Professional Documents
Culture Documents
C E H
M o d u l e 0 3 : S c a n n in g N e t w o r k s E xa m 3 1 2 -5 0
E th ic a l H a c k in g a n d C o u n te r m e a s u r e s v 8
M o d u le 0 3 Page 263
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
SecurityN ew s
H one Services Company Networks Contact
r
r
The w ell known b o tn e t Sality, w hich locates vulne rab le voice-over-IP (VoIP) servers can be con trolled to fin d th e e n tire IPv4 address space w ith o u t alerting, claim ed a new study, published by Paritynews.com on O ctober 10, 2012. Sality is a piece o f m alw are whose prim ary aim is to infe ct w eb servers, disperse spam, and steal data. But the latest research disclosed o th e r purposes o f the same including recognizing susceptible VoIP targets, which could be used in to ll fraud attacks.
r 1 1
N fu js
Through a m ethod called "reverse-byte ord e r scanning," sality has adm inistered tow ards scanning possibly the w hole IPv4 space devoid o f being recognized. That's on ly the reason th e technique uses very less num ber o f packets th a t com e fro m various sources.
The selection o f the target IP addresses is generated in re verse-byte-order increm ents. Also, th e re are large am ounts o f bots con tributin g in the scan. http://www.spamfighter.com
l- l
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
S e c u r ity N e w s
S a lie n tly S p a c e S a lity B o tn e t T r a p p e d S c a n n in g IP v 4 A d d r e s s
Source: h ttp ://w w w .s p a m fig h te r.c o m A sem i-fam ous b otn et, Sality, used fo r locating vulnerable vo ice o v e rIP (VoIP) servers has been co ntro lle d to w a rd d e te rm in in g the e ntire IPv4 address space w ith o u t setting o ff alerts, claims a new study, published by Paritynews.com , on O ctober 10, 2012. Sality is a piece o f m alw are w ith the prim a ry aim o f infecting w eb servers, dispersing spam, and stealing data. But the latest research has disclosed o th e r purposes, including recognizing susceptible VoIP targets th a t could be used in to ll fraud attacks. Through a m ethod called "reve rse -b yte o rd e r scanning," Sality can be adm inistered to w a rd scanning possibly the w hole IPv4 space, devoid o f being recognized. That's the only reason the tech n iq ue uses a very small num ber o f packets th a t come fro m various sources. The selection o f the ta rg e t IP addresses develops in re ve rse -b yte -o rd e r in cre m e nts. Also, there are many bots co n trib u tin g in the scan. The conclusion is th a t a solitary n e tw o rk w o u ld obtain scanning packets "d ilu te d " over a huge period o f tim e (12 days in this case, fro m various
M o d u le 0 3 Page 264
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
sources, U n ive rsity o f C a lifornia, San Diego (UCSD), claim ed one o f the researchers, A listair King, as published by Softpedia.com on O ctober 9, 2012). According to A lb e rto D a in o tti, it's n ot th a t this stealth-scanning m ethod is exceptional, b ut it's the firs t tim e th a t such a happening has been both noticed and docum ented, as re p orte d by Darkreading.com on O ctober 4, 2012. M any o th e r experts hold fa ith th a t this m anner has been accepted by o th e r botnets. Nevertheless, the team at UCSD is n ot aware o f any data verifying any event like this one. According to David P iscitello, Senior Security Technologist at ICANN, this indeed seems to be the firs t tim e th a t researchers have recognized a b o tn e t th a t utilizes this scanning m ethod by em ploying reverse-byte sequential increm ents o f ta rg e t IP addresses. The b o tn e t use classy "o rc h e s tra tio n " m ethods to evade d e te ctio n . It can be sim ply stated th a t the b o tn e t o p e ra to r categorized the scans at around 3 m illio n bots fo r scanning the fu ll IPv4 address space throu g h a scanning p atte rn th a t disperses coverage and p artly covers, b ut is unable to be noticed by present a u to m a tio n , as published by darkreading.com on O ctober 4, 2012.
M o d u le 0 3 Page 265
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
M odule O bjectives
J J J J J J J J Overview o f N etw ork Scanning CEH Scanning M ethodology Checking fo r Live Systems Scanning Techniques IDS Evasion Techniques Banner Grabbing Vulnerability Scanning Drawing N etw ork Diagrams ^ J J J J J J J J Use o f Proxies fo r Attack Proxy Chaining HTTP Tunneling Techniques SSH Tunneling Anonymizers
C E H
M o d u le
O b je c tiv e s
Once an a ttacker id e ntifies h is/h e r ta rg e t system and does the in itia l reconnaissance, as discussed in the fo o tp rin tin g and reconnaissance m odule, the a ttacker concentrates on g ettin g a m ode o f e n try into the ta rg e t system . It should be noted th a t scanning is n ot lim ited to in tru sion alone. It can be an extended fo rm o f reconnaissance w here the a tta cke r learns m ore about h is/h e r target, such as w h a t operating system is used, the services th a t are being run on th e systems, and c o n fig u ra tio n lapses if any can be id e n tifie d . The a tta cke r can then strategize h is/h e r attack, facto rin g in these aspects. This m odule w ill fam iliarize you w ith : 0 0 0 0 0 0 0 0 O verview o f N e tw o rk Scanning CEH Scanning M e tho d olog y Checking fo r Live Systems Scanning Techniques IDS Evasion Techniques Banner Grabbing V u ln e ra b ility Scanning Drawing N e tw o rk Diagrams 0 0 0 0 0 0 0 0 Use o f Proxies fo r A ttack Proxy Chaining HTTP Tunneling Techniques SSH Tunneling Anonym izers IP Spoofing D etection Techniques Scanning Counterm easures Scanning Pen Testing
M o d u le 0 3 Page 2 66
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
O v erv iewo fN e tw o r kS c a n n in gC E H
(rtift* ttkujl lUckM
N e tw o rk scanning refers to a set o f procedures fo r id e n tify in g hosts, p o rts, and services in a n e tw o rk N e tw o rk scanning is one o f th e c o m p o n e n ts o f in te llig e n c e g a th e rin g an a tta cker uses to create a p ro file o f th e ta rg e t organization
G e ts n e tw o r k
&
A ttacker
in fo r m a tio n
O b je c tiv e s o f N e t w o r k S c a n n in g
To discover operating
O v e r v ie w
o f N e t w o r k S c a n n in g
As we already discussed, fo o tp rin tin g is the firs t phase o f hacking in w hich the a ttacker gains in fo rm a tio n about a p ote n tia l target. F ootp rin tin g alone is n ot enough fo r hacking because here you w ill gather only the prim a ry in fo rm a tio n about the targe t. You can use this prim a ry in fo rm a tio n in th e next phase to gather many m ore details abo u t the target. The process o f g a th e rin g a d d itio n a l d etails about the ta rg e t using highly com plex and aggressive reconnaissance techniques is called scanning. The idea is to discover e x p lo ita b le c o m m u n ica tio n channels, to probe as many listeners as possible, and to keep track o f th e ones th a t are responsive o r useful fo r hacking. In the scanning phase, you can fin d various ways o f in tru d in g in to th e ta rg e t system. You can also discover m ore about the ta rg e t system , such as w h a t o p e ra tin g system is used, w h a t services are ru n nin g , and w h e th e r or n ot th e re are any co n fig u ra tio n lapses in the ta rg e t system. Based on the facts th a t you gather, you can fo rm a strategy to launch an attack. Types o f Scanning 9 e 6 P ort scanning - Open ports and services N e tw o rk scanning - IP addresses V u ln e ra b ility scanning - Presence o f know n weaknesses
M o d u le 0 3 Page 267
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
In a tra d itio n a l sense, the access p oints th a t a th ie f looks fo r are the doors and w indow s. These are usually the house's points o f vu ln e ra b ility because o f th e ir re la tively easy accessibility. W hen it comes to co m p u te r systems and netw orks, p o rts are the doors and w indow s o f the system th a t an in tru d e r uses to gain access. The m ore the ports are open, the m ore points o f vu ln e ra b ility, and the fe w e r the ports open, th e m ore secure the system is. This is sim ply a general rule. In some cases, the level o f vu ln e ra b ility may be high even though fe w ports are open. N e tw o rk scanning is one o f the m ost im p o rta n t phases o f intelligence gathering. During the n e tw o rk scanning process, you can gather in fo rm a tio n abo u t specific IP addresses th a t can be accessed over the Inte rn e t, th e ir targets' operating systems, system a rch itectu re , and the services running on each co m puter. In a dd ition, the a ttacker also gathers details about the netw orks and th e ir individual host systems.
Sends TCP /IP probes
Gets netw o rk
&
inform a tion
Attacker
FIGURE 3.1: N e tw o rk Scanning Diagram
Network
b je c tiv e s
o f N
e tw
o r k
S c a n n in g
If you have a large a m o un t o f in fo rm a tio n abo u t a ta rg e t o rg an iza tion , th e re are greater chances fo r you to learn the w eakness and lo o ph o les o f th a t p articula r organization, and consequently, fo r gaining unauthorized access to th e ir netw ork. Before launching the attack, the a ttacker observes and analyzes the ta rg e t n e tw o rk fro m d iffe re n t perspectives by p erfo rm ing d iffe re n t types o f reconnaissance. How to p erform scanning and w h a t type o f in fo rm a tio n to be achieved during the scanning process e n tire ly depends on the hacker's v ie w p o in t. There may be many objectives fo r p erfo rm ing scanning, b ut here we w ill discuss the m ost com m on objectives th a t are encountered during the hacking phase: D iscovering live hosts, IP address, and open p orts o f live hosts ru n n in g on th e n e tw o rk . D iscovering open p o rts: Open ports are the best means to break in to a system or n etw o rk. You can fin d easy ways to break into the ta rg e t organization's n e tw o rk by discovering open ports on its netw ork. D iscovering o p e ra tin g system s and system a rch ite ctu re o f th e ta rg e te d system : This is also referred to as fin g e rp rin tin g . Here the a ttacker w ill try to launch th e attack based on the operating system 's vulnerabilities.
M o d u le 0 3 Page 268
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats. Detecting the associated network service of each port
M o d u le 0 3 Page 269
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
G i
HHH
Check for Live Systems ,. Check for Open Ports Scanning Beyond IDS Banner Grabbing wJ
h i
Scan for Vulnerability
n L 1^
r Prepare Proxies
C E H
S c a n n in g M e t h o d o lo g y
ft
r
Q O
Prepare Proxies
Banner Grabbing
This section highlights how to check fo r live systems w ith the help o f ICMP scanning, how to ping a system and various ping sweep tools.
M o d u le 0 3 Page 2 70
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C E H
J Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply J This scan is useful for locating active devices or determining if ICMP is passing through a firewall
Source (192.168.168.3)
Zenmap
Sc!n Target. l o o Is P 'c fK Profile Ping cn
Scans
nmap jn 192.168.163.5
S t a r t i n g fJTap 6 .0 1 ( h t t p : / / n r o p . o r g ) a t 2 0 1 2 - 0 8 08 1 3 :0 2 EOT
Piter Hosts
http://nmap.org
Copyright by H H rW B C il. All Rights Reserved. Reproduction is S trictly Prohibited.
C h e c k in g ICMP Scanning
f o r L iv e
S y s te m s IC M P
S c a n n in g
All required in fo rm a tio n about a system can be gathered by sending ICMP packets to it. Since ICMP does n ot have a p o rt abstraction, this cannot be considered a case o f p o rt scanning. However, it is useful to d ete rm ine w hich hosts in a n e tw o rk are up by pinging the m all (the -P o ptio n does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the n um ber o f pings in parallel w ith the -L o ptio n . It can also be helpful to tw e ak the ping tim e o u t value w ith the -T option. ICMP Q uery The UNIX to o l IC M P query o r ICMPush can be used to request the tim e on the system (to find o u t w hich tim e zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netm ask on a p articula r system can also be d ete rm ine d w ith ICMP type 17 messages (ADDRESS MARK REQUEST). A fte r fin d in g th e netm ask o f a n e tw o rk card, one can d ete rm ine all the subnets in use. A fte r gaining in fo rm a tio n about th e subnets, one can ta rg e t only one p articula r subnet and avoid h ittin g the broadcast addresses. ICMPquery has both a tim e sta m p and address mask request o ptio n : icmp query <-query-> [-B] [-f fro m h o s t] [d delay] [-T tim e ] targe t
M o d u le 0 3 Page 271
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
W here <query> is one of: -t: icm p tim e sta m p request (default) -m : icm p address mask request -d: delay to sleep betw een packets is in microseconds. -T - specifies the n um ber o f seconds to w a it fo r a host to respond. The d e fa u lt is 5. A ta rg e t is a list o f hostnam es or addresses.
*iJN:::::::::::::ft:::::::::::::
ICMP Echo Request
/*
Source (192.168.168.3)
Destination (192.168.168.5)
Ping Scan O u tp u t Using Nm ap Source: h ttp ://n m a p .o rg Nm ap is a to o l th a t can be used fo r ping scans, also know n as host discovery. Using this to o l you can d ete rm ine the live hosts on a n etw o rk. It perform s ping scans by sending the ICMP ECHO requests to all the hosts on the n etw o rk. If the host is live, then the host sends an ICMP ECHO reply. This scan is useful fo r locating active devices or d e te rm in in g if ICMP is passing throu g h a fire w a ll. The fo llo w in g screenshot shows the sample o u tp u t o f a ping scan using Zenm ap, the official cross-platform GUI fo r the Nmap Security Scanner:
Zenmap
Scan Jo o ls Profile Help
Target
v I Profile:
Ping scan
:Scan!
Cancel
Nmap Output Ports/H osts Topology Host Details Scans nmap -sn 192.168.168.5
V
Details
192.168.168.1 192.168.168.3 192.168.168.5 S t a r t i n g Nmap 6 .0 1 ( h t t p : / / n 1 r a p .o r g ) a t 2 0 1 2 -08-08 a? Nmap sc a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .5 H ost i s up ( 0 .0 6 s l a t e n c y ) . M A C A d d re ss: ( D e ll) Nmap done: 1 IP a d d re s s (1 h o s t up) sc a n n ed in 0 .1 0 sec o n d s
M o d u le 0 3 Page 272
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
PingSw eep
J Ping sweep is used to determ ine the live hosts from a range of IP addresses by sending ICMP ECHO requests to m ultiple hosts. If a host is live, it w ill return an ICMP ECHO reply Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet Attackers then use ping sweep to create an inventory o f live systems in the subnet T h e p in g s w e e p o u t p u t u s in g N m a p
Zenmap I n i , ICM P Echo Request
C E H
a a a
_l
Sen
T*fqcc
lo o ts
92.l6a.16S.l-S0
C o m m an d H o jb
1 9 2 .1 6 8 .1 6 8 .5 uM ^ !.1 8 .1 6 1 9 2 .1 6 8 .6 M l 1 9 2 .1 6 8 .1 6 8 .7
OS 4 Ho* * W i t t 16S. 1
3
*
V y
*
S t a r t l r a N 6 .0 1 h t t p : / / r o u p , o r g ) a t 2012 01 01 1 2 :4 1 to r * tu p ! c a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .1 H o s t i s u s ( 0. 00) l a t e n c y ) . * W I A g f llC n . ( H e le t! - P a c k a r d C o m p an y ) * * p * c a n r e p o r t f o r 1 9 2 . 1 6 * . 1 6 . 5 fto v t I t u p ( t . M i l a t e n c y ) . *AC W r t t t ; (A p p le ) w p s c a n r e p o r t *or 1 9 2 . 1 6 8 . 1 6 8 . to s t i s u p ( 0 . 0 0 1 0 s l a t e n c y ) . HA( A d d re ss: (D e ll) f * 1a p s c a n r e p o r t f o r 1 9 2 . 1 6 8 . 1 6 8 . 1 3 M o t i* u p < 8 latency). A C A d d re w : (F o x c o n n l s n a p s c a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .1 4
Source
1 9 2 .1 6 8 .1 6 8 .3
IC M P Echo Reply ICM P Echo Request
.0 0 1
1 9 2 .1 6 8 .1 6 8 .8
http://nmap. org
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
P in g
S w eep
A ping sweep (also know n as an ICMP sweep) is a basic n e tw o rk scanning technique to d ete rm ine w hich range o f IP addresses map to live hosts (com puters). W hile a single ping tells th e user w h e th e r one specified host co m p u te r exists on the n etw o rk, a ping sweep consists o f ICMP ECHO requests sent to m u ltip le hosts.
M o d u le 0 3 Page 273
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
a
Source
1 9 2 .1 6 8 .1 6 8 .3
<
>
W
1 9 2 .1 6 8 .1 6 8 .7
<
TCP/IP Packet To understand ping, you should be able to understand the TCP/IP packet. W hen a system pings, a single packet is sent across th e n e tw o rk to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes o f p rotocol header in fo rm a tio n . The sender then w aits fo r a re tu rn packet fro m the ta rg e t system. A good re tu rn packet is expected only w hen the connections are good and when the targe te d system is active. Ping also determ ines the num ber o f hops th a t lie betw een the tw o co m puters and the ro u n d -trip tim e , i.e., the to ta l tim e taken by a packet fo r co m p letin g a trip . Ping can also be used fo r resolving host names. In this case, if the packet bounces back w hen sent to th e IP address, b ut not w hen sent to the name, then it is an indication th a t the system is unable to resolve the name to the specific IP address. Source: h ttp ://n m a p .o rg Using Nm ap S ecurity Scanner you can p erfo rm ping sweep. Ping sweep determ ines the IP addresses o f live hosts. This provides in fo rm a tio n abo u t the live host IP addresses as w ell as th e ir MAC address. It allows you to scan m u ltip le hosts at a tim e and d ete rm ine active hosts on the n etw o rk. The fo llo w in g screenshot shows the result o f a ping sweep using Zenmap, the official cross-platform GUI fo r the Nmap Security Scanner:
M o d u le 0 3 Page 274
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Zenmap
Sc!n Joolt Target Erofik {jdp "v] Proffe
11
192.1 6 8 .1 6 8 . 1-50
Scan
Cancel
Command |nmap -sn -PE PA21 ,23 ,80 . 3389192 .168 .1 6 8 .1 -5 ( Hosts OS Host * * Sernces A Nmap Output Ports /Hosts Topology Host Details Scans nmap -sn PE-PA2 1 .23 .80.3389 1 9 2 .1 6 8 .1 6 8 .1-50 S tarting Mrap %
D etails
2012- 08-08
12:41
Map scan report fo r 192. 168. 168.1 Host is up ( 0. 00s latency). *AC Address; I (Hewlett-Packard Copany) f*rap scan report fo r 192. 168. 168.3 Host is up ( 0. 00s latency). *AC A d d rm i * (Apple) Nnap scan report for 192. 168. 168.5 Host is up ( 0 . 0010s latency). M A C Address; - (D e ll) Nnap scan report fo r 192. 168. 168.13 Host is up ( 0 . 00s latency). M A C Address: (Foxconn) N*ap scan report fo r 192. 168. 168.14 Host is up ( 0 . 0020s latency). v
* fti * *
M o d u le 0 3 Page 275
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C E H
SolarWinds Engineer Toolset's Ping Sweep enables scanning a range o f IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.
Uctmiifc v
Q r-at 0.1 1 .1 1 1 0
9 1m Cm lm h/l 4n h/! 1m Kl KH K!
H c a r w r c / 1 1 H n O c w it
SUrt
In MM MttlCMM1 In/! <V IS IXQN5W OR9M HV! ln/1) In! In/! In/! In/) In! IV| In/! In!
h /1 l O ? m m
|V*I Kv.| K1 h/l !*/I Kl
I n /1 l
In/! In! A JI
Th0**
P in g
S w e e p T o o ls
D eterm ining live hosts on a ta rg e t n e tw o rk is the firs t step in the process o f hacking o r breaking in to a n etw o rk. This can be done using ping sweep tools. There are a num ber o f ping sweep tools readily available in the m arket using w hich you can p erfo rm ping sweeps easily. These tools a llow you to d ete rm ine the live hosts by sending ICMP ECHO requests to m u ltip le hosts at a tim e . A ngry IP Scanner and S olarw inds Engineer's Toolset are a fe w co m m only used ping sweep tools.
A n g r y
/j
IP
S c a n n e r
Angry IP Scanner is an IP scanner to o l. This to o l id e ntifie s all non-responsive addresses as dead nodes, and resolves hostnam e details, and checks fo r open ports. The main fe a tu re o f this to o l is m u ltip le ports scanning, configuring scanning colum ns. Its main goal is to fin d th e active hosts in the n e tw o rk by scanning all the IP addresses as w ell as ports. It runs on Linux, W indow s, Mac OS X, etc. It can scan IP addresses ranging fro m 1.1.1.1 to 255.255.255.255.
M o d u le 0 3 Page 276
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
IP Range | 10.0.0.1 Hostname | W IN-LXQN3WR3R9I IP >10.0.0.1 010.0.0.2 @10.0.0.3 #10.0.0.4 >10.0.0.5 10.0.0.6 )10.0.0.7 C m 0.0.0.8 > 10.0.0.9 #10.0.0.10 #10.0.0.11 # 10.0.0.12 #10.0.0.13 # I0.0.0.M #10.0.0.15 #10.0.0.16 # 10.0.0.17 #10.0.0.18 #10.0.0.19 Ready Ping 1 ms Oms Oms [n/a] 4 ms [n/a] 1 ms [n/a] [n/a] [n/a]
| to | 10.0.0.50
# IP I | Netmask r J
Hostname [n'a] W 1N-M SSLCK4IC41 WindowsS |n/a] W1N-LXQN3W R3R9M [n/a] [n/a] [n/a] [n/a] [n/a]
In /,] ln /
l"/a]
[n/a] [n/a]
]/[
[n/a] [n/a] [n/a] |n/a] [n/a] [n/a] Threads; 0
In'*]
In/a] Display: All
S o la r w in d s
E n g in e e r s
T o o ls e t
Source: h ttp ://w w w .s o la rw in d s .c o m The Solarwinds Engineer's Toolset is a collection o f n e tw o rk e ngineer's to o ls. By using this to o ls e t you can scan a range o f IP addresses and can id e n tify the IP addresses th a t are in use c u rre n tly and the IP addresses th a t are free. It also perform s reverse DNS lo o kup .
Ping Sweep
EHe E d it H e lp ^ I | S ra n F |A l I P t DNS Lookup A S t a r t i n g I P A d d r e s s 11 9 2 .1 6 8 .1 8 1 0 F n r im g IP A H r im t t fp A d d r e s s 192 I M IM 10 1 9 2 1 6 6 1 6 6 11 192 166 166 12 1 9 2 1 6 6 1 6 6 13 192 1 6 6 1 6 6 14 192 1 6 6 1 6 6 1 5 192 16 6 1 6 8 1 6 192 1 6 6 .1 6 6 1 7 192 166 1 6 6 .1 6 192 166 166 19 192 166 166 2 0 1 9 2 1 6 6 166 .2 1 1 9 2 1 6 6 1 6 6 .2 2 192 16 6 166 2 3 192 166 166 24 192 166 166 2 5 192 166 166 26 1 9 2 166 1 6 6 .2 7 192 1 6 6 1 6 6 .2 6 192 166 166 2 9 1 9 2 1 6 6 166 30 1 9 2 1 6 6 1 6 6 31 192 166 166 32 <1 S c a n C o m p l ie d S can N _ * V * " I J I _{ # R eauest T m e d O ut R eoues! T m ed O at R equest T m ed O ul R equest T m e d O ut R equest T m e d O ut R equest T m e d O ut R e q u e s t T im e d O u t R equest T m e d O ut R equest T m e d O ut 2 ms R equest T m e d O ut 2 ms R equest T m e d O yt 3 me 3 ms 2 ms III DNS
h
u o o
S ran
(1 9 2 1 8 8 1 6 8 95(
R ecues! T m ed O ul , t
> r 90
M o d u le 0 3 Page 277
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C E H
PacketTrap MSP
http ://w w w .pa ckettra p .co m
Ping S w eep
h ttp://w w w .w hatsupgold.com
N e tw o rk Ping
h ttp://w w w .greenline-soft.com
Ping M o n ito r
h ttp ://w w w .n ilia n d . com
P in g ln fo V ie w
S
h ttp ://w w w .n irs o ft.n e t
P in kie
h ttp ://w w w .ip u p tim e .n e t
jf S S S
u
P in g
S w e e p T o o ls ( C o n t d )
r -
In a dd itio n to Solarwinds Engineer's Toolset and Angry IP Scanner, th e re are many o th e r tools th a t fea tu re ping sweep capabilities. For exam ple: 9 9 9 9 9 9 9 9 9 9 Colasoft Ping Tool available at h ttp ://w w w .c o la s o ft.c o m Visual Ping Tester - Standarad available at h ttp ://w w w .p in g te s te r.n e t Ping Scanner Pro available at h ttp ://w w w .d ig ile xte ch n o lo g ie s.co m Ultra Ping Pro available at h ttp ://u ltra p in g .w e b s .c o m P inglnfoView available at h ttp ://w w w .n irs o ft.n e t PacketTrap MSP available at http://www.packettrap.com Ping Sweep available at h ttp ://w w w .w h a ts u p g o ld .c o m N e tw o rk Ping available at h ttp ://w w w .g re e n lin e -s o ft.c o m Ping M o n ito r available at h ttp ://w w w .n ilia n d .c o m Pinkie available at h ttp ://w w w .ip u p tim e .n e t
M o d u le 0 3 Page 278
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
*- 1
So fa r we discussed how to check fo r live systems. Open ports are the doorw ays fo r an
attacker to launch attacks on systems. Now we w ill discuss scanning fo r open ports.
life
r
O Q ^
Prepare Proxies
Banner Grabbing
This section covers the th re e -w a y handshake, scanning IPv6 netw orks, and various scanning techniques such as FIN scan, SYN scan, and so on.
M o d u le 0 3 Page 279
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
(rtifwd
C E H
itkitjl
TCP uses a th re e-w ay handshake to establish a connection between server and client
T h re e -W a y H a n d s h a k e TCP is co n n e c tio n -o rie n te d , w hich im plies connection establishm ent is principal p rio r to data tra n sfe r betw een applications. This connection is possible throu g h the process o f the th re e -w a y handshake. The th re e -w a y handshake is im p le m e n te d fo r establishing the co nn e ction b etw e e n p ro to co ls.
M o d u le 0 3 Page 2 80
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
The TCP p ro to co l m aintains state ful connections fo r all co nn e ctio n -o rie n te d protocols across the Inte rn e t, and w orks the same as an o rd ina ry te lep h on e co m m unication, in w hich one picks up a telep h on e receiver, hears a dial tone, and dials a num ber th a t triggers ringing at the o th e r end u ntil a person picks up the receiver and says, "H e llo ."
Bill
Three-way Handshake
Sheela
1 0 .0 .0 .3 :2 1
1 0 . 0 . 0 . 2 : 6 2 0 0 0 ^ ..................
...............
........
..*
IrVC
C lient
S erver
As we previously discussed, a TCP connection is established based on the three -w ay hand shake m ethod. It is clear fro m the name o f the connection m ethod th a t the establishm ent o f the connection is accom plished in th re e m ain steps. Source: h ttp ://s u p p o rt.m ic ro s o ft.c o m /k b /1 7 2 9 8 3 The fo llo w in g th re e fram es w ill explain the e stablishm ent o f a TCP connection betw een nodes NTW3 and BDC3:
Frame 1:
In the firs t step, the client, NTW3, sends a SYN segm ent (TCP ....S.). This is a request to the server to synchronize the sequence num bers. It specifies its Initial Sequence N um ber (ISN), w hich is increm ented by 1 and th a t is sent to the server. To initialize a connection, the client and server m ust synchronize each o th e r's sequence num bers. There is also an o p tio n fo r the
M o d u le 0 3 Page 281
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
M axim um Segment Size (MSS) to be set, w hich is defined by the length (len: 4), this o ptio n com m unicates th e m axim um segm ent size the sender w ants to receive. The A cknow ledgem ent fie ld (ack: 0) is set to zero because this is th e firs t part o f the th re e -w a y handshake. 1 2 .0 7 8 5 NTW3 - - > BDC3 TCP ___ S ., le n : 4, se q : 8221822-8221825, a c k : 0,
win: 8192, src: 1037 dst: 139 (NBT Session) NTW 3- > BDC3 IP TCP: d s t: ....S ., 139 le n : 4, se q: 8221822-8221825, a c k : 0, w in : 8192, s rc : 1037
(NBT S e s s io n )
TCP: S ource P o r t = 0x040D TCP: D e s t in a t io n P o r t = NETBIOS S e s s io n S TCP: Sequence Number = 8221822 (0x7D747E)
TCP: A cknow ledgem ent Number = 0 (0x0) TCP: Data O f f s e t = 24 (0x18) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x02 : . . . . S.
. . 0 ........
= No u r g e n t d a ta n o t s ig n if ic a n t
(0x2000)
TCP: O p tio n K in d
(Maximum Segment S iz e )
= 2 (0x2)
02 60 8C 9E 18 8B 02 60 8C 3B 85 C l 08 00 45 00 00 2C 0D 01 40 00 80 06 E l 4B 83 6B 02 D6 83 6B 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 20 00 F2 13 00 00 02 04 05 B4 20 20
M o d u le 0 3 Page 282
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Frame 2: In the second step, the server, BDC3, sends an ACK and a SYN on this segm ent (TCP .A..S.). In this segm ent the server is acknow ledging the request o f the clie n t fo r synchronization. A t the same tim e , the server is also sending its request to the clie n t fo r synchronization o f its sequence num bers. There is one m ajor d ifference in this segm ent. The server transm its an acknow ledgem ent n um ber (8221823) to the client. The acknow ledgem ent is ju st p ro o f to the clie n t th a t the ACK is specific to the SYN the client in itia te d . The process o f acknow ledging the client's request allows th e server to in cre m e nt the client's sequence num ber by one and uses it as its acknow ledgem ent num ber. 2 2 .0 7 8 6 BDC3 > NTW3 8760, le n : s rc : TCP . A . . S . , 139 le n : 4, se q : d s t: 1109645-1109648, a c k : IP 8760,
(NBT S e s s io n )
4, se q: d s t:
1109645-1109648, a c k : 1037
139 (NBT S e s s io n )
TCP: S ource P o r t =
NETBIOS S e s s io n S e rv ic e
TCP: A cknow ledgem ent Number = 8221823 TCP: D ata O f f s e t = 24 (0x18) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x12 TCP: TCP: TCP: TCP: TCP: TCP: . . 0 .......... = ...1 .... = : .A .. S . No u r g e n t d a ta
s ig n if ic a n t
TCP: Checksum = 0x012D TCP: U rg e n t P o in t e r = 0 (0x0) TCP: O p tio n s TCP: O p tio n K in d (Maximum Segment S iz e ) = 2 (0x2)
TCP: O p tio n L e n g th = 4 (0x4) TCP: O p tio n V a lu e = 1460 TCP: Frame P adding (0x5B4)
02 00 02
.............E.
M o d u le 0 3 Page 283
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
00030: Frame 3:
22 38 01 2D 00 00 02 04 05 B4 20 20
8. -
In the th ird step, th e client sends an ACK on this segm ent (TCP .A....). In this segm ent, the client is acknow ledging the request fro m the server fo r synchronization. The client uses the same a lg orith m the server im p lem ented in providing an acknow ledgem ent num ber. The client's acknow ledgm ent o f the 3 server's request fo r synchronization TCP .A 1037 d s t: , le n : 139 0, se q: com pletes the process o f establishing a reliable connection, thus the th re e -w a y handshake. 2 .7 8 7 NTW3 - - > BDC3 8760, s rc : 8221823-8221823, a c k : NTW3 - - > BDC3
IP
1109646, w in :
(NBT S e s s io n )
TCP: s rc :
.A ...., 1037
le n : 139
0, se q:
8221823-8221823, a c k :
1109646, w in :
8760,
d s t:
(NBT S e s s io n )
TCP: S ource P o r t = 0x040D TCP: D e s t in a t io n P o rt = NETBIOS S e s s io n S e rv ic e TCP: Sequence Number = 8221823 (0x7D747F) (0xl0EE8E)
TCP: A cknow ledgem ent Number = 1109646 TCP: D ata O f f s e t = 20 (0x14) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x10 : . A . . . .
. . 0 .........
= No u r g e n t d a ta
............0. = No .............. 0 = No
(0x2238)
02 60 8C 9E 18 8B 02 60 8C 3B 85 C l 08 00 45 00 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 22 38 18 EA 00 00 20 20 20 20 20 20
(. . 0 ___ O .k .
.k
................... } t ----------P .
8 ___
M o d u le 0 3 Page 284
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
T C PC om m u n icationF lags
Data contained in the packet should be processed immediately There w ill be no more transmissions Resets a connection URG (Urgent) F IN (Finish)
jm mm
PSH (Push) ACK > (Acknowledgement)A SYN (Synchronize)
Standard TCP com m unications are con trolled by flags in th e TCP packet header
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited
T C P
C o m m u n ic a tio n
F la g s
Standard TCP com m unications m o n ito r the TCP packet header th a t holds the flags. These flags govern the connection betw een hosts, and give instructions to the system. The fo llo w in g are the TCP co m m unication flags: 9 9 Synchronize alias "SYN": SYN notifies transm ission o f a new sequence num ber A cknow ledgem ent alias "ACK": next expected sequence num ber 9 9 Push alias "PSH": System accepting requests and fo rw a rd in g buffered data U rgent alias "URG": Instructs data contained in packets to be processed as soon as possible Q Q Finish alias "FIN ": Announces no m ore transm issions w ill be sent to re m o te system Reset alias "RST": Resets a connection ACK confirm s receipt o f transm ission, and id e ntifies
SYN scanning m ainly deals w ith three o f the flags, nam ely, SYN, ACK, and RST. You can use these th re e flags fo r gathering illegal in fo rm a tio n fro m servers during the e nu m eration process.
M o d u le 0 3 Page 285
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Acknowledgem ent No
O ffse t
Res
TCP Flags
W indow
TCP Checksum
Urgent Pointer
M o d u le 0 3 Page 286
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C E H
-
3ckte
Move Up |
| Packet No. | - * Packet Info: Padrec ttacer; ^ Backer Le=ath: Captnred Length: Delta Tine E d Ethernet Type I I j y iJ f s t ia t i Mdress: JUfSouic? U d m 9 : Protocol: E-.J I? - Internet Protocol ! Version 0 i 0 Me* 1: length g>-0 Differentiated Services Field j j 0 Srvlcf Cod*pcint j > Trr.*por1 ?101 .col w ill 1903c* tii* C C b it : 9 Coaaastios 000004
64
!***
-J
A tta c k e rs can also use it to c re a te fra g m e n te d packets to bypass fire w a lls a n d IDS system s in a n e tw o rk
60 0.100000 Second [0/14] 00: 00: 00: 00: 00:00 [ 0/ 6] 00: 00: 00:00 : 00:00 [ 6/ 6] 0x0800 (Inter: [14/20] 4 xFO [U / 1 ] O S <20 Bytes) [ 1 < 0000 oaoo xPF [15/1! O 0000 00.. [18/1] OxfC .......... 0. (Ignoi [15/1] ............ 0 (Xu Coixjumlon)
< 1
1
Total
<
6fl bytet
i>HuEdfco!
C re a te
C u s to m
P a c k e ts u s in g
T C P
F la g s
Source: h ttp ://w w w .c o la s o ft.c o m Colasoft Packet Builder is a to o l th a t allows you to create custom n e tw o rk packets and also allows you to check the n e tw o rk against various attacks. It allows you to select a TCP packet fro m the provided tem plates, and change the p aram ete rs in the decoder e d ito r, hexadecimal e d ito r, o r ASCII e d ito r to create a packet. In a dd itio n to building packets, Colasoft Packet B uilde r also supports saving packets to packet files and sending packets to the netw ork.
M o d u le 0 3 Page 2 87
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Im p o rt
E x p o rtw
Add
Insert
C o py
Pas-
Delete
| x
4*
Send
*fc *
Send A ll
M o ve
D ecode E ditor
P a cke tN o . 4
No. 2 3
L e n g th : L e n g th :
'w E I & B r S B
Delta T im e 0.100000 0.100000 0.100000 0.100000 Source 00:00:00:00:1 0.0.0.0 0.0.0.0:0 0.0.0.0:0
Packet Info: a P a c k e t N u m b e r:
<3 *P a c k e t !^ H H C a p tu re d D e lta
T im e
6 0 0.100000 S e cond
[0 /1 4 ]
IP - Internet Protocol
j & : E3@ | V e r s io n Header L e n g th S e r v ic e s F ie ld C o d e p o in t ig n o r e th e CE b i t D iffe r e n t ia t e d
[0/6] [6/6]
(In te rn OxFO [1 4
B y te a ) O xF F O xFC
_~ D if f e r e n t ia t e d O T ra n s p o rt C o n g e s tio n
S e r v ic e s
[1 5 /1 ] [1 5 /1 ] (Ig n o re )
P ro to c o l w i l l
[1 5 /1 ]
~~
..........0
(N o C o n g e s t i o n )
<L
jc% Hex E ditor T o ta l | 60 bytes
A
0 0 0 0 0 0 1 0 0 0 2 0 0 0 3 0 <
V/
: ...
M o d u le 0 3 Page 288
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
im ttiM
C E H
tUx*l lUckM
Traditional ne tw ork scanning techniques w ill be c o m p u ta tio n a lly less feasible due to larger search space (64 bits o f host address space o r 2s4 addresses) provided by IPv6 in a subnet
Scanning in IPv6 ne tw ork is more d iffic u lt and com plex than the IPv4 and also m ajor scanning tools such as Nmap do no t support ping sweeps on IPv6 n e tw orks
Attackers need to harvest IPv6 addresses fro m n e tw o rk tra ffic , recorded logs o r Received fro m : and o th e r header lines in archived em ail o r Usenet news messages
Scanning IPv6 netw ork, however, offers a large num ber o f hosts in a subnet if an attacker can com prom ise one host in the subnet; attacker can probe the "all hosts" lin k local m ulticast address
S c a n n in g IP v 6 N e t w o r k IPv6 increases the size o f IP address space fro m 32 bits to 128 bits to su pp o rt m ore levels o f addressing hierarchy. T raditional n e tw o rk scanning techniques w ill be co m p u ta tio n a lly less feasible due to larger search space (64 bits o f host address space o r 264 addresses) provided by IPv6 in a subnet. Scanning an IPv6 n e tw o rk is m ore d iffic u lt and com plex than IPv4 and also m a jo r scanning tools such as Nmap do n o t su p p o rt ping sweeps on IPv6 n etw o rks. A ttackers need to harvest IPv6 addresses fro m n e tw o rk tra ffic, recorded logs, o r Received fro m : and o th e r header lines in archived em ail o r Usenet news messages to id e n tify IPv6 addresses fo r subsequent p o rt scanning. Scanning IPv6 n etw o rk, how ever, offers a large n u m b e r o f hosts in a subnet; if an a ttacker can com prom ise one host in the subnet he can probe the "all hosts" link local m ulticast address.
M o d u le 0 3 Page 289
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
ScanningT ool:N m ap
J J m o n ito rin g host or service u p tim e
C E H
N etw ork adm inistrators can use Nmap fo r n e tw o rk inven tory, managing service upgrade schedules, and Attacker uses Nmap to extract info rm atio n such as live hosts on th e n e tw o rk , services (application name and version), type o f packet filte rs /fire w a lls , op eratin g systems and OS versions
h ttp ://n m a p .o rg
S c a n n in g T o o l: N m a p Source: h ttp ://n m a p .o rg Nmap is a se curity scanner fo r n e tw o rk e xplora tio n and hacking. It allows you to discover hosts and services on a co m p u te r n etw o rk, thus creating a "m ap " o f the n etw o rk. It sends specially cra fted packets to th e ta rg e t host and then analyzes the responses to accom plish its goal. Either a n e tw o rk a d m in istra to r or an a ttacker can use this to o l fo r th e ir p articula r needs. N e tw o rk adm inistrato rs can use Nmap fo r n e tw o rk in v e n to ry , m anaging service upgrade schedules, and m o n ito rin g host o r service uptim e. Attackers use Nmap to e xtract in fo rm a tio n such as live hosts on the n etw o rk, services (application name and version), type o f packet filte rs /fire w a lls , o p e ra tin g system s, and OS versions.
M o d u le 0 3 Page 2 90
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Zenm ap
iM k (" > !j* N
* M
M o w K M * TCf M*
tel
Mi M l M M * I u n
T A . IV M M > *M O W !
!N tO n lw '
* 14
u n
4
) m ) M
MM D u
tu n
M l t lliw
I M .n iH I D U s ia ti w m i a m ia f t M VC
1 1 :1 1
HHM rtt * . I t *
V *. M t f )
1 c ' 1m
C o M lr tM * V H r * U m a t : , M l * I m iH (I tv ta l M tf i) : M t l i t l *N r * u < c m r M lt f t iM * I * I t . t I f * H * i M r M lM tlM M I . *t . . H
t l H lli I n l t l M l f * Sm S t t t lt n Sm x i t 1S:22 k M i ^ W 1M IM S ( l ) t e r t i ] M K M f M M M M t I H t ( | M 1I2 I M 1 M S W w u r M M M PMt I M / t V M 1*2 IM 1M S M M M M M M W M M 44$/1( M IW 1 M .IM .1 M W M M M MW) W t 12 t<> on 1*2 144 IM S M M M t M>42 tcp on 1*2 IM .1 M .S T M l t l T l 1 ~ MOwt 22.22% m ac; I K : 19:24 ( 1 4 5
1 1
1 52 2
1 1 2 1 1 2 22 1
M M I/tu *
|.
4 4 12
v :
11I/1
S t i l l l uM i r t l SV.J U N f l w M *
'1 *M l lt I OM M I ( I 1 M i n P n lc e |t n t r l *tKfOM
MM M v l t!l *M
MMHyj
M tf m *
W h 1 * T M M M M t M !2 .1 M 144 S M M l t l W ** 11*1 : ! M M .4 M M M ) I K l IS 24 1 M 4)
%f%
im tL m r n * .* %
C M letM W S t I t * k M at IS 24. N . t l i 1 m m 4 ( M t H t4l M t * ) *W v i< *CM t IS: 24 t a M l | MTviCM M 1*2 IM 1 m C M W * M SM *|C M M t IS: , M .M l l l M l M ( I I K <#I M t
'*1 1 *
l .S M M y ( l t * Him u i t i > m
* M )
12 1
l 0 l* lc.lt-2S4 ( i M i 1m 1)
MiM i
(PI
2 4
M o d u le 0 3 Page 291
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
H p in g2/ H ping3
J Command line packet crafter for the TCP/IP protocol J Tool for security auditing and testing firewall and networks J Runs on both Windows and Linux operating systems
UrtifW
C E H
itkMl lUikw
f o o t g b t : - # h ping3 A 1 0 .0 .0 .2 -p 89
H P IN C18.0.0.2 (ethl 19.0.0.2): Aset, 4 0h e a d e rs + 0 d a ta b y te l le n = 4 0 ip-10.0.0.2 ttl=128 O F id=26 85spoci^0 flags-R s e q ^ 0w ln0 rtt=1.3 m s ^ le n ^4 0 ip-10.0.0.2 ttl=128 O F id -2 6 5 8 6 sport-ee-flags-R se q -1 w ln = 0 rtt=6.8 m s le n = 4 0 ip-10.0.0.2 ttl=128 O F id = 2 6 0 8 7 sport-8G fflags= R Ie q ^2 w
in = o r = le n - 4 0 i p - 1 0 . 0 . 0 . 2 1n=0 r t t = 8 . 9 ms le n = 4 0 ip = 1 0 ^ L 0 . 2
11 1.0
ttl- 1 2 8
OF id - 2 6 0 8 8 s p o r t - 8 0 f lo g s - R
s c q -3 w
t t l = 1 2 8 DF id - 2 6 6 8 9 5 p o rjt= 8 e f t c g s f R s e q - 4 w
J le n = 4 6 ip=10.0.3.2 ttl=128 O F id = 2 6 0 9 1 sp o rt= 8 0 fla g s= Rs e q = 6w in = 0 rtt=e.7 m s le n = 4 0 ip= 10.O .0.2 ttl=128 O F id26092 sport80 flags^R s e q = 7w ln = 8 rtt=8.8 n s len-40 ip-10.0.0.2 ttl-128 O Fid -2 6 0 9 3 5port-80 flegsRse q -8 w
ACK Scanning on p o rt 80
Copyright by EG-GMMCil. All Rights Reserved. Reproduction Is S trictly Prohibited.
len=4) 1^=10 .0.8 *?ttl=128 D F ld=26090 sport8 0 flags=R seq=5 in0 rtt-0 .5 m s
H p in g 2 /H p in g 3 Source: h ttp ://w w w .h p in g .o rg HPing2/HPing3 is a co m m a n d -lin e -o rie n te d TCP/IP packet assem bler/analyzer th a t sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It has Tra ce ro ute m ode, and enables you to send files betw een covert channels. It has the a b ility to send custom TCP/IP packets and display ta rg e t replies like a ping program does w ith ICMP replies. It handles fra g m e n ta tio n , a rb itra ry packets' body and size, and can be used in o rd e r to tra n sfe r encapsulated files under supported protocols. It supports idle host scanning. IP spoofing and n e tw o rk /h o s t scanning can be used to p erfo rm an anonym ous probe fo r services. An a tta cke r studies the behavior o f an idle host to gain in fo rm a tio n abo u t the ta rg e t such as the services th a t the host offers, the ports su pp o rtin g th e services, and the ope ra tin g system o f the targe t. This type o f scan is a predecessor to e ith e r heavier probing or o u trig h t attacks. Features: The fo llo w in g are some o f the features o f HPing2/HPing3: 9 e D eterm ines w h e th e r the host is up even w hen th e host blocks ICMP packets A dvanced p o rt scanning and te st net perform ance using d iffe re n t protocols, packet sizes, TOS, and fra g m e n ta tio n
M o d u le 0 3 Page 292
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
M anual path MTU discovery Firew alk-like usage allows discovery o f open ports behind firew alls Remote OS fin g e rp rin tin g TCP/IP stack auditing
9
9 9
ICMP Scanning A ping sweep o r In te rn e t C o n trol Message P rotocol (ICMP) scanning is a process o f sending an ICMP request or ping to all hosts on the n e tw o rk to d ete rm ine w hich one is up. This p ro to co l is used by ope ra tin g system, ro u te r, sw itch, in terne t-p ro to co l-b a sed devices via the ping com m and to Echo re quest and Echo response as a co nn e ctivity te ste r betw een d iffe re n t hosts. The fo llo w in g screenshot shows ICMP scanning using the Hping3 to o l:
root@bt: ~
root@ bt:~# h p i ng3 -1 10 .0 .0 .2 HPING 1 0 .0 .0 .2 ( e t h l 10 . 0 . 0 . 2 ) : icmp mode s e t, 28 headers + 0 d len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25908 icmp_seq=0 r t t = 2 . 2 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25909 icm p_seq=l r t t = 1 . 0 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25910 icmp_seq=2 r t t = 1 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25911 icmp_seq=3 r t t = 0 . 5 ms icmp seq=4 rtt= 0 .4 m s len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=2591% len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25913 icmp seq=5 r t t = l . l ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25914 icmp seq=6 r t t = 0 . 9 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25915 icmp seq=7 r t t = l . l ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25916 icmp seq=8 r t t = 0 . 9 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25917 icmp seq=9 r t t = l . l ms len=28 ip = 1 0 .0 . 0 . ^ > t t l= 128 id=25918 icmp seq=10 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25919 icm p _ se q = ll r t t = 1 . 2 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25920 icmp seq=12 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25921 icmp seq=13 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25922 icmp seq=14 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25923 icmp seq=15 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25924 icmp seq=16 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25925 icmp seq=17 r t t = 1 . 0 ms
ACK Scanning on P ort 80 You can use this scan tech n iq ue to probe fo r the existence o f a fire w a ll and its rule sets. Simple packet filte rin g w ill allow you to establish connection (packets w ith the ACK b it set), whereas a sophisticated stateful fire w a ll w ill not a llow you to establish a connection. The fo llo w in g screenshot shows ACK scanning on p o rt 80 using the Hping3 to o l:
M o d u le 0 3 Page 293
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
>v
* r o o ta b t: -
0 0 t@ b t:~ # h p in g 3 -A 1 0 . 0 . 0 . 2 p 80 HPING 1 0 .0 .0 .2 ( e t h l 1 0 . 0 . 0 . 2 ) : A s e t , 40 h ea d ers + 0 d a ta b y te s le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 6 0 8 5 s p a rJ t-8 0 fla g s = R seq=0 w in = 0 r t t = 1 . 3 ms le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 60 8 6 s p o rt= 8 0 fla g s = R s e q = l w in = 0 r t t = 0 . 8 ms -'" le n = 4 0 ip = 1 0 . 0 . 0 . 2 t t l= 1 2 8 DF id = 2 60 8 7 s p o rt= 8 9 fla g s = R seq=2 w in = 0 r t t = 1 . 0 ms le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 60 8 8 s p o rt= 8 0 ^ la g s = R seq=3 w in = 0 r t t = 0 . 9 ms le n = 4 0 ip = 1 0 J 0 .0 .2 t t l= 1 2 8 DF id = 2 6 0 8 9 s p o rt= 8 0 fla g s = R seq=4 w in = 0 r , t t = p . 9 ros ^ ^ J j I 4 ^ f j le n = 4 0 ip = lO . 0 . 0 . 2 t t l= 1 2 8 DF id=26O 90 s p o rt= 8 0 fla g s = R seq=5 w in = 0 r t t = 0 . 5 ms le n = 4 0 ip = lO . 0 . 0 . 2 t t l= 1 2 8 DF id = 2 6 0 9 1 s p o rt= 8 0 fla g s = R seq=6 w in = 0 r t t = 0 . 7 ms le n = 4 0 ip = 1 0 .0 .O .2 t t l= 1 2 8 DF id = 2 60 9 2 s p o rt= 8 0 fla g s = R seq=7 w in = 0 r t t = 0 . 8 ms le n = 4 0 ip = 1 0 .0 .O .2 t t l= 1 2 8 DF id = 2 6 0 9 3 s p o rt= 8 0 fla g s = R seq=8 v
M o d u le 0 3 Page 294
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
H pingC om m ands
ICMP Ping SYN scan on port 50-60
h p in g 3 -1 10.0.0.25 h p in g 3 -8 5 0 -5 6 -S
U rtifM
H cE
ItkKJl N m Im
1 0 .0 .0 .2 5
-V
hpng3
-A
1 0.0.0.25
-p
80
h p in g 3
-F
-p
-U
1 0 .0 .0 .2 5
-p
80
h p in g 3
-2
1 0.0.0.25
-p
80
-I ethO
sig n a tu re h p in g 3
In te rc e p t a ll t r a ffic co n ta in in g HTTP
h p in g 3
1 9 2 .1 6 8 .1 .1 0 3
-Q
-p
139
-9
HTTP
- I
e th O
t c p tim e s ta m p
1 9 2 .1 6 8 .1 .2 5 4
flo o d
H p in g
C o m m a n d s
The fo llo w in g table lists various scanning m ethods and respective Hping com m ands:
Scan ICMP ping ACK scan on port 80 UDP scan on port 80 Collecting initial sequence number Firewalls and time stamps SYN scan on port 50-60 FIN, PUSH and URG scan on port 80 Scan entire subnet for live host Intercept all traffic containing HTTP signature SYN flooding a victim
Commands hping3 -1 1 0.0.0.25 hping3 -A 10 .0 .0 .2 5 -p 80 hping3 -2 1 0.0.0.25 -p 80 hping3 192.168.1.103 -Q -p 139 -s hping3 -S 72.14.207.99 -p 80 --t c p timestamp hping3 -8 50-56 -S 10 .0 .0.2 5 -V hping3 -F -p -U 10 .0.0.25 -p 80 hping3 -1 1 0 .0 .1 .x --rand-dest - I ethO hping3 9 H TTP - I ethO hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flo o d
TABLE 3.1: Hping C om m ands Table
M o d u le 0 3 Page 295
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
ScanningT echniques
TCP Connect / Full Open Scan Stealth Scans IDLE Scan ICMP Echo Scanning/List Scan
T E C
SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning ACK Flag Scanning
H
N
I o
u
E
S c a n n in g T e c h n iq u e s Scanning is the process o f g ath erin g in fo rm a tio n about the systems th a t are alive and responding on the n etw o rk. The p o rt scanning tech n iq ue s are designed to id e n tify the open ports on a targe te d server or host. This is o fte n used by adm inistrato rs to ve rify security policies o f th e ir netw orks and by attackers to id e n tify running services on a host w ith the in te n t o f com prom ising it. D iffe re n t types o f scanning tech n iq ue s e m p loye d include: TCP Connect / Full Open Scan Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan IDLE Scan ICMP Echo Scanning/List Scan SYN/FIN Scanning Using IP Fragments UDP Scanning Inverse TCP Flag Scanning ACK Flag Scanning
M o d u le 0 3 Page 296
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Port/Protocol
7 /tc p 7 /u d p 9 /tc p 9 /u d p 1 1/tcp 1 3/tcp 13/udp 1 5/tcp 1 7/tcp 1 9/tcp 19/udp 2 0 /tcp 2 1 /tcp 2 2 /tcp 2 3 /tcp 2 5 /tcp 3 7 /tcp 3 7/u dp 3 9/u dp 4 3 /tcp 5 3 /tcp 5 3/u dp 6 6 /tcp 6 6/u dp 6 7 /tcp 6 7/u dp 6 8 /tcp
Description
Q uote tty ts t source tty ts t source ftp data tra nsfe r ftp com m and Secure Shell
M ail Tim eserver Tim eserver resource location w ho is dom ain name server dom ain name server Oracle SQL*net Oracle SQL*net boo tp server boo tp server boo tp client
M o d u le 0 3 Page 297
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
6 8/u dp 6 9 /tcp 6 9/u dp 7 0 /tcp 7 9 /tcp 8 0 /tcp 8 0 /u d p 8 8 /tcp 8 8 /u d p 1 09/tcp 1 10 /tcp 111 /tcp 111/udp 1 13/tcp 113/udp 114 /tcp 114/udp 119 /tcp 119/udp 123 /tcp P ort/P ro toco l 123/udp 1 37 /tcp 137/udp 1 38/tcp 138/udp 1 39/tcp 139/udp 143 /tcp
boo tp client Trivial File Transfer Trivial File Transfer gopher server Finger WWW WWW Kerberos Kerberos PostOffice V.2 PostOffice V.3 RPC 4.0 p o rtm a p p e r RPC 4.0 p o rtm a p p e r A u th e n tica tio n Service A u th e n tica tio n Service A udio News M u ltica st A udio News M u ltica st Usenet N e tw o rk News Transfer Usenet N e tw o rk News Transfer N e tw o rk Time Protocol Description N e tw o rk Time Protocol NETBIOS Name Service NETBIOS Name Service NETBIOS Datagram Service NETBIOS Datagram Service NETBIOS Session Service NETBIOS Session Service In te rn e t Message Access Protocol
M o d u le 0 3 Page 298
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
im a p s q l- n e t s q l- n e t s q ls r v s q ls r v snmp snmp s n m p -tra p s n m p -tra p c m ip -m a n c m ip -m a n c m ip - a g e n t c m ip - a g e n t ir e ir e a t- rtm p a t- rtm p a t-n b p a t- n b p a t-3 a t-3 a t- e c h o a t- e c h o a t-5 a t-5 a t- z is a t- z is a t- 7
143/udp 150 /tcp 150/udp 156/tcp 156/udp 1 61/tcp 161/udp 162 /tcp 162/udp 1 63/tcp 163/udp 1 64/tcp 164/udp 1 94/tcp 194/udp 2 01 /tcp 2 01 /ud p 2 02 /tcp 2 02 /ud p 203 /tcp 2 03 /ud p 2 04 /tcp 2 04 /ud p 2 05 /tcp 2 05 /ud p 2 06 /tcp 2 06 /ud p 2 07 /tcp
CMIP/TCP M anager CMIP CMIP/TCP Agent CMIP In te rn e t Relay Chat In te rn e t Relay Chat AppleTalk Routing M aintenance AppleTalk Routing M aintenance AppleTalk Name Binding AppleTalk Name Binding AppleTalk AppleTalk AppleTalk Echo AppleTalk Echo AppleTalk AppleTalk AppleTalk Zone Info rm a tio n AppleTalk Zone Info rm a tio n AppleTalk
M o d u le 0 3 Page 299
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
2 07 /ud p 2 08 /tcp 2 08 /ud p 2 13 /tcp 2 13 /ud p 2 20 /tcp 2 20 /ud p 3 87 /tcp 3 87 /ud p 3 96 /tcp 3 96 /ud p P ort/P ro toco l 4 1 1 /tcp 4 1 1 /u d p 4 4 5 /tcp 4 4 5 /u d p 5 00 /ud p 5 1 0 /tcp 5 12 /tcp 5 12 /ud p 5 1 3 /tcp 5 13 /ud p 5 14 /tcp 5 14 /ud p 5 15 /tcp 5 15 /ud p 5 1 7 /tcp 5 17 /ud p 5 18 /ud p
Interactive M ail Access Protocol v3 Interactive M ail Access Protocol v3 AppleTalk Update-Based Routing AppleTalk Update-Based Routing Novell N etw are over IP Novell N etw are over IP Description Remote m t Remote m t
ISAKMP/IKE First Class Server BSD rexecd(8) used by mail system to n o tify users BSD rlogind(8) w hod BSD rw hod(8) cmd BSD rshd(8) BSD syslogd(8) spooler BSD lpd(8) P rinter Spooler BSD talkd(8) Talk New Talk (ntalk)
M o d u le 0 3 Page 3 00
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
n ta lk n e tn e w s uucp uucp k lo g in k lo g in k s h e ll k s h e ll
SunOS talkd(8) R eadnew s uucpd BSD uucpd(8) uucpd BSD uucpd(8) Kerberos Login Kerberos Login Kerberos Shell Kerberos Shell krcm d Kerberos encrypted re m o te shell -k fa ll ECD Integrated PC board srvr NFS M o u n t Service PC-NFS DOS A u th e n tica tio n BW-NFS DOS A u th e n tica tio n Flexible License M anager Flexible License M anager Kerberos A d m in istra tio n Kerberos A d m in istra tio n kdc Kerberos a u th e n tic a tio n tcp Kerberos
e k s h e ll
5 45 /tcp
6 00 /tcp 6 35 /ud p 6 40 /ud p 6 50 /ud p 7 44 /tcp 7 44 /ud p 7 49 /tcp 7 49 /ud p 7 50 /tcp 7 50 /ud p
7 51 /ud p
7 51 /tcp
7 54 /tcp
M o d u le 0 3 Page 301
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
9 99 /ud p socks socks kpop m s - s q l- s m s - s q l- s m s - s q l- m m s - s q l- m Name p p tp p p tp nfs nfs e k lo g in r k in it kx k a u th ly s k o m s ip s ip x ll x ll ir e afs afs 1 080/tcp 1080/udp 1 109/tcp 1 433/tcp 1433/udp 1 434/tcp 1434/udp P ort/P ro toco l 1 723/tcp 1723/udp 2 04 9 /tcp 2049/udp 2 10 5 /tcp 2 10 8 /tcp 2 11 1 /tcp 2 12 0 /tcp 4 8 9 4 /tcp 5 06 0 /tcp 5060/udp 6 000-6063/tcp 6000-6063/udp 6 66 7 /tcp 7000-7009/udp 7000-7009/udp
TABLE 3.2: Reserved Ports Table
A pplixw are
Pop w ith Kerberos M icro so ft SQL Server M icro so ft SQL Server M icro so ft SQL M o n ito r M icro so ft SQL M o n ito r Description Pptp Pptp N e tw o rk File System N e tw o rk File System Kerberos encrypted rlogin Kerberos re m o te kin it X over Kerberos Remote kauth LysKOM (conference system) Session In itia tio n Protocol Session In itia tio n Protocol X W in d o w System X W in d o w System In te rn e t Relay Chat
M o d u le 0 3 Page 302
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
J J
T C PC o n n e c t/ F u llO p e nS c a n C E H M
)SYN Packet + P ort (n S Y N /A C K Packet . . .
m
A ttacker
......... A .t .5 S T . .......
Target
*
A ttacker
? ? . .
H
f ,
Target
T C P
C o n n e c t / F u ll O p e n S c a n
Source: h ttp ://w w w .in s e c u re .o rg TCP Connect / Full Open Scan is one o f the m ost re lia b le form s o f TCP scanning. The TCP connect() system call provided by an OS is used to open a connection to every in terestin g p o rt on th e machine. If the p o rt is listening, connect() w ill succeed; o therw ise, the p o rt isn't reachable.
m m
T C P
T h r e e - w
a y
H a n d s h a k e
In the TCP th re e -w a y handshake, the client sends a SYN flag, w hich is acknowledged
by a SYN+ACK flag by the server w hich, in tu rn , is acknow ledged by the clie n t w ith an ACK flag to com plete the connection. You can establish a connection fro m both ends, and te rm in a te fro m both ends individually.
V a n illa S c a n n in g
In vanilla scanning, once the handshake is com pleted, the clie n t ends the connection. If the connection is not established, the n the scanned m achine w ill be DoS'd, w hich allows you to make a new socket to be cre a te d /ca lle d . This confirm s you w ith an open p o rt to be scanned fo r a running service. The process w ill continue u ntil the m axim um p o rt threshold is reached.
M o d u le 0 3 Page 303
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
If the p o rt is closed the server responds w ith an RST+ACK flag (RST stands fo r "R eset the co n n e c tio n "), whereas the client responds w ith a RST flag and here ends the connection. This is created by a TCP connect () system call and w ill be id e n tifie d instantaneously if the p o rt is opened or closed. M aking separate connects() call fo r every targeted p o rt in a linear fashion w o u ld take a long tim e over a slow connection. The a ttacker can accelerate the scan by using many sockets in parallel. Using non-blocking, I/O allows the a ttacker to set a low tim e -o u t period and w atch all the sockets sim ultaneously.
u isd a v d itia g e s
The draw back o f this type o f scan is easily d e te cta b le and filte ra b le . The logs in the
The Output
Initia tin g Connect () Scan against (172.17.1.23) Adding open p o rt 1 9/tcp Adding open p o rt 2 1 /tcp Adding open p o rt 1 3/tcp SYN Packet + Port (n) ............................... SYN / ACK Packet ACK + RST A tta c k e r
FIGURE 3.14: Scan results w h e n a p o rt is open
T a rg e t
a rg e t
M o d u le 0 3 Page 304
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Zenmap
H o sts H o s t
P o tts/H o sts T o p o lo g yH o s tD t hS c a n s
*sT v n m jp 192.168.168.5
192.168.168.5
Starting N ra p6 .6 1 ( http://n*ap.0 rg ) at 2 0 1 20 81 01 2 :0 4 dT i Initiating A R PP in gS c a n at 1 2 :0 4 S can n in g1 9 2 .1 6 8 .1 6 8 .5 (1 port] C o m p le te dA R PP in gS < a n at 1 2 :0 4 , 0.0 8 s elapsed (1 total hosts) Initiating Parallel D N Sresolution of 1host, at 1 2 :0 4 C o m p le te d Parallel D N Sresolution of 1host, at 1 2 :0 4 , 0.0 2 s elap sed Initiating C o n n e c tS c a n at 1 2 :0 4 S can n in g1 9 2 .1 6 8 .1 6 8 .S[1 0 0 0 ports] D isco v ered o p e n port 80/tcp o n1 9 2 .1 6 8 .1 6 8 .5 D isco v ered o p e n port 993/tcp o n1 9 2 .1 6 8 .1 6 8 .S D isco v ered o p e n port 808 0 /tcp o n1 9 2 .1 6 8 .1 6 8 .S D isco v ered o p e n port 2S /tcp o n1 9 2 .1 6 8 .1 6 8 .S D isco v ered o p e n port 13 9 /tcp o n1 9 2 .1 6 8 .1 6 8 .5 D isco v ered o p e n port 888 8 /tcp o n1 9 2 .1 6 8 .1 6 8 .S C o m p le te dC o n n e c tS c a n at 1 2 :0 4 ,4 0 .6 3 s elapsed (1 0 0 0 total ports) N a p scan report for 1 9 2 .1 6 8 .1 6 8 .S F ailed to resolve g iv en h o stn aaie/IP :n ap . N o te that y o ucan't u se '/ ask * A M D* 1*4,7,100 style IPranges. If the achine o n ly h as a n IP v 6 ad d ress* a d d the N a p -6 * lag to scan that. H o st is u p (0 .0 0 0 S 7 s latency), tot itjtotoi 9 8 0S filtered P O U T S T A T E E R V IC E ports 2S /tcp o p e nM tp 80/tcp o p e n http 1 1 0 /t< po p e np o p ) 119/tcp o p e nn n tp 13 S /tcp o p e n asrp cice 8081/tcp o p e n black icecap 808 8 /tcp o p e n radan-http 888 8 /tcp o p e n su n an tw e rb o o k M lA fltirC il. (O eil) R cta fllll flic! frw; C :\P rogra Files (x 8 6 )\N * ap U m pd o n e : 1IPadd ress (I h o st u p ) scan n ed in 4 3 .0 8 seco n d s R a xpackets sent: 1 (2 8 8 )|R c v d : 1 (2 8 8 )
M o d u le 0 3 Page 305
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
A tta c k e rs use s te a lth scan ning te c h n iq u e s to bypass fire w a ll ru le s , lo g g in g m e c h a n is m , and hide th e m s e lv e s as usual n e tw o rk tra ffic
SYN (Port 80) SYN + ACK
Ste a lth S c a n P r o c e s s
,^ s /
Bill
1 0 .0 .0 .2 :2 3 4 2
...........................
a
Sheela
1 0 .0 .0 .3 :8 0
Port is open
lf th e p o rt is open then th e server responds w ith a SYN/ACK packet
(ft
If th e server responds w ith an RST packet, then th e rem ote p o rt is in th e "closed" state
W N |P rlS n |
r
Bill
1 0 .0 .0 .2 :2 3 4 2
* O
j
Sheela
1 0 .0 .0 .3 :8 0
The client sends the RST packet to close the initiation before a connection can ever be established
Port is clo se d
S te a lth S c a n ( H a lf - O p e n S c a n ) Stealth scan sends a single fra m e to a TCP p o rt w ith o u t any TCP handshaking or a dd itio n al packet transfers. This is a scan type th a t sends a single fram e w ith the expectation o f a single response. The half-open scan p artially opens a connection, b ut stops halfw ay throu g h. This is also know n as a SYN scan because it only sends the SYN packet. This stops th e service fro m ever being n o tifie d o f the incom ing connection. TCP SYN scans or half-open scanning is a stealth m ethod o f p o rt scanning. The three -w ay handshake m e thodology is also implemented by the stealth scan. The difference is th a t in the last stage, re m o te ports are id e ntifie d by exam ining the packets e nte rin g the interface and te rm in a tin g the connection before a new in itia liza tio n was triggered. The process preludes the fo llo w in g : 9 To sta rt in itia liza tio n , the client forw a rd s a single "SYN" packet to the d estination server on the corresponding port. 9 The server actually in itiates the stealth scanning process, depending on th e response sent. 9 If th e server forw a rd s a "SYN/ACK" response packet, then the p o rt is supposed to be in an "OPEN" state.
