CEHv8 Module 03 Scanning Networks

Scanning N etw orks M odule 03
Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
ScanningN etw orks

M o d u le 0 3
Engineered by Hackers. Presented by Professionals.
C E H
M o d u l e 0 3 : S c a n n in g N e t w o r k s E xa m 3 1 2 -5 0
E th ic a l H a c k in g a n d C o u n te r m e a s u r e s v 8
M o d u le 0 3 Page 263
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Exam 3 1 2 -5 0 C ertified Ethical H acker
SecurityN ew s
H one Services Company Networks Contact
Oct 18 2012 S a lie n t ly S a lit y B o t n e t T r a p p e d S c a n n in g IP v 4 A d d r e s s S p a c e
r
r
The w ell known b o tn e t Sality, w hich locates vulne rab le voice-over-IP (VoIP) servers can be con trolled to fin d th e e n tire IPv4 address space w ith o u t alerting, claim ed a new study, published by Paritynews.com on O ctober 10, 2012. Sality is a piece o f m alw are whose prim ary aim is to infe ct w eb servers, disperse spam, and steal data. But the latest research disclosed o th e r purposes o f the same including recognizing susceptible VoIP targets, which could be used in to ll fraud attacks.
r 1 1
N fu js
Through a m ethod called "reverse-byte ord e r scanning," sality has adm inistered tow ards scanning possibly the w hole IPv4 space devoid o f being recognized. That's on ly the reason th e technique uses very less num ber o f packets th a t com e fro m various sources.
The selection o f the target IP addresses is generated in re verse-byte-order increm ents. Also, th e re are large am ounts o f bots con tributin g in the scan. http://www.spamfighter.com
l- l
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
S e c u r ity N e w s
S a lie n tly S p a c e S a lity B o tn e t T r a p p e d S c a n n in g IP v 4 A d d r e s s
Source: h ttp ://w w w .s p a m fig h te r.c o m A sem i-fam ous b otn et, Sality, used fo r locating vulnerable vo ice o v e rIP (VoIP) servers has been co ntro lle d to w a rd d e te rm in in g the e ntire IPv4 address space w ith o u t setting o ff alerts, claims a new study, published by Paritynews.com , on O ctober 10, 2012. Sality is a piece o f m alw are w ith the prim a ry aim o f infecting w eb servers, dispersing spam, and stealing data. But the latest research has disclosed o th e r purposes, including recognizing susceptible VoIP targets th a t could be used in to ll fraud attacks. Through a m ethod called "reve rse -b yte o rd e r scanning," Sality can be adm inistered to w a rd scanning possibly the w hole IPv4 space, devoid o f being recognized. That's the only reason the tech n iq ue uses a very small num ber o f packets th a t come fro m various sources. The selection o f the ta rg e t IP addresses develops in re ve rse -b yte -o rd e r in cre m e nts. Also, there are many bots co n trib u tin g in the scan. The conclusion is th a t a solitary n e tw o rk w o u ld obtain scanning packets "d ilu te d " over a huge period o f tim e (12 days in this case, fro m various
sources, U n ive rsity o f C a lifornia, San Diego (UCSD), claim ed one o f the researchers, A listair King, as published by Softpedia.com on O ctober 9, 2012). According to A lb e rto D a in o tti, it's n ot th a t this stealth-scanning m ethod is exceptional, b ut it's the firs t tim e th a t such a happening has been both noticed and docum ented, as re p orte d by Darkreading.com on O ctober 4, 2012. M any o th e r experts hold fa ith th a t this m anner has been accepted by o th e r botnets. Nevertheless, the team at UCSD is n ot aware o f any data verifying any event like this one. According to David P iscitello, Senior Security Technologist at ICANN, this indeed seems to be the firs t tim e th a t researchers have recognized a b o tn e t th a t utilizes this scanning m ethod by em ploying reverse-byte sequential increm ents o f ta rg e t IP addresses. The b o tn e t use classy "o rc h e s tra tio n " m ethods to evade d e te ctio n . It can be sim ply stated th a t the b o tn e t o p e ra to r categorized the scans at around 3 m illio n bots fo r scanning the fu ll IPv4 address space throu g h a scanning p atte rn th a t disperses coverage and p artly covers, b ut is unable to be noticed by present a u to m a tio n , as published by darkreading.com on O ctober 4, 2012.
Copyright S P A M fig h te r 2 0 03 -201 2

h ttp ://w w w .s p a m fig h te r.c o m /N e w s -1 7 9 9 3 -S a lie r1 tlv -S a litv -B o tn e t-T ra p p e d -S c a n n in g -IP v 4 A dd ress-S p ace .h tm
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
M odule O bjectives
J J J J J J J J Overview o f N etw ork Scanning CEH Scanning M ethodology Checking fo r Live Systems Scanning Techniques IDS Evasion Techniques Banner Grabbing Vulnerability Scanning Drawing N etw ork Diagrams ^ J J J J J J J J Use o f Proxies fo r Attack Proxy Chaining HTTP Tunneling Techniques SSH Tunneling Anonymizers
C E H
IP Spoofing Detection Techniques Scanning Countermeasures Scanning Pen Testing
M o d u le
O b je c tiv e s
Once an a ttacker id e ntifies h is/h e r ta rg e t system and does the in itia l reconnaissance, as discussed in the fo o tp rin tin g and reconnaissance m odule, the a ttacker concentrates on g ettin g a m ode o f e n try into the ta rg e t system . It should be noted th a t scanning is n ot lim ited to in tru sion alone. It can be an extended fo rm o f reconnaissance w here the a tta cke r learns m ore about h is/h e r target, such as w h a t operating system is used, the services th a t are being run on th e systems, and c o n fig u ra tio n lapses if any can be id e n tifie d . The a tta cke r can then strategize h is/h e r attack, facto rin g in these aspects. This m odule w ill fam iliarize you w ith : 0 0 0 0 0 0 0 0 O verview o f N e tw o rk Scanning CEH Scanning M e tho d olog y Checking fo r Live Systems Scanning Techniques IDS Evasion Techniques Banner Grabbing V u ln e ra b ility Scanning Drawing N e tw o rk Diagrams 0 0 0 0 0 0 0 0 Use o f Proxies fo r A ttack Proxy Chaining HTTP Tunneling Techniques SSH Tunneling Anonym izers IP Spoofing D etection Techniques Scanning Counterm easures Scanning Pen Testing
M o d u le 0 3 Page 2 66
O v erv iewo fN e tw o r kS c a n n in gC E H
(rtift* ttkujl lUckM
N e tw o rk scanning refers to a set o f procedures fo r id e n tify in g hosts, p o rts, and services in a n e tw o rk N e tw o rk scanning is one o f th e c o m p o n e n ts o f in te llig e n c e g a th e rin g an a tta cker uses to create a p ro file o f th e ta rg e t organization
Sends TCP /IP p ro b e s
G e ts n e tw o r k
&
A ttacker
in fo r m a tio n
O b je c tiv e s o f N e t w o r k S c a n n in g
To discover live hosts, IP address, and open po rts o f live hosts
To discover operating
To discover services ru nning on hosts
To discover vu ln e ra b ilitie s in live hosts
systems and system architecture
O v e r v ie w
o f N e t w o r k S c a n n in g
As we already discussed, fo o tp rin tin g is the firs t phase o f hacking in w hich the a ttacker gains in fo rm a tio n about a p ote n tia l target. F ootp rin tin g alone is n ot enough fo r hacking because here you w ill gather only the prim a ry in fo rm a tio n about the targe t. You can use this prim a ry in fo rm a tio n in th e next phase to gather many m ore details abo u t the target. The process o f g a th e rin g a d d itio n a l d etails about the ta rg e t using highly com plex and aggressive reconnaissance techniques is called scanning. The idea is to discover e x p lo ita b le c o m m u n ica tio n channels, to probe as many listeners as possible, and to keep track o f th e ones th a t are responsive o r useful fo r hacking. In the scanning phase, you can fin d various ways o f in tru d in g in to th e ta rg e t system. You can also discover m ore about the ta rg e t system , such as w h a t o p e ra tin g system is used, w h a t services are ru n nin g , and w h e th e r or n ot th e re are any co n fig u ra tio n lapses in the ta rg e t system. Based on the facts th a t you gather, you can fo rm a strategy to launch an attack. Types o f Scanning 9 e 6 P ort scanning - Open ports and services N e tw o rk scanning - IP addresses V u ln e ra b ility scanning - Presence o f know n weaknesses
In a tra d itio n a l sense, the access p oints th a t a th ie f looks fo r are the doors and w indow s. These are usually the house's points o f vu ln e ra b ility because o f th e ir re la tively easy accessibility. W hen it comes to co m p u te r systems and netw orks, p o rts are the doors and w indow s o f the system th a t an in tru d e r uses to gain access. The m ore the ports are open, the m ore points o f vu ln e ra b ility, and the fe w e r the ports open, th e m ore secure the system is. This is sim ply a general rule. In some cases, the level o f vu ln e ra b ility may be high even though fe w ports are open. N e tw o rk scanning is one o f the m ost im p o rta n t phases o f intelligence gathering. During the n e tw o rk scanning process, you can gather in fo rm a tio n abo u t specific IP addresses th a t can be accessed over the Inte rn e t, th e ir targets' operating systems, system a rch itectu re , and the services running on each co m puter. In a dd ition, the a ttacker also gathers details about the netw orks and th e ir individual host systems.
Sends TCP /IP probes
Gets netw o rk
&
inform a tion
Attacker
FIGURE 3.1: N e tw o rk Scanning Diagram
Network
b je c tiv e s
o f N
e tw
o r k
S c a n n in g
If you have a large a m o un t o f in fo rm a tio n abo u t a ta rg e t o rg an iza tion , th e re are greater chances fo r you to learn the w eakness and lo o ph o les o f th a t p articula r organization, and consequently, fo r gaining unauthorized access to th e ir netw ork. Before launching the attack, the a ttacker observes and analyzes the ta rg e t n e tw o rk fro m d iffe re n t perspectives by p erfo rm ing d iffe re n t types o f reconnaissance. How to p erform scanning and w h a t type o f in fo rm a tio n to be achieved during the scanning process e n tire ly depends on the hacker's v ie w p o in t. There may be many objectives fo r p erfo rm ing scanning, b ut here we w ill discuss the m ost com m on objectives th a t are encountered during the hacking phase: D iscovering live hosts, IP address, and open p orts o f live hosts ru n n in g on th e n e tw o rk . D iscovering open p o rts: Open ports are the best means to break in to a system or n etw o rk. You can fin d easy ways to break into the ta rg e t organization's n e tw o rk by discovering open ports on its netw ork. D iscovering o p e ra tin g system s and system a rch ite ctu re o f th e ta rg e te d system : This is also referred to as fin g e rp rin tin g . Here the a ttacker w ill try to launch th e attack based on the operating system 's vulnerabilities.
Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats. Detecting the associated network service of each port
G i
HHH

Check for Live Systems ,. Check for Open Ports Scanning Beyond IDS Banner Grabbing wJ
h i
Scan for Vulnerability
Draw N e tw o rk. Diagrams
n L 1^
r Prepare Proxies
W m, U Scanning Pen Testing
C E H
S c a n n in g M e t h o d o lo g y
The firs t step in scanning the n e tw o rk is to check fo r live systems.
Check fo r Live Systems
ft
Check for Open Ports
r
Q O
Draw Network Diagrams
Scanning Beyond IDS
Prepare Proxies
Banner Grabbing
Scanning Pen Testing
This section highlights how to check fo r live systems w ith the help o f ICMP scanning, how to ping a system and various ping sweep tools.
C h e c k in gfo rL iv eS y ste m sIC M PS c a n n in g

t o
C E H
J Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply J This scan is useful for locating active devices or determining if ICMP is passing through a firewall
ICMP Echo Request
ICMP Echo Reply D e stin a tio n (192.168.168.5)
Source (192.168.168.3)
T h e ping s c a n output u sin g Nm ap:
Zenmap
Sc!n Target. l o o Is P 'c fK Profile Ping cn
192166.168.5 |n rr*p wi 192.168.168.3 Service! * Nmap 0utp14
Command: Hosts Host
Pciti H oiti Topology H ojI Detail!
Scans
nmap jn 192.168.163.5
192.16S. 168.1 192.168.1663 192.168.1685 192.168.166.1S
S t a r t i n g fJTap 6 .0 1 ( h t t p : / / n r o p . o r g ) a t 2 0 1 2 - 0 8 08 1 3 :0 2 EOT
Swap scan re p o rt fo r 192.168.168.5

i s up ( 0 .0 0 5 l a t e n c y ) . MAC f l d d r e t t : ( D e l l) M!ap do ng : 1 IP ad dre ss (1 h o s t up ) scanned i n 0 .1 0 se co rd s
most
Piter Hosts
http://nmap.org
Copyright by H H rW B C il. All Rights Reserved. Reproduction is S trictly Prohibited.
C h e c k in g ICMP Scanning
f o r L iv e
S y s te m s IC M P
S c a n n in g
All required in fo rm a tio n about a system can be gathered by sending ICMP packets to it. Since ICMP does n ot have a p o rt abstraction, this cannot be considered a case o f p o rt scanning. However, it is useful to d ete rm ine w hich hosts in a n e tw o rk are up by pinging the m all (the -P o ptio n does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the n um ber o f pings in parallel w ith the -L o ptio n . It can also be helpful to tw e ak the ping tim e o u t value w ith the -T option. ICMP Q uery The UNIX to o l IC M P query o r ICMPush can be used to request the tim e on the system (to find o u t w hich tim e zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netm ask on a p articula r system can also be d ete rm ine d w ith ICMP type 17 messages (ADDRESS MARK REQUEST). A fte r fin d in g th e netm ask o f a n e tw o rk card, one can d ete rm ine all the subnets in use. A fte r gaining in fo rm a tio n about th e subnets, one can ta rg e t only one p articula r subnet and avoid h ittin g the broadcast addresses. ICMPquery has both a tim e sta m p and address mask request o ptio n : icmp query <-query-> [-B] [-f fro m h o s t] [d delay] [-T tim e ] targe t
W here <query> is one of: -t: icm p tim e sta m p request (default) -m : icm p address mask request -d: delay to sleep betw een packets is in microseconds. -T - specifies the n um ber o f seconds to w a it fo r a host to respond. The d e fa u lt is 5. A ta rg e t is a list o f hostnam es or addresses.
*iJN:::::::::::::ft:::::::::::::
ICMP Echo Request
/*
ICMP Echo Reply
Source (192.168.168.3)
Destination (192.168.168.5)
FIGURE 3.2: ICMP Q u e ry Diagram
Ping Scan O u tp u t Using Nm ap Source: h ttp ://n m a p .o rg Nm ap is a to o l th a t can be used fo r ping scans, also know n as host discovery. Using this to o l you can d ete rm ine the live hosts on a n etw o rk. It perform s ping scans by sending the ICMP ECHO requests to all the hosts on the n etw o rk. If the host is live, then the host sends an ICMP ECHO reply. This scan is useful fo r locating active devices or d e te rm in in g if ICMP is passing throu g h a fire w a ll. The fo llo w in g screenshot shows the sample o u tp u t o f a ping scan using Zenm ap, the official cross-platform GUI fo r the Nmap Security Scanner:
Zenmap
Scan Jo o ls Profile Help
Target
192.168.168.5 |nm ap -sn 192.168.168.51 Services
v I Profile:
Ping scan
:Scan!
Cancel
Command: Hosts OS < Host IM I* *"
Nmap Output Ports/H osts Topology Host Details Scans nmap -sn 192.168.168.5
V
Details
192.168.168.1 192.168.168.3 192.168.168.5 S t a r t i n g Nmap 6 .0 1 ( h t t p : / / n 1 r a p .o r g ) a t 2 0 1 2 -08-08 a? Nmap sc a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .5 H ost i s up ( 0 .0 6 s l a t e n c y ) . M A C A d d re ss: ( D e ll) Nmap done: 1 IP a d d re s s (1 h o s t up) sc a n n ed in 0 .1 0 sec o n d s
tM 192.168.168.13 .. v ------- ------ -----------------1 Filter Hosts
FIGURE 3.3: Zenm ap S how ing Ping Scan O u tp u t
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
PingSw eep
J Ping sweep is used to determ ine the live hosts from a range of IP addresses by sending ICMP ECHO requests to m ultiple hosts. If a host is live, it w ill return an ICMP ECHO reply Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet Attackers then use ping sweep to create an inventory o f live systems in the subnet T h e p in g s w e e p o u t p u t u s in g N m a p
Zenmap I n i , ICM P Echo Request
C E H
a a a
_l
Sen
T*fqcc
lo o ts
H e lp v P ro file *I S c irt C anct
92.l6a.16S.l-S0
C o m m an d H o jb
| m 8 p P f PA21,23.9Q,J389192.168.168.1-501 k n x ei N n < * p O u t p u t P o r t ( / HoUi | T o p o l o g y H o t ! D e t a i l * S c a n t n m a p w P E PA21.2J.80l3 3 8 9 192.168.168.1*0

0 S [0 ** ICM P Echo Reply ICM P Echo Request
1 9 2 .1 6 8 .1 6 8 .5 uM ^ !.1 8 .1 6 1 9 2 .1 6 8 .6 M l 1 9 2 .1 6 8 .1 6 8 .7
OS 4 Ho* * W i t t 16S. 1
3
*
I t t 168 3 1& 1 6 6 . 1 & ) 19e.166.16a.1j
1 v .1 t t.1 tt .1 4 I ttlttlttlS 1 9 2 16s.16a.17 1 9 2 . It t I t t 1 9 1 9 2 .1 6 8 . 1 6 8 2 6 I 9 ilttltt2 3 F * H o s ts v
V y
*
S t a r t l r a N 6 .0 1 h t t p : / / r o u p , o r g ) a t 2012 01 01 1 2 :4 1 to r * tu p ! c a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .1 H o s t i s u s ( 0. 00) l a t e n c y ) . * W I A g f llC n . ( H e le t! - P a c k a r d C o m p an y ) * * p * c a n r e p o r t f o r 1 9 2 . 1 6 * . 1 6 . 5 fto v t I t u p ( t . M i l a t e n c y ) . *AC W r t t t ; (A p p le ) w p s c a n r e p o r t *or 1 9 2 . 1 6 8 . 1 6 8 . to s t i s u p ( 0 . 0 0 1 0 s l a t e n c y ) . HA( A d d re ss: (D e ll) f * 1a p s c a n r e p o r t f o r 1 9 2 . 1 6 8 . 1 6 8 . 1 3 M o t i* u p < 8 latency). A C A d d re w : (F o x c o n n l s n a p s c a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .1 4
ICM P Echo Request
Source
1 9 2 .1 6 8 .1 6 8 .3
IC M P Echo Reply ICM P Echo Request
.0 0 1
1 9 2 .1 6 8 .1 6 8 .8
http://nmap. org
P in g
S w eep
A ping sweep (also know n as an ICMP sweep) is a basic n e tw o rk scanning technique to d ete rm ine w hich range o f IP addresses map to live hosts (com puters). W hile a single ping tells th e user w h e th e r one specified host co m p u te r exists on the n etw o rk, a ping sweep consists o f ICMP ECHO requests sent to m u ltip le hosts.
ICMP ECHO Reply

If a host is active, it returns an ICMP ECHO reply. Ping sweeps are am ong the oldest and slowest m ethods to scan a n etw o rk. This u tility is d istrib u te d across alm ost all platform s, and acts like a roll call fo r systems; a system th a t is live on the n e tw o rk answers the ping query th a t is sent by a no th e r system.
ICMP Echo Request 1 9 2 .1 6 8 .1 6 8 .5
a
Source
1 9 2 .1 6 8 .1 6 8 .3
ICMP Echo Request
<
ICMP Echo Reply 1 9 2 .1 6 8 .1 6 8 .6
ICMP Echo Request
>
W
1 9 2 .1 6 8 .1 6 8 .7
<
ICMP Echo ICMP Echo Request 1 9 2 .1 6 8 .1 6 8 .8
FIGURE 3.4: Ping Sweep Diagram
TCP/IP Packet To understand ping, you should be able to understand the TCP/IP packet. W hen a system pings, a single packet is sent across th e n e tw o rk to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes o f p rotocol header in fo rm a tio n . The sender then w aits fo r a re tu rn packet fro m the ta rg e t system. A good re tu rn packet is expected only w hen the connections are good and when the targe te d system is active. Ping also determ ines the num ber o f hops th a t lie betw een the tw o co m puters and the ro u n d -trip tim e , i.e., the to ta l tim e taken by a packet fo r co m p letin g a trip . Ping can also be used fo r resolving host names. In this case, if the packet bounces back w hen sent to th e IP address, b ut not w hen sent to the name, then it is an indication th a t the system is unable to resolve the name to the specific IP address. Source: h ttp ://n m a p .o rg Using Nm ap S ecurity Scanner you can p erfo rm ping sweep. Ping sweep determ ines the IP addresses o f live hosts. This provides in fo rm a tio n abo u t the live host IP addresses as w ell as th e ir MAC address. It allows you to scan m u ltip le hosts at a tim e and d ete rm ine active hosts on the n etw o rk. The fo llo w in g screenshot shows the result o f a ping sweep using Zenmap, the official cross-platform GUI fo r the Nmap Security Scanner:
Zenmap
Sc!n Joolt Target Erofik {jdp "v] Proffe
11
192.1 6 8 .1 6 8 . 1-50
Scan
Cancel
Command |nmap -sn -PE PA21 ,23 ,80 . 3389192 .168 .1 6 8 .1 -5 ( Hosts OS Host * * Sernces A Nmap Output Ports /Hosts Topology Host Details Scans nmap -sn PE-PA2 1 .23 .80.3389 1 9 2 .1 6 8 .1 6 8 .1-50 S tarting Mrap %
D etails
1 9 2 .1 6 8 .1 6 8 .1 1 9 2 .168 .1 6 8.3 1 9 2 .1 6 8 . 16 8.1 3 1 9 2 .1 6 8 .168.14 1 9 2 . 168 .168.15 6.01

( http://nmap.org ) at
2012- 08-08
12:41
Map scan report fo r 192. 168. 168.1 Host is up ( 0. 00s latency). *AC Address; I (Hewlett-Packard Copany) f*rap scan report fo r 192. 168. 168.3 Host is up ( 0. 00s latency). *AC A d d rm i * (Apple) Nnap scan report for 192. 168. 168.5 Host is up ( 0 . 0010s latency). M A C Address; - (D e ll) Nnap scan report fo r 192. 168. 168.13 Host is up ( 0 . 00s latency). M A C Address: (Foxconn) N*ap scan report fo r 192. 168. 168.14 Host is up ( 0 . 0020s latency). v
< 1 9 2 .168 .1 6 8.5
* fti * *
1 9 2 .1 6 8 . 168.17 1 9 2 .168 .168.19 1 9 2 . 168 .1 6 8-26 1 9 2 . 168.16828

Filter Hosts v
FIGURE 3.5: Zenm ap show ing ping sweep o u tp u t
PingSw eepT ools

Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determ ines the MAC address, scans ports, etc.
o S'** *Rjr* * 1C011 M0*wme V W NUQN3W R1RW IP Range Angry IP Scanner JoeU Hlp to K.0J.S) [lPjnje v * M Pcm1i00c-1 80 0US.1 1JX In) 1JH H M U In x
C E H
SolarWinds Engineer Toolset's Ping Sweep enables scanning a range o f IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.
Uctmiifc v
1 :0 :1 1 0 0 cj Q io a u f ti o a c j Q10&&S C H o a tt 100C7 fh o ac j MOOC9
CH ac 1 0 a a; Chocu # ac.u #1001 &1COC.U M o atr C h o a tu f h o a c . *<
Q r-at 0.1 1 .1 1 1 0
9 1m Cm lm h/l 4n h/! 1m Kl KH K!
H c a r w r c / 1 1 H n O c w it
SUrt
In MM MttlCMM1 In/! <V IS IXQN5W OR9M HV! ln/1) In! In/! In/! In/) In! IV| In/! In!
h /1 l O ? m m
|V*I Kv.| K1 h/l !*/I Kl
I n /1 l
In/! In! A JI
|n ! |nfe| In! ! In'! In! |n ! In! In! |n | In! I" !____________________ v |
Th0**
Angry IP Scanner http://www.angryip.org

P in g
S w e e p T o o ls
D eterm ining live hosts on a ta rg e t n e tw o rk is the firs t step in the process o f hacking o r breaking in to a n etw o rk. This can be done using ping sweep tools. There are a num ber o f ping sweep tools readily available in the m arket using w hich you can p erfo rm ping sweeps easily. These tools a llow you to d ete rm ine the live hosts by sending ICMP ECHO requests to m u ltip le hosts at a tim e . A ngry IP Scanner and S olarw inds Engineer's Toolset are a fe w co m m only used ping sweep tools.
A n g r y
/j
IP
S c a n n e r
Source: h ttp ://w w w .a n g ry ip .o rg
Angry IP Scanner is an IP scanner to o l. This to o l id e ntifie s all non-responsive addresses as dead nodes, and resolves hostnam e details, and checks fo r open ports. The main fe a tu re o f this to o l is m u ltip le ports scanning, configuring scanning colum ns. Its main goal is to fin d th e active hosts in the n e tw o rk by scanning all the IP addresses as w ell as ports. It runs on Linux, W indow s, Mac OS X, etc. It can scan IP addresses ranging fro m 1.1.1.1 to 255.255.255.255.
IP Range - Angry IP Scanner

Scan 0 Commands Favorites loots Help | | IF Range C+ Start v i| Ports [2000.] 80 80.135.139.4... 135,139,445,... [n/a] 135,139,445,... [n/a] 80.135 [n/a] [n/a] =
IP Range | 10.0.0.1 Hostname | W IN-LXQN3WR3R9I IP >10.0.0.1 010.0.0.2 @10.0.0.3 #10.0.0.4 >10.0.0.5 10.0.0.6 )10.0.0.7 C m 0.0.0.8 > 10.0.0.9 #10.0.0.10 #10.0.0.11 # 10.0.0.12 #10.0.0.13 # I0.0.0.M #10.0.0.15 #10.0.0.16 # 10.0.0.17 #10.0.0.18 #10.0.0.19 Ready Ping 1 ms Oms Oms [n/a] 4 ms [n/a] 1 ms [n/a] [n/a] [n/a]
| to | 10.0.0.50
# IP I | Netmask r J
Hostname [n'a] W 1N-M SSLCK4IC41 WindowsS |n/a] W1N-LXQN3W R3R9M [n/a] [n/a] [n/a] [n/a] [n/a]
In /,] ln /
l"/a]
[n/a] [n/a]
[n/a] [n/a] [n/a] [n/a] 627 ms [n/a] [n/a] [n/a] [n/a]
[n/a] [n/a] [n/a] [n/a] Inâ]
]/[
[n/a] [n/a] [n/a] |n/a] [n/a] [n/a] Threads; 0
In'*]
In/a] Display: All
FIGURE 3.6: A ngry IP Scanner Screenshot
S o la r w in d s
E n g in e e r s
T o o ls e t
Source: h ttp ://w w w .s o la rw in d s .c o m The Solarwinds Engineer's Toolset is a collection o f n e tw o rk e ngineer's to o ls. By using this to o ls e t you can scan a range o f IP addresses and can id e n tify the IP addresses th a t are in use c u rre n tly and the IP addresses th a t are free. It also perform s reverse DNS lo o kup .
Ping Sweep
EHe E d it H e lp ^ I | S ra n F |A l I P t DNS Lookup A S t a r t i n g I P A d d r e s s 11 9 2 .1 6 8 .1 8 1 0 F n r im g IP A H r im t t fp A d d r e s s 192 I M IM 10 1 9 2 1 6 6 1 6 6 11 192 166 166 12 1 9 2 1 6 6 1 6 6 13 192 1 6 6 1 6 6 14 192 1 6 6 1 6 6 1 5 192 16 6 1 6 8 1 6 192 1 6 6 .1 6 6 1 7 192 166 1 6 6 .1 6 192 166 166 19 192 166 166 2 0 1 9 2 1 6 6 166 .2 1 1 9 2 1 6 6 1 6 6 .2 2 192 16 6 166 2 3 192 166 166 24 192 166 166 2 5 192 166 166 26 1 9 2 166 1 6 6 .2 7 192 1 6 6 1 6 6 .2 6 192 166 166 2 9 1 9 2 1 6 6 166 30 1 9 2 1 6 6 1 6 6 31 192 166 166 32 <1 S c a n C o m p l ie d S can N _ * V * " I J I _{ # R eauest T m e d O ut R eoues! T m ed O at R equest T m ed O ul R equest T m e d O ut R equest T m e d O ut R equest T m e d O ut R e q u e s t T im e d O u t R equest T m e d O ut R equest T m e d O ut 2 ms R equest T m e d O ut 2 ms R equest T m e d O yt 3 me 3 ms 2 ms III DNS
h
u o o
S ran
(1 9 2 1 8 8 1 6 8 95(
R esponse Tm e R equest T m e d O ut R equest T m e d O ut R equest T m e d O ut ^ ^ R equO St T m e d O u t 3 me
R ecues! T m ed O ul , t
> r 90
FIGURE 3.7: Solarw inds Engineer's T oolset Screenshot
PingSw eepT ools

(C o n td)
C o la so ft Ping Tool
h ttp ://w w w . colasoft. com
C E H
PacketTrap MSP
http ://w w w .pa ckettra p .co m
V isu a l Ping T ester - S ta n d a rd

h ttp ://w w w .p in g te ste r.n e t
Ping S w eep
h ttp://w w w .w hatsupgold.com
Ping S canner Pro

http://w w w .digilextechnoiogies.com
N e tw o rk Ping
h ttp://w w w .greenline-soft.com
U ltra Ping Pro

h ttp ://u ltra p in g . webs.com
Ping M o n ito r
h ttp ://w w w .n ilia n d . com
P in g ln fo V ie w
S
h ttp ://w w w .n irs o ft.n e t
P in kie
h ttp ://w w w .ip u p tim e .n e t
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is S trictly Prohibited.
jf S S S
u
P in g
S w e e p T o o ls ( C o n t d )
r -
In a dd itio n to Solarwinds Engineer's Toolset and Angry IP Scanner, th e re are many o th e r tools th a t fea tu re ping sweep capabilities. For exam ple: 9 9 9 9 9 9 9 9 9 9 Colasoft Ping Tool available at h ttp ://w w w .c o la s o ft.c o m Visual Ping Tester - Standarad available at h ttp ://w w w .p in g te s te r.n e t Ping Scanner Pro available at h ttp ://w w w .d ig ile xte ch n o lo g ie s.co m Ultra Ping Pro available at h ttp ://u ltra p in g .w e b s .c o m P inglnfoView available at h ttp ://w w w .n irs o ft.n e t PacketTrap MSP available at http://www.packettrap.com Ping Sweep available at h ttp ://w w w .w h a ts u p g o ld .c o m N e tw o rk Ping available at h ttp ://w w w .g re e n lin e -s o ft.c o m Ping M o n ito r available at h ttp ://w w w .n ilia n d .c o m Pinkie available at h ttp ://w w w .ip u p tim e .n e t
*- 1
So fa r we discussed how to check fo r live systems. Open ports are the doorw ays fo r an
attacker to launch attacks on systems. Now we w ill discuss scanning fo r open ports.
Check for Live Systems
life
Check fo r Open Ports
r
O Q ^
Scanning Beyond IDS
Prepare Proxies
Banner Grabbing
This section covers the th re e -w a y handshake, scanning IPv6 netw orks, and various scanning techniques such as FIN scan, SYN scan, and so on.
T h ree-W ayH andshake

T hre e-w ay H a n d sh a k e P ro c e s s
1. The Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet w ith only the SYN flag set 2. The server replies w ith a packet w ith both the SYN and the ACK flag set 3. For the final step, the client responds back to the server w ith a single ACK packet 4. If these three steps are com pleted w ithou t com plication, then a TCP connection is established between the client and the server
(rtifwd
C E H
itkitjl
TCP uses a th re e-w ay handshake to establish a connection between server and client
T h re e -W a y H a n d s h a k e TCP is co n n e c tio n -o rie n te d , w hich im plies connection establishm ent is principal p rio r to data tra n sfe r betw een applications. This connection is possible throu g h the process o f the th re e -w a y handshake. The th re e -w a y handshake is im p le m e n te d fo r establishing the co nn e ction b etw e e n p ro to co ls.
The three-way handshake process goes as follows:

9 To launch a TCP conn e ction , the source (10.0.0.2:62000) sends a SYN packet to the d estination (10.0.0.3:21). 9 The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a SYN/ACK packet back to the source. 9 9 This ACK packet confirm s the arrival o f the firs t SYN packet to the source. In conclusion, the source sends an ACK packet fo r the ACK/SYN packet sent by the destination. 9 This triggers an "OPEN" connection allow ing com m unication betw een the source and the d estination, u ntil e ith e r o f the m issues a "FIN" packet or a "RST" packet to close the connection.
The TCP p ro to co l m aintains state ful connections fo r all co nn e ctio n -o rie n te d protocols across the Inte rn e t, and w orks the same as an o rd ina ry te lep h on e co m m unication, in w hich one picks up a telep h on e receiver, hears a dial tone, and dials a num ber th a t triggers ringing at the o th e r end u ntil a person picks up the receiver and says, "H e llo ."
Bill
Three-way Handshake
Sheela
1 0 .0 .0 .3 :2 1
1 0 . 0 . 0 . 2 : 6 2 0 0 0 ^ ..................
...............
........
..*
IrVC
C lient
S erver
FIGURE 3.8: Three-way Handshake Process

E s ta b lis h in g a T C P C o n n e c tio n
As we previously discussed, a TCP connection is established based on the three -w ay hand shake m ethod. It is clear fro m the name o f the connection m ethod th a t the establishm ent o f the connection is accom plished in th re e m ain steps. Source: h ttp ://s u p p o rt.m ic ro s o ft.c o m /k b /1 7 2 9 8 3 The fo llo w in g th re e fram es w ill explain the e stablishm ent o f a TCP connection betw een nodes NTW3 and BDC3:
Frame 1:
In the firs t step, the client, NTW3, sends a SYN segm ent (TCP ....S.). This is a request to the server to synchronize the sequence num bers. It specifies its Initial Sequence N um ber (ISN), w hich is increm ented by 1 and th a t is sent to the server. To initialize a connection, the client and server m ust synchronize each o th e r's sequence num bers. There is also an o p tio n fo r the
M axim um Segment Size (MSS) to be set, w hich is defined by the length (len: 4), this o ptio n com m unicates th e m axim um segm ent size the sender w ants to receive. The A cknow ledgem ent fie ld (ack: 0) is set to zero because this is th e firs t part o f the th re e -w a y handshake. 1 2 .0 7 8 5 NTW3 - - > BDC3 TCP ___ S ., le n : 4, se q : 8221822-8221825, a c k : 0,
win: 8192, src: 1037 dst: 139 (NBT Session) NTW 3- > BDC3 IP TCP: d s t: ....S ., 139 le n : 4, se q: 8221822-8221825, a c k : 0, w in : 8192, s rc : 1037
(NBT S e s s io n )
TCP: S ource P o r t = 0x040D TCP: D e s t in a t io n P o r t = NETBIOS S e s s io n S TCP: Sequence Number = 8221822 (0x7D747E)
TCP: A cknow ledgem ent Number = 0 (0x0) TCP: Data O f f s e t = 24 (0x18) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x02 : . . . . S.
TCP: TCP: TCP: TCP: TCP: TCP:
. . 0 ........
= No u r g e n t d a ta n o t s ig n if ic a n t
. . . 0 . . . . = A cknow ledgem ent f i e l d ....0 ... = No Push f u n c t io n
......... 0 . . = No R eset 1 . = S y n c h ro n iz e sequence numbers ............................ 0 = No F in .
TCP: Window = 8192
(0x2000)
TCP: Checksum = 0xF213 TCP: U rg e n t P o in t e r = 0 (0x0) TCP: O p tio n s
TCP: O p tio n K in d
(Maximum Segment S iz e )
= 2 (0x2)
TCP: O p tio n L e n g th = 4 (0x4) TCP: O p tio n V a lu e = 1460 TCP: Frame P ad d in g (0x5B4)
00000: 00010: 00020: 00030:
02 60 8C 9E 18 8B 02 60 8C 3B 85 C l 08 00 45 00 00 2C 0D 01 40 00 80 06 E l 4B 83 6B 02 D6 83 6B 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 20 00 F2 13 00 00 02 04 05 B4 20 20
. ' ......... ' . ; ------- E . . , . . 0 ___ K .k . . .k .............. } t ~ ------- ' .
Frame 2: In the second step, the server, BDC3, sends an ACK and a SYN on this segm ent (TCP .A..S.). In this segm ent the server is acknow ledging the request o f the clie n t fo r synchronization. A t the same tim e , the server is also sending its request to the clie n t fo r synchronization o f its sequence num bers. There is one m ajor d ifference in this segm ent. The server transm its an acknow ledgem ent n um ber (8221823) to the client. The acknow ledgem ent is ju st p ro o f to the clie n t th a t the ACK is specific to the SYN the client in itia te d . The process o f acknow ledging the client's request allows th e server to in cre m e nt the client's sequence num ber by one and uses it as its acknow ledgem ent num ber. 2 2 .0 7 8 6 BDC3 > NTW3 8760, le n : s rc : TCP . A . . S . , 139 le n : 4, se q : d s t: 1109645-1109648, a c k : IP 8760,
8221823, w in : TCP: s rc : .A ..S .,
(NBT S e s s io n )
1037 BDC3 - - > NTW3 8221823, w in :
4, se q: d s t:
1109645-1109648, a c k : 1037
139 (NBT S e s s io n )
TCP: S ource P o r t =
NETBIOS S e s s io n S e rv ic e
TCP: D e s t in a t io n P o r t = 0x040D TCP: Sequence Number = 1109645 (0xl0EE8D) (0x7D747F)
TCP: A cknow ledgem ent Number = 8221823 TCP: D ata O f f s e t = 24 (0x18) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x12 TCP: TCP: TCP: TCP: TCP: TCP: . . 0 .......... = ...1 .... = : .A .. S . No u r g e n t d a ta
A cknow ledgem ent f i e l d
s ig n if ic a n t
. . . . 0 . . . = No Push f u n c t io n ......... 0 . . = No R eset ..............1. = S y n c h ro n iz e ................0 = No F in (0x2238) sequence numbers
TCP: Window = 8760
TCP: Checksum = 0x012D TCP: U rg e n t P o in t e r = 0 (0x0) TCP: O p tio n s TCP: O p tio n K in d (Maximum Segment S iz e ) = 2 (0x2)
TCP: O p tio n L e n g th = 4 (0x4) TCP: O p tio n V a lu e = 1460 TCP: Frame P adding (0x5B4)
00000 00010 00020
02 00 02
60 8C 3B 85 C l 02 60 8C 9E 18 8B 08 00 45 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 . , [ . 0 _____ L . k . . . k .............................. } t ' .
.............E.
00030: Frame 3:
22 38 01 2D 00 00 02 04 05 B4 20 20
8. -
In the th ird step, th e client sends an ACK on this segm ent (TCP .A....). In this segm ent, the client is acknow ledging the request fro m the server fo r synchronization. The client uses the same a lg orith m the server im p lem ented in providing an acknow ledgem ent num ber. The client's acknow ledgm ent o f the 3 server's request fo r synchronization TCP .A 1037 d s t: , le n : 139 0, se q: com pletes the process o f establishing a reliable connection, thus the th re e -w a y handshake. 2 .7 8 7 NTW3 - - > BDC3 8760, s rc : 8221823-8221823, a c k : NTW3 - - > BDC3
IP
1109646, w in :
(NBT S e s s io n )
TCP: s rc :
.A ...., 1037
le n : 139
0, se q:
8221823-8221823, a c k :
1109646, w in :
8760,
d s t:
(NBT S e s s io n )
TCP: S ource P o r t = 0x040D TCP: D e s t in a t io n P o rt = NETBIOS S e s s io n S e rv ic e TCP: Sequence Number = 8221823 (0x7D747F) (0xl0EE8E)
TCP: A cknow ledgem ent Number = 1109646 TCP: D ata O f f s e t = 20 (0x14) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x10 : . A . . . .
TCP: TCP: TCP: TCP: TCP: TCP:
. . 0 .........
= No u r g e n t d a ta
. . . 1 . . . . = A cknow ledgem ent f i e l d ___ 0 . . . ......... 0 . . = No = No Push f u n c t io n R eset S y n c h ro n iz e F in
............0. = No .............. 0 = No
TCP: Window = 8760
(0x2238)
TCP: Checksum = 0xl8E A TCP: U rg e n t P o in t e r = 0 (0x0) TCP: Frame P ad d in g
00000: 00010: 00020: 00030:
02 60 8C 9E 18 8B 02 60 8C 3B 85 C l 08 00 45 00 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 22 38 18 EA 00 00 20 20 20 20 20 20
. ' ............. ' . ; ---------- E . .
(. . 0 ___ O .k .
.k
................... } t ----------P .
8 ___
T C PC om m u n icationF lags
Data contained in the packet should be processed immediately There w ill be no more transmissions Resets a connection URG (Urgent) F IN (Finish)
jm mm
PSH (Push) ACK > (Acknowledgement)A SYN (Synchronize)
Sends all buffered data immediately
Acknowledges the receipt of a packet
Initiates a connection between hosts
Standard TCP com m unications are con trolled by flags in th e TCP packet header
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited
T C P
C o m m u n ic a tio n
F la g s
Standard TCP com m unications m o n ito r the TCP packet header th a t holds the flags. These flags govern the connection betw een hosts, and give instructions to the system. The fo llo w in g are the TCP co m m unication flags: 9 9 Synchronize alias "SYN": SYN notifies transm ission o f a new sequence num ber A cknow ledgem ent alias "ACK": next expected sequence num ber 9 9 Push alias "PSH": System accepting requests and fo rw a rd in g buffered data U rgent alias "URG": Instructs data contained in packets to be processed as soon as possible Q Q Finish alias "FIN ": Announces no m ore transm issions w ill be sent to re m o te system Reset alias "RST": Resets a connection ACK confirm s receipt o f transm ission, and id e ntifies
SYN scanning m ainly deals w ith three o f the flags, nam ely, SYN, ACK, and RST. You can use these th re e flags fo r gathering illegal in fo rm a tio n fro m servers during the e nu m eration process.
Acknowledgem ent No
O ffse t
Res
TCP Flags
W indow
TCP Checksum
Urgent Pointer
Options \< ------------------------- 0-31 B its --------------------------- >

FIGURE 3.9: TCP C o m m u n ica tio n Flags
C r e a teC u sto m P a c k e tU sin g T C PF la g s

Colasoft Packet Builder
C E H
-
.$ 5 & 5 .xpcr:- Add Inser: Copy
3ckte
Move Up |
Chcdcsum| Send ScndAII
| Packet No. | - * Packet Info: Padrec ttacer; ^ Backer Le=ath: Captnred Length: Delta Tine E d Ethernet Type I I j y iJ f s t ia t i Mdress: JUfSouic? U d m 9 : Protocol: E-.J I? - Internet Protocol ! Version 0 i 0 Me* 1: length g>-0 Differentiated Services Field j j 0 Srvlcf Cod*pcint j > Trr.*por1 ?101 .col w ill 1903c* tii* C C b it : 9 Coaaastios 000004
64
!***
-J
C o la s o ft Packet B u ild e r en ables c re a tin g c u s to m n e tw o rk pa ckets to a u d it n e tw o rk s fo r v a rio u s a tta c k s
A tta c k e rs can also use it to c re a te fra g m e n te d packets to bypass fire w a lls a n d IDS system s in a n e tw o rk
60 0.100000 Second [0/14] 00: 00: 00: 00: 00:00 [ 0/ 6] 00: 00: 00:00 : 00:00 [ 6/ 6] 0x0800 (Inter: [14/20] 4 xFO [U / 1 ] O S <20 Bytes) [ 1 < 0000 oaoo xPF [15/1! O 0000 00.. [18/1] OxfC .......... 0. (Ignoi [15/1] ............ 0 (Xu Coixjumlon)
< 1
1
Total
<
6fl bytet
i>HuEdfco!
http://www. colasoft. com
Copyright by EG-Gaoncil. All Rights Reserved. Reproduction is S trictly Prohibited
C re a te
C u s to m
P a c k e ts u s in g
T C P
F la g s
Source: h ttp ://w w w .c o la s o ft.c o m Colasoft Packet Builder is a to o l th a t allows you to create custom n e tw o rk packets and also allows you to check the n e tw o rk against various attacks. It allows you to select a TCP packet fro m the provided tem plates, and change the p aram ete rs in the decoder e d ito r, hexadecimal e d ito r, o r ASCII e d ito r to create a packet. In a dd itio n to building packets, Colasoft Packet B uilde r also supports saving packets to packet files and sending packets to the netw ork.
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Colasoft Packet Builder

File Edit Send H elp
Im p o rt
E x p o rtw
Add
Insert
C o py
Pas-
Delete
| x
4*
Send
*fc *
Send A ll
M o ve
D ecode E ditor
P a cke tN o . 4
No. 2 3
L e n g th : L e n g th :
'w E I & B r S B
Delta T im e 0.100000 0.100000 0.100000 0.100000 Source 00:00:00:00:1 0.0.0.0 0.0.0.0:0 0.0.0.0:0
Packet Info: a P a c k e t N u m b e r:
<3 *P a c k e t !^ H H C a p tu re d D e lta
- > Ethernet T ype II

D e s tin a tio n S o u rc e A d d re s s : A d d re s s : P r o to c o l:
0
T im e
6 0 0.100000 S e cond
[0 /1 4 ]
IP - Internet Protocol
j & : E3@ | V e r s io n Header L e n g th S e r v ic e s F ie ld C o d e p o in t ig n o r e th e CE b i t D iffe r e n t ia t e d
00:00:00:00:00:00 00:00:00:00:00:00 0x0 800

[1 4 /2 0 ] [1 4 /1 ] (2 0
[0/6] [6/6]
(In te rn OxFO [1 4
B y te a ) O xF F O xFC
_~ D if f e r e n t ia t e d O T ra n s p o rt C o n g e s tio n
S e r v ic e s
0000 0 0 0 0 0000 00..

...........0.
[1 5 /1 ] [1 5 /1 ] (Ig n o re )
P ro to c o l w i l l
[1 5 /1 ]
~~
..........0
(N o C o n g e s t i o n )
<L
jc% Hex E ditor T o ta l | 60 bytes
A
0 0 0 0 0 0 1 0 0 0 2 0 0 0 3 0 <
0 00 00 00 00 00 00 00 00 00 00 00 00 80 04 50 0 0 02 C0 00 04 00 04 01 13 AC O0 00 00 00 00 00 0 --- 0.0.s . 0 00 00 00 00 00 00 01 AF FB A0 00 00 00 00 00 0 0 00 00 00 00 00 00 00 00 00 00 00 0 T >
V/
: ...
FIGURE 3 .1 0 : C o la s o ft P acket B u ild e r S c re e n s h o t
ScanningIP v6N etw ork I I L a 1

IPv6 increases the IP address size fro m 32 bits to 128 bits, to support m ore levels o f addressing hierarchy
im ttiM
C E H
tUx*l lUckM
Traditional ne tw ork scanning techniques w ill be c o m p u ta tio n a lly less feasible due to larger search space (64 bits o f host address space o r 2s4 addresses) provided by IPv6 in a subnet
Scanning in IPv6 ne tw ork is more d iffic u lt and com plex than the IPv4 and also m ajor scanning tools such as Nmap do no t support ping sweeps on IPv6 n e tw orks
Attackers need to harvest IPv6 addresses fro m n e tw o rk tra ffic , recorded logs o r Received fro m : and o th e r header lines in archived em ail o r Usenet news messages
Scanning IPv6 netw ork, however, offers a large num ber o f hosts in a subnet if an attacker can com prom ise one host in the subnet; attacker can probe the "all hosts" lin k local m ulticast address
Copyright by EC-ClUIICil. All Rights Reserved. Reproduction is S trictly Prohibited.
S c a n n in g IP v 6 N e t w o r k IPv6 increases the size o f IP address space fro m 32 bits to 128 bits to su pp o rt m ore levels o f addressing hierarchy. T raditional n e tw o rk scanning techniques w ill be co m p u ta tio n a lly less feasible due to larger search space (64 bits o f host address space o r 264 addresses) provided by IPv6 in a subnet. Scanning an IPv6 n e tw o rk is m ore d iffic u lt and com plex than IPv4 and also m a jo r scanning tools such as Nmap do n o t su p p o rt ping sweeps on IPv6 n etw o rks. A ttackers need to harvest IPv6 addresses fro m n e tw o rk tra ffic, recorded logs, o r Received fro m : and o th e r header lines in archived em ail o r Usenet news messages to id e n tify IPv6 addresses fo r subsequent p o rt scanning. Scanning IPv6 n etw o rk, how ever, offers a large n u m b e r o f hosts in a subnet; if an a ttacker can com prom ise one host in the subnet he can probe the "all hosts" link local m ulticast address.
ScanningT ool:N m ap
J J m o n ito rin g host or service u p tim e
C E H
N etw ork adm inistrators can use Nmap fo r n e tw o rk inven tory, managing service upgrade schedules, and Attacker uses Nmap to extract info rm atio n such as live hosts on th e n e tw o rk , services (application name and version), type o f packet filte rs /fire w a lls , op eratin g systems and OS versions
h ttp ://n m a p .o rg
S c a n n in g T o o l: N m a p Source: h ttp ://n m a p .o rg Nmap is a se curity scanner fo r n e tw o rk e xplora tio n and hacking. It allows you to discover hosts and services on a co m p u te r n etw o rk, thus creating a "m ap " o f the n etw o rk. It sends specially cra fted packets to th e ta rg e t host and then analyzes the responses to accom plish its goal. Either a n e tw o rk a d m in istra to r or an a ttacker can use this to o l fo r th e ir p articula r needs. N e tw o rk adm inistrato rs can use Nmap fo r n e tw o rk in v e n to ry , m anaging service upgrade schedules, and m o n ito rin g host o r service uptim e. Attackers use Nmap to e xtract in fo rm a tio n such as live hosts on the n etw o rk, services (application name and version), type o f packet filte rs /fire w a lls , o p e ra tin g system s, and OS versions.
Zenm ap
iM k (" > !j* N
* M
M o w K M * TCf M*
tel
Mi M l M M * I u n
T A . IV M M > *M O W !
!N tO n lw '
* 14
u n
4
) m ) M
MM D u
tu n
M l t lliw
I M .n iH I D U s ia ti w m i a m ia f t M VC
S t M tl* * < M t . I < M M r < f la t B L . M M I M f l K l #M K M | R | . B L W rlM
1 1 :1 1
HHM rtt * . I t *
V *. M t f )
!w ltia tln g 4 V !** S<M I t IS 22 W m w I m 1*2 144 144.S (1 t v t l
1 c ' 1m
C o M lr tM * V H r * U m a t : , M l * I m iH (I tv ta l M tf i) : M t l i t l *N r * u < c m r M lt f t iM * I * I t . t I f * H * i M r M lM tlM M I . *t . . H
t l H lli I n l t l M l f * Sm S t t t lt n Sm x i t 1S:22 k M i ^ W 1M IM S ( l ) t e r t i ] M K M f M M M M t I H t ( | M 1I2 I M 1 M S W w u r M M M PMt I M / t V M 1*2 IM 1M S M M M M M M W M M 44$/1( M IW 1 M .IM .1 M W M M M MW) W t 12 t<> on 1*2 144 IM S M M M t M>42 tcp on 1*2 IM .1 M .S T M l t l T l 1 ~ MOwt 22.22% m ac; I K : 19:24 ( 1 4 5
1 1
1 52 2
1 1 2 1 1 2 22 1
M M I/tu *
IKjuatL M m lfM WVCK

ft M H
|.
1 1 11 Ira* 1 1 1 0 \o * z 1 0 2 |7 f l l CPt: cp IcreM ^t inM n _ v 1 * f : :

*tw it M> M ^ U
4 4 12
v :
11I/1
S t i l l l uM i r t l SV.J U N f l w M *
'1 *M l lt I OM M I ( I 1 M i n P n lc e |t n t r l *tKfOM
MM M v l t!l *M
MMHyj
0 ll( 'M < t 0 %I r t t l l t :

MM V I. i r t r l M
M tf m *
W h 1 * T M M M M t M !2 .1 M 144 S M M l t l W ** 11*1 : ! M M .4 M M M ) I K l IS 24 1 M 4)
%f%
im tL m r n * .* %
c m :/ ! l cm In d M I . M r 't '. M N M l < : / i < r | M * t * lc r M M t id iM M IT t lt l V V V I . K U M ktM s ! I
C M letM W S t I t * k M at IS 24. N . t l i 1 m m 4 ( M t H t4l M t * ) *W v i< *CM t IS: 24 t a M l | MTviCM M 1*2 IM 1 m C M W * M SM *|C M M t IS: , M .M l l l M l M ( I I K <#I M t
'*1 1 *
l .S M M y ( l t * Him u i t i > m
* M )
12 1
l 0 l* lc.lt-2S4 ( i M i 1m 1)
MiM i
(PI
2 4
-<. M t10S mr:
H p in g2/ H ping3
J Command line packet crafter for the TCP/IP protocol J Tool for security auditing and testing firewall and networks J Runs on both Windows and Linux operating systems
UrtifW
C E H
itkMl lUikw
h ttp ://w w w . hping.org
f o o t g b t : - # h ping3 A 1 0 .0 .0 .2 -p 89
H P IN C18.0.0.2 (ethl 19.0.0.2): Aset, 4 0h e a d e rs + 0 d a ta b y te l le n = 4 0 ip-10.0.0.2 ttl=128 O F id=26 85spoci^0 flags-R s e q ^ 0w ln0 rtt=1.3 m s ^ le n ^4 0 ip-10.0.0.2 ttl=128 O F id -2 6 5 8 6 sport-ee-flags-R se q -1 w ln = 0 rtt=6.8 m s le n = 4 0 ip-10.0.0.2 ttl=128 O F id = 2 6 0 8 7 sport-8G fflags= R Ie q ^2 w
in = o r = le n - 4 0 i p - 1 0 . 0 . 0 . 2 1n=0 r t t = 8 . 9 ms le n = 4 0 ip = 1 0 ^ L 0 . 2
11 1.0
ttl- 1 2 8
OF id - 2 6 0 8 8 s p o r t - 8 0 f lo g s - R
s c q -3 w
t t l = 1 2 8 DF id - 2 6 6 8 9 5 p o rjt= 8 e f t c g s f R s e q - 4 w
J le n = 4 6 ip=10.0.3.2 ttl=128 O F id = 2 6 0 9 1 sp o rt= 8 0 fla g s= Rs e q = 6w in = 0 rtt=e.7 m s le n = 4 0 ip= 10.O .0.2 ttl=128 O F id26092 sport80 flags^R s e q = 7w ln = 8 rtt=8.8 n s len-40 ip-10.0.0.2 ttl-128 O Fid -2 6 0 9 3 5port-80 flegsRse q -8 w
ACK Scanning on p o rt 80
Copyright by EG-GMMCil. All Rights Reserved. Reproduction Is S trictly Prohibited.
len=4) 1^=10 .0.8 *?ttl=128 D F ld=26090 sport8 0 flags=R seq=5 in0 rtt-0 .5 m s
H p in g 2 /H p in g 3 Source: h ttp ://w w w .h p in g .o rg HPing2/HPing3 is a co m m a n d -lin e -o rie n te d TCP/IP packet assem bler/analyzer th a t sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It has Tra ce ro ute m ode, and enables you to send files betw een covert channels. It has the a b ility to send custom TCP/IP packets and display ta rg e t replies like a ping program does w ith ICMP replies. It handles fra g m e n ta tio n , a rb itra ry packets' body and size, and can be used in o rd e r to tra n sfe r encapsulated files under supported protocols. It supports idle host scanning. IP spoofing and n e tw o rk /h o s t scanning can be used to p erfo rm an anonym ous probe fo r services. An a tta cke r studies the behavior o f an idle host to gain in fo rm a tio n abo u t the ta rg e t such as the services th a t the host offers, the ports su pp o rtin g th e services, and the ope ra tin g system o f the targe t. This type o f scan is a predecessor to e ith e r heavier probing or o u trig h t attacks. Features: The fo llo w in g are some o f the features o f HPing2/HPing3: 9 e D eterm ines w h e th e r the host is up even w hen th e host blocks ICMP packets A dvanced p o rt scanning and te st net perform ance using d iffe re n t protocols, packet sizes, TOS, and fra g m e n ta tio n
M anual path MTU discovery Firew alk-like usage allows discovery o f open ports behind firew alls Remote OS fin g e rp rin tin g TCP/IP stack auditing
9
9 9
ICMP Scanning A ping sweep o r In te rn e t C o n trol Message P rotocol (ICMP) scanning is a process o f sending an ICMP request or ping to all hosts on the n e tw o rk to d ete rm ine w hich one is up. This p ro to co l is used by ope ra tin g system, ro u te r, sw itch, in terne t-p ro to co l-b a sed devices via the ping com m and to Echo re quest and Echo response as a co nn e ctivity te ste r betw een d iffe re n t hosts. The fo llo w in g screenshot shows ICMP scanning using the Hping3 to o l:
root@bt: ~
File E dit V iew Term inal H elp
root@ bt:~# h p i ng3 -1 10 .0 .0 .2 HPING 1 0 .0 .0 .2 ( e t h l 10 . 0 . 0 . 2 ) : icmp mode s e t, 28 headers + 0 d len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25908 icmp_seq=0 r t t = 2 . 2 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25909 icm p_seq=l r t t = 1 . 0 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25910 icmp_seq=2 r t t = 1 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25911 icmp_seq=3 r t t = 0 . 5 ms icmp seq=4 rtt= 0 .4 m s len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=2591% len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25913 icmp seq=5 r t t = l . l ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25914 icmp seq=6 r t t = 0 . 9 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25915 icmp seq=7 r t t = l . l ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25916 icmp seq=8 r t t = 0 . 9 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25917 icmp seq=9 r t t = l . l ms len=28 ip = 1 0 .0 . 0 . ^ > t t l= 128 id=25918 icmp seq=10 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25919 icm p _ se q = ll r t t = 1 . 2 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25920 icmp seq=12 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25921 icmp seq=13 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25922 icmp seq=14 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25923 icmp seq=15 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25924 icmp seq=16 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25925 icmp seq=17 r t t = 1 . 0 ms
FIGURE 3.12: Hping3 to o l show ing ICMO scanning o u tp u t
ACK Scanning on P ort 80 You can use this scan tech n iq ue to probe fo r the existence o f a fire w a ll and its rule sets. Simple packet filte rin g w ill allow you to establish connection (packets w ith the ACK b it set), whereas a sophisticated stateful fire w a ll w ill not a llow you to establish a connection. The fo llo w in g screenshot shows ACK scanning on p o rt 80 using the Hping3 to o l:
>v
* r o o ta b t: -
File Edit View Terminal Help
0 0 t@ b t:~ # h p in g 3 -A 1 0 . 0 . 0 . 2 p 80 HPING 1 0 .0 .0 .2 ( e t h l 1 0 . 0 . 0 . 2 ) : A s e t , 40 h ea d ers + 0 d a ta b y te s le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 6 0 8 5 s p a rJ t-8 0 fla g s = R seq=0 w in = 0 r t t = 1 . 3 ms le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 60 8 6 s p o rt= 8 0 fla g s = R s e q = l w in = 0 r t t = 0 . 8 ms -'" le n = 4 0 ip = 1 0 . 0 . 0 . 2 t t l= 1 2 8 DF id = 2 60 8 7 s p o rt= 8 9 fla g s = R seq=2 w in = 0 r t t = 1 . 0 ms le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 60 8 8 s p o rt= 8 0 ^ la g s = R seq=3 w in = 0 r t t = 0 . 9 ms le n = 4 0 ip = 1 0 J 0 .0 .2 t t l= 1 2 8 DF id = 2 6 0 8 9 s p o rt= 8 0 fla g s = R seq=4 w in = 0 r , t t = p . 9 ros ^ ^ J j I 4 ^ f j le n = 4 0 ip = lO . 0 . 0 . 2 t t l= 1 2 8 DF id=26O 90 s p o rt= 8 0 fla g s = R seq=5 w in = 0 r t t = 0 . 5 ms le n = 4 0 ip = lO . 0 . 0 . 2 t t l= 1 2 8 DF id = 2 6 0 9 1 s p o rt= 8 0 fla g s = R seq=6 w in = 0 r t t = 0 . 7 ms le n = 4 0 ip = 1 0 .0 .O .2 t t l= 1 2 8 DF id = 2 60 9 2 s p o rt= 8 0 fla g s = R seq=7 w in = 0 r t t = 0 . 8 ms le n = 4 0 ip = 1 0 .0 .O .2 t t l= 1 2 8 DF id = 2 6 0 9 3 s p o rt= 8 0 fla g s = R seq=8 v
FIGURE 3.13: Hping3 to o l show ing ACK scanning o u tp u t
H pingC om m ands
ICMP Ping SYN scan on port 50-60
h p in g 3 -1 10.0.0.25 h p in g 3 -8 5 0 -5 6 -S
U rtifM
H cE
ItkKJl N m Im
1 0 .0 .0 .2 5
-V
ACK scan on port 80
FIN, PUSH a n d URG scan o n p o r t 80
hpng3
-A
1 0.0.0.25
-p
80
h p in g 3
-F
-p
-U
1 0 .0 .0 .2 5
-p
80
UDP scan on port 80
Scan entire subnet for live host

h p in g 3 -1 1 0 .0 .1 .x ra n d -d e s t
h p in g 3
-2
1 0.0.0.25
-p
80
-I ethO
sig n a tu re h p in g 3
Collecting Initial Sequence Number
In te rc e p t a ll t r a ffic co n ta in in g HTTP
h p in g 3
1 9 2 .1 6 8 .1 .1 0 3
-Q
-p
139
-9
HTTP
- I
e th O
Firewalls and Time Stamps

h p in g 3 -S 7 2 .1 4 .2 0 7 .9 9 -p 80
SYN flooding a victim

h p in g 3 -S 1 9 2 .1 6 8 .1 .1 -p 22 -a
t c p tim e s ta m p
1 9 2 .1 6 8 .1 .2 5 4
flo o d
Copyright by EC-CM ICil. All Rights Reserved. Reproduction is S trictly Prohibited.
H p in g
C o m m a n d s
The fo llo w in g table lists various scanning m ethods and respective Hping com m ands:
Scan ICMP ping ACK scan on port 80 UDP scan on port 80 Collecting initial sequence number Firewalls and time stamps SYN scan on port 50-60 FIN, PUSH and URG scan on port 80 Scan entire subnet for live host Intercept all traffic containing HTTP signature SYN flooding a victim
Commands hping3 -1 1 0.0.0.25 hping3 -A 10 .0 .0 .2 5 -p 80 hping3 -2 1 0.0.0.25 -p 80 hping3 192.168.1.103 -Q -p 139 -s hping3 -S 72.14.207.99 -p 80 --t c p timestamp hping3 -8 50-56 -S 10 .0 .0.2 5 -V hping3 -F -p -U 10 .0.0.25 -p 80 hping3 -1 1 0 .0 .1 .x --rand-dest - I ethO hping3 9 H TTP - I ethO hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flo o d
TABLE 3.1: Hping C om m ands Table
ScanningT echniques
TCP Connect / Full Open Scan Stealth Scans IDLE Scan ICMP Echo Scanning/List Scan
T E C
SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning ACK Flag Scanning
H
N
I o
u
E
Copyright by EG-GlOOCil. All Rights Reserved. Reproduction is S trictly Prohibited.
S c a n n in g T e c h n iq u e s Scanning is the process o f g ath erin g in fo rm a tio n about the systems th a t are alive and responding on the n etw o rk. The p o rt scanning tech n iq ue s are designed to id e n tify the open ports on a targe te d server or host. This is o fte n used by adm inistrato rs to ve rify security policies o f th e ir netw orks and by attackers to id e n tify running services on a host w ith the in te n t o f com prom ising it. D iffe re n t types o f scanning tech n iq ue s e m p loye d include: TCP Connect / Full Open Scan Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan IDLE Scan ICMP Echo Scanning/List Scan SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning ACK Flag Scanning
The following is the list of important reserved ports: Name

echo echo d is c a r d d is c a r d s y s ta t d a y t im e d a y t im e n e ts ta t q o td c h a rg e n c h a rg e n ftp -d a ta ftp ssh te ln e t s m tp t im e t im e r ip n ic n a m e d o m a in d o m a in s q l* n e t s q l* n e t b o o tp s b o o tp s b o o tp c
Port/Protocol
7 /tc p 7 /u d p 9 /tc p 9 /u d p 1 1/tcp 1 3/tcp 13/udp 1 5/tcp 1 7/tcp 1 9/tcp 19/udp 2 0 /tcp 2 1 /tcp 2 2 /tcp 2 3 /tcp 2 5 /tcp 3 7 /tcp 3 7/u dp 3 9/u dp 4 3 /tcp 5 3 /tcp 5 3/u dp 6 6 /tcp 6 6/u dp 6 7 /tcp 6 7/u dp 6 8 /tcp
Description
sink null sink null Users
Q uote tty ts t source tty ts t source ftp data tra nsfe r ftp com m and Secure Shell
M ail Tim eserver Tim eserver resource location w ho is dom ain name server dom ain name server Oracle SQL*net Oracle SQL*net boo tp server boo tp server boo tp client
b o o tp c tftp t f tp gopher fin g e r w w w - h ttp w w w - h ttp k e rb e ro s k e rb e ro s P P 2 Pop 3 s u n rp c s u n rp c a u th /id e n t a u th a u d io n e w s a u d io n e w s n n tp n n tp n tp Name n tp n e tb io s - n s n e tb io s - n s n e t b io s - d g m n e t b io s - d g m n e t b io s - s s n n e t b io s - s s n im a p
6 8/u dp 6 9 /tcp 6 9/u dp 7 0 /tcp 7 9 /tcp 8 0 /tcp 8 0 /u d p 8 8 /tcp 8 8 /u d p 1 09/tcp 1 10 /tcp 111 /tcp 111/udp 1 13/tcp 113/udp 114 /tcp 114/udp 119 /tcp 119/udp 123 /tcp P ort/P ro toco l 123/udp 1 37 /tcp 137/udp 1 38/tcp 138/udp 1 39/tcp 139/udp 143 /tcp
boo tp client Trivial File Transfer Trivial File Transfer gopher server Finger WWW WWW Kerberos Kerberos PostOffice V.2 PostOffice V.3 RPC 4.0 p o rtm a p p e r RPC 4.0 p o rtm a p p e r A u th e n tica tio n Service A u th e n tica tio n Service A udio News M u ltica st A udio News M u ltica st Usenet N e tw o rk News Transfer Usenet N e tw o rk News Transfer N e tw o rk Time Protocol Description N e tw o rk Time Protocol NETBIOS Name Service NETBIOS Name Service NETBIOS Datagram Service NETBIOS Datagram Service NETBIOS Session Service NETBIOS Session Service In te rn e t Message Access Protocol
im a p s q l- n e t s q l- n e t s q ls r v s q ls r v snmp snmp s n m p -tra p s n m p -tra p c m ip -m a n c m ip -m a n c m ip - a g e n t c m ip - a g e n t ir e ir e a t- rtm p a t- rtm p a t-n b p a t- n b p a t-3 a t-3 a t- e c h o a t- e c h o a t-5 a t-5 a t- z is a t- z is a t- 7
143/udp 150 /tcp 150/udp 156/tcp 156/udp 1 61/tcp 161/udp 162 /tcp 162/udp 1 63/tcp 163/udp 1 64/tcp 164/udp 1 94/tcp 194/udp 2 01 /tcp 2 01 /ud p 2 02 /tcp 2 02 /ud p 203 /tcp 2 03 /ud p 2 04 /tcp 2 04 /ud p 2 05 /tcp 2 05 /ud p 2 06 /tcp 2 06 /ud p 2 07 /tcp
In te rn e t Message Access Protocol SQL-NET SQL-NET SQL Service SQL Service
CMIP/TCP M anager CMIP CMIP/TCP Agent CMIP In te rn e t Relay Chat In te rn e t Relay Chat AppleTalk Routing M aintenance AppleTalk Routing M aintenance AppleTalk Name Binding AppleTalk Name Binding AppleTalk AppleTalk AppleTalk Echo AppleTalk Echo AppleTalk AppleTalk AppleTalk Zone Info rm a tio n AppleTalk Zone Info rm a tio n AppleTalk
a t- 7 a t- 8 a t- 8 ip x ip x im a p 3 im a p 3 a u rp a u rp n e tw a r e - ip n e tw a r e - ip Name rm t rm t 5 4 e rb e ro s 5 4 -d s 5 4 e rb e ro s 5 4 -d s is a k m p fc p exec c o m s a t/ b if f lo g in who s h e ll s y s lo g p r in te r p r in te r ta lk ta lk n ta lk
2 07 /ud p 2 08 /tcp 2 08 /ud p 2 13 /tcp 2 13 /ud p 2 20 /tcp 2 20 /ud p 3 87 /tcp 3 87 /ud p 3 96 /tcp 3 96 /ud p P ort/P ro toco l 4 1 1 /tcp 4 1 1 /u d p 4 4 5 /tcp 4 4 5 /u d p 5 00 /ud p 5 1 0 /tcp 5 12 /tcp 5 12 /ud p 5 1 3 /tcp 5 13 /ud p 5 14 /tcp 5 14 /ud p 5 15 /tcp 5 15 /ud p 5 1 7 /tcp 5 17 /ud p 5 18 /ud p
AppleTalk AppleTalk AppleTalk
Interactive M ail Access Protocol v3 Interactive M ail Access Protocol v3 AppleTalk Update-Based Routing AppleTalk Update-Based Routing Novell N etw are over IP Novell N etw are over IP Description Remote m t Remote m t
ISAKMP/IKE First Class Server BSD rexecd(8) used by mail system to n o tify users BSD rlogind(8) w hod BSD rw hod(8) cmd BSD rshd(8) BSD syslogd(8) spooler BSD lpd(8) P rinter Spooler BSD talkd(8) Talk New Talk (ntalk)
n ta lk n e tn e w s uucp uucp k lo g in k lo g in k s h e ll k s h e ll
5 18 /ud p 5 3 2 /tc p 5 40 /tcp 5 40 /ud p 5 43 /tcp 5 43 /ud p 5 44 /tcp 5 44 /ud p
SunOS talkd(8) R eadnew s uucpd BSD uucpd(8) uucpd BSD uucpd(8) Kerberos Login Kerberos Login Kerberos Shell Kerberos Shell krcm d Kerberos encrypted re m o te shell -k fa ll ECD Integrated PC board srvr NFS M o u n t Service PC-NFS DOS A u th e n tica tio n BW-NFS DOS A u th e n tica tio n Flexible License M anager Flexible License M anager Kerberos A d m in istra tio n Kerberos A d m in istra tio n kdc Kerberos a u th e n tic a tio n tcp Kerberos
e k s h e ll
5 45 /tcp
p c s e rv e r m ount p c n fs b w n fs f le x lm f le x lm 5 6 e rb e ro s -a d m 5 6 e rb e ro s -a d m k e rb e ro s k e rb e ro s 5 6 e r b e r o s mas te r 5 6 e r b e r o s mas te r k rb _ p ro p
6 00 /tcp 6 35 /ud p 6 40 /ud p 6 50 /ud p 7 44 /tcp 7 44 /ud p 7 49 /tcp 7 49 /ud p 7 50 /tcp 7 50 /ud p
7 51 /ud p
Kerberos a uth e n tica tio n
7 51 /tcp
Kerberos a uth e n tica tio n
7 54 /tcp
Kerberos slave propagation
9 99 /ud p socks socks kpop m s - s q l- s m s - s q l- s m s - s q l- m m s - s q l- m Name p p tp p p tp nfs nfs e k lo g in r k in it kx k a u th ly s k o m s ip s ip x ll x ll ir e afs afs 1 080/tcp 1080/udp 1 109/tcp 1 433/tcp 1433/udp 1 434/tcp 1434/udp P ort/P ro toco l 1 723/tcp 1723/udp 2 04 9 /tcp 2049/udp 2 10 5 /tcp 2 10 8 /tcp 2 11 1 /tcp 2 12 0 /tcp 4 8 9 4 /tcp 5 06 0 /tcp 5060/udp 6 000-6063/tcp 6000-6063/udp 6 66 7 /tcp 7000-7009/udp 7000-7009/udp
TABLE 3.2: Reserved Ports Table
A pplixw are
Pop w ith Kerberos M icro so ft SQL Server M icro so ft SQL Server M icro so ft SQL M o n ito r M icro so ft SQL M o n ito r Description Pptp Pptp N e tw o rk File System N e tw o rk File System Kerberos encrypted rlogin Kerberos re m o te kin it X over Kerberos Remote kauth LysKOM (conference system) Session In itia tio n Protocol Session In itia tio n Protocol X W in d o w System X W in d o w System In te rn e t Relay Chat
J J
TCP C o n n e c t scan d e te c ts w h e n a p o rt is o p e n b y c o m p le tin g th e th r e e - w a y h a n d sh a ke TCP C o n n e c t scan e s ta b lis h e s a fu ll c o n n e c tio n an d te a rs it d o w n by se n d in g a RST packet
T C PC o n n e c t/ F u llO p e nS c a n C E H M
)SYN Packet + P ort (n S Y N /A C K Packet . . .
Scan result w hen a p o rt is open ^
m
A ttacker
......... A .t .5 S T . .......
Target
Scan result w hen a p o rt is closed
SVN Packet + Port Jn). ^
*
A ttacker
? ? . .
H
f ,
Target
T C P
C o n n e c t / F u ll O p e n S c a n
Source: h ttp ://w w w .in s e c u re .o rg TCP Connect / Full Open Scan is one o f the m ost re lia b le form s o f TCP scanning. The TCP connect() system call provided by an OS is used to open a connection to every in terestin g p o rt on th e machine. If the p o rt is listening, connect() w ill succeed; o therw ise, the p o rt isn't reachable.
m m
T C P
T h r e e - w
a y
H a n d s h a k e
In the TCP th re e -w a y handshake, the client sends a SYN flag, w hich is acknowledged
by a SYN+ACK flag by the server w hich, in tu rn , is acknow ledged by the clie n t w ith an ACK flag to com plete the connection. You can establish a connection fro m both ends, and te rm in a te fro m both ends individually.
V a n illa S c a n n in g
In vanilla scanning, once the handshake is com pleted, the clie n t ends the connection. If the connection is not established, the n the scanned m achine w ill be DoS'd, w hich allows you to make a new socket to be cre a te d /ca lle d . This confirm s you w ith an open p o rt to be scanned fo r a running service. The process w ill continue u ntil the m axim um p o rt threshold is reached.
If the p o rt is closed the server responds w ith an RST+ACK flag (RST stands fo r "R eset the co n n e c tio n "), whereas the client responds w ith a RST flag and here ends the connection. This is created by a TCP connect () system call and w ill be id e n tifie d instantaneously if the p o rt is opened or closed. M aking separate connects() call fo r every targeted p o rt in a linear fashion w o u ld take a long tim e over a slow connection. The a ttacker can accelerate the scan by using many sockets in parallel. Using non-blocking, I/O allows the a ttacker to set a low tim e -o u t period and w atch all the sockets sim ultaneously.
u isd a v d itia g e s
The draw back o f this type o f scan is easily d e te cta b le and filte ra b le . The logs in the
ta rg e t system w ill disclose the connection.
The Output
Initia tin g Connect () Scan against (172.17.1.23) Adding open p o rt 1 9/tcp Adding open p o rt 2 1 /tcp Adding open p o rt 1 3/tcp SYN Packet + Port (n) ............................... SYN / ACK Packet ACK + RST A tta c k e r
FIGURE 3.14: Scan results w h e n a p o rt is open
T a rg e t
SYN Packet + Port (n) ...................................... RST A t ta c k e r

FIGURE 3.15: Scan results w h e n a p o rt is closed
a rg e t
Zenmap
S < !n |oeh E o f.1 c fc jftp

T trg c t nmap 92 . 63 . 68 . ~vj Profile C o m m jn d
sT v n m ip 192-168.168.5 S trv K tt N m ip Output
H o sts H o s t
P o tts/H o sts T o p o lo g yH o s tD t hS c a n s
*sT v n m jp 192.168.168.5
192.168.168.5
Starting N ra p6 .6 1 ( http://n*ap.0 rg ) at 2 0 1 20 81 01 2 :0 4 dT i Initiating A R PP in gS c a n at 1 2 :0 4 S can n in g1 9 2 .1 6 8 .1 6 8 .5 (1 port] C o m p le te dA R PP in gS < a n at 1 2 :0 4 , 0.0 8 s elapsed (1 total hosts) Initiating Parallel D N Sresolution of 1host, at 1 2 :0 4 C o m p le te d Parallel D N Sresolution of 1host, at 1 2 :0 4 , 0.0 2 s elap sed Initiating C o n n e c tS c a n at 1 2 :0 4 S can n in g1 9 2 .1 6 8 .1 6 8 .S[1 0 0 0 ports] D isco v ered o p e n port 80/tcp o n1 9 2 .1 6 8 .1 6 8 .5 D isco v ered o p e n port 993/tcp o n1 9 2 .1 6 8 .1 6 8 .S D isco v ered o p e n port 808 0 /tcp o n1 9 2 .1 6 8 .1 6 8 .S D isco v ered o p e n port 2S /tcp o n1 9 2 .1 6 8 .1 6 8 .S D isco v ered o p e n port 13 9 /tcp o n1 9 2 .1 6 8 .1 6 8 .5 D isco v ered o p e n port 888 8 /tcp o n1 9 2 .1 6 8 .1 6 8 .S C o m p le te dC o n n e c tS c a n at 1 2 :0 4 ,4 0 .6 3 s elapsed (1 0 0 0 total ports) N a p scan report for 1 9 2 .1 6 8 .1 6 8 .S F ailed to resolve g iv en h o stn aaie/IP :n ap . N o te that y o ucan't u se '/ ask * A M D* 1*4,7,100 style IPranges. If the achine o n ly h as a n IP v 6 ad d ress* a d d the N a p -6 * lag to scan that. H o st is u p (0 .0 0 0 S 7 s latency), tot itjtotoi 9 8 0S filtered P O U T S T A T E E R V IC E ports 2S /tcp o p e nM tp 80/tcp o p e n http 1 1 0 /t< po p e np o p ) 119/tcp o p e nn n tp 13 S /tcp o p e n asrp cice 8081/tcp o p e n black icecap 808 8 /tcp o p e n radan-http 888 8 /tcp o p e n su n an tw e rb o o k M lA fltirC il. (O eil) R cta fllll flic! frw; C :\P rogra Files (x 8 6 )\N * ap U m pd o n e : 1IPadd ress (I h o st u p ) scan n ed in 4 3 .0 8 seco n d s R a xpackets sent: 1 (2 8 8 )|R c v d : 1 (2 8 8 )
FIGURE 3.16: Zenm ap Screenshot
S tea lthS c a n(H a lf-o p e nS c a n ) C E H

