Professional Documents
Culture Documents
CIS 76 - Lesson 6: Rich's Lesson Module Checklist
CIS 76 - Lesson 6: Rich's Lesson Module Checklist
Flash cards
Properties
Page numbers
1st minute quiz
Web Calendar summary
Web book pages
Commands
1
CIS 76 - Lesson 6
Evading Network
TCP/IP
Devices
Cryptography Network and
Computer Attacks
Embedded Operating
Enumeration
Systems
Desktop and Server Scripting and
Vulnerabilities Programming
1. Browse to:
http://simms-teach.com
2. Click the CIS 76 link.
3. Click the Calendar link.
4. Locate today’s lesson.
5. Find the Presentation slides for
the lesson and download for
easier viewing.
6. Click the Enter virtual classroom
link to join CCC Confer.
7. Log into Opus with Putty or ssh
command.
4
CIS 76 - Lesson 6
3) Click OK button.
[ ] Is recording on?
Should change
Red dot means recording from phone
handset icon to
little Microphone
[ ] Use teleconferencing, not mic icon and the
Teleconferencing …
Should be grayed out message displayed
7
CIS 76 - Lesson 6
vSphere Client
putty
[ ] Video (webcam)
[ ] Make Video Follow Moderator Focus
9
CIS 76 - Lesson 6
Quite interesting
that they consider
you to be an
Elmo rotated down to view side table
"expert" in order to
use this button!
Rotate
image
button Elmo rotated up to view white board
Rotate
image
button
Control Panel (small icons) General Tab > Settings… 500MB cache size Delete these
11
CIS 76 - Lesson 6
Start
12
CIS 76 - Lesson 6
Sound Check
Students that dial-in should mute their
line using *6 to prevent unintended
noises distracting the web conference.
13
CIS 76 - Lesson 6
Dave R.
Email me (risimms@cabrillo.edu) a relatively current photo of your face for 3 points extra credit
CIS 76 - Lesson 6
Scanning
Objectives Agenda
• Understand different types of port scans • Questions
15
CIS 76 - Lesson 6
Admonition
16
Shared from cis76-newModules.pptx
CIS 76 - Lesson 6
Questions
18
CIS 76 - Lesson 6
Questions
How this course works?
Previous labs?
他問一個問題,五分鐘是個傻子,他不問一個問題仍然是一個
Chinese 傻瓜永遠。
Proverb He who asks a question is a fool for five minutes; he who does not ask a question
remains a fool forever.
19
CIS 76 - Lesson 6
In the
news
20
CIS 76 - Lesson 6
Recent news
1. Catfishing
http://www.zdnet.com/article/exclusive-inside-a-million-
dollar-amazon-kindle-catfishing-scam/
21
CIS 76 - Lesson 6
https://www.us-cert.gov/ncas/bulletins/SB16-277 22
CIS 76 - Lesson 6
Best
Practices
23
CIS 76 - Lesson 6
24
CIS 76 - Lesson 6
Housekeeping
26
CIS 76 - Lesson 6
• You must work alone and not help or receive help from others.
Next week:
• Quiz 5
• Lab 5 is due
27
CIS 76 - Lesson 6
Test 1
HONOR CODE:
HOWEVER, you must work alone. You may not discuss the
test questions or answers with others during the test.
28
CIS 76 - Lesson 6
Perkins/VTEA Survey
This is an important
source of funding for
Cabrillo College.
Send me an email
stating you completed
this Perkins/VTEA
survey for three
points extra credit!
http://oslab.cis.cabrillo.edu/forum/viewtopic.php?f=121&t=4176
29
CIS 76 - Lesson 6
30
CIS 76 - Lesson 6
• Available after
registration is final
(two weeks after first
class)
• Available after
registration is final
(two weeks after first
class)
Red Pod
Blue Pod
33
CIS 76 - Lesson 6
34
CIS 76 - Lesson 6
Send me an email
if you would like to
join one of the
teams
35
CIS 76 - Lesson 6
Scanning
36
CIS 76 - Lesson 6
Phase 1 - Reconnaissance
Phase 2 - Scanning
http://www.techrepublic.com/blog/it-security/the-five-phases-of-a-successful-network-penetration/
37
CIS 76 - Lesson 6
Scanning
Objectives
• Discover all open services on a host server.
• Detect firewalls.
• Identify vulnerabilities.
Process:
• Scan all ports (not just well-know ports) and
make a list of open services.
• Record evidence of firewalls (stateful or not
stateful)
• Scan open services and identify the products
and versions in use.
• Identify vulnerabilities in those products using
vulnerability scans and research.
38
CIS 76 - Lesson 6
nmap
39
CIS 76 - Lesson 6
nmap.org
40
https://nmap.org/book/man-port-scanning-techniques.html
CIS 76 - Lesson 6
41
https://pen-testing.sans.org/blog/2013/10/08/nmap-cheat-sheet-1-0
CIS 76 - Lesson 6
Connect
Scan
same subnet
no firewall
42
CIS 76 - Lesson 6
Connect Scan
43
CIS 76 - Lesson 6
“Microlab Network”
172.30.10.0/24
.160 .126
Target Attacker
EH-Centos EH-Kali
Web Server
44
CIS 76 - Lesson 6
Connect Scan
Firewall action = no firewall and Service = Running
Victim
[rsimms@EH-Centos ~]$ sudo service iptables status
iptables: Firewall is not running.
[rsimms@EH-Centos ~]$
45
CIS 76 - Lesson 6
Connect Scan
Firewall action = no firewall and Service = Running
46
CIS 76 - Lesson 6
Connect Scan
Firewall action = no firewall and Service = Stopped
Victim
[rsimms@EH-Centos ~]$ sudo service iptables status
iptables: Firewall is not running.
[rsimms@EH-Centos ~]$
47
CIS 76 - Lesson 6
Connect Scan
Firewall action = no firewall and Service = Stopped
48
CIS 76 - Lesson 6
Connect Scan
49
CIS 76 - Lesson 6
Connect
Scan
different subnets
firewall on target
50
CIS 76 - Lesson 6
Connect Scan
51
CIS 76 - Lesson 6
EH-Kali-05
.150
Attacker
“Microlab Network”
172.30.10.0/24
.160 .205
.1 EH-Pod-05
Target 52
CIS 76 - Lesson 6
Connect Scan
Firewall action = ACCEPT and Service = running
Connect Scan
Firewall action = ACCEPT and Service = running
54
CIS 76 - Lesson 6
Connect Scan
Firewall action = ACCEPT and Service = stopped
Connect Scan
Firewall action = ACCEPT and Service = stopped
56
CIS 76 - Lesson 6
Connect Scan
Firewall action = DROP and Service = Running
Connect Scan
Firewall action = DROP and Service = Running
58
CIS 76 - Lesson 6
Connect Scan
Firewall action = REJECT with error and Service = Running
Connect Scan
Firewall action = REJECT with error and Service = Running
60
CIS 76 - Lesson 6
Connect Scan
61
CIS 76 - Lesson 6
Syn
Scan
62
CIS 76 - Lesson 6
Syn Scan
• Scan results:
• If SYN-ACK received: "open".
• If RST received: "closed".
• If no reply or ICMP error: "filtered".
63
CIS 76 - Lesson 6
EH-Kali-05
.150
Attacker
“Microlab Network”
172.30.10.0/24
.160 .205
.1 EH-Pod-05
Target 64
CIS 76 - Lesson 6
Syn Scan
Firewall action = ACCEPT and Service = running
Syn Scan
Firewall action = ACCEPT and Service = running
66
CIS 76 - Lesson 6
Syn Scan
Firewall action = ACCEPT and Service = stopped
Syn Scan
Firewall action = ACCEPT and Service = stopped
68
CIS 76 - Lesson 6
Syn Scan
Firewall action = DROP and Service = Running
Syn Scan
Firewall action = DROP and Service = Running
70
CIS 76 - Lesson 6
Syn Scan
Firewall action = REJECT with error and Service = Running
Syn Scan
Firewall action = REJECT with error and Service = Running
72
CIS 76 - Lesson 6
Syn Scan
73
CIS 76 - Lesson 6
Null, XMAS
and FIN
Scans
74
CIS 76 - Lesson 6
• These scan types work the same way using different TCP
flags.
• Scan results:
https://nmap.org/book/man-port-scanning-techniques.html
75
CIS 76 - Lesson 6
"The big downside is that not all systems follow RFC 793 to
the letter. A number of systems send RST responses to the
probes regardless of whether the port is open or not. This
causes all of the ports to be labeled closed. Major operating
systems that do this are Microsoft Windows, many Cisco
devices, BSDI, and IBM OS/400. This scan does work
against most Unix-based systems though. Another downside
of these scans is that they can't distinguish open ports from
certain filtered ones, leaving you with the response
open|filtered."
https://nmap.org/book/man-port-scanning-techniques.html
76
CIS 76 - Lesson 6
Null
Scan
(Linux)
77
CIS 76 - Lesson 6
Null Scan
Switched to Kali on the same subnet because NULL scans didn't get
through pfSense firewall
78
CIS 76 - Lesson 6
“Microlab Network”
172.30.10.0/24
.160 .126
Target Attacker
EH-Centos EH-Kali
Web Server
Switched to Kali on the same subnet because NULL scans didn't get
through pfSense firewall
79
CIS 76 - Lesson 6
Null Scan
Firewall action = no firewall and Service = Running
80
CIS 76 - Lesson 6
Null Scan
Firewall action = no firewall and Service = Running
No response by victim
81
CIS 76 - Lesson 6
Null Scan
Firewall action = no firewall and Service = Stopped
82
CIS 76 - Lesson 6
Null Scan
Firewall action = no firewall and Service = Stopped
83
CIS 76 - Lesson 6
84
CIS 76 - Lesson 6
Null
Scan
(Windows 7)
85
CIS 76 - Lesson 6
“Microlab Network”
172.30.10.0/24
.162 .126
Target Attacker
EH-Win7 EH-Kali
Web Server
86
CIS 76 - Lesson 6
Null Scan
Firewall action = no firewall and Service = Running
Firewall off
87
CIS 76 - Lesson 6
Null Scan
Firewall action = no firewall and Service = Running
88
CIS 76 - Lesson 6
Null Scan
Firewall action = no firewall and Service = Stopped
Firewall off
89
CIS 76 - Lesson 6
Null Scan
Firewall action = no firewall and Service = Stopped
90
CIS 76 - Lesson 6
91
CIS 76 - Lesson 6
XMAS
Scan
92
CIS 76 - Lesson 6
XMAS Scan
Switched to Kali on the same subnet because XMAS scans didn't get
through pfSense firewall
93
CIS 76 - Lesson 6
“Microlab Network”
172.30.10.0/24
.160 .126
Target Attacker
EH-Centos EH-Kali
Web Server
Switched to Kali on the same subnet because NULL scans didn't get
through pfSense firewall
94
CIS 76 - Lesson 6
XMAS Scan
Firewall action = no firewall and Service = Running
95
CIS 76 - Lesson 6
XMAS Scan
Firewall action = no firewall and Service = Running
No response by victim
96
CIS 76 - Lesson 6
XMAS Scan
Firewall action = no firewall and Service = Stopped
97
CIS 76 - Lesson 6
XMAS Scan
Firewall action = no firewall and Service = Stopped
98
CIS 76 - Lesson 6
99
CIS 76 - Lesson 6
ACK
Scan
100
CIS 76 - Lesson 6
ACK Scan
• Only the ACK flag is set.
• Attempts to determine the presence of a stateful
firewall, not whether a port is open or closed.
• A stateful firewall always looks for a SYN to start the
three-way handshake.
• If the port responds with a reset (whether open or
closed) then it is considered unfiltered (no firewall or
filter was fooled).
• If there is no response or an ICMP error message is
returned then the port is considered filtered (whether
open or closed).
101
CIS 76 - Lesson 6
“Microlab Network”
172.30.10.0/24
.160 .126
Target Attacker
EH-Centos EH-Kali
Web Server
102
CIS 76 - Lesson 6
ACK Scan
Firewall action = no firewall and Service = Running
103
CIS 76 - Lesson 6
ACK Scan
Firewall action = no firewall and Service = Running
104
CIS 76 - Lesson 6
ACK Scan
Firewall action = REJECT and Service = Running
ACK Scan
Firewall action = REJECT and Service = Running
106
CIS 76 - Lesson 6
ACK Scan
Firewall action = ACCEPT and Service = Running
107
CIS 76 - Lesson 6
ACK Scan
Firewall action = ACCEPT and Service = Running
Victim has firewall that was fooled, packet made it to the open port
108
CIS 76 - Lesson 6
hping3
109
CIS 76 - Lesson 6
hping3
http://www.hping.org/
110
CIS 76 - Lesson 6
hping3
http://www.hping.org/
111
CIS 76 - Lesson 6
hping3
112
CIS 76 - Lesson 6
hping3
113
CIS 76 - Lesson 6
Attacker
EH-Kali-05
.150
Victim
.101 EH-OWASP-05
Web Server
EH-Pod-05
"EH-Pod-05 Network"
10.76.5.0/24
114
CIS 76 - Lesson 6
hping3
hping3 -c 2 10.76.5.101
hping3
hping3 --scan 79-84 -S 10.76.5.101
This does a
SYN scan of
ports 79-84
116
CIS 76 - Lesson 6
hping3
hping3 --udp --rand-source --data 20 -c 5 10.76.5.101
117
CIS 76 - Lesson 6
hping3
hping3 -S -p 80 -c 3 10.76.5.101
This command sent 351,972 spoofed packets in three and a half seconds! --flood is
"fast as you can", -V is verbose.
119
CIS 76 - Lesson 6
Vulnerability
Scans
120
CIS 76 - Lesson 6
Nessus
121
CIS 76 - Lesson 6
nessus
https://www.tenable.com/
122
CIS 76 - Lesson 6
nessus
https://www.tenable.com/products
123
CIS 76 - Lesson 6
nessus
https://store.tenable.com/index.php?main_page=product_info&cPath=1&products_id=94
124
CIS 76 - Lesson 6
nessus
https://www.tenable.com/products/nessus-home
125
CIS 76 - Lesson 6
Nikto
126
CIS 76 - Lesson 6
Nikto
https://cirt.net/nikto2
127
CIS 76 - Lesson 6
OpenVAS
128
CIS 76 - Lesson 6
OpenVAS
http://www.openvas.org/
129
CIS 76 - Lesson 6
OpenVAS
130
Doesn't come with Kali, use apt-get install openvas
CIS 76 - Lesson 6
OpenVAS
http://www.openvas.org/
131
CIS 76 - Lesson 6
OpenVAS
http://www.openvas.org/
132
CIS 76 - Lesson 6
OpenVAS
http://www.openvas.org/
133
CIS 76 - Lesson 6
OpenVAS
http://www.openvas.org/
134
CIS 76 - Lesson 6
Assignment
135
CIS 76 - Lesson 6
Lab 5 due
next week
136
CIS 76 - Lesson 6
Wrap up
138
CIS 76 - Lesson 6
Next Class
Assignment: Check the Calendar Page on the web site to see
what is due next week.
• From your pod Kali, do a SYN scan of your OWASP VM, what is
the status of port 80?
Test 1
140
CIS 76 - Lesson 6
Notes to instructor
[ ] Schedule end of practice test on Canvas [T-30]
141
CIS 76 - Lesson 6
142
CIS 76 - Lesson 6
Backup
143
CIS 76 - Lesson 6
Internet
“Server Network”
172.30.5.0/24 .20
Opus
NoSweat
gateway
.1
and firewall
.1
.160