M o d u le 0 3 Page 3 0 6
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
If the response is fo rw a rd e d w ith an "RST" packet, then the p o rt is supposed to be in a "CLOSED" state.
SYN (Port 80)
Bill
10.0.0.2:2342
Sheela
10.0.0.3:80
Port is open
FIGURE 3.16: S tealth Scan w h e n Port is Open
^
Bill
10.0.0.2:2342
...
P o r t is c lo s e d
FIGURE 3.17: S tealth Scan w h e n Port is Closed
Sheela
10.0.0.3:80
Zenm ap Tool Zenmap is the official graphical user in te rfa ce (GUI) fo r the Nm ap Security Scanner. Using this to o l you can save the fre q u e n tly used scans as profiles to make the m easy to run re cu rre ntly. It contains a com m and cre a to r th a t allows you to in teract and create Nmap com m and lines. You can save the Scan results and vie w the m in the fu tu re and th e y can be com pared w ith a no the r scan re p o rt to locate differences. The results o f the recent scans can be stored in a searchable database. The advantages o f Zenmap are as follow s: 9 9 e Q Q Interactive and graphical results view ing Comparison Convenience R epeatability D iscoverability
M o d u le 0 3 Page 307
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
cr
S c !n lo o k profile H elp
Zenmap
Is
,Scan C ancel
P ro file
P orts / H osts
Topology
H ost Details
Scans
* -sT -v n m a p 192.168.168.5
*| 1
Details
Starting Nmap 6.01 ( http://nMp.org ) at 2012-0810 12:04 d Tii Initiating ARP Ping Scan at 12:04 Scanning 192.168.168.S [1 port] Completed ARP Ping Scan at 12:04, 0.68s elapsed (1 total hosts) Initiating Parallel ONS resolution of 1 host, at 12:04 Completed Parallel DNS resolution of 1 host, at 12:04, 0.02s elapsed Initiating Connect Scan at 12:04 Scanning 192.168.168.S [1000 ports) Discovered open port 80/tcp on 192.168.168.S Discovered open port 993/tcp on 192.168.168.S Discovered open port 8080/tcp on 192.168.168.S Discovered open port 2$/tcp on 192.168.168.S Discovered open port 139/tCp on 192.168.168.5 Discovered open port 8888/tcp on 192.168.168.5 Coaipleted Connect Scan at 12:04, 40.63s elapsed (lOOO total ports) N*ap scan report for 192.168.168.S failed to resolve given hostnaae/IP: nap. Note that you can't use ,/ask' ANO *1-4,7,100-' style IP ranges. If the Machine only has an IPv6 address, add the Neap 6 flag to scan that. Host is up (O.00OS7S latency). ><gt *towtn; 980 filtered ports PORT STATE SERVICE 2S/tcp open satp open http 80/tcp 110/tcp open pop 3 119/tcp open nntp 135/tcp ooen srpc 8081/tcp open blackice-icecap 8088/tcp open radan-http 8888/tcp open sun-answerbook (Dell)
Rtad tfiH f i l e t fr w ; C:\Progra Files (x86)\N*ap H*ap done: 1 IP address (1 host up) scanned in 43.08 seconds Rax packets sent: 1 (288) | Rcvd: 1 (288)
F i l t e r Hosts
M o d u le 0 3 Page 308
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
X m a s Scan
o
c E l\
U ftN M ftb.ul H.. fcM
m u ::: 1
Server
1 0 .0 .0 .8 :2 3 1 0 .0 .0 .8 :2 3
10.0.0.6
10.0.0.6
Port is closed
Port is open
It will n o t w o r k a g a in s t a n y c u r r e n t v e r s io n o f M ic r o s o f t W in d o w s
X m a s S c a n
-----------X m a s Scan is a p o r t scan t e c h n i q u e w i t h ACK, RST, SYN, URG, PSH, a n d FIN fla g s s e t t o
s e n d a TCP f r a m e t o a r e m o t e d e v ic e . If t h e t a r g e t p o r t is c lo s e d , t h e n y o u w i ll re c e iv e a r e m o t e s y s te m r e p ly w i t h a RST. You can use t h i s p o r t scan t e c h n i q u e t o scan la rg e n e t w o r k s a n d fin d w h i c h h o s t is u p a n d w h a t se rv ic e s it is o f f e r i n g . It is a t e c h n i q u e t o d e s c r ib e all TCP fla g sets. W h e n all fla gs a re set, s o m e s y s te m s h a n g ; so t h e fla g s m o s t o f t e n se t a re t h e n o n s e n s e p a t t e r n URG-PSH-FIN. This scan o n l y w o r k s w h e n s y s te m s a re c o m p l i a n t w i t h RFC 7 93 .
B SD N e tw o rk in g C o d e
T his m e t h o d is based o n BSD n e t w o r k i n g c o d e ; y o u can use th is o n l y f o r all t h e p o r ts o n t h e h o s t a re o p e n e d .
UNIX h o s ts
a n d it d o e s n o t s u p p o r t W i n d o w s NT. If t h is scan is d ir e c t e d a t a n y M i c r o s o f t s y s te m , it s h o w s
T ra n s m ittin g P a c k e ts
You can in itia liz e all t h e fla g s w h e n t r a n s m i t t i n g t h e p a c k e t t o a r e m o t e h o s t. If t h e t a r g e t s y s te m a c c e p ts p a c k e t a nd d o e s n o t s e n d a n y re s p o n s e , t h e p o r t is o p e n . If t h e t a r g e t s y s te m se nd s RST fla g , t h e p o r t is c lo s e d .
M o d u le 0 3 Page 309
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Advantage:
It a v o id s t h e IDS a n d TCP t h r e e - w a y h a n d s h a k e .
Disadvantage:
It w o r k s o n t h e UN IX p l a t f o r m o n ly .
No Response Attacker
10.0.0.6
Server
10.0.0.8:23
P o r t is o p e n
FIGURE 3.19: Xmas Scan when Port is Open
RST Attacker
10.0.0.6
Server
10.0.0.8:23
P o r t is c lo s e d
FIGURE 3.20: Xmas Scan when Port is Closed
Z e n m a p is t h e o ffic ia l g ra p h ic a l u s e r in t e r f a c e (GUI) f o r t h e N m a p S e c u r i t y S c a n n e r. U sing th is t o o l y o u can sa ve t h e f r e q u e n t l y used scans as p r o f i l e s t o m a k e t h e m easy t o r u n r e c u r r e n t l y .
Zenmap Scan 100It Profile Help
Target: nmap 192.I6S.168.}
91X v r
Services
Nmip Output Pcm/Hosts Topology Host Ottals S<ans -sX-v nmap 152.16S. 168.3
Start
Details
W
*
192.168.16S.5 192.168.168.3 S tA 'tin g Nmap 6.01 ( * t 2612 08 10 12:39 Standarc 1ie In it ia t i n g Ping Scan a t 12:39 Scanning 192.168.168.3 [1 p o rt] Completed ARP Ping Scan at 12:39, 0.07s elapsed (1 t o t a l hosts) In it ia t i n g P a ra lle l DNS resolution 0-f 1 host, a t 12:39 Completed P a r a lle l DNS reso lu tio n o* 1 host, at 12:39, 9.02s elapsed In it ia t i n g XMAS Scan at 12:3* Scanning 19 2.16 8.1 *8 .3 [10C po*ts] Increasing cnd delay *o r 192.168.168.3 0 to S du* to 108 out o f 358 dropped probes since la s t increase. Completed XMAS Scan at 12;39, 9.75s elapsed (1900 to ta l ports) Nra scan repo rt 197.1*3 .1 68 .3 F ailed o resolve given h o straee/IPr niwp. Note th a t you c a n 't use * / ? AHO *1 -4 ,7 ,1 8 0 s ty le IP ranges. I the wchine only ha? an IPv6 address. add the Mnap -6 fla g to scan th a t. Host is up (0.000023s la te rc y ). Not shovn; 997 clo jed ports PORT STATE SEUVICE 22 /tcp o o e r lfilte r e d ss* 88/tcp o p e r | f i l t e ed kerbercs-se: 548 tcp o p e r | f i lt e ed afp
A K P
from f
for
M A C A M rtu;
Rgttd tifltfl f l i p f r w i C:\Progra * lie s <x!6)\ta a o 1 IP a d lres t (1 host up) scanned in 12.19 seconds Rat. paccets sent: 13S3 <S4.188*8) I Rcvd: 998 (39.908K8)
FIGURE 3 .2 1 : Z e n m a p S h o w in g X m a s S c a n R e s u lt
M o d u le 0 3 Page 3 10
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Scan
J In FIN scan, attackers send a TCP frame to a remote host with only FIN flags set J FIN scan only with OS TCP/IP developed according to RFC 793 J It will not work against any current version of Microsoft Windows J *
>
F IN
S c a n
------------
t h e se rv ic e is n o t r u n n i n g o r if t h e p o r t is c lo s e d it r e p lie s t o y o u w i t h t h e p r o b e p a c k e t w i t h an RST.
FIN
No Response
Attacker
10.0.0.6
10.0.0.8:23
P o r t is o p e n
FIGURE 3.22: FIN Scan when Port is Open
M o d u le 0 3 Page 311
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Attacker
10.0.0.6
P o r t is c lo s e d
FIGURE 3.23: FIN Scan when Port is Closed
Zenmap
Scan Target Joels grofik fcjdp [Scan:
Cancel
E H
nmap 192.168.168.3
if -v nmap 192.168.168.3
192.168.168.5 192.168.168.3
S ta r t i n g N m p 6.01 ( h t t p :/ / n M p .o r g ) a t 2012-01-10 12:35 S tandard Tiae I n i t i a t i n g ARP Ping Scan a t 12:35 Scanning 192.1 6 * .1 6 1 .3 [1 p o rt] Completed ARP Ping Scan a t 12:35, 0 .0 7 s e la p se d (1 t o t a l h o s ts ) I n i t i a t i n g P a r a ll e l DNS re s o lu tio n o f 1 h o s t, a t 12:35 Completed P a r a ll e l 0NS r e s o lu t i o n o f 1 h o s t, a t 12:35, 0 .1 0 s ela p se d I n i t i a t i n g FIN Scan a t 12:35 Scanning 1 9 2 .1 6 0 .16S .3 [1000 p o rts ] In c re a s in g send dela y fo r 192.1 6 9 .1 6 8 .3 f r o 0 t o 5 due t o 108 o u t o f 358 dropped probes s in c e l a s t in c re a s e . In c re a s in g send dela y f o r 192.1 6 8 .1 6 8 .3 fr o * 5 to 10 due to a x _ s u c c e s s fu l_ try n o in c re a s e to 4 Completed FIN Scan a t 12:35, 11.78s ela p se d (1000 t o t a l p o r ts ) *toap scan re p o rt f o r 192.168.168.3 F a ile d t o re s o lv e g iven h o s tn a e /IP : naap. Note t h a t you c a n 't use */ a s k AND 4, 7, 100*1 ' s t y l e IP ra n g e s . I f th e achine only has an IPv6 a d d r e s s , add th e Nap *6 f l a g t o scan t h a t . Host i s up (0.0000050s l a te n c y ) . Ugl-itHM?; 997 c lo s e d p o rts PORT STATE SERVICE 22/ t c p o p e n |f i i t e r e d ssh 88/ t c p o p e n j f i l t e r e d *cerperos sec S 4 8 /tc p o p e n j f i l t e r e d afp
* A i.A M Ttti;
Rctti d i t l f l i t * ff g g j C :\P ro g ra F ile s (x86)\N ap Nwap done: 1 IP a d d re ss (1 h o s t up) scanned in 14.28 seconds Rat p a c k e ts s e n t: 1378 (55.108K8) I Rcvd: 998 (39.908KB)
M o d u le 0 3 Page 312
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
N U L L Scan
P o rt is o p en
TCP Packet with NO Flag Set
CEH
9H
Attacker
No Response
10.0.0.6 In N U LLscan, attackers send a TCP frame to a remote host with NO Flags N U LLscan only works if OS' TCP/IP implementation is developed according to RFC 793 It will not work against any current version of Microsoft Windows
N U L L S c a n
NULL scans se n d TCP p a c k e ts w i t h all fla g s t u r n e d o f f . It is a s s u m e d t h a t c lo s e d p o r ts
w i ll r e t u r n a TCP RST. P a ckets r e c e iv e d by o p e n p o r t s a re d is c a rd e d as in v a lid . It sets all fla gs o f TCP h e a d e rs , such as ACK, FIN, RST, SYN, URG a nd PSH, t o NULL o r u n a s s ig n e d . W h e n a n y p a c k e ts a r r iv e a t t h e s e rv e r, BSD n e t w o r k i n g c o d e i n f o r m s t h e k e r n e l t o d r o p t h e i n c o m i n g p a c k e t if a p o r t is o p e n , o r r e t u r n s an RST fla g i f a p o r t is clo s e d . This scan uses fla gs in t h e r e v e rs e fa s h io n as t h e X m a s scan, b u t gives t h e s a m e o u t p u t as FIN a n d X m a s t r e e scans. M a n y n e t w o r k c o d e s o f m a j o r o p e r a t i n g s y s te m s can b e h a v e d i f f e r e n t l y in t e r m s o f r e s p o n d in g t o t h e p a c k e t, e.g., M i c r o s o f t v e rs u s UNIX. This m e t h o d d o e s n o t w o r k f o r M i c r o s o f t o p e r a t i n g s y s te m s . C o m m a n d lin e o p t i o n f o r n u ll s c a n n in g w i t h N M A P is " - s N "
Advantage:
It a v o id s IDS a nd TCP t h r e e - w a y h a n d s h a k e .
Disadvantage:
It w o r k s o n l y f o r UNIX.
M o d u le 0 3 Page 313
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P o r t is o p e n
C E
31 ^
> N o Response
Attacker
Server 10.0.0.8:23
P o r t is c lo s e d
f c _ 5 RST/ACK Attacker
Server 10.0.0.8:23
E lio ]
Scan
n m a p 192.168.168.3 * - s N v n m a p 192.168.168.3
N m a p O u tp u t
P o r ts / H o s ts
T o p o lo g y
H o s t D e ta ils
S ta n s
s N - v n m a p 192.168.168.3
192.168.168.5 192.168.168.3
Starting N m ap 6.01 ( http://nxap.org ) at 2012-08-10 12:41 Standard Tine Initiating A R P Ping Scan at 12:41 Scanning 192.168.16a.3 (1 port) Com pleted A R P Ping Scan at 12:41, 0.06s lapsed < 1 total hosts) Initiating Parallel D N S resolution of 1 host, at 12:41 Com pleted Parallel D N S resolution of 1 host, at 12141, 0.02s elapsed Initiating N U L L Scan at 12:41 Scanning 192.168.168.3 [1000 ports) Increasing send delay for 192.168.168.3 froet 0 to S due to 21S out of 71S dropped probes since last increas*. Com pleted N U L L Scan at 12:41, 8.23s elapsed (1000 total ports) N oap scan report for 192.168.168.3 Failed to resolve given hostnaxe/IP: nm ap. N ote that you can't use /ask* A N D 1-4,7,100 'style IP ranges. If the achine only has an IPv6 address, add the N aap -6 flag to scan that. H ost is up (0.00s latency). N ot show n: 997 closed ports P O R T S T A T t S E R V IC E 22/tcp open|filtered ssh 88/tcp openjfiltered kerberos-sec 548/tcp openjfiltered afp
M AC A fld r c n ;
R ead data files fro: C:\Progran Files (x86)\N m ap N n p done: 1 IP address (1 hostup) scannedin 10.66 seconds R an packets sent: 1844(73.748K B) | R cvd: 998 (39.908K B)
M o d u le 0 3 Page 3 14
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
ID L E S ca n
M o st n e tw o rk s e rv e rs listen o n TCP p o rts , su ch a s w e b s e rv e rs o n p o r t 80 a n d m ail s e rv e r s o n p o r t 25. P o rt is c o n s id e re d " o p e n " if a n a p p lic a tio n is listening o n th e p o rt
CEH
A m a c h in e t h a t re c e iv e s a n u n so lic ite d SYN | ACK p a c k e t will re s p o n d w ith an RST. An u n so lic ite d RST will b e ig n o re d
t f
C o m m an d P rom pt
C:\>nmap -Pn -p- -si wvrw.juggyboy.com www.certifiedhacker.com Starting N m ap ( http://nmap.org ) Idlescan using zom bie w w w .3uggyboy.com (192.130.18.124:80); Class: Incremental N m ap scan report for 198.182.30.110 (The 40321 ports scanned but not Port State Service open 21/tcp ftp open sm tp 25/tcp open 80/tcp http N m ap done: 1 IP address (1 host tip) scanned in 1931.23 seconds
ID L E
S c a n
T h e id le scan is a TCP p o r t scan m e t h o d t h a t y o u can use t o s e n d a s p o o f e d s o u r c e a d d re s s t o a c o m p u t e r t o f i n d o u t w h a t s e rv ic e s a re a v a ila b le a n d o f f e r s c o m p l e t e b lin d s c a n n in g o f a r e m o t e h o s t. This is a c c o m p lis h e d b y i m p e r s o n a t i n g a n o t h e r c o m p u t e r . N o p a c k e t is s e n t f r o m y o u r o w n IP a d d re s s ; in s te a d , a n o t h e r h o s t is used , o f t e n ca lle d a " z o m b i e , " t o scan th e re m o te host and d e te rm in e th e o pe n p o r ts . T his is d o n e by e x p e c t i n g t h e s e q u e n c e n u m b e r s o f t h e z o m b ie h o s t a n d if t h e r e m o t e h o s t ch e c k s t h e IP o f t h e s c a n n in g p a r ty , t h e IP o f t h e z o m b ie m a c h in e w ill s h o w up.
Understanding TCP/IP
S o u rc e : h t t p : / / n m a p . o r g Id le s c a n n in g is a s o p h is t ic a t e d p o r t s c a n n in g m e t h o d . You d o n o t n e e d t o be a TCP/IP e x p e r t t o u n d e r s t a n d it. You n e e d t o u n d e r s t a n d t h e f o l l o w i n g basic fa c ts : Q M o s t o f t h e n e t w o r k s e rv e rs lis te n o n TCP p o r ts , such as w e b s e rv e rs o n p o r t 8 0 and m a il s e rv e rs o n p o r t 25. A p o r t is c o n s id e r e d " o p e n " if an a p p li c a t i o n is l is te n in g o n t h e p o r t ; o t h e r w i s e it is clo se d .
M o d u le 0 3 Page 315
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Command Prompt
M o d u le 0 3 Page 316
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
I D L E S c a n : S te p 1
CEH
Attacker
Zombie
Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number
In t h e f i r s t ste p , y o u can se n d a session e s t a b l i s h m e n t "S YN" p a c k e t o r
IPID p r o b e t o d e t e r m i n e
w h e t h e r a p o r t is o p e n o r clo s e d . If t h e p o r t is o p e n , t h e " z o m b i e " r e s p o n d s w i t h a session r e q u e s t a c k n o w l e d g m e n t "SYN | ACK" p a c k e t c o n t a i n i n g t h e IPID o f t h e r e m o t e h o s t m a c h in e . If t h e p o r t is c lo s e d , it se nd s a re s e t "RST" p a c k e t. E v e ry IP p a c k e t o n t h e I n t e r n e t has a " f r a g m e n t i d e n t i f i c a t i o n " n u m b e r , w h i c h is i n c r e m e n t e d by o n e f o r e v e r y p a c k e t tr a n s m is s io n . In t h e a b o v e d ia g r a m , t h e z o m b ie r e s p o n d s w i t h
IPID=31337.
M o d u le 0 3 Page 317
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
I D L E S c a n : S te p 2 a n d 3
Step 2
CEH
J Send SY N packet to the target machine (port 80) spoofing the IP address of the "zombie" J If the port is open, the target will send SYN/ACK Packet to the zombie and in response zombie sends RSTto the target J If the port is closed, the target will send RST to the "zombie" but zombie will not send anything back
SYN Packet to port 80 spoofing zombie IP address
4V C
Attacker
r t o s f f i S S * 5 " T e"
Zom bie P o r t is o p e n
j
;
Step 3
J Probe "zombie" IPID again
Response: IPID=31339 RST Packet A tta c k e r IPID incremented by 2 since Step 1, so port 80 must be open
ID L E
S c a n : S te p
2 a n d
I d l e S c a n : S te p 2 .1 ( O p e n P o r t )
" Send a SYN p a c k e t t o t h e t a r g e t m a c h in e ( p o r t 80) s p o o f i n g t h e IP a d d re s s o f t h e
" z o m b i e . " If t h e p o r t is o p e n , t h e t a r g e t w ill se n d t h e S Y N /A C K p a c k e t t o t h e z o m b ie a n d in r e s p o n s e t h e z o m b ie se nd s t h e RST t o t h e t a r g e t . SYN Packet to port 80 spoofing zombie IP address
Attacker
QOO
Target
Zombie
P o rt is o p e n
M o d u le 0 3 Page 318
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Attacker
I -4
Target
Zombie
P o r t is c lo s e d
IPID P r o b e S Y N / A C K Packet
R e sponse: IP I D = 3 1 3 3 9 R S T Packet
Attacker
Zombie
M o d u le 0 3 Page 319
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
I C
E c h o
S c a n n i n g / L i s t
S c a n
C E H
T h is is n o t r e a l ly p o r t s c a n n i n g , s i n c e IC M P d o e s n o t h a v e a p o r t a b s tra c tio n
T h is t y p e o f s c a n s i m p l y g e n e r a t e s a n d p r i n t s a li s t o f I P s / N a m e s w i t h o u t a c t u a l l y p in g in g o r p o r t s c a n n in g t h e m
B u t it is s o m e t i m e s u s e f u l t o d e t e r m i n e w h i c h h o s t s in a n e t w o r k a r e u p b y p i n g i n g t h e m all J
A D N S n a m e r e s o l u t i o n w ill a l s o b e c a r r i e d out
Start In cN r w p6 .6 1 ( tittplZ /nM p.o*? ) *r 2 6 1 26 11 5 IB :1 7 .tn n fln ra rlnr K i m u 1 IP * iftlr h 'v (lnott u t > ) tC M M MIn 1 6 .3 7
f ! U rH o M S
Z e n m a p V |n lo o k ro fit* fc l * p T a rg e t .6 8 . 6 0 . - P ro M t jj ia n j C o m m a n dn ,n ptl v1 9 2 I6 8 .I6 6 S M o tt* S * rv K N m a p O u tp u tP o tt/M e tT e p o l& y , S c a m m a p 1 1vI9 2 .IM .1 6 & 5 O S -M o it n S ta rtin g M ra p 6 .6 1 < h ttp ://n a a p .o rf ) a t M l? Ml lltM d u raT in * Initiating P a ra lle lD 0 N S re s o lu tio n 0 1 h o .a t 1 J S 4 C a a p la te dP a ra ll) M re s o lu tio n o f 1 h o t. t1 3 :5 4 , e . 4 1fla p v td W ra p* c a nra p o rt fo r1 *2 .1 6 6 .1 6 1 .5 N m bd o n ; 1IPd d ra ts < 0hoitt u p ) ic a n n a din 6 .6 6 M to n d t M l rH o itt
V \
List Scan
IC M P
E c h o
S c a n n in g /L is t S c a n
IC M P e c h o s c a n n in g is u sed t o d is c o v e r liv e m a c h in e s b y p i n g i n g a ll t h e m a c h in e s in t h e t a r g e t n e t w o r k . A t t a c k e r s s e n d IC M P p r o b e s t o t h e b r o a d c a s t o r n e t w o r k a d d re s s w h i c h is r e la y e d t o all t h e h o s t a d d re s s e s in t h e s u b n e t . T h e live s y s te m s w i ll s e n d IC M P e c h o r e p ly m e s s a g e t o t h e s o u r c e o f IC M P e c h o p r o b e . IC M P e c h o s c a n n in g is used im p le m e n ta tio n s in th e s e in U N IX /L in u x a n d s y s te m BSD -based m a c h in e s as t h e TCP/IP sta c k ICMP e c h o r e q u e s ts t o t h e
o p e ra tin g
responds to
th e
M o d u le 0 3 Page 3 20
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Zenmap
Scan T a rg et: T o o ls P ro file H elp Profile: S can
^ L - r e l
192.168.1.26 n m a p -s n 192.168.1.26
C an c el
C om m and:
H o sts OS < H o st
S ervices
N m a p O u tp u t
P o rts /H o s ts
T o p o lo g y
H o s t D etails
S can s
n m a p -s n 192.168.1.26
*| i
D etails
Filter H o sts
Zenmap
Scan lo o ls E ro file {Help Profile: C ancel
Target
C om m and:
H o sts OS H o st
S ervices
N m a p O u tp u t
P o rts /H o s ts
T o p o lo g y
H o s t D etails
n m a p - s L - v 192.168.168.5
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 13:54 idard Tit!* Initiating Parallel DNS resolution of 1 host, at 13:54 Completed Parallel DNS resolution of 1 host, at 13:54, 0.04s elapsed Nmap scan report for 192.168.168.5 Nmap done: 1 IP address (0 hosts up) scanned in O.06 seconds
Filter H o sts
Advantage:
9 9 A list scan can p e r f o r m a g o o d s a n ity ch eck. T h e i n c o r r e c t l y d e f i n e d IP a d d re s s e s o n t h e c o m m a n d lin e o r in an o p t i o n file d e t e c t e d b y t h e list scan. T h e d e t e c t e d e r r o r s s h o u ld be r e p a i r e d p r i o r t o r u n n i n g " a c t i v e " scan. a re any
M o d u le 0 3 Page 321
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
U D P S c a n n in g
Are you open on UDP Port 29?
CEH
.............................................*
No response if port is ...................
*
If Port is Closed, an ICMP Port unreachable message is received
%
S erv er
........... I s s ______ j
U D P S c a n n in g
UDP Packets
S o u rc e : h t t p : / / n m a p . o r g W hen you se n d a packet to a c lo s e d UDP p o rt, m ost of th e h o s ts se nd an
M o d u le 0 3 Page 322
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Example
For e x a m p le , a s e c o n d w r i t e () call t o a c lo s e d p o r t w i ll u s u a lly fa il. A l o t o f s ca n n e rs , such as N e t c a t a n d Pluvial p scan .c d o r e c v f r o m () o n n o n - b l o c k i n g UDP so c k e ts , u s u a lly r e t u r n EAGAIN ( " T r y A g a in ," e rrn o 13) if t h e IC M P e rro r has not been re c e iv e d , and ECONNREFUSED
( " C o n n e c t i o n r e f u s e d , " e r r n o 1 11), if it has. T his is t h e t e c h n i q u e used f o r d e t e r m i n i n g o p e n p o r t s w h e n n o n - r o o t u sers use -u (UDP). R o o t u sers can also use t h e -I ( la m e r UDP scan) o p t i o n s t o f o r c e th is .
Advantage:
T h e UDP scan is less i n f o r m a l r e g a r d in g an o p e n p o r t , since t h e r e ' s n o o v e r h e a d o f a TCP h a n d s h a k e . H o w e v e r , i f IC M P is r e s p o n d i n g t o e a ch u n a v a ila b le p o r t , t h e n u m b e r o f t o t a l f r a m e s can e x c e e d a TCP scan. M ic r o s o f t - b a s e d o p e r a t i n g s y s te m s d o n o t u s u a lly i m p l e m e n t a n y t y p e o f IC M P r a te li m i t i n g , so t h i s scan o p e r a t e s v e r y e f f i c i e n t l y o n W i n d o w s - b a s e d d e vice s.
Disadvantage:
T h e UDP scan p r o v id e s p o r t i n f o r m a t i o n o n ly . If a d d it io n a l v e r s io n i n f o r m a t i o n is n e e d e d , t h e scan m u s t be s u p p l e m e n t e d w i t h fin g e rp rin tin g o p tio n (-0 ). T h e UDP scan r e q u ir e s p r iv ile g e d access, so th is scan o p t i o n is o n l y a v a ila b le o n s y s te m s w i t h t h e a p p r o p r i a t e u s e r p e r m is s io n s . M o s t n e t w o r k s h a v e h u g e a m o u n t s o f TCP t r a f f i c ; as a re s u lt, t h e e f f i c i e n c y o f t h e UDP scan is lost. T h e UDP scan w ill lo c a te th e s e o p e n p o r ts a n d p r o v id e t h e s e c u r it y m a n a g e r w i t h v a lu a b le i n f o r m a t i o n t h a t can be used t o i d e n t i f y th e s e in v a s io n s a c h ie v e d by t h e a t t a c k e r o n o p e n UDP p o r t s ca u s e d b y s p y w a r e a p p lic a tio n s , T r o ja n h orses, a n d o t h e r m a lic io u s s o f t w a r e .
Are you open on UDP Port 29?
a v e r s io n d e t e c t i o n scan (-sV) o r t h e
o p e r a t i n g s y s te m
c
di
S e rv e r
................................................
M o d u le 0 3 Page 323
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Zenmap
S<an Target Jooli Profile tjelp nmip 192.168.168.3 *s l l -v nmap 192.168.168.3 Services 4 N m a p Output Ports /Hosts Topok>9 > Host Detaih Scans
L 2_
Scant
x
Cancel
Profile:
192.168.168.3
Details
Starting Nmap 6.01 ( http://na1 ap.org ) at 2012 08 10 12:47 Standard Time Initiating ARP Ping Scan at 12:47 Scanning 192.168.168.3 [1 port] Completed ARP Ping Scan at 12:47, 0.06s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host, at 12:47 Completed Parallel DNS resolution of 1 host, at 12:47, 0.02s elapsed Initiating LOP Scan at 12:47 Scanning 192.168.168.9 [1000 ports) Discovered open port 53S3/udp on 192.168.168.3 Discovered open port 137/udp on 192.168.168.3 Discovered open port 123/udp on 192.168.168.3 Increasing send delay for 192.168.168.3 * r o o t 0 to SO due to 216 out of 719 dropped probes since last increase. Completed UOP Scan at 12:47, 19.66s elapsed (1000 total ports) Nmap scan report for 192.168.168.3 Failed to resolve given hostnaae/IP: nmap. Note that you can't use ,/mask' AND 1-4,7,100- style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that. Host is up (0.000063s latency). Not shown: 994 closed ports PORT STATE SfRVICf 88/udp open|filtered kerberos-sec 123/udp open ntp 137/udp open netbios-ns 138/udp open|filtered netbios-dga S3S3/udp open zeroconf S8178/udp open|filtered unknown MAC Address:
Read data file s fro; c:\Program Files (x86)\Nmap Nmap done: 1 IP address (1 host up) scanned in 22.09 seconds Ra packets sent: 1839 (52.401KB) I Rcvd: 998 (S6.06SK8)
F i l t e r Host*
M o d u le 0 3 Page 324
c <
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
I n v e r s e
T C
l a g
c a n n i n g
CEH
(rtifwd itk itjl
Attackers send TCP probe packets with various TCP flags (FIN,URG,PSH) set or with no flags, no response means port is open and RST/ACK means the port is closed
No Response
Attacker
Port is open
Probe Packet (FIN/URG/PSH/NULL)
RST/ACK
Attacker
Port is closed
In v e rs e T C P
F la g
S c a n n in g
w i t h n o fla gs. W h e n t h e p o r t is o p e n , t h e a t t a c k e r d o e s n ' t g e t a n y r e s p o n s e f r o m t h e h o s t, w h e r e a s w h e n t h e p o r t is c lo s e d , he o r she re c e iv e s t h e R ST /A C K f r o m t h e t a r g e t h o s t. T h e SYN p a c k e ts t h a t a re s e n t t o t h e s e n s itiv e p o r ts o f t h e t a r g e t e d h o s ts a re d e t e c t e d b y using s e c u r it y m e c h a n is m s such as f i r e w a l l s a n d IDS. P r o g r a m s such as S y n lo g g e r a n d C o u r t n e y a re a v a ila b le t o log h a l f - o p e n SYN fla g scan a t t e m p t s . A t t i m e s , t h e p r o b e p a c k e ts e n a b le d w i t h TCP fla g s can pass t h r o u g h f i l t e r s u n d e t e c t e d , d e p e n d i n g o n t h e s e c u r it y m e c h a n is m s in s ta lle d . P r o b in g a t a r g e t u s in g a h a l f - o p e n SYN fla g is k n o w n as an in v e r t e d t e c h n i q u e . It is ca lle d th is b e c a u s e t h e c lo s e d p o r ts can o n l y s e n d t h e r e s p o n s e back. A c c o r d i n g t o RFC 7 9 3 , A n RST/ACK p a c k e t m u s t be s e n t f o r c o n n e c t i o n re s e t, w h e n t h e p o r t is c lo s e d o n h o s t side. A tta ck e rs ta ke
a d v a n ta g e o f th is f e a t u r e t o s e n d TCP p r o b e p a c k e ts t o e a c h p o r t o f t h e t a r g e t h o s t w i t h v a r io u s TCP fla gs set. C o m m o n fla g c o n f i g u r a t io n s used f o r p r o b e p a c k e t in c lu d e : 9 9 9 A FIN p r o b e w i t h t h e FIN TCP fla g se t A n X M A S p r o b e w i t h t h e FIN, URG, a n d PUSH TCP fla g s set A NULL p r o b e w i t h n o TCP fla g s se t
M o d u le 0 3 Page 325
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
A SYN/ACK p r o b e
All t h e c lo s e d p o r t s o n t h e t a r g e t e d h o s t w i ll s e n d an RST/ACK r e s p o n s e . Since t h e RFC 793 s t a n d a r d is c o m p l e t e l y ig n o r e d in t h e o p e r a t i n g s y s te m such as W i n d o w s , y o u c a n n o t see t h e RST/ACK r e s p o n s e w h e n c o n n e c t e d t o t h e c lo s e d p o r t o n t h e t a r g e t h o s t. T his t e c h n i q u e is e f f e c t i v e w h e n u sed w i t h U N IX -b a s e d o p e r a t i n g s y s te m s .
Advantages
Q A v o id s m a n y IDS a nd lo g g in g s y s te m s , h ig h ly s t e a l t h y
Disadvantages
Q Q N e e d s r a w access t o n e t w o r k so c k e ts , t h u s r e q u i r in g s u p e r - u s e r p riv ile g e s M o s t l y e f f e c t i v e a g a in s t h o s ts u sin g a B S D -d e riv e d TCP/IP sta c k ( n o t e f f e c t i v e a g a in s t M i c r o s o f t W i n d o w s h o s ts in p a r t ic u la r ) Probe Packet (FIN/URG/PSH/NULL)
No Response
Attacker
Target Host
RST/ACK
Attacker
P o r t is c l o s e d FIGURE 3.38: Inverse TCP Flag Scanning when Port is Closed
Target Host
M o d u le 0 3 Page 3 26
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
A C K F la g S c a n n in g
A C K
F la g
S c a n n in g
A s t e a l t h y t e c h n i q u e is used f o r i d e n t i f y i n g o p e n TCP p o r t s . In t h is t e c h n i q u e a TCP p a c k e t w i t h ACK fla g ON is s e n t t o t h e r e m o t e h o s t a n d t h e n t h e h e a d e r i n f o r m a t i o n o f t h e RST p a c k e ts s e n t by r e m o t e h o s t a re a n a ly z e d . U sing t h is t e c h n i q u e o n e can e x p l o i t t h e p o t e n t ia l v u ln e r a b i l it ie s o f BSD d e r iv e d TCP/IP sta ck. T his t e c h n i q u e g ive s g o o d r e s u lts w h e n used w i t h c e r t a i n o p e r a t i n g s y s te m s a n d p la t f o r m s . ACK s c a n n in g can be p e r f o r m e d in t w o w a y s : Q TTL f ie ld a n a n ly s is W I N D O W fi e ld a na lysis
nm ap 5 . 2 1
scanned p o rts
M o d u le 0 3 Page 327
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S t a t e f u l F i r e w a l l is P r e s e n t
Probe Packet (ACK)
Attacker
No Response
Target Host
IT LT I ...................................................
RST
Attacker
Target Host
Scgn
lo o k
Profit
Help
T.rgrt:
Profile
Scan
Cancel
Command:
H osts
P o r ts /H o s ts
Topology
H ost Detaih
Scans
details
Starting M a p 6.01 ( http://nMp.org ) at 2012-08-10 13:09 Standard Tine Initiating ARP Ping Scan at 13:10 Scanning 192.16*.160.5 [1 port] Completed ARP Ping Scan at 13:10, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host, at 13:10 Completed Parallel ONS resolution of 1 host, at 13:10, 0.10s elapsed Initiating ACK Scan at 13:10 Scanning 192.16*.168.5 [1000 ports] Completed ACK Scan at 13:10, 21.38s elapsed (1000 total ports) Knap scan report for 192.16*.168.5 Failed to resolve given hostnanc/lP: naap. Note that you cant use ,/ask' ANO 1-4,7,100- style IP ranges. If the achine only has an IPv6 address, add the Nnap 6 flag to scan that.
Host is *>p
10. W 1es
l a t e n t , ) . _____________________________
filler Hosts FIGURE 3.41: Zenmap showing ACK Flag Scanning Result
M o d u le 0 3 Page 328
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S c a n n in g
T o o l: N e tS c a n
T o o ls
P r o
C E H
A u to m a te d0 5
( Rsfren
sccrrectA l1 C P ] ciicUyFulPfKessP a t h s I P
193C 10'
tcW fUcftrftwh
] U s c c rre c tn e rm te1 C P
M fiC
lol< a'ufa.re
TCF.UOP ComeCQcn Enfant List
1nec1nfo.exe
flM w o ritInlctfe4rd5\< tnl'r .
N s t w o r kl n t o r ' n r c i \vrrtw M e r l o c t t * STacea
3bacr?.x IVChO K.IXI SeSre.exe
Local IP 0.0.0.0
O.O.0.0
Local lore
| http| 8 0
R eaote
0.0.0.0
1
r
0.0.0.0
)cpxag( 135
)MS (UlCEOSOCt-dS'
0 .0 .0 .0
0.0.0.0
0.0.0.0
O.O.0.0
0 .0 .0 .0
0.0.0.0
0.0.0.0
s
OKXCO 109b
D U lI V U l. t x t
8coeSzv.xt 5tot5c1v.exe
s ' rS :rv .c x e
1388 T C 2O S 2 T C
2092 TC 2092 TC
)o f ll
0.0.0.0
127.0.0.1 1 2 7.0.0 .1 1 2 7 .0 .0 .1 127.0.0.1
CMSf u v
S yat
S v s .w
*XKrt irvdonb
txtema! lods
S 7 3 c i
2.0. 0 . 1
1 2 7 .0 .0 .1 127.0.0.1
i h t t p i 8 0
Progmli^o
h t t p : / / w w w . n e t s c a n t o o 1 s . c o m
loop Copyright 6 by EG-CSUICil. A il Rights Reserved. Reproduction is Strictly Prohibited.
S c a n n in g
T o o l: N e tS c a n T o o ls P ro
S o u rc e : h t t p ://w w w .n e ts c a r 1 tools.com N etS can T o o ls Pro is an i n v e s t i g a t i o n t o o l . It a llo w s y o u t o t r o u b l e s h o o t , m o n i t o r , d is c o v e r , a n d d e t e c t d e v ic e s o n y o u r n e t w o r k . You can g a t h e r i n f o r m a t i o n a b o u t t h e local LAN as w e l l as I n t e r n e t users, IP a d d re s s e s , p o r ts , e tc . u sin g t h is t o o l . You can f i n d v u ln e r a b i l it ie s a n d e x p o s e d p o r t s in y o u r s y s te m . It is t h e c o m b i n a t i o n o f m a n y n e t w o r k t o o l s a nd u t i l i t i e s . T h e t o o l s a re c a te g o r iz e d b y f u n c t i o n s such as a c tiv e , passive, DNS, a n d local c o m p u t e r .
DNS Tools: Used t o d e t e c t p r o b l e m s w i t h DNS. Local Computer and General Information Tools: P ro v id e s d e ta ils a b o u t y o u r local c o m p u t e r ' s
n e tw o rk .
Benefits:
e T h e i n f o r m a t i o n g a t h e r i n g p ro c e s s is m a d e s i m p l e r a n d f a s t e r b y a u t o m a t i n g t h e use o f m a n y n e t w o r k t o o ls
M o d u le 0 3 Page 329
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P ro d u c e s t h e r e s u lt r e p o r t s in y o u r w e b b r o w s e r c le a rly
Welcome Automated Tools Manual Tools (all) Refresh 0 Display Full Process Paths 1 sec Disconnect All TCP
0
O Enable AutoRefresh MAC Address to Manufacturer
-J
Favorite Tools Active Discovery Tools Passive Discovery Tools DNS Tools Packet Level Tools External Tools Program Info For Help, press Fl
Pr oc e s s inetinf0 . e x e svchost .e xe Sy stem inetinf0 . e x e Sy stem dbsrv9. ex e svchost .e xe SemSvc. ex e SemSvc. ex e ag en t. ex e DkService.exe St or Serv.exe St or Serv.exe St or Serv.exe Sy stem Sy stem Sy stem Sy stem <
P I D Pro to co l TC P 2 5 2 TC P 4 TCP 1100 TCP 4 TCP 1 2 1 6 TCP 9 3 2 TCP 4 0 6 8 TCP 4 0 6 8 TCP 9 2 0 TCP 1 3 8 8 TCP 2 0 9 2 TCP 2 0 9 2 TCP 2 0 9 2 TCP 0 TCP 0 TC P 0 TCP 0 TC P
1100 n 'r r n
L o c a lI P
0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0
L o c a lP o r t 8 0( h t t p ) 1 3 S( e p m a p ) 4 4 5 ( m i c r o s o f t d s ) 1 0 2 5( b l a c k j a c k ) 1 7 2 3( p p t p ) 2 6 3 8( s y b a s e a n y w h e r e ) 2 8 6 9( i c s l a p ) 8 4 4 3( p c s y n c h t t p s ) 9 0 9 0( w e b s m ) 9 8 7 6( s d ) 31 0 3 8( u n k n o w n ) 34 5 7 1( u n k n o w n ) 34 5 7 2( u n k n o w n ) 34 57 3( u n k n o w n ) 8 0( h t t p ) 8 0( h t t p ) 8 0( h t t p ) 8 0( h t t p )
on
Remote I P
0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0
L i )
M o d u le 0 3 Page 3 30
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S c a n n in g T o o ls
PRTG Network Monitor
C E H
http://w w w .paessler.co m
http://w w w .m agnetosoft.com
i N . I1W I
http://m absoft.com
Net Tools
http://w w w .softperfect.com
E -
http://w w w .ks-soft.net
IP Tools
http://w w w .m agnetosoft.com
MegaPing
http://netifera.com
Netifera
http://w w w .1 0 -strike.com
http://w w w .nsauditor.com
=*~=
resources shared on th e n e tw o rk (including system and hidden). T h e a t t a c k e r m a y a t t e m p t t o la u n c h a tta c k s a g a in s t y o u r n e t w o r k o r n e t w o r k r e s o u r c e s b ase d o n t h e i n f o r m a t i o n g a t h e r e d w i t h t h e h e lp o f s c a n n in g to o ls . A fe w o f th e scanning to ols th a t can d ete ct active ports on th e systems are listed as fo llo w s: 9 9 9 9 9 9 9 9 9 9 PRTG N e t w o r k M o n i t o r a v a ila b le a t h t t p : / / w w w . p a e s s l e r . c o m N e t T o o ls a v a ila b le a t h t t p : / / m a b s o f t . c o m IP T o o ls a v a ila b le a t h t t p : / / w w w . k s - s o f t . n e t M e g a P in g a v a ila b le a t h t t p : / / w w w . m a g n e t o s o f t . c o m N e t w o r k I n v e n t o r y E x p lo r e r a v a ila b le a t h t t p : / / w w w . 1 0 - s t r i k e . c o m G lo b a l N e t w o r k I n v e n t o r y S c a n n e r a v a ila b le a t h t t p : / / w w w . m a g n e t o s o f t . c o m S o f t P e r f e c t N e t w o r k S c a n n e r a v a ila b le a t h t t p : / / w w w . s o f t p e r f e c t . c o m A d v a n c e d P o r t S c a n n e r a v a ila b le a t h t t p : / / w w w . r a d m i n . c o m N e t if e r a a v a ila b le a t h t t p : / / n e t i f e r a . c o m Free P o r t S c a n n e r a v a ila b le a t h t t p : / / w w w . n s a u d i t o r . c o m
M o d u le 0 3 Page 331
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
D o
N o t
S c a n
T h e s e
I P
A d d r e s s e s C E H
(U n le s s y o u w a n t to g e t in t o t r o u b le )
RANGE 128
128.37.0.0 Army Yuma Proving Ground 1 2 8 3 8 0 0 Naval Surface Warfare Center 128.43.0.0 Defence Research Establishment-Ottawa 128.47.0.0 Army Communications Electronics Command 128.49.0.0 Naval Ocean Systems Center 128.50.0.0 Department of Defense 128.51.0.0 Department of Defense 128.56.0.0 U.S. Naval Academy 128.60.0.0 Naval Research Laboratory 128.63.0.0 Army Ballistics Research Laboratory 1 2 8 8 0 0 0 Army Communications Electronics Command 128.102.0.0 NASA Ames Research Center 128.149.0.0 NASA Headquarters 128.154.0.0 NASA Wallops Right Facility 128.155.0.0 128.156.0.0 12815700 128.158.0.0 NASA NASA NASA NASA Langley Research Center Lewis Network Control Center Johnson Space Center Ames Research Center
129.53.0.0 - 129 53.255 255 66SPTG-SCB 129.54.0.0 Vandenberg Air Force Base, CA 129.92.0.0 Air Force Institute of Technology 129.99.0.0 NASA Ames Research Center 129.131.0.0 Naval Weapons Center 129.163.0.0 NASA/Johnson Space Center 129.164.0.0 NASA IW 129.165.0.0 NASA Goddard Space Fight Center 129.167.0.0 NASA Marshall Space Right Center 129.168.0.0 NASA Lewis Research Center 129.190.0.0 Naval Underwater Systems Center 129.198 0.0 Air Force Fight Test Center 129.209.0.0 Army BaiSstcs Research Laboratory 129.229.0.0 U.S. Army Corps of Engmeers 129.251.0.0 United States Ar Force Academy
RANGE 132
1 3 2 .3 .0 .0W illia m sA ir F o rceB a se 1 3 2 .5 .0 .0- 1 3 2 .5 .2 5 5 .2 5 54 9 thF ig h te rW in g 1 3 2 .6 .0 .0A n ka raA ir S ta tio n 1 3 2 .7 .0 .0-132.7.255.255 S S G /S IN O 1 3 2 .9 .0 .0 2 8 thB o m bW in g 1 3 2 .1 0 .0 .0 3 1 9C o m mS q 1 3 2 .1 1 .0 .0 H e lle n iko nA ir B a s e 1 3 2 .1 2 .0 .0 M y rtleB e a c hA ir F o rceB a s e 1 3 2 .1 3 .0 .0 B e n tw a te rs R o y a lA ir F o rceB a s e 1 3 2 .1 4 .0 .0 A ir F o rceC o n ce n tra to rN e tw c rk 1 3 2 .1 5 .0 .0 K a d e n aA ir B a s e
132.16.0.0 Kunsan Air Base
RANGE 130
130.40.0.0 NASA Johnson Space Center 130.90.0.0 Mather Ar Force Base 1301090.0 Naval Coastal Systems Center 130.124.0.0 Honeywell Defense Systems Group 130.165.0.0 U.S-Army Corps of Engneers 130 167.0.0 NASA Headquarters
128 159 0 0 NASA Ames Research Center 128.160.0.0 Naval Research Laboratory 128 1 6 1 0 0 N ASA Ames Research Center 128 183.0 0 NASA Goddard Space Flight Center 128202 0 0 50th Space Wing 128 21 6 0 0 MacDifl Air Force Base 128.217.0.0 NASA Kennedy Space Center 128.236.0.0 U.S. A r Force Academy
132.17.0.0 132.18.0.0 132.19.0.0 132.20.0.0 132.21.0.0 132.22.0.0 132.24.0.0 132.25.0.0 132.27 0 0 132.28.0.0 132.31.0.0 132.33.0.0 132.34.0.0 132.35.0.0 132.37.0.0 132.38.0.0 132.39.0.0
Lindsey Air Station McGuire Air Force Base 100CS (NET-MILDENHALL) 35th Communications Squadron Plattsburgh Ar Force Base 23Communication9 Sq Dower Air Force Base 786 CS/SCBM 132 27.255.255 39CS/SCBBN 14TH COMMUNICATION SQUADRON Lonng Air Force Base 60CS/SCSNM Cannon Air F ace Base Altus Air Force Base 75 ABW Goodfellow AFB K.I. Sawyer Air Force Base
RANGE 131
131.60.0 Langley Ar Force Base 131.10.0.0 Barksdale Ar Force Base 131.17.0.0 Sheppard Ar Fcrce Base 131.21.0.0 Hahn Ar Base 31.32.0.0 37 Communications Squadron 131 3 5 0 0 Fairchild Ar Force Base 131.36.0.0 Yokota Ar Base 131.37.0.0 Elmendorf Air Force Base 131.38.0.0 Hickam Ar Force Base
131.39.0.0 354CS/SCSN
RANGE 129
129.23.0.0 Strategic Defense Initiative Organization 129.29.0.0 United States Military Academy 129.50.0.0 NASA Marshall Space Flight Center 129.51.0.0 Patrick Air Force Base 129.52.0.0 Wright-Patterson Air Force Base
For a complete list, see the file in DVD IP ADDRESSES YOU SHOULD NOT SCAN.txt
D o N o t S c a n T h e s e IP A d d re s s e s g e t in to tro u b le )
(U n le s s y o u w a n t to
RANGE 6
6 . * - A r m y I n f o r m a t i o n S y s te m s C e n te r
RANGE 7
7 . * . * . * D e fe n s e I n f o r m a t i o n S y s te m s Agency, VA
RANGE 11
M o d u le 0 3 Page 332
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
1 1 . * . * . * D 0 D In te l I n f o r m a t i o n S ys te m s , D e fe n s e In te llig e n c e A g e n c y , W a s h in g t o n DC
RANGE 21
2 1. - US D e fe n s e I n f o r m a t i o n S y s te m s Agency
1 2 9 .1 6 3 .0 . 0 N A S A /J o h n s o n Space C e n te r
RANGE 22
2 2 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
1 2 9 .1 6 4 .0 . 0 NASA IVV 1 2 9 .1 6 5 .0 . 0 NASA G o d d a r d Space F lig ht C e n te r 1 2 9 .1 6 7 .0 . 0 NASA M a r s h a ll Space F lig h t C e n te r 1 2 9 .1 6 8 .0 . 0 NASA Lew is Research C e n te r 1 2 9 .1 9 0 .0 . 0 N ava l U n d e r w a t e r S y ste m s C e n te r 1 2 9 .1 9 8 .0 . 0 A ir Force F lig h t T e s t C e n te r
RANGE 24
2 4 .1 9 8 .*.*
RANGE 25
2 5 . * . * . * Royal Signals a n d R adar E s t a b lis h m e n t , UK
RANGE 26
2 6 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
RANGE 29
2 9 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
RANGE 130
1 3 0 .4 0 .0 .0 NASA J o h n s o n Space C e n te r 1 3 0 .9 0 .0 .0 M a t h e r A i r Force Base 1 3 0 .1 0 9 .0 . 0 N ava l C oa sta l S y s te m s C e n te r 1 3 0 .1 2 4 .0 . 0 H o n e y w e ll D e fe n s e S y s te m s G roup 1 3 0 .1 6 5 .0 . 0 U .S .A r m y C o rp s o f E n g in e e rs 1 3 0 .1 6 7 .0 . 0 NASA H e a d q u a r t e r s
RANGE 30
3 0 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
RANGE 49
4 9 . * - J o in t T a c tic a l C o m m a n d
RANGE 50
5 0 . * - J o in t T a c tic a l C o m m a n d
RANGE 55
5 5 . * - A r m y N a t io n a l G u a r d B u re a u
RANGE 131
1 3 1 .6 .0 .0 L a n g le y A i r Force Base 1 3 1 .1 0 .0 .0 B a rk s d a le A ir Force Base
RANGE 55
M o d u le 0 3 Page 333
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
5 5 . * - A r m y N a t io n a l G u a r d B u re a u 5 5 . * - A r m y N a t io n a l G u a r d B u re a u
RANGE 62
6 2 .0 .0 .1 - 6 2 .3 0 . 2 5 5 . 2 5 5 Do n o t scan!
RANGE 6 4
6 4 . 7 0 . * . * Do n o t scan 6 4 . 2 2 4 . * Do n o t Scan 6 4 . 2 2 5 . * Do n o t scan 6 4 . 2 2 6 . * Do n o t scan
RANGE 128
1 2 8 .3 7 .0 .0 A r m y Y u m a P ro v in g G r o u n d 1 2 8 .3 8 .0 .0 N aval S u rfa c e W a r f a r e C e n te r
RANGE 132
1 3 2 .3 .0 .0 W i l l i a m s A i r Force Base 1 3 2 .5 .0 .0 - 1 3 2 .5 . 2 5 5 . 2 5 5 4 9 t h F ig h te r W in g 1 3 2 .6 .0 .0 A n k a r a A ir S ta tio n
1 3 2 .7 .0 .0 - 1 3 2 .7 . 2 5 5 . 2 5 5 SSG/SINO
1 3 2 .9 .0 .0 2 8 t h B o m b W i n g 1 3 2 .1 0 .0 .0 3 1 9 C o m m Sq 1 3 2 .1 1 .0 .0 H e lle n ik o n A i r Base 1 3 2 .1 2 .0 .0 M y r t l e Beach A ir Force Base 1 3 2 .1 3 .0 .0 B e n t w a t e r s Royal A i r Force Base 1 3 2 .1 4 .0 .0 A ir Force C o n c e n t r a t o r N e tw o rk 1 3 2 .1 5 .0 .0 Kade n a A ir Base
1 2 8 .6 3 .0 .0 A r m y Ballistics R esearch L a b oratory 1 2 8 .8 0 .0 .0 A r m y C o m m u n ic a t i o n s E le c tro n ic s C o m m a n d 1 2 8 .1 0 2 .0 . 0 NASA A m e s R esearch C e n te r 1 2 8 .1 4 9 .0 . 0 NASA H e a d q u a r t e r s 1 2 8 .1 5 4 .0 . 0 NASA W a l l o p s F lig h t F a cility 1 2 8 .1 5 5 .0 . 0 NASA L a n g le y R esearch C e n te r
M o d u le 0 3 Page 3 34
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
1 2 8 .1 5 6 .0 . 0 NASA Lew is N e t w o r k C o n tr o l C e n te r 1 2 8 .1 5 7 .0 . 0 NASA J o h n s o n Space C e n te r 1 2 8 .1 5 7 .0 . 0 NASA J o h n s o n Space C e n te r 1 2 8 .1 5 8 .0 . 0 NASA A m e s R esearch C e n te r 1 2 8 .1 5 9 .0 . 0 NASA A m e s R esearch C e n te r 1 2 8 .1 6 0 .0 . 0 N aval R esearch L a b o r a t o r y
1 3 2 .2 0 .0 .0 3 5 th C o m m u n ic a tio n s S q u a d ro n 1 3 2 .2 1 .0 .0 P l a tts b u r g h A ir F orce Base 1 3 2 .2 1 .0 .0 P l a tts b u r g h A ir Force Base 1 3 2 .2 2 .0 .0 2 3 C o m m u n ic a t i o n s Sq 1 3 2 .2 4 .0 .0 D o v e r A i r F orce Base 1 3 2 .2 5 .0 .0 7 8 6 CS/S CBM 1 3 2 . 2 7 . 0 . 0 - 1 3 2 .2 7 .2 5 5 .2 5 5 39CS/SCBBN 1 3 2 .2 8 .0 .0 14TH C O M M U N IC A T IO N SQ U A D R O N 1 3 2 .3 0 .0 .0 Lajes A ir Force Base 1 3 2 .3 1 .0 .0 L o rin g A ir Force Base 1 3 2 .3 3 .0 .0 60C S/S C SN M 1 3 2 .3 4 .0 .0 C a n n o n A ir Force Base 1 3 2 .3 5 .0 .0 A ltu s A i r Force Base 1 3 2 .3 7 .0 .0 75 A B W
1 2 8 .1 6 1 .0 . 0 NASA A m e s R esearch C e n te r
1 2 8 .1 8 3 .0 . 0 NASA G o d d a r d Space F lig ht C e n te r 1 2 8 .2 0 2 .0 . 0 5 0 t h Space W i n g 1 2 8 .2 1 6 .0 . 0 M a c D ill A i r Force Base 1 2 8 .2 1 7 .0 . 0 NASA K e n n e d y Space C e n te r 1 2 8 .2 3 6 .0 . 0 U.S. A i r Force A c a d e m y RANGE 129 1 2 9 .2 3 .0 .0 S t r a te g ic D e fe n s e In i t i a t i v e O r g a n iz a tio n 1 2 9 .2 9 .0 .0 U n ite d S ta te s M i l i t a r y A c a d e m y 1 2 9 .5 0 .0 .0 NASA M a r s h a ll Space F lig h t C e n te r
M o d u le 0 3 Page 335
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P o r t S c a n n in g
C o u n t e r m
e a s u r e s
C E H
Urtifw^ tthiul lUch(
C o n fig u r e f ir e w a ll a n d IDS r u le s t o d e t e c t a n d b lo c k p r o b e s
U se c u s to m r u le s e t t o lo c k d o w n t h e n e t w o r k a n d b lo c k u n w a n t e d p o r t s a t t h e fire w a ll
F ilter all ICM P m e s s a g e s (i.e. H id e s e n s iti v e in f o r m a ti o n f r o m p u b lic v ie w k in b o u n d ICMP m e s s a g e ty p e s a n d o u tb o u n d ICMP ty p e 3 u n r e a c h a b le m e s s a g e s ) a t t h e fir e w a lls a n d r o u te r s
W /
p o r ts o r s o u r c e - r o u tin g m e th o d s
E n s u re t h a t t h e r o u t e r , IDS, a n d fir e w a ll f ir m w a r e a r e u p d a t e d t o t h e i r l a te s t r e l e a s e s
E n su re th a t th e a n ti s c a n n in g a n d a n t i s p o o f in g r u le s a r e c o n f ig u r e d
P o rt S c a n n in g
C o u n te rm e a s u re s
c o u n te rm e a s u re s : 9 T h e f i r e w a l l s h o u ld be g o o d e n o u g h t o d e t e c t p r o b e s an a t t a c k e r s e n d s t o scan th e n e t w o r k . So t h e f i r e w a l l s h o u ld c a r r y o u t s t a t e f u l i n s p e c t io n i f it has a s p e c ific r u le set. S o m e f i r e w a l l s d o a b e t t e r j o b t h a n o t h e r s in d e t e c t i n g s t e a lth scans. M a n y f i r e w a l l s h a v e s p e c ific o p t i o n s t o d e t e c t SYN scans, w h i l e o t h e r s c o m p l e t e l y i g n o r e FIN scans.
p re v e n tio n
te c h n o lo g y
f r e q u e n t l y a v a ila b le f r o m p u b lic a u th o r s . O n ly n e c e s s a ry p o r t s s h o u ld be k e p t o p e n ; t h e re s t o f t h e p o r ts s h o u ld be f i l t e r e d as t h e i n t r u d e r w ill t r y t o e n t e r t h r o u g h a n y o p e n p o r t . This can be a c c o m p lis h e d w i t h t h e c u s t o m r u le set. F ilte r in b o u n d IC M P m e s s a g e ty p e s a nd all o u t b o u n d IC M P t y p e 3 u n r e a c h a b l e m essa ge s a t b o r d e r r o u t e r s a n d f ir e w a lls .
M o d u le 0 3 Page 3 36
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
M o d u le 0 3 Page 337
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C E H
S c a n n in g M e th o d o lo g y
fft
S c a n n in g B e y o n d IDS
prepare Proxies
Banner Grabbing
M o d u le 0 3 Page 338
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
ID S E v a s io n T e c h n iq u e s
C E H
m
Use fragmented IP packets
Spoof your when launching attacks and sniff responses from server
U s e source routing (if possible)
Q Q
_ _
Q1
ID S E v a s io n T e c h n iq u e s
M o s t o f t h e IDS e v a s io n t e c h n i q u e s r e ly o n t h e use f r a g m e n t e d p r o b e p a c k e ts t h a t
M o d u le 0 3 Page 339
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S Y N / F I N I P
S c a n n in g
U s in g C E H
F r a g m e n t s
The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend to do
&
C o m m a n d P ro m p t
S Y N / F I N ( S m a ll IP F ra g m e n t s ) + P o r t (n)
Starting N m ap 6.01 ( http://nmap.org ) at 2012-08-11 11:03 E D T Initiating S Y N Stealth Scan at 11:03 Scanning 192.168.168.5 [1000 ports] Discovered open port 139/tcp on 192.168.168.5 Discovered open port 445/tcp on 192.168.168.5 Discovered open port 135/tcp on 192.168.168.5 Discovered open port 912/tcp on 192.168.168.5 Completed S Y N Stealth Scan at 11:03, 4.75s elapsed (1000 total ports)
R ST ( if p o r t is c lo s e d )
A tta c k e r
T a rg et
SYN/FIN S ca n n in g
S Y N /F IN
S c a n n in g U s in g IP
F ra g m e n ts
SYN/FIN s c a n n in g u sin g IP f r a g m e n t s is a m o d i f i c a t i o n o f t h e e a r lie r m e t h o d s o f s c a n n in g ; t h e p r o b e p a c k e ts a re f u r t h e r f r a g m e n t e d . This m e t h o d c a m e i n t o e x is te n c e t o a v o id t h e fa ls e p o s i t i v e f r o m o t h e r scans, d u e t o a p a c k e t f i l t e r i n g d e v ic e p r e s e n t o n t h e t a r g e t m a c h in e . You h a v e t o s p lit t h e TCP h e a d e r i n t o s e v e r a l p a c k e ts in s te a d o f j u s t s e n d in g a p r o b e p a cke t f o r a v o id in g th e p a c k e t f ilte r s . E ve ry TCP h e a d e r s h o u ld in c lu d e t h e s o u r c e a nd d e s t i n a t i o n p o r t f o r t h e f i r s t p a c k e t d u r in g a n y t r a n s m is s io n : (8 o c t e t , 6 4 b it ) , a n d t h e in itia liz e d fla g s in t h e n e x t, w h i c h a l l o w t h e r e m o t e h o s t t o r e a s s e m b le t h e p a c k e t u p o n r e c e ip t t h r o u g h an I n t e r n e t p r o t o c o l m o d u l e t h a t re c o g n iz e s t h e f r a g m e n t e d d a ta p a c k e ts w i t h t h e h e lp o f fie ld e q u i v a l e n t v a lu e s o f p r o t o c o l , s o u r c e , d e s t i n a t i o n , a n d i d e n t if ic a t i o n . F r a g m e n t e d P a c k e ts T h e TCP h e a d e r , a f t e r s p li t t in g i n t o sm a ll f r a g m e n t s , is t r a n s m i t t e d o v e r t h e n e t w o r k . B u t, a t t i m e s y o u m a y o b s e r v e u n p r e d i c t a b l e r e s u lts such as f r a g m e n t a t i o n o f t h e d a ta in t h e IP h e a d e r a f t e r t h e r e a s s e m b ly o f IP o n t h e s e r v e r side. S o m e h o s ts m a y n o t be c a p a b le o f p a r s in g and r e a s s e m b lin g t h e f r a g m e n t e d p a c k e ts , a n d t h u s m a y ca use crash es, r e b o o ts , o r e v e n n e t w o r k d e v ic e m o n i t o r i n g d u m p s .
M o d u le 0 3 Page 3 40
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
i m p l e m e n t e d d u e t o t h e a d v e rs e e f f e c t o n p e r f o r m a n c e . Since s e v e ra l in t r u s io n s d e t e c t i o n s y s te m s e m p l o y s ig n a t u r e - b a s e d m e t h o d s t o i n d ic a t e s c a n n in g a t t e m p t s b a se d o n IP a n d / o r th e TCP h e a d e rs , f r a g m e n t a t i o n is o f t e n a b le t o e v a d e t h is t y p e o f p a c k e t f i l t e r i n g a n d d e t e c t i o n . T h e r e is a p r o b a b i l i t y o f n e t w o r k p r o b l e m s o n t h e t a r g e t n e t w o r k . SYN/FIN (Small IP Fragments) + Port (n) .................................................. < .................................................... RST (if p o r t is closed) _
Attacker
FIGURE 3.43: SYN/FIN Scanning
N m a p c o m m a n d p r o m p t s f o r SYN/FIN scan.
Target
Command Prompt
-s S -T 4 -A - f - v : 1 9 2 . 1 6 8 .1 6 :8 .!
