Ethical Hacking - Scanning and Enumeration

Port Scanning and System Enumeration Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding what services and applications are open on the target device. Once open, applications or services can be discovered. At this point, further information is typically gathered to determine how best to target any vulnerabilities and weaknesses in the system.

Port Scanning Steps Port scanning is one of the key steps of ethical hacking. Before a system can be attacked the hacker must determine what systems are up, what applications are running, and what what versions the applications are. 1. Determining If The System Is Alive

Network Ping Sweeps

2. Port Scanning

Nmap - As you might guess, the name nmap implies that the program was ostensibly developed as a network mapping tool. Well, as you can imagine, such a capability is attractive to the folks that attack networks, not just network and system administrators and the network support staff. Of all the tools available it is nmap that people just seem to keep coming back to. The familiar command line interface, the availability of documentation, and the generally competent way in which the tool has been developed and maintained, are all attractive to us. Nmap performs a variety of network tricks. To learn more check out the NMAP tutorial. Nmap - Interesting options o -f fragments packets o -D Launches decoy scans for concealment o -I IDENT Scan finds owners of processes (on Unix systems) o -b FTP Bounce Port Scan Types o TCP Connect scan o TCP SYN scan o TCP FIN scan o TCP Xmas Tree scan (FIN, URG, and PUSH) o TCP Null scan o TCP ACK scan o UDP scan

3. Banner-Grabbing Many services announce what they are in response to requests. Banner grabbers just collect those banners the easiest way to banner grab: telnet <ipaddress> 80 4. Operating System Fingerprinting

Active Stack Fingerprinting o Nmap o Xprobe2 Passive fingerprinting o siphon o p0f

Enumeration The process of enumeration, finding find what services are running, versions, open shares, account details, or possible points of entry. One such target is SMB. While SMB makes it possible for users to share files and folders, SMB offers access on Windows computers via the IPC$ share. This share, the IPC$, is used to support named pipes that programs used for interprocess (or process-to-process) communications. Because named pipes can be redirected over the

network to connect local and remote systems, they also enable remote administration. 1. Attacking Null Sessions The Windows Server Message Block (SMB) protocol hands out a wealth of information freely. Null Sessions are turned off by default in Win XP, Server 2003, Vista, and Windows 7 but open in Win 2000 and NT. Null Session Tools

Dumpsec Winfo Sid2User NBTenun 3.3

2. Enumerating Windows Active Directory via LDAP, TCP/UDP 389 and 3268. Active Directory contains user accounts and additional information about accounts on Windows DC's. If the domain is made compatible with earlier versions of Windows, such as Win NT Server, any domain member can enumerate Active Directory 3. Targeting Border Gateway Protocol (BGP). The de facto routing protocol on the Internet. BGP is used by routers to help them guide packets to their destinations. It can be used to find all the networks associated with a particular corporation