■ LO#01: Explain Network Scanning Concepts
■ LO#02: Use Various Network Scanning Tools
■ LO#03: Demonstrate Various Scanning Techniques for Host Discovery
■ LO#04: Demonstrate Various Scanning Techniques for Port and Service Discovery
■ LO#05: Demonstrate Various Scanning Techniques for OS Discovery
■ LO#06: Demonstrate Various Techniques for Scanning Beyond IDS and Firewall
■ LO#07: Explain Network Scanning Countermeasures
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Learning Objectives
After identifying the target and performing the initial reconnaissance, as discussed in the
Footprinting and Reconnaissance module, attackers begin to search for an entry point into the
target system. Attackers should determine whether the target systems are active or inactive to
reduce the time spent on scanning. Notably, the scanning itself is not the actual intrusion but an
extended form of reconnaissance in which the attacker learns more about his/her target,
including information about OSs, services, and any configuration lapses. The information gleaned
from such reconnaissance helps the attacker select strategies for attacking the target system or
network.
This module starts with an overview of network scanning and provides insights into various host
discovery techniques that can be used to check for live and active systems. Furthermore, it
discusses various port and service discovery techniques, operating system discovery techniques,
and techniques for scanning beyond IDS and firewalls. Finally, it ends with an overview of drawing
network diagrams.
At the end of this module, you will be able to:
■ Describe the network scanning concepts
■ Use various scanning tools
■ Perform host discovery to check for live systems
■ Perform port and service discovery using various scanning techniques
■ Perform operating system (OS) discovery
■ Scan beyond intrusion detection systems (IDS) and firewalls
■ Explain various network scanning countermeasures
[Figure: the attacker sends probes to the network and gets network information back]
Types of Scanning
• Port Scanning - Lists the open ports and services. Port scanning is the process of checking
the services running on the target computer by sending a sequence of messages in an
attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports
of the target system to determine whether the services are running or are in a listening
state. The listening state provides information about the OS and the application currently
in use. Sometimes, active services that are listening may allow unauthorized users to
misconfigure systems or to run software with vulnerabilities.
• Network Scanning - Lists the active hosts and IP addresses. Network scanning is a
procedure for identifying active hosts on a network, either to attack them or assess the
security of the network.
• Vulnerability Scanning - Shows the presence of known weaknesses. Vulnerability
scanning is a method for checking whether a system is exploitable by identifying its
vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The
catalog includes a list of common files with known vulnerabilities and common exploits
for a range of servers. A vulnerability scanner may, for example, look for backup files or
directory traversal exploits. The scanning engine maintains logic for reading the exploit
list, transferring the request to the web server, and analyzing the requests to ensure the
safety of the server. These tools generally target vulnerabilities that secure host
configurations can fix easily through updated security patches and a clean web document.
A thief who wants to break into a house looks for access points such as doors and windows. These
are usually the house's points of vulnerability, as they are easily accessible. When it comes to
computer systems and networks, ports are the doors and windows of a system that an intruder
uses to gain access. A general rule for computer systems is that the greater the number of open
ports on a system, the more vulnerable is the system. However, there are cases in which a system
with fewer open ports than another machine presents a much higher level of vulnerability.
Objectives of Network Scanning
The more information an attacker has about a target organization, the higher the chances of
identifying the network's security loopholes and, consequently, of gaining unauthorized access
to it.
Some objectives for scanning a network are as follows:
• Discover the network's live hosts, IP addresses, and open ports of the live hosts. Using the
open ports, the attacker will determine the best means of entering into the system.
• Discover the OS and system architecture of the target. This is also known as fingerprinting.
An attacker can formulate an attack strategy based on the OS's vulnerabilities.
• Discover the services running/listening on the target system. Doing so gives the attacker
an indication of the vulnerabilities (based on the service) that can be exploited for gaining
access to the target system.
• Identify specific applications or versions of a particular service.
[Figure: TCP header fields, including Sequence No, Acknowledgement No, the TCP flags, and Options]
TCP Flags
■ Synchronize or "SYN": It notifies the transmission of a new sequence number. This flag
generally represents the establishment of a connection (three-way handshake) between
two hosts.
■ Acknowledgement or "ACK": It confirms the receipt of the transmission and identifies
the next expected sequence number. When the system successfully receives a packet, it
sets the value of its flag to "1," thus implying that the receiver should pay attention to it.
■ Push or "PSH": When it is set to "1," it indicates that the sender has raised the push
operation to the receiver; this implies that the remote system should inform the receiving
application about the buffered data coming from the sender. The system raises the PSH
flag at the start and end of data transfer and sets it on the last segment of a file to prevent
buffer deadlocks.
■ Urgent or "URG": It instructs the system to process the data contained in packets as soon
as possible. When the system sets the flag to "1," priority is given to processing the urgent
data first and all the other data processing is stopped.
■ Finish or "FIN": It is set to "1" to announce that no more transmissions will be sent to the
remote system and the connection established by the SYN flag is terminated.
■ Reset or "RST": When there is an error in the current connection, this flag is set to "1"
and the connection is aborted in response to the error. Attackers use this flag to scan
hosts and identify open ports.
SYN scanning mainly deals with three flags: SYN, ACK, and RST. You can use these three flags for
gathering illegitimate information from servers during enumeration .
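The flag definitions above are what a packet-inspecting IDS rule works from: it reads the flags byte out of the TCP header and labels the packet shape (SYN, SYN/ACK, FIN, NULL, Xmas, and so on). The following Python is an added example, not code from the module: it packs a minimal TCP header, reads the flags back out, decodes them, and classifies the shape. The `build_tcp_header` helper is a constructed convenience for the example (no checksum is computed); the bit positions are the standard RFC 793 assignments. The `NEEDS_SESSION` set records the defender's key observation: FIN, NULL, Xmas, ACK and FIN/ACK packets are legitimate only inside an established session, so seen on a port with no prior handshake they are exactly the inverse-TCP-flag, ACK-probe and Maimon probes discussed later in this module.

```python
import struct
from typing import Dict

# Bit positions of the six classic flags in byte 13 of the TCP header (RFC 793).
TCP_FLAG_BITS: Dict[str, int] = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Pack a minimal 20-byte TCP header (data offset 5, no options).
    Constructed for this example only: the checksum field is left as 0."""
    data_offset = 5 << 4  # header length in 32-bit words, high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def flags_from_header(tcp_header: bytes) -> int:
    """Read the flags byte from a raw TCP header (offset 13). The two ECN bits
    (CWR/ECE) are masked off so only the six flags above remain."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return tcp_header[13] & 0x3F


def decode_flags(flag_byte: int) -> Dict[str, bool]:
    """Map each flag name to whether it is set."""
    return {name: bool(flag_byte & bit) for name, bit in TCP_FLAG_BITS.items()}


def flag_string(flag_byte: int) -> str:
    """Render set flags as 'SYN', 'SYN/ACK', 'FIN/PSH/URG', or 'NONE'."""
    names = [n for n, on in decode_flags(flag_byte).items() if on]
    return "/".join(names) if names else "NONE"


def probe_shape(flag_byte: int) -> str:
    """Label the packet shape the way a detection rule would describe it."""
    f = decode_flags(flag_byte)
    if not any(f.values()):
        return "null"                      # NULL probe: no flags at all
    if f["FIN"] and f["PSH"] and f["URG"] and not (f["SYN"] or f["ACK"] or f["RST"]):
        return "xmas"                      # Xmas probe: FIN+PSH+URG "lit up"
    if f["SYN"] and f["ACK"]:
        return "syn-ack"                   # second step of the handshake
    if f["SYN"]:
        return "syn"                       # first step of the handshake / SYN probe
    if f["RST"]:
        return "rst"                       # abort or "port closed" answer
    if f["FIN"] and f["ACK"]:
        return "fin-ack"                   # orderly close, or a Maimon probe
    if f["FIN"]:
        return "fin"                       # FIN probe
    if f["ACK"]:
        return "ack"                       # pure ACK, or an ACK flag probe
    return "other"


# Shapes that only make sense inside an established session. Seen on a port
# with no preceding SYN / SYN-ACK exchange they are scan probes, not traffic.
NEEDS_SESSION = {"null", "xmas", "fin", "fin-ack", "ack"}


def suspicious_without_session(flag_byte: int) -> bool:
    """True if this packet shape is a probe when no session exists for it."""
    return probe_shape(flag_byte) in NEEDS_SESSION
```

The classifier reports shape only; whether a given `ack` or `fin-ack` is a probe depends on connection state, which is why stateful firewalls and IDS keep a session table rather than matching flags alone.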
TCP/IP Communication
[Figure: TCP session establishment (three-way handshake) and TCP session termination]
TCP is connection oriented, i.e., it establishes a connection before any data is transferred
between applications. This connection is established through the three-way handshake.
A TCP session initiates using a three-way handshake mechanism:
■ To launch a TCP connection, the source (10.0.0.2:21) sends a SYN packet to the
destination (10.0.0.3:21).
■ On receiving the SYN packet, the destination responds by sending a SYN/ACK packet back
to the source.
■ The ACK in that packet confirms to the source that its first SYN packet arrived.
■ Finally, the source sends an ACK packet for the SYN/ACK packet transmitted by the
destination.
■ This triggers an "OPEN" connection, thereby allowing communication between the source
and destination, which continues until one of them issues a "FIN" or "RST" packet to close
the connection.
[Figure: three-way handshake between Bill (10.0.0.2:21) and Sheela (10.0.0.3:21): Bill sends SYN with his sequence number ("I would like to talk with Sheela on port 21, are you open?"), Sheela answers SYN/ACK ("Ok, let's talk Bill, I am open on port 21"), and Bill completes with ACK]
The TCP protocol maintains stateful connections for all connection-oriented protocols
throughout the Internet and works similarly to ordinary telephone communication, in which one
picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the
other end until someone picks up the receiver and says, " Hello."
The system terminates the established TCP session as follows:
After completing all the data transfers through the established TCP connection, the sender sends
the connection termination request to the receiver through a FIN or RST packet. Upon receiving
the connection termination request, the receiver acknowledges the termination request by
sending an ACK packet to the sender and finally sends its own FIN packet. Then, the system
terminates the established connection.
Nmap (https://nmap.org): Network administrators can use Nmap for inventorying a network.
Hping3 (http://www.hping.org): Command line network scanning and packet crafting tool for the TCP/IP protocol. It can be used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, etc.
Hping Commands
■ SYN scan on port 50-60
■ FIN, PUSH and URG scan on port 80: hping3 -F -P -U 10.0.0.25 -p 80
■ Scan entire subnet for live host
■ Firewalls and timestamps: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
■ SYN flooding a victim
Scanning Tools
Metasploit: Metasploit is an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing.
NetScanTools Pro (https://www.netscantools.com): NetScanTools Pro assists attackers in automatically or manually listing IPv4/IPv6 addresses, host names, domain names, and URLs.
Scanning Tools
Scanning tools are used to scan and identify live hosts, open ports, running services on a target
network, location info, NetBIOS info, and information about all TCP/IP and UDP open ports. The
information obtained from these tools will help an ethical hacker in creating the profile of the
target organization and scanning the network for open ports of the devices connected.
■ Nmap
Source: https://nmap.org
Nmap ("Network Mapper") is a security scanner for network exploration and hacking. It
allows you to discover hosts, ports, and services on a computer network, thus creating a
"map" of the network. It sends specially crafted packets to the target host and then
analyzes the responses to accomplish its goal. It scans vast networks of literally hundreds
of thousands of machines. Nmap includes many mechanisms for port scanning (TCP and
UDP), OS detection, version detection, ping sweeps, and so on.
Either a network administrator or an attacker can use this tool for their specific needs.
Network administrators can use Nmap for network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Attackers use Nmap to extract
information such as live hosts on the network, open ports, services (application name and
version), type of packet filters/firewalls, MAC details, and OSs along with their versions.
Syntax: # nmap <options> <Target IP address>
• Hping3
Source: http://www.hping.org
Hping3 is a command-line-oriented network scanning and packet crafting tool for the
TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP
protocols. It performs network security auditing, firewall testing, manual path MTU
discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing,
TCP/IP stacks auditing, and other functions. It can send custom TCP/IP packets and display
target replies similarly to a ping program with ICMP replies. It handles fragmentation as
well as arbitrary packet body and size, and it can be used to transfer encapsulated files
under the supported protocols. It also supports idle host scanning. IP spoofing and
network/host scanning can be used to perform an anonymous probe for services. Hping3
also has a Traceroute mode, which enables attackers to send files between covert
channels. It also determines whether the host is up even when the host blocks ICMP
packets. Its firewalk-like usage allows the discovery of open ports behind firewalls. It
performs manual path MTU discovery and enables attackers to perform remote OS
fingerprinting.
Using Hping, an attacker can study the behavior of an idle host and gain information about
the target, such as the services that the host offers, the ports supporting the services, and
the OS of the target. This type of scan is a predecessor to either heavier probing or
outright attacks.
Syntax: # hping3 <options> <Target IP address>
Hping Commands
o ICMP ping
The OS, router, switch, and IP-based devices use this protocol via the ping command
for echo request and echo response as a connectivity tester between different hosts.
Hping performs an ICMP ping scan when the argument -1 is given on the command line;
you may use either --icmp or -1. Run in this mode against 10.0.0.25, hping sends an
ICMP echo request to 10.0.0.25 and receives an ICMP reply, similarly to a ping utility.
o ACK scan
This scanning technique can be used to probe the existence of a firewall and its rule
sets. Simple packet filtering allows the establishment of a connection (packets with
the ACK bit set), whereas a sophisticated stateful firewall does not allow the
establishment of a connection.
Hping can be configured to perform an ACK scan by specifying the argument -A in the
command line. Here, you set the ACK flag in the probe packets and perform the scan.
You perform this scan when a host does not respond to a ping request. With this
argument, Hping checks if a host is alive on a network. If it finds a live host and an
open port, it returns an RST response.
o UDP scan on port 80
Hping uses TCP as its default protocol. Using the argument -2 in the command line
specifies that Hping operates in the UDP mode. You may use either --udp or -2 as the
argument in the command line.
Run in UDP mode against port 80 on the host (10.0.0.25), Hping sends UDP packets to
that port. It returns an ICMP port unreachable message if it finds the port closed and
does not return a message if the port is open.
o Collecting TCP sequence numbers
Using the argument -Q in the command line, Hping collects all the TCP sequence
numbers generated by the target host (192.168.1.103).
o Firewalls and timestamps
Many firewalls drop those TCP packets that do not have the TCP Timestamp option
set. By adding the --tcp-timestamp argument in the command line, you can enable the
TCP timestamp option in Hping and try to guess the timestamp update frequency and
uptime of the target host (72.14.207.99).
o SYN scan on port 50-60
Using the argument -8 or --scan in the command line, you are operating Hping in the
scan mode to scan a range of ports on the target host. Adding the argument -S allows
you to perform a SYN scan.
Therefore, combining the scan mode with the port range 50-60 and -S performs a SYN
scan on ports 50-60 on the target host.
o FIN, PUSH and URG scan on port 80
By adding the arguments -F, -P, and -U in the command line, you are setting the FIN,
PUSH, and URG flags in the probe packets. By issuing this command, you are
performing FIN, PUSH, and URG scans on port 80 on the target host (10.0.0.25). If port
80 is open, you will not receive a response. If the port is closed, Hping will return an
RST response.
o Scan entire subnet for live host
With this command, Hping performs an ICMP ping scan on the entire subnet
10.0.1.x; in other words, it sends an ICMP echo request randomly (--rand-dest) to all
the hosts from 10.0.1.0 to 10.0.1.255 that are reachable through the interface eth0. The
hosts whose ports are open will respond with an ICMP reply. In this case, you have not
set a port; hence, Hping sends packets to port 0 on all IP addresses by default.
o Intercept all traffic containing HTTP signature
The argument -9 will set Hping to the listen mode. Hence, by issuing the command
with -9 HTTP, Hping starts listening on port 0 (of all the devices connected in the network
to interface eth0), intercepts all the packets containing the HTTP signature, and dumps
from the signature end to the packet's end.
o SYN flooding a victim
Ex. hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
The attacker employs TCP SYN flooding techniques using spoofed IP addresses to
perform a DoS attack.
■ Metasploit
Source: https://www.metasploit.com
Metasploit is an open-source project that provides the infrastructure, content, and tools
to perform penetration tests and extensive security auditing. It provides information
about security vulnerabilities and aids in penetration testing and IDS signature
development. It facilitates the tasks of attackers, exploits writers, and payload writers. A
major advantage of the framework is the modular approach, i.e., allowing the
combination of any exploit with any payload.
It enables you to automate the process of discovery and exploitation and provides you
with the necessary tools to perform the manual testing phase of a penetration test. You
can use Metasploit Pro to scan for open ports and services, exploit vulnerabilities, pivot
further into a network, collect evidence, and create a report of the test results.
■ NetScanTools Pro
Source: https://www.netscantools.com
NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor,
discover, and detect devices on your network. Using this tool, you can easily gather
information about the local LAN as well as Internet users, IP addresses, ports, and so on.
Attackers can find vulnerabilities and exposed ports in the target system. It helps the
attackers to list IPv4/IPv6 addresses, hostnames, domain names, email addresses, and
URLs automatically or manually (using manual tools). NetScanTools Pro combines many
network tools and utilities categorized by their functions, such as active, passive, DNS,
and local computer.
[Screenshot: NetScanTools Pro (demo version, build 7-3-2019, based on version 11.86.3) Port Scanner against 10.10.1.22, port range 1-256, TCP full connect: 256 ports scanned in 5 sec; active TCP ports reported are 53 (domain), 80 (http), 88 (kerberos), 135 (epmap), and 139 (netbios-ssn)]
[Screenshot: Fing IP Network Scanner listing 27 devices on the 192.168.1.x network, including a network router, Sonos, a network camera, a tablet, a PlayStation, an iOS device, and a Nest Protect]
■ Fing
Source: https://www.fing.io
Fing is a mobile app for Android and iOS that scans and provides complete network
information, such as IP address, MAC address, device vendor, and ISP location. It allows
attackers to discover all devices connected to a Wi-Fi network along with their IP and MAC
address as well as the name of the vendor/device manufacturer. It also allows attackers
to perform network pinging and traceroute activities through specific ports such as SSH,
FTP, NetBIOS, etc.
■ Network Scanner
Source: https://play.google.com
Network Scanner is an Android mobile application that allows attackers to identify the
active hosts in the range of possible addresses in a network. It also displays IP addresses,
MAC addresses, host names, and vendor details of all the available devices in the network.
This tool also allows attackers to port scan targets with specific port numbers.
Host Discovery
Scanning is the process of gathering information about systems that are "alive" and responding
on the network. Host discovery is considered as the primary task in the network scanning process.
To perform a complete scan and identify open ports and services, it is necessary to check for live
systems. Host discovery provides an accurate status of the systems in the network, which enables
an attacker to avoid scanning every port on every system in a list of IP addresses to identify
whether the target host is up.
Host discovery is the first step in network scanning. This section highlights how to check for live
systems in a network using various ping scan techniques. It also discusses how to ping sweep a
network to detect live hosts/systems along with various ping sweep tools.
Host discovery techniques are used to identify the active/live systems in the network.
[Figure: host discovery techniques, including ICMP ping scan and TCP ping scan, between a source and a destination]
ICMP Address Mask Ping Scan
Command: nmap -sn -PM <Target IP Address>
Probe: ICMP address mask request
Response: The address mask response from the destination host is conditional; it may or may not respond with the appropriate subnet value, depending on its configuration by the administrator at the target's end.
Advantages: Alternative for the conventional ICMP ECHO ping scan; determines whether the target host is live, specifically when the administrators block ICMP ECHO pings.
TCP SYN Ping Scan
Command: nmap -sn -PS <Target IP Address>
Probe: Empty TCP SYN request
Response: SYN ACK response - host is active; no response - host is inactive
Advantages: Determines whether the host is live without creating any connection; logs are not recorded at the system or network level, enabling the attacker to leave no traces for detection.
IP Protocol Ping Scan
Command: nmap -sn -PO <Target IP Address>
Probe: IP ping requests using different IP protocols (ICMP, IGMP, TCP, and UDP)
Response: Any response - host is active; no response - host is inactive
Advantages: Sends different packets using different IP protocols in the hope of receiving a response indicating that a host is online.
[Screenshot: Zenmap ping sweep output showing hosts 10.10.1.11, 10.10.1.13, 10.10.1.19, and 10.10.1.22 up, with their latency and MAC addresses]
Note: -sn is the Nmap command to disable the port scan. Since Nmap uses ARP ping scan as
the default ping scan, to disable it and perform other desired ping scans, you can use
--disable-arp-ping.
[Figure 3.15: ARP ping scan: the attacker sends an ARP request probe to the target; an ARP response shows that the host is active]
Advantages:
• ARP ping scan is considered to be more efficient and accurate than other host discovery
techniques
• ARP ping scan automatically handles ARP requests, retransmission, and timeout at its own
discretion
• ARP ping scan is useful for system discovery, where you may need to scan large address
spaces
• ARP ping scan can display the response time or latency of a device to an ARP packet
[Figure 3.17: UDP ping scan to determine if the host is active: the attacker sends a UDP ping; a host unreachable/TTL exceeded reply shows that the host is inactive]
Advantages:
■ UDP ping scans have the advantage of detecting systems behind firewalls with strict TCP
filtering, leaving the UDP traffic forgotten.
[Screenshot: Zenmap running nmap -sn -PU 10.10.1.11, with the following Nmap output]
nmap -sn -PU 10.10.1.11
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-14 21:55
Nmap scan report for 10.10.1.11
Host is up (0.00s latency).
MAC Address: 00:15:5D:01:80:00 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
UNIX/Linux and BSD-based machines use ICMP echo scanning; the TCP/IP stack implementations
in these OSs respond to the ICMP echo requests to the broadcast addresses. This technique does
not work on Windows-based networks, as their TCP/IP stack implementation does not reply to
ICMP probes directed at the broadcast address.
Nmap uses the -P option to ICMP scan the target. The user can also increase the number of pings
in parallel using the -L option. It may also be useful to tweak the ping timeout value using the
-T option.
In Zenmap, the -PE option is used to perform the ICMP ECHO ping scan. Active hosts are
displayed as "Host is up," as shown in the screenshot.
[Screenshot: Zenmap running nmap -sn -PE 10.10.1.11; the host is reported as up]
To understand pings better, one should be able to understand the TCP/IP packet. When a system
pings, it sends a single packet across the network to a specific IP address. This packet contains 64
bytes (56 data bytes and 8 bytes of protocol header information). The sender then waits or listens
for a return packet from the target system. If the connections are good and the target computer
is "alive," a good return packet is expected. However, this will not be the case if there is a
disruption in communication. Pings also detail the time taken for a packet to make a complete
trip, called the "round-trip time." They also help in resolving hostnames. In this case, if the packet
bounces back when sent to the IP address, but not when sent to the name, then the system is
unable to reconcile the name with the specific IP address.
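The 64-byte figure above (8 bytes of ICMP header plus 56 bytes of data) can be checked by building the packet. The following Python is an added example, not code from the module: it constructs an ICMP echo request, computes the RFC 1071 checksum, verifies and parses a received message, and classifies the reply types that host discovery and UDP scanning interpret (echo reply means the host is up; destination unreachable with code 3 means the host is up but the UDP port is closed; time exceeded means the probe died in transit). Type and code numbers are the standard ICMP assignments; the identifier and sequence values are constructed.

```python
import struct
from typing import Dict

# Standard ICMP type and code numbers used below.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_PORT_UNREACHABLE = 3   # code 3 under type 3


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                  # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int = 0, seq: int = 0,
               payload: bytes = b"") -> bytes:
    """Build any ICMP message: 8-byte header (type, code, checksum, id, seq) + payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = bytes(56)) -> bytes:
    """Echo request with the classic 56-byte payload: 8 + 56 = 64 bytes on the wire."""
    return build_icmp(ICMP_ECHO_REQUEST, 0, ident, seq, payload)


def is_valid_icmp(packet: bytes) -> bool:
    """A message whose checksum field is correct re-checksums to zero."""
    return len(packet) >= 8 and icmp_checksum(packet) == 0


def parse_icmp(packet: bytes) -> Dict[str, object]:
    """Split a verified ICMP message into its header fields and payload."""
    if not is_valid_icmp(packet):
        raise ValueError("short packet or bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def interpret_reply(packet: bytes) -> str:
    """Classify a reply the way a ping sweep or UDP probe would read it."""
    msg = parse_icmp(packet)
    t, c = msg["type"], msg["code"]
    if t == ICMP_ECHO_REPLY:
        return "host-up-echo-reply"
    if t == ICMP_DEST_UNREACHABLE and c == CODE_PORT_UNREACHABLE:
        return "host-up-udp-port-closed"  # the host answered, so it is alive
    if t == ICMP_DEST_UNREACHABLE:
        return "unreachable-code-%d" % c
    if t == ICMP_TIME_EXCEEDED:
        return "ttl-exceeded"
    return "other-type-%d" % t
```

Note that a port unreachable message proves the host is alive even though the probed UDP port is closed, which is why silence (no reply) is the ambiguous case for UDP: it may mean an open port, a filtered port, or a dropped probe.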
Attackers calculate subnet masks using subnet mask calculators to identify the number of hosts
that are present in the subnet. They subsequently use ping sweep to create an inventory of live
systems in the subnet.
ICMP ECHO Ping Sweep Using Nmap
Source: https://nmap.org
Nmap helps an attacker to perform a ping sweep that determines live hosts from a range of IP
addresses. In Zenmap, the -PE option with a list of IP addresses is used to perform ICMP ECHO
ping sweep.
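From the defender's side, ping sweeps and port scans are easiest to spot as fan-out: one source sending echo requests to many hosts, or SYNs to many ports on one host, within a short window. The following Python is an added example, not code from the module or from Nmap. The log lines are a constructed key=value format (not any vendor's real log), and the window and thresholds are assumptions a deployment would tune; the detector parses the lines, counts distinct targets per source in a sliding window, and raises an alert for the sweep and the port scan while leaving the single benign client alone.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Constructed firewall log lines (not real nmap or vendor output): one source
# sweeping six hosts, then probing five ports on one host; a benign client
# (10.10.1.5) pings one host and opens one connection.
SAMPLE_LOG = """\
2022-03-14T21:55:00 src=10.10.1.19 dst=10.10.1.11 proto=ICMP type=8
2022-03-14T21:55:00 src=10.10.1.19 dst=10.10.1.12 proto=ICMP type=8
2022-03-14T21:55:00 src=10.10.1.19 dst=10.10.1.13 proto=ICMP type=8
2022-03-14T21:55:01 src=10.10.1.19 dst=10.10.1.14 proto=ICMP type=8
2022-03-14T21:55:01 src=10.10.1.19 dst=10.10.1.15 proto=ICMP type=8
2022-03-14T21:55:01 src=10.10.1.19 dst=10.10.1.16 proto=ICMP type=8
2022-03-14T21:55:02 src=10.10.1.5 dst=10.10.1.11 proto=ICMP type=8
2022-03-14T21:55:10 src=10.10.1.19 dst=10.10.1.11 proto=TCP dport=22 flags=S
2022-03-14T21:55:10 src=10.10.1.19 dst=10.10.1.11 proto=TCP dport=23 flags=S
2022-03-14T21:55:10 src=10.10.1.19 dst=10.10.1.11 proto=TCP dport=80 flags=S
2022-03-14T21:55:11 src=10.10.1.19 dst=10.10.1.11 proto=TCP dport=139 flags=S
2022-03-14T21:55:11 src=10.10.1.19 dst=10.10.1.11 proto=TCP dport=443 flags=S
2022-03-14T21:55:12 src=10.10.1.5 dst=10.10.1.11 proto=TCP dport=80 flags=S
2022-03-14T21:58:00 src=10.10.1.5 dst=10.10.1.12 proto=ICMP type=8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Turn each 'timestamp key=value ...' line into a dict; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields: Dict[str, Any] = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events


def max_distinct_in_window(items: List[Tuple[datetime, str]], window_s: int) -> int:
    """Largest number of distinct values seen within any window_s-second span."""
    items = sorted(items)
    best = 0
    for i, (start, _) in enumerate(items):
        seen = set()
        for ts, value in items[i:]:
            if (ts - start).total_seconds() > window_s:
                break
            seen.add(value)
        best = max(best, len(seen))
    return best


def detect_scans(text: str, window_s: int = 60, min_hosts: int = 5,
                 min_ports: int = 5) -> List[Dict[str, Any]]:
    """Flag ping sweeps (one source, many hosts) and SYN port scans
    (one source, many ports on one host). Thresholds are assumptions."""
    echo_targets: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    syn_ports: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for e in parse_log(text):
        if e.get("proto") == "ICMP" and e.get("type") == "8":
            echo_targets[e["src"]].append((e["ts"], e["dst"]))
        elif e.get("proto") == "TCP" and e.get("flags") == "S" and "dport" in e:
            syn_ports[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts: List[Dict[str, Any]] = []
    for src, items in echo_targets.items():
        n = max_distinct_in_window(items, window_s)
        if n >= min_hosts:
            alerts.append({"kind": "ping-sweep", "src": src, "hosts": n})
    for (src, dst), items in syn_ports.items():
        n = max_distinct_in_window(items, window_s)
        if n >= min_ports:
            alerts.append({"kind": "port-scan", "src": src, "dst": dst, "ports": n})
    return alerts
```

Counting distinct targets rather than raw packets is what keeps a chatty but legitimate client (retries to one host) below threshold while a sweep across the subnet trips it.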
Advantages:
■ As the machines can be scanned in parallel, the scan never gets the time-out error while
waiting for the response.
■ TCP SYN ping can be used to determine if the host is active without creating any
connection. Hence, the logs are not recorded at the system or network level, enabling the
attacker to leave no traces for detection.
[Figure: TCP ACK ping scan: the attacker sends ACK probe packets to the target host; the target answers with RST packets, showing that it is active]
Advantages:
• Both the SYN and the ACK packet can be used to maximize the chances of bypassing the
firewall. However, firewalls are mostly configured to block the SYN ping packets, as they
are the most common pinging technique. In such cases, the ACK probe can be effectively
used to bypass these firewall rule sets easily.
Multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4) are sent by
default when no protocols are specified. For configuring the default protocols, change
DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h during compile time. For specific protocols
such as ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), the packets are to be sent with
proper protocol headers, and for the remaining protocols, only the IP header data is to be sent
with the packets.
In a nutshell, attackers send different probe packets of different IP protocols to the target host;
any response from any probe indicates that a host is online. In Zenmap, the -PO option is used
to perform an IP protocol ping scan.
[Screenshot: Zenmap running nmap -sn -PO 10.10.1.11]
Source: https://www.angryip.org
Angry IP scanner is an IP address and port scanner. It can scan IP addresses in any range
as well as any of their ports. It pings each IP address to check if it is alive; then, it optionally
resolves its hostname, determines the MAC address, scans ports, and so on. The amount
of data gathered about each host increases with plugins. Angry IP scanner has additional
features, such as NetBIOS information (computer name, workgroup name, and currently
logged in Windows user), favorite IP address ranges, web server detection, and
customizable openers. The tool allows the user to save the scanning results to CSV, TXT,
XML, or IP-Port list files. To increase the scanning speed, it uses a multithreaded
approach: a separate scanning thread is created for each scanned IP address.
Some additional ping sweep tools that an attacker uses to determine live hosts on the target
network are listed below:
• SolarWinds Engineer's Toolset (https://www.solarwinds.com)
• NetScanTools Pro (https://www.netscantools.com)
■ Colasoft Ping Tool (https://www.colasoft.com)
■ Visual Ping Tester (http://www.pingtester.net)
• OpUtils (https://www.manageengine.com)
LO#04: Demonstrate Various Scanning Techniques for Port and Service Discovery
Port and Service Discovery techniques:
■ Half-open Scan
■ Inverse TCP Flag Scan
■ Xmas Scan
■ FIN Scan
■ NULL Scan
■ Maimon Scan
■ ACK Flag Probe Scan
■ SCTP INIT Scanning
■ SCTP COOKIE ECHO Scanning
FIN Scan
Command: nmap -sF -v <Target IP Address>
Probe: Probe packet (FIN)
Response: No response - port is open; RST packet response - port is closed
SCTP COOKIE ECHO Scan
Command: nmap -sZ -v <Target IP Address>
Probe: COOKIE ECHO chunk
Response: No response - port is open; ABORT chunk - port is closed
Advantages: The COOKIE ECHO chunk is not blocked by non-stateful firewall rule sets; only an advanced IDS can detect an SCTP COOKIE ECHO scan
Disadvantages: Cannot differentiate clearly between open and filtered ports, showing the output as open|filtered in both cases
TCP Scanning:
■ Open TCP Scanning Methods
o Half-open Scan
• Xmas Scan
• FIN Scan
• NULL Scan
• Maimon Scan
o ACK Flag Probe Scan
• TTL-Based Scan
• Window-Based Scan
UDP Scanning:
■ UDP Scanning
SCTP Scanning:
■ SCTP INIT Scanning
■ SCTP COOKIE ECHO Scanning
SSDP Scanning:
■ SSDP and List Scanning
IPv6 Scanning:
■ IPv6 Scanning
Figure 3.33: Scan result when a port is open
Figure 3.34: Scan result when a port is closed
Making a separate connect() call for every targeted port in a linear manner would take a long
time over a slow connection. The attacker can accelerate the scan by using many sockets in parallel.
Using non-blocking I/O allows the attacker to set a short time-out period and watch all the
sockets simultaneously. In Zenmap, the -sT option is used to perform a TCP connect/full open
scan.
[Zenmap screenshot: TCP connect scan with the command nmap -sT -v 10.10.1.11]
The drawback of this type of scan is that it is easily detectable and filterable. The logs in the target
system will disclose the connection. Such scanning does not require superuser privileges.
[Figure: TCP half-open scan between Bill (10.10.1.19:2342) and Sheela (10.10.1.11:80): SYN packet sent, SYN+ACK packet returned, RST sent in response]
Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and
to hide their probes among normal network traffic. In Zenmap, the -sS option is used to
perform a stealth scan/TCP half-open scan.
Figure 3.38: TCP Stealth/Half Open scan using Zenmap
closed, he or she receives the RST from the target host.
[Figure: Inverse TCP flag scan: probe packet (FIN/URG/PSH/NULL) sent from the attacker to the target host; no response is returned]
Security mechanisms such as firewalls and IDS detect the SYN packets sent to the sensitive ports
of the targeted hosts. Programs such as Syslog are available to log half-open SYN flag scan
attempts. At times, the probe packets enabled with TCP flags can pass through filters undetected,
depending on the security mechanisms installed.
An inverted technique involves probing a target using a half-open SYN flag because the closed
ports can only send the response back. According to RFC 793, an RST/ACK packet is sent for
connection reset when the host closes a port. Attackers take advantage of this feature to send
TCP probe packets to each port of the target host with various TCP flags set.
Common flag configurations used for a probe packet include:
All closed ports on the targeted host will send an RST/ACK response. Since OSs such as Windows
completely ignore the RFC 793 standard, you cannot see the RST/ACK response when connected
to a closed port on the target host. However, this technique is effective when used with UNIX-based OSs.
Advantages
Disadvantages
■ Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against
Microsoft Windows hosts, in particular).
Note: Inverse TCP flag scanning is known as FIN, URG, and PSH scanning based on the flag set in
the probe packet. If there is no flag set, it is known as NULL scanning. If only the FIN flag is set, it
is known as FIN scanning, and if all of FIN, URG, and PSH are set, it is known as Xmas scanning.
Xmas Scan
Xmas scan is a type of inverse TCP scanning technique with the FIN, URG, and PUSH flags set to
send a TCP frame to a remote device. If the target has opened the port, then you will receive no
response from the remote system. If the target has closed the port, then you will receive a remote
system reply with an RST. You can use this port scanning technique to scan large networks and
find which host is up and what services it is offering. This technique describes all TCP flag sets.
When all flags are set, some systems hang; hence, the flags are often set in the nonsense pattern
URG-PSH-FIN. Attackers use the TCP Xmas scan to determine if ports are closed on the target
machine via the RST packet. This scan only works when systems are compliant with an RFC 793-based
TCP/IP implementation. It will not work against any current version of Microsoft Windows.
[Figure: Xmas scan from attacker 10.10.1.19 to server 10.10.1.11:23; in the closed-port case an RST is returned]
This method relies on the BSD networking code. Thus, you can use this only for UNIX hosts; it
does not support Windows NT. If the user scans any Microsoft system, it will show that all the
ports on the host are open.
Transmitting Packets
You can initialize all the flags when transmitting the packet to a remote host. If the target system
accepts the packet and does not send any response, it means that the port is open. If the target
system sends an RST flag, then it implies that the port is closed.
Advantages
Figure 3.44: TCP Maimon scan result of open port (FIN/ACK probe; no response)
Figure 3.45: TCP Maimon scan result of closed port (FIN/ACK probe; RST returned)
Figure 3.46: TCP Maimon scan result of filtered port
Figure 3.47: TCP Maimon scan displaying port state in Zenmap
stack. Thus, such scanning is effective only on OSs and platforms whose TCP/IP stacks are
derived from BSD.
Categories of ACK flag probe scanning include:
■ TTL-Based ACK Flag Probe scanning
In this scanning technique, you will first need to send ACK probe packets (several
thousand) to different TCP ports and then analyze the TTL field value of the RST packets
received. In Zenmap, the syntax nmap -ttl [time] [target] is used to perform a TTL-based scan.
If the TTL value of the RST packet on a particular port is less than the boundary value of
64, then that port is open. An example showing a log of the first four RST packets received
is presented below:
Figure 3.49: Screenshot showing the open port based on the TTL value of the RST packet
In this example, port 22 returned a TTL value of 50, which is less than 64; all other ports
returned a TTL value of 80, which is greater than 64. Therefore, port 22 is open.
■ Window-Based ACK Flag Probe scanning
In this scanning technique, you will first need to send ACK probe packets (several
thousand) to different TCP ports and then analyze the window field value of the received
RST packets. The user can use this scanning technique when all the ports return the same
TTL value. In Zenmap, the -sW option is used to perform a window scan.
[Figure: ACK probe packets sent from the attacker to the target host; RST packets returned]
If the window value of the RST packet on a particular port is non-zero, then that port is
open. An example showing a log of the first four RST packets received is presented below:
Figure 3.51: Screenshot showing the open port based on the window value of the RST packet
The above figure shows that the TTL value returned for each packet is the same; hence,
you cannot perform TTL-based ACK flag probe scanning to find the open ports. Therefore,
when you observe the window value, the third packet has a non-zero window value,
which means that the port is open. When the window value of the returned RST is zero, the port is
closed. If there is no response even after many retransmissions, or an ICMP unreachable
error (type 3, code 1, 2, 3, 9, 10, or 13) is returned, then the port is inferred to be a filtered
port.
Figure 3.52: TCP Window scan result of an open port (TCP/ACK probe; TCP RST with non-zero window field)
[Figure: TCP Window scan result of a closed port (TCP/ACK probe; TCP RST with zero window field)]
[Figure: TCP Window scan result of a filtered port (TCP/ACK probe; ICMP unreachable error)]
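The TTL and window rules above, applied to a constructed log of RST replies. This is an added example, not part of the course material; the RstLog fields and the log lines are assumptions made for the illustration, not a real Nmap log format.

```python
# Added example (not part of the course material): applying the two ACK flag
# probe rules described above to a constructed log of RST replies.
#   TTL rule:    a port whose RST carries a TTL below the boundary (64) is open,
#                provided the other ports return a different (larger) TTL;
#   window rule: a port whose RST carries a non-zero window field is open,
#                used when every port returns the same TTL.
# No response after retransmissions, or an ICMP unreachable error with one of
# the listed codes, marks the port as filtered. The RstLog fields are an
# assumption made for this illustration, not a real Nmap log format.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TTL_BOUNDARY = 64                      # boundary value used by the TTL rule
FILTERED_CODES = {1, 2, 3, 9, 10, 13}  # ICMP type 3 codes the text lists as "filtered"


@dataclass
class RstLog:
    port: int
    ttl: Optional[int] = None      # None: no RST came back for this port
    window: Optional[int] = None
    icmp: Optional[Tuple[int, int]] = None  # (type, code) of an ICMP error, if any


def classify_by_ttl(log: List[RstLog]) -> Dict[int, str]:
    """TTL-based analysis. Returns {} when the rule cannot discriminate,
    i.e. when every RST carries the same TTL."""
    ttls = {e.ttl for e in log if e.ttl is not None}
    if len(ttls) < 2:
        return {}
    return {e.port: ("open" if e.ttl < TTL_BOUNDARY else "closed")
            for e in log if e.ttl is not None}


def classify_by_window(log: List[RstLog]) -> Dict[int, str]:
    """Window-based analysis, including the filtered cases."""
    result: Dict[int, str] = {}
    for e in log:
        if e.icmp is not None:
            icmp_type, code = e.icmp
            result[e.port] = "filtered" if icmp_type == 3 and code in FILTERED_CODES else "unknown"
        elif e.window is None:
            result[e.port] = "filtered"          # silence after retransmissions
        else:
            result[e.port] = "open" if e.window != 0 else "closed"
    return result


def classify(log: List[RstLog]) -> Dict[int, str]:
    """Prefer the TTL rule; fall back to the window rule when all TTLs match.
    Filtered verdicts come from the window pass either way, since the TTL
    rule only sees ports that actually answered with an RST."""
    verdict = classify_by_window(log)
    verdict.update(classify_by_ttl(log))
    return verdict


# Constructed log mirroring the text's TTL example: port 22 answers with TTL 50,
# the other ports with TTL 80, and every RST has a zero window.
TTL_LOG = [RstLog(20, 80, 0), RstLog(21, 80, 0), RstLog(22, 50, 0), RstLog(23, 80, 0)]

# Constructed log mirroring the window example: identical TTLs, one non-zero
# window, one ICMP unreachable (type 3, code 13) and one port that never answered.
WINDOW_LOG = [RstLog(20, 64, 0), RstLog(21, 64, 0), RstLog(22, 64, 65535),
              RstLog(23, 64, 0), RstLog(25, icmp=(3, 13)), RstLog(80)]

if __name__ == "__main__":
    for name, log in (("TTL example", TTL_LOG), ("window example", WINDOW_LOG)):
        print(name, classify(log))
```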
Disadvantages:
■ It is extremely slow and can exploit only older OSs with vulnerable BSD-derived TCP/IP
stacks.
[Figure: ACK probe packet sent from the attacker to the target host; one case shows no response, the other an RST returned]
[Zenmap screenshot: target 10.10.1.11]
The attacker performs this scan by impersonating another computer via spoofing. The attacker
does not send a packet from their own IP address; instead, they use another host, often called a
"zombie," to scan the remote host and identify open ports. In this attack, the attacker inspects
the sequence numbers of the zombie host, and if the remote host checks the IP of the scanning
party, the IP of the zombie machine is displayed.
IDLE Scan
■ Step 1
The first step in an idle scan is to determine an appropriate zombie. A zombie that
assigns IPID values incrementally on a global basis is an appropriate or idle zombie for
performing idle scans. The shorter the time interval for request/response between the
attacker-zombie and zombie-target, the faster the scan.
In the first step, a SYN+ACK packet is sent to the zombie machine to probe its IPID
number. Here, the SYN+ACK packet is sent to probe the IPID number and not to establish
a TCP connection (three-way handshake).
[Figure: IPID probe: SYN+ACK packet sent from the attacker to the zombie; RST packet returned with IPID=31337]
As the zombie does not expect a SYN+ACK packet, it denies the connection by returning
an RST packet. The RST packet sent by the zombie machine is analyzed to extract the IPID.
As shown in the figure, we assume that the zombie responds with IPID=31337.
Furthermore, we denote this IPID as X.
■ Step 2
The attacker sends a SYN packet to the target machine on port 80, spoofing the IP address
of the zombie.
Idle Scan: Step 2.1 (Open Port)
If the port is open, the target sends the SYN+ACK packet to the zombie (as the IP address
was spoofed) to proceed with the three-way handshake. Because the zombie did not
expect a SYN+ACK packet from the target machine, it responds with an RST packet.
Because every IP packet has an IPID, which increases by one for every packet
transmission, the zombie now uses the next available IPID, i.e., 31338 (X + 1).
Assume that the port on the target is closed. Subsequently, upon receiving the SYN packet
from the attacker, the target responds with an RST packet, and the zombie remains idle
thereafter.
■ Step 3
Send a SYN+ACK packet to the zombie, and it responds with an RST packet containing the
IPID. Assuming that the port on the target was open and that the zombie has already sent
an RST packet to the target, the IPID number is increased by 1. Now, the zombie responds
with an RST packet to the attacker using its next IPID, i.e., 31339 (X + 2). Consequently,
the IPID is increased by 2, which implies that the port on the target machine was open.
Thus, using an idle scan, an attacker can identify the open ports and services on the target
machine by spoofing their IP address with a zombie's IP address.
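An offline model of the IPID arithmetic in the three steps above. This is an added example, not part of the course material: nothing is sent on the wire, and the Zombie and Target classes are simplified stand-ins that track only the zombie's IPID counter. The "random" mode is an assumption used to show why a host with unpredictable IPIDs cannot serve as a zombie, which is the configuration a defender wants.

```python
# Added example (not part of the course material): an offline model of the IPID
# arithmetic in the three idle scan steps above. Nothing touches the network;
# Zombie and Target are simplified stand-ins that track only the zombie's IP
# identification counter. "global" mode is the incrementally assigned, global
# IPID the text requires of a usable zombie; "random" mode models a host whose
# IPIDs are unpredictable, which is why such hosts cannot serve as zombies.
import random
from typing import Dict, Iterable


class Zombie:
    def __init__(self, start_ipid: int = 31337, mode: str = "global") -> None:
        self.next_ipid = start_ipid
        self.mode = mode
        self._rng = random.Random(2024)   # seeded so the model is repeatable

    def _emit(self) -> int:
        """Return the IPID stamped on the next packet the zombie sends."""
        if self.mode == "global":
            ipid, self.next_ipid = self.next_ipid, (self.next_ipid + 1) & 0xFFFF
            return ipid
        return self._rng.randrange(0, 0x10000)

    def receive_syn_ack(self) -> int:
        # An unexpected SYN+ACK is answered with an RST; its IPID is returned.
        return self._emit()

    def receive_rst(self) -> None:
        # An RST from a target is silently dropped: no packet, no IPID consumed.
        return None


class Target:
    def __init__(self, open_ports: Iterable[int]) -> None:
        self.open_ports = set(open_ports)

    def receive_syn(self, port: int, spoofed_source: Zombie) -> None:
        # Open port: SYN+ACK goes to the spoofed source, which replies with RST.
        # Closed port: RST goes to the spoofed source, which ignores it.
        if port in self.open_ports:
            spoofed_source.receive_syn_ack()
        else:
            spoofed_source.receive_rst()


def zombie_is_usable(zombie: Zombie, samples: int = 5) -> bool:
    """Step 1 check: successive probes must return IPIDs that grow by exactly 1."""
    ipids = [zombie.receive_syn_ack() for _ in range(samples)]
    return all(((b - a) & 0xFFFF) == 1 for a, b in zip(ipids, ipids[1:]))


def idle_scan_port(zombie: Zombie, target: Target, port: int) -> str:
    x = zombie.receive_syn_ack()          # Step 1: IPID probe, response X
    target.receive_syn(port, zombie)      # Step 2: SYN to the target, spoofed as the zombie
    y = zombie.receive_syn_ack()          # Step 3: probe again
    delta = (y - x) & 0xFFFF
    if delta == 2:
        return "open"                     # zombie sent one RST in between: X+1, then X+2
    if delta == 1:
        return "closed|filtered"          # zombie stayed idle; a filtered port looks the same
    return "unknown"                      # zombie was not idle or has no global counter


def idle_scan(zombie: Zombie, target: Target, ports: Iterable[int]) -> Dict[int, str]:
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == "__main__":
    # Constructed scenario: the target listens on 80 only; the zombie starts at 31337.
    print(idle_scan(Zombie(), Target({80}), [22, 80]))
```

From the target's side the probes appear to come from the zombie's address, which is why the text says the zombie's IP is what the remote host sees.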
UDP Scan
UDP Raw ICMP Port Unreachable Scanning
UDP port scanners use the UDP protocol instead of TCP. There is no three-way handshake in a
UDP scan. UDP can be more challenging to scan than TCP because you can
send a packet but cannot tell from the absence of a reply whether the host is alive, dead, or filtered. However,
you can use one ICMP message to check for open or closed ports. If you send a UDP packet to a port
without an application bound to it, the IP stack will return an ICMP port unreachable packet. Any
port that returns an ICMP error is closed, which leaves the ports that did not answer as either open
or filtered by the firewall.
[Figure: UDP scan: the attacker asks the server "Are you open on UDP Port 29?"; if the port is closed, an ICMP Port unreachable message is received]
This happens because open ports do not have to send an acknowledgement in response to a
probe, and closed ports are not even required to send an error packet.
UDP Packets
Source: https://nmap.org
When you send a packet to a closed UDP port, most hosts send an ICMP_PORT_UNREACH
error. Thus, you can determine whether a port is open. However, neither UDP packets nor ICMP errors are
guaranteed to arrive, so UDP scanners of this type must implement retransmission of packets
that appear lost. UDP scanners interpret lost traffic as open ports. In Zenmap, the -sU option is
used to perform a UDP scan.
In addition, this scanning technique is slow because hosts that apply RFC 1812 section 4.3.2.8
limit the rate of ICMP error messages, and the scanner must compensate for this. Access to the
raw ICMP socket is required to distinguish closed ports from unreachable ports.
UDP RECVFROM() and WRITE() Scanning
Although non-root users cannot read port unreachable errors directly, Linux informs you
indirectly when it receives such messages.
■ Example:
For example, a second write() call to a closed port will usually fail. Various scanners,
such as Netcat and Pluvial pscan.c, perform recvfrom() on non-blocking UDP
sockets, and they usually return EAGAIN ("Try Again," errno 13) if the ICMP error has
not been received or ECONNREFUSED ("connection refused," errno 111)
otherwise. This technique is used for determining open ports when non-root users use
-u (UDP). Root users can also use the -l (lamer UDP scan) option to force this process.
Advantage:
The UDP scan is less informal with regard to an open port because there is no overhead of a TCP
handshake. However, if ICMP is responding to each unavailable port, the total number of frames
can exceed that from a TCP scan. Microsoft-based OSs do not usually implement any ICMP rate
limiting; hence, this scan operates very efficiently on Windows-based devices.
Disadvantage:
The UDP scan provides port information only. If additional information of the version is needed,
the scan must be supplemented with a version detection scan (-sV) or the OS fingerprinting
option (-O).
The UDP scan requires privileged access; hence, this scan option is only available on systems with
the appropriate user permissions.
Most networks have massive amounts of TCP traffic; as a result, the efficiency of the UDP scan is
low. The UDP scan will locate open ports and provide the security manager with valuable
information for identifying successful attacker invasions on open UDP ports owing to spyware
applications, Trojan horses, and other malicious software.
SCTP INIT Scan
Stream Control Transmission Protocol (SCTP) is a reliable message-oriented transport layer protocol.
It is used as an alternative to the TCP and UDP protocols, as its characteristics are similar to those
of TCP and UDP. SCTP is specifically used to perform multi-homing and multi-streaming activities.
Some SCTP applications include discovering VoIP, IP telephony, and Signaling System 7/SIGnaling
TRANsport (SS7/SIGTRAN)-related services. An SCTP association is established with a four-way
handshake, as shown in the screenshot below.
[Figure: SCTP four-way handshake between Bob (client, 10.10.10.9) and Clara (server, 10.10.10.11): INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK]
The SCTP INIT scan is performed quickly, scanning thousands of ports per second on a fast
network not obstructed by a firewall, offering a stronger sense of security. The SCTP INIT scan is
very similar to the TCP SYN scan; it is likewise stealthy and unobtrusive, as it never
completes SCTP associations, leaving the connection half-open.
Attackers send an INIT chunk to the target host. If the port is listening or open, it responds
with an acknowledgement in the form of an INIT+ACK chunk.
[Figure: SCTP INIT scan result when a port is listening (open): INIT chunk sent, INIT+ACK chunk returned]
Figure 3.67: SCTP INIT scan result when a port is not listening (Closed): INIT chunk sent, ABORT chunk returned
After several retransmissions, if there is no response, then the port is indicated as a filtered port.
The port is also indicated as a filtered port if the target server responds with an ICMP unreachable
exception (type 3, code 0, 1, 2, 3, 9, 10, or 13). In Zenmap, the -sY option is used to perform the
SCTP INIT scan.
Advantages:
• INIT scan can clearly differentiate between various ports such as open, closed, and filtered
states
Figure 3.70: SCTP COOKIE ECHO scan result when port is closed
Advantages:
■ The port scan is not as conspicuous as the INIT scan.
Disadvantages:
■ SCTP COOKIE ECHO scan cannot differentiate clearly between open and filtered ports,
and it shows the output as open|filtered in both cases.
[Zenmap screenshot: SCTP COOKIE ECHO scan of 10.10.1.11 with the following output]
nmap -sZ -v 10.10.1.11
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-15 05:38
Initiating ARP Ping Scan at 05:38
Scanning 10.10.1.11 [1 port]
Completed ARP Ping Scan at 05:38, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:38
Completed Parallel DNS resolution of 1 host. at 05:38, 0.00s elapsed
Initiating SCTP COOKIE-ECHO Scan at 05:38
Scanning 10.10.1.11 [52 ports]
Completed SCTP COOKIE-ECHO Scan at 05:38, 2.13s elapsed (52 total ports)
Nmap scan report for 10.10.1.11
Host is up (0.0015s latency).
The attacker may use the UPnP SSDP M-SEARCH information discovery tool to check whether the
machine is vulnerable to UPnP exploits. The UPnP SSDP M-SEARCH information discovery tool
gleans information from UPnP-enabled systems, as shown in the figure.
List Scan
In a list scan, the discovery of the active network host is indirect. A list scan simply generates and
prints a list of IPs/Names without actually pinging or scanning the hosts. As a result, the list scan
shows all IP addresses as "not scanned" (0 hosts up). By default, a reverse DNS resolution is still
carried out on each host by Nmap to learn their names. In Zenmap, the -sL option is used to
perform a list scan.
IPv6 Scan
■ IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of address hierarchy
■ Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from:" header lines in archived emails
IPv6 Scan
IPv6 increases the size of the IP address space from 32 bits to 128 bits to support higher levels of
the addressing hierarchy. Traditional network scanning techniques are computationally less
feasible because of the larger search space (64 bits of host address space, or 2^64 addresses)
provided by IPv6 in a subnet. Scanning an IPv6 network is more difficult and complex compared
to IPv4. Additionally, a number of scanning tools do not support ping sweeps on IPv6 networks.
Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from"
and other header lines in archived email or Usenet news messages to identify IPv6 addresses for
subsequent port scanning. However, an IPv6 network provides a large number of hosts
in a subnet; if an attacker can compromise one host in the subnet, he/she can probe the "all hosts"
link-local multicast address, or guess addresses if the host numbers are sequential or follow any
regular scheme. Otherwise, an attacker needs to analyze 2^64 addresses to verify whether a particular
open service is running on a host in that subnet. At a conservative rate of one probe per second,
such a scan would take about 5 billion years to complete. Attackers can use Nmap to perform IPv6
scanning. In Zenmap, the -6 option is used to perform the IPv6 scan.
■ Service version detection helps attackers to obtain information about running services and their versions on a target system
■ Obtaining an accurate service version number allows attackers to determine the vulnerability of the target system to particular exploits
■ In Zenmap, the -sV option is used to detect service versions
[Zenmap screenshot: service version detection against 10.10.1.11 (Starting Nmap 7.80 at 2022-03-15 06:14; Host is up (0.00s latency); Not shown: 994 closed ports; detected services include tcpwrapped and http Microsoft IIS httpd)]
In Nmap, performance and accuracy can be achieved by adjusting the scan timing
■ Separate and Optimize UDP Scans
■ Scan from a Favorable Network Location
To control the scan activity, Nmap provides the -T option for scanning, ranging from high-level
to low-level timing aggressiveness. This can be extremely useful for scanning highly
filtered networks.
■ Separate and Optimize UDP Scans
As many vulnerable services use the UDP protocol, scanning the UDP protocol is vital, and
it should be scanned separately, as TCP scans have different performance requirements
and timing characteristics. Moreover, the UDP scan is more affected by the ICMP error
rate-limiting compared to the TCP scan.
■ Upgrade Nmap
It is always advisable to use the upgraded version of Nmap as it contains many bug fixes,
important algorithmic enhancements, and high-performance features such as local
network ARP scanning.
■ Execute Concurrent Nmap Instances
Running Nmap against the whole network usually makes the system slower and less
efficient. Nmap supports parallelization and it can also be customized according to
specific needs. It becomes very efficient by getting an idea of the network reliability while
scanning a larger group. The overall speed of the scan can be improved by dividing it into
many groups and running them simultaneously.
■ Scan from a Favorable Network Location
It is always advisable to run Nmap from the host's local network to the target while in the
internal network, as it offers defense-in-depth security. External scanning is obligatory
when performing firewall testing or when the network should be monitored from the
external attacker's viewpoint.
■ Increase Available Bandwidth and CPU Time
By increasing the available bandwidth or CPU power, the Nmap scan time can be reduced.
This can be done by installing a new data line or stopping any running applications. Nmap
is controlled by its own congestion control algorithms, so that network flooding can be
prevented. This improves its accuracy. The Nmap bandwidth usage can be tested by
running it in the verbose mode -v.
OS Discovery/Banner Grabbing
■ Banner grabbing or OS fingerprinting is the method used to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive
■ Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities possessed by the system and the exploits that might work on a system to further carry out additional attacks
Active Banner Grabbing:
■ Specially crafted packets are sent to the remote OS and the responses are noted
■ The responses are then compared with a database to determine the OS
■ Responses from different OSes vary due to differences in the TCP/IP stack implementation
Passive Banner Grabbing:
■ Banner grabbing from error messages: Error messages provide information such as the type of server, type of OS, and SSL tool used by the target remote system.
■ Sniffing the network traffic: Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system.
■ Banner grabbing from page extensions: Looking for an extension in the URL may assist in determining the application's version. Example: .aspx => IIS server and Windows platform
OS Discovery/Banner Grabbing
Banner grabbing, or "OS fingerprinting," is a method used to determine the OS that is running on
a remote target system. It is an important scanning method, as the attacker will have a higher
probability of success if the OS of the target system is known (many vulnerabilities are OS-
specific). The attacker can then formulate an attack strategy based on the OS of the target
system.
There are two methods for banner grabbing: spotting the banner while trying to connect to a
service, such as an FTP site, and downloading the binary file/bin/ls to check the system
architecture.
A more advanced fingerprinting technique depends on stack querying, which transfers the
packets to the network host and evaluates them by the reply. The first stack-querying method
designed with regard to the TCP mode of communication evaluates the response to connection
requests.
The next method, known as initial sequence number (ISN) analysis, identifies the differences in
random number generators found in the TCP stack. ICMP response analysis is another method
used to fingerprint an OS. It consists of sending ICMP messages to a remote host and evaluating
the reply.
Two types of banner grabbing techniques are described below:
■ Active Banner Grabbing
Active banner grabbing applies the principle that an OS's IP stack has a unique way of
responding to specially crafted TCP packets. This happens because of different
interpretations that vendors apply while implementing the TCP/IP stack on a particular
OS. In active banner grabbing, the attacker sends a variety of malformed packets to the
remote host, and the responses are compared with a database. Responses from different
OSs vary because of differences in TCP/IP stack implementation.
For instance, the scanning utility Nmap uses a series of nine tests to determine an OS
fingerprint or banner grabbing. The tests listed below provide some insights into an active
banner grabbing attack, as described at www.packetwatch.net:
o Test 1: A TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP
port.
o Test 2: A TCP packet with no flags enabled is sent to an open TCP port. This type of
packet is a NULL packet.
o Test 3: A TCP packet with the URG, PSH, SYN, and FIN flags enabled is sent to an open
TCP port.
o Test 4: A TCP packet with the ACK flag enabled is sent to an open TCP port.
o Test 5: A TCP packet with the SYN flag enabled is sent to a closed TCP port.
o Test 6: A TCP packet with the ACK flag enabled is sent to a closed TCP port.
o Test 7: A TCP packet with the URG, PSH, and FIN flags enabled is sent to a closed TCP
port.
o Test 8 PU (Port Unreachable): A UDP packet is sent to a closed UDP port. The objective
is to extract an "ICMP port unreachable" message from the target machine.
o Test 9 TSeq (TCP Sequence ability test): This test tries to determine the sequence
generation patterns of the TCP initial sequence numbers (also known as TCP ISN
sampling), the IP identification numbers (also known as IPID sampling), and the TCP
timestamp numbers. It sends six TCP packets with the SYN flag enabled to an open
TCP port.
The objective of these tests is to find patterns in the initial sequence of numbers that the
TCP implementations chose while responding to a connection request. They can be
categorized into groups, such as traditional 64K (many old UNIX boxes), random
increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many
others), or true random (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a
"time-dependent" model in which the ISN is incremented by a fixed amount for each
occurrence.
■ Passive Banner Grabbing
Source: https://www.broadcom.com
Like active banner grabbing, passive banner grabbing also depends on the differential
implementation of the stack and the various ways in which an OS responds to packets.
However, instead of relying on scanning the target host, passive fingerprinting captures
packets from the target host via sniffing to study telltale signs that can reveal an OS.
Window Size: In this step, the window sizes are compared. The window size is another
effective tool for determining precisely what window size is used and how often it is
changed. In the previous signature, the window size is set at 0x7D78, which is the default
window size used by Linux. In addition, FreeBSD and Solaris tend to maintain the same
window size throughout a session. However, Cisco routers and Microsoft Windows NT
window sizes constantly change. The window size is more accurate when measured after
the initial three-way handshake (due to TCP slow start).
DF bit: Most systems use the DF bit set; hence, this is of limited value. However, this
makes it easier to identify a few systems that do not use the DF flag (such as SCO or
OpenBSD).
TOS: TOS is also of limited value, as it seems to be more session-based than OS-based. In
other words, it is not so much the OS as the protocol used that determines the TOS to a
large extent.
Using the information obtained from the packet, specifically the TTL and the window size,
one can compare the results with the database of signatures and determine the OS with
some degree of confidence (in this case, Linux kernel 2.2.x).
Passive fingerprinting, like active fingerprinting, has some limitations. First, applications
that build their own packets (e.g., Nmap, Hunt, Nemesis, etc.) will not use the same
signatures as the OS. Second, it is relatively simple for a remote host to adjust the TTL,
window size, DF, or TOS setting on the packets.
Passive fingerprinting has several other uses. For example, attackers can use stealthy
fingerprinting to determine the OS of a potential target such as a web server. A user only
needs to request a web page from the server and then analyze the sniffer traces. This
bypasses the need for using an active tool that various IDS systems can detect. Passive
fingerprinting also helps in identifying remote proxy firewalls. It may be possible to ID
proxy firewalls from the signatures as discussed above, simply because proxy firewalls
rebuild connections for clients. Similarly, passive fingerprinting can be used to identify
rogue systems.
Note: We will discuss passive banner grabbing in later modules.
An attacker uses banner grabbing to identify the OS used on the target host and thus determine
the system vulnerabilities and exploits that might work on that system to carry out further
attacks.
■ Time To Live (TTL) and TCP window size in the IP header of the first packet in a TCP session
■ Sniff/capture the response generated from the target machine using packet-sniffing tools like Wireshark and observe the TTL and TCP window size fields

Operating System    Time To Live    TCP Window Size
Linux               64              5840
FreeBSD             64              65535
OpenBSD             255             16384
Windows             128             65,535 bytes to 1 Gigabyte
Cisco Routers       255             4128
Table 3.2: TTL and TCP Window size values for OS
Attackers can use various tools to perform OS discovery on the target machine, including
Wireshark, Nmap, Unicornscan, and the Nmap Scripting Engine. Attackers can also adopt the IPv6
fingerprinting method to grab the target OS details.
OS Discovery using Wireshark
Source: https://www.wireshark.org
To identify the target OS, sniff/capture the response generated from the target machine to the
request-originating machine using packet-sniffing tools such as Wireshark, and observe the
TTL and TCP window size fields in the first captured TCP packet. By comparing these values with
those in the above table, you can determine the target OS that generated the response.
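The comparison against Table 3.2 can be automated. The following is an added example, not code from the module, Wireshark, or Nmap: it reads the TTL and window size out of the raw IPv4 and TCP headers of a captured packet, rounds the observed TTL up to the nearest common starting value (the set 64/128/255 is an assumption) to estimate the hop count, and then matches the table. The sample packets are constructed inline.

```python
"""
Passive OS fingerprinting from the TTL and TCP window size of the first
packet in a TCP session (added example; not code from the module).
"""
import struct

# Table 3.2 values from the module. Windows advertises 65,535 bytes up to
# 1 GiB (with window scaling), so it is stored as a range.
SIGNATURES = [
    # (os name, initial TTL, minimum window, maximum window)
    ("Linux",         64,  5840,  5840),
    ("FreeBSD",       64,  65535, 65535),
    ("OpenBSD",       255, 16384, 16384),
    ("Windows",       128, 65535, 1 << 30),
    ("Cisco Routers", 255, 4128,  4128),
]

# Assumption: hosts start at one of these TTLs; each router decrements by one.
INITIAL_TTLS = (64, 128, 255)


def initial_ttl_and_hops(observed_ttl):
    """Round an observed TTL up to the nearest starting value; the
    difference estimates how many routers the packet crossed."""
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start, start - observed_ttl
    raise ValueError("TTL above 255 is not a valid IPv4 value")


def guess_os(observed_ttl, window):
    """Return (os_name or None, initial_ttl, hops)."""
    start, hops = initial_ttl_and_hops(observed_ttl)
    for name, ttl, lo, hi in SIGNATURES:
        if ttl == start and lo <= window <= hi:
            return name, start, hops
    return None, start, hops


def parse_ttl_and_window(packet):
    """Extract TTL and TCP window from a raw IPv4+TCP packet (no link layer)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not a TCP packet")
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    (window,) = struct.unpack("!H", packet[ihl + 14:ihl + 16])
    return ttl, window


def build_syn_ack(ttl, window):
    """Constructed IPv4/TCP SYN-ACK for testing (checksums left zero
    because nothing here verifies them)."""
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 0x50, 0x12, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     bytes([10, 10, 1, 11]), bytes([10, 10, 1, 9]))
    return ip + tcp


def fingerprint(packet):
    """Full pipeline: raw packet -> (os guess, initial TTL, hop estimate)."""
    ttl, window = parse_ttl_and_window(packet)
    return guess_os(ttl, window)


if __name__ == "__main__":
    # Constructed sample captures: the observed TTL is below the starting
    # value by the number of hops the packet crossed.
    for ttl, window in [(121, 65535), (64, 5840), (58, 65535), (250, 4128)]:
        print(ttl, window, fingerprint(build_syn_ack(ttl, window)))
```

A TTL of 121 with a 65,535-byte window therefore reads as Windows seven hops away; the same window with a TTL of 58 reads as FreeBSD, which is why the TTL, not the window alone, separates the two entries that share a value in the table.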
[Figure: Wireshark capture showing the IP header of a captured packet with Time to Live 128; possible OS is Windows]
[Figure: Wireshark capture showing the IP header of a captured packet with Time to Live 64; possible OS is Linux]
[Figure: Zenmap running nmap -O 10.10.1.11, with the following Nmap output]
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-15 22:25
Nmap scan report for 10.10.1.11
Host is up (0.00s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
MAC Address: 00:15:5D:01:80:00 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10:1703
OS details: Microsoft Windows 10 1703
Network Distance: 1 hop
IPv6 fingerprinting can be used to identify the OS running on the target machine
The difference between IPv6 and IPv4 fingerprinting is that IPv6 uses several additional advanced
probes specific to IPv6 along with a separate OS detection engine that is specialized for IPv6
In Zenmap, the -6 option and -O option are used to perform OS discovery using the IPv6
fingerprinting method
Syntax: # nmap -6 -O <target>
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
In Zenmap, the -6 option along with the -O option is used to perform OS discovery using the IPv6
fingerprinting method.
Syntax: # nmap -6 -O <target>
LO#06: Demonstrate Various Techniques for Scanning Beyond IDS and Firewall
Though firewalls and IDSs can prevent malicious traffic (packets) from entering a network, attackers
can manage to send intended packets to the target by evading an IDS or firewall through the following
techniques:
• Packet Fragmentation
• Source Routing
• Source Port Manipulation
• IP Address Decoy
• IP Address Spoofing
• Proxy Servers
• Anonymizers
Packet Fragmentation
Packet fragmentation refers to the splitting of a probe packet into several smaller packets
(fragments) while sending it to a network. When these packets reach a host, the IDS and firewalls
behind the host generally queue all of them and process them one by one. However, since this
method of processing involves greater CPU and network resource consumption, the
configuration of most IDSs causes them to skip fragmented packets during port scans.
Therefore, attackers use packet fragmentation tools such as Nmap and fragroute to split the
probe packet into smaller packets that circumvent the port-scanning detection employed by the
IDS. Once these fragments reach the destination host, they are reassembled to form a single packet.
SYN/FIN Scanning Using IP Fragments
SYN/FIN scanning using IP fragments is not a new scanning method but a modification of previous
techniques. This process of scanning was developed to avoid false positives generated by other
scans because of a packet filtering device on the target system . The TCP header splits into several
packets to evade the packet filter. For any transmission, every TCP header must have the source
and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet
allow the remote host to reassemble the packets upon receipt via an Internet protocol module
that detects the fragmented data packets using field-equivalent values of the source, destination,
protocol, and identification.
[Figure: the attacker sends SYN/FIN (small IP fragments) + Port (n) to the target; the target replies with RST (if the port is closed)]
In this scan, the system splits the TCP header into several fragments and transmits them over the
network. However, IP reassembly on the server side may result in unpredictable and abnormal
results, such as fragmentation of the IP header data. Some hosts may fail to parse and reassemble
the fragmented packets, which may lead to crashes, reboots, or even network device monitoring
dumps.
Some firewalls might have rule sets that block IP fragmentation queues in the kernel (e.g.,
CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely
implemented because of its adverse effects on performance. Since many IDS use signature-based
methods to indicate scanning attempts on IP and/or TCP headers, the use of fragmentation will
often evade this type of packet filtering and detection, resulting in a high probability of causing
problems on the target network. Attackers use the SYN/FIN scanning method with IP
fragmentation to evade this type of filtering and detection.
The screenshot below shows the SYN/FIN scan using the Zenmap tool.
[Figure: Zenmap showing the SYN/FIN scan using IP fragments]
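The countermeasure the discussion above implies is to reassemble before matching, so that a TCP header spread over tiny fragments is inspected as a whole. The following is an added example, not code from the module or from any IDS product: it groups IPv4 fragments by the source, destination, protocol and identification fields named above, flags a first fragment too short to carry the 20-byte TCP header, and only then looks at the TCP flags of the reassembled datagram. All packets are constructed inline; the addresses are sample values.

```python
"""
Reassembling IP fragments before signature matching, so that SYN+FIN split
across tiny fragments is still seen. Added example; not the module's code.
"""
import struct
from collections import defaultdict

TCP = 6
FIN, SYN = 0x01, 0x02
SRC, DST = bytes([10, 10, 1, 9]), bytes([10, 10, 1, 11])   # constructed addresses


def tcp_segment(flags, dport=80):
    """20-byte TCP header (checksum left zero: nothing here verifies it)."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)


SYNFIN_SEGMENT = tcp_segment(SYN | FIN)
SYN_SEGMENT = tcp_segment(SYN)


def build_fragment(ident, offset, more, payload):
    """Constructed IPv4 fragment; `offset` is in bytes and a multiple of 8."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF is bit 13
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, TCP, 0, SRC, DST)
    return hdr + payload


def sample_fragmented_scan():
    """The probe described above: ports in an 8-octet first fragment, the
    flags byte only in the second fragment (identification 7)."""
    return [build_fragment(7, 0, True, SYNFIN_SEGMENT[:8]),
            build_fragment(7, 8, False, SYNFIN_SEGMENT[8:])]


def parse_fragment(packet):
    ihl = (packet[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", packet[4:8])
    return {"key": (packet[12:16], packet[16:20], packet[9], ident),
            "offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000),
            "payload": packet[ihl:]}


def reassemble(packets):
    """Join fragments sharing (source, destination, protocol, identification)
    in offset order. Returns {key: datagram payload} for complete datagrams;
    groups with gaps or overlaps are left out rather than guessed at."""
    groups = defaultdict(list)
    for p in packets:
        f = parse_fragment(p)
        groups[f["key"]].append(f)
    complete = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        data, expected = b"", 0
        for f in frags:
            if f["offset"] != expected:
                break
            data += f["payload"]
            expected += len(f["payload"])
        else:
            if not frags[-1]["more"]:
                complete[key] = data
    return complete


def inspect(packets):
    """Alerts a reassembling IDS would raise on the given packets."""
    alerts = []
    for p in packets:
        f = parse_fragment(p)
        # A first fragment too short to hold the TCP header is the tell-tale
        # of a deliberately split header.
        if f["key"][2] == TCP and f["offset"] == 0 and f["more"] and len(f["payload"]) < 20:
            alerts.append(("tiny-first-fragment", f["key"][3]))
    for key, data in reassemble(packets).items():
        if key[2] == TCP and len(data) >= 20 and data[13] & SYN and data[13] & FIN:
            alerts.append(("syn-fin", key[3]))   # SYN and FIN never occur together legitimately
    return alerts
```

Run `inspect(sample_fragmented_scan())` and both alerts appear, whereas a per-packet matcher sees one fragment with ports and no flags, and another with flags and no ports. Fragments arriving out of order are handled by the sort before joining.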
Source Routing
• As the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet to the destination
• Source routing refers to sending a packet to the intended destination with a partially or completely specified route (without firewall-/IDS-configured routers) in order to evade an IDS or firewall
• In source routing, the attacker makes some or all of these decisions on the router
[Figure: the sender dictates the eventual route of the traffic through nodes B, C, and D to the destination]
Source Routing
An IP datagram contains various fields, including the IP options field, which stores source routing
information and includes a list of IP addresses through which the packet travels to its destination.
As the packet travels through th e nodes in the network, each router examines the destination IP
address and chooses the next hop to direct the packet to the destination.
When attackers send malformed packets to a target, these packets hop through various routers
and gateways to reach the destination. In some cases, the routers in the path might include
configured firewalls and IDS that block such packets. To avoid them, attackers enforce a loose or
strict source routing mechanism, in which they manipulate the IP address path in the IP options
field so that the packet takes the attacker-defined path (without firewall-/IDS-configured routers)
to reach the destination, thereby evading firewalls and IDS.
The figure below shows source routing, where the originator dictates the eventual route of the
traffic.
[Figure: the sender specifies the path through intermediate nodes B, C, and D to the destination, bypassing nodes E, F, and G]
Figure 3.83: Source Routing
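A firewall or IDS can refuse to honour an attacker-defined path by inspecting the IP options field for the loose (type 131) and strict (type 137) source route options. The following is an added example, not code from the module: it walks the options area of an IPv4 header, extracts the hop list, and returns a drop verdict for any source-routed packet. The packets, addresses and the verdict function are constructed for illustration.

```python
"""
Detecting loose/strict source routing in the IPv4 options field so a filter
can drop such packets. Added example; not the module's code.
"""
import struct
from ipaddress import IPv4Address

LSRR, SSRR = 131, 137   # IPv4 option types: loose / strict source route
EOOL, NOP = 0, 1        # end of option list / no-operation padding


def build_source_routed(route, strict=False, src="10.10.1.9", dst="10.10.1.11"):
    """Constructed IPv4 header carrying a source-route option with the given
    hop list (checksum left zero, no payload)."""
    hops = b"".join(IPv4Address(h).packed for h in route)
    opt = bytes([SSRR if strict else LSRR, 3 + len(hops), 4]) + hops   # type, length, pointer
    opt += b"\x00" * (-len(opt) % 4)          # pad options to a 32-bit boundary
    ihl = 5 + len(opt) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opt), 1, 0, 64, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + opt


# Constructed header with no options at all, for comparison.
PLAIN_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0,
                           IPv4Address("10.10.1.9").packed, IPv4Address("10.10.1.11").packed)


def ip_options(packet):
    """Yield (type, data) for each option in the IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        kind = packet[i]
        if kind == EOOL:
            break
        if kind == NOP:
            i += 1
            continue
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed IP option")
        yield kind, packet[i + 2:i + length]
        i += length


def source_route(packet):
    """Return ('loose'|'strict', [hop addresses]) or None if not source routed."""
    for kind, data in ip_options(packet):
        if kind in (LSRR, SSRR):
            # data = pointer byte followed by 4-byte addresses
            hops = [str(IPv4Address(data[j:j + 4])) for j in range(1, len(data) - 3, 4)]
            return ("strict" if kind == SSRR else "loose"), hops
    return None


def firewall_verdict(packet):
    """Drop anything that tries to dictate its own path; accept otherwise."""
    return "drop" if source_route(packet) else "accept"


if __name__ == "__main__":
    pkt = build_source_routed(["192.0.2.1", "198.51.100.7"])
    print(source_route(pkt), firewall_verdict(pkt), firewall_verdict(PLAIN_PACKET))
```

Dropping source-routed packets at the border is the usual countermeasure; the parser above also rejects malformed option lengths rather than reading past the header, since malformed options are a common way to make such parsers misbehave.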
Source Port Manipulation
• Source port manipulation refers to manipulating actual port numbers with common port numbers in order to evade an IDS or firewall
• It occurs when a firewall is configured to allow packets from well-known ports like HTTP, DNS, FTP, etc.
• Nmap uses the -g or --source-port options to perform source port manipulation
[Figure: Zenmap screenshot of nmap -g 80 10.10.1.11]
https://nmap.org
[Figure: the attacker's packet from the actual port 242 is blocked, while the packet with the manipulated source port 80 is allowed through to the victim]
Figure 3.84: Firewall allowing manipulated port 80 to the victim from attacker
Although firewalls can be made secure using application-level proxies or protocol-parsing
firewall elements, this technique helps the attacker to bypass simple firewall rules easily. The
attacker replaces the original source port number with a common port number, which can
easily bypass the IDS/firewall. In Zenmap, the -g or --source-port option is used to perform
source port manipulation.
[Figure: Zenmap running nmap -g 80 10.10.1.11]
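The reason the trick works against one kind of filter and not another is worth seeing side by side. The following is an added example, not code from the module: a port-only (stateless) filter that trusts anything arriving from port 53 or 80, next to a stateful filter that remembers which connections the protected host opened and admits only packets that answer them. The rule, the hosts and the packets are constructed for illustration.

```python
"""
Why forcing the source port to 80 passes a stateless port filter but not a
stateful one. Added example, not code from the module.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")   # flags: set of TCP flag names

INSIDE = {"10.10.1.11"}                 # constructed protected host
TRUSTED_SOURCE_PORTS = {53, 80}         # the weak rule: "replies from DNS/HTTP are fine"


def stateless_inbound(pkt):
    """Port-only filter with no memory of who started the conversation."""
    return "allow" if pkt.sport in TRUSTED_SOURCE_PORTS else "drop"


class StatefulFilter:
    """Remembers connections inside hosts open; an inbound packet is only
    allowed when it answers one of them, whatever its source port says."""

    def __init__(self):
        self.table = set()   # (inside host, inside port, outside host, outside port)

    def outbound(self, pkt):
        if pkt.src in INSIDE and "SYN" in pkt.flags:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt):
        known = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return "allow" if known else "drop"


# Constructed traffic: a scan probe whose source port was forced to 80, and
# the web server's genuine SYN/ACK to a connection the inside host opened.
PROBE = Packet("203.0.113.5", 80, "10.10.1.11", 242, {"SYN"})
REPLY = Packet("198.51.100.7", 80, "10.10.1.11", 50000, {"SYN", "ACK"})


def compare(probe, reply):
    """Run both filters over a scanner probe and a genuine reply; return verdicts."""
    fw = StatefulFilter()
    fw.outbound(Packet("10.10.1.11", 50000, "198.51.100.7", 80, {"SYN"}))   # host browses out
    return {
        "probe": {"stateless": stateless_inbound(probe), "stateful": fw.inbound(probe)},
        "reply": {"stateless": stateless_inbound(reply), "stateful": fw.inbound(reply)},
    }


if __name__ == "__main__":
    print(compare(PROBE, REPLY))
```

The probe is admitted by the stateless filter purely because of its source port and rejected by the stateful one because no inside host ever opened a connection to 203.0.113.5; the genuine reply passes both. Connection tracking, not port trust, is the configuration that closes this gap.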
Module 03 Page 352 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Scanning Networks
IP Address Decoy
• IP address decoy technique refers to generating or manually specifying the IP addresses of decoys in order to evade an IDS or firewall
• It appears to the target that the decoys as well as the host(s) are scanning the network
• This technique makes it difficult for the IDS or firewall to determine which IP address was actually scanning the network and which IP addresses were decoys
https://nmap.org
IP Address Decoy
The IP address decoy technique refers to generating or manually specifying IP addresses of the
decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the host(s) are
scanning the network. This technique makes it difficult for the IDS/firewall to determine which IP
address is actually scanning the network and which IP addresses are decoys.
The Nmap scanning tool comes with a built-in scan function called a decoy scan, which cloaks a
scan with decoys. This technique generates multiple IP addresses to perform a scan, thus making
it difficult for the target security mechanisms such as IDS, firewalls, etc., to identify the original
source from the registered logs. The target IDS might report scanning from 5-10 IP addresses;
however, it cannot differentiate between the actual scanning IP address and the innocuous decoy
IPs.
Using the -D RND:<number> option shown in the example below, Nmap automatically generates a
random number of decoys for the scan and randomly positions the real IP address between the decoy IPs.
Ex. Assume that 10.10.10.10 is the target IP address to be scanned. Thus, the Nmap decoy
scan command will be:
# nmap -D RND:10 10.10.10.10
[Figure: Zenmap running nmap -D RND:10 10.10.1.11]
[Figure: Zenmap running nmap -D 192.168.0.1,172.120.2.8,192.168.2.8,10.10.1.19,10.10.1.5 10.10.1.11, ending with "Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds"]
These decoys can be generated in both initial ping scans such as ICMP, SYN, ACK, etc., and during
the actual port scanning phase.
IP address decoy is a useful technique for hiding your IP address. However, it will not be
successful if the target employs active mechanisms such as router path tracing, response
dropping, etc. Moreover, using many decoys can slow down the scanning process and affect the
accuracy of the scan.
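Decoys do leave a recognisable trace on the defender's side: several source addresses probing the same ports on one target within a few seconds, even though the logs cannot say which of them is real. The following is an added example, not code from the module or from Nmap: it parses constructed firewall log lines (using the decoy addresses from the screenshot above) and groups probes per target and time window; the log format, the 5-second window and the three-source threshold are assumptions.

```python
"""
Spotting a decoy scan in firewall logs: many sources probe the same target
ports in the same few seconds. Added example; log format and lines are
constructed, not taken from the module or any product.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<t>\d+) DROP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: five sources hit 10.10.1.11 on the same ports within
# two seconds, the shape left by a decoy scan with four decoys;
# 192.0.2.50 alone later is ordinary noise.
SAMPLE_LOG = """\
100 DROP 192.168.0.1:40001 -> 10.10.1.11:21
100 DROP 172.120.2.8:40002 -> 10.10.1.11:21
100 DROP 192.168.2.8:40003 -> 10.10.1.11:21
100 DROP 10.10.1.19:40004 -> 10.10.1.11:21
100 DROP 10.10.1.5:40005 -> 10.10.1.11:21
101 DROP 192.168.0.1:40001 -> 10.10.1.11:445
101 DROP 172.120.2.8:40002 -> 10.10.1.11:445
101 DROP 192.168.2.8:40003 -> 10.10.1.11:445
101 DROP 10.10.1.19:40004 -> 10.10.1.11:445
101 DROP 10.10.1.5:40005 -> 10.10.1.11:445
250 DROP 192.0.2.50:51000 -> 10.10.1.11:3389
"""


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((int(m["t"]), m["src"], m["dst"], int(m["dport"])))
    return events


def decoy_scan_candidates(events, window=5, min_sources=3):
    """Group probes per target into time windows; when several sources probe
    an identical port set in one window, report them together: at most one
    of them is the real scanner and the rest are likely decoys."""
    buckets = defaultdict(lambda: defaultdict(set))   # (dst, window) -> src -> ports
    for t, src, dst, dport in events:
        buckets[(dst, t // window)][src].add(dport)
    findings = []
    for (dst, w), per_src in buckets.items():
        by_portset = defaultdict(list)
        for src, ports in per_src.items():
            by_portset[frozenset(ports)].append(src)
        for ports, sources in by_portset.items():
            if len(sources) >= min_sources:
                findings.append({"target": dst, "window_start": w * window,
                                 "ports": sorted(ports), "sources": sorted(sources)})
    return findings


if __name__ == "__main__":
    for finding in decoy_scan_candidates(parse_log(SAMPLE_LOG)):
        print(finding)
```

The output names the target, the port set and all five sources as one event rather than five separate scanners, which is the correct reading of a decoy scan and avoids blocking four innocent addresses on the strength of the logs alone.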
IP Address Spoofing
• IP spoofing refers to changing the source IP addresses so that the attack appears to be coming from someone else
• When the victim replies to the address, it goes back to the spoofed address rather than the attacker's real address
• Attackers modify the address information in the IP packet header and the source address bits field in order to bypass the IDS or firewall
[Figure: attacker with real address 1.1.1.1 sending a packet with spoofed address 7.7.7.7 to the victim at IP address 5.5.5.5]
• Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses
IP Address Spoofing
Most firewalls filter packets based on the source IP address. These firewalls examine the source
IP address and determine whether the packet is coming from a legitimate source or an
illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing
technique to bypass such IDSs/firewalls.
IP address spoofing is a hijacking technique in which an attacker obtains a computer's IP address,
alters the packet headers, and sends request packets to a target machine, pretending to be a
legitimate host. The packets appear to be sent from a legitimate machine but are actually sent
from the attacker's machine, while his/her machine's IP address is concealed. When the victim
replies to the address, it goes back to the spoofed address and not to the attacker's real address.
Attackers mostly use IP address spoofing to perform DoS attacks.
When the attacker sends a connection request to the target host, the target host replies to the
spoofed IP address. When spoofing a nonexistent address, the target replies to a nonexistent
system and then hangs until the session times out, thus consuming a significant amount of its
own resources.
[Figure: attacker sending a packet with spoofed address 7.7.7.7 to the victim at IP address 5.5.5.5]
You can use Hping3 to perform IP spoofing. Hping3 lets you send arbitrary TCP/IP packets to
network hosts.
Note: You will not be able to complete the three-way handshake and open a successful TCP
connection with spoofed IP addresses.
The MAC address spoofing technique involves spoofing a MAC address with the MAC address of a
legitimate user on the network.
Attackers use the --spoof-mac Nmap option to set a specific MAC address for the packets to evade
firewalls.
Attackers use the --spoof-mac Nmap option to choose or set a specific MAC address for
packets and send them to the target system/network.
■ nmap -sT -Pn --spoof-mac 0 [Target IP]
The above command automatically generates a random MAC address and attaches it to
the packets in place of the original MAC address while performing host scanning. Here,
--spoof-mac 0 represents the randomization of the MAC address.
Figure 3.89: Screenshot of scanning using the Nmap --spoof-mac 0 option
The --spoof-mac [vendor] form of the command allows attackers to opt for a MAC address from the vendor and spoof
it by attaching it to the packets in place of the original MAC address during the scan. This
type of scan allows attackers to scan in the hidden mode, as the original MAC address is
not recorded in the firewall logs. --spoof-mac [vendor] represents the
randomization of the MAC address based on the specified vendor.
The --spoof-mac [new MAC] form of the command allows attackers to manually choose or set a new MAC address for
the packets sent during the scanning process. --spoof-mac [new MAC] represents
manually setting the MAC address.
Figure 3.91: Scanning using the Nmap --spoof-mac [new MAC] option
Attackers create custom TCP packets using various packet crafting tools like Colasoft Packet Builder, NetScanTools Pro, etc.
[Figure: Colasoft Packet Builder decode editor showing the Ethernet, ARP and IP fields of a constructed packet]
https://www.colasoft.com
Attackers create custom TCP packets to scan the target by bypassing the firewalls.
Attackers use various packet crafting tools such as Colasoft Packet Builder
(https://www.colasoft.com), NetScanTools Pro (https://www.netscantools.com), etc., to
scan the target that is beyond the firewall. Packet crafting tools craft and send packet
streams (custom packets) using different protocols at different transfer rates.
o Colasoft Packet Builder
[Figure: Colasoft Packet Builder packet list showing one constructed 64-byte packet]
There are three views in the Packet Builder: Packet List, Decode Editor, and Hex Editor.
• Packet List displays all the constructed packets. When you select one or more
packets in Packet List, the first highlighted packet is displayed in both Decode
Editor and Hex Editor for editing.
• In Hex Editor, the data of the packet are represented as hexadecimal values and
ASCII characters; nonprintable characters are represented by a dot (" .") in the
ASCII section. You can edit either the hexadecimal values or the ASCII characters.
• Decode Editor allows the attacker to edit packets without remembering the value
length, byte order, and offsets. You can select a field and change the value in the
edit box.
For creating a packet, you can use the add or insert packet command in the Edit menu
or the Tool bar to create a new packet.
The attacker can send a constructed packet to wire directly and control how Colasoft
Packet Builder sends the packets, specifying, for example, the interval between
packets, loop times, and delay between loops.
This packet builder audits networks and checks the network protection against attacks
and intruders. Attackers may use this packet builder to create fragmented packets to
bypass network firewalls and IDS systems. They can also create packets and flood the
victim with a very large number of packets, which could result in DoS attacks.
Randomizing Host Order
[Figure: Zenmap running nmap --randomize-hosts 10.10.1.11 (Nmap 7.80, 2022-03-16)]
[Figure: Zenmap running nmap --badsum 10.10.1.11]
Proxy Servers
A proxy server is an application that can serve as an intermediary for connecting with other computers
Why Attackers Use Proxy Servers?
• To hide the actual source of a scan and evade certain IDS/firewall restrictions
• To mask the actual source of an attack by impersonating the fake source address of the proxy
• To remotely access intranets and other website resources that are normally restricted
• To interrupt all requests sent by a user and transmit them to a third destination such that victims can only identify the proxy server address
Proxy Servers
A proxy server is an application that can serve as an intermediary for connecting with other
computers.
A proxy server is used:
■ As a firewall and to protect the local network from external attacks.
■ As an IP address multiplexer that allows several computers to connect to the Internet
when you have only one IP address (NAT/PAT).
■ To anonymize web surfing (to some extent).
■ To extract unwanted content, such as ads or "unsuitable" material (using specialized
proxy servers).
■ To provide some protection against hacking attacks.
■ To save bandwidth .
How does a proxy server work?
Initially, when you use a proxy to request a particular web page on an actual server, the proxy
server receives it. The proxy server then sends your request to the actual server on your behalf.
It mediates between you and the actual server to transmit and respond to the request, as shown
in the figure below.
[Figure: attacker connecting to the target organization through a proxy server]
Figure 3.95: Attacker using a proxy server for connecting to the target
In this process, the proxy receives the communication between the client and the destination
application. To take advantage of a proxy server, an attacker must configure client programs so
that they can send their requests to the proxy server instead of the final destination.
Why Attackers Use Proxy Servers?
It is easier for an attacker to attack or hack a particular system than to conceal the attack source.
Therefore, the primary challenge for an attacker is to hide his/her identity so that he/she cannot
be traced. Thus, the attacker uses a proxy server to avoid attack detection by masking his/her IP
address. When the attacker uses a proxy to connect to the target system, the server logs will
record the proxy's source address rather than the attacker's source address.
Proxy sites help the attacker to browse the Internet anonymously and access blocked sites (i.e.,
evade firewall restrictions). Thus, the attacker can surf restricted sites anonymously without
using the source IP address.
Attackers use proxy servers:
■ To hide the actual source of a scan and evade certain IDS/firewall restrictions.
■ To hide the source IP address so that they can hack without any legal corollary.
■ To mask the actual source of the attack by employing a fake source address of the proxy.
■ To remotely access intranets and other website resources that are normally off limits.
■ To interrupt all the requests sent by a user and transmit them to a third destination;
hence, victims will only be able to identify the proxy server address.
■ To chain multiple proxy servers to avoid detection.
Proxy Chaining
• Proxy client at the user's system connects to a proxy server and passes the request to the proxy server
• The proxy server strips the user's identification information and passes the request to the next proxy server
[Figure: a request passing through proxies at 20.15.15.3, 15.20.15.2, and 10.20.10.8 (ports 8054, 8045, 8028) before reaching the web server]
Proxy Chaining
Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity
depends on the number of proxies used for fetching the target application; the larger the number
of proxy servers used, the greater is the attacker's anonymity.
The proxy chaining process is described below:
■ The user requests a resource from the destination.
■ A proxy client in the user's system connects to a proxy server and passes the request to
the proxy server.
■ The proxy server strips the user's identification information and passes the request to the
next proxy server.
■ This process is repeated by all the proxy servers in the chain.
■ Finally, the unencrypted request is passed to the web server.
[Figure: the user's encrypted/unencrypted traffic passing through proxies at 20.10.10.2, 10.10.20.5, and 20.10.15.4 (ports 8012, 8023, 8030)]
Proxy Tools
• Proxy Switcher allows you to surf anonymously on the Internet without disclosing your IP address
• CyberGhost VPN hides your IP and replaces it with one of your choice, thus allowing you to surf anonymously
[Figures: Proxy Switcher and CyberGhost VPN screenshots]
Proxy Tools
Proxy tools are intended to allow users to surf the Internet anonymously by keeping their IP
hidden through a chain of SOCKS or HTTP proxies. These tools can also act as HTTP, mail, FTP,
SOCKS, news, telnet, and HTTPS proxy servers.
■ Proxy Switcher
Source: https://www.proxyswitcher.com
Proxy Switcher allows attackers to surf the Internet anonymously without disclosing their
IP address. It also helps attackers to access various blocked sites in the organization. In
addition, it avoids all sorts of limitations imposed by target sites.
[Figure: Proxy Switcher server list showing proxy addresses, ports, countries and test results]
■ CyberGhost VPN
[Figure: CyberGhost VPN "All servers" view: choose the country to connect to and CyberGhost will route all your traffic through the encrypted VPN]
In addition to the proxy tools mentioned above, there are many other proxy tools intended to
allow users to surf the Internet anonymously. Some additional proxy tools are listed below:
■ Burp Suite (https://www.portswigger.net)
■ Tor (https://www.torproject.org)
■ CCProxy (https://www.youngzsoft.net)
■ Hotspot Shield (https://www.hotspotshield.com)
Anonymizers
[Figure: Whonix website, https://www.whonix.org]
Anonymizers
An anonymizer is an intermediate server placed between an end user and a website that accesses
the website on their behalf and makes web surfing activities untraceable. Anonymizers allow
users to bypass Internet censorship. An anonymizer eliminates all identifying information (IP
address) from the system while surfing the Internet, thereby ensuring privacy. It encrypts the
data transferred from a computer to the Internet service provider (ISP). Most anonymizers can
anonymize web (http:), File Transfer Protocol (ftp:), and gopher (gopher:) Internet services.
To visit a page anonymously, you can visit your preferred anonymizer site and enter the name of
the target website in the anonymization field . Alternatively, you can set your browser home page
to point to an anonymizer to anonymize subsequent web access. In addition, you can choose to
anonymously provide passwords and other information to sites without revealing any additional
information, such as your IP address. Attackers may configure an anonymizer as a permanent
proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy
options in their application configuration menu, thereby cloaking their malicious activities.
Why Use an Anonymizer?
■ Protection against online attacks: An anonymizer can protect you from all instances of
online pharming attacks by routing all customer Internet traffic via its protected DNS
server.
■ Bypassing IDS and firewall rules: Firewalls are typically bypassed by employees or
students accessing websites that they are not supposed to access. An anonymizer service
gets around your organization's firewall by setting up a connection between your
computer and the anonymizer service. Thus, firewalls see only the connection from your
computer to the anonymizer's web address. The anonymizer will subsequently connect
to any website (e.g., Twitter) with the help of an Internet connection and then direct the
content back to you. To your organization, your system appears to be simply connected
to the anonymizer's web address but not to the actual site that you are browsing.
In addition to protecting users' identities, anonymizers can also be used to attack a website
without being traced .
Types of Anonymizers
Anonymizers are of two basic types: networked anonymizers and single-point anonymizers.
■ Networked Anonymizers
Anonymizer tools use techniques such as SSH tunnels, VPNs, and HTTP proxies to provide access to blocked or censored content on the Internet, often with advertisements stripped out.
■ Whonix
Source: https://www.whonix.org
Whonix is a desktop OS designed for advanced security and privacy. It mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. It consists of a heavily reconfigured Debian base that is run inside multiple virtual machines, which provides a substantial layer of protection from malware and IP address leaks.
■ Psiphon Pro
Source: https://psiphon.ca
Psiphon Pro is a circumvention tool developed by Psiphon, Inc. that uses VPN, SSH, and HTTP proxy technology to provide open and uncensored access to Internet content. However, Psiphon Pro does not increase online privacy and is not an online security tool.
Features:
o Browser or VPN (whole-device) mode: one can choose whether to tunnel everything or just the web browser.
o In-app stats: These show how much traffic you have been using.
■ Tails
Source: https://tails.boum.org
Tails is a live OS that users can run on any computer from a DVD drive, USB stick, or SD card. It uses state-of-the-art cryptographic tools to encrypt files, emails, and instant messaging. It allows users (including attackers) to use the Internet anonymously and to circumvent censorship. It leaves no trace on the computer it is run from.
■ Run port scanning tools against hosts on the network to determine whether the firewall properly detects port scanning activity.
a very useful intrusion detection and prevention technology, mainly because signatures
are frequently available from public authors.
■ Keep as few ports open as possible and filter the rest, as an intruder may attempt to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135-159, 256-258, 389, 445, 1080, 1745, and 3268.
■ Block unwanted services running on the ports and update the service versions.
■ Ensure that the versions of services running on the ports are non-vulnerable.
■ Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers placed in front of the company's main firewall.
■ Attackers attempt to use source routing to send packets to targets that may not be reachable directly from the Internet, via an intermediate host that can interact with the target. Ensure that the firewall and router block such source-routing techniques.
■ Ensure that the mechanisms used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using a particular source port or source-routing methods.
■ Test the IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.
■ Ensure that anti-scanning and anti-spoofing rules are configured.
■ If a commercial firewall is in use, ensure the following:
o It is patched with the latest updates.
o It has correctly defined anti-spoofing rules.
o Its fast-mode services are unusable.
■ Ensure that TCP wrappers limit access to the network based on domain names or IP addresses.
■ Test how the network firewall and IDS handle fragmented packets using fragtest and fragroute.
■ Use proxy servers to block fragmented or malformed packets.
■ Ensure that the firewalls forward open port scans to empty hosts or honeypots to make the port-scanning task difficult and time-consuming.
■ Employ an intrusion prevention system (IPS) to identify port scan attempts and blacklist the scanning IP addresses.
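The IPS countermeasure above depends on being able to recognize a scan in the first place. The following is an added example (not part of the course material or of any product named here) showing the simplest form of that detection logic: it parses iptables-style LOG lines and raises an alert when one source hits many distinct destination ports within a short window. The log lines are constructed for the example; the field names follow the standard iptables LOG format, and the threshold and window are assumptions to be tuned per network.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# iptables LOG format: "<syslog ts> <host> kernel: [prefix] IN=... SRC=a DST=b ... PROTO=TCP SPT=n DPT=m ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d).*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for one LOG line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # year-less syslog stamp
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,  # None for ICMP etc.
    }


def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Sliding-window scan detector.

    Returns {source_ip: max number of distinct (dst, proto, port) targets the
    source touched within any window_seconds interval} for every source that
    reached `threshold`. Repeated hits on the same port do not count twice, so
    a busy but legitimate client talking to one service is not flagged.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, target) inside the window
    alerts = {}
    for ev in events:
        if ev["dpt"] is None:  # no destination port (e.g. ICMP): not a port probe
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["proto"], ev["dpt"])))
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:  # expire events that fell out of the window
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), distinct)
    return alerts


# Constructed sample log (documentation addresses, not real traffic):
#  - 203.0.113.7 sweeps 15 ports in 15 seconds (a fast scan)
#  - 198.51.100.5 repeatedly connects to 443 (legitimate client)
#  - 203.0.113.9 probes one port every five minutes (a slow scan)
SAMPLE_LOG = (
    [f"Mar 10 12:00:{i:02d} fw kernel: [fw-drop] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
     f"LEN=60 PROTO=TCP SPT=40001 DPT={20 + i} SYN" for i in range(15)]
    + [f"Mar 10 12:00:{i:02d} fw kernel: [fw-accept] IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 "
       f"LEN=60 PROTO=TCP SPT={50000 + i} DPT=443 SYN" for i in range(5)]
    + [f"Mar 10 12:{m:02d}:00 fw kernel: [fw-drop] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 "
       f"LEN=60 PROTO=TCP SPT=40002 DPT={p} SYN" for m, p in ((0, 80), (5, 443), (10, 8080))]
    + ["Mar 10 12:00:03 fw kernel: [fw-drop] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
       "LEN=84 PROTO=ICMP TYPE=8 CODE=0"]
)

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))                                   # {'203.0.113.7': 15}
    print(detect_port_scans(SAMPLE_LOG, threshold=3, window_seconds=3600))  # slow scanner too
```

With the default 10-ports-per-minute rule only the fast sweep is reported; widening the window to an hour and lowering the threshold also catches the slow scanner, at the cost of more memory per source. That trade-off is exactly what an IPS signature for port scans encodes.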
■ An open port indicates that a service is running on it. When attackers connect to an open port using banner grabbing techniques, the service may present a banner containing sensitive information such as the OS, server type, and version. Using the information gathered, the attacker identifies specific vulnerabilities to exploit and then launches attacks. The countermeasures against banner grabbing attacks are as follows:
o Display false banners to mislead or deceive attackers.
o Turn off unnecessary services on the network host to limit information disclosure.
o Use server masking tools to disable or change banner information.
o Remove unnecessary HTTP headers and response data and camouflage the server by providing false signatures. This also provides the option of eliminating file extensions such as .asp and .aspx, which clearly indicate that the site is running on a Microsoft server.
o For Apache 2.x with the mod_headers module, use a directive in the httpd.conf file to change the banner information header and set the server name to a value such as New Server Name. At minimum, set ServerTokens Prod and ServerSignature Off so that Apache reports only the product name and omits version details from error pages.
o Change the value of RemoveServerHeader from 0 to 1 in the UrlScan.ini configuration file found under C:\Windows\System32\inetsrv\urlscan. This prevents disclosure of the server version.
o Trick attackers by setting AlternateServerName to a value such as xyz or myserver.
o Disable HTTP methods such as CONNECT, PUT, DELETE, and OPTIONS on web application servers.
o Remove the X-Powered-By header with the customHeaders option in the <system.webServer> section of the web.config file.
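After applying the banner countermeasures above, a practitioner wants a repeatable check that the server no longer leaks what the list says to remove. The following added example (not from the course material) audits a raw HTTP response for a version-bearing Server header, the X-Powered-By and ASP.NET version headers, and risky methods advertised in an Allow header. Both responses are constructed for the example; the checks are the assumptions, not a standard.

```python
import re

# Headers whose mere presence discloses the application stack.
DISCLOSURE_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Methods the countermeasures list says to disable, plus TRACE (cross-site tracing).
RISKY_METHODS = {"CONNECT", "PUT", "DELETE", "OPTIONS", "TRACE"}


def parse_headers(raw_response):
    """Split a raw HTTP/1.x response into (status line, {lower-cased name: value})."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw_response):
    """Return a list of banner-disclosure findings (empty list means clean)."""
    _, headers = parse_headers(raw_response)
    findings = []
    server = headers.get("server", "")
    # "Apache/2.4.41 (Ubuntu)" leaks a version and platform; a bare "Apache" does not.
    if re.search(r"/\d", server) or "(" in server:
        findings.append(f"Server header discloses software/version: {server!r}")
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"{name} header present: {headers[name]!r}")
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    for method in sorted(allowed & RISKY_METHODS):
        findings.append(f"Risky HTTP method advertised in Allow: {method}")
    return findings


# Constructed responses: the "before" leaks everything, the "after" has been hardened.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu) PHP/7.4.3\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE, TRACE\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

if __name__ == "__main__":
    for finding in audit_headers(LEAKY_RESPONSE):
        print("LEAKY:", finding)
    print("HARDENED findings:", audit_headers(HARDENED_RESPONSE))  # []
```

Run this against the output of a real request (for example the bytes returned by an OPTIONS request captured with netcat) before and after the configuration change; an empty findings list is the pass condition.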
IP Spoofing Detection Techniques
■ Direct TTL Probes
In this technique, you initially send a packet (ping request) to the legitimate host whose address appears in the suspect packet and wait for a reply. Check whether the TTL value in the reply matches that of the packet you are checking. A genuine packet and the reply come from the same host over the same path, so both should arrive with the same TTL. Note that the initial TTL is chosen by the sending OS rather than by the protocol: the common defaults are 64 (Linux and most Unix-like systems), 128 (Windows), and 255 (some network devices and older Unix systems).
Figure 3.106: IP Spoofing detection technique: Direct TTL Probes
If the reply appears to come from a different OS (a different initial TTL), check the actual hop count to detect spoofed packets: subtract the observed TTL from the nearest common initial TTL at or above it to estimate the hop count. The packet is spoofed if the TTL (or hop count) of the reply does not match that of the packet being checked. However, if the attacker knows the hop count between the claimed source and the target, they can craft the TTL of the spoofed packet to match, in which case the test produces a false negative. This technique works when the attacker is in a different subnet from that of the victim.
Note: Normal traffic from one host can show differing TTLs depending on traffic patterns and routing.
■ IP Identification Number
Users can identify spoofed packets by monitoring the IP identification (IPID) number in the IP packet headers. On stacks that use a single global counter, the IPID increases by one for every packet the system sends. To identify whether a packet is spoofed, send a probe packet to the source IP address of the packet and observe the IPID number in the reply. The IPID value in the response must be close to, but slightly greater than, the IPID value of the suspect packet. If the IPID of the response is not close to that of the suspect packet, the source address of the packet is spoofed.
This method is effective even when both the attacker and the target are on the same subnet. Caveat: modern operating systems commonly use randomized or per-destination IPID values (and IPv4 packets with the DF bit set may carry an IPID of zero), in which case the check is inconclusive rather than negative; confirm with several probes that the claimed source actually uses an incrementing counter before relying on it.
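The TTL-probe and IPID-probe checks above reduce to a few comparisons once the packets have been captured. The following added example (not from the course material) implements both decisions over constructed observations, including the two caveats: initial TTL depends on the sending OS rather than the protocol, and the IPID test is only meaningful when the claimed source uses a global incrementing counter. The TTL table and the tolerance values are assumptions.

```python
# Common default initial TTLs (assumption: 32 old Windows, 64 Linux/Unix, 128 Windows,
# 255 network gear and older Unix). A packet can only lose TTL in transit, so the
# sender's initial TTL is the next default at or above the observed value.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError("TTL out of range")


def hop_count(observed_ttl):
    """Estimated number of routers between the sender and us."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def ttl_probe_verdict(suspect_ttl, reply_ttl):
    """Direct TTL probe.

    The reply from the claimed source should arrive with the same TTL as the
    suspect packet. A mismatch means a different OS and/or a different number
    of hops, i.e. the suspect packet was spoofed. Caveats: an attacker who knows
    the real hop count can forge a matching TTL (false negative), and asymmetric
    routing can produce a mismatch for genuine traffic (false positive).
    """
    return "consistent" if suspect_ttl == reply_ttl else "spoofed"


def classify_ipid(reply_ipids, max_step=10):
    """Classify the claimed source's IPID generator from several probe replies."""
    steps = [(b - a) % 65536 for a, b in zip(reply_ipids, reply_ipids[1:])]
    if steps and all(0 < s <= max_step for s in steps):
        return "incremental"
    return "random-or-per-destination"


def ipid_probe_verdict(suspect_ipid, reply_ipids, max_gap=100):
    """IPID probe.

    With a global incrementing IPID, the first probe reply's IPID should be
    slightly greater than the suspect packet's IPID. Stacks with randomized or
    per-destination IPIDs make the test inconclusive rather than negative.
    """
    if classify_ipid(reply_ipids) != "incremental":
        return "inconclusive"
    gap = (reply_ipids[0] - suspect_ipid) % 65536
    return "consistent" if 0 < gap <= max_gap else "spoofed"


if __name__ == "__main__":
    # Constructed observations: a suspect packet claiming 10.0.0.5 arrives with
    # TTL 58 (64 minus 6 hops); our probe reply from the real 10.0.0.5 arrives
    # with TTL 122 (128 minus 6 hops). Same hop count, different OS: spoofed.
    print(hop_count(58), hop_count(122))                   # 6 6
    print(ttl_probe_verdict(58, 122))                      # spoofed
    print(ipid_probe_verdict(998, [1000, 1001, 1003]))     # consistent
    print(ipid_probe_verdict(30000, [1000, 1001, 1003]))   # spoofed
    print(ipid_probe_verdict(998, [1000, 40000, 7]))       # inconclusive
```

The important design point is that neither verdict is final on its own: a "consistent" TTL can be forged, and "inconclusive" IPID results are the common case on current operating systems, so both checks should feed a score rather than a block decision.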
■ TCP Flow Control Method
TCP performs flow control at both the sender's and the receiver's ends using the sliding window principle. The receiver advertises, in the window size field of the TCP header, the maximum amount of data it can accept, and therefore the maximum amount of data the sender may transmit without receiving an acknowledgement. The sender must stop sending whenever the advertised window is zero.
Under normal flow control, the sender stops once the advertised window is exhausted. An attacker who spoofs the source address never receives the victim's ACK packets and therefore never sees the advertised window; such an attacker may simply keep sending data. If the victim receives data beyond the advertised window, the packets are most likely spoofed. For effective flow control and early detection of spoofing, the initial window size should be kept very small.
Most spoofing attacks occur during the handshake, because it is difficult for a blind attacker to produce multiple spoofed segments with the correct sequence numbers. Therefore, apply the flow control detection method to the handshake. In a TCP handshake, the host that sends the initial SYN waits for the SYN-ACK before sending its ACK. To check whether a SYN comes from a genuine client or a spoofed one, advertise a window size of zero in the SYN-ACK. A genuine client must then respond with a bare ACK carrying no data; if the sender returns an ACK that carries data, it did not see the zero window, which indicates that the sender is spoofed.
Figure 3.108: IP Spoofing detection technique: TCP Flow Control Method
Attackers sending spoofed TCP packets never receive the target's SYN-ACK packets and cannot react to changes in the advertised window. When received traffic continues after the window has been exhausted, the packets are most likely spoofed.
IP Spoofing Countermeasures
As described earlier, IP spoofing is a technique attackers use to break into a target network. To protect the network from external attackers, IP spoofing countermeasures should be applied in the network security settings. Some IP spoofing countermeasures are as follows:
■ Avoid Trust Relationships
Do not rely on IP-based authentication. Attackers may masquerade as trusted hosts and send malicious packets. If these packets are accepted under the assumption that they are "clean" because they appear to come from a trusted host, malicious payloads can reach the system. Therefore, validate all packets, even those that appear to originate from a trusted host. The problem can be avoided by requiring strong authentication (passwords at minimum, preferably key- or certificate-based credentials) in addition to any trust relationship based on source addresses.
■ Use Firewalls and Filtering Mechanisms
As stated above, all incoming and outgoing packets should be filtered to avoid attacks and loss of sensitive information. A firewall can stop malicious packets from entering a private network and prevent severe data loss, and access-control lists (ACLs) can be used to block unauthorized access. The possibility of an insider attack also exists: an insider can send sensitive business information to competitors, which may lead to financial and other losses. Outgoing traffic carries another risk: an attacker may succeed in installing a malicious sniffing program that runs hidden on the network, gathers network information, and sends it to the attacker without any notification. Therefore, inspection of outgoing packets must be given the same importance as that of incoming packets.
■ Use Random Initial Sequence Numbers
Many devices choose their initial sequence numbers (ISNs) from timed counters. This makes ISNs predictable, because an attacker can infer the generation scheme by sampling the ISNs of a few connections and then estimate the ISN the server will assign to the next connection. An attacker who can predict the ISN can complete a blind spoofed handshake, establish a malicious connection to the server, or hijack an existing session. To avoid this risk, use randomized ISNs.
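The reason a timed ISN counter is dangerous is that a few observed connections are enough to extrapolate the next ISN. The following added example (not from the course material) performs that extrapolation over constructed samples, so a practitioner can test a device of their own: sample the ISN of several successive connections with timestamps, and see whether the estimated increment rate is stable enough to predict the next value. The rate tolerance and the sample values are assumptions.

```python
MOD32 = 2 ** 32  # TCP sequence numbers wrap at 2^32


def analyze_isns(samples, max_spread=0.05):
    """samples: list of (time_seconds, isn) observed from successive connections.

    Estimates the ISN increment rate between consecutive samples. If every
    per-interval rate lies within max_spread of the mean, the generator behaves
    like a timed counter and the next ISN can be extrapolated. Randomized ISNs
    give wildly different rates and are reported as unpredictable.
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    rates = []
    for (t0, isn0), (t1, isn1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be strictly time-ordered")
        rates.append(((isn1 - isn0) % MOD32) / dt)
    mean = sum(rates) / len(rates)
    spread = (max(rates) - min(rates)) / mean if mean else 0.0
    if spread <= max_spread:
        return {"verdict": "predictable", "rate": mean}
    return {"verdict": "unpredictable", "rate": None}


def predict_isn(samples, rate, at_time):
    """Extrapolate the ISN a timed-counter generator will use at `at_time`."""
    t_last, isn_last = samples[-1]
    return (isn_last + round(rate * (at_time - t_last))) % MOD32


# Constructed samples: a stack whose ISN advances 250 000 per second.
TIMED_ISNS = [(0.0, 1_000_000), (0.5, 1_125_000), (1.0, 1_250_000), (1.7, 1_425_000)]
# Constructed samples from a stack with randomized ISNs.
RANDOM_ISNS = [(0.0, 0x1A2B3C4D), (0.5, 0x9F8E7D6C), (1.0, 0x00123456), (1.5, 0xDEADBEEF)]

if __name__ == "__main__":
    timed = analyze_isns(TIMED_ISNS)
    print(timed["verdict"], round(timed["rate"]))            # predictable 250000
    print(predict_isn(TIMED_ISNS, timed["rate"], 2.0))        # 1500000
    print(analyze_isns(RANDOM_ISNS)["verdict"])               # unpredictable
```

This is the same idea behind nmap's TCP ISN sequence predictability score: a device whose next ISN you can name from three previous connections has no business authenticating anything by source address.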
■ Ingress Filtering
Ingress filtering stops spoofed traffic at the point where it enters a network. It is applied on routers and firewalls, which drop packets arriving on an interface with a source address that should not appear there (for example, packets arriving from the Internet that claim an internal source address, or packets from private or reserved ranges). Configuring ACLs that drop packets whose source address lies outside the range expected on that interface is one way of implementing ingress filtering.
■ Egress Filtering
Egress filtering aims to prevent a network from becoming the source of spoofed traffic by blocking outgoing packets whose source address is not part of the network's own address space.
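The ingress and egress rules above are two halves of one policy: on the inbound side, drop anything claiming to be us or coming from an address that cannot legitimately appear on the Internet; on the outbound side, drop anything that is not us. The following added example (not from the course material) encodes that policy as a decision function and runs it over constructed packets. The site prefix 192.0.2.0/24 and the bogon list are assumptions for the example; a real deployment uses the organization's own allocations.

```python
import ipaddress

# Assumed site allocation: the only source addresses allowed to leave, and the
# addresses that must never arrive from the Internet.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Source ranges that have no business arriving on an Internet-facing interface
# (private, loopback, link-local, "this network", multicast/reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def in_any(addr, networks):
    return any(addr in net for net in networks)


def filter_packet(direction, src, dst):
    """Decide the fate of one packet crossing the perimeter.

    direction: "inbound" (arriving from the Internet) or "outbound" (leaving).
    Returns "allow" or a "drop:<reason>" string explaining which rule fired.
    """
    src_ip = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)  # validate only; destination is not policy-relevant here
    if direction == "inbound":
        if in_any(src_ip, INTERNAL_PREFIXES):
            return "drop:ingress-internal-source"   # outsider pretending to be us
        if in_any(src_ip, BOGON_PREFIXES):
            return "drop:ingress-bogon-source"      # unroutable/reserved source
        return "allow"
    if direction == "outbound":
        if not in_any(src_ip, INTERNAL_PREFIXES):
            return "drop:egress-foreign-source"     # we would be the spoofer
        return "allow"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed packets (documentation addresses).
SAMPLE_PACKETS = [
    ("inbound",  "203.0.113.9",   "192.0.2.10"),   # ordinary Internet client
    ("inbound",  "192.0.2.55",    "192.0.2.10"),   # claims our own address
    ("inbound",  "10.1.1.1",      "192.0.2.10"),   # private source from the Internet
    ("outbound", "192.0.2.20",    "203.0.113.9"),  # our host going out
    ("outbound", "198.51.100.77", "203.0.113.9"),  # infected host spoofing someone else
]


def apply_policy(packets):
    """Return [(direction, src, dst, verdict), ...] for a batch of packets."""
    return [(d, s, t, filter_packet(d, s, t)) for d, s, t in packets]


if __name__ == "__main__":
    for row in apply_policy(SAMPLE_PACKETS):
        print(row)
```

Note what egress filtering buys the rest of the Internet rather than you: the last sample packet is a compromised internal host trying to launch a reflected attack with a forged source, and the egress rule stops it at your border.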
■ Use Encryption
To maximize network security, use strong encryption for all traffic placed on the transmission media, regardless of its type and location. This is the most effective method of defeating IP spoofing. IPsec drastically reduces the risk of IP spoofing because it provides data-origin authentication, integrity, and confidentiality: a spoofed packet cannot carry a valid integrity check value, so it is dropped regardless of its source address. Encrypted sessions should be enabled on the router so that trusted hosts can communicate securely with local hosts. Attackers tend to focus on targets that are easy to compromise; faced with an authenticated, encrypted network, an attacker is likely to move on to another target or abandon the attempt. Moreover, use current, well-reviewed encryption algorithms and protocol versions rather than deprecated ones.
■ SYN Flooding Countermeasures
Countermeasures against SYN flooding attacks can also help avoid IP spoofing attacks.
■ Other IP Spoofing Countermeasures
o Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6 during development.
o Implement digital certificate authentication mechanisms such as domain and two-way (mutual) certificate verification.
o Use a secure VPN while accessing any type of public Internet service such as free Wi-Fi and hotspots.
o Employ application-specific mitigation devices such as Behemoth scrubbers for deep packet inspection at high speeds of nearly 100 million packets/s.
Scanning Detection and Prevention Tools
■ ExtraHop
Source: https://www.extrahop.com
ExtraHop provides complete visibility, real-time detection, and intelligent response to malicious network scanning. This tool allows security professionals to automatically discover and identify every device and its vulnerabilities, including unmanaged Internet of Things (IoT) devices in a network. Further, this tool allows security professionals to analyze all network interactions in real time, including all cloud transactions and SSL/TLS-encrypted traffic, to provide complete visibility inside the network perimeter. ExtraHop also assists in the auto-discovery and classification of every device in the network, using which security teams can analyze all communication.
Some of the additional scanning detection and prevention tools are listed below:
■ Splunk Enterprise Security (https://www.splunk.com)
■ Scanlogd (https://github.com)
■ Vectra Cognito Detect (https://www.vectra.ai)
■ Cynet 360 (https://www.cynet.com)
Module Summary
This module discussed how attackers determine live hosts from a range of IP addresses by sending various ping scan requests to multiple hosts. It also described how attackers apply different scanning techniques to determine open ports, services, service versions, and similar details on the target system. Furthermore, it explained how attackers perform banner grabbing or OS fingerprinting to determine the OS running on a remote target system. It also illustrated various scanning techniques that attackers can adopt to bypass IDS/firewall rules and logging mechanisms and blend in with normal network traffic. Finally, it ended with a detailed discussion of network scanning countermeasures to defend against network scanning attacks.
In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform enumeration to collect information about a target before an attack or audit.