C :\> O m a p
M o d u le 0 3 Page 341
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
| ' ^ Ml
ft
yj
C h e c k for O p e n Ports
C h e c k for
Live S y s t e m s
_ r )__
. Scan for Vulnerability Diagrams
Draw Network
H U H 1 1 k -i 1 1 r -J n _ M ---1/
__ a c _____ Scanning Banner B e y o n d IDS Grabb i n g Prepare! Proxies Scanning P e n Testing
= :ir
C E H
S c a n n in g
M e th o d o lo g y
191
Q f c i prepare Proxies
B a n n e r G ra b b in g
M o d u le 0 3 Page 342
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
B a n n e r G r a b b in g
J Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive. A ctive B a n n e r G rabbing
S p e c ia lly c r a f t e d p a c k e ts a r e s e n t t o r e m o t e OS a n d t h e r e s p o n s e is n o te d T h e r e s p o n s e s a r e t h e n c o m p a r e d w ith a d a t a b a s e t o d e t e r m i n e t h e OS R e s p o n s e f r o m d if f e r e n t O S e s v a r ie s d u e to d if f e re n c e s in T C P /IP s ta c k i m p l e m e n t a t i o n
P a ssiv e B a n n e r G rabbing
B a n n e r g ra b b in g fro m e rro r m e ss a g e s: Error m e ssag e s provide info rm atio n su ch as ty p e of server, ty p e o f OS, a n d SSL tool u sed by th e ta rg e t re m o te system S n iffin g t h e n e t w o r k tr a f f ic : C apturing an d analyzing pack ets from th e ta rg e t e n a b le s an attack e r to d e te rm in e OS u sed by th e re m o te system e B a n n e r g ra b b in g fro m p a g e e x te n s io n s : Looking fo r an ex ten sio n in th e URL m ay a ssist in d eterm in in g th e app licatio n version Exam ple: .aspx => IIS serv er an d W indow s p latform
BQB
B a n n e r G ra b b in g
B a n n e r g r a b b i n g o r OS f i n g e r p r i n t i n g is a m e t h o d t o d e t e r m i n e t h e o p e r a t i n g s y s te m r u n n i n g o n a r e m o t e t a r g e t s y s t e m . B a n n e r g r a b b i n g is i m p o r t a n t f o r h a c k in g as it p r o v id e s y o u w i t h a g r e a t e r p r o b a b i l i t y o f success in h a c k in g . T his is b e c a u s e m o s t o f t h e v u l n e r a b i l it ie s are OS s p e c ific . T h e r e f o r e , if y o u k n o w t h e OS r u n n i n g o n t h e t a r g e t s y s te m , y o u can h a c k t h e s y s te m b y e x p l o i t i n g t h e v u l n e r a b i l it ie s s p e c ific t o t h a t o p e r a t i n g s y s te m . B a n n e r g r a b b i n g can be c a r r ie d o u t in t w o w a y s : e i t h e r by s p o t t i n g t h e b a n n e r w h i l e t r y i n g t o c o n n e c t t o a se rv ic e such as FTP o r d o w n l o a d i n g t h e b i n a r y f i l e / b i n / l s t o c h e c k t h e a r c h it e c t u r e w i t h w h i c h it w a s b u ilt. Banner g ra b b in g is p e rfo rm e d u sin g th e fin g e rp rin tin g te c h n iq u e . A m ore advanced
f i n g e r p r i n t i n g t e c h n i q u e d e p e n d s o n sta c k q u e r y i n g , w h i c h t r a n s f e r s t h e p a c k e ts t o t h e n e t w o r k h o s t a n d e v a lu a te s p a c k e ts b ase d o n t h e r e p ly . T h e f i r s t s ta c k q u e r y i n g m e t h o d w a s d e s ig n e d c o n s id e r in g t h e TCP m o d e o f c o m m u n i c a t i o n , in w h i c h t h e re s p o n s e o f t h e c o n n e c t i o n r e q u e s ts is e v a lu a te d . T h e n e x t m e t h o d w a s k n o w n as ISN ( In itia l S e q u e n c e N u m b e r ) analysis. This i d e n t if ie s t h e d if f e r e n c e s in t h e r a n d o m n u m b e r g e n e r a t o r s f o u n d in t h e TCP sta ck. A n e w m e t h o d , u s in g t h e ICMP p r o t o c o l , is k n o w n as IC M P r e s p o n s e a n a ly s is . It c o n s is ts o f s e n d in g t h e IC M P m e ssa g e s t o t h e r e m o t e h o s t a n d e v a l u a t i n g t h e r e p ly . T h e la t e s t IC M P m e s s a g in g is
M o d u le 0 3 Page 343
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
A c tiv e B a n n e r G r a b b in g
A c t iv e b a n n e r g r a b b i n g is based o n t h e p r in c ip le t h a t an o p e r a t i n g s y s te m 's IP sta c k has a u n i q u e w a y o f r e s p o n d i n g t o s p e c ia lly c r a f t e d TCP p a c k e ts . This arises b e c a u s e o f d i f f e r e n t i n t e r p r e t a t i o n s t h a t v e n d o r s a p p ly w h i l e i m p l e m e n t i n g t h e TCP/IP s ta c k o n t h e p a r t i c u l a r OS. In a c tiv e b a n n e r g ra b b in g , a v a r i e t y o f m a l f o r m e d p a c k e ts a re s e n t t o t h e r e m o t e h o s t, a n d t h e r e s p o n s e s a re c o m p a r e d t o a d a ta b a s e . For in s ta n c e , in N m a p , t h e OS f i n g e r p r i n t o r b a n n e r g r a b b i n g is d o n e t h r o u g h e ig h t te s ts . T h e e ig h t te s ts a re n a m e d T l , T2, T3, T4, T5, T6, T7, a n d PU ( p o r t u n r e a c h a b le ) . Each o f th e s e te s ts is i l lu s t r a t e d as f o l lo w s , as d e s c r ib e d in w w w . p a c k e t w a t c h . n e t :
T4: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e ACK fla g e n a b le d t o an o p e n TCP p o r t. T5: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e SYN fla g e n a b le d t o a c lo s e d TCP p o r t . T6: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e ACK fla g e n a b le d t o a c lo s e d TCP p o r t . T7: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e URG, PSH, a n d FIN fla g s e n a b le d t o a c lo s e d TCP
p o rt.
i m p l e m e n t a t i o n s c h o o s e w h i l e r e s p o n d i n g t o a c o n n e c t i o n r e q u e s t. T he se can be c a te g o r iz e d i n t o m a n y g r o u p s such as t h e t r a d i t i o n a l 6 4 K ( m a n y o ld UN IX b oxe s), r a n d o m ( n e w e r v e r s io n s o f Solaris, IRIX, FreeBSD, D ig ita l UNIX, Cray, a n d in c re m e n ts
m a n y o th e r s ) , o r T ru e
M o d u le 0 3 Page 344
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S o u rc e : w w w . i n s e c u r e . o r g , " M o s t o p e r a t i n g s y s te m s i n c r e m e n t a s y s t e m - w i d e IPID v a lu e f o r e ach p a c k e t t h e y se n d . O th e rs , such as O p e n B S D , use a r a n d o m IPID a n d s o m e s y s te m s (like Linux) use an IPID o f 0 in m a n y cases w h e r e t h e D o n 't F r a g m e n t b it is n o t set. W i n d o w s d o e s n o t p u t t h e IPID in n e t w o r k b y t e o r d e r , so it i n c r e m e n t s b y 2 5 6 f o r e ach p a c k e t. A n o t h e r n u m b e r t h a t can be s e q u e n c e d f o r OS d e t e c t i o n p u r p o s e s is t h e TCP t i m e s t a m p o p t i o n va lu e s . S o m e s y s te m s d o n o t s u p p o r t t h e f e a t u r e ; o t h e r s i n c r e m e n t t h e v a lu e a t f r e q u e n c ie s o f 2HZ, 1 00HZ, o r 1 0 0 0 H Z a n d still o t h e r s r e t u r n 0.
P a s s iv e B a n n e r G ra b b in g
S o u rc e : h t t p : / / h o n e y n e t . o r g Like a c tiv e banner g ra b b in g , p assive banner g ra b b in g is also b ase d on th e d iffe re n tia l
i m p l e m e n t a t i o n o f t h e sta c k a nd t h e v a r io u s w a y s an OS r e s p o n d s t o p a c k e ts . H o w e v e r , in s te a d o f r e ly in g o n s c a n n in g t h e t a r g e t h o s t, p assive f i n g e r p r i n t i n g c a p tu r e s p a c k e ts f r o m t h e t a r g e t h o s t via s n if f i n g t o s t u d y f o r t e l l t a l e signs t h a t can re v e a l an OS. T h e f o u r a re as t h a t a re t y p i c a l l y n o t e d t o d e t e r m i n e t h e o p e r a t i n g s y s te m are: 9 9 9 9 TTL - W h a t t h e o p e r a t i n g s y s te m sets t h e T im e T o Live o n t h e o u t b o u n d p a c k e t W i n d o w Size - h a t t h e o p e r a t i n g s y s te m sets t h e W i n d o w size DF - D oes t h e o p e r a t i n g s y s te m se t t h e D o n ' t F r a g m e n t b it OS - D oes t h e o p e r a t i n g s y s te m s e t t h e T y p e o f Service, a n d i f so, a t w h a t
i m p r o v e d . T h e f o l l o w i n g is t h e a n a ly sis o f a s n if fe d p a c k e t d is s e c te d by Lance S p itz n e r in his p a p e r o n p assive f i n g e r p r i n t i n g ( h t t p : / / w w w . h o n e y n e t . o r g / p a p e r s / f i n g e r / ). 0 4 / 2 0 - 2 1 : 4 1 : 4 8 . 1 2 9 6 6 2 1 2 9 .1 4 2 .2 2 4 . 3 :6 5 9 -> 1 7 2 .1 6 .1 .1 0 7 :6 0 4 TCP TTL:45 TOS:OxO ID :5 6 2 5 7 * * * F * * A * Seq: 0 x 9 D D 9 0 5 5 3 A ck: 0 xE 3 C 6 5 D 7 W i n : 0 x 7 D 7 8 Based o n t h e f o u r c r it e r ia , t h e f o l l o w i n g a re i d e n t if ie d : 9 9 9 9 TTL: 4 5 W i n d o w Size: 0 x 7 D 7 8 ( o r 3 2 1 2 0 in d e c im a l) DF: T h e D o n 't F r a g m e n t b i t is se t TOS: 0 x 0
M o d u le 0 3 Page 345
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Based o n t h is TTL, it a p p e a r s t h a t t h e p a c k e t w a s s e n t f r o m a L in u x o r F reeB S D b o x ( h o w e v e r , m o r e s y s te m s ig n a t u r e s n e e d t o be a d d e d t o t h e d a ta b a s e ). T his TTL is c o n f i r m e d b y d o i n g a t r a c e r o u t e t o t h e r e m o t e h o s t. If t h e tr a c e n e e d s t o be d o n e s t e a lt h ily , t h e t r a c e r o u t e t i m e - t o live ( d e f a u l t 3 0 h o p s ) can be se t t o be o n e o r t w o h o p s less t h a n t h e r e m o t e h o s t ( -m o p t i o n ) . S e ttin g t r a c e r o u t e in th is m anner re v e a ls t h e p a th in fo rm a tio n ( in c lu d in g th e u p s tre a m
p r o v id e r ) w i t h o u t a c t u a l ly t o u c h i n g t h e r e m o t e h o s t.
W indow Sizes
T h e n e x t s te p is t o c o m p a r e w i n d o w sizes. T h e w i n d o w size is a n o t h e r e f f e c t i v e t o o l t h a t d e t e r m i n e s s p e c ific a lly w h a t w i n d o w size is used a n d h o w o f t e n t h e size is c h a n g e d . In t h e p r e v io u s s ig n a t u r e , it is s e t a t 0 x 7 D 7 8 , a d e f a u l t w i n d o w size is c o m m o n l y used b y L inux. In a d d it io n , FreeBSD a n d Solaris t e n d t o m a i n t a i n t h e s a m e w i n d o w size t h r o u g h o u t a sessio n. H o w e v e r , Cisco r o u t e r s a nd M i c r o s o f t W i n d o w s / N T w i n d o w sizes a re c o n s t a n t ly c h a n g in g . T h e w i n d o w size is m o r e a c c u r a te if m e a s u r e d a f t e r t h e in itia l t h r e e - w a y h a n d s h a k e (d u e t o TCP s l o w s ta rt).
Session Based
M o s t s y s te m s use t h e DF b it set, so t h i s is o f l i m i t e d v a lu e . H o w e v e r , t h is d o e s m a k e it e a s ie r t o i d e n t i f y t h e f e w s y s te m s t h a t d o n o t use t h e DF f l a g (such as SCO o r O p e n B S D ). TOS is also o f l i m i t e d v a lu e , since it s e e m s t o be m o r e s e s s io n -b a s e d t h a n o p e r a t i n g - s y s t e m - b a s e d . In o t h e r w o r d s , it is n o t so m u c h t h e o p e r a t i n g s y s te m t h a t d e t e r m i n e s t h e TOS, b u t t h e p r o t o c o l used. T h e r e f o r e , b a se d o n t h is i n f o r m a t i o n , s p e c ific a lly TTL a nd w i n d o w size, o n e can c o m p a r e t h e r e s u lts t o t h e d a ta b a s e o f s ig n a t u r e s a n d , w i t h a d e g r e e o f c o n f i d e n c e , d e t e r m i n e t h e OS (in t h is case, L in ux k e rn e l 2.2.x). Just as w i t h a c tiv e f i n g e r p r i n t i n g , p assive f i n g e r p r i n t i n g has s o m e l i m i t a t i o n s . First, a p p lic a t io n s t h a t b u ild t h e i r o w n p a c k e ts (such as N m a p , h u n t , n e m e s is , e tc .) w ill n o t use t h e s a m e
s ig n a t u r e s as t h e o p e r a t i n g s y s te m . S e co n d , it is r e l a t iv e l y s im p le f o r a r e m o t e h o s t t o a d ju s t t h e TTL, w i n d o w size, DF, o r TOS s e t t i n g o n p a cke ts. Passive f i n g e r p r i n t i n g can be used f o r s e v e ra l o t h e r p u r p o s e s . C ra ck e rs can use " s t e a l t h y " f i n g e r p r i n t i n g . For e x a m p le , t o d e t e r m i n e t h e o p e r a t i n g s y s te m o f a p o t e n t i a l t a r g e t , such as a w e b s e rv e r, o n e n e e d o n l y r e q u e s t a w e b p ag e f r o m t h e s e rv e r, a n d t h e n a n a ly z e t h e s n if f e r tra c e s . T his b yp a sse s t h e n e e d f o r u sin g an a c tiv e t o o l t h a t v a r io u s IDS s y s te m s can d e t e c t . Also, passive f i n g e r p r i n t i n g m a y be used t o i d e n t i f y r e m o t e p r o x y f ir e w a lls . Since p r o x y f i r e w a l l s r e b u i l d c o n n e c t i o n s f o r c lie n ts , it m a y be p o s s ib le t o ID p r o x y f i r e w a l l s b ase d o n t h e s ig n a t u r e s th a t have been d iscu ssed . O r g a n iz a tio n s can use p assive f i n g e r p r i n t i n g t o id e n tify rogue s y s te m s o n t h e i r n e t w o r k . T h e se w o u l d be s y s te m s t h a t a re n o t a u t h o r i z e d o n t h e n e t w o r k .
W h y B a n n e r G ra b b in g ?
I d e n t i f y i n g t h e OS u sed o n t h e t a r g e t h o s t a llo w s an a t t a c k e r t o f i g u r e o u t t h e v u ln e r a b i l it ie s t h e s y s te m possesses a n d t h e e x p lo it s t h a t m i g h t w o r k o n a s y s te m t o f u r t h e r c a r r y o u t a d d it io n a l a tta c k s .
M o d u le 0 3 Page 346
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
B a n n e r G r a b b in g T o o ls
-J ID S e rv e is u s e d t o id e n tify t h e m a k e , m o d e l, a n d v e r s io n o f a n y w e b s i t e ^ s e r v e r s o f tw a r e J It is a ls o u s e d to id e n tify non-H T T P (n o n -w e b ) I n te r n e t s e rv e rs su c h a s FTP, SMTP, POP, NEWS, e tc . J N e tc ra f t r e p o r t s a s ite 's o p e r a t in g s y s te m , w e b s e r v e r , a n d n e tb lo c k o w n e r t o g e t h e r w ith , if a v a ila b le , a g r a p h ic a l v ie w o f t h e ti m e s in c e la s t r e b o o t f o r e a c h o f t h e c o m p u te r s s e rv in g t h e s ite
ID Serve
N etcraft
B S w v e a III 0 r\r 0
| _ 011e1y | lr * f'"* copy / p it
URL w IP
1 Iccttmedhoclier com ~|
^ yy p o w x !1 3 * i. 8< 1 0 1 1 oorta 3 7 8 01 11 5 3
J n :c t ?dC "
(/ MDb UMI
[Seiver McrDsoNIS/bO I
! :.P n v ^ o 1-fly A S P M F jl
TnewiverterttwdlMtM
fr"1
$ 2 0 1 0 1 0S w v *6r-*9
http://www. grc.com
http://toolbar. netcraft.com
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
B a n n e r G ra b b in g
T o o ls
\ j ID S e rv e
S o u rc e : h t t p : / / w w w . g r c . c o m ID Serve is u sed t o i d e n t i f y t h e m a k e , m o d e l , a n d v e r s io n o f a n y w e b s i t e 's s e r v e r s o f t w a r e ; it is also used t o i d e n t i f y n o n -H T T P ( n o n - w e b ) I n t e r n e t s e rv e rs such as FTP, SM TP, POP, NEWS, e tc.
M o d u le 0 3 Page 347
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
ID S *
| | ^ 0 r y P
I- q - F B
Internet Server Identification utilityvl 02 Personal Security Freeware by Steve Gibson CopyngN Ic) 2003 by Gfcson Research Cap | O &A/Help
U :4J
Background
Se!vr Query
Enter a or copy / pa-.te paste an Interne! server U R L or ot IP * a ir Mte es ssi here (example
(2
W hen an Inlemer U R L ot IP has been provided above press the button to n b ate a query 01 the s p e c fo d server
ft
Lest-Modrtied Wed. 12 Jan 2U11 Ub Accept-Ranges none ETaa Q76b5t18b2cb1 17d0 5 r Server MioosolHIS/6 0 X-Powered-By A SPN ET
Ub tiM I
C 0 (V
E*
ETC RAFT
S it e r e p o r t f o r c e r t if le d h a c k e r . c o m
Netcraft Toolbar
) Mom# Download Nowl
SHo D om ain
1 day 99 0 g ra p *
E 2 ) Uptimo
im VAW i>L H osting 270S0I ncO.rtoyo ar1yfooc.com dnn9n0Y artyfM com n s 1 .noyear1yfeet.com S u c c t t t Id e a IT Services,
IP w M m k i
C o untry
202 75.54.101
D Mr
DM flnt
see
Domain
O r g itk a tio
I
Tail a Fntoa cercrtetir1acfcer.com. cettW h jcV r com. 92345. united Scatts
T o o lb a r S u p p o rt . * a FAQ Glossary Contact Us Report Bug C heck a n o th e r s ite : N o s t l n g H is to r y Net block O w n e r IM V M S DC Hostm g TM VADS DC Hostm g TM VADS DC H osting TM VADS DC Hostm o TM VADS DC H osting IP a d d r e s s OS
Malaysia
L ast changed
1 /-Ju >~2012
T u to ria ls Installing Tooioar u w r 0 me Toolbar Gatling m Most Rpt>org a Phish A b o u t N e tc ra ft fJGlcrart Horn# About Nttcrafl
2 0 2 .7 $ . 4 . 101 W indow s srv r 2003 202.75 .5 4 .1 0 1 202.75 .5 4 .1 0 1 2 02.75.54.101 ?07.7S .S 4.101 W indow s S e rver 2003 W indow* Server 2003 Window* Server 2003 Window* Server
M o d u le 0 3 Page 3 48
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
B a n n e r G r a b b in g T o o ls
(C o n td)
1. # nc / - w w w w .ju g g y b o y .c o m 8 0 - press[Enter]
CEH
2 . G ET
H T T P / 1 . 0 - Press [Enter] tw ic e
This utility reads and writes data across network connections, using the TCP/IP protocol
Etf* V im m ro o t e b t :- # rc - v * www .jtoayboy.co 8 DNS fw d /re i/ mismatch www.jugcydoy.toa </ww. j Lggybay . con 1295 .1 7 8 .1 5 2 .2 6] 30 GET / M TTP/1.9 HTTP/1 .1 296 O K Connection: elo se Date: Mon, 13 Aug 2912 12 :1 4 :1 0 GMT co n ten t-L e n g th : 2 1 0 | C o n te n t-iv p e : t e x t / r i p l ^ I C o n ten t-< C cat#rn: h t t p : 7 /1 6 .4 . 26. / b f a u It I h t n L a s tM o d itie d : Wed. 19 Apr 2366 2 2 :0 9 :1 2 GMT AcceotRanges: none ETaa: 9 b46bc3fd53c61:7a49 S e rv e r: M ic r o s o f t - IIS / 6 .0 M lrr 0 ( 0 f t O f f ic * W * b ( * r v t r ! 5 .8 Pub X Powered-By: ASP.MET
f* r
* r
t r a c k
h ttp : //n e tc a t.s o u r c e fo r g e .n e t L
1. t e ln e t
8 0 - press[Enter]
T e ln e t
2 . G ET
C .\ W in d o w A iy 5 te m 3 2 \ c m d .c x e
n t-U n g th :
This technique probes HTTP servers to determine the Server field in the HTTP response header
: H i P M c n f t - l I S / h . M
ChtmlXheadXtit le>Error<StitleXsheadXbodvXheadXtitle>Diecto1 *v List ing D od</t it lo Xhoad> ChodyXhl )Directory Listing D e n1ed</ hi >This Uirtual Director oe3 oot allow contents to be listed. < /-bodyX/'bodyX/y htnl>
B a n n e r G ra b b in g L* N e tc a t
T o o l s ( C o n t d )
S o u rc e : h t t p : / / n e t c a t . s o u r c e f o r g e . n e t N e t c a t is a n e t w o r k i n g u t i l i t y t h a t re a d s a n d w r i t e s d a t a acro ss n e t w o r k c o n n e c t i o n s , w i t h t h e h e lp o f t h e TCP/IP p r o t o c o l . It is d e s ig n e d t o be a r e lia b le " b a c k - e n d " t o o l t h a t can be used d ir e c t ly o r e a sily d r iv e n b y o t h e r p r o g r a m s a n d s c rip ts . It p r o v id e s access t o t h e f o l l o w i n g ke y fe a t u r e s : O u t b o u n d a n d i n b o u n d c o n n e c t i o n s , TCP o r UDP, t o o r f r o m a n y p o rts . F e a tu re d t u n n e l i n g m o d e , w h i c h also a llo w s sp ecial t u n n e l i n g such as UDP t o TCP, w i t h t h e p o s s ib ilit y o f s p e c ify in g all n e t w o r k p a r a m e t e r s ( s o u rc e p o r t / i n t e r f a c e , lis te n in g p o r t / i n t e r f a c e ) , a n d t h e r e m o t e h o s t a ll o w e d t o c o n n e c t t o t h e t u n n e l . B u ilt -in p o r t - s c a n n i n g c a p a b ilit ie s , w i t h r a n d o m i z e r . A d v a n c e d usage o p t i o n s , such as b u f f e r e d s e n d - m o d e (o n e lin e e v e r y N s e c o n d s ) a nd h e x d u m p (to s t d e r r o r t o a s p e c ifie d file ) o f t r a n s m i t t e d a n d r e c e iv e d d a ta . O p t i o n a l RFC854 t e l n e t c o d e s p a r s e r a n d r e s p o n d e r . You can use t h e N e t c a t t o o l f o r g r a b b i n g t h e b a n n e r o f a w e b s i t e by f o l l o w i n g t h is p ro c e ss. H e re , t h e b a n n e r g r a b b i n g is d o n e o n t h e w w w . J u g g y b o y . c o m w e b s e rv e r f o r g a t h e r i n g t h e s e r v e r fie ld s such as s e r v e r t y p e , v e r s io n , e tc.
M o d u le 0 3 Page 349
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
# nc - v v w w w . j u g g y b o y . c o m 8 0 - p re s s [E n te r] GET / H T T P /1 .0 - Press [E n te r ] t w i c e
F ro m t h e s c r e e n s h o t , y o u can o b s e r v e t h e a re a h ig h l i g h t e d in re d c o lo r is a s e r v e r v e r s io n (M ic ro s o ft-IIS /6 .0 ).
ro o t@ b t:-# nc -vv www.juggyboy.com 80 DNS fw d /re v mismatch: www.juggyboy.com ! * w2k3-web26. p ro d . n e ts o lh o s t. con www.juggyboy.com [2 0 5 .1 78 .1 5 2 .2 6] 80 (www) open GET / HTTP/1.0 HTTP/1.1 200 O K C onnection: close Date: Mon, 13 Aug 2012 12:14:1G GM T C on te n t-L e ng th: 2165M C ontent-Tvpe: t e x t / s C o n te n t^ffo ca titin : h t t p :/ /1 0 . 4 9 . 3 9 . 2 6 /d e fa u lt .htni L a s t-M o d ifie d : Wed, 19 Apr 2006 22:09:12 GM T AcceptRanges: none ETaq : Gb46be3f d63c61: 7349 S e rve r: M ic r o s o ft - IIS / 6 . 0 M ic ro s o ftO ffic e W e b S e rv e r: 5.0 Pub X-Powered-By: ASP.NET
ft* 1^ ^
Ix
C:\Windows\system32\cmd.exe H T T P /1 .1 403 F o r b id d e n C o n te n t- L e n g th : 218 C n n te n t Tune: te x t/h tm l S erv er: M ic ro so ft-IIS /6 .0 X - P o u e r e d - B y : ftS P . N E T D a t e : S a t , 1 1 fl u g 2 0 1 2 0 9 : 5 7 : 0 7 GMT u o n n e cc io n : cxose < h tm lX h e a d X title > E rro r< /title X /b e a d X b o d y X b e a d X title > D ire c to ry L istin g D e d < /t i t le X /b e a d > < b o d y X h l> D ire c to ry L i s tin g D e n ied < /h l> T h is U ir tu a l D ire c to r o e s n o t a l l o u c o n t e n t s to be l i s t e d .< / b o d y > < / b o d y X / h t n l > C o n n ec tio n to host lo st.
FIGURE 3.48: Command Prompt showing http server responses with the server version
M o d u le 0 3 Page 3 50
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
B a n n e r G ra b b in g D is a b lin g
C o u n te rm e a s u re s : B a n n e r
C E H
o r C h a n g in g
Turn off 0 1 unnecessary services on the network host to limit the information tion disclosure disclos IIS users can use these tools to disable or change banner information
~ ~
Apache 2.x with m od_headers module - use a directive in h t t p d . conf file to change banner information Header set Server "New Server Name"
B a n n e r G ra b b in g --------C h a n g in g
C o u n te rm e a s u re s : D is a b lin g
o r
B a n n e rs
A t t a c k e r s use b a n n e r g r a b b in g t e c h n i q u e s a n d f i n d o u t s e n s i t i v e i n f o r m a t i o n such as d e v ic e ty p e s , o p e r a t i n g s y s te m s , a p p li c a t i o n v e r s io n , e tc . used b y t h e v i c t i m . W i t h t h e h e lp o f t h e g a t h e r e d i n f o r m a t i o n , t h e a t t a c k e r e x p lo it s t h e v u l n e r a b i l it ie s t h a t a re n o t u p d a t e d w i t h t h e s e c u r i t y p a tc h e s a n d la u n c h e s t h e a tta c k s . So, t o p r o t e c t y o u r s y s te m a g a in s t b a n n e r g r a b b in g a tta c k s , a f e w c o u n t e r m e a s u r e s can be a d o p t e d a n d t h e y a re lis te d as f o l lo w s : D is a b lin g o r C h a n g in g B a n n e r Q Q Q D isp la y fa lse b a n n e r s t o m is g u id e a t ta c k e r s T u r n o f f u n n e c e s s a r y se rv ic e s o n t h e n e t w o r k h o s t t o l i m i t i n f o r m a t i o n d is c lo s u r e IIS u sers can use th e s e t o o l s t o d is a b le o r c h a n g e b a n n e r i n f o r m a t i o n : S S 9 IIS L o c k d o w n T o o l (h t t p : / / m i c r o s o f t . c o m ) S e r v e r M a s k (h t t p : / / w w w . p o r t 8 0 s o f t w a r e . c o m )
httpd.conf file
M o d u le 0 3 Page 351
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
H id in g W e b
F ile
E x t e n s io n s
f r o m C E H
P a g e s
c a n u tiliz e to la u n c h a t t a c k s
A p ach e u se rs can u se m o d _ n e g o t i a t i o n d ir e c ti v e s
H id in g
File
F ile E x te n s io n s fro m
p r o v id e in fo rm a tio n
W e b
th e
P a g e s
u n d e rly in g s e rve r te c h n o lo g y ;
e x te n s io n s
about
a t ta c k e r s can use t h is i n f o r m a t i o n t o s e a rc h v u l n e r a b i l it ie s a n d la u n c h a tta c k s . H id in g file e x te n s io n s is a good p r a c tic e to mask te c h n o lo g y -g e n e ra tin g d y n a m ic pages. Change
a p p li c a t i o n m a p p in g s such as .asp w i t h . h t m o r .fo o , e tc. t o d is g u is e t h e i d e n t i t y o f t h e s e rve rs. A p a c h e users can use m o d _ n e g o t i a t i o n d ir e c t iv e s . IIS users use t o o l s such as P a g e X c h a n g e r t o m a n a g e t h e f ile e x te n s io n s . D o in g w i t h o u t file e x te n s io n s a l t o g e t h e r is an e v e n b e t t e r ide a.
M o d u le 0 3 Page 352
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C E H
S c a n n in g M e th o d o lo g y
So fa r, w e h a v e d iscu sse d h o w t o c h e c k f o r live s y s te m s , o p e n p o r ts , scan b e y o n d IDS, a n d t h e use o f b a n n e r g ra b b in g . All th e s e c o n c e p ts h e lp an a t t a c k e r o r s e c u r it y a d m i n i s t r a t o r t o fin d th e lo o p h o le s t h a t m ay a llo w an a t t a c k e r i n t o th e ir n e tw o rk . Now we w i ll discuss
v u l n e r a b i l i t y s c a n n in g , a m o r e d e t a i le d te s ts t o d e t e r m i n e v u ln e r a b i l it ie s in a n e t w o r k , a n d its re s o u rc e s .
^ a; Scan f o r V u l n e r a b i l i t y
ft
f^
Jfe J
Prepare Proxies
Banner Grabbing
T his s e c tio n d e s c r ib e s v u l n e r a b i l i t y s c a n n in g a n d v a r io u s v u l n e r a b i l i t y s c a n n in g to o ls .
M o d u le 0 3 Page 3 53
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COlMCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
V u ln e r a b i lit y S c a n n in g
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and netw< order to determine how a system can be exploited
1 w
Q
^
V u ln e ra b ility
S c a n n in g
V u l n e r a b i l i t y s c a n n in g i d e n t if ie s v u l n e r a b i l i t i e s a n d w e a k n e s s e s o f a s y s te m a nd
n e t w o r k in o r d e r t o d e t e r m i n e h o w a s y s te m can be e x p l o i t e d . S im ila r t o o t h e r s e c u r it y te s ts such as o p e n p o r t s c a n n in g a n d s n if f i n g , t h e v u l n e r a b i l i t y t e s t also assists y o u in s e c u r in g y o u r n e t w o r k b y d e t e r m i n i n g t h e l o o p h o l e s o r v u l n e r a b i l it ie s in y o u r c u r r e n t s e c u r it y m e c h a n is m . T his s a m e c o n c e p t can also be used b y a tt a c k e r s in o r d e r t o f i n d t h e w e a k p o i n t s o f t h e t a r g e t n e t w o r k . O n c e t h e y fin d a n y w e a k p o in t s , t h e y can e x p l o i t t h e m a n d g e t in t o t h e t a r g e t
M o d u le 0 3 Page 354
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
V u l n e r a b i l i t y N e s s u s
S c a n n in g
T o o l:
F eatures
Cw Sa a ssa
,
Agentless auditing Compliance checks Content audits Customized reporting High-speed vulnerability discovery In-depth assessments Mobile device audits Patch management integration Scan policy design and execution
. lb .1 W IW U .ir^ 1 T r w m * m Nw iil M T T P
a a >a , a
M \Ma
<M Iran
M M S o o a o f lW t w * n 1 1 S M B H a g i t T ! totu C a n m 4 A a * H th W to k x nf a ip M y
V u ln e ra b ility
S c a n n in g
T o o l: N e s s u s
S o u rc e : h t t p : / / w w w . t e n a b l e . c o m N essus is a v u l n e r a b i l i t y s c a n n e r a p r o g r a m t h a t s e a rc h e s f o r bugs in s o f t w a r e . This t o o l a llo w s a p e r s o n t o d is c o v e r a s p e c ific w a y t o v i o l a t e t h e s e c u r it y o f a s o f t w a r e p r o d u c t . T he v u ln e r a b i l it y , in v a r io u s levels o f d e t a il, is t h e n d is c lo s e d t o t h e u s e r o f t h e t o o l . T h e v a r io u s s te p s t h is t o o l f o l l o w s are: e e e 0 0 D ata g a t h e r i n g Host id e n tific a tio n P o r t scan P lu g-in s e le c tio n R e p o r tin g o f d a ta
T o o b t a i n m o r e a c c u r a te a n d d e t a i le d i n f o r m a t i o n f r o m W i n d o w s - b a s e d h o s ts in a W i n d o w s d o m a i n , t h e u s e r can c r e a te a d o m a i n g r o u p a n d a c c o u n t t h a t h a v e r e m o t e r e g is t r y access p riv ile g e s . A f t e r c o m p l e t i n g th is ta sk, he o r she g e ts access n o t o n l y t o t h e r e g is t r y k e y s e ttin g s b u t also t o t h e S e rvice Pack p a tc h levels, I n t e r n e t E x p lo r e r v u ln e r a b i l it ie s , a n d se rv ic e s r u n n i n g o n t h e h o s t.
M o d u le 0 3 Page 355
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
It is a c li e n t - s e r v e r a p p li c a t i o n . T h e N essus s e r v e r r u n s o n a UN IX s y s te m , k e e p s t r a c k o f all t h e d i f f e r e n t v u l n e r a b i l i t y te s ts , a nd p e r f o r m s t h e a c tu a l scan. It has its o w n u s e r d a ta b a s e a n d se c u re s a u t h e n t i c a t i o n m e t h o d s , so t h a t r e m o t e u sers u s in g t h e N essus c l i e n t can log in, c o n f i g u r e a v u l n e r a b i l i t y scan, a n d se n d it o n its w a y . N essus in c lu d e s S c r i p t in g
Language), a la n g u a g e d e s ig n e d t o w r i t e s e c u r it y te s ts .
T h e v a r io u s f e a t u r e s o f Nessus a re : 9 Each s e c u r it y t e s t is w r i t t e n as a
w i t h o u t h a v in g t o re a d t h e c o d e o f t h e N essus e n g in e . Q It p e r f o r m s s m a r t se rv ic e r e c o g n i t i o n . It a s s u m e s t h a t t h e t a r g e t h o s ts w i ll r e s p e c t t h e IA N A a ssig ne d p o r t n u m b e r s . 9 T h e N essus S e c u r ity S c a n n e r is m a d e u p o f t w o p a rts : A s e rv e r, w h i c h p e r f o r m s t h e a tta c k , a n d a c lie n t, w h i c h is t h e f r o n t e n d . T h e s e r v e r a nd t h e c l i e n t can be r u n o n d i f f e r e n t s y s te m s . T h a t is, t h e u s e r can a u d i t his w h o l e n e t w o r k f r o m his p e r s o n a l
**1 | H * |
| u f u l g
Scan LAN 1
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
V u l n e r a b i l i t y G F I L a n G
S c a n n in g
T o o l:
u a r d
c
UrtifW4
E H
ttkKJl N mIm
0
J i n v e n to r y , c h a n g e
0
GFI L a n G u a rd a s s is ts in a s s e t
H te
G m e
, Oienee
# Ccwtxjen
-M 3r>
'AJryraMtm
Fato>
.4
Softa Soft*(
w *
Harare
14
nj-mtbtli
, - -
Helps ensure third-party security applications offer optim um protection Performs network device vulnerability checks
lu n tu tn < U w a U * .y
i .c n p u u e * rope*m m *
http://www. gfi.com
V u ln e ra b ility
S c a n n in g
T o o l: G F I L a n G u a r d
S o u rc e : h t t p : / / w w w . g f i . c o m
m a n a g e m e n t , risk analysis, a n d p r o v in g c o m p lia n c e . F e a tu re s : 9 9 9 9 9 S e le c tiv e ly c r e a te s c u s t o m v u l n e r a b i l i t y ch e cks I d e n tifie s s e c u r it y v u l n e r a b i l it ie s a nd ta k e s r e m e d i a l a c tio n C re a te s d i f f e r e n t t y p e s o f scans a n d v u l n e r a b i l i t y te s ts H elp s e n s u r e t h i r d p a r t y s e c u r it y a p p lic a t io n s o f f e r o p t i m u m p r o t e c t i o n P e r f o r m s n e t w o r k d e v ic e v u l n e r a b i l i t y ch e cks
M o d u le 0 3 Page 357
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
11 1
J 'l
1 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _A
0e o n o tte n
E B
I J-P I *
Configuration Utilities
<
Group
Dashboard
S<an
Remediate
Activity Monitor
Reports
Uj
Discuss ts versaon
Q.
Overview
IS
0 Computer!
ttrtory
&
ip VynerabAbes
(J
Patches Port Software Hardware
Syitem Information
5* Entire Network
* J lo c d h o s t: W INMSSELCK4<41 - 1 } local DomOT: WORKGROUP
E n tire N etw o rk -1 c o m p u te r
Vdnerabity Level Seanty Sensors Software Updates Firewall Issu e s C redent!! Setup
S SW I N H S S a C M M l
I0 computers
Service Packs and Up Most Vulnerable Computers |WIN-MSSELCK4K41 Vulnerabilities
# l 0. computers ......
1computers
VuherabAty Trend Over Tne
UP
H *
Tout
C o m m o n Talks
O
l Insta n progress Urwrstal * *progress Not IrtStalM D*ptoy*nrt Erron Ocomputvtl) 0 computer{*) 0 compa^*) 1computes) 0 compuM^s) 1 Agent Status | Audt Status |
HUBUldL.
Custom scar
Addmoncomodera
H gp M*2*yn tow HA
icompuc
0 comput..
Ocomput. Ocomput.
SaanrigatiDeploy aocrt
O
]computers By Operating...| Computers By Network ... 1
M o d u le 0 3 Page 358
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
V u l n e r a b i l i t y S A I N T
S c a n n in g
T o o l:
F e a tu re s : Identify vulnerabilities on network devices Detect and fix possible weaknesses in the network security Prevent common system vulnerabilities a Demonstrate compliance with current government and industry regulations e Perform compliance audits with policies defined by FDCC, USGCB,
V u ln e ra b ility
S c a n n in g
T o o l: S A IN T
a p p lic a tio n s , w e b a p p lic a tio n s , d a ta b a s e s , e tc. in a n o n - i n t r u s i v e m a n n e r . It also e n a b le s y o u t o g a t h e r i n f o r m a t i o n such as o p e r a t i n g s y s te m ty p e s a n d o p e n p o r ts , e tc . It a llo w s y o u t o scan a n d e x p l o i t t a r g e t s w i t h an IPv4, IPv6, a n d / o r URL a d d re s s . F e a tu r e s : 9 9 D e te c ts a n d fix e s p o s s ib le w e a k n e s s e s in y o u r n e t w o r k ' s s e c u r it y A n t i c i p a t e s a n d p r e v e n t s c o m m o n s y s te m v u ln e r a b i l it ie s D e m o n s t r a t e s c o m p li a n c e w i t h c u r r e n t g o v e r n m e n t a n d in d u s t r y r e g u l a t i o n s such as PCI DSS, NERC, FISMA, SOX, GLBA, HIPAA, a n d COPPA 9 P e r fo r m s c o m p li a n c e a u d it s w i t h p o lic ie s d e f i n e d by FDCC, USGCB, a n d DISA
M o d u le 0 3 Page 359
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
1 *
r
Vulnerability Scanner
I r iiu m U rn u w **
&
%
t>* * KM M
r e a a
rz ri
* CrmcMi f n u t m t A / f i o i Conem * * * * * H0*t * d ^ * 4 4 * a 10.7.0. IS 10-7-Q-14 1Q.7.Q.2 10.7. Q. 11 10 7.0 104 10-7-0-101 10-7.0.12 10.7.0.S * 10.7.0.13a 10.7.0.140 > 10.7.0.150 10,7.0 . m 4 10.7 o i a o 10-7.0.31 * 10.7.0.131 ^ 10.7.0.112 10.7.0.119 10.7.0.146 J 10.7.0.7 S 4 14 4 1 1 a s 0 6 0 0 0 ToU l 41 37 34 1 S
31 14 14 4 2 2
0 0 0 0 0 0 0 0 0 0 0 0
2 2 0 0 0 0 1 0 0 1
0 0 2 2 2 t 2 0 0 1 t 0
2 2 2 2 2 2 I I 1 1 1
______
M o d u le 0 3 Page 3 60
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
N e t w o r k
V u l n e r a b i l i t y
S c a n n e r s
C E H
Retina CS
-o
http://go.eeye.com
OpenVAS
g m
LJpSrJ
http://w w w .m anageengine.com
Security M a n a g e r Plus
MBSA
Nexpose
http://w w w .m icrosoft.co m
111
S h a d o w Security Scanner i]
http://w w w .safety-lab.com
B E 3F
M l
http://w w w .q u alys.com
QualysGuard
Nsauditor N e t w o r k Security
Auditor
http://w w w -arc.co m
EG-G*ancil. A ll
R ig h ts R e se rv e d . R e p ro d u c tio n Is S tr ic tly P ro h ib ite d .
N e tw o rk V u ln e r a b ility
N e tw o rk v u ln e r a b i l it ie s v u ln e ra b ility v u ln e ra b ility ta rg e t s c a n n e rs
S c a n n e rs
th e to o ls th a t assist y o u in id e n tify in g h e lp y o u can th e in
are
in t h e
n e tw o rk
or n e tw o rk a u d it in g .
r e s o u r c e s . T h e se s c a n n e rs U sing th e s e s c a n n e rs ,
assessm ent
and
n e tw o rk
you
fin d
v u ln e r a b i l it ie s in n e t w o r k s , w i r e d o r w ire le s s , o p e r a t i n g s y s te m s , s e c u r it y c o n f i g u r a t io n , s e rv e r t u n i n g , o p e n p o r ts , a p p lic a tio n s , e tc. A f e w n e t w o r k v u l n e r a b i l i t y s c a n n e rs a n d t h e i r h o m e site s a re m e n t i o n e d as f o l lo w s , u sin g w h i c h y o u can p e r f o r m n e t w o r k s c a n n in g : 9 9 Q Q 9 Q 9 e 9 9 R e tin a CS a v a ila b le a t h t t p : / / g o . e e v e . c o m C ore I m p a c t P ro fe s s io n a l a v a ila b le a t h t t p : / / w w w . c o r e s e c u r i t y . c o m M B S A a v a ila b le a t h t t p : / / w w w . m i c r o s o f t . c o m S h a d o w S e c u r ity S c a n n e r a v a ila b le a t h t t p : / / w w w . s a f e t v - l a b . c o m N s a u d i t o r N e t w o r k S e c u r ity A u d i t o r a v a ila b le a t h t t p : / / w w w . n s a u d i t o r . c o m O p e n V A S a v a ila b le a t h t t p : / / w w w . o p e n v a s . o r g S e c u r ity M a n a g e r Plus a v a ila b le a t h t t p : / / w w w . m a n a g e e n g i n e . c o m N e x p o s e a v a ila b le a t h t t p : / / w w w . r a p i d 7 . c o m Q u a ly s G u a r d a v a ila b le a t h t t p : / / w w w . q u a l y s . c o m S e c u r ity A u d i t o r 's R esearch A s s is ta n t (SARA) a v a ila b le a t h t t p : / / w w w - a r c . c o m
M o d u le 0 3 Page 361
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C E H
S c a n n in g
M e th o d o lo g y
191
J *
3 0
r-^r-n
Prepare Proxies
Banner Grabbing
M o d u le 0 3 Page 362
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
r a
i n
e t w
o r k
i a g r a m
C E H
(rtifwtf ilk > Hhw
4 1
J Drawing target's network diagram gives valuable information about the network and its architecture to an attacker J Network diagram shows logical or physical path to a potential target
Intranet
DMZ
Intranet
C o p y r ig h t b y
EG-G*ancil. A ll
D ra w in g
N e tw o rk
D ia g ra m s
T h e m a p p i n g o f n e t w o r k s i n t o d ia g r a m s h e lp s y o u t o i d e n t i f y t h e t o p o l o g y o r th e a r c h it e c t u r e o f t h e t a r g e t n e t w o r k . T h e n e t w o r k d ia g r a m also h e lp s y o u t o t r a c e o u t t h e p a t h t o t h e t a r g e t h o s t in t h e n e t w o r k . It a lso a llo w s y o u t o u n d e r s t a n d t h e p o s it io n o f f ir e w a lls , r o u t e r s , a n d o t h e r access c o n t r o l d e v ic e s . Based o n t h e n e t w o r k d ia g r a m , t h e a t t a c k e r can a n a ly z e t h e t a r g e t n e t w o r k ' s t o p o l o g y a n d s e c u r it y m e c h a n i s m s . It h e lp s an a t t a c k e r t o see t h e f ir e w a lls , IDSs, a n d o t h e r s e c u r it y m e c h a n is m s o f t h e t a r g e t n e t w o r k . O n c e t h e a t t a c k e r has th is i n f o r m a t i o n , h e o r she can t r y t o f i g u r e o u t t h e v u l n e r a b i l it ie s o r w e a k p o i n t s o f t h o s e s e c u r it y m e c h a n is m s . T h e n t h e a t t a c k e r can f i n d his o r h e r w a y i n t o t h e t a r g e t n e t w o r k by e x p l o i t i n g t h o s e s e c u r it y w e a k n e s s e s . T h e n e t w o r k d ia g r a m also h e lp s n e t w o r k a d m i n i s t r a t o r s m a n a g e t h e i r n e t w o r k s . A t t a c k e r s use n e t w o r k d is c o v e r y o r m a p p i n g t o o l s t o d r a w n e t w o r k d ia g r a m s o f t a r g e t n e t w o r k s . T h e f o l l o w i n g f i g u r e d e p ic t s an e x a m p l e o f a n e t w o r k d ia g r a m :
M o d u le 0 3 Page 363
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
In tra n e t
DMZ
In tra n e t
M o d u le 0 3 Page 364
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
N e t w o r k
D is c o v e r y
T o o l: C E H
L A N s u r v e y o r
F e a tu re s
A u t o - g e n e r a t e N e tw o r k M a p s E x p o r t N e tw o r k M a p s t o V isio A u to -d e te c t C h a n g e s I n v e n to r y M a n a g e m e n t N e tw o r k R e g u la to r y C o m p lia n c e N e tw o r k T o p o lo g y D a t a b a s e M u lti-le v e l N e tw o r k D is c o v e ry
aao
LANsu
LANsurveyor
http://www.solarwinds.com
C o p y r ig h t b y E C - C t in C il. A ll R ig h ts R e se rv e d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d .
N e tw o rk
D is c o v e ry
T o o l: L A N s u r v e y o r
S o u rc e : h t t p : / / w w w . s o l a r w i r 1d s .c o m L A N s u r v e y o r a llo w s y o u t o a u t o m a t i c a l l y d is c o v e r a n d c r e a t e a n e t w o r k m a p o f t h e t a r g e t n e t w o r k . It is a lso a b le t o d is p la y i n - d e p t h c o n n e c t i o n s like OSI L a y e r 2 a n d L a y e r 3 t o p o l o g y d a ta su ch as d is p la y in g s w it c h t o s w itc h , s w itc h t o n o d e , a n d s w it c h t o r o u t e r c o n n e c t i o n . You can e x p o r t t h e n e t w o r k m a p c r e a te d i n t o M i c r o s o f t O ffic e V isio. It can also k e e p t r a c k o f c h a n g e s t h a t o c c u r in t h e n e t w o r k . It a llo w s t h e u s e r t o p e r f o r m i n v e n t o r y m a n a g e m e n t o f h a r d w a r e a n d s o f t w a r e assets.
M o d u le 0 3 Page 365
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
*
B X
solarwinds
a
0 0 V . i~ 1
N e tw o rk S e gm ents (1) B H & IP A d dresses (5) S D o m a in N am es (5) N o d e N am es (5) IP Routers
SO
DEMONSTRATK
J 5 LL A N su rve y o r R esp o nd er N o d es
S N M P N o d es S N M P S w itch e s/H u b s SIP (VoIP) N o d es Layer 2 N o d e s A c tiv e D irecto ry D Cs
: H
l- C ^
1 f t . G rou ps
LAN surveyor
F o r H elp, press F1
M o d u le 0 3 Page 3 66
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
N e t w o r k O p M
D is c o v e r y
T o o l: C E H
a n a g e r
O p M a n a g e r is a n e t w o r k m o n i t o r i n g s o f t w a r e t h a t o f f e r s a d v a n c e d f a u l t a n d p e r f o r m a n c e m a n a g e m e n t f u n c t i o n a l i t y a c r o s s c r i tic a l IT r e s o u r c e s s u c h a s r o u t e r s , W A N lin k s , s w i t c h e s , f i r e w a l l s , V o IP c a ll p a t h s , p h y s ic a l s e r v e r s , v i r t u a l s e r v e r s , d o m a i n c o n t r o l l e r s , a n d o t h e r IT i n f r a s t r u c t u r e d e v i c e s
F e a tu re s
J J J J J J J J -l -l A vailability a n d U p tim e M o n ito rin g N e tw o rk Traffic A nalysis IP A d d re s s M a n a g e m e n t S w itch P o rt M a p p e r N e tw o rk P e r fo r m a n c e R e p o rtin g N e tw o rk C o n fig u ra tio n M a n a g e m e n t E x c h an g e S e r v e r M o n ito rin g A ctive D ire c to ry M o n ito rin g H yper-V M o n ito rin g SQL S e rv e r M o n ito rin g
O p M a ra g t? )
q m
noo < 1nln 1iv UvoJ lopuogv m ap ailtmwirv wrn iptonto m m ci front ta> Nmsc Mtal wiijf cor wiMr/twftdi x tl*
a a v c a
SAMPLE MAP
\ r. *
*T Y '
\ : 3 * /
jf _ .
http://w w w .m anageengine.com
C o p y r ig h t b y
EG-G*ancil. A ll
N e tw o rk
D is c o v e ry
T o o l: O p M a n a g e r
S o u rc e : h t t p : / / w w w . m a n a g e e n g i n e . c o m O p M a n a g e r is b a s ic a lly a n e t w o r k p e r f o r m a n c e m a n a g e m e n t a n d m o n i t o r i n g t o o l t h a t o ffe r s a d v a n c e d f a u l t a n d p e r f o r m a n c e m a n a g e m e n t f u n c t i o n a l i t y acro ss c r itic a l IT r e s o u r c e s such as r o u t e r s , W A N links, s w itc h e s , f ir e w a lls , V o IP call p a th s , p h y sica l se rv e rs , v i r t u a l se rv e rs , d o m a i n c o n t r o l l e r s , a n d o t h e r IT i n f r a s t r u c t u r e d e v ic e s . T his t o o l is h e l p f u l in d is c o v e r in g t h e s p e c ific n e t w o r k a u t o m a t i c a ll y . It can also p r e s e n t a live n e t w o r k d ia g r a m o f y o u r n e t w o r k . H e re a re s o m e o f t h e f e a t u r e s o f O p M a n a g e r : e e 0 e 0 9 e A v a i la b il i t y a n d u p t i m e m o n i t o r i n g N e t w o r k t r a f f i c a na lysis IP a d d re s s m a n a g e m e n t S w itc h p o r t m a p p e r N e tw o rk p e rfo rm a n c e re p o rtin g N e t w o r k c o n f i g u r a t io n m a n a g e m e n t E xch an g e s e r v e r m o n i t o r i n g
M o d u le 0 3 Page 367
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
9 9 9
M o d u le 0 3 Page 368
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
N e t w o r k
D is c o v e r y
T o o l: C E H
N e t w o r k V i e w
N e tw o r k V ie w is a n e tw o r k d is c o v e ry a n d m a n a g e m e n t to o l f o r W in d o w s
a i i s is
1 1
H*j
q. *. +
I N Q D s i S B a
http://www.networkview.com
C o p y r ig h t b y
EG-G*ancil. A ll
N e tw o rk
D is c o v e ry
T o o l: N e tw o rk V ie w
S o u rc e : h t t p : / / w w w . n e t w o r k v i e w . c o m N e t w o r k V i e w is a n e t w o r k d is c o v e r y a n d m a n a g e m e n t t o o l f o r W i n d o w s . Its k e y f e a t u r e s i n c l u d e : 9 9 e 9 9 D is c o v e r TCP/IP n o d e s a n d r o u t e s u s in g DNS, S N M P , Po rts, N etBIOS , a n d W M I G e t M A C a d d re s s e s a n d NIC m a n u f a c t u r e r n a m e s M o n i t o r n o d e s a n d re c e iv e a le rts D o c u m e n t w ith p rin te d m aps and re p o rts C o n tro l and secure y o u r n e tw o rk w ith th e S N M P M IB b ro w s e r, th e W M I b ro w s e r, and th e p o r t sca nn er
M o d u le 0 3 Page 369
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
NetworkView - [NetworkViewl]
b is 1
< * < * + - ; s x g x e ii
g n t4 s
8:
&
ft N e tw o rk V ie w l|
-an
11 11)
1 0111 2
B
III * M il i t 1 * ( M i o hf M W
N o t Y *I T f c y *
** | A.~
*1
L m m |^ # 1 ^T xiw w (m< 10 0 4 )]
HR
Monitoring is O ff
0 Polls
0 Mails Sent
Modified
M o d u le 0 3 Page 3 70
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0linCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
EH
N e tw o rk
D is c o v e ry
T o o l: T h e D u d e
Source: h ttp ://w w w .m ik ro tik .c o m The Dude w ill a u to m a tic a lly scan all devices w ith in specified subnets, draw and lay o u t a map o f y o u r netw orks, m o n ito r services o f yo u r devices, and a le rt you in case any service has problem s. A few features of the Dude include: A uto n e tw o rk discovery and layout Discovers any type o r brand o f device Device, link m o n ito rin g , and notifica tio ns Allow s you to draw yo u r own maps and add custom devices Supports SNMP, ICMP, DNS, and TCP m o n ito rin g fo r devices th a t su pp o rt it Direct access to rem ote co ntro l too ls fo r device m anagem ent Supports rem ote Dude server and local client
M o d u le 0 3 Page 371
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
O lV S r> 0 1 Q k o lo o * M\ fE lC 1 0 0 0 6 W IN M S S L K 4 K 4 1 W I N D O W S 1 0 .002 f, W I N L X Q N 3 W A 3 R 9 MW I N M S S E L C M M lj * W I N O 3 S M R 5 H L 9 C 4
169254 189180 BS) Otenl ix 199fcbp*/tt 191 bps Svr
'
M o d u le 0 3 Page 372
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
N e tw o rk D is c o v e ry a n d M a p p in g Tools
[_ j !i r* * >
CEH
http://w w w 8.hp.co m
HP Netw ork Node M an ager i Software
http://w w w .1 0 -5 trike.com
LANState
FriendlyPinger
http://w w w .kilievich.com
http://w w w .opnet.com
N e tM ap p er
(fT u le jsi
Ipsonar
M kM !
http://w w w .netbraintech.com
CartoReso
11
H R i |
Spiceworks-Network M ap p er
http://w w w .lan-secure.com
NetCrunch
N e tw o rk
D is c o v e ry
a n d
M a p p in g
T o o ls
N e tw o rk discovery and m apping tools a llo w you to view the map o f yo ur netw ork. They help you d e te ct rogue h ard w a re and s o ftw a re v io la tio n s. It n otifie s you w henever a p articula r host becomes active or goes dow n. Thus, you can also figure o ut the server outages or problem s related to perform ance. This is the purpose o f n e tw o rk discovery and m apping too ls in term s o f security. The same to o ls can be used by attackers to launch attacks on your n etw o rk. Using these tools, the a ttacker draws the n e tw o rk diagram o f the ta rg e t n etw o rk, analyzes the topology, find outs th e vu ln era b ilitie s or weak points, and launches an attack by e xploitin g the m . The a ttacker may use the fo llo w in g too ls to create a map o f the n etw o rk: Q 9 Q Q 9 9 9 9 9 LANState available at h ttp ://w w w .1 0 -s trik e .c o m FriendlyPinger avaialble at h ttp ://w w w .k ilie v ic h .c o m Ipsonar available at h ttp ://w w w .lu m e ta .c o m CartoReso available at h ttp ://ca rto re so .ca m p u s.e cp .fr Switch Center Enterprise available at h ttp ://w w w .la n -s e c u re .c o m HP N e tw o rk Node M anager i Softw are available at h ttp ://w w w 8 .h p .c o m N e tM a pp e r available at h ttp ://w w w .o p n e t.c o m NetBrain Enterprise Suite available at h ttp ://w w w .n e tb ra in te c h .c o m S picew orks-N etw ork M apper available at h ttp ://w w w .s p ic e w o rk s .c o m NetCrunch available at h ttp ://w w w .a d re m s o ft.c o m
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
M o d u le 0 3 Page 373
fc js k ^
C E H
S c a n n in g M e th o d o lo g y
So far, we have discussed various means o f scanning and the sources to be scanned.
Now we w ill discuss proxies and im p o rta n t mechanisms used by attackers to access the restricted sources and also to avoid th e ir id e ntity.
191
Q ; Prepare Proxies ^
Banner Grabbing
This section describes how to prepare proxies and how an a ttacker can use the m to launch attacks.
M o d u le 0 3 Page 3 74
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P roxyServers
A proxy is a n e tw o r k c o m p u t e r th a t can s e r v e a s an in t e r m e d ia r y for c o n n ec tin g w ith o t h e r c o m p u t e r s
CEH
P ro x y
S e rv e rs
A proxy is a n e tw o rk co m p u te r th a t can serve as an in te rm e d ia ry fo r connecting w ith o th e r com puters. You can use a proxy server in m any ways such as: 0 A sa fire w a ll, a proxy protects the local n e tw o rk fro m th e outside access 9 As an IP address m ultip le xer, a proxy allows a n um ber o f com puters to connect to the In te rn e t w hen you have only one IP address 9 To anonym ize w eb surfing (to some extent) Q To filte r o u t unw anted co nte nt, such as ads or "u n su ita b le " m aterial (using specialized proxy servers) 9 To provide some p ro te ctio n against hacking attacks 9 To save ban d w id th Let's see how a proxy server works. W hen you use a proxy to request a p articula r w eb page on an actual server, it firs t sends yo ur re quest to th e p ro xy server. The proxy server then sends yo u r request to the actual server on
M o d u le 0 3 Page 375
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
behalf o f yo ur request, i.e., it m ediates betw een you and the actual server to send and respond to the request as shown in the fo llo w in g figure.
Attacker
Target Organization
FIGURE 3.57: Attacker using Proxy Server
In this process, the proxy receives the co m m unication betw een the clie n t and the d e stin a tio n application. In o rd e r to take advantage o f a proxy server, c lie n t program s m ust be configured so the y can send th e ir requests to the proxy server instead o f th e final destination.
M o d u le 0 3 Page 376
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
CEH
( r t i f W d it h iu l l U c k M
To m a s k t h e a c tu a l s o u rc e o f t h e a t ta c k b y im p e r s o n a tin g a fa k e s o u r c e a d d r e s s o f t h e p ro x y
To r e m o te ly a c c e s s in t r a n e t s a n d o t h e r w e b s ite r e s o u r c e s t h a t a r e n o r m a l l y o f f li m it s
T o i n t e r r u p t a ll t h e r e q u e s t s s e n t b y a n a t t a c k e r a n d t r a n s m i t t h e m t o a t h i r d d e s t i n a t i o n , h e n c e v ic tim s w ill o n ly b e a b l e t o id e n t i f y t h e p ro x y s e r v e r a d d r e s s I
A tta c k e rs c h a in m u ltip le p ro x y s e rv e rs t o a v o id d e t e c ti o n
W h y A tta c k e rs U se P ro x y S e rv e rs For an attacker, it is easy to a tta ck or hack a p articula r system than to conceal the attack source. So the main challenge fo r an attacker is to hide his id e n tity so th a t no one can trace him or her. To conceal the id e n tity, the a ttacker uses the proxy server. The main cause behind using a proxy is to avoid d e te c tio n o f a tta ck evidence. W ith help o f th e proxy server, an a ttacker can mask his or her IP address so th a t he or she can hack th e co m p u te r system w ith o u t any fear o f legal repercussion. W hen the a ttacker uses a proxy to connect to the d estination, the proxy's source address w ill be recorded in the server logs instead o f the actual source address o f the attacker. In a dd itio n to this, the reasons fo r w hich attackers use proxy servers include: Q A tta cke r appears in a victim server's log files w ith a fake source address o f the proxy ra th e r than w ith the attacker's actual address 9 9 To re m o te ly access in tranets and o th e r w ebsite resources th a t are norm ally o ff lim its To in te rru p t all the requests sent by an a ttacker and tra n s m it the m to a th ird d estination, hence victim s w ill only be able to id e n tify the proxy server address 9 To use m u ltip le proxy servers fo r scanning and attacking, making it d iffic u lt fo r adm inistrato rs to trace the real source o f attack
M o d u le 0 3 Page 377
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
U seofProxiesforA ttack
Direct attack/ No proxies
CEH
--
! s* 5 -
Logged P roxy
U se o f P ro x ie s fo r A tta c k Q uite a num ber o f proxies are in te n tio n a lly open to easy access. A no n ym o us proxies hide the real IP address (and som etim es o th e r in fo rm a tio n ) fro m w ebsites th a t the user visits. There are tw o types o r a no nym ous proxies: One th a t can be used in the same way as the nonanonym ous proxies and others th a t are web-based anonymizers. Let's see how m any d iffe re n t ways th a t attackers can use proxies to co m m it attacks on the target.
Case 1: In the firs t case, the a ttacker perform s attacks d ire ctly w ith o u t using proxy. The a ttacker may be at risk to be traced o u t as the server logs may contain in fo rm a tio n about th e IP
address o f the source.
D ire c t a t t a c k / N o p ro x ie s
T a rg et
Case 2: The a tta cke r uses the proxy to fetch the ta rg e t application. In this case, th e server log
w ill show the IP address o f the proxy instead o f the attacker's IP address, th e re b y hiding his or
M o d u le 0 3 Page 378
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
her id e n tity; thus, the a ttacker w ill be at m inim um risk o f being caught. This w ill give the a ttacker the chance to be anonym ous on the Inte rn e t.
A tta c k e r
L o g g e d P ro x y
T a rg e t
Case 3: To becom e m ore anonym ous on the In te rn e t, the a ttacker may use the proxy chaining tech n iq ue to fetch the ta rg e t application. If he or she uses proxy chaining, the n it is highly d iffic u lt to trace o u t his o r her IP address. Proxy chaining is a technique o f using m ore num bers o f proxies to fetch the target.
A tta c k e r
M o d u le 0 3 Page 379
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P roxyC haining
M
...................... IP: 20.10.10.2 Port: 8012
H a
M
IP: 20.10.15.4 Port: 8030
M >
IP: 10.10.20.5 Port: 8023 .......................<
U ser
Encrypted/unencrypted traffic
N
IP: 20.15.15.3 Port: 8054 IP: 15.20.15.2 Port: 8045
m
IP: 10.20.10.8 Port: 8028
Unencrypted traffic
1. 2. 3. 4. 5.
User r eq u es ts a resource from the destination Proxy client at the user's system connects to a proxy server and passes th e request to proxy server The proxy server strips th e user's identification information and passes th e request to next proxy server This process is repeated by all th e proxy servers in th e chain At th e end u ne n c ry p ted re q u e s t is passed to th e w eb server
P ro x y
a no n ym ity on the In te rn e t depends on the num ber o f proxies used fo r fetch in g the targe t application. If you use a larger num ber o f p ro xy servers, then you w ill become m ore anonym ous on the In te rn e t and vice versa. W hen th e attacker firs t requests the proxy s e rv e rl, this proxy s e rv e rl in tu rn requests a nother proxy server2. The proxy s e rv e rl strips the user's id e n tifica tio n in fo rm a tio n and passes the request to the next proxy server. This may again request a no th e r proxy server, server3, and so on, up to ta rg e t server, w here fin a lly the request is sent. Thus, it form s the chain o f th e proxy server to reach the destin a tion server as shown in the fo llo w in g figure:
m
IP: 20.10.10.2 Port: 8012 IP: 10.10.20.5 Port: 8023 IP: 20.10.15.4 Port: 8030
U ser
E n crypted/u nencrypted traffic
..................... v
IP: 20.15.15.3 Port: 8054
m
IP: 15.20.15.2 Port: 8045
....................V
M
IP: 10.20.10.8 Port: 8028
M o d u le 0 3 Page 3 80
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P r o x y T o o l: P r o x y W o r k b e n c h
U r tif W tf Ith K J i lU ik M
CEH
Proxy Workbench is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram
P r o x y T o o l: P r o x y W o r k b e n c h Source: h ttp ://p ro x y w o rk b e n c h .c o m Proxy W orkbench is a p ro xy server th a t displays th e data passing th ro u g h it in real tim e , allows you to d rill in to p articula r TCP/IP connections, view th e ir history, save the data to a file , and view the socket connection diagram . The socket connection diagram is an anim ated graphical history o f all o f the events th a t to o k place on the socket connection. It is able to handle (secure sockets) and
HTTPS
POP3 natively.
M o d u le 0 3 Page 381
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
"Z.
File View Tools Help
Proxy W o rk b e n c h
L s l #
0 5 - i s U
M ontana iravya !132168168170)
Dslafc
6
10 Dead (1318 X
308( Event So( 7 P a g e lo H
m J4 J 4J JN
SMTP Outgoing e-mad (25) POP3 Incoming c nvjd (110) HTTP Proxy W eb (8080) 127.aa1 to 127.0.01 (locahost) (127 0 01 20750) 491 bytes of iaa has been chnft. 12 14 49 53 8
fi P P P P P P P P P P P P P P P P P P P P P
DeaJ 113:18:26-779) D ead ( 1 1 1 8 2 5 7S2) Dead (1 1 1 8 2 5 757) Dead (13:1825752) Ded(13182S?46) Dead (13:1825741) Dead (131825736) Dead (1 *1 8 2 5 731) Dead (131825 724) Dead (131825 684) Dead (131825 67$) Dead (131825 662) Dead(131825 655) Dead (131825.647) Dead (131825641) Dead(131825625) Dead(111825620) Dead (13:1825.586) Dead (111825579) Deed (1118255741 Dead (13 1 82 5 566) Dead (13 1825 558) Dead (111825552) Dead 11118255431 Socke
The connection request Jo the remote server has been successful 13:14:49.817
D e a d(1 1 1 8 2 5 7 1 7 ) D e a d(1 3 :1 8 2 56 7 1 ) D e a d (1 1 1 8 2 5 6 3 3 )
1 2 7 0 0 1 fin 491 bytes of data has been
B
(1270 01 20750) FVB has (**connected horn the remote ckent 13 15 13 20 9 the remote server Kais disconnected 1315:13208
P
P P
U Memay
8 KByte*
M o d u le 0 3 Page 382
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C |E H
mpj/www proafr-aom
!B yK'CMAjV. M j arn: *st2-d?rjSfit3y c*C
P r o x y T o o l: P r o x if ie r Source: h ttp ://w w w .p ro x ifie r.c o m P roxifier allows n e tw o rk a p p lica tio n s th a t do n ot su pp o rt w o rkin g throu g h proxy servers to operate throu g h a SOCKS o r HTTPS proxy and chains. It allows you to surf w ebsites th a t are restricted o r blocked by yo u r governm ent, organization, etc. by bypassing the fire w a lls rules. Features: 0 9 Q You can access the In te rn e t fro m a restricted n e tw o rk throu g h a proxy server gateway It hides yo u r IP address It can w o rk throu g h a chain o f proxy servers using d iffe re n t protocols It allows you to bypass fire w a lls and any access co ntro l mechanisms
M o d u le 0 3 Page 383
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
1a
El
1j tf * *
Application ^ m s ts c .E X E (5044) 64 cxplore.exe (4704) ie3plore.exe (5664) lsvchost.exe (376, System) 64 (376, System) 64 4 $ !explore.exe (164)
Taiget 192.168.2.40:3389 w w w .l.g o o gle. com:30 [fe80::90bl:83b:c743:f49b]:80 IP v 6 w w w .u p d a te .m 1croso ft.co m :80 w w w .u p d ate.m icro s o ft.c om :4 43 Ib l.w w w .m s .ak ad n 5.n e t 443 w w w .m ic ro s o ftc o m :8 0 8 0
Time/'Sta t us 01:25 01:14 Closed 01d2 00:44 00:42 Failed 00:21 C o n nectin g
R u le : Proxy D e fa u lt: proxy.exam ple.net:1080 P ro x y2: proxy.exam ple.net:1080 L o c a l: Test proxy chain D e fa u lt: proxy.exam ple.net:1080 D e fa u lt: proxy.exam ple.net:1080 H T T P S : proxy2.exam ple.net:8080 D e fa u lt: proxy.exam ple.net:1080
0 0
0 0
R e a d y
6/sec
Up 0 B/sec
System DNS
M o d u le 0 3 Page 384
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P r o x y T o o l: P r o x y S w it c h e r
P r o x y S w i t c h e r h i d e s y o u r IP a d d r e s s f r o m t h e w e b s ite s y o u v is it
EH
File
Edit
Actions
View
Help
pl
State (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) / _ _ _ _ _ _ _ _x R esp o- _ * 603ms 1092ms 1612ns 1653ms 1882ms 2319ms 2324ms 2543ns 2641ms 2 6 8in s 2 6 9a m n-. > : B * ^ | M | | | FRANCE UNITED STATES UNITED STATES REPUBLIC OF MOLDOVA i SLOVAKIA SLOVAKIA REPUBLIC OF KOREA PAKISTAN | B I CHINA UNITED STATES D C D I I Q II T < > C M A If V > \ / A I (F R A N C E Crxrtry 2200ns UNITED STATES
PKwy Scanner ^ N ew (0) High Anonymous (19) j.... SSL (26) Bite (30) Dead (7220) Basic Anonymity (212) - E " Private (53) Dangerous (148) My Proxy Servers (0) - ProxySwltcherfO)
Server
$ g
194 160 765:8 0 arr,3c 3 mnedu sk 80 147.46.7.54:8088 121 52 14 8 30 8080 208-74-174-142sayfanet 31 - 0 11 0 A T C in.,_ _ _ _ _
,J f 1592 26 3 227:80
K w p A K v e IfA goS w c h
98 181 57.227:9090 tested as [Eke-Anonymous] cocreo dresacallao 90b pe: 80 tested as [Dead] smtp spectrum networks net :80 tested as ((Bite-SSL)J f-kasklab50a.eti.pg gdapl:80 tested as [Eie-Anonymous] cofreo disacallao gob p e:80 tested as [(Qite-SSL)] H iah Anonvmous/S SL 0 /6
Q KKww.proxyswitcher.com
*
P r o x y T o o l: P r o x y
S w itc h e r
Source: h ttp ://w w w .p ro x y s w itc h e r.c o m Proxy S w itcher allows you to su rf a no n ym o u sly on th e In te rn e t w ith o u t disclosing yo ur IP address. It also helps you to access various sites th a t have been blocked in th e o rg an iza tion . It avoids all sorts o f lim ita tio n s im posed by sites. Features: 9 Q It hides yo ur IP address It allows you to access restricted sites It has fu ll su pp o rt o f passw ord-protected servers
M o d u le 0 3 Page 385
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S * Proxy Sw itcher PRO ( D irect C o n n ec tio n ) File Edit A ctions View H elp
@ l # l
^
X I
d a a a i i
Server , f
>
j*
a j ii
Respo... * 603ms 1092ms 1612ms 1653ms 1882ms 2200ms 2319ms 2324ms 2543ms 2641ms 2683ms 2698ms Country 1 FRANCE I I FRANCE UNITED STATES * UNITED STATES UNITED STATES SLOVAKIA SLOVAKIA REPUBLIC OF KOREA CHINA m K 9 PAKISTAN UNITED STATES D C P I ipi irnc uni nn\/4 I I * REPUBLIC OF MOLDOVA >
Proxy Scanner ! # New (0) B i High Anonymous (19) SSL (26) ...E ? Elite (30) | B Dead (7220) Basic Anonymity (212) j g ; Private (53) Dangerous (148) My Proxy Servers (0) ;... Sr ProxySwitcher (0)
& f if , f .#
91.121.21 164:3128 ns1.homenux.com :3128 hherphpo.hchd.tmc .edu :80 170.57.24.100:80 81.180.75.142:8080 static tvvtele.85 - 66-162-61
, 194.160.76.5:80
State (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (Anonymous) (/Vionymous) (Anonymous) (Anonymous) (/Vionymous) (Anonymous) (Anonymous) -------- \ /A
Disabled
~]
Keep Alive
1 1 Auto Switch
O w 1wuv.proxyswvjtcher.com
98 181.57.227:9090tested as [Bite-Anonymous] correo diresacallao gob pe:80tested as [Dead] smtp spectrum-networks n e t:80 tested as [(Bite-SSL)] f-kasklab50a eti pg gda.pl :80 tested as [Bite-Anonymous] correo disacallao gob pe:8 0 tested as [(Bite-SSL)] H igh A nonvm ous/S S L
0/6
M o d u le 0 3 Page 386
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P r o x y T o o l: S o c k s C h a in
J SocksChain t r a n s m i t s t h e TCP/IP a p p lic a tio n s t h r o u g h a chain of proxy serv ers
CEH
im ttiM tU x*l lUckM
Ufasoft SocksChain
View Tools Help firefox To [64.4.11.42]:80 3 connections m m ^ m m 10 ! 0 To [65.55.57.27]:80 2 connections To [123.176.32.147]:80 13 connections To [64.4.11.301:80 2 connections To [123.176.32.1361:80 1 connections
LdfLJ
9 To [65.54.82.157]:80 2 connections chrome Through SE05411D17AFD6752EE36392EE4E42CAFB8A45D09=shadowhouse. S626F206838B0EA12CFCA5CE91 3 To www.certifiedhacker.com(202.75.54.101]:80 6 connections S I To safebrowsing.google.com[74.125224.73!:443 1 connections To safebrowsing-cache.google.com[74.125.224.67J:443 !connections 1 7 1 ^ iexplore 0 PING
III
V
I>
ht tp :/ / uf a so f t. c om
P r o x y T o o l: S o c k s C h a in Source: h ttp ://u fa s o ft.c o m SocksChain is a program th a t allows you to w o rk w ith any In te rn e t service throu g h a chain o f SOCKS or HTTP proxies to hide the real IP address. It can fu n ctio n as a usual SOCKS-server th a t tra nsm its queries throu g h a chain o f proxies. It can be used w ith clie n t program s th a t do not su pp o rt the SOCKS p rotocol, b ut w o rk w ith one TCP-connection, such as TELNET, HTTP, IRC, etc. It hides y o u r IP fro m being displayed in the server's log or mail headers.
M o d u le 0 3 Page 387
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
K
File View Tools Help
Ufasoft SocksChain
m
B firefox Through SE0S411017AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9I 9 To [64.4.11.42]:80 3 connections 9 To [65.55.57.27]:80 2 connections To [123.176.32.1471:80 13 connections To [64.4.11.301:80 2 connections _ To [123.176.32.136):80 1 connections To [175^41.150-21:80 1 connections
m To [207.46.49.1331:80 1 connections
9 1 To [64.4.21.39]:80 1 connections '*. To [65.54.82.1571:80 2 connections 0 0 B chrome Through SE05411Dl7AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9 3 8 To www.certrf1edhackef.coml202.75.54.101 ]:80 6 connections 9 1 To safebrowsmg.google.com(74.125.224.731:443 1 connections 9 E To safebrows1ng-c*che.google.com[74.125224.67]:443 1 connections !explore PING
<I
>I
M o d u le 0 3 Page 388
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P ro xy Tool: T O R (T h e O n io n R o u tin g )
CEH
Anonymity
Privacy
E n s u r e s t h e p r iv a c y o f b o th s e n d e r a n d
Security
P r o v id e s m u l t i p l e , la y e r s o f s e c u r it y f to a m essage
V id a lia C o n tro l P an el
c o m m u n i c a t io n o v e r In te rn e t
r e c ip ie n t o f a m essage
n
Encryption
E n c ry p ts a n d d e c r y p t s a ll d a t a p a c k e t s u s in g p u b lic k e y e n c r y p t io n V
.
Tor Proxy
T h e i n i t i a t i n g o n io n 1 r o u t e r , c a lle d a " T o r I c l i e n t " d e t e r m in e s th e p a th o f t r a n s m is s io n
Mcuogc Lug 3 Show ttii* winflow on t tir n n SclU 1g Q cxt View the Network Loc a Ncv> Id c rtty
Proxy Chain
U s e s c o o p e r a t in g p ro x y ro u te rs th r o u g h o u t th e n e tw o rk
B , Bandwidth !^ph
O H#ip
About
h t tp s : // w w w . to r p ro je c t, o rg
P r o x y T o o l: T O R
(T h e O n io n R o u tin g )
Source: h ttp s ://w w w .to rp ro je c t.o rg Tor is so ftw a re and an open n e tw o rk th a t surveillance th a t threa te ns personal fre e d o m helps you defend against a fo rm o f n e tw o rk and
relationships, and state security know n as tra ffic analysis. You can use Tor to prevent w ebsites fro m tracking you on the Inte rn e t. You can also connect to news sites and in stan t messaging services w hen these sites are blocked by yo u r n e tw o rk a d m in istra to r. Tor makes it d iffic u lt to trace y o u r In te rn e t a ctivity as it conceals a user's location o r usage. Features:
9
9
Provides anonym ous com m unication over the In te rn e t Ensures the privacy o f both sender and re cip ie nt o f a message
9
9
Provides m u ltip le layers o f security to a message Encrypts and decrypts all data packets using public key e ncryption Uses cooperating proxy routers th ro u g h o u t the n e tw o rk The in itia tin g onion ro u te r, called a "Tor clie n t" determ ines the path o f transm ission
9 9
M o d u le 0 3 Page 389
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
4 )1
Vidalia Shortcuts Stop Tor
# # Setup Relaying
O Help Settings
M o d u le 0 3 Page 3 90
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P r o x y T o o ls
Burp Suite Proxy
CEH
http://w w w .analogx.com
http://w w w .d la o .co m
Proxy C om m and er
http://w w w .protoport.com
http://w ebproxylist.co m
http://w w w .proxyplus.c1
Proxy+
http://gpassl.com
Gproxy
11
! !
http://affinity-tools.com
FastProxySwitch
http://w w w .fiddler2.com
Fiddler
ProxyFinder
P ro x y T o o ls In a dd itio n to these proxy tools, th e re are m any m ore proxy tools intended to allow users to surf the In te rn e t anonym ously. A fe w are listed as follow s: 9 9 9 9 9 Q 9 Burp Suite available at h ttp ://w w w .p o rts w ig g e r.n e t Proxy C om m ander available at h ttp ://w w w .d la o .c o m Proxy Tool W indow s App available at h ttp ://w e b p ro x y lis t.c o m Gproxy available at h ttp ://g p a s s l.c o m Fiddler available at h ttp ://w w w .fid d le r2 .c o m Proxy available at h ttp ://w w w .a n a lo g x .c o m P ro to p o rt Proxy Chain available at h ttp ://w w w .p ro to p o rt.c o m
Q Proxy+ available at h ttp ://w w w .p ro x y p lu s .c z 9 9 FastProxySwitch available at h ttp ://a ffin ity -to o ls .c o m ProxyFinder available at h ttp ://w w w .p ro x y -to o l.c o m
M o d u le 0 3 Page 391
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
P r o x y T o o ls
(C o n td)
CEH
Socks Proxy Scanner
http://w w w .proxy-tool.co m
ProxyFinder Enterprise
HI
http://w w w .ode.o rg
ezProxy
A M _il
http://w w w .charlesproxy.com
Charles
http://anon.in f.tu-dresden.de/index_en.htm l
http://w w w .ultrasurf.us
UltraSurf
http://w w w .youngzsoft.net
CC Proxy Server
https://addons.m ozilla.org
FoxyProxy Standard
P r o x y T o o l s ( C o n t d )
---------- The list o f proxy tools m entioned in the previous slide continues as follow s: 9 9 9 9 9 9 Q 9 Q 9 ProxyFinder Enterprise available at h ttp ://w w w .p ro x y -to o l.c o m ezProxy available at h ttp ://w w w .o c lc .o rg JAP A no n ym ity and Privacy available at h ttp ://a n o n .in f.tu -d re s d e n .d e /in d e x en.htm l CC Proxy Server available at h ttp ://w w w .y o u n g z s o ft.n e t FoxyProxy Standard available at h ttp s://a d d o n s.m o zilla .o rg Socks Proxy Scanner available at h ttp ://w w w .m y la n v ie w e r.c o m Charles available at h ttp ://w w w .c h a rle s p ro x v .c o m U ltraS urf available at h ttp ://w w w .u ltra s u rf.u s WideCap available at h ttp ://w id e c a p .ru ProxyCap available at h ttp ://w w w .p ro x y c a p .c o m
M o d u le 0 3 Page 392
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
F re e P ro x y S e rv e rs
A search in Google lists thousands of free proxy servers
Cl EH
( r t r f w t f I S t k K J l l U c k M
F re eP ro x yS e rv e rs a d o u i1 2 .7 0 0 .0 0 0re s u lt?{ 0 2 0 s e c o n d s )
im a g e s u a p s
v M k i
Uor*
N w * S h o p p ln Q
Show searcn tools
P ro x y4F re e-Ff P ro x yStrvtrt -p ro te c tY o u rP ru n eP riv a c ya W 1 w w wproxy4tree comj P r o x y 4 F re e isr a tre e p w lis ta n d p r o x y c h e c k e r r o w d tn g y o M ti r * b e ? fre e p ro x y s e rv e re o r o v e rro 9 y e a rs Q u rso r^ s tc a ie o c n e c 3 n 5 3 ! u 3 m e a su re sL is t C o u n tr y R a tin o A c c e s sT im u st o f F ree P ro x y S erv ers - Page 10 0 w w wproxy4tree eor>v1ist7eaproxy1 htmi F re e P r o x y ,A n o n im iz e r ,V P N .P r o x y 4 F re ero P r o x y u il, I P T e s t, * n c c r-i* e m u H O M E A D D Y O U R P R O X Y U sio n re e P x y se rv e rs P a g e 1o r 10-u Pr P iw tf L is t P u b lic Proxy Sarvars U P JE Q S UA d e iJy A ss;* b id e m y a M .c o r rv p f o x y J is V
Free proxy list index. Ih* Uigvst !aMirn* database ofDu&fe ptoxy servers :r in e
Proxy 4 Free
... ~
H i d e M y A s sr iv F retP ro x ya n aP riv a c yT o o ts-su nr y ew co...* n i f l0 m v 0 M .c 0 Wuliproxy fioo) McAfgg SECURE c-ilot. lolpkeec tcusafofcom tr * : : !.*.
c1dit card fraud, spywst. Us our It proxy to twl anonmoasH crtn * ! rreeproxynerver net/
1
ssa sssssasssr
Bar =2
iNwyirj
1 : 1 '
Pu&lic Proxy Servers is a tree and 1dependent proxy :hecan; 5 sm Cur ser.ice neips you to proteclyour identity ana Dypass surting restnraons s!rce 2002
e a F re e P ro x y S e rv e rs
Besides proxy tools discussed previously, you can find a num ber o f free proxy sites
available on the In te rn e t th a t can help you to access restricted sites w ith o u t revealing yo ur IP address. Just type Free Proxy Servers in the Google search engine and you w ill get num erous proxy server websites.
( jO . )g ie
3 I
S e a rc h
13 r 00 000 r! u n to 70 m o m ! 1
Wo
Prav 4 Free F ree Proxy S erv ers Protect Your OMne Pnvacv wproxy41o*corv proxy server* for Over 9 yea* Ow Lilt County Ratng tc c tit T r O k w j h u m m n u h _
Proy 4 F ree- F ree Proxy S erv ers -Protect Your Onlne Privacy A _ preiraaee cou - cecfted - Smear Proxy 4 Free
** 55* * **
u a a i f i e e Pfoxj se rv e r* l y 1 a i 18 wwwp!o*if4lreecorA1rweapreey1 ren Frt Pron Anomrutf VPN Pro!* 4 Ftee Proy Ust P Te*t Aownn tCNU HOUE-AOOYOURPftOrr 1 .tc*rreee 1MjSenwr ? ?K rflO F ree ^ axv L st - P i t * Proxy S ervers P PORT n o e Mir A ss' * fttOtmrs com^rexy* !(epfor! s$1 no tv 1*c!*So 4aiac*s or caAK precy e rm s crtr* s= E 1 B -
m c Uxau : F re e r r p u A a i P a t a u . T a a i - a u T T n c m t ^ . *
A*e proxy rH Uo*JW SCUt MM K* , SSH *on4**r. T*4 creat caretswd s t *** u s ft* *ee proxy 1 0 s ^ t w>n>r1wow> oam M l .
-----------------------------I
. . H
l | V W P r a t Proxy S erv er _ I u m o ttt e . tortahtftconv *mTt#Mte40*eepnMy seryer - o e a r , w n tx S M an e 1m m < r n orowtieg too mar* a * se M trtrn 101e*oureeaM*eft*0*a 1 _
> Y
rjuZxvJ
,1
PiAftc Proxy Servers F ree Proxy S e rv er Lot ^ www |M<t*t#eayeeye1s ceev FuoecPreir Wrvor 1 t Iim n on a m U i i p>o <*o<S(ng <C X aemce 1 'u 10 proloct tour 1asrM1 anoerpess usng teMKSons trve7M 7
M o d u le 0 3 Page 393
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
H T T P T u n n e l i n g T e c h n iq u e s
CEH
inside
( (p o rt
80)
<
I n t e r n e t ..........f t > * *
!<>
Router
Router
?111
H T T P T u n n e lin g
T e c h n iq u e s
HTTP Tunneling is a no the r technique th a t allows you to use the In te rn e t despite restrictions im posed by the firew alls. The HTTP p ro to co l acts as w ra p p e r fo r com m unication channels. An a tta cke r uses HTTP tu n n e l s o ftw a re to p e rfo rm HTTP tun n elin g. It is a client-server-based application used to com m unicate throu g h the HTTP p rotocol. This so ftw a re creates an HTTP tun n el betw een tw o machines, using a w eb proxy o ptio n . The tech n iq ue involves sending POST requests to an "HTTP server" and receiving replies. The a ttacker uses the client application o f HTTP tu n n e l softw are installed on his o r her system to com m unicate w ith o th e r machines. All requests sent throu g h the HTTP tu n n e l clie n t application go throu g h the HTTP protocol.
M o d u le 0 3 Page 394
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
R acks o f HTTP T u n n el S e rv e rs
M
R o u te r HTTP P roxy HTTP T u n n el S e rv e rs r e c e iv e a n d re la y th e d a ta o r F irew all
M 49
The HTTP tun n e lin g technique is used in n e tw o rk activities such as: 9 9 9 9 Stream ing video and audio Remote procedure calls fo r n e tw o rk m anagem ent For in tru sion d ete ction alerts Firewalls
M o d u le 0 3 Page 395
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
W h y do I N e e d H T T P T u n n e lin g
J J Organizations firewall all ports except
P o rt I P o rt P o rt P o rt P o rt
FTP
1 P o rt
v
HTTP Tunneling client running on local port
1 P o rt 11 P o r t P o rt
Data is sent via HTTP
F ire w a ll r u le s o n ly a llo w p o r t 8 0 a n d 4 4 3
C o p y rig h t b y
EG -G *ancil. A ll
W h y d o I N e e d H T T P T u n n e lin g ?
HTTP tu n n e lin g allows you to use the In te rn e t despite having fire w a ll re stric tio n s
such as blocking specific fire w a ll p o rts to re strict specific p ro to co l co m m unication. HTTP tun n e lin g helps you to overcom e this fire w a ll re strictio n by sending specific protocol co m m unication throu g h HTTP p rotocol. The a ttacker may use this tech n iq ue fo r the fo llo w in g reasons: 9 9 9 9 9 It assures the a ttacker th a t no one w ill m o n ito r him or her w hile browsing It helps the a ttacker to bypass fire w a ll restrictions It ensures secure browsing The a ttacker can hide his or her IP address fro m being trapped it assures th a t it is highly im possible fo r others to id e n tify him o r her online
Suppose the organization has blocked all ports in yo ur fire w a ll and only allows p o rt 8 0/4 4 3 , and you w a n t to use FTP to connect to some re m o te server on the Inte rn e t. In this case, you can send y o u r packets via HTTP p ro to co l as shown in the fo llo w in g figure:
M o d u le 0 3 Page 396
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
IN S ID E T H E N E T W O R K
F T P C li e n t
fL - s
ftp
S o ftw a re
v
HTTP T u n n e lin g c lie n t ru n n in g o n lo c a l p o r t
P o rt P o rt P o rt P o rt P o rt P o rt P o rt P o rt P o rt
23
21
F T P d a t a is e n c a p s u la te d in h t t p p a c k e t F ire w a ll r u le s o n ly a llo w p o r t 8 0 a n d 4 4 3
FIGURE 3.69: Effect of HTTP Tunneling on both Inside and Outside the Network
M o d u le 0 3 Page 397
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
CEH
H T T P T u n n e lin g
T o o l: S u p e r N e tw o r k
T u n n e l
Source: h ttp ://w w w .n e tw o rk tu n n e l.n e t Super N e tw o rk Tunnel is a professional HTTP tu n n e lin g softw are, w hich includes HTTP tu n n e l c lie n t and server so ftw a re . It is like secure VPN so ftw a re th a t allows you to access your In te rn e t program s w ith o u t being m o n ito re d by yo ur w ork, school, o r the governm ent, and gives you an extra layer o f p ro te ctio n against hackers, spyware, or ID th e ft. It can bypass any fire w a ll.
M o d u le 0 3 Page 398
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
ik
S ta rt
# H - a
S e tu p Lot Add
O ra g B o x
&.
R in H e to
J1
About
Use Rin Game WthGameGuard Mode Q Use Real Remote Dn* Resolve Send Speed Recv Speed Serves Total Threads(nctude cache)
[
IP
Thts operating system is 64b11, S K I support tunnel both 32b1t and 64b11 propa, and except us kook ngin*, you Iso can eon
L o g &>d S ta tu s |
: |
O e n t Stop
M o d u le 0 3 Page 399
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
h t tp : // w w w . h ttp - tu n n e l.c o m
C o p y rig h t b y
E G G * a n c i l . A ll
W _
H T T P T u n n e lin g
T o o l: H T T P -T u n n e l
HTTP Tunnel acts as a SOCKS server, allow ing you to access the In te rn e t by bypassing fire w a ll restrictions. It is very secure softw are. Using this so ftw a re does n ot a llow others to m o n ito r y o u r In te rn e t activities. It hides yo u r IP address; th e re fo re , it does not a llow tracing o f your system. It allows you the u n lim ite d tra n sfe r o f data. It runs in yo ur system tra y acting as a SOCKS server, managing all data transm issions betw een the co m p u te r and the n etw o rk.
M o d u le 0 3 Page 4 0 0
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
H T T P -T u n n e l C lie n t v 4 .4 .4 0 0 0
Ptotty Srv
Configuration
r
C onligue C* Enter Key Mad Support
Autodtloct C a l |
E x rf
Connections
<11 56 11> RIP Pnged serve* to keep use! logged n I <11 56 11> RettievelP Log Window Geared
M *w n e e |H 4 }o n S t M >
Accei 1 Rwtactoro Turn ON 0 *cm 2 IP1 10 um w HTTPT irmH cktri L n v t O ff I you oriy *Mrt 10 um HTTPT umel how pvogrami *m n g o n t w PC r AI0M 4 >eovo IP* o comect foHTTP Tunnrt
Advanced U *n
f 0 advanced u w t only e*eete corriacl Svcded 101 r #0 Thn option Mi *osbcafly t ove performance i t supported by fOU proay Th m i vo l. ONLY I you Save 1 piO M y The comtc Icn loti dot! not lot( t t i opcn
r Ptoay * w C O N N EC T" command
U ser G u id e s
..
OomnomU.n e w t+ m rtP n a m c r
D a la P a * MT TP T c m * Infant an Peal 1080 lei conrecbon! ha* * * n 10rM Char^a >ou I r d port 1 0 6 C * * V r U M * a n you b * d H T T P I m l You n k n 10 10c 0r t 9 # *)K *ap p fca *an a and alart H T T P T im a l
Chck Here
h ttp tu n n e i
$3.99 a month/year
M o d u le 0 3 Page 401
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
B ssh - f u s e r @ c e r tifie d h a c k e r .c o m -L 5 0 0 0 :c e r t i f i e d h a c k e r . c o m :2 5 -N
T h is f o r w a r d s t h e
local port 5 0 0 0 to
port
6
2 5 o n c e r t if ie d h a c k e r . c o m
-f
= > b a c k g ro u n d m o d e ,
y o u a r e lo g g in g i n t o , - L
5000 :
u s e r n a m e a n d s e rv e r = > lo c a l-
e n c ry p te d S im p ly p o i n t y o u r e m a il c lie n t t o u s e lo c a lh o s t : 5 0 0 0 as t h e S M T P s e r v e r
c o m m a n d o n t h e r e m o t e s y s te m
Copyright by
E G G * a n c i l . All
SSH T u n n e lin g SSH tun n e lin g is a n o th e r technique th a t an a ttacker can use to bypass fire w a ll
re strictio n s. It also helps you hide yo ur IP address on th e Inte rn e t; th e re fo re , no one can trace or m o n ito r you. The prerequisite o f SSH tun n e lin g is raised fro m the problem s caused by the p ub lic IP address, the means fo r accessing com puters fro m anyw here in the w o rld . The com puters netw orked w ith the public IP address are universally accessible, so th e y could be attacked by anyone on the global In te rn e t easily and can be victim ize d by attackers. The d eve lo p m en t o f SSH tun n e lin g solves the problem s faced by the public IP address. An SSH tun n el is a link th a t proceeds tra ffic fro m an indiscrim inate p o rt on one m achine to a re m o te m achine throu g h an in te rm e d ia te machine. An SSH tu n n e l comprises an encrypted tun n el, so all yo u r data is encrypted as it uses a secure shell to create the tun n el. Creating a tu n n e l fo r a p rivately addressed m achine needs to im p le m e n t th re e basic steps and also requires th re e machines. The th re e requisite machines are: 9 9 9 Local machine An in te rm e d ia te m achine w ith a public IP address Target m achine w ith a private address to w hich th e connection m ust be established
M o d u le 0 3 Page 402
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
You can create a tunnel as follows: 9 9 Start an SSH connection from local machine to the intermediate machine with public IP address. Instruct the SSH connection to wait and observe traffic on the local port, and use intermediate machine to send the traffic to an explicit port on the target machine with a private address. This is called port acceleration or port forwarding. On the local machine, select the application that you want to use for connection with the remote machine and configure it to use port forwarding on the local machine. Now, when you connect to the local port, it will redirect the traffic to the remote machine.
To secure communication between computers, SSH uses private and public encryption keys. The public encryption keys used by the SSH tunneling deed like the identifiers of the authorized computer. On initiating an SSH connection, each machine exchanges public keys, but only the computer that has the matching private key can attain access to the remote computer applications and information and can read encrypted communications with the public key.
f t
M a il C lie n t
< i
% DB Server M a il Server ! 09 ............. ______ SSH P e rim e te r C o n tr o ls S erv er A pp Server W e b se rve r
DB C lient
I n *
A tta c k e r
SSH
<3
Internet
P e rim e te r C o n tr o ls
*4
t
A p p C lie n t
W eb Client
f !' <
C lie n t
OpenSSH
Source: http://www.openssh.org OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. OpenSSH can be used to tunnel the traffic on local machine to a remote machine that you have an account on.
s s h - f u s e r @ c e r tif ie d h a c k e r .c o m -f -L 2 0 0 0 : c e r t i f i e d h a c k e r . com: 25 -N
=> backgroung mode user name and server you are logging into => I0calp0rt:h0st:rem0tep0rt
user@ c e r t i f i e d h a c k e r . com=> -L -n
2000:
c e r t i f i e d h a c k e r . c o m : 25
This essentially forwards the local port 2000 to port 25 on certifiedhacker.com encrypted. Simply point your email client to use localhost:2000 as the SMTP server.
M o d u le 0 3 Page 4 0 3
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S S H T u n n e l i n g T o o l: B i t v i s e
B itv ise SSH S e r v e r p r o v id e s s e c u r e r e m o t e lo g in c a p a b ili tie s t o W in d o w s w o r k s t a ti o n s a n d s e r v e r s
C EH
I W indow
U pload Queue
a i D ownload Queue
] $ (3 c .\p ro g !a m file s(x S 6 } ',b 1 t/ise tu n n e lie r St ttrib u te s N a m e S iz eT y p e D a teM o d ife dA p p lic a tio n2 Q k M erm cex e 2 8 6 ,7 2 0A 0 0 6 -1 2 -2 50 .. A p pl irato n2 .2 6 5 .6 6 4A 0 0 6 -1 2 -2 50 .. A S /g lc l:tg c .o x o 1 p p lic a tio n2 i"7lo ge x e 2 0 .4 8 0A 0 0 6 -1 2 -2 50 A ,5 9 7 .4 4 0A p p lic a b o n2 Lsen see x e 1 0 0 6 -1 2 -2 50 A p p lic a tio n2 Isftp c .e x e 2 ,0 0 2 ,9 4 4A 0 0 6 -1 2 -2 50 .. A p p1cato n2 iis3 h d 3 tg 3 ex e2 .1 5 0 ,4 0 0A 0 0 6 -1 2 -2 50 .. A B 7 ste rm c 1 ,6 5 0 ,6 0 8A p p1c a b o n2 0 0 6 -1 2 -2 50 A p p lic a tio n2 Q to term cex e 3 7 2 ,7 3 6A 0 0 6 -1 2 -2 50 .. A p pIo a to n2 M T u rn0 1 to r.o x o6 .1 9 3 .1 5 2A 0 0 6 -1 2 -2 50 .. A p plo a to n2 S } u n 1 n 3 1 .e x o 5 5 2 .2 5 6A 0 0 6 1 2 -2 50 .. A v t100b d s 6 ,0 6 6T D SF ils 2 0 0 6 -1 2 -2 50 A x te rm td s 6 ,0 6 6T D S F ilo 2 0 0 6 -1 2 -2 50 .. A
o s> N o m e kL o g * b v ^ A d .o x e
{*
S iz eT y p e D e teM o d ife d 0F ileF o ld e r2 0 0 6 -1 2 -2 50 .. 1 6 7 .9 3 6A p p lic a tio n2 0 0 6 -1 2 -2 50 ... I 7 exe 1 8 8 .4 1 5A p p lic a tio n2 0 0 6 02 5 1 2 .. F |)Vrm sso * 2 0 0 .0 9 5A p p lic a tio n2 0 0 6 -1 2 -2 50 ; SCP.OXO 2 9 4 ,9 1 2A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 1 5 ,9 6 1C * S o u r... 2 0 0 6 -1 2 -2 50 .. * 1 S tc P u g in S o m p le .c p p S lp R u g in S o m p I#d ll 2 0 . 1 0 0A p p lic a ti 2 0 0 9 -1 2 -2 50 .. 6 1 0 .3 0 4a p p lic a tio n2 0 0 6 -1 2 -2 50 .. 2 .7 6 07 0 !A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 7 CCMCV.OXO 0 5 51 5 /V p p ilc a tlo n2 0 0 6 -1 2 -2 50 .. ^sow oxecoxe 2 ,2 1 1 .0 4 0A p p lic a tio n2 0 0 6 -1 2 -2 50 .. f7itM tlgt w in to to m 0 0 3 1 9 2 .5 1 2A p p lic a tio n2 0 0 6 -1 2 -2 50 .. P u m rs ie x e 3 5 2 .2 5 6A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 2 ,3 3 0 .0 1 6A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 3 .4 6 1 ,1 2 0A p p lic a tio n2 0 0 6 -1 2 -2 50 .. 7 W irSSHD.exe I!W rttsh d A d S ta te C h e c ke x e 4 4 6 ,4 6 4A p p lic a tio n2 0 0 6 -1 2 ^ 2 50 .. 2 ,6 6 6 ,4 9 6A p p lic a ti... 2 0 0 6 -1 2 -2 50 .. W n e sh d C fg M a n ipdI 3 .7 6 8 In te rfa c e 2 0 0 6 -1 2 -2 50 .. jW r'ssh d C fg M a o ipid l
h t tp : // w w w . b itv ise . c o m
C o p y rig h t b y
If B in a ry * _R e su rre j L iO v e rw rite ft S ta rt
SSH T u n n e lin g
T o o l: B itv is e
Source: http://www.bitvise.com Bitvise is client server-based application used for SSH tunneling. The server provides you secure remote login capabilities to Windows workstations and servers. With Bitvise SSH Server, you can administer the Windows server remotely. The Bitvise server even has the ability to encrypt the data during transmission so that no one can sniff your data during transmission. Bitvise SSH Client includes graphical as well as command line SFTP support, an FTP-to-SFTP bridge, tunneling features that can be helpful for port forwarding and remote administration.
