Scanning N etw orks Module 03 Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker ScanningNetworks M o d u le 0 3 Engineered by Hackers. Presented by Professionals. CEH © E th ic a l H a c k in g a n d C o u n te r m e a s u r e s v 8 M o d u l e 0 3 : S c a n n in g N e t w o r k s E xa m 3 1 2 -5 0 M o d u le 0 3 Page 263 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker SecurityNews H one Services Company Networks Contact Oct 18 2012 S a lie n t ly S a lit y B o t n e t T r a p p e d S c a n n in g IP v 4 A d d r e s s S p a c e r The w ell known b o tn e t Sality, w hich locates vulne rab le voice-over-IP (VoIP) servers can be con trolled to fin d th e e n tire IPv4 address space w ith o u t alerting, claim ed a new study, published by Paritynews.com on O ctober 10, 2012. Sality is a piece o f m alw are whose prim ary aim is to infe ct w eb servers, disperse spam, and steal data. But the latest research disclosed o th e r purposes o f the same including r r ■ 1 1 recognizing susceptible VoIP targets, which could be used in to ll fraud attacks. Through a m ethod called "reverse-byte ord e r scanning," sality has adm inistered tow ards scanning possibly the w hole IPv4 space devoid o f being recognized. That's on ly the reason th e technique uses very less num ber o f packets th a t com e fro m various sources. The selection o f the target IP addresses is generated in re verse-byte-order increm ents. Also, th e re are large am ounts o f bots con tributin g in the scan. http://www.spamfighter.com l- l Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited. S e c u r ity N e w s N fu js S a lie n tly S a lity B o tn e t T r a p p e d S c a n n in g IP v 4 A d d r e s s S p a c e Source: h ttp ://w w w .s p a m fig h te r.c o m A sem i-fam ous b otn et, Sality, used fo r locating vulnerable vo ice ־o v e r־IP (VoIP) servers has been co ntro lle d to w a rd d e te rm in in g the e ntire IPv4 address space w ith o u t setting o ff alerts, claims a new study, published by Paritynews.com , on O ctober 10, 2012. Sality is a piece o f m alw are w ith the prim a ry aim o f infecting w eb servers, dispersing spam, and stealing data. But the latest research has disclosed o th e r purposes, including recognizing susceptible VoIP targets th a t could be used in to ll fraud attacks. Through a m ethod called "reve rse -b yte o rd e r scanning," Sality can be adm inistered to w a rd scanning possibly the w hole IPv4 space, devoid o f being recognized. That's the only reason the tech n iq ue uses a very small num ber o f packets th a t come fro m various sources. The selection o f the ta rg e t IP addresses develops in re ve rse -b yte -o rd e r in cre m e nts. Also, there are many bots co n trib u tin g in the scan. The conclusion is th a t a solitary n e tw o rk w o u ld obtain scanning packets "d ilu te d " over a huge period o f tim e (12 days in this case, fro m various M o d u le 0 3 Page 264 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker sources, U n ive rsity o f C a lifornia, San Diego (UCSD), claim ed one o f the researchers, A listair King, as published by Softpedia.com on O ctober 9, 2012). According to A lb e rto D a in o tti, it's n ot th a t this stealth-scanning m ethod is exceptional, b ut it's the firs t tim e th a t such a happening has been both noticed and docum ented, as re p orte d by Darkreading.com on O ctober 4, 2012. M any o th e r experts hold fa ith th a t this m anner has been accepted by o th e r botnets. Nevertheless, the team at UCSD is n ot aware o f any data verifying any event like this one. According to David P iscitello, Senior Security Technologist at ICANN, this indeed seems to be the firs t tim e th a t researchers have recognized a b o tn e t th a t utilizes this scanning m ethod by em ploying reverse-byte sequential increm ents o f ta rg e t IP addresses. The b o tn e t use classy "o rc h e s tra tio n " m ethods to evade d e te ctio n . It can be sim ply stated th a t the b o tn e t o p e ra to r categorized the scans at around 3 m illio n bots fo r scanning the fu ll IPv4 address space throu g h a scanning p atte rn th a t disperses coverage and p artly covers, b ut is unable to be noticed by present a u to m a tio n , as published by darkreading.com on O ctober 4, 2012. Copyright © S P A M fig h te r 2 0 03 -201 2 h ttp ://w w w .s p a m fig h te r.c o m /N e w s -1 7 9 9 3 -S a lie r1 tlv -S a litv -B o tn e t-T ra p p e d -S c a n n in g -IP v 4 A dd ress-S p ace .h tm M o d u le 0 3 Page 265 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Module Objectives CEH J Overview o f N etw ork Scanning J Use o f Proxies fo r Attack J CEH Scanning M ethodology J Proxy Chaining J Checking fo r Live Systems J HTTP Tunneling Techniques J Scanning Techniques J SSH Tunneling J IDS Evasion Techniques J Anonymizers J Banner Grabbing J IP Spoofing Detection Techniques J Vulnerability Scanning J Scanning Countermeasures J Drawing N etw ork Diagrams J Scanning Pen Testing ^ Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited. M o d u le O b je c tiv e s Once an a ttacker id e ntifies h is/h e r ta rg e t system and does the in itia l reconnaissance, as discussed in the fo o tp rin tin g and reconnaissance m odule, the a ttacker concentrates on g ettin g a m ode o f e n try into the ta rg e t system . It should be noted th a t scanning is n ot lim ited to in tru sion alone. It can be an extended fo rm o f reconnaissance w here the a tta cke r learns m ore about h is/h e r target, such as w h a t operating system is used, the services th a t are being run on th e systems, and c o n fig u ra tio n lapses if any can be id e n tifie d . The a tta cke r can then strategize h is/h e r attack, facto rin g in these aspects. This m odule w ill fam iliarize you w ith : 0 O verview o f N e tw o rk Scanning 0 Use o f Proxies fo r A ttack 0 CEH Scanning M e tho d olog y 0 Proxy Chaining 0 Checking fo r Live Systems 0 HTTP Tunneling Techniques 0 Scanning Techniques 0 SSH Tunneling 0 IDS Evasion Techniques 0 Anonym izers 0 Banner Grabbing 0 IP Spoofing D etection Techniques 0 V u ln e ra b ility Scanning 0 Scanning Counterm easures 0 Drawing N e tw o rk Diagrams 0 Scanning Pen Testing M o d u le 0 3 Page 2 66 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker OverviewofNetworkScanning CEH (•rtift•* N e tw o rk scanning refers to a set o f ttkujl lUckM Sends TCP procedures fo r id e n tify in g hosts, p o rts, and /IP p ro b e s services in a n e tw o rk G e ts n e tw o r k N e tw o rk scanning is one o f th e c o m p o n e n ts o f in te llig e n c e g a th e rin g an a tta cker uses to create a p ro file o f th e ta rg e t organization S & in fo r m a tio n A ttacker O b je c tiv e s o f N e t w o r k S c a n n in g To discover live hosts, To discover operating To discover services To discover IP address, and open po rts o f live hosts systems and system architecture ru nning on hosts vu ln e ra b ilitie s in live hosts O v e r v ie w o f N e t w o r k S c a n n in g As we already discussed, fo o tp rin tin g is the firs t phase o f hacking in w hich the a ttacker gains in fo rm a tio n about a p ote n tia l target. F ootp rin tin g alone is n ot enough fo r hacking because here you w ill gather only the prim a ry in fo rm a tio n about the targe t. You can use this prim a ry in fo rm a tio n in th e next phase to gather many m ore details abo u t the target. The process o f g a th e rin g a d d itio n a l d etails about the ta rg e t using highly com plex and aggressive reconnaissance techniques is called scanning. The idea is to discover e x p lo ita b le c o m m u n ica tio n channels, to probe as many listeners as possible, and to keep track o f th e ones th a t are responsive o r useful fo r hacking. In the scanning phase, you can fin d various ways o f in tru d in g in to th e ta rg e t system. You can also discover m ore about the ta rg e t system , such as w h a t o p e ra tin g system is used, w h a t services are ru n nin g , and w h e th e r or n ot th e re are any co n fig u ra tio n lapses in the ta rg e t system. Based on the facts th a t you gather, you can fo rm a strategy to launch an attack. Types o f Scanning 9 P ort scanning - Open ports and services e N e tw o rk scanning - IP addresses 6 V u ln e ra b ility scanning - Presence o f know n weaknesses M o d u le 0 3 Page 267 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker In a tra d itio n a l sense, the access p oints th a t a th ie f looks fo r are the doors and w indow s. These are usually the house's points o f vu ln e ra b ility because o f th e ir re la tively easy accessibility. W hen it comes to co m p u te r systems and netw orks, p o rts are the doors and w indow s o f the system th a t an in tru d e r uses to gain access. The m ore the ports are open, the m ore points o f vu ln e ra b ility, and the fe w e r the ports open, th e m ore secure the system is. This is sim ply a general rule. In some cases, the level o f vu ln e ra b ility may be high even though fe w ports are open. N e tw o rk scanning is one o f the m ost im p o rta n t phases o f intelligence gathering. During the n e tw o rk scanning process, you can gather in fo rm a tio n abo u t specific IP addresses th a t can be accessed over the Inte rn e t, th e ir targets' operating systems, system a rch itectu re , and the services running on each co m puter. In a dd ition, the a ttacker also gathers details about the netw orks and th e ir individual host systems. Sends TCP /IP probes Gets netw o rk & נ inform a tion Network Attacker FIGURE 3.1: N e tw o rk Scanning Diagram O b je c tiv e s o f N e tw o r k S c a n n in g If you have a large a m o un t o f in fo rm a tio n abo u t a ta rg e t o rg an iza tion , th e re are greater chances fo r you to learn the w eakness and lo o ph o les o f th a t p articula r organization, and consequently, fo r gaining unauthorized access to th e ir netw ork. Before launching the attack, the a ttacker observes and analyzes the ta rg e t n e tw o rk fro m d iffe re n t perspectives by p erfo rm ing d iffe re n t types o f reconnaissance. How to p erform scanning and w h a t type o f in fo rm a tio n to be achieved during the scanning process e n tire ly depends on the hacker's v ie w p o in t. There may be many objectives fo r p erfo rm ing scanning, b ut here we w ill discuss the m ost com m on objectives th a t are encountered during the hacking phase: © D iscovering live hosts, IP address, and open p orts o f live hosts ru n n in g on th e n e tw o rk . © D iscovering open p o rts: Open ports are the best means to break in to a system or n etw o rk. You can fin d easy ways to break into the ta rg e t organization's n e tw o rk by discovering open ports on its netw ork. D iscovering o p e ra tin g system s and system a rch ite ctu re o f th e ta rg e te d system : This is also referred to as fin g e rp rin tin g . Here the a ttacker w ill try to launch th e attack based on the operating system 's vulnerabilities. M o d u le 0 3 Page 268 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker 9 Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats. 9 Detecting the associated network service of each port M o d u le 0 3 Page 269 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Gi Exam 3 1 2 -5 0 C ertified Ethical H acker HHH □ שם Check for Live Systems ן,.✓ Check for Open Ports n ■ “ hi Scan for Vulnerability C E H Scanning Beyond IDS n L 1^■ Banner Grabbing W ₪m, U r — י Draw N e tw o rk. Diagrams Prepare Proxies wJ Scanning Pen Testing S c a n n in g M e t h o d o lo g y The firs t step in scanning the n e tw o rk is to check fo r live systems. Scan for Vulnerability Check fo r Live Systems ft Check for Open Ports Scanning Beyond IDS Banner Grabbing r Q O 1 Draw Network Diagrams Prepare Proxies Scanning Pen Testing This section highlights how to check fo r live systems w ith the help o f ICMP scanning, how to ping a system and various ping sweep tools. M o d u le 0 3 Page 2 70 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker CheckingforLiveSystemsICMPScanning CEH J Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply J This scan is useful for locating active devices or determining if ICMP is passing through a firewall t o M ICMP Echo Request ICMP Echo Reply Source (192.168.168.3) D e stin a tio n (192.168.168.5) T h e ping s c a n output u sin g Nm ap: Zenmap Sc!n l o o Is Target. P 'c fK 192166.168.5 Command: Hosts Profile Ping »c«n |n rr*p •wi 192.168.168.3 Service! Host * Nmap 0utp14 Pciti ׳H oiti Topology H ojI Detail! 1 192.16S. 168.1 192.168.1663 192.168.1685 Scans ד־פ nmap ■jn 192.168.163.5 S t a r t i n g fJTap 6 .0 1 ( h t t p : / / n r o p . o r g ) a t 2 0 1 2 - 0 8 08 1 3 :0 2 EOT Swap scan re p o rt fo r 192.168.168.5 i s up ( 0 .0 0 5 l a t e n c y ) . MAC f l d d r e t t : ( D e l l) M!ap do ng : 1 IP ad dre ss (1 h o s t up ) scanned i n 0 .1 0 se co rd s most 192.168.166.1S ו־ ר ד^־י־ו Piter Hosts http://nmap.org Copyright © by H H rW B C il. All Rights Reserved. Reproduction is S trictly Prohibited. C h e c k in g f o r L iv e S y s te m s ־IC M P S c a n n in g ICMP Scanning All required in fo rm a tio n about a system can be gathered by sending ICMP packets to it. Since ICMP does n ot have a p o rt abstraction, this cannot be considered a case o f p o rt scanning. However, it is useful to d ete rm ine w hich hosts in a n e tw o rk are up by pinging the m all (the -P o ptio n does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase the n um ber o f pings in parallel w ith the -L o ptio n . It can also be helpful to tw e ak the ping tim e o u t value w ith the -T option. ICMP Q uery The UNIX to o l IC M P query o r ICMPush can be used to request the tim e on the system (to find o u t w hich tim e zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The netm ask on a p articula r system can also be d ete rm ine d w ith ICMP type 17 messages (ADDRESS MARK REQUEST). A fte r fin d in g th e netm ask o f a n e tw o rk card, one can d ete rm ine all the subnets in use. A fte r gaining in fo rm a tio n about th e subnets, one can ta rg e t only one p articula r subnet and avoid h ittin g the broadcast addresses. ICMPquery has both a tim e sta m p and address mask request o ptio n : icmp query <-query-> [-B] [-f fro m h o s t] [־d delay] [-T tim e ] targe t M o d u le 0 3 Page 271 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker W here <query> is one of: -t: icm p tim e sta m p request (default) -m : icm p address mask request -d: delay to sleep betw een packets is in microseconds. -T - specifies the n um ber o f seconds to w a it fo r a host to respond. The d e fa u lt is 5. A ta rg e t is a list o f hostnam es or addresses. *iJN:::::::::::::ft::::::::::::: ICMP Echo Request /* V V ־ / ICMP Echo Reply Source (192.168.168.3) Destination (192.168.168.5) FIGURE 3.2: ICMP Q u e ry Diagram Ping Scan O u tp u t Using Nm ap Source: h ttp ://n m a p .o rg Nm ap is a to o l th a t can be used fo r ping scans, also know n as host discovery. Using this to o l you can d ete rm ine the live hosts on a n etw o rk. It perform s ping scans by sending the ICMP ECHO requests to all the hosts on the n etw o rk. If the host is live, then the host sends an ICMP ECHO reply. This scan is useful fo r locating active devices or d e te rm in in g if ICMP is passing throu g h a fire w a ll. The fo llo w in g screenshot shows the sample o u tp u t o f a ping scan using Zenm ap, the official cross-platform GUI fo r the Nmap Security Scanner: Zenmap Scan Jo o ls Target Profile Help 192.168.168.5 Command: Hosts v I Profile: Ping scan v :Scan! Cancel |nm ap -sn 192.168.168.51 Services OS < Host IM 192.168.168.1 I•* 192.168.168.3 *" 192.168.168.5 tM 192.168.168.13 .. v ------- —------ -----------------1 Filter Hosts Nmap Output Ports/H osts Topology Host Details Scans nmap -sn 192.168.168.5 V Details S t a r t i n g Nmap 6 .0 1 ( h t t p : / / n 1r a p .o r g ) a t 2 0 1 2 -08-08 ■a? Nmap sc a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .5 H ost i s up ( 0 .0 6 s l a t e n c y ) . MAC A d d re ss: ( D e ll) Nmap done: 1 IP a d d re s s (1 h o s t up) sc a n n ed in 0 .1 0 sec o n d s FIGURE 3.3: Zenm ap S how ing Ping Scan O u tp u t M o d u le 0 3 Page 272 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker PingSweep CEH J Ping sweep is used to determ ine the live hosts from a range of IP addresses by sending ICMP ECHO requests to m ultiple hosts. If a host is live, it w ill return an ICMP ECHO reply J Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet _l Attackers then use ping sweep to create an inventory o f live systems in the subnet a a T h e p in g s w e e p o u t p u t u s in g N m a p lo o ts T*fqcc N * H e lp ’92.l6a.16S.l-S0 C o m m an d H o jb “3 ICM P Echo Request v P ro file *I S c irt C anct 192.168.168.5 | ״m 8 p ג ו וP f PA21,23.9Q,J389192.168.168.1-501 k n x ei 19e.166.16a.1j 1 v .1 t t.1 tt .1 4 V I ttlttlttlS y 1 9 2 16s.16a.17 » 1 9 2 . It t I t t 1 9 * 1 9 2 .1 6 8 . 1 6 8 2 6 » I 9 ilttltt2 3 S [0 ** .001 v uM 192!.1 .168^.16 8.6 ICM P Echo Reply ( 1& 1 6 6 . 1 & ) * 0 S t a r t l r a N » « 6 .0 1 h t t p : / / r o u p , o r g ) a t 2012 01 01 1 2 :4 1 to r * tu p ! c a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .1 H o s t i s u s ( 0. 00) l a t e n c y ) . * W I A g f llC n . ( ״H e « le t! - P a c k a r d C o m p an y ) “* * • p * c a n r e p o r t f o r 1 9 2 . 1 6 * . 1 6 • . 5 fto v t I t u p ( t . M i l a t e n c y ) . *AC W r t t t ; (A p p le ) w p s c a n r e p o r t *or 1 9 2 . 1 6 8 . 1 6 8 . ל ► to s t i s u p ( 0 . 0 0 1 0 s l a t e n c y ) . HA( A d d re ss: (D e ll) f * 1a p s c a n r e p o r t f o r 1 9 2 . 1 6 8 . 1 6 8 . 1 3 M o » t i* u p < 8 latency). «A C A d d re w : » (F o x c o n n l s n a p s c a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .1 4 אזI t t 168 3 •» ICM P Echo Request N ׳n < * p O u t p u t P o r t ( / HoUi | T o p o l o g y H o t ! D e t a i l * S c a n t n m a p w P E PA21.2J.80l3 3 8 9 192.168.168.1•*0 OS 4 Ho* * W i t t 16S. 1 * יי I n i , — Zenmap Sen a ICM P Echo Request Source 192.168.168.3 M l 192.168.168.7 IC M P Echo Reply ICM P Echo Request F * « H o s ts » 192.168.168.8 http://nmap. org Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited. P in g S w eep A ping sweep (also know n as an ICMP sweep) is a basic n e tw o rk scanning technique to d ete rm ine w hich range o f IP addresses map to live hosts (com puters). W hile a single ping tells th e user w h e th e r one specified host co m p u te r exists on the n etw o rk, a ping sweep consists o f ICMP ECHO requests sent to m u ltip le hosts. ICMP ECHO Reply If a host is active, it returns an ICMP ECHO reply. Ping sweeps are am ong the oldest and slowest m ethods to scan a n etw o rk. This u tility is d istrib u te d across alm ost all platform s, and acts like a roll call fo r systems; a system th a t is live on the n e tw o rk answers the ping query th a t is sent by a no th e r system. M o d u le 0 3 Page 273 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ICMP Echo Request 1 9 2 .1 6 8 .1 6 8 .5 ICMP Echo Request a < ICMP Echo Reply 1 9 2 .1 6 8 .1 6 8 .6 ICMP Echo Request Source > W 1 9 2 .1 6 8 .1 6 8 .7 1 9 2 .1 6 8 .1 6 8 .3 < ICMP Echo ICMP Echo Request 1 9 2 .1 6 8 .1 6 8 .8 FIGURE 3.4: Ping Sweep Diagram TCP/IP Packet To understand ping, you should be able to understand the TCP/IP packet. W hen a system pings, a single packet is sent across th e n e tw o rk to a specific IP address. This packet contains 64 bytes, i.e., 56 data bytes and 8 bytes o f p rotocol header in fo rm a tio n . The sender then w aits fo r a re tu rn packet fro m the ta rg e t system. A good re tu rn packet is expected only w hen the connections are good and when the targe te d system is active. Ping also determ ines the num ber o f hops th a t lie betw een the tw o co m puters and the ro u n d -trip tim e , i.e., the to ta l tim e taken by a packet fo r co m p letin g a trip . Ping can also be used fo r resolving host names. In this case, if the packet bounces back w hen sent to th e IP address, b ut not w hen sent to the name, then it is an indication th a t the system is unable to resolve the name to the specific IP address. Source: h ttp ://n m a p .o rg Using Nm ap S ecurity Scanner you can p erfo rm ping sweep. Ping sweep determ ines the IP addresses o f live hosts. This provides in fo rm a tio n abo u t the live host IP addresses as w ell as th e ir MAC address. It allows you to scan m u ltip le hosts at a tim e and d ete rm ine active hosts on the n etw o rk. The fo llo w in g screenshot shows the result o f a ping sweep using Zenmap, the official cross-platform GUI fo r the Nmap Security Scanner: M o d u le 0 3 Page 274 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Zenmap Sc!n Joolt Erofik {jdp 192.168. 168. 1-50 Target "v] Proffe Scan Cancel % Details 11 Command |nmap -sn -PE •PA21,23,80. 3389192.168.168.1- 5( Hosts Sernces OS « Host * 192. 168. 168.1 * 192.168.168.3 Nmap Output Ports /Hosts Topology Host Details Scans A S tarting Mrap 192.168. 168.13 192. 168.168.14 192. 168.168.15 192. 168. 168.17 fti 192.168.168.19 * 192. 168.168-26 * 192. 168.16828 Filter Hosts 6.01 ( http://nmap.org ) at 2012- 08-08 12:41 <■ 192.168.168.5 * nmap -sn •PE-PA21.23.80.3389 192. 168. 168.1-50 v Map scan report fo r 192. 168. 168.1 Host is up ( 0. 00s latency). *AC Address; I (Hewlett-Packard Co«pany) f*rap scan report fo r 192. 168. 168.3 Host is up ( 0. 00s latency). *AC A d d rm i * (Apple) Nnap scan report for 192. 168. 168.5 Host is up ( 0 . 0010s latency). MAC Address; - • (D e ll) Nnap scan report fo r 192. 168. 168.13 Host is up ( 0 . 00s latency). MAC Address: • • (Foxconn) N*ap scan report fo r 192. 168. 168.14 Host is up ( 0 . 0020s latency). v FIGURE 3.5: Zenm ap show ing ping sweep o u tp u t M o d u le 0 3 Page 275 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker PingSweepTools SolarWinds Engineer Toolset's Ping Sweep enables scanning a range o f IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup. Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determ ines the MAC address, scans ports, etc. o IP Range Angry IP Scanner to K.0J.S) M0*wme VWNUQN3WR1RW © 1 :0 :1 £ 1 0 0 cj Q io a u f ti o a c j Q10&&S C H o a tt ©100C7 fh o ac j ®MOOC9 Qr-at 0.11 .11 10 CH ac •1 0 a a; Chocu # ac.u #100£1י &1COC.U ® M o atr C h o a tu f h o a c .» ם x JoeU H»lp S'** *Rjr* * 1C011 9 ״ CEH f» י״י׳9 1m Cm lm h/»l 4n h/•! 1m K»l KH K!»׳ [l»Pjnje Uctmiifc v Hcarwrc /11 HnOcwit v * SUrt M Pcm1i00c-1 80 •0US.1 1JX In)•׳ 1JH H M U In In MM Mtt£lCMM1 In/•! <VIS IXQN5WOR9M HV•! ln/1) In!•׳ h/1l O?m m |V*I Kv.| K»1 h/»l !*/•I K«l 1 In/•! In/•! In/•) In!•׳׳ I׳V»| In/•! In!•׳ In/1l In/•! In!•׳ AJI *•׳<״״ !•׳ |n !•׳ |nfe| In!•׳ !•׳ייו In'•! In•! |n •! In!•׳ In!•׳ |n |«׳ In•! I" •!____________________ v | Th0*»«*״ Angry IP Scanner http://www.angryip.org Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited. P in g S w e e p T o o ls D eterm ining live hosts on a ta rg e t n e tw o rk is the firs t step in the process o f hacking o r breaking in to a n etw o rk. This can be done using ping sweep tools. There are a num ber o f ping sweep tools readily available in the m arket using w hich you can p erfo rm ping sweeps easily. These tools a llow you to d ete rm ine the live hosts by sending ICMP ECHO requests to m u ltip le hosts at a tim e . A ngry IP Scanner and S olarw inds Engineer's Toolset are a fe w co m m only used ping sweep tools. A n g r y /j IP S c a n n e r Source: h ttp ://w w w .a n g ry ip .o rg Angry IP Scanner is an IP scanner to o l. This to o l id e ntifie s all non-responsive addresses as dead nodes, and resolves hostnam e details, and checks fo r open ports. The main fe a tu re o f this to o l is m u ltip le ports scanning, configuring scanning colum ns. Its main goal is to fin d th e active hosts in the n e tw o rk by scanning all the IP addresses as w ell as ports. It runs on Linux, W indow s, Mac OS X, etc. It can scan IP addresses ranging fro m 1.1.1.1 to 255.255.255.255. M o d u le 0 3 Page 276 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker IP Range - Angry IP Scanner Scan £0 י° Commands Favorites IP Range | 10.0.0.1 loots Help | to | 10.0.0.50 Hostname | WIN-LXQN3WR3R9I IP Ping 1 ms Oms Oms [n/a] 4 ms [n/a] 1 ms [n/a] €>10.0.0.1 010.0.0.2 @10.0.0.3 #10.0.0.4 €>10.0.0.5 © 10.0.0.6 €)10.0.0.7 C m 0.0.0.8 €> 10.0.0.9 #10.0.0.10 #10.0.0.11 # 10.0.0.12 #10.0.0.13 # I0.0.0.M #10.0.0.15 #10.0.0.16 # 10.0.0.17 #10.0.0.18 #10.0.0.19 | | IF Range # IP I | Netmask r J v א C+ Start i| Hostname [n'a] W1N-MSS£LCK4IC41 WindowsS Ports [2000•.] 80 80.135.139.4... 135,139,445,... [n/a] 135,139,445,... |n/a] W1N-LXQN3WR3R9M [n/a] 80.135 [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] 627 ms [n/a] In /,] [n/a] [n/a] [n/a] In^a] l"/a] [n/a] [n/a] ln /» ]»׳/•[ [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] [n/a] |n/a] [n/a] [n/a] In'*] In/a] Ready = Display: All v 1 Threads; 0 1 FIGURE 3.6: A ngry IP Scanner Screenshot S o la r w in d s E n g in e e r ’ s T o o ls e t Source: h ttp ://w w w .s o la rw in d s .c o m The Solarwinds Engineer's Toolset is a collection o f n e tw o rk e ngineer's to o ls. By using this to o ls e t you can scan a range o f IP addresses and can id e n tify the IP addresses th a t are in use c u rre n tly and the IP addresses th a t are free. It also perform s reverse DNS lo o kup . Ping Sweep EHe E d it S t a r t i n g I P A d d r e s s 11 9 2 .1 6 8 .1 £ 8 1 0 F n r im g IP A H r im t t ^ I (1 9 2 1 8 8 1 6 8 95( | S ra n F « 10 R equest T m e d O ut 1 9 2 1 6 6 1 6 6 11 R equest T m e d O ut IM |A l I P t R esponse Tm e fp A d d r e s s 192 I M u o o H e lp S ran R equest T m e d O ut 192 166 166 12 ^ 1 9 2 1 6 6 1 6 6 13 192 1 6 6 1 6 6 14 A DNS Lookup = R equO St T m e d O u t ^ 3 me 192 16 6 1 6 8 1 6 _{י R eauest T m e d O ut 192 1 6 6 .1 6 6 1 7 192 166 1 6 6 .1 6 # 192 1 6 6 1 6 6 1 5 R eoues! T m ed O at ^■ייי R ecues! T m ed O ul , t 192 166 166 19 R equest T m ed O ul 192 166 166 2 0 R equest T m e d O ut 1 9 2 1 6 6 166 .2 1 R equest T m e d O ut 1 9 2 1 6 6 1 6 6 .2 2 R equest T m e d O ut 192 16 6 166 2 3 R e q u e s t T im e d O u t 192 166 166 24 » I J I R equest T m e d O ut 192 166 166 2 5 R equest T m e d O ut 192 166 166 26 2 ms 1 9 2 166 1 6 6 .2 7 _ * V * “" 192 1 6 6 1 6 6 .2 6 192 166 166 2 9 N R equest T m e d O ut 2 ms R equest T m e d O yt 1 9 2 1 6 6 166 30 3 me 1 9 2 1 6 6 1 6 6 31 3 ms 192 166 166 32 2 ms ׳י III <1 S c a n C o m p l ie d S can > DNS h r 90 FIGURE 3.7: Solarw inds Engineer's T oolset Screenshot M o d u le 0 3 Page 277 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker PingSweepTools CEH (C o n t’d) ^ C o la so ft Ping Tool PacketTrap MSP h ttp ://w w w . colasoft. com http ://w w w .pa ckettra p .co m V isu a l Ping T ester - S ta n d a rd f Ping S w eep h ttp://w w w .w hatsupgold.com h ttp ://w w w .p in g te ste r.n e t Ping S canner Pro N e tw o rk Ping http://w w w .digilextechnoiogies.com h ttp://w w w .greenline-soft.com ז U ltra Ping Pro h ttp ://u ltra p in g . webs.com S® * Ping M o n ito r h ttp ://w w w .n ilia n d . com P in g ln fo V ie w P in kie h ttp ://w w w .n irs o ft.n e t h ttp ://w w w .ip u p tim e .n e t Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is S trictly Prohibited. jf S S S u P in g S w e e p T o o ls ( C o n t’ d ) r - In a dd itio n to Solarwinds Engineer's Toolset and Angry IP Scanner, th e re are many o th e r tools th a t fea tu re ping sweep capabilities. For exam ple: 9 Colasoft Ping Tool available at h ttp ://w w w .c o la s o ft.c o m 9 Visual Ping Tester - Standarad available at h ttp ://w w w .p in g te s te r.n e t 9 Ping Scanner Pro available at h ttp ://w w w .d ig ile xte ch n o lo g ie s.co m 9 Ultra Ping Pro available at h ttp ://u ltra p in g .w e b s .c o m 9 P inglnfoView available at h ttp ://w w w .n irs o ft.n e t 9 PacketTrap MSP available at http://www.packettrap.com 9 Ping Sweep available at h ttp ://w w w .w h a ts u p g o ld .c o m 9 N e tw o rk Ping available at h ttp ://w w w .g re e n lin e -s o ft.c o m 9 Ping M o n ito r available at h ttp ://w w w .n ilia n d .c o m 9 Pinkie available at h ttp ://w w w .ip u p tim e .n e t M o d u le 0 3 Page 278 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s *-— 1 Exam 3 1 2 -5 0 C ertified Ethical H acker So fa r we discussed how to check fo r live systems. Open ports are the doorw ays fo r an attacker to launch attacks on systems. Now we w ill discuss scanning fo r open ports. Check for Live Systems life Scan for Vulnerability r Check fo r Open Ports Scanning Beyond IDS O Q יז־^־ל Banner Grabbing Draw Network Diagrams Prepare Proxies Scanning Pen Testing This section covers the th re e -w a y handshake, scanning IPv6 netw orks, and various scanning techniques such as FIN scan, SYN scan, and so on. M o d u le 0 3 Page 279 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker CEH Three-WayHandshake (•rtifwd itkitjl TCP uses a th re e-w ay handshake to establish a connection between server and client T hre e-w ay H a n d sh a k e P ro c e s s 1. The Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet w ith only the SYN flag set 2. The server replies w ith a packet w ith both the SYN and the ACK flag set 3. For the final step, the client responds back to the server w ith a single ACK packet 4. If these three steps are com pleted w ithou t com plication, then a TCP connection is established between the client and the server Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited. T h re e -W a y H a n d s h a k e TCP is co n n e c tio n -o rie n te d , w hich im plies connection establishm ent is principal p rio r to data tra n sfe r betw een applications. This connection is possible throu g h the process o f the th re e -w a y handshake. The th re e -w a y handshake is im p le m e n te d fo r establishing the co nn e ction b etw e e n p ro to co ls. The three-way handshake process goes as follows: 9 To launch a TCP conn e ction , the source (10.0.0.2:62000) sends a SYN packet to the d estination (10.0.0.3:21). 9 The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a SYN/ACK packet back to the source. 9 This ACK packet confirm s the arrival o f the firs t SYN packet to the source. 9 In conclusion, the source sends an ACK packet fo r the ACK/SYN packet sent by the destination. 9 This triggers an "OPEN" connection allow ing com m unication betw een the source and the d estination, u ntil e ith e r o f the m issues a "FIN" packet or a "RST" packet to close the connection. M o d u le 0 3 Page 2 80 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker The TCP p ro to co l m aintains state ful connections fo r all co nn e ctio n -o rie n te d protocols across the Inte rn e t, and w orks the same as an o rd ina ry te lep h on e co m m unication, in w hich one picks up a telep h on e receiver, hears a dial tone, and dials a num ber th a t triggers ringing at the o th e r end u ntil a person picks up the receiver and says, "H e llo ." Bill Three-way Handshake 1 0 . 0 . 0 . 2 : 6 2 0 0 0 ^ ־.................. י י............... Sheela 1 0 .0 .0 .3 :2 1 ........ ..* ״ IrVC C lient S erver FIGURE 3.8: Three-way Handshake Process E s ta b lis h in g a T C P C o n n e c tio n As we previously discussed, a TCP connection is established based on the three -w ay hand shake m ethod. It is clear fro m the name o f the connection m ethod th a t the establishm ent o f the connection is accom plished in th re e m ain steps. Source: h ttp ://s u p p o rt.m ic ro s o ft.c o m /k b /1 7 2 9 8 3 The fo llo w in g th re e fram es w ill explain the e stablishm ent o f a TCP connection betw een nodes NTW3 and BDC3: Frame 1: In the firs t step, the client, NTW3, sends a SYN segm ent (TCP ....S.). This is a request to the server to synchronize the sequence num bers. It specifies its Initial Sequence N um ber (ISN), w hich is increm ented by 1 and th a t is sent to the server. To initialize a connection, the client and server m ust synchronize each o th e r's sequence num bers. There is also an o p tio n fo r the M o d u le 0 3 Page 281 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker M axim um Segment Size (MSS) to be set, w hich is defined by the length (len: 4), this o ptio n com m unicates th e m axim um segm ent size the sender w ants to receive. The A cknow ledgem ent fie ld (ack: 0) is set to zero because this is th e firs t part o f the th re e -w a y handshake. 1 2 .0 7 8 5 NTW3 - - > BDC3 TCP ___ S ., le n : 4, se q : 8221822-8221825, a c k : 0, win: 8192, src: 1037 dst: 139 (NBT Session) NTW 3- > BDC3 IP TCP: ....S ., d s t: 139 le n : 4, se q: 8221822-8221825, a c k : 0, w in : 8192, s rc : 1037 (NBT S e s s io n ) TCP: S ource P o r t = 0x040D TCP: D e s t in a t io n P o r t = NETBIOS S e s s io n S TCP: Sequence Number = 8221822 (0x7D747E) TCP: A cknow ledgem ent Number = 0 (0x0) TCP: Data O f f s e t = 24 (0x18) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x02 : . . . . S. TCP: . . 0 ........ = No u r g e n t d a ta TCP: . . . 0 . . . . = A cknow ledgem ent f i e l d TCP: ....0 ... n o t s ig n if ic a n t = No Push f u n c t io n ......... 0 . . = No R eset TCP: 1 . = S y n c h ro n iz e sequence numbers . TCP: TCP: ............................ 0 = No F in TCP: Window = 8192 (0x2000) TCP: Checksum = 0xF213 TCP: U rg e n t P o in t e r = 0 (0x0) TCP: O p tio n s TCP: O p tio n K in d (Maximum Segment S iz e ) = 2 (0x2) TCP: O p tio n L e n g th = 4 (0x4) TCP: O p tio n V a lu e = 1460 (0x5B4) TCP: Frame P ad d in g 00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C l 08 00 45 00 . ' ......... ' . ; ------- E . 00010: 00 2C 0D 01 40 00 80 06 E l 4B 83 6B 02 D6 83 6B . , . . 0 ___ K .k . . .k 00020: 02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 .............. } t ~ ------- ' . 00030: 20 00 F2 13 00 00 02 04 05 B4 20 20 M o d u le 0 3 Page 282 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Frame 2: In the second step, the server, BDC3, sends an ACK and a SYN on this segm ent (TCP .A..S.). In this segm ent the server is acknow ledging the request o f the clie n t fo r synchronization. A t the same tim e , the server is also sending its request to the clie n t fo r synchronization o f its sequence num bers. There is one m ajor d ifference in this segm ent. The server transm its an acknow ledgem ent n um ber (8221823) to the client. The acknow ledgem ent is ju st p ro o f to the clie n t th a t the ACK is specific to the SYN the client in itia te d . The process o f acknow ledging the client's request allows th e server to in cre m e nt the client's sequence num ber by one and uses it as its acknow ledgem ent num ber. 2 2 .0 7 8 6 BDC3 — > NTW3 8221823, w in : 8760, TCP . A . . S . , s rc : TCP: .A ..S ., le n : s rc : 139 (NBT S e s s io n ) TCP: S ource P o r t = 139 le n : 4, se q : (NBT S e s s io n ) 4, se q: d s t: d s t: 1109645-1109648, a c k : 1037 BDC3 - - > NTW3 1109645-1109648, a c k : 8221823, w in : IP 8760, 1037 NETBIOS S e s s io n S e rv ic e TCP: D e s t in a t io n P o r t = 0x040D TCP: Sequence Number = 1109645 (0xl0EE8D) TCP: A cknow ledgem ent Number = 8221823 (0x7D747F) TCP: D ata O f f s e t = 24 (0x18) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x12 : .A .. S . TCP: . . 0 .......... = TCP: ...1 .... = TCP: . . . . 0 . . . = No Push f u n c t io n TCP: ......... 0 . . = No R eset TCP: ..............1. = S y n c h ro n iz e TCP: ................0 = No F in TCP: Window = 8760 No u r g e n t d a ta A cknow ledgem ent f i e l d s ig n if ic a n t sequence numbers (0x2238) TCP: Checksum = 0x012D TCP: U rg e n t P o in t e r = 0 (0x0) TCP: O p tio n s TCP: O p tio n K in d (Maximum Segment S iz e ) = 2 (0x2) TCP: O p tio n L e n g th = 4 (0x4) TCP: O p tio n V a lu e = 1460 (0x5B4) TCP: Frame P adding 00000 02 60 8C 3B 85 C l 02 60 8C 9E 18 8B 08 00 45 00 00010 00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B . , [ . 0 _____ L . k . . . k 00020 02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 .............................. } t ' . M o d u le 0 3 Page 283 .............E. Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker 00030: 8״. - 22 38 01 2D 00 00 02 04 05 B4 20 20 Frame 3: In the th ird step, th e client sends an ACK on this segm ent (TCP .A....). In this segm ent, the client is acknow ledging the request fro m the server fo r synchronization. The client uses the same a lg orith m the server im p lem ented in providing an acknow ledgem ent num ber. The client's acknow ledgm ent o f the server's request fo r synchronization com pletes the process o f establishing a reliable connection, thus the th re e -w a y handshake. 3 2 .7 8 7 NTW3 - - > BDC3 1109646, w in : TCP: .A ...., s rc : 1037 8760, s rc : le n : d s t: TCP .A 1037 0, se q: 139 , le n : d s t: 139 0, se q: 8221823-8221823, a c k : (NBT S e s s io n ) 8221823-8221823, a c k : NTW3 - - > BDC3 1109646, w in : IP 8760, (NBT S e s s io n ) TCP: S ource P o r t = 0x040D TCP: D e s t in a t io n P o rt = NETBIOS S e s s io n S e rv ic e TCP: Sequence Number = 8221823 (0x7D747F) TCP: A cknow ledgem ent Number = 1109646 (0xl0EE8E) TCP: D ata O f f s e t = 20 (0x14) TCP: R eserved = 0 (0x0000) TCP: F la g s = 0x10 : . A . . . . TCP: . . 0 ......... = No u r g e n t d a ta TCP: . . . 1 . . . . = A cknow ledgem ent f i e l d TCP: ___ 0 . . . = No Push f u n c t io n TCP: ......... 