UrtifWtf ttkujl lUckM
A tta c k e rs use s te a lth scan ning te c h n iq u e s to bypass fire w a ll ru le s , lo g g in g m e c h a n is m , and hide th e m s e lv e s as usual n e tw o rk tra ffic
SYN (Port 80) SYN + ACK
Ste a lth S c a n P r o c e s s
,^ s /
Bill
1 0 .0 .0 .2 :2 3 4 2
...........................
a
Sheela
1 0 .0 .0 .3 :8 0
The client sends a single SYN packet to th e server on th e appropriate p o rt
Port is open
lf th e p o rt is open then th e server responds w ith a SYN/ACK packet
(ft
If th e server responds w ith an RST packet, then th e rem ote p o rt is in th e "closed" state
W N |P rlS n |
r
Bill
1 0 .0 .0 .2 :2 3 4 2
* O
j
Sheela
1 0 .0 .0 .3 :8 0
The client sends the RST packet to close the initiation before a connection can ever be established
Port is clo se d
S te a lth S c a n ( H a lf - O p e n S c a n ) Stealth scan sends a single fra m e to a TCP p o rt w ith o u t any TCP handshaking or a dd itio n al packet transfers. This is a scan type th a t sends a single fram e w ith the expectation o f a single response. The half-open scan p artially opens a connection, b ut stops halfw ay throu g h. This is also know n as a SYN scan because it only sends the SYN packet. This stops th e service fro m ever being n o tifie d o f the incom ing connection. TCP SYN scans or half-open scanning is a stealth m ethod o f p o rt scanning. The three -w ay handshake m e thodology is also implemented by the stealth scan. The difference is th a t in the last stage, re m o te ports are id e ntifie d by exam ining the packets e nte rin g the interface and te rm in a tin g the connection before a new in itia liza tio n was triggered. The process preludes the fo llo w in g : 9 To sta rt in itia liza tio n , the client forw a rd s a single "SYN" packet to the d estination server on the corresponding port. 9 The server actually in itiates the stealth scanning process, depending on th e response sent. 9 If th e server forw a rd s a "SYN/ACK" response packet, then the p o rt is supposed to be in an "OPEN" state.
M o d u le 0 3 Page 3 0 6
If the response is fo rw a rd e d w ith an "RST" packet, then the p o rt is supposed to be in a "CLOSED" state.
SYN (Port 80)
Bill
10.0.0.2:2342
Sheela
10.0.0.3:80
Port is open
FIGURE 3.16: S tealth Scan w h e n Port is Open
^
Bill
10.0.0.2:2342
...
P o r t is c lo s e d
FIGURE 3.17: S tealth Scan w h e n Port is Closed
Sheela
10.0.0.3:80
Zenm ap Tool Zenmap is the official graphical user in te rfa ce (GUI) fo r the Nm ap Security Scanner. Using this to o l you can save the fre q u e n tly used scans as profiles to make the m easy to run re cu rre ntly. It contains a com m and cre a to r th a t allows you to in teract and create Nmap com m and lines. You can save the Scan results and vie w the m in the fu tu re and th e y can be com pared w ith a no the r scan re p o rt to locate differences. The results o f the recent scans can be stored in a searchable database. The advantages o f Zenmap are as follow s: 9 9 e Q Q Interactive and graphical results view ing Comparison Convenience R epeatability D iscoverability
cr
S c !n lo o k profile H elp
Zenmap
Is
,Scan C ancel
n m a p 192.168.168.5 C om m and H osts OS w H ost * 192.168.168.5 * -sT -v n m a p 192.168.168.5 Services N m ap O u tp u t
P ro file
P orts / H osts
Topology
H ost Details
Scans
* -sT -v n m a p 192.168.168.5
*| 1
Details
Starting Nmap 6.01 ( http://nMp.org ) at 2012-0810 12:04 d Tii Initiating ARP Ping Scan at 12:04 Scanning 192.168.168.S [1 port] Completed ARP Ping Scan at 12:04, 0.68s elapsed (1 total hosts) Initiating Parallel ONS resolution of 1 host, at 12:04 Completed Parallel DNS resolution of 1 host, at 12:04, 0.02s elapsed Initiating Connect Scan at 12:04 Scanning 192.168.168.S [1000 ports) Discovered open port 80/tcp on 192.168.168.S Discovered open port 993/tcp on 192.168.168.S Discovered open port 8080/tcp on 192.168.168.S Discovered open port 2$/tcp on 192.168.168.S Discovered open port 139/tCp on 192.168.168.5 Discovered open port 8888/tcp on 192.168.168.5 Coaipleted Connect Scan at 12:04, 40.63s elapsed (lOOO total ports) N*ap scan report for 192.168.168.S failed to resolve given hostnaae/IP: nap. Note that you can't use ,/ask' ANO *1-4,7,100-' style IP ranges. If the Machine only has an IPv6 address, add the Neap 6 flag to scan that. Host is up (O.00OS7S latency). ><gt *towtn; 980 filtered ports PORT STATE SERVICE 2S/tcp open satp open http 80/tcp 110/tcp open pop 3 119/tcp open nntp 135/tcp ooen srpc 8081/tcp open blackice-icecap 8088/tcp open radan-http 8888/tcp open sun-answerbook (Dell)
Rtad tfiH f i l e t fr w ; C:\Progra Files (x86)\N*ap H*ap done: 1 IP address (1 host up) scanned in 43.08 seconds Rax packets sent: 1 (288) | Rcvd: 1 (288)
F i l t e r Hosts
FIGURE 3.18: Zenmap Showing Scanning Results
X m a s Scan
o
c E l\
U ftN M ftb.ul H.. fcM
FIN, URG, PUSH
FIN, URG, PUSH
No Response Attacker Server Attacker
m u ::: 1
Server
1 0 .0 .0 .8 :2 3 1 0 .0 .0 .8 :2 3
10.0.0.6
10.0.0.6
Port is closed
Port is open
In X m a s s c a n , a t ta c k e r s s e n d a TCP f r a m e t o a r e m o t e d e v ic e w ith U RG, ACK, RST, SYN, PSH , a n d FIN fla g s s e t
FIN s c a n o n ly w ith OS TC P/IP d e v e lo p e d a c c o r d in g t o RFC 7 9 3
It will n o t w o r k a g a in s t a n y c u r r e n t v e r s io n o f M ic r o s o f t W in d o w s
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
X m a s S c a n
-----------X m a s Scan is a p o r t scan t e c h n i q u e w i t h ACK, RST, SYN, URG, PSH, a n d FIN fla g s s e t t o
s e n d a TCP f r a m e t o a r e m o t e d e v ic e . If t h e t a r g e t p o r t is c lo s e d , t h e n y o u w i ll re c e iv e a r e m o t e s y s te m r e p ly w i t h a RST. You can use t h i s p o r t scan t e c h n i q u e t o scan la rg e n e t w o r k s a n d fin d w h i c h h o s t is u p a n d w h a t se rv ic e s it is o f f e r i n g . It is a t e c h n i q u e t o d e s c r ib e all TCP fla g sets. W h e n all fla gs a re set, s o m e s y s te m s h a n g ; so t h e fla g s m o s t o f t e n se t a re t h e n o n s e n s e p a t t e r n URG-PSH-FIN. This scan o n l y w o r k s w h e n s y s te m s a re c o m p l i a n t w i t h RFC 7 93 .
B SD N e tw o rk in g C o d e
T his m e t h o d is based o n BSD n e t w o r k i n g c o d e ; y o u can use th is o n l y f o r all t h e p o r ts o n t h e h o s t a re o p e n e d .
UNIX h o s ts
a n d it d o e s n o t s u p p o r t W i n d o w s NT. If t h is scan is d ir e c t e d a t a n y M i c r o s o f t s y s te m , it s h o w s
T ra n s m ittin g P a c k e ts
You can in itia liz e all t h e fla g s w h e n t r a n s m i t t i n g t h e p a c k e t t o a r e m o t e h o s t. If t h e t a r g e t s y s te m a c c e p ts p a c k e t a nd d o e s n o t s e n d a n y re s p o n s e , t h e p o r t is o p e n . If t h e t a r g e t s y s te m se nd s RST fla g , t h e p o r t is c lo s e d .
Advantage:
It a v o id s t h e IDS a n d TCP t h r e e - w a y h a n d s h a k e .
Disadvantage:
It w o r k s o n t h e UN IX p l a t f o r m o n ly .
FIN, URG, PUSH
No Response Attacker
10.0.0.6
Server
10.0.0.8:23
P o r t is o p e n
FIGURE 3.19: Xmas Scan when Port is Open
FIN, URG, PUSH
RST Attacker
10.0.0.6
Server
10.0.0.8:23
FIGURE 3.20: Xmas Scan when Port is Closed
Z e n m a p is t h e o ffic ia l g ra p h ic a l u s e r in t e r f a c e (GUI) f o r t h e N m a p S e c u r i t y S c a n n e r. U sing th is t o o l y o u can sa ve t h e f r e q u e n t l y used scans as p r o f i l e s t o m a k e t h e m easy t o r u n r e c u r r e n t l y .
Zenmap Scan 100It Profile Help
Target: nmap 192.I6S.168.}
Command: Hotts OS Host
91X v r
Services
Nmip Output Pcm/Hosts Topology Host Ottals S<ans -sX-v nmap 152.16S. 168.3
Start
Details
W
*
192.168.16S.5 192.168.168.3 S tA 'tin g Nmap 6.01 ( * t 2612 08 10 12:39 Standarc 1ie In it ia t i n g Ping Scan a t 12:39 Scanning 192.168.168.3 [1 p o rt] Completed ARP Ping Scan at 12:39, 0.07s elapsed (1 t o t a l hosts) In it ia t i n g P a ra lle l DNS resolution 0-f 1 host, a t 12:39 Completed P a r a lle l DNS reso lu tio n o* 1 host, at 12:39, 9.02s elapsed In it ia t i n g XMAS Scan at 12:3* Scanning 19 2.16 8.1 *8 .3 [10C po*ts] Increasing cnd delay *o r 192.168.168.3 0 to S du* to 108 out o f 358 dropped probes since la s t increase. Completed XMAS Scan at 12;39, 9.75s elapsed (1900 to ta l ports) Nra scan repo rt 197.1*3 .1 68 .3 F ailed o resolve given h o straee/IPr niwp. Note th a t you c a n 't use * / ? AHO *1 -4 ,7 ,1 8 0 s ty le IP ranges. I the wchine only ha? an IPv6 address. add the Mnap -6 fla g to scan th a t. Host is up (0.000023s la te rc y ). Not shovn; 997 clo jed ports PORT STATE SEUVICE 22 /tcp o o e r lfilte r e d ss* 88/tcp o p e r | f i l t e ed kerbercs-se: 548 tcp o p e r | f i lt e ed afp
A K P
from f
for
M A C A M rtu;
Rgttd tifltfl f l i p f r w i C:\Progra * lie s <x!6)\ta a o 1 IP a d lres t (1 host up) scanned in 12.19 seconds Rat. paccets sent: 13S3 <S4.188*8) I Rcvd: 998 (39.908K8)
FIGURE 3 .2 1 : Z e n m a p S h o w in g X m a s S c a n R e s u lt
Scan
J In FIN scan, attackers send a TCP frame to a remote host with only FIN flags set J FIN scan only with OS TCP/IP developed according to RFC 793 J It will not work against any current version of Microsoft Windows J *
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
>
F IN
S c a n
------------
FIN Scan is a t y p e o f p o r t scan. T h e c l i e n t s e n d s a FIN p a c k e t t o t h e t a r g e t p o r t , a n d if
t h e se rv ic e is n o t r u n n i n g o r if t h e p o r t is c lo s e d it r e p lie s t o y o u w i t h t h e p r o b e p a c k e t w i t h an RST.
FIN
No Response
Attacker
10.0.0.6
10.0.0.8:23
P o r t is o p e n
FIGURE 3.22: FIN Scan when Port is Open
Attacker
10.0.0.6
FIGURE 3.23: FIN Scan when Port is Closed
Zenmap
Scan Target Joels grofik fcjdp [Scan:
Cancel
E H
nmap 192.168.168.3
Command: Hosts OS * Host *
ifv nmap 192.168.168.3

Nmap Output Ports / Hosts Topo*og> Host Details Scans
if -v nmap 192.168.168.3
192.168.168.5 192.168.168.3
S ta r t i n g N m p 6.01 ( h t t p :/ / n M p .o r g ) a t 2012-01-10 12:35 S tandard Tiae I n i t i a t i n g ARP Ping Scan a t 12:35 Scanning 192.1 6 * .1 6 1 .3 [1 p o rt] Completed ARP Ping Scan a t 12:35, 0 .0 7 s e la p se d (1 t o t a l h o s ts ) I n i t i a t i n g P a r a ll e l DNS re s o lu tio n o f 1 h o s t, a t 12:35 Completed P a r a ll e l 0NS r e s o lu t i o n o f 1 h o s t, a t 12:35, 0 .1 0 s ela p se d I n i t i a t i n g FIN Scan a t 12:35 Scanning 1 9 2 .1 6 0 .16S .3 [1000 p o rts ] In c re a s in g send dela y fo r 192.1 6 9 .1 6 8 .3 f r o 0 t o 5 due t o 108 o u t o f 358 dropped probes s in c e l a s t in c re a s e . In c re a s in g send dela y f o r 192.1 6 8 .1 6 8 .3 fr o * 5 to 10 due to a x _ s u c c e s s fu l_ try n o in c re a s e to 4 Completed FIN Scan a t 12:35, 11.78s ela p se d (1000 t o t a l p o r ts ) *toap scan re p o rt f o r 192.168.168.3 F a ile d t o re s o lv e g iven h o s tn a e /IP : naap. Note t h a t you c a n 't use */ a s k AND 4, 7, 100*1 ' s t y l e IP ra n g e s . I f th e achine only has an IPv6 a d d r e s s , add th e Nap *6 f l a g t o scan t h a t . Host i s up (0.0000050s l a te n c y ) . Ugl-itHM?; 997 c lo s e d p o rts PORT STATE SERVICE 22/ t c p o p e n |f i i t e r e d ssh 88/ t c p o p e n j f i l t e r e d *cerperos sec S 4 8 /tc p o p e n j f i l t e r e d afp
* A i.A M Ttti;
Rctti d i t l f l i t * ff g g j C :\P ro g ra F ile s (x86)\N ap Nwap done: 1 IP a d d re ss (1 h o s t up) scanned in 14.28 seconds Rat p a c k e ts s e n t: 1378 (55.108K8) I Rcvd: 998 (39.908KB)
FIGURE 3.24: Zenmap showing FIN Scan Result
N U L L Scan
P o rt is o p en
TCP Packet with NO Flag Set
CEH
9H
Attacker
No Response
10.0.0.6 In N U LLscan, attackers send a TCP frame to a remote host with NO Flags N U LLscan only works if OS' TCP/IP implementation is developed according to RFC 793 It will not work against any current version of Microsoft Windows
N U L L S c a n
NULL scans se n d TCP p a c k e ts w i t h all fla g s t u r n e d o f f . It is a s s u m e d t h a t c lo s e d p o r ts
w i ll r e t u r n a TCP RST. P a ckets r e c e iv e d by o p e n p o r t s a re d is c a rd e d as in v a lid . It sets all fla gs o f TCP h e a d e rs , such as ACK, FIN, RST, SYN, URG a nd PSH, t o NULL o r u n a s s ig n e d . W h e n a n y p a c k e ts a r r iv e a t t h e s e rv e r, BSD n e t w o r k i n g c o d e i n f o r m s t h e k e r n e l t o d r o p t h e i n c o m i n g p a c k e t if a p o r t is o p e n , o r r e t u r n s an RST fla g i f a p o r t is clo s e d . This scan uses fla gs in t h e r e v e rs e fa s h io n as t h e X m a s scan, b u t gives t h e s a m e o u t p u t as FIN a n d X m a s t r e e scans. M a n y n e t w o r k c o d e s o f m a j o r o p e r a t i n g s y s te m s can b e h a v e d i f f e r e n t l y in t e r m s o f r e s p o n d in g t o t h e p a c k e t, e.g., M i c r o s o f t v e rs u s UNIX. This m e t h o d d o e s n o t w o r k f o r M i c r o s o f t o p e r a t i n g s y s te m s . C o m m a n d lin e o p t i o n f o r n u ll s c a n n in g w i t h N M A P is " - s N "
Advantage:
It a v o id s IDS a nd TCP t h r e e - w a y h a n d s h a k e .
Disadvantage:
It w o r k s o n l y f o r UNIX.
P o r t is o p e n
T C P Packet with N O Flag Set
C E
31 ^
> N o Response
Attacker
Server 10.0.0.8:23
10.0.0.6 FIGURE 3.25: NULL Scan when Port is Open
T C P Packet with N O Flag Set
f c _ 5 RST/ACK Attacker
Server 10.0.0.8:23
10.0.0.6 FIGURE 3.26: NULL Scan when Port is Closed

Zenmap
S c jn T a rg e t: J o o ls P ro file
E lio ]
Scan
n m a p 192.168.168.3 * - s N v n m a p 192.168.168.3
Com m and: H o sts OS H ost
N m a p O u tp u t
P o r ts / H o s ts
T o p o lo g y
H o s t D e ta ils
S ta n s
s N - v n m a p 192.168.168.3
192.168.168.5 192.168.168.3
Starting N m ap 6.01 ( http://nxap.org ) at 2012-08-10 12:41 Standard Tine Initiating A R P Ping Scan at 12:41 Scanning 192.168.16a.3 (1 port) Com pleted A R P Ping Scan at 12:41, 0.06s lapsed < 1 total hosts) Initiating Parallel D N S resolution of 1 host, at 12:41 Com pleted Parallel D N S resolution of 1 host, at 12141, 0.02s elapsed Initiating N U L L Scan at 12:41 Scanning 192.168.168.3 [1000 ports) Increasing send delay for 192.168.168.3 froet 0 to S due to 21S out of 71S dropped probes since last increas*. Com pleted N U L L Scan at 12:41, 8.23s elapsed (1000 total ports) N oap scan report for 192.168.168.3 Failed to resolve given hostnaxe/IP: nm ap. N ote that you can't use /ask* A N D 1-4,7,100 'style IP ranges. If the achine only has an IPv6 address, add the N aap -6 flag to scan that. H ost is up (0.00s latency). N ot show n: 997 closed ports P O R T S T A T t S E R V IC E 22/tcp open|filtered ssh 88/tcp openjfiltered kerberos-sec 548/tcp openjfiltered afp
M AC A fld r c n ;
R ead data files fro: C:\Progran Files (x86)\N m ap N n p done: 1 IP address (1 hostup) scannedin 10.66 seconds R an packets sent: 1844(73.748K B) | R cvd: 998 (39.908K B)
FIGURE 3.27: Zenmap showing NULL Scan Result
ID L E S ca n
M o st n e tw o rk s e rv e rs listen o n TCP p o rts , su ch a s w e b s e rv e rs o n p o r t 80 a n d m ail s e rv e r s o n p o r t 25. P o rt is c o n s id e re d " o p e n " if a n a p p lic a tio n is listening o n th e p o rt
CEH
A m a c h in e t h a t re c e iv e s a n u n so lic ite d SYN | ACK p a c k e t will re s p o n d w ith an RST. An u n so lic ite d RST will b e ig n o re d
O n e w ay to d e te r m in e w h e th e r a p o rt is o p e n is to s e n d a "SYN" (sessio n e s ta b lis h m e n t) p a c k e t to th e p o rt
Every IP p a c k e t o n th e I n te rn e t h a s a " f ra g m e n t id e n tific a tio n " n u m b e r (IP ID)
T he ta r g e t m a c h in e will s e n d back a "SYN | ACK" (sessio n r e q u e s t a c k n o w le d g m e n t) p a c k e t if th e p o rt is o p e n , a n d a n "RST" (R eset) p a c k e t if th e p o rt is clo sed
OS in c re m e n ts th e IP ID fo r e a c h p a c k e t s e n t, th u s p ro b in g a n IP ID gives a n a tta c k e r th e n u m b e r o f p a c k e ts s e n t sin ce last p ro b e
t f
C o m m an d P rom pt
C:\>nmap -Pn -p- -si wvrw.juggyboy.com www.certifiedhacker.com Starting N m ap ( http://nmap.org ) Idlescan using zom bie w w w .3uggyboy.com (192.130.18.124:80); Class: Incremental N m ap scan report for 198.182.30.110 (The 40321 ports scanned but not Port State Service open 21/tcp ftp open sm tp 25/tcp open 80/tcp http N m ap done: 1 IP address (1 host tip) scanned in 1931.23 seconds
Copyright by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
ID L E
S c a n
T h e id le scan is a TCP p o r t scan m e t h o d t h a t y o u can use t o s e n d a s p o o f e d s o u r c e a d d re s s t o a c o m p u t e r t o f i n d o u t w h a t s e rv ic e s a re a v a ila b le a n d o f f e r s c o m p l e t e b lin d s c a n n in g o f a r e m o t e h o s t. This is a c c o m p lis h e d b y i m p e r s o n a t i n g a n o t h e r c o m p u t e r . N o p a c k e t is s e n t f r o m y o u r o w n IP a d d re s s ; in s te a d , a n o t h e r h o s t is used , o f t e n ca lle d a " z o m b i e , " t o scan th e re m o te host and d e te rm in e th e o pe n p o r ts . T his is d o n e by e x p e c t i n g t h e s e q u e n c e n u m b e r s o f t h e z o m b ie h o s t a n d if t h e r e m o t e h o s t ch e c k s t h e IP o f t h e s c a n n in g p a r ty , t h e IP o f t h e z o m b ie m a c h in e w ill s h o w up.
Understanding TCP/IP
S o u rc e : h t t p : / / n m a p . o r g Id le s c a n n in g is a s o p h is t ic a t e d p o r t s c a n n in g m e t h o d . You d o n o t n e e d t o be a TCP/IP e x p e r t t o u n d e r s t a n d it. You n e e d t o u n d e r s t a n d t h e f o l l o w i n g basic fa c ts : Q M o s t o f t h e n e t w o r k s e rv e rs lis te n o n TCP p o r ts , such as w e b s e rv e rs o n p o r t 8 0 and m a il s e rv e rs o n p o r t 25. A p o r t is c o n s id e r e d " o p e n " if an a p p li c a t i o n is l is te n in g o n t h e p o r t ; o t h e r w i s e it is clo se d .
T o d e t e r m i n e w h e t h e r a p o r t is o p e n , se nd a session e s t a b l i s h m e n t "S Y N " p a c k e t t o t h e p o r t . T h e t a r g e t m a c h in e r e s p o n d s w i t h a session r e q u e s t a c k n o w l e d g m e n t "SYN | ACK" p a c k e t if t h e p o r t is o p e n a n d a R eset "RST" p a c k e t if t h e p o r t is clo se d .
A m a c h in e t h a t r e c e iv e s an u n s o lic ite d SYN | ACK p a c k e t r e s p o n d s w i t h an RST. An u n s o lic it e d RST is ig n o r e d .
E ve ry IP p a c k e t o n t h e I n t e r n e t has a " f r a g m e n t i d e n t i f i c a t i o n " n u m b e r . M a n y o p e r a t i n g s y s te m s s i m p l y i n c r e m e n t t h is n u m b e r f o r e v e r y p a c k e t t h e y se n d . So p r o b i n g f o r th is n u m b e r can te ll an a t t a c k e r h o w m a n y p a c k e ts h a v e b e e n s e n t since t h e last p r o b e .
F ro m th e s e fa c ts , it is p o s s ib le t o scan a t a r g e t n e t w o r k w h i l e f o r g i n g y o u r i d e n t i t y so t h a t it lo o k s like an i n n o c e n t " z o m b i e " m a c h in e d id t h e s c a n n in g .
Command Prompt
FIGURE 3.28: Nmap Showing Idle Scan Result
I D L E S c a n : S te p 1
CEH
Every IP p a c k e t o n th e I n te rn e t h as a f ra g m e n t id e n tific a tio n n u m b e r (IP ID), w hich increases eve ry tim e a

host sends; IP packet
Attacker
RST Packet FIGURE 3.29: IPID Probe Request and Response
Zombie
Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number
In t h e f i r s t ste p , y o u can se n d a session e s t a b l i s h m e n t "S YN" p a c k e t o r
IPID p r o b e t o d e t e r m i n e
w h e t h e r a p o r t is o p e n o r clo s e d . If t h e p o r t is o p e n , t h e " z o m b i e " r e s p o n d s w i t h a session r e q u e s t a c k n o w l e d g m e n t "SYN | ACK" p a c k e t c o n t a i n i n g t h e IPID o f t h e r e m o t e h o s t m a c h in e . If t h e p o r t is c lo s e d , it se nd s a re s e t "RST" p a c k e t. E v e ry IP p a c k e t o n t h e I n t e r n e t has a " f r a g m e n t i d e n t i f i c a t i o n " n u m b e r , w h i c h is i n c r e m e n t e d by o n e f o r e v e r y p a c k e t tr a n s m is s io n . In t h e a b o v e d ia g r a m , t h e z o m b ie r e s p o n d s w i t h
IPID=31337.
I D L E S c a n : S te p 2 a n d 3
Step 2
CEH
J Send SY N packet to the target machine (port 80) spoofing the IP address of the "zombie" J If the port is open, the target will send SYN/ACK Packet to the zombie and in response zombie sends RSTto the target J If the port is closed, the target will send RST to the "zombie" but zombie will not send anything back
SYN Packet to port 80 spoofing zombie IP address
4V C
Attacker
r t o s f f i S S * 5 " T e"
Zom bie P o r t is o p e n
j
;
Step 3
J Probe "zombie" IPID again
IPID Probe SYN / ACK Packet
Response: IPID=31339 RST Packet A tta c k e r IPID incremented by 2 since Step 1, so port 80 must be open
ID L E
S c a n : S te p
2 a n d
I d l e S c a n : S te p 2 .1 ( O p e n P o r t )
" Send a SYN p a c k e t t o t h e t a r g e t m a c h in e ( p o r t 80) s p o o f i n g t h e IP a d d re s s o f t h e
" z o m b i e . " If t h e p o r t is o p e n , t h e t a r g e t w ill se n d t h e S Y N /A C K p a c k e t t o t h e z o m b ie a n d in r e s p o n s e t h e z o m b ie se nd s t h e RST t o t h e t a r g e t . SYN Packet to port 80 spoofing zombie IP address
Attacker
QOO
Target
Zombie
P o rt is o p e n
FIGURE 3.30: Target Response to Spoofed SY N Request when Port is Open I d l e S c a n : S te p 2 .2 ( C l o s e d P o r t)

T h e t a r g e t w i ll se nd t h e RST t o t h e " z o m b i e " if t h e p o r t is c lo s e d , b u t t h e z o m b ie w ill
n o t se nd a n y t h i n g back. SYN Packet to p ort 80 spoofing zombie IP address
Attacker
I -4
........... ......... ....................
Target
Zombie
FIGURE 3.31: Target Response to Spoofed SY N Request when Port is Closed I d l e S c a n : S te p 3

P ro b e t h e " z o m b i e " I PI D again.
IPID P r o b e S Y N / A C K Packet
R e sponse: IP I D = 3 1 3 3 9 R S T Packet
Attacker
IPID incremented by 2 since Step 1,

so p o r t 8 0 m u s t b e o p e n
Zombie
FIGURE 3.32: IPID Probe Request and Response
I C
E c h o
S c a n n i n g / L i s t
S c a n
C E H
T h is is n o t r e a l ly p o r t s c a n n i n g , s i n c e IC M P d o e s n o t h a v e a p o r t a b s tra c tio n
T h is t y p e o f s c a n s i m p l y g e n e r a t e s a n d p r i n t s a li s t o f I P s / N a m e s w i t h o u t a c t u a l l y p in g in g o r p o r t s c a n n in g t h e m
B u t it is s o m e t i m e s u s e f u l t o d e t e r m i n e w h i c h h o s t s in a n e t w o r k a r e u p b y p i n g i n g t h e m all J
A D N S n a m e r e s o l u t i o n w ill a l s o b e c a r r i e d out
nmap -P cert.org/24 152.148.0.0/16

Z enm ap S c a n lo o ts P r o f ile M l p T trg tc 1 9 2 .1 6 6 .1 ^ 6 v| P r o f ile : [ [j |$ < a n C * n c < 1 ^ 2 U M
C o m m a n d n m a p tn1 9 2 .1 6 & 1 .2 6 M o a t 0 $ H o * S ffv k tt N m a pO u tp u t P o rts /H o M T o p o lo g yH o rt D * ta * S < a m n m ) tC M M MIn 1 6 .3 7
f ! U rH o M S
Z e n m a p V |n lo o k ro fit* fc l * p T a rg e t .6 8 . 6 0 . - P ro M t jj ia n j C o m m a n dn ,n ptl v1 9 2 I6 8 .I6 6 S M o tt* S * rv K N m a p O u tp u tP o tt/M e tT e p o l& y , S c a m m a p 1 1vI9 2 .IM .1 6 & 5 O S -M o it n S ta rtin g M ra p 6 .6 1 < h ttp ://n a a p .o rf ) a t M l? Ml lltM d u raT in * Initiating P a ra lle lD 0 N S re s o lu tio n 0 1 h o .a t 1 J S 4 C a a p la te dP a ra ll) M re s o lu tio n o f 1 h o t. t1 3 :5 4 , e . 4 1fla p v td W ra p* c a nra p o rt fo r1 *2 .1 6 6 .1 6 1 .5 N m bd o n ; 1IPd d ra ts < 0hoitt u p ) ic a n n a din 6 .6 6 M to n d t M l rH o itt
V \
List Scan
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited
IC M P
E c h o
S c a n n in g /L is t S c a n
IC M P e c h o s c a n n in g is u sed t o d is c o v e r liv e m a c h in e s b y p i n g i n g a ll t h e m a c h in e s in t h e t a r g e t n e t w o r k . A t t a c k e r s s e n d IC M P p r o b e s t o t h e b r o a d c a s t o r n e t w o r k a d d re s s w h i c h is r e la y e d t o all t h e h o s t a d d re s s e s in t h e s u b n e t . T h e live s y s te m s w i ll s e n d IC M P e c h o r e p ly m e s s a g e t o t h e s o u r c e o f IC M P e c h o p r o b e . IC M P e c h o s c a n n in g is used im p le m e n ta tio n s in th e s e in U N IX /L in u x a n d s y s te m BSD -based m a c h in e s as t h e TCP/IP sta c k ICMP e c h o r e q u e s ts t o t h e
o p e ra tin g
responds to
th e
b r o a d c a s t a d d re sse s. This t e c h n i q u e c a n n o t be used in W i n d o w s b ase d n e t w o r k s as t h e TCP/IP s ta c k i m p l e m e n t a t i o n in w i n d o w s m a c h in e s is c o n f i g u r e d , b y d e f a u l t , n o t t o r e p ly IC M P p r o b e s d ir e c t e d t o t h e b r o a d c a s t a d d re ss. IC M P e c h o s c a n n in g is n o t r e f e r r e d to as p o r t s c a n n in g since it d o e s not h a ve a p ort
a b s t r a c t io n . IC M P e c h o s c a n n in g is u s e fu l t o d e t e r m i n e w h i c h h o s ts in a n e t w o r k a re a c tiv e by p in g in g t h e m all. T h e a c tiv e h o s ts in t h e n e t w o r k is d is p la y e d in Z e n m a p as " H o s t is u p (0 .0 2 0 s l a t e n c y ) . " You can o b s e r v e t h a t in t h e s c r e e n s h o t :
Zenmap
Scan T a rg et: T o o ls P ro file H elp Profile: S can
^ L - r e l
192.168.1.26 n m a p -s n 192.168.1.26
C an c el
C om m and:
H o sts OS < H o st
S ervices
N m a p O u tp u t
P o rts /H o s ts
T o p o lo g y
H o s t D etails
S can s
n m a p -s n 192.168.1.26
*| i
D etails
192.168.1.26 S t a r t i n g Nmap 6 . 0 1 ( h t t p : / / n m a p . o r g ) a t 2 0 1 2 - 0 8 - 1 3 1 8 :3 7 S t a n d a r d T im e Nmap s c a n r e p o r t f o r 1 9 2 . 1 6 8 . 1 . 2 6 |H o s t i s u p ( 0 . 0 0 2 0 s l a t e n c y ) ~| Nmap d o n e : 1 I P a d d r e s s ( 1 h o s t u p ) s c a n n e d i n 1 6 . 5 7 seconds
Filter H o sts
FIGURE 3.33: Zenmap showing ICMP Echo Scanning Result

In a list scan, d is c o v e r y o f t h e a c tiv e h o s t in t h e n e t w o r k is d o n e in d i r e c t l y . A list scan s im p ly g e n e r a t e s a nd p r i n t s a list o f IP s /N a m e s w i t h o u t a c t u a lly p in g in g t h e h o s t n a m e s o r p o r t s c a n n in g t h e m . As a re s u lt, t h e list scan o u t p u t o f all t h e IP a d d re s s e s w ill be s h o w n as " n o t s c a n n e d ," i.e., (0 h o s ts up). By d e f a u l t , a r e v e r s e DNS r e s o lu t i o n is still b e in g c a r r ie d o u t o n t h e h o s t b y N m a p f o r le a r n in g t h e i r n a m e s .
Zenmap
Scan lo o ls E ro file {Help Profile: C ancel
Target
192.168.168.5 n m a p -sL -v 192.168.168.5
C om m and:
H o sts OS H o st
S ervices
N m a p O u tp u t
P o rts /H o s ts
T o p o lo g y
H o s t D etails
S can s "vj | D etails
n m a p - s L - v 192.168.168.5
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 13:54 idard Tit!* Initiating Parallel DNS resolution of 1 host, at 13:54 Completed Parallel DNS resolution of 1 host, at 13:54, 0.04s elapsed Nmap scan report for 192.168.168.5 Nmap done: 1 IP address (0 hosts up) scanned in O.06 seconds
Filter H o sts
FIGURE 3.34: Zenmap showing List Scanning Result
Advantage:
9 9 A list scan can p e r f o r m a g o o d s a n ity ch eck. T h e i n c o r r e c t l y d e f i n e d IP a d d re s s e s o n t h e c o m m a n d lin e o r in an o p t i o n file d e t e c t e d b y t h e list scan. T h e d e t e c t e d e r r o r s s h o u ld be r e p a i r e d p r i o r t o r u n n i n g " a c t i v e " scan. a re any
U D P S c a n n in g
Are you open on UDP Port 29?
CEH
.............................................*
No response if port is ...................
*
If Port is Closed, an ICMP Port unreachable message is received
%
S erv er
........... I s s ______ j
UDP Port Open

T h e r e is n o t h r e e - w a y TCP h a n d s h a k ke fo r UDP sc a n T h e s y s t e m d o e s n o t r e s p o n d w ith a m e s s a g e w h e n t h e p o r t is o p e n
UDP Port Closed

e if a U D P p a c k e t is s e n t t o c l o s e d p o r t , t h e s y s t e m r e s p o n d s w ith IC M P p o r t u n re a c h a b le m e ss a g e S p y w a r e s , T ro ja n h o r s e s , a n d o t h e r m a lic io u s a p p l i c a t i o n s u s e U D P p o r t s
U D P S c a n n in g
UDP Raw ICMP Port Unreachable Scanning

UDP p o r t s c a n n e rs use t h e U DP p r o t o c o l in s te a d o f TCP, a n d can be m o r e d i f f i c u l t t h a n TCP s c a n n in g . You can s e n d a p a c k e t, b u t y o u c a n n o t d e t e r m i n e t h a t t h e h o s t is a liv e o r d e a d o r f i l t e r e d . H o w e v e r , t h e r e is o n e IC M P t h a t y o u can use t o d e t e r m i n e w h e t h e r p o r ts a re o p e n o r c lo s e d . If y o u s e n d a UDP p a c k e t t o a p o r t w i t h o u t an a p p li c a t i o n b o u n d t o it, t h e IP sta c k w ill r e t u r n an IC M P p o r t u n r e a c h a b l e p a c k e t . If a n y p o r t r e t u r n s an IC M P e r r o r , t h e n it's clo s e d , w h i l e t h e p o r ts t h a t d i d n ' t a n s w e r a re e i t h e r o p e n o r f i l t e r e d by t h e f i r e w a l l . T his h a p p e n s b e c a u s e o p e n p o r ts d o n o t h a ve t o s e n d an a c k n o w l e d g e m e n t in re s p o n s e t o a p r o b e , a n d c lo s e d p o r ts a re n o t e v e n r e q u i r e d t o se n d an e r r o r p a c k e t.
UDP Packets
S o u rc e : h t t p : / / n m a p . o r g W hen you se n d a packet to a c lo s e d UDP p o rt, m ost of th e h o s ts se nd an
IC M P _ P O R T _ U N R E A C H e r r o r . T hu s, y o u can f i n d o u t if a p o r t is N O T o p e n . N e i t h e r UDP p a c k e ts n o r t h e IC M P e r r o r s a re g u a r a n t e e d t o a rr iv e , so UDP s c a n n e rs o f th is s o r t m u s t also i m p l e m e n t t h e r e t r a n s m is s io n o f p a c k e ts t h a t a p p e a r lost. UDP s c a n n e rs i n t e r p r e t lo s t t r a f f i c as o p e n p o r ts .
In a d d it io n , t h is s c a n n in g t e c h n i q u e is s lo w b e c a u s e o f l i m i t i n g t h e IC M P e r r o r m e s s a g e r a te as c o m p e n s a t io n t o m a c h in e s t h a t a p p ly RFC 1 8 1 2 s e c tio n 4 .3 .2 .8 . A r e m o t e h o s t w i ll n e e d t o access t h e r a w IC M P s o c k e t t o d is t in g u is h c lo s e d f r o m u n r e a c h a b l e p o r ts .
UDP RECVFROM () and WRITE () Scanning

W h i l e n o n - r o o t users c a n n o t re a d p o r t u n r e a c h a b le e r r o r s d ir e c t ly ; L in ux i n f o r m s y o u i n d i r e c t l y w h e n t h e y r e c e iv e m essages.
Example
For e x a m p le , a s e c o n d w r i t e () call t o a c lo s e d p o r t w i ll u s u a lly fa il. A l o t o f s ca n n e rs , such as N e t c a t a n d Pluvial p scan .c d o r e c v f r o m () o n n o n - b l o c k i n g UDP so c k e ts , u s u a lly r e t u r n EAGAIN ( " T r y A g a in ," e rrn o 13) if t h e IC M P e rro r has not been re c e iv e d , and ECONNREFUSED
( " C o n n e c t i o n r e f u s e d , " e r r n o 1 11), if it has. T his is t h e t e c h n i q u e used f o r d e t e r m i n i n g o p e n p o r t s w h e n n o n - r o o t u sers use -u (UDP). R o o t u sers can also use t h e -I ( la m e r UDP scan) o p t i o n s t o f o r c e th is .
Advantage:
T h e UDP scan is less i n f o r m a l r e g a r d in g an o p e n p o r t , since t h e r e ' s n o o v e r h e a d o f a TCP h a n d s h a k e . H o w e v e r , i f IC M P is r e s p o n d i n g t o e a ch u n a v a ila b le p o r t , t h e n u m b e r o f t o t a l f r a m e s can e x c e e d a TCP scan. M ic r o s o f t - b a s e d o p e r a t i n g s y s te m s d o n o t u s u a lly i m p l e m e n t a n y t y p e o f IC M P r a te li m i t i n g , so t h i s scan o p e r a t e s v e r y e f f i c i e n t l y o n W i n d o w s - b a s e d d e vice s.
Disadvantage:
T h e UDP scan p r o v id e s p o r t i n f o r m a t i o n o n ly . If a d d it io n a l v e r s io n i n f o r m a t i o n is n e e d e d , t h e scan m u s t be s u p p l e m e n t e d w i t h fin g e rp rin tin g o p tio n (-0 ). T h e UDP scan r e q u ir e s p r iv ile g e d access, so th is scan o p t i o n is o n l y a v a ila b le o n s y s te m s w i t h t h e a p p r o p r i a t e u s e r p e r m is s io n s . M o s t n e t w o r k s h a v e h u g e a m o u n t s o f TCP t r a f f i c ; as a re s u lt, t h e e f f i c i e n c y o f t h e UDP scan is lost. T h e UDP scan w ill lo c a te th e s e o p e n p o r ts a n d p r o v id e t h e s e c u r it y m a n a g e r w i t h v a lu a b le i n f o r m a t i o n t h a t can be used t o i d e n t i f y th e s e in v a s io n s a c h ie v e d by t h e a t t a c k e r o n o p e n UDP p o r t s ca u s e d b y s p y w a r e a p p lic a tio n s , T r o ja n h orses, a n d o t h e r m a lic io u s s o f t w a r e .
Are you open on UDP Port 29?
a v e r s io n d e t e c t i o n scan (-sV) o r t h e
o p e r a t i n g s y s te m
No response if port is Open
c
di
S e rv e r
If Port is Closed, an ICMP Port unreachable message is received A tta c k e r
................................................
FIGURE 3.35: UDP Scanning
Zenmap
S<an Target Jooli Profile tjelp nmip 192.168.168.3 *s l l -v nmap 192.168.168.3 Services 4 N m a p Output Ports /Hosts Topok>9 > Host Detaih Scans
L 2_
Scant
x
Cancel
Profile:
Command; Hosts OS - Host
192.168.168.3
Details
192 168.168.5 192.168.168.3
Starting Nmap 6.01 ( http://na1 ap.org ) at 2012 08 10 12:47 Standard Time Initiating ARP Ping Scan at 12:47 Scanning 192.168.168.3 [1 port] Completed ARP Ping Scan at 12:47, 0.06s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host, at 12:47 Completed Parallel DNS resolution of 1 host, at 12:47, 0.02s elapsed Initiating LOP Scan at 12:47 Scanning 192.168.168.9 [1000 ports) Discovered open port 53S3/udp on 192.168.168.3 Discovered open port 137/udp on 192.168.168.3 Discovered open port 123/udp on 192.168.168.3 Increasing send delay for 192.168.168.3 * r o o t 0 to SO due to 216 out of 719 dropped probes since last increase. Completed UOP Scan at 12:47, 19.66s elapsed (1000 total ports) Nmap scan report for 192.168.168.3 Failed to resolve given hostnaae/IP: nmap. Note that you can't use ,/mask' AND 1-4,7,100- style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that. Host is up (0.000063s latency). Not shown: 994 closed ports PORT STATE SfRVICf 88/udp open|filtered kerberos-sec 123/udp open ntp 137/udp open netbios-ns 138/udp open|filtered netbios-dga S3S3/udp open zeroconf S8178/udp open|filtered unknown MAC Address:
Read data file s fro; c:\Program Files (x86)\Nmap Nmap done: 1 IP address (1 host up) scanned in 22.09 seconds Ra packets sent: 1839 (52.401KB) I Rcvd: 998 (S6.06SK8)
F i l t e r Host*
FIGURE 3.36: Zenmap showing UDP Scanning Result
c <
I n v e r s e
T C
l a g
c a n n i n g
CEH
(rtifwd itk itjl
Attackers send TCP probe packets with various TCP flags (FIN,URG,PSH) set or with no flags, no response means port is open and RST/ACK means the port is closed
Probe Packet (FIN/URG/PSH/NULL)
No Response
Attacker
Port is open
RST/ACK
Attacker
Port is closed
Copyright by EG-Gtnncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
In v e rs e T C P
F la g
S c a n n in g
A t t a c k e r s se n d t h e TCP p r o b e p a c k e ts b y e n a b lin g v a r io u s TCP fla g (FIN, URG, PSH) o r
w i t h n o fla gs. W h e n t h e p o r t is o p e n , t h e a t t a c k e r d o e s n ' t g e t a n y r e s p o n s e f r o m t h e h o s t, w h e r e a s w h e n t h e p o r t is c lo s e d , he o r she re c e iv e s t h e R ST /A C K f r o m t h e t a r g e t h o s t. T h e SYN p a c k e ts t h a t a re s e n t t o t h e s e n s itiv e p o r ts o f t h e t a r g e t e d h o s ts a re d e t e c t e d b y using s e c u r it y m e c h a n is m s such as f i r e w a l l s a n d IDS. P r o g r a m s such as S y n lo g g e r a n d C o u r t n e y a re a v a ila b le t o log h a l f - o p e n SYN fla g scan a t t e m p t s . A t t i m e s , t h e p r o b e p a c k e ts e n a b le d w i t h TCP fla g s can pass t h r o u g h f i l t e r s u n d e t e c t e d , d e p e n d i n g o n t h e s e c u r it y m e c h a n is m s in s ta lle d . P r o b in g a t a r g e t u s in g a h a l f - o p e n SYN fla g is k n o w n as an in v e r t e d t e c h n i q u e . It is ca lle d th is b e c a u s e t h e c lo s e d p o r ts can o n l y s e n d t h e r e s p o n s e back. A c c o r d i n g t o RFC 7 9 3 , A n RST/ACK p a c k e t m u s t be s e n t f o r c o n n e c t i o n re s e t, w h e n t h e p o r t is c lo s e d o n h o s t side. A tta ck e rs ta ke
a d v a n ta g e o f th is f e a t u r e t o s e n d TCP p r o b e p a c k e ts t o e a c h p o r t o f t h e t a r g e t h o s t w i t h v a r io u s TCP fla gs set. C o m m o n fla g c o n f i g u r a t io n s used f o r p r o b e p a c k e t in c lu d e : 9 9 9 A FIN p r o b e w i t h t h e FIN TCP fla g se t A n X M A S p r o b e w i t h t h e FIN, URG, a n d PUSH TCP fla g s set A NULL p r o b e w i t h n o TCP fla g s se t
A SYN/ACK p r o b e
All t h e c lo s e d p o r t s o n t h e t a r g e t e d h o s t w i ll s e n d an RST/ACK r e s p o n s e . Since t h e RFC 793 s t a n d a r d is c o m p l e t e l y ig n o r e d in t h e o p e r a t i n g s y s te m such as W i n d o w s , y o u c a n n o t see t h e RST/ACK r e s p o n s e w h e n c o n n e c t e d t o t h e c lo s e d p o r t o n t h e t a r g e t h o s t. T his t e c h n i q u e is e f f e c t i v e w h e n u sed w i t h U N IX -b a s e d o p e r a t i n g s y s te m s .
Advantages
Q A v o id s m a n y IDS a nd lo g g in g s y s te m s , h ig h ly s t e a l t h y
Disadvantages
Q Q N e e d s r a w access t o n e t w o r k so c k e ts , t h u s r e q u i r in g s u p e r - u s e r p riv ile g e s M o s t l y e f f e c t i v e a g a in s t h o s ts u sin g a B S D -d e riv e d TCP/IP sta c k ( n o t e f f e c t i v e a g a in s t M i c r o s o f t W i n d o w s h o s ts in p a r t ic u la r ) Probe Packet (FIN/URG/PSH/NULL)
No Response
Attacker
P o r t is o p e n FIGURE 3.37: Inverse TCP Flag Scanning when Port is Open

Target Host
RST/ACK
Attacker
P o r t is c l o s e d FIGURE 3.38: Inverse TCP Flag Scanning when Port is Closed
Target Host
A C K F la g S c a n n in g
A C K
F la g
S c a n n in g
A s t e a l t h y t e c h n i q u e is used f o r i d e n t i f y i n g o p e n TCP p o r t s . In t h is t e c h n i q u e a TCP p a c k e t w i t h ACK fla g ON is s e n t t o t h e r e m o t e h o s t a n d t h e n t h e h e a d e r i n f o r m a t i o n o f t h e RST p a c k e ts s e n t by r e m o t e h o s t a re a n a ly z e d . U sing t h is t e c h n i q u e o n e can e x p l o i t t h e p o t e n t ia l v u ln e r a b i l it ie s o f BSD d e r iv e d TCP/IP sta ck. T his t e c h n i q u e g ive s g o o d r e s u lts w h e n used w i t h c e r t a i n o p e r a t i n g s y s te m s a n d p la t f o r m s . ACK s c a n n in g can be p e r f o r m e d in t w o w a y s : Q TTL f ie ld a n a n ly s is W I N D O W fi e ld a na lysis
U sing TTL v a lu e o n e can d e t e r m i n e t h e n u m b e r o f s y s te m s t h e TCP p a c k e t tr a v e r s e s . You can s e n d an ACK p r o b e p a c k e t w i t h r a n d o m s e q u e n c e n u m b e r : n o r e s p o n s e m e a n s p o r t is f i l t e r e d (s ta te f u ll f i r e w a l l is p r e s e n t) a n d RST re s p o n s e m e a n s t h e p o r t is n o t f i l t e r e d ,

nm ap - s A S ta r t in g A ll 529 -P 0 1 0 .1 0 .0 .2 5 (h t t p : / / n m a p . o r g ) on 1 0 .1 0 .0 .2 5 a t a re : 2 0 1 0 -0 5 -1 6 filte r e d 1 2 :1 5 EST
nm ap 5 . 2 1
scanned p o rts
S t a t e f u l F i r e w a l l is P r e s e n t
Probe Packet (ACK)
Attacker
No Response
Target Host
FIGURE 3.39: A CK Flag Scanning when Stateful Firewall is Present N o F ir e w a ll

