Module XVIII: External Penetration Testing
EC-Council
Penetration Testing Roadmap
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
Cont’d
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont’d)
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
VPN Penetration Testing
War Dialing
Telecommunication and Broadband Communication Penetration Testing
Data Leakage Penetration Testing
Security Patches Penetration Testing
Email Security Penetration Testing
End Here
External Intrusion Test and Analysis
An external intrusion test and analysis identifies security weaknesses and strengths of the client's systems and networks as they appear from outside the client's security perimeter, usually from the Internet.
How is it Done?
Client Benefits
External Penetration Testing
Steps – Conduct External Penetration Testing
1 • Inventory the company’s external infrastructure
7 • Identify the physical location of the target servers
Steps – Conduct External Penetration Testing (cont’d)
10 • Find IP block information about the target
18 • Use XMAS scan on the target and see the response
Steps – Conduct External Penetration Testing (cont’d)
19 • Use FIN scan on the target and see the response
37 • Check for directory consistency and page naming syntax of the web pages
42 • Record and replay the traffic to the target web server and note the response
Steps – Conduct External Penetration Testing (cont’d)
53 • Try to use an HTTPS tunnel to encapsulate traffic
54 • OS fingerprint target servers
59 • Check for ICMP responses (type 17, subnet address mask request)
Inventory Company’s External Infrastructure (cont’d)
Step 2: Create Topological Map of the Network
• Servers.
• Connection to ISP.
• Infrastructure used.
• How they are networked to other systems:
  • Customers.
  • Partners.
Create Topological Map of the Network (cont’d)
Step 3: Identify the IP Address
Tools:
• NeoTrace
• IP Address 2 Country
• IP Prober
Step 4: Locate the Traffic Route that Goes to the Web Servers
The network's topological map (or matrix) can be manually verified by logging into each device on the network and using built-in operating system commands such as tracert (Windows) or traceroute (Unix).
Tracert
Step 5/6: Locate TCP/UDP Traffic Path to the Destination
TCP/UDP trace tools:
• IGI
• pathChirp
• Pathload
• Pathrate
• tulip
• Tcptrace
• Netperf
• Scriptroute
Step 7: Identify the Physical Location of the Target Servers
Use NeoTrace tools to identify the physical location of the target servers.
Step 8: Examine the Use of IPv6 at the Remote Location
Verify if the target servers are using the IPv6 protocol.
Tools:
• 46Bouncer
Step 9: Lookup Domain Registry for IP Information
All-Network tools (Nettools.com) include Whois, Traceroute, Locate DNS servers, and ping.
Step 10: Find IP Block Information about the Target
Tools:
• SAM SPADE
• ARIN DATABASE
Step 11: Locate the ISP Servicing the Client
Look for the following:
Step 12: List Open Ports
Common ports:
7 Echo
13 DayTime
23 Telnet
25 SMTP
63 Whois
66 SQL*net (Oracle)
70 Gopher
79 Finger
80 HTTP
88 Kerberos
113 IDENT
Tools:
• Super Scanner
• NetScan Tools Pro
• Nmap
Step 13: List Closed Ports
Port Scanning Tools
Cerberus Internet Scanner (formerly NTInfoScan or NTIS) www.cerberus-infosec.co.uk
CyberCop Scanner www.nai.com
Firewalk www.packetfactory.net
HackerShield www.bindview.com
Hostscan www.savant-software.com
Internet Scanner www.iss.net
IpEye/WUPS www.ntsecurity.nu
Nessus www.nessus.org
Netcat www.atstake.com
Netcop www.cotse.com
NetScan Tools www.nwpsw.com
Nmap www.insecure.org
NmapNT www.eeye.com
SAINT/SATAN www.wwdsi.com
SARA www.www-arc.com
Scanport www.dataset.fr
Strobe www.freebsd.org
Super Scan/Fscan www.foundstone.com
Twwwscan www.search.iland.co.kr
Whisker www.wiretrip.net
Winscan www.prosolve.com
Step 14: List Suspicious Ports that are Half Open/Closed
Look out for stealth ports – a stealth port will not generate any kind of acknowledgement from the target machine.
The advantage of a stealth port over a closed port is that the intruder's probing efforts are going to be slowed.
Step 15: Port Scan Every Port (65,536) on the Target’s Network
Step 16: Use SYN Scan on the Target and See the Response
Step 17: Use Connect Scan on the Target and See the Response
Step 18: Use XMAS Scan on the Target and See the Response
Computer A                                       Computer B
192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23
192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK--------------192.5.5.110:23
Note: no response to the FIN/URG/PSH probe means the port is open (or filtered); an RST/ACK reply means the port is closed.
Step 19: Use FIN Scan on the Target and See the Response
192.5.5.92:4031 -----------FIN----------------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE----------192.5.5.110:23
192.5.5.92:4031 -----------FIN----------------->192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK------------192.5.5.110:23
Note: The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.
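The two exchanges above show the same thing from the target's side: a closed port answers a FIN/URG/PSH or lone-FIN probe with RST/ACK, while an open port stays silent. The following Python script is an added example, not part of the EC-Council slides: it runs simple detection logic over a constructed packet log (the log format is an assumption) and reports sources that send XMAS or FIN probes to several ports.

```python
import re
from collections import defaultdict

# Constructed sample log of TCP packets seen at the perimeter (not from the slides).
# Assumed format: "<src>:<sport> -> <dst>:<dport> flags=<FLAG,FLAG,...>"; NONE = no flags.
SAMPLE_LOG = """\
192.5.5.92:4031 -> 192.5.5.110:23 flags=FIN,URG,PSH
192.5.5.92:4031 -> 192.5.5.110:25 flags=FIN,URG,PSH
192.5.5.92:4031 -> 192.5.5.110:80 flags=FIN,URG,PSH
192.5.5.92:4032 -> 192.5.5.110:22 flags=FIN
192.5.5.92:4032 -> 192.5.5.110:443 flags=FIN
192.5.5.50:51000 -> 192.5.5.110:80 flags=SYN
192.5.5.50:51000 -> 192.5.5.110:80 flags=ACK
192.5.5.50:51000 -> 192.5.5.110:80 flags=FIN,ACK
192.5.5.110:23 -> 192.5.5.92:4031 flags=RST,ACK
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) flags=(\S+)$")


def classify_flags(flags):
    """Return 'xmas', 'fin', 'null' or None for a comma-separated flag list.

    XMAS: FIN+URG+PSH and nothing else (the probe drawn on the slide).
    FIN:  FIN alone.  NULL: no flags at all.
    Anything carrying SYN, ACK or RST belongs to a normal handshake or
    teardown (a FIN/ACK is a legitimate close), so it is not a probe.
    """
    f = {x for x in flags.split(",") if x and x != "NONE"}
    if f & {"SYN", "ACK", "RST"}:
        return None
    if f == {"FIN", "URG", "PSH"}:
        return "xmas"
    if f == {"FIN"}:
        return "fin"
    if not f:
        return "null"
    return None


def parse_log(text):
    """Yield (src, dst, dport, kind) for every probe-like packet in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        kind = classify_flags(flags)
        if kind:
            yield src, dst, int(dport), kind


def find_scanners(text, min_ports=2):
    """Group probes by (source, probe type) and keep sources that touched at
    least `min_ports` distinct destination ports with that probe type."""
    hits = defaultdict(set)
    for src, dst, dport, kind in parse_log(text):
        hits[(src, kind)].add((dst, dport))
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_ports}


if __name__ == "__main__":
    for (src, kind), targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src} sent {len(targets)} {kind}-scan probes: {targets}")
```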
Step 21: Firewalk on the Router’s Gateway and Guess the Access-List
Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway.
If the gateway allows the traffic, it will forward the packets to the next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED message.
If the gateway host does not allow the traffic, it is likely to drop the packets on the floor and we will see no response.
Step 22: Examine TCP Sequence Number Prediction
C:\> nmapnt -O -p 130-140 10.0.0.1
Starting nmapNT V. 2.53 by ryan@eEye.com
Use tools like nmap and predict (eEye Digital Security, http://www.eEye.com).
Step 23: Examine the Use of Standard and Non-Standard Protocols
Almost no NIDS products can decode IPv6.
Step 24: Examine IPID Sequence Number Prediction
This can be used to estimate web site traffic, determine when people log on, etc.
Large sites use load balancing equipment so that a single address maps to a small farm of servers.
By noting the IPID values you can determine how many machines are behind the load balancer and which one you are connected with.
Hping2 IPID Example
For example, the "id" fields in the hping2 execution reveal that beta.search.microsoft.com is handled by two machines behind a load balancer (207.46.197.115).
# hping2 -c 10 -i 1 -p 80 -S beta.search.microsoft.com.
HPING beta.search.microsoft.com. (eth0 207.46.197.115): S set, 40 headers + 0 data bytes
46 bytes from 207.46.197.115: flags=SA seq=0 ttl=56 id=57645 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=1 ttl=56 id=57650 win=16616 rtt=21.4 ms
46 bytes from 207.46.197.115: flags=RA seq=2 ttl=56 id=18574 win=0 rtt=21.3 ms
46 bytes from 207.46.197.115: flags=RA seq=3 ttl=56 id=18587 win=0 rtt=21.1 ms
46 bytes from 207.46.197.115: flags=RA seq=4 ttl=56 id=18588 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=5 ttl=56 id=57741 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=RA seq=6 ttl=56 id=18589 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=7 ttl=56 id=57742 win=16616 rtt=21.7 ms
46 bytes from 207.46.197.115: flags=SA seq=8 ttl=56 id=57743 win=16616 rtt=21.6 ms
46 bytes from 207.46.197.115: flags=SA seq=9 ttl=56 id=57744 win=16616 rtt=21.3 ms
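An added Python example (not from the EC-Council slides) that parses the hping2 replies shown above and groups the id values into per-host incrementing counters. The reply lines are the ones printed on the slide; the greedy grouping and the 2048 window size are this example's assumptions, chosen so that two counters roughly 39,000 apart never merge.

```python
import re

# hping2 output copied from the slide above (ten SYN probes to port 80).
HPING_OUTPUT = """\
46 bytes from 207.46.197.115: flags=SA seq=0 ttl=56 id=57645 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=1 ttl=56 id=57650 win=16616 rtt=21.4 ms
46 bytes from 207.46.197.115: flags=RA seq=2 ttl=56 id=18574 win=0 rtt=21.3 ms
46 bytes from 207.46.197.115: flags=RA seq=3 ttl=56 id=18587 win=0 rtt=21.1 ms
46 bytes from 207.46.197.115: flags=RA seq=4 ttl=56 id=18588 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=5 ttl=56 id=57741 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=RA seq=6 ttl=56 id=18589 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=7 ttl=56 id=57742 win=16616 rtt=21.7 ms
46 bytes from 207.46.197.115: flags=SA seq=8 ttl=56 id=57743 win=16616 rtt=21.6 ms
46 bytes from 207.46.197.115: flags=SA seq=9 ttl=56 id=57744 win=16616 rtt=21.3 ms
"""

REPLY_RE = re.compile(r"flags=(\w+) seq=(\d+) ttl=(\d+) id=(\d+) win=(\d+)")


def parse_replies(text):
    """Return [(seq, flags, ttl, ipid, win)] sorted by probe sequence number."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            flags, seq, ttl, ipid, win = m.groups()
            out.append((int(seq), flags, int(ttl), int(ipid), int(win)))
    out.sort()
    return out


def cluster_ipids(replies, window=2048):
    """Greedily assign replies to IPID 'tracks', one per suspected host.

    A host with a global incrementing IPID counter emits ids that only go
    up, in small steps. Each reply joins the first track whose last id is
    below it by less than `window`; otherwise it starts a new track. The
    number of tracks estimates the number of hosts behind the address.
    Assumption: no 16-bit counter wraps during the ten probes.
    """
    tracks = []  # each track: list of (seq, ipid)
    for seq, _flags, _ttl, ipid, _win in replies:
        for track in tracks:
            last = track[-1][1]
            if last < ipid < last + window:
                track.append((seq, ipid))
                break
        else:
            tracks.append([(seq, ipid)])
    return tracks


def estimate_hosts(text, window=2048):
    """Number of distinct IPID counters seen in the hping2 output."""
    return len(cluster_ipids(parse_replies(text), window))


if __name__ == "__main__":
    for i, t in enumerate(cluster_ipids(parse_replies(HPING_OUTPUT)), 1):
        print(f"host {i}: ids {[ipid for _, ipid in t]}")
    print("estimated hosts behind 207.46.197.115:", estimate_hosts(HPING_OUTPUT))
```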
Step 25: Examine the System Uptime of Target Server
Look for the following information:
Tools:
• Netcraft
• Uptime
Step 26: Examine Operating System Used for Different Targets
Use banner grabbing techniques to identify the remote OS.
Look out for honey pots, packet crafters, and banner fakers.
Tools:
• Nmap
• Telnet
• Nc
• Netcraft
• OS fingerprinting tool
Step 27: Examine the Applied Patch to the Operating System
Tools:
• Netcraft
Step 28: Locate DNS Record of the Domain and Attempt DNS Hijacking
Step 29: Download Applications From the Company’s Website and Reverse Engineer the Binary Code
Download program executables from the remote website:
• Java programs
• Exe programs
• Flash programs
Look for:
• Programmer’s name
• Comments
• Sensitive information
• Programming style
Tools:
• IDA Pro
• Java Engineer
• FlashSaver
• REC Decompiler
IDA Pro
Step 30: List Programming Languages Used and Application Software to Create Various Programs From the Target Server
Check for in-house developed applications.
Step 30: List Programming Languages Used and Application Software to Create Various Programs From the Target Server (cont’d)
• AppleScript
• AWK
• C
• C++
• C#
• COBOL
• Java
• J++
• J#
• JavaScript
• Perl
• PHP
• PowerBuilder
• Python
• Ruby
• Tcl
• VBScript
• Visual Basic
Step 31: Look for Error and Custom Web Pages
Example:
• http://www.xsecurity.com/slkdjfslkdfj
• http://www.xsecurity.com/sdkfjsdlf.asp
• http://www.xsecurity.com/global.asa
• http://www.xsecurity.com/sdlfkj.aspx
• http://www.xsecurity.com/sdfsdf/php?
• http://www.xsecurity.com/login?
Step 32: Guess Different Sub Domain Names and Analyze Responses
They are not published and are used for internal purposes only.
Example: xsecurity.com:
• sales.xsecurity.com
• marketing.xsecurity.com
• internal.xsecurity.com
• intranet.xsecurity.com
• devl.xsecurity.com
• test.xsecurity.com
• backup.xsecurity.com
• partner.xsecurity.com
• beta.xsecurity.com
• secret.xsecurity.com
• preview.xsecurity.com
• temp.xsecurity.com
Step 33: Examine the Session Variables
Session hijacking, grabbing someone’s URL and stealing their session, is one of the biggest security concerns.
Example:
• http://example.com/cgi-bin/phf?%0aid==haqr==_phone=
• http://example.com/cgi-bin/phf?%0als%20-la%20%7Esomeuser==haqr==_phone=
• http://example.com/cgi-bin/phf?%0acp%20/etc/passwd%20%7Esomeuser/passwd%0A==haqr==_phone=
• http://example.com/~someuser/passwd
• http://example.com/cgi-bin/phf?%0arm%20%7Esomeuser/passwd==haqr==_phone=
Step 34: Examine Cookies Generated by the Server
Cookies offer a way to check the identity of the user by means of storing the CFID and CFTOKEN in client side cookies and using that information to uniquely identify the user.
• If encrypted
• Expiry date
• Content stored
Step 35: Examine the Access Controls Used by the Web Application
• Form authentication
• Windows authentication
• Biometrics authentication
• Secret question authentication
• Session based authentication
• Digital certificates
• Microsoft single sign-on
Step 36: Brute Force URL Injections and Session Tokens
Some web applications embed user IDs and other sensitive information into a URL, typically as parameters in the query component of the URL (the fields that occur after the ? symbol in a URL).
Inject strings into the URL of a page and examine the response.
Step 37: Check for Directory Consistency and Page Naming Syntax of the Web Pages
• Logical directory.
• Files named based on naming conventions.
• Repository for images, PDFs, and other documents.
• Repository for sensitive information.
• Structured links and pages.
• Site outline.
Step 37: Check for Directory Consistency and Page Naming Syntax of the Web Pages (cont’d)
Step 38: Look for Sensitive Information in Web Page Source Code
Step 39: Attempt URL Encodings on the Web Pages
Try to access the website using various URL encodings.
The server might send a different response when accessed using URL encodings.
Step 40: Try Buffer Overflow Attempts in Input Fields
Input large amounts of data into the form and examine the response.
Tools:
• NTOMax at www.foundstone.com
• Hailstorm (www.cenzic.com)
Look for Invalid Ranges in Input Fields
A web developer may decide to use some of the built-in validation capabilities of a client-side language (such as HTML, JavaScript, or VBScript) to ensure that an input value is no longer (or shorter) than expected.
Attempt Escape Character Injection
Some operating systems will execute system-level commands if they are embedded in an application's data input stream.
This can occur when the system command is hidden in input data that is prefixed by special control (escape) characters, such as $$.
The application may permit the command to escape up to the process that is currently running the application.
The receiving process then attempts to execute the system command using its own system privileges.
Testing tools:
• APS www.stratum8.com
• G-Server www.gilian.com
• iBroker SecureWeb www.elitesecureweb.com
• URLScan www.microsoft.com
Step 41: Try Cross Site Scripting (XSS) Techniques
Step 42: Record and Replay the Traffic to the Target Web Server and Note the Response
Tools:
• CruiseControl
• Webload (www.radview.com)
• e-Test Suite (www.empirix.com)
Step 43: Try Various SQL Injection Techniques
Attempt SQL injection techniques on the following:
• Form fields.
• Directly in URL.
• Login screens.
• Feedback forms.
• Guestbook.
Attempt SQL injection here:
• ' or 1=1--
• " or 1=1--
• or 1=1--
• ' or 'a'='a
• " or "a"="a
• ') or ('a'='a
• ") or ("a"="a
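As an added example (not from the EC-Council slides), the following Python code runs the strings listed above against a login check built by string concatenation and against the same check with bound parameters, using an in-memory SQLite table with one constructed account. It shows which strings slip past each form and why the parameterized query is the fix to recommend in the report.

```python
import sqlite3

# The injection strings listed on the slide, in the same order.
PAYLOADS = [
    "' or 1=1--",
    '" or 1=1--',
    "or 1=1--",
    "' or 'a'='a",
    '" or "a"="a',
    "') or ('a'='a",
    '") or ("a"="a',
]


def make_db():
    """In-memory users table with one constructed account (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_sql(username, password):
    """Query text built by concatenation: a quote in the input ends the
    literal and everything after it is parsed as SQL."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """The 'before' form. A malformed payload raises a syntax error, which
    here simply counts as a failed login."""
    try:
        return conn.execute(vulnerable_sql(username, password)).fetchone()[0] > 0
    except sqlite3.Error:
        return False


def login_parameterized(conn, username, password):
    """The hardened form: bound parameters are always data, never SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def run_payloads(login):
    """Return the payloads that log in as 'alice' without her password."""
    conn = make_db()
    return [p for p in PAYLOADS if login(conn, "alice", p)]


if __name__ == "__main__":
    print("concatenated query bypassed by:", run_payloads(login_vulnerable))
    print("parameterized query bypassed by:", run_payloads(login_parameterized))
```

Only the single-quote variants succeed against this particular query because its literals are single-quoted; the double-quote forms on the slide target applications that quote the other way.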
Step 44: Examine Hidden Fields
• Price.
• Username.
• Password.
• Session.
• URL characters.
• Special instructions.
• Encryption used.
• Web page behaviors.
Examine Server Side Includes (SSI)
Server Side Includes (SSI) are placeholders (or markers) in an HTML document that the web server will dynamically replace with data just before sending the requested document to a browser:
<HTML>
<HEAD><TITLE>Show SSI at work</TITLE></HEAD>
<BODY>
<P>Lots of really Interesting stuff to read</P>
<!--#Include file = "copywrite.Inc"-->
</BODY>
</HTML>
Examine Server Side Includes (SSI) (cont’d)
<!--#exec cmd="/bin/cat /etc/passwd" -->
Step 45: Examine E-commerce and Payment Gateways Handled by the Web Server
Document the following information:
• Outsourced e-commerce gateway
• Program logic
Step 47: Probe the Service by SMTP Mail Bouncing
SMTP mail bouncing indicates that the user does not exist on that server.
Step 48: Grab the Banner of HTTP Servers
httprint is a web server fingerprinting tool which captures the banner of HTTP servers.
Step 49: Grab the Banner of SMTP Servers
• perl Makefile.PL
• make
• make test
• make install
Required libraries:
• Class::Accessor::Fast
Step 50: Grab the Banner of POP3 Servers
Step 51: Grab the Banner of FTP Servers
Step 52: Identify the Web Extensions Used at the Server
GNIT NT vulnerability scanner determines the web extensions at the server.
Step 53: Try to use HTTPS Tunnel to Encapsulate Traffic
Step 54: OS Fingerprint Target Servers
Identifies OS using only ICMP packets.
Step 55: Check for ICMP Responses (Type 3, Port Unreachable)
SYN scan is the default and most popular scan option for good reasons.
Step 56: Check for ICMP Responses (Type 8, Echo Request)
The host must respond to all Echo requests with an Echo reply containing the exact data received in the request message.
Step 57: Check for ICMP Responses (Type 13, Timestamp Request)
SYN scan is the default and most popular scan option for good reasons.
Step 58: Check for ICMP Responses (Type 15, Information Request)
Step 59: Check for ICMP Responses (Type 17, Subnet Address Mask Request)
Step 60: Check for ICMP Responses from Broadcast Address
Step 61: Port Scan DNS Servers (TCP/UDP 53)
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
UDP scan works by sending an empty (no data) UDP header to every targeted port.
Step 62: Port Scan TFTP Servers (Port 69)
This utility reports the port status of target TCP and User Datagram Protocol (UDP) ports on a local computer or on a remote computer.
Step 63: Test for NTP Ports (Port 123)
Use the following command to find the NTP service on the network:
nmap -sU -p 123 x.x.x.x
Step 64: Test for SNMP Ports (Port 161)
Step 65: Test for Telnet Ports (Port 23)
Step 66: Test for LDAP Ports (Port 389)
PortQry version 1.22 is a TCP/IP connectivity testing utility that is included with the Microsoft Windows Server 2003 support tools.
PortQry can send an LDAP query by using both TCP and UDP and interpret an LDAP server's response to that query correctly.
PortQry parses, formats, and then returns the response from the LDAP server to the user.
LDAP Query Response
Step 67: Test for NetBIOS Ports (Ports 135-139, 445)
The default ports used by the NetBIOS service are 135, 136, 137, 138, 139, and 445.
You can also use NAT (NetBIOS Auditing Tool) for checking open NetBIOS ports.
Step 68: Test for SQL Server Ports (Port 1433, 1434)
Step 69: Test for Citrix Ports (Port 1495)
By default, Citrix listens on port 1495.
Step 70: Test for Oracle Ports (Port 1521)
Step 71: Test for NFS Ports (Port 2049)
Step 72: Test for Compaq, HP Insight Manager Ports (Port 2301, 2381)
Step 73: Test for Remote Desktop Ports (Port 3389)
Step 74: Test for Sybase Ports (Port 5000)
By default, Sybase listens on port 5000.
Step 75: Test for SIP Ports (Port 5060)
Step 76: Test for VNC Ports (Port 5900/5800)
Step 77: Test for X11 Ports (Port 6000)
By default, the X server listens on port 6000 for incoming connections.
Step 78: Test for Jet Direct Ports (Port 9100)
• Nmap tool.
Step 79: Port Scan FTP Data (Port 20)
Step 80: Port Scan Web Servers (Port 80)
Determines TCP and UDP ports that use port 80 for transporting HTTP data from a web server.
Step 81: Port Scan SSL Servers (Port 443)
• The “-sV” scan option is able to identify SSL services:
nmap -F -sV x.x.x.x
Step 82: Port Scan Kerberos-Active Directory (Port TCP/UDP 88)
Port scan the network for services listening on port 88.
Step 83: Port Scan SSH Servers (Port 22)
By default, SSH servers listen on port 22.
• nmap -sS -p 22 x.x.x.x
Summary