0 . . = No R eset TCP: ............0. = No S y n c h ro n iz e TCP: .............. 0 = No F in TCP: Window = 8760 (0x2238) TCP: Checksum = 0xl8E A TCP: U rg e n t P o in t e r = 0 (0x0) TCP: Frame P ad d in g 00000: 02 60 8C 9E 18 8B 02 60 8C 3B 85 C l 08 00 45 00 . ' ............. ' . ; ---------- E . 00010: 00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B . 00020: 02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 ................... } t ----------P . 00030: 22 38 18 EA 00 00 20 20 20 20 20 20 ״8 ___ M o d u le 0 3 Page 284 (. . 0 ___ O .k . . .k Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker TCPCommunicationFlags Data contained in the packet should be processed immediately There w ill be no more transmissions Resets a connection F IN (Finish) URG (Urgent) jm ₪₪mm PSH (Push) Sends all buffered data immediately ACK > (Acknowledgement)A Acknowledges the receipt of a packet 1 SYN (Synchronize) Initiates a connection between hosts Standard TCP com m unications are con trolled by flags in th e TCP packet header Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited T C P C o m m u n ic a tio n F la g s Standard TCP com m unications m o n ito r the TCP packet header th a t holds the flags. These flags govern the connection betw een hosts, and give instructions to the system. The fo llo w in g are the TCP co m m unication flags: 9 Synchronize alias "SYN": SYN notifies transm ission o f a new sequence num ber 9 A cknow ledgem ent alias "ACK": ACK confirm s receipt o f transm ission, and id e ntifies next expected sequence num ber 9 9 Push alias "PSH": System accepting requests and fo rw a rd in g buffered data U rgent alias "URG": Instructs data contained in packets to be processed as soon as possible Q Finish alias "FIN ": Announces no m ore transm issions w ill be sent to re m o te system Q Reset alias "RST": Resets a connection SYN scanning m ainly deals w ith three o f the flags, nam ely, SYN, ACK, and RST. You can use these th re e flags fo r gathering illegal in fo rm a tio n fro m servers during the e nu m eration process. M o d u le 0 3 Page 285 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Acknowledgem ent No O ffse t Res TCP Flags TCP Checksum W indow Urgent Pointer Options \< ------------------------- 0-31 B its ---------------------------> FIGURE 3.9: TCP C o m m u n ica tio n Flags M o d u le 0 3 Page 286 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker CreateCustomPacketUsing TCPFlags CEH Colasoft Packet Builder .$׳ 5 & 5 .xpcr:- Add Inser: Copy 3ckte Move Up | Chcdcsum| Send ScndAII | Packet No. | ־ -J C o la s o ft Packet B u ild e r en ables c re a tin g c u s to m n e tw o rk pa ckets to a u d it n e tw o rk s fo r v a rio u s a tta c k s J A tta c k e rs can also use it to c re a te fra g m e n te d - ¥ * Packet Info: Padrec ttacer; —^ Backer Le=ath: Captnred Length: Delta Tine E ־d Ethernet Type I I j y iJ f s t ia t i ״Mdress: JUfSouic? U d m 9 : Protocol: E-.J I? - Internet Protocol ! ״Version 0 i •••0 Me* 1•: length g>-0 Differentiated Services Field j j 0 S«rvlc«f Cod*pcint j > Tr«r.*por1 ?101 .col w ill 1903c* tii* CC b it : 9 Coaaastios <1 M - !«»***ג 000004 64 60 0.100000 Second [0/14] 00: 00:00:00: 00:00 [0/ 6] 00: 00:00:00 : 00:00 [6/ 6] 0x0800 (Inter: [14/20] 4 [U /1 ] OxFO S <20 Bytes) [1< 0000 oaoo [15/1! OxPF 0000 00.. [18/1] OxfC .......... 0. (Ignoi• [15/1] ............0 (Xu Coixjumlon) 1כ i>HuEdfco! < Total 6fl bytet packets to bypass fire w a lls a n d IDS system s in a n e tw o rk http://www. colasoft. com Copyright © by EG-Gaoncil. All Rights Reserved. Reproduction is S trictly Prohibited C re a te C u s to m P a c k e ts u s in g T C P F la g s Source: h ttp ://w w w .c o la s o ft.c o m Colasoft Packet Builder is a to o l th a t allows you to create custom n e tw o rk packets and also allows you to check the n e tw o rk against various attacks. It allows you to select a TCP packet fro m the provided tem plates, and change the p aram ete rs in the decoder e d ito r, hexadecimal e d ito r, o r ASCII e d ito r to create a packet. In a dd itio n to building packets, Colasoft Packet B uilde r also supports saving packets to packet files and sending packets to the netw ork. M o d u le 0 3 Page 2 87 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker Colasoft Packet Builder File Edit Im p o rt Send H elp # E x p o rtw # Add Insert !£נ C o py © Pas- * Delete | x M o ve 4* *fc* Send Send A ll Packet Info: a P a c k e t N u m b e r: <3 *־P a c k e t L e n g th : !^״״ C a p tu re d H H D e lta 60 0.100000 Second L e n g th : T im e ₪-€> Ethernet Type II D e s tin a tio n S o u rc e 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 A d d re s s : A d d re s s : •••©IP - Internet Protocol j— & V e r s io n : © Header E3@ ״ | | (2 0 L e n g th S e r v ic e s _~© D if f e r e n t ia t e d O ~~© T ra n s p o rt C o n g e s tio n Delta T im e ו 0.100000 00:00:00:00:1 2 0.100000 0.0.0.0 3 0.100000 0.0.0.0:0 0.100000 0.0.0.0:0 Source [0/6] [6/6] (In te rn [1 4 /2 0 ] [1 4 /1 ] D iffe r e n t ia t e d No. [0 /1 4 ] P r o to c o l: 0 'w E I & B r S B Packet No. 4 D ecode E ditor 0000 0000 0000 00.. F ie ld S e r v ic e s P ro to c o l w i l l C o d e p o in t ig n o r e th e CE b i t ...........0. ..........0 OxFO B y te a ) [1 5 /1 ] O xF F [1 5 /1 ] O xFC (Ig n o re ) [1 4 [1 5 /1 ] (N o C o n g e s t i o n ) <L jc% Hex E ditor 0000 0010 0020 0030 < T o ta l | 60 bytes 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 00 2C00 00 40 00 40 11 3ACO00 00 00 00 00 00 --- 0.0.s . 00 00 00 00 00 00 00 1A FF BA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A V/ T> : ... FIGURE 3 .1 0 : C o la s o ft P acket B u ild e r S c re e n s h o t M o d u le 0 3 Page 288 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ScanningIPv6Network CEH imttiM tUx*l lUckM I I L a 1 IPv6 increases the IP address size fro m 32 bits to 128 bits, to support m ore levels o f addressing hierarchy Traditional ne tw ork scanning techniques w ill be c o m p u ta tio n a lly less feasible due to larger search space (64 bits o f host address space o r 2s4 addresses) provided by IPv6 in a subnet Scanning in IPv6 ne tw ork is more d iffic u lt and com plex than the IPv4 and also m ajor scanning tools such as Nmap do no t support ping sweeps on IPv6 n e tw orks Attackers need to harvest IPv6 addresses fro m n e tw o rk tra ffic , recorded logs o r Received fro m : and o th e r header lines in archived em ail o r Usenet news messages Scanning IPv6 netw ork, however, offers a large num ber o f hosts in a subnet if an attacker can com prom ise one host in the subnet; attacker can probe the "all hosts" lin k local m ulticast address Copyright © by EC-ClUIICil. All Rights Reserved. Reproduction is S trictly Prohibited. S c a n n in g IP v 6 N e t w o r k IPv6 increases the size o f IP address space fro m 32 bits to 128 bits to su pp o rt m ore levels o f addressing hierarchy. T raditional n e tw o rk scanning techniques w ill be co m p u ta tio n a lly less feasible due to larger search space (64 bits o f host address space o r 264 addresses) provided by IPv6 in a subnet. Scanning an IPv6 n e tw o rk is m ore d iffic u lt and com plex than IPv4 and also m a jo r scanning tools such as Nmap do n o t su p p o rt ping sweeps on IPv6 n etw o rks. A ttackers need to harvest IPv6 addresses fro m n e tw o rk tra ffic, recorded logs, o r Received fro m : and o th e r header lines in archived em ail o r Usenet news messages to id e n tify IPv6 addresses fo r subsequent p o rt scanning. Scanning IPv6 n etw o rk, how ever, offers a large n u m b e r o f hosts in a subnet; if an a ttacker can com prom ise one host in the subnet he can probe the "all hosts" link local m ulticast address. M o d u le 0 3 Page 289 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ScanningTool:Nmap CEH J N etw ork adm inistrators can use Nmap fo r n e tw o rk inven tory, managing service upgrade schedules, and J Attacker uses Nmap to extract info rm atio n such as live hosts on th e n e tw o rk , services (application name and version), type o f packet filte rs /fire w a lls , op eratin g systems and OS versions m o n ito rin g host or service u p tim e h ttp ://n m a p .o rg Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is S trictly Prohibited. S c a n n in g T o o l: N m a p Source: h ttp ://n m a p .o rg Nmap is a se curity scanner fo r n e tw o rk e xplora tio n and hacking. It allows you to discover hosts and services on a co m p u te r n etw o rk, thus creating a "m ap " o f the n etw o rk. It sends specially cra fted packets to th e ta rg e t host and then analyzes the responses to accom plish its goal. Either a n e tw o rk a d m in istra to r or an a ttacker can use this to o l fo r th e ir p articula r needs. N e tw o rk adm inistrato rs can use Nmap fo r n e tw o rk in v e n to ry , m anaging service upgrade schedules, and m o n ito rin g host o r service uptim e. Attackers use Nmap to e xtract in fo rm a tio n such as live hosts on the n etw o rk, services (application name and version), type o f packet filte rs /fire w a lls , o p e ra tin g system s, and OS versions. M o d u le 0 3 Page 2 90 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker Zenmap iM k *•« M tel M o w K M * TCf M*» t (" > « • !j* » Mi M l M M - ' *14 u n 4 T S t M tl* * < M t • . • I < M M r < f la t B L . M M • I M f l K l #M K M | R | . B L W rlM ) • זm ) « M 11:11 I M .n iH I D U • •1 1 MMHyj MM D u tu n HHM —rtt «»»* . 1 « s ia ti w m i a « m ia f t M W h 1 * T M M M M ־״t M !•2 .1 M 144 S M M l t l W ** 11*1— : ! • M M .4 M M M ) I K l IS 24 1• M 4) %f% '•»*1»י1«י*י C M »letM W S t • • I t * k M at IS 24. N . t l i •1 m m 4 ( M t H t«4«l M ־״t * ) *W v i< • *CM • t IS: 24 t a M l « | • MTviCM M 1*2 IM 1 m C M W * M SM *|C• M M • t IS: , M .M l l l M l M ( I I K » <#I M t 1 •» M M I/tu • * « 11I/1 |. S t i l l l uM i r t l SV.»J 4412 v : IKjuatL M m lfM WVCK VC ■ 1 1 11 Ira* 1 1 1 0 \o * z 1 0 2 |7 f l l CPt: cp« ■ IcreM ^t ■inM n _ v 1 * f : :• *־׳tw it M> M ^ « U U N f l w M •* '1 *■׳M l« « lt I OM ־״M I ( I 1 M i n P n lc e |t n t r « l *tKfOM ft— M ״H ׳ • M tf m * 00%ll(I r'Mt t «l l<t :t MM V I. 24 ■ ןן *ן 1c • ' 1«m 1111222 2 1 t l H lli I n l t l M l f * Sm S t t t lt n Sm x i t 1S:22 k M i ^ W 1M IM S ( l » ) t • e r t i ] M K M f M M M M ־״t I H t ( | M 1I2 I M 1 M S W w u r M M M PMt I M / t V M 1*2 IM 1M S M M M M M M W M M 44$/1(» M IW 1 M .IM .1 M W M M M MW) • W t •12 t<> on 1*2 144 IM S M M M ׳t M>42 tcp on 1*2 IM .1 M .S T» « M l t l — T l« 1 ~ MOwt 22.22% m ac; I K : 19:24 ( • •1 4 5 M o d u le 0 3 Page 291 *M O W ! V■ *. M t f ) 1522 1 !•N tO n lw M l t lliw I t •*• !w ltia tln g 4 V » !** S<M I t IS 22 W m w I m 1*2 144 144.S (1 t v t l 4 T A . IV M» M» > ••• C o M lr tM * V H r * U m a t : , • M l * I m iH (I tv ta l M tf i) : M t l i t l *׳N r * u < c m r « M lt f t iM • * I * • I t . • t I f » * ׳H * i M r » M lM tlM » ״M I . *t . . H 1 1 N 1 —« * » I « u n MM M v l» t!l *M c m :/ ! » l cm ■ In d M I . M r 't '. M N M l < » : / • • i < r | M * t * lc r M M t id iM M IT t lt l V • V V I . K U M ktM s■ ! I / imtLmrn•*.*% i r t —r l M l .S M M y • ( » l « t * Him u i t i > »״m ■־T 4 *« M • ) 1 21 « ג l 0 l* ״lc«.lt»-2S4 ( i M i 1m «1) MiM — i (PI -<. Mt«10S mr: 1 » ז « י1מ •*י Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Hping2/ Hping3 CEH UrtifW itkMl lUikw J Command line packet crafter for the TCP/IP protocol J Tool for security auditing and testing firewall and networks J Runs on both Windows and Linux operating systems h ttp ://w w w . hping.org f o o t g b t : - # h ping3 ■A 1 0 .0 .0 .2 -p 89 HPINC18.0.0.2 (ethl 19.0.0.2): Aset, 40 headers + 0 data bytel len=40 ip-10.0.0.2 ttl=128 OF id=26©85spoci^0 flags-R seq^0 w ln0 ־rtt=1.3 ms ^ך־ len^40 ip-10.0.0.2 ttl=128 OF id-26586 sport-ee-flags-R seq-1 w ln=0 rtt=6.8 ms len=40 ip-10.0.0.2 ttl=128 OF id=26087 sport-8Gfflags=R Ieq^2 w 11 1.0 in = o r = לווו le n - 4 0 i p - 1 0 . 0 . 0 . 2 1n=0 r t t = 8 . 9 ms le n = 4 0 ip = 1 0 ^ L 0 . 2 ttl- 1 2 8 OF id - 2 6 0 8 8 s p o r t - 8 0 f lo g s - R s c q -3 w t t l = 1 2 8 DF id - 2 6 6 8 9 5 p o rjt= 8 e f t c g s f R s e q - 4 w len=4) 1^=10.0.8 *?ttl=128 DF ld=26090 sport80 ־flags=R seq=5 in»0 rtt-0 .5 ms J len=46 ip=10.0.3.2 ttl=128 OF id=26091 sport=80 flags=R seq=6 w in=0 rtt=e.7 ms len=40 ip=10.O.0.2 ttl=128 OF id26092 ־sport80 ־flags^R seq=7 w ln=8 rtt=8.8 ns len-40 ip-10.0.0.2 ttl-128 OFid-26093 5port-80 flegs־Rseq-8 w ACK Scanning on p o rt 80 Copyright © by EG-GMMCil. All Rights Reserved. Reproduction Is S trictly Prohibited. H p in g 2 /H p in g 3 Source: h ttp ://w w w .h p in g .o rg HPing2/HPing3 is a co m m a n d -lin e -o rie n te d TCP/IP packet assem bler/analyzer th a t sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It has Tra ce ro ute m ode, and enables you to send files betw een covert channels. It has the a b ility to send custom TCP/IP packets and display ta rg e t replies like a ping program does w ith ICMP replies. It handles fra g m e n ta tio n , a rb itra ry packets' body and size, and can be used in o rd e r to tra n sfe r encapsulated files under supported protocols. It supports idle host scanning. IP spoofing and n e tw o rk /h o s t scanning can be used to p erfo rm an anonym ous probe fo r services. An a tta cke r studies the behavior o f an idle host to gain in fo rm a tio n abo u t the ta rg e t such as the services th a t the host offers, the ports su pp o rtin g th e services, and the ope ra tin g system o f the targe t. This type o f scan is a predecessor to e ith e r heavier probing or o u trig h t attacks. Features: The fo llo w in g are some o f the features o f HPing2/HPing3: 9 D eterm ines w h e th e r the host is up even w hen th e host blocks ICMP packets e A dvanced p o rt scanning and te st net perform ance using d iffe re n t protocols, packet sizes, TOS, and fra g m e n ta tio n M o d u le 0 3 Page 292 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker 9 M anual path MTU discovery 9 Firew alk-like usage allows discovery o f open ports behind firew alls 9 Remote OS fin g e rp rin tin g 9 TCP/IP stack auditing ICMP Scanning A ping sweep o r In te rn e t C o n trol Message P rotocol (ICMP) scanning is a process o f sending an ICMP request or ping to all hosts on the n e tw o rk to d ete rm ine w hich one is up. This p ro to co l is used by ope ra tin g system, ro u te r, sw itch, in terne t-p ro to co l-b a sed devices via the ping com m and to Echo re quest and Echo response as a co nn e ctivity te ste r betw een d iffe re n t hosts. The fo llo w in g screenshot shows ICMP scanning using the Hping3 to o l: « v x root@bt: ~ File E dit V iew Term inal H elp root@ bt:~# h p i ng3 -1 10 .0 .0 .2 HPING 1 0 .0 .0 .2 ( e t h l 10 . 0 . 0 . 2 ) : icmp mode s e t, 28 headers + 0 d len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25908 icmp_seq=0 r t t = 2 . 2 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25909 icm p_seq=l r t t = 1 . 0 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25910 icmp_seq=2 r t t = 1 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25911 icmp_seq=3 r t t = 0 . 5 ms icmp seq=4 r t t = 0 . 4 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=2591% len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25913 icmp seq=5 r t t = l . l ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25914 icmp seq=6 r t t = 0 . 9 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25915 icmp seq=7 r t t = l . l ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25916 icmp seq=8 r t t = 0 . 9 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25917 icmp seq=9 r t t = l . l ms len=28 ip = 1 0 .0 . 0 . ^ > t t l= 128 id=25918 icmp seq=10 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25919 icm p _ se q = ll r t t = 1 . 2 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25920 icmp seq=12 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25921 icmp seq=13 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25922 icmp seq=14 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25923 icmp seq=15 r t t = 0 . 7 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25924 icmp seq=16 r t t = 0 . 8 ms len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25925 icmp seq=17 r t t = 1 . 0 ms FIGURE 3.12: Hping3 to o l show ing ICMO scanning o u tp u t ACK Scanning on P ort 80 You can use this scan tech n iq ue to probe fo r the existence o f a fire w a ll and its rule sets. Simple packet filte rin g w ill allow you to establish connection (packets w ith the ACK b it set), whereas a sophisticated stateful fire w a ll w ill not a llow you to establish a connection. The fo llo w in g screenshot shows ACK scanning on p o rt 80 using the Hping3 to o l: M o d u le 0 3 Page 293 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s • >׳v Exam 3 1 2 -5 0 C ertified Ethical H acker * r o o ta b t: - File Edit View Terminal Help £ 0 0 t@ b t:~ # h p in g 3 -A 1 0 . 0 . 0 . 2 •p 80 HPING 1 0 .0 .0 .2 ( e t h l 1 0 . 0 . 0 . 2 ) : A s e t , 40 h ea d ers + 0 d a ta b y te s le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 6 0 8 5 s p a rJ t-8 0 fla g s = R seq=0 w in = 0 r t t = 1 . 3 ms le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 60 8 6 s p o rt= 8 0 fla g s = R s e q = l w in = 0 r t t = 0 . 8 ms ׳-'"׳׳ le n = 4 0 ip = 1 0 . 0 . 0 . 2 t t l= 1 2 8 DF id = 2 60 8 7 s p o rt= 8 9 fla g s = R seq=2 w in = 0 r t t = 1 . 0 ms le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 60 8 8 s p o rt= 8 0 ^ la g s = R seq=3 w in = 0 r t t = 0 . 9 ms le n = 4 0 ip = 1 0 J 0 .0 .2 t t l= 1 2 8 DF id = 2 6 0 8 9 s p o rt= 8 0 fla g s = R seq=4 w in = 0 r , t t = p . 9 ros —^ ^ ■יJ j I •4■ ^ f j le n = 4 0 ip = lO . 0 . 0 . 2 t t l= 1 2 8 DF id=26O 90 s p o rt= 8 0 fla g s = R seq=5 w in = 0 r t t = 0 . 5 ms le n = 4 0 ip = lO . 0 . 0 . 2 t t l= 1 2 8 DF id = 2 6 0 9 1 s p o rt= 8 0 fla g s = R seq=6 w in = 0 r t t = 0 . 7 ms le n = 4 0 ip = 1 0 .0 .O .2 t t l= 1 2 8 DF id = 2 60 9 2 s p o rt= 8 0 fla g s = R seq=7 w in = 0 r t t = 0 . 8 ms le n = 4 0 ip = 1 0 .0 .O .2 t t l= 1 2 8 DF id = 2 6 0 9 3 s p o rt= 8 0 fla g s = R seq=8 v FIGURE 3.13: Hping3 to o l show ing ACK scanning o u tp u t M o d u le 0 3 Page 294 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker HpingCommands -1 h p in g 3 10.0.0.25 ACK scan on port 80 hp±ng3 -A 1 0.0.0.25 -p -2 1 0.0.0.25 1 9 2 .1 6 8 .1 .1 0 3 -S 5 0 -5 6 -S 1 0 .0 .0 .2 5 -V -F -p -U 1 0 .0 .0 .2 5 -p 80 Scan entire subnet for live host -p h p in g 3 -Q -p 7 2 .1 4 .2 0 7 .9 9 -1 -I ethO 80 1 0 .0 .1 .x — ra n d -d e s t In te rc e p t a ll t r a ffic co n ta in in g HTTP sig n a tu re h p in g 3 139 Firewalls and Time Stamps h p in g 3 -8 h p in g 3 80 Collecting Initial Sequence Number h p in g 3 ItkKJl Nm Im FIN, PUSH a n d URG scan o n p o r t 80 UDP scan on port 80 h p in g 3 U rtifM SYN scan on port 50-60 ICMP Ping h p in g 3 cEH ־ -9 HTTP - I e th O SYN flooding a victim -p 80 h p in g 3 — t c p ־tim e s ta m p -S 1 9 2 .1 6 8 .1 .1 1 9 2 .1 6 8 .1 .2 5 4 -p 22 -a — flo o d Copyright © by EC-CM ICil. All Rights Reserved. Reproduction is S trictly Prohibited. H p in g C o m m a n d s The fo llo w in g table lists various scanning m ethods and respective Hping com m ands: Scan Commands ICMP ping hping3 -1 1 0.0.0.25 ACK scan on port 80 hping3 -A 10 .0 .0 .2 5 -p 80 UDP scan on port 80 hping3 -2 1 0.0.0.25 -p 80 Collecting initial sequence number SYN scan on port 50-60 hping3 192.168.1.103 -Q -p 139 -s hping3 -S 72.14.207.99 -p 80 --t c p timestamp hping3 -8 50-56 -S 10 .0 .0.2 5 -V FIN, PUSH and URG scan on port 80 hping3 -F -p -U 10 .0.0.25 -p 80 Scan entire subnet for live host hping3 -1 1 0 .0 .1 .x --rand-dest - I ethO Intercept all traffic containing HTTP signature hping3 9 ־HTTP - I ethO SYN flooding a victim hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flo o d Firewalls and time stamps TABLE 3.1: Hping C om m ands Table M o d u le 0 3 Page 295 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ScanningTechniques TCP Connect / Full Open Scan Stealth Scans IDLE Scan ICMP Echo Scanning/List Scan T E C H N SYN/FIN Scanning Using IP Fragments UDP Scanning I o Inverse TCP Flag Scanning E ACK Flag Scanning u S Copyright © by EG-GlOOCil. All Rights Reserved. Reproduction is S trictly Prohibited. S c a n n in g T e c h n iq u e s Scanning is the process o f g ath erin g in fo rm a tio n about the systems th a t are alive and responding on the n etw o rk. The p o rt scanning tech n iq ue s are designed to id e n tify the open ports on a targe te d server or host. This is o fte n used by adm inistrato rs to ve rify security policies o f th e ir netw orks and by attackers to id e n tify running services on a host w ith the in te n t o f com prom ising it. D iffe re n t types o f scanning tech n iq ue s e m p loye d include: © TCP Connect / Full Open Scan © Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan © IDLE Scan © ICMP Echo Scanning/List Scan © SYN/FIN Scanning Using IP Fragments © UDP Scanning © Inverse TCP Flag Scanning © ACK Flag Scanning M o d u le 0 3 Page 296 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker The following is the list of important reserved ports: Name Port/Protocol Description echo 7 /tc p echo 7 /u d p d is c a r d 9 /tc p sink null d is c a r d 9 /u d p sink null s y s ta t 1 1/tcp Users d a y t im e 1 3/tcp d a y t im e 13/udp n e ts ta t 1 5/tcp q o td 1 7/tcp Q uote c h a rg e n 1 9/tcp tty ts t source c h a rg e n 19/udp tty ts t source ftp -d a ta 2 0 /tcp ftp data tra nsfe r ftp 2 1 /tcp ftp com m and ssh 2 2 /tcp Secure Shell te ln e t 2 3 /tcp s m tp 2 5 /tcp M ail t im e 3 7 /tcp Tim eserver t im e 3 7/u dp Tim eserver r ip 3 9/u dp resource location n ic n a m e 4 3 /tcp w ho is d o m a in 5 3 /tcp dom ain name server d o m a in 5 3/u dp dom ain name server s q l* n e t 6 6 /tcp Oracle SQL*net s q l* n e t 6 6/u dp Oracle SQL*net b o o tp s 6 7 /tcp boo tp server b o o tp s 6 7/u dp boo tp server b o o tp c 6 8 /tcp boo tp client M o d u le 0 3 Page 297 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker b o o tp c 6 8/u dp boo tp client tftp 6 9 /tcp Trivial File Transfer t f tp 6 9/u dp Trivial File Transfer gopher 7 0 /tcp gopher server fin g e r 7 9 /tcp Finger w w w - h ttp 8 0 /tcp WWW w w w - h ttp 8 0 /u d p WWW k e rb e ro s 8 8 /tcp Kerberos k e rb e ro s 8 8 /u d p Kerberos P °P 2 1 09/tcp PostOffice V.2 Pop 3 1 10 /tcp PostOffice V.3 s u n rp c 111 /tcp RPC 4.0 p o rtm a p p e r s u n rp c 111/udp RPC 4.0 p o rtm a p p e r a u th /id e n t 1 13/tcp A u th e n tica tio n Service a u th 113/udp A u th e n tica tio n Service a u d io n e w s 114 /tcp A udio News M u ltica st a u d io n e w s 114/udp A udio News M u ltica st n n tp 119 /tcp Usenet N e tw o rk News Transfer n n tp 119/udp Usenet N e tw o rk News Transfer n tp 123 /tcp N e tw o rk Time Protocol Name P ort/P ro toco l Description n tp 123/udp N e tw o rk Time Protocol n e tb io s - n s 1 37 /tcp NETBIOS Name Service n e tb io s - n s 137/udp NETBIOS Name Service n e t b io s - d g m 1 38/tcp NETBIOS Datagram Service n e t b io s - d g m 138/udp NETBIOS Datagram Service n e t b io s - s s n 1 39/tcp NETBIOS Session Service n e t b io s - s s n 139/udp NETBIOS Session Service im a p 143 /tcp In te rn e t Message Access Protocol M o d u le 0 3 Page 298 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker im a p 143/udp In te rn e t Message Access Protocol s q l- n e t 150 /tcp SQL-NET s q l- n e t 150/udp SQL-NET s q ls r v 156/tcp SQL Service s q ls r v 156/udp SQL Service snmp 1 61/tcp snmp 161/udp s n m p -tra p 162 /tcp s n m p -tra p 162/udp c m ip -m a n 1 63/tcp CMIP/TCP M anager c m ip -m a n 163/udp CMIP c m ip - a g e n t 1 64/tcp CMIP/TCP Agent c m ip - a g e n t 164/udp CMIP ir e 1 94/tcp In te rn e t Relay Chat ir e 194/udp In te rn e t Relay Chat a t- rtm p 2 01 /tcp AppleTalk Routing M aintenance a t- rtm p 2 01 /ud p AppleTalk Routing M aintenance a t-n b p 2 02 /tcp AppleTalk Name Binding a t- n b p 2 02 /ud p AppleTalk Name Binding a t-3 203 /tcp AppleTalk a t-3 2 03 /ud p AppleTalk a t- e c h o 2 04 /tcp AppleTalk Echo a t- e c h o 2 04 /ud p AppleTalk Echo a t-5 2 05 /tcp AppleTalk a t-5 2 05 /ud p AppleTalk a t- z is 2 06 /tcp AppleTalk Zone Info rm a tio n a t- z is 2 06 /ud p AppleTalk Zone Info rm a tio n a t- 7 2 07 /tcp AppleTalk M o d u le 0 3 Page 299 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker a t- 7 2 07 /ud p AppleTalk a t- 8 2 08 /tcp AppleTalk a t- 8 2 08 /ud p AppleTalk ip x 2 13 /tcp ip x 2 13 /ud p im a p 3 2 20 /tcp Interactive M ail Access Protocol v3 im a p 3 2 20 /ud p Interactive M ail Access Protocol v3 a u rp 3 87 /tcp AppleTalk Update-Based Routing a u rp 3 87 /ud p AppleTalk Update-Based Routing n e tw a r e - ip 3 96 /tcp Novell N etw are over IP n e tw a r e - ip 3 96 /ud p Novell N etw are over IP Name P ort/P ro toco l Description rm t 4 1 1 /tcp Remote m t rm t 4 1 1 /u d p Remote m t 5 4 e rb e ro s 5 4 -d s 4 4 5 /tcp 5 4 e rb e ro s 5 4 -d s 4 4 5 /u d p is a k m p 5 00 /ud p ISAKMP/IKE fc p 5 1 0 /tcp First Class Server exec 5 12 /tcp BSD rexecd(8) c o m s a t/ b if f 5 12 /ud p used by mail system to n o tify users lo g in 5 1 3 /tcp BSD rlogind(8) who 5 13 /ud p w hod BSD rw hod(8) s h e ll 5 14 /tcp cmd BSD rshd(8) s y s lo g 5 14 /ud p BSD syslogd(8) p r in te r 5 15 /tcp spooler BSD lpd(8) p r in te r 5 15 /ud p P rinter Spooler ta lk 5 1 7 /tcp BSD talkd(8) ta lk 5 17 /ud p Talk n ta lk 5 18 /ud p New Talk (ntalk) M o d u le 0 3 Page 3 00 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker n ta lk 5 18 /ud p SunOS talkd(8) n e tn e w s 5 3 2 /tc p R eadnew s uucp 5 40 /tcp uucpd BSD uucpd(8) uucp 5 40 /ud p uucpd BSD uucpd(8) k lo g in 5 43 /tcp Kerberos Login k lo g in 5 43 /ud p Kerberos Login k s h e ll 5 44 /tcp Kerberos Shell k s h e ll 5 44 /ud p Kerberos Shell e k s h e ll 5 45 /tcp p c s e rv e r 6 00 /tcp ECD Integrated PC board srvr m ount 6 35 /ud p NFS M o u n t Service p c n fs 6 40 /ud p PC-NFS DOS A u th e n tica tio n b w n fs 6 50 /ud p BW-NFS DOS A u th e n tica tio n f le x lm 7 44 /tcp Flexible License M anager f le x lm 7 44 /ud p Flexible License M anager 5 6 e rb e ro s -a d m 7 49 /tcp Kerberos A d m in istra tio n 5 6 e rb e ro s -a d m 7 49 /ud p Kerberos A d m in istra tio n k e rb e ro s 7 50 /tcp kdc Kerberos a u th e n tic a tio n —tcp k e rb e ro s 7 50 /ud p Kerberos 5 6 e r b e r o s mas te r 7 51 /ud p Kerberos a uth e n tica tio n 5 6 e r b e r o s mas te r 7 51 /tcp Kerberos a uth e n tica tio n k rb _ p ro p 7 54 /tcp Kerberos slave propagation M o d u le 0 3 Page 301 krcm d Kerberos encrypted re m o te shell -k fa ll Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker 9 99 /ud p A pplixw are socks 1 080/tcp socks 1080/udp kpop 1 109/tcp Pop w ith Kerberos m s - s q l- s 1 433/tcp M icro so ft SQL Server m s - s q l- s 1433/udp M icro so ft SQL Server m s - s q l- m 1 434/tcp M icro so ft SQL M o n ito r m s - s q l- m 1434/udp M icro so ft SQL M o n ito r Name P ort/P ro toco l Description p p tp 1 723/tcp Pptp p p tp 1723/udp Pptp nfs 2 04 9 /tcp N e tw o rk File System nfs 2049/udp N e tw o rk File System e k lo g in 2 10 5 /tcp Kerberos encrypted rlogin r k in it 2 10 8 /tcp Kerberos re m o te kin it kx 2 11 1 /tcp X over Kerberos k a u th 2 12 0 /tcp Remote kauth ly s k o m 4 8 9 4 /tcp LysKOM (conference system) s ip 5 06 0 /tcp Session In itia tio n Protocol s ip 5060/udp Session In itia tio n Protocol x ll 6 000-6063/tcp X W in d o w System x ll 6000-6063/udp X W in d o w System ir e 6 66 7 /tcp In te rn e t Relay Chat afs 7000-7009/udp afs 7000-7009/udp TABLE 3.2: Reserved Ports Table M o d u le 0 3 Page 302 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker TCPConnect/ FullOpenScan CEH M J TCP C o n n e c t scan d e te c ts w h e n a p o rt is o p e n b y c o m p le tin g th e th r e e - w a y h a n d sh a ke J TCP C o n n e c t scan e s ta b lis h e s a fu ll c o n n e c tio n an d te a rs it d o w n by se n d in g a RST packet Scan result w hen a p o rt is open ^ )SYN Packet + P ort (n m S Y N /A C K Packet . . . ......... A « .t .׳5ST. ....... Target A ttacker Scan result w hen a p o rt is closed SVN Packet + Port Jn). ^ ^ * ??.־י. A ttacker H f , Target Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited. T C P C o n n e c t / F u ll O p e n S c a n Source: h ttp ://w w w .in s e c u re .o rg TCP Connect / Full Open Scan is one o f the m ost re lia b le form s o f TCP scanning. The TCP connect() system call provided by an OS is used to open a connection to every in terestin g p o rt on th e machine. If the p o rt is listening, connect() w ill succeed; o therw ise, the p o rt isn't reachable. 0 m m T C P T h r e e - w a y H a n d s h a k e In the TCP th re e -w a y handshake, the client sends a SYN flag, w hich is acknowledged by a SYN+ACK flag by the server w hich, in tu rn , is acknow ledged by the clie n t w ith an ACK flag to com plete the connection. You can establish a connection fro m both ends, and te rm in a te fro m both ends individually. V a n illa S c a n n in g In vanilla scanning, once the handshake is com pleted, the clie n t ends the connection. If the connection is not established, the n the scanned m achine w ill be DoS'd, w hich allows you to make a new socket to be cre a te d /ca lle d . This confirm s you w ith an open p o rt to be scanned fo r a running service. The process w ill continue u ntil the m axim um p o rt threshold is reached. M o d u le 0 3 Page 303 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker If the p o rt is closed the server responds w ith an RST+ACK flag (RST stands fo r "R eset the co n n e c tio n "), whereas the client responds w ith a RST flag and here ends the connection. This is created by a TCP connect () system call and w ill be id e n tifie d instantaneously if the p o rt is opened or closed. M aking separate connects() call fo r every targeted p o rt in a linear fashion w o u ld take a long tim e over a slow connection. The a ttacker can accelerate the scan by using many sockets in parallel. Using non-blocking, I/O allows the a ttacker to set a low tim e -o u t period and w atch all the sockets sim ultaneously. , u isd a v d itia g e s The draw back o f this type o f scan is easily d e te cta b le and filte ra b le . The logs in the ta rg e t system w ill disclose the connection. The Output Initia tin g Connect () Scan against (172.17.1.23) Adding open p o rt 1 9/tcp Adding open p o rt 2 1 /tcp Adding open p o rt 1 3/tcp SYN Packet + Port (n) ............................... SYN / ACK Packet ACK + RST T a rg e t A tta c k e r FIGURE 3.14: Scan results w h e n a p o rt is open SYN Packet + Port (n) י...................................... ■■►■■■■־ RST a rg e t A t ta c k e r FIGURE 3.15: Scan results w h e n a p o rt is closed M o d u le 0 3 Page 304 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Zenmap S<!n |oeh E»of.1c fcjftp T trg c t nmap ו92 . ו63 . ו68 .ל C o m m jn d Hosts Host ~vj Profile • •sT •v n m ip 192-168.168.5 S trv K tt 192.168.168.5 N m ip Output Potts/Hosts Topology HostD«t««h Scans • *sT •v n m jp 192.168.168.5 Starting Nrap6.61 ( http://n*ap.0rg ) at 201208 10 12:04 d Ti Initiating ARPPing Scan at 12:04 Scanning 192.168.168.5 (1 port] CompletedARPPing S<an at 12:04, 0.08s elapsed (1 total hosts) Initiating Parallel DNSresolution of 1host, at 12:04 Completed Parallel DNSresolution of 1host, at 12:04, 0.02s elapsed Initiating Connect Scan at 12:04 Scanning 192.168.168.S[1000 ports] Discovered open port 80/tcp on 192.168.168.5 Discovered open port 993/tcp on 192.168.168.S Discovered open port 8080/tcp on 192.168.168.S Discovered open port 2S/tcp on 192.168.168.S Discovered open port 139/tcp on 192.168.168.5 Discovered open port 8888/tcp on 192.168.168.S Completed Connect Scan at 12:04, 40.63s elapsed (1000 total ports) N״ap scan report for 192.168.168.S Failed to resolve given hostnaaie/IP: n«ap. Note that youcan't use '/■ask* AM D*1*4,7,100•‘ style IPranges. If the •achine only has an IPv6 address* add the N«ap -6 *lag to scan that. Host is up (0.000S7s latency), tot 9T 8E 0S filtered POUTitjtotoiSTA ERVICE ports 2S/tcp open Mtp 80/tcp open http 110/t<p open pop) 119/tcp open nntp 13S/tcp ooppeenn black asrpcice■icecap 8081/tcp 8088/tcp open radan-http 8888/tcp open sun•antwerbook Ml AfltirCil. • (Oeil) R cta fllll flic! frw; C :\P Ump done: 1IPaddress (Irogra• host upFiles ) scan(xn8ed6)\N in*ap 43.08 seconds Raxpackets sent: 1 (288) | Rcvd: 1 (288) FIGURE 3.16: Zenm ap Screenshot M o d u le 0 3 Page 305 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker StealthScan(Half-openScan) CEH UrtifWtf ttkujl lUckM A tta c k e rs use s te a lth scan ning te c h n iq u e s to bypass fire w a ll ru le s , lo g g in g m e c h a n is m , and hide □a SYN (Port 80) th e m s e lv e s as usual n e tw o rk tra ffic SYN + ACK Ste a lth S c a n P r o c e s s © The client sends a single SYN packet to th e server on th e appropriate p o rt ,^ s / ........................... Bill Sheela 1 0 .0 .0 .2 :2 3 4 2 1 0 .0 .0 .3 :8 0 Port is open @ lf th e p o rt is open then th e server responds w ith a SYN/ACK packet ® If th e server responds w ith an RST packet, then (ft ® W N |P ״rlS n | r th e rem ote p o rt is in th e "closed" state “־ י — *׳O j j Bill Sheela 1 0 .0 .0 .2 :2 3 4 2 1 0 .0 .0 .3 :8 0 The client sends the RST packet to close the initiation before a connection can ever be established Port is clo se d Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is S trictly Prohibited. S te a lth S c a n ( H a lf - O p e n S c a n ) Stealth scan sends a single fra m e to a TCP p o rt w ith o u t any TCP handshaking or a dd itio n al packet transfers. This is a scan type th a t sends a single fram e w ith the expectation o f a single response. The half-open scan p artially opens a connection, b ut stops halfw ay throu g h. This is also know n as a SYN scan because it only sends the SYN packet. This stops th e service fro m ever being n o tifie d o f the incom ing connection. TCP SYN scans or half-open scanning is a stealth m ethod o f p o rt scanning. The three -w ay handshake m e thodology is also implemented by the stealth scan. The difference is th a t in the last stage, re m o te ports are id e ntifie d by exam ining the packets e nte rin g the interface and te rm in a tin g the connection before a new in itia liza tio n was triggered. The process preludes the fo llo w in g : 9 To sta rt in itia liza tio n , the client forw a rd s a single "SYN" packet to the d estination server on the corresponding port. 9 The server actually in itiates the stealth scanning process, depending on th e response sent. 9 If th e server forw a rd s a "SYN/ACK" response packet, then the p o rt is supposed to be in an "OPEN" state. M o d u le 0 3 Page 3 0 6 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker If the response is fo rw a rd e d w ith an "RST" packet, then the p o rt is supposed to be in a "CLOSED" state. SYN (Port 80) Bill Sheela 10.0.0.2:2342 10.0.0.3:80 Port is open FIGURE 3.16: S tealth Scan w h e n Port is Open ^ ... * Bill Sheela 10.0.0.2:2342 10.0.0.3:80 P o r t is c lo s e d FIGURE 3.17: S tealth Scan w h e n Port is Closed Zenm ap Tool Zenmap is the official graphical user in te rfa ce (GUI) fo r the Nm ap Security Scanner. Using this to o l you can save the fre q u e n tly used scans as profiles to make the m easy to run re cu rre ntly. It contains a com m and cre a to r th a t allows you to in teract and create Nmap com m and lines. You can save the Scan results and vie w the m in the fu tu re and th e y can be com pared w ith a no the r scan re p o rt to locate differences. The results o f the recent scans can be stored in a searchable database. The advantages o f Zenmap are as follow s: 9 Interactive and graphical results view ing 9 Comparison e Convenience Q R epeatability Q D iscoverability M o d u le 0 3 Page 307 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker cr Is Zenmap S c !n lo o k profile H elp n m a p 192.168.168.5 C om m and H osts ,Scan C ancel *| 1 Details * -sT -v n m a p 192.168.168.5 Services OS w H ost * P ro file N m ap O u tp u t 4 P orts / H osts Topology H ost Details Scans * -sT -v n m a p 192.168.168.5 192.168.168.5 Starting Nmap 6.01 ( http://nMp.org ) at 2012-0810 12:04 d Tii Initiating ARP Ping Scan at 12:04 Scanning 192.168.168.S [1 port] Completed ARP Ping Scan at 12:04, 0.68s elapsed (1 total hosts) Initiating Parallel ONS resolution of 1 host, at 12:04 Completed Parallel DNS resolution of 1 host, at 12:04, 0.02s elapsed Initiating Connect Scan at 12:04 Scanning 192.168.168.S [1000 ports) Discovered open port 80/tcp on 192.168.168.S Discovered open port 993/tcp on 192.168.168.S Discovered open port 8080/tcp on 192.168.168.S Discovered open port 2$/tcp on 192.168.168.S Discovered open port 139/tCp on 192.168.168.5 Discovered open port 8888/tcp on 192.168.168.5 Coaipleted Connect Scan at 12:04, 40.63s elapsed (lOOO total ports) N*ap scan report for 192.168.168.S failed to resolve given hostnaae/IP: n«ap. Note that you can't use ,/■ask' ANO *1-4,7,100-' style IP ranges. If the Machine only has an IPv6 address, add the Neap •6 flag to scan that. Host is up (O.00OS7S latency). ><gt *towtn; 980 filtered ports PORT STATE SERVICE 2S/tcp open satp open http 80/tcp 110/tcp open pop 3 119/tcp open nntp 135/tcp ooen ■srpc 8081/tcp open blackice-icecap 8088/tcp open radan-http 8888/tcp open sun-answerbook ♦ ♦ ♦ • (Dell) Rtad tfiH f i l e t fr w ; C:\Progra■ Files (x86)\N*ap H*ap done: 1 IP address (1 host up) scanned in 43.08 seconds Rax packets sent: 1 (288) | Rcvd: 1 (288) Filter Hosts FIGURE 3.18: Zenmap Showing Scanning Results M o d u le 0 3 Page 308 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker c E l\ X m a s Scan ftb.ul H.. fcM U ftN M o FIN, URG, PUSH FIN, URG, PUSH m u ::: 1 No Response Attacker 10.0.0.6 J Server Port is open 1 1 0 .0 .0 .8 :2 3 Server Attacker 10.0.0.6 1 0 .0 .0 .8 :2 3 Port is closed In X m a s s c a n , a t ta c k e r s s e n d a TCP f r a m e t o a r e m o t e d e v ic e w ith U RG, ACK, RST, SYN, PSH , a n d FIN fla g s s e t J FIN s c a n o n ly w ith OS TC P/IP d e v e lo p e d a c c o r d in g t o RFC 7 9 3 J It will n o t w o r k a g a in s t a n y c u r r e n t v e r s io n o f M ic r o s o f t W in d o w s Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. X m a s S c a n ------------ X m a s Scan is a p o r t scan t e c h n i q u e w i t h ACK, RST, SYN, URG, PSH, a n d FIN fla g s s e t t o s e n d a TCP f r a m e t o a r e m o t e d e v ic e . If t h e t a r g e t p o r t is c lo s e d , t h e n y o u w i ll re c e iv e a r e m o t e s y s te m r e p ly w i t h a RST. You can use t h i s p o r t scan t e c h n i q u e t o scan la rg e n e t w o r k s a n d fin d w h i c h h o s t is u p a n d w h a t se rv ic e s it is o f f e r i n g . It is a t e c h n i q u e t o d e s c r ib e all TCP fla g sets. W h e n all fla gs a re set, s o m e s y s te m s h a n g ; so t h e fla g s m o s t o f t e n se t a re t h e n o n s e n s e p a t t e r n URG-PSH-FIN. This scan o n l y w o r k s w h e n s y s te m s a re c o m p l i a n t w i t h RFC 7 93 . B SD N e tw o rk in g C o d e T his m e t h o d is based o n BSD n e t w o r k i n g c o d e ; y o u can use th is o n l y f o r UNIX h o s ts a n d it d o e s n o t s u p p o r t W i n d o w s NT. If t h is scan is d ir e c t e d a t a n y M i c r o s o f t s y s te m , it s h o w s all t h e p o r ts o n t h e h o s t a re o p e n e d . T ra n s m ittin g P a c k e ts You can in itia liz e all t h e fla g s w h e n t r a n s m i t t i n g t h e p a c k e t t o a r e m o t e h o s t. If t h e t a r g e t s y s te m a c c e p ts p a c k e t a nd d o e s n o t s e n d a n y re s p o n s e , t h e p o r t is o p e n . If t h e t a r g e t s y s te m se nd s RST fla g , t h e p o r t is c lo s e d . M o d u le 0 3 Page 309 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Advantage: It a v o id s t h e IDS a n d TCP t h r e e - w a y h a n d s h a k e . Disadvantage: It w o r k s o n t h e UN IX p l a t f o r m o n ly . FIN, URG, PUSH No Response Attacker Server 10.0.0.6 10.0.0.8:23 P o r t is o p e n FIGURE 3.19: Xmas Scan when Port is Open FIN, URG, PUSH RST Attacker Server 10.0.0.6 10.0.0.8:23 P o r t is c lo s e d FIGURE 3.20: Xmas Scan when Port is Closed Z e n m a p is t h e o ffic ia l g ra p h ic a l u s e r in t e r f a c e (GUI) f o r t h e N m a p S e c u r i t y S c a n n e r. U sing th is t o o l y o u can sa ve t h e f r e q u e n t l y used scans as p r o f i l e s t o m a k e t h e m easy t o r u n r e c u r r e n t l y . Zenmap Scan 100It Profile Help Target: 9•1X •v r Hotts Services * V Start Nmip Output Pcm/Hosts Topology Host Ottals S<ans «-sX-v nmap 152.16S. 168.3 OS ▼ Host W צ nmap 192.I6S.168.