
Footprinting and Scanning (Part 1)

Instructor: Eng. Bishoy Gamel Tawfik
Network Discovery and Mapping
 After collecting information about the target organization during the information gathering stage, a penetration tester proceeds to fingerprint and enumerate the nodes running on the client's network.
 The techniques you are going to see work on both local and remote networks.
 As you know, every host connected to the Internet or to a private network must have a unique IP address which identifies it.

 How can a penetration tester determine which hosts, sitting in an in-scope network, are up and running?
Why Map a (Remote) Network?
 A company asks for a penetration test, and the following address block is considered in scope:
 200.200.0.0/16

 A sixteen-bit netmask means the network could contain up to 2^16 (65535) hosts with IP addresses in the 200.200.0.0 - 200.200.255.255 range.

 The penetration tester needs a way to find which of the 65535 IP addresses are assigned to a node.
Why Map a (Remote) Network?
 We need a way to transform an unknown network into a useful map, starting from something like this:

 We will get something like this!


Scanning Goals
 Goals of Scanning:

 Determine network addresses of live hosts, firewalls, routers, and such on the network.
 Determine the network topology of the target environment.
 Determine operating system types of discovered hosts.
 Determine open ports and network services in a target environment.
 Determine lists of potential vulnerabilities.
 Do these in a manner that minimizes the risk of impairing a host or service.


Scanning Types
 Scan Types:

 Network sweeping
- Send a series of probe packets to identify live hosts at IP addresses in the target network.
 OS fingerprinting
- Determine the target operating system type based on its network behaviour (how it responds to probes).
 Port scanning
- Determine listening TCP and UDP ports on target systems.
 Version scanning
- Determine the version of services and protocols spoken by open TCP and UDP ports.
 Vulnerability scanning
- Determine a list of potential vulnerabilities (misconfigurations, unpatched services, and so on) in the target environment.
Scanning Topology
Network Sweeping
 The previous example shows how mapping the remote network completely changes your understanding of it.
 Trying to blindly exploit 65536 hosts would be a massive waste of time and resources!

Q) How do you determine which IP addresses in scope are assigned to a host?

A) The simplest way is through Network Sweeping!


Ping Sweep
 Identify the devices connected to the network by pinging them all.
 (Online – Offline)

 A ping scan involves sending ICMP ECHO requests to multiple hosts. If a host is online, it will return an ICMP ECHO reply.

 Attackers calculate subnet masks to identify the number of hosts present in the subnet.

 This scan is useful for locating active devices or for determining whether ICMP is passing through a firewall.
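The same sweep seen from the defender's side: a ping sweep is one source sending ICMP echo requests to many distinct destinations in a short time. The following Python example is added here and is not part of the original slides; the log line format, the source addresses and the thresholds are assumptions constructed for the example, not the output of any real firewall or sensor.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Added example (not from the slides): flag ping sweeps in ICMP log lines.
# Log format is an assumption for this example:
#   2024-03-01T10:00:00Z ICMP type=8 code=0 src=203.0.113.5 dst=10.10.100.1
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP type=(?P<type>\d+) code=(?P<code>\d+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for unrelated or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "type": int(m["type"]),
        "src": m["src"],
        "dst": m["dst"],
    }


def detect_ping_sweeps(lines: Iterable[str], min_hosts: int = 10,
                       window_seconds: int = 60) -> Dict[str, int]:
    """Return {source: max distinct destinations probed within one window}
    for every source that reaches min_hosts. Only echo requests (type 8)
    count; echo replies (type 0) are the targets answering, not probes."""
    window = timedelta(seconds=window_seconds)
    by_src: Dict[str, List[tuple]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["type"] == 8:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts: Dict[str, int] = {}
    for src, probes in by_src.items():
        probes.sort()                      # oldest first
        in_window: deque = deque()         # (ts, dst) inside the sliding window
        counts: Counter = Counter()        # dst -> probes still in the window
        best = 0
        for ts, dst in probes:
            in_window.append((ts, dst))
            counts[dst] += 1
            # drop probes older than the window before measuring
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            best = max(best, len(counts))
        if best >= min_hosts:
            alerts[src] = best
    return alerts


def _line(ts: datetime, icmp_type: int, src: str, dst: str) -> str:
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} ICMP type={icmp_type} code=0 src={src} dst={dst}"


# Constructed sample log (not real traffic): a sweep, its replies, routine
# monitoring pings, a slow scanner that stays under the window, and noise.
_T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_LOG: List[str] = (
    [_line(_T0 + timedelta(seconds=2 * i), 8, "203.0.113.5", f"10.10.100.{i + 1}") for i in range(12)]
    + [_line(_T0 + timedelta(seconds=2 * i + 1), 0, f"10.10.100.{i + 1}", "203.0.113.5") for i in range(12)]
    + [_line(_T0 + timedelta(seconds=10 * i), 8, "10.10.100.6", "10.10.100.5") for i in range(3)]
    + [_line(_T0 + timedelta(minutes=2 * i), 8, "198.51.100.7", f"10.10.100.{i + 1}") for i in range(15)]
    + ["2024-03-01T10:00:05Z TCP SYN src=10.10.100.6 dst=10.10.100.5 dport=22"]
)

if __name__ == "__main__":
    for src, hosts in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {hosts} hosts probed within 60 s")
```

The slow scanner (one probe every two minutes) is not reported with the default 60-second window but is with a 30-minute one, which is the usual trade-off: a longer window catches patient sweeps at the cost of more false positives from legitimate monitoring.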


Example Ping Sweep
 nmap -sn <network address>/<prefix length: 8, 16, 24 or 32>
Advanced Host Discovery and Much More by Nmap
 You can specify your targets on the command line in CIDR format, as a range, or by using wildcard notation.

nmap -sn 192.168.1.0/24
nmap -sn 192.168.1.1-100
nmap -sn 192.168.1.*
nmap -sn 192.168.*.10

 You can save your host list to a file and pass it to Nmap with the -iL (input list) command line switch in conjunction with -sn. This way you will conduct a ping scan against each host in the given list.
 Please note that in this example we are naming our saved file hostslist.txt.
nmap -sn -iL hostslist.txt
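Before launching a sweep it is worth expanding the target notation yourself to see exactly how many addresses are in scope and to catch entries that fall outside the agreed block. The following Python example is added here and is not Nmap's own code; it accepts the notations shown above (CIDR, octet ranges such as 1-100, wildcards, and a host list in the style of hostslist.txt) and the sample host list is constructed for the example. As Nmap does, a CIDR block expands to every address including the network and broadcast addresses.

```python
import ipaddress
import itertools
import re
from typing import Iterable, List

# Added example (not from the slides or from Nmap): expand Nmap-style IPv4
# target specs into concrete addresses for scope review.
_OCTET_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")


def _octet_values(part: str) -> List[int]:
    """Expand one dotted-quad component: '10', '1-100' or '*'."""
    if part == "*":
        return list(range(256))
    m = _OCTET_RANGE.match(part)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range: {part}")
        return list(range(lo, hi + 1))
    if not part.isdigit() or not 0 <= int(part) <= 255:
        raise ValueError(f"invalid octet: {part}")
    return [int(part)]


def expand_target(spec: str) -> List[str]:
    """Turn one target spec into the list of IPv4 addresses it denotes."""
    spec = spec.strip()
    if "/" in spec:
        # CIDR notation, e.g. 192.168.1.0/24 or 200.200.0.0/16
        network = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in network]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec}")
    octets = [_octet_values(p) for p in parts]
    # wildcards and ranges in several octets combine, as 192.168.*.10 does
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def parse_host_list(text: str) -> List[str]:
    """Parse an -iL style file: one spec per line, blank lines and
    '#' comments ignored (comment support is this example's own addition)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            specs.append(line)
    return specs


def expand_targets(specs: Iterable[str]) -> List[str]:
    """Expand several specs, de-duplicated, keeping first-seen order."""
    seen = {}
    for spec in specs:
        for addr in expand_target(spec):
            seen.setdefault(addr, None)
    return list(seen)


# Constructed sample standing in for hostslist.txt (not a real scope file)
SAMPLE_HOSTLIST = """\
# in-scope ranges agreed with the client
192.168.1.1-100
192.168.*.10
10.10.100.0/30   # small block
"""

if __name__ == "__main__":
    targets = expand_targets(parse_host_list(SAMPLE_HOSTLIST))
    print(f"{len(targets)} addresses in scope; first {targets[0]}, last {targets[-1]}")
```

Note that 192.168.1.10 appears in both the range and the wildcard line, so the sample list expands to 359 addresses rather than 360. When typing the wildcard forms into a shell, quote them (nmap -sn '192.168.1.*') so the shell does not try to expand the asterisk itself.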
Advanced Host Discovery and Much More by Nmap

 In fact, the scanner does not just use ping packets to find live hosts.
 Here is an extract of the output of the nmap command.
OS Fingerprinting
 To transform a list of live IP addresses into something more useful, we need to know what software (i.e., what operating system) responded to our probes.

 OS Fingerprinting:
 Identify the target OS using both active and passive techniques.

 To fingerprint an operating system you have to send network requests to the host and then analyze the responses you get back.

 Finally, the signature is compared against a database of known operating system signatures.
OS Fingerprinting
 During a penetration test, you will have to perform this reconnaissance step on every network node, including:
 Routers - Firewalls - Hosts - Servers - Printers - And so on...

 The goal of this phase is to write a table like the following:

IP Address      OS                      Confidence
10.10.100.5     Linux 3.7               100%
10.10.100.6     Linux 2.6.19 – 2.6.36   90%
10.10.100.8     Windows 7 SP1           100%
10.10.100.10    Windows 7 SP1           75%
10.10.100.15    FreeBSD                 85%
10.10.100.20    HP-OS                   78%
OS Fingerprinting
 There are two types of OS Fingerprinting:

 Active OS Fingerprinting:
 Sends packets and waits for a response (or lack of one).
 Active OS fingerprinting sometimes sends unexpected packets, because different implementations respond differently to such errors.

 Passive OS Fingerprinting:
 Identifies the remote operating system from packets that are received, without sending any packets.
 For example: analyzing traffic that we have already captured.
OS Fingerprinting
 Operating System DNA: the IPv4 header (20 bytes without options) carrying an ICMP message
 Word 1 (bit offsets 0, 4, 8, 16): 4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) = 0 | 16-bit Total Length (in bytes)
 Word 2: 16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
 Word 3: 8-bit Time To Live (TTL) | 8-bit Protocol = 1 (ICMP) | 16-bit Header Checksum
 Word 4: 32-bit Source IP Address
 Word 5: 32-bit Destination IP Address
 Options (if any)
 IP Data, here the ICMP message: 8-bit Type | 8-bit Code | 16-bit Checksum (4 bytes), followed by ICMP data (depending on the type of message)
Active OS Fingerprinting
 Active OS Fingerprinting (Manually):
 By using the ping command: ping <target IP address>
Active OS Fingerprinting
 Active OS Fingerprinting (Automatically):
 By using the Nmap tool, the command line switch that enables OS detection is -O.
 We will run the scan against a single target, so our command will be as follows:
 nmap -O <target IP address>
 You can also add the -Pn switch to skip the ping scan if you already know that the targets are alive.
Passive OS Fingerprinting
 Passive OS Fingerprinting (Automatically):
 By using the p0f tool to read a captured conversation between two hosts.

 p0f -r <path to the capture file>

 Ex:- p0f -r /Desktop/conversation.pcap
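To connect the "Operating System DNA" header layout with what a passive tool like p0f actually does, the following Python example is added here (it is not part of the slides and not p0f's code). It builds a constructed IPv4/ICMP echo packet, parses the header fields named on the header slide, verifies the header checksum, and makes the coarse first guess passive fingerprinting starts from: the observed TTL is rounded up to the nearest common initial TTL (64 for Linux and other Unix-like systems, 128 for Windows, 255 for many network devices), which is a well-known rule of thumb assumed by this example, not a signature database. Real tools combine many more fields, which is why their confidence column is more meaningful than this single-field guess.

```python
import socket
import struct
from typing import Dict

# Added example (not from the slides or p0f): parse a captured IPv4 header
# and guess the OS family from its TTL.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # the 20 fixed header bytes

# Assumed common initial TTLs (rule of thumb, not a p0f signature)
INITIAL_TTLS = ((64, "Linux / Unix-like"), (128, "Windows"), (255, "network device or other"))


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp_echo(src: str, dst: str, ttl: int, ident: int = 0x1234) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request (sample input only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)          # type 8, code 0, id 1, seq 1
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    header = IPV4_HEADER.pack(0x45, 0, 20 + len(icmp), ident, 0x4000,  # DF flag set
                              ttl, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + icmp


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Decode the fields of the header slide from raw packet bytes."""
    if len(packet) < IPV4_HEADER.size:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_length, ident, flags_frag, ttl, proto,
     _checksum, src, dst) = IPV4_HEADER.unpack(packet[:IPV4_HEADER.size])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4        # header length in bytes
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 packet")
    header = packet[:ihl]
    return {
        "version": version, "header_length": ihl, "tos": tos,
        "total_length": total_length, "id": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        # a valid header sums to 0xFFFF, so its complement is 0
        "checksum_ok": ip_checksum(header) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": header[20:],
    }


def guess_os_from_ttl(ttl: int) -> Dict[str, object]:
    """Round the observed TTL up to the nearest assumed initial TTL."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return {"os_family": family, "initial_ttl": initial, "hops": initial - ttl}
    raise ValueError("TTL out of range")


def fingerprint_packet(packet: bytes) -> Dict[str, object]:
    """One row of the fingerprinting table, from a single captured packet."""
    h = parse_ipv4_header(packet)
    guess = guess_os_from_ttl(h["ttl"])                  # type: ignore[arg-type]
    return {"ip": h["src"], "os_family": guess["os_family"],
            "hops": guess["hops"], "checksum_ok": h["checksum_ok"]}


if __name__ == "__main__":
    # Constructed sample capture: two hosts, three and two hops away
    capture = [build_ipv4_icmp_echo("10.10.100.5", "10.10.100.8", ttl=61),
               build_ipv4_icmp_echo("10.10.100.8", "10.10.100.5", ttl=126)]
    print(f"{'IP Address':<14}{'OS family (TTL guess)':<28}Hops  Checksum")
    for pkt in capture:
        row = fingerprint_packet(pkt)
        print(f"{row['ip']:<14}{row['os_family']:<28}{row['hops']:<6}{'ok' if row['checksum_ok'] else 'BAD'}")
```

The checksum check matters in practice: a capture with corrupted or truncated frames produces nonsense field values, and a TTL read from a damaged header would silently feed a wrong guess into the table.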