Probe Packet (ACK)
IT LT I ...................................................
RST
Attacker
Target Host
FIGURE 3.40: A CK Flag Scanning when No Firewall is Present

Z e n m a p
Scgn
lo o k
Profit
Help
T.rgrt:
nm ip 192.168.168.5 * sA v Pn nmap 1941 68.168.5

Services N m ap O utput
Profile
Scan
Cancel
Command:
H osts
P o r ts /H o s ts
Topology
H ost Detaih
Scans
* -sA-v -Pn nmap 192.168.168.5
details
Starting M a p 6.01 ( http://nMp.org ) at 2012-08-10 13:09 Standard Tine Initiating ARP Ping Scan at 13:10 Scanning 192.16*.160.5 [1 port] Completed ARP Ping Scan at 13:10, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host, at 13:10 Completed Parallel ONS resolution of 1 host, at 13:10, 0.10s elapsed Initiating ACK Scan at 13:10 Scanning 192.16*.168.5 [1000 ports] Completed ACK Scan at 13:10, 21.38s elapsed (1000 total ports) Knap scan report for 192.16*.168.5 Failed to resolve given hostnanc/lP: naap. Note that you cant use ,/ask' ANO 1-4,7,100- style IP ranges. If the achine only has an IPv6 address, add the Nnap 6 flag to scan that.
Host is *>p
10. W 1es
l a t e n t , ) . _____________________________
IAll 1000 scanned ports on 192.168.168.S are filteredl MAC Address:

Read f la t * f i l e ! f r v ; C:\Progr Files ( x 8 6 ) \ m m p done; l IP address (1 host up) scanned in 23.90 seconds Rax packets sent: 2001 (80.O28K8) | Rcvd: 1 (288)
filler Hosts FIGURE 3.41: Zenmap showing ACK Flag Scanning Result
S c a n n in g
T o o l: N e tS c a n
T o o ls
P r o
C E H
m y re & u U s d a t^ b a s e-N e tS c a n T o o b P ro1 1 .0 0

2 fit Edt Accesatolly rJ>
Manual 1 5 0- networkCcnrecton E-dxrts 9
A u to m a te d0 5
( Rsfren
sccrrectA l1 C P ] ciicUyFulPfKessP a t h s I P
193C 10'
tcW fUcftrftwh
] U s c c rre c tn e rm te1 C P
Jjrp A u to rrc ite d]
M fiC
lol< a'ufa.re
TCF.UOP ComeCQcn Enfant List
1nec1nfo.exe
flM w o ritInlctfe4rd5\< tnl'r .
N s t w o r kl n t o r ' n r c i \vrrtw M e r l o c t t * STacea
3bacr?.x IVChO K.IXI SeSre.exe
sycr.osz c x s Systea inee nfo.exe
Local IP 0.0.0.0
O.O.0.0
Local lore
| http| 8 0
R eaote
0.0.0.0
1
r
0.0.0.0
)cpxag( 135
)MS (UlCEOSOCt-dS'
0 .0 .0 .0
0.0.0.0
0.0.0.0
O.O.0.0
0 .0 .0 .0
1 0 2 S (blackjack( !)pptp( 23 4)) pcsync-https w e b 5 ( 9090(

)oy M rcanw bccc ( 2638 lc lh p ( 2069(
0.0. 0.0 0.0.0.0 0.0.0.0

0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
0 . 0 . D.O 1 2 7 .0 .0 .1
0.0.0.0
0.0.0.0
s
OKXCO 109b
D U lI V U l. t x t
l. r.w o -< r yT. H aw roL>M vay lo c to
8coeSzv.xt 5tot5c1v.exe
s ' rS :rv .c x e
1388 T C 2O S 2 T C
2092 TC 2092 TC
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
)o f ll
0.0.0.0
127.0.0.1 1 2 7.0.0 .1 1 2 7 .0 .0 .1 127.0.0.1
CMSf u v
S yat
S v s .w
*XKrt irvdonb
txtema! lods
S 7 3 c i
)u n kn o w n ! 3 1038 )u n k n o w n ! 3 4571 )u n k n o w n | 04572 34S73 !u n k n o w n ( 8 0 | http| 0 0

IhttpI 00
2.0. 0 . 1
1 2 7 .0 .0 .1 127.0.0.1
i h t t p i 8 0
Progmliô
h t t p : / / w w w . n e t s c a n t o o 1 s . c o m
loop Copyright 6 by EG-CSUICil. A il Rights Reserved. Reproduction is Strictly Prohibited.
S c a n n in g
T o o l: N e tS c a n T o o ls P ro
S o u rc e : h t t p ://w w w .n e ts c a r 1 tools.com N etS can T o o ls Pro is an i n v e s t i g a t i o n t o o l . It a llo w s y o u t o t r o u b l e s h o o t , m o n i t o r , d is c o v e r , a n d d e t e c t d e v ic e s o n y o u r n e t w o r k . You can g a t h e r i n f o r m a t i o n a b o u t t h e local LAN as w e l l as I n t e r n e t users, IP a d d re s s e s , p o r ts , e tc . u sin g t h is t o o l . You can f i n d v u ln e r a b i l it ie s a n d e x p o s e d p o r t s in y o u r s y s te m . It is t h e c o m b i n a t i o n o f m a n y n e t w o r k t o o l s a nd u t i l i t i e s . T h e t o o l s a re c a te g o r iz e d b y f u n c t i o n s such as a c tiv e , passive, DNS, a n d local c o m p u t e r .
Active Discovery and Diagnostic Tools: U sed f o r t e s t i n g a n d l o c a tin g d e v ic e s t h a t a re

c o n n e c te d to y o u r n e tw o rk .
Passive Discovery Tools: M o n i t o r s t h e a c tiv it ie s o f t h e d e v ic e s t h a t a re c o n n e c t e d t o y o u r

n e t w o r k a n d also g a th e r s i n f o r m a t i o n f r o m t h i r d p a r tie s .
DNS Tools: Used t o d e t e c t p r o b l e m s w i t h DNS. Local Computer and General Information Tools: P ro v id e s d e ta ils a b o u t y o u r local c o m p u t e r ' s
n e tw o rk .
Benefits:
e T h e i n f o r m a t i o n g a t h e r i n g p ro c e s s is m a d e s i m p l e r a n d f a s t e r b y a u t o m a t i n g t h e use o f m a n y n e t w o r k t o o ls
P ro d u c e s t h e r e s u lt r e p o r t s in y o u r w e b b r o w s e r c le a rly
m y re s u lts d a ta b a s e - N etS canT ools P ro 1 1 .0 0 File Edit Accessibility View Help
Welcome Automated Tools Manual Tools (all) Refresh 0 Display Full Process Paths 1 sec Disconnect All TCP
Manual Tools - Network Connection Endpoints Add Note Jump To Automated

IPv4 IP v 6 0
0
O Enable AutoRefresh MAC Address to Manufacturer
10 sec I Disconnect Remote TCP Double-click Enable TCP Disconnects
-J
Reports Add to Favorites
TCP/UDP Connection Endpoint List Network Connection Endpoints
Network Interfaces and Statistics
Network Interfaces - Wireless
Network Shares - SMB
Favorite Tools Active Discovery Tools Passive Discovery Tools DNS Tools Packet Level Tools External Tools Program Info For Help, press Fl
Pr oc e s s inetinf0 . e x e svchost .e xe Sy stem inetinf0 . e x e Sy stem dbsrv9. ex e svchost .e xe SemSvc. ex e SemSvc. ex e ag en t. ex e DkService.exe St or Serv.exe St or Serv.exe St or Serv.exe Sy stem Sy stem Sy stem Sy stem <
P I D Pro to co l TC P 2 5 2 TC P 4 TCP 1100 TCP 4 TCP 1 2 1 6 TCP 9 3 2 TCP 4 0 6 8 TCP 4 0 6 8 TCP 9 2 0 TCP 1 3 8 8 TCP 2 0 9 2 TCP 2 0 9 2 TCP 2 0 9 2 TCP 0 TCP 0 TC P 0 TCP 0 TC P
1100 n 'r r n
L o c a lI P
0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0
12 7. 0. 0. 1 127.0. 0.1 12 7. 0. 0.1 12 7. 0. 0.1

0 > n
L o c a lP o r t 8 0( h t t p ) 1 3 S( e p m a p ) 4 4 5 ( m i c r o s o f t d s ) 1 0 2 5( b l a c k j a c k ) 1 7 2 3( p p t p ) 2 6 3 8( s y b a s e a n y w h e r e ) 2 8 6 9( i c s l a p ) 8 4 4 3( p c s y n c h t t p s ) 9 0 9 0( w e b s m ) 9 8 7 6( s d ) 31 0 3 8( u n k n o w n ) 34 5 7 1( u n k n o w n ) 34 5 7 2( u n k n o w n ) 34 57 3( u n k n o w n ) 8 0( h t t p ) 8 0( h t t p ) 8 0( h t t p ) 8 0( h t t p )
on
Remote I P
0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0
L i )
127.0.0 .1 127.0. 0. 1 1 2 7 . 0 .0. 1 1 2 7 . 0 .0. 1 1 < f tf t >

NUM
FIGURE 3.42: NetScan Tools Pro Screenshot
S c a n n in g T o o ls
PRTG Network Monitor
C E H
http://w w w .paessler.co m
http://w w w .m agnetosoft.com
Global Network Inventory Scanner
i N . I1W I
http://m absoft.com
Net Tools
http://w w w .softperfect.com
SoftPerfect Network Scanner
E -
http://w w w .ks-soft.net
IP Tools
http://w w w .radm in.com
Advanced Port Scanner
http://w w w .m agnetosoft.com
MegaPing
http://netifera.com
Netifera
http://w w w .1 0 -strike.com
Network Inventory Explorer
http://w w w .nsauditor.com
Free Port Scanner
=*~=
S c a n n in g t o o l s ping com puters, scan fo r listening TCP/UDP ports, and display th e ty p e o f
resources shared on th e n e tw o rk (including system and hidden). T h e a t t a c k e r m a y a t t e m p t t o la u n c h a tta c k s a g a in s t y o u r n e t w o r k o r n e t w o r k r e s o u r c e s b ase d o n t h e i n f o r m a t i o n g a t h e r e d w i t h t h e h e lp o f s c a n n in g to o ls . A fe w o f th e scanning to ols th a t can d ete ct active ports on th e systems are listed as fo llo w s: 9 9 9 9 9 9 9 9 9 9 PRTG N e t w o r k M o n i t o r a v a ila b le a t h t t p : / / w w w . p a e s s l e r . c o m N e t T o o ls a v a ila b le a t h t t p : / / m a b s o f t . c o m IP T o o ls a v a ila b le a t h t t p : / / w w w . k s - s o f t . n e t M e g a P in g a v a ila b le a t h t t p : / / w w w . m a g n e t o s o f t . c o m N e t w o r k I n v e n t o r y E x p lo r e r a v a ila b le a t h t t p : / / w w w . 1 0 - s t r i k e . c o m G lo b a l N e t w o r k I n v e n t o r y S c a n n e r a v a ila b le a t h t t p : / / w w w . m a g n e t o s o f t . c o m S o f t P e r f e c t N e t w o r k S c a n n e r a v a ila b le a t h t t p : / / w w w . s o f t p e r f e c t . c o m A d v a n c e d P o r t S c a n n e r a v a ila b le a t h t t p : / / w w w . r a d m i n . c o m N e t if e r a a v a ila b le a t h t t p : / / n e t i f e r a . c o m Free P o r t S c a n n e r a v a ila b le a t h t t p : / / w w w . n s a u d i t o r . c o m
D o
N o t
S c a n
T h e s e
I P
A d d r e s s e s C E H
(U n le s s y o u w a n t to g e t in t o t r o u b le )
RANGE 128
128.37.0.0 Army Yuma Proving Ground 1 2 8 3 8 0 0 Naval Surface Warfare Center 128.43.0.0 Defence Research Establishment-Ottawa 128.47.0.0 Army Communications Electronics Command 128.49.0.0 Naval Ocean Systems Center 128.50.0.0 Department of Defense 128.51.0.0 Department of Defense 128.56.0.0 U.S. Naval Academy 128.60.0.0 Naval Research Laboratory 128.63.0.0 Army Ballistics Research Laboratory 1 2 8 8 0 0 0 Army Communications Electronics Command 128.102.0.0 NASA Ames Research Center 128.149.0.0 NASA Headquarters 128.154.0.0 NASA Wallops Right Facility 128.155.0.0 128.156.0.0 12815700 128.158.0.0 NASA NASA NASA NASA Langley Research Center Lewis Network Control Center Johnson Space Center Ames Research Center
129.53.0.0 - 129 53.255 255 66SPTG-SCB 129.54.0.0 Vandenberg Air Force Base, CA 129.92.0.0 Air Force Institute of Technology 129.99.0.0 NASA Ames Research Center 129.131.0.0 Naval Weapons Center 129.163.0.0 NASA/Johnson Space Center 129.164.0.0 NASA IW 129.165.0.0 NASA Goddard Space Fight Center 129.167.0.0 NASA Marshall Space Right Center 129.168.0.0 NASA Lewis Research Center 129.190.0.0 Naval Underwater Systems Center 129.198 0.0 Air Force Fight Test Center 129.209.0.0 Army BaiSstcs Research Laboratory 129.229.0.0 U.S. Army Corps of Engmeers 129.251.0.0 United States Ar Force Academy
RANGE 132
1 3 2 .3 .0 .0W illia m sA ir F o rceB a se 1 3 2 .5 .0 .0- 1 3 2 .5 .2 5 5 .2 5 54 9 thF ig h te rW in g 1 3 2 .6 .0 .0A n ka raA ir S ta tio n 1 3 2 .7 .0 .0-132.7.255.255 S S G /S IN O 1 3 2 .9 .0 .0 2 8 thB o m bW in g 1 3 2 .1 0 .0 .0 3 1 9C o m mS q 1 3 2 .1 1 .0 .0 H e lle n iko nA ir B a s e 1 3 2 .1 2 .0 .0 M y rtleB e a c hA ir F o rceB a s e 1 3 2 .1 3 .0 .0 B e n tw a te rs R o y a lA ir F o rceB a s e 1 3 2 .1 4 .0 .0 A ir F o rceC o n ce n tra to rN e tw c rk 1 3 2 .1 5 .0 .0 K a d e n aA ir B a s e
132.16.0.0 Kunsan Air Base
RANGE 130
130.40.0.0 NASA Johnson Space Center 130.90.0.0 Mather Ar Force Base 1301090.0 Naval Coastal Systems Center 130.124.0.0 Honeywell Defense Systems Group 130.165.0.0 U.S-Army Corps of Engneers 130 167.0.0 NASA Headquarters
128 159 0 0 NASA Ames Research Center 128.160.0.0 Naval Research Laboratory 128 1 6 1 0 0 N ASA Ames Research Center 128 183.0 0 NASA Goddard Space Flight Center 128202 0 0 50th Space Wing 128 21 6 0 0 MacDifl Air Force Base 128.217.0.0 NASA Kennedy Space Center 128.236.0.0 U.S. A r Force Academy
132.17.0.0 132.18.0.0 132.19.0.0 132.20.0.0 132.21.0.0 132.22.0.0 132.24.0.0 132.25.0.0 132.27 0 0 132.28.0.0 132.31.0.0 132.33.0.0 132.34.0.0 132.35.0.0 132.37.0.0 132.38.0.0 132.39.0.0
Lindsey Air Station McGuire Air Force Base 100CS (NET-MILDENHALL) 35th Communications Squadron Plattsburgh Ar Force Base 23Communication9 Sq Dower Air Force Base 786 CS/SCBM 132 27.255.255 39CS/SCBBN 14TH COMMUNICATION SQUADRON Lonng Air Force Base 60CS/SCSNM Cannon Air F ace Base Altus Air Force Base 75 ABW Goodfellow AFB K.I. Sawyer Air Force Base
RANGE 131
131.60.0 Langley Ar Force Base 131.10.0.0 Barksdale Ar Force Base 131.17.0.0 Sheppard Ar Fcrce Base 131.21.0.0 Hahn Ar Base 31.32.0.0 37 Communications Squadron 131 3 5 0 0 Fairchild Ar Force Base 131.36.0.0 Yokota Ar Base 131.37.0.0 Elmendorf Air Force Base 131.38.0.0 Hickam Ar Force Base
131.39.0.0 354CS/SCSN
132.30.0.0 Lqes Air F a c e Base
RANGE 129
129.23.0.0 Strategic Defense Initiative Organization 129.29.0.0 United States Military Academy 129.50.0.0 NASA Marshall Space Flight Center 129.51.0.0 Patrick Air Force Base 129.52.0.0 Wright-Patterson Air Force Base
For a complete list, see the file in DVD IP ADDRESSES YOU SHOULD NOT SCAN.txt
D o N o t S c a n T h e s e IP A d d re s s e s g e t in to tro u b le )
(U n le s s y o u w a n t to
T h e IP a d d re s s e s lis te d in t h e f o l l o w i n g t a b l e a re a s s o c ia te d w i t h t h e c r itic a l i n f o r m a t i o n r e s o u r c e c e n te r s o f t h e US. S c a n n in g th e s e IP a d d re s s e s w i ll be c o n s id e r e d an a t t e m p t t o b re a k t h e US's i n f o r m a t i o n s e c u r ity . T h e r e f o r e , d o n o t scan th e s e IP a d d re s s e s u nless y o u w a n t t o g e t in to tro u b le .
RANGE 6
6 . * - A r m y I n f o r m a t i o n S y s te m s C e n te r
129.51.0.0 Patrick Air Force Base

1 2 9 .5 2 .0 .0 W r i g h t - P a t t e r s o n A ir Force Base 1 2 9 .5 3 .0 .0 - 1 2 9 .5 3 .2 5 5 .2 5 5 66SPTG-SCB 1 2 9 .5 4 .0 .0 V a n d e n b e r g A ir Force Base, CA 1 2 9 .9 2 .0 .0 A i r Force I n s t i t u t e o f T e c h n o lo g y
RANGE 7
7 . * . * . * D e fe n s e I n f o r m a t i o n S y s te m s Agency, VA
RANGE 11
1 1 . * . * . * D 0 D In te l I n f o r m a t i o n S ys te m s , D e fe n s e In te llig e n c e A g e n c y , W a s h in g t o n DC
129.99.0.0 NASA A m es R esearch C enter

1 2 9 .1 3 1 .0 . 0 N ava l W e a p o n s C e n te r
RANGE 21
2 1. - US D e fe n s e I n f o r m a t i o n S y s te m s Agency
1 2 9 .1 6 3 .0 . 0 N A S A /J o h n s o n Space C e n te r
RANGE 22
2 2 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
1 2 9 .1 6 4 .0 . 0 NASA IVV 1 2 9 .1 6 5 .0 . 0 NASA G o d d a r d Space F lig ht C e n te r 1 2 9 .1 6 7 .0 . 0 NASA M a r s h a ll Space F lig h t C e n te r 1 2 9 .1 6 8 .0 . 0 NASA Lew is Research C e n te r 1 2 9 .1 9 0 .0 . 0 N ava l U n d e r w a t e r S y ste m s C e n te r 1 2 9 .1 9 8 .0 . 0 A ir Force F lig h t T e s t C e n te r
RANGE 24
2 4 .1 9 8 .*.*
RANGE 25
2 5 . * . * . * Royal Signals a n d R adar E s t a b lis h m e n t , UK
RANGE 26
1 2 9 .2 0 9 .0 . 0 A r m y Ballistics Research L a b oratory 1 2 9 .2 2 9 .0 . 0 U.S. A r m y C o rp s o f E n g in e e rs 1 2 9 .2 5 1 .0 . 0 U n ite d S ta te s A ir Force Academ y
RANGE 29
RANGE 130
1 3 0 .4 0 .0 .0 NASA J o h n s o n Space C e n te r 1 3 0 .9 0 .0 .0 M a t h e r A i r Force Base 1 3 0 .1 0 9 .0 . 0 N ava l C oa sta l S y s te m s C e n te r 1 3 0 .1 2 4 .0 . 0 H o n e y w e ll D e fe n s e S y s te m s G roup 1 3 0 .1 6 5 .0 . 0 U .S .A r m y C o rp s o f E n g in e e rs 1 3 0 .1 6 7 .0 . 0 NASA H e a d q u a r t e r s
RANGE 30
RANGE 49
4 9 . * - J o in t T a c tic a l C o m m a n d
RANGE 50
5 0 . * - J o in t T a c tic a l C o m m a n d
RANGE 55
5 5 . * - A r m y N a t io n a l G u a r d B u re a u
RANGE 131
1 3 1 .6 .0 .0 L a n g le y A i r Force Base 1 3 1 .1 0 .0 .0 B a rk s d a le A ir Force Base
RANGE 55
5 5 . * - A r m y N a t io n a l G u a r d B u re a u 5 5 . * - A r m y N a t io n a l G u a r d B u re a u
131.17.0.0 S h epp ard A ir Fo rce Base

1 3 1 .1 7 .0 .0 S h e p p a r d A ir Force Base 1 3 1 .2 1 .0 .0 H a h n A i r Base 3 1 .3 2 . 0 .0 37 C o m m u n ic a t i o n s S q u a d r o n 1 3 1 .3 5 .0 .0 F a irc h ild A i r Force Base 1 3 1 .3 6 .0 .0 Y o k o ta A i r Base 1 3 1 .3 7 .0 .0 E l m e n d o r f A ir Force Base 1 3 1 .3 8 .0 .0 H ic k a m A i r Force Base 1 3 1 .3 9 .0 .0 354CS/SCSN
RANGE 62
6 2 .0 .0 .1 - 6 2 .3 0 . 2 5 5 . 2 5 5 Do n o t scan!
RANGE 6 4
6 4 . 7 0 . * . * Do n o t scan 6 4 . 2 2 4 . * Do n o t Scan 6 4 . 2 2 5 . * Do n o t scan 6 4 . 2 2 6 . * Do n o t scan
RANGE 128
1 2 8 .3 7 .0 .0 A r m y Y u m a P ro v in g G r o u n d 1 2 8 .3 8 .0 .0 N aval S u rfa c e W a r f a r e C e n te r
RANGE 132
1 3 2 .3 .0 .0 W i l l i a m s A i r Force Base 1 3 2 .5 .0 .0 - 1 3 2 .5 . 2 5 5 . 2 5 5 4 9 t h F ig h te r W in g 1 3 2 .6 .0 .0 A n k a r a A ir S ta tio n
1 2 8 .4 3 .0 .0 D e fe n c e R esearch E s t a b lis h m e n t O tta w a 1 2 8 .4 7 .0 .0 A r m y C o m m u n ic a t i o n s E le c tr o n ic s C o m m a n d 1 2 8 .4 9 .0 .0 N aval O c e a n S y s te m s C e n te r 1 2 8 .5 0 .0 .0 D e p a r t m e n t o f D e fe n s e 1 2 8 .5 1 .0 .0 D e p a r t m e n t o f D e fe n s e 1 2 8 .5 6 .0 .0 U.S. N ava l A c a d e m y 1 2 8 .6 0 .0 .0 N aval R esearch L a b o r a t o r y
1 3 2 .7 .0 .0 - 1 3 2 .7 . 2 5 5 . 2 5 5 SSG/SINO
1 3 2 .9 .0 .0 2 8 t h B o m b W i n g 1 3 2 .1 0 .0 .0 3 1 9 C o m m Sq 1 3 2 .1 1 .0 .0 H e lle n ik o n A i r Base 1 3 2 .1 2 .0 .0 M y r t l e Beach A ir Force Base 1 3 2 .1 3 .0 .0 B e n t w a t e r s Royal A i r Force Base 1 3 2 .1 4 .0 .0 A ir Force C o n c e n t r a t o r N e tw o rk 1 3 2 .1 5 .0 .0 Kade n a A ir Base
1 2 8 .6 3 .0 .0 A r m y Ballistics R esearch L a b oratory 1 2 8 .8 0 .0 .0 A r m y C o m m u n ic a t i o n s E le c tro n ic s C o m m a n d 1 2 8 .1 0 2 .0 . 0 NASA A m e s R esearch C e n te r 1 2 8 .1 4 9 .0 . 0 NASA H e a d q u a r t e r s 1 2 8 .1 5 4 .0 . 0 NASA W a l l o p s F lig h t F a cility 1 2 8 .1 5 5 .0 . 0 NASA L a n g le y R esearch C e n te r
1 3 2 .1 6 .0 .0 K u nsa n A ir Base 1 3 2 .1 7 .0 .0 L in d s e y A i r S t a tio n 1 3 2 .1 8 .0 .0 M c G u i r e A ir Force Base 1 3 2 .1 9 .0 .0 100CS (N E T -M IL D E N H A LL )
1 2 8 .1 5 6 .0 . 0 NASA Lew is N e t w o r k C o n tr o l C e n te r 1 2 8 .1 5 7 .0 . 0 NASA J o h n s o n Space C e n te r 1 2 8 .1 5 7 .0 . 0 NASA J o h n s o n Space C e n te r 1 2 8 .1 5 8 .0 . 0 NASA A m e s R esearch C e n te r 1 2 8 .1 5 9 .0 . 0 NASA A m e s R esearch C e n te r 1 2 8 .1 6 0 .0 . 0 N aval R esearch L a b o r a t o r y
1 3 2 .2 0 .0 .0 3 5 th C o m m u n ic a tio n s S q u a d ro n 1 3 2 .2 1 .0 .0 P l a tts b u r g h A ir F orce Base 1 3 2 .2 1 .0 .0 P l a tts b u r g h A ir Force Base 1 3 2 .2 2 .0 .0 2 3 C o m m u n ic a t i o n s Sq 1 3 2 .2 4 .0 .0 D o v e r A i r F orce Base 1 3 2 .2 5 .0 .0 7 8 6 CS/S CBM 1 3 2 . 2 7 . 0 . 0 - 1 3 2 .2 7 .2 5 5 .2 5 5 39CS/SCBBN 1 3 2 .2 8 .0 .0 14TH C O M M U N IC A T IO N SQ U A D R O N 1 3 2 .3 0 .0 .0 Lajes A ir Force Base 1 3 2 .3 1 .0 .0 L o rin g A ir Force Base 1 3 2 .3 3 .0 .0 60C S/S C SN M 1 3 2 .3 4 .0 .0 C a n n o n A ir Force Base 1 3 2 .3 5 .0 .0 A ltu s A i r Force Base 1 3 2 .3 7 .0 .0 75 A B W
1 2 8 .1 6 1 .0 . 0 NASA A m e s R esearch C e n te r
1 2 8 .1 8 3 .0 . 0 NASA G o d d a r d Space F lig ht C e n te r 1 2 8 .2 0 2 .0 . 0 5 0 t h Space W i n g 1 2 8 .2 1 6 .0 . 0 M a c D ill A i r Force Base 1 2 8 .2 1 7 .0 . 0 NASA K e n n e d y Space C e n te r 1 2 8 .2 3 6 .0 . 0 U.S. A i r Force A c a d e m y RANGE 129 1 2 9 .2 3 .0 .0 S t r a te g ic D e fe n s e In i t i a t i v e O r g a n iz a tio n 1 2 9 .2 9 .0 .0 U n ite d S ta te s M i l i t a r y A c a d e m y 1 2 9 .5 0 .0 .0 NASA M a r s h a ll Space F lig h t C e n te r
1 3 2 .3 8 .0 .0 G o o d f e l l o w AFB 1 3 2 .3 9 .0 .0 K.l. S a w y e r A ir Force Base
TABLE 3.3: Do Not Scan These IP Addresses Table
P o r t S c a n n in g
C o u n t e r m
e a s u r e s
C E H
Urtifw^ tthiul lUch(
C o n fig u r e f ir e w a ll a n d IDS r u le s t o d e t e c t a n d b lo c k p r o b e s
U se c u s to m r u le s e t t o lo c k d o w n t h e n e t w o r k a n d b lo c k u n w a n t e d p o r t s a t t h e fire w a ll
F ilter all ICM P m e s s a g e s (i.e. H id e s e n s iti v e in f o r m a ti o n f r o m p u b lic v ie w k in b o u n d ICMP m e s s a g e ty p e s a n d o u tb o u n d ICMP ty p e 3 u n r e a c h a b le m e s s a g e s ) a t t h e fir e w a lls a n d r o u te r s
E n su re t h a t m e c h a n is m u s e d fo r ro u tin g a n d filte rin g a t t h e r o u te r s a n d fire w a lls re s p e c tiv e ly c a n n o t b e b y p a s s e d u sin g p a rtic u la r s o u rc e
W /
P e rfo rm TCP a n d U DP s c a n n in g a lo n g w ith ICMP p r o b e s a g a in s t y o u r
o r g a n iz a tio n s IP a d d r e s s s p a c e to c h e c k t h e n e t w o r k c o n f ig u r a tio n a n d its a v a ila b le p o r ts
p o r ts o r s o u r c e - r o u tin g m e th o d s
E n s u re t h a t t h e r o u t e r , IDS, a n d fir e w a ll f ir m w a r e a r e u p d a t e d t o t h e i r l a te s t r e l e a s e s
E n su re th a t th e a n ti s c a n n in g a n d a n t i s p o o f in g r u le s a r e c o n f ig u r e d
P o rt S c a n n in g
C o u n te rm e a s u re s
As d iscu s se d p re v io u s ly , p o r t s c a n n in g p r o v id e s a l o t o f u s e fu l i n f o r m a t i o n such as IP a d d re s s e s , h o s t n a m e s , o p e n p o r ts , e tc . t o t h e a tta c k e r . O p e n p o r t s e s p e c ia lly p r o v id e an easy m e a n s f o r t h e a t t a c k e r t o b r e a k i n t o t h e s e c u r it y . B u t t h e r e is n o t h i n g t o w o r r y a b o u t , as y o u can s e c u re your s y s te m or n e tw o rk a g a in s t p ort s c a n n in g by a p p ly in g th e fo llo w in g
c o u n te rm e a s u re s : 9 T h e f i r e w a l l s h o u ld be g o o d e n o u g h t o d e t e c t p r o b e s an a t t a c k e r s e n d s t o scan th e n e t w o r k . So t h e f i r e w a l l s h o u ld c a r r y o u t s t a t e f u l i n s p e c t io n i f it has a s p e c ific r u le set. S o m e f i r e w a l l s d o a b e t t e r j o b t h a n o t h e r s in d e t e c t i n g s t e a lth scans. M a n y f i r e w a l l s h a v e s p e c ific o p t i o n s t o d e t e c t SYN scans, w h i l e o t h e r s c o m p l e t e l y i g n o r e FIN scans.
N e t w o r k i n t r u s io n d e t e c t i o n s y s te m s s h o u ld d e t e c t t h e OS d e t e c t i o n m e t h o d used by to o ls such as Nmap, e tc. th a t S nort can (h t t p : / / . s n o r t . o r g ) is an be o f g re at h e lp , m a in ly i n t r u s io n because d e te c tio n s ig n a t u r e s a nd a re
p re v e n tio n
te c h n o lo g y
f r e q u e n t l y a v a ila b le f r o m p u b lic a u th o r s . O n ly n e c e s s a ry p o r t s s h o u ld be k e p t o p e n ; t h e re s t o f t h e p o r ts s h o u ld be f i l t e r e d as t h e i n t r u d e r w ill t r y t o e n t e r t h r o u g h a n y o p e n p o r t . This can be a c c o m p lis h e d w i t h t h e c u s t o m r u le set. F ilte r in b o u n d IC M P m e s s a g e ty p e s a nd all o u t b o u n d IC M P t y p e 3 u n r e a c h a b l e m essa ge s a t b o r d e r r o u t e r s a n d f ir e w a lls .
E nsure t h a t r o u t i n g a n d f i l t e r i n g m e c h a n is m s c a n n o t be b y p a s s e d u sin g s p e c ific s o u r c e p o rts o r s o u rc e -ro u tin g te c h n iq u e s .
T e s t y o u r o w n IP a d d re s s sp ace u s in g TCP a n d UDP p o r t scans as w e l l as IC M P P ro b e s t o d e t e r m i n e t h e n e t w o r k c o n f i g u r a t io n a n d a c ce ssib le p o rts .
If a c o m m e r c i a l f i r e w a l l is in use, t h e n e n s u r e t h a t t h e f i r e w a l l is p a t c h e d w i t h t h e la t e s t u p d a te s , a n t i s p o o f i n g r u le s h a v e b e e n c o r r e c t ly d e f i n e d , a n d f a s t m o d e se rv ic e s a re n o t used in C h e ck P o in t F ir e w a ll-1 e n v i r o n m e n t s .
C E H
S c a n n in g M e th o d o lo g y
So f a r w e h a ve d iscu sse d h o w t o c h e c k f o r live s y s te m s a n d o p e n p o r ts , t h e t w o c o m m o n n e t w o r k v u ln e r a b i l it ie s . A n IDS is t h e s e c u r it y m e c h a n is m i n t e n d e d t o p r e v e n t an a t t a c k e r f r o m e n t e r i n g a s e c u r e n e t w o r k . Bu t, e v e n t h e IDS has s o m e l i m i t a t i o n s in o f f e r i n g s e c u r it y . A t t a c k e r s a re t r y i n g t o la u n c h a tta c k s by e x p l o i t i n g l i m i t a t i o n s o f IDS.
fft
S c a n n in g B e y o n d IDS
prepare Proxies
Banner Grabbing
This s e c tio n h ig h lig h ts IDS e v a s io n t e c h n i q u e s a n d S Y N /F IN s c a n n in g .
ID S E v a s io n T e c h n iq u e s
C E H
m
Use fragmented IP packets
Spoof your when launching attacks and sniff responses from server
U s e source routing (if possible)
Connect to > or compromised trojaned machines to launch attacks
Q Q
_ _
Q1
ID S E v a s io n T e c h n iq u e s
M o s t o f t h e IDS e v a s io n t e c h n i q u e s r e ly o n t h e use f r a g m e n t e d p r o b e p a c k e ts t h a t
r e a s s e m b le o n c e t h e y re a ch t h e t a r g e t h o s t. IDS e v a s io n can also o c c u r w i t h t h e use o f s p o o f e d f a k e h o s ts la u n c h i n g n e t w o r k s c a n n in g p ro b e s .
Use fragmented IP packets

A t t a c k e r s use d i f f e r e n t f r a g m e n t a t i o n m e t h o d s t o e v a d e t h e IDS. T h e s e a tta c k s a re s im ila r t o session s p lic in g . W i t h t h e h e lp o f fragroute, all t h e p r o b e p a c k e ts f l o w i n g f r o m y o u r h o s t o r n e t w o r k can be f r a g m e n t e d . It can also be d o n e w i t h th e h e lp o f a p o r t s c a n n e r w i t h
f r a g m e n t a t i o n f e a t u r e such as N m a p . T his is a c c o m p lis h e d b e c a u s e m o s t IDS s e n s o rs fa il t o p ro c e s s la rg e v o lu m e s o f f r a g m e n t e d p a c k e ts , as t h is in v o lv e s g r e a t e r CPU c o n s u m p t i o n a nd m e m o r y a t t h e n e t w o r k s e n s o r level.
Use source routing (if possible)

S o u rc e r o u t i n g is a t e c h n i q u e w h e r e b y t h e s e n d e r o f a p a c k e t can s p e c ify t h e r o u t e t h a t a p a c k e t s h o u ld t a k e t h r o u g h t h e n e t w o r k . It is a s s u m e d t h a t t h e s o u r c e o f t h e p a c k e t k n o w s a b o u t t h e l a y o u t o f t h e n e t w o r k a n d can s p e c ify t h e b e s t p a th f o r t h e p a c k e t.
S Y N / F I N I P
S c a n n in g
U s in g C E H
F r a g m e n t s
It is not a new scanning method but a modification of the earlier methods
The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend to do
&
C o m m a n d P ro m p t
S Y N / F I N ( S m a ll IP F ra g m e n t s ) + P o r t (n)
C:\>nmap -sS -T4 -A -f -v 192.168.168.5
Starting N m ap 6.01 ( http://nmap.org ) at 2012-08-11 11:03 E D T Initiating S Y N Stealth Scan at 11:03 Scanning 192.168.168.5 [1000 ports] Discovered open port 139/tcp on 192.168.168.5 Discovered open port 445/tcp on 192.168.168.5 Discovered open port 135/tcp on 192.168.168.5 Discovered open port 912/tcp on 192.168.168.5 Completed S Y N Stealth Scan at 11:03, 4.75s elapsed (1000 total ports)
R ST ( if p o r t is c lo s e d )
A tta c k e r
T a rg et
SYN/FIN S ca n n in g
S Y N /F IN
S c a n n in g U s in g IP
F ra g m e n ts
SYN/FIN s c a n n in g u sin g IP f r a g m e n t s is a m o d i f i c a t i o n o f t h e e a r lie r m e t h o d s o f s c a n n in g ; t h e p r o b e p a c k e ts a re f u r t h e r f r a g m e n t e d . This m e t h o d c a m e i n t o e x is te n c e t o a v o id t h e fa ls e p o s i t i v e f r o m o t h e r scans, d u e t o a p a c k e t f i l t e r i n g d e v ic e p r e s e n t o n t h e t a r g e t m a c h in e . You h a v e t o s p lit t h e TCP h e a d e r i n t o s e v e r a l p a c k e ts in s te a d o f j u s t s e n d in g a p r o b e p a cke t f o r a v o id in g th e p a c k e t f ilte r s . E ve ry TCP h e a d e r s h o u ld in c lu d e t h e s o u r c e a nd d e s t i n a t i o n p o r t f o r t h e f i r s t p a c k e t d u r in g a n y t r a n s m is s io n : (8 o c t e t , 6 4 b it ) , a n d t h e in itia liz e d fla g s in t h e n e x t, w h i c h a l l o w t h e r e m o t e h o s t t o r e a s s e m b le t h e p a c k e t u p o n r e c e ip t t h r o u g h an I n t e r n e t p r o t o c o l m o d u l e t h a t re c o g n iz e s t h e f r a g m e n t e d d a ta p a c k e ts w i t h t h e h e lp o f fie ld e q u i v a l e n t v a lu e s o f p r o t o c o l , s o u r c e , d e s t i n a t i o n , a n d i d e n t if ic a t i o n . F r a g m e n t e d P a c k e ts T h e TCP h e a d e r , a f t e r s p li t t in g i n t o sm a ll f r a g m e n t s , is t r a n s m i t t e d o v e r t h e n e t w o r k . B u t, a t t i m e s y o u m a y o b s e r v e u n p r e d i c t a b l e r e s u lts such as f r a g m e n t a t i o n o f t h e d a ta in t h e IP h e a d e r a f t e r t h e r e a s s e m b ly o f IP o n t h e s e r v e r side. S o m e h o s ts m a y n o t be c a p a b le o f p a r s in g and r e a s s e m b lin g t h e f r a g m e n t e d p a c k e ts , a n d t h u s m a y ca use crash es, r e b o o ts , o r e v e n n e t w o r k d e v ic e m o n i t o r i n g d u m p s .
F ir e w a lls S o m e f i r e w a l l s m a y h a ve r u le sets t h a t b lo c k IP f r a g m e n t a t i o n q u e u e s in t h e k e rn e l (like th e CONFIG _IP_ALW A YS_D EFR AG o p tio n in th e L in ux k e rn e l) , a lt h o u g h t h is is not w id e ly
i m p l e m e n t e d d u e t o t h e a d v e rs e e f f e c t o n p e r f o r m a n c e . Since s e v e ra l in t r u s io n s d e t e c t i o n s y s te m s e m p l o y s ig n a t u r e - b a s e d m e t h o d s t o i n d ic a t e s c a n n in g a t t e m p t s b a se d o n IP a n d / o r th e TCP h e a d e rs , f r a g m e n t a t i o n is o f t e n a b le t o e v a d e t h is t y p e o f p a c k e t f i l t e r i n g a n d d e t e c t i o n . T h e r e is a p r o b a b i l i t y o f n e t w o r k p r o b l e m s o n t h e t a r g e t n e t w o r k . SYN/FIN (Small IP Fragments) + Port (n) .................................................. < .................................................... RST (if p o r t is closed) _
Attacker
FIGURE 3.43: SYN/FIN Scanning
N m a p c o m m a n d p r o m p t s f o r SYN/FIN scan.
Target
Command Prompt
-s S -T 4 -A - f - v : 1 9 2 . 1 6 8 .1 6 :8 .!
C :\> O m a p
S t a r t i n g Nmap 6 .0 1 ( h t t p : / / n m a p . o r g } a t: 2 D 1 2 -P 8 -1 1 1 1 : 03 jSDT................... ......................... I n i t i a t i n g SYN S t e a l t h S can a t 1 1 :0 3 S c a n n in g 1 9 2 .1 6 8 .1 6 8 .5 [1 0 00 p o r t s ] D is c o v e r e d o p e n p o r t 1 3 9 / t c p on 1 9 2 .1 6 8 .1 6 8 . D is c o v e r e d o p e n p o r t 4 4 5 / t c p on 1 9 2 .1 6 8 .1 6 8 . D is c o v e r e d o p e n D is c o v e r e d o p e n p o r t ! 3 5 / t c p . On p o r t 9 1 2 / t c p 0n 1 9 2 .1 6 8 .1 6 8 . 1 9 2 .1 6 8 .1 6 8 . 4 .7 5 s
C o m p le te d SYN S t e a l t h Scan a t 1 1 :0 3 , e la p s e d (1000 t o t a l p o r t s )
FIGURE 3.44: Nmap showing SYN/FIN Scanning Result
| ' ^ Ml
ft
yj
C h e c k for O p e n Ports
C h e c k for
Live S y s t e m s
_ r )__
. Scan for Vulnerability Diagrams
Draw Network
H U H 1 1 k -i 1 1 r -J n _ M ---1/
__ a c _____ Scanning Banner B e y o n d IDS Grabb i n g Prepare! Proxies Scanning P e n Testing
Copyright by EG-Gouncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
= :ir
C E H
S c a n n in g
M e th o d o lo g y
So f a r w e h a ve d iscu sse d h o w t o c h e c k f o r live s y s te m s , o p e n p o r ts , a n d scan b e y o n d IDS. All o f th e s e a re t h e d o o r w a y s f o r an a t t a c k e r t o b r e a k i n t o a n e t w o r k . A n o t h e r i m p o r t a n t t o o l o f an a t t a c k e r is b a n n e r g ra b b in g , w h i c h w e w i ll discuss n e x t.
191
Scanning Beyond IDS
Q f c i prepare Proxies
B a n n e r G ra b b in g
T his s e c tio n h ig h lig h ts b a n n e r g ra b b in g , t h e n e e d t o p e r f o r m b a n n e r g ra b b in g , v a r io u s w a y s o f b a n n e r g ra b b in g , a n d t h e t o o l s t h a t h e lp in b a n n e r g ra b b in g .
B a n n e r G r a b b in g
J Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive. A ctive B a n n e r G rabbing
S p e c ia lly c r a f t e d p a c k e ts a r e s e n t t o r e m o t e OS a n d t h e r e s p o n s e is n o te d T h e r e s p o n s e s a r e t h e n c o m p a r e d w ith a d a t a b a s e t o d e t e r m i n e t h e OS R e s p o n s e f r o m d if f e r e n t O S e s v a r ie s d u e to d if f e re n c e s in T C P /IP s ta c k i m p l e m e n t a t i o n
P a ssiv e B a n n e r G rabbing
B a n n e r g ra b b in g fro m e rro r m e ss a g e s: Error m e ssag e s provide info rm atio n su ch as ty p e of server, ty p e o f OS, a n d SSL tool u sed by th e ta rg e t re m o te system S n iffin g t h e n e t w o r k tr a f f ic : C apturing an d analyzing pack ets from th e ta rg e t e n a b le s an attack e r to d e te rm in e OS u sed by th e re m o te system e B a n n e r g ra b b in g fro m p a g e e x te n s io n s : Looking fo r an ex ten sio n in th e URL m ay a ssist in d eterm in in g th e app licatio n version Exam ple: .aspx => IIS serv er an d W indow s p latform
BQB
Why Banner Grabbing?