} Command: Details 192.168.16S.5 192.168.168.3 S tA 'tin g Nmap 6.01 ( ’ * t 2612 08 10 12:39 Standarc 1i»e In it ia t i n g Ping Scan a t 12:39 Scanning 192.168.168.3 [1 p o rt] Completed ARP Ping Scan at 12:39, 0.07s elapsed (1 t o t a l hosts) In it ia t i n g P a ra lle l DNS resolution 0-f 1 host, a t 12:39 Completed P a r a lle l DNS reso lu tio n o* 1 host, at 12:39, 9.02s elapsed In it ia t i n g XMAS Scan at 12:3* Scanning 19 2.16 8.1 *8 .3 [10C® po«*ts] Increasing c»nd delay *o r 192.168.168.3 0 to S du* to 108 out o f 358 dropped probes since la s t increase. Completed XMAS Scan at 12;39, 9.75s elapsed (1900 to ta l ports) Nra כscan repo rt 197.1*3 .1 68 .3 F ailed ♦o resolve given h o straee/IPr niwp. Note th a t you c a n 't use * / ■»»?«• AHO *1 -4 ,7 ,1 8 0 •• s ty le IP ranges. I the ■wchine only ha? an IPv6 address. add the Mnap -6 fla g to scan th a t. Host is up (0.000023s la te rc y ). Not shovn; 997 clo jed ports PORT STATE SEUVICE 22 /tcp o o e r lfilte r e d ss* 88/tcp o p e r | f i l t e ־ed kerbercs-se: 548 ׳tcp o p e r | f i lt e ־ed afp AKP from for f M ACAMrtu; Rgttd tifltfl f l i p f r w i C:\Progra■ * lie s <x!6)\ta a o 1 IP a d lres t (1 host up) scanned in 12.19 seconds Rat. paccets sent: 13S3 <S4.188*8) I Rcvd: 998 (39.908K8) FIGURE 3 .2 1 : Z e n m a p S h o w in g X m a s S c a n R e s u lt M o d u le 0 3 Page 3 10 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Scan J In FIN scan, attackers send a TCP frame to a remote host with only FIN flags set J FIN scan only with OS TCP/IP developed according to RFC 793 J“ * J It will not work against any current version of Microsoft Windows Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. £ > ל ------------ F IN S c a n FIN Scan is a t y p e o f p o r t scan. T h e c l i e n t s e n d s a FIN p a c k e t t o t h e t a r g e t p o r t , a n d if t h e se rv ic e is n o t r u n n i n g o r if t h e p o r t is c lo s e d it r e p lie s t o y o u w i t h t h e p r o b e p a c k e t w i t h an RST. FIN No Response Attacker 10.0.0.6 10.0.0.8:23 P o r t is o p e n FIGURE 3.22: FIN Scan when Port is Open M o d u le 0 3 Page 311 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Attacker 10.0.0.6 P o r t is c lo s e d FIGURE 3.23: FIN Scan when Port is Closed ־E H Zenmap Scan Joels Target grofik fcjdp [Scan: nmap 192.168.168.3 Command: » Cancel ■if•v nmap 192.168.168.3 Hosts OS * Host * 192.168.168.5 » 192.168.168.3 Nmap Output Ports / Hosts Topo*og> Host Details Scans « •if -v nmap 192.168.168.3 S ta r t i n g Nmp 6.01 ( h t t p :/ / n M p .o r g ) a t 2012-01-10 12:35 S tandard Tiae I n i t i a t i n g ARP Ping Scan a t 12:35 Scanning 192.1 6 * .1 6 1 .3 [1 p o rt] Completed ARP Ping Scan a t 12:35, 0 .0 7 s e la p se d (1 t o t a l h o s ts ) I n i t i a t i n g P a r a ll e l DNS re s o lu tio n o f 1 h o s t, a t 12:35 Completed P a r a ll e l 0NS r e s o lu t i o n o f 1 h o s t, a t 12:35, 0 .1 0 s ela p se d I n i t i a t i n g FIN Scan a t 12:35 Scanning 1 9 2 .1 6 0 .16S .3 [1000 p o rts ] In c re a s in g send dela y fo r 192.1 6 9 .1 6 8 .3 f r o • 0 t o 5 due t o 108 o u t o f 358 dropped probes s in c e l a s t in c re a s e . In c re a s in g send dela y f o r 192.1 6 8 .1 6 8 .3 fr o * 5 to 10 due to •a x _ s u c c e s s fu l_ try n o in c re a s e to 4 Completed FIN Scan a t 12:35, 11.78s ela p se d (1000 t o t a l p o r ts ) *toap scan re p o rt f o r 192.168.168.3 F a ile d t o re s o lv e g iven h o s tn a e « /IP : naap. Note t h a t you c a n 't use */ « a s k ־AND 4, 7, 100*1 ' •־s t y l e IP ra n g e s . I f th e ■achine only has an IPv6 a d d r e s s , add th e N«ap *6 f l a g t o scan t h a t . Host i s up (0.0000050s l a te n c y ) . Ugl-itHM?; 997 c lo s e d p o rts PORT STATE SERVICE 22/ t c p o p e n |f i i t e r e d ssh 88/ t c p o p e n j f i l t e r e d *cerperos• sec S 4 8 /tc p o p e n j f i l t e r e d afp *Ai.AMTtti; Rctti d i t l f l i t * ff g g j C :\P ro g ra • F ile s (x86)\N «ap Nwap done: 1 IP a d d re ss (1 h o s t up) scanned in 14.28 seconds Rat• p a c k e ts s e n t: 1378 (55.108K8) I Rcvd: 998 (39.908KB) FIGURE 3.24: Zenmap showing FIN Scan Result M o d u le 0 3 Page 312 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker N U L L Scan CEH P o rt is o p en TCP Packet with NO Flag Set 9H ^ No Response Attacker 10.0.0.6 In NULLscan, attackers send a TCP frame to a remote host with NO Flags NULLscan only works if OS' TCP/IP implementation is developed according to RFC 793 It will not work against any current version of Microsoft Windows N U L L S c a n NULL scans se n d TCP p a c k e ts w i t h all fla g s t u r n e d o f f . It is a s s u m e d t h a t c lo s e d p o r ts w i ll r e t u r n a TCP RST. P a ckets r e c e iv e d by o p e n p o r t s a re d is c a rd e d as in v a lid . It sets all fla gs o f TCP h e a d e rs , such as ACK, FIN, RST, SYN, URG a nd PSH, t o NULL o r u n a s s ig n e d . W h e n a n y p a c k e ts a r r iv e a t t h e s e rv e r, BSD n e t w o r k i n g c o d e i n f o r m s t h e k e r n e l t o d r o p t h e i n c o m i n g p a c k e t if a p o r t is o p e n , o r r e t u r n s an RST fla g i f a p o r t is clo s e d . This scan uses fla gs in t h e r e v e rs e fa s h io n as t h e X m a s scan, b u t gives t h e s a m e o u t p u t as FIN a n d X m a s t r e e scans. M a n y n e t w o r k c o d e s o f m a j o r o p e r a t i n g s y s te m s can b e h a v e d i f f e r e n t l y in t e r m s o f r e s p o n d in g t o t h e p a c k e t, e.g., M i c r o s o f t v e rs u s UNIX. This m e t h o d d o e s n o t w o r k f o r M i c r o s o f t o p e r a t i n g s y s te m s . C o m m a n d lin e o p t i o n f o r n u ll s c a n n in g w i t h N M A P is " - s N " Advantage: It a v o id s IDS a nd TCP t h r e e - w a y h a n d s h a k e . Disadvantage: It w o r k s o n l y f o r UNIX. M o d u le 0 3 Page 313 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker P o r t is o p e n T C P Packet with N O Flag Set ^ C E 31 ^ >י N o Response Attacker Server 10.0.0.6 10.0.0.8:23 FIGURE 3.25: NULL Scan when Port is Open P o r t is c lo s e d T C P Packet with N O Flag Set E מ f c _ 5 3 RST/ACK Attacker Server 10.0.0.6 10.0.0.8:23 FIGURE 3.26: NULL Scan when Port is Closed E lio ] Zenmap S c jn J o o ls T a rg e t: P ro file n m a p 192.168.168.3 Com m and: Scan * - s N •v n m a p 192.168.168.3 H o sts OS - x H ost — 192.168.168.5 *» 192.168.168.3 N m a p O u tp u t • P o r ts / H o s ts T o p o lo g y H o s t D e ta ils S ta n s s N - v n m a p 192.168.168.3 a Starting Nmap 6.01 ( http://nxap.org ) at 2012-08-10 12:41 •י Standard Tine Initiating ARP Ping Scan at 12:41 Scanning 192.168.16a.3 (1 port) Completed ARP Ping Scan at 12:41, 0.06s •lapsed <1 total hosts) Initiating Parallel DNS resolution of 1 host, at 12:41 Completed Parallel DNS resolution of 1 host, at 12141, 0.02s elapsed Initiating NULL Scan at 12:41 Scanning 192.168.168.3 [1000 ports) Increasing send delay for 192.168.168.3 froet 0 to S due to 21S out of 71S dropped probes since last increas*. Completed NULL Scan at 12:41, 8.23s elapsed (1000 total ports) Noap scan report for 192.168.168.3 Failed to resolve given hostnaxe/IP: nmap. Note that you can't use ‘/•ask* AND •1-4,7,100 '־style IP ranges. If the ■achine only has an IPv6 address, add the Naap -6 flag to scan that. Host is up (0.00s latency). Not shown: 997 closed ports PORT STATt SERVICE 22/tcp open|filtered ssh 88/tcp openjfiltered kerberos-sec 548/tcp openjfiltered afp MAC A fld r c n ; Read data files fro■: C:\Progran Files (x86)\Nmap Nn»«p done: 1 IP address (1 hostup) scannedin 10.66 seconds Ran packets sent: 1844(73.748KB) | Rcvd: 998 (39.908KB) FIGURE 3.27: Zenmap showing NULL Scan Result M o d u le 0 3 Page 3 14 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ID L E S ca n M o st n e tw o rk s e rv e rs listen o n TCP p o rts , su ch a s w e b s e rv e rs o n p o r t 80 a n d m ail s e rv e r s o n p o r t 25. P o rt is c o n s id e re d " o p e n " if a n a p p lic a tio n is listening o n th e p o rt O n e w ay to d e te r m in e w h e th e r a p o rt is o p e n is to s e n d a "SYN" (sessio n e s ta b lis h m e n t) p a c k e t to th e p o rt T he ta r g e t m a c h in e will s e n d back a "SYN | ACK" (sessio n r e q u e s t a c k n o w le d g m e n t) p a c k e t if th e p o rt is o p e n , a n d a n "RST" (R eset) p a c k e t if th e p o rt is clo sed t f CEH A m a c h in e t h a t re c e iv e s a n u n so lic ite d SYN | ACK p a c k e t will re s p o n d w ith an RST. An u n so lic ite d RST will b e ig n o re d Every IP p a c k e t o n th e I n te rn e t h a s a " f ra g m e n t id e n tific a tio n " n u m b e r (IP ID) OS in c re m e n ts th e IP ID fo r e a c h p a c k e t s e n t, th u s p ro b in g a n IP ID gives a n a tta c k e r th e n u m b e r o f p a c k e ts s e n t sin ce last p ro b e C o m m an d P rom pt C:\>nmap -Pn -p- -si wvrw.juggyboy.com www.certifiedhacker.com Starting Nmap ( http://nmap.org ) Idlescan using zombie www.3uggyboy.com (192.130.18.124:80); Class: Incremental Nmap scan report for 198.182.30.110 (The 40321 ports scanned but not Port State Service open 21/tcp ftp open smtp 25/tcp open 80/tcp http Nmap done: 1 IP address (1 host tip) scanned in 1931.23 seconds 3 Copyright © by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited. ID L E S c a n T h e id le scan is a TCP p o r t scan m e t h o d t h a t y o u can use t o s e n d a s p o o f e d s o u r c e a d d re s s t o a c o m p u t e r t o f i n d o u t w h a t s e rv ic e s a re a v a ila b le a n d o f f e r s c o m p l e t e b lin d s c a n n in g o f a r e m o t e h o s t. This is a c c o m p lis h e d b y i m p e r s o n a t i n g a n o t h e r c o m p u t e r . N o p a c k e t is s e n t f r o m y o u r o w n IP a d d re s s ; in s te a d , a n o t h e r h o s t is used , o f t e n ca lle d a " z o m b i e , " t o scan th e re m o te host and d e te rm in e th e o pe n p o r ts . T his is d o n e by e x p e c t i n g t h e s e q u e n c e n u m b e r s o f t h e z o m b ie h o s t a n d if t h e r e m o t e h o s t ch e c k s t h e IP o f t h e s c a n n in g p a r ty , t h e IP o f t h e z o m b ie m a c h in e w ill s h o w up. Understanding TCP/IP S o u rc e : h t t p : / / n m a p . o r g Id le s c a n n in g is a s o p h is t ic a t e d p o r t s c a n n in g m e t h o d . You d o n o t n e e d t o be a TCP/IP e x p e r t t o u n d e r s t a n d it. You n e e d t o u n d e r s t a n d t h e f o l l o w i n g basic fa c ts : Q M o s t o f t h e n e t w o r k s e rv e rs lis te n o n TCP p o r ts , such as w e b s e rv e rs o n p o r t 8 0 and m a il s e rv e rs o n p o r t 25. A p o r t is c o n s id e r e d " o p e n " if an a p p li c a t i o n is l is te n in g o n t h e p o r t ; o t h e r w i s e it is clo se d . M o d u le 0 3 Page 315 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s 9 Exam 3 1 2 -5 0 C ertified Ethical H acker T o d e t e r m i n e w h e t h e r a p o r t is o p e n , se nd a session e s t a b l i s h m e n t "S Y N " p a c k e t t o t h e p o r t . T h e t a r g e t m a c h in e r e s p o n d s w i t h a session r e q u e s t a c k n o w l e d g m e n t "SYN | ACK" p a c k e t if t h e p o r t is o p e n a n d a R eset "RST" p a c k e t if t h e p o r t is clo se d . 9 A m a c h in e t h a t r e c e iv e s an u n s o lic ite d SYN | ACK p a c k e t r e s p o n d s w i t h an RST. An u n s o lic it e d RST is ig n o r e d . 9 E ve ry IP p a c k e t o n t h e I n t e r n e t has a " f r a g m e n t i d e n t i f i c a t i o n " n u m b e r . M a n y o p e r a t i n g s y s te m s s i m p l y i n c r e m e n t t h is n u m b e r f o r e v e r y p a c k e t t h e y se n d . So p r o b i n g f o r th is n u m b e r can te ll an a t t a c k e r h o w m a n y p a c k e ts h a v e b e e n s e n t since t h e last p r o b e . F ro m th e s e fa c ts , it is p o s s ib le t o scan a t a r g e t n e t w o r k w h i l e f o r g i n g y o u r i d e n t i t y so t h a t it lo o k s like an i n n o c e n t " z o m b i e " m a c h in e d id t h e s c a n n in g . Command Prompt a FIGURE 3.28: Nmap Showing Idle Scan Result M o d u le 0 3 Page 316 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker CEH I D L E S c a n : S te p 1 Every IP p a c k e t o n th e I n te rn e t h as a f ra g m e n t id e n tific a tio n n u m b e r (IP ID), w hich increases eve ry tim e a host sends; IP packet יי 4 Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Attacker RST Packet Zombie FIGURE 3.29: IPID Probe Request and Response Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number In t h e f i r s t ste p , y o u can se n d a session e s t a b l i s h m e n t "S YN" p a c k e t o r IPID p r o b e t o d e t e r m i n e w h e t h e r a p o r t is o p e n o r clo s e d . If t h e p o r t is o p e n , t h e " z o m b i e " r e s p o n d s w i t h a session r e q u e s t a c k n o w l e d g m e n t "SYN | ACK" p a c k e t c o n t a i n i n g t h e IPID o f t h e r e m o t e h o s t m a c h in e . If t h e p o r t is c lo s e d , it se nd s a re s e t "RST" p a c k e t. E v e ry IP p a c k e t o n t h e I n t e r n e t has a " f r a g m e n t i d e n t i f i c a t i o n " n u m b e r , w h i c h is i n c r e m e n t e d by o n e f o r e v e r y p a c k e t tr a n s m is s io n . In t h e a b o v e d ia g r a m , t h e z o m b ie r e s p o n d s w i t h M o d u le 0 3 Page 317 IPID=31337. Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker I D L E S c a n : S te p 2 a n d 3 CEH Step 2 J Send SYN packet to the target machine (port 80) spoofing the IP address of the "zombie" J If the port is open, the target will send SYN/ACK Packet to the zombie and in response zombie sends RSTto the target J If the port is closed, the target will send RST to the "zombie" but zombie will not send anything back SYN Packet to port 80 spoofing zombie IP address 4V C Attacker r t o s f f i S S * 5 "■ ״T ״e" Zom bie Step 3 P o r t is o p e n m j ; IPID Probe SYN / ACK Packet J Probe "zombie" IPID again Response: IPID=31339 RST Packet IPID incremented by 2 since Step 1, so port 80 must be open A tta c k e r Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. ID L E S c a n : S te p 2 a n d 3 I d l e S c a n : S te p 2 .1 ( O p e n P o r t ) " Send a SYN p a c k e t t o t h e t a r g e t m a c h in e ( p o r t 80) s p o o f i n g t h e IP a d d re s s o f t h e " z o m b i e . " If t h e p o r t is o p e n , t h e t a r g e t w ill se n d t h e S Y N /A C K p a c k e t t o t h e z o m b ie a n d in r e s p o n s e t h e z o m b ie se nd s t h e RST t o t h e t a r g e t . SYN Packet to port 80 spoofing zombie IP address m QOO Attacker Target Zombie P o rt is o p e n FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open I d l e S c a n : S te p 2 .2 ( C l o s e d P o r t) T h e t a r g e t w i ll se nd t h e RST t o t h e " z o m b i e " if t h e p o r t is c lo s e d , b u t t h e z o m b ie w ill M o d u le 0 3 Page 318 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker n o t se nd a n y t h i n g back. SYN Packet to p ort 80 m spoofing zombie IP address Attacker I-4 ״״ ........... ......... .................... Target P o r t is c lo s e d Zombie FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed I d l e S c a n : S te p 3 P ro b e t h e " z o m b i e " I PI D again. IPID P r o b e S Y N / A C K Packet R e sponse: IP I D = 3 1 3 3 9 R S T Packet Attacker IPID incremented by 2 since Step 1, Zombie so p o r t 8 0 m u s t b e o p e n FIGURE 3.32: IPID Probe Request and Response M o d u le 0 3 Page 319 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s I C J M Exam 3 1 2-50 C ertified Ethical H acker P E c h o S c a n n i n g / L i s t T h is is n o t r e a l ly p o r t s c a n n i n g , s i n c e IC M P J J C E H T h is t y p e o f s c a n s i m p l y g e n e r a t e s a n d d o e s n o t h a v e a p o r t a b s tra c tio n p r i n t s a li s t o f I P s / N a m e s w i t h o u t a c t u a l l y B u t it is s o m e t i m e s u s e f u l t o d e t e r m i n e p in g in g o r p o r t s c a n n in g t h e m w h i c h h o s t s in a n e t w o r k a r e u p b y p i n g i n g J t h e m all J S c a n A D N S n a m e r e s o l u t i o n w ill a l s o b e c a r r i e d out nmap -P cert.org/24 152.148.0.0/16 Zenmap 1 ^ 2 Zenmap V|n look £rofit* fcl«*p Target »ו.ו68.ז60.צ - ProMt jj«ianj Command n,n»ptl •v192I68.I66S Mott* S*rvK«» NmapOutput Po׳tt/Me«t Tepol&y, Scam ׳י OS- Moit « nmap•11•vI92.IM.16&5 S ta rtin g M ra p 6 .6 1 < h ttp ://n a a p .o rf ) a t M l? Ml• lltM •• •duraTin* Initiating rall•) llelD0M NSreressoolulutio tionno0 C aaplatedPP aara f♦11hh oo »t.«.a•tt 11 3J:5S 44, e.«41flapvtd W rap*canraport for 1*2.166.161.5 Nmb don■; 1IP•ddrats <0hoitt up) icannadin 6.66 Mtondt Ml«rHoitt U M Scan loots Profile M «lp Ttrgtc 192.166.1^6 v| Profile: [ [«j |$<an C*nc< Command nmap tn192.16&1.26 Moat Sffvktt NmapOutput Ports/HoM ׳Topology Hort D*ta* S<am nm<p tnW.168.U6 0$ « Ho* ״ CM ** Start Inc Nrwp 6.61 ( tittplZ/nMp.o*? ) *r 2612 61 15 IB:17 •• ־.tnnflnra rlnr K im u 1 IP *iftlr«h'v (lnott ut>) tCM M MIn 16.37 f !׳UrH oM S V List Scan \ A Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited IC M P E c h o S c a n n in g /L is t S c a n IC M P e c h o s c a n n in g is u sed t o d is c o v e r liv e m a c h in e s b y p i n g i n g a ll t h e m a c h in e s in t h e t a r g e t n e t w o r k . A t t a c k e r s s e n d IC M P p r o b e s t o t h e b r o a d c a s t o r n e t w o r k a d d re s s w h i c h is r e la y e d t o all t h e h o s t a d d re s s e s in t h e s u b n e t . T h e live s y s te m s w i ll s e n d IC M P e c h o r e p ly m e s s a g e t o t h e s o u r c e o f IC M P e c h o p r o b e . IC M P e c h o s c a n n in g is used im p le m e n ta tio n s in th e s e in U N IX /L in u x a n d o p e ra tin g s y s te m BSD -based responds to m a c h in e s as t h e TCP/IP sta c k th e ICMP e c h o r e q u e s ts t o t h e b r o a d c a s t a d d re sse s. This t e c h n i q u e c a n n o t be used in W i n d o w s b ase d n e t w o r k s as t h e TCP/IP s ta c k i m p l e m e n t a t i o n in w i n d o w s m a c h in e s is c o n f i g u r e d , b y d e f a u l t , n o t t o r e p ly IC M P p r o b e s d ir e c t e d t o t h e b r o a d c a s t a d d re ss. IC M P e c h o s c a n n in g is n o t r e f e r r e d to as p o r t s c a n n in g since it d o e s not h a ve a p ort a b s t r a c t io n . IC M P e c h o s c a n n in g is u s e fu l t o d e t e r m i n e w h i c h h o s ts in a n e t w o r k a re a c tiv e by p in g in g t h e m all. T h e a c tiv e h o s ts in t h e n e t w o r k is d is p la y e d in Z e n m a p as " H o s t is u p (0 .0 2 0 s l a t e n c y ) . " You can o b s e r v e t h a t in t h e s c r e e n s h o t : M o d u le 0 3 Page 3 20 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ^ L - r e —l Zenmap Scan T o o ls T a rg et: P ro file H elp 192.168.1.26 C om m and: H o sts Profile: S can C an c el n m a p -s n 192.168.1.26 S ervices N m a p O u tp u t P o rts /H o s ts T o p o lo g y H o s t D etails S can s *| i n m a p -s n 192.168.1.26 OS < H o st D etails 192.168.1.26 S t a r t i n g Nmap 6 . 0 1 ( h t t p : / / n m a p . o r g ) a t 2 0 1 2 - 0 8 - 1 3 1 8 :3 7 S t a n d a r d T im e Nmap s c a n r e p o r t f o r 1 9 2 . 1 6 8 . 1 . 2 6 |H o s t i s u p ( 0 . 0 0 2 0 s l a t e n c y ) ■~| Nmap d o n e : 1 I P a d d r e s s ( 1 h o s t u p ) s c a n n e d i n 1 6 . 5 7 seconds Filter H o sts FIGURE 3.33: Zenmap showing ICMP Echo Scanning Result In a list scan, d is c o v e r y o f t h e a c tiv e h o s t in t h e n e t w o r k is d o n e in d i r e c t l y . A list scan s im p ly g e n e r a t e s a nd p r i n t s a list o f IP s /N a m e s w i t h o u t a c t u a lly p in g in g t h e h o s t n a m e s o r p o r t s c a n n in g t h e m . As a re s u lt, t h e list scan o u t p u t o f all t h e IP a d d re s s e s w ill be s h o w n as " n o t s c a n n e d ," i.e., (0 h o s ts up). By d e f a u l t , a r e v e r s e DNS r e s o lu t i o n is still b e in g c a r r ie d o u t o n t h e h o s t b y N m a p f o r le a r n in g t h e i r n a m e s . Zenmap Scan lo o ls {Help 192.168.168.5 Target C om m and: H o sts OS - E ro file Profile: C ancel n m a p -sL -v 192.168.168.5 S ervices H o st N m a p O u tp u t P o rts /H o s ts T o p o lo g y H o s t D etails n m a p - s L - v 192.168.168.5 S can s "vj | D etails Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 13:54 idard Tit!* Initiating Parallel DNS resolution of 1 host, at 13:54 Completed Parallel DNS resolution of 1 host, at 13:54, 0.04s elapsed Nmap scan report for 192.168.168.5 Nmap done: 1 IP address (0 hosts up) scanned in O.06 seconds Filter H o sts FIGURE 3.34: Zenmap showing List Scanning Result Advantage: 9 A list scan can p e r f o r m a g o o d s a n ity ch eck. 9 T h e i n c o r r e c t l y d e f i n e d IP a d d re s s e s o n t h e c o m m a n d lin e o r in an o p t i o n file a re d e t e c t e d b y t h e list scan. T h e d e t e c t e d e r r o r s s h o u ld be r e p a i r e d p r i o r t o r u n n i n g any " a c t i v e " scan. M o d u le 0 3 Page 321 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker CEH U D P S c a n n in g Are you open on UDP Port 29? .............................................*■ No response if port is ................... * 1 % ........... I s s ______ j If Port is Closed, an ICMP Port unreachable message is received S erv er UDP Port Open T h e r e is n o t h r e e - w a y TCP h a n d s h a kke fo r UDP sc a n © T h e s y s t e m d o e s n o t r e s p o n d w ith a m e s s a g e w h e n t h e p o r t is o p e n UDP Port Closed e if a U D P p a c k e t is s e n t t o c l o s e d p o r t , t h e s y s t e m r e s p o n d s w ith IC M P p o r t u n re a c h a b le m e ss a g e © S p y w a r e s , T ro ja n h o r s e s , a n d o t h e r m a lic io u s a p p l i c a t i o n s u s e U D P p o r t s U D P S c a n n in g UDP Raw ICMP Port Unreachable Scanning UDP p o r t s c a n n e rs use t h e U DP p r o t o c o l in s te a d o f TCP, a n d can be m o r e d i f f i c u l t t h a n TCP s c a n n in g . You can s e n d a p a c k e t, b u t y o u c a n n o t d e t e r m i n e t h a t t h e h o s t is a liv e o r d e a d o r f i l t e r e d . H o w e v e r , t h e r e is o n e IC M P t h a t y o u can use t o d e t e r m i n e w h e t h e r p o r ts a re o p e n o r c lo s e d . If y o u s e n d a UDP p a c k e t t o a p o r t w i t h o u t an a p p li c a t i o n b o u n d t o it, t h e IP sta c k w ill r e t u r n an IC M P p o r t u n r e a c h a b l e p a c k e t . If a n y p o r t r e t u r n s an IC M P e r r o r , t h e n it's clo s e d , w h i l e t h e p o r ts t h a t d i d n ' t a n s w e r a re e i t h e r o p e n o r f i l t e r e d by t h e f i r e w a l l . T his h a p p e n s b e c a u s e o p e n p o r ts d o n o t h a ve t o s e n d an a c k n o w l e d g e m e n t in re s p o n s e t o a p r o b e , a n d c lo s e d p o r ts a re n o t e v e n r e q u i r e d t o se n d an e r r o r p a c k e t. UDP Packets S o u rc e : h t t p : / / n m a p . o r g W hen you se n d a packet to a c lo s e d UDP p o rt, m ost of th e h o s ts se nd an IC M P _ P O R T _ U N R E A C H e r r o r . T hu s, y o u can f i n d o u t if a p o r t is N O T o p e n . N e i t h e r UDP p a c k e ts n o r t h e IC M P e r r o r s a re g u a r a n t e e d t o a rr iv e , so UDP s c a n n e rs o f th is s o r t m u s t also i m p l e m e n t t h e r e t r a n s m is s io n o f p a c k e ts t h a t a p p e a r lost. UDP s c a n n e rs i n t e r p r e t lo s t t r a f f i c as o p e n p o r ts . M o d u le 0 3 Page 322 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker In a d d it io n , t h is s c a n n in g t e c h n i q u e is s lo w b e c a u s e o f l i m i t i n g t h e IC M P e r r o r m e s s a g e r a te as c o m p e n s a t io n t o m a c h in e s t h a t a p p ly RFC 1 8 1 2 s e c tio n 4 .3 .2 .8 . A r e m o t e h o s t w i ll n e e d t o access t h e r a w IC M P s o c k e t t o d is t in g u is h c lo s e d f r o m u n r e a c h a b l e p o r ts . UDP RECVFROM () and WRITE () Scanning W h i l e n o n - r o o t users c a n n o t re a d p o r t u n r e a c h a b le e r r o r s d ir e c t ly ; L in ux i n f o r m s y o u i n d i r e c t l y w h e n t h e y r e c e iv e m essages. Example For e x a m p le , a s e c o n d w r i t e () call t o a c lo s e d p o r t w i ll u s u a lly fa il. A l o t o f s ca n n e rs , such as N e t c a t a n d Pluvial p scan .c d o r e c v f r o m () o n n o n - b l o c k i n g UDP so c k e ts , u s u a lly r e t u r n EAGAIN ( " T r y A g a in ," e rrn o 13) if t h e IC M P e rro r has not been re c e iv e d , and ECONNREFUSED ( " C o n n e c t i o n r e f u s e d , " e r r n o 1 11), if it has. T his is t h e t e c h n i q u e used f o r d e t e r m i n i n g o p e n p o r t s w h e n n o n - r o o t u sers use -u (UDP). R o o t u sers can also use t h e -I ( la m e r UDP scan) o p t i o n s t o f o r c e th is . Advantage: T h e UDP scan is less i n f o r m a l r e g a r d in g an o p e n p o r t , since t h e r e ' s n o o v e r h e a d o f a TCP h a n d s h a k e . H o w e v e r , i f IC M P is r e s p o n d i n g t o e a ch u n a v a ila b le p o r t , t h e n u m b e r o f t o t a l f r a m e s can e x c e e d a TCP scan. M ic r o s o f t - b a s e d o p e r a t i n g s y s te m s d o n o t u s u a lly i m p l e m e n t a n y t y p e o f IC M P r a te li m i t i n g , so t h i s scan o p e r a t e s v e r y e f f i c i e n t l y o n W i n d o w s - b a s e d d e vice s. Disadvantage: T h e UDP scan p r o v id e s p o r t i n f o r m a t i o n o n ly . If a d d it io n a l v e r s io n i n f o r m a t i o n is n e e d e d , t h e scan m u s t be s u p p l e m e n t e d w i t h a v e r s io n d e t e c t i o n scan (-sV) o r t h e o p e r a t i n g s y s te m fin g e rp rin tin g o p tio n (-0 ). T h e UDP scan r e q u ir e s p r iv ile g e d access, so th is scan o p t i o n is o n l y a v a ila b le o n s y s te m s w i t h t h e a p p r o p r i a t e u s e r p e r m is s io n s . M o s t n e t w o r k s h a v e h u g e a m o u n t s o f TCP t r a f f i c ; as a re s u lt, t h e e f f i c i e n c y o f t h e UDP scan is lost. T h e UDP scan w ill lo c a te th e s e o p e n p o r ts a n d p r o v id e t h e s e c u r it y m a n a g e r w i t h v a lu a b le i n f o r m a t i o n t h a t can be used t o i d e n t i f y th e s e in v a s io n s a c h ie v e d by t h e a t t a c k e r o n o p e n UDP p o r t s ca u s e d b y s p y w a r e a p p lic a tio n s , T r o ja n h orses, a n d o t h e r m a lic io u s s o f t w a r e . Are you open on UDP Port 29? No response if port is Open ................................................ If Port is Closed, an ICMP Port unreachable message is received A tta c k e r □c di S e rv e r FIGURE 3.35: UDP Scanning M o d u le 0 3 Page 323 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker L2_ו פ ו Zenmap Jooli Scant Cancel v Details * -sll -v nmap 192.168.168.3 N m a p Output Ports /Hosts Topok>9> Host Detaih Scans Services OS - Host 192 168.168.5 192.168.168.3 4 1 Hosts » Profile: nmip 192.168.168.3 Command; x tjelp •1 Target Profile c < S<an 192.168.168.3 Starting Nmap 6.01 ( http://na1ap.org ) at 2012 08 10 12:47 Standard Time Initiating ARP Ping Scan at 12:47 Scanning 192.168.168.3 [1 port] Completed ARP Ping Scan at 12:47, 0.06s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host, at 12:47 Completed Parallel DNS resolution of 1 host, at 12:47, 0.02s elapsed Initiating LOP Scan at 12:47 Scanning 192.168.168.9 [1000 ports) Discovered open port 53S3/udp on 192.168.168.3 Discovered open port 137/udp on 192.168.168.3 Discovered open port 123/udp on 192.168.168.3 Increasing send delay for 192.168.168.3 * r o o t 0 to SO due to 216 out of 719 dropped probes since last increase. Completed UOP Scan at 12:47, 19.66s elapsed (1000 total ports) Nmap scan report for 192.168.168.3 Failed to resolve given hostnaae/IP: nmap. Note that you can't use ,/mask' AND •1-4,7,100-• style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that. Host is up (0.000063s latency). Not shown: 994 closed ports PORT STATE SfRVICf 88/udp open|filtered kerberos-sec 123/udp open ntp 137/udp open netbios-ns 138/udp open|filtered netbios-dga S3S3/udp open zeroconf S8178/udp open|filtered unknown MAC Address: Read data file s fro■; c:\Program Files (x86)\Nmap Nmap done: 1 IP address (1 host up) scanned in 22.09 seconds Ra» packets sent: 1839 (52.401KB) I Rcvd: 998 (S6.06SK8) Filter Host* FIGURE 3.36: Zenmap showing UDP Scanning Result M o d u le 0 3 Page 324 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s I n v e r s e Exam 3 1 2-50 C ertified Ethical H acker T C P F l a g S c a n n i n g CEH (•rtifwd itk itjl Attackers send TCP probe packets with various TCP flags (FIN,URG,PSH) set or with no flags, no response means port is open and RST/ACK means the port is closed Probe Packet (FIN/URG/PSH/NULL) No Response Attacker Port is open Probe Packet (FIN/URG/PSH/NULL) RST/ACK Attacker Port is closed Copyright © by EG-Gtnncil. All Rights Reserved. Reproduction Is Strictly Prohibited. In v e rs e T C P — F la g S c a n n in g A t t a c k e r s se n d t h e TCP p r o b e p a c k e ts b y e n a b lin g v a r io u s TCP fla g (FIN, URG, PSH) o r w i t h n o fla gs. W h e n t h e p o r t is o p e n , t h e a t t a c k e r d o e s n ' t g e t a n y r e s p o n s e f r o m t h e h o s t, w h e r e a s w h e n t h e p o r t is c lo s e d , he o r she re c e iv e s t h e R ST /A C K f r o m t h e t a r g e t h o s t. T h e SYN p a c k e ts t h a t a re s e n t t o t h e s e n s itiv e p o r ts o f t h e t a r g e t e d h o s ts a re d e t e c t e d b y using s e c u r it y m e c h a n is m s such as f i r e w a l l s a n d IDS. P r o g r a m s such as S y n lo g g e r a n d C o u r t n e y a re a v a ila b le t o log h a l f - o p e n SYN fla g scan a t t e m p t s . A t t i m e s , t h e p r o b e p a c k e ts e n a b le d w i t h TCP fla g s can pass t h r o u g h f i l t e r s u n d e t e c t e d , d e p e n d i n g o n t h e s e c u r it y m e c h a n is m s in s ta lle d . P r o b in g a t a r g e t u s in g a h a l f - o p e n SYN fla g is k n o w n as an in v e r t e d t e c h n i q u e . It is ca lle d th is b e c a u s e t h e c lo s e d p o r ts can o n l y s e n d t h e r e s p o n s e back. A c c o r d i n g t o RFC 7 9 3 , A n RST/ACK p a c k e t m u s t be s e n t f o r c o n n e c t i o n re s e t, w h e n t h e p o r t is c lo s e d o n h o s t side. A tta ck e rs ta ke a d v a n ta g e o f th is f e a t u r e t o s e n d TCP p r o b e p a c k e ts t o e a c h p o r t o f t h e t a r g e t h o s t w i t h v a r io u s TCP fla gs set. C o m m o n fla g c o n f i g u r a t io n s used f o r p r o b e p a c k e t in c lu d e : 9 A FIN p r o b e w i t h t h e FIN TCP fla g se t 9 A n X M A S p r o b e w i t h t h e FIN, URG, a n d PUSH TCP fla g s set 9 A NULL p r o b e w i t h n o TCP fla g s se t M o d u le 0 3 Page 325 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s © Exam 3 1 2 -5 0 C ertified Ethical H acker A SYN/ACK p r o b e All t h e c lo s e d p o r t s o n t h e t a r g e t e d h o s t w i ll s e n d an RST/ACK r e s p o n s e . Since t h e RFC 793 s t a n d a r d is c o m p l e t e l y ig n o r e d in t h e o p e r a t i n g s y s te m such as W i n d o w s , y o u c a n n o t see t h e RST/ACK r e s p o n s e w h e n c o n n e c t e d t o t h e c lo s e d p o r t o n t h e t a r g e t h o s t. T his t e c h n i q u e is e f f e c t i v e w h e n u sed w i t h U N IX -b a s e d o p e r a t i n g s y s te m s . Advantages Q A v o id s m a n y IDS a nd lo g g in g s y s te m s , h ig h ly s t e a l t h y Disadvantages Q N e e d s r a w access t o n e t w o r k so c k e ts , t h u s r e q u i r in g s u p e r - u s e r p riv ile g e s Q M o s t l y e f f e c t i v e a g a in s t h o s ts u sin g a B S D -d e riv e d TCP/IP sta c k ( n o t e f f e c t i v e a g a in s t M i c r o s o f t W i n d o w s h o s ts in p a r t ic u la r ) Probe Packet (FIN/URG/PSH/NULL) No Response Attacker P o r t is o p e n Target Host FIGURE 3.37: Inverse TCP Flag Scanning when Port is Open Probe Packet (FIN/URG/PSH/NULL) RST/ACK Attacker Target Host P o r t is c l o s e d FIGURE 3.38: Inverse TCP Flag Scanning when Port is Closed M o d u le 0 3 Page 3 26 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker A C K F la g S c a n n in g Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. A C K F la g S c a n n in g A s t e a l t h y t e c h n i q u e is used f o r i d e n t i f y i n g o p e n TCP p o r t s . In t h is t e c h n i q u e a TCP p a c k e t w i t h ACK fla g ON is s e n t t o t h e r e m o t e h o s t a n d t h e n t h e h e a d e r i n f o r m a t i o n o f t h e RST p a c k e ts s e n t by r e m o t e h o s t a re a n a ly z e d . U sing t h is t e c h n i q u e o n e can e x p l o i t t h e p o t e n t ia l v u ln e r a b i l it ie s o f BSD d e r iv e d TCP/IP sta ck. T his t e c h n i q u e g ive s g o o d r e s u lts w h e n used w i t h c e r t a i n o p e r a t i n g s y s te m s a n d p la t f o r m s . ACK s c a n n in g can be p e r f o r m e d in t w o w a y s : Q TTL f ie ld a n a n ly s is © W I N D O W fi e ld a na lysis U sing TTL v a lu e o n e can d e t e r m i n e t h e n u m b e r o f s y s te m s t h e TCP p a c k e t tr a v e r s e s . You can s e n d an ACK p r o b e p a c k e t w i t h r a n d o m s e q u e n c e n u m b e r : n o r e s p o n s e m e a n s p o r t is f i l t e r e d (s ta te f u ll f i r e w a l l is p r e s e n t) a n d RST re s p o n s e m e a n s t h e p o r t is n o t f i l t e r e d , nm ap - s A -P 0 S ta r t in g nm ap 5 . 2 1 A ll 529 1 0 .1 0 .0 .2 5 (h t t p : / / n m a p . o r g ) scanned p o rts M o d u le 0 3 Page 327 on 1 0 .1 0 .0 .2 5 a t 2 0 1 0 -0 5 -1 6 a re : filte r e d 1 2 :1 5 EST Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker S t a t e f u l F i r e w a l l is P r e s e n t Probe Packet (ACK) ♦א No Response Attacker Target Host FIGURE 3.39: ACK Flag Scanning when Stateful Firewall is Present N o F ir e w a ll Probe Packet (ACK) I TLT I ................................................... RST Attacker Target Host FIGURE 3.40: ACK Flag Scanning when No Firewall is Present Z e n m a p Scgn lo o k T.rgrt: Profit♦ Help nm ip 192.168.168.5 Command: H osts v Profile Scan Cancel * ■sA ■v •Pn nmap 1941 68.168.5 Services N m ap O utput P o r ts /H o s ts Topology H ost Detaih Scans * -sA-v -Pn nmap 192.168.168.5 details Starting M a p 6.01 ( http://nMp.org ) at 2012-08-10 13:09 Standard Tine Initiating ARP Ping Scan at 13:10 Scanning 192.16*.160.5 [1 port] Completed ARP Ping Scan at 13:10, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host, at 13:10 Completed Parallel ONS resolution of 1 host, at 13:10, 0.10s elapsed Initiating ACK Scan at 13:10 Scanning 192.16*.168.5 [1000 ports] Completed ACK Scan at 13:10, 21.38s elapsed (1000 total ports) Knap scan report for 192.16*.168.5 Failed to resolve given hostnanc/lP: naap. Note that you can’t use ,/■ask' ANO ■1-4,7,100-• style IP ranges. If the ■achine only has an IPv6 address, add the Nnap ■6 flag to scan that. Host is *>p 10. W 1es l a t e n t , ) . _____________________________ IAll 1000 scanned ports on 192.168.168.S are filteredl MAC Address: Read f i l e ! f r v • ; C:\Progr•• Files ( x 8 6 ) \ m m p done; l IP address (1 host up) scanned in 23.90 seconds Rax packets sent: 2001 (80.O28K8) | Rcvd: 1 (288) f la t * filler Hosts FIGURE 3.41: Zenmap showing ACK Flag Scanning Result M o d u le 0 3 Page 328 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S c a n n in g T o o l: N e tS c a n T o o ls P r o C E H myre&uUsdat^base-NetScanToob©Pro11.00 2 fit Edt Accesatolly r»J> Manual 15ד0כ- networkCcnrecton E-dxrts 9 Automated05״־ ( Rsfren □ciicUyFulPfKessPaths I PsccrrectAl 1CP ] ך Usccrrect nermte1CP]”י Jjrp דAutorrcited ] ח£t«cW fUcftrftwh MfiC 193C 10'° ־ 0 lol<״a'ufa״.re־ TCF.UOP ComeCQcn Enfant List Local IP 0.0.0.0 1nec1nfo.exe flMworitInlctf«e»4rd5\<tnl'r״. sycr.osz• cxs Systea inee nfo.exe O.O.0.0 0.0.0.0 1 0 .0 .0 .0 0.0.0.0 STacea Nstworkl c* i \vrrtw Mn etrolro'cntrt s 0.0.0.0 O.O.0.0 Se•Sre.exe D U lI V U l. t x t ־׳OKXCO 109b 1 l. ״r.wo-<r yT.»» HawroL>Mvay locto 1 0.0.0.0 3bacr?.«x« IVChO K.IXI CMSfuv» *XKrt irvdזonb 8coeS«zv.«xt 5tot5c1v.exe s '« rS :rv .c x e 1388 TC 2OS2 TC 2092 TC 2092 TC 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 127.0.0.1 1 2 7.0.0 .1 1 2 7 .0 .0 .1 127.0.0.1 Syat•® S73c«i S v s .w Local lore Reaote | http| 80 0.0.0.0 )cpxag( 135 )MS (UlCEOSOCt-dS' 102S (blackjack( !)לpptp( 23 )oy M rcanw bccc ( 2638 lc » lh p ( 2069( ח4£)) רpcsync-https web5( 9090«( ) »ל»עofll )unknown! 31038 )unknown! 34571 )unknown| 04572 34S73 !unknown( 80 |http| 00 IhttpI 00 ihttpi 80 1 r 0.0. 0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 . 0 . D.O 1 2 7 .0 .0 .1 ג2ד.0.0.1 1 2 7 .0 .0 .1 127.0.0.1 txtema! lods Progmli^o http://www.netscantoo1s.com loop Copyright 6 by EG-CSUICil. A il Rights Reserved. Reproduction is Strictly Prohibited. S c a n n in g T o o l: N e tS c a n T o o ls P ro S o u rc e : h t t p ://w w w .n e ts c a r 1tools.com N etS can T o o ls Pro is an i n v e s t i g a t i o n t o o l . It a llo w s y o u t o t r o u b l e s h o o t , m o n i t o r , d is c o v e r , a n d d e t e c t d e v ic e s o n y o u r n e t w o r k . You can g a t h e r i n f o r m a t i o n a b o u t t h e local LAN as w e l l as I n t e r n e t users, IP a d d re s s e s , p o r ts , e tc . u sin g t h is t o o l . You can f i n d v u ln e r a b i l it ie s a n d e x p o s e d p o r t s in y o u r s y s te m . It is t h e c o m b i n a t i o n o f m a n y n e t w o r k t o o l s a nd u t i l i t i e s . T h e t o o l s a re c a te g o r iz e d b y f u n c t i o n s such as a c tiv e , passive, DNS, a n d local c o m p u t e r . Active Discovery and Diagnostic Tools: U sed f o r t e s t i n g a n d l o c a tin g d e v ic e s t h a t a re c o n n e c te d to y o u r n e tw o rk . Passive Discovery Tools: M o n i t o r s t h e a c tiv it ie s o f t h e d e v ic e s t h a t a re c o n n e c t e d t o y o u r n e t w o r k a n d also g a th e r s i n f o r m a t i o n f r o m t h i r d p a r tie s . DNS Tools: Used t o d e t e c t p r o b l e m s w i t h DNS. Local Computer and General Information Tools: P ro v id e s d e ta ils a b o u t y o u r local c o m p u t e r ' s n e tw o rk . Benefits: e T h e i n f o r m a t i o n g a t h e r i n g p ro c e s s is m a d e s i m p l e r a n d f a s t e r b y a u t o m a t i n g t h e use o f m a n y n e t w o r k t o o ls M o d u le 0 3 Page 329 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s 9 Exam 3 1 2 -5 0 C ertified Ethical H acker P ro d u c e s t h e r e s u lt r e p o r t s in y o u r w e b b r o w s e r c le a rly m y re s u lts d a ta b a s e - N etS canT ools® P ro 1 1 .0 0 • File Edit Accessibility View Help Welcome Manual Tools - Network Connection Endpoints Automated Tools Manual Tools (all) Refresh 0 Display Full Process Paths 0 1 sec O Enable AutoRefresh -־J— MAC Address to Manufacturer Disconnect All TCP Add Note Jump To Automated 10 sec I Disconnect Remote TCP Double-click ₪ Enable TCP Disconnects IPv4© IP v 6 0 TCP/UDP Connection Endpoint List Network Connection Endpoints Network Interfaces and Statistics m Network Interfaces - Wireless Network Shares - SMB Favorite Tools Active Discovery Tools Passive Discovery Tools DNS Tools Packet Level Tools External Tools Program Info Process inetinf0.exe svchost.exe System inetinf0.exe System dbsrv9.exe svchost.exe SemSvc.exe SemSvc.exe agent.exe DkService.exe StorServ.exe StorServ.exe StorServ.exe System System System System PID Protocol TCP 252 TCP 4 TCP 1100 TCP 4 TCP 1216 TCP 932 TCP 4068 TCP 4068 TCP 920 TCP 1388 TCP 2092 TCP 2092 TCP 2092 TCP 0 TCP 0 TCP 0 TCP 0 TCP 1100 n 'r r n Local IP Reports חAdd to Favorites 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Local Port 80 (http) 13S (epmap) 445 (microsoft-ds) 1025 (blackjack) 1723 (pptp) 2638 (sybaseanywhere) 2869 (icslap) 8443 (pcsync-https) 9090 (websm) 9876 (sd) 31038 (unknown) 34571 (unknown) 34572 (unknown) 34573 (unknown) 80 (http) 80 (http) 80 (http) 80 (http) ו0 ר> ל״n on 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 ו Remote IP 0 .0 .0 .0 0 .0 .0 .0 Li) 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 0 .0 .0 .0 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 1 ל״<׳ft ft ו נ < A 0 .0 .0 .0 > NUM For Help, press Fl FIGURE 3.42: NetScan Tools Pro Screenshot M o d u le 0 3 Page 3 30 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S c a n n in g T o o ls C E H Global Network Inventory Scanner PRTG Network Monitor http://www.paessler.com i— N.I1WI http://www.magnetosoft.com SoftPerfect Network Scanner Net Tools http://mabsoft.com http://www.softperfect.com IP Tools E - Advanced Port Scanner http://www.ks-soft.net http://www.radmin.com MegaPing ט ט ט □□ם http://www.magnetosoft.com Network Inventory Explorer Netifera http://netifera.com Free Port Scanner http://www.10-strike.com http://www.nsauditor.com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. =*~=■־ S c a n n in g t o o l s ping com puters, scan fo r listening TCP/UDP ports, and display th e ty p e o f resources shared on th e n e tw o rk (including system and hidden). T h e a t t a c k e r m a y a t t e m p t t o la u n c h a tta c k s a g a in s t y o u r n e t w o r k o r n e t w o r k r e s o u r c e s b ase d o n t h e i n f o r m a t i o n g a t h e r e d w i t h t h e h e lp o f s c a n n in g to o ls . A fe w o f th e scanning to ols th a t can d ete ct active ports on th e systems are listed as fo llo w s: 9 PRTG N e t w o r k M o n i t o r a v a ila b le a t h t t p : / / w w w . p a e s s l e r . c o m 9 N e t T o o ls a v a ila b le a t h t t p : / / m a b s o f t . c o m 9 IP T o o ls a v a ila b le a t h t t p : / / w w w . k s - s o f t . n e t 9 M e g a P in g a v a ila b le a t h t t p : / / w w w . m a g n e t o s o f t . c o m 9 N e t w o r k I n v e n t o r y E x p lo r e r a v a ila b le a t h t t p : / / w w w . 1 0 - s t r i k e . c o m 9 G lo b a l N e t w o r k I n v e n t o r y S c a n n e r a v a ila b le a t h t t p : / / w w w . m a g n e t o s o f t . c o m 9 S o f t P e r f e c t N e t w o r k S c a n n e r a v a ila b le a t h t t p : / / w w w . s o f t p e r f e c t . c o m 9 A d v a n c e d P o r t S c a n n e r a v a ila b le a t h t t p : / / w w w . r a d m i n . c o m 9 N e t if e r a a v a ila b le a t h t t p : / / n e t i f e r a . c o m 9 Free P o r t S c a n n e r a v a ila b le a t h t t p : / / w w w . n s a u d i t o r . c o m M o d u le 0 3 Page 331 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s D o N o t Exam 3 1 2 -5 0 C ertified Ethical H acker S c a n T h e s e I P A d d r e s s e s C E H (U n le s s y o u w a n t to g e t in t o t r o u b le ) RANGE 128 128.37.0.0 Army Yuma Proving Ground 1 2 8 3 8 0 0 Naval Surface Warfare Center 128.43.0.0 Defence Research Establishment-Ottawa 128.47.0.0 Army Communications Electronics Command 128.49.0.0 Naval Ocean Systems Center 128.50.0.0 Department of Defense 128.51.0.0 Department of Defense 128.56.0.0 U.S. Naval Academy 128.60.0.0 Naval Research Laboratory 128.63.0.0 Army Ballistics Research Laboratory 1 2 8 8 0 0 0 Army Communications Electronics Command 128.102.0.0 NASA Ames Research Center 128.149.0.0 NASA Headquarters 128.154.0.0 NASA Wallops Right Facility 128.155.0.0 128.156.0.0 12815700 128.158.0.0 NASA NASA NASA NASA Langley Research Center Lewis Network Control Center Johnson Space Center Ames Research Center 128 159 0 0 NASA Ames Research Center 128.160.0.0 Naval Research Laboratory 128 1 6 1 0 0 N ASA Ames Research Center 128 183.0 0 NASA Goddard Space Flight Center 128202 0 0 50th Space Wing 128 21 6 0 0 MacDifl Air Force Base 128.217.0.0 NASA Kennedy Space Center 128.236.0.0 U.S. A r Force Academy RANGE 129 129.23.0.0 Strategic Defense Initiative Organization 129.29.0.0 United States Military Academy 129.50.0.0 NASA Marshall Space Flight Center 129.51.0.0 Patrick Air Force Base 129.52.0.0 Wright-Patterson Air Force Base 129.53.0.0 - 129 53.255 255 66SPTG-SCB 129.54.0.0 Vandenberg Air Force Base, CA 129.92.0.0 Air Force Institute of Technology 129.99.0.0 NASA Ames Research Center 129.131.0.0 Naval Weapons Center 129.163.0.0 NASA/Johnson Space Center 129.164.0.0 NASA IW 129.165.0.0 NASA Goddard Space Fight Center 129.167.0.0 NASA Marshall Space Right Center 129.168.0.0 NASA Lewis Research Center 129.190.0.0 Naval Underwater Systems Center 129.198 0.0 Air Force Fight Test Center 129.209.0.0 Army BaiSstcs Research Laboratory 129.229.0.0 U.S. Army Corps of Engmeers 129.251.0.0 United States Ar Force Academy RANGE 130 130.40.0.0 NASA Johnson Space Center 130.90.0.0 Mather Ar Force Base 1301090.0 Naval Coastal Systems Center 130.124.0.0 Honeywell Defense Systems Group 130.165.0.0 U.S-Army Corps of Engneers 130 167.0.0 NASA Headquarters RANGE 132 132.3.0.0WilliamsAir ForceBase 132.5.0.0- 132.5.255.25549thFighter Wing 132.6.0.0AnkaraAir Station 132.7.0.0-132.7.255.255 SSG/SINO 132.9.0.0 28thBombWing 132.10.0.0 319CommSq 132.11.0.0 HellenikonAir Base 132.12.0.0 MyrtleBeachAir ForceBase 132.13.0.0 Bentwaters Royal Air ForceBase 132.14.0.0 Air ForceConcentrator Netwcrk 132.15.0.0 KadenaAir Base 132.16.0.0 Kunsan Air Base 132.17.0.0 132.18.0.0 132.19.0.0 132.20.0.0 132.21.0.0 132.22.0.0 132.24.0.0 132.25.0.0 132.27 0 0 132.28.0.0 Lindsey Air Station McGuire Air Force Base 100CS (NET-MILDENHALL) 35th Communications Squadron Plattsburgh Ar Force Base 23Communication9 Sq Dower Air Force Base 786 CS/SCBM • 132 27.255.255 39CS/SCBBN 14TH COMMUNICATION SQUADRON 132.30.0.0 Lqes Air F a c e Base RANGE 131 131.60.0 Langley Ar Force Base 131.10.0.0 Barksdale Ar Force Base 131.17.0.0 Sheppard Ar Fcrce Base 131.21.0.0 Hahn Ar Base 31.32.0.0 37 Communications Squadron 131 3 5 0 0 Fairchild Ar Force Base 131.36.0.0 Yokota Ar Base 131.37.0.0 Elmendorf Air Force Base 131.38.0.0 Hickam Ar Force Base 131.39.0.0 354CS/SCSN 132.31.0.0 132.33.0.0 132.34.0.0 132.35.0.0 132.37.0.0 132.38.0.0 132.39.0.0 Lonng Air Force Base 60CS/SCSNM Cannon Air F ace Base Altus Air Force Base 75 ABW Goodfellow AFB K.I. Sawyer Air Force Base For a complete list, see the file in DVD IP ADDRESSES YOU SHOULD NOT SCAN.txt Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. D o N o t S c a n T h e s e IP A d d re s s e s g e t in to (U n le s s y o u w a n t to tro u b le ) T h e IP a d d re s s e s lis te d in t h e f o l l o w i n g t a b l e a re a s s o c ia te d w i t h t h e c r itic a l i n f o r m a t i o n r e s o u r c e c e n te r s o f t h e US. S c a n n in g th e s e IP a d d re s s e s w i ll be c o n s id e r e d an a t t e m p t t o b re a k t h e US's i n f o r m a t i o n s e c u r ity . T h e r e f o r e , d o n o t scan th e s e IP a d d re s s e s u nless y o u w a n t t o g e t in to tro u b le . RANGE 6 6 . * - A r m y I n f o r m a t i o n S y s te m s C e n te r 129.51.0.0 Patrick Air Force Base 1 2 9 .5 2 .0 .0 W r i g h t - P a t t e r s o n A ir Force Base RANGE 7 1 2 9 .5 3 .0 .0 - 1 2 9 .5 3 .2 5 5 .2 5 5 66SPTG-SCB 7 . * . * . * D e fe n s e I n f o r m a t i o n S y s te m s 1 2 9 .5 4 .0 .0 V a n d e n b e r g A ir Force Base, Agency, VA CA RANGE 11 M o d u le 0 3 Page 332 1 2 9 .9 2 .0 .0 A i r Force I n s t i t u t e o f T e c h n o lo g y Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker D e fe n s e In te llig e n c e A g e n c y , W a s h in g t o n DC 129.99.0.0 NASA A m es R esearch C enter RANGE 21 1 2 9 .1 3 1 .0 . 0 N ava l W e a p o n s C e n te r 1 1 . * . * . * D 0 D In te l I n f o r m a t i o n S ys te m s , 2 1. - US D e fe n s e I n f o r m a t i o n S y s te m s Agency RANGE 22 2 2 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y RANGE 24 2 4 .1 9 8 .*.* RANGE 25 2 5 . * . * . * Royal Signals a n d R adar E s t a b lis h m e n t , UK RANGE 26 2 6 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y RANGE 29 1 2 9 .1 6 3 .0 . 0 N A S A /J o h n s o n Space C e n te r 1 2 9 .1 6 4 .0 . 0 NASA IVV 1 2 9 .1 6 5 .0 . 0 NASA G o d d a r d Space F lig ht C e n te r 1 2 9 .1 6 7 .0 . 0 NASA M a r s h a ll Space F lig h t C e n te r 1 2 9 .1 6 8 .0 . 0 NASA Lew is Research C e n te r 1 2 9 .1 9 0 .0 . 0 N ava l U n d e r w a t e r S y ste m s C e n te r 1 2 9 .1 9 8 .0 . 0 A ir Force F lig h t T e s t C e n te r 1 2 9 .2 0 9 .0 . 0 A r m y Ballistics Research L a b oratory 1 2 9 .2 2 9 .0 . 0 U.S. A r m y C o rp s o f E n g in e e rs 1 2 9 .2 5 1 .0 . 0 U n ite d S ta te s A ir Force Academ y 2 9 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y RANGE 130 RANGE 30 1 3 0 .4 0 .0 .0 NASA J o h n s o n Space C e n te r 3 0 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y 1 3 0 .9 0 .0 .0 M a t h e r A i r Force Base RANGE 49 4 9 . * - J o in t T a c tic a l C o m m a n d 1 3 0 .1 0 9 .0 . 0 N ava l C oa sta l S y s te m s C e n te r 1 3 0 .1 2 4 .0 . 0 H o n e y w e ll D e fe n s e S y s te m s G roup RANGE 50 1 3 0 .1 6 5 .0 . 0 U .S .A r m y C o rp s o f E n g in e e rs 5 0 . * - J o in t T a c tic a l C o m m a n d 1 3 0 .1 6 7 .0 . 0 NASA H e a d q u a r t e r s RANGE 55 RANGE 131 5 5 . * - A r m y N a t io n a l G u a r d B u re a u 1 3 1 .6 .0 .0 L a n g le y A i r Force Base RANGE 55 1 3 1 .1 0 .0 .0 B a rk s d a le A ir Force Base M o d u le 0 3 Page 333 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker 5 5 . * - A r m y N a t io n a l G u a r d B u re a u 131.17.0.0 S h epp ard A ir Fo rce Base 5 5 . * - A r m y N a t io n a l G u a r d B u re a u 1 3 1 .1 7 .0 .0 S h e p p a r d A ir Force Base RANGE 62 1 3 1 .2 1 .0 .0 H a h n A i r Base 6 2 .0 .0 .1 - 6 2 .3 0 . 2 5 5 . 2 5 5 Do n o t scan! 3 1 .3 2 . 0 .0 37 C o m m u n ic a t i o n s S q u a d r o n RANGE 6 4 1 3 1 .3 5 .0 .0 F a irc h ild A i r Force Base 6 4 . 7 0 . * . * Do n o t scan 1 3 1 .3 6 .0 .0 Y o k o ta A i r Base 6 4 . 2 2 4 . * Do n o t Scan 1 3 1 .3 7 .0 .0 E l m e n d o r f A ir Force Base 6 4 . 2 2 5 . * Do n o t scan 1 3 1 .3 8 .0 .0 H ic k a m A i r Force Base 6 4 . 2 2 6 . * Do n o t scan 1 3 1 .3 9 .0 .0 354CS/SCSN RANGE 128 RANGE 132 1 2 8 .3 7 .0 .0 A r m y Y u m a P ro v in g G r o u n d 1 3 2 .3 .0 .0 W i l l i a m s A i r Force Base 1 2 8 .3 8 .0 .0 N aval S u rfa c e W a r f a r e C e n te r 1 2 8 .4 3 .0 .0 D e fe n c e R esearch E s t a b lis h m e n t O tta w a 1 2 8 .4 7 .0 .0 A r m y C o m m u n ic a t i o n s E le c tr o n ic s C o m m a n d 1 3 2 .5 .0 .0 - 1 3 2 .5 . 2 5 5 . 2 5 5 4 9 t h F ig h te r W in g 1 3 2 .6 .0 .0 A n k a r a A ir S ta tio n 1 3 2 .7 .0 .0 - 1 3 2 .7 . 2 5 5 . 2 5 5 SSG/SINO 1 2 8 .4 9 .0 .0 N aval O c e a n S y s te m s C e n te r 1 3 2 .9 .0 .0 2 8 t h B o m b W i n g 1 2 8 .5 0 .0 .0 D e p a r t m e n t o f D e fe n s e 1 3 2 .1 0 .0 .0 3 1 9 C o m m Sq 1 2 8 .5 1 .0 .0 D e p a r t m e n t o f D e fe n s e 1 3 2 .1 1 .0 .0 H e lle n ik o n A i r Base 1 2 8 .5 6 .0 .0 U.S. N ava l A c a d e m y 1 3 2 .1 2 .0 .0 M y r t l e Beach A ir Force Base 1 2 8 .6 0 .0 .0 N aval R esearch L a b o r a t o r y 1 3 2 .1 3 .0 .0 B e n t w a t e r s Royal A i r Force Base 1 2 8 .6 3 .0 .0 A r m y Ballistics R esearch 1 3 2 .1 4 .0 .0 A ir Force C o n c e n t r a t o r L a b oratory N e tw o rk 1 2 8 .8 0 .0 .0 A r m y C o m m u n ic a t i o n s E le c tro n ic s C o m m a n d 1 3 2 .1 5 .0 .0 Kade n a A ir Base 1 2 8 .1 0 2 .0 . 0 NASA A m e s R esearch C e n te r 1 3 2 .1 6 .0 .0 K u nsa n A ir Base 1 2 8 .1 4 9 .0 . 0 NASA H e a d q u a r t e r s 1 3 2 .1 7 .0 .0 L in d s e y A i r S t a tio n 1 2 8 .1 5 4 .0 . 0 NASA W a l l o p s F lig h t F a cility 1 3 2 .1 8 .0 .0 M c G u i r e A ir Force Base 1 2 8 .1 5 5 .0 . 0 NASA L a n g le y R esearch C e n te r 1 3 2 .1 9 .0 .0 100CS (N E T -M IL D E N H A LL ) M o d u le 0 3 Page 3 34 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker 1 2 8 .1 5 6 .0 . 0 NASA Lew is N e t w o r k C o n tr o l 1 3 2 .2 0 .0 .0 3 5 th C o m m u n ic a tio n s C e n te r S q u a d ro n 1 2 8 .1 5 7 .0 . 0 NASA J o h n s o n Space C e n te r 1 3 2 .2 1 .0 .0 P l a tts b u r g h A ir F orce Base 1 2 8 .1 5 7 .0 . 0 NASA J o h n s o n Space C e n te r 1 3 2 .2 1 .0 .0 P l a tts b u r g h A ir Force Base 1 2 8 .1 5 8 .0 . 0 NASA A m e s R esearch C e n te r 1 3 2 .2 2 .0 .0 2 3 C o m m u n ic a t i o n s Sq 1 2 8 .1 5 9 .0 . 0 NASA A m e s R esearch C e n te r 1 3 2 .2 4 .0 .0 D o v e r A i r F orce Base 1 2 8 .1 6 0 .0 . 0 N aval R esearch L a b o r a t o r y 1 3 2 .2 5 .0 .0 7 8 6 CS/S CBM 1 2 8 .1 6 1 .0 . 0 NASA A m e s R esearch C e n te r 1 3 2 . 2 7 . 0 . 0 - 1 3 2 .2 7 .2 5 5 .2 5 5 39CS/SCBBN 1 2 8 .1 8 3 .0 . 0 NASA G o d d a r d Space F lig ht 1 3 2 .2 8 .0 .0 14TH C O M M U N IC A T IO N C e n te r SQ U A D R O N 1 2 8 .2 0 2 .0 . 0 5 0 t h Space W i n g 1 3 2 .3 0 .0 .0 Lajes A ir Force Base 1 2 8 .2 1 6 .0 . 0 M a c D ill A i r Force Base 1 3 2 .3 1 .0 .0 L o rin g A ir Force Base 1 2 8 .2 1 7 .0 . 0 NASA K e n n e d y Space C e n te r 1 3 2 .3 3 .0 .0 60C S/S C SN M 1 2 8 .2 3 6 .0 . 0 U.S. A i r Force A c a d e m y 1 3 2 .3 4 .0 .0 C a n n o n A ir Force Base RANGE 129 1 3 2 .3 5 .0 .0 A ltu s A i r Force Base 1 2 9 .2 3 .0 .0 S t r a te g ic D e fe n s e In i t i a t i v e O r g a n iz a tio n 1 2 9 .2 9 .0 .0 U n ite d S ta te s M i l i t a r y A c a d e m y 1 2 9 .5 0 .0 .0 NASA M a r s h a ll Space F lig h t C e n te r 1 3 2 .3 7 .0 .0 75 A B W 1 3 2 .3 8 .0 .0 G o o d f e l l o w AFB 1 3 2 .3 9 .0 .0 K.l. S a w y e r A ir Force Base TABLE 3.3: Do Not Scan These IP Addresses Table M o d u le 0 3 Page 335 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker P o r t S c a n n in g C o u n t e r m e a s u r e s C E H Urtifw^ tthiul lUch•( U se c u s to m r u le s e t t o lo c k C o n fig u r e f ir e w a ll a n d IDS r u le s d o w n t h e n e t w o r k a n d b lo c k t o d e t e c t a n d b lo c k p r o b e s u n w a n t e d p o r t s a t t h e fire w a ll F ilter all ICM P m e s s a g e s (i.e. in b o u n d ICMP m e s s a g e ty p e s a n d H id e s e n s iti v e in f o r m a ti o n f r o m o u tb o u n d ICMP ty p e 3 u n r e a c h a b le p u b lic v ie w m e s s a g e s ) a t t h e fir e w a lls a n d k j W / E n su re t h a t m e c h a n is m u s e d fo r ro u tin g a n d filte rin g a t t h e r o u te r s P e rfo rm TCP a n d U DP s c a n n in g a lo n g w ith ICMP p r o b e s a g a in s t y o u r o r g a n iz a tio n ’s IP a d d r e s s s p a c e to a n d fire w a lls re s p e c tiv e ly c a n n o t b e b y p a s s e d u sin g p a rtic u la r s o u rc e p o r ts o r s o u r c e - r o u tin g m e th o d s r o u te r s c h e c k t h e n e t w o r k c o n f ig u r a tio n a n d its a v a ila b le p o r ts £ E n su re th a t th e a n ti s c a n n in g E n s u re t h a t t h e r o u t e r , IDS, a n d fir e w a ll f ir m w a r e a r e u p d a t e d a n d a n t i s p o o f in g r u le s a r e t o t h e i r l a te s t r e l e a s e s c o n f ig u r e d Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. P o rt S c a n n in g C o u n te rm e a s u re s As d iscu s se d p re v io u s ly , p o r t s c a n n in g p r o v id e s a l o t o f u s e fu l i n f o r m a t i o n such as IP a d d re s s e s , h o s t n a m e s , o p e n p o r ts , e tc . t o t h e a tta c k e r . O p e n p o r t s e s p e c ia lly p r o v id e an easy m e a n s f o r t h e a t t a c k e r t o b r e a k i n t o t h e s e c u r it y . B u t t h e r e is n o t h i n g t o w o r r y a b o u t , as y o u can s e c u re your s y s te m or n e tw o rk a g a in s t p ort s c a n n in g by a p p ly in g th e fo llo w in g c o u n te rm e a s u re s : 9 T h e f i r e w a l l s h o u ld be g o o d e n o u g h t o d e t e c t p r o b e s an a t t a c k e r s e n d s t o scan th e n e t w o r k . So t h e f i r e w a l l s h o u ld c a r r y o u t s t a t e f u l i n s p e c t io n i f it has a s p e c ific r u le set. S o m e f i r e w a l l s d o a b e t t e r j o b t h a n o t h e r s in d e t e c t i n g s t e a lth scans. M a n y f i r e w a l l s h a v e s p e c ific o p t i o n s t o d e t e c t SYN scans, w h i l e o t h e r s c o m p l e t e l y i g n o r e FIN scans. Q N e t w o r k i n t r u s io n d e t e c t i o n s y s te m s s h o u ld d e t e c t t h e OS d e t e c t i o n m e t h o d used by to o ls such p re v e n tio n as Nmap, te c h n o lo g y e tc. th a t S nort can (h t t p : / / . s n o r t . o r g ) is an be o f g re at h e lp , m a in ly i n t r u s io n d e te c tio n a nd because s ig n a t u r e s a re f r e q u e n t l y a v a ila b le f r o m p u b lic a u th o r s . O n ly n e c e s s a ry p o r t s s h o u ld be k e p t o p e n ; t h e re s t o f t h e p o r ts s h o u ld be f i l t e r e d as t h e i n t r u d e r w ill t r y t o e n t e r t h r o u g h a n y o p e n p o r t . This can be a c c o m p lis h e d w i t h t h e c u s t o m r u le set. F ilte r in b o u n d IC M P m e s s a g e ty p e s a nd all o u t b o u n d IC M P t y p e 3 u n r e a c h a b l e m essa ge s a t b o r d e r r o u t e r s a n d f ir e w a lls . M o d u le 0 3 Page 3 36 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s 9 Exam 3 1 2 -5 0 C ertified Ethical H acker E nsure t h a t r o u t i n g a n d f i l t e r i n g m e c h a n is m s c a n n o t be b y p a s s e d u sin g s p e c ific s o u r c e p o rts o r s o u rc e -ro u tin g te c h n iq u e s . 9 T e s t y o u r o w n IP a d d re s s sp ace u s in g TCP a n d UDP p o r t scans as w e l l as IC M P P ro b e s t o d e t e r m i n e t h e n e t w o r k c o n f i g u r a t io n a n d a c ce ssib le p o rts . 9 If a c o m m e r c i a l f i r e w a l l is in use, t h e n e n s u r e t h a t t h e f i r e w a l l is p a t c h e d w i t h t h e la t e s t u p d a te s , a n t i s p o o f i n g r u le s h a v e b e e n c o r r e c t ly d e f i n e d , a n d f a s t m o d e se rv ic e s a re n o t used in C h e ck P o in t F ir e w a ll-1 e n v i r o n m e n t s . M o d u le 0 3 Page 337 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s C E H Exam 3 1 2 -5 0 C ertified Ethical H acker S c a n n in g M e th o d o lo g y So f a r w e h a ve d iscu sse d h o w t o c h e c k f o r live s y s te m s a n d o p e n p o r ts , t h e t w o c o m m o n n e t w o r k v u ln e r a b i l it ie s . A n IDS is t h e s e c u r it y m e c h a n is m i n t e n d e d t o p r e v e n t an a t t a c k e r f r o m e n t e r i n g a s e c u r e n e t w o r k . Bu t, e v e n t h e IDS has s o m e l i m i t a t i o n s in o f f e r i n g s e c u r it y . A t t a c k e r s a re t r y i n g t o la u n c h a tta c k s by e x p l o i t i n g l i m i t a t i o n s o f IDS. Check for Live Systems fft Check for Open Ports Scan for Vulnerability t Draw Network Diagrams S c a n n in g B e y o n d IDS prepare Proxies Banner Grabbing Scanning Pen Testing This s e c tio n h ig h lig h ts IDS e v a s io n t e c h n i q u e s a n d S Y N /F IN s c a n n in g . M o d u le 0 3 Page 338 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ID S E v a s io n T e c h n iq u e s C E H m Use fragmented IP packets Spoof your when launching attacks and sniff responses from server U s e source routing (if possible) Connect to> or compromised trojaned machines to launch attacks Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. Q Q —Q©1י # _ _ # ID S E v a s io n T e c h n iq u e s ־ M o s t o f t h e IDS e v a s io n t e c h n i q u e s r e ly o n t h e use f r a g m e n t e d p r o b e p a c k e ts t h a t r e a s s e m b le o n c e t h e y re a ch t h e t a r g e t h o s t. IDS e v a s io n can also o c c u r w i t h t h e use o f s p o o f e d f a k e h o s ts la u n c h i n g n e t w o r k s c a n n in g p ro b e s . Use fragmented IP packets A t t a c k e r s use d i f f e r e n t f r a g m e n t a t i o n m e t h o d s t o e v a d e t h e IDS. T h e s e a tta c k s a re s im ila r t o session s p lic in g . W i t h t h e h e lp o f fragroute, all t h e p r o b e p a c k e ts f l o w i n g f r o m y o u r h o s t o r n e t w o r k can be f r a g m e n t e d . It can also be d o n e w i t h th e h e lp o f a p o r t s c a n n e r w i t h f r a g m e n t a t i o n f e a t u r e such as N m a p . T his is a c c o m p lis h e d b e c a u s e m o s t IDS s e n s o rs fa il t o p ro c e s s la rg e v o lu m e s o f f r a g m e n t e d p a c k e ts , as t h is in v o lv e s g r e a t e r CPU c o n s u m p t i o n a nd m e m o r y a t t h e n e t w o r k s e n s o r level. Use source routing (if possible) S o u rc e r o u t i n g is a t e c h n i q u e w h e r e b y t h e s e n d e r o f a p a c k e t can s p e c ify t h e r o u t e t h a t a p a c k e t s h o u ld t a k e t h r o u g h t h e n e t w o r k . It is a s s u m e d t h a t t h e s o u r c e o f t h e p a c k e t k n o w s a b o u t t h e l a y o u t o f t h e n e t w o r k a n d can s p e c ify t h e b e s t p a th f o r t h e p a c k e t. M o d u le 0 3 Page 339 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S Y N / F I N I P S c a n n in g U s in g C E H F r a g m e n t s The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend to do It is not a new scanning method but a modification of the earlier methods & C o m m a n d P ro m p t C:\>nmap -sS -T4 -A -f -v 192.168.168.5 S Y N / F I N ( S m a ll IP Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-11 11:03 EDT Initiating SYN Stealth Scan at 11:03 Scanning 192.168.168.5 [1000 ports] Discovered open port 139/tcp on 192.168.168.5 Discovered open port 445/tcp on 192.168.168.5 Discovered open port 135/tcp on 192.168.168.5 Discovered open port 912/tcp on 192.168.168.5 Completed SYN Stealth Scan at 11:03, 4.75s elapsed (1000 total ports) F ra g m e n t s ) + P o r t (n) R ST ( if p o r t is c lo s e d ) A tta c k e r T a rg et SYN/FIN S ca n n in g Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. S Y N /F IN S c a n n in g U s in g IP F ra g m e n ts SYN/FIN s c a n n in g u sin g IP f r a g m e n t s is a m o d i f i c a t i o n o f t h e e a r lie r m e t h o d s o f s c a n n in g ; t h e p r o b e p a c k e ts a re f u r t h e r f r a g m e n t e d . This m e t h o d c a m e i n t o e x is te n c e t o a v o id t h e fa ls e p o s i t i v e f r o m o t h e r scans, d u e t o a p a c k e t f i l t e r i n g d e v ic e p r e s e n t o n t h e t a r g e t m a c h in e . You h a v e t o s p lit t h e TCP h e a d e r i n t o s e v e r a l p a c k e ts in s te a d o f j u s t s e n d in g a p r o b e p a cke t f o r a v o id in g th e p a c k e t f ilte r s . E ve ry TCP h e a d e r s h o u ld in c lu d e t h e s o u r c e a nd d e s t i n a t i o n p o r t f o r t h e f i r s t p a c k e t d u r in g a n y t r a n s m is s io n : (8 o c t e t , 6 4 b it ) , a n d t h e in itia liz e d fla g s in t h e n e x t, w h i c h a l l o w t h e r e m o t e h o s t t o r e a s s e m b le t h e p a c k e t u p o n r e c e ip t t h r o u g h an I n t e r n e t p r o t o c o l m o d u l e t h a t re c o g n iz e s t h e f r a g m e n t e d d a ta p a c k e ts w i t h t h e h e lp o f fie ld e q u i v a l e n t v a lu e s o f p r o t o c o l , s o u r c e , d e s t i n a t i o n , a n d i d e n t if ic a t i o n . F r a g m e n t e d P a c k e ts T h e TCP h e a d e r , a f t e r s p li t t in g i n t o sm a ll f r a g m e n t s , is t r a n s m i t t e d o v e r t h e n e t w o r k . B u t, a t t i m e s y o u m a y o b s e r v e u n p r e d i c t a b l e r e s u lts such as f r a g m e n t a t i o n o f t h e d a ta in t h e IP h e a d e r a f t e r t h e r e a s s e m b ly o f IP o n t h e s e r v e r side. S o m e h o s ts m a y n o t be c a p a b le o f p a r s in g and r e a s s e m b lin g t h e f r a g m e n t e d p a c k e ts , a n d t h u s m a y ca use crash es, r e b o o ts , o r e v e n n e t w o r k d e v ic e m o n i t o r i n g d u m p s . M o d u le 0 3 Page 3 40 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker F ir e w a lls S o m e f i r e w a l l s m a y h a ve r u le sets t h a t b lo c k IP f r a g m e n t a t i o n q u e u e s in t h e k e rn e l (like th e CONFIG _IP_ALW A YS_D EFR AG o p tio n in th e L in ux k e rn e l) , a lt h o u g h t h is is not w id e ly i m p l e m e n t e d d u e t o t h e a d v e rs e e f f e c t o n p e r f o r m a n c e . Since s e v e ra l in t r u s io n s d e t e c t i o n s y s te m s e m p l o y s ig n a t u r e - b a s e d m e t h o d s t o i n d ic a t e s c a n n in g a t t e m p t s b a se d o n IP a n d / o r th e TCP h e a d e rs , f r a g m e n t a t i o n is o f t e n a b le t o e v a d e t h is t y p e o f p a c k e t f i l t e r i n g a n d d e t e c t i o n . T h e r e is a p r o b a b i l i t y o f n e t w o r k p r o b l e m s o n t h e t a r g e t n e t w o r k . SYN/FIN (Small IP Fragments) + Port (n) ..................................................» < .................................................... RST (if p o r t is closed) _ Attacker Target FIGURE 3.43: SYN/FIN Scanning N m a p c o m m a n d p r o m p t s f o r SYN/FIN scan. m Command Prompt C :\> O m a p -s S -T 4 -A - f - v : 1 9 2 . 1 6 8 .1 6 :8 .! S t a r t i n g Nmap 6 .0 1 ( h t t p : / / n m a p . o r g } a t: 2 D 1 2 -P 8 -1 1 • 1 1 : 03 jSDT................... ......................... I n i t i a t i n g SYN S t e a l t h S can a t 1 1 :0 3 S c a n n in g 1 9 2 .1 6 8 .1 6 8 .5 [1 0 00 p o r t s ] D is c o v e r e d o p e n p o r t 1 3 9 / t c p on 1 9 2 .1 6 8 .1 6 8 . D is c o v e r e d o p e n p o r t 4 4 5 / t c p on 1 9 2 .1 6 8 .1 6 8 . D is c o v e r e d o p e n D is c o v e r e d o p e n p o r t ! 3 5 / t c p . On p o r t 9 1 2 / t c p 0n 1 9 2 .1 6 8 .1 6 8 . 1 9 2 .1 6 8 .1 6 8 . C o m p le te d SYN S t e a l t h Scan a t 1 1 :0 3 , e la p s e d (1000 t o t a l p o r t s ) 4 .7 5 s FIGURE 3.44: Nmap showing SYN/FIN Scanning Result M o d u le 0 3 Page 341 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s ®מ |' “ C h e c k for Exam 3 1 2-50 C ertified Ethical H acker ft yj Live S y s t e m s C h e c k for O p e n Ports _ r )__ ^ Ml Scan for ך . 1 1HUH k -i ־ 1 1 r ר-J n _ M ---1/ __ב a □ _____ Scanning Banner B e y o n d IDS Grabb i n g Draw Network ן Vulnerability c Diagrams Prepare! Scanning Proxies P e n Testing Copyright © by EG-Gouncil. All Rights Reserved. Reproduction Is Strictly Prohibited. =יי־ :ir C E H S c a n n in g M e th o d o lo g y So f a r w e h a ve d iscu sse d h o w t o c h e c k f o r live s y s te m s , o p e n p o r ts , a n d scan b e y o n d IDS. All o f th e s e a re t h e d o o r w a y s f o r an a t t a c k e r t o b r e a k i n t o a n e t w o r k . A n o t h e r i m p o r t a n t t o o l o f an a t t a c k e r is b a n n e r g ra b b in g , w h i c h w e w i ll discuss n e x t. Check for Live Systems 191 Check for Open Ports Scanning Beyond IDS ^ B a n n e r G ra b b in g Scan for Vulnerability r Draw Network Diagrams Q f c i prepare Proxies Scanning Pen Testing T his s e c tio n h ig h lig h ts b a n n e r g ra b b in g , t h e n e e d t o p e r f o r m b a n n e r g ra b b in g , v a r io u s w a y s o f b a n n e r g ra b b in g , a n d t h e t o o l s t h a t h e lp in b a n n e r g ra b b in g . M o d u le 0 3 Page 342 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker B a n n e r G r a b b in g J Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive. A ctive B a n n e r G rabbing ® P a ssiv e B a n n e r G rabbing S p e c ia lly c r a f t e d p a c k e ts a r e s e n t t o r e m o t e OS ® a n d t h e r e s p o n s e is n o te d ® Error m e ssag e s provide info rm atio n su ch as ty p e of server, ty p e o f OS, a n d SSL tool u sed by th e ta rg e t re m o te system T h e r e s p o n s e s a r e t h e n c o m p a r e d w ith a d a t a b a s e t o d e t e r m i n e t h e OS ® © R e s p o n s e f r o m d if f e r e n t O S e s v a r ie s d u e to S n iffin g t h e n e t w o r k tr a f f ic : C apturing an d analyzing pack ets from th e ta rg e t e n a b le s an attack e r to d e te rm in e OS u sed by th e re m o te system d if f e re n c e s in T C P /IP s ta c k i m p l e m e n t a t i o n e BQB ח B a n n e r g ra b b in g fro m e rro r m e ss a g e s: □ □ם B a n n e r g ra b b in g fro m p a g e e x te n s io n s : Looking fo r an ex ten sio n in th e URL m ay a ssist in d eterm in in g th e app licatio n version Exam ple: .aspx => IIS serv er an d W indow s p latform Why Banner Grabbing? Id e n tify in g t h e OS u s e d o n t h e t a r g e t h o s t a llo w s a n a t ta c k e r t o f ig u r e o u t t h e v u ln e r a b il iti e s t h e s y s t e m p o s s e s a n d t h e e x p lo its t h a t m ig h t w o r k o n a s y s te m t o f u r t h e r c a r r y o u t a d d i t i o n a l a t t a c k s Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. B a n n e r G ra b b in g B a n n e r g r a b b i n g o r OS f i n g e r p r i n t i n g is a m e t h o d t o d e t e r m i n e t h e o p e r a t i n g s y s te m r u n n i n g o n a r e m o t e t a r g e t s y s t e m . B a n n e r g r a b b i n g is i m p o r t a n t f o r h a c k in g as it p r o v id e s y o u w i t h a g r e a t e r p r o b a b i l i t y o f success in h a c k in g . T his is b e c a u s e m o s t o f t h e v u l n e r a b i l it ie s are OS s p e c ific . T h e r e f o r e , if y o u k n o w t h e OS r u n n i n g o n t h e t a r g e t s y s te m , y o u can h a c k t h e s y s te m b y e x p l o i t i n g t h e v u l n e r a b i l it ie s s p e c ific t o t h a t o p e r a t i n g s y s te m . B a n n e r g r a b b i n g can be c a r r ie d o u t in t w o w a y s : e i t h e r by s p o t t i n g t h e b a n n e r w h i l e t r y i n g t o c o n n e c t t o a se rv ic e such as FTP o r d o w n l o a d i n g t h e b i n a r y f i l e / b i n / l s t o c h e c k t h e a r c h it e c t u r e w i t h w h i c h it w a s b u ilt. Banner g ra b b in g is p e rfo rm e d u sin g th e fin g e rp rin tin g te c h n iq u e . A m ore advanced f i n g e r p r i n t i n g t e c h n i q u e d e p e n d s o n sta c k q u e r y i n g , w h i c h t r a n s f e r s t h e p a c k e ts t o t h e n e t w o r k h o s t a n d e v a lu a te s p a c k e ts b ase d o n t h e r e p ly . T h e f i r s t s ta c k q u e r y i n g m e t h o d w a s d e s ig n e d c o n s id e r in g t h e TCP m o d e o f c o m m u n i c a t i o n , in w h i c h t h e re s p o n s e o f t h e c o n n e c t i o n r e q u e s ts is e v a lu a te d . T h e n e x t m e t h o d w a s k n o w n as ISN ( In itia l S e q u e n c e N u m b e r ) analysis. This i d e n t if ie s t h e d if f e r e n c e s in t h e r a n d o m n u m b e r g e n e r a t o r s f o u n d in t h e TCP sta ck. A n e w m e t h o d , u s in g t h e ICMP p r o t o c o l , is k n o w n as IC M P r e s p o n s e a n a ly s is . It c o n s is ts o f s e n d in g t h e IC M P m e ssa g e s t o t h e r e m o t e h o s t a n d e v a l u a t i n g t h e r e p ly . T h e la t e s t IC M P m e s s a g in g is M o d u le 0 3 Page 343 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker k n o w n as t e m p o r a l re s p o n s e analysis. Like o t h e r s , t h is m e t h o d uses t h e TCP p r o t o c o l . T e m p o r a l r e s p o n s e a n a lys is lo o k s a t t h e r e t r a n s m i s s i o n t i m e o u t (RTO) r e s p o n s e s f r o m a r e m o t e h o s t. T h e r e a re t w o t y p e s o f b a n n e r g r a b b i n g t e c h n i q u e s a v a ila b le ; o n e is a c tiv e a n d t h e o t h e r is passive. A c tiv e B a n n e r G r a b b in g A c t iv e b a n n e r g r a b b i n g is based o n t h e p r in c ip le t h a t an o p e r a t i n g s y s te m 's IP sta c k has a u n i q u e w a y o f r e s p o n d i n g t o s p e c ia lly c r a f t e d TCP p a c k e ts . This arises b e c a u s e o f d i f f e r e n t i n t e r p r e t a t i o n s t h a t v e n d o r s a p p ly w h i l e i m p l e m e n t i n g t h e TCP/IP s ta c k o n t h e p a r t i c u l a r OS. In a c tiv e b a n n e r g ra b b in g , a v a r i e t y o f m a l f o r m e d p a c k e ts a re s e n t t o t h e r e m o t e h o s t, a n d t h e r e s p o n s e s a re c o m p a r e d t o a d a ta b a s e . For in s ta n c e , in N m a p , t h e OS f i n g e r p r i n t o r b a n n e r g r a b b i n g is d o n e t h r o u g h e ig h t te s ts . T h e e ig h t te s ts a re n a m e d T l , T2, T3, T4, T5, T6, T7, a n d PU ( p o r t u n r e a c h a b le ) . Each o f th e s e te s ts is i l lu s t r a t e d as f o l lo w s , as d e s c r ib e d in w w w . p a c k e t w a t c h . n e t : T l: In t h is te s t , a TCP p a c k e t w i t h t h e SYN a n d ECN-Echo fla g s e n a b le d is s e n t t o an o p e n TCP p o rt. T2: It in v o lv e s s e n d in g a TCP p a c k e t w i t h n o fla g s e n a b le d t o an o p e n TCP p o r t . T his t y p e o f p a c k e t is k n o w n as a NULL p a c k e t. T3: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e URG, PSH, SYN, a n d FIN fla gs e n a b le d t o an o p e n TCP p o r t. T4: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e ACK fla g e n a b le d t o an o p e n TCP p o r t. T5: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e SYN fla g e n a b le d t o a c lo s e d TCP p o r t . T6: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e ACK fla g e n a b le d t o a c lo s e d TCP p o r t . T7: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e URG, PSH, a n d FIN fla g s e n a b le d t o a c lo s e d TCP p o rt. PU (Port Unreachable): It in v o lv e s s e n d in g a UDP p a c k e t t o a c lo s e d UDP p o r t . T h e o b j e c t iv e is t o e x t r a c t an " I C M P p o r t u n r e a c h a b l e " m e s s a g e f r o m t h e t a r g e t m a c h in e . T h e last t e s t t h a t N m a p p e r f o r m s is n a m e d TSeq f o r TCP S e q u e n c a b ilit y te s t. This t e s t tr ie s t o d e t e r m i n e t h e s e q u e n c e g e n e r a t io n p a t t e r n s o f t h e TCP in itia l s e q u e n c e n u m b e r s , also k n o w n as TCP ISN s a m p li n g , t h e IP i d e n t i f i c a t i o n n u m b e r s (also k n o w n t i m e s t a m p n u m b e r s . T h e t e s t is p e r f o r m e d as IPID s a m p li n g ) , a n d t h e TCP b y s e n d in g six TCP p a c k e ts w i t h t h e SYN fla g e n a b le d t o an o p e n TCP p o r t. The o b j e c t iv e is to fin d p a tte rn s in th e in itia l sequence of n u m b e rs th a t th e TCP i m p l e m e n t a t i o n s c h o o s e w h i l e r e s p o n d i n g t o a c o n n e c t i o n r e q u e s t. T he se can be c a te g o r iz e d i n t o m a n y g r o u p s such as t h e t r a d i t i o n a l 6 4 K ( m a n y o ld UN IX b oxe s), r a n d o m ( n e w e r v e r s io n s o f Solaris, IRIX, FreeBSD, D ig ita l UNIX, Cray, a n d in c re m e n ts m a n y o th e r s ) , o r T ru e " r a n d o m " (L in u x 2 .0 . * , O p e n V M S , n e w e r AIX, e tc.). W i n d o w s b o x e s use a " t i m e - d e p e n d e n t " m o d e l w h e r e t h e ISN is i n c r e m e n t e d by a fix e d a m o u n t f o r e a ch t i m e p e r io d . M o d u le 0 3 Page 344 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S o u rc e : w w w . i n s e c u r e . o r g , " M o s t o p e r a t i n g s y s te m s i n c r e m e n t a s y s t e m - w i d e IPID v a lu e f o r e ach p a c k e t t h e y se n d . O th e rs , such as O p e n B S D , use a r a n d o m IPID a n d s o m e s y s te m s (like Linux) use an IPID o f 0 in m a n y cases w h e r e t h e ׳D o n 't F r a g m e n t ׳b it is n o t set. W i n d o w s d o e s n o t p u t t h e IPID in n e t w o r k b y t e o r d e r , so it i n c r e m e n t s b y 2 5 6 f o r e ach p a c k e t. A n o t h e r n u m b e r t h a t can be s e q u e n c e d f o r OS d e t e c t i o n p u r p o s e s is t h e TCP t i m e s t a m p o p t i o n va lu e s . S o m e s y s te m s d o n o t s u p p o r t t h e f e a t u r e ; o t h e r s i n c r e m e n t t h e v a lu e a t f r e q u e n c ie s o f 2HZ, 1 00HZ, o r 1 0 0 0 H Z a n d still o t h e r s r e t u r n 0. P a s s iv e B a n n e r G ra b b in g S o u rc e : h t t p : / / h o n e y n e t . o r g Like a c tiv e banner g ra b b in g , p assive banner g ra b b in g is also b ase d on th e d iffe re n tia l i m p l e m e n t a t i o n o f t h e sta c k a nd t h e v a r io u s w a y s an OS r e s p o n d s t o p a c k e ts . H o w e v e r , in s te a d o f r e ly in g o n s c a n n in g t h e t a r g e t h o s t, p assive f i n g e r p r i n t i n g c a p tu r e s p a c k e ts f r o m t h e t a r g e t h o s t via s n if f i n g t o s t u d y f o r t e l l t a l e signs t h a t can re v e a l an OS. T h e f o u r a re as t h a t a re t y p i c a l l y n o t e d t o d e t e r m i n e t h e o p e r a t i n g s y s te m are: 9 TTL - W h a t t h e o p e r a t i n g s y s te m sets t h e T im e T o Live o n t h e o u t b o u n d p a c k e t 9 W i n d o w Size - h a t t h e o p e r a t i n g s y s te m sets t h e W i n d o w size 9 DF - D oes t h e o p e r a t i n g s y s te m se t t h e D o n ' t F r a g m e n t b it 9 OS - D oes t h e o p e r a t i n g s y s te m s e t t h e T y p e o f Service, a n d i f so, a t w h a t Passive f i n g e r p r i n t i n g has t o be n e i t h e r f u l l y a c c u r a te n o r be l i m i t e d t o th e s e f o u r s ig n a tu r e s . H ow ever, by l o o k in g a t s e v e ra l s ig n a t u r e s and c o m b in in g in fo rm a tio n , accuracy can be i m p r o v e d . T h e f o l l o w i n g is t h e a n a ly sis o f a s n if fe d p a c k e t d is s e c te d by Lance S p itz n e r in his p a p e r o n p assive f i n g e r p r i n t i n g ( h t t p : / / w w w . h o n e y n e t . o r g / p a p e r s / f i n g e r / ). 0 4 / 2 0 - 2 1 : 4 1 : 4 8 . 1 2 9 6 6 2 1 2 9 .1 4 2 .2 2 4 . 3 :6 5 9 -> 1 7 2 .1 6 .1 .1 0 7 :6 0 4 TCP TTL:45 TOS:OxO ID :5 6 2 5 7 * * * F * * A * Seq: 0 x 9 D D 9 0 5 5 3 A ck: 0 xE 3 C 6 5 D 7 W i n : 0 x 7 D 7 8 Based o n t h e f o u r c r it e r ia , t h e f o l l o w i n g a re i d e n t if ie d : 9 TTL: 4 5 9 W i n d o w Size: 0 x 7 D 7 8 ( o r 3 2 1 2 0 in d e c im a l) 9 DF: T h e D o n 't F r a g m e n t b i t is se t 9 TOS: 0 x 0 D a t a b a s e S ig n a tu r e s T his i n f o r m a t i o n is t h e n c o m p a r e d t o a d a ta b a s e o f s ig n a tu r e s . C o n s id e r in g t h e TTL used b y t h e r e m o t e h o s t, it is d e t e r m i n e d f r o m t h e s n if f e r t r a c e t h a t t h e TTL is se t a t 4 5. T his in d ic a te s t h a t it w e n t t h r o u g h 19 h o p s t o g e t t o t h e t a r g e t , so t h e o rig in a l TTL m u s t h a ve b e e n s e t a t 64. M o d u le 0 3 Page 345 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Based o n t h is TTL, it a p p e a r s t h a t t h e p a c k e t w a s s e n t f r o m a L in u x o r F reeB S D b o x ( h o w e v e r , m o r e s y s te m s ig n a t u r e s n e e d t o be a d d e d t o t h e d a ta b a s e ). T his TTL is c o n f i r m e d b y d o i n g a t r a c e r o u t e t o t h e r e m o t e h o s t. If t h e tr a c e n e e d s t o be d o n e s t e a lt h ily , t h e t r a c e r o u t e t i m e - t o live ( d e f a u l t 3 0 h o p s ) can be se t t o be o n e o r t w o h o p s less t h a n t h e r e m o t e h o s t ( -m o p t i o n ) . S e ttin g t r a c e r o u t e in th is m anner re v e a ls t h e p a th in fo rm a tio n ( in c lu d in g th e u p s tre a m p r o v id e r ) w i t h o u t a c t u a l ly t o u c h i n g t h e r e m o t e h o s t. W indow Sizes T h e n e x t s te p is t o c o m p a r e w i n d o w sizes. T h e w i n d o w size is a n o t h e r e f f e c t i v e t o o l t h a t d e t e r m i n e s s p e c ific a lly w h a t w i n d o w size is used a n d h o w o f t e n t h e size is c h a n g e d . In t h e p r e v io u s s ig n a t u r e , it is s e t a t 0 x 7 D 7 8 , a d e f a u l t w i n d o w size is c o m m o n l y used b y L inux. In a d d it io n , FreeBSD a n d Solaris t e n d t o m a i n t a i n t h e s a m e w i n d o w size t h r o u g h o u t a sessio n. H o w e v e r , Cisco r o u t e r s a nd M i c r o s o f t W i n d o w s / N T w i n d o w sizes a re c o n s t a n t ly c h a n g in g . T h e w i n d o w size is m o r e a c c u r a te if m e a s u r e d a f t e r t h e in itia l t h r e e - w a y h a n d s h a k e (d u e t o TCP s l o w s ta rt). Session Based M o s t s y s te m s use t h e DF b it set, so t h i s is o f l i m i t e d v a lu e . H o w e v e r , t h is d o e s m a k e it e a s ie r t o i d e n t i f y t h e f e w s y s te m s t h a t d o n o t use t h e DF f l a g (such as SCO o r O p e n B S D ). TOS is also o f l i m i t e d v a lu e , since it s e e m s t o be m o r e s e s s io n -b a s e d t h a n o p e r a t i n g - s y s t e m - b a s e d . In o t h e r w o r d s , it is n o t so m u c h t h e o p e r a t i n g s y s te m t h a t d e t e r m i n e s t h e TOS, b u t t h e p r o t o c o l used. T h e r e f o r e , b a se d o n t h is i n f o r m a t i o n , s p e c ific a lly TTL a nd w i n d o w size, o n e can c o m p a r e t h e r e s u lts t o t h e d a ta b a s e o f s ig n a t u r e s a n d , w i t h a d e g r e e o f c o n f i d e n c e , d e t e r m i n e t h e OS (in t h is case, L in ux k e rn e l 2.2.x). Just as w i t h a c tiv e f i n g e r p r i n t i n g , p assive f i n g e r p r i n t i n g has s o m e l i m i t a t i o n s . First, a p p lic a t io n s t h a t b u ild t h e i r o w n p a c k e ts (such as N m a p , h u n t , n e m e s is , e tc .) w ill n o t use t h e s a m e s ig n a t u r e s as t h e o p e r a t i n g s y s te m . S e co n d , it is r e l a t iv e l y s im p le f o r a r e m o t e h o s t t o a d ju s t t h e TTL, w i n d o w size, DF, o r TOS s e t t i n g o n p a cke ts. Passive f i n g e r p r i n t i n g can be used f o r s e v e ra l o t h e r p u r p o s e s . C ra ck e rs can use " s t e a l t h y " f i n g e r p r i n t i n g . For e x a m p le , t o d e t e r m i n e t h e o p e r a t i n g s y s te m o f a p o t e n t i a l t a r g e t , such as a w e b s e rv e r, o n e n e e d o n l y r e q u e s t a w e b p ag e f r o m t h e s e rv e r, a n d t h e n a n a ly z e t h e s n if f e r tra c e s . T his b yp a sse s t h e n e e d f o r u sin g an a c tiv e t o o l t h a t v a r io u s IDS s y s te m s can d e t e c t . Also, passive f i n g e r p r i n t i n g m a y be used t o i d e n t i f y r e m o t e p r o x y f ir e w a lls . Since p r o x y f i r e w a l l s r e b u i l d c o n n e c t i o n s f o r c lie n ts , it m a y be p o s s ib le t o ID p r o x y f i r e w a l l s b ase d o n t h e s ig n a t u r e s th a t have been d iscu ssed . O r g a n iz a tio n s can use p assive f i n g e r p r i n t i n g t o id e n tify rogue s y s te m s o n t h e i r n e t w o r k . T h e se w o u l d be s y s te m s t h a t a re n o t a u t h o r i z e d o n t h e n e t w o r k . W h y B a n n e r G ra b b in g ? I d e n t i f y i n g t h e OS u sed o n t h e t a r g e t h o s t a llo w s an a t t a c k e r t o f i g u r e o u t t h e v u ln e r a b i l it ie s t h e s y s te m possesses a n d t h e e x p lo it s t h a t m i g h t w o r k o n a s y s te m t o f u r t h e r c a r r y o u t a d d it io n a l a tta c k s . M o d u le 0 3 Page 346 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker B a n n e r G r a b b in g T o o ls -J ID S e rv e is u s e d t o id e n tify t h e m a k e , m o d e l, a n d J N e tc ra f t r e p o r t s a s ite 's o p e r a t in g s y s te m , w e b s e r v e r , a n d n e tb lo c k o w n e r t o g e t h e r w ith , if It is a ls o u s e d to id e n tify non-H T T P (n o n -w e b ) a v a ila b le , a g r a p h ic a l v ie w o f t h e ti m e s in c e la s t I n te r n e t s e rv e rs su c h a s FTP, SMTP, POP, NEWS, e tc . r e b o o t f o r e a c h o f t h e c o m p u te r s s e rv in g t h e s ite N etcraft ID Serve ©BSwve ■■ ך a III 0 r\r 0 | _ J v e r s io n o f a n y w e b s i t e ^ s e r v e r s o f tw a r e y Iniemet Server Ideniiftcahon Utility v l 0 2 PersonalSecurityFreewarebySteveGibten CoppgNfclמיyfttwnRet«0ci«Cap& 03 011e1y | a f'"*» copy / p it• lr»—*ר 0 « A /b *p « » 5 t» URL w IP « !«| «*־vjfr<l• w m rncroKO tan( 1 Iccttmedhoclier com ~|־ ליI/ I AW ^־־־7|fwa<rvw ־־7 ־־־־j *.t W htrvim•rtlrl* tn«iURl0•IPKh01 ♦!•-יp0'•«*l*•d* *«b•o*v*«׳ baton 1>r*.*• • 3 »י^*זy ypowx!״oorta1i. 8<1011 37 80 111 53 ( ; ILas*־Wcam«d Aed jETaa « StSt' :c t J n (/ •־MDb UMI ?dC " [Seiver McrDsoNIS/bO I ! :.•P n v ^ o 1-fly A S P M F jl TnewiverterttwdlMtM fr"1 $201010Swv•«*6r-*9® http://www. grc.com http://toolbar. netcraft.com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. B a n n e r G ra b b in g T o o ls B a n n e r g r a b b in g can be d o n e e v e n w i t h t h e h e lp o f to o ls . M a n y t o o l s a re a v a ila b le in t h e m a r k e t . T h e se t o o l s m a k e b a n n e r g r a b b i n g an easy ta sk. T h e f o l l o w i n g a re e x a m p le s o f b a n n e r g r a b b i n g to o ls : \ ׳ ׳j ID S e rv e S o u rc e : h t t p : / / w w w . g r c . c o m ID Serve is u sed t o i d e n t i f y t h e m a k e , m o d e l , a n d v e r s io n o f a n y w e b s i t e 's s e r v e r s o f t w a r e ; it is also used t o i d e n t i f y n o n -H T T P ( n o n - w e b ) I n t e r n e t s e rv e rs such as FTP, SM TP, POP, NEWS, e tc. M o d u le 0 3 Page 347 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker © ID S * ™ I- q - F B ■ | | ^ 0 Background r y P Se!v»r Query | O &A/Help Enter a or copy / pa-.te paste an Interne! server U R L or ot IP * a ir Mteesssi here (example 1 Irnrtifmdhncker |c e ftil B d h n ck e r com co w ^ (2 U :4J Internet Server Identification utilityvl 02 Personal Security Freeware by Steve Gibson CopyngN Ic) 2003 by Gfcson Research Cap mmrraaosoW rmaosoH com) | Query The Server W hen an Inlemer U R L ot IP has been provided above press the button to n b ate a query 01 the s p e c fo d server *י Server query processng ft Lest-Modrtied Wed. 12 Jan 2U11 Ub Accept-Ranges none ETaa •Q76b5t18b2cb1 17d0 5 r Server MioosolHIS/6 0 X-Powered-By A SPN ET Ub tiM I Ihe terveridentted (tel as C0(V E* (j 010 ID Serve web page FIGURE 3.45: ID Serve Screenshot N e tc ra ft S o u rc e : h t t p : / / t o o l b a r . n e t c r a f t . c o m N e t c r a f t r e p o r t s a s ite 's o p e r a t i n g s y s te m , w e b s e rv e r, a n d n e t b l o c k o w n e r t o g e t h e r w i t h , if a v a ila b le , a g r a p h ic a l v i e w o f t h e t i m e sin ce last r e b o o t f o r e a ch o f t h e c o m p u t e r s s e rv in g t h e site . חETC RAFT S it e r e p o r t f o r c e r t if le d h a c k e r . c o m Netcraft Toolbar •) Mom# • SHo h ttp / ccrtA «< jhjd׳.»׳.eom D om ain com 1 day 99 0 g ra p * N o tb k x k im VAW» i>L H osting E 2 ) Uptimo Download Nowl • Rapwt a P hah • Top R • port •re • P N M tttC tu n tM • • PN»hle»lHo»lefa • Mod Popular WaDc<tet IP w M m k i 202 75.54.101 S it• ran k 270S0I C o untry D N «nM K«rv»r ncO.rtoyo ar1yfooc.com DM• flnt 00c*mfc«K 2002 DNS a dm in «dn«n9n0Y «artyf«M com dxoMS.com R e v e rs e DNS n s 1 .noyear1yfeet.com 1־#ftA *flh»d ׳ • ׳com. N « m i ( 1v 1 r S u c c t t t Id e a IT Services, cercrtetir1acfcer.com. ce־ttW h jcV « r com. 92345. united Scatts organisation Oamansara Java. Recakng Jaym. S elangor. 4 7 400. Mr see• Domain •I • Tail a Fntoa T o o lb a r S u p p o rt . * • a L a st ro b o o t FAQ Glossary Contact Us Report גBug T u to ria ls • Installing • מTooioar • u w r 0 me Toolbar • Gatling m Most R«pt>org a Phish A b o u t N e tc ra ft fJGlcrart Horn# • About Nttcrafl O r g itk a tio • Malaysia C heck a n o th e r s ite : N o s t l n g H is to r y L ast changed Net block O w n e r IP a d d r e s s IM V M S DC Hostm g 2 0 2 .7 $ . צ4 . 101 W indow s s«rv « r 2003 Microsoftn s /e .Q 1 /-Ju >~2012 TM VADS DC Hostm g 202.75 .5 4 .1 0 1 W indow s S e rver 2003 Microsoft IIS/6.0 9 )on 2012 TM VADS DC H osting 202.75 .5 4 .1 0 1 W indow* Server 2003 Microsoft• IIS /6.0 9-May-2012 TM VADS DC Hostm o 2 02.75.54.101 Window* Server 2003 Microsoft• 115/6.0 9-Apr-2012 TM VADS DC H osting ?07.7S .S 4.101 Window* Server MicrosoftIIS/C.O OS W e b S e rv e r 19-Feb20 1 2 FIGURE 3.46: Netcraft Screenshot M o d u le 0 3 Page 3 48 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker B a n n e r G r a b b in g T o o ls (C o n t’d) 1. # nc 2 . G ET - w / w w w .ju g g y b o y .c o m CEH 8 0 - press[Enter] H T T P / 1 . 0 - Press [Enter] tw ic e f*r This utility reads and writes data across network connections, using the TCP/IP protocol Etf* V ■״im m ro o t e b t :- # rc - v * www .jtoayboy.co■ 8© DNS fw d /re i/ mismatch• www.jugcydoy.toa </ww. j Lggybay . con 1295 .1 7 8 .1 5 2 .2 6] 30 GET / M TTP/1.9 HTTP/1 .1 296 OK Connection: elo se Date: Mon, 13 Aug 2912 12 :1 4 :1 0 GMT co n ten t-L e n g th : 2 1 0 |נ C o n te n t-iv p e : t e x t / r i p l ^ I C o n ten t-< C cat#rn: h t t p : 7 /1 6 .4 « . 26. מ/ b « f a u It I h t n L a s t•M o d itie d : Wed. 19 Apr 2366 2 2 :0 9 :1 2 GMT Acceot•Ranges: none ETaa: 9 ־b46bc3fd53c61:7a49־ S e rv e r: M ic r o s o f t - IIS / 6 .0 M lrr0 ( 0 f t O f f ic * W * b ( * r v t r ! 5 .8 Pub X Powered-By: ASP.MET *r 1. t e ln e t T e ln e t 2 . G ET / S e rv e r id en tified a s M icrosoft-1 IS/6.0 t r a c k h ttp : //n e tc a t.s o u r c e fo r g e .n e t L w w w .c e r tifie d h a c k e r .c o m 8 0 - press[Enter] H T T P / 1 . 0 - Press [Enter] tw ic e C .\ W in d o w A iy 5 te m 3 2 \ c m d .c x e HTTP/ 40 1.1׳J Forbidde n t-U n g th : This technique probes HTTP servers to determine the Server field in the HTTP response header 21H S e rv e r id en tified a s M icrosoft-1 IS/6.0 »»: H i P M c n f t - l I S / h . M ChtmlXheadXtit le>Error<StitleXsheadXbodvXheadXtitle>Di»»ecto1*v List ing D od</t it lo X׳׳׳hoad> ChodyXhl )Directory Listing Den1ed</־hi >This Uirtual Director oe3 oot allow contents to be listed. </-׳bodyX/'bodyX/yhtnl> Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. B a n n e r G ra b b in g L* T o o l s ( C o n t ’d ) N e tc a t ש S o u rc e : h t t p : / / n e t c a t . s o u r c e f o r g e . n e t N e t c a t is a n e t w o r k i n g u t i l i t y t h a t re a d s a n d w r i t e s d a t a acro ss n e t w o r k c o n n e c t i o n s , w i t h t h e h e lp o f t h e TCP/IP p r o t o c o l . It is d e s ig n e d t o be a r e lia b le " b a c k - e n d " t o o l t h a t can be used d ir e c t ly o r e a sily d r iv e n b y o t h e r p r o g r a m s a n d s c rip ts . It p r o v id e s access t o t h e f o l l o w i n g ke y fe a t u r e s : © O u t b o u n d a n d i n b o u n d c o n n e c t i o n s , TCP o r UDP, t o o r f r o m a n y p o rts . © F e a tu re d t u n n e l i n g m o d e , w h i c h also a llo w s sp ecial t u n n e l i n g such as UDP t o TCP, w i t h t h e p o s s ib ilit y o f s p e c ify in g all n e t w o r k p a r a m e t e r s ( s o u rc e p o r t / i n t e r f a c e , lis te n in g p o r t / i n t e r f a c e ) , a n d t h e r e m o t e h o s t a ll o w e d t o c o n n e c t t o t h e t u n n e l . © B u ilt -in p o r t - s c a n n i n g c a p a b ilit ie s , w i t h r a n d o m i z e r . © A d v a n c e d usage o p t i o n s , such as b u f f e r e d s e n d - m o d e (o n e lin e e v e r y N s e c o n d s ) a nd h e x d u m p (to s t d e r r o r t o a s p e c ifie d file ) o f t r a n s m i t t e d a n d r e c e iv e d d a ta . O p t i o n a l RFC854 t e l n e t c o d e s p a r s e r a n d r e s p o n d e r . You can use t h e N e t c a t t o o l f o r g r a b b i n g t h e b a n n e r o f a w e b s i t e by f o l l o w i n g t h is p ro c e ss. H e re , t h e b a n n e r g r a b b i n g is d o n e o n t h e w w w . J u g g y b o y . c o m w e b s e rv e r f o r g a t h e r i n g t h e s e r v e r fie ld s such as s e r v e r t y p e , v e r s io n , e tc. M o d u le 0 3 Page 349 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker © # nc - v v w w w . j u g g y b o y . c o m 8 0 - p re s s [E n te r] e GET / H T T P /1 .0 - Press [E n te r ] t w i c e F ro m t h e s c r e e n s h o t , y o u can o b s e r v e t h e a re a h ig h l i g h t e d in re d c o lo r is a s e r v e r v e r s io n (M ic ro s o ft-IIS /6 .0 ). file Edit ytew Jferminal Help ro o t@ b t:-# nc -vv www.juggyboy.com 80 DNS fw d /re v mismatch: www.juggyboy.com ! * w2k3-web26. p ro d . n e ts o lh o s t. con www.juggyboy.com [2 0 5 .1 78 .1 5 2 .2 6] 80 (www) open GET / HTTP/1.0 HTTP/1.1 200 OK C onnection: close Date: Mon, 13 Aug 2012 12:14:1G GMT C on te n t-L e ng th: 2165M C ontent-Tvpe: t e x t / s C o n te n t^ffo ca titin : h t t p :/ /1 0 . 4 9 . 3 9 . 2 6 /d e fa u lt .htni L a s t-M o d ifie d : Wed, 19 Apr 2006 22:09:12 GMT Accept■Ranges: none ETaq : ־־Gb46be3f d63c61: 7349־־ S e rve r: M ic r o s o ft - IIS / 6 . 0 M ic ro s o ftO ffic e W e b S e rv e r: 5.0 Pub X-Powered-By: ASP.NET ^ I I ■ ft* 1^ ^ Ix FIGURE 3.47: Netcat showing Banner Grabbing Result T e ln e t T his t e c h n i q u e p r o b e s HTTP s e r v e r s t o d e t e r m i n e t h e S e rv e r fie ld in t h e HTTP response hea de r. For in s ta n c e , i f y o u w a n t t o e n u m e r a t e a h o s t r u n n i n g h t t p ( tc p 80), t h e n y o u h a ve t o f o l l o w t h is p r o c e d u r e : © First, o p e n t h e c o m m a n d p r o m p t w i n d o w . Go t o S t a r t > ־R un , t y p e c m d , a n d press E n te r o r clic k OK. © In t h e c o m m a n d p r o m p t w i n d o w , r e q u e s t t e l n e t t o c o n n e c t t o a h o s t o n a s p e c ific p o r t : C : \ t e l n e t w w w . c e r t i f i e d h a c k e r . c o m 8 0 a n d p re ss E n te r. © N e x t, y o u w i ll g e t a b la n k s c re e n w h e r e y o u h a v e t o t y p e GET / H T T P /1 .0 a n d press E n te r t w i c e . © In t h e f in a l s te p , t h e h t t p s e r v e r re s p o n s e s w i t h t h e s e r v e r v e r s io n , say M ic r o s o f t - I I S / 6 . 0 . F ro m t h e s c r e e n s h o t y o u can see t h e a rea h ig h l i g h t e d in re d c o lo r is t h e s e r v e r v e rs io n d e ta ils . C:\Windows\system32\cmd.exe H T T P /1 .1 403 F o r b id d e n C o n te n t- L e n g th : 218 C n n t e n t —T u n e : t e x t / h t m l S erv er: M ic ro so ft-IIS /6 .0 X - P o u e r e d - B y : ftS P . N E T D a t e : S a t , 1 1 fl u g 2 0 1 2 0 9 : 5 7 : 0 7 GMT u o n n e cc io n : cxose < h tm lX h e a d X title > E rro r< /title X /b e a d X b o d y X b e a d X title > D ire c to ry L istin g D e d < /t i t le X /b e a d > < b o d y X h l> D ire c to ry L i s tin g D e n ied < /h l> T h is U ir tu a l D ire c to r o e s n o t a l l o u c o n t e n t s to be l i s t e d .< / b o d y > < / b o d y X / h t n l > C o n n ec tio n to host lo st. FIGURE 3.48: Command Prompt showing http server responses with the server version M o d u le 0 3 Page 3 50 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker B a n n e r G ra b b in g D is a b lin g C o u n te rm e a s u re s : o r C h a n g in g B a n n e r C E H Display false banners to misguide the attackers Turn off 01 unnecessary services on the network host to limit the information tion disclosure disclos IIS users can use these tools to disable or change banner information ~ IIS L ockdow n Tool (h ttp ://m ic r o s o f t.c o m ) ~ S e rv e rM a s k (h ttp ://w w w .p o r t8 0 s o f tw a r e .c o m ) Apache 2.x with m od_headers module - use a directive in h t t p d . conf file to change banner information Header set Server "New Server Name" Alternatively, change the S e rv e rS ig n a tu re line to S e rv e rS ig n aitu tu re O ff in h t t p d . co n f file Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. B a n n e r G ra b b in g --------- C h a n g in g C o u n te rm e a s u re s : D is a b lin g o r B a n n e rs A t t a c k e r s use b a n n e r g r a b b in g t e c h n i q u e s a n d f i n d o u t s e n s i t i v e i n f o r m a t i o n such as d e v ic e ty p e s , o p e r a t i n g s y s te m s , a p p li c a t i o n v e r s io n , e tc . used b y t h e v i c t i m . W i t h t h e h e lp o f t h e g a t h e r e d i n f o r m a t i o n , t h e a t t a c k e r e x p lo it s t h e v u l n e r a b i l it ie s t h a t a re n o t u p d a t e d w i t h t h e s e c u r i t y p a tc h e s a n d la u n c h e s t h e a tta c k s . So, t o p r o t e c t y o u r s y s te m a g a in s t b a n n e r g r a b b in g a tta c k s , a f e w c o u n t e r m e a s u r e s can be a d o p t e d a n d t h e y a re lis te d as f o l lo w s : D is a b lin g o r C h a n g in g B a n n e r Q D isp la y fa lse b a n n e r s t o m is g u id e a t ta c k e r s Q T u r n o f f u n n e c e s s a r y se rv ic e s o n t h e n e t w o r k h o s t t o l i m i t i n f o r m a t i o n d is c lo s u r e Q IIS u sers can use th e s e t o o l s t o d is a b le o r c h a n g e b a n n e r i n f o r m a t i o n : 9 S IIS L o c k d o w n T o o l (h t t p : / / m i c r o s o f t . c o m ) S S e r v e r M a s k (h t t p : / / w w w . p o r t 8 0 s o f t w a r e . c o m ) A p a c h e 2.x w i t h mod_headers m o d u l e - use a d ir e c t iv e in httpd. conf file t o c h a n g e b a n n e r i n f o r m a t i o n H e a d e r s e t S e r v e r " N e w S e rv e r N a m e " 9 A l t e r n a t i v e l y , c h a n g e t h e ServerSignature lin e t o ServerSignature Off in t h e httpd.conf file M o d u le 0 3 Page 351 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker H id in g W e b F ile E x t e n s io n s f r o m C E H P a g e s F ile e x t e n s i o n s r e v e a l i n f o r m a t i o n a b o u t t h e u n d e rly in g s e r v e r te c h n o lo g y t h a t a n a tta c k e r g g i g 2 c a n u tiliz e to la u n c h a t t a c k s IIS u s e r s u s e t o o l s s u c h a s H id e file e x t e n s i o n s t o m a s k P a g e X c h a n g e r to m a n a g e th e t h e w e b te c h n o lo g y file e x t e n s i o n s C h a n g e a p p lic a tio n m a p p in g s su ch A p ach e u se rs can u se a s .a s p w ith . h t m o r .f o o , e t c . to m o d _ n e g o t i a t i o n d ir e c ti v e s d is g u is e t h e i d e n t i t y o f t h e s e r v e r s It is even better if the file extensions are not at all used Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. H id in g File F ile E x te n s io n s fro m e x te n s io n s p r o v id e in fo rm a tio n W e b about th e P a g e s u n d e rly in g s e rve r te c h n o lo g y ; a t ta c k e r s can use t h is i n f o r m a t i o n t o s e a rc h v u l n e r a b i l it ie s a n d la u n c h a tta c k s . H id in g file e x te n s io n s is a good p r a c tic e to mask te c h n o lo g y -g e n e ra tin g d y n a m ic pages. Change a p p li c a t i o n m a p p in g s such as .asp w i t h . h t m o r .fo o , e tc. t o d is g u is e t h e i d e n t i t y o f t h e s e rve rs. A p a c h e users can use m o d _ n e g o t i a t i o n d ir e c t iv e s . IIS users use t o o l s such as P a g e X c h a n g e r t o m a n a g e t h e f ile e x te n s io n s . D o in g w i t h o u t file e x te n s io n s a l t o g e t h e r is an e v e n b e t t e r ide a. M o d u le 0 3 Page 352 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s C E H Exam 3 1 2 -5 0 C ertified Ethical H acker S c a n n in g M e th o d o lo g y So fa r, w e h a v e d iscu sse d h o w t o c h e c k f o r live s y s te m s , o p e n p o r ts , scan b e y o n d IDS, a n d t h e use o f b a n n e r g ra b b in g . All th e s e c o n c e p ts h e lp an a t t a c k e r o r s e c u r it y a d m i n i s t r a t o r t o fin d th e lo o p h o le s t h a t m ay a llo w an a t t a c k e r i n t o th e ir n e tw o rk . Now we w i ll discuss v u l n e r a b i l i t y s c a n n in g , a m o r e d e t a i le d te s ts t o d e t e r m i n e v u ln e r a b i l it ie s in a n e t w o r k , a n d its re s o u rc e s . Check for Live Systems ft f^ j ^ a; Scan f o r V u l n e r a b i l i t y Check for Open Ports r Scanning Beyond IDS Jfe J Banner Grabbing Draw Network Diagrams Prepare Proxies Scanning Pen Testing T his s e c tio n d e s c r ib e s v u l n e r a b i l i t y s c a n n in g a n d v a r io u s v u l n e r a b i l i t y s c a n n in g to o ls . M o d u le 0 3 Page 3 53 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COlMCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker V u ln e r a b i lit y S c a n n in g Vulnerability scanning identifies vulnerabilities and weaknesses of a system and netw< order to determine how a system can be exploited 1 ■ י w ■־ m ח ח Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. Q V u ln e ra b ility ^ S c a n n in g V u l n e r a b i l i t y s c a n n in g i d e n t if ie s v u l n e r a b i l i t i e s a n d w e a k n e s s e s o f a s y s te m a nd n e t w o r k in o r d e r t o d e t e r m i n e h o w a s y s te m can be e x p l o i t e d . S im ila r t o o t h e r s e c u r it y te s ts such as o p e n p o r t s c a n n in g a n d s n if f i n g , t h e v u l n e r a b i l i t y t e s t also assists y o u in s e c u r in g y o u r n e t w o r k b y d e t e r m i n i n g t h e l o o p h o l e s o r v u l n e r a b i l it ie s in y o u r c u r r e n t s e c u r it y m e c h a n is m . T his s a m e c o n c e p t can also be used b y a tt a c k e r s in o r d e r t o f i n d t h e w e a k p o i n t s o f t h e t a r g e t n e t w o r k . O n c e t h e y fin d a n y w e a k p o in t s , t h e y can e x p l o i t t h e m a n d g e t in t o t h e t a r g e t n e t w o r k . E thical h a c k e rs can use th is c o n c e p t t o d e t e r m i n e t h e s e c u r it y w e a k n e s s e s o f t h e i r t a r g e t b u s in e ss a n d fix t h e m b e f o r e t h e b ad g u ys f i n d a n d e x p l o i t t h e m . V u l n e r a b i l i t y s c a n n in g can f i n d t h e v u l n e r a b i l it ie s in: Q N e t w o r k t o p o l o g y a nd OS v u ln e r a b i l it ie s 9 O p e n p o r t s a n d r u n n i n g se rv ic e s 9 A p p l i c a t i o n a n d s e rvice s c o n f i g u r a t i o n e r r o r s 9 A p p l i c a t i o n a n d s e rvice s v u ln e r a b i l it ie s M o d u le 0 3 Page 354 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker V u l n e r a b i l i t y S c a n n in g T o o l: N e s s u s Nessus is the vulnerability and configuration assessment product F eatures Cw Sa לa ssa Agentless auditing , a a >a In-depth assessments . lb.1 ץ Mobile device audits M \Ma Patch management integration M MS o-oaoflW tw *n1 » 1SM BH agitT! totu C anm 4Aa*Hth•W tokxnfaipM y , a Compliance checks T rw m *m Nwiil«M T T P»► Content audits Customized reporting High-speed vulnerability discovery W IWU.ir^ 1 <M Iran Scan policy design and execution http://www. tenable, com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. V u ln e ra b ility S c a n n in g T o o l: N e s s u s S o u rc e : h t t p : / / w w w . t e n a b l e . c o m N essus is a v u l n e r a b i l i t y s c a n n e r — a p r o g r a m t h a t s e a rc h e s f o r bugs in s o f t w a r e . This t o o l a llo w s a p e r s o n t o d is c o v e r a s p e c ific w a y t o v i o l a t e t h e s e c u r it y o f a s o f t w a r e p r o d u c t . T he v u ln e r a b i l it y , in v a r io u s levels o f d e t a il, is t h e n d is c lo s e d t o t h e u s e r o f t h e t o o l . T h e v a r io u s s te p s t h is t o o l f o l l o w s are: e D ata g a t h e r i n g e Host id e n tific a tio n e P o r t scan 0 P lu g-in s e le c tio n 0 R e p o r tin g o f d a ta T o o b t a i n m o r e a c c u r a te a n d d e t a i le d i n f o r m a t i o n f r o m W i n d o w s - b a s e d h o s ts in a W i n d o w s d o m a i n , t h e u s e r can c r e a te a d o m a i n g r o u p a n d a c c o u n t t h a t h a v e r e m o t e r e g is t r y access p riv ile g e s . A f t e r c o m p l e t i n g th is ta sk, he o r she g e ts access n o t o n l y t o t h e r e g is t r y k e y s e ttin g s b u t also t o t h e S e rvice Pack p a tc h levels, I n t e r n e t E x p lo r e r v u ln e r a b i l it ie s , a n d se rv ic e s r u n n i n g o n t h e h o s t. M o d u le 0 3 Page 355 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker It is a c li e n t - s e r v e r a p p li c a t i o n . T h e N essus s e r v e r r u n s o n a UN IX s y s te m , k e e p s t r a c k o f all t h e d i f f e r e n t v u l n e r a b i l i t y te s ts , a nd p e r f o r m s t h e a c tu a l scan. It has its o w n u s e r d a ta b a s e a n d se c u re s a u t h e n t i c a t i o n m e t h o d s , so t h a t r e m o t e u sers u s in g t h e N essus c l i e n t can log in, c o n f i g u r e a v u l n e r a b i l i t y scan, a n d se n d it o n its w a y . N essus in c lu d e s NASL (Nessus Attack Language), a la n g u a g e d e s ig n e d t o w r i t e s e c u r it y te s ts . S c r i p t in g T h e v a r io u s f e a t u r e s o f Nessus a re : 9 Each s e c u r it y t e s t is w r i t t e n as a separate plug-in. T his w a y , t h e u s e r can e a s ily a d d te s ts w i t h o u t h a v in g t o re a d t h e c o d e o f t h e N essus e n g in e . Q It p e r f o r m s s m a r t se rv ic e r e c o g n i t i o n . It a s s u m e s t h a t t h e t a r g e t h o s ts w i ll r e s p e c t t h e IA N A a ssig ne d p o r t n u m b e r s . 9 T h e N essus S e c u r ity S c a n n e r is m a d e u p o f t w o p a rts : A s e rv e r, w h i c h p e r f o r m s t h e a tta c k , a n d a c lie n t, w h i c h is t h e f r o n t e n d . T h e s e r v e r a nd t h e c l i e n t can be r u n o n d i f f e r e n t s y s te m s . T h a t is, t h e u s e r can a u d i t his w h o l e n e t w o r k f r o m his p e r s o n a l c o m p u t e r , w h e r e a s t h e s e r v e r p e r f o r m s its a tta c k s f r o m t h e m a in f r a m e , w h i c h m a y be l o c a te d in a d i f f e r e n t a rea. Q •**1 | H * | n e ssus R e p o rts Reports Scan LAN Mobile Scans Policies Users | u f« u l Configurator g VvtrmntmySummary | HortSunmTY Rj/ vwq • LMKfwd Aug 13,2012 19:07 1 Filters N o F ltea * Add Flit* 9 Clear FHtec* ! FIGURE 3.49: Nessus Screenshot Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker V u l n e r a b i l i t y G F I L a n G 0 0 J GFI L a n G u a rd a s s is ts in a s s e t m a n a g e m e n t , ris k a n a ly s is , a n d p r o v in g c o m p lia n c e J T o o l: c u a r d UrtifW4 D*Mo*d §״ Gme *־Ertrttortwrt t j Lxahoet w3N*EBOc«c»1 - J־l«*l ״•״״סv»0e«SC«^■ Scm ,£ Oienee ReTM dutr # Ccwtxjen M onitcr ־־£ -M3r> Rtpcrtt Configuritkn 'AJryraMtm Fato>« .4 <־ Ports Fo rt* w* Soft»a« Soft•*( 14 Harare p Enore Network -1 computer< ----------------- F e a tu r e s : e E H ttkKJl NmIm GPI LanGuard 2012 > *- Hte׳ i n v e n to r y , c h a n g e S c a n n in g 1 jrnutootiiedApp»c*... Selectively creates custom vulnerability checks 0 conptfen O w S ₪ ₪ ₪ im « Creates different types of scans and vulnerability tests » Helps ensure third-party security applications offer optim um protection 9 0 o Performs network device vulnerability checks 0eonotten nj-mtbtli *וזוז J 'l 1 , - - ־ ־ ׳ luntutn <U ׳w aU *.y 11 1 © Identifies security vulnerabilities and takes remedial action 1 _________________ A A udri Statu• i.cnpuue*•׳rope••*mm* 0, http://www. gfi.com - Copyright © by fC-CNDCil. All Rights Reserved. Reproduction is Strictly Prohibited. V u ln e ra b ility ✓ S c a n n in g T o o l: G F I L a n G u a r d S o u rc e : h t t p : / / w w w . g f i . c o m GFI L a n G u a rd acts as a v i r t u a l s e c u r i t y c o n s u l t a n t . It o f f e r s p a tc h m a n a g e m e n t , v u l n e r a b i l i t y a s s e s s m e n t, a n d n e t w o r k a u d it in g se rvice s. It also assists y o u in a s set i n v e n t o r y , c h a n g e m a n a g e m e n t , risk analysis, a n d p r o v in g c o m p lia n c e . F e a tu re s : 9 S e le c tiv e ly c r e a te s c u s t o m v u l n e r a b i l i t y ch e cks 9 I d e n tifie s s e c u r it y v u l n e r a b i l it ie s a nd ta k e s r e m e d i a l a c tio n 9 C re a te s d i f f e r e n t t y p e s o f scans a n d v u l n e r a b i l i t y te s ts 9 H elp s e n s u r e t h i r d p a r t y s e c u r it y a p p lic a t io n s o f f e r o p t i m u m p r o t e c t i o n 9 P e r f o r m s n e t w o r k d e v ic e v u l n e r a b i l i t y ch e cks M o d u le 0 3 Page 357 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s * Exam 3 1 2-50 C ertified Ethical H acker I“ J-P I * GFI LanGuard 2012 E B ■<׳־»׳ §• Group 5* Entire Network Dashboard Q. S<an IS Remediate Overview Activity Monitor 0 Computer! & ttrtory Reports Configuration Utilities Patches Port• i pVynerabAbes Uj ’ Discuss t«s versaon (J Software Hardware Syitem Information E n tire N etw o rk -1 c o m p u te r * J lo c d h o s t: W IN־MSSELCK4<41 - 1} ׳local DomOT: WORKGROUP Seanty Sensors Vdnerabity Level SSWIN-HSSaCMMl Firewall Issu e s Software Updates C redent!•!• Setup I0 computers Service Packs and Up— Most Vulnerable Computers # l 0. computers ...... — UP |WIN-MSSELCK4K41 Vulnerabilities 1computers VuherabAty Trend Over Tne Tout “H*■ Common Talks HUBUldL. Addmoncomodera Custom scar SaanrigatiDeploy aocrt O ■l ■ Insta■ n progress ■ Urwrstal **progress ■ Not IrtStalM ■ D*ptoy*n«rt Erron Computers By Operating System Computer ViJnerabAty Ois&fcubon Ocomputvtl) 0 computer{*) 0 compa•^*) 1computes) 0 compuM^s) ■ Hgp• M*2*yn ■ tow ■ HA icompuc 0 comput.. Ocomput. Ocomput. 1 Agent Status | Audt Status | O ]computers By Operating...| Computers By Network ... 1 FIGURE 3.50: GFI LanGuard Screenshot M o d u le 0 3 Page 358 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker V u l n e r a b i l i t y S c a n n in g T o o l: S A I N T F e a tu re s : טIdentify vulnerabilities on network devices » Detect and fix possible weaknesses in the network security » Prevent common system vulnerabilities a Demonstrate compliance with current government and industry regulations e Perform compliance audits with policies defined by FDCC, USGCB, Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. V u ln e ra b ility S c a n n in g T o o l: S A IN T S o u rc e : h t t p : / / w w w . s a i n t c o r p o r a t i o n . c o m SAINT is an i n t e g r a t e d n e t w o r k t o o l s f o r s e c u r i t y a d m i n i s t r a t o r s . U sing t h is t o o l , y o u can f i n d s e c u r it y v u l n e r a b i l it ie s acro ss t h e n e tw o rk i n c lu d in g d e v ic e s , o p e ra tin g s y s te m s , d e skto p a p p lic a tio n s , w e b a p p lic a tio n s , d a ta b a s e s , e tc. in a n o n - i n t r u s i v e m a n n e r . It also e n a b le s y o u t o g a t h e r i n f o r m a t i o n such as o p e r a t i n g s y s te m ty p e s a n d o p e n p o r ts , e tc . It a llo w s y o u t o scan a n d e x p l o i t t a r g e t s w i t h an IPv4, IPv6, a n d / o r URL a d d re s s . F e a tu r e s : 9 D e te c ts a n d fix e s p o s s ib le w e a k n e s s e s in y o u r n e t w o r k ' s s e c u r it y 9 A n t i c i p a t e s a n d p r e v e n t s c o m m o n s y s te m v u ln e r a b i l it ie s 0 D e m o n s t r a t e s c o m p li a n c e w i t h c u r r e n t g o v e r n m e n t a n d in d u s t r y r e g u l a t i o n s such as PCI DSS, NERC, FISMA, SOX, GLBA, HIPAA, a n d COPPA 9 P e r fo r m s c o m p li a n c e a u d it s w i t h p o lic ie s d e f i n e d by FDCC, USGCB, a n d DISA M o d u le 0 3 Page 359 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker « 1* Vulnerability Scanner % 0 & I r iiu m • U rn u w ״**״•׳ t>«*• * KM V M •• r e a וי a Op(■•** •> kM M 1■c%— ■1 Vulnerability By Count! •r VnNfiMn rz ri * CrmcMi f n u t m t A/ f i o i Cone•m * * * * * •י H0*t * d ^ * 4 4 * a 10.7.0. IS 10-7-Q-14 1Q.7.Q.2 10.7. Q. 11 10 7.0 104 10-7-0-101 10-7.0.12 10.7.0.S * 10.7.0.13a י10.7.0.140 > 10.7.0.150 10,7.0 י. m 4 10.7 o i a o 10-7.0.31 * 10.7.0.131 ^ 10.7.0.112 10.7.0.119 10.7.0.146 J 10.7.0.7 ToU l 41 37 34 2 a s 0 6 0 0 0 1 2 0 2 2 0 0 0 0 0 2 2 2 t 2 0 0 1 t 0 0 0 0 0 0 0 0 0 0 0 0 נ נ 2 2 2 2 2 2 I I 1 1 1 • S 4 14 4 1 0 1 0 0 1 31 14 14 4 1• S נ ______ FIGURE 3.51: SAINT Screenshots M o d u le 0 3 Page 3 60 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker N e t w o r k V u l n e r a b i l i t y S c a n n e r s OpenVAS Retina CS http://go.eeye.com -o I ▼ http://www.open\/as.org \ g m Core Impact Professional http://www.coresecurity,com Security M a n a g e r Plus http://www.manageengine.com LJpSrJ W MBSA Nexpose http://www.rapid7.com http://www.microsoft.com 111 BE3F S h a d o w Security Scanner http://www.safety-lab.com i] QualysGuard http://www.qualys.com Security Auditor's Research Nsauditor N e t w o r k Security ■M l Auditor Assistant (SARA) http://www.nsauditor.com http://www-arc.com C o p y r ig h t © b y N e tw o rk V u ln e r a b ility N e tw o rk v u ln e r a b i l it ie s v u ln e ra b ility v u ln e ra b ility in t h e ta rg e t assessm ent C E H s c a n n e rs n e tw o rk and R ig h ts R e se rv e d . R e p ro d u c tio n Is S tr ic tly P ro h ib ite d . S c a n n e rs are th e to o ls or n e tw o rk n e tw o rk EG-G*ancil. A ll a u d it in g . th a t assist y o u in id e n tify in g r e s o u r c e s . T h e se s c a n n e rs U sing th e s e s c a n n e rs , th e h e lp y o u you can in fin d v u ln e r a b i l it ie s in n e t w o r k s , w i r e d o r w ire le s s , o p e r a t i n g s y s te m s , s e c u r it y c o n f i g u r a t io n , s e rv e r t u n i n g , o p e n p o r ts , a p p lic a tio n s , e tc. A f e w n e t w o r k v u l n e r a b i l i t y s c a n n e rs a n d t h e i r h o m e site s a re m e n t i o n e d as f o l lo w s , u sin g w h i c h y o u can p e r f o r m n e t w o r k s c a n n in g : 9 R e tin a CS a v a ila b le a t h t t p : / / g o . e e v e . c o m 9 C ore I m p a c t P ro fe s s io n a l a v a ila b le a t h t t p : / / w w w . c o r e s e c u r i t y . c o m Q M B S A a v a ila b le a t h t t p : / / w w w . m i c r o s o f t . c o m Q S h a d o w S e c u r ity S c a n n e r a v a ila b le a t h t t p : / / w w w . s a f e t v - l a b . c o m 9 N s a u d i t o r N e t w o r k S e c u r ity A u d i t o r a v a ila b le a t h t t p : / / w w w . n s a u d i t o r . c o m Q O p e n V A S a v a ila b le a t h t t p : / / w w w . o p e n v a s . o r g 9 S e c u r ity M a n a g e r Plus a v a ila b le a t h t t p : / / w w w . m a n a g e e n g i n e . c o m e N e x p o s e a v a ila b le a t h t t p : / / w w w . r a p i d 7 . c o m 9 Q u a ly s G u a r d a v a ila b le a t h t t p : / / w w w . q u a l y s . c o m 9 S e c u r ity A u d i t o r 's R esearch A s s is ta n t (SARA) a v a ila b le a t h t t p : / / w w w - a r c . c o m M o d u le 0 3 Page 361 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s C E H S c a n n in g Exam 3 1 2 -5 0 C ertified Ethical H acker M e th o d o lo g y So fa r, w e d iscu sse d v a r io u s s c a n n in g c o n c e p ts such as s o u rc e s t o be s c a n n e d , t o o l s t h a t can be u sed f o r s c a n n in g , a n d v u l n e r a b i l i t y s c a n n in g . N o w w e w ill discuss t h e n e t w o r k d ia g r a m , an i m p o r t a n t d ia g r a m t h a t e n a b le s y o u t o a n a ly z e t h e c o m p l e t e n e t w o r k t o p o l o g y . Check for Live Systems 191 Scan for Vulnerability Check for Open Ports J * Scanning Beyond IDS 3 0 Draw Network Diagrams Prepare Proxies r-^r-n Banner Grabbing Scanning Pen Testing T his s e c tio n h ig h lig h ts t h e i m p o r t a n c e o f t h e n e t w o r k d ia g r a m , h o w t o d r a w t h e n e t w o r k d ia g r a m o r m a p s , h o w a t ta c k e r s can use th e s e l a u n c h in g a tta c k s , a n d t h e t o o l s t h a t can be used t o d r a w n e t w o r k m ap s. M o d u le 0 3 Page 362 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s D r a w Exam 3 1 2 -5 0 C ertified Ethical H acker i n g N e t w o r k D i a g r a m s C E H (•rtifwtf 41 ilk > ׳H«hw J Drawing target's network diagram gives valuable information about the network and its architecture to an attacker J Network diagram shows logical or physical path to a potential target DMZ Intranet Intranet C o p y r ig h t © b y D ra w in g N e tw o rk EG-G*ancil. A ll R ig h ts R e se rv e d . R e p ro d u c tio n Is S tr ic tly P ro h ib ite d . D ia g ra m s T h e m a p p i n g o f n e t w o r k s i n t o d ia g r a m s h e lp s y o u t o i d e n t i f y t h e t o p o l o g y o r th e a r c h it e c t u r e o f t h e t a r g e t n e t w o r k . T h e n e t w o r k d ia g r a m also h e lp s y o u t o t r a c e o u t t h e p a t h t o t h e t a r g e t h o s t in t h e n e t w o r k . It a lso a llo w s y o u t o u n d e r s t a n d t h e p o s it io n o f f ir e w a lls , r o u t e r s , a n d o t h e r access c o n t r o l d e v ic e s . Based o n t h e n e t w o r k d ia g r a m , t h e a t t a c k e r can a n a ly z e t h e t a r g e t n e t w o r k ' s t o p o l o g y a n d s e c u r it y m e c h a n i s m s . It h e lp s an a t t a c k e r t o see t h e f ir e w a lls , IDSs, a n d o t h e r s e c u r it y m e c h a n is m s o f t h e t a r g e t n e t w o r k . O n c e t h e a t t a c k e r has th is i n f o r m a t i o n , h e o r she can t r y t o f i g u r e o u t t h e v u l n e r a b i l it ie s o r w e a k p o i n t s o f t h o s e s e c u r it y m e c h a n is m s . T h e n t h e a t t a c k e r can f i n d his o r h e r w a y i n t o t h e t a r g e t n e t w o r k by e x p l o i t i n g t h o s e s e c u r it y w e a k n e s s e s . T h e n e t w o r k d ia g r a m also h e lp s n e t w o r k a d m i n i s t r a t o r s m a n a g e t h e i r n e t w o r k s . A t t a c k e r s use n e t w o r k d is c o v e r y o r m a p p i n g t o o l s t o d r a w n e t w o r k d ia g r a m s o f t a r g e t n e t w o r k s . T h e f o l l o w i n g f i g u r e d e p ic t s an e x a m p l e o f a n e t w o r k d ia g r a m : M o d u le 0 3 Page 363 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s In tra n e t Exam 3 1 2 -5 0 C ertified Ethical H acker DMZ In tra n e t FIGURE 3.52: Network Diagram M o d u le 0 3 Page 364 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s N e t w o r k Exam 3 1 2 -5 0 C ertified Ethical H acker D is c o v e r y T o o l: C E H L A N s u r v e y o r L A N s u r v e y o r discovers a n e t w o r k a n d p r o d u c e s a c o m p r e h e n s i v e n e t w o r k d i a g r a m that integrates OSI Layer 2 a n d Layer 3 topology data F e a tu re s aao A u t o - g e n e r a t e N e tw o r k M a p s E x p o r t N e tw o r k M a p s t o V isio □LANsu A u to -d e te c t C h a n g e s I n v e n to r y M a n a g e m e n t N e tw o r k R e g u la to r y C o m p lia n c e N e tw o r k T o p o lo g y D a t a b a s e M u lti-le v e l N e tw o r k D is c o v e ry □LANsurveyor http://www.solarwinds.com C o p y r ig h t © b y E C - C t in C il. A ll R ig h ts R e se rv e d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d . N e tw o rk D is c o v e ry T o o l: L A N s u r v e y o r S o u rc e : h t t p : / / w w w . s o l a r w i r 1d s .c o m L A N s u r v e y o r a llo w s y o u t o a u t o m a t i c a l l y d is c o v e r a n d c r e a t e a n e t w o r k m a p o f t h e t a r g e t n e t w o r k . It is a lso a b le t o d is p la y i n - d e p t h c o n n e c t i o n s like OSI L a y e r 2 a n d L a y e r 3 t o p o l o g y d a ta su ch as d is p la y in g s w it c h t o s w itc h , s w itc h t o n o d e , a n d s w it c h t o r o u t e r c o n n e c t i o n . You can e x p o r t t h e n e t w o r k m a p c r e a te d i n t o M i c r o s o f t O ffic e V isio. It can also k e e p t r a c k o f c h a n g e s t h a t o c c u r in t h e n e t w o r k . It a llo w s t h e u s e r t o p e r f o r m i n v e n t o r y m a n a g e m e n t o f h a r d w a r e a n d s o f t w a r e assets. M o d u le 0 3 Page 365 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s □ Exam 3 1 2 -5 0 C ertified Ethical H acker l * SolarW inds LANsurveyor - [M ap 1] i;. File Edit Manage Monitor Report Tools Window Help !3 y * B X •«r ־ solarwinds ׳ ± i~ 100V. ♦ . a SO N e tw o rk S e gm ents (1) B H & IP A d dresses (5) S £ D o m a in N am es (5) ♦ £ N o d e N am es (5) I— IP Routers DEMONSTRATK J5LL A N su rve y o r R esp o nd er N o d es : H S N M P N o d es S N M P S w itch e s/H u b s l- C SIP (VoIP) N o d es ® Layer 2 N o d e s ^ A c tiv e D irecto ry D Cs 1 ־f t . G rou ps □LAN surveyor F o r H elp, press F1 FIGURE 3.53: LANsurveyor Screenshot M o d u le 0 3 Page 3 66 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s N e t w o r k Exam 3 1 2 -5 0 C ertified Ethical H acker D is c o v e r y T o o l: C E H O p M a n a g e r O p M a n a g e r is a n e t w o r k m o n i t o r i n g s o f t w a r e t h a t o f f e r s a d v a n c e d f a u l t a n d p e r f o r m a n c e m a n a g e m e n t f u n c t i o n a l i t y a c r o s s c r i tic a l IT r e s o u r c e s s u c h a s r o u t e r s , W A N lin k s , s w i t c h e s , f i r e w a l l s , V o IP c a ll p a t h s , p h y s ic a l s e r v e r s , v i r t u a l s e r v e r s , d o m a i n c o n t r o l l e r s , a n d o t h e r IT i n f r a s t r u c t u r e d e v i c e s F e a tu re s J A vailability a n d U p tim e M o n ito rin g J N e tw o rk Traffic A nalysis J IP A d d re s s M a n a g e m e n t J S w itch P o rt M a p p e r J N e tw o rk P e r fo r m a n c e R e p o rtin g J N e tw o rk C o n fig u ra tio n M a n a g e m e n t J E x c h an g e S e r v e r M o n ito rin g J A ctive D ire c to ry M o n ito rin g -l H yper-V M o n ito rin g -l SQL S e rv e r M o n ito rin g 1'ol|RtN1nr ■Uipt& M 'AjhUapm!!ur&irlctirdNudr-T OpMaragt?) qm noo < 1nl«n 1iv« ״Uvo־J lopuogv map ailtmwirv wrn iptonto mmci front »»יta> Nmsc Mtal wiijf cor• wiMr/twftdi x tl* aavca SAMPLE MAP \ r. • * T Y '״ ! * \ / : 3 *־ jf _ . http://www.manageengine.com C o p y r ig h t © b y N e tw o rk D is c o v e ry EG-G*ancil. A ll R ig h ts R e se rv e d . R e p ro d u c tio n Is S tr ic tly P ro h ib ite d . T o o l: O p M a n a g e r S o u rc e : h t t p : / / w w w . m a n a g e e n g i n e . c o m O p M a n a g e r is b a s ic a lly a n e t w o r k p e r f o r m a n c e m a n a g e m e n t a n d m o n i t o r i n g t o o l t h a t o ffe r s a d v a n c e d f a u l t a n d p e r f o r m a n c e m a n a g e m e n t f u n c t i o n a l i t y acro ss c r itic a l IT r e s o u r c e s such as r o u t e r s , W A N links, s w itc h e s , f ir e w a lls , V o IP call p a th s , p h y sica l se rv e rs , v i r t u a l se rv e rs , d o m a i n c o n t r o l l e r s , a n d o t h e r IT i n f r a s t r u c t u r e d e v ic e s . T his t o o l is h e l p f u l in d is c o v e r in g t h e s p e c ific n e t w o r k a u t o m a t i c a ll y . It can also p r e s e n t a live n e t w o r k d ia g r a m o f y o u r n e t w o r k . H e re a re s o m e o f t h e f e a t u r e s o f O p M a n a g e r : e A v a i la b il i t y a n d u p t i m e m o n i t o r i n g e N e t w o r k t r a f f i c a na lysis 0 IP a d d re s s m a n a g e m e n t e S w itc h p o r t m a p p e r 0 N e tw o rk p e rfo rm a n c e re p o rtin g 9 N e t w o r k c o n f i g u r a t io n m a n a g e m e n t e E xch an g e s e r v e r m o n i t o r i n g M o d u le 0 3 Page 367 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker 9 A c t iv e d i r e c t o r y m o n i t o r i n g 9 H ype r-V m o n ito rin g 9 SQL S e rv e r m o n i t o r i n g FIGURE 3.54: OpManager showing Sample Map M o d u le 0 3 Page 368 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker N e t w o r k D is c o v e r y T o o l: C E H N e t w o r k V i e w 1 N«tvw<׳kVcw ;NctwcrkV10v*1[ Re id* V *- lisu letf Arvlw J N e tw o r k V ie w is a a i i s is 1 1 •כ t H*j q. *. + T -• I N Q D s i S B a n e tw o r k d is c o v e ry a n d m a n a g e m e n t to o l f o r W in d o w s J D is c o v e r T C P /IP n o d e s a n d r o u t e s u s in g D NS, S N M P , p o r t s , N e tB IO S , and WMI http://www.networkview.com C o p y r ig h t © b y N e tw o rk D is c o v e ry EG-G*ancil. A ll R ig h ts R e se rv e d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d . T o o l: N e tw o rk V ie w S o u rc e : h t t p : / / w w w . n e t w o r k v i e w . c o m N e t w o r k V i e w is a n e t w o r k d is c o v e r y a n d m a n a g e m e n t t o o l f o r W i n d o w s . Its k e y f e a t u r e s i n c l u d e : 9 D is c o v e r TCP/IP n o d e s a n d r o u t e s u s in g DNS, S N M P , Po rts, N etBIOS , a n d W M I 9 G e t M A C a d d re s s e s a n d NIC m a n u f a c t u r e r n a m e s e M o n i t o r n o d e s a n d re c e iv e a le rts 9 D o c u m e n t w ith p rin te d m aps and re p o rts 9 C o n tro l and secure y o u r n e tw o rk w ith th e S N M P M IB b ro w s e r, th e W M I b ro w s e r, and th e p o r t sca nn er M o d u le 0 3 Page 369 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker NetworkView - [NetworkViewl] - = « f t F1l« Edit View Lists logs Window Help b is 1 1 •ס t < * < * + - « ; s x g x e ii ״ »יg n ט שt»4 s 8: & ■ ft NetworkViewl | a -an 11 11) a a Q 101112 s s q 0 B »III—■*M il i t 1 («ן»*יM «i» o hfM W *1מ N o t Y •* I T « fc y * ** | •יןA.~« Lmm| ^#•1 r 50 Nodes Monitoring is O ff HR a [Last monitoring: Unknown ^Txiw«w(m<—1004)] a 0 Polls 0 Mails Sent Modified For Help, press FI FIGURE 3.55: NetworkView Screenshot M o d u le 0 3 Page 3 70 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0linCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker N e tw o rk D is c o v e ry Tool: The Dude N e tw o rk D is c o v e ry EH T o o l: T h e D u d e Source: h ttp ://w w w .m ik ro tik .c o m The Dude w ill a u to m a tic a lly scan all devices w ith in specified subnets, draw and lay o u t a map o f y o u r netw orks, m o n ito r services o f yo u r devices, and a le rt you in case any service has problem s. A few features of the Dude include: © A uto n e tw o rk discovery and layout © Discovers any type o r brand o f device © Device, link m o n ito rin g , and notifica tio ns © Allow s you to draw yo u r own maps and add custom devices © Supports SNMP, ICMP, DNS, and TCP m o n ito rin g fo r devices th a t su pp o rt it © Direct access to rem ote co ntro l too ls fo r device m anagem ent © Supports rem ote Dude server and local client M o d u le 0 3 Page 371 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker _ admin@localhost - The Dude 4.0beta3 +• ■Ol V S«r>01 Qko«« •loo* M \ י fEL lCK4K41 10006 W INM SS י י W INDOW S® 10.002לל י W INLXQN3W A3R9M W INMSf, SELCMMlj U X ' *י W IN-O3SM R5HL9C4 י 169254 189180 BS) Otenl ix 199fcbp*/tt 191 bps S«v־r FIGURE 3.56: The Dude Screenshots M o d u le 0 3 Page 372 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker N e tw o rk D is c o v e ry a n d M a p p in g Tools [_ j !i CEH HP Netw ork Node M an ager i Software LANState r* *>־ http://www.10-5trike.com http://www8.hp.com £ FriendlyPinger N e tM ap p er http://www.kilievich.com (fT u le jsi http://www.opnet.com http://www.lumeta.com Ipsonar M kM ■ ! http://www.netbraintech.com http://cartoreso.campus,ecp.fr CartoReso 11 http://www.spiceworks.com Switch Center Enterprise HR i | http://www.lan-secure.com NetBrain Enterprise Suite m Spiceworks-Network M ap p er NetCrunch http://www.adremsoft.com — C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . N e tw o rk D is c o v e ry a n d M a p p in g T o o ls N e tw o rk discovery and m apping tools a llo w you to view the map o f yo ur netw ork. They help you d e te ct rogue h ard w a re and s o ftw a re v io la tio n s. It n otifie s you w henever a p articula r host becomes active or goes dow n. Thus, you can also figure o ut the server outages or problem s related to perform ance. This is the purpose o f n e tw o rk discovery and m apping too ls in term s o f security. The same to o ls can be used by attackers to launch attacks on your n etw o rk. Using these tools, the a ttacker draws the n e tw o rk diagram o f the ta rg e t n etw o rk, analyzes the topology, find outs th e vu ln era b ilitie s or weak points, and launches an attack by e xploitin g the m . The a ttacker may use the fo llo w in g too ls to create a map o f the n etw o rk: © LANState available at h ttp ://w w w .1 0 -s trik e .c o m Q FriendlyPinger avaialble at h ttp ://w w w .k ilie v ic h .c o m 9 Ipsonar available at h ttp ://w w w .lu m e ta .c o m Q CartoReso available at h ttp ://ca rto re so .ca m p u s.e cp .fr Q Switch Center Enterprise available at h ttp ://w w w .la n -s e c u re .c o m 9 HP N e tw o rk Node M anager i Softw are available at h ttp ://w w w 8 .h p .c o m 9 N e tM a pp e r available at h ttp ://w w w .o p n e t.c o m 9 NetBrain Enterprise Suite available at h ttp ://w w w .n e tb ra in te c h .c o m 9 S picew orks-N etw ork M apper available at h ttp ://w w w .s p ic e w o rk s .c o m 9 NetCrunch available at h ttp ://w w w .a d re m s o ft.c o m M o d u le 0 3 Page 373 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s fc js k C E H ^ Exam 3 1 2 -5 0 C ertified Ethical H acker S c a n n in g M e th o d o lo g y So far, we have discussed various means o f scanning and the sources to be scanned. Now we w ill discuss proxies and im p o rta n t mechanisms used by attackers to access the restricted sources and also to avoid th e ir id e ntity. Check for Live Systems 191 Check for Open Ports Scanning Beyond IDS Banner Grabbing Scan for Vulnerability r Draw Network Diagrams Q ; Prepare Proxies יז־ז^־־ל Scanning Pen Testing This section describes how to prepare proxies and how an a ttacker can use the m to launch attacks. M o d u le 0 3 Page 3 74 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ProxyServers CEH A proxy is a n e tw o r k c o m p u t e r th a t can s e r v e a s an in t e r m e d ia r y for c o n n ec tin g w ith o t h e r c o m p u t e r s A s a n IP a d d r e s s e s m u l tip l e x e r , a p ro x y a llo w s t h e c o n n e c tio n o f a n u m b e r o f c o m p u te rs to th e I n t e r n e t w h ile h a v in g o n ly o n e IP a d d r e s s Proxy servers can be used (to some extent) to anonymize w eb surfing C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . P ro x y S e rv e rs A proxy is a n e tw o rk co m p u te r th a t can serve as an in te rm e d ia ry fo r connecting w ith o th e r com puters. You can use a proxy server in m any ways such as: 0 A sa fire w a ll, a proxy protects the local n e tw o rk fro m th e outside access 9 As an IP address m ultip le xer, a proxy allows a n um ber o f com puters to connect to the In te rn e t w hen you have only one IP address 9 To anonym ize w eb surfing (to some extent) Q To filte r o u t unw anted co nte nt, such as ads or "u n su ita b le " m aterial (using specialized proxy servers) 9 To provide some p ro te ctio n against hacking attacks 9 To save ban d w id th Let's see how a proxy server works. W hen you use a proxy to request a p articula r w eb page on an actual server, it firs t sends yo ur re quest to th e p ro xy server. The proxy server then sends yo u r request to the actual server on M o d u le 0 3 Page 375 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker behalf o f yo ur request, i.e., it m ediates betw een you and the actual server to send and respond to the request as shown in the fo llo w in g figure. Attacker Target Organization FIGURE 3.57: Attacker using Proxy Server In this process, the proxy receives the co m m unication betw een the clie n t and the d e stin a tio n application. In o rd e r to take advantage o f a proxy server, c lie n t program s m ust be configured so the y can send th e ir requests to the proxy server instead o f th e final destination. M o d u le 0 3 Page 376 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker W h y A ttackers Use Proxy Servers? CEH (•rtifW d ithiul lU c k M To m a s k t h e a c tu a l s o u rc e o f t h e a t ta c k b y im p e r s o n a tin g a fa k e s o u r c e a d d r e s s o f t h e p ro x y To r e m o te ly a c c e s s in t r a n e t s a n d o t h e r w e b s ite r e s o u r c e s t h a t a r e n o r m a l l y o f f li m it s T o i n t e r r u p t a ll t h e r e q u e s t s s e n t b y a n a t t a c k e r a n d t r a n s m i t t h e m t o a t h i r d d e s t i n a t i o n , h e n c e v ic tim s w ill o n ly b e a b l e t o id e n t i f y t h e p ro x y s e r v e r a d d r e s s I A tta c k e rs c h a in m u ltip le p ro x y s e rv e rs t o a v o id d e t e c ti o n C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . W h y A tta c k e rs U se P ro x y S e rv e rs For an attacker, it is easy to a tta ck or hack a p articula r system than to conceal the attack source. So the main challenge fo r an attacker is to hide his id e n tity so th a t no one can trace him or her. To conceal the id e n tity, the a ttacker uses the proxy server. The main cause behind using a proxy is to avoid d e te c tio n o f a tta ck evidence. W ith help o f th e proxy server, an a ttacker can mask his or her IP address so th a t he or she can hack th e co m p u te r system w ith o u t any fear o f legal repercussion. W hen the a ttacker uses a proxy to connect to the d estination, the proxy's source address w ill be recorded in the server logs instead o f the actual source address o f the attacker. In a dd itio n to this, the reasons fo r w hich attackers use proxy servers include: Q A tta cke r appears in a victim server's log files w ith a fake source address o f the proxy ra th e r than w ith the attacker's actual address 9 To re m o te ly access in tranets and o th e r w ebsite resources th a t are norm ally o ff lim its 9 To in te rru p t all the requests sent by an a ttacker and tra n s m it the m to a th ird d estination, hence victim s w ill only be able to id e n tify the proxy server address 9 To use m u ltip le proxy servers fo r scanning and attacking, making it d iffic u lt fo r adm inistrato rs to trace the real source o f attack M o d u le 0 3 Page 377 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker UseofProxiesforAttack CEH Direct attack/ No proxies !s־*®״5 ־- ■ -- Logged P roxy C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . U se o f P ro x ie s fo r A tta c k Q uite a num ber o f proxies are in te n tio n a lly open to easy access. A no n ym o us proxies hide the real IP address (and som etim es o th e r in fo rm a tio n ) fro m w ebsites th a t the user visits. There are tw o types o r a no nym ous proxies: One th a t can be used in the same way as the nonanonym ous proxies and others th a t are web-based anonymizers. Let's see how m any d iffe re n t ways th a t attackers can use proxies to co m m it attacks on the target. Case 1: In the firs t case, the a ttacker perform s attacks d ire ctly w ith o u t using proxy. The a ttacker may be at risk to be traced o u t as the server logs may contain in fo rm a tio n about th e IP address o f the source. D ire c t a t t a c k / N o p ro x ie s T a rg et FIGURE 3.58: Attacker Communicating with Target Directly (No Proxy) Case 2: The a tta cke r uses the proxy to fetch the ta rg e t application. In this case, th e server log w ill show the IP address o f the proxy instead o f the attacker's IP address, th e re b y hiding his or M o d u le 0 3 Page 378 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker her id e n tity; thus, the a ttacker w ill be at m inim um risk o f being caught. This w ill give the a ttacker the chance to be anonym ous on the Inte rn e t. L o g g e d P ro x y A tta c k e r T a rg e t FIGURE 3.59: Attacker Communicating with Target through Proxy Case 3: To becom e m ore anonym ous on the In te rn e t, the a ttacker may use the proxy chaining tech n iq ue to fetch the ta rg e t application. If he or she uses proxy chaining, the n it is highly d iffic u lt to trace o u t his o r her IP address. Proxy chaining is a technique o f using m ore num bers o f proxies to fetch the target. A tta c k e r FIGURE 3.60: Attacker using Proxy Chaining for the attack M o d u le 0 3 Page 379 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ProxyChaining M Ha M ...................... IP: 20.10.10.2 Port: 8012 > M .......................< ־ IP: 20.10.15.4 Port: 8030 IP: 10.10.20.5 Port: 8023 U ser Encrypted/unencrypted traffic N m IP: 15.20.15.2 Port: 8045 IP: 20.15.15.3 Port: 8054 Unencrypted IP: 10.20.10.8 Port: 8028 1. User r eq u es ts a resource from the destination 2. Proxy client at the user's system connects to a proxy server and passes th e request to proxy server 3. The proxy server strips th e user's identification information and passes th e request to next proxy server 4. This process is repeated by all th e proxy servers in th e chain 5. At th e end u ne n c ry p ted re q u e s t is passed to th e w eb server traffic M־ »* □ C o p y rig h t © b y E C -G *a n cil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . P ro x y C h a in in g Proxy chaining helps you to becom e m ore ano n ym o us on th e Inte rn e t. Your a no n ym ity on the In te rn e t depends on the num ber o f proxies used fo r fetch in g the targe t application. If you use a larger num ber o f p ro xy servers, then you w ill become m ore anonym ous on the In te rn e t and vice versa. W hen th e attacker firs t requests the proxy s e rv e rl, this proxy s e rv e rl in tu rn requests a nother proxy server2. The proxy s e rv e rl strips the user's id e n tifica tio n in fo rm a tio n and passes the request to the next proxy server. This may again request a no th e r proxy server, server3, and so on, up to ta rg e t server, w here fin a lly the request is sent. Thus, it form s the chain o f th e proxy server to reach the destin a tion server as shown in the fo llo w in g figure: m IP: 20.10.10.2 Port: 8012 IP: 10.10.20.5 Port: 8023 IP: 20.10.15.4 Port: 8030 U ser E n crypted/u nencrypted traffic ..................... v IP: 20.15.15.3 Port: 8054 m ....................V IP: 15.20.15.2 Port: 8045 M IP: 10.20.10.8 Port: 8028 ................................ > Unencrypted traffic FIGURE 3.61: Proxy Chaining M o d u le 0 3 Page 3 80 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker P r o x y T o o l: P r o x y W o r k b e n c h CEH UrtifW tf IthKJi lUikM Proxy Workbench is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . P r o x y T o o l: P r o x y W o r k b e n c h Source: h ttp ://p ro x y w o rk b e n c h .c o m Proxy W orkbench is a p ro xy server th a t displays th e data passing th ro u g h it in real tim e , allows you to d rill in to p articula r TCP/IP connections, view th e ir history, save the data to a file , and view the socket connection diagram . The socket connection diagram is an anim ated graphical history o f all o f the events th a t to o k place on the socket connection. It is able to handle (secure sockets) and M o d u le 0 3 Page 381 HTTPS POP3 natively. Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker "Z. L s l® # ■ Proxy W o rk b e n c h File View Tools Help 0 5 - i s U M ontana iravya !132168168170) ^ SMTP • Outgoing e-mad (25) POP3 • Incoming c nvjd (110) Q HTTP Proxy •W eb (8080) ’ 127.aa1 to 127.0.01 (locahost) fi P P P P P P P P P P P P P P P P P P P P P P P P U Memay Dslafc ■6 10 ׳Dead (1318 X 308( (127 0 01 20750) Event So( 7 P a g e lo H m J4 J 4J ►J N 491 bytes of ia»a has been chnft. 12 14 49 53 8 DeaJ 113:18:26-779) D ead ( 1 1 1 8 2 5 7S2) Dead (1 1 1 8 2 5 757) Dead (13:1825752) De«d(13182S?46) The connection request Jo the remote server has been successful 13:14:49.817 Dead (13:1825741) Dead (131825736) Dead (1 *1 8 2 5 731) locahost (127.00 1 8080) Dead (131825 724) Dead(111825717) Dead (131825 684) Dead (131825 67$) 1 2 7 0 0 1 fi£«n Dead(13:1825671) 491 bytes of data has been ser* to Ihe !emote tervet. locahost (127 0 0 1 80801 Dead (131825 662) Dead(131825 655) Dead (131825.647) B Dead (131825641) Dead(111825633) Dead(131825625) (1270 01 20750) Dead(111825620) Dead (13:1825.586) FVB has (**connected horn the remote ckent 13 15 13 20 9 the remote server Kais disconnected 1315:13208 Dead (111825579) Deed (1118255741 Dead (13 1 82 5 566) Reel tnw date for Dead (13 18 30 308) Dead (13 1825 558) lU U U U J ^ Dead (111825552) Dead 11118255431 8 KByte* t i n t ׳/ ! J tt « ׳e ju ua u a id ua Socke״ FIGURE 3.62: Proxy Workbench Screenshot M o d u le 0 3 Page 382 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker ProxyTool:Proxifier C|EH Prox-fie1 ־is a program that a ows r>etwork appicatons that do rxrt support working through proxy servers to operate through an HTTPS or SOCKS proxy or a chain of proxy servers mpj/www proaf«r-aom ! ByK'CMAjV. • M “j •arn: *s־t2-d?rjSfit3y ״״c*C גשנ P r o x y T o o l: P r o x if ie r Source: h ttp ://w w w .p ro x ifie r.c o m P roxifier allows n e tw o rk a p p lica tio n s th a t do n ot su pp o rt w o rkin g throu g h proxy servers to operate throu g h a SOCKS o r HTTPS proxy and chains. It allows you to surf w ebsites th a t are restricted o r blocked by yo u r governm ent, organization, etc. by bypassing the fire w a lls rules. Features: 0 You can access the In te rn e t fro m a restricted n e tw o rk throu g h a proxy server gateway © It hides yo u r IP address 9 It can w o rk throu g h a chain o f proxy servers using d iffe re n t protocols Q It allows you to bypass fire w a lls and any access co ntro l mechanisms M o d u le 0 3 Page 383 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s ^ Exam 3 1 2 -5 0 C ertified Ethical H acker 1a Proxifier File Profile 1j tf * * log View ub El Help £1 & Application Taiget Time/'Sta t us R u le : Proxy Bytes Sent ^ m s ts c .E X E (5044) 64״ 192.168.2.40:3389 01:25 D e fa u lt: proxy.exam ple.net:1080 2.75 KB 4.06 KB w w w .l.g o o gle. com:30 01:14 Closed P ro x y2: proxy.exam ple.net:1080 3.33 KB 13.5 KB cxplore.exe (4704) ie3plore.exe (5664) lsvchost.exe (376, System) 64״ (376, System) 64״ Bytes Received [fe80::90bl:83b:c743:f49b]:80 IP v 6 01d2 L o c a l: Test proxy chain 958 376 w w w .u p d a te .m 1croso ft.co m :80 00:44 D e fa u lt: proxy.exam ple.net:1080 172 262 w w w .u p d ate.m icro s o ft.c om :4 43 00:42 D e fa u lt: proxy.exam ple.net:1080 131 KB 7 5 4 KB 4 $ !explore.exe (164) Ib l.w w w .m s .ak ad n 5.n e t 443 Failed H T T P S : proxy2.exam ple.net:8080 0 0 @ w w w .m ic ro s o ftc o m :8 0 8 0 00:21 C o n nectin g D e fa u lt: proxy.exam ple.net:1080 0 0 etp lo re.exe (2776) ■stConnections uA.Traff1t •״Statistics [19.591 svchost o t [19 59] svchost exe [19 59 ] svchost exe [19 59 ] svchost exe [19 59 ] svchost exe [19 59] svchost exe [19 59 ] svchost exe [19 59] svchost exe [19 59 ] svchost exe [20 00] svchost exe [20 00] explore exe [2000: expJoreexe 120 00] explore exe [20 00] !explore exe [20 00] explore exe [20 00] explore exe ]20 00; ejcloro exe [20 00 ] svchost exe Ready (37S. System) $4 ־- resolve v .^w updale rnicroMft.cotn DNS (37S. System) *64 • resolve w.vw update rmcroso*t c o t DNS (376. System) *64 - www update microsoft com 442 match!r>3 Defadt rd e : usng proxy proxy .examptenet:1080 (376. System) *64 - •A m ׳update microsoft c o t 44 ־open through prxxy proxy example net 1080 (375. System) *64 download.w 1ndow 3update.com 80 dose. 6S1 bytes aert. 1183 bytes (1-15 KB) received, bfefcme 00 05 (376. System) *64 • resolve download wmdowsLpdate com DNS (376. System) *64 resolve download.wmdowsupdate.com : DNS (376. System) *64 ־download windowsupdate com 80 matchrtg DefaJt a ie usng proxy proxy example net 1080 (376. System) *64 ■dowrload.wnndowsupdate .com 80 open through proxy proxy example net 1080 (376. System) *64 download.w 1ndowsupdate.com 80 dose. 175 bytes aert. 256 bytes recerved. tfetr>e 00:04 (164) - lb 1 www ms akadns net 443 matching H TTPS rule using proxy proxy2 example net 8080 (2776) - www nxyosoft com :8080 matchna Default a ie ue»>g proxy proxy example net 1080 (4704) • w a w I aooale com 80 dose. 1560 bytes (1 52 KB) sert 13451 bytes (13 1 KB) recoved Ife tm e 0 0 59 (5664) - www I cooole com SO dose. 1456 byte♦ (1 42 KB) t e r( 26617 bytes (25.9 KB) received *fet me 01 11 (5664) • wwwJ.QOQQle.cQm.gO dose. 3530 bytes(3 44 KB) sert 722 bytes receded fcfetneOI 11 (4704) • wwvr I cooole com 80 d o te . 3413 bytes(3 33 KB) s e t 13881 bytes (13.5 KB) received tfettne 01 14 ,'1641 ■b l w w w n s ekados net 443 error Codd not c o o k ed throudiproxy proxy2examolenet 8090 Reedng proxy replay on a c o m e d c n reouest faled w the*ror 10054 (376. System) *64 • www update microsoft com 8C dose. 172 bytes sent. 252 bvtes receded, tfetm e 01:01 7 actnre connections Down 0 6/sec Up 0 B/sec System DNS FIGURE 3.63: Proxifier Screenshot M o d u le 0 3 Page 384 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker P r o x y T o o l: P r o x y S w it c h e r P r o x y S w i t c h e r h i d e s y o u r IP a d d r e s s f r o m File Edit Actions View Bite (30) Dead (7220) 603ms (Anonymous) 1092ms (Anonymous) 1612ns * UNITED STATES 1653ms ^ UNITED STATES 1882ms | 194 160 765:8 0 (Anonymous) (Anonymous) 2324ms 2543ns ,J f 1592 26 3 227:80 (Anonymous) 2641ms 121 52 14 8 30 8080 208-74-174-142sayfanet 31 - 0 11 0 A T Cin.,_ _ _ _ _ (Anonymous) 2 6 8in s (Anonymous) /» _ _ _ _ _ _ _ _x 2 6 9a m «׳n-. KwpAKve IfAgoSw«ch M i SLOVAKIA SLOVAKIA > : REPUBLIC OF KOREA | B I CHINA B PAKISTAN ■ UNITED STATES ■ ■D C D IIQ I IT< >־ C M A I fV ־ > \/A Q KKww.proxyswitcher.com 98 181 57.227:9090 tested as [Eke-Anonymous] cocreo dresacallao 90b pe: 80 tested as [Dead] smtp spectrum ■networks net :80 tested as ((Bite-SSL)J f-kasklab50a.eti.pg gdapl:80 tested as [Eie-Anonymous] cofreo disacallao gob p e:80 tested as [(Qite-SSL)] H iah Anonvmous/S SL REPUBLIC OF MOLDOVA 2200ns UNITED STATES 2319ms (Anonymous) ProxySwltcherfO) | (Anonymous) (Anonymous) 147.46.7.54:8088 g | FRANCE (Anonymous) arr,3c 3 mnedu sk 80 Dangerous (148) My Proxy Servers (0) Crxrtry | I (F R A N C E hherphpo.hchdtmc.edu:80 66-162-61-85stabc:tvrteJe $ R esp o- _ * (Anonymous) 170.57.24.100:80 81 180 7 5 1 4 2 8080 Basic Anonymity (212) - E " Private (53) State 91.121.21.164:3128 ns1homenux.ccm:3l28 j.... SSL (26) -£ pl Server £ High Anonymous (19) EH t h e w e b s ite s y o u v is it Help PKwy Scanner ^ ׳N ew (0) C * □ 0 /6 P r o x y T o o l: P r o x y S w itc h e r Source: h ttp ://w w w .p ro x y s w itc h e r.c o m Proxy S w itcher allows you to su rf a no n ym o u sly on th e In te rn e t w ith o u t disclosing yo ur IP address. It also helps you to access various sites th a t have been blocked in th e o rg an iza tion . It avoids all sorts o f lim ita tio n s im posed by sites. Features: 9 It hides yo ur IP address © It allows you to access restricted sites Q It has fu ll su pp o rt o f passw ord-protected servers M o d u le 0 3 Page 385 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S * Proxy Sw itcher PRO ( D irect C o n n ec tio n ) File Edit A ctions @ l # l View □ X I Proxy Scanner ! # New (0) B i High Anonymous (19) SSL (26) ׳...E ? Elite (30) | B Dead (7220) Basic Anonymity (212) j— g ; Private (53) H elp d a a a i i ^ Dangerous (148) My Proxy Servers (0) ;... Sr ProxySwitcher (0) Server 91.121.21 164:3128 ns1.homenux.com :3128 hherphpo.hchd.tmc .edu :80 170.57.24.100:80 81.180.75.142:8080 static tvvtele.85 - 66-162-61 £ ,f & f , 194.160.76.5:80 if ,f £ .»# Disabled ~] Keep Alive amac3.minedu s k :80 147.46.7.54:8088 159.226.3.227:80 121.52 148 30:8080 sayfa.net .31:208-74-174-142 10n 01 שז־1 . 0 .* --------- 11 Auto Switch > j* a j ii State (Anonymous) (Anonymous) (Anonymous) (Anonymous) Respo... * 603ms 1092ms 1612ms 1653ms (Anonymous) (Anonymous) (/Vionymous) (Anonymous) (Anonymous) (/Vionymous) (Anonymous) (Anonymous) /A-------- \ 1882ms 2200ms 2319ms 2324ms 2543ms 2641ms 2683ms 2698ms ­ ­ר­ י­ מ- I I * > ׳E REPUBLIC OF MOLDOVA UNITED STATES SLOVAKIA SLOVAKIA REPUBLIC OF KOREA CHINA m K 9 PAKISTAN ■ UNITED STATES ■ ■ DCPI ipi irnc uni nn\/4 O w 1wuv.proxyswvjtcher.com 98 181.57.227:9090tested as [Bite-Anonymous] correo diresacallao gob pe:80tested as [Dead] smtp spectrum-networks n e t:80 tested as [(Bite-SSL)] f-kasklab50a eti pg gda.pl :80 tested as [Bite-Anonymous] correo disacallao gob pe:8 0 tested as [(Bite-SSL)] H igh A nonvm ous/S S L Country 1 וFRANCE I I FRANCE UNITED STATES * UNITED STATES □ 0/6 FIGURE 3.64: Proxy Switcher PRO Screenshot M o d u le 0 3 Page 386 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker P r o x y T o o l: S o c k s C h a in CEH im ttiM J tU x*l lUckM SocksChain t r a n s m i t s t h e TCP/IP a p p lic a tio n s t h r o u g h a chain of proxy serv ers Ufasoft SocksChain View Tools LdfLJ Help firefox To [64.4.11.42]:80 3 connections m To [65.55.57.27]:80 2 connections To [123.176.32.147]:80 13 connections m To [64.4.11.301:80 2 connections ^ To [123.176.32.1361:80 1 connections = ™ To [175.41.150.21:80 1 connections m To [207.46.49.1331:80 1 connections m To [64.4.21.391:80 1 connections 9 £ To [65.54.82.157]:80 2 connections £10© ! 0 chrome Through SE05411D17AFD6752EE36392EE4E42CAFB8A45D09=shadowhouse. S626F206838B0EA12CFCA5CE91 3 ■ To www.certifiedhacker.com(202.75.54.101]:80 6 connections S I To safebrowsing.google.com[74.125224.73!:443 1 connections To safebrowsing-cache.google.com[74.125.224.67J:443 !connections 1 7 1 ^ iexplore 0 PING V I> III < DANGEROUS.SOCKS PR0T0C0L=S0CKS5 ADDRESS=65.S4.82.157:80 DVUCEKOn? ?0CK8 bB0i.0C0r^0CK2J VDDKE2^e2?»85׳m :80 http://ufasoft.com C o p y rig h t © b y E C -C suncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d S blUG P r o x y T o o l: S o c k s C h a in Source: h ttp ://u fa s o ft.c o m SocksChain is a program th a t allows you to w o rk w ith any In te rn e t service throu g h a chain o f SOCKS or HTTP proxies to hide the real IP address. It can fu n ctio n as a usual SOCKS-server th a t tra nsm its queries throu g h a chain o f proxies. It can be used w ith clie n t program s th a t do not su pp o rt the SOCKS p rotocol, b ut w o rk w ith one TCP-connection, such as TELNET, HTTP, IRC, etc. It hides y o u r IP fro m being displayed in the server's log or mail headers. M o d u le 0 3 Page 387 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker K Ufasoft SocksChain File View m ¥ B Tools Help firefox Through SE0S411017AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9I 9 £ To [64.4.11.42]:80 3 connections 9 £ To [65.55.57.27]:80 2 connections To [123.176.32.1471:80 13 connections « To [64.4.11.301:80 2 connections _ To [123.176.32.136):80 1 connections ™ ■יTo [175^41.150-21:80 1 connections m To [207.46.49.1331:80 1 connections 9 1 To [64.4.21.39]:80 1 connections '■*. To [65.54.82.1571:80 2 connections 0 0 © B chrome Through SE05411Dl7AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9■ 3 8 To www.certrf1edhackef.coml202.75.54.101 ]:80 6 connections 9 1 To safebrowsmg.google.com(74.125.224.731:443 1 connections 0 <I 9 E To safebrows1ng-c*che.google.com[74.125224.67]:443 1 connections !explore PING •יי >I DANGEROUS.SOCKS PROTOCOL ־SOCKS5 ADDRESS=65.54.82.157:80 FIGURE 3.65: Ufasoft SocksChain Screenshot M o d u le 0 3 Page 388 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker P ro xy Tool: T O R (T h e O n io n R o u tin g ) Anonymity V id a lia C o n tro l P an el Security Privacy E n s u r e s t h e p r iv a c y , la y e r s o f s e c u r it y c o m m u n i c a t io n r e c ip ie n t o f a f to a m essage o v e r In te rn e t m essage n U s e s c o o p e r a t in g Tor Proxy T h e i n i t i a t i n g o n io n d e c r y p t s a ll d a t a V p ro x y ro u te rs 1 r o u t e r , c a lle d a " T o r p a c k e t s u s in g p u b lic J th r o u g h o u t th e I c l i e n t " d e t e r m in e s k e y e n c r y p t io n ° x . Proxy Chain E n c ry p ts a n d ־ P r o v id e s m u l t i p l e o f b o th s e n d e r a n d Encryption CEH n e tw o rk th e p a th o f View the Network Loc a Ncv> Id c rtty B , Bandwidth !^זרph ןMcuogc Lug O H#ip SclU1g» 0 About Q cxt 3 Show ttii* winflow on t tir n n t r a n s m is s io n h t tp s : // w w w . to r p ro je c t, o rg C o p y rig h t © b y EG -G ouncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . P r o x y T o o l: T O R (T h e O n io n R o u tin g ) Source: h ttp s ://w w w .to rp ro je c t.o rg Tor is so ftw a re and an open n e tw o rk th a t helps you defend against a fo rm surveillance th a t threa te ns personal fre e d o m and privacy, co nfid e ntia l business activities o f n e tw o rk and relationships, and state security know n as tra ffic analysis. You can use Tor to prevent w ebsites fro m tracking you on the Inte rn e t. You can also connect to news sites and in stan t messaging services w hen these sites are blocked by yo u r n e tw o rk a d m in istra to r. Tor makes it d iffic u lt to trace y o u r In te rn e t a ctivity as it conceals a user's location o r usage. Features: 9 Provides anonym ous com m unication over the In te rn e t 9 Ensures the privacy o f both sender and 9 Provides m u ltip le layers o f security to a message 9 Encrypts and decrypts all data packets using public key e ncryption 9 Uses cooperating proxy routers th ro u g h o u t the n e tw o rk 9 The in itia tin g onion ro u te r, called a "Tor clie n t" determ ines the path o f transm ission M o d u le 0 3 Page 389 re cip ie nt o f a message Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Vidalia Control Panel 1 ~ 1 ם x Status 4)1 Connected to the Tor network' Vidalia Shortcuts # # • Stop Tor Setup Relaying View the Network Use a New Identty , Bandwidth Graph O Help = ]Message Log @ Show the wndow on startup Settings About fc^Exit Hide FIGURE 3.66: Vidalia Control Panel showing the Status M o d u le 0 3 Page 3 90 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker P r o x y T o o ls CEH Burp Suite Proxy http://www.portswigger.net 0 http://www.analogx.com Proxy C om m and er P ro top ort Proxy Chain http://www.dlao.com http://www.protoport.com Proxy Tool W indow s App Proxy+ http://webproxylist.com http://www.proxyplus.c1 http://gpassl.com Gproxy 11 Fiddler !י ן!ן http://www.fiddler2.com FastProxySwitch http://affinity-tools.com 1 ProxyFinder http://www.proxy-tool.com C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . ןP ro x y T o o ls In a dd itio n to these proxy tools, th e re are m any m ore proxy tools intended to allow users to surf the In te rn e t anonym ously. A fe w are listed as follow s: 9 Burp Suite available at h ttp ://w w w .p o rts w ig g e r.n e t 9 Proxy C om m ander available at h ttp ://w w w .d la o .c o m 9 Proxy Tool W indow s App available at h ttp ://w e b p ro x y lis t.c o m 9 Gproxy available at h ttp ://g p a s s l.c o m 9 Fiddler available at h ttp ://w w w .fid d le r2 .c o m Q Proxy available at h ttp ://w w w .a n a lo g x .c o m 9 P ro to p o rt Proxy Chain available at h ttp ://w w w .p ro to p o rt.c o m Q Proxy+ available at h ttp ://w w w .p ro x y p lu s .c z 9 FastProxySwitch available at h ttp ://a ffin ity -to o ls .c o m 9 ProxyFinder available at h ttp ://w w w .p ro x y -to o l.c o m M o d u le 0 3 Page 391 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker P r o x y T o o ls CEH (C o n t’d) ProxyFinder Enterprise Socks Proxy Scanner http://www.mylanviewer.com http://www.proxy-tool.com A M »_ךil ezProxy ® HI http://www.ode.org JAP Anonymity and Privacy Charles http://www.charlesproxy.com UltraSurf http://anon.inf.tu-dresden.de/index_en.html http://www.ultrasurf.us CC Proxy Server http://www.youngzsoft.net ™ FoxyProxy Standard https://addons.mozilla.org C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . h P r o x y T o o l s ( C o n t ’d ) ---------- The list o f proxy tools m entioned in the previous slide continues as follow s: 9 ProxyFinder Enterprise available at h ttp ://w w w .p ro x y -to o l.c o m 9 ezProxy available at h ttp ://w w w .o c lc .o rg 9 JAP A no n ym ity and Privacy available at h ttp ://a n o n .in f.tu -d re s d e n .d e /in d e x en.htm l 9 CC Proxy Server available at h ttp ://w w w .y o u n g z s o ft.n e t 9 FoxyProxy Standard available at h ttp s://a d d o n s.m o zilla .o rg 9 Socks Proxy Scanner available at h ttp ://w w w .m y la n v ie w e r.c o m Q Charles available at h ttp ://w w w .c h a rle s p ro x v .c o m 9 U ltraS urf available at h ttp ://w w w .u ltra s u rf.u s Q WideCap available at h ttp ://w id e c a p .ru 9 ProxyCap available at h ttp ://w w w .p ro x y c a p .c o m M o d u le 0 3 Page 392 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker F re e P ro x y S e rv e rs Cl EH (•rtrfw tf Google A search in Google lists thousands of free proxy servers Google IS tk K J l lU c k M 1 FreeProxyServers adoui12.700.000result?{020seconds) P roxy4Free-Ff ProxyStrvtrt -protectYourPrunePrivacyaW 1 wwwproxy4tree comj roxxyy4seFrv reeereisraortre nduprso roxr^ ycshtceackieeorשcrnoew r■e*absu e?•refres-e pPro oveeprro 9yw ealisrstaQ c«d3tnng5y3o!ד ׳u3M «חtiוm List Country Ratino AccessTim• u st o fFreeProxyServers- Page 10 ד0ז wwwproxy4tree eor>v1ist7»eaproxy1 htmi F PE roA xyD ,A onO im izePrR ,V N .P rosio xyn4re Fre ero Prxoyxyse uil, PTePst,ag*en1cocrr-i* HreOeM DnY UR OP X Y U eP rveIrs 10-uemu Pr•• P iw bidemyaM .ctforL rvisptfoxPyu-Jbislic VProxy Sarvars UPJEQSUAdeiJyAss;* images uaps vM ki N«w* ShopplnQ Uor* Proxy 4 Free “ ״נגלו - n ... ~ — Free proxy list index. Ih* Uigvst !•aMirn* database ofDu&fe ptoxy servers :r in e Show searcn tools 1■ H M A niifdl0em v0yM .cs0srוivFretProxyanaPrivacyToots-sunזryewco...* Wuliproxy fioo) McAfgg SECURE c-ilot. lolpkeec tcusafofcom ״tr * : ־:• !.*. ssa sssssasssr Bar =2— c1»dit card fraud, spywst•. Us• our It• • proxy to twl anonmoasH crtn * !■ » - FreeProxyServer-surr !rr ,\rr A-nnymn. m:, Surrm*webanonymouslywithourtreeproxyserver FreeProxyServer TiirLnHUu. rreeproxynerver net/ iNwyirj 1:1' P ublicProxyServers FreeProxyServerlsi wvcttpu Dlicproxyservers.conv Pu&lic Proxy Servers is a tree and 1חdependent proxy :hecan; 5 « sm Cur ser.ice neips you to proteclyour identity ana Dypass surting restnraons s!r»ce 2002 C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . e a F re e — P ro x y S e rv e rs Besides proxy tools discussed previously, you can find a num ber o f free proxy sites available on the In te rn e t th a t can help you to access restricted sites w ith o u t revealing yo ur IP address. Just type Free Proxy Servers in the Google search engine and you w ill get num erous proxy server websites. ( jO . )g ie Free Proxy Servers “** 55* יי •׳•״*״ **«•׳ H 3 I 13 r 00 000 r•! u n to 70 m o m ! 1 S e a rc h W«o 4 O Pra«v 4 Free F ree Proxy S erv ers Protect Your OMne Pnvacv «w»proxy41»o*corv proxy server* for Over 9 yea* Ow Lilt County Ratng tc c tit T r» Pro«y 4 F ree- F ree Proxy S erv ers -Protect Your Onlne Privacy ■A _ preiraaee co«u - cecfted - Smear O k w j h u m •m n u h _ Proxy 4 Free u a a i f i e e Pfoxj se rv e r* • l y 1 a i 18 wwwp!o*if4lreecorA1rweapreey1 ren« Fr«t Pron Anomrutf VPN Pro!* 4 Ftee Pro»y Ust P Te*t A»ownn» tCNU HOUE-AOOYOURPftOrr 1.«tc*rreee1MjSenwr» ? •?•K rflO F ree ^ ־axv L st - P i t * Proxy S ervers P PORT n o e Mir A ss' *״ fttOtmrs•• com^rexy*■• !(•epfor! s$1 no«« tv• 1*׳c«»!«•*»So« 4aiac*s« or caAK precy •e rm s crtr* m c Uxau : F re e r r p u A a i P a t a u . T a a i - a u T T n c m t ^ . * s= ■ E 1 -----------------------------I B - f A*e proxy r׳H Uo*JW S€CU«t MM K♦* •• ♦ז,©« SSH *on•4**r. T*4 creat caretswd s t ■•**»* u s• ft* *ee proxy 10 s ^ t w>n>r1wow»> o«am M l . — •־ B - ׳. . H l | ׳V W rjuZxvJ > Y ,1 P r a t Proxy S erv er _ I u m o ttt e . tortahtftconv *mTt#Mte40*eepnMy seryer - o e a r •זי,» רw n tx S M an e 1m m < r n orowtieg too mar* נ a* se» M trtrn«101e*oureeaM*eft*«0*a1 _ 1 I PiAftc Proxy Servers F ree Proxy S e rv er Lot ^ www |M<t*t#«eayee«ye1s ceev FuoecPreir Wrvor• 1» t Iim •non a m U i i p>o» <*o<S(ng יי«ו»<וCX aemce 1 «ייז •'׳u 10 proloct tour 1asrM1 anoerpess •usng teMKSons trve7M 7 0 FIGURE 3.67: Google Search showing Free Proxy Servers M o d u le 0 3 Page 393 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker H T T P T u n n e l i n g T e c h n iq u e s J CEH HTTP Tunneling te c h n o lo g y allows users to d e s p ite t h e restrictio ns im p o se d by firewalls E n c a p s u la te s d a ta inside (ן (p o rt , ייוf ! * > י ו.......... • < 80) < I n t e r n e t ..........f t > * * Router !<•■■••> יי Router HTTP Proxy or Firewall End Users use HTTPTunnel to transmit or receive data through Firewall ?111 Previously inaccessible servers and services C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d H T T P T u n n e lin g T e c h n iq u e s HTTP Tunneling is a no the r technique th a t allows you to use the In te rn e t despite restrictions im posed by the firew alls. The HTTP p ro to co l acts as w ra p p e r fo r com m unication channels. An a tta cke r uses HTTP tu n n e l s o ftw a re to p e rfo rm HTTP tun n elin g. It is a client-server-based application used to com m unicate throu g h the HTTP p rotocol. This so ftw a re creates an HTTP tun n el betw een tw o machines, using a w eb proxy o ptio n . The tech n iq ue involves sending POST requests to an "HTTP server" and receiving replies. The a ttacker uses the client application o f HTTP tu n n e l softw are installed on his o r her system to com m unicate w ith o th e r machines. All requests sent throu g h the HTTP tu n n e l clie n t application go throu g h the HTTP protocol. M o d u le 0 3 Page 394 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker R acks o f HTTP T u n n el S e rv e rs א M R o u te r אM 49 HTTP P roxy HTTP T u n n el o r F irew all S e rv e rs r e c e iv e a n d re la y th e d a ta - End U se rs u s e H TTP-Tunnel to tr a n s m it o r re c e iv e d a ta 1 th r o u g h F irew all & _ • •u! j P re v io u s ly in a c c e s s ib le s e r v e r s a n d s e rv ic e s FIGURE 3.68: HTTP Tunneling Process The HTTP tun n e lin g technique is used in n e tw o rk activities such as: 9 Stream ing video and audio 9 Remote procedure calls fo r n e tw o rk m anagem ent 9 For in tru sion d ete ction alerts 9 Firewalls M o d u le 0 3 Page 395 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker W h y do I N e e d H T T P T u n n e lin g 80 and 443, and J Organizations firewall all ports except J HTTP tunneling will enable use of FTP via HTTP protocol INSIDE THE NETW ORK a v HTTP Tunneling client running on local port OUTSIDE THE NETW ORK P o rt 23 □ P o rt 21 □ P o rt 79 □ P o rt 25 ם P o rt 110 Q 1 P o rt 500 Q 1 P o rt 69 □ 11 P o r t 80 a ! ........•נ 443 Q I FTP you may w ant to use FTP P o rt 1 Internet © Data is sent via HTTP V I FTP data is encapsulated in http packet F ire w a ll r u le s o n ly H t t p tu n n e lin g s e rv e r a llo w p o r t 8 0 a n d 4 4 3 s o ftw a r e r u n n in g C o p y rig h t © b y EG-G*ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . W h y d o I N e e d H T T P T u n n e lin g ? HTTP tu n n e lin g allows you to use the In te rn e t despite having fire w a ll re stric tio n s such as blocking specific fire w a ll p o rts to re strict specific p ro to co l co m m unication. HTTP tun n e lin g helps you to overcom e this fire w a ll re strictio n by sending specific protocol co m m unication throu g h HTTP p rotocol. The a ttacker may use this tech n iq ue fo r the fo llo w in g reasons: 9 It assures the a ttacker th a t no one w ill m o n ito r him or her w hile browsing 9 It helps the a ttacker to bypass fire w a ll restrictions 9 It ensures secure browsing 9 The a ttacker can hide his or her IP address fro m being trapped 9 it assures th a t it is highly im possible fo r others to id e n tify him o r her online Suppose the organization has blocked all ports in yo ur fire w a ll and only allows p o rt 8 0/4 4 3 , and you w a n t to use FTP to connect to some re m o te server on the Inte rn e t. In this case, you can send y o u r packets via HTTP p ro to co l as shown in the fo llo w in g figure: M o d u le 0 3 Page 396 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker IN S ID E T H E N E T W O R K o ן F T P C li e n t fL S o ftw a re - s ftp v HTTP T u n n e lin g c lie n t ru n n in g P o rt P o rt P o rt P o rt P o rt P o rt P o rt P o rt P o rt 23 ם ם 79 ם 25 ם 110 ם 500 ם 69 ם 80 S3 443 B 21 o n lo c a l p o r t F T P d a t a is e n c a p s u la te d in h t t p p a c k e t F ire w a ll r u le s o n ly a llo w p o r t 8 0 a n d 4 4 3 FIGURE 3.69: Effect of HTTP Tunneling on both Inside and Outside the Network M o d u le 0 3 Page 397 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker H T T P T u n n e lin g Tool: S uper N e tw o r k T u n n e l H T T P T u n n e lin g T o o l: S u p e r N e tw o r k CEH T u n n e l Source: h ttp ://w w w .n e tw o rk tu n n e l.n e t Super N e tw o rk Tunnel is a professional HTTP tu n n e lin g softw are, w hich includes HTTP tu n n e l c lie n t and server so ftw a re . It is like secure VPN so ftw a re th a t allows you to access your In te rn e t program s w ith o u t being m o n ito re d by yo ur w ork, school, o r the governm ent, and gives you an extra layer o f p ro te ctio n against hackers, spyware, or ID th e ft. It can bypass any fire w a ll. M o d u le 0 3 Page 398 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker # • H - a ik S ta rt S e tu p Lot □ Add §&. O ra g B o x • TotalSendBytes Tota/Recvfiytes Server Cwent Connections: [ J1 R in H e to About Use Rin Game WthGameGuard Mode Q Use Real Remote Dn* Resolve Send Speed Recv Speed Serves Total Threads(nctude cache) My Local IP: 10 9 0 74 + IP View System Today Log [ O nly Im p o rta n t M e ssa g e s Thts operating system is 64־b11, SKI support tunnel both 32b1t and 64b11 prop«׳a, and except us• kook •ngin*, you •Iso can eon 7 י O e n t Stop L o g &>d S ta tu s | ■ ■ | . -■ ■■ : | In Vksta.You can use dragdrop box to fragdrop program or program shortcut FIGURE 3.70: Super Network Tunnel Screenshot M o d u le 0 3 Page 399 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s End user w ith HTTP-tunnel Exam 3 1 2 -5 0 C ertified Ethical H acker HTTP Proxy or Firewall h t tp : // w w w . h ttp - tu n n e l.c o m C o p y rig h t © b y ־ W _ H T T P T u n n e lin g EG-G*ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . T o o l: H T T P -T u n n e l ׳/ Source: h ttp ://w w w .h ttp -tu n n e l.c o m HTTP Tunnel acts as a SOCKS server, allow ing you to access the In te rn e t by bypassing fire w a ll restrictions. It is very secure softw are. Using this so ftw a re does n ot a llow others to m o n ito r y o u r In te rn e t activities. It hides yo u r IP address; th e re fo re , it does not a llow tracing o f your system. It allows you the u n lim ite d tra n sfe r o f data. It runs in yo ur system tra y acting as a SOCKS server, managing all data transm issions betw een the co m p u te r and the n etw o rk. M o d u le 0 3 Page 4 0 0 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s %J Exam 3 1 2-50 C ertified Ethical H acker Configuration H T T P -T u n n e l C lie n t v 4 .4 .4 0 0 0 ־3 Ptotty S«rv« file Wy g e ttin g s H elp He*p Connections r C onligue Log C*■ Enter Key Mad Support Autodtloct <• N0P>0>V C Speciy Pioty Serve* N«neAP Exrf C• a l r | S p eed T ett | Diagnostics | About | <11 56 11> RIP Pnged serve* to keep use! logged n I <11 56 11> RettievelP Log Window Geared r M *w n e e |H 4 » }o n S t« M > Accei 1 Rwtactoro Turn •»» ON •0 *cm 2 IP1 10 um •w HTTPT irmH cktri L n v • t « O ff I you oriy *Mrt 10 um HTTPT u׳mel how pvogrami *m n g o n t w PC r AI0M»«4 >eo»vo IP* •o comect foHTTP Tunnrt Advanced U *«n f 0• advanced u w t only e*eete corriacl Svcded 101 r #0 Thn option Mi *osbcafly ״t ״ove performance i t • supported by fOU proay Th■ m i vo l. ONLY I you Save 1 piOMy The comtc Icn loti dot! not lot( t t i op•cn r U ser G u id e s . .. OomnomU.n e w t+ m rtP n a m c r h ttp tu n n e i Chck Here Ptoay * w ‘C O N N EC T" command D a la « P a * MT TP T c m •* Infant an Peal 1080 lei conrecbon! ha■* * « * n » 10rM Char^a >ou I r d port 1 0 6 C * * « V r U M » * a n you b * d H T T P I m l You n « k n 10 10c 0r t 9 # *)K » *ap p fca *an a and ••alart H T T P T im a l $3.99 a month/year 1 M u n if o ( I i n * A n y w l i fioio Key n o t fo u n d Free S erver M o d e. 0 KBUp/0 KBDown IP R etrieved(. 149] FIGURE 3.71: HTTP-Tunnel Client and Configuration Windows M o d u le 0 3 Page 401 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . | Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker B ssh -f - f u s e r @ c e r tifie d h a c k e r .c o m = > b a c k g ro u n d m o d e , y o u a r e lo g g in g i n t o , - L -L 5 0 0 0 :c e r t i f i e d h a c k e r . c o m :2 5 u s e r S c e r t i f i e d h a c k e r . com = > c e r t i f i e d h a c k e r . com : 2 5 5000 : p o rt:h o s t:re m o te -p o rt, a n d -N => Do not execute the 6 = > lo c a l- □ S im p ly p o i n t y o u r e m a il c lie n t t o u s e lo c a lh o s t : 5 0 0 0 as t h e S M T P s e r v e r c o m m a n d o n t h e r e m o t e s y s te m EG-G*ancil. All local port 5 0 0 0 to 2 5 o n c e r t if ie d h a c k e r . c o m e n c ry p te d u s e r n a m e a n d s e rv e r Copyright © by T h is f o r w a r d s t h e port -N Rights Reserved. Reproduction is S trictly Prohibited. SSH T u n n e lin g SSH tun n e lin g is a n o th e r technique th a t an a ttacker can use to bypass fire w a ll re strictio n s. It also helps you hide yo ur IP address on th e Inte rn e t; th e re fo re , no one can trace or m o n ito r you. The prerequisite o f SSH tun n e lin g is raised fro m the problem s caused by the p ub lic IP address, the means fo r accessing com puters fro m anyw here in the w o rld . The com puters netw orked w ith the public IP address are universally accessible, so th e y could be attacked by anyone on the global In te rn e t easily and can be victim ize d by attackers. The d eve lo p m en t o f SSH tun n e lin g solves the problem s faced by the public IP address. An SSH tun n el is a link th a t proceeds tra ffic fro m an indiscrim inate p o rt on one m achine to a re m o te m achine throu g h an in te rm e d ia te machine. An SSH tu n n e l comprises an encrypted tun n el, so all yo u r data is encrypted as it uses a secure shell to create the tun n el. Creating a tu n n e l fo r a p rivately addressed m achine needs to im p le m e n t th re e basic steps and also requires th re e machines. The th re e requisite machines are: 9 Local machine 9 An in te rm e d ia te m achine w ith a public IP address 9 Target m achine w ith a private address to w hich th e connection m ust be established M o d u le 0 3 Page 402 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker You can create a tunnel as follows: 9 Start an SSH connection from local machine to the intermediate machine with public IP address. 9 Instruct the SSH connection to wait and observe traffic on the local port, and use intermediate machine to send the traffic to an explicit port on the target machine with a private address. This is called port acceleration or port forwarding. 9 On the local machine, select the application that you want to use for connection with the remote machine and configure it to use port forwarding on the local machine. Now, when you connect to the local port, it will redirect the traffic to the remote machine. To secure communication between computers, SSH uses private and public encryption keys. The public encryption keys used by the SSH tunneling deed like the identifiers of the authorized computer. On initiating an SSH connection, each machine exchanges public keys, but only the computer that has the matching private key can attain access to the remote computer applications and information and can read encrypted communications with the public key. f t <i DB C lient % DB Server M a il C lie n t <3 I n * A tta c k e r Internet SSH t A p p C lie n t f ״ !'• <׳ ׳ M a il Server !□□ם □ 0 9 -............. ______ ► C lie n t SSH P e rim e te r P e rim e te r C o n tr o ls C o n tr o ls *4 S erv er A pp Server W e b se rve r W eb Client FIGURE 3.72: SSH Tunneling Process OpenSSH Source: http://www.openssh.org OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. OpenSSH can be used to tunnel the traffic on local machine to a remote machine that you have an account on. s s h - f u s e r @ c e r tif ie d h a c k e r .c o m -f => backgroung mode user@ c e r t i f i e d h a c k e r . com=> -L -n -L 2 0 0 0 : c e r t i f i e d h a c k e r . com: 25 -N 2000: user name and server you are logging into c e r t i f i e d h a c k e r . c o m : 25 => I0cal־p0rt:h0st:rem0te־p0rt => Do not execute the command on the remote system This essentially forwards the local port 2000 to port 25 on certifiedhacker.com encrypted. Simply point your email client to use localhost:2000 as the SMTP server. M o d u le 0 3 Page 4 0 3 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S S H T u n n e l i n g T o o l: B i t v i s e C EH B itv ise SSH S e r v e r p r o v id e s s e c u r e r e m o t e lo g in c a p a b ili tie s t o W in d o w s w o r k s t a ti o n s a n d s e r v e r s SSH C lie n t in c lu d e s p o w e rf u l tu n n e lin g f e a t u r e s in c lu d in g d y n a m ic p o r t f o r w a r d in g t h r o u g h a n in t e g r a t e d p ro x y , a n d a ls o r e m o t e a d m i n i s t r a t i o n f o r t h e SSH S e r v e r ?1 Bitvise SFTP - localhost:22 I W indow Local Remote ^ U pload Queue U pload Queue Download Queue a i D ownload Queue Log Log £] $ (3 c.\prog!amfiles(xS6}',b1t/isetunnelier St Name Size Type DateModifed Attributes QkMermcexe 286,720 Application 2006-12-250.. A S/glcl:tgc.oxo 1.265.664 Appliraton 2006-12-250.. A i"7logexe 20.480 Application 2006-12-250 A Lsenseexe 1,597.440 Applicabon 2006-12-250 A ■Isftpc.exe 2,002,944 Application 2006-12-250.. A iis3hd3tg3exe 2.150,400 App1caton 2006-12-250.. A B7־stermc 1,650,608 App1cabon 2006-12-250 A Qtotermcexe 372,736 Application 2006-12-250.. A MTurn01tor.oxo 6.193.152 AppIoaton 2006-12-250.. A S}un1n31.exo 552.256 Apploaton 2006־12-250.. A vt100bds 6,066 TDSFils 2006-12-250 A xtermtds 6,066 TDSFilo 2006-12-250.. A o s> Nome k Log* ׳ יbv^Ad.oxe ^ Binary !_[״Resume |:|JOverwrite ft Start If Binary * _Resurre j Li Overwrite ft Start O {*• fc ip r o g r a r r Files (x36)/bitvise w insshd Size Type DeteModifed 0 FileFolder 2006-12-250.. 167.936 Application 2006-12-250... I 7־ exe 188.415 Application 2006025־12־.. F |)Vrmsso* 200.095 Application 2006-12-250 ■ ; SCP.OXO 294,912 Application 2006-12-250.. 15,961 C*•♦Sour... 2006-12-250.. °*1StcPuginSomple.cpp -»SlpRuginSompI#dll 20.•100 Applicati 2009-12-250.. 610.304 application 2006-12-250.. 2.76070 !׳Application 2006-12-250.. ■7 CCMCV.OXO 05515 ־/Vppilcatlon 2006-12-250.. ^sowoxecoxe 2,211.040 Application 2006-12-250.. f7itMtlgt win ■׳totom003 192.512 Application 2006-12-250.. P u m rs ie x e 352.256 Application 2006-12-250.. 2,330.016 Application 2006-12-250.. י 3.461,120 Application 2006-12-250.. 7 יW irSSHD.exe I!WrttshdAdStateCheckexe 446,464 Application 2006-12^250.. 2,666,496 Applicati... 2006-12-250.. -יWneshdCfgManipdI 3.768 Interface 2006-12-250.. j Wr'sshdCfgMaoipidl h t tp : // w w w . b itv ise . c o m C o p y rig h t © b y SSH T u n n e lin g EC-CMMCil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . T o o l: B itv is e Source: http://www.bitvise.com Bitvise is client server-based application used for SSH tunneling. The server provides you secure remote login capabilities to Windows workstations and servers. With Bitvise SSH Server, you can administer the Windows server remotely. The Bitvise server even has the ability to encrypt the data during transmission so that no one can sniff your data during transmission. Bitvise SSH Client includes graphical as well as command line SFTP support, an FTP-to-SFTP bridge, tunneling features that can be helpful for port forwarding and remote administration. M o d u le 0 3 Page 4 04 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker . ויBitvise SFTP - localhost:22 W in d o w Local B ro w s e R e m o te U p lo a d Q u e u e | J ) U p lo a d Q u e u e 1 2 D o w n lo a d Q u e u e D o w n lo a d Q u e u e Log -_ /^ L o g R e m o t e F ile s o O S 13( ׳.׳4 £ < N am e S ize c :\p ro g ra m file s (x86)Vb1tv is e tunrieher ׳ S ■ *2 O Type D a te M o d ife d A ttrib u te s Nam e 2006-12-25 0... A 1 Logs }ל fit /c /p ro g ra m file s (x86)/b !tv is e w in ssh d S ize Type □ a te M o d ite d 0 F ile F o ld e r 2006-12-25 0 .. bvPw dexe 167.936 A p p lic a tio n 2006-12-25 0 .. b v R u n .e x e 188.416 A p p lic a tio n 2006-12-25 0 .. 208.896 A p p lic a tio n 2006-12-25 0 .. 294.912 A p p lic a tio n 2006-12-25 0 .. 15.961 C ♦♦ Sour... 2006-12-25 0 .. 23.480 n tv te rrn c .e x e 286.720 A p p lic a tio n f f g ld s tg s .e x e 1.265.664 A p p lic a tio n 2006-12-26 0... A י 20.480 A p p lic a tio n 2006-12-25 0... A • s e x e c exe 1.597.440 A p p lic a tio n 2006-12-25 0... A ■ b v te rm s e x e s ftp c e x e 2.002.944 A p p lic a tio n 2006-12-25 0... A ■ ' s c p .e x e s s h d s tg s .e x e 2 . ו50.400 A p p lic a tio n 2006-12-26 0 ... A c~ S ttp P lu g m S a m p le .c p p s te rm c .e x e 1.650.688 A p p lic a tio n 2006-12-25 0... A Q to t e r m c e x e 372.736 A p p lic a tio n 2006-12-26 0 ... A 6.193.152 A p p lic a tio n 2006-12-25 0... A F ss h d c trl.e x e 352.256 A p p lic a tio n 2006-12-25 0... A F sshdexecexe I 7 lo g .e x e ■ F F ; ' ׳T u n n e lie r.e xe J | u n 1r s t e x s S ftp P lu g in S a m p le .d ll ■ ' sftp s.e xe A p p lic a ti... 2006-12-25 0 .. 610.304 A p p lic a tio n 2006-12-25 0 .. 2.763.704 A p p lic a tio n 2006-12-25 0 .. 45.056 A p p lic a tio n 2006-12-25 0 .. v tlO C .td s 6.066 T D S F ile 2006-12-25 0... A ' יs s h d s tg s .e x e 2.211.840 A p p lic a tio n 2006-12-25 0 .. xJerm .lds 6.066 T O S F ile 2006-12-25 0 ... A F to te rm .e xe 192.512 A p p lic a tio n 2006-12-25 0 .. F u n in s te x e 352.256 A p p lic a tio n 2006-12-25 0 .. 2006-12-25 0. . F w c tg exe 2.338.816 A p p lic a tio n F W in S S H D .e x e 3.461.120 A p p lic a tio n 2006-12-25 0 .. 445,464 A p p lic a tio n 2006-12-25 0 ■ W in s s h d A c tS ta te C h e c k e x e W in s s h d C fg M a n ip .d ll i W in s s h d C tg M a n ip id l S f B in a r v ; R esum e J O ve rw rite _ [ & Start JP jD in d iy * R esum e 2.666.496 3,768 □ O verw rite A p p lic a ti... 2006-12-25 0 .. In te rla ce 2006-12-25 0 S ta rt ] FIGURE 3.73: Bitvise Tool Screenshot M o d u le 0 3 Page 4 05 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker CEH A n o n y m iz e r s J An a n o n y m iz er r e m o v e s all t h e identifying in f o rm a tio n fro m t h e u ser's c o m p u t e r while t h e u se r surfs t h e In te rn e t J A nonymizers m a k e activity on t h e I n t e r n e t u n tr a c e a b le J A nonym izer too ls allow you t o b y p a s s I n t e r n e t c e n s o r e d w e b s i t e s W h y u s e A n o n y m iz e r? C o p y rig h t © b y E G -G *nncil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . A n o n y m iz e rs An anonymizer is an intermediate server placed in between the end user and web site that accesses the website on behalf of you, making your web surfing untraceable. An anonymizer eliminates all the identifying information (IP address) from your system while you are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web (http :), file transfer protocol (ftp :), and gopher (gopher:) Internet services. To visit a page anonymously, you can visit your preferred anonymizer site, and enter the name of the target website in the Anonymization field. Alternately, you can set your browser home page to point to an anonymizer, so that every subsequent web access will be anonymized. Apart from this, you can choose to anonymously provide passwords and other information to sites that request you, without revealing any other information, such as your IP address. Crackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their applications configuration menu, thereby cloaking their malicious activities. W h y U se a n A n o n y m iz e r? The reasons for using anonymizers include: M o d u le 0 3 Page 4 06 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s 9 Exam 3 1 2 -5 0 C ertified Ethical H acker Ensures privacy: It protects yo u r id e n tity by m aking yo u r w e b n aviga tio n activities untraceable. Your privacy is m aintained u n til and unless you disclose yo u r personal in fo rm a tio n on the w eb by fillin g o u t form s, etc. 9 Accesses government-restricted content: Most governments prevent their citizens from accessing certain websites or content in order to avoid them from accessing inappropriate information or sensitive information. But these people can access even these types of resources by an anonymizer located outside the country. 9 Protect you from online attacks: Anonym izers p ro te ct you fro m all instances o f online pharm ing attacks by routing all customer Internet traffic via the anonymizer's protected DNS servers. 9 Bypass IDS and firewall rules: Bypassing o f fire w a lls is m ostly done in organizations or schools by em ployees or students accessing w ebsites th e y are n ot supposed to access. An anonym izer service gets around yo u r organization's fire w a ll by setting up a connection betw een yo ur co m p u te r and the anonym izer service. By doing such, fire w a lls can see only the connection fro m you to anonym izer's w eb address. The anonym izer w ill the n connect to T w itte r o r any w ebsite you w anted to access w ith the help o f an In te rn e t connection and sends the co n te n t back to you. For your organization, it looks like yo u r system is connected to an anonym izer's w eb address, but n ot to T w itte r or o th e r sites. Anonym izers, apart fro m p ro te ctin g users' id e ntitie s, can also attack the w ebsite and no one can actually d ete ct w here the attack came fro m . T y p e s o f A n o n y m iz e rs An anonym izer is a service throu g h w hich one can hide th e ir id e n tity w hen using certain services o f the Inte rn e t. It basically works by encrypting the data from your computer, so that is cannot be understood by Internet service providers or anyone who might try to access it. Basically, anonym izers are o f tw o types: 9 N etw orked anonym izers 9 S ingle-point anonym izers - ____~ N e tw o rk e d A n o n y m iz e rs ____ These type o f anonym izer firs t transfers yo ur in fo rm a tio n throu g h a n e tw o rk o f In te rn e t com puters before sending it to the w ebsite. Since the in fo rm a tio n passes through several In te rn e t com puters, it becomes m ore cum bersom e fo r anyone tryin g to tra ck yo ur in fo rm a tio n to establish the connection betw een you and anonym izer. Example: If you w a n t to visit any web page you have to make a request. The request w ill firs t pass throu g h A, B, and C In te rn e t com puters p rio r to going to the w ebsite. Then a fte r being opened, the page w ill be tra nsfe rre d back throu g h C, B, and A and then to you. Advantage: C om plication o f the com m unications makes tra ffic analysis com plex M o d u le 0 3 Page 4 07 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Disadvantage: Any multi-node network communications have some degree of risk at each node for compromising confidentiality ___ S in g le -p o in t A n o n y m iz e r s '— ^ Single-point anonymizers first transfer your information through a website before sending this to the target website, and then pass back information, i.e., gathered from the targeted website, through a website and then back to you to protect your identity. Advantage: IP address and related identifying information are protected by the arms-length communications Disadvantage: It offers less resistance to sophisticated traffic analysis M o d u le 0 3 Page 4 08 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker C a s e : B lo g g e rs W rite T e x t B a c k w a rd s to B y p a s s W e b F il te r s in C h in a Bloggers and journalists in China are using a novel approach to bypass Internet filters in their country - they write backwards or from right to left * ★ W “IF H BOTHERSYOUTHATTHECHINA SCVEM flENTDOESIT! ITSHOULD 9CTVCRYOUW HENYOU*CABLECOM PANY DOCS IT 1 " ' ״her^ r Z l em *adablebvh ns~ beings k . . / Urr>an e r in g 50**are packets co . aSTibet, ^Oero°c 0rcracvJ־ r a ’‘ ׳ananr0en ׳etC I R ights R eserved. R e p ro d u c tio n is S tr ic tly P ro h ib ite d . < \» • I f C a s e : B lo g g e rs W rite T e x t B a c k w a r d s to ® y p a s s W e b F ilte r s in C h in a China is well known for its implementation of the "packet filtering" technique. This technique detects TCP packets that contain controversial keywords such as Tibet, Democracy, Tiananmen, etc. To bypass Internet filters and dodge the censors, bloggers and journalists in China are writing the text backwards or from right to left. By doing so, though the content is still in human readable form, the text is successful in defeating web filtering software. Bloggers and journalists use vertical text converter tools to write the text backwards or from right to left and vertically instead of horizontally. M o d u le 0 3 Page 4 09 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker C en so rsh ip C irc u m v e n tio n Tool: P siphon J CEH P sip h o n is a c e n s o r s h ip c irc u m v e n tio n s y s te m t h a t a llo w s u s e r s to b y p a s s f ire w a lls a n d a c c e s s b lo c k e d s ite s in c o u n tr ie s w h e r e t h e Psiphon 3 A ־־. I n te r n e t is c e n s o r e d J It u s e s a s e c u r e , e n c r y p t e d HTTP tu n n e l c o n n e c tio n t o r e c e iv e r e q u e s t s fro m p s ip h o n ite to p s ip h o n o d e w h ic h in t u r n tr a n s p o r t s t h e re s u lts b a c k t o t h e r e q u e s t e d p s o p h o n ite J It a c ts a s a w e b p ro x y fo r a u t h e n ti c a te d p s ip h o n ite s , e v e n w o rk s o n m o b ile d e v ic e s -1 0 0 זחכproxy domestic web sites Qicrr. Veraion; 40 SSH■♦■connecting... Localhos! poit 1080 is already in use SCCfCS proxy is running on localhcst port 1081 t S SH♦successfullyconnected HTTP proxy is running cn localhost poit SOSO Preferred sen ׳era: 2 SSH♦ disconnected. It b y p a s s t h e c o n te n t- f ilte r in g s y s te m s o f c o u n tr ie s like C h in a, S SH♦connecting Localhos! poit 1030 is already in u#c SOCKS proxy is running on localMcst port 1081 SSH♦ successfully connected HTTP proxy ia rumhg cn localhooi poit 8030. N o rth K orea, Iran , S au d i A ra b ia , E gypt a n d o th e r s SSH♦disconnected. Fix VPN Servces faled: ireutfciert privileoesto confiaure 0 ־stal servce IKEE VPN connecting... YPN succes^uly connected. Uncensored HTTP proxy is rumha cn localhost poit 8080. VPN disconnected. SSH connecting. .. 18 Locahoss poit 1080 already inuse SOCKS proxy it running on localhost port 1081 SSH succes^uly comcctod. HTTP proxy is rumnq cn localhos! poit 8080. Unpraeed• autee ruixjifcoiit com Urproxed. a 1970.gok.anoi /id U ronxed: osnotomq .com Unproved a$«0g akamai net Unproxed: wyvw.bqaiautc.com Uronxed: mypalsar.com SSH disconnected SSH* connecting... Locahos: cor. 1080 is aready in use SOCKS proxy is running on localhost port 1081 י Aboii Psphon 2 h ttp : //p s ip h o n .c o C o p y rig h t @ b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . C e n s o rs h ip C irc u m v e n tio n T o o l: P s ip h o n Source: http://psiphon.ca Psiphon is a censorship circumvention system that allows users to bypass firewalls and access blocked sites in countries where the Internet is censored. It uses a secure, encrypted HTTP tunnel connection to receive requests from psiphonite to psiphonode, which in turn then transports the results back to the requested psophonite. It acts as a web proxy for authenticated psiphonites, and works on mobile browsers. It bypasses content-filtering systems of countries such as China, North Korea, Iran, Saudi Arabia, Egypt, and others. M o d u le 0 3 Page 4 1 0 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Exam 3 1 2-50 C ertified Ethical H acker Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s H I□ ] Psiphon 3 P O x ovpn » s 1»h O SSH♦ ® SSH • ן י @ Don! proxy domestic web sites Client Version: 40 SSH♦ connecting Localhost port 1080 is already m use SOCKS proxy is runrwig on locahost port 1081. SSH♦ successfully connected HTTP proxy is ru m n g on locahost port 8080 Preferred servers: 2 SSH♦ disconnected SSH♦ connecting... Localhost port 1080 is already m use SOCKS proxy is rurmng on locafriost port 1081 SSH♦ successfully connected HTTP proxy is rurmng on locahost port 8080 SSH♦ disconnected Fix VPN Services faded nsuffoent pmnleges to configure or start service IKEE VPN connecting... VPN successfully connected HTTP proxy is rurmng on locatiost port 8080 VPN disconnected SSH connect ng... Localhost port 1080 is already n use SOCKS proxy is rurmng on locatiost port 1081. SSH successfully connected HTTP proxy is rurmng on locahost port 8080 Unprcuoed autosinaxabout .com Unproxied: a1979.g akamai net Unproxied: bsmotormg com Unproxied: a 9 0 g akamai net Unprowed: www baja!auto com Unprowed mypulsar com SSH disconnected SSH♦ connecting Localhost port 1080 is already in use SOCKS proxy is running on locatiost port 1081 About Ps*>hon 3 FIGURE 3.74: Psiphon Screenshot M o d u le 03 Page 4 11 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker C o p y rig h t © b y C e n s o rs h ip C irc u m v e n tio n ׳G M IilC il. A ll R ig h ts R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . T o o l: Y o u r - F r e e d o m Source: http://www.your-freedom.net Censorship circumvention tools allow you to access websites that are not accessible to you by bypassing firewalls. The Your Freedom services makes accessible what is unaccessible to you, and they hide your network address from those who don't need to know. This tool turns your PC into an uncensored, anonymous web proxy and an uncensored, anonymous SOCKS proxy that your applications can use, and if that's not enough, it can even get you connected to the Internet just as if you were using an unrestricted DSL or cable connection. M o d u le 0 3 Page 412 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker _ ־E°L Y our F re e d o m S ta tu s | S tr e a m s | A c c o u n t P r o file P o rts M essages Freedom Server External IP Address Server located in Open streams Bytes sent Bytes received Send rate (bytes/sec) Receive rate (bytes/sec) C o n fig u r e V o u c h e rs j A p p lic a tio n s A bout https://ems29.your-freedom.de 443 83.170.106 56 UK, United Kingdom 0 2973 704 279 111| S to p c o n n e c tio n R e s ta r t c o n n e c tio n U p lin k U p d a te ? II I E x it D o w n lin k 0 .4 k 1.0 k FIGURE 3.75: Your-Freedom Screenshot M o d u le 0 3 Page 4 13 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker H o w to C h e c k i f Y o u r W e b s ite is B lo c k e d in C h in a o r N ot? J Internet tools help identify if web users in China can access remote websites J When Just Ping and WebSitePulse show "Packets lost" or "time-out" errors, chances are that the site is restricted h ttp : // w w w . w e b s ite p u lse . c o m C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . H o w --------- to C h e c k if Y o u r W e b s ite is B lo c k e d in C h in a o r N o t? If a "packets lost" error is received or there is a connection time-out message is displayed while connecting to your site, chances are that the site is blocked. To find out whether the website at xyz.com is accessible by Chinese web users, you can use tools such as just ping and WebSitePulse. f 00• J u s t p in g Source: http://www.iust-ping.com Just ping is an online web-based ping tool that allows you to ping from various locations worldwide. It pings a website or IP address and displays the result as shown as follows: M o d u le 0 3 Page 4 14 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker j u s t ^ p in g u jn T C H m n u ! WATCMNC CVtROMlM IlMNISk O n l i n e w e b -b a a e d p i n g : U-jhg e g F re e o n lin e p in g i r o n SO l o c a i i o a a w o r ld w id e | |p-r.g1׳ y a h o o c o n o r 6 6 . 9 4 . 2 3 4 . 1 33 pina: tnm.fAcmbock.com <Check http fly!w.facatoook com/) S in g a p o re . Unknow n h o a t : S in g a p o re : v»nr f a e e b o o k . com fyjs*te r d a .n 2 , O kay N a th a rla n d a F l o r i d a . U.S.A. : O kay X a a ta rd ia 3. O kay N c * .h e rla rv d • : H ong Kor.rj, C h in * O kay Sydney. O kay Hi h I w I 1■ MA*tnch«n. O kay C « rn a n y : C o l o a n • . S a rm an Y rO k a y Hav Y o r k , U .S .A . O kay S to c k ho l a . O kay Sw adan. S a n ta C la r a . U .S .A .: V a n c o u v e r. L ondon. K in g d o m . M a d r id . Padova A u « tin . U ni ta d S p a in : Ita ly : U .S .A .: M o th e rla n d • . M 3 9 0 .5 91 O 2 a 0 3 : 2 6 8 0 : 2 1 1 0 : 3 f 0 2 : f a c e bOOc 84 0 84 6 8 3 .3 6 6 . 2 2 0 .1 4 9 88 90 5 90 6 91 .0 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 : f a c e bOOc 1 8 3 .9 1 8 9 .9 1 9 8 .9 2 a 0 3 : 2 8 8 0 : 1 0 : 1 f 0 2 : f a c a : bOOc 1 9 3 .9 1 8 3 .8 1 6 5 .0 6 9.1 7 1 . 2 3 7 .1 6 9 7 .2 9 7 .5 96 .2 6 9 . 1 7 1 .2 4 2 . 7 0 10 3 3 9 1 .* 1 0 9 .9 8 2 .1 1 0 6 .1 8 2 .5 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 : f a c a bO O c:: < 9 . 1 7 1 . 2 3 7 .3 2 25 123• 1 2 3 .9 1 2 4 .2 2 a0 3 2880 2110 3 f0 2 O kay 28 O 2 8 .3 2 8 .7 6 9 . 1 7 1 .2 2 8 7 0 f a c a bOOc O kay M 8 3 3 .9 3 4 .1 2 a 0 3 :2 8 8 0 : 1 0 i f 0 3 fa c a .b O O c O kay 9 4 .4 94 .7 9 8 .2 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 3 : fa c a :b O O c O kay O kay O kay 12 4 6 113 A 72 8 1 2 4 .7 1 1 3 .C 7 3 .2 1 2 5 .3 1 1 3 .9 7 3 .C 65 63 1 8 9 .7 4 2 a 0 3 2 8 8 0 ! 2 1 1 0 3 F02 f a o • bOOc 2 a 0 3 2 8 8 0 10 I f 0 3 f a c • bOOc 25 O kay M 3 9 0 .€ 9 0 .9 2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f0 2 29 f a c e bOOc FIGURE 3.76: Just Ping Screenshot W e b s ite P u ls e Source: http://www.websitepulse.com WebsitePulse provides remote monitoring services. It simultaneously pops websites from around the globe. I B IV W«*t4•T«t I ^ C a x ■ s i «w C ■ A׳ww.wrt>n»epuls<.<o׳n ״- •'.Ttoo<Krtn*-tCTtmm! WebsitePulse Tk* w#b S*r*M aad Wafcdt* Maatfck* S#rvk» tnnlfd bv 184%ויmUoman tskt IT easy |י .. 1 • י A, וj 1mi Tata > ■■>» זmi •ייזa^at !•י*׳׳ ז.»«זrwvic last mukt !•.*>(■ ו»זm m la wam« 1(••«׳Jh Im M Im• Chm Tn M M i »12-00-2; l015?>tO(O«T -00:00) rotYo1# WrtiUt 0 FfctajiExtcnwun ttAdd-0<W MmM OlfOflM EXtMMOft* Opora Exteos>oos Safan Extcrwon* Wtf>dow3V1«a Gadget Am U.n4«I Hnmni (■■•000כו o*v 0000*k CMM(t: OON nc <*V>h*6 *>*3Ap* ■ LIVE CHAT '*itByt* ImImIlm> ham▼crfc RV 2012-04-21 10:5711c (OMT•00:00) m l r««te4 1•*■) ה»<יKMoxwr H n M A i: •M71.2S7.J2 IniMM t«mi C M7 »•־ o« 0. 0c• MC CaMKt C.3M ••c 0M0 Mr hntM•: 0.133 ioc Facebook App* ^norowJape 1 3.090MC W. 0»*•■ *tic*MU (PMoaraovtNU) nu(t 11 ftmm• ]1311 M m #«• MTfi(>#g,TfMnUt> rMufts lo N w H K ttm YTrbUtr frrr farM 0«r• Cktk Herr* 1mailm d h Son Rnull) Pafona a new tot r♦׳# T#*1Tod•*0׳v©״. Report a hvMaa v FIGURE 3.77: WebsitePulse Screenshot M o d u le 0 3 Page 4 1 5 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker CEH G -Z a p p e r G - Z a p p e r - TRIAL V E R S IO N G ־Z a p p e r G-Zaocei ׳= ־ntsctrg you! Search Piivacy Did you know - 300gl9 *teres a unique identifier in a cookie on your PC, which alow? them to track the kewkofdi yoo s sa c h fot. G -Zepper will ojtomalicdl/ dctcct and cban this cookie in your w5b bo/vie. J j; t ■jn G-Zaoce». ninini7e the ״vinebw. and enjoy ycur enhanced search privacy. J G o o g le s e t s a c o o k ie o n u s e r 's s y s te m w ith a u n iq u e id e n tif ie r 2' A Google Trr^rking ID exists on ym■־PC You-aoogleV(hrefox8536d45Ib3671738 Gox^e instaled the cookie on Tuesday, July 03. 2012 12:10:32 AM t h a t e n a b l e s t h e m to tr a c k u s e r 's Y a * scaiche; ha/e teen tracked for *9 days w e b a c tiv itie s s u c h a s : • I « S earch K eyw ords a n d h a b its e S earch re s u lts « W e b site s visited You have 2 Go«g» teaiehet «aved n Mjjilla Rrafax 10deletetheUxatecookie,clicktheUeleteLookiebutton. Yoji irWtitj* wil h» ofc<cut»d from previcut SMrchtfi *nd G־Z*pp«r wll mgulM^i clean luhir• cookiat Tobbck *nddelete th♦ Googe ceareh cook*, die*׳, the 8look Cooki• button. (Grtai aid A0ie r 1> 1 1 וי׳יסbe unavailable vitli the oju ke blocKcd) J I n f o r m a tio n f r o m G o o g le c o o k ie s hllc/j׳wwMdurmwsDliwa(fi.cflm c a n b e u s e d a s e v i d e n c e in a c o u r t o f la w | O b tt Cootie J ^ Block Cock* j ^ Test Google j ^ Settings h t tp : //w w w . d u m m y s o ftw a r e . c o m C o p y rig h t © b y EG-GtUIICil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . G ־Z a p p e r Source: http://www.dummysoftware.com G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online. It automatically detects and cleans Google cookies each time you use your web browser. It is compatible with Windows 95/98/ME/NT/2000/XP/Vista/Windows7. It requires Microsoft Internet Explorer, Mozilla Firefox, or Google Chrome and is compatible with Gmail, Adsense, and other Google services. M o d u le 0 3 Page 4 16 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker G-Zapper - TRIAL VERSION is G Z a p p e r W hat G -Z a p p e r • P ro je c tin g y o u S e a rc h P riv a c y D id y o u k n o w • G o o g le stores a u n q u e idenM ier r a c o o k ie o n y o u P C . w h ic h a to w s th e m to tra c k th e k e y w o rd s y o u s e a rc h lo r G Z a p p e r w i a u to m a tic a l}! d e te c t a n d d e a n th is c o o k ie מy o u w e b b row se* J u s t ru n G •Z a p p e r. m r m t t e th e w in d o w , a n d e n jo y y o u e n h a n c e d s e a rc h p riv a c y 2' ---- A Google Tracking ID exists on yocr PC. You Google ID: (Frefox) 85%d451b86*738 Google instaled the cook* on: Tuesday. Jdy 03.2012 12:10:32 AM Y o u s e a rc h e s h a v e b e e n b a c k e d 10149 days ^ | You h a ve 2 G o o g le s e a rc h e s s a v e d n M o z ia F re fa x H o w to U s e It T o d e le te th e G o o g le c o o k ie , d c k th e D e le te C o o k ie b u tto n Y o u id e n tity w i b e o b s c u e d from p re v io u s se a rc h e s a n d G -Z a p p e i w i reg u la rly c le a n fu tu re c o o k ie s T 0 b lo c k a n d d e le te th e G o o g le s e a rc h c o o k ie , d ic k th e B lo c k C o o k ie b u tto n (Gmad a n d A d s e n s e w i b e u n a v a ia b le w ith th e c o o k ie M o c k e d ) http //www dunmvsdtware com D e le te C ookie B lo c k C ookie T e s t G o o g le Settngs FIGURE 3.78: G-Zapper-Trial Version Screenshot M o d u le 0 3 Page 4 17 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker EH A n o n y m iz e r s מ M ow ser http://www.mowser.com U-Surf A nonym ous Web Surfing Tool http://ultimate-anonymity.com http://www.anonymous-surfing.com WarpProxy Hide Your IP Address http://silent-surf.com http://www.hideyouripaddress.net ps4 Spotflux http://www.spotflux.com Anonymizer Universal http://www.anonymizer,com ט ט ט □ □E http://www.hopeproxy.com s a f lH l http://www.pri\/acy-pro.com Hope Proxy Hide My IP G uardster http://www.guardster.com C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . * " ־ ״V ™ ״ ־ ־ An anonymizer is a tool that allows you to mask your IP address to visit websites without being tracked or identified, keeping your activity private. It allows you to access blocked content on the Internet with omitted advertisements. A few anonymizers that are readily available in the market are listed as follows: a Mowser available at http://www.mowser.com 9 Anonymous Web Surfing Tool available at http://www.anonymous-surfing.com 9 Hide Your IP Address available at http://www.hideyouripaddress.net © Anonymizer Universal available at http://www.anonvmizer.com 9 Guardster available at http://www.guardster.com 9 Spotflux available at http://www.spotflux.com Q U-Surf available at http://ultimate-anonymity.com 9 WarpProxy available at http://silent-surf.com 9 Hope Proxy available at http://www.hopeproxy.com 9 Hide My IP available at http://www.privacy-pro.com M o d u le 0 3 Page 4 18 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S p o o fin g I P A d d r e s s CEH IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be someone else When the victim replies to the address, it goes back to the spoofed address and not to the attacker's real address IP spoofing using Hping 2: H p in g 2 -a www. 7 . 7 . 7. 7 You w ill n o t b e a b l e to c o m p l e t e t h e t h r e e - w a y h a n d s h a k e a n d o p e n a s u c c e s s f u l TCP c o n n e c tio n b y s p o o f in g a n IP a d d r e s s C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . -. S p o o fin g IP A d d re s s e s ^ Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker a fake IP in place of the attacker's assigned IP. When the attacker sends a connection request to the target host, the target host replys to the attacker's request. But the reply is sent to the spoofed address. When spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources. IP sp oo fin g using Hping2: H p in g 2 w w w .c r e t i f i e d h a c k e r . c o m -a 7. 7. 7. 7 Using Hping2 you can perform IP spoofing. It helps you to send arbitrary TCP/IP packets to network hosts. FIGURE 3.79: Attacker Sending Spoofed Packet to The Victim M o d u le 0 3 Page 4 19 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker IP Spoofing D etectio n Techniques: D ire c t T T L Probes CEH J Send packet to host of s u s p ect spoofed packet th a t triggers reply and c o m p a re TTL with susp ect packet; if th e TTL in t h e reply is n o t th e s a m e as t h e packet being checked, it is a spoofed packet J This te c h n iq u e is successful w h en attacker is in a diffe ren t s u b n e t from victim Sending a packet w ith spoofed 10.0.0.5 IP -T T L 13 .״•״ A tta c k e r a a ' Target (S p o o fe d A d d re s s 10 .0 .0 .5 ) 10.0.0.5 N o te : N o r m a l tr a f f ic f r o m o n e h o s t c a n v a r y TTLs d e p e n d i n g o n tr a f f ic p a t t e r n s C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . IP S p o o fin g D e te c tio n T e c h n iq u e s : D ire c t T T L P ro b e s Initially send a packet to the host of suspect spoofed packet and wait for the reply. Check whether the TTL value in the reply matches with the TTL value of the packet that you are checking. Both will have the same TTL if they are the same protocol. Though, initial TTL values vary based on the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the commonly used initial values are 64 and 128 and for ICMP, the values are 128 and 255. If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. The hop count can be determined by deducting the TTL value in the reply from the initial TTL value. If the TTL in the reply is not matching with the TTL of the packet that you are checking, it is a spoofed packet. If the attacker knows the hop count between source and host, it will be very easy for the attacker to launch an attack. In this case, the test results in a false negative. M o d u le 0 3 Page 4 2 0 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S e n d in g a p a c k e t w ith s p o o f e d 1 0 .0 .0 .5 IP - TTL 1 3 >•«*־.• Attacker •• (S p o o fed A d d ress 10.0.0.5) y Nf v 10.0.0.5 FIGURE 3.80: Using Direct TTL Probes for IP Spoofing Detection M o d u le 0 3 Page 421 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker IP Spoofing D etectio n Techniques: IP Id e n tific a tio n N u m b e r J S e n d p r o b e t o h o s t o f s u s p e c t s p o o f e d tr a f fic t h a t tr ig g e r s re p ly a n d c o m p a r e IP ID w ith s u s p e c t tra f fic J If IP IDs a r e n o t in t h e n e a r v a l u e o f p a c k e t b e in g c h e c k e d , s u s p e c t tr a f fic is s p o o f e d J T h is te c h n i q u e is s u c c e s s f u l e v e n if t h e a t ta c k e r is in t h e s a m e s u b n e t Send packet w ith spoofed IP 10.0.0.5; IP ID 2586 . * מ5 ׳ ־. — ז A tta c k e r *״t ;.*״•״ *יי Ta1־get (S p o o fe d A d d re s s 10 .0 .0 .5 ) 10.0.0.5 C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . r 3H1 IP S p o o fin g D e te c tio n T e c h n iq u e s : IP Id e n tific a tio n N u m b e r Spoofed packets can be identified based on the identification number (IP ID) in the IP header that increases each time a packet is sent. This method is effective even when both the attacker and victim are on same subnet. To identify whether the packet is spoofed or not, send a probe packet to the target and observe the IP ID number in the reply. If it is in the near value as the packet that you are checking, then it is not a spoofed packet, otherwise it is a spoofed packet. Sending a packet w ith sp o o fed 1 0 .0 .0 .5 IP - IP ID 2586 w A tta c k e r T a rg e t (S p o o fe d A d d re s s ״‘ ••?ץ 1 0 .0 .0 .5 ) 1 0 .0 .0 .5 FIGURE 3.81: Using IP Identification Number for IP Spoofing Detection M o d u le 0 3 Page 422 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2-50 C ertified Ethical H acker IP Spoofing D etectio n Techniques: T C P F lo w C ontrol M e th o d J CEH A tta c k e rs s e n d in g s p o o f e d TCP p a c k e ts , will n o t r e c e iv e t h e t a r g e t 's SYN-ACK p a c k e ts J A tta c k e rs c a n n o t t h e r e f o r e b e r e s p o n s iv e t o c h a n g e in t h e c o n g e s t io n w in d o w s iz e _l W h e n r e c e iv e d tr a f fic c o n t in u e s a f t e r a w in d o w s iz e is e x h a u s t e d , m o s t p ro b a b ly t h e p a c k e ts a r e s p o o fe d Sending a SYN packet with spoofed 10.0.0.5 IP A tta c k e r T a rg e t (Spoo fed Address 10 .0 .0 .5 ) *״״ .•••'&<* v\®• 10.0.0.5 C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . IP S p o o fin g D e te c tio n T e c h n iq u e s : T C P F lo w C o n tro l M e th o d The TCP can optimize the flow control on both the send and the receiver side with its algorithm. The algorithm accomplishes the flow control based on the sliding window principle. The flow of IP packets can be controlled by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. When the window size is set to zero, the sender should stop sending more data. In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker who is unaware of the ACK packet containing window size information continues to send data to the victim. If the victim receives data packets beyond the window size, then the packets must be treated as spoofed. For effective flow control method and early detection of spoofing, the initial window size must be very small. Most spoofing attacks occur during the handshake, as it is difficult to build multiple spoofing replies with the correct sequence number. Therefore, the flow control spoofed packet detection must be applied at the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting M o d u le 0 3 Page 4 23 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker the SYN request from a genuine client or a spoofed one, you should set the SYN-ACK to zero. If the sender sends an ACK with any data, then it means that the sender is the spoofed one. This is because when the SYN-ACK is set to zero, the sender must respond to it only with the ACK packet but not ACK with data. FIGURE 3.82: Using TCP Flow Control Method for IP Spoofing Detection M o d u le 0 3 Page 4 24 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker - I P S p o o fin g C o u n t e r m e a s u r e s CEH Limit access to configuration information on a machine Use random initial sequence numbers C o p y rig h t © b y EG-GlOOCil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . IP S p o o fin g C o u n te rm e a s u re s In ethical hacking, the ethical hacker also known as the pen tester, has to perform an additional task that a normal hacker doesn't follow, i.e., applying countermeasures to the respective vulnerabilities determined through hacking. This is essential because knowing security loopholes in your network is worthless unless you take measures to protect them against real hackers. As mentioned previously, IP spoofing is one of the techniques that a hacker employs to break into the target network. Therefore, in order to protect your network from external hackers, you should apply IP spoofing countermeasures to your network security settings. The following are a few IP spoofing countermeasures that you can apply: Avoid trust relationships Attackers may spoof themselves as a trusted host and send malicious packets to you. If you accept those packets by considering that the packets are sent by your trusted host, then you may get infected. Therefore, it is advisable to test the packets even when they come from one of your trusted hosts. You can avoid this problem by implementing password authentication along with trust-relationship-based authentication. Use firewalls and filtering mechanisms You should filter all the incoming and outgoing packets to avoid attacks and sensitive information loss. The incoming packets may be the malicious packets coming from the attacker. M o d u le 0 3 Page 4 25 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker If you do not employ any kind of incoming packet filtering mechanism such as a firewall, then the malicious packets may enter your private network and may cause severe loss. You can use access control lists (ACLs) to block unauthorized access. At the same time, there is also a possibility of insider attackers. These attackers may send sensitive information about your business to your competitors. This may also lead to great monetary loss or other issues. There is one more risk of outgoing packets, which is when an attacker succeeds in installing a malicious sniffing program running in hidden mode on your network. These programs gather and send all your network information to the attacker without giving any notification. This can be figured out by filtering the outgoing packets. Therefore, you should give the same importance to the scanning of outgoing packets as that of the incoming packet data scanning. Use random initial sequence numbers Most of the devices chose their ISN based on timed counters. This makes the ISNs predictable as it is easy for a malicious person to determine the concept of generating the ISN. An attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then he or she can make a malicious connection to the server and sniff your network traffic. To avoid this, risk you should use random initial sequence numbers. Ingress filtering Prohibiting spoofed traffic from entering the Internet is the best way to block it. This can be achieved with the help of ingress filtering. Ingress filtering applied on routers enhances the functionality of the routers and blocks spoofed traffic. It can be implemented in many ways. Configuring and using access control lists (ACLs) that drop packets with source address outside the defined range is one way to implement ingress filtering. Egress filtering Egress filtering refers to a practice that aims at IP spoofing prevention by blocking the outgoing packets with a source address that is not inside. Use encryption If you want to attain maximum network security, then use strong encryption for all the traffic placed onto the transmission media without considering its type and location. This is the best solution for IP spoofing attacks. Attackers usually tend to find targets that can be compromised easily. If an attacker wants to break into encrypted network, then he or she has to face a whole slew of encrypted packets, which is a difficult task. Therefore, the attacker may try to find another target that can be easily compromised or may attempt other techniques to break into the network. Use the latest encryption algorithms that provide strong security. SYN flooding countermeasures Countermeasures against SYN flooding attacks can also help you to avoid IP spoofing attacks. M o d u le 0 3 Page 4 2 6 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker Besides these basic countermeasures, you can perform the following to avoid IP spoofing attacks: 9 You should limit the access to configuration information on a machine 9 You should always disable commands like ping 9 You should reduce TTL fields in TCP/IP requests 9 You should use multilayered firewalls M o d u le 0 3 Page 4 27 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker C o p y rig h t © b y EG -G ouncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d . C E H S c a n n in g M e th o d o lo g y So far, we have discussed concepts such as what to scan, how to scan, how to detect vulnerabilities, and the respective countermeasures that are necessary to perform scanning pen testing. Now we will begin the action of scanning pen testing. Check for Live Systems 191 Scan for Vulnerability Check for Open Ports r Scanning Beyond IDS 3 0 Draw Network Diagrams Prepare Proxies r -^ r -n Banner Grabbing f* *✓ ׳Scanning Pen Testing This section highlights the need to scan pen testing and the steps to be followed for effective pen testing. M o d u le 0 3 Page 4 28 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker CEH S c a n n in g P e n T e s tin g 0 J P e n te s t in g a n e t w o r k f o r s c a n n in g v u ln e r a b ilitie s d e t e r m i n e s t h e n e t w o r k 's s e c u r i t y p o s t u r e b y 0 id e n tify in g live s y s t e m s , d is c o v e r in g o p e n p o r t s , a s s o c ia tin g s e r v ic e s a n d g r a b b in g s y s t e m b a n n e r s to s im u l a te a n e t w o r k h a c k in g a t t e m p t J T h e p e n e t r a t i o n te s t in g r e p o r t w ill h e lp s y s t e m a d m i n i s t r a t o r s to : 0 Close unused ports Calibrate firewall rules Disable unnecessary services Troubleshoot service configuration errors Hide or customize banners C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . S c a n n in g P e n T e s tin g The network scanning penetration test helps you to determine the network security posture by identifying live systems, discovering open ports and associated services, and grabbing system banners from a remote location, simulating a network hacking attempt. You should scan or test the network in all possible ways to ensure that no security loophole is overlooked. Once you are done with the penetration testing, you should document all the findings obtained at every stage of testing so that it helps system administrators to: 9 Close unused ports if not necessary/unknown open ports found 9 Disable unnecessary services 9 Hide or customize banners 9 Troubleshoot service configuration errors 9 Calibrate firewall rules to impose more restriction M o d u le 0 3 Page 4 29 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker S c a n n in g P e n T e s tin g (C o n t’d) CEH © C h ec k f o r t h e live h o s ts u s in g to o ls s u c h START a s N m a p , A n g ry IP S c a n n e r, S o la rW in d s E n g in e e r 's to o l s e t , C o la s o f t P in g Tool, e tc . U se to o ls su c h a s N m a p , A ngry IP S c a n n e r, e tc . e C h ec k f o r o p e n p o r ts u s in g to o ls s u c h a s N m a p , N e ts c a n T ools P ro , PRTG N e tw o r k M o n ito r , N e t T o o ls, e tc . V © Perform port scanning .....> U se to o ls su ch a s N m ap, N etscan Tools Pro, etc. P e rfo rm b a n n e r g ra b b in g /O S f in g e r p rin tin g u s in g to o ls s u c h a s T e ln e t, N e tc ra f t, ID S e rv e , e tc . » V S can f o r v u ln e r a b ilitie s u s in g to o ls su c h a s N e s s u s , GFI L A N G u ard , S A IN T scan n er, P e rfo rm b a n n e r g ra bibing b in g U se to o ls s u c h a s T e ln et, /O S fin g e rp rin tin g N e tc ra ft, ID S erv e, e tc . g C o re I m p a c t P r o f e s s io n a l, R e tin a CS M a n a g e m e n t, M BSA, e tc . V Scan for vulnerability ■■>־ U se to o ls su ch a s N essus, SAINTscanner, GFI LANGuard, etc. C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d . S c a n n in g P e n T e s tin g ( C o n t ’d ) Let's see step by step how a penetration test is conducted on the target network. Stepl: Host Discovery The first step of network penetration testing is to detect live hosts on the target network. You can attempt to detect the live host, i.e., accessible hosts in the target network, using network scanning tools such as Angry IP Scanner, Nmap, Netscan, etc. It is difficult to detect live hosts behind the firewall. Step 2: Port Scanning Perform port scanning using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor, Net Tools, etc. These tools will help you to probe a server or host on the target network for open ports. Open ports are the doorways for attackers to install malware on a system. Therefore, you should check for open ports and close them if not necessary. Step 3: Banner Grabbing or OS Finger Printing Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, Netcat, etc. This determines the operating system running on the target host of a network and its version. Once you know the version and operating system running on the target system, find M o d u le 0 3 Page 4 3 0 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . Ethical Hacking a n d C o u n te rm e a s u re s S can n in g N e tw o rk s Exam 3 1 2 -5 0 C ertified Ethical H acker and exploit the vulnerabilities related to that OS. Try to gain control over the system and compromise the whole network. Step 4: Scan fo r V u ln e ra b ilitie s Scan the network for vulnerabilities using network vulnerability scanning tools such as Nessus, GFI LANGuard, SAINT, Core Impact Professional, Ratina CS, MBSA, etc. These tools help you to find the vulnerabilities present in the target network. In this step, you will able to determine the security weaknesses/loopholes of the target system or network. M o d u le 0 3 Page 431 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d . E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r S c a n n in g N e t w o r k s S c a n n i n g P e n T e s t i n g £ g ןן (Cont’d) y D raw n e tw o rk Use tools such as LAN surveyor, OpManager, etc. diagram s Use tools such as Proxy Workbench, Proxifier, Proxy Switcher, etc. Prepare proxies © Draw netw ork diagrams o f the vulnerable hosts using tools such as LAN surveyor, O pM anager, N etw orkV ie w , The Dude, FriendlyPinger, etc. e Prepare proxies using tools such as Proxy W orkbench, P roxifier, Proxy Sw itcher, SocksChain, TOR, etc. e D ocum ent all the findings Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. S c a n n in g P e n T e s tin g ( C o n t ’d ) ׳־Step 5: Draw Network Diagrams Draw a network diagram of the target organization that helps you to understand the logical connection and path to the target host in the network. The network diagram can be drawn with the help of tools such as LAN surveyor, OpManager, LANState, FriendlyPinger, etc. The network diagrams provide valuable information about the network and its architecture. Step 6 : Prepare Proxies Prepare proxies using tools such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy, ProxyFinder, etc. to hide yourself from being caught. Step 7: Document all Findings The last but the most important step in scanning penetration testing is preserving all outcomes of tests conducted in previous steps in a document. This document will assist you in finding potential vulnerabilities in your network. Once you determine the potential vulnerabilities, you can plan the counteractions accordingly. Thus, penetration testing helps in assessing your network before it gets into real trouble that may cause severe loss in terms of value and finance. M o d u le 0 3 P a g e 4 3 2 E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t © b y E C - C O U I I C il A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d . E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r S c a n n in g N e t w o r k s M o d u l e S u m m a r y The o b je c tiv e o f s c an ning is to d isco ve r live system s, a c tiv e /ru n n in g p o rts , th e o p e ra tin g system s, and th e service s ru n n in g on th e n e tw o rk A tta c k e r d e te rm in e s th e live hosts fro m a range o f IP addresses by se n d in g ICMP ECHO requests to m u ltip le hosts A tta c k e rs use v a rio u s scan ning te c h n iq u e s to bypass fire w a ll ru le s and lo g g in g m e ch a n ism , and hide th e m s e lv e s as usual n e tw o rk tra ffic B ann er g ra b b in g o r OS fin g e rp rin tin g is th e m e th o d to d e te rm in e th e o p e ra tin g system ru n n in g o n a re m o te ta rg e t system □ D ra w in g ta rg e t's n e tw o rk d ia g ra m gives va lu a b le in fo rm a tio n a b o u t th e n e tw o rk and its a rc h ite c tu re to an a tta c k e r □ HTTP T u n n e lin g te c h n o lo g y a llo w s users to p e rfo rm va rio u s In te rn e t tasks d e s p ite th e re s tric tio n s im p o s e d by fire w a lls □ P roxy is a n e tw o rk c o m p u te r th a t can serve as an in te rm e d ia ry fo r c o n n e c tin g w ith o th e r c o m p u te rs □ A c ha in o f proxies can be c re a te d to eva de a tra c e b a c k to th e a tta c k e r Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited. M o d u le S u m m a r y Let's take a look at what you have learned in this module: The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network. Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. Attackers use various scanning techniques to bypass firewall rules, logging mechanism, and hide themselves as usual network traffic. e 0 Banner Grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. Drawing target's network diagram gives valuable information about the network and its architecture to an attacker. HTTP Tunneling technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls. Proxy is a network computer that can serve as an intermediary for connecting with other computers. A chain of proxies can be created to evade a traceback to the attacker. M o d u le 0 3 P a g e 4 3 3 E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t © b y E C - C O U I I C il A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .