CEH Lab Manual
Scanning Networks
Module 03

Module 03 - Scanning Networks

Scanning a Target Network

Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.

Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing and list the threats and vulnerabilities found in an organization's network and perform port scanning, network scanning, and vulnerability scanning to identify IP/hostname, live hosts, and vulnerabilities.

Lab Objectives

The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network.

You need to perform a network scan to:

* Check live systems and open ports
* Perform banner grabbing and OS fingerprinting
* Identify network vulnerabilities
* Draw network diagrams of vulnerable hosts

Lab Environment

In the lab, you need:

* A computer running with Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access
* A web browser
* Administrative privileges to run tools and perform scans

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks.

Lab Duration

Time: 50 Minutes

Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
CEH Lab Manual - Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.

For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.

Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment.

In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in scanning networks:

* Scanning System and Network Resources Using Advanced IP Scanner
* Banner Grabbing to Determine a Remote Target System Using ID Serve
* Fingerprint Open Ports for Running Applications Using the Amap Tool
* Monitor TCP/IP Connections Using the CurrPorts Tool
* Scan a Network for Vulnerabilities Using GFI LanGuard 2012
* Explore and Audit a Network Using Nmap
* Scanning a Network Using the NetScan Tools Pro
* Drawing Network Diagrams Using LANSurveyor
* Mapping a Network Using the Friendly Pinger
* Scanning a Network Using the Nessus Tool
* Auditing Scanning by Using Global Network Inventory
* Anonymous Browsing Using Proxy Switcher
* Daisy Chaining Using Proxy Workbench
* HTTP Tunneling Using HTTPort
* Basic Network Troubleshooting Using the MegaPing
* Detect, Delete and Block Google Cookies Using G-Zapper
* Scanning the Network Using the Colasoft Packet Builder
* Scanning Devices in a Network Using The Dude

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.
Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

Lab Objectives

The objective of this lab is to help students perform a local network scan and discover all the resources on the network.

You need to:

* Perform a system and network scan
* Enumerate user accounts
* Execute remote penetration
* Gather information about local network computers

Lab Environment

In the lab, you need:

* Advanced IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner
* You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Windows 8 as the attacker (host machine)
* Another computer running Windows Server 2008 as the victim (virtual machine)
* A web browser with Internet access
* Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner
* Administrative privileges to run this tool

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities.
Gathered information is helpful in determining threats and vulnerabilities in a network and to know whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks

Task 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.

Figure 1.1: Windows 8 - Desktop view

2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).

Figure 1.2: Windows 8 - Apps

3. The Advanced IP Scanner main window appears.

Figure 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim's machine).

Figure 1.4: The victim machine Windows Server 2008

5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.

6. Click the Scan button to start the scan.

Figure 1.5: The Advanced IP Scanner main window with IP address range

7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.
Note: Group operations: any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

Figure 1.6: The Advanced IP Scanner main window after scanning

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.

Figure 1.7: The Advanced IP Scanner main window with Alive Host list

10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.

11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.

Figure 1.8: The Advanced IP Scanner Computer properties window

12. Now you have the IP address, Name, and other details of the victim machine.

13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.
Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Advanced IP Scanner - Scan Information:

* IP address
* System name
* MAC address
* NetBIOS information
* Manufacturer
* System status

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine and evaluate the IP addresses and range of IP addresses.

Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server software.

Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer flow, SQL injection, and web application on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them and crack into the network and cause server damage.

Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives

The objective of this lab is to help students learn banner grabbing of a website and discover the applications running on that website.
In this lab you will learn to:

* Identify the domain IP address
* Identify the domain information

Lab Environment

To perform the lab you need:

* ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve
* You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
* If you decide to download the latest version, then screenshots shown in the lab might differ
* Double-click idserve to run ID Serve
* Administrative privileges to run the ID Serve tool
* Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve.

2. In the main window of ID Serve shown in the following figure, select the Server Query tab.

Figure 2.1: The ID Serve main window

3. Enter the IP address or URL address in "Enter or copy/paste an Internet server URL or IP address here:".

Note: ID Serve can accept the URL or IP as a command-line parameter.

Figure 2.2: Entering the URL for query

4. Click Query The Server; it shows server query processed information.

Note: ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.

Lab Analysis

Document all the IP addresses, their running applications, and the protocols you discovered during the lab.

ID Serve results:

* IP address: 202.75.54.101
* Server Connection: Standard HTTP port: 80
* Response headers returned from server:
  HTTP/1.1 200
  Server: Microsoft-IIS/6.0
  X-Powered-By: PHP/4.4.8
  Transfer-Encoding: chunked
  Content-Type: text/html

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine what protocols ID Serve apprehends.
2. Check if ID Serve supports https (SSL) connections.

Fingerprinting Open Ports Using the Amap Tool

Amap determines applications running on each open port.

Lab Scenario

Computers communicate with each other by knowing the IP address in use, and ports determine which program to use when data is received. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using a Standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine.
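
The previous lab's finding (the response headers ID Serve returned on port 80) can be audited programmatically to see what a server's banner discloses and whether it matches what is expected to run there. This is an added example, not part of the lab manual or of ID Serve; the BASELINE inventory and all function names are assumptions constructed for illustration.

```python
import re

# Response headers exactly as recorded in the lab's ID Serve result.
LAB_HOST = "202.75.54.101"
LAB_RESPONSE = (
    "HTTP/1.1 200\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: PHP/4.4.8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed for this example: software the asset inventory approves per host.
BASELINE = {LAB_HOST: {"Microsoft-IIS": "6.0"}}

# Headers that commonly reveal server software.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
# HTTP product token: a name, optionally followed by "/version".
PRODUCT = re.compile(r"([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:/([^\s()]+))?")
# Parenthesised comments such as "(Ubuntu)" are not product tokens.
COMMENT = re.compile(r"\([^()]*\)")


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {header: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            # Folded continuation line: append to the previous header value.
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed lines instead of failing the audit
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return int(match.group(1)), headers


def disclosed_products(headers):
    """Return [(header, product, version_or_None)] found in disclosing headers."""
    found = []
    for name in DISCLOSING:
        for value in headers.get(name, []):
            if name == "x-aspnet-version":
                found.append((name, "ASP.NET", value))
                continue
            for product, version in PRODUCT.findall(COMMENT.sub(" ", value)):
                found.append((name, product, version or None))
    return found


def audit(host, raw, baseline):
    """Compare what a host's banner discloses with the approved baseline."""
    _, headers = parse_response(raw)
    approved = baseline.get(host, {})
    findings = []
    for header, product, version in disclosed_products(headers):
        if product not in approved:
            # Software nobody approved: a candidate rogue or undocumented service.
            findings.append((product, "not in baseline"))
        elif version and version != approved[product]:
            findings.append(
                (product, "version %s, baseline %s" % (version, approved[product]))
            )
        if version:
            # Exact versions in banners are worth suppressing on the server.
            findings.append((product, "version disclosed in %s" % header))
    return findings


if __name__ == "__main__":
    for product, issue in audit(LAB_HOST, LAB_RESPONSE, BASELINE):
        print("%s: %s - %s" % (LAB_HOST, product, issue))
```

Each "version disclosed" finding points at a header the server administrator can suppress or genericise; each "not in baseline" finding is a prompt to update the inventory or investigate the host.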
In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.

Lab Objectives

The objective of this lab is to help students learn to fingerprint open ports and discover applications running on these open ports.

In this lab, you will learn to:

* Identify the application protocols running on open port 80
* Detect application protocols

Lab Environment

To perform the lab you need:

* Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP
* You can also download the latest version of AMAP from the link http://www.th
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Web Services enabled for port 80
* Administrative privileges to run the Amap tool
* Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.

Lab Tasks

Task 1: Identify Application Protocols Running on Port 80

Note: For Amap options, type amap -help.

1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP.

2. Type amap www.certifiedhacker.com 80, and press Enter.

Figure 3.1: Amap with host name www.certifiedhacker.com with Port 80

3. You can see the specific application protocols running on the entered host name and the port 80.

4. Use the IP address to check the applications running on a particular port.

5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine), amap 10.0.0.4 75-81 (local Windows Server 2008), and press Enter (the IP address will be different in your network).

6. Try scanning different websites using different ranges of switches like amap www.certifiedhacker.com 1-200

HTML Reports - All Items.

Figure 4.2: The CurrPorts with HTML Report - All Items

5. To save the generated CurrPorts report from the web browser, click File > Save Page As...

Figure 4.4: The Web browser to Save CurrPorts Report - All Items

6. To view only the selected report as HTML page, select reports and click View > HTML Reports - Selected Items.

Figure 4.5: CurrPorts with HTML Report - Selected Items

7. The selected report automatically opens using the default browser.
Figure 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items

8. To save the generated CurrPorts report from the web browser, click File > Save Page As... (Ctrl+S).

Figure 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items

9. To view the properties of a port, select the port and click File > Properties.

Figure: CurrPorts to view properties for a selected port

10. The Properties window appears and displays all the properties for the selected port.

11. Click OK to close the Properties window.

Figure: The Properties window, with the fields Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, Process Path, Product Name, File Description, File Version, and Company

12. To close a TCP connection you think is suspicious, select the process and click File > Close Selected TCP Connections (or Ctrl+T).

Figure 4.10: The CurrPorts Close Selected TCP Connections option window

Figure 4.11: The CurrPorts Kill Processes of Selected Ports option window

14. To exit from the CurrPorts utility, click File > Exit. The CurrPorts window closes.
Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

CurrPorts results:

Profile Details: Network scan for open ports

Scanned report fields:

* Process Name
* Process ID
* Protocol
* Local Port
* Local Address
* Remote Port
* Remote Port Name
* Remote Address
* Remote Host Name

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it.
2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.
3. Determine the use of each of the following options that are available under the options menu of CurrPorts:
   a. Display Established
   b. Mark Ports Of Unidentified Applications
   c. Display Items Without Remote Address
   d. Display Items With Unknown State

Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Lab Scenario

You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool will automatically mark with a pink color suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items, and then close the selected connections.
Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.

In this lab, you need to:

* Perform a vulnerability scan
* Audit the network
* Detect vulnerable ports
* Identify security vulnerabilities
* Correct security vulnerabilities with remedial action

Lab Environment

To perform the lab, you need:

* GFI Languard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard
* You can also download the latest version of GFI Languard from the link http://www.gfi.com/lannetscan
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Windows 2012 Server as the host machine
* Windows Server 2008 running in virtual machine
* Microsoft .NET Framework 2.0
* Administrator privileges to run the GFI LANguard Network Security Scanner
* It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key
* Complete the subscription and get an activation code; the user will receive an email that contains an activation code

Lab Duration

Time: 10 Minutes

Overview of Scanning Network

As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

Lab Tasks

Task 1: Scanning for Vulnerabilities

Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the host machine Windows 2012 Server.

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Figure 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.

Figure 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

Note: If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts.

Figure 5.3: The GFI LANguard main window

4. Click the Launch a Scan option to perform a network scan.

Figure 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option

5. The Launch a New scan window will appear.
   i. In the Scan Target option, select localhost from the drop-down list.
   ii. In the Profile option, select Full Scan from the drop-down list.
   iii. In the Credentials option, select currently logged on user from the drop-down list.

6. Click Scan.

Figure 5.5

7. Scanning will start; it will take some time to scan the network. See the following figure.

Figure 5.6

8. After completing the scan, the scan result will show in the left panel.

Figure 5.7

9. To check the Scan Result Overview, click IP address of the machine in the right panel.

10. It shows the Vulnerability Assessment and Network & Software Audit;

11. It shows all the Vulnerability Assessment indicators by category.

Figure 5.9

12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses.

Figure 5.10: System patching status report

13. Click Ports, and under this, click Open TCP Ports.

Figure 5.11: TCP/UDP Ports

14. Click System Information in the right side panel; it shows all the details of the system information.

15. Click Password Policy.

Note: The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected during the network security scan.

Figure 5.12: Information of Password Policy

16. Click Groups; it shows all the groups present in the system.

Lab Analysis

Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.
GFI LanGuard 2012 results:

* Vulnerability Level
* Vulnerable Assessment
* System Patching Status
* Scan Results Details for Open TCP Ports
* Scan Results Details for Password Policy

Dashboard - Entire Network:

* Vulnerability Level
* Security Sensors
* Most Vulnerable Computers
* Agent Status
* Vulnerability Trend Over Time
* Computer Vulnerability Distribution
* Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how GFI LANguard products provide protection against a worm.
2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.
3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker gets to know all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques.

Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain vulnerable information.
Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.
Lab Objectives
The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.
In this lab, you need to:
- Scan TCP and UDP ports
- Analyze host details and their topology
- Determine the types of packet filters
- Record and save all scan reports
- Compare saved results for suspicious ports
Lab Environment
To perform the lab, you need:
- Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
- You can also download the latest version of Nmap from the link http://nmap.org/
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2012 as a host machine
- Windows Server 2008 running on a virtual machine as a guest
- A web browser with Internet access
- Administrative privileges to run the Nmap tool
Lab Duration
Time: 20 Minutes
Overview of Network Scanning
Network addresses are scanned to determine:
- What services (application names and versions) those hosts offer
- What operating systems (and OS versions) they run
- The type of packet filters/firewalls that are in use and dozens of other characteristics
Lab Tasks
Task 1: Intense Scan
Follow the wizard-driven installation steps and install Nmap (Zenmap) scanner in the host machine (Windows Server 2012).
1.
Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
Note: The files Zenmap installs include Nmap Core Files, Nmap Path, WinPcap 4.1.1, Zenmap (GUI frontend), and Ncat (Modern Netcat).
Note: Nmap syntax: nmap [Scan Type(s)] [Options] {target specification}
Note: In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.
FIGURE 6.2: Windows Server 2012 - Apps
The Nmap - Zenmap GUI window appears.
FIGURE 6.3: The Zenmap main window
Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.
In this lab, the IP address would be 10.0.0.4; it will be different from your lab environment.
In the Profile: text field, select, from the drop-down list, the type of profile you want to scan. In this lab, select Intense Scan.
7. Click Scan to start scanning the virtual machine.
FIGURE 6.4: The Zenmap main window with Target and Profile entered
8. Nmap scans the provided IP address with intense scan and displays the scan result below the Nmap Output tab.
Note: Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.
FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan
9. After the scan is complete, Nmap shows the scanned results.
FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan
10. Click the Ports/Hosts tab to display more information on the scan.
Note: Nmap options:
- -PO (IP Protocol Ping)
- -PR (ARP Ping)
- --traceroute (Trace path to host)
- -n (No DNS resolution)
- -R (DNS resolution for all targets)
- --system-dns (Use system DNS resolver)
- --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
Note: By default, Nmap does host discovery and then performs a port scan against each host it determines to be online.
Note: By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).
12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.
FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan
13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.
14. Click the Scans tab to view the scan details for the provided IP addresses.
Note: Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.
FIGURE 6.10: The Zenmap main window with Scans tab for Intense Scan
15. Now, click the Services tab located in the right pane of the window.
This tab displays the list of services.
16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).
17. Click the msrpc service to list all the Microsoft Windows RPC.
FIGURE 6.12: The Zenmap main window with msrpc Service for Intense Scan
18. Click the netbios-ssn service to list all NetBIOS hostnames.
FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan
Task 2: Xmas Scan
19. Xmas scan sends a TCP frame to a remote device with URG, ACK, RST, SYN, and FIN flags set. FIN scans only with OS TCP/IP developed
Note: Xmas scan (-sX) sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
New Profile or Command Ctrl+P.
FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab
Note: UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list.
FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab
23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list and click Save Changes.
FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab
24. Enter the IP address in the Target: field, select the Xmas scan option from the Profile: field and click Scan.
FIGURE 6.18: The Zenmap main window with Target and Profile entered
25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.
Note: When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open.
Note: The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
FIGURE 6.19: The Zenmap main window with the Nmap Output tab
26. Click the Services tab located at the right side of the pane. It displays all the services of that host.
FIGURE 6.20: The Zenmap main window with the Services tab
Task 3: Null Scan
27. Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a null scan, attackers send a TCP frame to a remote host with NO Flags.
28. To perform a null scan for a target IP address, create a new profile. Click Profile > New Profile or Command Ctrl+P.
Note: The option Null Scan (-sN) does not set any bits (TCP flag header is 0).
FIGURE 6.21: The Zenmap main window with the New Profile or Command option
Note: The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.
Note: The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.
29. On the Profile tab, input a profile name Null Scan in the Profile name text field.
FIGURE 6.22: The Zenmap Profile Editor with the Profile tab
30. Click the Scan tab in the Profile Editor window. Now select the Null Scan (-sN) option from the TCP scan: drop-down list.
FIGURE 6.23: The Zenmap Profile Editor with the Scan tab
31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.
32. Click Save Changes to save the newly created profile.
FIGURE 6.24: The Zenmap Profile Editor with the Scan tab
33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.
FIGURE 6.25: The Zenmap main window with Target and Profile entered
34. Nmap scans the target IP address provided and displays results in Nmap Output tab.
FIGURE 6.26: The Zenmap main window with the Nmap Output tab
35. Click the Host Details tab to view the details of hosts, such as Host Status, Addresses, Open Ports, and Closed Ports.
FIGURE 6.27: The Zenmap main window with the Host Details tab
Task 4: ACK Flag Scan
36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered and an RST response means the port is not filtered.
37. To perform an ACK Flag Scan for a target IP address, create a new
FIGURE 6.28: The Zenmap main window with the New Profile or Command option
38. On the Profile tab, input ACK Flag Scan in the Profile name text field.
FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab
39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the Non-TCP scans: drop-down list, and select None for all the other fields but leave the Targets: field empty.
FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab
40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.
FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab
41. In the Zenmap main window, input the IP address of the target machine (in this Lab: 10.0.0.3), select ACK Flag Scan from Profile: drop-down list, and then click Scan.
FIGURE 9.14: FPinger Inventory wizard Hardware tab
19. The Software tab shows the installed software on the computers.
Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.
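The Xmas, null and ACK probes run in the Nmap tasks above differ only in the TCP flags byte, which is also what makes them recognizable in a packet capture. The following is an added example, not part of the lab manual: it parses raw IPv4/TCP headers and reports sources that send these flag patterns to several ports. The packets, the scanner address 10.0.0.9, the threshold and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags), or None if pkt is not a
    complete, unfragmented IPv4/TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 14:
        return None                                # later fragments carry no TCP header
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13] & 0x3F   # ignore ECE/CWR bits


def classify(flags, flow_known):
    """Name the probe type a flag combination points to, or None."""
    if flags == 0:
        return "null"                              # no flags at all (-sN)
    if flags == FIN | PSH | URG:
        return "xmas"                              # the -sX combination
    if flags & SYN and flags & (FIN | RST):
        return "invalid-combo"                     # e.g. URG+ACK+RST+SYN+FIN together
    if flags == ACK and not flow_known:
        return "unsolicited-ack"                   # bare ACK, no handshake seen (-sA)
    return None


def detect(packets, threshold=3):
    """Map (source, probe type) -> sorted [(dst, port)] for every source that
    sent one probe type to at least `threshold` distinct destination ports."""
    flows = set()                                  # connections opened by a clean SYN
    hits = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))   # same key in both directions
        kind = classify(flags, key in flows)
        if kind:
            hits[(src, kind)].add((dst, dport))
        elif flags & SYN:
            flows.add(key)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}


def build(src, dst, sport, dport, flags):
    """Constructed test packet: 20-byte IPv4 header plus 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return ip + tcp


# Constructed sample traffic: one scanning host, one ordinary HTTP session.
SCANNER, TARGET, CLIENT = "10.0.0.9", "10.0.0.4", "10.0.0.7"
SAMPLE = (
    [build(SCANNER, TARGET, 40000, p, FIN | PSH | URG) for p in (21, 80, 135, 445)]
    + [build(SCANNER, TARGET, 40001, p, 0) for p in (80, 135, 139)]
    + [build(SCANNER, TARGET, 40002, p, ACK) for p in (80, 135, 139, 445)]
    + [build(CLIENT, TARGET, 50000, 80, SYN),
       build(TARGET, CLIENT, 80, 50000, SYN | ACK),
       build(CLIENT, TARGET, 50000, 80, ACK),
       build(CLIENT, TARGET, 50000, 80, PSH | ACK),
       build(CLIENT, TARGET, 50000, 80, FIN | ACK),
       build(CLIENT, TARGET, 50001, 443, SYN | FIN)]   # single odd packet, below threshold
)

if __name__ == "__main__":
    for (src, kind), targets in sorted(detect(SAMPLE).items()):
        print(f"{src} {kind}: {len(targets)} ports -> {targets}")
```

A capture that starts in the middle of a connection shows bare ACKs with no recorded handshake, which is why the report applies a per-source port threshold instead of alerting on single packets.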
FriendlyPinger
IP address: 10.0.0.1 - 10.0.0.20
Found IP address:
- 10.0.0.2
- 10.0.0.3
- 10.0.0.5
- 10.0.0.7
Details Result of 10.0.0.7:
- Computer name
- Operating system
- IP Address
- MAC address
- File system
- Size of disk
- Hardware information
- Software information
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Does FPinger support proxy servers firewalls?
2. Examine the programming of language used in FPinger.
Platform Supported: Classroom, iLabs
Scanning a Network Using the Nessus Tool
Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.
Lab Scenario
In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notification, ping information, track user access via the network, view graphical traceroutes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall.
If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device.
Also, it is very important that you use some methodologies to detect such rogue devices on the network.
As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.
Lab Objectives
This lab will give you experience on scanning the network for vulnerabilities, and show you how to use Nessus. It will teach you how to:
- Use the Nessus tool
- Scan the network for vulnerabilities
Note: Nessus is designed to automate the testing and discovery of known security problems.
Lab Environment
To carry out the lab, you need:
- Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
- You can also download the latest version of Nessus from the link http://www.tenable.com/products/nessus/nessus-download-agreement
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2012
- A web browser with Internet access
- Administrative privileges to run the Nessus tool
Lab Duration
Time: 20 Minutes
Overview of Nessus Tool
Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.
Lab Tasks
1. To install Nessus navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
2. Double-click the Nessus-5.0.1-x86_64.msi file.
3. The Open File - Security Warning window appears; click Run.
FIGURE 10.1: Open File - Security Warning
4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions. Click Next.
FIGURE 10.2: The Nessus installation window
5. Before you begin installation, you must agree to the license agreement as shown in the following figure.
6. Select the radio button to accept the license agreement and click Next.
FIGURE 10.3: The Nessus InstallShield Wizard
7. Select a destination folder and click Next.
FIGURE 10.4: The Nessus InstallShield Wizard
8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.
FIGURE 10.5: The Nessus InstallShield Wizard for Setup Type
9. The Nessus wizard will prompt you to confirm the installation. Click Install.
10. Once installation is complete, click Finish.
FIGURE 10.7: Nessus InstallShield Wizard
Nessus Major Directories
The major directories of Nessus are shown in the following table.
TABLE 10.1: Nessus Major Directories
- Stylesheet templates
- \nessus\users\<username>\kbs: User knowledgebase
- \nessus\logs: Nessus log files
11. After installation Nessus opens in your default browser.
12. The Welcome to Nessus screen appears; click the here link to connect via SSL.
FIGURE 10.8: Nessus SSL certification
13. Click OK in the Security Alert pop-up, if it appears.
FIGURE 10.9: Internet Explorer Security Alert
14. Click the Continue to this website (not recommended) link to continue.
FIGURE 10.10: Internet Explorer website's security certificate
15. Click OK in the Security Alert pop-up, if it appears.
FIGURE 10.11: Internet Explorer Security Alert
16. The Thank you for installing Nessus screen appears. Click the Get Started > button.
FIGURE 10.11: Nessus Getting Started
17. In Initial Account Setup enter the credentials given at the time of registration and click Next >.
FIGURE 10.12: Nessus Initial Account Setup
18. In Plugin Feed Registration, you need to enter the activation code. To obtain activation code, click the http://www.nessus.org/register/ link.
19. Click the Using Nessus at Home icon in Obtain an Activation Code.
FIGURE 10.13: Nessus Obtaining Activation Code
20. In Nessus for Home accept the agreement by clicking the Agree button as shown in the following figure.
FIGURE 10.14: Nessus Subscription Agreement
and click Register.
FIGURE 10.15: Nessus Registering HomeFeed
22. The Thank You for Registering window appears for Tenable Nessus HomeFeed.
Note: After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org, plugins-customers.nessus.org
FIGURE 10.16: Nessus Registration Completed
23. Now log in to your email for the activation code provided at the time of registration as shown in the following figure.
FIGURE 10.17: Nessus Registration mail
24. Now enter the activation code received to your email ID and click Next.
FIGURE 10.18: Nessus Applying Activation Code
25. The Registering window appears as shown in the following screenshot.
FIGURE 10.19: Nessus Registering Activation Code
26. After successful registration click Next: Download plugins > to download Nessus plugins.
FIGURE 10.20: Nessus Downloading Plugins
27. Nessus will start fetching the plugins and it will install them; it will take time to install plugins and initialization.
FIGURE 10.21: Nessus fetching the newest plugin set
28. The Nessus Log In page appears. Enter the Username and Password given at the time of registration and click Log In.
Task 2: Network Scan Vulnerabilities
FIGURE 10.22: The Nessus Log In screen
29. The Nessus HomeFeed window appears. Click OK.
FIGURE 10.23: Nessus HomeFeed section
30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.
FIGURE 10.24: The Nessus main screen
31. If you have an Administrator Role, you can see the Users tab, which lists all Users, their Roles, and their Last Logins.
FIGURE 10.25: The Nessus administrator view
32. To add a new policy, click Policies > Add Policy. Fill in the General policy sections, namely, Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.
FIGURE 10.26: Adding Policies
33. To configure the credentials of new policy, click the Credentials tab shown in the left pane of Add Policy.
FIGURE 10.27: Adding Policies and setting Credentials
34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.
FIGURE 10.28: Adding Policies and selecting Plugins
35.
To configure preferences, click the Preferences tab in the left pane of Add Policy.
36. In the Plugin field, select Database settings from the drop-down list.
37. Enter the Login details given at the time of registration.
38. Give the Database SID: 4887, Database port to use: 124, and select Oracle auth type: SYSDBA.
39. Click Submit.
FIGURE 10.29: Adding Policies and setting Preferences
40. A message Policy "NetworkScan_Policy" was successfully added displays as shown as follows.
FIGURE 10.30: The NetworkScan Policy
41. Now, click Scans > Add to open the Add Scan window.
42. Input the field Name, Type, Policy, and Scan Target.
43. In Scan Targets, enter the IP address of your network; here in this lab we are scanning 10.0.0.2.
44. Click Launch Scan at the bottom-right of the window.
Note: The IP addresses may differ in your lab environment.
FIGURE 10.31: Add Scan
45. The scan launches and starts scanning the network.
FIGURE 10.32: Scanning in progress
46. After the scan is complete, click the Reports tab.
FIGURE 10.33: Nessus Reports tab
47. Double-click Local Network to view the detailed scan report.
48. Double-click any result to display a more detailed synopsis, description, security level, and solution.
FIGURE 10.35: Report of a scanned target
49. Click the Download Report button in the left pane.
50. You can download available reports with a .nessus extension from the drop-down list.
FIGURE 10.36: Download Report with .nessus extension
51.
Now, click Log out.
52. In the Nessus Server Manager, click Stop Nessus Server.
FIGURE 10.37: Log out Nessus
Lab Analysis
Document all the results and reports gathered during the lab.
Nessus
Scan Target Machine: Local Host
Performed Scan Policy: Network Scan Policy
Target IP Address: 10.0.0.
Result: Local Host vulnerabilities
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with the security center.
2. Determine how the Nessus license works in a VM (Virtual Machine) environment.
Platform Supported: Classroom, iLabs
Auditing Scanning by using Global Network Inventory
Global Network Inventory is used as an audit scanner in zero deployment and agent-free environments. It scans computers by IP range, domain, computers or single computers, defined by the Global Network Inventory host file.
Lab Scenario
With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use that to compromise the entire system and other data found, thus he or she can compromise other systems on the network.
Similarly, if the attacker finds a workstation with administrative privileges with faults in that workstation's applications, they can execute an arbitrary code or implant viruses to intensify the damage to the network.
As a key technique in network security domain, intrusion detection systems (IDSes) play a vital role of detecting various kinds of attacks and secure the networks. So, as an administrator you should make sure that services do not run as the root user, and should be cautious of patches and updates for applications from vendors or security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.
Lab Objectives
This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:
- Use the Global Network Inventory tool
Lab Environment
To carry out the lab, you need:
- Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner
- You can also download the latest version of Global Network Inventory from this link http://www.magnetosoft.com/products/global_network_inventory/gni_features.htm
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2012 as attacker (host machine)
- Another computer running Windows Server 2008 as victim (virtual machine)
- A web browser with Internet access
- Follow the wizard-driven installation steps to install Global Network Inventory
- Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Global Network Inventory
Global Network Inventory is one of the de facto tools for security auditing and testing of firewalls and networks; it is also used to exploit Idle Scanning.

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 11.1: Windows Server 2012 - Desktop view
2. Click the Global Network Inventory app to open the Global Network Inventory window.
FIGURE 11.2: Windows Server 2012 - Apps
3. The Global Network Inventory Main window appears as shown in the following figure.
4. The Tip of Day window also appears; click Close.
Note: Scan only items that you need by customizing scan elements.
FIGURE 11.3: Global Network Inventory Main Window
5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.
Note: Reliable IP detection and identification of network appliances such as network document centers, hubs, and other devices.
FIGURE 11.4: Windows 2008 Virtual Machine
6. Now switch back to the Windows Server 2012 machine, and a new Audit Wizard window will appear. Click Next (or in the toolbar select the Scan tab and click Launch audit wizard).
FIGURE 11.5: Global Network Inventory new audit wizard
7. Select IP range scan and then click Next in the Audit Scan Mode wizard.
FIGURE 11.6: Global Network Inventory Audit Scan Mode
8. Set an IP range scan and then click Next in the IP Range Scan wizard.
FIGURE 11.7: Global Network Inventory setting an IP range scan
9. In the Authentication Settings wizard, select Connect as and fill in the respective credentials of your Windows Server 2008 Virtual Machine, and click Next.
Note: The program comes with dozens of customizable reports. New reports can be easily added through the user interface.
FIGURE 11.8: Global Network Inventory Authentication settings
10. Leave the settings as default and click Finish to complete the wizard.
FIGURE 11.9: Global Network Inventory final Audit wizard
11. It displays the scanning progress in the Scan progress window.
FIGURE 11.10: Global Network Inventory Scanning Progress
FIGURE 11.11: Global Network Inventory window
13. Now select the Windows Server 2008 machine from view results to view individual results.
Note: To configure results history level, choose Scan | Results history level from the main menu and set the desired history level.
FIGURE 11.13: Global Network Inventory Scan Summary tab
15. The Bios section gives details of Bios settings.
FIGURE 11.14: Global Network Inventory Bios
FIGURE 11.15: Global Network Inventory Memory tab
17. In the NetBIOS section, complete details can be viewed.
FIGURE 11.16: Global Network Inventory NetBIOS tab
18. The User Groups tab shows user account details with the work group.
FIGURE 11.17: Global Network Inventory User groups section
19. The Logged on tab shows detailed logged on details of the machine.
FIGURE 11.18: Global Network Inventory Logged on section
20. The Port connectors section shows ports connected in the network.
21. The Service section gives the details of the services installed in the machine.
FIGURE 11.20: Global Network Inventory Services section

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: Global Network Inventory
Information Collected/Objectives Achieved:
  IP Scan Range: 10.0.0.1 - 10.0.0.50
  10.0.0.7, 10.0.0.4
  * Scan summary
  * Bios
  * Memory
  * NetBIOS
  * UserGroup
  * Logged On
  * Port connector
  * Services
  * Network Adapter

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?
2. How can you export the Global Network agent to a shared network directory?

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom  [x] iLabs

Anonymous Browsing using Proxy Switcher
Proxy Switcher allows you to automatically execute actions, based on the detected network connection.

Lab Scenario
In the previous lab, you gathered information like scan summary, NetBIOS details, services running on a computer, etc. using Global Network Inventory.
NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in Microsoft Windows, which involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, the attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included.

As an expert penetration tester, you should follow typical security practices: to block such Internet-based attacks, block port 137 User Datagram Protocol (UDP) at the firewall. You must also understand how networks are scanned using Proxy Switcher.

Lab Objectives
This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to:
* Hide your IP address from the websites you visit
* Proxy server switching for improved anonymous surfing

Lab Environment
To carry out the lab, you need:
* Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
* You can also download the latest version of Proxy Workbench from this link: http://www.proxyswitcher.com/
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Windows Server 2012
* A web browser with Internet access
* Follow wizard-driven installation steps to install Proxy Switcher
* Administrative privileges to run tools

Lab Duration
Time: 15 Minutes

Overview of Proxy Switcher
Proxy Switcher allows you to automatically execute actions, based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting proxy settings for Internet Explorer, Firefox, and Opera.

Lab Tasks
Note: Automatic change of proxy configurations (or any other action) based on network information.
1. Install Proxy Workbench in Windows Server 2012 (Host Machine).
2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher
3. Follow the wizard-driven installation steps and install it in all platforms of the Windows operating system.
4. This lab will work in the CEH lab environment - on Windows Server 2012, Windows Server 2008, and Windows 7.
5. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options in the menu bar.
FIGURE 12.1: Firefox options tab
6. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.
FIGURE 12.2: Firefox Network Settings
7. Select the Use System proxy settings radio button, and click OK.
FIGURE 12.3: Firefox Connection Settings
8. Now to install Proxy Switcher Standard, follow the wizard-driven installation steps.
9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 12.4: Windows Server 2012 - Desktop view
10. Click the Proxy Switcher Standard app to open the Proxy Switcher window, OR click Proxy Switcher from the Tray Icon list.
Note: Proxy Switcher is free to use without limitations for personal and commercial use.
FIGURE 12.6: Select Proxy Switcher
11. The Proxy List Wizard will appear as shown in the following figure; click Next.
FIGURE 12.7: Proxy List wizard
12. Select the Find New Server, Rescan Server, Recheck Dead radio button from Common Task, and click Finish.
FIGURE 12.8: Select common tasks
13. A list of downloaded proxy servers will show in the left panel.
FIGURE 12.9: List of downloaded Proxy Servers
14. To stop downloading the proxy server, click the Stop button.
FIGURE 12.10: Click on Stop button
15. Click Basic Anonymity in the right pane; it shows a list of downloaded proxy servers.
Note: When running in Auto Switch mode Proxy Switcher will switch active proxy servers. Switching period can be set with a slider from 5 minutes to 10
FIGURE 12.11: Selecting downloaded Proxy server from Basic Anonymity
16. Select one Proxy server IP address from the right panel to switch the selected
FIGURE 12.12
17. The selected proxy server will connect, and it will show the following connection icon.
FIGURE 12.13: Successful connection of selected proxy
18. Go to a web browser (Firefox), and type the following URL, http://www.proxyswitcher.com/check.php, to check the selected proxy server connectivity; if it is successfully connected, then it shows the following.
FIGURE 12.14: Detected Proxy server
19. Open another tab in the web browser, and surf anonymously using this proxy.
FIGURE 12.15: Surf using Proxy server

Lab Analysis
Document all the IP addresses of live (SSL) proxy servers and the connectivity.

Tool/Utility: Proxy Switcher
Information Collected/Objectives Achieved:
  Server: List of available Proxy servers
  Selected Proxy Server IP Address: 95.110.159.54
  Selected Proxy Country Name: ITALY
  Resulted Proxy server IP Address: 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine which technologies are used for Proxy Switcher.
2. Evaluate why Proxy Switcher is not open source.

Internet Connection Required: [x] Yes  [ ] No
Platform Supported: [x] Classroom  [ ] iLabs

Daisy Chaining using Proxy Workbench
Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.

Lab Scenario
You have learned in the previous lab how to hide your actual IP using a Proxy Switcher and browse anonymously. Similarly an attacker with malicious intent can pose as someone else using a proxy server and gather information like account or bank details of an individual by performing social engineering. Once the attacker gains relevant information he or she can hack into that individual's bank account for online shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace the real source of attacks.

As an administrator you should be able to prevent such attacks by deploying an intrusion detection system with which you can collect network information for analysis to determine if an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.

Lab Objectives
This lab will show you how networks can be scanned and how to use Proxy Workbench.
It will teach you how to:
* Use the Proxy Workbench tool
* Daisy chain the Windows Host Machine and Virtual Machines

Lab Environment
To carry out the lab, you need:
* Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench
* You can also download the latest version of Proxy Workbench from this link: http://proxyworkbench.com
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Windows Server 2012 as attacker (host machine)
* Another computer running Windows Server 2008, and Windows 7 as victim (virtual machine)
* A web browser with Internet access
* Follow Wizard-

7. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.
FIGURE 13.2: Firefox Network Settings
Note: The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory. The actual amount Proxy Workbench is consuming is generally much more than this due to overhead in managing it.
8. Check Manual proxy configuration in the Connection Settings wizard.
9. Type HTTP Proxy as 127.0.0.1 and enter the port value as 8080, check the option Use this proxy server for all protocols, and click OK.
FIGURE 13.3: Firefox Connection Settings
10. While configuring, if you encounter any port error please ignore it.
11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 13.4: Windows Server 2012 - Desktop view
12. Click the Proxy Workbench app to open the Proxy Workbench window.
Note: The last panel displays the current time as reported by your operating system.
FIGURE 13.5: Windows Server 2012 - Apps
13. The Proxy Workbench main window appears as shown in the following figure.
FIGURE 13.6: Proxy Workbench main window
14. Go to Tools on the toolbar, and select Configure Ports.
Note: The 'show the real time data window' allows the user to specify whether the real-time data pane should be displayed or not.
FIGURE 13.7: Proxy Workbench Configure Ports option
15. In the Configure Proxy Workbench wizard, select 8080 HTTP Proxy - Web in the left pane of Ports to listen on.
16. Check HTTP in the right pane of protocol assigned to port 8080, and click Configure HTTP for port 8080.
FIGURE 13.8: Proxy Workbench Configuring HTTP for Port 8080
17. The HTTP Properties window appears. Now check Connect via another proxy, enter your Windows Server 2003 virtual machine IP address in Proxy Server, enter 8080 in Port, and then click OK.
FIGURE 13.9: Proxy Workbench HTTP for Port 8080
18. Click Close in the Configure Proxy Workbench wizard after completing the configuration settings.
FIGURE 13.10: Proxy Workbench Configured proxy
19. Repeat the configuration steps of Proxy Workbench from Step 11 to Step 18 in Windows Server 2008 Virtual Machines.
20. In Windows Server 2008 type the IP address of Windows 7 Virtual Machine.
21. Open a Firefox browser in Windows Server 2008 and browse web pages.
22. Proxy Workbench generates the traffic as shown in the following figure of Windows Server 2008.
23. Check the To column; it is forwarding the traffic to 10.0.0.3 (Windows Server 2008 virtual machine).
FIGURE 13.11: Proxy Workbench Generated Traffic in Windows Server 2012 Host Machine
24. Now log in to the Windows Server 2008 Virtual Machine, and check the To column; it is forwarding the traffic to 10.0.0.7 (Windows 7 Virtual Machine).
25. Select On the web server, connect to port 80 in the Windows 7 virtual machine, and click OK.
FIGURE 13.13: Configuring HTTP properties in Windows 7
26. Now check the traffic in 10.0.0.7 (Windows 7 Virtual Machine); the "To" column shows traffic generated from the different websites browsed in.
Note: In the Connection Tree, if a protocol or a client/server pair is selected, the information of all of the socket connections that are in progress for the selected item on the Connection Tree is displayed.

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: Proxy Workbench
Information Collected/Objectives Achieved:
  Proxy server Used: 10.0.0.7
  Port scanned: 8080
  Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine the Connection Failure-Termination and Refusal.
2. Evaluate how real-time logging records everything in Proxy

Internet Connection Required: Yes
Platform Supported: Classroom

HTTP Tunneling Using HTTPort
HTTPort is a program from HTTHost that creates a transparent tunnel through a proxy server or firewall.

Lab Scenario
Attackers are always on the hunt for clients that can be easily compromised, and they can enter these networks with IP spoofing to damage or steal data.
The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.

Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc. and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.

Also, you should be familiar with the HTTP tunneling technique by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab you will learn HTTP Tunneling using HTTPort.

Lab Objectives
This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment
In the lab, you need the HTTPort tool.
* HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort
* You can also download the latest version of HTTPort from the link http://www.targeted.org
* If you decide to download the latest version, then screenshots shown in the lab might differ
* Install HTTHost on Windows Server 2008 Virtual Machine
* Install HTTPort on Windows Server 2012 Host Machine
* Follow the wizard-driven installation steps and install it.
* Administrative privileges are required to run this tool
* This lab might not work if the remote server filters/blocks HTTP tunneling packets

Lab Duration
Time: 20 Minutes

Overview of HTTPort
HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, firewalls, and transparent accelerators.

Lab Tasks
1. Before running the tool you need to stop IIS Admin Service and World Wide Web Publishing services on the Windows Server 2008 virtual machine.
2. Go to Administrative Privileges > Services > IIS Admin Service, right-click and click the Stop option.
Note: It supports strong traffic [...] makes proxy logging useless, and supports NTLM and other [...]
FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008
3. Go to Administrative Privileges > Services > World Wide Web Publishing Services, right-click and click the Stop option.
FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008
4. Open Mapped Network Drive "CEH-Tools" Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost.
5. Open the HTTHost folder and double-click htthost.exe.
6. The HTTHost wizard will open; select the Options tab.
7. On the Options tab, set all the settings to default except the Personal Password field, which should be filled in with any other password. In this lab, the personal password is "magic."
Note: To set up HTTPort you need to point your browser to 127.0.0.1
8. Check the Revalidate DNS names and Log Connections options and click Apply.
FIGURE 14.3: HTTHost Options tab
9. Now leave HTTHost intact, and don't turn off the Windows Server 2008 Virtual Machine.
10. Now switch to the Windows Server 2012 Host Machine, and install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort and double-click httport3snfm.exe.
11. Follow the wizard-driven installation steps.
12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.
FIGURE 14.4: Windows Server 2012 - Desktop view
13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.
FIGURE 14.5: Windows Server 2012 - Apps
14. The HTTPort 3.SNFM window appears as shown in the figure that follows.
FIGURE 14.6: HTTPort Main Window
15. Select the Proxy tab and enter the host name or IP address of targeted
16. Here as an example: enter the Windows Server 2008 virtual machine IP address, and enter Port number 80.
17. You cannot set the Username and Password fields.
18. In the Use personal remote host at section, click start and then stop and then enter the targeted Host machine IP address and port, which should
19. Here any password could be used. Here as an example: enter the password "magic".
FIGURE 14.7: HTTPort Proxy settings
20. Select the Port Mapping tab and click Add to create New Mapping.
FIGURE 14.8: HTTPort creating a New Mapping
21. Select New Mapping Node, right-click New Mapping, and click Edit.
FIGURE 14.9: HTTPort Editing to assign a mapping
22. Rename this to ftp certified hacker, and select Local port node; then right-click Edit and enter Port value to 21.
23. Now right-click on Remote host node to Edit and rename it as ftp.certifiedhacker.com
24. Now right-click on Remote port node to Edit and enter the port value to 21.
FIGURE 14.10: HTTPort Static TCP/IP port mapping
25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.
Note: HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.
FIGURE 14.11: HTTPort to start tunneling
26. Now switch to the Windows Server 2008 virtual machine and click the Applications log tab.
27. Check the last line; if it reads Listener: listening at 0.0.0.0:80, then it is running.
FIGURE 14.12: HTTHost Application log section
28. Now switch to the Windows Server 2012 host machine and turn ON the Windows Firewall.
29. Go to Windows Firewall with Advanced Security.
30. Select Outbound rules from the left pane of the window, and then click
FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008
31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.
32. Now select All remote ports in the Protocol and Ports section, and click Next.
FIGURE 14.15: Windows Firewall assigning Protocols and Ports
33. In the Action section, select the "Block the connection" option and click
FIGURE 14.16: Windows Firewall setting an Action
34. In the Profile section, select all three options. The rule will apply to: Domain, Public, Private. Then click Next.
FIGURE 14.17: Windows Firewall Profile settings
35. Type Port 21 Blocked in the Name field, and click Finish.
Note: The default TCP port for FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port.
FIGURE 14.18: Windows Firewall assigning a name to Port
36. The new rule Port 21 Blocked is created as shown in the following figure.
FIGURE: Windows Firewall

38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports and enter the Port number as 21.
39. Leave the other settings as their defaults and click Apply, then click OK.

FIGURE 14.21: Firewall Port 21 Blocked Properties

40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked in Windows Server 2008 by the firewall.

FIGURE 14.22: ftp connection

41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1, and press Enter.

FIGURE: ftp command

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Result: ftp 127.0.0.1 connected to 127.0.0.1

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. How do you set up an HTTPort to use an email client (Outlook, Messenger, etc.)?
2. Examine if software does not allow editing the address to connect to.
Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs

Basic Network Troubleshooting Using MegaPing
MegaPing is an ultimate toolkit that provides complete essential utilities for information system administrators and IT solution providers.

Lab Scenario
You have learned in the previous lab that HTTP tunneling is a technique where communications within network protocols are captured using the HTTP protocol. For any companies to exist on the Internet, they require a web server. These web servers prove to be a high data value target for attackers. The attacker usually exploits the WWW server running IIS and gains command line access to the system. Once a connection has been established, the attacker uploads a precompiled version of the HTTP tunnel server (hts). With the hts server set up, the attacker then starts a client on his or her system and directs its traffic to the SRC port of the system running the hts server. This hts process listens on port 80 of the host WWW and redirects traffic. The hts process captures the traffic in HTTP headers and forwards it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network.
MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.

Lab Objectives
This lab gives an insight into pinging to a destination address list.
It teaches how to:
* Ping a destination address list
* Traceroute
* Perform NetBIOS scanning

Note: PING stands for Packet Internet Groper.

Lab Environment
To carry out the lab, you need:
* MegaPing is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing
* You can also download the latest version of MegaPing from the link http://www.magnetosoft.com
* If you decide to download the latest version, then screenshots shown in the lab might differ
* Administrative privileges to run tools
* TCP/IP settings correctly configured and an accessible DNS server
* This lab will work in the CEH lab environment, on Windows Server 2012, Windows 2008, and Windows 7

Lab Duration
Time: 10 Minutes

Overview of Ping
The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any lost packets.

Lab Tasks
Task: IP Scanning
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 15.1: Windows Server 2012 Desktop view

2. Click the MegaPing app to open the MegaPing window.

FIGURE 15.2: Windows Server 2012 Apps

3. The MegaPing main window appears, as shown in the following figure.

Note: All Scanners can scan individual computers, any range of IP addresses, domains, and selected type of computers inside domains.

FIGURE 15.3: MegaPing main window

4. Select any one of the options from the left pane of the window.
5. Select IP Scanner, and type in the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.
6. You can select the IP range depending on your network.

FIGURE 15.4: MegaPing IP Scanning

7. It will list all the IP addresses under that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts.

FIGURE 15.5: MegaPing IP Scanning Report

8. Select the NetBIOS Scanner from the left pane and type in the IP range in the From and To fields. In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

Note: MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.
Note: Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example, by shutting down unnecessary ports, closing shares, etc.

FIGURE 15.7: MegaPing NetBIOS Scanning Report

10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.

Task 3: Traceroute
11. Then, right-click and select the Traceroute option.

FIGURE 15.8: MegaPing Traceroute

FIGURE 15.9: MegaPing Traceroute Report

Task: Port Scanning
13. Select Port Scanner from the left pane, add www.certifiedhacker.com in the Destination Address List, and then click the Start button.
14. After clicking the Start button, it toggles to Stop.
15. It will list the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: MegaPing
Information Collected / Objectives Achieved:
IP Scan Range: 10.0.0.1 - 10.0.0.254
Performed Actions:
* IP Scanning
* NetBIOS Scanning
* Traceroute
* Port Scanning
Result:
* List of Active Host
* NetBios Name
* Adapter Name

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. How does MegaPing detect security vulnerabilities on the network?
2. Examine the report generation of MegaPing.

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs

Detect, Delete and Block Google Cookies Using G-Zapper
G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.

Lab Scenario
You have learned in the previous lab that MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. It provides detailed information about all computers and network appliances.
It scans your entire network and provides information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network. As an administrator, you can organize safety measures by shutting down unnecessary ports, closing shares, etc. to block attackers from intruding the network. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.

Lab Objectives
This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.

Lab Environment
To carry out the lab, you need:
* G-Zapper is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper
* You can also download the latest version of G-Zapper from the link http://www.dummysoftware.com/
* If you decide to download the latest version, then screenshots shown in the lab might differ
* Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps
* Administrative privileges to run tools
* A computer running Windows Server 2012

Lab Duration
Time: 10 Minutes

Overview of G-Zapper
G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation.

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 16.1: Windows Server 2012 Desktop view

2. Click the G-Zapper app to open the G-Zapper window.

FIGURE 16.2: Windows Server 2012 Apps

3. The G-Zapper main window will appear as shown in the following screenshot.

FIGURE 16.3: G-Zapper main window

4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.

FIGURE 16.4: Deleting search cookies

5. To block the Google search cookie, click the Block cookie button.
A window will appear asking if you want to manually block the Google cookie. Click Yes.

FIGURE 16.5: Block Google cookie

6. It will show a message that the Google cookie has been blocked. To verify, click OK.

Note: G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It's far too easy for someone using your PC to get a glimpse of what you've been searching for.

FIGURE 16.6: Block Google cookie (2)

7. To test the Google cookie that has been blocked, click the Test Google button.
8. Your default web browser will now open to Google's Preferences page. Click OK.

FIGURE 16.7: Cookies disabled message

9. To view the deleted cookie information, click the Setting button, and click View Log in the cleaned cookies log.
FIGURE 16.8: Viewing the deleted logs

10. The deleted cookies information opens in Notepad.

FIGURE 16.9: Deleted logs report

Lab Analysis
Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: G-Zapper
Information Collected / Objectives Achieved:
Action Performed:
* Detect the cookies
* Delete the cookies
* Block the cookies
Result: Deleted cookies are stored in C:\Users\Administrator\Application Data

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine how G-Zapper automatically cleans Google cookies.
2. Check to see if G-Zapper is blocking cookies on sites other than Google.
Scanning the Network Using the Colasoft Packet Builder
The Colasoft Packet Builder is a useful tool for creating custom network packets.

Lab Scenario
In the previous lab you have learned how you can detect, delete, and block cookies. Attackers exploit the XSS vulnerability, which involves an attacker pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser will execute the code. The browser has no way of telling the difference between legitimate and malicious code. Injected code is another mechanism that an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript code. The injected code can read a user's cookies and transmit those cookies to the attacker.
As an expert ethical hacker and penetration tester, you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields, encoding input and output, filtering meta characters in the input, and using a web application firewall to block the execution of malicious script.
Another method of vulnerability checking is to scan a network using the Colasoft Packet Builder. In this lab, you will learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment
In this lab, you need:
* Colasoft Packet Builder located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder
* A computer running Windows Server 2012 as host machine
* Windows 8 running on virtual machine as target machine
* You can also download the latest version of Advanced Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php
* If you decide to download the latest version, then screenshots shown in the lab might differ.
* A web browser with Internet connection running in host machine

Lab Duration
Time: 10 Minutes

Overview of Colasoft Packet Builder
Colasoft Packet Builder creates and enables custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that makes it much easier for users to edit specific protocol field values. Users are also able to edit decoding information in two editors: Decode Editor and Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.

Lab Tasks
Task: Scanning Network
1. Install and launch the Colasoft Packet Builder.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 17.1: Windows Server 2012 Desktop view

3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.

FIGURE 17.2: Windows Server 2012 Apps

4. The Colasoft Packet Builder main window appears.
FIGURE 17.3: Colasoft Packet Builder main screen

5. Before starting your task, check that the Adapter settings are set to default and then click OK.

FIGURE 17.4: Colasoft Packet Builder Adapter settings

6. To add or create the packet, click Add in the menu section.

FIGURE 17.5: Colasoft Packet Builder creating the packet

7. When an Add Packet dialog box pops up, you need to select the template and click OK.

Note: You may also import data from .cap (Network Associates Sniffer packet files), .pkt (EtherPeek/TokenPeek/AiroPeek/OmniPeek packet files), .dmp (TCP DUMP), and .rawpkt (raw packet files).

FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box

8. You can view the added packets list on the right-hand side of your window.

Task 2: Decode Editor

FIGURE 17.7: Colasoft Packet Builder Packet List

9. Colasoft Packet Builder allows you to edit the decoding information in the two editors: Decode Editor and Hex Editor.

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: Colasoft Packet Builder
Information Collected / Objectives Achieved:
Adapter Used: Realtek PCIe Family Controller
Selected Packet Name: ARP Packets
Result: Captured packets are saved in packets.cscpkt

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.
2. Evaluate what types of instant messages Capsa monitors.
3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs

Scanning Devices in a Network Using The Dude
The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.

Lab Scenario
In the previous lab you learned how packets can be captured using Colasoft Packet Builder. Attackers too can sniff, capture, and analyze packets from a network and obtain specific network information.
The attacker can disrupt communication between hosts and clients by modifying system configurations, or through the physical destruction of the network. As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventative measures to stop any additional unauthorized access. In this lab you will learn to use The Dude tool to scan the devices in a network, and the tool will alert you if any attack has been performed on the network.

Lab Objectives
The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.

Lab Environment
To carry out the lab, you need:
* The Dude is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude
* You can also download the latest version of The Dude from the link http://www.mikrotik.com/thedude.php
* If you decide to download the latest version, then screenshots shown in the lab might differ
* A computer running Windows Server 2012
* Double-click The Dude and follow the wizard-driven installation steps to install The Dude
* Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of The Dude
The Dude network monitor is a new application that can dramatically improve the way you manage your network environment.
It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 18.1: Windows Server 2012 Desktop view

Task 1: Launch The Dude
2. In the Start menu, to launch The Dude, click The Dude icon.

FIGURE 18.2: Windows Server 2012 Start menu

3. The main window of The Dude will appear.

FIGURE 18.3: Main window of The Dude

4. Click the Discover button on the toolbar of the main window.

FIGURE 18.4

5. The Device Discovery window appears.

FIGURE 18.6: Device discovery window

6. In the Device Discovery window, specify the Scan Networks range, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, and IP from the Device Name Preference drop-down list, and click

FIGURE 18.7: Selecting device name preference

7. Once the scan is complete, all the devices connected to a particular network will be displayed.

FIGURE 18.8: Overview of network connection

... information about that device.

FIGURE 18.9: Detailed information of the device

9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.

FIGURE 18.10: Selecting Local information

11. As described previously, you may select all the other options from the drop-down list to view the respective information.
12. Once scanning is complete, click the button to disconnect.

Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: The Dude
Information Collected / Objectives Achieved:
IP Address Range: 10.0.0.0 - 10.0.0.24
Device Name Preferences: DNS, SNMP, NETBIOS, IP
Output: List of connected system, devices in Network

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs
