
2018–2019

Scanning Networks L3 IPROSI, M. DIEDHIOU


2 PLAN
INTRODUCTION
OBJECTIVES OF NETWORK SCANNING
TYPES OF SCANNING
METHODOLOGY FOR SCANNING
I. Check for live systems
II. Check for open ports
III. Service Identification
IV. Banner Grabbing / OS Fingerprinting
V. Vulnerability Scanning
VI. Draw Network Diagrams of Vulnerable Hosts
VII. Proxy Servers
COUNTERMEASURES


3 INTRODUCTION

After the reconnaissance and information-gathering stages have been completed, scanning is performed. It is important that the information-gathering stage be as complete as possible to identify the best location and targets to scan.

During scanning, the hacker continues to gather information regarding the network and its individual host systems. Information such as IP addresses, operating system, services, and installed applications can help the hacker determine which type of exploit to use in hacking a system.


4 OBJECTIVES OF NETWORK SCANNING

To discover live hosts, their IP addresses, and the open ports of live hosts

To discover operating systems and system architecture

To discover services running on hosts

To discover vulnerabilities in live hosts


5 TYPES OF SCANNING

Port Scanning: Port scanning is the process of identifying open and available TCP/IP ports on a system. Port-scanning tools enable a hacker to learn about the services available on the system.

Network Scanning: Network scanning is a procedure for identifying active hosts on a network, either to attack them or as a network security assessment. Hosts are identified by their individual IP addresses. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.


6 TYPES OF SCANNING

Vulnerability Scanning: Vulnerability scanning is the process of proactively identifying the vulnerabilities of computer systems on a network. Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed.

Then, the scanner identifies weaknesses or vulnerabilities in the operating system. During the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system.


7 METHODOLOGY FOR SCANNING


8 I. CHECK FOR LIVE SYSTEMS

Ping Sweep Techniques: ICMP scanning, or a ping sweep, is the process of sending an ICMP echo request (ping) to all hosts on the network to determine which ones are up and responding to pings.

To determine the perimeter of the target network / system

To facilitate network mapping

To build an inventory of accessible systems on the target network

(Figure: ICMP ping scan)


9 I. CHECK FOR LIVE SYSTEMS

(Figures: ICMP ping scan; ping sweep output using Nmap)

# nmap -sn 192.168.1.6
# nmap -sn -PE -PA21,23,80,53 192.168.1.1-3


10 I. CHECK FOR LIVE SYSTEMS

PING UTILITIES
Alternatively, TCP/UDP packets are sent if incoming ICMP messages are blocked.
Ping utilities include:
• Ping TestPro
• WS_Ping ProPack ( www.ipswitch.com )
• NetScan Tools ( www.nwpsw.com )
• Hping ( http://www.hping.org/download.html )
• icmpenum ( www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz )
Ping sweep detection utilities include:
• Network-based IDS ( www.snort.org )
• Genius ( www.indiesoft.com )
• BlackICE ( www.networkice.com )
• Scanlogd ( www.openwall.com/scanlogd )

11 II. CHECK FOR OPEN PORTS

Checking for open ports is the second step in the scanning methodology. Port scanning is the method used to check for open ports.

The process of port scanning involves probing each port on a host to determine which ports are open.


13 II. CHECK FOR OPEN PORTS

(Figures: ICMP scanning; ACK scanning on port 80)


14 II. CHECK FOR OPEN PORTS

(Figure: Scanning techniques)


15 II. CHECK FOR OPEN PORTS

1 TCP Connect scan detects that a port is open by completing the three-way handshake

2 TCP Connect scan establishes a full connection and then tears it down by sending an RST packet

3 It does not require super-user privileges

(Figures: scan result when a port is open; scan result when a port is closed)


16 II. CHECK FOR OPEN PORTS

 In an Xmas scan, attackers send a TCP frame to a remote device with the FIN, URG, and PUSH flags set
 It will not work against any current version of Microsoft Windows

(Figures: port is closed; port is open)


17 II. CHECK FOR OPEN PORTS

 UDP Port Open
 There is no three-way TCP handshake for a UDP scan
 The system does not respond with a message when the port is open

 UDP Port Closed
 If a UDP packet is sent to a closed port, the system responds with an ICMP port unreachable message
 Spyware, trojan horses, and other malicious applications use UDP ports
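Added example, not part of the slides: detection logic for the ping sweeps of slide 10 and the TCP/UDP port probes of slides 15 to 17 (including the FIN+URG+PUSH flag set of the Xmas scan), run over a few constructed firewall log lines. The log format, the field names, the thresholds and the sample addresses are all my own assumptions, not those of any real firewall or IDS.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed log format (not any real firewall's): one packet per line.
LINE_RE = re.compile(r"(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
                     r"(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>[A-Z]*))?(?: type=(?P<type>\d+))?")
XMAS = frozenset("FPU")   # FIN, PSH and URG set together (slide 16); no normal TCP stack sends this
WINDOW, SWEEP_HOSTS, SCAN_PORTS = 60, 5, 5   # seconds; distinct hosts pinged; distinct ports probed

def parse_line(line):
    m = LINE_RE.match(line)
    if m:
        p = m.groupdict()
        p["ts"] = datetime.fromisoformat(p["ts"])
        p["flags"] = frozenset(p["flags"] or "")
        return p

def _distinct_in_window(events):
    """Most distinct targets hit inside any WINDOW-second span; events are (timestamp, target)."""
    events, best, start = sorted(events, key=lambda e: e[0]), 0, 0
    for end, (ts, _) in enumerate(events):
        while (ts - events[start][0]).total_seconds() > WINDOW:
            start += 1
        best = max(best, len({t for _, t in events[start:end + 1]}))
    return best

def detect(lines):
    """Return sorted (kind, source) alerts: ping_sweep, port_scan or xmas_probe."""
    alerts, pinged, probed = set(), defaultdict(list), defaultdict(list)
    for p in filter(None, map(parse_line, lines)):
        if p["proto"] == "icmp" and p["type"] == "8":          # ICMP echo request (slide 8)
            pinged[p["src"]].append((p["ts"], p["dst"]))
        elif p["proto"] in ("tcp", "udp"):                     # TCP/UDP port probe (slides 15-17)
            if p["proto"] == "tcp" and p["flags"] == XMAS:
                alerts.add(("xmas_probe", p["src"]))
            probed[(p["src"], p["dst"])].append((p["ts"], (p["proto"], p["dport"])))
    alerts |= {("ping_sweep", s) for s, ev in pinged.items() if _distinct_in_window(ev) >= SWEEP_HOSTS}
    alerts |= {("port_scan", s) for (s, _), ev in probed.items() if _distinct_in_window(ev) >= SCAN_PORTS}
    return sorted(alerts)

# Constructed sample: 10.0.0.5 sweeps five hosts, then probes seven ports on one of them (one an Xmas probe); 10.0.0.9 is a normal client.
SAMPLE_LOG = [
    *(f"2019-03-04T10:00:{i:02d} proto=icmp src=10.0.0.5 dst=192.168.1.{i + 1} type=8" for i in range(5)),
    *(f"2019-03-04T10:01:{i:02d} proto=tcp src=10.0.0.5 dst=192.168.1.6 dport={port} flags=S"
      for i, port in enumerate((21, 22, 23, 25, 80))),
    "2019-03-04T10:01:30 proto=tcp src=10.0.0.5 dst=192.168.1.6 dport=443 flags=FPU",
    "2019-03-04T10:02:00 proto=udp src=10.0.0.5 dst=192.168.1.6 dport=53",
    "2019-03-04T10:02:05 proto=tcp src=10.0.0.9 dst=192.168.1.6 dport=443 flags=S",
]
```

`detect(SAMPLE_LOG)` reports a ping sweep, a port scan and an Xmas probe, all from 10.0.0.5, and nothing for the single client connection; the thresholds are the knobs a real IDS rule (such as the Scanlogd or Snort ones listed above) exposes.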


18 III. SERVICE IDENTIFICATION

Service identification is the third step in the CEH scanning methodology; it is usually performed using the same tools as port scanning.

By identifying open ports, a hacker can usually also identify the services associated with those port numbers.


19 III. CHECK FOR OPEN PORTS and SERVICE IDENTIFICATION

Nmap: a free, open-source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection.

IPEye: a TCP port scanner that can do SYN, FIN, NULL, and XMAS scans.


20 IV. BANNER GRABBING / OS FINGERPRINTING

Banner grabbing / OS fingerprinting is the method used to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive.

Identifying the operating system used on the target hosts allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on that system to further carry out additional attacks.


21 IV. BANNER GRABBING / OS FINGERPRINTING

IDServe
 IDServe is used to identify the make, model, and version of any web site's server software
 It is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.

Netcraft
 Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site.


22 IV. BANNER GRABBING / OS FINGERPRINTING

Netcat: This utility reads and writes data across network connections, using the TCP/IP protocol.
1. # netcat -vv www.website.com 80
2. GET / HTTP/1.0 (followed by an empty line, i.e. press Enter twice, to end the request)

Telnet: This technique probes HTTP servers to determine the Server field in the HTTP response header.
1. telnet www.website.com 80
2. GET / HTTP/1.0 (followed by an empty line)
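Added example, not part of the slides: a small Python self-audit of what a web server discloses in reply to the GET / HTTP/1.0 request above. It parses the raw reply and reports the headers whose value carries a version number (the Server field in particular). The two replies are constructed, and the function names, the header list and the version pattern are my own choices.

```python
import re
import socket

# Response headers that commonly carry a product version; slide 22 focuses on Server.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
VERSION_RE = re.compile(r"\d+\.\d+")   # e.g. "2.4.29" or "7.2"

def parse_response_headers(raw):
    """Split a raw HTTP response into its status line and a lower-cased header dict."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def banner_findings(raw):
    """Return (header, value) pairs whose value reveals a version number."""
    _, headers = parse_response_headers(raw)
    return [(h, headers[h]) for h in DISCLOSING_HEADERS
            if h in headers and VERSION_RE.search(headers[h])]

def grab_http_banner(host, port=80, timeout=5.0):
    """Send the GET / HTTP/1.0 request of slide 22 and return the raw reply
    (an HTTP/1.0 server closes the connection after the response)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)

# Constructed replies (not real captures): one verbose, one with the version stripped.
VERBOSE_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
                 b"X-Powered-By: PHP/7.2.24\r\nContent-Type: text/html\r\n\r\n<html></html>")
HARDENED_REPLY = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

`banner_findings(VERBOSE_REPLY)` lists the Server and X-Powered-By values, while `banner_findings(HARDENED_REPLY)` is empty; the passive techniques on the next slide (error pages, page extensions) still leak platform hints even when these headers are trimmed.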


23 IV. BANNER GRABBING / OS FINGERPRINTING

Active Banner Grabbing
 Specially crafted packets are sent to the remote OS and the responses are noted
 The responses are then compared with a database to determine the OS
 Responses from different OSes vary due to differences in their TCP/IP stack implementation

Passive Banner Grabbing
 Banner grabbing from error messages: error messages provide information such as the type of server, the type of OS, and the SSL tool used by the target remote system
 Sniffing the network traffic: capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system
 Banner grabbing from page extensions: looking for an extension in the URL may assist in determining the application version. Example: .aspx => IIS server and Windows platform


24 V. Vulnerability Scanning

Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited.

(Figure labels: Network vulnerabilities; Open ports and running services; Application and services configuration errors; Application and services vulnerabilities)


25 V. Vulnerability Scanning
Tool:
The vulnerability and configuration assessment product

Features
 Agentless auditing
 Compliance checks
 Content audits
 Customized reporting
 High-speed vulnerability discovery
 In-depth assessments
 Mobile device audits
 Patch management integration
 Scan policy design and execution

http://www.tenable.com


26 V. Vulnerability Scanning
Tool:
Assists in asset inventory, change management, risk analysis, and proving compliance

Features
 Selectively creates custom vulnerability checks
 Identifies security vulnerabilities and takes remedial action
 Creates different types of scans and vulnerability tests
 Helps ensure third-party security applications offer optimum protection
 Performs network device vulnerability checks

http://www.gfi.com


27 V. Vulnerability Scanning

Retina CS ( www.beyondtrust.com )
Core Impact Professional ( www.coresecurity.com )
MBSA ( http://www.microsoft.com )
Shadow Security Scanner ( www.safety-lab.com )
Nsauditor Network Security Auditor ( www.nsauditor.com )
OpenVAS ( www.openvas.org )
Security Manager Plus ( www.indiesoft.com )
Nexpose ( www.rapid7.com )
SAINT ( www.saintcorporation.com )


28 V. Vulnerability Scanning

Retina CS for Mobile ( http://www.beyondtrust.com )
SecurityMetrics Mobile Scan ( http://www.securitymetrics.com )
Nessus Vulnerability Scanner ( http://www.tenable.com )

29 VI. Draw Network Diagrams of Vulnerable Hosts

 Drawing the target's network diagram gives an attacker valuable information about the network and its architecture
 A network diagram shows the logical or physical path to a potential target


30 VI. Draw Network Diagrams of Vulnerable Hosts

Features
 Network topology discovery and mapping
 Export network diagrams to Visio
 Network mapping for regulatory compliance
 Multi-level network discovery
 Auto-detect changes to network topology

http://www.solarwinds.com


31 VI. Draw Network Diagrams of Vulnerable Hosts

OpManager ( http://www.manageengine.com )
 OpManager is network monitoring software that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, etc.

NetworkView ( http://www.networkview.com )
 NetworkView is a network discovery and management tool for Windows
 Discovers TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and WMI


32 VI. Draw Network Diagrams of Vulnerable Hosts

The Dude ( www.mikrotik.com )
LANState ( www.10-strike.com )
Friendly Pinger ( http://www.kilievich.com )
Ipsonar ( www.lumeta.com )
WhatsConnected ( www.whatsupgold.com )
Switch Center Enterprise ( www.lan-secure.com )
InterMapper ( www.intermapper.com )
NetMapper ( www.opnet.com )


33 VI. Draw Network Diagrams of Vulnerable Hosts

Network «Swiss-Army-Knife», Net Master, Scany

http://www.nutecapps.com http://happymagenta.com http://foobang.weebly.com


34 VII. Proxy Servers

A proxy is a network computer that can serve as an intermediary for connecting with other computers.

Acting as a firewall, a proxy protects the local network from outside access.

A proxy can filter out unwanted content.


35 VII. Proxy Servers

 To hide the source IP address.
 To mask the actual source of the attack.
 To intercept all the requests sent by an attacker and transmit them to a third destination, so that victims will only be able to identify the proxy server's address.
 Attackers chain multiple proxy servers to avoid detection.


36 VII. Proxy Servers

(Figure: use of proxies for attack)


37 VII. Proxy Servers

Hides your IP address from the websites you visit

http://www.proxyswitcher.com


38 VII. Proxy Servers

A proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, and save the data.

http://www.proxyworkbench.com


39 VII. Proxy Servers

CyberGhost allows you to protect your online privacy, surf anonymously, and access blocked or censored content.

Tor allows you to protect your privacy and defend yourself against network surveillance and traffic analysis.

https://www.torproject.org http://www.cyberghostvpn.com

40 VII. Proxy Servers

SocksChain ( http://ufasoft.com )
Burp Suite ( www.portswigger.net )
Proxifier ( http://www.proxifier.com )
Proxy Tool Windows App ( http://webproxylist.com )
Fiddler ( www.telerik.com )
Proxy ( www.analogx.com )
Protoport Proxy Chain ( www.protoport.com )
ProxyCap ( www.proxycap.com )


41 VII. Proxy Servers

Proxy Browser for Android ( https://play.google.com )
ProxyDroid ( https://github.com )
NetShade ( http://www.raynersw.com )


42 VII. Proxy Servers


43 VII. Proxy Servers

An anonymizer removes all the identifying information from the user's computer while the user surfs the internet.

Anonymizers make activity on the internet untraceable

Anonymizers allow you to bypass Internet censors

Why use an anonymizer?

Privacy and anonymity

Protection from online attacks

Access to restricted content

Bypass IDS and firewall rules


44 VII. Proxy Servers

Tails is a live operating system that a user can start on any computer from a DVD, USB stick, or SD card.

https://tails.boum.org/install/download/index.fr.html

45 VII. Proxy Servers

Orbot ( https://guardianproject.info )
Psiphon ( https://s3.amazonaws.com )
OpenDoor ( https://itunes.apple.com )


46 COUNTERMEASURES
Port Scanning Countermeasures

Configure firewall and IDS rules to detect and block probes.
Run the port scanning tools against hosts on the network to determine whether the firewall properly detects the port scanning activity.
Ensure that the mechanisms used for routing and filtering at the routers and firewalls respectively cannot be bypassed using particular source ports or source-routing methods.
Ensure that the router, IDS, and firewall firmware are updated to their latest releases.
Use a custom rule set to lock down the network and block unwanted ports at the firewall.
Filter ICMP messages at the firewalls and routers.
Perform TCP and UDP scanning along with ICMP probes against your organization's IP address space to check the network configuration on its available ports.


47 Scanning Pen Testing

Pen testing a network for scanning vulnerabilities determines the network's security posture by identifying live systems, discovering open ports, associating services and grabbing system banners to simulate a network hacking attempt.
The penetration testing report will help system administrators to:


48

END OF CHAPTER