8b 1»R ic e r c a I m m a g in i M aps P la y Y ouT ube M ew s G m a il D o cu m e n t! C a le n d a r

P

*

Google
0 3 After the anonymous proxy servers have become available for switching you can activate any one to become invisible for die sites you visit.
Ricerca

proxy server

P ro xy
Immagini

Wikipodia

Maps
V id e o M oaze S h o pp in g

it w k jp e d ia .o tg A v ik n 'P ro x y In in fo rm atica e te le c o m u n ic a ^ o w u n p r o x y 6 un prog ram m a c h e s i ml e i pone tra un c lie nt ed un s e r v e r fa re n d o d a tr a m r e o n e e rfa c c ia tra 1 d u e h ost ow ero ... A ltri u si d e l term rne P r o x y P io x y H T T P Note V o a correlate

Public Proxy Servers - Free Proxy Server List
ivwiv p u b lic p r o x y s e r v e r s c o n V T ia C u a q u e s ta pagina P u b lic P r o x y S e r v e r * is a free a n d *!dependent proxy c h e c k in g s y s le m . O u r service h elps you to protect y ou r K te n tly and b y p a s s surfing re strictio n s s in c e 2 002. P r o x y S ervers - S o r e d B y R a tin g - P r o x y S ervers S orted B y C o u n try - U s e fu l L in k s

Ptu contanuti

Proxy Server - Pest Secure, rree. Online Proxy
ItaHa
Cemtm locnKtA
w v w p r o x y s e r v e r c o m ‫ • '׳‬T ra d u c i q u e s ta pagm a Thn boet fi!!*‫ י‬P io x y S e r v e r out thar®' S lo p s e a rc h in g a proxy list (or p roxies that are never taut or do n o i even get anl* 1e P r o x y S e r v e r c o m h as you covered from ...

Proxoit - Cuida alia naviaazione anonima I proxy server

FIGURE 1214: Surf using Proxy server

Lab Analysis
Document all die IP a d d r esses of live (SSL) proxy servers and the connectivity you discovered during die lab. T o o l/U tility In fo rm atio n C o llected /O b jectiv es A chieved Server: List o f available Proxy servers S elected Proxy Server IP A ddress: 95.110.159.54 Proxy Sw itcher S elected Proxy C o u n try N am e: ITALY R esulted Proxy server IP A ddress: 95.110.159.67

PL E A S E TA LK T O Y O U R I N S T R U C T O R IF Y OU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.

Questions
1. Examine which technologies are used for Proxy Switcher. 2. Evaluate why Proxy Switcher is not open source.

C E H L ab M an u al P ag e 209

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

In te rn e t C o n n ectio n R eq u ired 0 Y es P latform S u p p o rted 0 C lassroom
□ iLabs

□ No

C E H L ab M an u al P ag e 210

E thical H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab
w

1 i

3

Daisy Chaining using Proxy Workbench
Proxy Workbench is a uniquepivxy server, idealfor developers, security experts, and twiners, which displays data in real time.
ICON 2 3 ‫ ־‬Valuable information Test your knowledge ‫ס‬ m Web exercise W orkbook review KEY

Lab Scenario
You have learned in the previous lab how to h id e your a ctu a l IP using a Proxy Switcher and browse anonymously. Similarly an attacker with malicious intent can pose as someone else using a proxy server and gather inform ation like account or bank details o f an individual by performing so c ia l en gin eerin g. Once attacker gains relevant information he or she can hack into that individual’s bank account for online shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace die real source o f attacks. As an administrator you should be able to prevent such attacks by deploying an intrusion detection system with which you can collect network inform ation for analysis to determine if an attack or intrusion has occurred. You can also use Proxy W orkbench to understand how networks are scanned.

Lab Objectives
This lab will show you how networks can be scanned and how to use Proxy W orkbench. It will teach you how to: ■ ■ Use the Proxy W orkbench tool Daisy chain the Windows H ost Machine and Virtual Machines

Lab Environment
To carry out the lab, you need: ■ Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning
Networks\Proxy Tools\Proxy Workbench

C E H L ab M an u al P ag e 211

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council AB Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

ZZ7 Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

You can also download die latest version o f Proxy W orkbench from this link h ttp://proxyw orkbench.com I f you decide to download the latest version, then screenshots shown in the lab might differ A computer running W indows Server 2012 as attacker (host machine) Another computer running Window Server 2008, and W indows 7 as victim (virtual machine) A web browser widi Internet access Follow Wizard-driven installation steps to install Proxy Workbench Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Proxy Workbench
Proxy Workbench is a proxy server diat displays its data in real time. The data flowing between web browser and web server even analyzes FTP in passive and active modes.

Lab Tasks
C Security: Proxy servers provide a level of security within a network. They can help prevent security a ttack s a s th e only w ay into th e network from th e Internet is via th e proxy server
\

Install Proxy Workbench on all platforms o f die Windows operating system ‫׳‬W indows Server 2012. W indows Server 2008. and W indows 7) Proxy W orkbench is located at D:\CEH-Tools\CEHv8 M odule 03
S can n in g N etw orks\P roxy T ools\Proxy W orkbench

-

‫ ר‬You can also download the latest version o f Proxy W orkbench from

this link h ttp ://proxyworkbench.com 4. Follow the wizard-driven installation steps and install it in all platforms o f W indow s operatin g s y s te m
_

This lab will work in the CEFI lab environment - on W indow s S erver 2 0 1 2 , W indow s S erver 2 0 0 8 ‫ י‬and W indow s 7 O pen Firefox browser in your W indow s S erver 2012, and go to T ools and click op tion s

6.

C E H L ab M an u al P ag e 212

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC •Council AU Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Google Moiillo Firefox
colt | HtJp Downloads moderns

CW-I a<*SM»A
D ocu m en ts C alendar M ote •

S t*UpS^K.
♦You S e a r ch Im a g es Web Developer Page Info

e •!1• -■ cc9 u

fi
Sign n

*

5‫«ז‬1£‫ו‬1 *«)‫ז‬6 ‫ ״זי הי‬9
Cle«r Recent Ustsr. 01+“ Sh1ft*W

Google
Google Search I'm feeling Lucky

AtfM«t1«M 1g P io g a m m e i

Bu sin ess Soltiion*

P ir a c y t Te

• Google

About Google

Google com

FIGURE 13.1: Firefox options tab

7.

Go to Advanced profile in die Options wizard o f Firefox, and select die Network tab, and dien click Settings.
Options

G e n e ra l

‫§י & ם‬
Tabs C o n te n t C o n n e c tio n

%
A p p l ic a t io n s j

p
P ii v a c y S e c u r it y

3
|

S> nc

A dvanced

f t The sockets panel shows the num ber o f Alive socket connections that Proxy W orkbench is managing. During periods o f n o activity this will drop back to zeroSelect

G e n e ra l | M e tw o rV

j U p d a t e | E n c r y p t io n

C o n f ig u r e h o w h r e f o i c o n n e c t s t o t h e I n te r n e t

S g t n g i.

C a c h e d W e b C o n te n t Y o u r v re b c o n te n t c a c h e > s c u r r e n t ly u s in g 8 .7 M B o f d i s k s p a c e I I O v e r r id e a u t o m a t e c a c h e r r a n a g e m e n t C le a r N o w

Limit cache to | 1024-9] MB of space
O f f lin e W e b C o n t e n t a n d U s e r D a ta You M

1 a p p lic a t io n

c a c h e i s c j i i e n t l / u s in g 0 b y t e s o f d is k s p a c e

C le a r N o v /

T e ll m e w h e n a * refccit* a c lr t t o s t o r e H a t* f o r o f f l in e u c e

Exceptions..

T h e f o llo v / in g t v e b s it e s a t e a lo w e d t o s to r e d a ta f o r o f f lin e u s e

Bar eve..

OK

Cancel

H e lp

FIGURE 13.2 Firefox Network Settings

C E H L ab M an u al P ag e 213

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

S The sta tu s bar sh o w s th e d etails o f Proxy Workbench*s activity. The first panel displays th e am ount of data Proxy Workbench currently h as in memory. The actual am ount of m emory that Proxy Workbench is consum ing is generally much more than this due to overhead in m anaging it.

8. Check Manual proxy configuration 111 the C onnection S ettin gs wizard. 9. Type HTTP Proxy a s 127.0.0.1 and enter die port value as 8 0 8 0 ‫ י‬and check die option o f U se th is proxy server for all protocols, and click OK.
Connection Settings
Configure Proxies to Access the Internet O No prox^ O Auto-detect proxy settings for this network O iis * system proxy settings (§) Manual proxy configuration: HTTP Proxy: 127.0.0.1 @ Use this proxy server for all protocols SSL Proxy: £TP Proxy: SO£KS Host 127.0.0.1 127.0.0.1 127.0.0.1 D SOCKS v4 No Proxy fo r (S) SOCKS ^5 Port Port PorJ: 8080— 8080y | 8080v Port

localhost, 127.0.0.1 Example .mozilla.org, .net.nz, 192.168.1.0/24

O Automatic proxy configuration URL Rgload

OK

Cancel

Help

FIGURE 13.3: Firefox Connection Settings

10. While configuring, if you encounter any port error p le a se ignore it 11. Launch the S tart menu by hovering die mouse cursor in the lower-left corner o f the desktop.
Scan computers by IP range, by domain, single com puters, or computers, defined by the Global N etw ork Inventory host file

4 Windows Server 2012 W a o o m W 1 Pi W 2 (dentC jiC kttr0H iK tT r baLM cnco wtuidM O .

g. - ? • FIGURE 13.4: Windows Server 2012 - Desktop view

12. Click die Proxy Workbench app to open die Proxy Workbench window

C E H L ab M an u al P ag e 214

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

S erver M anager

W in d o w s Pow erShell

G o o g le C h ro m e

H y p e r-V M anager

S The events panel displays the total num ber o f events that Proxy W orkbench has in memory. By clearing the data (File‫ >־‬C lear All D ata) this will decrease to zero if there are no connections that are Alive

Fa

m
C o n tro l Pa n d


H yper• V V irtu a l M a c h in e ‫״‬

‫וי‬
S O I S e rve r

W

£
D e tk c

Com m and Prom pt

MO? 1 1 3 Firefox

Searct101_

H
dobaI N e tw o rk In v en tory

O
Prox y W oricbenu.

Si
FIGURE 13.5: Windows Server 2012 - Apps

13. The Proxy Workbench main window appears as shown in die following figure.
Proxy W orkbench
File View Tools Help

H I

& The last panel displays the current tim e a s reported by your operating sy stem

‫ו ם‬

_ ‫ש‬ ‫ב‬ ‫ע‬
Mooitorirg: WIND33MR5HL9E4 (10.0.0.7) SMTP • Outgoing e-mal (25) ^ & ^ POP3 • Incoming e-mail (110) HTTP Proxji •Web (80B0) HTTPS Proxy • SecureWeb (443) FTP • File T!ansfer Protocol (21) Pass Through ■ For Testing Apps (1000) Details for All Activity
From

m
KNJHm
To 173.194.36.24:80 (www.g.. 74.125.31.106:80 (p5 4ao 173.194 36 21:443 (m aig 173.194.36.21 :443 (m a ig . 173.194.36.21:443 (maig..
17‫ ר‬K M

1 Protocol HTTP HTTP HTTP HTTP HTTP
H T T P ____

| Started 18:23:39.3^ 18:23:59.0‫־‬ 18:24:50.6( 18:24:59.8' 18:25:08.9‫־‬
1 Q .T C .1 Q M

J J 1 2 7 .0 .0.1:51199 127.0.0.1:51201 J l l 127.0.0.1:51203 J d 127.0.0.1:51205 J d 127.0.0.1:51207 W 'l!? 7 n n 1 ‫ו לו ^ו‬ 3eal time data for All Activity
000032 000048 000064 000080 000096 000112 000128 000144 000160 000176

T C .

71 • A n ( m ‫־‬d ‫״‬

/ I . 1 . . U s e r —A g : M o z i ll a / 5 .0 in d o w s N T 6 .2 OU6 4 ; r v : 1 4 .0 e c k o /2 0 1 0 0 1 0 1 re fo x /1 4 .0 .1 . o x y - C o n n e c t io k o o p - a liv o . H

ent (¥ ; W ) G F i . Pr n : ost

: m a il.g o o g le .c o m . . . .

2f 3a 69 4f 65 ?2 6f 6b 3a 6d

31 20 6e 57 63

b5
73 65 20 Od

2e 4d 64 36 6b 66 79 65 6d

31 S i 6£ 34 6f 6f 2d 70 61 Od

Od 7a 77 3b 2f 78 43 2d 69 0a

0A 69 73 20 32 2f 6f 61 6c

SS 6c 20 72 30 31

60
6c 2e

73 6c 4e 76 31 34 6e 69 67

,

0o

<
Memory: 95 KByte Sockets: 1CO Events: 754

I I I
u n ; 1 iciu ic . u n ; 11 7angwrrx?n— Luyymy. u n ; 1 .

>

J

FIGURE 13.6: Proxv Workbench main window

14. Go to T ools on die toolbar, and select Configure Ports

C E H L ab M an u al P ag e 215

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Proxy Workbench
File L^ oo lsJ Help View I Save Data...

5
Monitoring: W All Activity ^ SMTF

Configure Ports. Failure Simulation... Real Tim e L°99in9 •

U|10m

3
mnihm
| T0 173.194.36.24:80 (w»w*.g.. 74.125.31.106:80 |pt4ao 173.194 36.21:443 (n a ig . 173.194 36.21:443 (na*g 173.194 36 21:443 (n a ig • m 1 ‫*־‬ c ‫״* ול־‬n ‫» ו *י׳ו‬ I Protocol HTTP HTTP HTTP HTTP HTTP HTTP | Started 18:23:39.3} 18:23:59.0‫־‬ 18:24:50.6( 18:24:59.8! 18:25:08.9‫־‬ ■ m -w ip r ^

=tails for All Activity

& The *Show the real tim e data window' allow s th e u ser to sp ecify w hether th e real-time data pane should be displayed or not

POPd Options... k # HTTP T‫־־‬TWny T T W U (W W ) ^ HTTPS Proxy • Secure Web |443) ^ FTP • File T ransler Protocol (21) Pass Through ■ For Testing Apps (1000)

J 127.0.0.1 51199 tJ 127.0.0.1 51201 3 d 127.0.0.1 51203 £ J 127.0.0.1 51205 ;jd 127.0.0.1 51207 4 - | ‫ ל ו‬7 ‫ ח וו‬1 51‫ו ו ל‬

>

Real time data for All Activity 000032 000048 000064 000080 000096 / l . 1 . .U s e r-A g e n t : M o z i l l a / 5 . 0 (W in d o w s NT 6 . 2 ; U O U64; r v : 1 4 . 0 ) G e cko /2 0 1 0 0 1 0 1 F i r e £ o x / 1 4 .0 .1 . P r o x y - C o n n e c t io n : k e e p - a liv e . . H ost : m a il. g o o g le . c o m 2£ 3a 69 4£ 65 72 6f 6b 3a 6d 31 20 be 57 b3 65 ?8 b5 20 Od 2e 4d 64 36 6b 66 79 65 6d 0a 31 6f 6f 34

000112
000128 000144 000160 000176

....

6£ 2d 70 61 Od

0 a 55 73 69 6 c 6 c ? 3 20 4 e 20 72 76 2 £ 3 2 30 31 78 2 f 31 34 43 6 f 6 e 6 e 2d 61 6 c 69 69 6 c 2e 67 0a

Od 7a 77 3b

Memory: 95 KByte Sockets: 100

Events: 754

I eiiim a ic UII

11c1u4c. u u

u n u u ic u i i

L‫« ׳‬ty1c u n

1_<.yymy. u n

‫ ׳‬ju i

FIGURE 13.7: Proxy Workbench ConFIGURE Ports option

15. 111 die Configure Proxy W orkbench wizard, select 8 080 HTTP Proxy - Web 111 die left pane o f Ports to listen on. 16. Check HTTP 111 die right pane o f protocol assigned to port 8080, and click
Configure HTTP for port 8080
CLl People w ho benefit from Proxy W orkbench
Home users who have taken the first step in understanding the Internet and are starting to ask "Bat how does it work?” People who are curious about how their web browser, email client or FTP client communicates with the Internet. People who are concerned about malicious programs sending sensitive information out into the Internet. The information that programs are sending can be readily identified. Internet software developers who are writing programs to existing protocols. Software development for die Internet is often verv complex especially when a program is not properly adhering to a protocol. Proxy Workbench allows developers to instantly identify protocol problems. Internet software developers who are creating new protocols and developing the client and server software simultaneously. Proxy Workbench will help identify non-compliant protocol

Configure Proxy Workbench
Proxy Ports Ports to listen on: Port [ Description SMTP • Outgoing e-mail PI‫־‬lP3 - lnnnmino ft-maiI 18080 HTTP Proxy ■Web 443 HTTPS Proxy ‫ ־‬Secure Web 2 1 FTP ‫ ־‬File Transfer Protocol 1 0 0 0 Pass Through ■Foe Testing Apps Protocol assigned to port 8080 ; >>Don't use : ■✓ Pass Through HTTPS □ POP3 □ ‫ ח‬FTP

2 5 un

&dd-

|

Qetete

| |

Configure H TTP tor poet 8080.| Close

W Sho^ this screen at startup
FIGURE 13.8: Prosy Workbench Configuring HTTP for Port 8080

:- T -1-■ >
Internet Security experts will benefit from seeing the data flowing in real-time This wiH help them see who is doing what and when

17. The HTTP Properties window appears. N ow check C onnect via another proxy, enter your W indows Server 2 003 virtual machine IP address 111 Proxy Server, and enter 8080 in Port and dien click OK

C E H L ab M an u al P ag e 216

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

HTTP Properties
General

C On the web server, connect to port: (• Connect via another proxy
Proxy server Port:
^ Many people understand sockets much better then they think. W hen you surf the web and go to a web site called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altaviata.com" with p ort num ber 80

|10.0.0.7| Iftfififi

OK

Cancel

FIGURE 13.9: Prosy Workbench HTTP for Port 8080

18. Click C lose in die Configure Proxy W orkbench wizard after completing die
configuration settin g s
Configure Proxy Workbench
Proxy Ports 3orts to listen on: Port | Description 25 SMTP • Outgoing e-mail POP3 ‫ ־‬Incoming e-mail 110 8080 HTTP Proxy - Web 443 HTTPS Proxy-Secure Web 21 FTP ‫ ־‬File Transfer Protocol 1000 Pass Through - For Testing Apps Protocol assigned to port 8080 □ <Don't use>___________ □ Pass Through □ HTTPS □ POP3 □FTP

T he real time logging allows you to record everything Proxy W orkbench does to a text file. This allows the inform ation to be readily im ported in a spreadsheet or database so that the m ost advanced analysis can be perform ed o n the data

Add

delete

Configure HTTP for pent 8080 Close

W Show this screen at startup
FIGURE 13.10: Proxv Workbench Configured proxy

19. Repeat die configuration steps o f Proxy Workbench from S tep 11 to Step 15 in Windows Server 2008 Virtual Machines.

C E H L ab M an u al P ag e 217

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

20. 111 W indows Server 2008 type die IP address o f Windows 7 Virtual Machine. 21. Open a Firefox browser in W indows Server 2008 and browse web pages.
& Proxy Workbench ch a n g es this. Not only is it an a w e so m e proxy server, but you can s e e all of th e data flowing through it, visually display a so c k e t con n ection history and s a v e it to HTML

22. Proxy Workbench Generates die traffic will be generated as shown in die following figure o f W indows Server 2008 23. Check die To Column; it is forwarding die traffic to 10.0.0.3 (Windows Server 2008 virtual Machine).

M cn fan jMN1r2CtU.2 001 0 |4 3 ‫־‬ ;‫|׳‬
| M AO AO y ^ ship 0.*!>>‫ ו\»*<»׳‬1 ‫מן‬

^1C Q C • )

I .(flff J ' . f ' A I B I ' / t l l i l U I I y H T‫ מ ז‬F W - Sioim W.b (4 43 1 6 FTp.Fteriattfa *<xo:d|71)

V p* m 1 1 1 * h 1 1 -f«r»»njA « c * n o 3 0 )

0‫ ל‬7 v r. u -‫י‬ 11 ‫׳‬ ‫־־‬.* * » fJ'• U
.4 1 • •I >1. ‫נ‬

w an to n aaa aca! la o o itC M maiaxo
1 1

Mtaiaon taaa ‫•ו‬cm
10011 > rw

1000 )•CB)

> 1‫י‬ u 1 1.‫«־‬ :‫«־‬ > 1‫י‬ 1 1:‫נ־‬ .* 1•

ra a a ir a
M00 )•CIO

la a a iK m
100a )■m

11• ■ ‫י‬ U .‫נ‬

taaaiacta M00 )•CM M aaiK H i 144a]•Q M 1000)«:w laaaiaao

?W »11!»r 0IB ;v » » . < * < * 1 1 9 9
(C05:?(CT

»1 0 5 ‫גג‬.‫ זמ‬0 6 .K 2 S .3 1 T A‫«־־‬ •‫׳‬-= ‫ ־‬UK 0 60 5 2 ?‫סט‬ -*<o»e£ 5 7 7 ‫ז‬ 06052C92? 274B <V13r>M4ca1facc tWJ «052 1 1 0 2 06® 1556 06052*16? ®0526217 utre^riT O r» 9 rM 0 (a < rM . ‫נ מו‬ KOI.2t.3K K rT 1 1 9 1 c c o sjt* 1 K ( S O S ? M B K05267W 2110 tiiir, :1 4r, arezrui I’ JK « 05 2(. 734 » 05.‫» י‬ ‫י‬6 *v«**<*3ntrr»»t 3(85 n n ; 1 19, KT , s z a I V J
ce05 25&43 « 052*100

tS O lJM M HB700 *AttkaacaiNMt h ■ ■aita‫ •׳״‬a »0 5 ; ‫י‬ » ‫י‬ ‫י‬ » 0 J2 n 0 1 ««27» ct 0127 33 De«r?«e M 0*27 411
06052»»l PAthtf<ka»Mcc
06052*173

0 6 0 5 2 7 * 3

.* ‫״‬
I3S

1Wi

M taian
laaa iax a

2 —1
•0(448 •00D&4 •a [csc

uaaiaceo lO O O K W
1 ( 0 17 34 <3TT E x t e r n Sot 26 S .. : : t l 00 52 4‫ י‬a i r 1 u > - ) u t f «J F r i . 23 0 c« 2* 1‫ י‬.'0 10 • 4 :•dta-C aat c : . J i- a g e > : 3«0

160527496 £605275.* *0 5 27 59? (6052702 £05£27 ‫ ט‬3

F V » 9 h n < * c o < ra < t

sauszs

C 6 0 5 2 7 5 S 7
01 03 0 31 2 45 78 70 63 4d £1 72 20 32 30 31 39 30 47 u 4; 41 0• 6 6 6‫ י‬6 5 64 38 20 >>
31 4c ?2 32 (3 3d <3

t£3 5 2 4 :4 5

06052• 3‫ י‬3

‫»ה‬9► « •* » « ‫*׳״‬ ■ * 1 1 2 0

2‫ת‬

•0 C 1 1 2 • 0 )‫די‬ :■ « • < ? on d 5 > ? 2
3C]‫׳‬141 • 00160

1 > 3n

47 Id 14 O dQ o 13 11 t l I c 3a d« 20 61 71 m Od 0 . 43 ?< bI «m C

01 0 3» ? 0 7 42 03 23

4 50 ‫ל‬M tC6 1$ ‫י‬7 * «} MH

ro 11 W 3d U 41 74

0‫נ‬ 7i 2c 3» K k(1

Sf <4

2 0 « ( 3 0I I

FIGURE 13.11: Proxy Workbench Generated Traffic in Windows Server 2012 Host Machine

24. Now log in in to W indows Server 2008 Virtual Machine, and check die To column; it is forwarding die traffic to 10.0.0.7 (Windows 7 Virtual Machine).
Fife View Tod* Hrip

9

M irilcrrfj y1cbncni<2(’.3|10Q0 3|

r**»h':1H TIP P n» y‫'־‬Veb(0C8])
T rd 1 1000701 C O 1 a o .a ? ;» 8 0 lQ 0 D ;- m m 1aoa7.83E0 ‫ ו‬0 0 0 7 : ‫ש נט‬ 100 07:83 EO 100.07:8360 1aoa7!m E 0 1a0.a7:83EO ‫ ו‬0 0 0 7 :‫ש ש‬ 1000.7:8303 1ClO.a7.83EO m o n 7 rm g o 1 HTTP HUP HUP HTTP HUP HTTP HTTP HTTP HTTP HTTP HTTP HTTP HUP 1 cM s tei Hr TP Ptcay •V/H3 |B0B]| £ J *)O O G « fflO 4J10.QO.6SWO jU ': a : f c 3 1 i4 £ J ' ] . 0 0.69615 £ J 6 ; 0 : ‫־‬snt £ J 1 0 0 0 6 9819 S te M 05 flfl 0^7 3‫ג‬ 06.05 40109 ( E tft * 6 9 ‫נ נ‬ 06.(E *3 375 (£ 0 6 41437 0506 *3 531 06.05 4Q 546 0E<E 4a 578 0 6 0 = 4 :6 5 5 06 0 5 *3 906 06<e 41015 06.0C 41 *09 ( K f f i 41 TIB | 1 ■.,* 1 •.f ‫״‬I or, 05 4n !00 06 1*41 15 6 1)• (h 41 070 CB O G■ 4 1 625 (COS 41 015 (C 05 41 281 06.05 41.281 05 05 40 B43 06 05:41.828 (KOS415Q3 06 05 41 406 06 05 41 718 O, ( h 41 ‫׳׳‬HI K F K F F F F F F F F F F Fj 2J

^ ,iM TP•IJ1 * y t« n yv m « 1 l(2 & |

Q■H wpnm am m 1QOQ2I0 1QQQ7 &1 0 .00 .6!0 1 00 .0?
"W

POP3 •IruM fiinjoniilplC I

HITP5 Ro«v - Seojic Web(4431

FTP ■ Fie 1 lend® FVolard |211 • Nol L ila £ J 1 a a 0.6 9620 PdssThioj^i F01 Tastro^oo*nOOOl f« j h J ' I Q 0.&9B22 £ | - : . 0 : . 6 5824 £ 1 1 0 .0 0 69626

£ 7 A nd now, Proxy W orkbench includes connection failure simulation strategies. W hat this means is that you can simulate a poor network, a slow Internet or unresponsive server. This is makes it the definitive TC P application tester
Mar a y 3ES KBylei

£1100069828 £ 1 * 1 0 0 .6 9830 £ 1 1 0 0 0 &9H32 *1 ffe d : ‫ ״‬064

d

S x p iro D

010080
‫ ־ ־ ־‬09*

ot 26 H n x2 0 1 1S 0 aG 2 <0 CUT T.m t Hrd

060112
00012C

060144 060160 060176 080192

f t 1. 23 0 c t 2009 2 0 • 10 04 GMT. . C»ch0-C011t ro L m a x-o g e -3 6 0 0 . C on n e ct io a k o e p - o l iv c

76 4d 39 66 74 47

70 69 72 61 72 20 20 47 <d 69 6564 20 32 30 4d Od 6t 6 c 30 20 Od 0 9 43 61 65 70 2d 61

65 32 64 30 G« 6d te 6c

73 30 Od 20 39 <3 61 in 69

3c 31 0« 1e 20

61
78 15 6‫ל‬

S3 3a 4r b'3 32 63 2d 63 65

i l 20 74
30 61 2c 30 b0 61 74 Od 30 73 2? 3.‫י‬ 65 6? 69 0o

20 31 ‫ ל‬rf? . 4 20 32 31 30 2d ■(3 65 3d bl 6• Od 0o

a ?‫פ‬

T»!mnale 01( RcIlbc Qr 'h rb »f‫־‬

C m ^ ! ‫ ׳‬CK - o g g r g 01( 613A M

J Start |

Proxy Worfctxfyh

6 :1 5 A T 1 ‫׳‬

AiLd
FIGURE 13.12 Proxy Workbench Generated Traffic in Windows Serve! 2003 Virtual Machine

C E H L ab M an u al P ag e 218

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

25. Select O n die web server, connect to port 80 in W indows 7 virtual machine, and click OK
-TTTP P r o p e r tie s
G e n e ra l |

(•

O n th e * tcb s e rv e r, c o n n e c t to port:

C " Connect v b

0 T0*her p ro x y

Pro<y :errer 110.0.0.5 Port: [fiflffi

HI I t allows you to 'see' h ow your email client communicates w ith the email server, how web pages are delivered to your browser and why your FTP client is n ot connecting to its server

OK

il

C«r>cd

FIGURE 13.13: Configuring HTTP properties in Windows 7

26. N ow Check die traffic in 10.0.0.7 (Windows 7 Virtual Machine) “TO” column shows traffic generated fiom die different websites browsed in
W indows Server 2008
" Unix
p i?

w a»

'*w ts c « > » w

Wd

is o

«
r*e

>•
VWwr

< § > o
Toeli

1 11 ► ;> ■ ‫ הו‬7 ‫צ&ו‬

Help

Q 2 In the C onnection Tree, if a protocol or a client/server pair is s e le c te d , the D etails Pane displays th e summary information of all o f th e s o c k e t co n n ectio n s that are in progress for th e s e le c te d item on th e C onnection Tree.

£< ‫& •ג&ל ! ־‬
nfl. Vicim-iT naOLCLTl f t All«5ctr»*y ^ SMT P - Ouiflonfl e ‫ ״‬id |25| D c U I1 taH T T P IW -W « b 180801 I From *010.0 D 32237 ) 0 1 0 0 0 32239 )8 100032239 ;0 1 0 0 0 3 2 2 4 0 ) 0 1 0 0 0 3 2241 ) 0 10 0 0 3 2242 50100032243 ) 0 10 0 0 3 2244 ) 0 1 0 0 0 3 2245 ) B 1 0 0 0 3 224S )010 0 0 22 ‫ נ‬c )610 0 0 3 2 2 9 ) 0 10 0 0 3 224) ',W10 0 0 3 2250 ) 0 10 0 0 3 2251 )01O O O 3 2 2 C ‫־‬M 1 0 0 0 3 2253 )0 1 0 0 0 3 2 2 5 4 ) 0 10.0.0 3 2255 )01O O O 322S ) 0 1 0 0 0 3 2257 )010.0.0.32258 ­ ‫י‬: .‫ גן‬.*3 ‫ ד‬26E0 I1:..h < . •571SS22G.aK:£0|adi ‫ * י‬78206126 »0 &‫»*<י‬ i3 8 7 8 2 0 S 1 2 6 £ 0 ( a h t 133 73 336126.tC |ic ‫ *־‬U 2027921012140 (t*K 1 57‫ י‬if f i 2262(68(U *te 56 ZJ5 14311 l&C0lme*c 201l0&9517&a>fd»1e1 1 -: ► 1. ‫ ־‬, ‫ ־ ׳‬I..: '» r a 2 0 5 1 2 e w 0 a * u 1 » 7 8 a * 1 2 M 0 |l « h t . . 1 9 1vV..'X .;fflT11^1. 1«7820612S8000<ht , . ‫ ״‬: . • . . ! . u u ‫ ־‬.. •57166 2 ® 1 6 £ 0 (wmm.... 8 2 6 >2» « 81 :6 ‫ י‬a h (u '38JB20612t<a)|iCT*U •3 8 7 3 2 0 6 1 2 6 t0 1 ic d n .. •3a7320£1;& £C|1‫־‬ « fce ‫־‬i» 7 8 2 0 6 l2 6 0 H ic e h t 157.165Z262C6e0l«fc Pidocoi HUP HTTP HTTP HTTP HTTP HTTP HTTP h i TP HTTP HI TP HI IP HUP HTTP HUP h i IP HTTP HTTP HI TP HTTP HTTP HTTP HTTP 06:0634.627 0&£634643 C6(6 3 4 6 6 6 (6:0634.836 060634.336 C&C634963 (6(6S6(E3C CC.Ct.X.X^ 0 f e » 35 4 » 06:0636483 06C03BW 3 CC.CVXUC flf.r»3570? t e a . 56 786 060U 36W 9 c tc e - x c 7 ? (6:0636124 C6:Cfc36.166 0606X 216 CfcC&XSCS 06*636396 06C 636606 |U * E - * r l 1 LMlSUto 06.C635.436 FV»B ho? dfOcmecC.. CE<62SG 3 fVt'B hai d ; c f r r « l 0 6 (6 3 6 3 9 0 0 6 (6 3 5 6 2 4 060636624 cec& x21e (6 (6 3 6 1 8 6 C60& X 3W C M & X T tS ( 6 (C! 36 (66 c u r *124 0C.CtX.4V• f f.f f T V . • > P*J»3 l « J i « r r « l . . . f* ■ ‫ ?״‬t e d t a r r e d . FV»B h n J ‫־‬ .ccrreO ... Km d : « r r « l FWB hat d n c r m l . hat d i f f r r w l m il► B/*5 C25 1 BylesS 1577 0 1555 0 1556 1950 1131 2110 4176 2710 1572 ‫וי י‬ 11« IA » 2‫ ט‬3 1183 2103 .‫ »י‬5 3333 2125 2421 112i 1120 1533 0 0 0 0 0 0 112 0 0 0 0 0 0 0 0 398 0 0 0 0

‫ד‬C lC lC l3 to 10 0 0 5 1a a a 3 h > 203.85.231.83 |m‫־‬j .Brc> ’ 0 00 3 1 # 68 71 209 176 |abc goc 1 00031 a 50 27 06 207 |edn>m)k| 1a a a 3 la 58.27.86.123 ledue qua 100031 a 68 71 220 165 |abc cm 100031 a 202 79 210 121 Ibi tav 1QOCl3 b1 205 128 84.126 l£ « to 100031 a 50 27 86 105 | f « * \ 1ur 100031 a 58 27 86 217 100031 a 157 166 255 216 |4d1 ‫׳‬c 100031 a 157 166 255 31 im iiv, 100031 a 203 85 231 148 lilt 100031 a 203 106 85 51 |b kcmc 100031 a 50 27 06 225 |s etrrcd 100031 a 157. 166.226.26 Iw m c 100031 a 199 93 62 126 |i2.« * \u 100031 a 203. 106.85.65 liF c.^r 100031 a 207 46 148 32 |vi*va(£ 100031 a 66 235 130 59 Ix-ffccm 10.0031 a 203. 106.85.177 Ib.scc‫״‬ 100031 a 0 26 207 126 ledn vrtt 100031 a 157 166 226 32 |tve± a 100031 a 58 27 22 72 |r.«*\h 4m 100031 a 190 70 206 126 |icchk 100031 a 157 166 226.46 ledlnr^ 100031 a 66 235 142 24 |rre4 1 b)< 100031 a 203 106 05 176 Idi M rw 1 0 0 Q 3 I1 157. 166.255.13 Immma 1000310 68 71 209173 | 4bc fl0<

f . « ‫׳‬J n c r r « l rv>V bm d iw r iK l... ► V .T 1 dtecrreel P * 8 tu a d K c r re c 1 ... 06C 6 XU>1 1 8 ‫ ״ י‬h o d i m r M l . t t C f i X f ® M Km • i i t f r r f f l 8 * ‫ יי‬hoj 4 1 « f f « l .. F h o ! dtccrrccC.. PV.‫־‬ B h a tiic e rrc c t.. P*v»8 FVjB h s d .c crre cl...

0 6 (6 3 6 7 1 8 C6C63E7*9 06.0636611 < £ ffiX fi2 7 (6 (6 3 6 8 (6 060637.436

p e al line dsis t i HTTP P * • / ■ Web (9060) 0 0 01 60 000176 0 0 01 92 00 0206 000224 0 0 02 40 0 0 02 56 000272 61 M 4f 55 20 3S 61 72 69 il 4e 32 32 74 60 ?4 75 3 a 20 4 1 6 3 63

60 6 ? Od 0a 6 0 33 20 i d 4 ? 5 6 61 20
4 ? 22 36 20 3a 33 6? 6( 65 6a Od 4d 31 6■ ?4 0» 61 20 3• 2d 44 ?2 47 20 4c 61 20 4d 6) 65

C ‫־‬S I 3 0 l« 5 e l. 2 6 b a r 2011 00 5 2 31 CUT C onn* c t *oc . : ! » • . Co

12L

Btwt-Uimh 20

65 SO if 74 32 ?4 &c

?0 3a ?5 65 30 011 Cl 60 6 7

74 20 S2 3• 31 0a ?3 ‫ל‬4

2d 43 20 20 31 4) 65 68

4 61 3 6 ‫ג‬ 5 0 3d 2 2 4 2 5 ? 53 5 3 ( 1 74 2 0 30 3 0 i i 6e ( e C J 0■ 43 3* 20 32

‫ ־‬.‫־‬ 40 20 2c 3a 65 il 30

_ L * a

FIGURE 13.14: Prosy Workbench Generated Traffic in Windows 7 Virtual Machine

Lab Analysis
Document all die IP a d d resses, open ports and running applications, and protocols you discovered during die lab.

C E H L ab M an u al P ag e 219

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

T o o l/U tility

In fo rm atio n C o llected /O b jectiv es A chieved Proxy server U sed: 10.0.0.7

Proxy W o rk b en ch

P ort scan n ed : 8080 R esult: Traffic captured by windows 7 virtual machine( 10.0.0.7)

P L E A S E TALK T O YO U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S L AB.

Questions
1. Examine the Connection Failme-Termination and Refusal. 2. Evaluate how real-time logging records everything in Proxy Workbench.

In tern e t C o n n ectio n R equired 0 Yes P latform S u p p o rted 0 C lassroom □ iLabs □ No

C E H L ab M an u al P ag e 220

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

HTTP Tunneling Using HTTPort
HTTPo/f is aprogramfrom HTTHosf that mates a transparent tunnel through a pm xj server o r f renal!
ICON KEY

Lab Scenario
Attackers are always in a hunt for clients that can be easily compromised and they can enter these networks with IP spoofing to damage or steal data. The attacker can get packets through a firewall by spoofing die IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization’s network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TIL), and protocol type. Therefore, as a network administrator you should be able to identify attacks by extracting inform ation from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc. and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list o f attacks and take evasive actions. Also, you should be familiar with the H TTP tunneling technique by which you can identify additional security risks that may n ot be readily visible by conducting simple network and vulnerability scanning and determine the extent to which a network IDS can identify malicious traffic within a communication channel. 111 this lab you will learn H TTP Tunneling using HTTPort.

Valuable information Test your knowledge 3 Q Web exercise W orkbook review’ ‫׳‬

Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost

Lab Environment
111 die lab, you need die HTTPort tool.

C E H L ab M an u al P ag e 221

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

H T T P o rtis located at D:\CEH-Tools\CEHv8 M odule 03 S can nin g
N etw orks\T unneling Tools\HTTPort

■ You can also download the latest version o f HTTPort from die link littp :/ Avww. targeted.org/ ■
£ " Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

I f you decide to download the latest version, then screenshots shown in the lab might differ

■ Install H TTH ost 011 W indow s Server 2 0 0 8 Virtual Machine ■ Install H TTPort 011 W indow s S erver 2 0 1 2 H ost Machine ■ Follow the wizard-driven installation steps and install it.
■ A dm inistrative p riv ileg es is required to run diis tool

■ This lab might n ot work if remote server filters/blocks H TTP tunneling packets

Lab Duration
Time: 20 Minutes

Overview of HTTPort
HTTPort creates a transparent tunneling tunnel dirough a proxy server 01 firewall.

HTTPort allows using all sorts o f Internet Software from behind die proxy. It bypasses HTTP proxies and HTTP, firew alls, and transparent accelerators.

Lab Tasks
Stopping IIS S erv ices
2.

Before running die tool you need to stop IIS Admin S ervice and World Wide Web Publishing se r v ic e s on W indows Server 2008 virtual m achine. Go to Administrative Privileges click and click the Stop option.
S ervices IIS Admin Service, right

0 1 HTTPort cr e a te s a transparent tunnel through a proxy server or firewall. This allow s you to u se all sorts of Internet softw are from behind th e proxy.

C E H L ab M an u al P ag e 222

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

IIS Admin Scrvict
Sioo th - service 5.estart t h e s e v c e

Ka-n- * '*,FurcBon Discovery Provide Host P -rcocn Decovery Resource P J > l3 te n -C^C-rOiP Poicy C e n t Key a id Cerbftrate Mens9 »trp-t £ ,h \jm a 1 i r t e ' f c • Devise A ttest 3 . * v o r •v m u txchanoa s w a 1 Cfcnyoer-v Gue»t Shutdown Se‫ ׳‬v»oe ■S^Hyp*r*V HurBjM t 5 n v c » '^ ,h v sf'-v Tir* Synctvon m t o ' S a v e • ‫ • '־׳‬x ‫ « ׳‬voiu neSh jaow C oovR M u M B r £ , 3 2 a ‫־־‬d Au0!:P !P t•: Ktyttg ModJ«t CfeInter acave services Detection 4 Internet C ornecton Shwrng CCS) •£ !P h d p ‫־‬f £ ,: P s e c Polcy Agent :£J kctR.t1 *cr 3£trb uted Tra-sam on C oordnsso ‫־‬ ^ I n it - t o v e ‫ ־׳‬T oso o c v Discovery 1 “tepee?iw ic r o a jft KETFrans 0‫ ״‬rk NGB< v3 0.50727_kfr■ ^.M toosoft .KCTFraiKWOrkNS&l v : 0.5 0 7 2 7 _ > « '■*, M 00 9 0 * Fbre channel ?Istfo'n R e 3 s t 3 ‫ »־‬n Se‫״‬ ^ Mictom4? 6CSI ]ntigtor Service ^ V b o n * ! 5 ‫ ז » י \ | ) כ‬Shacton Copy P 'o r d fi Q,M 0 J la M anttnaioa S w v c t w b

I CeKri3bcn N w t a o c e .. , P -b e h e s t... The se rv e ... P‫־‬ov d e * X ... E -ajtet os P 0 ‫־‬v d 81 a .. . fv o v d e s a .. . M o 'ib n th.. . Syrxh'Cnj..

| 5:«b_s S ta te d Started Started

D o cr p to n : ‫ »׳׳‬:« * «

61 1 1nvj! t ‫ •־‬::s »r*ou‫ ׳‬M 1 0 n *or ‫ «ימ‬SK*®one FTP i«‫׳‬v«' nil 2 * u1 « 6 * to amfg.«« S-— 3 or ftp. :, the servce e d s x c d . an,
Enabltc ‫ «> ־ « י‬to *d ‫־‬
1*rv io r* ‫ « יי־‬H5 ‫׳‬X 'J tK C t h u m v t e • tta u p rd . :‫»־‬ s e 1 /‫׳׳‬ee* * v 9 !t» p o r v d fp e o ; fa I to tU t t. *mI

Started Started 5 la ‫׳‬t*d 5 :* U d ‘

c o c td n jte . _ 1 u ‫־׳‬ted S t J t __________ P .-llv R es - r e R essrr AIT mks R£^G^1 P rop rf br% t .... 8‫ ־‬t.. , ‫ן‬ . ► 3te , ----- ‫ ־‬0 ... S t* lid j n ... S la te d S ta ted Started Sia-ted S ta te d

W r a g n « ... ‫ •ויז‬Mojll*..

J

>t:p jcrvce IL Acrrr S trV tt on loco CaiOutt*

FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008

3.
& It b y p a sse s HTTPS and HTTP proxies, transparent accelera to rs, and firew alls. It h as a built-in SOCKS4 server.

Go to Administrative Privileges S erv ices World Wide Web Publishing S ervices, right-click and click die Stop option.
-Tllx]
*te Action jjen tela
l -'

E N + l t w l ‫ רי‬A Servwj C l o m J)
I

f I[B > rrf | £
S f n » M ( lo c a l)

World VVxic Web PwbW-mg S t m i

12 r!ttt’.ct C«so1 aion: (V»1 ‫׳‬df 1 Web a n ‫־‬w r< rr end ari'iprsron rry .y ■fc :‫־‬r r Infonrnston SerMoes Hjrage‫ י צ‬ne servce !< ” ‫׳‬v

‫־‬ (^<r1tu4 ^ vau''* S‫*״‬to/. Cooy C^iVeo Mir^wwnt Se‫<׳־‬ce £fetYrd»/.e Audo ^ \'‫<־׳‬to/.s Aucto ErekJrtit S ^ Y‫<־־‬to/.S Cotor SySteri £(Mfld M DectoymeotSevcesSesa £ .% Y f‫־‬tto/.9 Driver Fourdsoon - Lee ‫״‬cce Drver “ ‫ ׳ * ־‬xr■ «Y ‫־־‬d ‫׳‬/.s &‫ ׳ ׳‬Repo ‫ יט ׳‬Ser\ ce flj%Yrd»/.9 E‫׳‬e t Cotecto ® ‫׳‬e i: uw ^>Yrd /,s F»e.\dl (^»Y‫־׳‬d tnsteller I aat CJt«Yrtto/.9 »^1‫?׳‬gen‫־‬ e1t 1 ‫י׳ז‬5«‫קמי׳ י׳«יו״‬ «v‫־׳‬d Modiies Injuler Ci«Y‫׳‬xto/.® Biocen Activation Setv'd I ^ r C( •Y'-do’ /.* 5«mote M Re*»t £^.\'‫־׳‬rt>/.« try AlTMka ^ iV'tte/.fl updat# ^*vrH np web pw v Auto-ceeovJ ^ . v ‫<»׳‬ - Autocar*c H n y rB fi Perfcrwsrce Aflao*f

1CwJOCor
Ptcr>*0M‫זו‬... MWU0K*... TUtWtbM.. Mo'eOcS a... Ha'sOeid... ‫־‬he WaPl.. Ha'cOes r... Ma-aoe; u... Ab ‫־‬ .-sero... Thssevfc... Thssevfc... ViWowsF.. . Adds, m od■.‫״‬ ftovd» a ... &»ab«ns... ‫ •יזל‬wndo... VJ«o‫» ״‬B... Mints‫ *׳‬. ‫־י‬... KrHTTPl...

IS !aw

j

1 Ja n 1 0 5 3 0 8 1 1 % \V 'tk r /.$ 0 0 /.9 0 /,9

1

Sated Stated Stated Stated Stated Stated Stated stand statid

*

S ..

Pre0 6*0^‫ ־‬.. Stared JE 3 S JB

•\'08>'‫׳‬t3ecr

bet)

\£ x a r d e ; A

/

£‫־‬:c -T ‫;'׳‬g .‫־‬ ',o 'c

'■ ,.e: -vt»e-‫־‬n ; s r .- g

.:•r: co‫־־‬t x : r

FIGURE 142: Stopping World Wide Web Services in Windows Server 2008

‫ ט‬It supports
strong traffic encryption, w hich m ak es proxy logging u s e le ss, and supports NTLM and other authentication sc h e m e s.

4. 5.

Open Mapped Network Drive “CEH-Tools" Z:\CEHv8 Module 03
Scanning Networks\Tunneling Tools\HTTHost

Open HTTHost folder and double click htth ost.exe.

6. Tlie HTTHost wizard will open; select die Options tab. 7. O n die Options tab, set all die settings to default except Personal Passw ord field, which should be filled in widi any other password. 111 diis lab, die personal password is k m agic.'?

C E H L ab M an u al P ag e 223

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

8. Check die Revalidate DNS n am es and Log C onnections options and click
Apply
H TTH ost 1.8.5
N e tw o rk B in d lis t e n in g t o :

P ort:
[80

B in d e x t e r n a l to :

|0 . 0 .0 .0
A llo w a c c e s s f r o m :

1 0 .0 .0 .0
P e rs o n a l p a s s w o rd :

10.0.0.0
[‫־‬ P a s s t h r o u g h u n r e c o g n iz e d r e q u e s ts to : P o rt: O r ig in a l I P h e a d e r f ie ld : | x ‫ ־‬O r ig in a l‫ ־‬IP

H o s t n a m e o r IP :

112 7 .0 .0 .1

|8 1
T im e o u ts :

& To s e t up HTTPort need to point your brow ser to 127.0.0.1

M a x . lo c a l b u f f e r :

‫־‬3

| 0 =1 ‫ ־‬2

R e v a lid a t e D N S n a m e s Log c o n n e c tio n s ‫־‬ A p p ly

S ta tis tic s ] A p p lic a tio n lo g |^

3 p t io n s jj" S e c u r'ty

| S e n d a G ift)

FIGURE 14.3: HTTHost Options tab

9. N ow leave HTTHost intact, and don’t turn off W indows Server 2008 Virtual Machine. 10. Now switch to Windows Server 2 012 H ost Machine, and install HTTPort fiom D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort and double-click httport3snfm .exe
& HTTPort g o e s with the predefined mapping "External HTTP proxy‫ ״‬of local port

11. Follow die wizard-driven installation step s. 12. Launch the S tart menu by hovering die mouse cursor in the lower-left corner o f the desktop.

FIGURE 14.4: Windows Server 2012 - Desktop view

13. Click die HTTPort 3.SNFM app to open die HTTPort 3.SNFM window.

C E H L ab M an u al P ag e 224

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

5 t3 ft

Administrator

Server Manager

W indow s Power Shell

G oogle Chrome

Hyper-V M anager

HTTPort 3.SNPM

T ools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Networks

i.
Con>puter

m
C ontrol Panel

»
Hyper-V Virtual Machine...

9 1
SOI 5 f ‫ ׳‬w r in c a k n o r Ccntof.~

1

*‫נ‬ £
■ “ ‫יי ■ ״ ״‬-

V
C om m and Prompt M021IU Firefox

n

N ctwodc

F ‫־־‬

©
Proxy W orkbea. - T

if
M egaP n g

* 8
FIGURE 14.5: Windows Server 2012 - Apps

14. The HTTPort 3.SNFM window appears as shown in die figure diat follows.
HTTPort 3.SNFM

'‫־‬r°
Port:

S y s te m j Proxy :j por^ m a p p in g | A b o u t | R e g is te r | H T T P p ro x y to b y p a s s ( b la n k = d ire c t o r fire w a ll) H o s t n a m e o r IP a d d re s s :

For each software to create custom, given all the addresses from which it operates. For applications that are dynamically changing the ports there Socks 4-proxy mode, in which the software will create a local server Socks (127.0.0.1)

P ro x y re q u ire s a u th e n tic a tio n U s e rn a m e : Passw o rd !

Misc. o p tio n s U s e r-A g e n t: IE 6 .0 Bypass m o d e :

U s e p e rs o n a l r e m o te h o s t a t ( b la n k = u s e p ub lic) H o s t n a m e o r IP a d d re s s : P o rt: Passw o rd :

I-------------------------------- P
? \ 4 — T h is b u tto n h elp s

I-------------S ta rt

FIGURE 14.6: HTTPort Main Window

15. Select die Proxy tab and enter die h ost nam e or IP ad d ress o f targeted machine. 16. Here as an example: enter W indows Server 2008 virtual machine IP ad dress, and enter Port number 80 17. You cannot set die U sernam e and Passw ord fields. 18. 111 die User personal rem ote h ost at section, click start and dien sto p and dien enter die targeted H ost m achine IP ad d ress and port, which should be 80.

C E H L ab M an u al P ag e 225

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

19. Here any password could be used. Here as an example: Enter die password as ‘*magic‫״‬
In real world environm ent, p eop le so m etim es u se passw ord protected proxy to m ake com pany em p lo y ees to a c c e s s the Internet.
r|a
S y s te m

HTTPort3.SNFM | 3

' ‫־‬

x

P ro x y | p 0 rt m a p p in g | A b o u t | R e g is te r |

H T T P p ro x y to b y p a s s ( b la n k = d irect o r fire w a ll) H o st n a m e o r IP a d d re s s : | 1 0 . 0 . 0 .4 P ro x y re q u ire s a u th e n tic a tio n U s e rn a m e : P a ssw ord: Port: |8 0

M isc. o p tio n s U s e r -A g e n t: | IE 6 .0 B ypass m o d e : | R e m o te h o s t

U s e p e rs o n a l r e m o te h o s t a t ( b la n k * u s e p u b lic) H o st n a m e o r IP a d d re s s : | 1 0 . 0 .0 .4 * o r t: P a s s v » rd :

I8 0

|............ 1
S ta rt

? | <— T h is b u tto n h e lp s

FIGURE 14.7: HTTPort Proxv settings \rindow

20. Select die Port Mapping tab and click Add to create N ew Mapping
*‫ב‬
S y s te m | P ro x y

HTTPort 3.SNFM 1 - 1 °
Po rt m a p p in g A b o u t | R e g is te r

J

S tatic T C P /IP p o rt m a p p in g s (tu n n e ls ) Q New m a p p in g Q Local p o rt

1 ‫ םייי ם‬1

1-0
(3 R e m o te ho s t

Q H T T H ost supports the registration, b ut it is free and password-free - you will be issued a unique ID , which you can contact the support team and ask your questions.

— □

r e m o te , h o s t, n a m e

R e m o te port

1_0
S e le c t a m a p p in g to s e e statistics: No s ta ts - s e le c t a m a p p in g n /a x n / a B /s e c n /a K LEDs:

‫□□□ם‬
O Proxy

B u ilt-in S O C K S 4 s e rv e r W R u n SO CK S s e rv e r (p o r t 1 0 8 0 )

A v a ila b le in " R e m o te H o st" m o d e : r Full S O C K S 4 s u p p o rt (B IN D )

? | 4— T h is b u tto n h elp s

FIGURE 14.8: HTTPort creating a New Mapping

21. Select N ew Mapping Node, and right-click N ew Mapping, and click Edit

C E H L ab M an u al P ag e 226

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

HTTPort 3.SNFM
S y s te m | P ro x y

T3 3

Po rt m a p p in g | A b o u t | R e g is te r |

S tatic T C P /IP p o rt m a p p in g s (tu n n e ls )

Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

‫ש‬
W

New m a o □ 0 Local p 0 ■

Add

Edit

Rem ove

R e m o te ho s t r e m o te , h o s t, n a m e

(=J R e m o te p o rt

L_o
S e le c t a m a p p in g to s e e statistics: No s ta ts - s e le c t a m a p p in g n /a x n / a B /s e c n /a K LEDs:

□ □□□
O Proxy

B u ilt-in S O C K S 4 s e rv e r R u n SO CK S s e rv e r (p o r t 1 0 8 0 )

A v a ila b le in " R e m o te H o st" m o d e : r Full S O C K S 4 s u p p o rt (B IN D )

? | 4 — T h is b u tto n h elp s

FIGURE 14.9: HTTPort Editing to assign a mapping

22. Rename this to ftp certified hacker, and select Local port node; then lightclick Edit and enter Port value to 21 23. N ow right click on R em ote h ost node to Edit and rename it as
ftp.certifiedhacker.com

24. Now right click on R em ote port node to Edit and enter die port value to 21
I
r * 1 S y s te m | P ro x y
r

HTTPort 3.SNFM

-

1 °

r

x

Po rt m a p p in g | A b o u t | R e g is te r |

S tatic T C P /IP p o rt m a p p in g s (tu n n e ls ) 1=1 •.•‫=•׳‬. 0 ‫ ־‬Local p o rt 5 -2 1
0 /s

Add Rem ove

R e m o te ho s t ftp .c e rtifie d h a c k e r.c o m

S In this kind of

E5 R e m o te port I— 2 1

=
V

environm ent, the federated search w ebpart of M icrosoft Search Server 2 0 0 8 will not work out-ofthe-box b e c a u se w e only support non-password protected proxy.

S e le c t a m a p p in g to s e e statistics: No s ta ts ‫ ־‬in active n /a x n / a B /s e c n /a K

LEDs:

‫□ □ □ם‬ O Proxy
1

d u

lit ‫ ־‬in

se rve r

W

R u n S O C K S s e rv e r (p o r t 1 0 8 0 )

A v a ila b le in " R e m o te H o st" m o d e : I” Full S O C K S 4 s u p p o rt (B IN D )

|

? |

T h is b u tto n h elp s

FIGURE 14.10: H IT P ort Static T C P /IP port mapping

25. Click Start on die Proxy tab o f HTTPort to run die HTTP tunneling.

C E H L ab M an u al P ag e 227

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

HTTPort 3.SNFM ‫־‬r a :
S y s te m ^ o x y | P o rt m a p p in g | A b o u t | R e g is te r |

- H T T P p ro x y to b yp a s s ( b la n k = d ire c t o r fire w a ll) H o s t n a m e o r IP a d d re s s : |1 0 .0 .0 .4 P ro x y re q u ire s a u th e n tic a tio n U s e rn a m e : P a ssw ord: P ort: [8 0

M isc. o p tio n s U s e r-A g e n t: IE 6 .0 ‫נ ד‬ B y pass m o d e : [ R e m o te h o s t

U s e p e rs o n a l r e m o t e h o s t a t ( b la n k = u s e p u b lic) H o s t n a m e o r IP a d d re s s : Port: Passw ord:

|1 0 .0 .0 .4

[So

‫*״ * * *ן‬

(J3 H T T P is the basis for W eb surfing, so if you can freely surf the W eb from where you axe, H T TPort will bring you tlie rest o f the Internet applications.

? | ^— T h is b u tto n h e lp s

FIGURE 14.11: HTTPort to start tunneling

26. N ow switch to die W indows Server 2 0 0 8 virtual machine and click die Applications log tab. 27. Check die last line if L isten er listening at 0.0.0.0:80, and then it is running properly.
HTTHost 1.8.5
Application log: MAIN: HTTHOST 1.8 .5 PERSONAL G IFT WARE DEMO s ta rtin g ^ MAIN: Project codename: 99 red balloons MAIN: Written by Dmitry Dvoinikov MAIN: (c) 19 99-20 04 , Dmitry Dvoinikov MAIN: 64 total available connection(s) MAIN: netv/ork started MAIN: RSA keys initialized MAIN: loading security filters... MAIN: loaded filter "grant.dll" (allows all connections within MAIN: loaded filter "block.dll" (denies al I connections withir MAIN: done, total 2 filter(s) loaded MAIN: using transfer encoding: PrimeScrambler64/SevenTe grant.dll: filters conections block.dll: filters conections !LISTENER: listening at C .C .0 .C :s T |

Q T o make a data tunnel through the password protected proxy, so we can m ap external website to local port, and federate tlie search result.

z]
Statistics ( A p p lic a t io n lo g Options Security | Send a Gift

FIGURE 14.12 HTTHost Application log section

28. Now7switch to die W indows Server 2 0 1 2 host machine and turn ON die
W indows Firewall

29. Go to Windows Firewall with A dvanced Security

C E H L ab M an u al P ag e 228

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

30. Select Outbound rules from die left pane o f die window, and dien click N ew Rule in die right pane o f die window.
Windows Firewall v/ith Advanced Security
F ie A ction V iew H elp

■ -:° ‫־‬

- ‫־‬

W in d o w s F 1rew,5ll w ith Adv! Q ■ ‫^ •ן‬ Inb ou nd R u in O u tb o u n d Rules | C o n n e c tio n Security Ru M o n ito rin g

O u tb o u n d R u i n N am e © B ‫ ׳‬a n c h C a ( h e C 0n t« n :R at 1i«val (H TT P-0... © B r s n c h C e c h e H o rfe d Ca<t!e Cbent IHTT... © B r a n c h C e ih e K n W J C • c h • S*rvw(HTTP. © B r a n c h C ache Peer D n co v ery (W S D O u t) © C o ‫ « ׳‬N e tw orkin g • D N S < U0P-0ut) G roup B ra n ch C a c h e - Con ten t Retc... B ran ch Cach e - Hosted C e c h B ran ch Cach e - H o tted C a d i . B r a n c h ( a r h r - PeerOtseove... C ore N e tw orkin g Profile A l Al Al Al Al Al Al Deane■! Dom ain Deane•! Al Al Al Al Al Al Al Al Al Al Al Al Al Al Inab ied A No No No No Yes Yes Yes Ves Yes Yes Yes Yes Ves Ves Yes Ves res Ves Yes Vo Ves Vet Yes Vet v ' "■i T r " ........... ‫ז‬Q ■ V V 7 Filter by Profile Filter by State Filter by G ro up View

Outbound Rule*
N ew Rule...

© C o r e N e tw o rk in g - D>1v > m -e H o * C o n fig ... C ore N e tw orkin g © C o r e Ne tw orkin g ‫ ־‬D y n a m ic H o s t Config... © C o r e N e t w o r k n g ‫ ־‬G rcu p P olicy (ISA5S‫~ ־‬ © C o r e N etw orking - 5 ‫ ׳‬c u p P o k y (N P -O ut) C ore N e tw orkin g C ore N etw orking C ore N etw orking C ore N etw orking C ore N etw orking C ore N etw orking C ore N etw orking C ore N etw orking Core N etw orking

O R efresh
Export List... Help

£ ‫ ז‬Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

© C o r e N e tw o r k w ig - Group P olicy CTCP-0-. © C o r e N etw ork ing - Internet G ro u p M an a... © C o r e N etw orln ng - IPHTTPS CTCP-Out] © C o r e N etw ork ing - IPv6 ( I P v 6 0 ‫־‬u t) © C o r e N etw orV w g ‫ ־‬M ulb eost lis te n e r D o-. © C o r e N etw orking - M u locast Listener Q u ~

© C o r e N etw ork *!g - M ulticast I!sten er R ep~ C ore N etw orking © C o r e N etw orking • M u tec jst Listener Rep... C ore N etw orking © C o r e N etw ork ing - N eigh b or D nc every A... C ore N etw orking © C o r e N etw orking N eigh b or D isc o v er y S .Core N etw orking

© C o r e N r t w o f k n g ‫ ־‬P acket 1 c o Big (ICMP-. C ore N etw orking © C o r e N etw orking Param eter P rob lem ( I Core N etw orking

© C o r e N etw ork ing - P.cutei A d v ertn em en t... C are N etw orking © C o r e N etw orking - P.cuur S o i c t a e o n (1C.. © C ore N etw ork * ^ ‫ *! ־‬r e d o (UO P-O ut ( Core N etw orking C ore N etw orking

FIGURE 14.13: W 1 ndcra*s Firewall with Advanced Secunty window in Window's Server 2008

31. 111 die N ew Outbound Rule Wizard, select die Port option in die Rule Type section and click Next
N e w O u t b o u n d R u le W iz a rd p R u le T y p e Select the type cf firewall rule to create Steps. * 4 Rule Type Protocol and Ports O Program Rde Bidt controls connections for a program. ‫ >§י‬Port | R Je tw l controls connexions for a TCP or UDP W . O Predefined: |BranrhCacne - Content Retrieval (Ueee HTTP) R Je t a controls connections for a Windows experience. O Custom Cu3tomrJe v 1 What :ype of rue wodd you like to create? ■

« Action « « Profle flame

S Tools dem onstrated in this lab are available in Z:\ Mapped Network Drive in Virtual M achines

<Beck

Next >

11

Cancel

FIGURE 14.14: Windows Firewall selecting a Rule Type

C E H L ab M an u al P ag e 229

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

32. Now select All rem ote ports in die Protocol and Ports section, and click
Next
New Outbound Rule Wizard
P ro to co l and Porta
Specify the protocols and ports to which ths rJe apofes

Steps
+ R u • 'y p •

Does t‫*־‬s rule aopty to TCP or UDP? < !• > TCP O UD P

4

Prctocol and Ports

4 Acao r
4 Profile

4 Nam e
Q H T T P ort doesn't really care for the proxy as such, it works perfectly with firewalls, transparent accelerators, N ATs and basically anything that lets H T T P protocol through.

Does tnis n ie aoply tc all remote ports or specific re n o te port*9
!? m o te p o d s

O Specific re m o teports:
Example 80.443.5000-5010

< Eacx

Ned >

Cancel

FIGURE 14.15: Windows Firewall assigning Protocols and Ports

33. 111 die Action section, select die Block th e con n ection '’ option and click
Next
New Outbound Rule Wizard
A c t io n

Q You need to install htthost on a PC, who is generally accessible on the Internet typically your "home" PC. This means that if you started a Webserver on the home PC, everyone else must be able to connect to it. There are two showstoppers for htthost on home PCs

Spccify the a c to n to b e tak e n w hen ‫ ס‬con ncctio n •nacchea the c o n d ticn a specified in the n i e .

Steps
4 4 4 4 4 H U e Type P r o t o c o l a n d Porta A c io n P rofile W h a t a c b o n o h o J d b « t a k e n w h o n a c o n n e x io n m a t c h 08 th o o p o c / io d c o n c it ic n Q 7

O Alowttv connection
T T w n c l x J e s c o r n c c t io n a th a t a ie p io t e c to d w t h I P a o c 0 9 w e l c s t ‫־‬w 3 e a t e n ot.

O Alow Itic cw iic d iu i If MIs secuie
Nam e

Ths ncbdes only conrections thar. have been a1ihent1:ated by usng IPsec. Connections wil be secued using the settngs in IPsec p‫־‬op5rtes and nJes n the Conrecion Security RuteTode.

'• ) H o c k t h e c o n n e c t i o n

C E H L ab M an u al P ag e 230

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

FIGURE 14.16: Windows Firewall setting an Action

34. 111 die Profile section, select all three options. The rule will apply to: Domain, Public. Private and then click N ext
Q NAT/firewall issu es: You need to en ab le an incom ing port. For HTThost it will typically be 80(http) or 443(https), but any port can be u sed - IF the HTTP proxy at work supports it ‫־‬ so m e proxys are configured to allow only 80 and 443.
New Outbound Rule Wizard
P ro file
Specify the prof les for which this rule applies

*

Skin * Ru*Typ# 4 3rctocol anc Ports
# *cbor 171 D a m a n Vpfces * I en a computer is connected to Is corporate doman.
0 P r iv a te

When does # ‫ מו‬rule apply’

3rcfile

3ppies wt en a computer is connected to a pivate oetwak bcabcn. such as a home 3rwor<pi ce B Public
V p * ‫״‬c3 c n a ccm putcr io c c o n c c tc d to a p j b lc nctw oiK k co o o n

c Eacx

Next >

Cancel

FIGURE 14.17: Windows Firewall Profile settings

ZZy Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

35. Type Port 21 Blocked in die Nam e field, and click Finish
New Outbound Rule Wizard
Nam e
Specify the name and desorption of this l i e .

N one

| ?or.

2' BbdceJ

Desaiption (optional):

£ 3 T he default TCP port for FTP connection is port 21. Sometimes the local Internet Service Provider blocks this p ort and this will result in FTP C®W<EAfl*1MaW&al P ag e 231

<Back

Finish

C ancel

E th ica l H a c k in g an d C o u n term easu res Copyright C by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

FIGURE 14.18: Windows Firewall assigning a name to Port

36. The new rule Port 21 Blocked is created as shown in die following figure.
Windows Firewall with Advanced Security
F ie A c tio n V iew H dp

1- 1 “1 * :
A» tio r o

W in d o w s Firew all w ith Adv; C C nfcound Rules O u tb o u n d Rules C o n n e c b o n Security Rul t M o n ito rin g Na [O ^Port 21 Blockcd © B r a n c h C a c h e C on ten t R c t r c v t l ( H T T P -0 .. © B r a n c h ( * ! h e H o tte d C a c h e C lie n t ( H IT . B ran ch C ach e • C o n te n t Retr.. B i. n c h ( m h r • H o tte d C a c h Al

Outbound Rules
N e w Rule...

:1
Al A l Al Al A l D o m a in D o m a in D o m ain A l Al A l Al Al Al Al Al Al A l A l Al Al

V

Filter by Profit• F liter by State Filter by G io u p V iew

© B ta n ch C a c h e H osted C ach e $erv* 1(HTTP... B ran ch C ach e • H o tte d C a c h

V
V

H T T Port doesn't really care for the proxy as such: it works perfectly with firewalls, transparent accelerators, N ATs and basically anything that lets the H T T P protocol through.
^

© B r a n c h C a c h e Peer Oise every //SD C u t) © C o r e N e tw o rk in g ‫ ־‬O N S (U O P-O u tJ © C o i e N e tw o r k in g - D y n am ic H o d C o n fig .. © C o r e N e tw o rk in g - D y n a m ic H o s t Config... © C o r e N e tw o rk in g - G ro u p Pcfccy CLSAS S -@ P C o re N e tw o rk in g - G ro up P c E c y (fJP -O u t) © C o r e N e tw o rk in g - G ro up P o ic y (T C P -O -. © C o r e N e tw o rk in g - internet G ro up M ana... © C o r e N e tw o r k in g - lP H T T P 5 (T C P -O u tJ © C o t e N e tw o rk in g - Pv 6 (Pw 6 -0 ut) © C o r e N e tw o rk in g © C o r e N e tw o rk in g V u h cast Listener Do‫״‬ M u h <yt* liste n e r O j ‫ ״‬.

B ran ch C ach e • Peer D isco ve .. C o re N e tw orkin g C o re N e tw orkin g C o re N e tw orkin g C o re N e tw orkin g C ore N etw orking C o re N e tw orkin g C o re N e tw orkin g C o te N e tw orkin g C o te N e tw orkin g C o re N e tw orkin g C o re N e tw orkin g C o re N e tw orkin g C o r • N e tw orkin g

Q [a » Li

Refresh Export List... H elp

Port 21 Blocked
* D isable Rule

4
X
(£ | U

cut
‫♦ז »ו » ם‬ P ro p e itie * H elp

G fe C o p y

© C o i e K iel w o rt m g • M u l 1 < «U Ik te n e t Rep. © C o r « N e tw o rk in g • V u h cast -K ten er Rep. © C o r e N e tw o rk in g

rfcig nfccf D isco ve ry A... C o re N e tw orkin g C o re N e tw orkin g

© C o r . 1N e tw o rk m g • N e ig h b o r D iscovery 5 ,

©Coie Networking - F«.h&Tv. Big K M P .. CortNttwQiking
© C o r e N e tw o rk in g - Param eter P ro b le m (I.. C o re N e tw orkin g © C o r e N e tw o rk in g ‫ ־‬R ou te r A d .e rtc e m e n t... C o re N e tw orkin g © C o r e N e tw o rk in g - R ou te r S oK ck ation (1C... C o re N e tw orkin g

FIGURE 14.19: Windows Firewall New rule

37. Right-click die newly created rule and select Properties
*
File A c t io n V iew H dp

Windows Firewall with Advanced Security

* ‫►י‬

^

q

!
I Actions
Nam e O .P 0 rt 2 1 B lo c k c d ^ B r a n c h C a c h e C on ten t Retrieval (H T T P -O ‫ ״‬. Bra nc hCac he ‫ ־‬C o r © B r a n c h C a c h e H osted C a ch e C ie m (H T T ‫ ״‬. © B r a n c h C a c h e H osted C a ch e S aver(H T T P _ © B r a n c h C a c h e P ee t D is c c v a y (WSO‫־‬OulJ Bran ch C ach e - Hos Bran ch C ach e ‫ ־‬H o: Bran ch C ach e - Pee Core N e tw o rk in g L o re N e tw orkin g Core N e tw o rk in g Core N e tw o rk in g Core N e tw orkin g Core N e tw orkin g Core N e tw o rk in g Core N e tw orkin g Core N e tw orkin g Core N e tw orkin g Core N e tw orkin g Hdp Dom *n Do»n*n D o m ain Al Al Al Al Al Al Al Al Al Al Al Al Al Vet Ves Ye* Vet Yes Yes Yes Yes Yes Yes Yes Yes Yb Yes YCS Yes 0 H elp ^ Q Cut Copy Delete Properties V F ilter b y Profile Filter b y State F liter b y G ro up V iew Refresh Export List... H elp ► ► ► ► G ro up * P ro fie D isable Rule Enal

g f W in d o w s Firew all w ith Adv; C l in b o u n d Rules O X / O u tb o u n d Rulea Co n n e c tio n S e c u rity Rul M o n ito rin g

Outbound Rules
N e w Rule...

-

V
V

H T T Port then intercepts that connection and runs it through a tunnel through the proxy.

S

© C o i e N etw ork ing - D f 5 (U 0 P - 0 u t ) © C o r e N etw ork ing D >n anvc H c it C c n f ig .. Most C onfig...

© C o r e N e tw o r b n g • D >nrn»

© C o r e N e tw o r b n g • G roup P olicy (ISA SS-... © C o r e N etw ork ing © C o r e N etw ork ing G roup P olic y (NP-O ut) G roup P olic y ( TCP0 ‫־‬-

© C o r e N e tw o r b n g • Intern*! G iou p M ana.. © C o r e N etw ork ing IPHTTPSfTCP-Out)

Port 21 Blocked
♦ D isable Rule c ‫״‬t

© C o r e N e tw o r b n g - IPv6 (1P»‫׳‬$‫<־‬XjtJ © C o r e N e tw o r b n g - M ufticest Listener Do... © C o r e N e tw o r b n g - M J c c a s t Listener Qu...

4
X

•41 C o p y Delete Properties

© C o r e N e r w c r b n g - M J b c s s t Listener Rep... Core N e tw orkin g © C o r e N e tw o r b n g - M u lb ce si Listener Rep... Core N e tw orkin g © C o r e N e tw o r b n g - N eig h b o r D iscovery A ‫״‬. © C o r e N e tw o r b n g N eig h b o r D iscovery S... Core N e tw orkin g Core N e tw orkin g Core N e tw orkin g Core N e tw o rk in g Core N e tw orkin g Core N e tw o rk in g r . . . *■ ------- 11—

l© C c r e N e tw o r b n g ■ P acket T oo Big (ICMP... © C o r e N e tw o r b n g • P aiam eter P rob lem (1-‫״‬ © C o r e N e tw o r b n g R euter A d v c n sc m c n t...

© C o r e N e tw o r b n g * R cu le t Solicitation (IC~

1 th e p rop erties d ia lo g box for th e current s e le a jo n

FIGURE 14.20: Windows Firewall new rule properties

£ 7 Enables you to bypass your H T T P proxy in case it blocks you from the Internet

38. Select die Protocols and Ports tab. Change die R em ote Port option to Specific Ports and enter die Port number as 21 39. Leave die other settings as dieir defaults and click Apply dien click OK.
E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

C E H L ab M an u al P ag e 232

Module 03 - Scanning Networks

Port 21 Blocked Properties
jerteral_________Pngams and Services
Protocolt and F o re FVwocob and po*s Prctocdtype: P rcto cd ru n b e r | Sco pe | Ad vance c

* ‫ד‬
Remote Conpjtefs
j Local P rin cp ab

Loco port

All Potto

Exam pb. 80. 443.5003-5010 Remote p3rt: S pecifc Pats

[21
Example. 80. 443.5003-5010 hten‫־‬e t Gortnd M essage Protocol ( C M P ) « tin g * :

I Custonizo.

i— ‘ W ith H TTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, IC Q , News, FTP, IRC etc. The basic idea is that you set up your Internet software

FIGURE 14.21: Firewall Port 21 Blocked Properties

40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked in W indows Server 2008 by firewall

£ 3 H T T P ort does neither freeze n or hang. W hat you are experiencing is known as ‫״‬blocking operations”

FIGURE 14.22: ftp connection is blocked

41. N ow open die command prompt 011 die W indows Server 2012 host machine and type ftp 127.0.0.1 and press Enter

7 ^ H T TPort makes it possible to open a client side o f a T C P /IP connection and provide it to any software. The keywords here are: "client" and "any software".

C E H L ab M an u al P ag e 233

E th ica l H a c k in g an d C o u n term easu res Copyright © by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

FIGURE 14.23: Executing ftp command

Lab Analysis
Document all die IP addresses, open ports and running applications, and protocols you discovered during die lab.
Tool/Utility Information Collected/Objectives Achieved

Proxy server U sed: 10.0.0.4 H T T P o rt P o rt scan n ed : 80 R esult: ftp 127.0.0.1 connected to 127.0.0.1

P L E A S E TALK T O YO U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S L AB.

Questions
1. How do you set up an HTTPort to use an email client (Oudook, Messenger, etc.)? 2. Examine if software does not allow editing die address to connect to.
Internet Connection Required

0 Y es P latform S u p p o rted 0 C lassroom

□ No

□ iLabs

C E H L ab M an u al P ag e 234

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Basic Network Troubleshooting Using MegaPing
MegaPing is an ultimate toolkit thatprovides complete essential utilitiesfor information system administrator and IT solutionproviders.
icon key
/ / Valuable information Test your knowledge Web exercise m W orkbook review

Lab Scenario
You have learned in the previous lab that H TTP tunneling is a technique where communications within network protocols are captured using the H TTP protocol. For any companies to exist 011 the Internet, they require a web server. These web servers prove to be a high data value target for attackers. Tlie attacker usually exploits die WWW server running IIS and gains command line access to the system. O nce a connection has been established, the attacker uploads a precompiled version o f the H TTP tunnel server (lits). W ith the lits server set up the attacker then starts a client 011 his 01‫ ־‬her system and directs its traffic to the SRC port o f the system running the lits server. This lits process listens 011 port 80 o f the host WW W and redirects traffic. Tlie lits process captures the traffic in H TTP headers and forwards it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network. MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves inform ation in security reports. 111 diis lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.

s

Lab Objectives
This lab gives an insight into pinging to a destination address list. It teaches how to: ■ ■ ■
C E H L ab M an u al P ag e 235

Ping a destination address list Traceroute Perform NetBIOS scanning
E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Lab Environment
To cany out die lab, you need: ■ MegaPing is located at D:\CEH-Tools\CEHv8 M odule 03 S can nin g
C D Tools

N etw ork s\S can n in g T ools\M egaPing

dem onstrated in this lab are available in D:\CEH• Tools\CEHv8 Module 03 Scanning Netw orks

■ You can also download the latest version o f M egaping from the link http: / / www.magnetosoft.com/ ■ I f you decide to download the la te s t version , then screenshots shown in the lab might differ ■ Administrative privileges to run tools
■ TCP/IP settings correcdy configured and an accessible DNS server

P IN G stands for Packet Internet Groper.

■ This lab will work in the C EH lab environment, on W indow s S erver 2 0 1 2 , W indow s 2 0 0 8 , and W indow s 7

Lab Duration
Time: 10 Minutes

Overview of Ping
Tlie ping command sends Internet Control M essa g e Protocol (ICMP) echo request packets to die target host and waits for an ICMP respon se. During diis requestresponse process, ping measures die time from transmission to reception, known as die round-trip tim e, and records any loss packets.

Lab Tasks
T A S K 1

1.

IP Scanning

Launch the Start menu by hovering die mouse cursor on the lower-left corner o f the desktop.

FIGURE 13.1: Windows Server 2012 - Desktop view

2. Click die MegaPing app to open die MegaPing window.

C E H L ab M an u al P ag e 236

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

FIGURE 15.2: Windows Server 2012 - Apps

g u 1^ ^ ^ 3. TQi^Meg a P in g ma!1^ n n d o w ^ ^ h o ^ M 1^ h ^ b l l o \ n n ^ 1‫־‬
55
F ile V ie w T o o ls H dp

MegaPing (Unregistered)

-

□ '

x

‫ד‬

* Q

DN S Lookup N am e Fng cr N e t w o r k T im e

‫&י־‬

D N S L id rto s fe

1S

g g P in g

CQ All Scanners can scan individual computers, any range o f IP addresses, domains, and selected type o f com puters inside domains

gg

T r a c e ro u te

W ho 1 1
^ N e t w o r k R # to u fc # t

< < •> P r o c e s s I n fo S y s ta m In fo £ $ IP S c a n n e r N e tB I O S S c a n n e r

•'4? S h a re S c a n n e r ^ S e c u r it y S c a n n e r

- J ? P o rt S ca n n e r J i t H o s t M o n it o r

*S L b t H o > ts

Figure 15.3: MegaPing main windows

4. Select any one o f die o p tio n s from the left pane o f the window.
Security scanner provides the following information: NetB IO S names, Configuration info, open TC P and U D P ports, Transports, Shares, Users, G roups, Services, Drivers, Local D hves, Sessions, Remote Time o f Date, Printers

5. Select IP sca n n er, and type in the IP range in die From and To field; in this lab the IP range is from 10.0.0.1 to 1 0 .0 .0 .2 5 4 . Click Start 6. You can select the IP range depending on your network.

C E H L ab M an u al P ag e 237

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

fs r
F ile V « ‫ *׳‬/ Took H e lp

MegaPing (Unregistered)

‫ ־‬°r

ft ft
<. ‫׳‬3 _
§

^
r
r « a

* %v
^ —
P -1 'S W W

^

a* 3

DNS L s t H o sts

* t DNS Lookup N am e F in g e r N e tw o r k T im e 8 a8 P in g ir a c c r o u t c W hoK N e tw o r k R e s o u rc e s <§> P ro c e s s In fo ^ S y s te m Info I ► S c a m • ‫׳׳‬ “ I | 10 0 0 1 10 0 0 254 | 1 S M 1

t

I3 Scanner
S elect

IP S ca n n e r S s t n g j

■*iiaui.111
■ £ N e tB I O S S ca n n e r Y * S h a re S c a n n e r j& ^ ^ S e c u r ity S c a n n e r P o rt S ca n n e r H o s t M o n it o r

F IG U R E 15.4: MegaPing IP Scanning

It will list down all the IP a d d r e s s e s under that range with their TTL (Time to Live), S ta tu s (dead or alive), and die s t a t is t ic s o f the dead and alive hosts.
MegaPing (Unregistered)
P ie V ie w T o o ls H e lp

CD N etw o rk utilities: D N S list host, D N S lookup name, N etw ork Time Synchroni2er, Ping, Traceroute, Wliois, and Finger.

1 1
i , Q a

g
d

ft

A< >
I P 5 i« n n w

r j ‫ כ‬L .st 1 l o s t i

,p , D N S L o o k u p N a m e F in g e r N e t w o r k T im e X

IP S a n n a r

$

IP S ca n n e r S a tn g e

t l P in g T r a c e rc u t e H V hols 1 “ 5 N e t w o r k R e so u rc e s % ^ ro c e s s Info S y s t e m Info

Setect|R a rg e F S ca re 10 . 0 0 . 1 10 0 0 251 I Start

Status:
* ddrest

Z o ro e te c 25^ adcresees in 15 8ccs
Nam e True 0 1 0 0 TTL &4 128 128 128 S ta tj* A fiv e Abve A S ve Afcve O a t.. D e s t.. D e s t ._ D est — D e « t._ D est — Dest Report

Show MAC

. = 1 10.0.0.1 N e tB I O S S c a n n e r y * Share Scanner $ S e c u r ity S c o n n e r g g £ g JQ g 1 a 0 .0 4 10.0.0.6 1 a o .o .7 1 a 0 .0 .1 0 10.0.0.100 1010.0.101 1 a0 .0 .1 0 2 £ g g 10.0.0.105 10.0.0.104 10.0.0.105

A ddresses
Hosts Stats
T o ld . A ctiv e 254 4

l . J j ? P o rt Scanner J S i H o s t M o n it o r

Paled : 2 5 0

FIG U RE 15.5: MegaPing IP Scanning Report
S T A S K 2

NetBIOS Scanning

8. Select the NetBIOS S ca n n er from the left pane and type in the IP range in the From and To fields. 111 this lab, the IP ran ge is from 10.0.0.1 to 1 0 .0 .0 .2 5 4 Click Start

C E H L ab M an u al P ag e 238

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

W
F ile rP- A J* | D N S L is t H o s t s V ie w T o o ls H dp

f/egaPing (Unregistered)

T IP I

, 5 ,D N S L o o k u p N a m e

N c G C S S so n rc r

‫ ס‬MegaPing can sca n your entire network and provide information such a s open shared reso u rces, open ports, services/drivers a ctiv e on the com puter, key registry entries, u sers and groups, trusted dom ains, printers, and more.

g

F in g e r

3
tS

Network Time
P1n9 T r a c e ro u t e

&

W h o ls N e tw o r k R e s o u r c e

<$> P r o c e s s Info 4 ^ S y s te m I n fo IP S c a n n c r

i!\
S h a re S c a n n e r ^ ^ S e c u r ity S c a n n e r P o rt S ca n n e r H o s t M o n it o r

N etB IO S S c a nn er

FIG U RE 15.6: MegaPing N etB IO S Scanning

9. The NetBIOS scan will list all the hosts with their NetBIOS n am es and
ad ap ter a d d r e s s e s
MegaPing (Unregistered)
M e V tfA T o r i? H e lp

JL JL 4S & * “ 8 8a &

&r S can results can be saved in HTML or TXT reports, which can be u sed to se c u r e your network ■ ‫ ־‬for exam ple, by shutting down u n n ecessa ry ports, closin g sh ares, etc.

J J , D N S L is t H o s t s •j! L DNS Lookup N am Q F in g e r ^

$

K«BIT$ Sc^rrer

N e t w o r k T im e 3 1 !

Net 9 0 $ S c a n r e r

Men BIO S S c a r r r a

t i p,n9
g*3 T r a c e ro u t e W h o le ^ O N e t w o r k R e s o u rc e s P r o c e s s Info % ‫ ״ ״‬J ^ S y s t e m In fo IP S c a n n e r ^ 1 0 0 .0 .4 » 2 ) N e tB I O S N a m e s Wgf A d o p t e r A d d r e s s A D o m a in |R e rg 5 N stE JO S S can n er aJatLS‫־‬ Z o r o e e c Q u e m g Net B O S Nam es on Nam e STctus ‫ י‬E x p a rd

] | 10 . 0 . 0 . 1 |

10

0

.

0

.2 5 4

Stop

1Names
W IN -U L Y 8 3 3 K H Q .. A I v « 3 0 0 1 5 -5 D 0 0 -0 7 . . W ORKGROUP A D M IN • P C 6 A J iv c T o ld . A c tvc M < ro s o ft ‫״‬ =a!od 131 3 123 M ic r o s o f t ‫״‬ Stats Exp and Summary

m g g n n 1 $
:S h a re S c a n n e r ?

1

S e c u r it y S c a n n e r /‫״‬y P o rt S ca n n e r

iac.0.6
fr] N e tB IO S N o m e : W B A d a p te r A d d re ss

H o s t M o n it o r 2 1

00-15-50-00-07‫־‬..
W ORKGROUP W I N - D 3 9 M R S H L .. 3 D 4 - B E - D 9 - C 3 - C E ..

4^
»

D o m a in

1 0 0 .0 .7 j | ] N e tB I O S N a m e s X f A d a p te r A d d re ss

A lv #

Report

N e tB IO S S c a n n e r

FIG U R E 15.7: MegaPing NetB IO S Scanning Report

10. Right-click the IP address. 111 this lab, the selected IP is 10.0.0.4; it will be different in your network. 5
TA sK 3

11. Then, right-click and select the T racerou te option.

Traceroute

C E H L ab M an u al P ag e 239

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

v
F ile V ie w T o o ls Hdp
^ D N S L is t H o s t s

MegaPing (Unregistered)

I I M

‫ ם‬O ther features include m ultithreaded design that allows to process any num ber o f requests in any tool at the same time, realtime network connections status and protocols statistics, real-time process inform ation and usage, real-time network information, including netw ork connections, and open network files, system tray support, and m ore

NctBICS S c a rr e ‫־‬

;j, DNS Lookup Nam e g 3 F in g e r N e t w o r k T im e

$

M * 3 0 S Scarner So eci:
Range N e tE lO S S e i n e r v |

NetBIOS Scanner S9<tngs Rom:
10 0 0 0 254 Stdft

t®* P in 9 A T r a c e ro u t e W h o ls N e t w o r k R e s o u rc e s P r o c e s s In fo ^ • ‫^־‬ S y s te m In fo IP S c a n n e r

Satus

Oroteted ?M addresses m M secs

_____
B
*

Names Nome E x p o rt T o File M e r g e H o s ts Hoete Slate O p e n S h a re V ie w H o t f ix D e t a b Total: 254 3 0 ( jj

‫׳‬J ^ N e tB I O S S c a n n e r S h a re S ca n n e r S e c u r it y S c a n n e r ^ P o rt S ca n n e r

0 B
D

D cpand * b‫ ?׳‬Summary

N e tB I O S f■ A d a p e e rA

A j j

C c m a in

10.0.0.5 N e tB IO S A p p l y H o t F ix es C o p y s e le c t e d it e m C o p y s e le c t e d r o w C o p y a ll re s u lt; S ave A s T r a c e ro u te

g l H o s t M o n it o r

i- J |

A ctve

3

S ? A d o p te r A ^ B A £ C o m a in

F ailed251 ‫־‬

10.0.0.7 N e tB IG S ‫ף‬ ■3 A d o p t e r A

T r a c c r o u t c s t h e s e le c t io n

FIG U RE 15.8: MegaPing Traceroute

12. It will open the T racerou te window, and will trace die IP address selected.
MegaPing (Unregistered)
F ie V ie w T o o ls H e lp

S. JL 4$ 151 *« 8 8
J j , D N S L is t H o > b J!L D N S L o o k u p N a m e Trace r 0 «*

& T ools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks

| J F in g e r i l l N e t w o r k T im e

** Destrebon:
1 0 0 0 .4 Z te s tr a w n \Jd rc s 5 J s t

aa

Trace ro ute S e tth o t

^ -O

W h o ls N e t w o r k R e s o u rc e s

R e so lv e I4an‫־‬s

* ■ { ?> P r o c e s s Info S y s t e m Info ■^ IP S c a n n e r N e tB I O S S c a n n e r *jp S h a re S c a n n e i S e c u r it y S c a n n e r ‫>׳‬ y P o rt S ca n n e r D d c tc

□ Select Al
Add

j t A H o » t M o n it o r hoo Tim e N am e D s ta fc

9> 91 ‫י‬
1 ‫־‬ m £ 1 0

W I N - U L Y 8 S 8 K H C J I P [ 1 _ C o m p le t e . 10.0.0.4 A D M I N P C [ 1 0 .0 .0 .6 ] 1 ‫ו‬ 10.0.0.6 0 & '2 3 / 1 2 1 0 t 4 4 t f C o m p le t e . 0 8 / 2 3 /1 2 1 Q 4 S J 1

A'
* 4

Report

|

FIG U R E 15.9: MegaPing Traceroute Report

S

TA sK

4

Port Scanning

13. Select Port Scanner from die left pane and add w w w .ce rtifie d h a ck er .co m 111 the D estin ation A d d ress List and then click the S tart button. 14. After clicking the Start button it toggles to Stop 15. It will lists the ports associated with www.certifiedl1 acker.com with die keyword, risk, and port number.

C E H L ab M an u al P ag e 240

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

MegaPing (Unregistered)
File View Tools Help

‫ך‬

- ‫ז ״ י‬

v

‫ן‬

A

A

£ GJ 8s 8s <5
Finger

J 'b

&

r H

I

J

&

G O

- j j , DNS List Hosts ,5 , DNS Lookup N am e 5 4 Netw ork T im e

J ‫!׳‬
^ AotScamcr
mm < ‫ »־‬V **tv 3 0 ‫ ׳‬fl‫׳<»־׳‬n D eslnrtor A i ^ n t Ua> jftjf F01 S c * 1 r* ‫׳‬ Pnxowte Scan Type TCP an: UCP A /!h » » S P a b

MegaPing security scanner checks your network for potential vulnerabilities that might use to attack your network, and saves inform ation in security reports

f t Ping g g T rac ero u te

^Whois
N etw o ik R esources -^ ^ P ick m Info System Info IP Sc«nn«< Share Seanner j P S * u n t y Scanner j j j ’ NetBIOS Sc *nn*i

-11

S100

□ S*t*dA l w»!* |
2 o r* = S 3 C e 2 fc TCP TCP ftp w w w -http tcp m u x com press.. Type Keyword O s8cr»on S c ann in g— (51 %) 99 Sccon ds R em ain ‫ ח‬g File T ransfer [Control] World V.'ide W eb HTTP TCP Port Servkc M ultL. M a nagem ent Utility E k satcd Elevated E le .x e d L<*m Law Low Low Law R *

j/
J 4 H 05‫ ז‬Monitor

,y 1 .J‫*״‬ .y!
.* 5 y * ' •

UDP UOP UOP UOP UOP UOP

com p t e n . Com preiM oo P r o e m rje ech o ditcntd R em ote Job Entry Echo Discard

FIG U RE 15.10: MegaPing P ort Scanning Report

Lab Analysis
Document all die IP addresses, open ports and running applications, and protocols you discovered during die lab.
Tool/Utility Information Collected/Objectives Achieved

IP Scan R ange: 10.0.0.1 —10.0.0.254 P erfo rm ed A ctions: ■ ■ ■ ■ Result: ■ List o f Active H ost ■ NetBios Name ■ Adapter Name IP Scanning NetBIOS Scanning Traceroute Port Scanning

M eg aP in g

C E H L ab M an u al P ag e 241

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

P L E A S E TALK T O YO U R I N S T R U C T O R IF YOU H A V E Q U E S T I O N S R E L A T E D T O T H I S LAB.

Questions
1. How does MegaPing detect security vulnerabilities on die network? 2. Examine the report generation o f MegaPing.

Internet Connection Required

□ Yes
P latform S u p p o rted 0 C lassroom

0 No

0 iLabs

C E H L ab M an u al P ag e 242

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Lab

Detect, Delete and Block Google Cookies Using G-Zapper
G-Zapper is a utility to block Goog/e cookies, dean Goog/e cookies, and help yon stay anonymous nhile searching online.
ICON KEY

Lab Scenario
You have learned in die previous lab diat MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves inform ation in security reports. It provides detailed inform ation about all computers and network appliances. It scans your entire network and provides inform ation such as open shared resources, open ports, services/drivers active 011 the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTM L 01‫ ־‬TXT reports, which can be used to secure your network. As an administrator, you can organize safety measures by shutting down unnecessary ports, closing shares, etc. to block attackers from intruding the network. As another aspect o f prevention you can use G -Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.

Valuable information Test your knowledge m. Web exercise o W orkbook review

Lab Objectives
This lab explain how G -Zapper automatically d e t e c t s and c le a n s the Google cookie each time you use your web browser.

Lab Environment
To carry out the lab, vou need:

C E H L ab M an u al P ag e 243

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

G -Zapper is located at D:\CEH-Tools\CEHv8 M odule 03 Scan nin g
S ’ Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 03 Scanning Netw orks N etw orks\A nonym izers\G -Z apper

You can also download die latest version o f G‫־‬Z apper from the link littp://w w w . dumm ysoftware.com / I f you decide to download the la te s t version , then screenshots shown in the lab might differ Install G-Zapper 111 Windows Server 2012 by following wizard driven installation steps Administrative privileges to run tools A com puter running W indow s S erver 2 0 1 2

Lab Duration
Time: 10 Minutes

Overview of G-Zapper
G-Zapper helps protect your identity and search history. G-Zapper will read die G oogle cook ie installed on your PC, display die date it was installed, determine how long your se a r c h e s have been tracked, and display your Google searches. GZapper allows you to automatically d e lete or entirely block die Google search cookie from future installation.

Lab Tasks
S
t a

s

k

1

1.

Launch the Start menu by hovering die mouse cursor on the lower-left com er o f the desktop.____________________________________

D etect & D elete G oogle C ookies

!3 Windows Serve! 2012
* ttcua Stfwr JOtJ Release Cmadtte Oatacert* ftabslanuwy. 1uMM>:

FIGURE 16.1: Windows Server 2012 - Desktop view

2. Click die G-Zapper app to open die G‫־‬Zapper window.

C E H L ab M an u al P ag e 244

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Start
Server Manager W ruiows PowerShel 6009* Chrome H-jpw-V Manager A ncrym .. Surfog Tutonal G-Zapper

Administrator £

f L m
Computer

V
Control Pwl

#
ItyperV Virtual M « tw w

1 1
SOL S e n a

m G-Zapper xs compatible with Windows 95,98, ME, NT, 2000, XP, Vista, Windows 7.

w
Command Prompt ‫י‬

Q
M v <1 l.retox

n

$
Ns’ tSca'iT... Pro D em o

5 1
Standard 11

M aw

T *

FIGURE 162: Windows Server 2012 - Apps

3. The G-Zapper main window will appear as shown in die following screenshot.
G-Zapper ‫ ־‬TRIAL VERSION
What is G-Zapper G-Zapper - Protecting you Search Privacy Did you know • Google stores a unique identifier in a cookie on your PC, vrfich alows them to track the keywords you search for. G-Zapper w i automatically detect and clean this cookie in your web browser. Just run G-Zapper, mrwnee the wndow, and en!oy your enhanced search privacy

2 ' I A G oogle Tracking ID o a s ts on your PC.

LJ G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches

Your Google ID (Chrome) 6b4b4d9fe5c60cc1 Google nstaled the cookie on Wednesday. September 05.2012 01 54 46 AM Your searches have been tracked for 13 hours
«>| No Google searches found n Internet Explorer or Frefox

How to Use It

«

To delete the Google cookie, dck the Delete Cookie button Your identity w i be obscured from previous searches and G-Zapper w i regiiariy dean future cookies. T0 restore the Google search cookie dick the Restore Cookie button

htto //www dummvsoftware. com

Delete Cookie

R estore Cookie

T e st G oogle

S ettings

Register

FIGURE 16.3: G-Zapper main windows

4. To delete the Google search cookies, click the D e le te C ookie button; a window will appear that gives information about the deleted cookie location. Click OK

C E H L ab M an u al P ag e 245

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

‫י‬
What is G-Zapper

G-Zapper - TRIAL VERSION

■ ]jlF x

‫י‬

G-Zapper ‫ ־‬Protectng your Search Privacy

■#

Did you know ■Google stores a unique identifier n a cookie on you PC, v*»ch alows them 10 track the keywords you search for G-Zapper w i automatically defect and dean this cookie in your web browser.
- J 1 1 s L ( 1 j n - f i- 7 a n n f t t th e , w n d n w * i n i f t n in u .u n u i ^ n h a o c a d n c i Y ^ u _________ _________

G‫־‬Zapper

C] A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches.
Howt

©

The Google search cookie was removed and w ill be re-created with a new ID upon visiting www.google.com The cookie was located a t (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite

OK T0 block and delete the Google search cookie, click the Block Cookie button (Gmail and Adsense w i be unavaJable with the cookie blocked) http //www. dummvsoftware com

Delete Cookie

Block Cookie

T e s t G oogle

S ettings

Register

FIGURE 16.4: Deleting search cookies

5. To block the Google search cookie, click die B lock c o o k ie button. A window will appear asking if you want to manually block the Google cookie. Click Y es
G‫־‬Zapper - TRIAL VERSION
What is G-Zapper G-Zapper - Protectng you Search Privacy

' - m

‫ ס‬The tiny tray icon runs in th e background, ta k es up very little s p a c e and can notify you by sound & anim ate w hen th e G oogle co o k ie is blocked.
How

_ _ p

Did you know - Google stores a unique identifier in a cookie on your PC. which alows them to track the keywords you search for. G-Zapper will automatically detect and dean this cookie in you web browser. .LMiijnfi-Zanrret mrnnnre the, wnrinw and pjiinu .unu..ftnhanrari sftatnh nrtwra______ _____

Manually Blocking the Google Cookie

Gm ail and other Google services w ill be unavailable while the cookie is manually blocked. If you use these services, we recom mend not blocking the cookie and instead allow G-Zapper to regularly clean the cookie automatically. Are you sure you wish to m anually block the Google cookie?

Yes

No

T0 block and delete the Google search cookie, click the Block Cookie bUton (Gmail and Adsense w l be unavaiaWe with the cookie blocked) http //www dummvsoftware, com

Delete Cookie

Block Cookie

T e st G oogle

S ettings

R egister

FIGURE 16.5: Block Google cookie

6. It will show a message diat the Google cookie has been blocked. To verify, click OK
C E H L ab M an u al P ag e 246 E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

G‫־‬Zapper - TRIAL VERSION
What is G-Zapper G-Zappef - Protecbng your Search Privacy
1 ^ 0

Did you know ■Google stores a unique identtfier in a cookie on your PC. which alows them to track the keywords you search for GZapper will automatically detect and dean this cookie n you web browser. Just run GZapper, mmmize the wrxlow. and enjoy your enhanced search privacy

G‫־‬Zapper

The Google cookie has been blocked. You may now search anonym ously on google.com . Click the Test Google button to verify.

How t

O K
Your identity will be obscured from previous searches and G-Zapper w i regularly clean future cookies T0 restore the Google search cookie clck the Restore Cookie button

& ‫ ־‬G-Zapper can a lso clea n your G oogle search history in Internet Explorer and Mozilla Firefox. It's far too e a sy for so m eo n e using your PC to g e t a glim pse of w hat you've been searching for.

http //www dummvsoftware com

Delete Cookie

Restore Cookie

T e st G oogle

Settings

Regtster

FIGURE 16.6: Block Google cookie (2)

7. To test the Google cookie that has been blocked, click the T e s t G oogle button. 8. Yoiu default web browser will now open to Google’s Preferences page. Click OK.
AAgoog... P - 2 (5 [ 0 ?references
♦You Search Images Maps Play YouTube News Gmal More ‫־‬

‫יו‬
Sign in

1

Google

Preferences

Goflflls Account 5£tt303 Piefeiences Help I About Google
S a v e P re fe re n c e s

S a v e y o u r p r e f e r v n c v » w h e n f in i s h e d a n d ! * t u r n t o i w r c h

Global Preferences (changoc apply to al Googio sorvtcos)

Y o u r c o o k ie s s e e m t o b e d is a b le d .

Setting preferences will not work until you enable cookies in your browser.

Interface Language

Display Googio Tips and messages in: Engiisn tt you do not find your native language in the pulldown above you can help Google create it through our Google in Your I anfliiage program

Search I anguage

Piefei pages mitten in these language(*) □ Afrikaans b£ English U Indonesian LI Serbian □ Arabic L. Esperanto U Italian □ Slovak D Armenian I~ Estonian FI Japanese 0 Slovenian □ Belarusian C Flipino □ Koiean G Spanish U Bulgarian L Finnish U Latvian LI Swahi

FIGURE 16.7: Cookies disabled massage

9. To view the deleted cookie information, click die S ettin g button, and click V iew Log in the cleaned cookies log .

C E H L ab M an u al P ag e 247

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

G‫־‬Zapper - TRIAL VERSION
What is G-Zapper

‫׳‬- m

G‫־‬Zapper Settings
Sounds f* Ray sound effect when a cookie is deleted default wav
Preview Browse

Google Analytics Trackng

Q You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy

W Block Google Analytics fiom tiackng web sites that I visit.

Deaned Cookies Log

W Enable logging of cookies that have recently been cleaned.
I” Save my Google ID in the deaned cookies log.

Clear Log

View Log

OK

Delete Cookie

Restore Cookie

Test Google

Settings

Register

FIGURE 16.8: Viewing the deleted logs

10. The deleted cookies information opens in Notepad.
cookiescleaned - Notepad
File Edit Format View Help

t

‫ ־־[ ם‬x

S ' T ools dem onstrated in this lab are available in D:\CEHTools\CEHv 8 Module 03 Scanning Netw orks

(Firefox) C :\Users\Administrator\Application Data\Mozilla\Firefox \Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM (Chrome) C :\Users\Administrator\AppData\Local\Google\Chrome\User Data \Default\Cookies Friday, August 31, 2012 11:04:20 AM (Firefox) C :\Users\Administrator\Application Data\Mozilla\Firefox \Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 AM (Firefox) C :\Users\Administrator\Application Data\Mozilla\Firefox \Profiles\5vcc40ns.default\cookies.sqlite Wednesday, September 05, 2012 02:52:38 PM|

FIGURE 16.9: Deleted logs Report

Lab A nalysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during die lab.

C E H L ab M an u al P ag e 248

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

T ool/U tility

Inform ation C ollected/O bjectives Achieved Action Performed: ■ Detect die cookies ■ Delete the cookies ■ Block the cookies Result: Deleted cookies are stored in C:\Users\Administrator\Application Data

G‫־‬Zapper

PLEASE

TALK TO

Y O U R I N S T R U C T O R IF YOU R E L A T E D T O T H IS LAB.

HAVE

QUESTIONS

Q uestions
1. Examine how G-Zapper automatically cleans Google cookies. 2. Check to see if G-zappei is blocking cookies on sites other than Google. Internet C onnection R equired

0 Y es
Platform Supported 0 Classroom

□ No

□ iLabs

C E H L ab M an u al P ag e 249

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab

Scanning the Network Using the Colasoft Packet Builder
The Colasoft Packet Builder is a useful toolfor creating custom nehrorkpackets.
ICON KEY

Lab S cenario
111 die previous lab you have learned how you can detect, delete, and block cookies. Attackers exploit die XSS vulnerability, which involves an attacker pushing malicious JavaScript code into a web application. When anodier user visits a page widi diat malicious code in it, die user’s browser will execute die code. The browser lias 110 way of telling the difference between legitimate and malicious code. Injected code is anodier mechanism diat an attacker can use for session liijacking: by default cookies stored by the browser can be read by JavaScript code. The injected code can read a user’s cookies and transmit diose cookies to die attacker.

Valuable inform ation T est vour knowledge Q Q W eb exercise W orkbook review

As an expert ethical h acker and penetration t e s t e r you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields, encoding input and output and filter meta characters in the input and using a web application firewall to block the execution of malicious script. Anodier method of vulnerability checking is to scan a network using the Colasoft Packet Builder. 111 this lab, you will be learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.
^ T T o o ls
dem onstrated in this lab are available in D:\CEHTools\CEHv 8 Module 03 Scanning Netw orks

Lab O bjectives
The objective of diis lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environm ent
111 diis lab, you

need:

■ Colasoft Packet Builder located at D:\CEH-Tools\CEHv8 Module 03
Scanning Networks\Custom P ack et Creator\Colasoft P ack et Builder

■ A computer running W indows Server 2012 as host machine

C E H L ab M an u al P ag e 250

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Window 8 running on virtual machine as target machine

■ You can also download die latest version of A dvanced Colasoft P acket Builder from die link http:/ / www.colasoft.com/download/products/download_packet_builder. php ■ If you decide to download die la test version, dien screenshots shown in die lab might differ. ■ A web browser widi Internet connection nuuiing in host macliine

Lab D uration
Time: 10 Minutes

O verview o f C olasoft P acket B uilder
Colasoft P ack et Builder creates and enables custom network packets. This tool can be used to verify network protection against attacks and intmders. Colasoft Packet Builder features a decoding editor allowing users to edit specific protocol field values much easier.

Users are also able to edit decoding infonnation in two editors: D ecod e Editor and Hex Editor. Users can select any one of die provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.

Lab Tasks
S
ta sk 1

1. Install and launch die Colasoft P ack et Builder. 2. Launch the Start menu by hovering die mouse cursor on the lower-left corner o f the desktop.

Scanning Network

FIGURE 17.1: Windows Server 2012 - Desktop view

Q y < can download “ You Colasoft Packet Builder from http: / /www. colasoft. com.

3. Click the C olasoft P a ck et Builder 1.0 app to open the C olasoft P ack er Builder window

C E H L ab M an u al P ag e 251

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬C oundl All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Start
Sem * Windows PowerSN>ll Googte Chrome S»#Th C otaoft Packpt Bunder t.O

Adm inistrator

ik
com p ut e r

m

*
ManagM

*
v M och n#.

*

control 1'anrt

*J
e

V
Command Prompt

91
SQL J*rv*‫׳‬ Irn-.aljt 0 ‫י־‬ C enter.

9
MfrtjpaC* Studc

te r se

V
.
MeuMa r»efax

3
Nnwp 7«ftmap GUI

CMtoo

$

o
FIGURE 17.2 Windows Server 2012 - Apps

4. Tlie Colasoft Packet Builder main window appears.
Colasoft Packet Builder
F ie # Import Edt ^ Send Help & Insert

155

= 1

‫ך ־ ־‬ !

1 S?’
Add

1
Packet

♦ Checksum [ A s ^ J

Adapter Packets

C o la s o ft
0 Selected 0 1

4 $ Oecode Editor

No.

N o p x k e c elected:

\$

Packet Lilt Delta Time Sourer

Operating system requirements: Windows Server 2003 and 64-bit Edition Windows 2008 and 64-bit Edition Windows 7 and 64-bit Edition

^ >0:0

He«Edfcor

fa ta l

0 byte* |

<L

FIGURE 17.3: Colasoft Packet Builder main screen

5. Before starting of vonr task, check diat die Adapter settings are set to default and dien click OK.
Select Adapter
Adapter:

*

‫ ? י‬-iF.W lT.rtf&TaTi.Fi
D4:BE:D9:C3:CE:2D0 100.0 l*)ps 1500 bytes 10.0.0.7/255.255.255.0 10.0 .0.1 Operational

Physical Address Link Speed Max Frame Size IP Address Default Gateway Adapter Status

OK

Cancel

Help

FIGURE 17.4: Colasoft Packet Builder Adapter settings

C E H L ab M an u al P ag e 252

E th ica l H a c k in g an d C o u n term easu res Copyright < 0 by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

6. To add 01 create die packet, click Add 111 die menu section.
There are two ways to create a packet - Add and Insert. The difference between these is the newly added packet's position in the Packet List. The new packet is listed as the last packet in the list if added but after the current packet if inserted.

File 0 1 Import [ ^

Edit

Send

Help 0 Insert

Export‫־‬ ‫״‬ ‫־‬

Add

Decode Editor

FIGURE 17.5: Colasoft Packet Builder creating die packet

7. When an Add P ack et dialog box pops up, you need to select die template and click OK.
£ 2 Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and*cpf (Capsa 4.0 Packet File) format. You may also import data from ‫ ״‬.cap (Network Associates Sniffer packet files), *.pkt (EtherPeekv7/TokenPeek/ A1roPeekv9/ OmniPeekv9 packet files), *.dmp (TCP DUMP), and *rawpkt (raw packet files).

Add Packet
Select Template:
ARP Packet

‫־‬ nn

Delta Time:

0.1

Second

OK

Cancel

Help

FIGURE 17.6: Cohsoft Packet Builder Add Packet dialog box

8. You can view die added packets list 011 your right-hand side of your window.
Packet List Packets 1 S elected 1

S

TA sK

2

_____ Usl____D elta Tims . Source
1 0.100000 00:00:00:00:00:00

Destination______,

D ecod e Editor
FIGURE 17.7: Colasoft Packet Builder Packet List

9. Colasoft Packet Builder allows you to edit die decoding information in die two editors: D ecod e Editor and Hex Editor.

C E H L ab M an u al P ag e 253

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Decode Editor

P a c k e t: B - © E t h e r n e t Type I I l e s t i n a t i o n A d d re ss: J © S o u rc e A d d re s s : Q B u s t Mode Option: If you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option. j ! ^ P ro to c o l: !••••<#> H ardw are t y p e : ! ‫ץ‬#( P ro to c o l T ype: j...© H ardw are A d d re ss L e n g th : ‫ן‬...© P r o t o c o l A d d re s s L e n g th : ! \ - s j ARP - A d d re s s R e s o lu t io n P r o t o c o l

Num:000001 L e n g th :64 C a p tu re d :• [0 /1 4 ] FF: FF: F F : FF: FF: FF [0 /6 ] [6 /6 ] (ARP) [12.

00: 0 0 : 0 0 :0 0 : 0 0 :0 0
0x0806 [1 4 /2 8 ] 1 0x0800 6 4

( E th e r n e t) [1 6 /2 ] [1 8 /1 ] [1 9 /1 ] (ARP Reque. [2 2 /6 ] [3 2 /6 ]

|— <#1ype:
-^J>S0 u r c e P h y s ic s : j3 ‫ ״‬S o u rc e IP : D e s t i n a t i o n P h y s ic s : D e s t i n a t i o n IP : Number o f B y te s : FCS : L # FCS:

1 00: 0 0 : 0 0 :0 0 : 0 0 :0 0
0 .0 .0 .0 0 .0 .0 .0 [4 2 /1 8 ] 18 b y t e s 0xF577BDD9 [4 2 /1 8 ] [2 8 /4 ] [3 8 /4 ]

00: 0 0 : 0 0 :0 0 : 0 0 :0 0

j

- •© E x t r a D a ta :

,< L
^ Hex Editor

1 1 1

j

...... ; ..... ,.... ‫־‬ ...
Total

‫ >״‬J

FIGURE 17.8: Cohsoft Packet Builder Decode Editor 60 bytes

0000
000E 001C 002A 0038

FF FF FF FF FF FF 00 01 08 00 06 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00

00 01 00 00

00 00 00 00

00 00 00 00

00 00 00 00

00 08 06 00 00 00 00 00 00 00 00 00
.... V

FIGURE 17.9: Colasoft Packet Builder Hex Editor

10. To send all packets at one time, click Send A l l from die menu bar. 11. Check die Burst Mode option in die Send A l l Packets dialog window, and dien click Start .
‫ר‬
.^ O p tio n , Loop Sending: This defines the repeated times of the sending execution, one time in default. Please enter zero if you want to keep sending packets until you pause or stop it manually.

^4
Jown Checksum
1 Packet List No. Delta Tim e Source Send Send All Packets

Colasoft Capsa
Packet Analyzer
1 S elected 1

Destination

1

0.1 0 00 00 0 0 : 0 0 : 0 0 : 0 0 : 0 0 : 0 0
FIGURE 17.10: Colasoft Packet Builder Send All button

F F : F F : F F : F F : F F : F F

C E H L ab M an u al P ag e 254

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

£ 3 Select a packet from the packet listing to activate Send All button

FIGURE 17.11: Colasoft Packet Builder Send AHPackets

12.

Click Start

Send All Packets
Options Adapter: Realtek PCIe G8E Famrfy Controller Select...

□ Burst Mode (no delay between packets) □ Loop Sendng: Delay Between Loops:

1

A 1000 A 1000 -

loops (zero for infinite loop) milliseconds

Sending Information

£ 0 T h e progress bar presents an overview of the sending process you are engaged in at the moment.

Total Packets: Packets Sent: Progress:

1 1

Start

Stop

Close

Help

FIGURE 17.12 Colasoft Packet Builder Send AHPackets

13.

To

export die packets File‫^־‬Export‫^־‬All Packets.

sent

from

die

File

menu,

select

C E H L ab M an u al P ag e 255

E th ica l H a c k in g an d C o u n term easu res Copyright < 0 by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

‫ י‬L?

‫ר״‬ Colas Edit Send 1* ► ^ Help 0 1 ‫ ׳‬a All Packets... Selected Packets... X glete ketN o . |_ jJ I Num: 00(

File

Import... 10 Export

Exit +^ T Packet:

EJ-@ E th e r n e t Type I I
^ D e s t i n a t i o n A d d re ss: S o u rce A d d re ss: FIGURE 17.13: Export All Packets potion Q Option, Packets Sent This shows the number of packets sent successfully. Colasoft Packet Builder displays the packets sent unsuccessfully, too, if there is a packet not sent out. Save As
5avein‫ ! " ! ־‬: o l a e c - f t flfc l Rcccnt plocca Nome D«tc modified No items match your search.

] 0 /1 4 [

‫ן‬ ,

FF: FF:1
0 0 :0 0 :(

x I

Type

■ Desktop

< 3
Libraries lA ff Computer

Network

r n ______ F 1 Un»m* S»v• •c typ♦

... | Fjiekct• e«cpld (Colafloft Packot Rio (v6) (*.oocpkt) vj v| Sav• C«rc«l

r >1

|

FIGURE 17.14: Select a location to save the exported file

U

Packets.cscpkt

FIGURE 17.15: Colasoft Packet Builder exporting packet

Lab A nalysis
Analyze and document die results related to the lab exercise. T ool/U tility Colasoft Packet Builder Inform ation C ollected/O bjectives Achieved A dapter Used: Realtek PCIe Family Controller Selected Packet N am e: ARP Packets Result: Captured packets are saved in packets.cscpkt

C E H L ab M an u al P ag e 256

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

PLEASE TALK TO

Y O U R I N S T R U C T O R IF YOU R E L A T E D T O T H IS LAB.

HAVE

QUESTIONS

Q uestions
1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network. 2. Evaluate what types of instant messages Capsa monitors. 3. Determine whether die packet buffer affects performance. If yes, dien what steps do you take to avoid or reduce its effect on software? Internet C onnection Required □ Yes Platform Supported 0 No

0 Classroom

0 iLabs

C E H L ab M an u al P ag e 257

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab

Scanning Devices in a Network Using The Dude
I CON KEY
5 Valuable information Test your knowledge Web exercise Workbook review

The Dnde automatically scans all devices within specified subnets, draws and lays out a wap ofyour networks, monitors services ofyour devices, and a/eftsyon in case some service hasp roblems.