M o d u le 0 3 Page 4 04
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
| J ) U p lo a d Q u e u e
D o w n lo a d Q u e u e
N am e n tv te rrn c .e x e
f f g ld s tg s .e x e
I 7 lo g .e x e F s e x e c exe s ftp c e x e s s h d s tg s .e x e F s te rm c .e x e
' s c p .e x e
c~ S ttp P lu g m S a m p le .c p p
S ftp P lu g in S a m p le .d ll ' sftp s.e xe F F ss h d c trl.e x e sshdexecexe
' s s h d s tg s .e x e F F F F to te rm .e xe u n in s te x e w c tg exe W in S S H D .e x e
W in s s h d A c tS ta te C h e c k e x e W in s s h d C fg M a n ip .d ll
i W in s s h d C tg M a n ip id l
S f B in a r v ; R esum e J O ve rw rite _ [ & Start JP jD in d iy * R esum e
M o d u le 0 3 Page 4 05
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
A n o n y m iz e r s
J An a n o n y m iz er r e m o v e s all t h e identifying in f o rm a tio n fro m t h e u ser's c o m p u t e r while t h e u se r surfs t h e In te rn e t A nonymizers m a k e activity on t h e I n t e r n e t u n tr a c e a b le A nonym izer too ls allow you t o b y p a s s I n t e r n e t c e n s o r e d w e b s i t e s
CEH
J J
W h y u s e A n o n y m iz e r?
A n o n y m iz e rs
An anonymizer is an intermediate server placed in between the end user and web site that accesses the website on behalf of you, making your web surfing untraceable. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http :), file transfer protocol (ftp :), and gopher (gopher:) Internet services. To visit a page anonymously, you can visit your preferred anonymizer site, and enter the name of the target website in the Anonymization field. Alternately, you can set your browser home page to point to an anonymizer, so that every subsequent web access will be anonymized. Apart from this, you can choose to anonymously provide passwords and other information to sites that request you, without revealing any other information, such as your IP address. Crackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their applications configuration menu, thereby cloaking their malicious activities.
W h y U se a n A n o n y m iz e r?
M o d u le 0 3 Page 4 06
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Protect you from online attacks: Anonym izers p ro te ct you fro m all instances o f online
pharm ing attacks by routing all customer Internet traffic via the anonymizer's protected DNS servers.
Bypass IDS and firewall rules: Bypassing o f fire w a lls is m ostly done in organizations or
schools by em ployees or students accessing w ebsites th e y are n ot supposed to access. An anonym izer service gets around yo u r organization's fire w a ll by setting up a connection betw een yo ur co m p u te r and the anonym izer service. By doing such, fire w a lls can see only the connection fro m you to anonym izer's w eb address. The anonym izer w ill the n connect to T w itte r o r any w ebsite you w anted to access w ith the help o f an In te rn e t connection and sends the co n te n t back to you. For your organization, it looks like yo u r system is connected to an anonym izer's w eb address, but n ot to T w itte r or o th e r sites.
Anonym izers, apart fro m p ro te ctin g users' id e ntitie s, can also attack the w ebsite and no one can actually d ete ct w here the attack came fro m . T y p e s o f A n o n y m iz e rs An anonym izer is a service throu g h w hich one can hide th e ir id e n tity w hen using certain services o f the Inte rn e t. It basically works by encrypting the data from your computer, so that is cannot be understood by Internet service providers or anyone who might try to access it. Basically, anonym izers are o f tw o types: 9 9 - ____~ N e tw o rk e d A n o n y m iz e rs ____ These type o f anonym izer firs t transfers yo ur in fo rm a tio n throu g h a n e tw o rk o f N etw orked anonym izers S ingle-point anonym izers
In te rn e t com puters before sending it to the w ebsite. Since the in fo rm a tio n passes through several In te rn e t com puters, it becomes m ore cum bersom e fo r anyone tryin g to tra ck yo ur in fo rm a tio n to establish the connection betw een you and anonym izer.
Example: If you w a n t to visit any web page you have to make a request. The request w ill firs t pass throu g h A, B, and C In te rn e t com puters p rio r to going to the w ebsite. Then a fte r being opened, the page w ill be tra nsfe rre d back throu g h C , B, and A and then to you. Advantage: C om plication o f the com m unications makes tra ffic analysis com plex
M o d u le 0 3 Page 4 07
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Disadvantage: Any multi-node network communications have some degree of risk at each node for compromising confidentiality
___ S in g le -p o in t A n o n y m iz e r s
' ^ Single-point anonymizers first transfer your information through a website before sending this to the target website, and then pass back information, i.e., gathered from the targeted website, through a website and then back to you to protect your identity. Advantage: IP address and related identifying information are protected by the arms-length communications Disadvantage: It offers less resistance to sophisticated traffic analysis
M o d u le 0 3 Page 4 08
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C a s e : B lo g g e rs W rite T e x t B a c k w a rd s to B y p a s s W e b F il te r s in C h in a
Bloggers and journalists in China are using a novel approach to bypass Internet filters in their country - they write backwards or from right to left
' her^ r Z l em
packets co
. aSTibet,
50**are
< \ I f
C a s e : B lo g g e rs W rite T e x t B a c k w a r d s to y p a s s W e b F ilte r s in C h in a
China is well known for its implementation of the "packet filtering" technique. This technique detects TCP packets that contain controversial keywords such as Tibet, Democracy, Tiananmen, etc. To bypass Internet filters and dodge the censors, bloggers and journalists in China are writing the text backwards or from right to left. By doing so, though the content is still in human readable form, the text is successful in defeating web filtering software. Bloggers and journalists use vertical text converter tools to write the text backwards or from right to left and vertically instead of horizontally.
M o d u le 0 3 Page 4 09
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
CEH
Psiphon 3
S S H d is c o n n e c te d .
Uncensored
1 8
h ttp : //p s ip h o n .c o
C o p y rig h t @ b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
C e n s o rs h ip
C irc u m v e n tio n
T o o l: P s ip h o n
Source: http://psiphon.ca Psiphon is a censorship circumvention system that allows users to bypass firewalls and access blocked sites in countries where the Internet is censored. It uses a secure, encrypted HTTP tunnel connection to receive requests from psiphonite to psiphonode, which in turn then transports the results back to the requested psophonite. It acts as a web proxy for authenticated psiphonites, and works on mobile browsers. It bypasses content-filtering systems of countries such as China, North Korea, Iran, Saudi Arabia, Egypt, and others.
M o d u le 0 3 Page 4 1 0
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Psiphon 3
O
H I ]
o v p n s1 h
O SSH SSH
@ Don! proxy domestic web sites Client Version: 40 SSH connecting Localhost port 1080 is already m use SOCKS proxy is runrwig on locahost port 1081. SSH successfully connected HTTP proxy is ru m n g on locahost port 8080 Preferred servers: 2 SSH disconnected SSH connecting... Localhost port 1080 is already m use SOCKS proxy is rurmng on locafriost port 1081 SSH successfully connected HTTP proxy is rurmng on locahost port 8080 SSH disconnected Fix VPN Services faded nsuffoent pmnleges to configure or start service IKEE VPN connecting... VPN successfully connected HTTP proxy is rurmng on locatiost port 8080 VPN disconnected SSH connect ng... Localhost port 1080 is already n use SOCKS proxy is rurmng on locatiost port 1081. SSH successfully connected HTTP proxy is rurmng on locahost port 8080 Unprcuoed autosinaxabout .com Unproxied: a1979.g akamai net Unproxied: bsmotormg com Unproxied: a 9 0 g akamai net Unprowed: www baja!auto com Unprowed mypulsar com SSH disconnected SSH connecting Localhost port 1080 is already in use SOCKS proxy is running on locatiost port 1081 About Ps*>hon 3
M o d u le 03 Page 4 11
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C o p y rig h t b y
C e n s o rs h ip
C irc u m v e n tio n
T o o l: Y o u r - F r e e d o m
Source: http://www.your-freedom.net Censorship circumvention tools allow you to access websites that are not accessible to you by bypassing firewalls. The Your Freedom services makes accessible what is unaccessible to you, and they hide your network address from those who don't need to know. This tool turns your PC into an uncensored, anonymous web proxy and an uncensored, anonymous SOCKS proxy that your applications can use, and if that's not enough, it can even get you connected to the Internet just as if you were using an unrestricted DSL or cable connection.
M o d u le 0 3 Page 412
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Y our F re e d o m
S ta tu s | S tr e a m s | A c c o u n t P r o file P o rts M essages V o u c h e rs j A p p lic a tio n s
_ EL
A bout
Freedom Server External IP Address Server located in Open streams Bytes sent Bytes received Send rate (bytes/sec) Receive rate (bytes/sec)
https://ems29.your-freedom.de 443 83.170.106 56 UK, United Kingdom 0 2973 704 279 111|
C o n fig u r e
S to p c o n n e c tio n
R e s ta r t c o n n e c tio n
U p d a te ?
E x it
II I
U p lin k 1.0 k
D o w n lin k 0 .4 k
M o d u le 0 3 Page 4 13
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
H o w to C h e c k i f Y o u r W e b s ite is B lo c k e d in C h in a o r N ot?
J J Internet tools help identify if web users in China can access remote websites When Just Ping and WebSitePulse show "Packets lost" or "time-out" errors, chances are that the site is restricted
H o w --------N o t?
to C h e c k
if Y o u r W e b s ite
is B lo c k e d
in
C h in a o r
If a "packets lost" error is received or there is a connection time-out message is displayed while connecting to your site, chances are that the site is blocked. To find out whether the website at xyz.com is accessible by Chinese web users, you can use tools such as just ping and WebSitePulse.
f
00
J u s t p in g
Source: http://www.iust-ping.com Just ping is an online web-based ping tool that allows you to ping from various locations worldwide. It pings a website or IP address and displays the result as shown as follows:
M o d u le 0 3 Page 4 14
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
j u s t ^ p in g
u jn T C H m n u !
WATCMNC CVtROMlM IlMNISk
O n l i n e w e b -b a a e d p i n g :
F re e o n lin e p in g i r o n
SO l o c a i i o a a
w o r ld w id e
U-jhg
e g
| |p-r.g1
y ah o o con o r 6 6 .9 4 .2 3 4 .1 3 3
M 3 84 0 90 5 1 8 3 .9 1 9 3 .9 9 7 .2 10 3 3 9 1 .* 123 28 O M 8 9 4 .4 12 4 6 113 A 72 8 M 3
9 0 .5 84 6 90 6 1 8 9 .9 1 8 3 .8 9 7 .5 1 0 9 .9 8 2 .1 1 2 3 .9 2 8 .3 3 3 .9 94 .7 1 2 4 .7 1 1 3 .C 7 3 .2 9 0 .
91 O 8 3 .3 91 .0 1 9 8 .9 1 6 5 .0 96 .2 1 0 6 .1 8 2 .5 1 2 4 .2 2 8 .7 3 4 .1 9 8 .2 1 2 5 .3 1 1 3 .9 7 3 .C 9 0 .9
2 a 0 3 : 2 6 8 0 : 2 1 1 0 : 3 f 0 2 : f a c e bOOc 6 6 . 2 2 0 .1 4 9 88 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 : f a c e bOOc 2 a 0 3 : 2 8 8 0 : 1 0 : 1 f 0 2 : f a c a : bOOc 69 . 1 7 1 . 2 3 7 .1 6 6 9 . 1 7 1 .2 4 2 . 7 0 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 : f a c a bO O c:: < 9 . 1 7 1 . 2 3 7 .3 2 2 a0 3 2880 2110 3 f0 2 6 9 . 1 7 1 .2 2 8 7 0 2 a 0 3 :2 8 8 0 : 1 0 i f 0 3 fa c a .b O O c 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 3 : fa c a :b O O c 65 63 1 8 9 .7 4 2 a 0 3 2 8 8 0 ! 2 1 1 0 3 F02 f a o bOOc 2 a 0 3 2 8 8 0 10 I f 0 3 f a c bOOc 25 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f0 2 f a c e bOOc 29 f a c a bOOc 25
M o th e rla n d .
W e b s ite P u ls e
Source: http://www.websitepulse.com WebsitePulse provides remote monitoring services. It simultaneously pops websites from around the globe.
I B a IV W*t4Tt C w C A ww.wrt>nepuls<.<o n '.Ttoo<Krtn*-tCTtmm! s i x
I ^
WebsitePulse Tk* w#b S*r*M aad Wafcdt* Maatfck* S#rvk tnnlfd bv 184% mUoman tskt IT easy | . .1 A, j 1 mi Tata > > mi a^at * ! . r w v i c ! . * > ( m m l a r o tYo1# WrtiUt 0 F f c t a j iExtcnwun t tAdd-0<W OlfO f l M EXtMMOft* Opora E x t e o s > o o s Safan Ex t c rwon* Wtf>dow3V1a Gadget Facebook App* ^ n o r o w Jape <*V>h*6 * > * 3Ap* LIVE CHAT ' * i t Byt* 3 . 0 9 0MC MmM Am U.n4I last mukt wam 1( Jh I m M Im Chm T nM M i 12-00-2; l015?>tO(OT 0 0 : 0 0 )
ham c r f cR V 2 0 1 2 0 4 2 1 1 0 : 5 7 1 1 c (OMT 0 0 : 0 0 ) ml r t e 4 1 *) < KMoxwr H n M A i: M71.2S7.J2 IniMM t mi C M7 o 0. 0 c MC CaMKt C.3M c 0M0 Mr hntM: 0 . 1 3 3 ioc f t m m ]1311 M m # M T f i(>#g,TfMnUt> r M u f t s 11
ImImIlm>
lo N w H K ttm YTrbUtr frrr f a rM 0r Cktk He r r * 1m a i lm d h Son Rnull) Pafona a new tot Report a hvMaa
r #
T # *1Tod* 0 v . v
M o d u le 0 3 Page 4 1 5
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
G -Z a p p e r
CEH
G - Z a p p e r - TRIAL V E R S IO N
G Z a p p e r
G-Zaocei = ntsctrg you! Search Piivacy
Did you know - 300gl9 *teres a unique identifier in a cookie on your PC, which alow? them to track the kewkofdi yoo s sa c h fot. G -Zepper will ojtomalicdl/ dctcct and cban this cookie in your w5b bo/vie. J j; t jn G-Zaoce. ninini7e the vinebw. and enjoy ycur enhanced search privacy.
Y o u -a o o g leV(h re fo x8 5 3 6 d 4 5 Ib 3 6 7 1 7 3 8
e J
Yoji irWtitj* wil h ofc<cutd from previcut SMrchtfi *nd G Z*ppr wll mgulM^i clean luhir cookiat
h t tp : //w w w . d u m m y s o ftw a r e . c o m
G Z a p p e r
Source: http://www.dummysoftware.com G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online. It automatically detects and cleans Google cookies each time you use your web browser. It is compatible with Windows 95/98/ME/NT/2000/XP/Vista/Windows7. It requires Microsoft Internet Explorer, Mozilla Firefox, or Google Chrome and is compatible with Gmail, Adsense, and other Google services.
M o d u le 0 3 Page 4 16
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
is G Z a p p e r
G -Z a p p e r P ro je c tin g y o u S e a rc h P riv a c y D id y o u k n o w G o o g le stores a u n q u e idenM ier r a c o o k ie o n y o u P C . w h ic h a to w s th e m to tra c k th e k e y w o rd s y o u s e a rc h lo r G Z a p p e r w i a u to m a tic a l}! d e te c t a n d d e a n th is c o o k ie y o u w e b b row se* J u s t ru n G Z a p p e r. m r m t t e th e w in d o w , a n d e n jo y y o u e n h a n c e d s e a rc h p riv a c y
2'
----
| You h a ve
2 G o o g le
s e a rc h e s s a v e d n M o z ia F re fa x
Settngs
M o d u le 0 3 Page 4 17
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
A n o n y m iz e r s
M ow ser
EH
http://w w w .spotflux.com
Spotflux
http://w w w .m ow ser.co m
U-Surf
http://w w w .h ideyouripaddress.net
http://silent-surf.co m
WarpProxy
ps4
Anonymizer Universal
http://w w w .hopeproxy.co m
Hope Proxy
http://w w w .g uardster.co m
G uardster
s a f lH l
http://w w w .pri\/acy-pro.co m
Hide My IP
* " V
An anonymizer is a tool that allows you to mask your IP address to visit websites without being tracked or identified, keeping your activity private. It allows you to access blocked content on the Internet with omitted advertisements. A few anonymizers that are readily available in the market are listed as follows: a 9 9 Mowser available at http://www.mowser.com Anonymous Web Surfing Tool available at http://www.anonymous-surfing.com Hide Your IP Address available at http://www.hideyouripaddress.net
Anonymizer Universal available at http://www.anonvmizer.com 9 9 Guardster available at http://www.guardster.com Spotflux available at http://www.spotflux.com
Q U-Surf available at http://ultimate-anonymity.com 9 9 9 WarpProxy available at http://silent-surf.com Hope Proxy available at http://www.hopeproxy.com Hide My IP available at http://www.privacy-pro.com
M o d u le 0 3 Page 4 18
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S p o o fin g I P A d d r e s s
IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be someone else When the victim replies to the address, it goes back to the spoofed address and not to the attacker's real address IP spoofing using Hping 2:
H p in g 2 -a www. 7 . 7 . 7. 7
CEH
-.
S p o o fin g IP
A d d re s s e s
^ Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker a fake IP in place of the attacker's assigned IP. When the attacker sends a connection request to the target host, the target host replys to the attacker's request. But the reply is sent to the spoofed address. When spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources.
IP sp oo fin g using Hping2: H p in g 2 w w w .c r e t i f i e d h a c k e r . c o m -a 7. 7. 7. 7
Using Hping2 you can perform IP spoofing. It helps you to send arbitrary TCP/IP packets to network hosts.
M o d u le 0 3 Page 4 19
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
CEH
Send packet to host of s u s p ect spoofed packet th a t triggers reply and c o m p a re TTL with susp ect packet; if th e TTL in t h e reply is n o t th e s a m e as t h e packet being checked, it is a spoofed packet This te c h n iq u e is successful w h en attacker is in a diffe ren t s u b n e t from victim
a a '
A tta c k e r (S p o o fe d A d d re s s 10 .0 .0 .5 )
Target
10.0.0.5
N o te : N o r m a l tr a f f ic f r o m o n e h o s t c a n v a r y TTLs d e p e n d i n g o n tr a f f ic p a t t e r n s
C o p y rig h t b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
IP
S p o o fin g D e te c tio n
T e c h n iq u e s : D ire c t T T L P ro b e s
Initially send a packet to the host of suspect spoofed packet and wait for the reply. Check whether the TTL value in the reply matches with the TTL value of the packet that you are checking. Both will have the same TTL if they are the same protocol. Though, initial TTL values vary based on the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the commonly used initial values are 64 and 128 and for ICM P, the values are 128 and 255. If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. The hop count can be determined by deducting the TTL value in the reply from the initial TTL value. If the TTL in the reply is not matching with the TTL of the packet that you are checking, it is a spoofed packet. If the attacker knows the hop count between source and host, it will be very easy for the attacker to launch an attack. In this case, the test results in a false negative.
M o d u le 0 3 Page 4 2 0
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S e n d in g a p a c k e t w ith s p o o f e d 1 0 .0 .0 .5 IP - TTL 1 3
Attacker
(S p o o fed A d d ress
>*.
10.0.0.5)
y Nf
10.0.0.5
M o d u le 0 3 Page 421
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
A tta c k e r (S p o o fe d A d d re s s 10 .0 .0 .5 )
*t ;.*
. * 5 .
Ta1get
10.0.0.5
r 3H1
IP
S p o o fin g D e te c tio n
T e c h n iq u e s : IP
Id e n tific a tio n
N u m b e r
Spoofed packets can be identified based on the identification number (IP ID ) in the IP header that increases each time a packet is sent. This method is effective even when both the attacker and victim are on same subnet. To identify whether the packet is spoofed or not, send a probe packet to the target and observe the IP ID number in the reply. If it is in the near value as the packet that you are checking, then it is not a spoofed packet, otherwise it is a spoofed packet.
Sending a packet w ith sp o o fed 1 0 .0 .0 .5 IP - IP ID 2586
w
A tta c k e r (S p o o fe d A d d re s s 1 0 .0 .0 .5 ) T a rg e t
1 0 .0 .0 .5
CEH
A tta c k e r
(Spoo fed Address
T a rg e t
10 .0 .0 .5 )
.'&<* v\
10.0.0.5
C o p y rig h t b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
IP
S p o o fin g D e te c tio n
T e c h n iq u e s : T C P
F lo w
C o n tro l
M e th o d
The TCP can optimize the flow control on both the send and the receiver side with its algorithm. The algorithm accomplishes the flow control based on the sliding window principle. The flow of IP packets can be controlled by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. When the window size is set to zero, the sender should stop sending more data. In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker who is unaware of the ACK packet containing window size information continues to send data to the victim. If the victim receives data packets beyond the window size, then the packets must be treated as spoofed. For effective flow control method and early detection of spoofing, the initial window size must be very small. Most spoofing attacks occur during the handshake, as it is difficult to build multiple spoofing replies with the correct sequence number. Therefore, the flow control spoofed packet detection must be applied at the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting
M o d u le 0 3 Page 4 23
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
the SYN request from a genuine client or a spoofed one, you should set the SYN-ACK to zero. If the sender sends an ACK with any data, then it means that the sender is the spoofed one. This is because when the SYN-ACK is set to zero, the sender must respond to it only with the ACK packet but not ACK with data.
FIGURE 3.82: Using TCP Flow Control Method for IP Spoofing Detection
M o d u le 0 3 Page 4 24
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
I P S p o o fin g C o u n t e r m e a s u r e s
Limit access to configuration information on a machine
CEH
IP
S p o o fin g
C o u n te rm e a s u re s
In ethical hacking, the ethical hacker also known as the pen tester, has to perform an additional task that a normal hacker doesn't follow, i.e., applying countermeasures to the respective vulnerabilities determined through hacking. This is essential because knowing security loopholes in your network is worthless unless you take measures to protect them against real hackers. As mentioned previously, IP spoofing is one of the techniques that a hacker employs to break into the target network. Therefore, in order to protect your network from external hackers, you should apply IP spoofing countermeasures to your network security settings. The following are a few IP spoofing countermeasures that you can apply: Avoid trust relationships Attackers may spoof themselves as a trusted host and send malicious packets to you. If you accept those packets by considering that the packets are sent by your trusted host, then you may get infected. Therefore, it is advisable to test the packets even when they come from one of your trusted hosts. You can avoid this problem by implementing password authentication along with trust-relationship-based authentication. Use firewalls and filtering mechanisms You should filter all the incoming and outgoing packets to avoid attacks and sensitive information loss. The incoming packets may be the malicious packets coming from the attacker.
M o d u le 0 3 Page 4 25
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
If you do not employ any kind of incoming packet filtering mechanism such as a firewall, then the malicious packets may enter your private network and may cause severe loss. You can use access control lists (ACLs) to block unauthorized access. At the same time, there is also a possibility of insider attackers. These attackers may send sensitive information about your business to your competitors. This may also lead to great monetary loss or other issues. There is one more risk of outgoing packets, which is when an attacker succeeds in installing a malicious sniffing program running in hidden mode on your network. These programs gather and send all your network information to the attacker without giving any notification. This can be figured out by filtering the outgoing packets. Therefore, you should give the same importance to the scanning of outgoing packets as that of the incoming packet data scanning. Use random initial sequence numbers Most of the devices chose their ISN based on timed counters. This makes the ISNs predictable as it is easy for a malicious person to determine the concept of generating the ISN. An attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he or she can make a malicious connection to the server and sniff your network traffic. To avoid this, risk you should use random initial sequence numbers. Ingress filtering Prohibiting spoofed traffic from entering the Internet is the best way to block it. This can be achieved with the help of ingress filtering. Ingress filtering applied on routers enhances the functionality of the routers and blocks spoofed traffic. It can be implemented in many ways. Configuring and using access control lists (ACLs) that drop packets with source address outside the defined range is one way to implement ingress filtering. Egress filtering Egress filtering refers to a practice that aims at IP spoofing prevention by blocking the outgoing packets with a source address that is not inside. Use encryption If you want to attain maximum network security, then use strong encryption for all the traffic placed onto the transmission media without considering its type and location. This is the best solution for IP spoofing attacks. Attackers usually tend to find targets that can be compromised easily. If an attacker wants to break into encrypted network, then he or she has to face a whole slew of encrypted packets, which is a difficult task. Therefore, the attacker may try to find another target that can be easily compromised or may attempt other techniques to break into the network. Use the latest encryption algorithms that provide strong security. SYN flooding countermeasures Countermeasures against SYN flooding attacks can also help you to avoid IP spoofing attacks.
M o d u le 0 3 Page 4 2 6
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Besides these basic countermeasures, you can perform the following to avoid IP spoofing attacks: 9 9 9 9 You should limit the access to configuration information on a machine You should always disable commands like ping You should reduce TTL fields in TCP/IP requests You should use multilayered firewalls
M o d u le 0 3 Page 4 27
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
C E H
S c a n n in g M e th o d o lo g y
So far, we have discussed concepts such as what to scan, how to scan, how to detect vulnerabilities, and the respective countermeasures that are necessary to perform scanning pen testing. Now we will begin the action of scanning pen testing. Check for Live Systems Scan for Vulnerability
191
3 0
r -^ r -n
Prepare Proxies
Banner Grabbing
This section highlights the need to scan pen testing and the steps to be followed for effective pen testing.
M o d u le 0 3 Page 4 28
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S c a n n in g P e n T e s tin g
0
J P e n te s t in g a n e t w o r k f o r s c a n n in g v u ln e r a b ilitie s d e t e r m i n e s t h e n e t w o r k 's s e c u r i t y p o s t u r e b y
CEH
0
S c a n n in g
P e n
T e s tin g
The network scanning penetration test helps you to determine the network security posture by identifying live systems, discovering open ports and associated services, and grabbing system banners from a remote location, simulating a network hacking attempt. You should scan or test the network in all possible ways to ensure that no security loophole is overlooked. Once you are done with the penetration testing, you should document all the findings obtained at every stage of testing so that it helps system administrators to: 9 9 9 Close unused ports if not necessary/unknown open ports found Disable unnecessary services Hide or customize banners
9 Troubleshoot service configuration errors 9 Calibrate firewall rules to impose more restriction
M o d u le 0 3 Page 4 29
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
S c a n n in g P e n T e s tin g
(C o n td)
CEH
C h ec k f o r t h e live h o s ts u s in g to o ls s u c h
START
.....>
g
V Scan for vulnerability
>
S c a n n in g
P e n
T e s tin g
( C o n t d )
Let's see step by step how a penetration test is conducted on the target network. Stepl: Host Discovery The first step of network penetration testing is to detect live hosts on the target network. You can attempt to detect the live host, i.e., accessible hosts in the target network, using network scanning tools such as Angry IP Scanner, Nmap, Netscan, etc. It is difficult to detect live hosts behind the firewall. Step 2: Port Scanning Perform port scanning using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc. These tools will help you to probe a server or host on the target network for open ports. Open ports are the doorways for attackers to install malware on a system. Therefore, you should check for open ports and close them if not necessary. Step 3: Banner Grabbing or OS Finger Printing Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, Netcat, etc. This determines the operating system running on the target host of a network and its version. Once you know the version and operating system running on the target system, find
M o d u le 0 3 Page 4 3 0
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
and exploit the vulnerabilities related to that OS. Try to gain control over the system and compromise the whole network.
Step 4: Scan fo r V u ln e ra b ilitie s
Scan the network for vulnerabilities using network vulnerability scanning tools such as Nessus, G FI LANGuard, SAINT, Core Impact Professional, Ratina CS, MBSA, etc. These tools help you to find the vulnerabilities present in the target network. In this step, you will able to determine the security weaknesses/loopholes of the target system or network.
M o d u le 0 3 Page 431
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s S c a n n in g N e t w o r k s
E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r
S c a n n i n g
P e n
T e s t i n g (Contd)
D raw n e tw o rk diagram s
Prepare proxies
Draw netw ork diagrams o f the vulnerable hosts using tools such as LAN surveyor, O pM anager, N etw orkV ie w , The Dude, FriendlyPinger, etc. e e Prepare proxies using tools such as Proxy W orkbench, P roxifier, Proxy Sw itcher, SocksChain, TOR, etc. D ocum ent all the findings
S c a n n in g
P e n
T e s tin g
( C o n t d )
Step 5: Draw Network Diagrams Draw a network diagram of the target organization that helps you to understand the logical connection and path to the target host in the network. The network diagram can be drawn with the help of tools such as LAN surveyor, OpManager, LANState, FriendlyPinger, etc. The network diagrams provide valuable information about the network and its architecture. Step 6 : Prepare Proxies Prepare proxies using tools such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy, ProxyFinder, etc. to hide yourself from being caught. Step 7: Document all Findings The last but the most important step in scanning penetration testing is preserving all outcomes of tests conducted in previous steps in a document. This document will assist you in finding potential vulnerabilities in your network. Once you determine the potential vulnerabilities, you can plan the counteractions accordingly. Thus, penetration testing helps in assessing your network before it gets into real trouble that may cause severe loss in terms of value and finance.
M o d u le 0 3 P a g e 4 3 2
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t
b y E C - C O U I I C il
A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s S c a n n in g N e t w o r k s
E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r
o d u l e
S u m
a r y
The o b je c tiv e o f s c an ning is to d isco ve r live system s, a c tiv e /ru n n in g p o rts , th e o p e ra tin g system s, and th e service s ru n n in g on th e n e tw o rk A tta c k e r d e te rm in e s th e live hosts fro m a range o f IP addresses by se n d in g ICMP ECHO requests to m u ltip le hosts A tta c k e rs use v a rio u s scan ning te c h n iq u e s to bypass fire w a ll ru le s and lo g g in g m e ch a n ism , and hide th e m s e lv e s as usual n e tw o rk tra ffic B ann er g ra b b in g o r OS fin g e rp rin tin g is th e m e th o d to d e te rm in e th e o p e ra tin g system ru n n in g o n a re m o te ta rg e t system D ra w in g ta rg e t's n e tw o rk d ia g ra m gives va lu a b le in fo rm a tio n a b o u t th e n e tw o rk and its a rc h ite c tu re to an a tta c k e r HTTP T u n n e lin g te c h n o lo g y a llo w s users to p e rfo rm va rio u s In te rn e t tasks d e s p ite th e re s tric tio n s im p o s e d by fire w a lls P roxy is a n e tw o rk c o m p u te r th a t can serve as an in te rm e d ia ry fo r c o n n e c tin g w ith o th e r c o m p u te rs A c ha in o f proxies can be c re a te d to eva de a tra c e b a c k to th e a tta c k e r
M o d u le
S u m m a r y
Let's take a look at what you have learned in this module: The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network. Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. Attackers use various scanning techniques to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic.
e
Banner Grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. Drawing target's network diagram gives valuable information about the network and its architecture to an attacker. HTTP Tunneling technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls. Proxy is a network computer that can serve as an intermediary for connecting with other computers. A chain of proxies can be created to evade a traceback to the attacker.
M o d u le 0 3 P a g e 4 3 3
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t
b y E C - C O U I I C il
A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .