CEH Lab Manual: Scanning Networks, Module 03
Module 03 - Scanning Networks

Scanning a Target Network

Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.

Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption.

Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing and list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP addresses/hostnames, live hosts, and vulnerabilities.

Lab Objectives

The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network. You need to perform a network scan to:
* Check live systems and open ports
* Perform banner grabbing and OS fingerprinting
* Identify network vulnerabilities
* Draw network diagrams of vulnerable hosts

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

In the lab, you need:
* A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
* A web browser
* Administrative privileges to run tools and perform scans

Lab Duration

Time: 50 Minutes

Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
CEH Lab Manual Page 6. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.

For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or, possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.

Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment.

In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.

Lab Tasks

Pick an organization that you feel is worthy of your attention.
This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in scanning networks:
* Scanning System and Network Resources Using Advanced IP Scanner
* Banner Grabbing to Determine a Remote Target System Using ID Serve
* Fingerprint Open Ports for Running Applications Using the Amap Tool
* Monitor TCP/IP Connections Using the CurrPorts Tool
* Scan a Network for Vulnerabilities Using GFI LanGuard 2012
* Explore and Audit a Network Using Nmap
* Scanning a Network Using the NetScan Tools Pro
* Drawing Network Diagrams Using LANSurveyor
* Mapping a Network Using the Friendly Pinger
* Scanning a Network Using the Nessus Tool
* Auditing Scanning by Using Global Network Inventory
* Anonymous Browsing Using Proxy Switcher
* Daisy Chaining Using Proxy Workbench
* HTTP Tunneling Using HTTPort
* Basic Network Troubleshooting Using the MegaPing
* Detect, Delete and Block Google Cookies Using G-Zapper
* Scanning the Network Using the Colasoft Packet Builder
* Scanning Devices in a Network Using The Dude

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.
Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

Lab Objectives

The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:
* Perform a system and network scan
* Enumerate user accounts
* Execute remote penetration
* Gather information about local network computers

Lab Environment

In the lab, you need:
* Advanced IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
* You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Windows 8 as the attacker (host machine)
* Another computer running Windows Server 2008 as the victim (virtual machine)
* A web browser with Internet access
* Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
* Administrative privileges to run this tool

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities.
Gathered information is helpful in determining threats and vulnerabilities in a network and in knowing whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks

Task 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 1.1: Windows 8 Desktop view
2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).
FIGURE 1.2: Windows 8 Apps
3. The Advanced IP Scanner main window appears.
FIGURE 1.3: The Advanced IP Scanner main window
4. Now launch the Windows Server 2008 virtual machine (victim's machine).
FIGURE 1.4: The victim machine, Windows Server 2008
5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.
6. Click the Scan button to start the scan.
FIGURE 1.5: The Advanced IP Scanner main window with IP address range
7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
Group Operations: any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

Task 2

FIGURE 1.6: The Advanced IP Scanner main window after scanning
8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.
9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.
FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list
10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.
FIGURE 1.8: The Advanced IP Scanner computer properties window
12. Now you have the IP address, Name, and other details of the victim machine.
13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.
Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Advanced IP Scanner
Scan Information:
IP address
System name
MAC address
NetBIOS information
Manufacturer
System status

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required: No
Platform Supported: iLabs

Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server software.

Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer overflow, SQL injection, and web application flaws on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, crack into the network, and cause server damage.

Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers and ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives

The objective of this lab is to help students learn to perform banner grabbing on a website and discover the applications running on it.
In this lab you will learn to:
* Identify the domain IP address
* Identify the domain information

Lab Environment

To perform the lab you need:
* ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
* You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
* If you decide to download the latest version, then screenshots shown in the lab might differ
* Double-click idserve to run ID Serve
* Administrative privileges to run the ID Serve tool
* Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it is for FTP, SMTP, POP, NEWS, or anything else. ID Serve can also accept the URL or IP address as a command-line parameter.

Lab Tasks

Task 1

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
2. In the main window of ID Serve shown in the following figure, select the Server Query tab.
3. Enter the IP address or URL in the field Enter or Copy/paste an Internet server URL or IP address here:
FIGURE 2.2: Entering the URL for query
4. Click Query The Server; it shows the processed server query information.

ID Serve can also connect to non-web servers to receive and report that server's greeting message, which generally reveals the server's make, model, version, and other potentially useful information.

Lab Analysis

Document all the IP addresses, their running applications, and the protocols you discovered during the lab.

ID Serve
IP address: 202.75.54.101
Server Connection: Standard HTTP port: 80
Response headers returned from server:
HTTP/1.1 200
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/4.4.8
Transfer-Encoding: chunked
Content-Type: text/html

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine what protocols ID Serve apprehends.
2. Check if ID Serve supports https (SSL) connections.

Fingerprinting Open Ports Using the Amap Tool

Amap determines the applications running on each open port.

Lab Scenario

Computers communicate with each other by knowing the IP address in use, and ports determine which program to use when data is received. A complete data transfer always contains the IP address plus the required port number. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine.
In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.

Lab Objectives

The objective of this lab is to help students learn to fingerprint open ports and discover applications running on these open ports. In this lab, you will learn to:
* Identify the application protocols running on open port 80
* Detect application protocols

Lab Environment

To perform the lab you need:
* Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
* You can also download the latest version of AMAP from the link http://www.th
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Web Services enabled for port 80
* Administrative privileges to run the Amap tool
* Run this tool on Windows Server 2012

For Amap options, type amap -help.

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.

Lab Tasks

Task 1: Identify Application Protocols Running on Port 80

1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
2. Type amap www.certifiedhacker.com 80, and press Enter.
FIGURE 3.1: Amap with host name and port 80
3. You can see the specific application protocols running on the entered host name and port 80.
4. Use the IP address to check the applications running on a particular port.
5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine), amap 10.0.0.4 75-81, and press Enter (the IP address will be different in your network).
6. Try scanning different websites using different port ranges, like amap www.certifiedhacker.com 1-200

Monitor TCP/IP Connections Using the CurrPorts Tool

HTML Reports - All Items.
FIGURE 4.2: CurrPorts with HTML Report - All Items
5. To save the generated CurrPorts report from the web browser, click File > Save Page As...
FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items
6. To view only the selected report as an HTML page, select the reports and click View > HTML Reports - Selected Items.
FIGURE 4.5: CurrPorts with HTML Report - Selected Items
7. The selected report automatically opens in the default browser.
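The matching half of what both ID Serve (response headers such as Server: and X-Powered-By:) and Amap (trigger packets looked up against response strings) do, as an added example that is not part of the manual or of either tool. It runs over banners that have already been captured, so a server owner can see which product versions their own services give away; every banner below is constructed sample data, and the signature lists and function names are this example's own.

```python
"""Banner fingerprinting in the style of ID Serve and Amap.

ID Serve pulls a server's greeting or HTTP response headers; Amap sends
trigger packets and looks the responses up in a list of response strings.
This module does the matching half on banners already captured, so that a
server owner can see which products and versions their own services reveal.
All banners below are constructed sample data, not captures from any host.
"""
import re
from dataclasses import dataclass, field

# Response signatures: (protocol name, pattern applied to the raw banner).
SIGNATURES = [
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}", re.M)),
    ("ftp",  re.compile(r"^220[ -].*FTP", re.M | re.I)),
    ("smtp", re.compile(r"^220[ -].*\bE?SMTP\b", re.M | re.I)),
    ("ssh",  re.compile(r"^SSH-\d\.\d-", re.M)),
]

# Fields that give away product and version. The ID Serve output in the
# manual shows Server: and X-Powered-By: doing exactly this.
VERSION_FIELDS = [
    re.compile(r"^(?:Server|X-Powered-By):\s*(?P<product>[^/\r\n]+)/(?P<version>\S+)", re.M | re.I),
    re.compile(r"^220[ -].*?\b(?P<product>[A-Za-z][\w-]*)[ /](?P<version>\d+(?:\.\d+)+\w*)", re.M),
    re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)_(?P<version>[\w.]+)", re.M),
]


@dataclass
class Fingerprint:
    port: int
    protocol: str                                     # "unknown" if no signature matched
    disclosures: list = field(default_factory=list)   # (product, version) pairs


def fingerprint(port: int, banner: str) -> Fingerprint:
    """Classify one banner and list every product/version it discloses."""
    protocol = next((name for name, rx in SIGNATURES if rx.search(banner)), "unknown")
    found = Fingerprint(port, protocol)
    for rx in VERSION_FIELDS:
        for m in rx.finditer(banner):
            found.disclosures.append((m.group("product").strip(), m.group("version")))
    return found


def exposure_report(banners: dict) -> dict:
    """Map port -> disclosures for every banner that leaks a version.

    Ports whose banner names no version are left out: that is the goal
    state after banner hardening (for example Server: Apache with no version)."""
    report = {}
    for port, banner in banners.items():
        fp = fingerprint(port, banner)
        if fp.disclosures:
            report[port] = fp.disclosures
    return report


# Constructed sample banners. Port 80 mirrors the header set the manual shows
# for ID Serve; port 8080 shows a hardened server that names no version.
SAMPLE_BANNERS = {
    21: "220 ProFTPD 1.3.3 Server (Debian) ready.\r\n",
    22: "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
    25: "220 mail.example.test ESMTP Postfix 2.9.6\r\n",
    80: ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
         "X-Powered-By: PHP/4.4.8\r\nTransfer-Encoding: chunked\r\n"
         "Content-Type: text/html\r\n\r\n"),
    8080: "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for port, banner in SAMPLE_BANNERS.items():
        fp = fingerprint(port, banner)
        print(f"{port:>5}/tcp {fp.protocol:<7} {fp.disclosures or 'no version disclosed'}")
    print("ports needing banner hardening:", sorted(exposure_report(SAMPLE_BANNERS)))
```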
FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items
8. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).
FIGURE 4.7: The Web browser saving CurrPorts with HTML Report - Selected Items
9. To view the properties of a port, select the port and click File > Properties.
FIGURE 4.8: CurrPorts Properties for a selected port
10. The Properties window appears and displays all the properties for the selected port.
11. Click OK to close the Properties window.

Properties window fields: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, Process Path, Product Name, File Description, File Version, Company.

12. To close a TCP connection you think is suspicious, select the process and click File > Close Selected TCP Connections (or Ctrl+T).

Task 2

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option
FIGURE 4.11: The CurrPorts Kill Processes of Selected Ports option
14. To exit from the CurrPorts utility, click File > Exit. The CurrPorts window closes.

Command-line options: /stext <Filename> saves the list of all opened TCP/UDP ports into a text file; /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (horizontal).
Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

CurrPorts
Scan Profile Details: Network scan for open ports
Process Name
Process ID
Protocol
Local Port
Local Address
Remote Port
Remote Port Name
Remote Address
Remote Host Name

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53, and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the ports opened by the Firefox browser.
3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
a. Display Established
b. Mark Ports Of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items With Unknown State

Internet Connection Required: No
Platform Supported: Classroom, iLabs

Scanning for Network Vulnerabilities Using GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Lab Scenario

You learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool automatically marks, in pink, suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items and then close the selected connections.
Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing. In this lab, you need to:
* Perform a vulnerability scan
* Audit the network
* Detect vulnerable ports
* Identify security vulnerabilities
* Correct security vulnerabilities with remedial action

Lab Environment

To perform the lab, you need:
* GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
* You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Windows Server 2012 as the host machine
* Windows Server 2008 running in a virtual machine
* Microsoft .NET Framework 2.0
* Administrator privileges to run the GFI LANguard Network Security Scanner
* It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
* Complete the subscription and get an activation code; the user will receive an email that contains the activation code

Lab Duration

Time: 10 Minutes

Overview of Scanning Network

As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

Lab Tasks

Task 1: Scanning for Vulnerabilities

Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine (Windows Server 2012).

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 5.1: Windows Server 2012 Desktop view
2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.
FIGURE 5.2: Windows Server 2012 Apps
3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.
FIGURE 5.3: The GFI LANguard main window
4. Click the Launch a Scan option to perform a network scan.
FIGURE 5.4: The GFI LANguard main window, clicking the Launch a Custom Scan option
5. The Launch a New scan window will appear.
   i. In the Scan Target option, select localhost from the drop-down list.
   ii. In the Profile option, select Full Scan from the drop-down list.
   iii. In the Credentials option, select currently logged on user from the drop-down list.
6. Click Scan.
FIGURE 5.5: Selecting options for scanning
7. Scanning will start; it will take some time to scan the network. See the following figure.
FIGURE 5.6: GFI LANguard scanning
8. After completing the scan, the scan result will show in the left panel.
FIGURE 5.7: GFI LanGuard scan results

Quick scans have shorter scan durations than full scans, mainly because they perform only a subset of the checks. Intrusion detection software (IDS): during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts.

9. To check the Scan Result Overview, click the IP address of the machine in the right panel.
10. It shows the Vulnerability Assessment and Network & Software Audit.
11. It shows all the Vulnerability Assessment indicators by category.
FIGURE 5.9: Vulnerability Assessment indicators
12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.
FIGURE 5.10: System patching status report
13. Click Ports, and under this, click Open TCP Ports.
FIGURE 5.11: TCP/UDP Ports
14. Click System Information in the right side panel; it shows all the details of the system information.
15. Click Password Policy.
FIGURE 5.12: Password Policy
16. Click Groups; it shows all the groups present in the system.

The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected during the security scan.

Lab Analysis

Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
GFI LanGuard 2012
Vulnerability Level
Vulnerability Assessment
System Patching Status
Scan Results Details for Open TCP Ports
Scan Results Details for Password Policy
GFI LanGuard 2012 Dashboard: Entire Network Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Internet Connection Required: No
Platform Supported: iLabs

Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerability information.
Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.
Lab Objectives
The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.
In this lab, you need to:
- Scan TCP and UDP ports
- Analyze host details and their topology
- Determine the types of packet filters
- Record and save all scan reports
- Compare saved results for suspicious ports
Lab Environment
To perform the lab, you need:
- Nmap, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
- You can also download the latest version of Nmap from http://nmap.org/
- If you decide to download the latest version, the screenshots shown in the lab might differ
- A computer running Windows Server 2012 as the host machine
- Windows Server 2008 running on a virtual machine as the guest
- A web browser with Internet access
- Administrative privileges to run the Nmap tool
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
Network addresses are scanned to determine:
- What services (application names and versions) those hosts offer
- What operating systems (and OS versions) they run
- The type of packet filters/firewalls that are in use, and dozens of other characteristics
Lab Tasks
TASK 1: Intense Scan
Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
Note: Zenmap is installed with the following components: Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Performance Improvements, Zenmap (GUI frontend), Ncat (Modern Netcat), and Nping (Packet generator).
Note: The Nmap command-line syntax is nmap [Scan Type(s)] [Options] {target specification}. Only one scan type may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
FIGURE 6.2: Windows Server 2012 - Apps
2. Open Nmap - Zenmap GUI from the Apps screen. The Nmap - Zenmap GUI window appears.
FIGURE 6.3: The Zenmap main window
3. Enter the IP address of the Windows Server 2008 virtual machine (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
4. In this lab, the IP address is 10.0.0.4; it will be different in your lab environment.
5. In the Profile: field, select from the drop-down list the type of profile you want to scan with.
6. In this lab, select Intense Scan.
7. Click Scan to start scanning the virtual machine.
FIGURE 6.4: The Zenmap main window with Target and Profile entered
8. Nmap scans the provided IP address with the Intense Scan profile and displays the scan result below the Nmap Output tab.
Note: Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan
9. After the scan is complete, Nmap shows the scanned results.
Note: Nmap host discovery options include -sL (List Scan), -sn (Ping Scan), -Pn (treat all hosts as online, skip host discovery), -PS/PA/PU/PY (TCP SYN/ACK, UDP or SCTP discovery to given ports), -PE/PP/PM (ICMP echo, timestamp, and netmask request probes), -PO (IP Protocol Ping), -PR (ARP Ping), --traceroute (trace path to each host), -n (no DNS resolution), -R (DNS resolution for all targets), --system-dns (use the system DNS resolver), and --dns-servers <serv1[,serv2],...> (specify custom DNS servers).
FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan
10. Click the Ports/Hosts tab to display more information on the scan.
FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
Note: Nmap determines your DNS servers (for reverse DNS resolution) from your resolv.conf file (UNIX) or the Registry (Windows).
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense Scan profile.
FIGURE 6.8: The Zenmap main window with the Topology tab for Intense Scan
13. Click the Host Details tab to see the details of all hosts discovered during the Intense Scan profile.
14. Click the Scans tab to see the scan details for the provided IP addresses.
Note: Nmap offers options for specifying which ports are scanned and whether the scan order is random or sequential; -p <port ranges> scans only the specified ports.
FIGURE 6.10: The Zenmap main window with the Scans tab for Intense Scan
15. Now, click the Services tab located in the right pane of the window.
This tab displays the list of services.
16. Click the http service to list all the HTTP hostnames/IP addresses, ports, and their states (Open/Closed).
Note: In Nmap, option -F (fast) scans fewer ports than the default scan.
17. Click the msrpc service to list all the hosts and ports offering Microsoft Windows RPC.
Note: Nmap's --port-ratio <ratio> option scans all ports in the nmap-services file with a ratio greater than the one given; <ratio> must be between 0.0 and 1.1.
FIGURE 6.12: The Zenmap main window with the msrpc service for Intense Scan
18. Click the netbios-ssn service to list all NetBIOS hostnames.
FIGURE 6.13: The Zenmap main window with the netbios-ssn service for Intense Scan
TASK 2: Xmas Scan
19. An Xmas scan (Nmap's -sX) sends a TCP frame to a remote device with the FIN, PSH, and URG flags set, lighting the packet up like a Christmas tree. Like the FIN and Null scans, it works only against TCP/IP stacks developed according to RFC 793: a closed port answers the probe with a RST, while an open port silently drops it, so Nmap can report closed ports reliably but can only report open|filtered for the rest.
20. To perform an Xmas scan, create a new profile. Click Profile > New Profile or Command (Ctrl+P).
21. On the Profile tab of the Profile Editor, enter a profile name (Xmas Scan) in the Profile name text field; a description can be added in the Description field.
FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab
Note: UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list.
FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab
23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes.
FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab
24. Enter the IP address in the Target: field, select the Xmas Scan profile from the Profile: field, and click Scan.
FIGURE 6.18: The Zenmap main window with Target and Profile entered
25. Nmap scans the target IP address provided and displays the results on the Nmap Output tab.
Note: When scanning systems compliant with RFC 793, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. Stacks that do not follow this rule (Microsoft Windows and many Cisco devices among them) send a RST to these probes regardless of whether the port is open, so every port shows as closed; confirm with a SYN scan (-sS) before drawing conclusions.
Note: The -sA option (TCP ACK scan) never determines open ports; it is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
FIGURE 6.19: The Zenmap main window with the Nmap Output tab for Xmas Scan
26. Click the Services tab located at the right side of the pane. It displays all the services of that host.
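The lab objectives above include recording and saving scan reports and comparing saved results for suspicious ports. Zenmap's Scan > Save Scan writes the scan in Nmap's XML format (the same output as nmap -oX report.xml), and Nmap ships with ndiff for comparing two such files. The script below, added here as an example and not part of the lab or of Nmap, does that comparison by hand so the logic is visible: it pulls every open port out of two reports and lists ports that are newly open (the ones to investigate) and ports that are no longer open. The two XML documents are constructed samples in Nmap's format, trimmed to the elements the script reads; the host, ports and services in them are illustrative.

```python
"""Compare two saved Nmap XML reports and flag ports whose open state changed.

Added example for this lab (not Nmap or Zenmap code). The two documents
below are constructed samples in Nmap's -oX format, trimmed to the elements
this script reads.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed baseline: the Intense Scan result recorded on day one.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v 10.0.0.4">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed" reason="reset"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed later scan of the same host: the web server is gone, and FTP
# and RDP have appeared. Anything newly listening deserves a closer look.
LATER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v 10.0.0.4">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

PortKey = Tuple[str, int]                  # (protocol, port number)
HostPorts = Dict[str, Dict[PortKey, str]]  # address -> {(proto, port): service name}


def open_ports(xml_text: str) -> HostPorts:
    """Return every open port, per IPv4 host, found in an Nmap XML report."""
    hosts: HostPorts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # hosts without an IPv4 address are not tracked here
        ports: Dict[PortKey, str] = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports matter for the comparison
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr.get("addr")] = ports
    return hosts


def diff_reports(baseline_xml: str, later_xml: str) -> Dict[str, Dict[str, Dict[PortKey, str]]]:
    """For each host in either report, list ports that became open and ports that stopped being open."""
    before, after = open_ports(baseline_xml), open_ports(later_xml)
    result = {}
    for addr in sorted(set(before) | set(after)):
        old, new = before.get(addr, {}), after.get(addr, {})
        result[addr] = {
            "new_open": {k: v for k, v in new.items() if k not in old},
            "no_longer_open": {k: v for k, v in old.items() if k not in new},
        }
    return result


if __name__ == "__main__":
    for addr, change in diff_reports(BASELINE_XML, LATER_XML).items():
        for (proto, port), svc in sorted(change["new_open"].items()):
            print(f"{addr}: NEW open port {port}/{proto} ({svc}) - investigate")
        for (proto, port), svc in sorted(change["no_longer_open"].items()):
            print(f"{addr}: port {port}/{proto} ({svc}) is no longer open")
```

Keying the comparison on (protocol, port) rather than on the service name avoids false alarms when only Nmap's version detection changes between runs; a real report can hold many hosts, and the loop handles hosts that appear in only one of the two scans.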
FIGURE 6.20: The Zenmap main window with the Services tab for Xmas Scan
TASK 3: Null Scan
27. A Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a Null scan, attackers send a TCP frame to a remote host with no flags set (Nmap's -sN).
28. To perform a Null scan for a target IP address, create a new profile. Click Profile > New Profile or Command (Ctrl+P).
Note: The -sI <zombie host[:probeport]> option (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.
Note: The -b <FTP relay host> option (FTP bounce scan) exploits a feature of the FTP protocol that allows a user to connect to one FTP server and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.
FIGURE 6.21: The Zenmap main window with the New Profile or Command option
29. On the Profile tab, enter the profile name Null Scan in the Profile name text field.
FIGURE 6.22: The Zenmap Profile Editor with the Profile tab
30. Click the Scan tab in the Profile Editor window. Now select Null Scan (-sN) from the TCP scan: drop-down list.
FIGURE 6.23: The Zenmap Profile Editor with the Scan tab
31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.
32. Click Save Changes to save the newly created profile.
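The Xmas scan (Task 2) and the Null scan (Task 3) both rest on the RFC 793 behaviour described in steps 19 and 27. The script below is an added example, not Nmap's own code, that simulates what each probe gets back from a single TCP port and then applies the rules Nmap uses to turn the reply into a port state. The "RFC 793" model follows the SEGMENT ARRIVES rules for the CLOSED and LISTEN states; the "Windows-style" model is an assumed stand-in for stacks that reset every such probe whether or not the port is open (Nmap's documentation lists Microsoft Windows among them). The port numbers, their states and the firewalled port are constructed for the demonstration.

```python
"""Why FIN, Null and Xmas scans work only against RFC 793 stacks: a simulation.

Added example for this lab, not Nmap code. The rfc793_stack model follows
RFC 793's SEGMENT ARRIVES rules for the CLOSED and LISTEN states; the
windows_style_stack model is an assumption standing in for stacks that
answer every non-SYN probe with a RST regardless of port state.
"""
from typing import Callable, Dict, FrozenSet, Optional

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags carried by each Nmap probe type.
PROBES = {
    "syn": SYN,               # -sS
    "fin": FIN,               # -sF
    "null": 0,                # -sN: no flags at all
    "xmas": FIN | PSH | URG,  # -sX: "lit up like a Christmas tree"
}

Stack = Callable[[bool, int], Optional[str]]


def rfc793_stack(port_open: bool, flags: int) -> Optional[str]:
    """Reply of a port on an RFC 793-compliant stack (None = segment silently dropped)."""
    if flags & RST:
        return None        # an incoming RST is never answered
    if not port_open:
        return "RST"       # CLOSED: anything else gets a reset
    if flags & ACK:
        return "RST"       # LISTEN: a stray ACK is reset
    if flags & SYN:
        return "SYN/ACK"   # LISTEN: connection attempt is answered
    return None            # LISTEN: FIN/Null/Xmas probes are dropped


def windows_style_stack(port_open: bool, flags: int) -> Optional[str]:
    """Assumed model: resets every probe except a SYN, regardless of port state."""
    if flags & RST:
        return None
    if flags & SYN and not flags & ACK:
        return "SYN/ACK" if port_open else "RST"
    return "RST"           # open or closed, a FIN/Null/Xmas probe gets a reset


def classify(scan: str, reply: Optional[str]) -> str:
    """Turn a reply into the state Nmap prints for this scan type."""
    if scan == "syn":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    # FIN/Null/Xmas: silence means open OR filtered; the probe cannot tell which
    if reply == "RST":
        return "closed"
    if reply == "ICMP":    # an ICMP unreachable from a filter would land here
        return "filtered"
    return "open|filtered"


def scan_host(stack: Stack, ports: Dict[int, bool], scan: str,
              firewalled: FrozenSet[int] = frozenset()) -> Dict[int, str]:
    """Scan each port (port -> is_open). A stateful firewall drops probes to firewalled ports."""
    flags = PROBES[scan]
    result: Dict[int, str] = {}
    for port, is_open in ports.items():
        reply = None if port in firewalled else stack(is_open, flags)
        result[port] = classify(scan, reply)
    return result


if __name__ == "__main__":
    # Constructed target: 80 open, 81 closed, 443 closed but behind a firewall.
    target = {80: True, 81: False, 443: False}
    for name, stack in (("RFC 793 stack", rfc793_stack), ("Windows-style stack", windows_style_stack)):
        for scan in ("syn", "xmas", "null"):
            states = scan_host(stack, target, scan, firewalled=frozenset({443}))
            print(f"{name:20} {scan:5} {states}")
```

Two things the simulation makes visible: against an RFC 793 stack an Xmas or Null probe cannot distinguish the open port 80 from the firewalled port 443 (both come back open|filtered), and against the Windows-style stack every port is reported closed, which is what to expect from the Windows Server 2008 target in this lab. That is why step 25's result should be cross-checked with a SYN scan before any port is written off.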