Id e n tify in g t h e OS u s e d o n t h e t a r g e t h o s t a llo w s a n a t ta c k e r t o f ig u r e o u t t h e v u ln e r a b il iti e s t h e s y s t e m p o s s e s a n d t h e e x p lo its t h a t m ig h t w o r k o n a s y s te m t o f u r t h e r c a r r y o u t a d d i t i o n a l a t t a c k s
B a n n e r g r a b b i n g o r OS f i n g e r p r i n t i n g is a m e t h o d t o d e t e r m i n e t h e o p e r a t i n g s y s te m r u n n i n g o n a r e m o t e t a r g e t s y s t e m . B a n n e r g r a b b i n g is i m p o r t a n t f o r h a c k in g as it p r o v id e s y o u w i t h a g r e a t e r p r o b a b i l i t y o f success in h a c k in g . T his is b e c a u s e m o s t o f t h e v u l n e r a b i l it ie s are OS s p e c ific . T h e r e f o r e , if y o u k n o w t h e OS r u n n i n g o n t h e t a r g e t s y s te m , y o u can h a c k t h e s y s te m b y e x p l o i t i n g t h e v u l n e r a b i l it ie s s p e c ific t o t h a t o p e r a t i n g s y s te m . B a n n e r g r a b b i n g can be c a r r ie d o u t in t w o w a y s : e i t h e r by s p o t t i n g t h e b a n n e r w h i l e t r y i n g t o c o n n e c t t o a se rv ic e such as FTP o r d o w n l o a d i n g t h e b i n a r y f i l e / b i n / l s t o c h e c k t h e a r c h it e c t u r e w i t h w h i c h it w a s b u ilt. Banner g ra b b in g is p e rfo rm e d u sin g th e fin g e rp rin tin g te c h n iq u e . A m ore advanced
f i n g e r p r i n t i n g t e c h n i q u e d e p e n d s o n sta c k q u e r y i n g , w h i c h t r a n s f e r s t h e p a c k e ts t o t h e n e t w o r k h o s t a n d e v a lu a te s p a c k e ts b ase d o n t h e r e p ly . T h e f i r s t s ta c k q u e r y i n g m e t h o d w a s d e s ig n e d c o n s id e r in g t h e TCP m o d e o f c o m m u n i c a t i o n , in w h i c h t h e re s p o n s e o f t h e c o n n e c t i o n r e q u e s ts is e v a lu a te d . T h e n e x t m e t h o d w a s k n o w n as ISN ( In itia l S e q u e n c e N u m b e r ) analysis. This i d e n t if ie s t h e d if f e r e n c e s in t h e r a n d o m n u m b e r g e n e r a t o r s f o u n d in t h e TCP sta ck. A n e w m e t h o d , u s in g t h e ICMP p r o t o c o l , is k n o w n as IC M P r e s p o n s e a n a ly s is . It c o n s is ts o f s e n d in g t h e IC M P m e ssa g e s t o t h e r e m o t e h o s t a n d e v a l u a t i n g t h e r e p ly . T h e la t e s t IC M P m e s s a g in g is
k n o w n as t e m p o r a l re s p o n s e analysis. Like o t h e r s , t h is m e t h o d uses t h e TCP p r o t o c o l . T e m p o r a l r e s p o n s e a n a lys is lo o k s a t t h e r e t r a n s m i s s i o n t i m e o u t (RTO) r e s p o n s e s f r o m a r e m o t e h o s t. T h e r e a re t w o t y p e s o f b a n n e r g r a b b i n g t e c h n i q u e s a v a ila b le ; o n e is a c tiv e a n d t h e o t h e r is passive.
A c tiv e B a n n e r G r a b b in g
A c t iv e b a n n e r g r a b b i n g is based o n t h e p r in c ip le t h a t an o p e r a t i n g s y s te m 's IP sta c k has a u n i q u e w a y o f r e s p o n d i n g t o s p e c ia lly c r a f t e d TCP p a c k e ts . This arises b e c a u s e o f d i f f e r e n t i n t e r p r e t a t i o n s t h a t v e n d o r s a p p ly w h i l e i m p l e m e n t i n g t h e TCP/IP s ta c k o n t h e p a r t i c u l a r OS. In a c tiv e b a n n e r g ra b b in g , a v a r i e t y o f m a l f o r m e d p a c k e ts a re s e n t t o t h e r e m o t e h o s t, a n d t h e r e s p o n s e s a re c o m p a r e d t o a d a ta b a s e . For in s ta n c e , in N m a p , t h e OS f i n g e r p r i n t o r b a n n e r g r a b b i n g is d o n e t h r o u g h e ig h t te s ts . T h e e ig h t te s ts a re n a m e d T l , T2, T3, T4, T5, T6, T7, a n d PU ( p o r t u n r e a c h a b le ) . Each o f th e s e te s ts is i l lu s t r a t e d as f o l lo w s , as d e s c r ib e d in w w w . p a c k e t w a t c h . n e t :
T l: In t h is te s t , a TCP p a c k e t w i t h t h e SYN a n d ECN-Echo fla g s e n a b le d is s e n t t o an o p e n TCP

p o rt.
T2: It in v o lv e s s e n d in g a TCP p a c k e t w i t h n o fla g s e n a b le d t o an o p e n TCP p o r t . T his t y p e o f

p a c k e t is k n o w n as a NULL p a c k e t.
T3: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e URG, PSH, SYN, a n d FIN fla gs e n a b le d t o an o p e n

TCP p o r t.
T4: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e ACK fla g e n a b le d t o an o p e n TCP p o r t. T5: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e SYN fla g e n a b le d t o a c lo s e d TCP p o r t . T6: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e ACK fla g e n a b le d t o a c lo s e d TCP p o r t . T7: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e URG, PSH, a n d FIN fla g s e n a b le d t o a c lo s e d TCP
p o rt.
PU (Port Unreachable): It in v o lv e s s e n d in g a UDP p a c k e t t o a c lo s e d UDP p o r t . T h e o b j e c t iv e is

t o e x t r a c t an " I C M P p o r t u n r e a c h a b l e " m e s s a g e f r o m t h e t a r g e t m a c h in e . T h e last t e s t t h a t N m a p p e r f o r m s is n a m e d TSeq f o r TCP S e q u e n c a b ilit y te s t. This t e s t tr ie s t o d e t e r m i n e t h e s e q u e n c e g e n e r a t io n p a t t e r n s o f t h e TCP in itia l s e q u e n c e n u m b e r s , also k n o w n as TCP ISN s a m p li n g , t h e IP i d e n t i f i c a t i o n n u m b e r s (also k n o w n t i m e s t a m p n u m b e r s . T h e t e s t is p e r f o r m e d e n a b le d t o an o p e n TCP p o r t. The o b j e c t iv e is to fin d p a tte rn s in th e in itia l sequence of n u m b e rs th a t th e TCP as IPID s a m p li n g ) , a n d t h e TCP
b y s e n d in g six TCP p a c k e ts w i t h t h e SYN fla g
i m p l e m e n t a t i o n s c h o o s e w h i l e r e s p o n d i n g t o a c o n n e c t i o n r e q u e s t. T he se can be c a te g o r iz e d i n t o m a n y g r o u p s such as t h e t r a d i t i o n a l 6 4 K ( m a n y o ld UN IX b oxe s), r a n d o m ( n e w e r v e r s io n s o f Solaris, IRIX, FreeBSD, D ig ita l UNIX, Cray, a n d in c re m e n ts
m a n y o th e r s ) , o r T ru e
" r a n d o m " (L in u x 2 .0 . * , O p e n V M S , n e w e r AIX, e tc.). W i n d o w s b o x e s use a " t i m e - d e p e n d e n t " m o d e l w h e r e t h e ISN is i n c r e m e n t e d by a fix e d a m o u n t f o r e a ch t i m e p e r io d .
S o u rc e : w w w . i n s e c u r e . o r g , " M o s t o p e r a t i n g s y s te m s i n c r e m e n t a s y s t e m - w i d e IPID v a lu e f o r e ach p a c k e t t h e y se n d . O th e rs , such as O p e n B S D , use a r a n d o m IPID a n d s o m e s y s te m s (like Linux) use an IPID o f 0 in m a n y cases w h e r e t h e D o n 't F r a g m e n t b it is n o t set. W i n d o w s d o e s n o t p u t t h e IPID in n e t w o r k b y t e o r d e r , so it i n c r e m e n t s b y 2 5 6 f o r e ach p a c k e t. A n o t h e r n u m b e r t h a t can be s e q u e n c e d f o r OS d e t e c t i o n p u r p o s e s is t h e TCP t i m e s t a m p o p t i o n va lu e s . S o m e s y s te m s d o n o t s u p p o r t t h e f e a t u r e ; o t h e r s i n c r e m e n t t h e v a lu e a t f r e q u e n c ie s o f 2HZ, 1 00HZ, o r 1 0 0 0 H Z a n d still o t h e r s r e t u r n 0.
P a s s iv e B a n n e r G ra b b in g
S o u rc e : h t t p : / / h o n e y n e t . o r g Like a c tiv e banner g ra b b in g , p assive banner g ra b b in g is also b ase d on th e d iffe re n tia l
i m p l e m e n t a t i o n o f t h e sta c k a nd t h e v a r io u s w a y s an OS r e s p o n d s t o p a c k e ts . H o w e v e r , in s te a d o f r e ly in g o n s c a n n in g t h e t a r g e t h o s t, p assive f i n g e r p r i n t i n g c a p tu r e s p a c k e ts f r o m t h e t a r g e t h o s t via s n if f i n g t o s t u d y f o r t e l l t a l e signs t h a t can re v e a l an OS. T h e f o u r a re as t h a t a re t y p i c a l l y n o t e d t o d e t e r m i n e t h e o p e r a t i n g s y s te m are: 9 9 9 9 TTL - W h a t t h e o p e r a t i n g s y s te m sets t h e T im e T o Live o n t h e o u t b o u n d p a c k e t W i n d o w Size - h a t t h e o p e r a t i n g s y s te m sets t h e W i n d o w size DF - D oes t h e o p e r a t i n g s y s te m se t t h e D o n ' t F r a g m e n t b it OS - D oes t h e o p e r a t i n g s y s te m s e t t h e T y p e o f Service, a n d i f so, a t w h a t
Passive f i n g e r p r i n t i n g has t o be n e i t h e r f u l l y a c c u r a te n o r be l i m i t e d t o th e s e f o u r s ig n a tu r e s . H ow ever, by l o o k in g a t s e v e ra l s ig n a t u r e s and c o m b in in g in fo rm a tio n , accuracy can be
i m p r o v e d . T h e f o l l o w i n g is t h e a n a ly sis o f a s n if fe d p a c k e t d is s e c te d by Lance S p itz n e r in his p a p e r o n p assive f i n g e r p r i n t i n g ( h t t p : / / w w w . h o n e y n e t . o r g / p a p e r s / f i n g e r / ). 0 4 / 2 0 - 2 1 : 4 1 : 4 8 . 1 2 9 6 6 2 1 2 9 .1 4 2 .2 2 4 . 3 :6 5 9 -> 1 7 2 .1 6 .1 .1 0 7 :6 0 4 TCP TTL:45 TOS:OxO ID :5 6 2 5 7 * * * F * * A * Seq: 0 x 9 D D 9 0 5 5 3 A ck: 0 xE 3 C 6 5 D 7 W i n : 0 x 7 D 7 8 Based o n t h e f o u r c r it e r ia , t h e f o l l o w i n g a re i d e n t if ie d : 9 9 9 9 TTL: 4 5 W i n d o w Size: 0 x 7 D 7 8 ( o r 3 2 1 2 0 in d e c im a l) DF: T h e D o n 't F r a g m e n t b i t is se t TOS: 0 x 0
D a t a b a s e S ig n a tu r e s T his i n f o r m a t i o n is t h e n c o m p a r e d t o a d a ta b a s e o f s ig n a tu r e s . C o n s id e r in g t h e TTL used b y t h e r e m o t e h o s t, it is d e t e r m i n e d f r o m t h e s n if f e r t r a c e t h a t t h e TTL is se t a t 4 5. T his in d ic a te s t h a t it w e n t t h r o u g h 19 h o p s t o g e t t o t h e t a r g e t , so t h e o rig in a l TTL m u s t h a ve b e e n s e t a t 64.
Based o n t h is TTL, it a p p e a r s t h a t t h e p a c k e t w a s s e n t f r o m a L in u x o r F reeB S D b o x ( h o w e v e r , m o r e s y s te m s ig n a t u r e s n e e d t o be a d d e d t o t h e d a ta b a s e ). T his TTL is c o n f i r m e d b y d o i n g a t r a c e r o u t e t o t h e r e m o t e h o s t. If t h e tr a c e n e e d s t o be d o n e s t e a lt h ily , t h e t r a c e r o u t e t i m e - t o live ( d e f a u l t 3 0 h o p s ) can be se t t o be o n e o r t w o h o p s less t h a n t h e r e m o t e h o s t ( -m o p t i o n ) . S e ttin g t r a c e r o u t e in th is m anner re v e a ls t h e p a th in fo rm a tio n ( in c lu d in g th e u p s tre a m
p r o v id e r ) w i t h o u t a c t u a l ly t o u c h i n g t h e r e m o t e h o s t.
W indow Sizes
T h e n e x t s te p is t o c o m p a r e w i n d o w sizes. T h e w i n d o w size is a n o t h e r e f f e c t i v e t o o l t h a t d e t e r m i n e s s p e c ific a lly w h a t w i n d o w size is used a n d h o w o f t e n t h e size is c h a n g e d . In t h e p r e v io u s s ig n a t u r e , it is s e t a t 0 x 7 D 7 8 , a d e f a u l t w i n d o w size is c o m m o n l y used b y L inux. In a d d it io n , FreeBSD a n d Solaris t e n d t o m a i n t a i n t h e s a m e w i n d o w size t h r o u g h o u t a sessio n. H o w e v e r , Cisco r o u t e r s a nd M i c r o s o f t W i n d o w s / N T w i n d o w sizes a re c o n s t a n t ly c h a n g in g . T h e w i n d o w size is m o r e a c c u r a te if m e a s u r e d a f t e r t h e in itia l t h r e e - w a y h a n d s h a k e (d u e t o TCP s l o w s ta rt).
Session Based
M o s t s y s te m s use t h e DF b it set, so t h i s is o f l i m i t e d v a lu e . H o w e v e r , t h is d o e s m a k e it e a s ie r t o i d e n t i f y t h e f e w s y s te m s t h a t d o n o t use t h e DF f l a g (such as SCO o r O p e n B S D ). TOS is also o f l i m i t e d v a lu e , since it s e e m s t o be m o r e s e s s io n -b a s e d t h a n o p e r a t i n g - s y s t e m - b a s e d . In o t h e r w o r d s , it is n o t so m u c h t h e o p e r a t i n g s y s te m t h a t d e t e r m i n e s t h e TOS, b u t t h e p r o t o c o l used. T h e r e f o r e , b a se d o n t h is i n f o r m a t i o n , s p e c ific a lly TTL a nd w i n d o w size, o n e can c o m p a r e t h e r e s u lts t o t h e d a ta b a s e o f s ig n a t u r e s a n d , w i t h a d e g r e e o f c o n f i d e n c e , d e t e r m i n e t h e OS (in t h is case, L in ux k e rn e l 2.2.x). Just as w i t h a c tiv e f i n g e r p r i n t i n g , p assive f i n g e r p r i n t i n g has s o m e l i m i t a t i o n s . First, a p p lic a t io n s t h a t b u ild t h e i r o w n p a c k e ts (such as N m a p , h u n t , n e m e s is , e tc .) w ill n o t use t h e s a m e
s ig n a t u r e s as t h e o p e r a t i n g s y s te m . S e co n d , it is r e l a t iv e l y s im p le f o r a r e m o t e h o s t t o a d ju s t t h e TTL, w i n d o w size, DF, o r TOS s e t t i n g o n p a cke ts. Passive f i n g e r p r i n t i n g can be used f o r s e v e ra l o t h e r p u r p o s e s . C ra ck e rs can use " s t e a l t h y " f i n g e r p r i n t i n g . For e x a m p le , t o d e t e r m i n e t h e o p e r a t i n g s y s te m o f a p o t e n t i a l t a r g e t , such as a w e b s e rv e r, o n e n e e d o n l y r e q u e s t a w e b p ag e f r o m t h e s e rv e r, a n d t h e n a n a ly z e t h e s n if f e r tra c e s . T his b yp a sse s t h e n e e d f o r u sin g an a c tiv e t o o l t h a t v a r io u s IDS s y s te m s can d e t e c t . Also, passive f i n g e r p r i n t i n g m a y be used t o i d e n t i f y r e m o t e p r o x y f ir e w a lls . Since p r o x y f i r e w a l l s r e b u i l d c o n n e c t i o n s f o r c lie n ts , it m a y be p o s s ib le t o ID p r o x y f i r e w a l l s b ase d o n t h e s ig n a t u r e s th a t have been d iscu ssed . O r g a n iz a tio n s can use p assive f i n g e r p r i n t i n g t o id e n tify rogue s y s te m s o n t h e i r n e t w o r k . T h e se w o u l d be s y s te m s t h a t a re n o t a u t h o r i z e d o n t h e n e t w o r k .
W h y B a n n e r G ra b b in g ?
I d e n t i f y i n g t h e OS u sed o n t h e t a r g e t h o s t a llo w s an a t t a c k e r t o f i g u r e o u t t h e v u ln e r a b i l it ie s t h e s y s te m possesses a n d t h e e x p lo it s t h a t m i g h t w o r k o n a s y s te m t o f u r t h e r c a r r y o u t a d d it io n a l a tta c k s .
B a n n e r G r a b b in g T o o ls
-J ID S e rv e is u s e d t o id e n tify t h e m a k e , m o d e l, a n d v e r s io n o f a n y w e b s i t e ^ s e r v e r s o f tw a r e J It is a ls o u s e d to id e n tify non-H T T P (n o n -w e b ) I n te r n e t s e rv e rs su c h a s FTP, SMTP, POP, NEWS, e tc . J N e tc ra f t r e p o r t s a s ite 's o p e r a t in g s y s te m , w e b s e r v e r , a n d n e tb lo c k o w n e r t o g e t h e r w ith , if a v a ila b le , a g r a p h ic a l v ie w o f t h e ti m e s in c e la s t r e b o o t f o r e a c h o f t h e c o m p u te r s s e rv in g t h e s ite
ID Serve
N etcraft
B S w v e a III 0 r\r 0
| _ 011e1y | lr * f'"* copy / p it
y Iniemet Server Ideniiftcahon Utility v l 0 2 P e rs o n a lS e c u rity F re e w a reb yS te v eG ib te n C o p p g N f c l y fttw nR e t 0 c i C a p & 0 3

0 A /b *p 5
URL w IP
!| *vjfr<l w m rncroKO tan(
1 Iccttmedhoclier com ~|
^ 7 7 j *.t W h tr v r tlrl* tn iU R l0 I P K h01 !- p 0 ' l* d b o v I/ I AW |fwa<rvw im baton 1 >r*.* *****

( ; ILas*Wcamd Aed jETaa StSt'
^ yy p o w x !1 3 * i. 8< 1 0 1 1 oorta 3 7 8 01 11 5 3
J n :c t ?dC "
(/ MDb UMI
[Seiver McrDsoNIS/bO I
! :.P n v ^ o 1-fly A S P M F jl
TnewiverterttwdlMtM
fr"1
$ 2 0 1 0 1 0S w v *6r-*9
http://www. grc.com
http://toolbar. netcraft.com
T o o ls
B a n n e r g r a b b in g can be d o n e e v e n w i t h t h e h e lp o f to o ls . M a n y t o o l s a re a v a ila b le in t h e m a r k e t . T h e se t o o l s m a k e b a n n e r g r a b b i n g an easy ta sk. T h e f o l l o w i n g a re e x a m p le s o f b a n n e r g r a b b i n g to o ls :
\ j ID S e rv e
S o u rc e : h t t p : / / w w w . g r c . c o m ID Serve is u sed t o i d e n t i f y t h e m a k e , m o d e l , a n d v e r s io n o f a n y w e b s i t e 's s e r v e r s o f t w a r e ; it is also used t o i d e n t i f y n o n -H T T P ( n o n - w e b ) I n t e r n e t s e rv e rs such as FTP, SM TP, POP, NEWS, e tc.
ID S *
| | ^ 0 r y P
I- q - F B
Internet Server Identification utilityvl 02 Personal Security Freeware by Steve Gibson CopyngN Ic) 2003 by Gfcson Research Cap | O &A/Help
U :4J
Background
Se!vr Query
Enter a or copy / pa-.te paste an Interne! server U R L or ot IP * a ir Mte es ssi here (example
Irnrtifmdhncker |c e ftil B d h n ck e r com co w

Query The Server
m mrraaosoW rmaosoH com)
(2
W hen an Inlemer U R L ot IP has been provided above press the button to n b ate a query 01 the s p e c fo d server
ft
Server query processng
Lest-Modrtied Wed. 12 Jan 2U11 Ub Accept-Ranges none ETaa Q76b5t18b2cb1 17d0 5 r Server MioosolHIS/6 0 X-Powered-By A SPN ET
Ub tiM I
Ihe terveridentted (tel as
C 0 (V
(j 010 ID Serve web page
E*
FIGURE 3.45: ID Serve Screenshot N e tc ra ft

S o u rc e : h t t p : / / t o o l b a r . n e t c r a f t . c o m N e t c r a f t r e p o r t s a s ite 's o p e r a t i n g s y s te m , w e b s e rv e r, a n d n e t b l o c k o w n e r t o g e t h e r w i t h , if a v a ila b le , a g r a p h ic a l v i e w o f t h e t i m e sin ce last r e b o o t f o r e a ch o f t h e c o m p u t e r s s e rv in g t h e site .
ETC RAFT
S it e r e p o r t f o r c e r t if le d h a c k e r . c o m
Netcraft Toolbar
) Mom# Download Nowl
SHo D om ain
h ttp / ccrtA < jhjd..eom com
L a st ro b o o t N o tb k x k S it ran k N nM Krvr DNS a dm in R e v e rs e DNS N m i ( 1v 1 r
1 day 99 0 g ra p *
E 2 ) Uptimo
im VAW i>L H osting 270S0I ncO.rtoyo ar1yfooc.com dnn9n0Y artyfM com n s 1 .noyear1yfeet.com S u c c t t t Id e a IT Services,
Rapwt a P hah Top R port re P N M tttC tu n tM PNhlelHolefa Mod Popular WaDc<tet
IP w M m k i
C o untry
202 75.54.101
D Mr
DM flnt
00c*mfcK 2002 dxoMS.com

1 #ftA *flhd com.
see
Domain
O r g itk a tio
I
Tail a Fntoa cercrtetir1acfcer.com. cettW h jcV r com. 92345. united Scatts
T o o lb a r S u p p o rt . * a FAQ Glossary Contact Us Report Bug C heck a n o th e r s ite : N o s t l n g H is to r y Net block O w n e r IM V M S DC Hostm g TM VADS DC Hostm g TM VADS DC H osting TM VADS DC Hostm o TM VADS DC H osting IP a d d r e s s OS
organisation Oamansara Java. Recakng Jaym. S elangor. 4 7 400.
Malaysia
W e b S e rv e r Microsoftn s /e .Q Microsoft IIS/6.0 Microsoft IIS /6.0 Microsoft 115/6.0 MicrosoftIIS/C.O
L ast changed
1 /-Ju >~2012
T u to ria ls Installing Tooioar u w r 0 me Toolbar Gatling m Most Rpt>org a Phish A b o u t N e tc ra ft fJGlcrart Horn# About Nttcrafl
2 0 2 .7 $ . 4 . 101 W indow s srv r 2003 202.75 .5 4 .1 0 1 202.75 .5 4 .1 0 1 2 02.75.54.101 ?07.7S .S 4.101 W indow s S e rver 2003 W indow* Server 2003 Window* Server 2003 Window* Server
9 )on 2012 9-May-2012 9-Apr-2012 19-Feb20 1 2
FIGURE 3.46: Netcraft Screenshot
B a n n e r G r a b b in g T o o ls
(C o n td)
1. # nc / - w w w w .ju g g y b o y .c o m 8 0 - press[Enter]
CEH
2 . G ET
H T T P / 1 . 0 - Press [Enter] tw ic e
This utility reads and writes data across network connections, using the TCP/IP protocol
Etf* V im m ro o t e b t :- # rc - v * www .jtoayboy.co 8 DNS fw d /re i/ mismatch www.jugcydoy.toa </ww. j Lggybay . con 1295 .1 7 8 .1 5 2 .2 6] 30 GET / M TTP/1.9 HTTP/1 .1 296 O K Connection: elo se Date: Mon, 13 Aug 2912 12 :1 4 :1 0 GMT co n ten t-L e n g th : 2 1 0 | C o n te n t-iv p e : t e x t / r i p l ^ I C o n ten t-< C cat#rn: h t t p : 7 /1 6 .4 . 26. / b f a u It I h t n L a s tM o d itie d : Wed. 19 Apr 2366 2 2 :0 9 :1 2 GMT AcceotRanges: none ETaa: 9 b46bc3fd53c61:7a49 S e rv e r: M ic r o s o f t - IIS / 6 .0 M lrr 0 ( 0 f t O f f ic * W * b ( * r v t r ! 5 .8 Pub X Powered-By: ASP.MET
f* r
* r
S e rv e r id en tified a s M icrosoft-1 IS/6.0
t r a c k
h ttp : //n e tc a t.s o u r c e fo r g e .n e t L
1. t e ln e t
w w w .c e r tifie d h a c k e r .c o m H T T P / 1 . 0 - Press [Enter] tw ic e
8 0 - press[Enter]
T e ln e t
2 . G ET
C .\ W in d o w A iy 5 te m 3 2 \ c m d .c x e
n t-U n g th :
HTTP/ 40 1.1J Forbidde

21H
This technique probes HTTP servers to determine the Server field in the HTTP response header
: H i P M c n f t - l I S / h . M
S e rv e r id en tified a s M icrosoft-1 IS/6.0
ChtmlXheadXtit le>Error<StitleXsheadXbodvXheadXtitle>Diecto1 *v List ing D od</t it lo Xhoad> ChodyXhl )Directory Listing D e n1ed</ hi >This Uirtual Director oe3 oot allow contents to be listed. < /-bodyX/'bodyX/y htnl>
B a n n e r G ra b b in g L* N e tc a t
T o o l s ( C o n t d )
S o u rc e : h t t p : / / n e t c a t . s o u r c e f o r g e . n e t N e t c a t is a n e t w o r k i n g u t i l i t y t h a t re a d s a n d w r i t e s d a t a acro ss n e t w o r k c o n n e c t i o n s , w i t h t h e h e lp o f t h e TCP/IP p r o t o c o l . It is d e s ig n e d t o be a r e lia b le " b a c k - e n d " t o o l t h a t can be used d ir e c t ly o r e a sily d r iv e n b y o t h e r p r o g r a m s a n d s c rip ts . It p r o v id e s access t o t h e f o l l o w i n g ke y fe a t u r e s : O u t b o u n d a n d i n b o u n d c o n n e c t i o n s , TCP o r UDP, t o o r f r o m a n y p o rts . F e a tu re d t u n n e l i n g m o d e , w h i c h also a llo w s sp ecial t u n n e l i n g such as UDP t o TCP, w i t h t h e p o s s ib ilit y o f s p e c ify in g all n e t w o r k p a r a m e t e r s ( s o u rc e p o r t / i n t e r f a c e , lis te n in g p o r t / i n t e r f a c e ) , a n d t h e r e m o t e h o s t a ll o w e d t o c o n n e c t t o t h e t u n n e l . B u ilt -in p o r t - s c a n n i n g c a p a b ilit ie s , w i t h r a n d o m i z e r . A d v a n c e d usage o p t i o n s , such as b u f f e r e d s e n d - m o d e (o n e lin e e v e r y N s e c o n d s ) a nd h e x d u m p (to s t d e r r o r t o a s p e c ifie d file ) o f t r a n s m i t t e d a n d r e c e iv e d d a ta . O p t i o n a l RFC854 t e l n e t c o d e s p a r s e r a n d r e s p o n d e r . You can use t h e N e t c a t t o o l f o r g r a b b i n g t h e b a n n e r o f a w e b s i t e by f o l l o w i n g t h is p ro c e ss. H e re , t h e b a n n e r g r a b b i n g is d o n e o n t h e w w w . J u g g y b o y . c o m w e b s e rv e r f o r g a t h e r i n g t h e s e r v e r fie ld s such as s e r v e r t y p e , v e r s io n , e tc.
# nc - v v w w w . j u g g y b o y . c o m 8 0 - p re s s [E n te r] GET / H T T P /1 .0 - Press [E n te r ] t w i c e
F ro m t h e s c r e e n s h o t , y o u can o b s e r v e t h e a re a h ig h l i g h t e d in re d c o lo r is a s e r v e r v e r s io n (M ic ro s o ft-IIS /6 .0 ).
file Edit ytew Jferminal Help
ro o t@ b t:-# nc -vv www.juggyboy.com 80 DNS fw d /re v mismatch: www.juggyboy.com ! * w2k3-web26. p ro d . n e ts o lh o s t. con www.juggyboy.com [2 0 5 .1 78 .1 5 2 .2 6] 80 (www) open GET / HTTP/1.0 HTTP/1.1 200 O K C onnection: close Date: Mon, 13 Aug 2012 12:14:1G GM T C on te n t-L e ng th: 2165M C ontent-Tvpe: t e x t / s C o n te n t^ffo ca titin : h t t p :/ /1 0 . 4 9 . 3 9 . 2 6 /d e fa u lt .htni L a s t-M o d ifie d : Wed, 19 Apr 2006 22:09:12 GM T AcceptRanges: none ETaq : Gb46be3f d63c61: 7349 S e rve r: M ic r o s o ft - IIS / 6 . 0 M ic ro s o ftO ffic e W e b S e rv e r: 5.0 Pub X-Powered-By: ASP.NET
ft* 1^ ^
Ix
FIGURE 3.47: Netcat showing Banner Grabbing Result T e ln e t

T his t e c h n i q u e p r o b e s HTTP s e r v e r s t o d e t e r m i n e t h e S e rv e r fie ld in t h e HTTP response hea de r. For in s ta n c e , i f y o u w a n t t o e n u m e r a t e a h o s t r u n n i n g h t t p ( tc p 80), t h e n y o u h a ve t o f o l l o w t h is p r o c e d u r e : First, o p e n t h e c o m m a n d p r o m p t w i n d o w . Go t o S t a r t > R un , t y p e c m d , a n d press E n te r o r clic k OK. In t h e c o m m a n d p r o m p t w i n d o w , r e q u e s t t e l n e t t o c o n n e c t t o a h o s t o n a s p e c ific p o r t : C : \ t e l n e t w w w . c e r t i f i e d h a c k e r . c o m 8 0 a n d p re ss E n te r. N e x t, y o u w i ll g e t a b la n k s c re e n w h e r e y o u h a v e t o t y p e GET / H T T P /1 .0 a n d press E n te r t w i c e . In t h e f in a l s te p , t h e h t t p s e r v e r re s p o n s e s w i t h t h e s e r v e r v e r s io n , say M ic r o s o f t - I I S / 6 . 0 . F ro m t h e s c r e e n s h o t y o u can see t h e a rea h ig h l i g h t e d in re d c o lo r is t h e s e r v e r v e rs io n d e ta ils .
C:\Windows\system32\cmd.exe H T T P /1 .1 403 F o r b id d e n C o n te n t- L e n g th : 218 C n n te n t Tune: te x t/h tm l S erv er: M ic ro so ft-IIS /6 .0 X - P o u e r e d - B y : ftS P . N E T D a t e : S a t , 1 1 fl u g 2 0 1 2 0 9 : 5 7 : 0 7 GMT u o n n e cc io n : cxose < h tm lX h e a d X title > E rro r< /title X /b e a d X b o d y X b e a d X title > D ire c to ry L istin g D e d < /t i t le X /b e a d > D ire c to ry L i s tin g D e n ied < /h l> T h is U ir tu a l D ire c to r o e s n o t a l l o u c o n t e n t s to be l i s t e d . C o n n ec tio n to host lo st.
FIGURE 3.48: Command Prompt showing http server responses with the server version
B a n n e r G ra b b in g D is a b lin g
C o u n te rm e a s u re s : B a n n e r
C E H
o r C h a n g in g
Display false banners to misguide the attackers
Turn off 0 1 unnecessary services on the network host to limit the information tion disclosure disclos IIS users can use these tools to disable or change banner information
~ ~
IIS L ockdow n Tool (h ttp ://m ic r o s o f t.c o m ) S e rv e rM a s k (h ttp ://w w w .p o r t8 0 s o f tw a r e .c o m )
Apache 2.x with m od_headers module - use a directive in h t t p d . conf file to change banner information Header set Server "New Server Name"
itu Alternatively, change the S e rv e rS ig n a tu re line to S e rv e rS ig n a tu re O ff in h t t p d . co n f file
B a n n e r G ra b b in g --------C h a n g in g
C o u n te rm e a s u re s : D is a b lin g
o r
B a n n e rs
A t t a c k e r s use b a n n e r g r a b b in g t e c h n i q u e s a n d f i n d o u t s e n s i t i v e i n f o r m a t i o n such as d e v ic e ty p e s , o p e r a t i n g s y s te m s , a p p li c a t i o n v e r s io n , e tc . used b y t h e v i c t i m . W i t h t h e h e lp o f t h e g a t h e r e d i n f o r m a t i o n , t h e a t t a c k e r e x p lo it s t h e v u l n e r a b i l it ie s t h a t a re n o t u p d a t e d w i t h t h e s e c u r i t y p a tc h e s a n d la u n c h e s t h e a tta c k s . So, t o p r o t e c t y o u r s y s te m a g a in s t b a n n e r g r a b b in g a tta c k s , a f e w c o u n t e r m e a s u r e s can be a d o p t e d a n d t h e y a re lis te d as f o l lo w s : D is a b lin g o r C h a n g in g B a n n e r Q Q Q D isp la y fa lse b a n n e r s t o m is g u id e a t ta c k e r s T u r n o f f u n n e c e s s a r y se rv ic e s o n t h e n e t w o r k h o s t t o l i m i t i n f o r m a t i o n d is c lo s u r e IIS u sers can use th e s e t o o l s t o d is a b le o r c h a n g e b a n n e r i n f o r m a t i o n : S S 9 IIS L o c k d o w n T o o l (h t t p : / / m i c r o s o f t . c o m ) S e r v e r M a s k (h t t p : / / w w w . p o r t 8 0 s o f t w a r e . c o m )
A p a c h e 2.x w i t h mod_headers m o d u l e - use a d ir e c t iv e in httpd. conf file t o c h a n g e b a n n e r i n f o r m a t i o n H e a d e r s e t S e r v e r " N e w S e rv e r N a m e "
A l t e r n a t i v e l y , c h a n g e t h e ServerSignature lin e t o ServerSignature Off in t h e
httpd.conf file
H id in g W e b
F ile
E x t e n s io n s
f r o m C E H
P a g e s
F ile e x t e n s i o n s r e v e a l i n f o r m a t i o n a b o u t t h e u n d e rly in g s e r v e r te c h n o lo g y t h a t a n a tta c k e r
c a n u tiliz e to la u n c h a t t a c k s
IIS u s e r s u s e t o o l s s u c h a s P a g e X c h a n g e r to m a n a g e th e file e x t e n s i o n s H id e file e x t e n s i o n s t o m a s k t h e w e b te c h n o lo g y
A p ach e u se rs can u se m o d _ n e g o t i a t i o n d ir e c ti v e s
C h a n g e a p p lic a tio n m a p p in g s su ch a s .a s p w ith . h t m o r .f o o , e t c . to d is g u is e t h e i d e n t i t y o f t h e s e r v e r s
It is even better if the file extensions are not at all used

H id in g
File
F ile E x te n s io n s fro m
p r o v id e in fo rm a tio n
W e b
th e
P a g e s
u n d e rly in g s e rve r te c h n o lo g y ;
e x te n s io n s
about
a t ta c k e r s can use t h is i n f o r m a t i o n t o s e a rc h v u l n e r a b i l it ie s a n d la u n c h a tta c k s . H id in g file e x te n s io n s is a good p r a c tic e to mask te c h n o lo g y -g e n e ra tin g d y n a m ic pages. Change
a p p li c a t i o n m a p p in g s such as .asp w i t h . h t m o r .fo o , e tc. t o d is g u is e t h e i d e n t i t y o f t h e s e rve rs. A p a c h e users can use m o d _ n e g o t i a t i o n d ir e c t iv e s . IIS users use t o o l s such as P a g e X c h a n g e r t o m a n a g e t h e f ile e x te n s io n s . D o in g w i t h o u t file e x te n s io n s a l t o g e t h e r is an e v e n b e t t e r ide a.
C E H
So fa r, w e h a v e d iscu sse d h o w t o c h e c k f o r live s y s te m s , o p e n p o r ts , scan b e y o n d IDS, a n d t h e use o f b a n n e r g ra b b in g . All th e s e c o n c e p ts h e lp an a t t a c k e r o r s e c u r it y a d m i n i s t r a t o r t o fin d th e lo o p h o le s t h a t m ay a llo w an a t t a c k e r i n t o th e ir n e tw o rk . Now we w i ll discuss
v u l n e r a b i l i t y s c a n n in g , a m o r e d e t a i le d te s ts t o d e t e r m i n e v u ln e r a b i l it ie s in a n e t w o r k , a n d its re s o u rc e s .
^ a; Scan f o r V u l n e r a b i l i t y
ft
f^
Scanning Beyond IDS
Jfe J
Prepare Proxies
Banner Grabbing
T his s e c tio n d e s c r ib e s v u l n e r a b i l i t y s c a n n in g a n d v a r io u s v u l n e r a b i l i t y s c a n n in g to o ls .
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COlMCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
V u ln e r a b i lit y S c a n n in g
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and netw< order to determine how a system can be exploited
1 w
Q
^
V u ln e ra b ility
S c a n n in g
V u l n e r a b i l i t y s c a n n in g i d e n t if ie s v u l n e r a b i l i t i e s a n d w e a k n e s s e s o f a s y s te m a nd
n e t w o r k in o r d e r t o d e t e r m i n e h o w a s y s te m can be e x p l o i t e d . S im ila r t o o t h e r s e c u r it y te s ts such as o p e n p o r t s c a n n in g a n d s n if f i n g , t h e v u l n e r a b i l i t y t e s t also assists y o u in s e c u r in g y o u r n e t w o r k b y d e t e r m i n i n g t h e l o o p h o l e s o r v u l n e r a b i l it ie s in y o u r c u r r e n t s e c u r it y m e c h a n is m . T his s a m e c o n c e p t can also be used b y a tt a c k e r s in o r d e r t o f i n d t h e w e a k p o i n t s o f t h e t a r g e t n e t w o r k . O n c e t h e y fin d a n y w e a k p o in t s , t h e y can e x p l o i t t h e m a n d g e t in t o t h e t a r g e t
n e t w o r k . E thical h a c k e rs can use th is c o n c e p t t o d e t e r m i n e t h e s e c u r it y w e a k n e s s e s o f t h e i r t a r g e t b u s in e ss a n d fix t h e m b e f o r e t h e b ad g u ys f i n d a n d e x p l o i t t h e m . V u l n e r a b i l i t y s c a n n in g can f i n d t h e v u l n e r a b i l it ie s in: Q 9 9 9 N e t w o r k t o p o l o g y a nd OS v u ln e r a b i l it ie s O p e n p o r t s a n d r u n n i n g se rv ic e s A p p l i c a t i o n a n d s e rvice s c o n f i g u r a t i o n e r r o r s A p p l i c a t i o n a n d s e rvice s v u ln e r a b i l it ie s
V u l n e r a b i l i t y N e s s u s
S c a n n in g
T o o l:
Nessus is the vulnerability and configuration assessment product
F eatures
Cw Sa a ssa
,
Agentless auditing Compliance checks Content audits Customized reporting High-speed vulnerability discovery In-depth assessments Mobile device audits Patch management integration Scan policy design and execution
. lb .1 W IW U .ir^ 1 T r w m * m Nw iil M T T P
a a >a , a
M \Ma
<M Iran
M M S o o a o f lW t w * n 1 1 S M B H a g i t T ! totu C a n m 4 A a * H th W to k x nf a ip M y
http://www. tenable, com

V u ln e ra b ility
S c a n n in g
T o o l: N e s s u s
S o u rc e : h t t p : / / w w w . t e n a b l e . c o m N essus is a v u l n e r a b i l i t y s c a n n e r a p r o g r a m t h a t s e a rc h e s f o r bugs in s o f t w a r e . This t o o l a llo w s a p e r s o n t o d is c o v e r a s p e c ific w a y t o v i o l a t e t h e s e c u r it y o f a s o f t w a r e p r o d u c t . T he v u ln e r a b i l it y , in v a r io u s levels o f d e t a il, is t h e n d is c lo s e d t o t h e u s e r o f t h e t o o l . T h e v a r io u s s te p s t h is t o o l f o l l o w s are: e e e 0 0 D ata g a t h e r i n g Host id e n tific a tio n P o r t scan P lu g-in s e le c tio n R e p o r tin g o f d a ta
T o o b t a i n m o r e a c c u r a te a n d d e t a i le d i n f o r m a t i o n f r o m W i n d o w s - b a s e d h o s ts in a W i n d o w s d o m a i n , t h e u s e r can c r e a te a d o m a i n g r o u p a n d a c c o u n t t h a t h a v e r e m o t e r e g is t r y access p riv ile g e s . A f t e r c o m p l e t i n g th is ta sk, he o r she g e ts access n o t o n l y t o t h e r e g is t r y k e y s e ttin g s b u t also t o t h e S e rvice Pack p a tc h levels, I n t e r n e t E x p lo r e r v u ln e r a b i l it ie s , a n d se rv ic e s r u n n i n g o n t h e h o s t.
It is a c li e n t - s e r v e r a p p li c a t i o n . T h e N essus s e r v e r r u n s o n a UN IX s y s te m , k e e p s t r a c k o f all t h e d i f f e r e n t v u l n e r a b i l i t y te s ts , a nd p e r f o r m s t h e a c tu a l scan. It has its o w n u s e r d a ta b a s e a n d se c u re s a u t h e n t i c a t i o n m e t h o d s , so t h a t r e m o t e u sers u s in g t h e N essus c l i e n t can log in, c o n f i g u r e a v u l n e r a b i l i t y scan, a n d se n d it o n its w a y . N essus in c lu d e s S c r i p t in g
NASL (Nessus Attack
Language), a la n g u a g e d e s ig n e d t o w r i t e s e c u r it y te s ts .
T h e v a r io u s f e a t u r e s o f Nessus a re : 9 Each s e c u r it y t e s t is w r i t t e n as a
separate plug-in. T his w a y , t h e u s e r can e a s ily a d d te s ts
w i t h o u t h a v in g t o re a d t h e c o d e o f t h e N essus e n g in e . Q It p e r f o r m s s m a r t se rv ic e r e c o g n i t i o n . It a s s u m e s t h a t t h e t a r g e t h o s ts w i ll r e s p e c t t h e IA N A a ssig ne d p o r t n u m b e r s . 9 T h e N essus S e c u r ity S c a n n e r is m a d e u p o f t w o p a rts : A s e rv e r, w h i c h p e r f o r m s t h e a tta c k , a n d a c lie n t, w h i c h is t h e f r o n t e n d . T h e s e r v e r a nd t h e c l i e n t can be r u n o n d i f f e r e n t s y s te m s . T h a t is, t h e u s e r can a u d i t his w h o l e n e t w o r k f r o m his p e r s o n a l
c o m p u t e r , w h e r e a s t h e s e r v e r p e r f o r m s its a tta c k s f r o m t h e m a in f r a m e , w h i c h m a y be l o c a te d in a d i f f e r e n t a rea.
n e ssus R e p o rts Reports Mobile Scans Policies Users Configurator
**1 | H * |
| u f u l g
Scan LAN 1
V v trm n tm ySummary | HortSunmTY

* Add Flit* 9 Clear FHtec*
Rj/ vwq LMKfwd Aug 13,2012 19:07 Filters ! N o F ltea
FIGURE 3.49: Nessus Screenshot
V u l n e r a b i l i t y G F I L a n G
S c a n n in g
T o o l:
u a r d
c
UrtifW4
E H
ttkKJl N mIm
0
J i n v e n to r y , c h a n g e
0
GFI L a n G u a rd a s s is ts in a s s e t
H te
GPI LanGuard 2012 > *D * M o * d S c m R e T M d u tr M o n itc r R tp c rtt C o n fig u ritk n
G m e
, Oienee
# Ccwtxjen
-M 3r>
'AJryraMtm
Fato>
.4
< Ports Fo rt*
Softa Soft*(
w *
Harare
14
m a n a g e m e n t , ris k a n a ly s is , a n d p r o v in g c o m p lia n c e J F e a tu r e s : e Selectively creates custom vulnerability checks
*E rtrtto rtw rt t j Lxahoet w3N*EBOcc1 - J l * l v 0 e S C ^
p Enore Network -1 computer<
----------------jrn u to o tiie dA p p c * ... 0c o n p tfe n A u d r iS ta tu O w S im
nj-mtbtli
, - -
Helps ensure third-party security applications offer optim um protection Performs network device vulnerability checks
lu n tu tn < U w a U * .y
i .c n p u u e * rope*m m *
0, - Copyright by fC-CNDCil. All Rights Reserved. Reproduction is Strictly Prohibited.
http://www. gfi.com
V u ln e ra b ility
S c a n n in g
T o o l: G F I L a n G u a r d
S o u rc e : h t t p : / / w w w . g f i . c o m
GFI L a n G u a rd acts as a v i r t u a l s e c u r i t y c o n s u l t a n t . It o f f e r s p a tc h m a n a g e m e n t , v u l n e r a b i l i t y a s s e s s m e n t, a n d n e t w o r k a u d it in g se rvice s. It also assists y o u in a s set i n v e n t o r y , c h a n g e
m a n a g e m e n t , risk analysis, a n d p r o v in g c o m p lia n c e . F e a tu re s : 9 9 9 9 9 S e le c tiv e ly c r e a te s c u s t o m v u l n e r a b i l i t y ch e cks I d e n tifie s s e c u r it y v u l n e r a b i l it ie s a nd ta k e s r e m e d i a l a c tio n C re a te s d i f f e r e n t t y p e s o f scans a n d v u l n e r a b i l i t y te s ts H elp s e n s u r e t h i r d p a r t y s e c u r it y a p p lic a t io n s o f f e r o p t i m u m p r o t e c t i o n P e r f o r m s n e t w o r k d e v ic e v u l n e r a b i l i t y ch e cks
11 1
Creates different types of scans and vulnerability tests
J 'l
1 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _A
Identifies security vulnerabilities and takes remedial action
0e o n o tte n
E B
GFI LanGuard 2012
I J-P I *
Configuration Utilities
<
Group
Dashboard
S<an
Remediate
Activity Monitor
Reports
Uj
Discuss ts versaon
Q.
Overview
IS
0 Computer!
ttrtory
&
ip VynerabAbes
(J
Patches Port Software Hardware
Syitem Information
5* Entire Network
* J lo c d h o s t: W INMSSELCK4<41 - 1 } local DomOT: WORKGROUP
E n tire N etw o rk -1 c o m p u te r
Vdnerabity Level Seanty Sensors Software Updates Firewall Issu e s C redent!! Setup
S SW I N H S S a C M M l
I0 computers
Service Packs and Up Most Vulnerable Computers |WIN-MSSELCK4K41 Vulnerabilities
# l 0. computers ......
1computers
VuherabAty Trend Over Tne
UP
H *
Tout
C o m m o n Talks
O
l Insta n progress Urwrstal * *progress Not IrtStalM D*ptoy*nrt Erron Ocomputvtl) 0 computer{*) 0 compa^*) 1computes) 0 compuM^s) 1 Agent Status | Audt Status |
Computer ViJnerabAty Ois&fcubon
Computers By Operating System
HUBUldL.
Custom scar
Addmoncomodera
H gp M*2*yn tow HA
icompuc
0 comput..
Ocomput. Ocomput.
SaanrigatiDeploy aocrt
O
]computers By Operating...| Computers By Network ... 1
FIGURE 3.50: GFI LanGuard Screenshot
V u l n e r a b i l i t y S A I N T
S c a n n in g
T o o l:
F e a tu re s : Identify vulnerabilities on network devices Detect and fix possible weaknesses in the network security Prevent common system vulnerabilities a Demonstrate compliance with current government and industry regulations e Perform compliance audits with policies defined by FDCC, USGCB,
V u ln e ra b ility
S c a n n in g
T o o l: S A IN T
S o u rc e : h t t p : / / w w w . s a i n t c o r p o r a t i o n . c o m SAINT is an i n t e g r a t e d n e t w o r k t o o l s f o r s e c u r i t y a d m i n i s t r a t o r s . U sing t h is t o o l , y o u can f i n d s e c u r it y v u l n e r a b i l it ie s acro ss t h e n e tw o rk i n c lu d in g d e v ic e s , o p e ra tin g s y s te m s , d e skto p
a p p lic a tio n s , w e b a p p lic a tio n s , d a ta b a s e s , e tc. in a n o n - i n t r u s i v e m a n n e r . It also e n a b le s y o u t o g a t h e r i n f o r m a t i o n such as o p e r a t i n g s y s te m ty p e s a n d o p e n p o r ts , e tc . It a llo w s y o u t o scan a n d e x p l o i t t a r g e t s w i t h an IPv4, IPv6, a n d / o r URL a d d re s s . F e a tu r e s : 9 9 D e te c ts a n d fix e s p o s s ib le w e a k n e s s e s in y o u r n e t w o r k ' s s e c u r it y A n t i c i p a t e s a n d p r e v e n t s c o m m o n s y s te m v u ln e r a b i l it ie s D e m o n s t r a t e s c o m p li a n c e w i t h c u r r e n t g o v e r n m e n t a n d in d u s t r y r e g u l a t i o n s such as PCI DSS, NERC, FISMA, SOX, GLBA, HIPAA, a n d COPPA 9 P e r fo r m s c o m p li a n c e a u d it s w i t h p o lic ie s d e f i n e d by FDCC, USGCB, a n d DISA
1 *
r
Vulnerability Scanner
I r iiu m U rn u w **
&
%
t>* * KM M
Op(** > kM M 1c% 1
r e a a
rz ri
Vulnerability By Count! VnNfiMn
* CrmcMi f n u t m t A / f i o i Conem * * * * * H0*t * d ^ * 4 4 * a 10.7.0. IS 10-7-Q-14 1Q.7.Q.2 10.7. Q. 11 10 7.0 104 10-7-0-101 10-7.0.12 10.7.0.S * 10.7.0.13a 10.7.0.140 > 10.7.0.150 10,7.0 . m 4 10.7 o i a o 10-7.0.31 * 10.7.0.131 ^ 10.7.0.112 10.7.0.119 10.7.0.146 J 10.7.0.7 S 4 14 4 1 1 a s 0 6 0 0 0 ToU l 41 37 34 1 S
31 14 14 4 2 2
0 0 0 0 0 0 0 0 0 0 0 0
2 2 0 0 0 0 1 0 0 1
0 0 2 2 2 t 2 0 0 1 t 0
2 2 2 2 2 2 I I 1 1 1
______
FIGURE 3.51: SAINT Screenshots
N e t w o r k
V u l n e r a b i l i t y
S c a n n e r s
C E H
Retina CS
-o
http://go.eeye.com
http://w w w .open\/a s.o rg
OpenVAS
http://w w w .coresecu rity,co m
Core Impact Professional
g m
LJpSrJ
http://w w w .m anageengine.com
Security M a n a g e r Plus
MBSA
Nexpose
http://w w w .m icrosoft.co m
http://w w w .ra p id 7 .co m
111
S h a d o w Security Scanner i]
http://w w w .safety-lab.com
B E 3F
M l
http://w w w .q u alys.com
QualysGuard
Nsauditor N e t w o r k Security
Security Auditor's Research Assistant (SARA)
http://w w w .nsa u d ito r.co m

C o p y r ig h t b y
Auditor
http://w w w -arc.co m
EG-G*ancil. A ll
R ig h ts R e se rv e d . R e p ro d u c tio n Is S tr ic tly P ro h ib ite d .
N e tw o rk V u ln e r a b ility
N e tw o rk v u ln e r a b i l it ie s v u ln e ra b ility v u ln e ra b ility ta rg e t s c a n n e rs
S c a n n e rs
th e to o ls th a t assist y o u in id e n tify in g h e lp y o u can th e in
are
in t h e
n e tw o rk
or n e tw o rk a u d it in g .
r e s o u r c e s . T h e se s c a n n e rs U sing th e s e s c a n n e rs ,
assessm ent
and
n e tw o rk
you
fin d
v u ln e r a b i l it ie s in n e t w o r k s , w i r e d o r w ire le s s , o p e r a t i n g s y s te m s , s e c u r it y c o n f i g u r a t io n , s e rv e r t u n i n g , o p e n p o r ts , a p p lic a tio n s , e tc. A f e w n e t w o r k v u l n e r a b i l i t y s c a n n e rs a n d t h e i r h o m e site s a re m e n t i o n e d as f o l lo w s , u sin g w h i c h y o u can p e r f o r m n e t w o r k s c a n n in g : 9 9 Q Q 9 Q 9 e 9 9 R e tin a CS a v a ila b le a t h t t p : / / g o . e e v e . c o m C ore I m p a c t P ro fe s s io n a l a v a ila b le a t h t t p : / / w w w . c o r e s e c u r i t y . c o m M B S A a v a ila b le a t h t t p : / / w w w . m i c r o s o f t . c o m S h a d o w S e c u r ity S c a n n e r a v a ila b le a t h t t p : / / w w w . s a f e t v - l a b . c o m N s a u d i t o r N e t w o r k S e c u r ity A u d i t o r a v a ila b le a t h t t p : / / w w w . n s a u d i t o r . c o m O p e n V A S a v a ila b le a t h t t p : / / w w w . o p e n v a s . o r g S e c u r ity M a n a g e r Plus a v a ila b le a t h t t p : / / w w w . m a n a g e e n g i n e . c o m N e x p o s e a v a ila b le a t h t t p : / / w w w . r a p i d 7 . c o m Q u a ly s G u a r d a v a ila b le a t h t t p : / / w w w . q u a l y s . c o m S e c u r ity A u d i t o r 's R esearch A s s is ta n t (SARA) a v a ila b le a t h t t p : / / w w w - a r c . c o m
C E H
S c a n n in g
M e th o d o lo g y
So fa r, w e d iscu sse d v a r io u s s c a n n in g c o n c e p ts such as s o u rc e s t o be s c a n n e d , t o o l s t h a t can be u sed f o r s c a n n in g , a n d v u l n e r a b i l i t y s c a n n in g . N o w w e w ill discuss t h e n e t w o r k d ia g r a m , an i m p o r t a n t d ia g r a m t h a t e n a b le s y o u t o a n a ly z e t h e c o m p l e t e n e t w o r k t o p o l o g y .
191
J *
Scanning Beyond IDS
3 0
r-^r-n
Prepare Proxies
Banner Grabbing
T his s e c tio n h ig h lig h ts t h e i m p o r t a n c e o f t h e n e t w o r k d ia g r a m , h o w t o d r a w t h e n e t w o r k d ia g r a m o r m a p s , h o w a t ta c k e r s can use th e s e l a u n c h in g a tta c k s , a n d t h e t o o l s t h a t can be used t o d r a w n e t w o r k m ap s.
r a
i n
e t w
o r k
i a g r a m
C E H
(rtifwtf ilk > Hhw
4 1
J Drawing target's network diagram gives valuable information about the network and its architecture to an attacker J Network diagram shows logical or physical path to a potential target
Intranet
DMZ
Intranet
EG-G*ancil. A ll
D ra w in g
N e tw o rk
D ia g ra m s
T h e m a p p i n g o f n e t w o r k s i n t o d ia g r a m s h e lp s y o u t o i d e n t i f y t h e t o p o l o g y o r th e a r c h it e c t u r e o f t h e t a r g e t n e t w o r k . T h e n e t w o r k d ia g r a m also h e lp s y o u t o t r a c e o u t t h e p a t h t o t h e t a r g e t h o s t in t h e n e t w o r k . It a lso a llo w s y o u t o u n d e r s t a n d t h e p o s it io n o f f ir e w a lls , r o u t e r s , a n d o t h e r access c o n t r o l d e v ic e s . Based o n t h e n e t w o r k d ia g r a m , t h e a t t a c k e r can a n a ly z e t h e t a r g e t n e t w o r k ' s t o p o l o g y a n d s e c u r it y m e c h a n i s m s . It h e lp s an a t t a c k e r t o see t h e f ir e w a lls , IDSs, a n d o t h e r s e c u r it y m e c h a n is m s o f t h e t a r g e t n e t w o r k . O n c e t h e a t t a c k e r has th is i n f o r m a t i o n , h e o r she can t r y t o f i g u r e o u t t h e v u l n e r a b i l it ie s o r w e a k p o i n t s o f t h o s e s e c u r it y m e c h a n is m s . T h e n t h e a t t a c k e r can f i n d his o r h e r w a y i n t o t h e t a r g e t n e t w o r k by e x p l o i t i n g t h o s e s e c u r it y w e a k n e s s e s . T h e n e t w o r k d ia g r a m also h e lp s n e t w o r k a d m i n i s t r a t o r s m a n a g e t h e i r n e t w o r k s . A t t a c k e r s use n e t w o r k d is c o v e r y o r m a p p i n g t o o l s t o d r a w n e t w o r k d ia g r a m s o f t a r g e t n e t w o r k s . T h e f o l l o w i n g f i g u r e d e p ic t s an e x a m p l e o f a n e t w o r k d ia g r a m :
In tra n e t
DMZ
In tra n e t
FIGURE 3.52: Network Diagram
N e t w o r k
D is c o v e r y
T o o l: C E H
L A N s u r v e y o r
L A N s u r v e y o r discovers a n e t w o r k a n d p r o d u c e s a c o m p r e h e n s i v e n e t w o r k d i a g r a m that integrates OSI Layer 2 a n d Layer 3 topology data
F e a tu re s
A u t o - g e n e r a t e N e tw o r k M a p s E x p o r t N e tw o r k M a p s t o V isio A u to -d e te c t C h a n g e s I n v e n to r y M a n a g e m e n t N e tw o r k R e g u la to r y C o m p lia n c e N e tw o r k T o p o lo g y D a t a b a s e M u lti-le v e l N e tw o r k D is c o v e ry
aao
LANsu
LANsurveyor
http://www.solarwinds.com
C o p y r ig h t b y E C - C t in C il. A ll R ig h ts R e se rv e d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d .
N e tw o rk
D is c o v e ry
T o o l: L A N s u r v e y o r
S o u rc e : h t t p : / / w w w . s o l a r w i r 1d s .c o m L A N s u r v e y o r a llo w s y o u t o a u t o m a t i c a l l y d is c o v e r a n d c r e a t e a n e t w o r k m a p o f t h e t a r g e t n e t w o r k . It is a lso a b le t o d is p la y i n - d e p t h c o n n e c t i o n s like OSI L a y e r 2 a n d L a y e r 3 t o p o l o g y d a ta su ch as d is p la y in g s w it c h t o s w itc h , s w itc h t o n o d e , a n d s w it c h t o r o u t e r c o n n e c t i o n . You can e x p o r t t h e n e t w o r k m a p c r e a te d i n t o M i c r o s o f t O ffic e V isio. It can also k e e p t r a c k o f c h a n g e s t h a t o c c u r in t h e n e t w o r k . It a llo w s t h e u s e r t o p e r f o r m i n v e n t o r y m a n a g e m e n t o f h a r d w a r e a n d s o f t w a r e assets.
SolarW inds LANsurveyor - [M ap 1]

.
*
B X
i;. File Edit Manage Monitor Report Tools Window Help !3 y *
solarwinds
a
0 0 V . i~ 1
N e tw o rk S e gm ents (1) B H & IP A d dresses (5) S D o m a in N am es (5) N o d e N am es (5) IP Routers
SO
DEMONSTRATK
J 5 LL A N su rve y o r R esp o nd er N o d es
S N M P N o d es S N M P S w itch e s/H u b s SIP (VoIP) N o d es Layer 2 N o d e s A c tiv e D irecto ry D Cs
: H
l- C ^
1 f t . G rou ps
LAN surveyor
F o r H elp, press F1
FIGURE 3.53: LANsurveyor Screenshot
N e t w o r k O p M
D is c o v e r y
T o o l: C E H
a n a g e r
O p M a n a g e r is a n e t w o r k m o n i t o r i n g s o f t w a r e t h a t o f f e r s a d v a n c e d f a u l t a n d p e r f o r m a n c e m a n a g e m e n t f u n c t i o n a l i t y a c r o s s c r i tic a l IT r e s o u r c e s s u c h a s r o u t e r s , W A N lin k s , s w i t c h e s , f i r e w a l l s , V o IP c a ll p a t h s , p h y s ic a l s e r v e r s , v i r t u a l s e r v e r s , d o m a i n c o n t r o l l e r s , a n d o t h e r IT i n f r a s t r u c t u r e d e v i c e s
F e a tu re s
J J J J J J J J -l -l A vailability a n d U p tim e M o n ito rin g N e tw o rk Traffic A nalysis IP A d d re s s M a n a g e m e n t S w itch P o rt M a p p e r N e tw o rk P e r fo r m a n c e R e p o rtin g N e tw o rk C o n fig u ra tio n M a n a g e m e n t E x c h an g e S e r v e r M o n ito rin g A ctive D ire c to ry M o n ito rin g H yper-V M o n ito rin g SQL S e rv e r M o n ito rin g
1 'o l|R tN 1nr U ip t& M 'A jh U a p m ! !u r& irlc tird N u d r-T
O p M a ra g t? )
q m
noo < 1nln 1iv UvoJ lopuogv m ap ailtmwirv wrn iptonto m m ci front ta> Nmsc Mtal wiijf cor wiMr/twftdi x tl*
a a v c a
SAMPLE MAP
\ r. *
*T Y '
\ : 3 * /
jf _ .
http://w w w .m anageengine.com
EG-G*ancil. A ll
N e tw o rk
D is c o v e ry
T o o l: O p M a n a g e r
S o u rc e : h t t p : / / w w w . m a n a g e e n g i n e . c o m O p M a n a g e r is b a s ic a lly a n e t w o r k p e r f o r m a n c e m a n a g e m e n t a n d m o n i t o r i n g t o o l t h a t o ffe r s a d v a n c e d f a u l t a n d p e r f o r m a n c e m a n a g e m e n t f u n c t i o n a l i t y acro ss c r itic a l IT r e s o u r c e s such as r o u t e r s , W A N links, s w itc h e s , f ir e w a lls , V o IP call p a th s , p h y sica l se rv e rs , v i r t u a l se rv e rs , d o m a i n c o n t r o l l e r s , a n d o t h e r IT i n f r a s t r u c t u r e d e v ic e s . T his t o o l is h e l p f u l in d is c o v e r in g t h e s p e c ific n e t w o r k a u t o m a t i c a ll y . It can also p r e s e n t a live n e t w o r k d ia g r a m o f y o u r n e t w o r k . H e re a re s o m e o f t h e f e a t u r e s o f O p M a n a g e r : e e 0 e 0 9 e A v a i la b il i t y a n d u p t i m e m o n i t o r i n g N e t w o r k t r a f f i c a na lysis IP a d d re s s m a n a g e m e n t S w itc h p o r t m a p p e r N e tw o rk p e rfo rm a n c e re p o rtin g N e t w o r k c o n f i g u r a t io n m a n a g e m e n t E xch an g e s e r v e r m o n i t o r i n g
9 9 9
A c t iv e d i r e c t o r y m o n i t o r i n g H ype r-V m o n ito rin g SQL S e rv e r m o n i t o r i n g
FIGURE 3.54: OpManager showing Sample Map
N e t w o r k
D is c o v e r y
T o o l: C E H
N e t w o r k V i e w
N tv w < kVcw ;N c tw c rk V 1 0 v *1[

Re id* V *- lisu letf Arvlw
N e tw o r k V ie w is a n e tw o r k d is c o v e ry a n d m a n a g e m e n t to o l f o r W in d o w s
a i i s is
1 1
H*j
q. *. +
I N Q D s i S B a
D is c o v e r T C P /IP n o d e s a n d r o u t e s u s in g D NS, S N M P , p o r t s , N e tB IO S , and WMI
http://www.networkview.com
EG-G*ancil. A ll
R ig h ts R e se rv e d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d .
N e tw o rk
D is c o v e ry
T o o l: N e tw o rk V ie w
S o u rc e : h t t p : / / w w w . n e t w o r k v i e w . c o m N e t w o r k V i e w is a n e t w o r k d is c o v e r y a n d m a n a g e m e n t t o o l f o r W i n d o w s . Its k e y f e a t u r e s i n c l u d e : 9 9 e 9 9 D is c o v e r TCP/IP n o d e s a n d r o u t e s u s in g DNS, S N M P , Po rts, N etBIOS , a n d W M I G e t M A C a d d re s s e s a n d NIC m a n u f a c t u r e r n a m e s M o n i t o r n o d e s a n d re c e iv e a le rts D o c u m e n t w ith p rin te d m aps and re p o rts C o n tro l and secure y o u r n e tw o rk w ith th e S N M P M IB b ro w s e r, th e W M I b ro w s e r, and th e p o r t sca nn er
NetworkView - [NetworkViewl]
f t F1 l Edit View Lists logs Window Help
b is 1
< * < * + - ; s x g x e ii
g n t4 s
8:
&
ft N e tw o rk V ie w l|
-an
11 11)
1 0111 2
B
III * M il i t 1 * ( M i o hf M W
N o t Y *I T f c y *
** | A.~
*1
L m m |^ # 1 ^T xiw w (m< 10 0 4 )]
HR
50 Nodes For Help, press FI
Monitoring is O ff
[Last monitoring: Unknown
0 Polls
0 Mails Sent
Modified
FIGURE 3.55: NetworkView Screenshot
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0linCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
N e tw o rk D is c o v e ry Tool: The Dude
EH
N e tw o rk
D is c o v e ry
T o o l: T h e D u d e
Source: h ttp ://w w w .m ik ro tik .c o m The Dude w ill a u to m a tic a lly scan all devices w ith in specified subnets, draw and lay o u t a map o f y o u r netw orks, m o n ito r services o f yo u r devices, and a le rt you in case any service has problem s. A few features of the Dude include: A uto n e tw o rk discovery and layout Discovers any type o r brand o f device Device, link m o n ito rin g , and notifica tio ns Allow s you to draw yo u r own maps and add custom devices Supports SNMP, ICMP, DNS, and TCP m o n ito rin g fo r devices th a t su pp o rt it Direct access to rem ote co ntro l too ls fo r device m anagem ent Supports rem ote Dude server and local client
admin@localhost - The Dude 4.0beta3
O lV S r> 0 1 Q k o lo o * M\ fE lC 1 0 0 0 6 W IN M S S L K 4 K 4 1 W I N D O W S 1 0 .002 f, W I N L X Q N 3 W A 3 R 9 MW I N M S S E L C M M lj * W I N O 3 S M R 5 H L 9 C 4
169254 189180 BS) Otenl ix 199fcbp*/tt 191 bps Svr
'
FIGURE 3.56: The Dude Screenshots
N e tw o rk D is c o v e ry a n d M a p p in g Tools
[_ j !i r* * >
CEH
http://w w w 8.hp.co m
HP Netw ork Node M an ager i Software
http://w w w .1 0 -5 trike.com
LANState
FriendlyPinger
http://w w w .kilievich.com
http://w w w .opnet.com
N e tM ap p er
(fT u le jsi
http://w w w .lum eta.com
Ipsonar
M kM !
http://w w w .netbraintech.com
NetBrain Enterprise Suite
http://cartoreso.ca m p u s,ecp .fr
CartoReso
11
H R i |
http://w w w .sp icew orks.co m
Spiceworks-Network M ap p er
http://w w w .lan-secure.com
Switch Center Enterprise
http://w w w .adrem soft.co m
NetCrunch
C o p y rig h t b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
N e tw o rk
D is c o v e ry
a n d
M a p p in g
T o o ls
N e tw o rk discovery and m apping tools a llo w you to view the map o f yo ur netw ork. They help you d e te ct rogue h ard w a re and s o ftw a re v io la tio n s. It n otifie s you w henever a p articula r host becomes active or goes dow n. Thus, you can also figure o ut the server outages or problem s related to perform ance. This is the purpose o f n e tw o rk discovery and m apping too ls in term s o f security. The same to o ls can be used by attackers to launch attacks on your n etw o rk. Using these tools, the a ttacker draws the n e tw o rk diagram o f the ta rg e t n etw o rk, analyzes the topology, find outs th e vu ln era b ilitie s or weak points, and launches an attack by e xploitin g the m . The a ttacker may use the fo llo w in g too ls to create a map o f the n etw o rk: Q 9 Q Q 9 9 9 9 9 LANState available at h ttp ://w w w .1 0 -s trik e .c o m FriendlyPinger avaialble at h ttp ://w w w .k ilie v ic h .c o m Ipsonar available at h ttp ://w w w .lu m e ta .c o m CartoReso available at h ttp ://ca rto re so .ca m p u s.e cp .fr Switch Center Enterprise available at h ttp ://w w w .la n -s e c u re .c o m HP N e tw o rk Node M anager i Softw are available at h ttp ://w w w 8 .h p .c o m N e tM a pp e r available at h ttp ://w w w .o p n e t.c o m NetBrain Enterprise Suite available at h ttp ://w w w .n e tb ra in te c h .c o m S picew orks-N etw ork M apper available at h ttp ://w w w .s p ic e w o rk s .c o m NetCrunch available at h ttp ://w w w .a d re m s o ft.c o m
fc js k ^
C E H
So far, we have discussed various means o f scanning and the sources to be scanned.
Now we w ill discuss proxies and im p o rta n t mechanisms used by attackers to access the restricted sources and also to avoid th e ir id e ntity.
191
Scanning Beyond IDS
Q ; Prepare Proxies ^
Banner Grabbing
This section describes how to prepare proxies and how an a ttacker can use the m to launch attacks.
P roxyServers
A proxy is a n e tw o r k c o m p u t e r th a t can s e r v e a s an in t e r m e d ia r y for c o n n ec tin g w ith o t h e r c o m p u t e r s
CEH
A s a n IP a d d r e s s e s m u l tip l e x e r , a p ro x y a llo w s t h e c o n n e c tio n o f a n u m b e r o f c o m p u te rs to th e I n t e r n e t w h ile h a v in g o n ly o n e IP a d d r e s s
Proxy servers can be used (to some extent) to anonymize w eb surfing
P ro x y
S e rv e rs
A proxy is a n e tw o rk co m p u te r th a t can serve as an in te rm e d ia ry fo r connecting w ith o th e r com puters. You can use a proxy server in m any ways such as: 0 A sa fire w a ll, a proxy protects the local n e tw o rk fro m th e outside access 9 As an IP address m ultip le xer, a proxy allows a n um ber o f com puters to connect to the In te rn e t w hen you have only one IP address 9 To anonym ize w eb surfing (to some extent) Q To filte r o u t unw anted co nte nt, such as ads or "u n su ita b le " m aterial (using specialized proxy servers) 9 To provide some p ro te ctio n against hacking attacks 9 To save ban d w id th Let's see how a proxy server works. W hen you use a proxy to request a p articula r w eb page on an actual server, it firs t sends yo ur re quest to th e p ro xy server. The proxy server then sends yo u r request to the actual server on
behalf o f yo ur request, i.e., it m ediates betw een you and the actual server to send and respond to the request as shown in the fo llo w in g figure.
Attacker
Target Organization
FIGURE 3.57: Attacker using Proxy Server
In this process, the proxy receives the co m m unication betw een the clie n t and the d e stin a tio n application. In o rd e r to take advantage o f a proxy server, c lie n t program s m ust be configured so the y can send th e ir requests to the proxy server instead o f th e final destination.
W h y A ttackers Use Proxy Servers?
CEH
( r t i f W d it h iu l l U c k M
To m a s k t h e a c tu a l s o u rc e o f t h e a t ta c k b y im p e r s o n a tin g a fa k e s o u r c e a d d r e s s o f t h e p ro x y
To r e m o te ly a c c e s s in t r a n e t s a n d o t h e r w e b s ite r e s o u r c e s t h a t a r e n o r m a l l y o f f li m it s
T o i n t e r r u p t a ll t h e r e q u e s t s s e n t b y a n a t t a c k e r a n d t r a n s m i t t h e m t o a t h i r d d e s t i n a t i o n , h e n c e v ic tim s w ill o n ly b e a b l e t o id e n t i f y t h e p ro x y s e r v e r a d d r e s s I
A tta c k e rs c h a in m u ltip le p ro x y s e rv e rs t o a v o id d e t e c ti o n
W h y A tta c k e rs U se P ro x y S e rv e rs For an attacker, it is easy to a tta ck or hack a p articula r system than to conceal the attack source. So the main challenge fo r an attacker is to hide his id e n tity so th a t no one can trace him or her. To conceal the id e n tity, the a ttacker uses the proxy server. The main cause behind using a proxy is to avoid d e te c tio n o f a tta ck evidence. W ith help o f th e proxy server, an a ttacker can mask his or her IP address so th a t he or she can hack th e co m p u te r system w ith o u t any fear o f legal repercussion. W hen the a ttacker uses a proxy to connect to the d estination, the proxy's source address w ill be recorded in the server logs instead o f the actual source address o f the attacker. In a dd itio n to this, the reasons fo r w hich attackers use proxy servers include: Q A tta cke r appears in a victim server's log files w ith a fake source address o f the proxy ra th e r than w ith the attacker's actual address 9 9 To re m o te ly access in tranets and o th e r w ebsite resources th a t are norm ally o ff lim its To in te rru p t all the requests sent by an a ttacker and tra n s m it the m to a th ird d estination, hence victim s w ill only be able to id e n tify the proxy server address 9 To use m u ltip le proxy servers fo r scanning and attacking, making it d iffic u lt fo r adm inistrato rs to trace the real source o f attack
U seofProxiesforA ttack
Direct attack/ No proxies
CEH
--
! s* 5 -
Logged P roxy
U se o f P ro x ie s fo r A tta c k Q uite a num ber o f proxies are in te n tio n a lly open to easy access. A no n ym o us proxies hide the real IP address (and som etim es o th e r in fo rm a tio n ) fro m w ebsites th a t the user visits. There are tw o types o r a no nym ous proxies: One th a t can be used in the same way as the nonanonym ous proxies and others th a t are web-based anonymizers. Let's see how m any d iffe re n t ways th a t attackers can use proxies to co m m it attacks on the target.
Case 1: In the firs t case, the a ttacker perform s attacks d ire ctly w ith o u t using proxy. The a ttacker may be at risk to be traced o u t as the server logs may contain in fo rm a tio n about th e IP
address o f the source.
D ire c t a t t a c k / N o p ro x ie s
T a rg et
FIGURE 3.58: Attacker Communicating with Target Directly (No Proxy)
Case 2: The a tta cke r uses the proxy to fetch the ta rg e t application. In this case, th e server log
w ill show the IP address o f the proxy instead o f the attacker's IP address, th e re b y hiding his or
her id e n tity; thus, the a ttacker w ill be at m inim um risk o f being caught. This w ill give the a ttacker the chance to be anonym ous on the Inte rn e t.
A tta c k e r
L o g g e d P ro x y
T a rg e t
FIGURE 3.59: Attacker Communicating with Target through Proxy
Case 3: To becom e m ore anonym ous on the In te rn e t, the a ttacker may use the proxy chaining tech n iq ue to fetch the ta rg e t application. If he or she uses proxy chaining, the n it is highly d iffic u lt to trace o u t his o r her IP address. Proxy chaining is a technique o f using m ore num bers o f proxies to fetch the target.
A tta c k e r
FIGURE 3.60: Attacker using Proxy Chaining for the attack
P roxyC haining
M
...................... IP: 20.10.10.2 Port: 8012
H a
M
IP: 20.10.15.4 Port: 8030
M >
IP: 10.10.20.5 Port: 8023 .......................<
U ser
Encrypted/unencrypted traffic
N
IP: 20.15.15.3 Port: 8054 IP: 15.20.15.2 Port: 8045
m
IP: 10.20.10.8 Port: 8028
Unencrypted traffic
1. 2. 3. 4. 5.
User r eq u es ts a resource from the destination Proxy client at the user's system connects to a proxy server and passes th e request to proxy server The proxy server strips th e user's identification information and passes th e request to next proxy server This process is repeated by all th e proxy servers in th e chain At th e end u ne n c ry p ted re q u e s t is passed to th e w eb server
C o p y rig h t b y E C -G *a n cil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
P ro x y
C h a in in g becom e m ore ano n ym o us on th e Inte rn e t. Your
Proxy chaining helps you to
a no n ym ity on the In te rn e t depends on the num ber o f proxies used fo r fetch in g the targe t application. If you use a larger num ber o f p ro xy servers, then you w ill become m ore anonym ous on the In te rn e t and vice versa. W hen th e attacker firs t requests the proxy s e rv e rl, this proxy s e rv e rl in tu rn requests a nother proxy server2. The proxy s e rv e rl strips the user's id e n tifica tio n in fo rm a tio n and passes the request to the next proxy server. This may again request a no th e r proxy server, server3, and so on, up to ta rg e t server, w here fin a lly the request is sent. Thus, it form s the chain o f th e proxy server to reach the destin a tion server as shown in the fo llo w in g figure:
m
IP: 20.10.10.2 Port: 8012 IP: 10.10.20.5 Port: 8023 IP: 20.10.15.4 Port: 8030
U ser
E n crypted/u nencrypted traffic
..................... v
IP: 20.15.15.3 Port: 8054
m
IP: 15.20.15.2 Port: 8045
....................V
M
IP: 10.20.10.8 Port: 8028
................................ > Unencrypted traffic
FIGURE 3.61: Proxy Chaining
P r o x y T o o l: P r o x y W o r k b e n c h
U r tif W tf Ith K J i lU ik M
CEH
Proxy Workbench is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram
P r o x y T o o l: P r o x y W o r k b e n c h Source: h ttp ://p ro x y w o rk b e n c h .c o m Proxy W orkbench is a p ro xy server th a t displays th e data passing th ro u g h it in real tim e , allows you to d rill in to p articula r TCP/IP connections, view th e ir history, save the data to a file , and view the socket connection diagram . The socket connection diagram is an anim ated graphical history o f all o f the events th a t to o k place on the socket connection. It is able to handle (secure sockets) and
HTTPS
POP3 natively.
"Z.
File View Tools Help
Proxy W o rk b e n c h
L s l #
0 5 - i s U
M ontana iravya !132168168170)
Dslafc
6
10 Dead (1318 X
308( Event So( 7 P a g e lo H
m J4 J 4J JN
SMTP Outgoing e-mad (25) POP3 Incoming c nvjd (110) HTTP Proxy W eb (8080) 127.aa1 to 127.0.01 (locahost) (127 0 01 20750) 491 bytes of iaa has been chnft. 12 14 49 53 8
fi P P P P P P P P P P P P P P P P P P P P P
DeaJ 113:18:26-779) D ead ( 1 1 1 8 2 5 7S2) Dead (1 1 1 8 2 5 757) Dead (13:1825752) Ded(13182S?46) Dead (13:1825741) Dead (131825736) Dead (1 *1 8 2 5 731) Dead (131825 724) Dead (131825 684) Dead (131825 67$) Dead (131825 662) Dead(131825 655) Dead (131825.647) Dead (131825641) Dead(131825625) Dead(111825620) Dead (13:1825.586) Dead (111825579) Deed (1118255741 Dead (13 1 82 5 566) Dead (13 1825 558) Dead (111825552) Dead 11118255431 Socke
The connection request Jo the remote server has been successful 13:14:49.817
locahost (127.00 1 8080)
D e a d(1 1 1 8 2 5 7 1 7 ) D e a d(1 3 :1 8 2 56 7 1 ) D e a d (1 1 1 8 2 5 6 3 3 )
1 2 7 0 0 1 fin 491 bytes of data has been
ser* to Ihe !emote tervet.
locahost (127 0 0 1 80801
B
(1270 01 20750) FVB has (**connected horn the remote ckent 13 15 13 20 9 the remote server Kais disconnected 1315:13208
P
P P
U Memay
Reel tnw date for Dead (13 18 30 308) lU U U U J ^ t i n t / ! J tt e ju ua u a id ua
8 KByte*
FIGURE 3.62: Proxy Workbench Screenshot
P roxyT ool:P roxifier

Prox-fie1 is a program that a ows r>etwork appicatons that do rxrt support working through proxy servers to operate through an HTTPS or SOCKS proxy or a chain of proxy servers
C |E H
mpj/www proafr-aom
!B yK'CMAjV. M j arn: *st2-d?rjSfit3y c*C
P r o x y T o o l: P r o x if ie r Source: h ttp ://w w w .p ro x ifie r.c o m P roxifier allows n e tw o rk a p p lica tio n s th a t do n ot su pp o rt w o rkin g throu g h proxy servers to operate throu g h a SOCKS o r HTTPS proxy and chains. It allows you to surf w ebsites th a t are restricted o r blocked by yo u r governm ent, organization, etc. by bypassing the fire w a lls rules. Features: 0 9 Q You can access the In te rn e t fro m a restricted n e tw o rk throu g h a proxy server gateway It hides yo u r IP address It can w o rk throu g h a chain o f proxy servers using d iffe re n t protocols It allows you to bypass fire w a lls and any access co ntro l mechanisms
P r o x ifier F i l e P r o f i l e log ub View Help 1 &
1a
El
1j tf * *
Application ^ m s ts c .E X E (5044) 64 cxplore.exe (4704) ie3plore.exe (5664) lsvchost.exe (376, System) 64 (376, System) 64 4 $ !explore.exe (164)
Taiget 192.168.2.40:3389 w w w .l.g o o gle. com:30 [fe80::90bl:83b:c743:f49b]:80 IP v 6 w w w .u p d a te .m 1croso ft.co m :80 w w w .u p d ate.m icro s o ft.c om :4 43 Ib l.w w w .m s .ak ad n 5.n e t 443 w w w .m ic ro s o ftc o m :8 0 8 0
Time/'Sta t us 01:25 01:14 Closed 01d2 00:44 00:42 Failed 00:21 C o n nectin g
R u le : Proxy D e fa u lt: proxy.exam ple.net:1080 P ro x y2: proxy.exam ple.net:1080 L o c a l: Test proxy chain D e fa u lt: proxy.exam ple.net:1080 D e fa u lt: proxy.exam ple.net:1080 H T T P S : proxy2.exam ple.net:8080 D e fa u lt: proxy.exam ple.net:1080
Bytes Sent 2.75 KB 3.33 KB 958 172 131 KB
Bytes Received 4.06 KB 13.5 KB 376 262 7 5 4 KB
0 0
0 0
etp lo re.exe (2776)
stC o n n ectio n su A .T ra ff1 t S ta tistic s

[19.591 svchost o t [19 59] svchost exe [19 59 ] svchost exe [19 59 ] svchost exe [19 59 ] svchost exe [19 59] svchost exe [19 59 ] svchost exe [19 59] svchost exe [19 59 ] svchost exe [20 00] svchost exe [20 00] explore exe [2000: expJoreexe 120 00] explore exe [20 00] !explore exe [20 00] explore exe [20 00] explore exe ]20 00; ejcloro exe [20 00 ] svchost exe (37S. System) $4 - resolve v .^w updale rnicroMft.cotn DNS (37S. System) *64 resolve w.vw update rmcroso*t c o t DNS (376. System) *64 - www update microsoft com 442 match!r>3 Defadt rd e : usng proxy proxy .examptenet:1080 (376. System) *64 - A m update microsoft c o t 44 open through prxxy proxy example net 1080 (375. System) *64 download.w 1 ndow 3 update.com 80 dose. 6S1 bytes aert. 1183 bytes (1-15 KB) received, bfefcme 00 05 (376. System) *64 resolve download wmdowsLpdate com DNS (376. System) *64 resolve download.wmdowsupdate.com : DNS (376. System) *64 download windowsupdate com 80 matchrtg DefaJt a ie usng proxy proxy example net 1080 (376. System) *64 dowrload.wnndowsupdate .com 80 open through proxy proxy example net 1080 (376. System) *64 download.w 1 ndowsupdate.com 80 dose. 175 bytes aert. 256 bytes recerved. tfetr>e 00:04 (164) - lb 1 www ms akadns net 443 matching H TTPS rule using proxy proxy2 example net 8080 (2776) - www nxyosoft com :8080 matchna Default a ie ue>g proxy proxy example net 1080 (4704) w a w I aooale com 80 dose. 1560 bytes (1 52 KB) sert 13451 bytes (13 1 KB) recoved Ife tm e 0 0 59 (5664) - www I cooole com SO dose. 1456 byte (1 42 KB) t e r( 26617 bytes (25.9 KB) received *fet me 01 11 (5664) wwwJ.QOQQle.cQm.gO dose. 3530 bytes(3 44 KB) sert 722 bytes receded fcfetneOI 11 (4704) wwvr I cooole com 80 d o te . 3413 bytes(3 33 KB) s e t 13881 bytes (13.5 KB) received tfettne 01 14 ,'1641 b l w w w n s ekados net 443 error Codd not c o o k ed throudiproxy proxy2examolenet 8090 Reedng proxy replay on a c o m e d c n reouest faled w the*ror 10054 (376. System) *64 www update microsoft com 8C dose. 172 bytes sent. 252 bvtes receded, tfetm e 01:01 7 actnre connections Down 0
R e a d y
6/sec
Up 0 B/sec
System DNS
FIGURE 3.63: Proxifier Screenshot
P r o x y T o o l: P r o x y S w it c h e r
P r o x y S w i t c h e r h i d e s y o u r IP a d d r e s s f r o m t h e w e b s ite s y o u v is it
EH
File
Edit
Actions
View
Help
pl
State (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) / _ _ _ _ _ _ _ _x R esp o- _ * 603ms 1092ms 1612ns 1653ms 1882ms 2319ms 2324ms 2543ns 2641ms 2 6 8in s 2 6 9a m n-. > : B * ^ | M | | | FRANCE UNITED STATES UNITED STATES REPUBLIC OF MOLDOVA i SLOVAKIA SLOVAKIA REPUBLIC OF KOREA PAKISTAN | B I CHINA UNITED STATES D C D I I Q II T < > C M A If V > \ / A I (F R A N C E Crxrtry 2200ns UNITED STATES
PKwy Scanner ^ N ew (0) High Anonymous (19) j.... SSL (26) Bite (30) Dead (7220) Basic Anonymity (212) - E " Private (53) Dangerous (148) My Proxy Servers (0) - ProxySwltcherfO)
Server
91.121.21.164:3128 ns1homenux.ccm:3l28 hherphpo.hchdtmc.edu:80 170.57.24.100:80 81 180 7 5 1 4 2 8080 66-162-61-85stabc:tvrteJe
$ g
194 160 765:8 0 arr,3c 3 mnedu sk 80 147.46.7.54:8088 121 52 14 8 30 8080 208-74-174-142sayfanet 31 - 0 11 0 A T C in.,_ _ _ _ _
,J f 1592 26 3 227:80
K w p A K v e IfA goS w c h
98 181 57.227:9090 tested as [Eke-Anonymous] cocreo dresacallao 90b pe: 80 tested as [Dead] smtp spectrum networks net :80 tested as ((Bite-SSL)J f-kasklab50a.eti.pg gdapl:80 tested as [Eie-Anonymous] cofreo disacallao gob p e:80 tested as [(Qite-SSL)] H iah Anonvmous/S SL 0 /6
Q KKww.proxyswitcher.com
*
P r o x y T o o l: P r o x y
S w itc h e r
Source: h ttp ://w w w .p ro x y s w itc h e r.c o m Proxy S w itcher allows you to su rf a no n ym o u sly on th e In te rn e t w ith o u t disclosing yo ur IP address. It also helps you to access various sites th a t have been blocked in th e o rg an iza tion . It avoids all sorts o f lim ita tio n s im posed by sites. Features: 9 Q It hides yo ur IP address It allows you to access restricted sites It has fu ll su pp o rt o f passw ord-protected servers
S * Proxy Sw itcher PRO ( D irect C o n n ec tio n ) File Edit A ctions View H elp
@ l # l
^
X I
d a a a i i
Server , f
>
j*
a j ii
Respo... * 603ms 1092ms 1612ms 1653ms 1882ms 2200ms 2319ms 2324ms 2543ms 2641ms 2683ms 2698ms Country 1 FRANCE I I FRANCE UNITED STATES * UNITED STATES UNITED STATES SLOVAKIA SLOVAKIA REPUBLIC OF KOREA CHINA m K 9 PAKISTAN UNITED STATES D C P I ipi irnc uni nn\/4 I I * REPUBLIC OF MOLDOVA >
Proxy Scanner ! # New (0) B i High Anonymous (19) SSL (26) ...E ? Elite (30) | B Dead (7220) Basic Anonymity (212) j g ; Private (53) Dangerous (148) My Proxy Servers (0) ;... Sr ProxySwitcher (0)
& f if , f .#
91.121.21 164:3128 ns1.homenux.com :3128 hherphpo.hchd.tmc .edu :80 170.57.24.100:80 81.180.75.142:8080 static tvvtele.85 - 66-162-61
, 194.160.76.5:80
State (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (/Vionymous) (Anonymous) (Anonymous) (/Vionymous) (Anonymous) (Anonymous) -------- \ /A
amac3.minedu s k :80 147.46.7.54:8088 159.226.3.227:80 121.52 148 30:8080 sayfa.net .31:208-74-174-142

10n 01 1 . 0 .* ---------
Disabled
~]
Keep Alive
1 1 Auto Switch
O w 1wuv.proxyswvjtcher.com
98 181.57.227:9090tested as [Bite-Anonymous] correo diresacallao gob pe:80tested as [Dead] smtp spectrum-networks n e t:80 tested as [(Bite-SSL)] f-kasklab50a eti pg gda.pl :80 tested as [Bite-Anonymous] correo disacallao gob pe:8 0 tested as [(Bite-SSL)] H igh A nonvm ous/S S L
0/6
FIGURE 3.64: Proxy Switcher PRO Screenshot
P r o x y T o o l: S o c k s C h a in
J SocksChain t r a n s m i t s t h e TCP/IP a p p lic a tio n s t h r o u g h a chain of proxy serv ers
CEH
im ttiM tU x*l lUckM
Ufasoft SocksChain
View Tools Help firefox To [64.4.11.42]:80 3 connections m m ^ m m 10 ! 0 To [65.55.57.27]:80 2 connections To [123.176.32.147]:80 13 connections To [64.4.11.301:80 2 connections To [123.176.32.1361:80 1 connections
LdfLJ
To [175.41.150.21:80 1 connections To [207.46.49.1331:80 1 connections To [64.4.21.391:80 1 connections
9 To [65.54.82.157]:80 2 connections chrome Through SE05411D17AFD6752EE36392EE4E42CAFB8A45D09=shadowhouse. S626F206838B0EA12CFCA5CE91 3 To www.certifiedhacker.com(202.75.54.101]:80 6 connections S I To safebrowsing.google.com[74.125224.73!:443 1 connections To safebrowsing-cache.google.com[74.125.224.67J:443 !connections 1 7 1 ^ iexplore 0 PING
III
V
< DANGEROUS.SOCKS PR0T0C0L=S0CKS5 ADDRESS=65.S4.82.157:80
I>
DVUCEKOn? ?0CK8 bB0i.0C0r^0CK2J VDDKE2ê2?85m :80

S blUG
ht tp :/ / uf a so f t. c om
C o p y rig h t b y E C -C suncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d
P r o x y T o o l: S o c k s C h a in Source: h ttp ://u fa s o ft.c o m SocksChain is a program th a t allows you to w o rk w ith any In te rn e t service throu g h a chain o f SOCKS or HTTP proxies to hide the real IP address. It can fu n ctio n as a usual SOCKS-server th a t tra nsm its queries throu g h a chain o f proxies. It can be used w ith clie n t program s th a t do not su pp o rt the SOCKS p rotocol, b ut w o rk w ith one TCP-connection, such as TELNET, HTTP, IRC, etc. It hides y o u r IP fro m being displayed in the server's log or mail headers.
K
File View Tools Help
Ufasoft SocksChain
m
B firefox Through SE0S411017AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9I 9 To [64.4.11.42]:80 3 connections 9 To [65.55.57.27]:80 2 connections To [123.176.32.1471:80 13 connections To [64.4.11.301:80 2 connections _ To [123.176.32.136):80 1 connections To [175^41.150-21:80 1 connections
m To [207.46.49.1331:80 1 connections
9 1 To [64.4.21.39]:80 1 connections '*. To [65.54.82.1571:80 2 connections 0 0 B chrome Through SE05411Dl7AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9 3 8 To www.certrf1edhackef.coml202.75.54.101 ]:80 6 connections 9 1 To safebrowsmg.google.com(74.125.224.731:443 1 connections 9 E To safebrows1ng-c*che.google.com[74.125224.67]:443 1 connections !explore PING
I
DANGEROUS.SOCKS PROTOCOL SOCKS5 ADDRESS=65.54.82.157:80
FIGURE 3.65: Ufasoft SocksChain Screenshot
P ro xy Tool: T O R (T h e O n io n R o u tin g )
CEH
Anonymity
Privacy
E n s u r e s t h e p r iv a c y o f b o th s e n d e r a n d
Security
P r o v id e s m u l t i p l e , la y e r s o f s e c u r it y f to a m essage
V id a lia C o n tro l P an el
c o m m u n i c a t io n o v e r In te rn e t
r e c ip ie n t o f a m essage
n
Encryption
E n c ry p ts a n d d e c r y p t s a ll d a t a p a c k e t s u s in g p u b lic k e y e n c r y p t io n V
.
Tor Proxy
T h e i n i t i a t i n g o n io n 1 r o u t e r , c a lle d a " T o r I c l i e n t " d e t e r m in e s th e p a th o f t r a n s m is s io n
Mcuogc Lug 3 Show ttii* winflow on t tir n n SclU 1g Q cxt View the Network Loc a Ncv> Id c rtty
Proxy Chain
U s e s c o o p e r a t in g p ro x y ro u te rs th r o u g h o u t th e n e tw o rk
B , Bandwidth !^ph
O H#ip
About
h t tp s : // w w w . to r p ro je c t, o rg
C o p y rig h t b y EG -G ouncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
P r o x y T o o l: T O R
(T h e O n io n R o u tin g )
Source: h ttp s ://w w w .to rp ro je c t.o rg Tor is so ftw a re and an open n e tw o rk th a t surveillance th a t threa te ns personal fre e d o m helps you defend against a fo rm o f n e tw o rk and
and privacy, co nfid e ntia l business activities
relationships, and state security know n as tra ffic analysis. You can use Tor to prevent w ebsites fro m tracking you on the Inte rn e t. You can also connect to news sites and in stan t messaging services w hen these sites are blocked by yo u r n e tw o rk a d m in istra to r. Tor makes it d iffic u lt to trace y o u r In te rn e t a ctivity as it conceals a user's location o r usage. Features:
9
9
Provides anonym ous com m unication over the In te rn e t Ensures the privacy o f both sender and re cip ie nt o f a message
9
9
Provides m u ltip le layers o f security to a message Encrypts and decrypts all data packets using public key e ncryption Uses cooperating proxy routers th ro u g h o u t the n e tw o rk The in itia tin g onion ro u te r, called a "Tor clie n t" determ ines the path o f transm ission
9 9
Vidalia Control Panel 1 ~ 1 Status
4 )1
Vidalia Shortcuts Stop Tor
Connected to the Tor network'
# # Setup Relaying
View the Network
Use a New Identty
, Bandwidth Graph = ]Message Log
O Help Settings
About fcÊxit Hide
@ Show the wndow on startup
FIGURE 3.66: Vidalia Control Panel showing the Status
P r o x y T o o ls
Burp Suite Proxy
CEH
http://w w w .portsw igger.net
http://w w w .analogx.com
http://w w w .d la o .co m
Proxy C om m and er
http://w w w .protoport.com
P ro top ort Proxy Chain
http://w ebproxylist.co m
Proxy Tool W indow s App
http://w w w .proxyplus.c1
Proxy+
http://gpassl.com
Gproxy
11
! !
http://affinity-tools.com
FastProxySwitch
http://w w w .fiddler2.com
Fiddler
http://w w w .pro xy-to o l.co m
ProxyFinder
P ro x y T o o ls In a dd itio n to these proxy tools, th e re are m any m ore proxy tools intended to allow users to surf the In te rn e t anonym ously. A fe w are listed as follow s: 9 9 9 9 9 Q 9 Burp Suite available at h ttp ://w w w .p o rts w ig g e r.n e t Proxy C om m ander available at h ttp ://w w w .d la o .c o m Proxy Tool W indow s App available at h ttp ://w e b p ro x y lis t.c o m Gproxy available at h ttp ://g p a s s l.c o m Fiddler available at h ttp ://w w w .fid d le r2 .c o m Proxy available at h ttp ://w w w .a n a lo g x .c o m P ro to p o rt Proxy Chain available at h ttp ://w w w .p ro to p o rt.c o m
Q Proxy+ available at h ttp ://w w w .p ro x y p lu s .c z 9 9 FastProxySwitch available at h ttp ://a ffin ity -to o ls .c o m ProxyFinder available at h ttp ://w w w .p ro x y -to o l.c o m
P r o x y T o o ls
(C o n td)
CEH
Socks Proxy Scanner
http://w w w .proxy-tool.co m
ProxyFinder Enterprise
http://w w w .m yla nview er.co m
HI
http://w w w .ode.o rg
ezProxy
A M _il
http://w w w .charlesproxy.com
Charles
JAP Anonymity and Privacy
http://anon.in f.tu-dresden.de/index_en.htm l
http://w w w .ultrasurf.us
UltraSurf
http://w w w .youngzsoft.net
CC Proxy Server
https://addons.m ozilla.org
FoxyProxy Standard
P r o x y T o o l s ( C o n t d )
---------- The list o f proxy tools m entioned in the previous slide continues as follow s: 9 9 9 9 9 9 Q 9 Q 9 ProxyFinder Enterprise available at h ttp ://w w w .p ro x y -to o l.c o m ezProxy available at h ttp ://w w w .o c lc .o rg JAP A no n ym ity and Privacy available at h ttp ://a n o n .in f.tu -d re s d e n .d e /in d e x en.htm l CC Proxy Server available at h ttp ://w w w .y o u n g z s o ft.n e t FoxyProxy Standard available at h ttp s://a d d o n s.m o zilla .o rg Socks Proxy Scanner available at h ttp ://w w w .m y la n v ie w e r.c o m Charles available at h ttp ://w w w .c h a rle s p ro x v .c o m U ltraS urf available at h ttp ://w w w .u ltra s u rf.u s WideCap available at h ttp ://w id e c a p .ru ProxyCap available at h ttp ://w w w .p ro x y c a p .c o m
F re e P ro x y S e rv e rs
A search in Google lists thousands of free proxy servers
Cl EH
( r t r f w t f I S t k K J l l U c k M
Google
Google
F re eP ro x yS e rv e rs a d o u i1 2 .7 0 0 .0 0 0re s u lt?{ 0 2 0 s e c o n d s )
im a g e s u a p s
v M k i
Uor*
N w * S h o p p ln Q
Show searcn tools
P ro x y4F re e-Ff P ro x yStrvtrt -p ro te c tY o u rP ru n eP riv a c ya W 1 w w wproxy4tree comj P r o x y 4 F re e isr a tre e p w lis ta n d p r o x y c h e c k e r r o w d tn g y o M ti r * b e ? fre e p ro x y s e rv e re o r o v e rro 9 y e a rs Q u rso r^ s tc a ie o c n e c 3 n 5 3 ! u 3 m e a su re sL is t C o u n tr y R a tin o A c c e s sT im u st o f F ree P ro x y S erv ers - Page 10 0 w w wproxy4tree eor>v1ist7eaproxy1 htmi F re e P r o x y ,A n o n im iz e r ,V P N .P r o x y 4 F re ero P r o x y u il, I P T e s t, * n c c r-i* e m u H O M E A D D Y O U R P R O X Y U sio n re e P x y se rv e rs P a g e 1o r 10-u Pr P iw tf L is t P u b lic Proxy Sarvars U P JE Q S UA d e iJy A ss;* b id e m y a M .c o r rv p f o x y J is V
Free proxy list index. Ih* Uigvst !aMirn* database ofDu&fe ptoxy servers :r in e
Proxy 4 Free
... ~
H i d e M y A s sr iv F retP ro x ya n aP riv a c yT o o ts-su nr y ew co...* n i f l0 m v 0 M .c 0 Wuliproxy fioo) McAfgg SECURE c-ilot. lolpkeec tcusafofcom tr * : : !.*.
c1dit card fraud, spywst. Us our It proxy to twl anonmoasH crtn * ! rreeproxynerver net/
1
ssa sssssasssr
Bar =2
F re eP ro x yS erv er-s u rr !rr ,\rr A -n n y m n .m : , S u rrm *w e ba n o n y m o u s lyw ith o u rtre ep ro x y s e rv e r F re eP ro x yS e rv er T iirL n H U u .
iNwyirj
1 : 1 '
P u b licP ro x yS e rv e rs F reeP ro x yS erv erl s i wvcttpu Dlicproxyservers.conv
Pu&lic Proxy Servers is a tree and 1dependent proxy :hecan; 5 sm Cur ser.ice neips you to proteclyour identity ana Dypass surting restnraons s!rce 2002
e a F re e P ro x y S e rv e rs
Besides proxy tools discussed previously, you can find a num ber o f free proxy sites
available on the In te rn e t th a t can help you to access restricted sites w ith o u t revealing yo ur IP address. Just type Free Proxy Servers in the Google search engine and you w ill get num erous proxy server websites.
( jO . )g ie
Free Proxy Servers
3 I
S e a rc h
13 r 00 000 r! u n to 70 m o m ! 1
Wo
Prav 4 Free F ree Proxy S erv ers Protect Your OMne Pnvacv wproxy41o*corv proxy server* for Over 9 yea* Ow Lilt County Ratng tc c tit T r O k w j h u m m n u h _
Proy 4 F ree- F ree Proxy S erv ers -Protect Your Onlne Privacy A _ preiraaee cou - cecfted - Smear Proxy 4 Free
** 55* * **
u a a i f i e e Pfoxj se rv e r* l y 1 a i 18 wwwp!o*if4lreecorA1rweapreey1 ren Frt Pron Anomrutf VPN Pro!* 4 Ftee Proy Ust P Te*t Aownn tCNU HOUE-AOOYOURPftOrr 1 .tc*rreee 1MjSenwr ? ?K rflO F ree ^ axv L st - P i t * Proxy S ervers P PORT n o e Mir A ss' * fttOtmrs com^rexy* !(epfor! s$1 no tv 1*c!*So 4aiac*s or caAK precy e rm s crtr* s= E 1 B -
m c Uxau : F re e r r p u A a i P a t a u . T a a i - a u T T n c m t ^ . *
A*e proxy rH Uo*JW SCUt MM K* , SSH *on4**r. T*4 creat caretswd s t *** u s ft* *ee proxy 1 0 s ^ t w>n>r1wow> oam M l .
-----------------------------I
. . H
l | V W P r a t Proxy S erv er _ I u m o ttt e . tortahtftconv *mTt#Mte40*eepnMy seryer - o e a r , w n tx S M an e 1m m < r n orowtieg too mar* a * se M trtrn 101e*oureeaM*eft*0*a 1 _
> Y
rjuZxvJ
,1
PiAftc Proxy Servers F ree Proxy S e rv er Lot ^ www |M<t*t#eayeeye1s ceev FuoecPreir Wrvor 1 t Iim n on a m U i i p>o <*o<S(ng <C X aemce 1 'u 10 proloct tour 1asrM1 anoerpess usng teMKSons trve7M 7
FIGURE 3.67: Google Search showing Free Proxy Servers
H T T P T u n n e l i n g T e c h n iq u e s
CEH
HTTP Tunneling te c h n o lo g y allows users to d e s p ite t h e restrictio ns im p o se d by firewalls

E n c a p s u la te s d a ta
inside
( (p o rt
80)
, f ! * HTTP Proxy or Firewall
> .......... <
 * *
!<>
Router
Router
End Users use HTTPTunnel to transmit or receive data through Firewall
Previously inaccessible servers and services
?111
C o p y rig h t b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d
H T T P T u n n e lin g
T e c h n iq u e s
HTTP Tunneling is a no the r technique th a t allows you to use the In te rn e t despite restrictions im posed by the firew alls. The HTTP p ro to co l acts as w ra p p e r fo r com m unication channels. An a tta cke r uses HTTP tu n n e l s o ftw a re to p e rfo rm HTTP tun n elin g. It is a client-server-based application used to com m unicate throu g h the HTTP p rotocol. This so ftw a re creates an HTTP tun n el betw een tw o machines, using a w eb proxy o ptio n . The tech n iq ue involves sending POST requests to an "HTTP server" and receiving replies. The a ttacker uses the client application o f HTTP tu n n e l softw are installed on his o r her system to com m unicate w ith o th e r machines. All requests sent throu g h the HTTP tu n n e l clie n t application go throu g h the HTTP protocol.
R acks o f HTTP T u n n el S e rv e rs
M
R o u te r HTTP P roxy HTTP T u n n el S e rv e rs r e c e iv e a n d re la y th e d a ta o r F irew all
M 49
End U se rs u s e H TTP-Tunnel to tr a n s m it o r re c e iv e d a ta th r o u g h F irew all & _ u! j P re v io u s ly in a c c e s s ib le s e r v e r s a n d s e rv ic e s
FIGURE 3.68: HTTP Tunneling Process
The HTTP tun n e lin g technique is used in n e tw o rk activities such as: 9 9 9 9 Stream ing video and audio Remote procedure calls fo r n e tw o rk m anagem ent For in tru sion d ete ction alerts Firewalls
W h y do I N e e d H T T P T u n n e lin g
J J Organizations firewall all ports except
80 and 443, and
you may w ant to use FTP
HTTP tunneling will enable use of FTP via HTTP protocol
INSIDE THE NETW ORK
P o rt I P o rt P o rt P o rt P o rt
23 21 79 25 110 500 69 80 443
OUTSIDE THE NETW ORK Q Q a ! ........ Q 1 Internet
FTP
1 P o rt
v
HTTP Tunneling client running on local port
1 P o rt 11 P o r t P o rt
Data is sent via HTTP
H t t p tu n n e lin g s e rv e r s o ftw a r e r u n n in g R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
FTP data is encapsulated in http packet
F ire w a ll r u le s o n ly a llo w p o r t 8 0 a n d 4 4 3
C o p y rig h t b y
EG -G *ancil. A ll
W h y d o I N e e d H T T P T u n n e lin g ?
HTTP tu n n e lin g allows you to use the In te rn e t despite having fire w a ll re stric tio n s
such as blocking specific fire w a ll p o rts to re strict specific p ro to co l co m m unication. HTTP tun n e lin g helps you to overcom e this fire w a ll re strictio n by sending specific protocol co m m unication throu g h HTTP p rotocol. The a ttacker may use this tech n iq ue fo r the fo llo w in g reasons: 9 9 9 9 9 It assures the a ttacker th a t no one w ill m o n ito r him or her w hile browsing It helps the a ttacker to bypass fire w a ll restrictions It ensures secure browsing The a ttacker can hide his or her IP address fro m being trapped it assures th a t it is highly im possible fo r others to id e n tify him o r her online
Suppose the organization has blocked all ports in yo ur fire w a ll and only allows p o rt 8 0/4 4 3 , and you w a n t to use FTP to connect to some re m o te server on the Inte rn e t. In this case, you can send y o u r packets via HTTP p ro to co l as shown in the fo llo w in g figure:
IN S ID E T H E N E T W O R K
F T P C li e n t
fL - s
ftp
S o ftw a re
v
HTTP T u n n e lin g c lie n t ru n n in g o n lo c a l p o r t
P o rt P o rt P o rt P o rt P o rt P o rt P o rt P o rt P o rt
23
21
79 25 110 500 69 80 S3 443 B
F T P d a t a is e n c a p s u la te d in h t t p p a c k e t F ire w a ll r u le s o n ly a llo w p o r t 8 0 a n d 4 4 3
FIGURE 3.69: Effect of HTTP Tunneling on both Inside and Outside the Network
H T T P T u n n e lin g Tool: S uper N e tw o r k T u n n e l
CEH
T o o l: S u p e r N e tw o r k
T u n n e l
Source: h ttp ://w w w .n e tw o rk tu n n e l.n e t Super N e tw o rk Tunnel is a professional HTTP tu n n e lin g softw are, w hich includes HTTP tu n n e l c lie n t and server so ftw a re . It is like secure VPN so ftw a re th a t allows you to access your In te rn e t program s w ith o u t being m o n ito re d by yo ur w ork, school, o r the governm ent, and gives you an extra layer o f p ro te ctio n against hackers, spyware, or ID th e ft. It can bypass any fire w a ll.
ik
S ta rt
# H - a
S e tu p Lot Add
O ra g B o x
&.
R in H e to
J1
About
TotalSendBytes Tota/Recvfiytes Server Cwent Connections: My Local IP: 10 9 0 74
Use Rin Game WthGameGuard Mode Q Use Real Remote Dn* Resolve Send Speed Recv Speed Serves Total Threads(nctude cache)
[
IP
View System Today Log

O nly Im p o rta n t M e ssa g e s
Thts operating system is 64b11, S K I support tunnel both 32b1t and 64b11 propa, and except us kook ngin*, you Iso can eon
L o g &>d S ta tu s |
: |
O e n t Stop
In Vksta.You can use dragdrop box to fragdrop program or program shortcut
FIGURE 3.70: Super Network Tunnel Screenshot
End user w ith HTTP-tunnel
HTTP Proxy or Firewall
h t tp : // w w w . h ttp - tu n n e l.c o m
C o p y rig h t b y
E G G * a n c i l . A ll
R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
W _
T o o l: H T T P -T u n n e l
/ Source: h ttp ://w w w .h ttp -tu n n e l.c o m
HTTP Tunnel acts as a SOCKS server, allow ing you to access the In te rn e t by bypassing fire w a ll restrictions. It is very secure softw are. Using this so ftw a re does n ot a llow others to m o n ito r y o u r In te rn e t activities. It hides yo u r IP address; th e re fo re , it does not a llow tracing o f your system. It allows you the u n lim ite d tra n sfe r o f data. It runs in yo ur system tra y acting as a SOCKS server, managing all data transm issions betw een the co m p u te r and the n etw o rk.
%J file Wy g e ttin g s He*p Log H elp
H T T P -T u n n e l C lie n t v 4 .4 .4 0 0 0
Ptotty Srv
Configuration
r
C onligue C* Enter Key Mad Support
Autodtloct C a l |
E x rf
< N0P>0>V C Speciy Pioty Serve* NneAP
Connections
| S p eed T ett | Diagnostics | About |
<11 56 11> RIP Pnged serve* to keep use! logged n I <11 56 11> RettievelP Log Window Geared
M *w n e e |H 4 }o n S t M >
Accei 1 Rwtactoro Turn ON 0 *cm 2 IP1 10 um w HTTPT irmH cktri L n v t O ff I you oriy *Mrt 10 um HTTPT umel how pvogrami *m n g o n t w PC r AI0M 4 >eovo IP* o comect foHTTP Tunnrt
Advanced U *n
f 0 advanced u w t only e*eete corriacl Svcded 101 r #0 Thn option Mi *osbcafly t ove performance i t supported by fOU proay Th m i vo l. ONLY I you Save 1 piO M y The comtc Icn loti dot! not lot( t t i opcn
r Ptoay * w C O N N EC T" command
U ser G u id e s
..
OomnomU.n e w t+ m rtP n a m c r
D a la P a * MT TP T c m * Infant an Peal 1080 lei conrecbon! ha* * * n 10rM Charâ >ou I r d port 1 0 6 C * * V r U M * a n you b * d H T T P I m l You n k n 10 10c 0r t 9 # *)K *ap p fca *an a and alart H T T P T im a l
Chck Here
h ttp tu n n e i
$3.99 a month/year
M u n if o ( I i n * A n y w l i Key n o t fo u n d Free S erver M o d e.
fioio 0K BUp/0 K BDown

IP R etrieved(. 149]
FIGURE 3.71: HTTP-Tunnel Client and Configuration Windows
B ssh - f u s e r @ c e r tifie d h a c k e r .c o m -L 5 0 0 0 :c e r t i f i e d h a c k e r . c o m :2 5 -N
T h is f o r w a r d s t h e
local port 5 0 0 0 to
port
6
2 5 o n c e r t if ie d h a c k e r . c o m
-f
= > b a c k g ro u n d m o d e ,
y o u a r e lo g g in g i n t o , - L
5000 :
u s e r S c e r t i f i e d h a c k e r . com = > c e r t i f i e d h a c k e r . com : 2 5

-N
=>
u s e r n a m e a n d s e rv e r = > lo c a l-
e n c ry p te d S im p ly p o i n t y o u r e m a il c lie n t t o u s e lo c a lh o s t : 5 0 0 0 as t h e S M T P s e r v e r
p o rt:h o s t:re m o te -p o rt, a n d
Do not execute the
c o m m a n d o n t h e r e m o t e s y s te m
Copyright by
E G G * a n c i l . All
Rights Reserved. Reproduction is S trictly Prohibited.
SSH T u n n e lin g SSH tun n e lin g is a n o th e r technique th a t an a ttacker can use to bypass fire w a ll
re strictio n s. It also helps you hide yo ur IP address on th e Inte rn e t; th e re fo re , no one can trace or m o n ito r you. The prerequisite o f SSH tun n e lin g is raised fro m the problem s caused by the p ub lic IP address, the means fo r accessing com puters fro m anyw here in the w o rld . The com puters netw orked w ith the public IP address are universally accessible, so th e y could be attacked by anyone on the global In te rn e t easily and can be victim ize d by attackers. The d eve lo p m en t o f SSH tun n e lin g solves the problem s faced by the public IP address. An SSH tun n el is a link th a t proceeds tra ffic fro m an indiscrim inate p o rt on one m achine to a re m o te m achine throu g h an in te rm e d ia te machine. An SSH tu n n e l comprises an encrypted tun n el, so all yo u r data is encrypted as it uses a secure shell to create the tun n el. Creating a tu n n e l fo r a p rivately addressed m achine needs to im p le m e n t th re e basic steps and also requires th re e machines. The th re e requisite machines are: 9 9 9 Local machine An in te rm e d ia te m achine w ith a public IP address Target m achine w ith a private address to w hich th e connection m ust be established
You can create a tunnel as follows: 9 9 Start an SSH connection from local machine to the intermediate machine with public IP address. Instruct the SSH connection to wait and observe traffic on the local port, and use intermediate machine to send the traffic to an explicit port on the target machine with a private address. This is called port acceleration or port forwarding. On the local machine, select the application that you want to use for connection with the remote machine and configure it to use port forwarding on the local machine. Now, when you connect to the local port, it will redirect the traffic to the remote machine.
To secure communication between computers, SSH uses private and public encryption keys. The public encryption keys used by the SSH tunneling deed like the identifiers of the authorized computer. On initiating an SSH connection, each machine exchanges public keys, but only the computer that has the matching private key can attain access to the remote computer applications and information and can read encrypted communications with the public key.
f t
M a il C lie n t
< i
% DB Server M a il Server ! 09 ............. ______ SSH P e rim e te r C o n tr o ls S erv er A pp Server W e b se rve r
DB C lient
I n *
A tta c k e r
SSH
<3
Internet
P e rim e te r C o n tr o ls
*4
t
A p p C lie n t
W eb Client
f !' <
C lie n t
FIGURE 3.72: SSH Tunneling Process
OpenSSH
Source: http://www.openssh.org OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. OpenSSH can be used to tunnel the traffic on local machine to a remote machine that you have an account on.
s s h - f u s e r @ c e r tif ie d h a c k e r .c o m -f -L 2 0 0 0 : c e r t i f i e d h a c k e r . com: 25 -N
=> backgroung mode user name and server you are logging into => I0calp0rt:h0st:rem0tep0rt
user@ c e r t i f i e d h a c k e r . com=> -L -n
2000:
c e r t i f i e d h a c k e r . c o m : 25
=> Do not execute the command on the remote system
This essentially forwards the local port 2000 to port 25 on certifiedhacker.com encrypted. Simply point your email client to use localhost:2000 as the SMTP server.
S S H T u n n e l i n g T o o l: B i t v i s e
B itv ise SSH S e r v e r p r o v id e s s e c u r e r e m o t e lo g in c a p a b ili tie s t o W in d o w s w o r k s t a ti o n s a n d s e r v e r s
C EH
SSH C lie n t in c lu d e s p o w e rf u l tu n n e lin g f e a t u r e s in c lu d in g d y n a m ic p o r t f o r w a r d in g t h r o u g h a n in t e g r a t e d p ro x y , a n d a ls o r e m o t e a d m i n i s t r a t i o n f o r t h e SSH S e r v e r

?1
Bitvise SFTP - localhost:22 Local Remote U pload Queue ^ Download Queue Log Log
I W indow
U pload Queue
a i D ownload Queue
] $ (3 c .\p ro g !a m file s(x S 6 } ',b 1 t/ise tu n n e lie r St ttrib u te s N a m e S iz eT y p e D a teM o d ife dA p p lic a tio n2 Q k M erm cex e 2 8 6 ,7 2 0A 0 0 6 -1 2 -2 50 .. A p pl irato n2 .2 6 5 .6 6 4A 0 0 6 -1 2 -2 50 .. A S /g lc l:tg c .o x o 1 p p lic a tio n2 i"7lo ge x e 2 0 .4 8 0A 0 0 6 -1 2 -2 50 A ,5 9 7 .4 4 0A p p lic a b o n2 Lsen see x e 1 0 0 6 -1 2 -2 50 A p p lic a tio n2 Isftp c .e x e 2 ,0 0 2 ,9 4 4A 0 0 6 -1 2 -2 50 .. A p p1cato n2 iis3 h d 3 tg 3 ex e2 .1 5 0 ,4 0 0A 0 0 6 -1 2 -2 50 .. A B 7 ste rm c 1 ,6 5 0 ,6 0 8A p p1c a b o n2 0 0 6 -1 2 -2 50 A p p lic a tio n2 Q to term cex e 3 7 2 ,7 3 6A 0 0 6 -1 2 -2 50 .. A p pIo a to n2 M T u rn0 1 to r.o x o6 .1 9 3 .1 5 2A 0 0 6 -1 2 -2 50 .. A p plo a to n2 S } u n 1 n 3 1 .e x o 5 5 2 .2 5 6A 0 0 6 1 2 -2 50 .. A v t100b d s 6 ,0 6 6T D SF ils 2 0 0 6 -1 2 -2 50 A x te rm td s 6 ,0 6 6T D S F ilo 2 0 0 6 -1 2 -2 50 .. A
o s> N o m e kL o g * b v ^ A d .o x e
{*
fc ip r o g r a r r Files (x36)/bitvise w insshd
S iz eT y p e D e teM o d ife d 0F ileF o ld e r2 0 0 6 -1 2 -2 50 .. 1 6 7 .9 3 6A p p lic a tio n2 0 0 6 -1 2 -2 50 ... I 7 exe 1 8 8 .4 1 5A p p lic a tio n2 0 0 6 02 5 1 2 .. F |)Vrm sso * 2 0 0 .0 9 5A p p lic a tio n2 0 0 6 -1 2 -2 50 ; SCP.OXO 2 9 4 ,9 1 2A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 1 5 ,9 6 1C * S o u r... 2 0 0 6 -1 2 -2 50 .. * 1 S tc P u g in S o m p le .c p p S lp R u g in S o m p I#d ll 2 0 . 1 0 0A p p lic a ti 2 0 0 9 -1 2 -2 50 .. 6 1 0 .3 0 4a p p lic a tio n2 0 0 6 -1 2 -2 50 .. 2 .7 6 07 0 !A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 7 CCMCV.OXO 0 5 51 5 /V p p ilc a tlo n2 0 0 6 -1 2 -2 50 .. ^sow oxecoxe 2 ,2 1 1 .0 4 0A p p lic a tio n2 0 0 6 -1 2 -2 50 .. f7itM tlgt w in to to m 0 0 3 1 9 2 .5 1 2A p p lic a tio n2 0 0 6 -1 2 -2 50 .. P u m rs ie x e 3 5 2 .2 5 6A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 2 ,3 3 0 .0 1 6A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 3 .4 6 1 ,1 2 0A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 7 W irSSHD.exe I!W rttsh d A d S ta te C h e c ke x e 4 4 6 ,4 6 4A p p lic a tio n2 0 0 6 -1 2 ^ 2 50 .. 2 ,6 6 6 ,4 9 6A p p lic a ti... 2 0 0 6 -1 2 -2 50 .. W n e sh d C fg M a n ipdI 3 .7 6 8 In te rfa c e 2 0 0 6 -1 2 -2 50 .. jW r'ssh d C fg M a o ipid l
h t tp : // w w w . b itv ise . c o m
C o p y rig h t b y
^B in a ry !_[R e s u m e |:|JO v e rw rite ft S ta rt
If B in a ry * _R e su rre j L iO v e rw rite ft S ta rt
E C -C M M C il. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
SSH T u n n e lin g
T o o l: B itv is e
Source: http://www.bitvise.com Bitvise is client server-based application used for SSH tunneling. The server provides you secure remote login capabilities to Windows workstations and servers. With Bitvise SSH Server, you can administer the Windows server remotely. The Bitvise server even has the ability to encrypt the data during transmission so that no one can sniff your data during transmission. Bitvise SSH Client includes graphical as well as command line SFTP support, an FTP-to-SFTP bridge, tunneling features that can be helpful for port forwarding and remote administration.
. Bitvise SFTP - localhost:22

W in d o w B ro w s e Local R e m o te U p lo a d Q u e u e 1 2 D o w n lo a d Q u e u e -_ /^ L o g R e m o t e F ile s o O S 13( .4 < S ize 286.720 1.265.664 20.480 1.597.440 2.002.944 2 . 50.400 1.650.688 372.736 6.193.152 352.256 6.066 6.066 c :\p ro g ra m file s (x 86 )Vb1tv is e tunrieher Type A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n T D S F ile T O S F ile D a te M o d ife d 2006-12-25 0... 2006-12-26 0 ... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0... 2006-12-26 0 ... 2006-12-25 0... 2006-12-26 0 ... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0... 2006-12-25 0 ... A ttrib u te s A A A A A A A A A A A A S O Nam e 1 Logs bvPw dexe b v R u n .e x e b v te rm s e x e *2 } fit /c /p ro g ra m file s (x 86 )/b !tv is e w in ssh d S ize 0 167.936 188.416 208.896 294.912 15.961 23.480 610.304 2.763.704 45.056 2.211.840 192.512 352.256 2.338.816 3.461.120 445,464 2.666.496 3,768 O verw rite Type F ile F o ld e r A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n C Sour... A p p lic a ti... A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a tio n A p p lic a ti... In te rla ce S ta rt ] a te M o d ite d 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0 .. 2006-12-25 0. . 2006-12-25 0 .. 2006-12-25 0 2006-12-25 0 .. 2006-12-25 0 Log
| J ) U p lo a d Q u e u e
D o w n lo a d Q u e u e
N am e n tv te rrn c .e x e
f f g ld s tg s .e x e
I 7 lo g .e x e F s e x e c exe s ftp c e x e s s h d s tg s .e x e F s te rm c .e x e
' s c p .e x e
c~ S ttp P lu g m S a m p le .c p p
S ftp P lu g in S a m p le .d ll ' sftp s.e xe F F ss h d c trl.e x e sshdexecexe
Q to t e r m c e x e ; ' T u n n e lie r.e xe J | u n 1r s t e x s v tlO C .td s xJerm .lds
' s s h d s tg s .e x e F F F F to te rm .e xe u n in s te x e w c tg exe W in S S H D .e x e
W in s s h d A c tS ta te C h e c k e x e W in s s h d C fg M a n ip .d ll
i W in s s h d C tg M a n ip id l
S f B in a r v ; R esum e J O ve rw rite _ [ & Start JP jD in d iy * R esum e
FIGURE 3.73: Bitvise Tool Screenshot
A n o n y m iz e r s
J An a n o n y m iz er r e m o v e s all t h e identifying in f o rm a tio n fro m t h e u ser's c o m p u t e r while t h e u se r surfs t h e In te rn e t A nonymizers m a k e activity on t h e I n t e r n e t u n tr a c e a b le A nonym izer too ls allow you t o b y p a s s I n t e r n e t c e n s o r e d w e b s i t e s
CEH
J J
W h y u s e A n o n y m iz e r?
C o p y rig h t b y E G -G *nncil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
A n o n y m iz e rs
An anonymizer is an intermediate server placed in between the end user and web site that accesses the website on behalf of you, making your web surfing untraceable. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http :), file transfer protocol (ftp :), and gopher (gopher:) Internet services. To visit a page anonymously, you can visit your preferred anonymizer site, and enter the name of the target website in the Anonymization field. Alternately, you can set your browser home page to point to an anonymizer, so that every subsequent web access will be anonymized. Apart from this, you can choose to anonymously provide passwords and other information to sites that request you, without revealing any other information, such as your IP address. Crackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their applications configuration menu, thereby cloaking their malicious activities.
W h y U se a n A n o n y m iz e r?
The reasons for using anonymizers include:
Ensures privacy: It protects yo u r id e n tity by m aking yo u r w e b n aviga tio n activities

untraceable. Your privacy is m aintained u n til and unless you disclose yo u r personal in fo rm a tio n on the w eb by fillin g o u t form s, etc.
Accesses government-restricted content: Most governments prevent their citizens from

accessing certain websites or content in order to avoid them from accessing inappropriate information or sensitive information. But these people can access even these types of resources by an anonymizer located outside the country.
Protect you from online attacks: Anonym izers p ro te ct you fro m all instances o f online
pharm ing attacks by routing all customer Internet traffic via the anonymizer's protected DNS servers.
Bypass IDS and firewall rules: Bypassing o f fire w a lls is m ostly done in organizations or
schools by em ployees or students accessing w ebsites th e y are n ot supposed to access. An anonym izer service gets around yo u r organization's fire w a ll by setting up a connection betw een yo ur co m p u te r and the anonym izer service. By doing such, fire w a lls can see only the connection fro m you to anonym izer's w eb address. The anonym izer w ill the n connect to T w itte r o r any w ebsite you w anted to access w ith the help o f an In te rn e t connection and sends the co n te n t back to you. For your organization, it looks like yo u r system is connected to an anonym izer's w eb address, but n ot to T w itte r or o th e r sites.
Anonym izers, apart fro m p ro te ctin g users' id e ntitie s, can also attack the w ebsite and no one can actually d ete ct w here the attack came fro m . T y p e s o f A n o n y m iz e rs An anonym izer is a service throu g h w hich one can hide th e ir id e n tity w hen using certain services o f the Inte rn e t. It basically works by encrypting the data from your computer, so that is cannot be understood by Internet service providers or anyone who might try to access it. Basically, anonym izers are o f tw o types: 9 9 - ____~ N e tw o rk e d A n o n y m iz e rs ____ These type o f anonym izer firs t transfers yo ur in fo rm a tio n throu g h a n e tw o rk o f N etw orked anonym izers S ingle-point anonym izers
In te rn e t com puters before sending it to the w ebsite. Since the in fo rm a tio n passes through several In te rn e t com puters, it becomes m ore cum bersom e fo r anyone tryin g to tra ck yo ur in fo rm a tio n to establish the connection betw een you and anonym izer.
Example: If you w a n t to visit any web page you have to make a request. The request w ill firs t pass throu g h A, B, and C In te rn e t com puters p rio r to going to the w ebsite. Then a fte r being opened, the page w ill be tra nsfe rre d back throu g h C , B, and A and then to you. Advantage: C om plication o f the com m unications makes tra ffic analysis com plex
Disadvantage: Any multi-node network communications have some degree of risk at each node for compromising confidentiality
___ S in g le -p o in t A n o n y m iz e r s
' ^ Single-point anonymizers first transfer your information through a website before sending this to the target website, and then pass back information, i.e., gathered from the targeted website, through a website and then back to you to protect your identity. Advantage: IP address and related identifying information are protected by the arms-length communications Disadvantage: It offers less resistance to sophisticated traffic analysis
C a s e : B lo g g e rs W rite T e x t B a c k w a rd s to B y p a s s W e b F il te r s in C h in a
Bloggers and journalists in China are using a novel approach to bypass Internet filters in their country - they write backwards or from right to left
IF H B O T H E R SY O U T H A TT H EC H IN A S C V E M flE N TD O E SIT ! ITS H O U L D 9 C T V C RY O U W H E NY O U *C A B L EC O M P A N Y

DOCS IT 1 "
' her^ r Z l em
*adablebvh ns~ beings k . . / U rr> an

e r in g
packets co
. aSTibet,
50**are
^ 0r cracvJ Oeroc r a ananr0en etC
I R ights R eserved. R e p ro d u c tio n is S tr ic tly P ro h ib ite d .
< \ I f
C a s e : B lo g g e rs W rite T e x t B a c k w a r d s to y p a s s W e b F ilte r s in C h in a
China is well known for its implementation of the "packet filtering" technique. This technique detects TCP packets that contain controversial keywords such as Tibet, Democracy, Tiananmen, etc. To bypass Internet filters and dodge the censors, bloggers and journalists in China are writing the text backwards or from right to left. By doing so, though the content is still in human readable form, the text is successful in defeating web filtering software. Bloggers and journalists use vertical text converter tools to write the text backwards or from right to left and vertically instead of horizontally.
C en so rsh ip C irc u m v e n tio n Tool: P siphon

J P sip h o n is a c e n s o r s h ip c irc u m v e n tio n s y s te m t h a t a llo w s u s e r s to b y p a s s f ire w a lls a n d a c c e s s b lo c k e d s ite s in c o u n tr ie s w h e r e t h e I n te r n e t is c e n s o r e d J It u s e s a s e c u r e , e n c r y p t e d HTTP tu n n e l c o n n e c tio n t o r e c e iv e r e q u e s t s fro m p s ip h o n ite to p s ip h o n o d e w h ic h in t u r n tr a n s p o r t s t h e re s u lts b a c k t o t h e r e q u e s t e d p s o p h o n ite J It a c ts a s a w e b p ro x y fo r a u t h e n ti c a te d p s ip h o n ite s , e v e n w o rk s o n m o b ile d e v ic e s -1 It b y p a s s t h e c o n te n t- f ilte r in g s y s te m s o f c o u n tr ie s like C h in a, N o rth K orea, Iran , S au d i A ra b ia , E gypt a n d o th e r s
0 0 proxy domestic web sites Qicrr. Veraion; 40 S S H connecting... Localhos! poit 1080 is already in use SCCfCS proxy is running on localhcst port 1081 A .
CEH
Psiphon 3
S S H s u c c e s s fu llyc o n n e c te d HTTP proxy is running cn localhost poit SOSO

Preferred sen era: 2 SSH disconnected.
S S H c o n n e c tin g Localhos! poit 1030 is already in u#c

SOCKS proxy is running on localMcst port 1081 SSH successfully connected HTTP proxy ia rumhg cn localhooi poit 8030. Fix VPN Servces faled: ireutfciert privileoesto confiaure 0 stal servce IKEE VPN connecting... YPN succesûly connected.
S S H d is c o n n e c te d .
Uncensored
HTTP proxy is rumha cn localhost poit 8080.

VPN disconnected. SSH connecting. ..
Locahoss poit 1080 already inuse

SOCKS proxy it running on localhost port 1081 SSH succesûly comcctod.
1 8
HTTP proxy is rumnq cn localhos! poit 8080.

Unpraeed autee ruixjifcoiit com Urproxed. a 1970.gok.anoi /id U ronxed: osnotomq .com Unproved a$0g akamai net Unproxed: wyvw.bqaiautc.com Uronxed: mypalsar.com SSH disconnected SSH* connecting...
Locahos: cor. 1080 is aready in use

SOCKS proxy is running on localhost port 1081 Aboii Psphon 2
h ttp : //p s ip h o n .c o
C o p y rig h t @ b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
C e n s o rs h ip
C irc u m v e n tio n
T o o l: P s ip h o n
Source: http://psiphon.ca Psiphon is a censorship circumvention system that allows users to bypass firewalls and access blocked sites in countries where the Internet is censored. It uses a secure, encrypted HTTP tunnel connection to receive requests from psiphonite to psiphonode, which in turn then transports the results back to the requested psophonite. It acts as a web proxy for authenticated psiphonites, and works on mobile browsers. It bypasses content-filtering systems of countries such as China, North Korea, Iran, Saudi Arabia, Egypt, and others.
Psiphon 3
O
H I ]
o v p n s1 h
O SSH SSH
@ Don! proxy domestic web sites Client Version: 40 SSH connecting Localhost port 1080 is already m use SOCKS proxy is runrwig on locahost port 1081. SSH successfully connected HTTP proxy is ru m n g on locahost port 8080 Preferred servers: 2 SSH disconnected SSH connecting... Localhost port 1080 is already m use SOCKS proxy is rurmng on locafriost port 1081 SSH successfully connected HTTP proxy is rurmng on locahost port 8080 SSH disconnected Fix VPN Services faded nsuffoent pmnleges to configure or start service IKEE VPN connecting... VPN successfully connected HTTP proxy is rurmng on locatiost port 8080 VPN disconnected SSH connect ng... Localhost port 1080 is already n use SOCKS proxy is rurmng on locatiost port 1081. SSH successfully connected HTTP proxy is rurmng on locahost port 8080 Unprcuoed autosinaxabout .com Unproxied: a1979.g akamai net Unproxied: bsmotormg com Unproxied: a 9 0 g akamai net Unprowed: www baja!auto com Unprowed mypulsar com SSH disconnected SSH connecting Localhost port 1080 is already in use SOCKS proxy is running on locatiost port 1081 About Ps*>hon 3
FIGURE 3.74: Psiphon Screenshot
M o d u le 03 Page 4 11
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C o p y rig h t b y
G M IilC il. A ll R ig h ts R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
C e n s o rs h ip
C irc u m v e n tio n
T o o l: Y o u r - F r e e d o m
Source: http://www.your-freedom.net Censorship circumvention tools allow you to access websites that are not accessible to you by bypassing firewalls. The Your Freedom services makes accessible what is unaccessible to you, and they hide your network address from those who don't need to know. This tool turns your PC into an uncensored, anonymous web proxy and an uncensored, anonymous SOCKS proxy that your applications can use, and if that's not enough, it can even get you connected to the Internet just as if you were using an unrestricted DSL or cable connection.
Y our F re e d o m
S ta tu s | S tr e a m s | A c c o u n t P r o file P o rts M essages V o u c h e rs j A p p lic a tio n s
_ EL
A bout
Freedom Server External IP Address Server located in Open streams Bytes sent Bytes received Send rate (bytes/sec) Receive rate (bytes/sec)
https://ems29.your-freedom.de 443 83.170.106 56 UK, United Kingdom 0 2973 704 279 111|
C o n fig u r e
S to p c o n n e c tio n
R e s ta r t c o n n e c tio n
U p d a te ?
E x it
II I
U p lin k 1.0 k
D o w n lin k 0 .4 k
FIGURE 3.75: Your-Freedom Screenshot
H o w to C h e c k i f Y o u r W e b s ite is B lo c k e d in C h in a o r N ot?
J J Internet tools help identify if web users in China can access remote websites When Just Ping and WebSitePulse show "Packets lost" or "time-out" errors, chances are that the site is restricted
h ttp : // w w w . w e b s ite p u lse . c o m

H o w --------N o t?
to C h e c k
if Y o u r W e b s ite
is B lo c k e d
in
C h in a o r
If a "packets lost" error is received or there is a connection time-out message is displayed while connecting to your site, chances are that the site is blocked. To find out whether the website at xyz.com is accessible by Chinese web users, you can use tools such as just ping and WebSitePulse.
f
00
J u s t p in g
Source: http://www.iust-ping.com Just ping is an online web-based ping tool that allows you to ping from various locations worldwide. It pings a website or IP address and displays the result as shown as follows:
j u s t ^ p in g
u jn T C H m n u !
WATCMNC CVtROMlM IlMNISk
O n l i n e w e b -b a a e d p i n g :
F re e o n lin e p in g i r o n
SO l o c a i i o a a
w o r ld w id e
U-jhg
e g
| |p-r.g1
y ah o o con o r 6 6 .9 4 .2 3 4 .1 3 3
pina: tnm .fA cm bock.com < C h eck http fly!w .facatoook co m /)

S in g a p o re . Unknow n h o a t : S in g a p o re : vnr f a e e b o o k . com f y j s * te r d a .n 2 , O kay N a th a rla n d a F l o r i d a . U.S.A . : O kay X a a ta rd ia 3. O kay N c * .h e rla rv d : H ong K o r . r j , C h in * O kay Sydney. O kay Hi h I w I 1 MA*tnchn. O kay C rn a n y : C o l o a n . S a rm an Y rO k a y Hav Y o r k , U .S .A . O kay S to c k ho l a . O kay Sw adan. S a n ta C la r a . U .S .A .: V a n c o u v e r. L ondon. K in g d o m . M a d r id . Padova A u tin . U ni ta d S p a in : Ita ly : U .S .A .: O kay O kay O kay O kay O kay O kay O kay
M 3 84 0 90 5 1 8 3 .9 1 9 3 .9 9 7 .2 10 3 3 9 1 .* 123 28 O M 8 9 4 .4 12 4 6 113 A 72 8 M 3
9 0 .5 84 6 90 6 1 8 9 .9 1 8 3 .8 9 7 .5 1 0 9 .9 8 2 .1 1 2 3 .9 2 8 .3 3 3 .9 94 .7 1 2 4 .7 1 1 3 .C 7 3 .2 9 0 .
91 O 8 3 .3 91 .0 1 9 8 .9 1 6 5 .0 96 .2 1 0 6 .1 8 2 .5 1 2 4 .2 2 8 .7 3 4 .1 9 8 .2 1 2 5 .3 1 1 3 .9 7 3 .C 9 0 .9
2 a 0 3 : 2 6 8 0 : 2 1 1 0 : 3 f 0 2 : f a c e bOOc 6 6 . 2 2 0 .1 4 9 88 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 : f a c e bOOc 2 a 0 3 : 2 8 8 0 : 1 0 : 1 f 0 2 : f a c a : bOOc 69 . 1 7 1 . 2 3 7 .1 6 6 9 . 1 7 1 .2 4 2 . 7 0 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 : f a c a bO O c:: < 9 . 1 7 1 . 2 3 7 .3 2 2 a0 3 2880 2110 3 f0 2 6 9 . 1 7 1 .2 2 8 7 0 2 a 0 3 :2 8 8 0 : 1 0 i f 0 3 fa c a .b O O c 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 3 : fa c a :b O O c 65 63 1 8 9 .7 4 2 a 0 3 2 8 8 0 ! 2 1 1 0 3 F02 f a o bOOc 2 a 0 3 2 8 8 0 10 I f 0 3 f a c bOOc 25 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f0 2 f a c e bOOc 29 f a c a bOOc 25
M o th e rla n d .
FIGURE 3.76: Just Ping Screenshot
W e b s ite P u ls e
Source: http://www.websitepulse.com WebsitePulse provides remote monitoring services. It simultaneously pops websites from around the globe.
I B a IV W*t4Tt C w C A ww.wrt>nepuls<.<o n '.Ttoo<Krtn*-tCTtmm! s i x
I ^
WebsitePulse Tk* w#b S*r*M aad Wafcdt* Maatfck* S#rvk tnnlfd bv 184% mUoman tskt IT easy | . .1 A, j 1 mi Tata > > mi aât * ! . r w v i c ! . * > ( m m l a r o tYo1# WrtiUt 0 F f c t a j iExtcnwun t tAdd-0<W OlfO f l M EXtMMOft* Opora E x t e o s > o o s Safan Ex t c rwon* Wtf>dow3V1a Gadget Facebook App* ^ n o r o w Jape <*V>h*6 * > * 3Ap* LIVE CHAT ' * i t Byt* 3 . 0 9 0MC MmM Am U.n4I last mukt wam 1( Jh I m M Im Chm T nM M i 12-00-2; l015?>tO(OT 0 0 : 0 0 )
ham c r f cR V 2 0 1 2 0 4 2 1 1 0 : 5 7 1 1 c (OMT 0 0 : 0 0 ) ml r t e 4 1 *) < KMoxwr H n M A i: M71.2S7.J2 IniMM t mi C M7 o 0. 0 c MC CaMKt C.3M c 0M0 Mr hntM: 0 . 1 3 3 ioc f t m m ]1311 M m # M T f i(>#g,TfMnUt> r M u f t s 11
ImImIlm>
Hnmni ( 000 o*v 0000*k CMM(t : OON nc
W. 0* * t i c *MU (PMoaraovtNU) nu(t
lo N w H K ttm YTrbUtr frrr f a rM 0r Cktk He r r * 1m a i lm d h Son Rnull) Pafona a new tot Report a hvMaa
r #
T # *1Tod* 0 v . v
FIGURE 3.77: WebsitePulse Screenshot
G -Z a p p e r
CEH
G - Z a p p e r - TRIAL V E R S IO N
G Z a p p e r
G-Zaocei = ntsctrg you! Search Piivacy
Did you know - 300gl9 *teres a unique identifier in a cookie on your PC, which alow? them to track the kewkofdi yoo s sa c h fot. G -Zepper will ojtomalicdl/ dctcct and cban this cookie in your w5b bo/vie. J j; t jn G-Zaoce. ninini7e the vinebw. and enjoy ycur enhanced search privacy.
G o o g le s e t s a c o o k ie o n u s e r 's s y s te m w ith a u n iq u e id e n tif ie r t h a t e n a b l e s t h e m to tr a c k u s e r 's w e b a c tiv itie s s u c h a s :

I
2' A Google Trr^rking ID exi s t s on ymPC

Goxê instaled the cookie on Tuesday, July 03. 2012 12:10:32 AM Y a * scaiche; ha/e teen tracked for *9 days You have 2 Gog teaiehet aved n Mjjilla Rrafax
Y o u -a o o g leV(h re fo x8 5 3 6 d 4 5 Ib 3 6 7 1 7 3 8
e J
S earch K eyw ords a n d h a b its S earch re s u lts W e b site s visited

Tobbck *nddelete th Googe ceareh cook*, die*, the 8look Cooki button. (Grtai aid A 0 ie r 1 > 1 1 be unavailable vitli the oju ke blocKcd)
Yoji irWtitj* wil h ofc<cutd from previcut SMrchtfi *nd G Z*ppr wll mgulMî clean luhir cookiat
1 0d e le teth eU x atec o o k ie ,c lic kth eU e le teL o o k ieb u tto n .
I n f o r m a tio n f r o m G o o g le c o o k ie s c a n b e u s e d a s e v i d e n c e in a c o u r t o f la w | O b tt Cootie J ^ Block Cock* j ^ Test Google j ^

Settings
hllc/jw w M d u rm w sD liw a(fi.cflm
h t tp : //w w w . d u m m y s o ftw a r e . c o m
C o p y rig h t b y EG-GtUIICil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
G Z a p p e r
Source: http://www.dummysoftware.com G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online. It automatically detects and cleans Google cookies each time you use your web browser. It is compatible with Windows 95/98/ME/NT/2000/XP/Vista/Windows7. It requires Microsoft Internet Explorer, Mozilla Firefox, or Google Chrome and is compatible with Gmail, Adsense, and other Google services.
G-Zapper - TRIAL VERSION

W hat
is G Z a p p e r
G -Z a p p e r P ro je c tin g y o u S e a rc h P riv a c y D id y o u k n o w G o o g le stores a u n q u e idenM ier r a c o o k ie o n y o u P C . w h ic h a to w s th e m to tra c k th e k e y w o rd s y o u s e a rc h lo r G Z a p p e r w i a u to m a tic a l}! d e te c t a n d d e a n th is c o o k ie y o u w e b b row se* J u s t ru n G Z a p p e r. m r m t t e th e w in d o w , a n d e n jo y y o u e n h a n c e d s e a rc h p riv a c y
2'
A Google Tracking ID exists on yocr PC.

You Google ID: (Frefox) 85%d451b86*738 Google instaled the cook* on: Tuesday. Jdy 03.2012 12:10:32 AM
Y o u s e a rc h e s h a v e b e e n b a c k e d 10149 days
----
| You h a ve
2 G o o g le
s e a rc h e s s a v e d n M o z ia F re fa x
H o w to U s e It T o d e le te th e G o o g le c o o k ie , d c k th e D e le te C o o k ie b u tto n Y o u id e n tity w i b e o b s c u e d from p re v io u s se a rc h e s a n d G -Z a p p e i w i reg u la rly c le a n fu tu re c o o k ie s
T 0 b lo c k a n d d e le te th e G o o g le s e a rc h c o o k ie , d ic k th e B lo c k C o o k ie b u tto n (Gmad a n d A d s e n s e w i b e u n a v a ia b le w ith th e c o o k ie M o c k e d )
http //www dunmvsdtware com

D e le te C ookie B lo c k C ookie T e s t G o o g le
Settngs
FIGURE 3.78: G-Zapper-Trial Version Screenshot
A n o n y m iz e r s
M ow ser
EH
http://w w w .spotflux.com
Spotflux
http://w w w .m ow ser.co m
http://w w w .anonym ous-surfing.com
A nonym ous Web Surfing Tool
http://ultim ate-anonym ity.com
U-Surf
http://w w w .h ideyouripaddress.net
Hide Your IP Address
http://silent-surf.co m
WarpProxy
ps4
http://w w w .anonym izer,co m
Anonymizer Universal
http://w w w .hopeproxy.co m
Hope Proxy
http://w w w .g uardster.co m
G uardster
s a f lH l
http://w w w .pri\/acy-pro.co m
Hide My IP
* " V
An anonymizer is a tool that allows you to mask your IP address to visit websites without being tracked or identified, keeping your activity private. It allows you to access blocked content on the Internet with omitted advertisements. A few anonymizers that are readily available in the market are listed as follows: a 9 9 Mowser available at http://www.mowser.com Anonymous Web Surfing Tool available at http://www.anonymous-surfing.com Hide Your IP Address available at http://www.hideyouripaddress.net
Anonymizer Universal available at http://www.anonvmizer.com 9 9 Guardster available at http://www.guardster.com Spotflux available at http://www.spotflux.com
Q U-Surf available at http://ultimate-anonymity.com 9 9 9 WarpProxy available at http://silent-surf.com Hope Proxy available at http://www.hopeproxy.com Hide My IP available at http://www.privacy-pro.com
S p o o fin g I P A d d r e s s
IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be someone else When the victim replies to the address, it goes back to the spoofed address and not to the attacker's real address IP spoofing using Hping 2:
H p in g 2 -a www. 7 . 7 . 7. 7
CEH
You w ill n o t b e a b l e to c o m p l e t e t h e t h r e e - w a y h a n d s h a k e a n d o p e n a s u c c e s s f u l TCP c o n n e c tio n b y s p o o f in g a n IP a d d r e s s

-.
S p o o fin g IP
A d d re s s e s
^ Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker a fake IP in place of the attacker's assigned IP. When the attacker sends a connection request to the target host, the target host replys to the attacker's request. But the reply is sent to the spoofed address. When spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources.
IP sp oo fin g using Hping2: H p in g 2 w w w .c r e t i f i e d h a c k e r . c o m -a 7. 7. 7. 7
Using Hping2 you can perform IP spoofing. It helps you to send arbitrary TCP/IP packets to network hosts.
FIGURE 3.79: Attacker Sending Spoofed Packet to The Victim
IP Spoofing D etectio n Techniques: D ire c t T T L Probes

J
CEH
Send packet to host of s u s p ect spoofed packet th a t triggers reply and c o m p a re TTL with susp ect packet; if th e TTL in t h e reply is n o t th e s a m e as t h e packet being checked, it is a spoofed packet This te c h n iq u e is successful w h en attacker is in a diffe ren t s u b n e t from victim
Sending a packet w ith spoofed 10.0.0.5 IP -T T L 13
a a '
A tta c k e r (S p o o fe d A d d re s s 10 .0 .0 .5 )
Target
10.0.0.5
N o te : N o r m a l tr a f f ic f r o m o n e h o s t c a n v a r y TTLs d e p e n d i n g o n tr a f f ic p a t t e r n s
C o p y rig h t b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
IP
S p o o fin g D e te c tio n
T e c h n iq u e s : D ire c t T T L P ro b e s
Initially send a packet to the host of suspect spoofed packet and wait for the reply. Check whether the TTL value in the reply matches with the TTL value of the packet that you are checking. Both will have the same TTL if they are the same protocol. Though, initial TTL values vary based on the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the commonly used initial values are 64 and 128 and for ICM P, the values are 128 and 255. If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. The hop count can be determined by deducting the TTL value in the reply from the initial TTL value. If the TTL in the reply is not matching with the TTL of the packet that you are checking, it is a spoofed packet. If the attacker knows the hop count between source and host, it will be very easy for the attacker to launch an attack. In this case, the test results in a false negative.
S e n d in g a p a c k e t w ith s p o o f e d 1 0 .0 .0 .5 IP - TTL 1 3
Attacker
(S p o o fed A d d ress
>*.
10.0.0.5)
y Nf
10.0.0.5
FIGURE 3.80: Using Direct TTL Probes for IP Spoofing Detection
IP Spoofing D etectio n Techniques: IP Id e n tific a tio n N u m b e r

J S e n d p r o b e t o h o s t o f s u s p e c t s p o o f e d tr a f fic t h a t tr ig g e r s re p ly a n d c o m p a r e IP ID w ith s u s p e c t tra f fic J J If IP IDs a r e n o t in t h e n e a r v a l u e o f p a c k e t b e in g c h e c k e d , s u s p e c t tr a f fic is s p o o f e d T h is te c h n i q u e is s u c c e s s f u l e v e n if t h e a t ta c k e r is in t h e s a m e s u b n e t
Send packet w ith spoofed IP 10.0.0.5; IP ID 2586
A tta c k e r (S p o o fe d A d d re s s 10 .0 .0 .5 )
*t ;.*
. * 5 .
Ta1get
10.0.0.5
r 3H1
IP
T e c h n iq u e s : IP
Id e n tific a tio n
N u m b e r
Spoofed packets can be identified based on the identification number (IP ID ) in the IP header that increases each time a packet is sent. This method is effective even when both the attacker and victim are on same subnet. To identify whether the packet is spoofed or not, send a probe packet to the target and observe the IP ID number in the reply. If it is in the near value as the packet that you are checking, then it is not a spoofed packet, otherwise it is a spoofed packet.
Sending a packet w ith sp o o fed 1 0 .0 .0 .5 IP - IP ID 2586
w
A tta c k e r (S p o o fe d A d d re s s 1 0 .0 .0 .5 ) T a rg e t
1 0 .0 .0 .5
FIGURE 3.81: Using IP Identification Number for IP Spoofing Detection

M o d u le 0 3 Page 422 Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
IP Spoofing D etectio n Techniques: T C P F lo w C ontrol M e th o d

J A tta c k e rs s e n d in g s p o o f e d TCP p a c k e ts , will n o t r e c e iv e t h e t a r g e t 's SYN-ACK p a c k e ts J A tta c k e rs c a n n o t t h e r e f o r e b e r e s p o n s iv e t o c h a n g e in t h e c o n g e s t io n w in d o w s iz e _l W h e n r e c e iv e d tr a f fic c o n t in u e s a f t e r a w in d o w s iz e is e x h a u s t e d , m o s t p ro b a b ly t h e p a c k e ts a r e s p o o fe d
CEH
Sending a SYN packet with spoofed 10.0.0.5 IP
A tta c k e r
(Spoo fed Address
T a rg e t
10 .0 .0 .5 )
.'&<* v\
10.0.0.5
IP
T e c h n iq u e s : T C P
F lo w
C o n tro l
M e th o d
The TCP can optimize the flow control on both the send and the receiver side with its algorithm. The algorithm accomplishes the flow control based on the sliding window principle. The flow of IP packets can be controlled by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. When the window size is set to zero, the sender should stop sending more data. In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker who is unaware of the ACK packet containing window size information continues to send data to the victim. If the victim receives data packets beyond the window size, then the packets must be treated as spoofed. For effective flow control method and early detection of spoofing, the initial window size must be very small. Most spoofing attacks occur during the handshake, as it is difficult to build multiple spoofing replies with the correct sequence number. Therefore, the flow control spoofed packet detection must be applied at the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting
the SYN request from a genuine client or a spoofed one, you should set the SYN-ACK to zero. If the sender sends an ACK with any data, then it means that the sender is the spoofed one. This is because when the SYN-ACK is set to zero, the sender must respond to it only with the ACK packet but not ACK with data.
FIGURE 3.82: Using TCP Flow Control Method for IP Spoofing Detection
I P S p o o fin g C o u n t e r m e a s u r e s
Limit access to configuration information on a machine
CEH
Use random initial sequence numbers
C o p y rig h t b y EG-GlOOCil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
IP
S p o o fin g
C o u n te rm e a s u re s
In ethical hacking, the ethical hacker also known as the pen tester, has to perform an additional task that a normal hacker doesn't follow, i.e., applying countermeasures to the respective vulnerabilities determined through hacking. This is essential because knowing security loopholes in your network is worthless unless you take measures to protect them against real hackers. As mentioned previously, IP spoofing is one of the techniques that a hacker employs to break into the target network. Therefore, in order to protect your network from external hackers, you should apply IP spoofing countermeasures to your network security settings. The following are a few IP spoofing countermeasures that you can apply: Avoid trust relationships Attackers may spoof themselves as a trusted host and send malicious packets to you. If you accept those packets by considering that the packets are sent by your trusted host, then you may get infected. Therefore, it is advisable to test the packets even when they come from one of your trusted hosts. You can avoid this problem by implementing password authentication along with trust-relationship-based authentication. Use firewalls and filtering mechanisms You should filter all the incoming and outgoing packets to avoid attacks and sensitive information loss. The incoming packets may be the malicious packets coming from the attacker.
If you do not employ any kind of incoming packet filtering mechanism such as a firewall, then the malicious packets may enter your private network and may cause severe loss. You can use access control lists (ACLs) to block unauthorized access. At the same time, there is also a possibility of insider attackers. These attackers may send sensitive information about your business to your competitors. This may also lead to great monetary loss or other issues. There is one more risk of outgoing packets, which is when an attacker succeeds in installing a malicious sniffing program running in hidden mode on your network. These programs gather and send all your network information to the attacker without giving any notification. This can be figured out by filtering the outgoing packets. Therefore, you should give the same importance to the scanning of outgoing packets as that of the incoming packet data scanning. Use random initial sequence numbers Most of the devices chose their ISN based on timed counters. This makes the ISNs predictable as it is easy for a malicious person to determine the concept of generating the ISN. An attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he or she can make a malicious connection to the server and sniff your network traffic. To avoid this, risk you should use random initial sequence numbers. Ingress filtering Prohibiting spoofed traffic from entering the Internet is the best way to block it. This can be achieved with the help of ingress filtering. Ingress filtering applied on routers enhances the functionality of the routers and blocks spoofed traffic. It can be implemented in many ways. Configuring and using access control lists (ACLs) that drop packets with source address outside the defined range is one way to implement ingress filtering. Egress filtering Egress filtering refers to a practice that aims at IP spoofing prevention by blocking the outgoing packets with a source address that is not inside. Use encryption If you want to attain maximum network security, then use strong encryption for all the traffic placed onto the transmission media without considering its type and location. This is the best solution for IP spoofing attacks. Attackers usually tend to find targets that can be compromised easily. If an attacker wants to break into encrypted network, then he or she has to face a whole slew of encrypted packets, which is a difficult task. Therefore, the attacker may try to find another target that can be easily compromised or may attempt other techniques to break into the network. Use the latest encryption algorithms that provide strong security. SYN flooding countermeasures Countermeasures against SYN flooding attacks can also help you to avoid IP spoofing attacks.
Besides these basic countermeasures, you can perform the following to avoid IP spoofing attacks: 9 9 9 9 You should limit the access to configuration information on a machine You should always disable commands like ping You should reduce TTL fields in TCP/IP requests You should use multilayered firewalls
C o p y rig h t b y EG -G ouncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
C E H
So far, we have discussed concepts such as what to scan, how to scan, how to detect vulnerabilities, and the respective countermeasures that are necessary to perform scanning pen testing. Now we will begin the action of scanning pen testing. Check for Live Systems Scan for Vulnerability
191
Scanning Beyond IDS
3 0
r -^ r -n
Prepare Proxies
Banner Grabbing
f* * Scanning Pen Testing
This section highlights the need to scan pen testing and the steps to be followed for effective pen testing.
S c a n n in g P e n T e s tin g
0
J P e n te s t in g a n e t w o r k f o r s c a n n in g v u ln e r a b ilitie s d e t e r m i n e s t h e n e t w o r k 's s e c u r i t y p o s t u r e b y
CEH
0
id e n tify in g live s y s t e m s , d is c o v e r in g o p e n p o r t s , a s s o c ia tin g s e r v ic e s a n d g r a b b in g s y s t e m b a n n e r s to s im u l a te a n e t w o r k h a c k in g a t t e m p t J T h e p e n e t r a t i o n te s t in g r e p o r t w ill h e lp s y s t e m a d m i n i s t r a t o r s to :
Close unused ports
Calibrate firewall rules
Disable unnecessary services
Troubleshoot service configuration errors
Hide or customize banners
S c a n n in g
P e n
T e s tin g
The network scanning penetration test helps you to determine the network security posture by identifying live systems, discovering open ports and associated services, and grabbing system banners from a remote location, simulating a network hacking attempt. You should scan or test the network in all possible ways to ensure that no security loophole is overlooked. Once you are done with the penetration testing, you should document all the findings obtained at every stage of testing so that it helps system administrators to: 9 9 9 Close unused ports if not necessary/unknown open ports found Disable unnecessary services Hide or customize banners
9 Troubleshoot service configuration errors 9 Calibrate firewall rules to impose more restriction
S c a n n in g P e n T e s tin g
(C o n td)
CEH
C h ec k f o r t h e live h o s ts u s in g to o ls s u c h
START
a s N m a p , A n g ry IP S c a n n e r, S o la rW in d s E n g in e e r 's to o l s e t , C o la s o f t P in g Tool, e tc . U se to o ls su c h a s N m a p , A ngry IP S c a n n e r, e tc . e C h ec k f o r o p e n p o r ts u s in g to o ls s u c h a s N m a p , N e ts c a n T ools P ro , PRTG N e tw o r k M o n ito r , N e t T o o ls, e tc .
V Perform port scanning V

P e rfo rm b a n n e r g ra bibing b in g /O S fin g e rp rin tin g U se to o ls s u c h a s T e ln et, N e tc ra ft, ID S erv e, e tc . P e rfo rm b a n n e r g ra b b in g /O S f in g e r p rin tin g u s in g to o ls s u c h a s T e ln e t, N e tc ra f t, ID S e rv e , e tc . S can f o r v u ln e r a b ilitie s u s in g to o ls su c h a s N e s s u s , GFI L A N G u ard , S A IN T scan n er, C o re I m p a c t P r o f e s s io n a l, R e tin a CS M a n a g e m e n t, M BSA, e tc .
.....>
U se to o ls su ch a s N m ap, N etscan Tools Pro, etc.
g
V Scan for vulnerability
>
U se to o ls su ch a s N essus, SAINTscanner, GFI LANGuard, etc.
S c a n n in g
P e n
T e s tin g
( C o n t d )
Let's see step by step how a penetration test is conducted on the target network. Stepl: Host Discovery The first step of network penetration testing is to detect live hosts on the target network. You can attempt to detect the live host, i.e., accessible hosts in the target network, using network scanning tools such as Angry IP Scanner, Nmap, Netscan, etc. It is difficult to detect live hosts behind the firewall. Step 2: Port Scanning Perform port scanning using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc. These tools will help you to probe a server or host on the target network for open ports. Open ports are the doorways for attackers to install malware on a system. Therefore, you should check for open ports and close them if not necessary. Step 3: Banner Grabbing or OS Finger Printing Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, Netcat, etc. This determines the operating system running on the target host of a network and its version. Once you know the version and operating system running on the target system, find
and exploit the vulnerabilities related to that OS. Try to gain control over the system and compromise the whole network.
Step 4: Scan fo r V u ln e ra b ilitie s
Scan the network for vulnerabilities using network vulnerability scanning tools such as Nessus, G FI LANGuard, SAINT, Core Impact Professional, Ratina CS, MBSA, etc. These tools help you to find the vulnerabilities present in the target network. In this step, you will able to determine the security weaknesses/loopholes of the target system or network.
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s S c a n n in g N e t w o r k s
E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r
S c a n n i n g
P e n
T e s t i n g (Contd)
D raw n e tw o rk diagram s
Use tools such as LAN surveyor, OpManager, etc.
Prepare proxies
Use tools such as Proxy Workbench, Proxifier, Proxy Switcher, etc.
Draw netw ork diagrams o f the vulnerable hosts using tools such as LAN surveyor, O pM anager, N etw orkV ie w , The Dude, FriendlyPinger, etc. e e Prepare proxies using tools such as Proxy W orkbench, P roxifier, Proxy Sw itcher, SocksChain, TOR, etc. D ocum ent all the findings
S c a n n in g
P e n
T e s tin g
( C o n t d )
Step 5: Draw Network Diagrams Draw a network diagram of the target organization that helps you to understand the logical connection and path to the target host in the network. The network diagram can be drawn with the help of tools such as LAN surveyor, OpManager, LANState, FriendlyPinger, etc. The network diagrams provide valuable information about the network and its architecture. Step 6 : Prepare Proxies Prepare proxies using tools such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy, ProxyFinder, etc. to hide yourself from being caught. Step 7: Document all Findings The last but the most important step in scanning penetration testing is preserving all outcomes of tests conducted in previous steps in a document. This document will assist you in finding potential vulnerabilities in your network. Once you determine the potential vulnerabilities, you can plan the counteractions accordingly. Thus, penetration testing helps in assessing your network before it gets into real trouble that may cause severe loss in terms of value and finance.
M o d u le 0 3 P a g e 4 3 2
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t
b y E C - C O U I I C il
A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s S c a n n in g N e t w o r k s
E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r
o d u l e
S u m
a r y
The o b je c tiv e o f s c an ning is to d isco ve r live system s, a c tiv e /ru n n in g p o rts , th e o p e ra tin g system s, and th e service s ru n n in g on th e n e tw o rk A tta c k e r d e te rm in e s th e live hosts fro m a range o f IP addresses by se n d in g ICMP ECHO requests to m u ltip le hosts A tta c k e rs use v a rio u s scan ning te c h n iq u e s to bypass fire w a ll ru le s and lo g g in g m e ch a n ism , and hide th e m s e lv e s as usual n e tw o rk tra ffic B ann er g ra b b in g o r OS fin g e rp rin tin g is th e m e th o d to d e te rm in e th e o p e ra tin g system ru n n in g o n a re m o te ta rg e t system D ra w in g ta rg e t's n e tw o rk d ia g ra m gives va lu a b le in fo rm a tio n a b o u t th e n e tw o rk and its a rc h ite c tu re to an a tta c k e r HTTP T u n n e lin g te c h n o lo g y a llo w s users to p e rfo rm va rio u s In te rn e t tasks d e s p ite th e re s tric tio n s im p o s e d by fire w a lls P roxy is a n e tw o rk c o m p u te r th a t can serve as an in te rm e d ia ry fo r c o n n e c tin g w ith o th e r c o m p u te rs A c ha in o f proxies can be c re a te d to eva de a tra c e b a c k to th e a tta c k e r
M o d u le
S u m m a r y
Let's take a look at what you have learned in this module: The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network. Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. Attackers use various scanning techniques to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic.
e
Banner Grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. Drawing target's network diagram gives valuable information about the network and its architecture to an attacker. HTTP Tunneling technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls. Proxy is a network computer that can serve as an intermediary for connecting with other computers. A chain of proxies can be created to evade a traceback to the attacker.
M o d u le 0 3 P a g e 4 3 3
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t
b y E C - C O U I I C il
A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .

CEHv8 Module 03 Scanning Networks

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEHv8 Module 03 Scanning Networks

Uploaded by

Copyright:

Available Formats

Scanning N etw orks M odule 03

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2-50 C ertified Ethical H acker

ScanningN etw orks

Engineered by Hackers. Presented by Professionals.

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

Oct 18 2012 S a lie n t ly S a lit y B o t n e t T r a p p e d S c a n n in g IP v 4 A d d r e s s S p a c e

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

Copyright S P A M fig h te r 2 0 03 -201 2

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

IP Spoofing Detection Techniques Scanning Countermeasures Scanning Pen Testing

Copyright by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

Sends TCP /IP p ro b e s

To discover live hosts, IP address, and open po rts o f live hosts

To discover services ru nning on hosts

To discover vu ln e ra b ilitie s in live hosts

systems and system architecture

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

Draw N e tw o rk. Diagrams

W m, U Scanning Pen Testing

The firs t step in scanning the n e tw o rk is to check fo r live systems.

Check fo r Live Systems

Scan for Vulnerability

Check for Open Ports

Draw Network Diagrams

Scanning Beyond IDS

Scanning Pen Testing

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

C h e c k in gfo rL iv eS y ste m sIC M PS c a n n in g

ICMP Echo Request

ICMP Echo Reply D e stin a tio n (192.168.168.5)

T h e ping s c a n output u sin g Nm ap:

192166.168.5 |n rr*p wi 192.168.168.3 Service! * Nmap 0utp14

Command: Hosts Host

Pciti H oiti Topology H ojI Detail!

192.16S. 168.1 192.168.1663 192.168.1685 192.168.166.1S

Swap scan re p o rt fo r 192.168.168.5

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

ICMP Echo Reply

FIGURE 3.2: ICMP Q u e ry Diagram

192.168.168.5 |nm ap -sn 192.168.168.51 Services

Command: Hosts OS < Host IM I* *"

tM 192.168.168.13 .. v ------- ------ -----------------1 Filter Hosts

FIGURE 3.3: Zenm ap S how ing Ping Scan O u tp u t

Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s

Exam 3 1 2 -5 0 C ertified Ethical H acker

H e lp v P ro file *I S c irt C anct

| m 8 p P f PA21,23.9Q,J389192.168.168.1-501 k n x ei N n < * p O u t p u t P o r t ( / HoUi | T o p o l o g y H o t ! D e t a i l * S c a n t n m a p w P E PA21.2J.80l3 3 8 9 192.168.168.1*0

I t t 168 3 1& 1 6 6 . 1 & ) 19e.166.16a.1j

1 v .1 t t.1 tt .1 4 I ttlttlttlS 1 9 2 16s.16a.17 1 9 2 . It t I t t 1 9 1 9 2 .1 6 8 . 1 6 8 2 6 I 9 ilttltt2 3 F * H o s ts v

ICM P Echo Request

ICMP ECHO Reply

192166.168.5 |n rrp wi 192.168.168.3 Service! Nmap 0utp14