Lab S cenario
111 the previous lab you learned how packets can be captured using Colasoft Packet Builder. Attackers too can sniff can capture and analyze packets from a network and obtain specific network information. The attacker can disrupt communication between hosts and clients by modifying system configurations, or through the physical destruction of the network. As an expert eth ic a l h ack er, you should be able to gadier information 011
organ ization s n etw ork to c h e c k for vu ln erab ilities and fix th em b efo re an a tta ck er g e t s to co m p ro m ise th e m a c h in e s using th o s e vu ln erab ilities. If

you detect any attack that has been performed 011 a network, immediately implement preventative measures to stop any additional unauthorized access. 111 this lab you will learn to use The Dude tool to scan the devices in a network and the tool will alert you if any attack has been performed 011 the network.

Lab O bjectives
The objective of diis lab is to demonstrate how to scan all devices widiin specified subnets, draw and layout a map o f your networks, and monitor services 011 die network.
V — J Tools dem onstrated in this lab are available in D:\CEHTools\CEHv 8 Module 03 Scanning Netw orks
C E H L ab M an u al P ag e 258

Lab Environm ent
To carry out the lab, you need: ■ The Dude is located at D:\CEH-T00 ls\CEHv 8 Module 03 S can nin g
N etw ork s\N etw ork D iscovery and Mapping T ools\T h e Dude

■ You can also download the latest version o f The Dude from the http: / / www.1nikiodk.com / thedude.php

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

■ If you decide to download the latest version, then s c r e e n s h o ts shown in the lab might differ ■ A computer running Windows Server 2012 ■ Double-click die The Dude and follow wizard-driven installation steps to install The Dude ■ Administrative privileges to run tools

Lab D uration
Time: 10 Minutes

O verview o f T h e Dude
The Dude network monitor is a new application that can dramatically improve die way you manage your network environment It will automatically scan all devices within specified subnets, draw and layout a map of your networks, monitor services o f your devices, and alert you in case some service lias problems.

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

i | Windows Server2012
Ser*r 2012 M « a 1e Candklate DitaceM* ______________________________________________________________________________________ Ev^mbonoopy BuildWX:

FIGURE 18.1: Windows Server 2012- Desktop view

E

ta sk

1

111 the Start m enu, to launch T he Dude, click T he Dude icon.

Launch The Dude

Start
Server Maiwgcr Computer

Administrator ^

iL
~ v
M m n itr. T<xJ1

U
e

*
‫יי‬
1 n» 0u0f

f>

-—J
command Prompt

%

0— l»p

C E H L ab M an u al P ag e 259

E th ica l H a c k in g an d C o u n term easu res Copyright O by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

FIGURE 182: Windows Server 2012 - Start menu

3. The main window o f The Dude will appear.
fS m m (§ )
a d m in @ lo c a lh o s t - T h e D u d e 4 .0 b e ta 3 5references Setting* Contert*

9

Local Server CJ

Hdo

’- l ° l ‫י‬ jjyi2m c*‫ ״‬m .TffB
X ! ‫־‬

□ A3<*T3S U SS A Admn#
H H 0 ‫»ו »י‬ D*wic«»

71S E 1

O*

Ssttnst

j

Dkovo 70011*

W

‫• ־‬.

.*.‫־‬

Lay*

irk*

vJ

? 5 ? □
M
H □

E - B

I-

Flea FLnctona H tfa y Action* Lntu Lc0* £ 7 A^icn £ 7 Cecus £ 7 & ‫׳‬ent £ 7 Syslog Notic? Keftroric Maps B Lccd 1 U n ir t i

5

-A

[.Ca 1MU«d

Ctert. a 9‫ מ‬bu« /t x 384 M

S * ‫׳ ״*־‬x 2 1 5 b c *.'U M 2 b c «

FIGURE 18.3: Main window of The Dude

4. Click the D iscover button on the toolbar of die main window.
-------------------------— ■■ a d m i r t @ l o c a l h o s t - T h e D u d e 4 .0 b e t a 3 ® ‫ ־‬reference* 9 a Ca-'teri* Q Addra# list* A ‫׳‬vawro □ 0 ‫יו *ו‬ f‫“־‬l Om icM f * . Ftes n F_nccon8 Local Seiver c ‫׳‬ * - 1 + ‫״‬ o * Sett re# D ko v * ‫| ־‬ *T oo• ‫•־‬. •v 1*« |lrk* * b r h tZ 3 . ‫״‬ 1 x E ®

IIIIJHb
_d 2

‫י‬

B
n □

H a a y Action* 1 ^‫*י‬ “ Leo* £ ? Acttcn

£7 Defcus £7 Event
R - Q £ 7 Sjobg Mb No tie? fcw ortc Ma08

M

B

Lccdl

'‫׳‬

| !Connected

Cie‫ ׳‬t. 1x

$59bus / t x 334bp*

:«<* a215bo*<'u642bc«

FIGURE 18.4: Select discover button

5. The D ev ice D iscovery window appears.

C E H L ab M an u al P ag e 260

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

Device Discovery
General Services Device Types Advanced Discover Cancel

Enter subnet number you want to scan for devices Scan Networks: 1 10.0.0.0/24 Agent: |P£g? P Add Networks To Auto Scan Black List: |i Device Name Preference: |DNS. SNMP. NETBIOS. IP Discovery Mode:
(•

!-

fast (scan by ping)

C

reliable (scan each service)

Recursive Hops: ‫פ ר ־ י ו‬ F

/ ‫י‬
2

I I I I I
4 6 8 10 14

I I I
20 50

Layout Map /tfter Discovery Complete

FIGURE 18.6: Device discovery ^‫־‬ uxicra‫־‬

6. 111 the Device Discovery window, specify S ca n N etw ork s range, select d efau lt from die A gent drop-down list, select DNS, SNMP, NETBIOS, and IP from die D ev ice N am e P referen ce drop-down list, and click
D iscover.
Device Discovery
General Services Device Types Advanced number you want to scan for Scan Networks: (10.0.0.0/24 Agent: 5 S S H B I r Add Networks To Auto Scan Black List: [none Device Name Preference Discovery Mode DNS. SNMP. NETBIOS. IP
(•

3
8 10 14 20 S O

fast (scan by ping)

C

reliable (scan each service)

0
Recursive Hops: [1 I ]▼] / —r
2 4 6

‫ו —ר‬ —1 — ‫ו —ו‬ ---------------------------------------------------------------

Layout Map /tfter Discovery Complete

FIGURE 18.7: Selecting device name preference

7. Once the scan is complete, all the devices connected to a particular network will be displayed.

C E H L ab M an u al P ag e 261

E th ica l H a c k in g an d C o u n term easu res Copyright C by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

adrmn@localhost The Dude 4.0beta3 1 1d Locd
!_ S a n h fla Ccrtemt_______________ f~ l *ric teo Lata Adnns 4 . +

‫־‬f t ^t
tt 1a s ‫י‬|l‫־‬ks ^ 209m : [10

•fat

ll B S
- _ ^ e: _e [o * | S W | | Dhcovef | ^Tooia

B «*< 2□

‫ק‬

‫*׳‬ -* P ie » QF u 1 d io n
□ ‫י‬-00* 127A*en Lf U o fco a

O e v te a a□

Chats

Q y
WW*IXY858KH04P

.•
WN-D39MR5 HL9E4 AOMN

ecu 19N fn«r: 63 %vM: 27%disk 75%

» A e te n 0 7 * 40 H1 -‫״‬ ‫*י‬ ‫׳‬
ptVem asy*B
Q Local Metwortc*

MflfeMtttLUUKAl

r

I
*
WIN

\
N . ‫י‬

? U ' t ' . l O ' . t f S \

‫י‬

□ to b> 1 0 «m dn ‫־ז‬ ^ ‫״‬ ‫״‬ ‫ס‬ *M a p *
‫ק‬

‫ ב ר ז‬-‫ו א ^נ‬

H□ P jT riS Q adrrin 127.0,0.1 QPxtee
5 > Sennco

Q NotActfont

QTcde
YHhH.K0H)ftR3fi?M

r i'r -r ^ r

Q m - ‫׳‬x 3 2 5 ■ ‫ ׳‬oc« ‫ ׳‬w I95bpj

Saver r | ( ( 4(>> * 3 9 t ® c «

FIGURE 18.8: Overview of network connection

8. Select a device and place die m ouse cursor o n it to display the detailed
inform ation about diat device.

CartvM
Ad<*«3a Lota 5

♦• ‫ ״‬%

jo ^ S tf ttK u jo D w o v w

~ * 1Z o o m .[ T O

R Afl*rta *Chat □

* AA d m r

^ Plea Q Functions

Q0 8 V 1 0 0 8
® *•* H atovV □

tftteO T .J L Y K S O -C iP W r d c v n a x n p u c r ‘ , IP• 100 0 9 M A C C tt ■ - 1 0
S*'42m (7 V
U>.da3 rcOiM 1C2 coj fnemcry vrtuai memoiy. cfck

L n k□ *
‫□ ־‬ Lcoa

C7 Detua Ewr ?£ L7S«bg ® * M bM o d •n Nnwwk

J ?A c to n ]

C esacto- -fc*».=«e ntes« Famly G Wsdd 42 9eppng 7 M/M COUPATBU 6 0 0 1W ipxnsrFix)
Ipwue 0028‫־‬ <J771

S jcrT !‫ז‬.‫*־״‬.vw .-’ . ‫׳‬-Y 35am 3ip

Virc0*5 I to ia i 6 & End

te tw o *M a p s ,! B B lo c a l
I» _ i**W U « L 'i» tX > :»

« N o ! llc < U o r2 Q >S a m c a s

Q Parris H • * ™ 127.00.1 □ P‫ »׳‬cN

)>*

l*»

1‫ ג‬a t

1‫» נ‬

iwttdai e UU liriMMOll-

■■ 1 1 *••:‫ י‬.1rc»1 c :r

(< » •

n-n

H T o cte

1 2 :3

12:31

12:40

12: X

1*•:

13: ta

Ie c u• lam0«■a.'iaaeoip

|m d iv0v n n -u iY K B o c n P

.W * ‫־‬ . n m ‫־‬, t «W -ll‫־‬ r8!a.H0TP

C V t m 2 45 kbp* ‫'׳‬tx 197bp»

n .1 3 4 ttp a /fc 3 3 k b c «

FIGURE 18.9: Detailed information of the device

9.

N o w , click the d ow n arrow for die Local drop-dow n list to see inform ation 011 H istory A ctio n s, T ools, F iles. Logs, and so 011.

C E H L ab M an u al P ag e 262

E th ica l H a c k in g an d C o u n term easu res Copyright © by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

FIGURE 18.10: Selecting Local information

10. Select options from die drop-down list to view complete information.
adm1r!@iocalha5t ‫ ־‬The Dude 4.0beta3
® | | Preferences 19 Local S w » Heb ‫־ < _ ־‬ X ‫־‬,

• O
Q

S e tB n g j
Co‫׳‬not?

e• I ~
I
‫ ו‬u
7 U

Q Add's** Luts

4M m »
Aq*0U

130245

A d en
NetwOlk Map Be‫׳‬nnt dn1£1‫*׳‬d Ner*e«k Map Be‫׳‬n»nt chanjed tM « a k Map b tm rU tf»a•‫׳‬ ‫׳־‬r * « changed Nerwak Map B 1 FMflCik Mat' blvw'i: J w j*0 Nmv»c « k Map Br‫׳‬nf‫׳‬r! changed fMocik Map Merwak Map Be-nem changed fjnC*«k Map b c w : changed Nef«c<k Map Bemem changed NetWClk Map Netwcik Map Berotm changed r«(.«c«k Map 0 c1‫*׳‬s‫׳‬r. changed r‫״‬ er*cfk Map Beroen: changed . cha' Sed ta t« a k Map Bc1 * ‫׳‬T tieCMdk Map B f w t changed Netwcik Map Bwnert changed rjefMCik Map Berne'S changed

□ O w l• r* 1L V v is•• ‫ליי‬rte »

Q I undior*
□ IW « y /towns M Lrk» ‫ □ >־‬Logs

3U * u 5U
C U

1 3 0 2 4 C
13024S 130?44 1302S0
130 ? ‫ע‬

7U
fi U

130254
130? K

H » w 1 !« .< > • ‫ ׳‬j« 0 B e 'IW > .» « ' je O

£7A = 1 ‫״‬n

£7 D ebug
Q £ ? Stfog Mb Nedcx

9u u ‫ וו‬u u 13 U

1 0 1 2

130258
130340

130302
1303-03

13.0306
130348

14 U

15 U
•6 U

13.03.14
1303 16

7‫ ו‬u
16 U

13.0320

2 0u
CemtcM

19 U

130322 130324 Netwcik Map Bwmnl jed 1303 27 Netwcik Map Beroen! changed

eta'

0*rt ‫׳‬x9 17kbps/|x 1 I 2 kbp•
a d ^ n ^ io c a lh o s t - The

S«nv‫ ־‬a 3 74 Ktv* 11 & ‫ ׳׳‬Tklcn

Dude 4,Obeta3

‫־‬

a

*

®

fafaenoee

O toca s«n

oI

G e tn rg j
Comats

L ‘

*‫־‬

‫׳*״‬

ih ti^rS S B S S X S A l
J‫ ״‬C J U
Type, ( * U iZ.-r'tn ‫»ז<ז‬ n -= te in c te MTCte Mncte M‫ ־‬rle WCte w ‫־‬ *• lias Local Local Local Local Local Local Local Local Local Local Local Local 3 M * f‫^ ־ ־‬i T] □ ‫י‬

3 Address Lists & Adms Q Agents
Q O w i•

i l l l
De*c* 100 a !

Q Devicw
'<■ Fte» Q Functor•

1000.12
1000255 A D ** V/N2H9STOSG

Q Ktateiy Actons
‫ם‬ Lrkj

W M O U M R 5H L
V / f N « 6t< SG1 W IU J O 0 M I

‫־‬1 ‫ס‬C 1 ‫יה״‬ 7 A c lc n
C f CebuQ

w!s«5sn.c1u
W KMW S8 w woowss

unci*
M‫ ־‬de trmo M‫* |״‬ *met*

Lf S^oo C JM b!* < !» .

r> E v .rt

C flrr ‫׳‬x 2 91 kbps / tx 276 bps

S e r.'? ‫־‬0 t2I6 ‫־‬ ‫׳‬rc *■ ^ ‫ל‬ 2 ‫׳ל‬4 ‫מז‬

FIGURE 18.11: Scanned network complete information

C E H L ab M an u al P ag e 263

E th ica l H a c k in g an d C o u n term easu res Copyright C by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

11. As described previously, you may select all the other options from the drop-down list to view die respective information. 12. Once scanning is complete, click the
Freferences •‫ל‬ S e ttn o ) 9 d Local Server C* ” *•to

button to disconnect.

admin©localhost - The Dude 4.0beta3

+ ‫״‬
R £ □ Address U8I8 Adn<rM Agert«

r

C.

O

k

S*Crgc

O noowf

‫ ״‬Tooli

ft

\

•*.‫״‬

* i"


Chate
O w c es FLnaens History Actions Linlcs Leg* C‫־‬ f A cton

t>
WikULYSSBKHQIP t p u 22% IM fT t SOS. v .it 34% d isk 75%

,1
W IN -D 39N R SH 1.91=4

‫י‬
ADMIN

r* = 1 «
n Q H = 3

‫י‬
_ W IN -2N 95T 0S G IE M

v.
\

‫י‬
1000

(Z JD cb u o E v en t
□ Q O S/*>og Mto Nodeo Netv.'Oik Mips B - l g cjj r

<|

1 ■

j [>

‫ ־‬r ‫ ־\־ ^־־‬T ^ ‫־ ר ^ ל ^ ה ־ רז‬ .1
WM -LXQ \3\VR3!W M

nZ W kbw 'b 135 bps

5<?vrr rt i .12cp5 't* 3 •15 *bps

FIGURE 18.12: Connection of systems in network

Lab A nalysis
Analyze and document die results related to die lab exercise. T ool/U tility Inform ation C ollected/O bjectives Achieved IP A ddress Range: 10.0.0.0 —10.0.0.24 T he D ude Device N am e Preferences: DNS, SNMP, NETBIOS, IP O utput: List of connected system, devices in Network

C E H L ab M an u al P ag e 264

E th ica l H a c k in g an d C o u n term easu res Copyright O by E C ‫־‬Counc11 All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

PLEASE TALK TO

Y O U R I N S T R U C T O R IF YOU R E L A T E D T O T H IS LAB.

HAVE

QUESTIONS

In te r n e t C o n n e c tio n R e q u ire d □ Y es P la tfo r m S u p p o rte d 0 C la s s ro o m 0 iLabs 0 No

C E H L ab M an u al P ag e 265

E th ica l H a c k in g an d C o u n term easu res Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.