Professional Documents
Culture Documents
LAB ID: 3
SCANNING
Port Scanning
OS Fingerprinting
Service Detection
Idle Scan
[Scanning] LAB ID: 3
1. LAB
You are a Penetration tester given an entire Network block as scope of
engagement.
NETBLOCK: 10.50.96.0/23
2. GOALS
Find all hosts alive
OS Fingerprinting
Detecting Services
To guide you during the lab you will find different Tasks.
Tasks are meant for educational purposes and to show you the usage of
different tools and different methods to achieve the same goal.
Armed with the skills acquired though the task you can achieve the Lab
goal.
If this is the first time you do this lab, we advise you to follow these Tasks.
Once you have completed all the Tasks, you can proceed to the end of
this paper and check the solutions.
4. RECOMMENDED TOOLS
Nmap
Hping3
5. TASKS
Task 1: Host Discovery
Perform a ICMP Ping sweep with Nmap and save the results into an XML
file. Which hosts have you found to be alive?
Host IP address
Now repeat the scan to also include probes to most common TCP ports.
Use Hping3 to perform a TCP SYN scan on address 10.50.97.5. Scan for
ports 23/53/135 and determine through the results, which of them are
open, which are closed and which are filtered.
Status Ports
Open
Closed
Filtered
Use Nmap to perform a UDP scan on host 10.50.97.5. This will reveal
other open/filtered ports.
Task 7: OS fingerprint
Use Nmap to detect all the services running on each host in the network.
SOLUTIONS
1: Host Discovery
The Nmap command to perform a ping sweep, and then save the results
into an xml, is the following:
>>nmap –PE –sn -n 10.50.96.0/23 –oX /root/Desktop/scan.xml
where with the -sn we tell nmap to not do a port scan after a host
discovery, the -PE enables ICMP Echo request host discovery (Ping scan)
and with the -oX we tell nmap to save the results into an XML file (in our
case the filename is scan.xml and is located in /root/Desktop).
Option -n is optional and skips DNS reverse lookup on all the IP addresses.
Host IP address
10.50.96.1
10.50.96.105
10.50.96.110
10.50.96.115
10.50.97.1
10.50.97.5
10.50.97.10
10.50.97.15
10.50.97.20
10.50.97.25
Note that if you use only –sn without –PE nmap uses ICMP requests, but
will also send a TCP SYN packet on ports 80 and 443 of each host.
2: Open/Closed/Filtered ports
Hping3 is one of the most powerful packet crafting tools. It’s very easy to
start a TCP communication defining flags to use in order to scan specific
ports and hosts. We want to scan ports 23/53/135 on the address
10.50.97.5. For a SYN scan, we will have to enable the SYN flag, and
according to the response we can determine if a port is
open/close/filtered.
>>hping3 -S –p 23 10.50.97.5
where:
We already know that the host is alive, but if we try the previous
command we will receive no packets. This could happen when there is a
Firewall between us and the target, that blocks our packets.
In the same way as before, let’s use the previous command in order to
scan port 53:
>>hping3 -S –p 53 10.50.97.5
In this case the tool tells us that it received the R flag (Reset) and the A
(Acknowledgement) flag. This means that the port 53 is closed.
The last port to check is 135. The command will look like this:
Status Port
Open 135
Closed 53
Filtered 23
In order to perform a TCP scan with Hping3 from port 1 to port 1000 we
can use the following option:
Since the previous scan does not reveal any information about
open/closed/filtered ports used by UDP services, we can use Nmap to
perform an UDP scan and get more information about our target. In order
to do that, we can use the following command:
Note that the open|filtered result means that no response has been
received, and that the port can be open or filtered by a firewall.
In Task 1 we have found a list of alive hosts. We can use this information
to create a ‘.txt’ file that contains the list of IP address to take care of.
Once we have created the file, we can give it to Nmap and perform a TCP
SYN scan in order to find open/closed/filtered ports. The command will
look like this:
This command will take times. To check the progress of the scan press
the up arrow on your keyboard.
6: Source port
>>hping3 -S -s 53 –k -p 53 10.50.97.25
Note that when you specify a source port, hping takes it as a base port
and increases it at every packet sent. You can use the –k (keep) option to
prevent this behavior. From the results of the previous two commands,
we can see that there is only one host (10.50.97.25) with the port 53
open. This is an information that we didn’t find using any of the previous
scans, so make sure to play with source ports during your scans.
7: OS fingerprinting
>>nmap –O –v –n 10.50.97.0/24
where:
This will tell us that there are two different Operating systems in the
remote network:
- Windows XP SP3
- Windows Server 2003
8: Service detection
In this case we will show the basic command, but you can use different
options and check the different results yourself. If you need more
information about it, please check out the Nmap man page here:
http://nmap.org/book/man-version-detection.html.
Note that Nmap first checks for alive hosts, then performs a port scan and
after that, it performs a service and version detection. Moreover you can
use the –A option to get more information about services and
applications version. This is quite aggressive and will also enable Nmap
scripts.
To do this we can use Hping3 sending packets to open ports at each host
in the network, using the following command:
where:
In this way if the ID increments by 1 for each packet (id=+1), means that
the target is not sending packets through the network and is a good
zombie candidate.
>>nmap –O –v –n 10.50.97.10
Now that we have the address of a good zombie we can check if the
target hosts have port 23 open :