CEHv8 Module 03 Scanning Networks

Scanning N etw orks
Module 03
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
ScanningNetworks
M o d u le 0 3
Engineered by Hackers. Presented by Professionals.
CEH
©
E th ic a l H a c k in g a n d C o u n te r m e a s u r e s v 8
M o d u l e 0 3 : S c a n n in g N e t w o r k s
E xa m 3 1 2 -5 0
M o d u le 0 3 Page 263
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
SecurityNews
H one
Services
Company
Networks
Contact
Oct 18 2012
S a lie n t ly S a lit y B o t n e t T r a p p e d S c a n n in g
IP v 4 A d d r e s s S p a c e
r
The w ell known b o tn e t Sality, w hich locates vulne rab le voice-over-IP (VoIP) servers can
be con trolled to fin d th e e n tire IPv4 address space w ith o u t alerting, claim ed a
new study, published by Paritynews.com on O ctober 10, 2012.
Sality is a piece o f m alw are whose prim ary aim is to infe ct w eb servers, disperse
spam, and steal data. But the latest research disclosed o th e r purposes o f the same including
r
r
■
1
1
recognizing susceptible VoIP targets, which could be used in to ll fraud attacks.
Through a m ethod called "reverse-byte ord e r scanning," sality has adm inistered tow ards scanning
possibly the w hole IPv4 space devoid o f being recognized. That's on ly the reason th e technique uses
very less num ber o f packets th a t com e fro m various sources.
The selection o f the target IP addresses is generated in re verse-byte-order increm ents. Also, th e re are
large am ounts o f bots con tributin g in the scan.
http://www.spamfighter.com
l- l
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
S e c u r ity N e w s
N fu js
S a lie n tly
S a lity
B o tn e t T r a p p e d
S c a n n in g
IP v 4
A d d r e s s
S p a c e
Source: h ttp ://w w w .s p a m fig h te r.c o m
A sem i-fam ous b otn et, Sality, used fo r locating vulnerable vo ice ‫־‬o v e r‫־‬IP (VoIP) servers has been
co ntro lle d to w a rd d e te rm in in g the e ntire IPv4 address space w ith o u t setting o ff alerts, claims a
new study, published by Paritynews.com , on O ctober 10, 2012.
Sality is a piece o f m alw are w ith the prim a ry aim o f infecting w eb servers, dispersing spam, and
stealing data. But the latest research has disclosed o th e r purposes, including recognizing
susceptible VoIP targets th a t could be used in to ll fraud attacks.
Through a m ethod called "reve rse -b yte o rd e r scanning," Sality can be adm inistered to w a rd
scanning possibly the w hole IPv4 space, devoid o f being recognized. That's the only reason the
tech n iq ue uses a very small num ber o f packets th a t come fro m various sources.
The selection o f the ta rg e t IP addresses develops in re ve rse -b yte -o rd e r in cre m e nts. Also, there
are many bots co n trib u tin g in the scan. The conclusion is th a t a solitary n e tw o rk w o u ld obtain
scanning packets "d ilu te d " over a huge period o f tim e (12 days in this case, fro m various
M o d u le 0 3 Page 264
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
sources, U n ive rsity o f C a lifornia, San Diego (UCSD), claim ed one o f the researchers, A listair
King, as published by Softpedia.com on O ctober 9, 2012).
According to A lb e rto D a in o tti, it's n ot th a t this stealth-scanning m ethod is exceptional, b ut it's
the firs t tim e th a t such a happening has been both noticed and docum ented, as re p orte d by
Darkreading.com on O ctober 4, 2012. M any o th e r experts hold fa ith th a t this m anner has been
accepted by o th e r botnets. Nevertheless, the team at UCSD is n ot aware o f any data verifying
any event like this one.
According to David P iscitello, Senior Security Technologist at ICANN, this indeed seems to be
the firs t tim e th a t researchers have recognized a b o tn e t th a t utilizes this scanning m ethod by
em ploying reverse-byte sequential increm ents o f ta rg e t IP addresses. The b o tn e t use classy
"o rc h e s tra tio n " m ethods to evade d e te ctio n . It can be sim ply stated th a t the b o tn e t o p e ra to r
categorized the scans at around 3 m illio n bots fo r scanning the fu ll IPv4 address space throu g h
a scanning p atte rn th a t disperses coverage and p artly covers, b ut is unable to be noticed by
present a u to m a tio n , as published by darkreading.com on O ctober 4, 2012.
Copyright © S P A M fig h te r 2 0 03 -201 2
h ttp ://w w w .s p a m fig h te r.c o m /N e w s -1 7 9 9 3 -S a lie r1 tlv -S a litv -B o tn e t-T ra p p e d -S c a n n in g -IP v 4 A dd ress-S p ace .h tm
M o d u le 0 3 Page 265
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Module Objectives
CEH
J
Overview o f N etw ork Scanning
J
Use o f Proxies fo r Attack
J
CEH Scanning M ethodology
J
Proxy Chaining
J
Checking fo r Live Systems
J
HTTP Tunneling Techniques
J
Scanning Techniques
J
SSH Tunneling
J
IDS Evasion Techniques
J
Anonymizers
J
Banner Grabbing
J
IP Spoofing Detection Techniques
J
Vulnerability Scanning
J
Scanning Countermeasures
J
Drawing N etw ork Diagrams
J
Scanning Pen Testing
^
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
M o d u le
O b je c tiv e s
Once an a ttacker id e ntifies h is/h e r ta rg e t system and does the in itia l reconnaissance,
as discussed in the fo o tp rin tin g and reconnaissance m odule, the a ttacker concentrates on
g ettin g a m ode o f e n try into the ta rg e t system . It should be noted th a t scanning is n ot lim ited
to in tru sion alone. It can be an extended fo rm o f reconnaissance w here the a tta cke r learns
m ore about h is/h e r target, such as w h a t operating system is used, the services th a t are being
run on th e systems, and c o n fig u ra tio n lapses if any can be id e n tifie d . The a tta cke r can then
strategize h is/h e r attack, facto rin g in these aspects.
This m odule w ill fam iliarize you w ith :
0
O verview o f N e tw o rk Scanning
0
Use o f Proxies fo r A ttack
0
CEH Scanning M e tho d olog y
0
Proxy Chaining
0
Checking fo r Live Systems
0
HTTP Tunneling Techniques
0
Scanning Techniques
0
SSH Tunneling
0
IDS Evasion Techniques
0
Anonym izers
0
Banner Grabbing
0
IP Spoofing D etection Techniques
0
V u ln e ra b ility Scanning
0
Scanning Counterm easures
0
Drawing N e tw o rk Diagrams
0
Scanning Pen Testing
M o d u le 0 3 Page 2 66
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
OverviewofNetworkScanning CEH
(•rtift•*
N e tw o rk scanning refers to a set o f
ttkujl lUckM
Sends TCP
procedures fo r id e n tify in g hosts, p o rts, and
/IP p ro b e s
services in a n e tw o rk
G e ts n e tw o r k
N e tw o rk scanning is one o f th e c o m p o n e n ts
o f in te llig e n c e g a th e rin g an a tta cker uses to
create a p ro file o f th e ta rg e t organization
S
&
in fo r m a tio n
A ttacker
O b je c tiv e s o f N e t w o r k S c a n n in g
To discover live hosts,
To discover operating
To discover services
To discover
IP address, and open
po rts o f live hosts
systems and system
architecture
ru nning on hosts
vu ln e ra b ilitie s in live
hosts
O v e r v ie w
o f N e t w o r k S c a n n in g
As we already discussed, fo o tp rin tin g is the firs t phase o f hacking in w hich the
a ttacker gains in fo rm a tio n about a p ote n tia l target. F ootp rin tin g alone is n ot enough fo r
hacking because here you w ill gather only the prim a ry in fo rm a tio n about the targe t. You can
use this prim a ry in fo rm a tio n in th e next phase to gather many m ore details abo u t the target.
The process o f g a th e rin g a d d itio n a l d etails about the ta rg e t using highly com plex and
aggressive reconnaissance techniques is called scanning.
The idea is to discover e x p lo ita b le c o m m u n ica tio n channels, to probe as many listeners as
possible, and to keep track o f th e ones th a t are responsive o r useful fo r hacking. In the scanning
phase, you can fin d various ways o f in tru d in g in to th e ta rg e t system. You can also discover
m ore about the ta rg e t system , such as w h a t o p e ra tin g system is used, w h a t services are
ru n nin g , and w h e th e r or n ot th e re are any co n fig u ra tio n lapses in the ta rg e t system. Based on
the facts th a t you gather, you can fo rm a strategy to launch an attack.
Types o f Scanning
9
P ort scanning - Open ports and services
e
N e tw o rk scanning - IP addresses
6
V u ln e ra b ility scanning - Presence o f know n weaknesses
M o d u le 0 3 Page 267
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
In a tra d itio n a l sense, the access p oints th a t a th ie f looks fo r are the doors and w indow s. These
are usually the house's points o f vu ln e ra b ility because o f th e ir re la tively easy accessibility.
W hen it comes to co m p u te r systems and netw orks, p o rts are the doors and w indow s o f the
system th a t an in tru d e r uses to gain access. The m ore the ports are open, the m ore points o f
vu ln e ra b ility, and the fe w e r the ports open, th e m ore secure the system is. This is sim ply a
general rule. In some cases, the level o f vu ln e ra b ility may be high even though fe w ports are
open.
N e tw o rk scanning is one o f the m ost im p o rta n t phases o f intelligence gathering. During the
n e tw o rk scanning process, you can gather in fo rm a tio n abo u t specific IP addresses th a t can be
accessed over the Inte rn e t, th e ir targets' operating systems, system a rch itectu re , and the
services running on each co m puter. In a dd ition, the a ttacker also gathers details about the
netw orks and th e ir individual host systems.
Sends TCP
/IP probes
Gets netw o rk
&
‫נ‬
inform a tion
Network
Attacker
FIGURE 3.1: N e tw o rk Scanning Diagram
O
b je c tiv e s
o f N
e tw
o r k
S c a n n in g
If you have a large a m o un t o f in fo rm a tio n abo u t a ta rg e t o rg an iza tion , th e re are
greater chances fo r you to learn the w eakness and lo o ph o les o f th a t p articula r organization,
and consequently, fo r gaining unauthorized access to th e ir netw ork.
Before launching the attack, the a ttacker observes and analyzes the ta rg e t n e tw o rk fro m
d iffe re n t perspectives by p erfo rm ing d iffe re n t types o f reconnaissance. How to p erform
scanning and w h a t type o f in fo rm a tio n to be achieved during the scanning process e n tire ly
depends on the hacker's v ie w p o in t. There may be many objectives fo r p erfo rm ing scanning,
b ut here we w ill discuss the m ost com m on objectives th a t are encountered during the hacking
phase:
©
D iscovering live hosts, IP address, and open p orts o f live hosts ru n n in g on th e
n e tw o rk .
©
D iscovering open p o rts: Open ports are the best means to break in to a system or
n etw o rk. You can fin d easy ways to break into the ta rg e t organization's n e tw o rk by
discovering open ports on its netw ork.
D iscovering o p e ra tin g system s and system a rch ite ctu re o f th e ta rg e te d system : This is
also referred to as fin g e rp rin tin g . Here the a ttacker w ill try to launch th e attack based
on the operating system 's vulnerabilities.
M o d u le 0 3 Page 268
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
9
Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security
risks present in any system. You can compromise the system or network by exploiting
these vulnerabilities and threats.
9
Detecting the associated network service of each port
M o d u le 0 3 Page 269
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Gi
Exam 3 1 2 -5 0 C ertified Ethical H acker
HHH
□ ‫שם‬
Check for
Live Systems
‫ן‬,.✓
Check for
Open Ports
n
■ “ hi
Scan for
Vulnerability
C E H
Scanning
Beyond IDS
n
L 1^■
Banner
Grabbing
W ₪m,
U
r ‫— י‬
Draw N e tw o rk.
Diagrams
Prepare
Proxies
wJ
Scanning
Pen Testing
S c a n n in g M e t h o d o lo g y
The firs t step in scanning the n e tw o rk is to check fo r live systems.
Scan for Vulnerability
Check fo r Live Systems
ft
Check for Open Ports
Scanning Beyond IDS
Banner Grabbing
r
Q O
1
Draw Network Diagrams
Prepare Proxies
Scanning Pen Testing
This section highlights how to check fo r live systems w ith the help o f ICMP scanning, how to
ping a system and various ping sweep tools.
M o d u le 0 3 Page 2 70
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
CheckingforLiveSystemsICMPScanning
CEH
J Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return
an ICMP ECHO reply
J This scan is useful for locating active devices or determining if ICMP is passing through a
firewall
t o
M
ICMP Echo Request
ICMP Echo Reply
Source (192.168.168.3)
D e stin a tio n (192.168.168.5)
T h e ping s c a n output
u sin g Nm ap:
Zenmap
Sc!n
l o o Is
Target.
P 'c fK
192166.168.5
Command:
Hosts
Profile
Ping »c«n
|n rr*p •wi 192.168.168.3
Service!
Host
*
Nmap 0utp14
Pciti ‫ ׳‬H oiti Topology H ojI Detail!
1
192.16S. 168.1
192.168.1663
192.168.1685
Scans
‫ד־פ‬
nmap ■jn 192.168.163.5
S t a r t i n g fJTap 6 .0 1 ( h t t p : / / n r o p . o r g ) a t 2 0 1 2 - 0 8 08
1 3 :0 2 EOT
Swap scan re p o rt fo r 192.168.168.5
i s up ( 0 .0 0 5 l a t e n c y ) .
MAC f l d d r e t t :
( D e l l)
M!ap do ng : 1 IP ad dre ss (1 h o s t up ) scanned i n 0 .1 0
se co rd s
most
192.168.166.1S
‫ו־ ר ד^־י־ו‬
Piter Hosts
http://nmap.org
Copyright © by H H rW B C il. All Rights Reserved. Reproduction is S trictly Prohibited.
C h e c k in g
f o r L iv e
S y s te m s ‫ ־‬IC M P
S c a n n in g
ICMP Scanning
All required in fo rm a tio n about a system can be gathered by sending ICMP packets to it. Since
ICMP does n ot have a p o rt abstraction, this cannot be considered a case o f p o rt scanning.
However, it is useful to d ete rm ine w hich hosts in a n e tw o rk are up by pinging the m all (the -P
o ptio n does this; ICMP scanning is now in parallel, so it can be quick). The user can also increase
the n um ber o f pings in parallel w ith the -L o ptio n . It can also be helpful to tw e ak the ping
tim e o u t value w ith the -T option.
ICMP Q uery
The UNIX to o l IC M P query o r ICMPush can be used to request the tim e on the system (to find
o u t w hich tim e zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). The
netm ask on a p articula r system can also be d ete rm ine d w ith ICMP type 17 messages (ADDRESS
MARK REQUEST). A fte r fin d in g th e netm ask o f a n e tw o rk card, one can d ete rm ine all the
subnets in use. A fte r gaining in fo rm a tio n about th e subnets, one can ta rg e t only one p articula r
subnet and avoid h ittin g the broadcast addresses.
ICMPquery has both a tim e sta m p and address mask request o ptio n :
icmp query <-query-> [-B] [-f fro m h o s t] [‫־‬d delay] [-T tim e ] targe t
M o d u le 0 3 Page 271
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
W here
<query> is one of:
-t: icm p tim e sta m p request (default)
-m : icm p address mask request
-d: delay to sleep betw een packets is in microseconds.
-T - specifies the n um ber o f seconds to w a it fo r a host to respond. The d e fa u lt is 5.
A ta rg e t is a list o f hostnam es or addresses.
*iJN:::::::::::::ft:::::::::::::
ICMP Echo Request
/*
V
V
‫־‬
/
ICMP Echo Reply
Source (192.168.168.3)
Destination (192.168.168.5)
FIGURE 3.2: ICMP Q u e ry Diagram
Ping Scan O u tp u t Using Nm ap
Source: h ttp ://n m a p .o rg
Nm ap is a to o l th a t can be used fo r ping scans, also know n as host discovery. Using this to o l you
can d ete rm ine the live hosts on a n etw o rk. It perform s ping scans by sending the ICMP ECHO
requests to all the hosts on the n etw o rk. If the host is live, then the host sends an ICMP ECHO
reply. This scan is useful fo r locating active devices or d e te rm in in g if ICMP is passing throu g h a
fire w a ll.
The fo llo w in g screenshot shows the sample o u tp u t o f a ping scan using Zenm ap, the official
cross-platform GUI fo r the Nmap Security Scanner:
Zenmap
Scan
Jo o ls
Target
Profile
Help
192.168.168.5
Command:
Hosts
v I Profile:
Ping scan
v
:Scan!
Cancel
|nm ap -sn 192.168.168.51
Services
OS < Host
IM
192.168.168.1
I•*
192.168.168.3
*"
192.168.168.5
tM 192.168.168.13
..
v
------- —------ -----------------1
Filter Hosts
Nmap Output Ports/H osts Topology Host Details Scans
nmap -sn 192.168.168.5
V
Details
S t a r t i n g Nmap 6 .0 1 ( h t t p : / / n 1r a p .o r g ) a t 2 0 1 2 -08-08
■a?
Nmap sc a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .5
H ost i s up ( 0 .0 6 s l a t e n c y ) .
MAC A d d re ss:
( D e ll)
Nmap done: 1 IP a d d re s s (1 h o s t up) sc a n n ed in 0 .1 0
sec o n d s
FIGURE 3.3: Zenm ap S how ing Ping Scan O u tp u t
M o d u le 0 3 Page 272
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
PingSweep
CEH
J
Ping sweep is used to determ ine the live hosts from a range of IP addresses by sending ICMP
ECHO requests to m ultiple hosts. If a host is live, it w ill return an ICMP ECHO reply
J
Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of
hosts present in the subnet
_l
Attackers then use ping sweep to create an inventory o f live systems in the subnet
a
a
T h e p in g s w e e p o u t p u t u s in g N m a p
lo o ts
T*fqcc
N
*
H e lp
’92.l6a.16S.l-S0
C o m m an d
H o jb
“3
ICM P Echo Request
v
P ro file
*I
S c irt
C anct
192.168.168.5
| ‫ ״‬m 8 p ‫ ג ו ו‬P f PA21,23.9Q,J389192.168.168.1-501
k n x ei
19e.166.16a.1j
1 v .1 t t.1 tt .1 4
V
I ttlttlttlS
y
1 9 2 16s.16a.17
»
1 9 2 . It t I t t 1 9
*
1 9 2 .1 6 8 . 1 6 8 2 6
»
I 9 ilttltt2 3
S [0 **
.001
v
uM
192!.1
.168^.16
8.6
ICM P Echo Reply
(
1& 1 6 6 . 1 & )
*
0
S t a r t l r a N » « 6 .0 1
h t t p : / / r o u p , o r g ) a t 2012 01 01
1 2 :4 1 to r
* tu p ! c a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .1
H o s t i s u s ( 0. 00) l a t e n c y ) .
* W I A g f llC n .
‫ ( ״‬H e « le t! - P a c k a r d C o m p an y )
“* * • p * c a n r e p o r t f o r 1 9 2 . 1 6 * . 1 6 • . 5
fto v t I t u p ( t . M i l a t e n c y ) .
*AC W r t t t ;
(A p p le )
w p s c a n r e p o r t *or 1 9 2 . 1 6 8 . 1 6 8 . ‫ל‬
► to s t i s u p ( 0 . 0 0 1 0 s l a t e n c y ) .
HA( A d d re ss:
(D e ll)
f * 1a p s c a n r e p o r t f o r 1 9 2 . 1 6 8 . 1 6 8 . 1 3
M o » t i* u p < 8
latency).
«A C A d d re w :
» (F o x c o n n l
s n a p s c a n r e p o r t f o r 1 9 2 .1 6 8 .1 6 8 .1 4
‫ אז‬I t t 168 3
•»
ICM P Echo Request
N ‫ ׳‬n < * p O u t p u t P o r t ( / HoUi | T o p o l o g y H o t ! D e t a i l * S c a n t
n m a p w P E PA21.2J.80l3 3 8 9 192.168.168.1•*0
OS 4 Ho*
*
W i t t 16S. 1
*
‫יי‬
I n i , —
Zenmap
Sen
a
ICM P Echo Request
Source
192.168.168.3
M l
192.168.168.7
IC M P Echo Reply
ICM P Echo Request
F * « H o s ts
»
192.168.168.8
http://nmap. org
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
P in g
S w eep
A ping sweep (also know n as an ICMP sweep) is a basic n e tw o rk scanning technique
to d ete rm ine w hich range o f IP addresses map to live hosts (com puters). W hile a single ping
tells th e user w h e th e r one specified host co m p u te r exists on the n etw o rk, a ping sweep consists
o f ICMP ECHO requests sent to m u ltip le hosts.
ICMP ECHO Reply
If a host is active, it returns an ICMP ECHO reply. Ping sweeps are am ong the oldest and slowest
m ethods to scan a n etw o rk. This u tility is d istrib u te d across alm ost all platform s, and acts like a
roll call fo r systems; a system th a t is live on the n e tw o rk answers the ping query th a t is sent by
a no th e r system.
M o d u le 0 3 Page 273
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ICMP Echo Request
1 9 2 .1 6 8 .1 6 8 .5
ICMP Echo Request
a
<
ICMP Echo Reply
1 9 2 .1 6 8 .1 6 8 .6
ICMP Echo Request
Source
>
W
1 9 2 .1 6 8 .1 6 8 .7
1 9 2 .1 6 8 .1 6 8 .3
<
ICMP Echo
ICMP Echo Request
1 9 2 .1 6 8 .1 6 8 .8
FIGURE 3.4: Ping Sweep Diagram
TCP/IP Packet
To understand ping, you should be able to understand the TCP/IP packet. W hen a system pings,
a single packet is sent across th e n e tw o rk to a specific IP address. This packet contains 64 bytes,
i.e., 56 data bytes and 8 bytes o f p rotocol header in fo rm a tio n . The sender then w aits fo r a
re tu rn packet fro m the ta rg e t system. A good re tu rn packet is expected only w hen the
connections are good and when the targe te d system is active. Ping also determ ines the num ber
o f hops th a t lie betw een the tw o co m puters and the ro u n d -trip tim e , i.e., the to ta l tim e taken
by a packet fo r co m p letin g a trip . Ping can also be used fo r resolving host names. In this case, if
the packet bounces back w hen sent to th e IP address, b ut not w hen sent to the name, then it is
an indication th a t the system is unable to resolve the name to the specific IP address.
Source: h ttp ://n m a p .o rg
Using Nm ap S ecurity Scanner you can p erfo rm ping sweep. Ping sweep determ ines the IP
addresses o f live hosts. This provides in fo rm a tio n abo u t the live host IP addresses as w ell as
th e ir MAC address. It allows you to scan m u ltip le hosts at a tim e and d ete rm ine active hosts on
the n etw o rk. The fo llo w in g screenshot shows the result o f a ping sweep using Zenmap, the
official cross-platform GUI fo r the Nmap Security Scanner:
M o d u le 0 3 Page 274
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Zenmap
Sc!n Joolt
Erofik
{jdp
192.168. 168. 1-50
Target
"v] Proffe
Scan
Cancel
%
Details
11
Command |nmap -sn -PE •PA21,23,80. 3389192.168.168.1- 5(
Hosts
Sernces
OS « Host
*
192. 168. 168.1
*
192.168.168.3
Nmap Output Ports /Hosts Topology Host Details Scans
A
S tarting Mrap
192.168. 168.13
192. 168.168.14
192. 168.168.15
192. 168. 168.17
fti
192.168.168.19
*
192. 168.168-26
*
192. 168.16828
Filter Hosts
6.01
( http://nmap.org ) at
2012- 08-08
12:41
<■ 192.168.168.5
*
nmap -sn •PE-PA21.23.80.3389 192. 168. 168.1-50
v
Map scan report fo r 192. 168. 168.1
Host is up ( 0. 00s latency).
*AC Address; I
(Hewlett-Packard Co«pany)
f*rap scan report fo r 192. 168. 168.3
Host is up ( 0. 00s latency).
*AC A d d rm i
* (Apple)
Nnap scan report for 192. 168. 168.5
Host is up ( 0 . 0010s latency).
MAC Address;
- •
(D e ll)
Nnap scan report fo r 192. 168. 168.13
Host is up ( 0 . 00s latency).
MAC Address: •
•
(Foxconn)
N*ap scan report fo r 192. 168. 168.14
Host is up ( 0 . 0020s latency).
v
FIGURE 3.5: Zenm ap show ing ping sweep o u tp u t
M o d u le 0 3 Page 275
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
PingSweepTools
SolarWinds Engineer Toolset's Ping Sweep enables
scanning a range o f IP addresses to identify which
IP addresses are in use and which ones are
currently free. It also performs reverse DNS lookup.
Angry IP Scanner pings each IP address to check if
it's alive, then optionally resolves its hostname,
determ ines the MAC address, scans ports, etc.
o
IP Range Angry IP Scanner
to K.0J.S)
M0*wme VWNUQN3WR1RW
© 1 :0 :1
£ 1 0 0 cj
Q io a u
f ti o a c j
Q10&&S
C H o a tt
©100C7
fh o ac j
®MOOC9
Qr-at
0.11
.11
10
CH ac
•1 0 a a;
Chocu
# ac.u
#100£1‫י‬
&1COC.U
® M o atr
C h o a tu
f h o a c .»
‫ם‬
x
JoeU H»lp
S'**
*Rjr* * 1C011
9
‫״‬
CEH
f»
‫י״י׳‬9
1m
Cm
lm
h/»l
4n
h/•!
1m
K»l
KH
K‫!»׳‬
[l»Pjnje
Uctmiifc v
Hcarwrc
/11
HnOcwit
v *
SUrt
M
Pcm1i00c-1
80
•0US.1
1JX
In‫)•׳‬
1JH H M U
In
In
MM Mtt£lCMM1
In/•!
<VIS IXQN5WOR9M
HV•!
ln/1)
In‫!•׳‬
h/1l
O?m
m
|V*I
Kv.|
K»1
h/»l
!*/•I
K«l
1
In/•!
In/•!
In/•)
In‫!•׳׳‬
I‫׳‬V»|
In/•!
In‫!•׳‬
In/1l
In/•!
In‫!•׳‬
AJI
*•‫׳<״״‬
!•‫׳‬
|n ‫!•׳‬
|nfe|
In‫!•׳‬
‫!•׳ייו‬
In'•!
In•!
|n •!
In‫!•׳‬
In‫!•׳‬
|n ‫|«׳‬
In•!
I" •!____________________ v |
Th0*»«*‫״‬
Angry IP Scanner
http://www.angryip.org
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
P in g
S w e e p T o o ls
D eterm ining live hosts on a ta rg e t n e tw o rk is the firs t step in the process o f hacking
o r breaking in to a n etw o rk. This can be done using ping sweep tools. There are a num ber o f
ping sweep tools readily available in the m arket using w hich you can p erfo rm ping sweeps
easily. These tools a llow you to d ete rm ine the live hosts by sending ICMP ECHO requests to
m u ltip le hosts at a tim e . A ngry IP Scanner and S olarw inds Engineer's Toolset are a fe w
co m m only used ping sweep tools.
A n g r y
/j
IP
S c a n n e r
Source: h ttp ://w w w .a n g ry ip .o rg
Angry IP Scanner is an IP scanner to o l. This to o l id e ntifie s all non-responsive addresses as dead
nodes, and resolves hostnam e details, and checks fo r open ports. The main fe a tu re o f this to o l
is m u ltip le ports scanning, configuring scanning colum ns. Its main goal is to fin d th e active hosts
in the n e tw o rk by scanning all the IP addresses as w ell as ports. It runs on Linux, W indow s, Mac
OS X, etc. It can scan IP addresses ranging fro m 1.1.1.1 to 255.255.255.255.
M o d u le 0 3 Page 276
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
IP Range - Angry IP Scanner
Scan £0 ‫י‬°
Commands
Favorites
IP Range | 10.0.0.1
loots
Help
| to | 10.0.0.50
Hostname | WIN-LXQN3WR3R9I
IP
Ping
1 ms
Oms
Oms
[n/a]
4 ms
[n/a]
1 ms
[n/a]
€>10.0.0.1
010.0.0.2
@10.0.0.3
#10.0.0.4
€>10.0.0.5
© 10.0.0.6
€)10.0.0.7
C m 0.0.0.8
€> 10.0.0.9
#10.0.0.10
#10.0.0.11
# 10.0.0.12
#10.0.0.13
# I0.0.0.M
#10.0.0.15
#10.0.0.16
# 10.0.0.17
#10.0.0.18
#10.0.0.19
| | IF Range
# IP I | Netmask r J
v ‫א‬
C+ Start
i|
Hostname
[n'a]
W1N-MSS£LCK4IC41
WindowsS
Ports [2000•.]
80
80.135.139.4...
135,139,445,...
[n/a]
135,139,445,...
|n/a]
W1N-LXQN3WR3R9M
[n/a]
80.135
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
627 ms
[n/a]
In /,]
[n/a]
[n/a]
[n/a]
In^a]
l"/a]
[n/a]
[n/a]
ln /»
]‫»׳‬/•[
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
[n/a]
|n/a]
[n/a]
[n/a]
In'*]
In/a]
Ready
=
Display: All
v
1
Threads; 0
1
FIGURE 3.6: A ngry IP Scanner Screenshot
S o la r w in d s
E n g in e e r ’ s
T o o ls e t
Source: h ttp ://w w w .s o la rw in d s .c o m
The Solarwinds Engineer's Toolset is a collection o f n e tw o rk e ngineer's to o ls. By using this
to o ls e t you can scan a range o f IP addresses and can id e n tify the IP addresses th a t are in use
c u rre n tly and the IP addresses th a t are free. It also perform s reverse DNS lo o kup .
Ping Sweep
EHe
E d it
S t a r t i n g I P A d d r e s s 11 9 2 .1 6 8 .1 £ 8 1 0
F n r im g IP A H r im t t
^ I
(1 9 2 1 8 8 1 6 8 95(
| S ra n F «
10
R equest T m e d O ut
1 9 2 1 6 6 1 6 6 11
R equest T m e d O ut
IM
|A l I P t
R esponse Tm e
fp A d d r e s s
192 I M
u o o
H e lp
S ran
R equest T m e d O ut
192 166 166 12
^
1 9 2 1 6 6 1 6 6 13
192 1 6 6 1 6 6 14
A
DNS Lookup
=
R equO St T m e d O u t
^
3 me
192 16 6 1 6 8 1 6
‫_{י‬
R eauest T m e d O ut
192 1 6 6 .1 6 6 1 7
192 166 1 6 6 .1 6
#
192 1 6 6 1 6 6 1 5
R eoues! T m ed O at
‫^■ייי‬
R ecues! T m ed O ul , t
192 166 166 19
R equest T m ed O ul
192 166 166 2 0
R equest T m e d O ut
1 9 2 1 6 6 166 .2 1
R equest T m e d O ut
1 9 2 1 6 6 1 6 6 .2 2
R equest T m e d O ut
192 16 6 166 2 3
R e q u e s t T im e d O u t
192 166 166 24
»
I J I
R equest T m e d O ut
192 166 166 2 5
R equest T m e d O ut
192 166 166 26
2 ms
1 9 2 166 1 6 6 .2 7
_ * V * “"
192 1 6 6 1 6 6 .2 6
192 166 166 2 9
N
R equest T m e d O ut
2 ms
R equest T m e d O yt
1 9 2 1 6 6 166 30
3 me
1 9 2 1 6 6 1 6 6 31
3 ms
192 166 166 32
2 ms
‫׳י‬
III
<1
S c a n C o m p l ie d
S can
>
DNS
h
r
90
FIGURE 3.7: Solarw inds Engineer's T oolset Screenshot
M o d u le 0 3 Page 277
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
PingSweepTools
CEH
(C o n t’d)
^
C o la so ft Ping Tool
PacketTrap MSP
h ttp ://w w w . colasoft. com
http ://w w w .pa ckettra p .co m
V isu a l Ping T ester - S ta n d a rd
f
Ping S w eep
h ttp://w w w .w hatsupgold.com
h ttp ://w w w .p in g te ste r.n e t
Ping S canner Pro
N e tw o rk Ping
http://w w w .digilextechnoiogies.com
h ttp://w w w .greenline-soft.com
‫ז‬
U ltra Ping Pro
h ttp ://u ltra p in g . webs.com
S®
*
Ping M o n ito r
h ttp ://w w w .n ilia n d . com
P in g ln fo V ie w
P in kie
h ttp ://w w w .n irs o ft.n e t
h ttp ://w w w .ip u p tim e .n e t
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is S trictly Prohibited.
jf S S S
u
P in g
S w e e p T o o ls ( C o n t’ d )
r -
In a dd itio n to Solarwinds Engineer's Toolset and Angry IP Scanner, th e re are many
o th e r tools th a t fea tu re ping sweep capabilities. For exam ple:
9
Colasoft Ping Tool available at h ttp ://w w w .c o la s o ft.c o m
9
Visual Ping Tester - Standarad available at h ttp ://w w w .p in g te s te r.n e t
9
Ping Scanner Pro available at h ttp ://w w w .d ig ile xte ch n o lo g ie s.co m
9
Ultra Ping Pro available at h ttp ://u ltra p in g .w e b s .c o m
9
P inglnfoView available at h ttp ://w w w .n irs o ft.n e t
9
PacketTrap MSP available at http://www.packettrap.com
9
Ping Sweep available at h ttp ://w w w .w h a ts u p g o ld .c o m
9
N e tw o rk Ping available at h ttp ://w w w .g re e n lin e -s o ft.c o m
9
Ping M o n ito r available at h ttp ://w w w .n ilia n d .c o m
9
Pinkie available at h ttp ://w w w .ip u p tim e .n e t
M o d u le 0 3 Page 278
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
*-— 1
Exam 3 1 2 -5 0 C ertified Ethical H acker
So fa r we discussed how to check fo r live systems. Open ports are the doorw ays fo r an
attacker to launch attacks on systems. Now we w ill discuss scanning fo r open ports.
Check for Live Systems
life
Scan for Vulnerability
r
Check fo r Open Ports
Scanning Beyond IDS
O Q
‫יז־^־ל‬
Banner Grabbing
Draw Network Diagrams
Prepare Proxies
Scanning Pen Testing
This section covers the th re e -w a y handshake, scanning IPv6 netw orks, and various scanning
techniques such as FIN scan, SYN scan, and so on.
M o d u le 0 3 Page 279
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
CEH
Three-WayHandshake
(•rtifwd
itkitjl
TCP uses a th re e-w ay handshake to establish a connection between server and client
T hre e-w ay H a n d sh a k e
P ro c e s s
1. The Computer A (10.0.0.2) initiates
a connection to the server (10.0.0.3)
via a packet w ith only the SYN flag
set
2. The server replies w ith a packet
w ith both the SYN and the ACK flag
set
3. For the final step, the client
responds back to the server w ith a
single ACK packet
4. If these three steps are com pleted
w ithou t com plication, then a TCP
connection is established between
the client and the server
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
T h re e -W a y H a n d s h a k e
TCP is co n n e c tio n -o rie n te d , w hich im plies connection establishm ent is principal p rio r
to data tra n sfe r betw een applications. This connection is possible throu g h the process o f the
th re e -w a y
handshake.
The
th re e -w a y
handshake
is
im p le m e n te d
fo r
establishing
the
co nn e ction b etw e e n p ro to co ls.
The three-way handshake process goes as follows:
9
To launch a TCP conn e ction , the source (10.0.0.2:62000) sends a SYN packet to the
d estination (10.0.0.3:21).
9
The destination, on receiving the SYN packet, i.e., sent by the source, responds by
sending a SYN/ACK packet back to the source.
9
This ACK packet confirm s the arrival o f the firs t SYN packet to the source.
9
In conclusion, the source sends an ACK packet fo r the ACK/SYN packet sent by the
destination.
9
This triggers an "OPEN" connection allow ing com m unication betw een the source and
the d estination, u ntil e ith e r o f the m issues a "FIN" packet or a "RST" packet to close the
connection.
M o d u le 0 3 Page 2 80
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
The TCP p ro to co l m aintains state ful connections fo r all co nn e ctio n -o rie n te d protocols across
the Inte rn e t, and w orks the same as an o rd ina ry te lep h on e co m m unication, in w hich one picks
up a telep h on e receiver, hears a dial tone, and dials a num ber th a t triggers ringing at the o th e r
end u ntil a person picks up the receiver and says, "H e llo ."
Bill
Three-way Handshake
1 0 . 0 . 0 . 2 : 6 2 0 0 0 ‫ ^ ־‬.................. ‫י‬
‫ י‬...............
Sheela
1 0 .0 .0 .3 :2 1
........
..‫* ״‬
IrVC
C lient
S erver
FIGURE 3.8: Three-way Handshake Process
E s ta b lis h in g
a
T C P
C o n n e c tio n
As we previously discussed, a TCP connection is established based on the three -w ay
hand shake m ethod. It is clear fro m the name o f the connection m ethod th a t the establishm ent
o f the connection is accom plished in th re e m ain steps.
Source: h ttp ://s u p p o rt.m ic ro s o ft.c o m /k b /1 7 2 9 8 3
The fo llo w in g th re e fram es w ill explain the e stablishm ent o f a TCP connection betw een nodes
NTW3 and BDC3:
Frame 1:
In the firs t step, the client, NTW3, sends a SYN segm ent (TCP ....S.). This is a request to the
server to synchronize the sequence num bers. It specifies its Initial Sequence N um ber (ISN),
w hich is increm ented by 1 and th a t is sent to the server. To initialize a connection, the client
and server m ust synchronize each o th e r's sequence num bers. There is also an o p tio n fo r the
M o d u le 0 3 Page 281
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
M axim um Segment Size (MSS) to be set, w hich is defined by the length (len: 4), this o ptio n
com m unicates th e m axim um segm ent size the sender w ants to receive. The A cknow ledgem ent
fie ld (ack: 0) is set to zero because this is th e firs t part o f the th re e -w a y handshake.
1
2 .0 7 8 5 NTW3 - - > BDC3 TCP ___ S .,
le n :
4, se q :
8221822-8221825, a c k : 0,
win: 8192, src: 1037 dst: 139 (NBT Session) NTW 3- > BDC3 IP
TCP:
....S .,
d s t:
139
le n :
4, se q:
8221822-8221825, a c k : 0, w in :
8192,
s rc :
1037
(NBT S e s s io n )
TCP: S ource P o r t = 0x040D
TCP: D e s t in a t io n P o r t = NETBIOS S e s s io n S
TCP: Sequence Number = 8221822
(0x7D747E)
TCP: A cknow ledgem ent Number = 0 (0x0)
TCP: Data O f f s e t = 24 (0x18)
TCP: R eserved = 0 (0x0000)
TCP: F la g s = 0x02
: . . . . S.
TCP:
. . 0 ........
= No u r g e n t d a ta
TCP:
. . . 0 . . . . = A cknow ledgem ent f i e l d
TCP:
....0 ...
n o t s ig n if ic a n t
= No Push f u n c t io n
......... 0 . . = No R eset
TCP:
1 . = S y n c h ro n iz e sequence numbers
.
TCP:
TCP:
............................ 0 = No F in
TCP: Window = 8192
(0x2000)
TCP: Checksum = 0xF213
TCP: U rg e n t P o in t e r = 0 (0x0)
TCP: O p tio n s
TCP: O p tio n K in d
(Maximum Segment S iz e )
= 2 (0x2)
TCP: O p tio n L e n g th = 4 (0x4)
TCP: O p tio n V a lu e = 1460
(0x5B4)
TCP: Frame P ad d in g
00000:
02 60 8C 9E 18 8B 02 60 8C 3B 85 C l 08 00 45 00
. ' ......... ' . ; ------- E .
00010:
00 2C 0D 01 40 00 80 06 E l 4B 83 6B 02 D6 83 6B
. , . . 0 ___ K .k . . .k
00020:
02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02
.............. } t ~ ------- ' .
00030:
20 00 F2 13 00 00 02 04 05 B4 20 20
M o d u le 0 3 Page 282
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Frame 2:
In the second step, the server, BDC3, sends an ACK and a SYN on this segm ent (TCP .A..S.). In
this segm ent the server is acknow ledging the request o f the clie n t fo r synchronization. A t the
same tim e , the server is also sending its request to the clie n t fo r synchronization o f its
sequence num bers. There is one m ajor d ifference in this segm ent. The server transm its an
acknow ledgem ent n um ber (8221823) to the client. The acknow ledgem ent is ju st p ro o f to the
clie n t th a t the ACK is specific to the SYN the client in itia te d . The process o f acknow ledging the
client's request allows th e server to in cre m e nt the client's sequence num ber by one and uses it
as its acknow ledgem ent num ber.
2
2 .0 7 8 6 BDC3 — > NTW3
8221823, w in :
8760,
TCP . A . . S . ,
s rc :
TCP:
.A ..S .,
le n :
s rc :
139 (NBT S e s s io n )
TCP: S ource P o r t =
139
le n :
4, se q :
(NBT S e s s io n )
4, se q:
d s t:
d s t:
1109645-1109648, a c k :
1037 BDC3 - - > NTW3
1109645-1109648, a c k :
8221823, w in :
IP
8760,
1037
NETBIOS S e s s io n S e rv ic e
TCP: D e s t in a t io n P o r t = 0x040D
TCP: Sequence Number = 1109645
(0xl0EE8D)
TCP: A cknow ledgem ent Number = 8221823
(0x7D747F)
TCP: D ata O f f s e t = 24 (0x18)
TCP: R eserved = 0 (0x0000)
TCP: F la g s = 0x12
: .A .. S .
TCP:
. . 0 .......... =
TCP:
...1 .... =
TCP:
. . . . 0 . . . = No Push f u n c t io n
TCP:
......... 0 . . = No R eset
TCP:
..............1. = S y n c h ro n iz e
TCP:
................0 = No F in
TCP: Window = 8760
No u r g e n t d a ta
A cknow ledgem ent f i e l d
s ig n if ic a n t
sequence numbers
(0x2238)
TCP: Checksum = 0x012D
TCP: U rg e n t P o in t e r = 0 (0x0)
TCP: O p tio n s
TCP: O p tio n K in d
(Maximum Segment S iz e )
= 2 (0x2)
TCP: O p tio n L e n g th = 4 (0x4)
TCP: O p tio n V a lu e = 1460
(0x5B4)
TCP: Frame P adding
00000
02
60 8C 3B 85 C l 02 60 8C 9E 18 8B 08 00 45 00
00010
00
2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B
. , [ . 0 _____ L . k . . . k
00020
02
D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12
.............................. } t ' .
M o d u le 0 3 Page 283
.............E.
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
00030:
8‫״‬. -
22 38 01 2D 00 00 02 04 05 B4 20 20
Frame 3:
In the th ird step, th e client sends an ACK on this segm ent (TCP .A....). In this segm ent, the client
is acknow ledging the request fro m the server fo r synchronization. The client uses the same
a lg orith m the server im p lem ented in providing an acknow ledgem ent num ber. The client's
acknow ledgm ent o f the
server's request fo r synchronization
com pletes the
process o f
establishing a reliable connection, thus the th re e -w a y handshake.
3
2 .7 8 7 NTW3 - - > BDC3
1109646, w in :
TCP:
.A ....,
s rc :
1037
8760,
s rc :
le n :
d s t:
TCP .A
1037
0, se q:
139
, le n :
d s t:
139
0, se q:
8221823-8221823, a c k :
(NBT S e s s io n )
8221823-8221823, a c k :
NTW3 - - > BDC3
1109646, w in :
IP
8760,
(NBT S e s s io n )
TCP: S ource P o r t = 0x040D
TCP: D e s t in a t io n P o rt = NETBIOS S e s s io n S e rv ic e
TCP: Sequence Number = 8221823
(0x7D747F)
TCP: A cknow ledgem ent Number = 1109646
(0xl0EE8E)
TCP: D ata O f f s e t = 20 (0x14)
TCP: R eserved = 0 (0x0000)
TCP: F la g s = 0x10 : . A . . . .
TCP:
. . 0 .........
= No u r g e n t d a ta
TCP:
. . . 1 . . . . = A cknow ledgem ent f i e l d
TCP:
___ 0 . . .
= No
Push f u n c t io n
TCP:
......... 0 . .
= No
R eset
TCP:
............0. = No
S y n c h ro n iz e
TCP:
.............. 0 = No
F in
TCP: Window = 8760
(0x2238)
TCP: Checksum = 0xl8E A
TCP: U rg e n t P o in t e r = 0 (0x0)
TCP: Frame P ad d in g
00000:
02 60 8C 9E 18 8B 02 60 8C 3B 85 C l 08 00 45 00
. ' ............. ' . ; ---------- E .
00010:
00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B
.
00020:
02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10
................... } t ----------P .
00030:
22 38 18 EA 00 00 20 20 20 20 20 20
‫ ״‬8 ___
M o d u le 0 3 Page 284
(. . 0 ___ O .k .
.
.k
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
TCPCommunicationFlags
Data contained in
the packet should
be processed
immediately
There w ill be no
more
transmissions
Resets a
connection
F IN
(Finish)
URG
(Urgent)
jm ₪₪mm
PSH
(Push)
Sends all
buffered data
immediately
ACK
>
(Acknowledgement)A
Acknowledges
the receipt of a
packet
1
SYN
(Synchronize)
Initiates a
connection
between hosts
Standard TCP com m unications are con trolled by flags in th e TCP packet header
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited
T C P
C o m m u n ic a tio n
F la g s
Standard TCP com m unications m o n ito r the TCP packet header th a t holds the flags.
These flags govern the connection betw een hosts, and give instructions to the system. The
fo llo w in g are the TCP co m m unication flags:
9
Synchronize alias "SYN": SYN notifies transm ission o f a new sequence num ber
9
A cknow ledgem ent alias "ACK":
ACK confirm s receipt o f transm ission, and id e ntifies
next expected sequence num ber
9
9
Push alias "PSH": System accepting requests and fo rw a rd in g buffered data
U rgent alias "URG": Instructs data contained in packets to be processed as soon as
possible
Q
Finish alias "FIN ": Announces no m ore transm issions w ill be sent to re m o te system
Q
Reset alias "RST": Resets a connection
SYN scanning m ainly deals w ith three o f the flags, nam ely, SYN, ACK, and RST. You can use
these th re e flags fo r gathering illegal in fo rm a tio n fro m servers during the e nu m eration process.
M o d u le 0 3 Page 285
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Acknowledgem ent No
O ffse t
Res
TCP Flags
TCP Checksum
W indow
Urgent Pointer
Options
\< ------------------------- 0-31 B its --------------------------->
FIGURE 3.9: TCP C o m m u n ica tio n Flags
M o d u le 0 3 Page 286
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
CreateCustomPacketUsing
TCPFlags
CEH
Colasoft Packet Builder
.$‫׳‬
5 & 5
.xpcr:- Add Inser: Copy
3ckte
Move Up |
Chcdcsum| Send ScndAII
| Packet No. | ‫־‬
-J
C o la s o ft Packet B u ild e r
en ables c re a tin g c u s to m
n e tw o rk pa ckets to a u d it
n e tw o rk s fo r v a rio u s
a tta c k s
J
A tta c k e rs can also use it
to c re a te fra g m e n te d
- ¥ * Packet Info:
Padrec ttacer;
—^ Backer Le=ath:
Captnred Length:
Delta Tine
E ‫־‬d Ethernet Type I I
j y iJ f s t ia t i‫ ״‬Mdress:
JUfSouic? U d m 9 :
Protocol:
E-.J I? - Internet Protocol
! ‫ ״‬Version 0
i •••0 Me* 1•: length
g>-0 Differentiated Services Field
j j 0
S«rvlc«f Cod*pcint
j > Tr«r.*por1 ?101 .col w ill 1903c* tii* CC b it
: 9 Coaaastios
<1
M
-
‫!«»***ג‬
000004
64
60
0.100000 Second
[0/14]
00: 00:00:00: 00:00
[0/ 6]
00: 00:00:00 : 00:00
[6/ 6]
0x0800
(Inter:
[14/20]
4
[U /1 ] OxFO
S
<20 Bytes) [1<
0000 oaoo
[15/1! OxPF
0000 00..
[18/1] OxfC
.......... 0. (Ignoi•
[15/1]
............0 (Xu Coixjumlon)
1‫כ‬
i>HuEdfco!
<
Total
6fl bytet
packets to bypass
fire w a lls a n d IDS system s
in a n e tw o rk
http://www. colasoft. com
Copyright © by EG-Gaoncil. All Rights Reserved. Reproduction is S trictly Prohibited
C re a te
C u s to m
P a c k e ts u s in g
T C P
F la g s
Source: h ttp ://w w w .c o la s o ft.c o m
Colasoft Packet Builder is a to o l th a t allows you to create custom n e tw o rk packets and also
allows you to check the n e tw o rk against various attacks. It allows you to select a TCP packet
fro m the provided tem plates, and change the p aram ete rs in the decoder e d ito r, hexadecimal
e d ito r, o r ASCII e d ito r to create a packet. In a dd itio n to building packets, Colasoft Packet
B uilde r also supports saving packets to packet files and sending packets to the netw ork.
M o d u le 0 3 Page 2 87
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
Colasoft Packet Builder
File
Edit
Im p o rt
Send
H elp
#
E x p o rtw
#
Add
Insert
!£‫נ‬
C o py
©
Pas-
*
Delete
| x
M o ve
4*
*fc*
Send
Send A ll
Packet Info:
a P a c k e t N u m b e r:
<3‫ *־‬P a c k e t
L e n g th :
!‫^״״‬
C a p tu re d
H H
D e lta
60
0.100000 Second
L e n g th :
T im e
₪-€> Ethernet Type II
D e s tin a tio n
S o u rc e
00:00:00:00:00:00
00:00:00:00:00:00
0x0800
A d d re s s :
A d d re s s :
•••©IP - Internet Protocol
j— &
V e r s io n
: ©
Header
E3‫@ ״‬
|
|
(2 0
L e n g th
S e r v ic e s
_~© D if f e r e n t ia t e d
O
~~©
T ra n s p o rt
C o n g e s tio n
Delta T im e
‫ו‬
0.100000
00:00:00:00:1
2
0.100000
0.0.0.0
3
0.100000
0.0.0.0:0
0.100000
0.0.0.0:0
Source
[0/6]
[6/6]
(In te rn
[1 4 /2 0 ]
[1 4 /1 ]
D iffe r e n t ia t e d
No.
[0 /1 4 ]
P r o to c o l:
0
'w E I & B r S B
Packet No. 4
D ecode E ditor
0000 0000
0000 00..
F ie ld
S e r v ic e s
P ro to c o l w i l l
C o d e p o in t
ig n o r e
th e
CE b i t
...........0.
..........0
OxFO
B y te a )
[1 5 /1 ]
O xF F
[1 5 /1 ]
O xFC
(Ig n o re )
[1 4
[1 5 /1 ]
(N o C o n g e s t i o n )
<L
jc% Hex E ditor
0000
0010
0020
0030
<
T o ta l | 60 bytes
00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
00 2C00 00 40 00 40 11 3ACO00 00 00 00 00 00 --- 0.0.s .
00 00 00 00 00 00 00 1A FF BA 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
A
V/
T>
: ...
FIGURE 3 .1 0 : C o la s o ft P acket B u ild e r S c re e n s h o t
M o d u le 0 3 Page 288
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ScanningIPv6Network
CEH
imttiM
tUx*l lUckM
I
I
L
a
1
IPv6 increases the IP address size fro m 32 bits to 128 bits, to support m ore levels o f
addressing hierarchy
Traditional ne tw ork scanning techniques w ill be c o m p u ta tio n a lly less feasible due to larger
search space (64 bits o f host address space o r 2s4 addresses) provided by IPv6 in a subnet
Scanning in IPv6 ne tw ork is more d iffic u lt and com plex than the IPv4 and also m ajor
scanning tools such as Nmap do no t support ping sweeps on IPv6 n e tw orks
Attackers need to harvest IPv6 addresses fro m n e tw o rk tra ffic , recorded logs o r Received
fro m : and o th e r header lines in archived em ail o r Usenet news messages
Scanning IPv6 netw ork, however, offers a large num ber o f hosts in a subnet if an attacker
can com prom ise one host in the subnet; attacker can probe the "all hosts" lin k local
m ulticast address
Copyright © by EC-ClUIICil. All Rights Reserved. Reproduction is S trictly Prohibited.
S c a n n in g IP v 6 N e t w o r k
IPv6 increases the size o f IP address space fro m 32 bits to 128 bits to su pp o rt m ore
levels o f addressing hierarchy. T raditional n e tw o rk scanning techniques w ill be co m p u ta tio n a lly
less feasible due to larger search space (64 bits o f host address space o r 264 addresses)
provided by IPv6 in a subnet. Scanning an IPv6 n e tw o rk is m ore d iffic u lt and com plex than IPv4
and also m a jo r scanning tools such as Nmap do n o t su p p o rt ping sweeps on IPv6 n etw o rks.
A ttackers need to harvest IPv6 addresses fro m n e tw o rk tra ffic, recorded logs, o r Received fro m :
and o th e r header lines in archived em ail o r Usenet news messages to id e n tify IPv6 addresses
fo r subsequent p o rt scanning. Scanning IPv6 n etw o rk, how ever, offers a large n u m b e r o f hosts
in a subnet; if an a ttacker can com prom ise one host in the subnet he can probe the "all hosts"
link local m ulticast address.
M o d u le 0 3 Page 289
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ScanningTool:Nmap
CEH
J
N etw ork adm inistrators can use Nmap fo r n e tw o rk inven tory, managing service upgrade schedules, and
J
Attacker uses Nmap to extract info rm atio n such as live hosts on th e n e tw o rk , services (application name
and version), type o f packet filte rs /fire w a lls , op eratin g systems and OS versions
m o n ito rin g host or service u p tim e
h ttp ://n m a p .o rg
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is S trictly Prohibited.
S c a n n in g T o o l: N m a p
Source: h ttp ://n m a p .o rg
Nmap is a se curity scanner fo r n e tw o rk e xplora tio n and hacking. It allows you to discover hosts
and services on a co m p u te r n etw o rk, thus creating a "m ap " o f the n etw o rk. It sends specially
cra fted packets to th e ta rg e t host and then analyzes the responses to accom plish its goal.
Either a n e tw o rk a d m in istra to r or an a ttacker can use this to o l fo r th e ir p articula r needs.
N e tw o rk adm inistrato rs can use Nmap fo r n e tw o rk in v e n to ry , m anaging service upgrade
schedules, and m o n ito rin g host o r service uptim e. Attackers use Nmap to e xtract in fo rm a tio n
such as live hosts on the n etw o rk, services (application name and version), type o f packet
filte rs /fire w a lls , o p e ra tin g system s, and OS versions.
M o d u le 0 3 Page 2 90
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
Zenmap
iM k
*•« M
tel
M o w K M * TCf M*»
t
(" > « •
!j* »
Mi M l M M
-
'
*14
u n
4
T
S t M tl* * < M t • . • I <
M M r < f la t
B L . M M • I M f l K l #M K M | R | .
B L W rlM
) •‫ ז‬m ) «
M
11:11
I M .n iH I D U •
•1
1
MMHyj
MM D u
tu n
HHM —rtt «»»* .
1
« s ia ti w m i a
« m
ia f t M
W h 1 * T M M M M ‫־״‬t
M !•2 .1 M 144 S
M M l t l W ** 11*1— : ! • M M .4 M M M ) I K l IS 24 1• M 4)
%f%
'•»*1»‫י‬1«‫י*י‬
C M »letM W S t • • I t * k M at IS 24. N . t l i •1 m m 4 ( M t H t«4«l
M ‫־״‬t * )
*W v i< • *CM • t IS: 24
t a M l « | • MTviCM M 1*2 IM 1 m
C M W * M SM *|C• M M • t IS:
, M .M l l l M l M ( I I K » <#I M t
1
•»
M M I/tu • * «
11I/1
|.
S t i l l l uM i r t l SV.»J
4412
v :
IKjuatL
M m lfM WVCK
VC ■
1
1 11
Ira*
1
1
1
0
\o
*
z
1
0
2 |7
f l l CPt: cp«
■ IcreM ^t ■inM n _ v 1 * f : :•
‫ *־׳‬tw it
M> M
^ «
U
U N f l w M •*
'1 ‫ *■׳‬M l« « lt I OM‫ ־״‬M I ( I 1 M i n
P n lc e
|t n t r « l *tKfOM
ft—
M
‫״‬H ‫׳‬
• M tf m *
00%ll(I r'Mt t «l l<t :t
MM V I.
24
■ ‫ןן *ן‬
1c • ' 1«m
1111222 2 1
t l H lli
I n l t l M l f * Sm S t t t lt n Sm x i t 1S:22
k M i ^ W 1M IM S ( l » ) t • e r t i ]
M K M f M M M M ‫־״‬t I H t ( | M 1I2 I M 1 M S
W w u r M M M PMt I M / t V M 1*2 IM 1M S
M M M M M M W M M 44$/1(» M IW 1 M .IM .1
M W M M M MW) • W t •12 t<> on 1*2 144 IM S
M M M ‫ ׳‬t M>42 tcp on 1*2 IM .1 M .S
T» « M l t l
— T l« 1 ~ MOwt 22.22% m ac; I K : 19:24 ( • •1 4 5
M o d u le 0 3 Page 291
*M O W !
V■ *. M t f )
1522
1
!•N tO n lw
M l t lliw
I t •*•
!w ltia tln g 4 V » !** S<M I t IS 22
W m w I m 1*2 144 144.S (1 t v t l
4
T A . IV M» M» >
•••
C o M lr tM * V H r * U m a t
: , • M l * I m iH (I tv ta l M tf i)
: M t l i t l ‫ *׳‬N r * u < c m r « M lt f t iM • * I * • I t . • t I f
» * ‫ ׳‬H * i M r » M lM tlM
‫ » ״‬M I . *t
. .
H
1 1
N
1
—« * » I « u n
MM M v l» t!l *M
c m :/
! » l cm
■ In d M I . M r 't '. M N M l < » : / • • i < r | M * t
* lc r M M t id iM M IT t lt l V • V V I . K U M
ktM s■ ! I
/
imtLmrn•*.*%
i r t —r l M
l .S M M y • ( » l « t * Him
u i t i > ‫»״‬m
‫ ■־‬T
4
*« M • )
1 21
«
‫ג‬
l 0 l* ‫ ״‬lc«.lt»-2S4 ( i M i 1m «1)
MiM — i
(PI
-<. Mt«10S mr:
1
‫ » ז « י‬1‫מ‬
•‫*י‬
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Hping2/ Hping3
CEH
UrtifW
itkMl lUikw
J Command line packet crafter for the TCP/IP protocol
J Tool for security auditing and testing firewall and networks
J Runs on both Windows and Linux operating systems
h ttp ://w w w . hping.org
f o o t g b t : - # h ping3 ■A 1 0 .0 .0 .2 -p 89
HPINC18.0.0.2 (ethl 19.0.0.2): Aset, 40 headers + 0 data bytel
len=40 ip-10.0.0.2 ttl=128 OF id=26©85spoci^0 flags-R seq^0 w
ln0‫ ־‬rtt=1.3 ms
^‫ך־‬
len^40 ip-10.0.0.2 ttl=128 OF id-26586 sport-ee-flags-R seq-1 w
ln=0 rtt=6.8 ms
len=40 ip-10.0.0.2 ttl=128 OF id=26087 sport-8Gfflags=R Ieq^2 w
11 1.0
in = o r
=
‫לווו‬
le n - 4 0 i p - 1 0 . 0 . 0 . 2
1n=0 r t t = 8 . 9 ms
le n = 4 0 ip = 1 0 ^ L 0 . 2
ttl- 1 2 8
OF id - 2 6 0 8 8 s p o r t - 8 0 f lo g s - R
s c q -3 w
t t l = 1 2 8 DF id - 2 6 6 8 9 5 p o rjt= 8 e f t c g s f R s e q - 4 w
len=4) 1^=10.0.8 *?ttl=128 DF ld=26090 sport80‫ ־‬flags=R seq=5
in»0 rtt-0 .5 ms
J
len=46 ip=10.0.3.2 ttl=128 OF id=26091 sport=80 flags=R seq=6 w
in=0 rtt=e.7 ms
len=40 ip=10.O.0.2 ttl=128 OF id26092‫ ־‬sport80‫ ־‬flags^R seq=7 w
ln=8 rtt=8.8 ns
len-40 ip-10.0.0.2 ttl-128 OFid-26093 5port-80 flegs‫־‬Rseq-8 w
ACK Scanning on p o rt 80
Copyright © by EG-GMMCil. All Rights Reserved. Reproduction Is S trictly Prohibited.
H p in g 2 /H p in g 3
Source: h ttp ://w w w .h p in g .o rg
HPing2/HPing3 is a co m m a n d -lin e -o rie n te d TCP/IP packet assem bler/analyzer th a t sends ICMP
echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It has Tra ce ro ute m ode, and
enables you to send files betw een covert channels. It has the a b ility to send custom TCP/IP
packets and display ta rg e t replies like a ping program does w ith ICMP replies. It handles
fra g m e n ta tio n , a rb itra ry packets' body and size, and can be used in o rd e r to tra n sfe r
encapsulated files under supported protocols. It supports idle host scanning. IP spoofing and
n e tw o rk /h o s t scanning can be used to p erfo rm an anonym ous probe fo r services.
An a tta cke r studies the behavior o f an idle host to gain in fo rm a tio n abo u t the ta rg e t such as the
services th a t the host offers, the ports su pp o rtin g th e services, and the ope ra tin g system o f the
targe t. This type o f scan is a predecessor to e ith e r heavier probing or o u trig h t attacks.
Features:
The fo llo w in g are some o f the features o f HPing2/HPing3:
9
D eterm ines w h e th e r the host is up even w hen th e host blocks ICMP packets
e
A dvanced p o rt scanning and te st net perform ance using d iffe re n t protocols, packet
sizes, TOS, and fra g m e n ta tio n
M o d u le 0 3 Page 292
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
9
M anual path MTU discovery
9
Firew alk-like usage allows discovery o f open ports behind firew alls
9
Remote OS fin g e rp rin tin g
9
TCP/IP stack auditing
ICMP Scanning
A ping sweep o r In te rn e t C o n trol Message P rotocol (ICMP) scanning is a process o f sending an
ICMP request or ping to all hosts on the n e tw o rk to d ete rm ine w hich one is up.
This p ro to co l is used by ope ra tin g system, ro u te r, sw itch, in terne t-p ro to co l-b a sed devices via
the ping com m and to Echo re quest and Echo response as a co nn e ctivity te ste r betw een
d iffe re n t hosts.
The fo llo w in g screenshot shows ICMP scanning using the Hping3 to o l:
«
v
x
root@bt: ~
File E dit V iew Term inal H elp
root@ bt:~# h p i ng3 -1 10 .0 .0 .2
HPING 1 0 .0 .0 .2 ( e t h l 10 . 0 . 0 . 2 ) : icmp mode s e t, 28 headers + 0 d
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25908 icmp_seq=0 r t t = 2 . 2 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25909 icm p_seq=l r t t = 1 . 0 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25910 icmp_seq=2 r t t = 1 . 7 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25911 icmp_seq=3 r t t = 0 . 5 ms
icmp seq=4
r t t = 0 . 4 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=2591%
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25913 icmp
seq=5 r t t = l . l ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25914 icmp
seq=6 r t t = 0 . 9 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25915 icmp
seq=7 r t t = l . l ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25916 icmp
seq=8 r t t = 0 . 9 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25917 icmp
seq=9 r t t = l . l ms
len=28 ip = 1 0 .0 . 0 . ^ > t t l= 128 id=25918 icmp seq=10 r t t = 0 . 8 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25919 icm p _ se q = ll r t t = 1 . 2 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25920 icmp seq=12 r t t = 0 . 7 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25921 icmp seq=13 r t t = 0 . 8 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25922 icmp seq=14 r t t = 0 . 7 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25923 icmp seq=15 r t t = 0 . 7 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25924 icmp seq=16 r t t = 0 . 8 ms
len=28 ip = 1 0 .0 .0 .2 t t l = 128 id=25925 icmp seq=17 r t t = 1 . 0 ms
FIGURE 3.12: Hping3 to o l show ing ICMO scanning o u tp u t
ACK Scanning on P ort 80
You can use this scan tech n iq ue to probe fo r the existence o f a fire w a ll and its rule sets. Simple
packet filte rin g w ill allow you to establish connection (packets w ith the ACK b it set), whereas a
sophisticated stateful fire w a ll w ill not a llow you to establish a connection.
The fo llo w in g screenshot shows ACK scanning on p o rt 80 using the Hping3 to o l:
M o d u le 0 3 Page 293
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
•‫ >׳‬v
Exam 3 1 2 -5 0 C ertified Ethical H acker
* r o o ta b t: -
File Edit View Terminal Help
£ 0 0 t@ b t:~ # h p in g 3 -A 1 0 . 0 . 0 . 2 •p 80
HPING 1 0 .0 .0 .2 ( e t h l 1 0 . 0 . 0 . 2 ) : A s e t , 40 h ea d ers + 0 d a ta b y te
s
le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 6 0 8 5 s p a rJ t-8 0 fla g s = R seq=0 w
in = 0 r t t = 1 . 3 ms
le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 60 8 6 s p o rt= 8 0 fla g s = R s e q = l w
in = 0 r t t = 0 . 8 ms
‫׳‬-‫'"׳׳‬
le n = 4 0 ip = 1 0 . 0 . 0 . 2 t t l= 1 2 8 DF id = 2 60 8 7 s p o rt= 8 9 fla g s = R seq=2 w
in = 0 r t t = 1 . 0 ms
le n = 4 0 ip = 1 0 . 0 .0 . 2 t t l= 1 2 8 DF id = 2 60 8 8 s p o rt= 8 0 ^ la g s = R seq=3 w
in = 0 r t t = 0 . 9 ms
le n = 4 0 ip = 1 0 J 0 .0 .2 t t l= 1 2 8 DF
id = 2 6 0 8 9 s p o rt= 8 0 fla g s = R seq=4 w
in = 0 r , t t = p . 9 ros —^ ^ ‫ ■י‬J j
I
•4■ ^
f j
le n = 4 0 ip = lO . 0 . 0 . 2 t t l= 1 2 8 DF
id=26O 90 s p o rt= 8 0 fla g s = R seq=5 w
in = 0 r t t = 0 . 5 ms
le n = 4 0 ip = lO . 0 . 0 . 2 t t l= 1 2 8 DF id = 2 6 0 9 1 s p o rt= 8 0 fla g s = R seq=6 w
in = 0 r t t = 0 . 7 ms
le n = 4 0 ip = 1 0 .0 .O .2 t t l= 1 2 8 DF id = 2 60 9 2 s p o rt= 8 0 fla g s = R seq=7 w
in = 0 r t t = 0 . 8 ms
le n = 4 0 ip = 1 0 .0 .O .2 t t l= 1 2 8 DF id = 2 6 0 9 3 s p o rt= 8 0 fla g s = R seq=8 v
FIGURE 3.13: Hping3 to o l show ing ACK scanning o u tp u t
M o d u le 0 3 Page 294
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
HpingCommands
-1
h p in g 3
10.0.0.25
ACK scan on port 80
hp±ng3
-A
1 0.0.0.25
-p
-2
1 0.0.0.25
1 9 2 .1 6 8 .1 .1 0 3
-S
5 0 -5 6
-S
1 0 .0 .0 .2 5
-V
-F
-p
-U
1 0 .0 .0 .2 5
-p
80
Scan entire subnet for live host
-p
h p in g 3
-Q
-p
7 2 .1 4 .2 0 7 .9 9
-1
-I ethO
80
1 0 .0 .1 .x
— ra n d -d e s t
In te rc e p t a ll t r a ffic co n ta in in g HTTP
sig n a tu re
h p in g 3
139
Firewalls and Time Stamps
h p in g 3
-8
h p in g 3
80
Collecting Initial Sequence Number
h p in g 3
ItkKJl Nm Im
FIN, PUSH a n d URG scan o n p o r t 80
UDP scan on port 80
h p in g 3
U rtifM
SYN scan on port 50-60
ICMP Ping
h p in g 3
cEH
‫־‬
-9
HTTP
- I
e th O
SYN flooding a victim
-p
80
h p in g 3
—
t c p ‫ ־‬tim e s ta m p
-S
1 9 2 .1 6 8 .1 .1
1 9 2 .1 6 8 .1 .2 5 4
-p
22
-a
— flo o d
Copyright © by EC-CM ICil. All Rights Reserved. Reproduction is S trictly Prohibited.
H p in g
C o m m a n d s
The fo llo w in g table lists various scanning m ethods and respective Hping com m ands:
Scan
Commands
ICMP ping
hping3 -1 1 0.0.0.25
ACK scan on port 80
hping3 -A 10 .0 .0 .2 5 -p 80
UDP scan on port 80
hping3 -2 1 0.0.0.25 -p 80
Collecting initial sequence number
SYN scan on port 50-60
hping3 192.168.1.103 -Q -p 139 -s
hping3 -S 72.14.207.99 -p 80 --t c p timestamp
hping3 -8 50-56 -S 10 .0 .0.2 5 -V
FIN, PUSH and URG scan on port 80
hping3 -F -p -U 10 .0.0.25 -p 80
Scan entire subnet for live host
hping3 -1 1 0 .0 .1 .x --rand-dest - I ethO
Intercept all traffic containing HTTP
signature
hping3 9‫ ־‬HTTP - I ethO
SYN flooding a victim
hping3 -S 192.168.1.1 -a 192.168.1.254
-p 22 --flo o d
Firewalls and time stamps
TABLE 3.1: Hping C om m ands Table
M o d u le 0 3 Page 295
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ScanningTechniques
TCP Connect / Full Open Scan
Stealth Scans
IDLE Scan
ICMP Echo Scanning/List Scan
T
E
C
H
N
SYN/FIN Scanning Using IP Fragments
UDP Scanning
I
o
Inverse TCP Flag Scanning
E
ACK Flag Scanning
u
S
Copyright © by EG-GlOOCil. All Rights Reserved. Reproduction is S trictly Prohibited.
S c a n n in g T e c h n iq u e s
Scanning is the process o f g ath erin g in fo rm a tio n about the systems th a t are alive and
responding on the n etw o rk.
The p o rt scanning tech n iq ue s are designed to id e n tify the open ports on a targe te d server or
host. This is o fte n used by adm inistrato rs to ve rify security policies o f th e ir netw orks and by
attackers to id e n tify running services on a host w ith the in te n t o f com prom ising it.
D iffe re n t types o f scanning tech n iq ue s e m p loye d include:
©
TCP Connect / Full Open Scan
©
Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan
©
IDLE Scan
©
ICMP Echo Scanning/List Scan
©
SYN/FIN Scanning Using IP Fragments
©
UDP Scanning
©
Inverse TCP Flag Scanning
©
ACK Flag Scanning
M o d u le 0 3 Page 296
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
The following is the list of important reserved ports:
Name
Port/Protocol
Description
echo
7 /tc p
echo
7 /u d p
d is c a r d
9 /tc p
sink null
d is c a r d
9 /u d p
sink null
s y s ta t
1 1/tcp
Users
d a y t im e
1 3/tcp
d a y t im e
13/udp
n e ts ta t
1 5/tcp
q o td
1 7/tcp
Q uote
c h a rg e n
1 9/tcp
tty ts t source
c h a rg e n
19/udp
tty ts t source
ftp -d a ta
2 0 /tcp
ftp data tra nsfe r
ftp
2 1 /tcp
ftp com m and
ssh
2 2 /tcp
Secure Shell
te ln e t
2 3 /tcp
s m tp
2 5 /tcp
M ail
t im e
3 7 /tcp
Tim eserver
t im e
3 7/u dp
Tim eserver
r ip
3 9/u dp
resource location
n ic n a m e
4 3 /tcp
w ho is
d o m a in
5 3 /tcp
dom ain name server
d o m a in
5 3/u dp
dom ain name server
s q l* n e t
6 6 /tcp
Oracle SQL*net
s q l* n e t
6 6/u dp
Oracle SQL*net
b o o tp s
6 7 /tcp
boo tp server
b o o tp s
6 7/u dp
boo tp server
b o o tp c
6 8 /tcp
boo tp client
M o d u le 0 3 Page 297
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
b o o tp c
6 8/u dp
boo tp client
tftp
6 9 /tcp
Trivial File Transfer
t f tp
6 9/u dp
Trivial File Transfer
gopher
7 0 /tcp
gopher server
fin g e r
7 9 /tcp
Finger
w w w - h ttp
8 0 /tcp
WWW
w w w - h ttp
8 0 /u d p
WWW
k e rb e ro s
8 8 /tcp
Kerberos
k e rb e ro s
8 8 /u d p
Kerberos
P °P 2
1 09/tcp
PostOffice V.2
Pop 3
1 10 /tcp
PostOffice V.3
s u n rp c
111 /tcp
RPC 4.0 p o rtm a p p e r
s u n rp c
111/udp
RPC 4.0 p o rtm a p p e r
a u th /id e n t
1 13/tcp
A u th e n tica tio n Service
a u th
113/udp
A u th e n tica tio n Service
a u d io n e w s
114 /tcp
A udio News M u ltica st
a u d io n e w s
114/udp
A udio News M u ltica st
n n tp
119 /tcp
Usenet N e tw o rk News Transfer
n n tp
119/udp
Usenet N e tw o rk News Transfer
n tp
123 /tcp
N e tw o rk Time Protocol
Name
P ort/P ro toco l
Description
n tp
123/udp
N e tw o rk Time Protocol
n e tb io s - n s
1 37 /tcp
NETBIOS Name Service
n e tb io s - n s
137/udp
NETBIOS Name Service
n e t b io s - d g m
1 38/tcp
NETBIOS Datagram Service
n e t b io s - d g m
138/udp
NETBIOS Datagram Service
n e t b io s - s s n
1 39/tcp
NETBIOS Session Service
n e t b io s - s s n
139/udp
NETBIOS Session Service
im a p
143 /tcp
In te rn e t Message Access Protocol
M o d u le 0 3 Page 298
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
im a p
143/udp
In te rn e t Message Access Protocol
s q l- n e t
150 /tcp
SQL-NET
s q l- n e t
150/udp
SQL-NET
s q ls r v
156/tcp
SQL Service
s q ls r v
156/udp
SQL Service
snmp
1 61/tcp
snmp
161/udp
s n m p -tra p
162 /tcp
s n m p -tra p
162/udp
c m ip -m a n
1 63/tcp
CMIP/TCP M anager
c m ip -m a n
163/udp
CMIP
c m ip - a g e n t
1 64/tcp
CMIP/TCP Agent
c m ip - a g e n t
164/udp
CMIP
ir e
1 94/tcp
In te rn e t Relay Chat
ir e
194/udp
In te rn e t Relay Chat
a t- rtm p
2 01 /tcp
AppleTalk Routing M aintenance
a t- rtm p
2 01 /ud p
AppleTalk Routing M aintenance
a t-n b p
2 02 /tcp
AppleTalk Name Binding
a t- n b p
2 02 /ud p
AppleTalk Name Binding
a t-3
203 /tcp
AppleTalk
a t-3
2 03 /ud p
AppleTalk
a t- e c h o
2 04 /tcp
AppleTalk Echo
a t- e c h o
2 04 /ud p
AppleTalk Echo
a t-5
2 05 /tcp
AppleTalk
a t-5
2 05 /ud p
AppleTalk
a t- z is
2 06 /tcp
AppleTalk Zone Info rm a tio n
a t- z is
2 06 /ud p
AppleTalk Zone Info rm a tio n
a t- 7
2 07 /tcp
AppleTalk
M o d u le 0 3 Page 299
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
a t- 7
2 07 /ud p
AppleTalk
a t- 8
2 08 /tcp
AppleTalk
a t- 8
2 08 /ud p
AppleTalk
ip x
2 13 /tcp
ip x
2 13 /ud p
im a p 3
2 20 /tcp
Interactive M ail Access Protocol v3
im a p 3
2 20 /ud p
Interactive M ail Access Protocol v3
a u rp
3 87 /tcp
AppleTalk Update-Based Routing
a u rp
3 87 /ud p
AppleTalk Update-Based Routing
n e tw a r e - ip
3 96 /tcp
Novell N etw are over IP
n e tw a r e - ip
3 96 /ud p
Novell N etw are over IP
Name
P ort/P ro toco l
Description
rm t
4 1 1 /tcp
Remote m t
rm t
4 1 1 /u d p
Remote m t
5 4 e rb e ro s 5 4 -d s
4 4 5 /tcp
5 4 e rb e ro s 5 4 -d s
4 4 5 /u d p
is a k m p
5 00 /ud p
ISAKMP/IKE
fc p
5 1 0 /tcp
First Class Server
exec
5 12 /tcp
BSD rexecd(8)
c o m s a t/ b if f
5 12 /ud p
used by mail system to n o tify users
lo g in
5 1 3 /tcp
BSD rlogind(8)
who
5 13 /ud p
w hod BSD rw hod(8)
s h e ll
5 14 /tcp
cmd BSD rshd(8)
s y s lo g
5 14 /ud p
BSD syslogd(8)
p r in te r
5 15 /tcp
spooler BSD lpd(8)
p r in te r
5 15 /ud p
P rinter Spooler
ta lk
5 1 7 /tcp
BSD talkd(8)
ta lk
5 17 /ud p
Talk
n ta lk
5 18 /ud p
New Talk (ntalk)
M o d u le 0 3 Page 3 00
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
n ta lk
5 18 /ud p
SunOS talkd(8)
n e tn e w s
5 3 2 /tc p
R eadnew s
uucp
5 40 /tcp
uucpd BSD uucpd(8)
uucp
5 40 /ud p
uucpd BSD uucpd(8)
k lo g in
5 43 /tcp
Kerberos Login
k lo g in
5 43 /ud p
Kerberos Login
k s h e ll
5 44 /tcp
Kerberos Shell
k s h e ll
5 44 /ud p
Kerberos Shell
e k s h e ll
5 45 /tcp
p c s e rv e r
6 00 /tcp
ECD Integrated PC board srvr
m ount
6 35 /ud p
NFS M o u n t Service
p c n fs
6 40 /ud p
PC-NFS DOS A u th e n tica tio n
b w n fs
6 50 /ud p
BW-NFS DOS A u th e n tica tio n
f le x lm
7 44 /tcp
Flexible License M anager
f le x lm
7 44 /ud p
Flexible License M anager
5 6 e rb e ro s -a d m
7 49 /tcp
Kerberos A d m in istra tio n
5 6 e rb e ro s -a d m
7 49 /ud p
Kerberos A d m in istra tio n
k e rb e ro s
7 50 /tcp
kdc Kerberos a u th e n tic a tio n —tcp
k e rb e ro s
7 50 /ud p
Kerberos
5 6 e r b e r o s mas
te r
7 51 /ud p
Kerberos a uth e n tica tio n
5 6 e r b e r o s mas
te r
7 51 /tcp
Kerberos a uth e n tica tio n
k rb _ p ro p
7 54 /tcp
Kerberos slave propagation
M o d u le 0 3 Page 301
krcm d Kerberos encrypted
re m o te shell -k fa ll
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
9 99 /ud p
A pplixw are
socks
1 080/tcp
socks
1080/udp
kpop
1 109/tcp
Pop w ith Kerberos
m s - s q l- s
1 433/tcp
M icro so ft SQL Server
m s - s q l- s
1433/udp
M icro so ft SQL Server
m s - s q l- m
1 434/tcp
M icro so ft SQL M o n ito r
m s - s q l- m
1434/udp
M icro so ft SQL M o n ito r
Name
P ort/P ro toco l
Description
p p tp
1 723/tcp
Pptp
p p tp
1723/udp
Pptp
nfs
2 04 9 /tcp
N e tw o rk File System
nfs
2049/udp
N e tw o rk File System
e k lo g in
2 10 5 /tcp
Kerberos encrypted rlogin
r k in it
2 10 8 /tcp
Kerberos re m o te kin it
kx
2 11 1 /tcp
X over Kerberos
k a u th
2 12 0 /tcp
Remote kauth
ly s k o m
4 8 9 4 /tcp
LysKOM (conference system)
s ip
5 06 0 /tcp
Session In itia tio n Protocol
s ip
5060/udp
Session In itia tio n Protocol
x ll
6 000-6063/tcp
X W in d o w System
x ll
6000-6063/udp
X W in d o w System
ir e
6 66 7 /tcp
In te rn e t Relay Chat
afs
7000-7009/udp
afs
7000-7009/udp
TABLE 3.2: Reserved Ports Table
M o d u le 0 3 Page 302
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
TCPConnect/ FullOpenScan CEH
M
J
TCP C o n n e c t scan d e te c ts w h e n a p o rt is o p e n b y c o m p le tin g th e th r e e - w a y h a n d sh a ke
J
TCP C o n n e c t scan e s ta b lis h e s a fu ll c o n n e c tio n an d te a rs it d o w n by se n d in g a RST
packet
Scan result w hen a p o rt is open ^
)SYN Packet + P ort (n
m
S Y N /A C K Packet . . .
......... A « .t .‫׳‬5ST. .......
Target
A ttacker
Scan result w hen a p o rt is closed
SVN Packet + Port Jn). ^
^
*
??.‫־י‬.
A ttacker
H
f
,
Target
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is S trictly Prohibited.
T C P
C o n n e c t / F u ll O p e n S c a n
Source: h ttp ://w w w .in s e c u re .o rg
TCP Connect / Full Open Scan is one o f the m ost re lia b le form s o f TCP scanning. The TCP
connect() system call provided by an OS is used to open a connection to every in terestin g p o rt
on th e machine. If the p o rt is listening, connect() w ill succeed; o therw ise, the p o rt isn't
reachable.
0
m m
T C P
T h r e e - w
a y
H a n d s h a k e
In the TCP th re e -w a y handshake, the client sends a SYN flag, w hich is acknowledged
by a SYN+ACK flag by the server w hich, in tu rn , is acknow ledged by the clie n t w ith an ACK flag
to com plete the connection. You can establish a connection fro m both ends, and te rm in a te
fro m both ends individually.
V
a n illa
S c a n n in g
In vanilla scanning, once the handshake is com pleted, the clie n t ends the connection.
If the connection is not established, the n the scanned m achine w ill be DoS'd, w hich allows you
to make a new socket to be cre a te d /ca lle d . This confirm s you w ith an open p o rt to be scanned
fo r a running service. The process w ill continue u ntil the m axim um p o rt threshold is reached.
M o d u le 0 3 Page 303
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
If the p o rt is closed the server responds w ith an RST+ACK flag (RST stands fo r "R eset the
co n n e c tio n "), whereas the client responds w ith a RST flag and here ends the connection. This is
created by a TCP connect () system call and w ill be id e n tifie d instantaneously if the p o rt is
opened or closed.
M aking separate connects() call fo r every targeted p o rt in a linear fashion w o u ld take a long
tim e over a slow connection. The a ttacker can accelerate the scan by using many sockets in
parallel. Using non-blocking, I/O allows the a ttacker to set a low tim e -o u t period and w atch all
the sockets sim ultaneously.
,
u isd a v d itia g e s
The draw back o f this type o f scan is easily d e te cta b le and filte ra b le . The logs in the
ta rg e t system w ill disclose the connection.
The Output
Initia tin g Connect () Scan against (172.17.1.23)
Adding open p o rt 1 9/tcp
Adding open p o rt 2 1 /tcp
Adding open p o rt 1 3/tcp
SYN Packet + Port (n)
...............................
SYN / ACK Packet
ACK + RST
T a rg e t
A tta c k e r
FIGURE 3.14: Scan results w h e n a p o rt is open
SYN Packet + Port (n)
‫ י‬...................................... ■■‫►■■■■־‬
RST
a rg e t
A t ta c k e r
FIGURE 3.15: Scan results w h e n a p o rt is closed
M o d u le 0 3 Page 304
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Zenmap
S<!n |oeh E»of.1c fcjftp
T trg c t
nmap ‫ ו‬92 . ‫ ו‬63 . ‫ ו‬68 .‫ל‬
C o m m jn d
Hosts
Host
~vj
Profile
• •sT •v n m ip 192-168.168.5
S trv K tt
192.168.168.5
N m ip Output
Potts/Hosts Topology HostD«t««h Scans
• *sT •v n m jp 192.168.168.5
Starting Nrap6.61 ( http://n*ap.0rg ) at 201208 10 12:04
d Ti
Initiating ARPPing Scan at 12:04
Scanning 192.168.168.5 (1 port]
CompletedARPPing S<an at 12:04, 0.08s elapsed (1 total hosts)
Initiating Parallel DNSresolution of 1host, at 12:04
Completed Parallel DNSresolution of 1host, at 12:04, 0.02s elapsed
Initiating Connect Scan at 12:04
Scanning 192.168.168.S[1000 ports]
Discovered open port 80/tcp on 192.168.168.5
Discovered open port 993/tcp on 192.168.168.S
Discovered open port 8080/tcp on 192.168.168.S
Discovered open port 2S/tcp on 192.168.168.S
Discovered open port 139/tcp on 192.168.168.5
Discovered open port 8888/tcp on 192.168.168.S
Completed Connect Scan at 12:04, 40.63s elapsed (1000 total ports)
N‫״‬ap scan report for 192.168.168.S
Failed to resolve given hostnaaie/IP: n«ap. Note that youcan't use '/■ask*
AM
D*1*4,7,100•‘ style IPranges. If the •achine only has an IPv6 address*
add the N«ap -6 *lag to scan that.
Host is up (0.000S7s latency),
tot
9T
8E
0S
filtered
POUTitjtotoiSTA
ERVICE ports
2S/tcp open Mtp
80/tcp open http
110/t<p open pop)
119/tcp open nntp
13S/tcp ooppeenn black
asrpcice■icecap
8081/tcp
8088/tcp open radan-http
8888/tcp open sun•antwerbook
Ml AfltirCil.
• (Oeil)
R
cta
fllll
flic!
frw;
C
:\P
Ump done: 1IPaddress (Irogra•
host upFiles
) scan(xn8ed6)\N
in*ap
43.08 seconds
Raxpackets sent: 1 (288) | Rcvd: 1 (288)
FIGURE 3.16: Zenm ap Screenshot
M o d u le 0 3 Page 305
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
StealthScan(Half-openScan) CEH
UrtifWtf
ttkujl lUckM
A tta c k e rs use s te a lth scan ning te c h n iq u e s to bypass
fire w a ll ru le s , lo g g in g m e c h a n is m , and hide
□a
SYN (Port 80)
th e m s e lv e s as usual n e tw o rk tra ffic
SYN + ACK
Ste a lth S c a n P r o c e s s
©
The client sends a single SYN packet to th e server
on th e appropriate p o rt
,^ s /
...........................
Bill
Sheela
1 0 .0 .0 .2 :2 3 4 2
1 0 .0 .0 .3 :8 0
Port is open
@
lf th e p o rt is open then th e server responds w ith
a SYN/ACK packet
®
If th e server responds w ith an RST packet, then
(ft
®
W N |P ‫ ״‬rlS n |
r
th e rem ote p o rt is in th e "closed" state
‫“־‬
‫י‬
—
‫ *׳‬O
j
j
Bill
Sheela
1 0 .0 .0 .2 :2 3 4 2
1 0 .0 .0 .3 :8 0
The client sends the RST packet to close the initiation
before a connection can ever be established
Port is clo se d
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is S trictly Prohibited.
S te a lth S c a n ( H a lf - O p e n S c a n )
Stealth scan sends a single fra m e to a TCP p o rt w ith o u t any TCP handshaking or
a dd itio n al packet transfers. This is a scan type th a t sends a single fram e w ith the expectation o f
a single response. The half-open scan p artially opens a connection, b ut stops halfw ay throu g h.
This is also know n as a SYN scan because it only sends the SYN packet. This stops th e service
fro m ever being n o tifie d o f the incom ing connection. TCP SYN scans or half-open scanning is a
stealth m ethod o f p o rt scanning.
The three -w ay handshake m e thodology is also implemented by the stealth scan. The difference is
th a t in the last stage, re m o te ports are id e ntifie d by exam ining the packets e nte rin g the
interface and te rm in a tin g the connection before a new in itia liza tio n was triggered.
The process preludes the fo llo w in g :
9
To sta rt in itia liza tio n , the client forw a rd s a single "SYN" packet to the d estination server
on the corresponding port.
9
The server actually in itiates the stealth scanning process, depending on th e response
sent.
9
If th e server forw a rd s a "SYN/ACK" response packet, then the p o rt is supposed to be in
an "OPEN" state.
M o d u le 0 3 Page 3 0 6
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
If the response is fo rw a rd e d w ith an "RST" packet, then the p o rt is supposed to be in a
"CLOSED" state.
SYN (Port 80)
Bill
Sheela
10.0.0.2:2342
10.0.0.3:80
Port is open
FIGURE 3.16: S tealth Scan w h e n Port is Open
^
...
*
Bill
Sheela
10.0.0.2:2342
10.0.0.3:80
P o r t is c lo s e d
FIGURE 3.17: S tealth Scan w h e n Port is Closed
Zenm ap Tool
Zenmap is the official graphical user in te rfa ce (GUI) fo r the Nm ap Security Scanner. Using this
to o l you can save the fre q u e n tly used scans as profiles to make the m easy to run re cu rre ntly. It
contains a com m and cre a to r th a t allows you to in teract and create Nmap com m and lines. You
can save the Scan results and vie w the m in the fu tu re and th e y can be com pared w ith a no the r
scan re p o rt to locate differences. The results o f the recent scans can be stored in a searchable
database.
The advantages o f Zenmap are as follow s:
9
Interactive and graphical results view ing
9
Comparison
e
Convenience
Q
R epeatability
Q
D iscoverability
M o d u le 0 3 Page 307
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
cr
Is
Zenmap
S c !n
lo o k
profile
H elp
n m a p 192.168.168.5
C om m and
H osts
,Scan
C ancel
*| 1
Details
* -sT -v n m a p 192.168.168.5
Services
OS w H ost
*
P ro file
N m ap O u tp u t
4
P orts / H osts
Topology
H ost Details
Scans
* -sT -v n m a p 192.168.168.5
192.168.168.5
Starting Nmap 6.01 ( http://nMp.org ) at 2012-0810 12:04
d Tii
Initiating ARP Ping Scan at 12:04
Scanning 192.168.168.S [1 port]
Completed ARP Ping Scan at 12:04, 0.68s elapsed (1 total hosts)
Initiating Parallel ONS resolution of 1 host, at 12:04
Completed Parallel DNS resolution of 1 host, at 12:04, 0.02s elapsed
Initiating Connect Scan at 12:04
Scanning 192.168.168.S [1000 ports)
Discovered open port 80/tcp on 192.168.168.S
Discovered open port 993/tcp on 192.168.168.S
Discovered open port 8080/tcp on 192.168.168.S
Discovered open port 2$/tcp on 192.168.168.S
Discovered open port 139/tCp on 192.168.168.5
Discovered open port 8888/tcp on 192.168.168.5
Coaipleted Connect Scan at 12:04, 40.63s elapsed (lOOO total ports)
N*ap scan report for 192.168.168.S
failed to resolve given hostnaae/IP: n«ap. Note that you can't use ,/■ask'
ANO *1-4,7,100-' style IP ranges. If the Machine only has an IPv6 address,
add the Neap •6 flag to scan that.
Host is up (O.00OS7S latency).
><gt *towtn; 980 filtered ports
PORT
STATE SERVICE
2S/tcp open satp
open http
80/tcp
110/tcp open pop 3
119/tcp open nntp
135/tcp ooen ■srpc
8081/tcp open blackice-icecap
8088/tcp open radan-http
8888/tcp open sun-answerbook
♦ ♦
♦
• (Dell)
Rtad tfiH f i l e t fr w ; C:\Progra■ Files (x86)\N*ap
H*ap done: 1 IP address (1 host up) scanned in 43.08 seconds
Rax packets sent: 1 (288) | Rcvd: 1 (288)
Filter Hosts
FIGURE 3.18: Zenmap Showing Scanning Results
M o d u le 0 3 Page 308
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
c E l\
X m a s Scan
ftb.ul H.. fcM
U ftN M
o
FIN, URG, PUSH
FIN, URG, PUSH
m u ::: 1
No Response
Attacker
10.0.0.6
J
Server
Port is open
1
1 0 .0 .0 .8 :2 3
Server
Attacker
10.0.0.6
1 0 .0 .0 .8 :2 3
Port is closed
In X m a s s c a n , a t ta c k e r s s e n d a TCP f r a m e t o a
r e m o t e d e v ic e w ith U RG, ACK, RST, SYN, PSH , a n d
FIN fla g s s e t
J
FIN s c a n o n ly w ith OS TC P/IP d e v e lo p e d a c c o r d in g
t o RFC 7 9 3
J
It will n o t w o r k a g a in s t a n y c u r r e n t v e r s io n o f
M ic r o s o f t W in d o w s
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
X m a s S c a n
------------
X m a s Scan is a p o r t scan t e c h n i q u e w i t h ACK, RST, SYN, URG, PSH, a n d FIN fla g s s e t t o
s e n d a TCP f r a m e t o a r e m o t e d e v ic e . If t h e t a r g e t p o r t is c lo s e d , t h e n y o u w i ll re c e iv e a r e m o t e
s y s te m r e p ly w i t h a RST. You can use t h i s p o r t scan t e c h n i q u e t o scan la rg e n e t w o r k s a n d fin d
w h i c h h o s t is u p a n d w h a t se rv ic e s it is o f f e r i n g . It is a t e c h n i q u e t o d e s c r ib e all TCP fla g sets.
W h e n all fla gs a re set, s o m e s y s te m s h a n g ; so t h e fla g s m o s t o f t e n se t a re t h e n o n s e n s e p a t t e r n
URG-PSH-FIN. This scan o n l y w o r k s w h e n s y s te m s a re c o m p l i a n t w i t h RFC 7 93 .
B SD N e tw o rk in g C o d e
T his m e t h o d is based o n BSD n e t w o r k i n g c o d e ; y o u can use th is o n l y f o r
UNIX h o s ts
a n d it d o e s n o t s u p p o r t W i n d o w s NT. If t h is scan is d ir e c t e d a t a n y M i c r o s o f t s y s te m , it s h o w s
all t h e p o r ts o n t h e h o s t a re o p e n e d .
T ra n s m ittin g P a c k e ts
You can in itia liz e all t h e fla g s w h e n t r a n s m i t t i n g t h e p a c k e t t o a r e m o t e h o s t. If t h e
t a r g e t s y s te m a c c e p ts p a c k e t a nd d o e s n o t s e n d a n y re s p o n s e , t h e p o r t is o p e n . If t h e t a r g e t
s y s te m se nd s RST fla g , t h e p o r t is c lo s e d .
M o d u le 0 3 Page 309
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Advantage:
It a v o id s t h e IDS a n d TCP t h r e e - w a y h a n d s h a k e .
Disadvantage:
It w o r k s o n t h e UN IX p l a t f o r m o n ly .
FIN, URG, PUSH
No Response
Attacker
Server
10.0.0.6
10.0.0.8:23
P o r t is o p e n
FIGURE 3.19: Xmas Scan when Port is Open
FIN, URG, PUSH
RST
Attacker
Server
10.0.0.6
10.0.0.8:23
P o r t is c lo s e d
FIGURE 3.20: Xmas Scan when Port is Closed
Z e n m a p is t h e o ffic ia l g ra p h ic a l u s e r in t e r f a c e (GUI) f o r t h e N m a p S e c u r i t y S c a n n e r. U sing th is
t o o l y o u can sa ve t h e f r e q u e n t l y used scans as p r o f i l e s t o m a k e t h e m easy t o r u n r e c u r r e n t l y .
Zenmap
Scan 100It Profile Help
Target:
9•1X •v r
Hotts
Services
*
V
Start
Nmip Output Pcm/Hosts Topology Host Ottals S<ans
«-sX-v nmap 152.16S. 168.3
OS ▼ Host
W
‫צ‬
nmap 192.I6S.168.}
Command:
Details
192.168.16S.5
192.168.168.3
S tA 'tin g Nmap 6.01 (
’ * t 2612 08 10 12:39
Standarc 1i»e
In it ia t i n g
Ping Scan a t 12:39
Scanning 192.168.168.3 [1 p o rt]
Completed ARP Ping Scan at 12:39, 0.07s elapsed (1 t o t a l hosts)
In it ia t i n g P a ra lle l DNS resolution 0-f 1 host, a t 12:39
Completed P a r a lle l DNS reso lu tio n o* 1 host, at 12:39, 9.02s elapsed
In it ia t i n g XMAS Scan at 12:3*
Scanning 19 2.16 8.1 *8 .3 [10C® po«*ts]
Increasing c»nd delay *o r 192.168.168.3
0 to S du* to 108 out o f
358 dropped probes since la s t increase.
Completed XMAS Scan at 12;39, 9.75s elapsed (1900 to ta l ports)
Nra‫ כ‬scan repo rt
197.1*3 .1 68 .3
F ailed ♦o resolve given h o straee/IPr niwp. Note th a t you c a n 't use * /
■»»?«• AHO *1 -4 ,7 ,1 8 0 •• s ty le IP ranges. I the ■wchine only ha? an
IPv6 address. add the Mnap -6 fla g to scan th a t.
Host is up (0.000023s la te rc y ).
Not shovn; 997 clo jed ports
PORT
STATE
SEUVICE
22 /tcp o o e r lfilte r e d ss*
88/tcp o p e r | f i l t e ‫־‬ed kerbercs-se:
548‫ ׳‬tcp o p e r | f i lt e ‫־‬ed afp
AKP
from
for
f
M
ACAMrtu;
Rgttd tifltfl f l i p f r w i C:\Progra■ * lie s <x!6)\ta a o
1 IP a d lres t (1 host up) scanned in 12.19 seconds
Rat. paccets sent: 13S3 <S4.188*8) I Rcvd: 998 (39.908K8)
FIGURE 3 .2 1 : Z e n m a p S h o w in g X m a s S c a n R e s u lt
M o d u le 0 3 Page 3 10
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Scan
J In FIN scan, attackers send a TCP frame to a remote host with only FIN flags set
J FIN scan only with OS TCP/IP developed according to RFC 793
J“ *
J It will not work against any current version of Microsoft Windows
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
£
‫> ל‬
------------
F IN
S c a n
FIN Scan is a t y p e o f p o r t scan. T h e c l i e n t s e n d s a FIN p a c k e t t o t h e t a r g e t p o r t , a n d if
t h e se rv ic e is n o t r u n n i n g o r if t h e p o r t is c lo s e d it r e p lie s t o y o u w i t h t h e p r o b e p a c k e t w i t h an
RST.
FIN
No Response
Attacker
10.0.0.6
10.0.0.8:23
P o r t is o p e n
FIGURE 3.22: FIN Scan when Port is Open
M o d u le 0 3 Page 311
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Attacker
10.0.0.6
P o r t is c lo s e d
FIGURE 3.23: FIN Scan when Port is Closed
‫־‬E H
Zenmap
Scan
Joels
Target
grofik
fcjdp
[Scan:
nmap 192.168.168.3
Command:
»
Cancel
■if•v nmap 192.168.168.3
Hosts
OS * Host
*
192.168.168.5
»
192.168.168.3
Nmap Output Ports / Hosts Topo*og> Host Details Scans
«
•if -v nmap 192.168.168.3
S ta r t i n g Nmp 6.01 ( h t t p :/ / n M p .o r g ) a t 2012-01-10 12:35
S tandard Tiae
I n i t i a t i n g ARP Ping Scan a t 12:35
Scanning 192.1 6 * .1 6 1 .3 [1 p o rt]
Completed ARP Ping Scan a t 12:35, 0 .0 7 s e la p se d (1 t o t a l h o s ts )
I n i t i a t i n g P a r a ll e l DNS re s o lu tio n o f 1 h o s t, a t 12:35
Completed P a r a ll e l 0NS r e s o lu t i o n o f 1 h o s t, a t 12:35, 0 .1 0 s ela p se d
I n i t i a t i n g FIN Scan a t 12:35
Scanning 1 9 2 .1 6 0 .16S .3 [1000 p o rts ]
In c re a s in g send dela y fo r 192.1 6 9 .1 6 8 .3 f r o • 0 t o 5 due t o 108 o u t o f
358 dropped probes s in c e l a s t in c re a s e .
In c re a s in g send dela y f o r 192.1 6 8 .1 6 8 .3 fr o * 5 to 10 due to
•a x _ s u c c e s s fu l_ try n o in c re a s e to 4
Completed FIN Scan a t 12:35, 11.78s ela p se d (1000 t o t a l p o r ts )
*toap scan re p o rt f o r 192.168.168.3
F a ile d t o re s o lv e g iven h o s tn a e « /IP : naap. Note t h a t you c a n 't use */
« a s k ‫ ־‬AND 4, 7, 100*1‫ ' •־‬s t y l e IP ra n g e s . I f th e ■achine only has an
IPv6 a d d r e s s , add th e N«ap *6 f l a g t o scan t h a t .
Host i s up (0.0000050s l a te n c y ) .
Ugl-itHM?; 997 c lo s e d p o rts
PORT
STATE
SERVICE
22/ t c p o p e n |f i i t e r e d ssh
88/ t c p o p e n j f i l t e r e d *cerperos• sec
S 4 8 /tc p o p e n j f i l t e r e d afp
*Ai.AMTtti;
Rctti d i t l f l i t * ff g g j C :\P ro g ra • F ile s (x86)\N «ap
Nwap done: 1 IP a d d re ss (1 h o s t up) scanned in 14.28 seconds
Rat• p a c k e ts s e n t: 1378 (55.108K8) I Rcvd: 998 (39.908KB)
FIGURE 3.24: Zenmap showing FIN Scan Result
M o d u le 0 3 Page 312
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
N U L L Scan
CEH
P o rt is o p en
TCP Packet with NO Flag Set
9H
^
No Response
Attacker
10.0.0.6
In NULLscan, attackers send a TCP frame to a
remote host with NO Flags
NULLscan only works if OS' TCP/IP
implementation is developed according
to RFC 793
It will not work against any current version of
Microsoft Windows
N U L L S c a n
NULL scans se n d TCP p a c k e ts w i t h all fla g s t u r n e d o f f .
It is a s s u m e d t h a t c lo s e d p o r ts
w i ll r e t u r n a TCP RST. P a ckets r e c e iv e d by o p e n p o r t s a re d is c a rd e d as in v a lid .
It sets all fla gs o f TCP h e a d e rs , such as ACK, FIN, RST, SYN, URG a nd PSH, t o NULL o r u n a s s ig n e d .
W h e n a n y p a c k e ts a r r iv e a t t h e s e rv e r, BSD n e t w o r k i n g c o d e i n f o r m s t h e k e r n e l t o d r o p t h e
i n c o m i n g p a c k e t if a p o r t is o p e n , o r r e t u r n s an RST fla g i f a p o r t is clo s e d . This scan uses fla gs in
t h e r e v e rs e fa s h io n as t h e X m a s scan, b u t gives t h e s a m e o u t p u t as FIN a n d X m a s t r e e scans.
M a n y n e t w o r k c o d e s o f m a j o r o p e r a t i n g s y s te m s can b e h a v e d i f f e r e n t l y in t e r m s o f r e s p o n d in g
t o t h e p a c k e t, e.g., M i c r o s o f t v e rs u s UNIX. This m e t h o d d o e s n o t w o r k f o r M i c r o s o f t o p e r a t i n g
s y s te m s .
C o m m a n d lin e o p t i o n f o r n u ll s c a n n in g w i t h N M A P is " - s N "
Advantage:
It a v o id s IDS a nd TCP t h r e e - w a y h a n d s h a k e .
Disadvantage:
It w o r k s o n l y f o r UNIX.
M o d u le 0 3 Page 313
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
P o r t is o p e n
T C P Packet with N O Flag Set
^
C
E
31
^
>‫י‬
N o Response
Attacker
Server
10.0.0.6
10.0.0.8:23
FIGURE 3.25: NULL Scan when Port is Open
P o r t is c lo s e d
T C P Packet with N O Flag Set
E
‫מ‬
f c _ 5
3
RST/ACK
Attacker
Server
10.0.0.6
10.0.0.8:23
FIGURE 3.26: NULL Scan when Port is Closed
E lio ]
Zenmap
S c jn
J o o ls
T a rg e t:
P ro file
n m a p 192.168.168.3
Com m and:
Scan
* - s N •v n m a p 192.168.168.3
H o sts
OS -
x
H ost
—
192.168.168.5
*»
192.168.168.3
N m a p O u tp u t
•
P o r ts / H o s ts
T o p o lo g y
H o s t D e ta ils
S ta n s
s N - v n m a p 192.168.168.3
a
Starting Nmap 6.01 ( http://nxap.org ) at 2012-08-10 12:41 ‫•י‬
Standard Tine
Initiating ARP Ping Scan at 12:41
Scanning 192.168.16a.3 (1 port)
Completed ARP Ping Scan at 12:41, 0.06s •lapsed <1 total hosts)
Initiating Parallel DNS resolution of 1 host, at 12:41
Completed Parallel DNS resolution of 1 host, at 12141, 0.02s elapsed
Initiating NULL Scan at 12:41
Scanning 192.168.168.3 [1000 ports)
Increasing send delay for 192.168.168.3 froet 0 to S due to 21S out
of 71S dropped probes since last increas*.
Completed NULL Scan at 12:41, 8.23s elapsed (1000 total ports)
Noap scan report for 192.168.168.3
Failed to resolve given hostnaxe/IP: nmap. Note that you can't use
‘/•ask* AND •1-4,7,100‫ '־‬style IP ranges. If the ■achine only has
an IPv6 address, add the Naap -6 flag to scan that.
Host is up (0.00s latency).
Not shown: 997 closed ports
PORT STATt
SERVICE
22/tcp open|filtered ssh
88/tcp openjfiltered kerberos-sec
548/tcp openjfiltered afp
MAC A fld r c n ;
Read data files fro■: C:\Progran Files (x86)\Nmap
Nn»«p done: 1 IP address (1 hostup) scannedin 10.66 seconds
Ran packets sent: 1844(73.748KB) | Rcvd: 998 (39.908KB)
FIGURE 3.27: Zenmap showing NULL Scan Result
M o d u le 0 3 Page 3 14
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ID L E S ca n
M o st n e tw o rk s e rv e rs listen o n TCP p o rts , su ch a s
w e b s e rv e rs o n p o r t 80 a n d m ail s e rv e r s o n p o r t 25.
P o rt is c o n s id e re d " o p e n " if a n a p p lic a tio n is listening
o n th e p o rt
O n e w ay to d e te r m in e w h e th e r a p o rt is o p e n is to
s e n d a "SYN" (sessio n e s ta b lis h m e n t) p a c k e t to th e
p o rt
T he ta r g e t m a c h in e will s e n d back a "SYN | ACK"
(sessio n r e q u e s t a c k n o w le d g m e n t) p a c k e t if th e p o rt
is o p e n , a n d a n "RST" (R eset) p a c k e t if th e p o rt is
clo sed
t f
CEH
A m a c h in e t h a t re c e iv e s a n u n so lic ite d SYN | ACK
p a c k e t will re s p o n d w ith an RST. An u n so lic ite d RST
will b e ig n o re d
Every IP p a c k e t o n th e I n te rn e t h a s a " f ra g m e n t
id e n tific a tio n " n u m b e r (IP ID)
OS in c re m e n ts th e IP ID fo r e a c h p a c k e t s e n t, th u s
p ro b in g a n IP ID gives a n a tta c k e r th e n u m b e r o f
p a c k e ts s e n t sin ce last p ro b e
C o m m an d P rom pt
C:\>nmap -Pn -p- -si wvrw.juggyboy.com www.certifiedhacker.com
Starting Nmap ( http://nmap.org )
Idlescan using zombie www.3uggyboy.com (192.130.18.124:80); Class: Incremental
Nmap scan report for 198.182.30.110
(The 40321 ports scanned but not
Port
State
Service
open
21/tcp
ftp
open
smtp
25/tcp
open
80/tcp
http
Nmap done: 1 IP address (1 host tip) scanned in 1931.23 seconds
3
Copyright © by EG-GtOIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
ID L E
S c a n
T h e id le scan is a TCP p o r t scan m e t h o d t h a t y o u can use t o s e n d a s p o o f e d s o u r c e
a d d re s s t o a c o m p u t e r t o f i n d o u t w h a t s e rv ic e s a re a v a ila b le a n d o f f e r s c o m p l e t e b lin d
s c a n n in g o f a r e m o t e h o s t. This is a c c o m p lis h e d b y i m p e r s o n a t i n g a n o t h e r c o m p u t e r . N o p a c k e t
is s e n t f r o m y o u r o w n IP a d d re s s ; in s te a d , a n o t h e r h o s t is used , o f t e n ca lle d a " z o m b i e , " t o scan
th e re m o te
host and d e te rm in e th e o pe n
p o r ts . T his is d o n e by e x p e c t i n g t h e s e q u e n c e
n u m b e r s o f t h e z o m b ie h o s t a n d if t h e r e m o t e h o s t ch e c k s t h e IP o f t h e s c a n n in g p a r ty , t h e IP
o f t h e z o m b ie m a c h in e w ill s h o w up.
Understanding TCP/IP
S o u rc e : h t t p : / / n m a p . o r g
Id le s c a n n in g is a s o p h is t ic a t e d p o r t s c a n n in g m e t h o d . You d o n o t n e e d t o be a TCP/IP e x p e r t t o
u n d e r s t a n d it. You n e e d t o u n d e r s t a n d t h e f o l l o w i n g basic fa c ts :
Q
M o s t o f t h e n e t w o r k s e rv e rs lis te n o n TCP p o r ts , such as w e b s e rv e rs o n p o r t 8 0 and
m a il s e rv e rs o n p o r t 25. A p o r t is c o n s id e r e d " o p e n " if an a p p li c a t i o n is l is te n in g o n t h e
p o r t ; o t h e r w i s e it is clo se d .
M o d u le 0 3 Page 315
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
9
Exam 3 1 2 -5 0 C ertified Ethical H acker
T o d e t e r m i n e w h e t h e r a p o r t is o p e n , se nd a session e s t a b l i s h m e n t "S Y N " p a c k e t t o t h e
p o r t . T h e t a r g e t m a c h in e r e s p o n d s w i t h a session r e q u e s t a c k n o w l e d g m e n t "SYN | ACK"
p a c k e t if t h e p o r t is o p e n a n d a R eset "RST" p a c k e t if t h e p o r t is clo se d .
9
A m a c h in e t h a t r e c e iv e s an u n s o lic ite d SYN | ACK p a c k e t r e s p o n d s w i t h an RST. An
u n s o lic it e d RST is ig n o r e d .
9
E ve ry IP p a c k e t o n t h e I n t e r n e t has a " f r a g m e n t i d e n t i f i c a t i o n " n u m b e r . M a n y o p e r a t i n g
s y s te m s s i m p l y i n c r e m e n t t h is n u m b e r f o r e v e r y p a c k e t t h e y se n d . So p r o b i n g f o r th is
n u m b e r can te ll an a t t a c k e r h o w m a n y p a c k e ts h a v e b e e n s e n t since t h e last p r o b e .
F ro m th e s e fa c ts , it is p o s s ib le t o scan a t a r g e t n e t w o r k w h i l e f o r g i n g y o u r i d e n t i t y so t h a t it
lo o k s like an i n n o c e n t " z o m b i e " m a c h in e d id t h e s c a n n in g .
Command Prompt
a
FIGURE 3.28: Nmap Showing Idle Scan Result
M o d u le 0 3 Page 316
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
CEH
I D L E S c a n : S te p 1
Every IP p a c k e t o n th e I n te rn e t h as a
f ra g m e n t id e n tific a tio n n u m b e r (IP
ID), w hich increases eve ry tim e a
host sends; IP packet
‫יי‬
4
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Attacker
RST Packet
Zombie
FIGURE 3.29: IPID Probe Request and Response
Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number
In t h e f i r s t ste p , y o u can se n d a session e s t a b l i s h m e n t "S YN" p a c k e t o r
IPID p r o b e t o d e t e r m i n e
w h e t h e r a p o r t is o p e n o r clo s e d . If t h e p o r t is o p e n , t h e " z o m b i e " r e s p o n d s w i t h a session
r e q u e s t a c k n o w l e d g m e n t "SYN | ACK" p a c k e t c o n t a i n i n g t h e IPID o f t h e r e m o t e h o s t m a c h in e . If
t h e p o r t is c lo s e d , it se nd s a re s e t "RST" p a c k e t. E v e ry IP p a c k e t o n t h e I n t e r n e t has a " f r a g m e n t
i d e n t i f i c a t i o n " n u m b e r , w h i c h is i n c r e m e n t e d by o n e f o r e v e r y p a c k e t tr a n s m is s io n . In t h e
a b o v e d ia g r a m , t h e z o m b ie r e s p o n d s w i t h
M o d u le 0 3 Page 317
IPID=31337.
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
I D L E S c a n : S te p 2 a n d 3
CEH
Step 2
J Send SYN packet to the target machine (port 80) spoofing the IP address of the "zombie"
J If the port is open, the target will send SYN/ACK Packet to the zombie and in response zombie sends
RSTto the target
J If the port is closed, the target will send RST to the "zombie" but zombie will not send anything back
SYN Packet to port 80
spoofing zombie IP address
4V C
Attacker
r t o s f f i S S * 5 ‫ "■ ״‬T‫ ״‬e"
Zom bie
Step 3
P o r t is o p e n
m
j
;
IPID Probe SYN / ACK Packet
J Probe "zombie"
IPID again
Response: IPID=31339 RST Packet
IPID incremented by 2 since Step 1,
so port 80 must be open
A tta c k e r
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
ID L E
S c a n : S te p
2 a n d
3
I d l e S c a n : S te p 2 .1 ( O p e n P o r t )
"
Send a SYN p a c k e t t o t h e t a r g e t m a c h in e ( p o r t 80) s p o o f i n g t h e IP a d d re s s o f t h e
" z o m b i e . " If t h e p o r t is o p e n , t h e t a r g e t w ill se n d t h e S Y N /A C K p a c k e t t o t h e z o m b ie a n d in
r e s p o n s e t h e z o m b ie se nd s t h e RST t o t h e t a r g e t .
SYN Packet to port 80
spoofing zombie IP address
m
QOO
Attacker
Target
Zombie
P o rt is o p e n
FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open
I d l e S c a n : S te p 2 .2 ( C l o s e d P o r t)
T h e t a r g e t w i ll se nd t h e RST t o t h e " z o m b i e " if t h e p o r t is c lo s e d , b u t t h e z o m b ie w ill
M o d u le 0 3 Page 318
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
n o t se nd a n y t h i n g back.
SYN Packet to p ort 80
m
spoofing zombie IP address
Attacker
I-4 ‫״״‬
........... ......... ....................
Target
P o r t is c lo s e d
Zombie
FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed
I d l e S c a n : S te p 3
P ro b e t h e " z o m b i e " I PI D again.
IPID P r o b e S Y N / A C K Packet
R e sponse: IP I D = 3 1 3 3 9 R S T Packet
Attacker
IPID incremented by 2 since Step 1,
Zombie
so p o r t 8 0 m u s t b e o p e n
FIGURE 3.32: IPID Probe Request and Response
M o d u le 0 3 Page 319
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
I C
J
M
Exam 3 1 2-50 C ertified Ethical H acker
P
E c h o
S c a n n i n g / L i s t
T h is is n o t r e a l ly p o r t s c a n n i n g , s i n c e IC M P
J
J
C E H
T h is t y p e o f s c a n s i m p l y g e n e r a t e s a n d
d o e s n o t h a v e a p o r t a b s tra c tio n
p r i n t s a li s t o f I P s / N a m e s w i t h o u t a c t u a l l y
B u t it is s o m e t i m e s u s e f u l t o d e t e r m i n e
p in g in g o r p o r t s c a n n in g t h e m
w h i c h h o s t s in a n e t w o r k a r e u p b y p i n g i n g
J
t h e m all
J
S c a n
A D N S n a m e r e s o l u t i o n w ill a l s o b e c a r r i e d
out
nmap -P cert.org/24 152.148.0.0/16
Zenmap
1 ^ 2
Zenmap
V|n look £rofit* fcl«*p
Target ‫»ו‬.‫ו‬68.‫ז‬60.‫צ‬
- ProMt
jj«ianj
Command n,n»ptl •v192I68.I66S
Mott* S*rvK«» NmapOutput Po‫׳‬tt/Me«t Tepol&y,
Scam
‫׳י‬
OS- Moit
« nmap•11•vI92.IM.16&5
S
ta
rtin
g
M
ra
p
6
.6
1
<
h
ttp
://n
a
a
p
.o
rf
)
a
t
M
l?
Ml•
lltM •• •duraTin*
Initiating
rall•)
llelD0M
NSreressoolulutio
tionno0
C
aaplatedPP
aara
f♦11hh
oo
»t.«.a•tt 11
3J:5S
44,
e.«41flapvtd
W
rap*canraport for 1*2.166.161.5
Nmb don■; 1IP•ddrats <0hoitt up) icannadin 6.66
Mtondt
Ml«rHoitt
U M
Scan loots Profile M
«lp
Ttrgtc
192.166.1^6
v| Profile: [
[«j |$<an
C*nc<
Command nmap tn192.16&1.26
Moat
Sffvktt
NmapOutput Ports/HoM‫ ׳‬Topology Hort D*ta* S<am
nm<p tnW.168.U6
0$ « Ho*
‫״‬
CM
**
Start Inc Nrwp 6.61 ( tittplZ/nMp.o*? ) *r 2612 61 15
IB:17 •• ‫־‬.tnnflnra rlnr
K
im
u
1 IP *iftlr«h'v (lnott ut>) tCM
M
MIn 16.37
f ‫!׳‬UrH
oM
S
V
List Scan
\
A
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited
IC M P
E c h o
S c a n n in g /L is t S c a n
IC M P e c h o s c a n n in g is u sed t o d is c o v e r liv e m a c h in e s b y p i n g i n g a ll t h e m a c h in e s in
t h e t a r g e t n e t w o r k . A t t a c k e r s s e n d IC M P p r o b e s t o t h e b r o a d c a s t o r n e t w o r k a d d re s s w h i c h is
r e la y e d t o all t h e h o s t a d d re s s e s in t h e s u b n e t . T h e live s y s te m s w i ll s e n d IC M P e c h o r e p ly
m e s s a g e t o t h e s o u r c e o f IC M P e c h o p r o b e .
IC M P e c h o s c a n n in g is used
im p le m e n ta tio n s
in th e s e
in U N IX /L in u x a n d
o p e ra tin g
s y s te m
BSD -based
responds to
m a c h in e s as t h e TCP/IP sta c k
th e
ICMP e c h o
r e q u e s ts t o t h e
b r o a d c a s t a d d re sse s. This t e c h n i q u e c a n n o t be used in W i n d o w s b ase d n e t w o r k s as t h e TCP/IP
s ta c k i m p l e m e n t a t i o n in w i n d o w s m a c h in e s is c o n f i g u r e d , b y d e f a u l t , n o t t o r e p ly IC M P p r o b e s
d ir e c t e d t o t h e b r o a d c a s t a d d re ss.
IC M P e c h o
s c a n n in g
is n o t r e f e r r e d
to
as p o r t s c a n n in g since
it d o e s
not
h a ve
a p ort
a b s t r a c t io n . IC M P e c h o s c a n n in g is u s e fu l t o d e t e r m i n e w h i c h h o s ts in a n e t w o r k a re a c tiv e by
p in g in g t h e m all. T h e a c tiv e h o s ts in t h e n e t w o r k is d is p la y e d in Z e n m a p as " H o s t is u p (0 .0 2 0 s
l a t e n c y ) . " You can o b s e r v e t h a t in t h e s c r e e n s h o t :
M o d u le 0 3 Page 3 20
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
^ L - r e —l
Zenmap
Scan
T o o ls
T a rg et:
P ro file
H elp
192.168.1.26
C om m and:
H o sts
Profile:
S can
C an c el
n m a p -s n 192.168.1.26
S ervices
N m a p O u tp u t
P o rts /H o s ts
T o p o lo g y
H o s t D etails
S can s
*| i
n m a p -s n 192.168.1.26
OS < H o st
D etails
192.168.1.26
S t a r t i n g Nmap 6 . 0 1 ( h t t p : / / n m a p . o r g ) a t 2 0 1 2 - 0 8 - 1 3
1 8 :3 7
S t a n d a r d T im e
Nmap s c a n r e p o r t f o r 1 9 2 . 1 6 8 . 1 . 2 6
|H o s t i s u p ( 0 . 0 0 2 0 s l a t e n c y ) ■~|
Nmap d o n e : 1 I P a d d r e s s ( 1 h o s t u p ) s c a n n e d i n 1 6 . 5 7
seconds
Filter H o sts
FIGURE 3.33: Zenmap showing ICMP Echo Scanning Result
In a list scan, d is c o v e r y o f t h e a c tiv e h o s t in t h e n e t w o r k is d o n e in d i r e c t l y . A list scan s im p ly
g e n e r a t e s a nd p r i n t s a list o f IP s /N a m e s w i t h o u t a c t u a lly p in g in g t h e h o s t n a m e s o r p o r t
s c a n n in g t h e m . As a re s u lt, t h e list scan o u t p u t o f all t h e IP a d d re s s e s w ill be s h o w n as " n o t
s c a n n e d ," i.e., (0 h o s ts up). By d e f a u l t , a r e v e r s e DNS r e s o lu t i o n is still b e in g c a r r ie d o u t o n t h e
h o s t b y N m a p f o r le a r n in g t h e i r n a m e s .
Zenmap
Scan
lo o ls
{Help
192.168.168.5
Target
C om m and:
H o sts
OS -
E ro file
Profile:
C ancel
n m a p -sL -v 192.168.168.5
S ervices
H o st
N m a p O u tp u t
P o rts /H o s ts
T o p o lo g y
H o s t D etails
n m a p - s L - v 192.168.168.5
S can s
"vj
|
D etails
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10
13:54
idard Tit!*
Initiating Parallel DNS resolution of 1 host, at 13:54
Completed Parallel DNS resolution of 1 host, at 13:54,
0.04s elapsed
Nmap scan report for 192.168.168.5
Nmap done: 1 IP address (0 hosts up) scanned in O.06
seconds
Filter H o sts
FIGURE 3.34: Zenmap showing List Scanning Result
Advantage:
9
A list scan can p e r f o r m a g o o d s a n ity ch eck.
9
T h e i n c o r r e c t l y d e f i n e d IP a d d re s s e s o n t h e c o m m a n d lin e o r in an o p t i o n file
a re
d e t e c t e d b y t h e list scan. T h e d e t e c t e d e r r o r s s h o u ld be r e p a i r e d p r i o r t o r u n n i n g
any
" a c t i v e " scan.
M o d u le 0 3 Page 321
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
CEH
U D P S c a n n in g
Are you open on UDP Port 29?
.............................................*■
No response if port is
...................
*
1
%
........... I s s ______ j
If Port is Closed, an ICMP Port unreachable message is received
S erv er
UDP Port Open
T h e r e is n o t h r e e - w a y TCP h a n d s h a kke
fo r UDP sc a n
©
T h e s y s t e m d o e s n o t r e s p o n d w ith a
m e s s a g e w h e n t h e p o r t is o p e n
UDP Port Closed
e
if a U D P p a c k e t is s e n t t o c l o s e d p o r t , t h e
s y s t e m r e s p o n d s w ith IC M P p o r t
u n re a c h a b le m e ss a g e
©
S p y w a r e s , T ro ja n h o r s e s , a n d o t h e r
m a lic io u s a p p l i c a t i o n s u s e U D P p o r t s
U D P S c a n n in g
UDP Raw ICMP Port Unreachable Scanning
UDP p o r t s c a n n e rs use t h e U DP p r o t o c o l in s te a d o f TCP, a n d can be m o r e d i f f i c u l t t h a n TCP
s c a n n in g . You can s e n d a p a c k e t, b u t y o u c a n n o t d e t e r m i n e t h a t t h e h o s t is a liv e o r d e a d o r
f i l t e r e d . H o w e v e r , t h e r e is o n e IC M P t h a t y o u can use t o d e t e r m i n e w h e t h e r p o r ts a re o p e n o r
c lo s e d . If y o u s e n d a UDP p a c k e t t o a p o r t w i t h o u t an a p p li c a t i o n b o u n d t o it, t h e IP sta c k w ill
r e t u r n an IC M P p o r t u n r e a c h a b l e p a c k e t . If a n y p o r t r e t u r n s an IC M P e r r o r , t h e n it's clo s e d ,
w h i l e t h e p o r ts t h a t d i d n ' t a n s w e r a re e i t h e r o p e n o r f i l t e r e d by t h e f i r e w a l l .
T his h a p p e n s b e c a u s e o p e n p o r ts d o n o t h a ve t o s e n d an a c k n o w l e d g e m e n t in re s p o n s e t o a
p r o b e , a n d c lo s e d p o r ts a re n o t e v e n r e q u i r e d t o se n d an e r r o r p a c k e t.
UDP Packets
S o u rc e : h t t p : / / n m a p . o r g
W hen
you
se n d
a
packet
to
a
c lo s e d
UDP
p o rt,
m ost
of
th e
h o s ts
se nd
an
IC M P _ P O R T _ U N R E A C H e r r o r . T hu s, y o u can f i n d o u t if a p o r t is N O T o p e n . N e i t h e r UDP p a c k e ts
n o r t h e IC M P e r r o r s a re g u a r a n t e e d t o a rr iv e , so UDP s c a n n e rs o f th is s o r t m u s t also i m p l e m e n t
t h e r e t r a n s m is s io n o f p a c k e ts t h a t a p p e a r lost. UDP s c a n n e rs i n t e r p r e t lo s t t r a f f i c as o p e n p o r ts .
M o d u le 0 3 Page 322
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
In a d d it io n , t h is s c a n n in g t e c h n i q u e is s lo w b e c a u s e o f l i m i t i n g t h e IC M P e r r o r m e s s a g e r a te as
c o m p e n s a t io n t o m a c h in e s t h a t a p p ly RFC 1 8 1 2 s e c tio n 4 .3 .2 .8 . A r e m o t e h o s t w i ll n e e d t o
access t h e r a w IC M P s o c k e t t o d is t in g u is h c lo s e d f r o m u n r e a c h a b l e p o r ts .
UDP RECVFROM () and WRITE () Scanning
W h i l e n o n - r o o t users c a n n o t re a d p o r t u n r e a c h a b le e r r o r s d ir e c t ly ; L in ux i n f o r m s y o u i n d i r e c t l y
w h e n t h e y r e c e iv e m essages.
Example
For e x a m p le , a s e c o n d w r i t e () call t o a c lo s e d p o r t w i ll u s u a lly fa il. A l o t o f s ca n n e rs , such as
N e t c a t a n d Pluvial p scan .c d o r e c v f r o m () o n n o n - b l o c k i n g UDP so c k e ts , u s u a lly r e t u r n EAGAIN
( " T r y A g a in ,"
e rrn o
13)
if t h e
IC M P
e rro r
has
not
been
re c e iv e d ,
and
ECONNREFUSED
( " C o n n e c t i o n r e f u s e d , " e r r n o 1 11), if it has. T his is t h e t e c h n i q u e used f o r d e t e r m i n i n g o p e n
p o r t s w h e n n o n - r o o t u sers use -u (UDP). R o o t u sers can also use t h e -I ( la m e r UDP scan) o p t i o n s
t o f o r c e th is .
Advantage:
T h e UDP scan is less i n f o r m a l r e g a r d in g an o p e n p o r t , since t h e r e ' s n o o v e r h e a d o f a TCP
h a n d s h a k e . H o w e v e r , i f IC M P is r e s p o n d i n g t o e a ch u n a v a ila b le p o r t , t h e n u m b e r o f t o t a l
f r a m e s can e x c e e d a TCP scan. M ic r o s o f t - b a s e d o p e r a t i n g s y s te m s d o n o t u s u a lly i m p l e m e n t
a n y t y p e o f IC M P r a te li m i t i n g , so t h i s scan o p e r a t e s v e r y e f f i c i e n t l y o n W i n d o w s - b a s e d d e vice s.
Disadvantage:
T h e UDP scan p r o v id e s p o r t i n f o r m a t i o n o n ly . If a d d it io n a l v e r s io n i n f o r m a t i o n is n e e d e d , t h e
scan m u s t be s u p p l e m e n t e d w i t h
a v e r s io n d e t e c t i o n scan (-sV) o r t h e
o p e r a t i n g s y s te m
fin g e rp rin tin g o p tio n (-0 ).
T h e UDP scan r e q u ir e s p r iv ile g e d access, so th is scan o p t i o n is o n l y a v a ila b le o n s y s te m s w i t h
t h e a p p r o p r i a t e u s e r p e r m is s io n s .
M o s t n e t w o r k s h a v e h u g e a m o u n t s o f TCP t r a f f i c ; as a re s u lt, t h e e f f i c i e n c y o f t h e UDP scan is
lost. T h e UDP scan w ill lo c a te th e s e o p e n p o r ts a n d p r o v id e t h e s e c u r it y m a n a g e r w i t h v a lu a b le
i n f o r m a t i o n t h a t can be used t o i d e n t i f y th e s e in v a s io n s a c h ie v e d by t h e a t t a c k e r o n o p e n UDP
p o r t s ca u s e d b y s p y w a r e a p p lic a tio n s , T r o ja n h orses, a n d o t h e r m a lic io u s s o f t w a r e .
Are you open on UDP Port 29?
No response if port is Open
................................................
If Port is Closed, an ICMP Port unreachable message is received
A tta c k e r
□c
di
S e rv e r
FIGURE 3.35: UDP Scanning
M o d u le 0 3 Page 323
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
L2_‫ו פ ו‬
Zenmap
Jooli
Scant
Cancel
v
Details
* -sll -v nmap 192.168.168.3
N m a p Output Ports /Hosts Topok>9> Host Detaih Scans
Services
OS - Host
192 168.168.5
192.168.168.3
4
1
Hosts
»
Profile:
nmip 192.168.168.3
Command;
x
tjelp
•1
Target
Profile
c
<
S<an
192.168.168.3
Starting Nmap 6.01 ( http://na1ap.org ) at 2012 08 10 12:47
Standard Time
Initiating ARP Ping Scan at 12:47
Scanning 192.168.168.3 [1 port]
Completed ARP Ping Scan at 12:47, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host, at 12:47
Completed Parallel DNS resolution of 1 host, at 12:47, 0.02s elapsed
Initiating LOP Scan at 12:47
Scanning 192.168.168.9 [1000 ports)
Discovered open port 53S3/udp on 192.168.168.3
Discovered open port 137/udp on 192.168.168.3
Discovered open port 123/udp on 192.168.168.3
Increasing send delay for 192.168.168.3 * r o o t 0 to SO due to 216 out
of 719 dropped probes since last increase.
Completed UOP Scan at 12:47, 19.66s elapsed (1000 total ports)
Nmap scan report for 192.168.168.3
Failed to resolve given hostnaae/IP: nmap. Note that you can't use
,/mask' AND •1-4,7,100-• style IP ranges. If the machine only has
an IPv6 address, add the Nmap -6 flag to scan that.
Host is up (0.000063s latency).
Not shown: 994 closed ports
PORT
STATE
SfRVICf
88/udp
open|filtered kerberos-sec
123/udp
open
ntp
137/udp
open
netbios-ns
138/udp
open|filtered netbios-dga
S3S3/udp
open
zeroconf
S8178/udp open|filtered unknown
MAC Address:
Read data file s fro■; c:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 22.09 seconds
Ra» packets sent: 1839 (52.401KB) I Rcvd: 998 (S6.06SK8)
Filter Host*
FIGURE 3.36: Zenmap showing UDP Scanning Result
M o d u le 0 3 Page 324
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
I n v e r s e
Exam 3 1 2-50 C ertified Ethical H acker
T C
P
F
l a g
S
c a n n i n g
CEH
(•rtifwd
itk itjl
Attackers send TCP probe packets with various TCP flags
(FIN,URG,PSH) set or with no flags, no response means
port is open and RST/ACK means the port is closed
Probe Packet (FIN/URG/PSH/NULL)
No Response
Attacker
Port is open
Probe Packet (FIN/URG/PSH/NULL)
RST/ACK
Attacker
Port is closed
Copyright © by EG-Gtnncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
In v e rs e T C P
—
F la g
S c a n n in g
A t t a c k e r s se n d t h e TCP p r o b e p a c k e ts b y e n a b lin g v a r io u s TCP fla g (FIN, URG, PSH) o r
w i t h n o fla gs. W h e n t h e p o r t is o p e n , t h e a t t a c k e r d o e s n ' t g e t a n y r e s p o n s e f r o m t h e h o s t,
w h e r e a s w h e n t h e p o r t is c lo s e d , he o r she re c e iv e s t h e R ST /A C K f r o m t h e t a r g e t h o s t.
T h e SYN p a c k e ts t h a t a re s e n t t o t h e s e n s itiv e p o r ts o f t h e t a r g e t e d h o s ts a re d e t e c t e d b y using
s e c u r it y m e c h a n is m s such as f i r e w a l l s a n d IDS. P r o g r a m s such as S y n lo g g e r a n d C o u r t n e y a re
a v a ila b le t o log h a l f - o p e n SYN fla g scan a t t e m p t s . A t t i m e s , t h e p r o b e p a c k e ts e n a b le d w i t h TCP
fla g s can pass t h r o u g h f i l t e r s u n d e t e c t e d , d e p e n d i n g o n t h e s e c u r it y m e c h a n is m s in s ta lle d .
P r o b in g a t a r g e t u s in g a h a l f - o p e n SYN fla g is k n o w n as an in v e r t e d t e c h n i q u e . It is ca lle d th is
b e c a u s e t h e c lo s e d p o r ts can o n l y s e n d t h e r e s p o n s e back. A c c o r d i n g t o RFC 7 9 3 , A n RST/ACK
p a c k e t m u s t be s e n t f o r c o n n e c t i o n re s e t, w h e n t h e p o r t is c lo s e d o n h o s t side.
A tta ck e rs ta ke
a d v a n ta g e o f th is f e a t u r e t o s e n d TCP p r o b e p a c k e ts t o e a c h p o r t o f t h e t a r g e t h o s t w i t h v a r io u s
TCP fla gs set.
C o m m o n fla g c o n f i g u r a t io n s used f o r p r o b e p a c k e t in c lu d e :
9
A FIN p r o b e w i t h t h e FIN TCP fla g se t
9
A n X M A S p r o b e w i t h t h e FIN, URG, a n d PUSH TCP fla g s set
9
A NULL p r o b e w i t h n o TCP fla g s se t
M o d u le 0 3 Page 325
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
©
Exam 3 1 2 -5 0 C ertified Ethical H acker
A SYN/ACK p r o b e
All t h e c lo s e d p o r t s o n t h e t a r g e t e d h o s t w i ll s e n d an RST/ACK r e s p o n s e . Since t h e RFC 793
s t a n d a r d is c o m p l e t e l y ig n o r e d in t h e o p e r a t i n g s y s te m such as W i n d o w s , y o u c a n n o t see t h e
RST/ACK r e s p o n s e w h e n c o n n e c t e d t o t h e c lo s e d p o r t o n t h e t a r g e t h o s t. T his t e c h n i q u e is
e f f e c t i v e w h e n u sed w i t h U N IX -b a s e d o p e r a t i n g s y s te m s .
Advantages
Q
A v o id s m a n y IDS a nd lo g g in g s y s te m s , h ig h ly s t e a l t h y
Disadvantages
Q
N e e d s r a w access t o n e t w o r k so c k e ts , t h u s r e q u i r in g s u p e r - u s e r p riv ile g e s
Q
M o s t l y e f f e c t i v e a g a in s t h o s ts u sin g a B S D -d e riv e d TCP/IP sta c k ( n o t e f f e c t i v e a g a in s t
M i c r o s o f t W i n d o w s h o s ts in p a r t ic u la r )
Probe Packet (FIN/URG/PSH/NULL)
No Response
Attacker
P o r t is o p e n
Target Host
FIGURE 3.37: Inverse TCP Flag Scanning when Port is Open
Probe Packet (FIN/URG/PSH/NULL)
RST/ACK
Attacker
Target Host
P o r t is c l o s e d
FIGURE 3.38: Inverse TCP Flag Scanning when Port is Closed
M o d u le 0 3 Page 3 26
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
A C K F la g S c a n n in g
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
A C K
F la g
S c a n n in g
A s t e a l t h y t e c h n i q u e is used f o r i d e n t i f y i n g o p e n TCP p o r t s . In t h is t e c h n i q u e a TCP
p a c k e t w i t h ACK fla g ON is s e n t t o t h e r e m o t e h o s t a n d t h e n t h e h e a d e r i n f o r m a t i o n o f t h e RST
p a c k e ts s e n t by r e m o t e h o s t a re a n a ly z e d . U sing t h is t e c h n i q u e o n e can e x p l o i t t h e p o t e n t ia l
v u ln e r a b i l it ie s o f BSD d e r iv e d TCP/IP sta ck. T his t e c h n i q u e g ive s g o o d r e s u lts w h e n used w i t h
c e r t a i n o p e r a t i n g s y s te m s a n d p la t f o r m s .
ACK s c a n n in g can be p e r f o r m e d in t w o w a y s :
Q
TTL f ie ld a n a n ly s is
©
W I N D O W fi e ld a na lysis
U sing TTL v a lu e o n e can d e t e r m i n e t h e n u m b e r o f s y s te m s t h e TCP p a c k e t tr a v e r s e s . You can
s e n d an ACK p r o b e p a c k e t w i t h r a n d o m s e q u e n c e n u m b e r : n o r e s p o n s e m e a n s p o r t is f i l t e r e d
(s ta te f u ll f i r e w a l l is p r e s e n t) a n d RST re s p o n s e m e a n s t h e p o r t is n o t f i l t e r e d ,
nm ap - s A
-P 0
S ta r t in g
nm ap 5 . 2 1
A ll
529
1 0 .1 0 .0 .2 5
(h t t p : / / n m a p . o r g )
scanned p o rts
M o d u le 0 3 Page 327
on
1 0 .1 0 .0 .2 5
a t
2 0 1 0 -0 5 -1 6
a re :
filte r e d
1 2 :1 5
EST
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
S t a t e f u l F i r e w a l l is P r e s e n t
Probe Packet (ACK)
‫♦א‬
No Response
Attacker
Target Host
FIGURE 3.39: ACK Flag Scanning when Stateful Firewall is Present
N o F ir e w a ll
Probe Packet (ACK)
I TLT I ...................................................
RST
Attacker
Target Host
FIGURE 3.40: ACK Flag Scanning when No Firewall is Present
Z e n m a p
Scgn
lo o k
T.rgrt:
Profit♦
Help
nm ip 192.168.168.5
Command:
H osts
v
Profile
Scan
Cancel
* ■sA ■v •Pn nmap 1941 68.168.5
Services
N m ap O utput
P o r ts /H o s ts
Topology
H ost Detaih
Scans
* -sA-v -Pn nmap 192.168.168.5
details
Starting M a p 6.01 ( http://nMp.org ) at 2012-08-10 13:09
Standard Tine
Initiating ARP Ping Scan at 13:10
Scanning 192.16*.160.5 [1 port]
Completed ARP Ping Scan at 13:10, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host, at 13:10
Completed Parallel ONS resolution of 1 host, at 13:10, 0.10s elapsed
Initiating ACK Scan at 13:10
Scanning 192.16*.168.5 [1000 ports]
Completed ACK Scan at 13:10, 21.38s elapsed (1000 total ports)
Knap scan report for 192.16*.168.5
Failed to resolve given hostnanc/lP: naap. Note that you can’t use
,/■ask' ANO ■1-4,7,100-• style IP ranges. If the ■achine only has
an IPv6 address, add the Nnap ■6 flag to scan that.
Host
is
*>p
10. W 1es
l a t e n t , ) . _____________________________
IAll 1000 scanned ports on 192.168.168.S are filteredl
MAC Address:
Read
f i l e ! f r v • ; C:\Progr•• Files ( x 8 6 ) \ m m p
done; l IP address (1 host up) scanned in 23.90 seconds
Rax packets sent: 2001 (80.O28K8) | Rcvd: 1 (288)
f la t *
filler Hosts
FIGURE 3.41: Zenmap showing ACK Flag Scanning Result
M o d u le 0 3 Page 328
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S c a n n in g
T o o l: N e tS c a n
T o o ls
P r o
C E H
myre&uUsdat^base-NetScanToob©Pro11.00
2 fit
Edt
Accesatolly
r»J>
Manual 15‫ד‬0‫כ‬- networkCcnrecton E-dxrts 9
Automated05‫״־‬
( Rsfren
□ciicUyFulPfKessPaths I PsccrrectAl 1CP ]
‫ך‬
Usccrrect nermte1CP‫]”י‬
Jjrp ‫ד‬Autorrcited ]
‫ ח‬£t«cW fUcftrftwh
MfiC
193C
10'° ‫־‬
0
lol<‫״‬a'ufa‫״‬.re‫־‬
TCF.UOP ComeCQcn Enfant List
Local IP
0.0.0.0
1nec1nfo.exe
flMworitInlctf«e»4rd5\<tnl'r‫״‬.
sycr.osz• cxs
Systea
inee nfo.exe
O.O.0.0
0.0.0.0
1
0 .0 .0 .0
0.0.0.0
STacea
Nstworkl
c*
i \vrrtw
Mn
etrolro'cntrt
s
0.0.0.0
O.O.0.0
Se•Sre.exe
D U lI V U l. t x t
‫־׳‬OKXCO 109b
1
l.‫ ״‬r.wo-<r yT.»»
HawroL>Mvay locto
1
0.0.0.0
3bacr?.«x«
IVChO K.IXI
CMSfuv»
*XKrt irvd‫ז‬onb
8coeS«zv.«xt
5tot5c1v.exe
s '« rS :rv .c x e
1388 TC
2OS2 TC
2092 TC
2092 TC
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
127.0.0.1
1 2 7.0.0 .1
1 2 7 .0 .0 .1
127.0.0.1
Syat•®
S73c«i
S v s .w
Local lore
Reaote
|
http| 80
0.0.0.0
)cpxag( 135
)MS (UlCEOSOCt-dS'
102S (blackjack(
!‫)ל‬pptp( 23
)oy M rcanw bccc ( 2638
lc » lh p ( 2069(
‫ח‬4£‫)) ר‬pcsync-https
web5( 9090«(
‫) »ל»ע‬ofll
)unknown! 31038
)unknown! 34571
)unknown| 04572
34S73 !unknown(
80
|http| 00
IhttpI 00
ihttpi 80
1
r
0.0. 0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0 . 0 . D.O
1 2 7 .0 .0 .1
‫ג‬2‫ד‬.0.0.1
1 2 7 .0 .0 .1
127.0.0.1
txtema! lods
Progmli^o
http://www.netscantoo1s.com
loop
Copyright 6 by EG-CSUICil. A il Rights Reserved. Reproduction is Strictly Prohibited.
S c a n n in g
T o o l: N e tS c a n T o o ls P ro
S o u rc e : h t t p ://w w w .n e ts c a r 1tools.com
N etS can T o o ls Pro is an i n v e s t i g a t i o n t o o l . It a llo w s y o u t o t r o u b l e s h o o t , m o n i t o r , d is c o v e r , a n d
d e t e c t d e v ic e s o n y o u r n e t w o r k . You can g a t h e r i n f o r m a t i o n a b o u t t h e local LAN as w e l l as
I n t e r n e t users, IP a d d re s s e s , p o r ts , e tc . u sin g t h is t o o l . You can f i n d v u ln e r a b i l it ie s a n d e x p o s e d
p o r t s in y o u r s y s te m . It is t h e c o m b i n a t i o n o f m a n y n e t w o r k t o o l s a nd u t i l i t i e s . T h e t o o l s a re
c a te g o r iz e d b y f u n c t i o n s such as a c tiv e , passive, DNS, a n d local c o m p u t e r .
Active Discovery and Diagnostic Tools: U sed f o r t e s t i n g a n d l o c a tin g d e v ic e s t h a t a re
c o n n e c te d to y o u r n e tw o rk .
Passive Discovery Tools: M o n i t o r s t h e a c tiv it ie s o f t h e d e v ic e s t h a t a re c o n n e c t e d t o y o u r
n e t w o r k a n d also g a th e r s i n f o r m a t i o n f r o m t h i r d p a r tie s .
DNS Tools: Used t o d e t e c t p r o b l e m s w i t h DNS.
Local Computer and General Information Tools: P ro v id e s d e ta ils a b o u t y o u r local c o m p u t e r ' s
n e tw o rk .
Benefits:
e
T h e i n f o r m a t i o n g a t h e r i n g p ro c e s s is m a d e s i m p l e r a n d f a s t e r b y a u t o m a t i n g t h e use o f
m a n y n e t w o r k t o o ls
M o d u le 0 3 Page 329
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
9
Exam 3 1 2 -5 0 C ertified Ethical H acker
P ro d u c e s t h e r e s u lt r e p o r t s in y o u r w e b b r o w s e r c le a rly
m y re s u lts d a ta b a s e - N etS canT ools® P ro 1 1 .0 0
• File
Edit
Accessibility
View
Help
Welcome
Manual Tools - Network Connection Endpoints
Automated Tools
Manual Tools (all)
Refresh
0 Display Full Process Paths
0
1 sec
O Enable AutoRefresh
-‫־‬J—
MAC Address to Manufacturer
Disconnect All TCP
Add Note
Jump To Automated
10 sec I Disconnect Remote TCP
Double-click
₪ Enable
TCP Disconnects
IPv4©
IP v 6 0
TCP/UDP Connection Endpoint List
Network Connection Endpoints
Network Interfaces and Statistics
m
Network Interfaces - Wireless
Network Shares - SMB
Favorite Tools
Active Discovery Tools
Passive Discovery Tools
DNS Tools
Packet Level Tools
External Tools
Program Info
Process
inetinf0.exe
svchost.exe
System
inetinf0.exe
System
dbsrv9.exe
svchost.exe
SemSvc.exe
SemSvc.exe
agent.exe
DkService.exe
StorServ.exe
StorServ.exe
StorServ.exe
System
System
System
System
PID Protocol
TCP
252 TCP
4
TCP
1100
TCP
4
TCP
1216 TCP
932 TCP
4068 TCP
4068 TCP
920 TCP
1388 TCP
2092 TCP
2092 TCP
2092 TCP
0
TCP
0
TCP
0
TCP
0
TCP
1100
n
'r r n
Local IP
Reports
‫ ח‬Add to Favorites
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
Local Port
80 (http)
13S (epmap)
445 (microsoft-ds)
1025 (blackjack)
1723 (pptp)
2638 (sybaseanywhere)
2869 (icslap)
8443 (pcsync-https)
9090 (websm)
9876 (sd)
31038 (unknown)
34571 (unknown)
34572 (unknown)
34573 (unknown)
80 (http)
80 (http)
80 (http)
80 (http)
‫ ו‬0 ‫ ר> ל״‬n
on
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
‫ו‬
Remote IP
0 .0 .0 .0
0 .0 .0 .0
Li)
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
0 .0 .0 .0
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
1‫ ל״<׳‬ft ft ‫ו‬
‫נ‬
<
A
0 .0 .0 .0
>
NUM
For Help, press Fl
FIGURE 3.42: NetScan Tools Pro Screenshot
M o d u le 0 3 Page 3 30
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S c a n n in g T o o ls
C E H
Global Network Inventory
Scanner
PRTG Network Monitor
http://www.paessler.com
i—
N.I1WI
http://www.magnetosoft.com
SoftPerfect Network Scanner
Net Tools
http://mabsoft.com
http://www.softperfect.com
IP Tools
E -
Advanced Port Scanner
http://www.ks-soft.net
http://www.radmin.com
MegaPing
‫ט ט ט‬
□□‫ם‬
http://www.magnetosoft.com
Network Inventory Explorer
Netifera
http://netifera.com
Free Port Scanner
http://www.10-strike.com
http://www.nsauditor.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
=*~=‫■־‬
S c a n n in g t o o l s ping com puters, scan fo r listening TCP/UDP ports, and display th e ty p e o f
resources shared on th e n e tw o rk (including system and hidden). T h e a t t a c k e r m a y a t t e m p t t o la u n c h
a tta c k s a g a in s t y o u r n e t w o r k o r n e t w o r k r e s o u r c e s b ase d o n t h e i n f o r m a t i o n g a t h e r e d w i t h t h e
h e lp o f s c a n n in g to o ls . A fe w o f th e scanning to ols th a t can d ete ct active ports on th e systems are
listed as fo llo w s:
9
PRTG N e t w o r k M o n i t o r a v a ila b le a t h t t p : / / w w w . p a e s s l e r . c o m
9
N e t T o o ls a v a ila b le a t h t t p : / / m a b s o f t . c o m
9
IP T o o ls a v a ila b le a t h t t p : / / w w w . k s - s o f t . n e t
9
M e g a P in g a v a ila b le a t h t t p : / / w w w . m a g n e t o s o f t . c o m
9
N e t w o r k I n v e n t o r y E x p lo r e r a v a ila b le a t h t t p : / / w w w . 1 0 - s t r i k e . c o m
9
G lo b a l N e t w o r k I n v e n t o r y S c a n n e r a v a ila b le a t h t t p : / / w w w . m a g n e t o s o f t . c o m
9
S o f t P e r f e c t N e t w o r k S c a n n e r a v a ila b le a t h t t p : / / w w w . s o f t p e r f e c t . c o m
9
A d v a n c e d P o r t S c a n n e r a v a ila b le a t h t t p : / / w w w . r a d m i n . c o m
9
N e t if e r a a v a ila b le a t h t t p : / / n e t i f e r a . c o m
9
Free P o r t S c a n n e r a v a ila b le a t h t t p : / / w w w . n s a u d i t o r . c o m
M o d u le 0 3 Page 331
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
D o
N o t
Exam 3 1 2 -5 0 C ertified Ethical H acker
S c a n
T h e s e
I P
A d d r e s s e s
C E H
(U n le s s y o u w a n t to g e t in t o t r o u b le )
RANGE 128
128.37.0.0 Army Yuma Proving Ground
1 2 8 3 8 0 0 Naval Surface Warfare Center
128.43.0.0 Defence Research Establishment-Ottawa
128.47.0.0 Army Communications Electronics Command
128.49.0.0 Naval Ocean Systems Center
128.50.0.0 Department of Defense
128.51.0.0 Department of Defense
128.56.0.0 U.S. Naval Academy
128.60.0.0 Naval Research Laboratory
128.63.0.0 Army Ballistics Research Laboratory
1 2 8 8 0 0 0 Army Communications Electronics Command
128.102.0.0 NASA Ames Research Center
128.149.0.0 NASA Headquarters
128.154.0.0 NASA Wallops Right Facility
128.155.0.0
128.156.0.0
12815700
128.158.0.0
NASA
NASA
NASA
NASA
Langley Research Center
Lewis Network Control Center
Johnson Space Center
Ames Research Center
128 159 0 0 NASA Ames Research Center
128.160.0.0 Naval Research Laboratory
128 1 6 1 0 0 N ASA Ames Research Center
128 183.0 0 NASA Goddard Space Flight Center
128202 0 0 50th Space Wing
128 21 6 0 0 MacDifl Air Force Base
128.217.0.0 NASA Kennedy Space Center
128.236.0.0 U.S. A r Force Academy
RANGE 129
129.23.0.0 Strategic Defense Initiative Organization
129.29.0.0 United States Military Academy
129.50.0.0 NASA Marshall Space Flight Center
129.51.0.0 Patrick Air Force Base
129.52.0.0 Wright-Patterson Air Force Base
129.53.0.0 - 129 53.255 255 66SPTG-SCB
129.54.0.0 Vandenberg Air Force Base, CA
129.92.0.0 Air Force Institute of Technology
129.99.0.0 NASA Ames Research Center
129.131.0.0 Naval Weapons Center
129.163.0.0 NASA/Johnson Space Center
129.164.0.0 NASA IW
129.165.0.0 NASA Goddard Space Fight Center
129.167.0.0 NASA Marshall Space Right Center
129.168.0.0 NASA Lewis Research Center
129.190.0.0 Naval Underwater Systems Center
129.198 0.0 Air Force Fight Test Center
129.209.0.0 Army BaiSstcs Research Laboratory
129.229.0.0 U.S. Army Corps of Engmeers
129.251.0.0 United States Ar Force Academy
RANGE 130
130.40.0.0 NASA Johnson Space Center
130.90.0.0 Mather Ar Force Base
1301090.0 Naval Coastal Systems Center
130.124.0.0 Honeywell Defense Systems Group
130.165.0.0 U.S-Army Corps of Engneers
130 167.0.0 NASA Headquarters
RANGE 132
132.3.0.0WilliamsAir ForceBase
132.5.0.0- 132.5.255.25549thFighter Wing
132.6.0.0AnkaraAir Station
132.7.0.0-132.7.255.255 SSG/SINO
132.9.0.0 28thBombWing
132.10.0.0 319CommSq
132.11.0.0 HellenikonAir Base
132.12.0.0 MyrtleBeachAir ForceBase
132.13.0.0 Bentwaters Royal Air ForceBase
132.14.0.0 Air ForceConcentrator Netwcrk
132.15.0.0 KadenaAir Base
132.16.0.0 Kunsan Air Base
132.17.0.0
132.18.0.0
132.19.0.0
132.20.0.0
132.21.0.0
132.22.0.0
132.24.0.0
132.25.0.0
132.27 0 0
132.28.0.0
Lindsey Air Station
McGuire Air Force Base
100CS (NET-MILDENHALL)
35th Communications Squadron
Plattsburgh Ar Force Base
23Communication9 Sq
Dower Air Force Base
786 CS/SCBM
• 132 27.255.255 39CS/SCBBN
14TH COMMUNICATION SQUADRON
132.30.0.0 Lqes Air F a c e Base
RANGE 131
131.60.0 Langley Ar Force Base
131.10.0.0 Barksdale Ar Force Base
131.17.0.0 Sheppard Ar Fcrce Base
131.21.0.0 Hahn Ar Base
31.32.0.0 37 Communications Squadron
131 3 5 0 0 Fairchild Ar Force Base
131.36.0.0 Yokota Ar Base
131.37.0.0 Elmendorf Air Force Base
131.38.0.0 Hickam Ar Force Base
131.39.0.0 354CS/SCSN
132.31.0.0
132.33.0.0
132.34.0.0
132.35.0.0
132.37.0.0
132.38.0.0
132.39.0.0
Lonng Air Force Base
60CS/SCSNM
Cannon Air F ace Base
Altus Air Force Base
75 ABW
Goodfellow AFB
K.I. Sawyer Air Force Base
For a complete list, see the file in DVD
IP ADDRESSES YOU SHOULD NOT SCAN.txt
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
D o N o t S c a n T h e s e IP A d d re s s e s
g e t in to
(U n le s s y o u w a n t to
tro u b le )
T h e IP a d d re s s e s lis te d in t h e f o l l o w i n g t a b l e a re a s s o c ia te d w i t h t h e c r itic a l i n f o r m a t i o n
r e s o u r c e c e n te r s o f t h e US. S c a n n in g th e s e IP a d d re s s e s w i ll be c o n s id e r e d an a t t e m p t t o b re a k
t h e US's i n f o r m a t i o n s e c u r ity . T h e r e f o r e , d o n o t scan th e s e IP a d d re s s e s u nless y o u w a n t t o g e t
in to tro u b le .
RANGE 6
6 . * - A r m y I n f o r m a t i o n S y s te m s C e n te r
129.51.0.0 Patrick Air Force Base
1 2 9 .5 2 .0 .0 W r i g h t - P a t t e r s o n A ir Force
Base
RANGE 7
1 2 9 .5 3 .0 .0 - 1 2 9 .5 3 .2 5 5 .2 5 5 66SPTG-SCB
7 . * . * . * D e fe n s e I n f o r m a t i o n S y s te m s
1 2 9 .5 4 .0 .0 V a n d e n b e r g A ir Force Base,
Agency, VA
CA
RANGE 11
M o d u le 0 3 Page 332
1 2 9 .9 2 .0 .0 A i r Force I n s t i t u t e o f
T e c h n o lo g y
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
D e fe n s e In te llig e n c e A g e n c y , W a s h in g t o n DC
129.99.0.0 NASA A m es R esearch
C enter
RANGE 21
1 2 9 .1 3 1 .0 . 0 N ava l W e a p o n s C e n te r
1 1 . * . * . * D 0 D In te l I n f o r m a t i o n S ys te m s ,
2 1. - US D e fe n s e I n f o r m a t i o n S y s te m s
Agency
RANGE 22
2 2 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
RANGE 24
2 4 .1 9 8 .*.*
RANGE 25
2 5 . * . * . * Royal Signals a n d R adar
E s t a b lis h m e n t , UK
RANGE 26
2 6 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
RANGE 29
1 2 9 .1 6 3 .0 . 0 N A S A /J o h n s o n Space C e n te r
1 2 9 .1 6 4 .0 . 0 NASA IVV
1 2 9 .1 6 5 .0 . 0 NASA G o d d a r d Space F lig ht
C e n te r
1 2 9 .1 6 7 .0 . 0 NASA M a r s h a ll Space F lig h t
C e n te r
1 2 9 .1 6 8 .0 . 0 NASA Lew is Research C e n te r
1 2 9 .1 9 0 .0 . 0 N ava l U n d e r w a t e r S y ste m s
C e n te r
1 2 9 .1 9 8 .0 . 0 A ir Force F lig h t T e s t C e n te r
1 2 9 .2 0 9 .0 . 0 A r m y Ballistics Research
L a b oratory
1 2 9 .2 2 9 .0 . 0 U.S. A r m y C o rp s o f
E n g in e e rs
1 2 9 .2 5 1 .0 . 0 U n ite d S ta te s A ir Force
Academ y
2 9 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
RANGE 130
RANGE 30
1 3 0 .4 0 .0 .0 NASA J o h n s o n Space C e n te r
3 0 . * - D e fe n s e I n f o r m a t i o n S y s te m s A g e n c y
1 3 0 .9 0 .0 .0 M a t h e r A i r Force Base
RANGE 49
4 9 . * - J o in t T a c tic a l C o m m a n d
1 3 0 .1 0 9 .0 . 0 N ava l C oa sta l S y s te m s
C e n te r
1 3 0 .1 2 4 .0 . 0 H o n e y w e ll D e fe n s e S y s te m s
G roup
RANGE 50
1 3 0 .1 6 5 .0 . 0 U .S .A r m y C o rp s o f E n g in e e rs
5 0 . * - J o in t T a c tic a l C o m m a n d
1 3 0 .1 6 7 .0 . 0 NASA H e a d q u a r t e r s
RANGE 55
RANGE 131
5 5 . * - A r m y N a t io n a l G u a r d B u re a u
1 3 1 .6 .0 .0 L a n g le y A i r Force Base
RANGE 55
1 3 1 .1 0 .0 .0 B a rk s d a le A ir Force Base
M o d u le 0 3 Page 333
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
5 5 . * - A r m y N a t io n a l G u a r d B u re a u
131.17.0.0 S h epp ard A ir Fo rce Base
5 5 . * - A r m y N a t io n a l G u a r d B u re a u
1 3 1 .1 7 .0 .0 S h e p p a r d A ir Force Base
RANGE 62
1 3 1 .2 1 .0 .0 H a h n A i r Base
6 2 .0 .0 .1 - 6 2 .3 0 . 2 5 5 . 2 5 5 Do n o t scan!
3 1 .3 2 . 0 .0 37 C o m m u n ic a t i o n s S q u a d r o n
RANGE 6 4
1 3 1 .3 5 .0 .0 F a irc h ild A i r Force Base
6 4 . 7 0 . * . * Do n o t scan
1 3 1 .3 6 .0 .0 Y o k o ta A i r Base
6 4 . 2 2 4 . * Do n o t Scan
1 3 1 .3 7 .0 .0 E l m e n d o r f A ir Force Base
6 4 . 2 2 5 . * Do n o t scan
1 3 1 .3 8 .0 .0 H ic k a m A i r Force Base
6 4 . 2 2 6 . * Do n o t scan
1 3 1 .3 9 .0 .0 354CS/SCSN
RANGE 128
RANGE 132
1 2 8 .3 7 .0 .0 A r m y Y u m a P ro v in g G r o u n d
1 3 2 .3 .0 .0 W i l l i a m s A i r Force Base
1 2 8 .3 8 .0 .0 N aval S u rfa c e W a r f a r e C e n te r
1 2 8 .4 3 .0 .0 D e fe n c e R esearch E s t a b lis h m e n t O tta w a
1 2 8 .4 7 .0 .0 A r m y C o m m u n ic a t i o n s
E le c tr o n ic s C o m m a n d
1 3 2 .5 .0 .0 - 1 3 2 .5 . 2 5 5 . 2 5 5 4 9 t h F ig h te r
W in g
1 3 2 .6 .0 .0 A n k a r a A ir S ta tio n
1 3 2 .7 .0 .0 - 1 3 2 .7 . 2 5 5 . 2 5 5 SSG/SINO
1 2 8 .4 9 .0 .0 N aval O c e a n S y s te m s C e n te r
1 3 2 .9 .0 .0 2 8 t h B o m b W i n g
1 2 8 .5 0 .0 .0 D e p a r t m e n t o f D e fe n s e
1 3 2 .1 0 .0 .0 3 1 9 C o m m Sq
1 2 8 .5 1 .0 .0 D e p a r t m e n t o f D e fe n s e
1 3 2 .1 1 .0 .0 H e lle n ik o n A i r Base
1 2 8 .5 6 .0 .0 U.S. N ava l A c a d e m y
1 3 2 .1 2 .0 .0 M y r t l e Beach A ir Force Base
1 2 8 .6 0 .0 .0 N aval R esearch L a b o r a t o r y
1 3 2 .1 3 .0 .0 B e n t w a t e r s Royal A i r Force
Base
1 2 8 .6 3 .0 .0 A r m y Ballistics R esearch
1 3 2 .1 4 .0 .0 A ir Force C o n c e n t r a t o r
L a b oratory
N e tw o rk
1 2 8 .8 0 .0 .0 A r m y C o m m u n ic a t i o n s
E le c tro n ic s C o m m a n d
1 3 2 .1 5 .0 .0 Kade n a A ir Base
1 2 8 .1 0 2 .0 . 0 NASA A m e s R esearch C e n te r
1 3 2 .1 6 .0 .0 K u nsa n A ir Base
1 2 8 .1 4 9 .0 . 0 NASA H e a d q u a r t e r s
1 3 2 .1 7 .0 .0 L in d s e y A i r S t a tio n
1 2 8 .1 5 4 .0 . 0 NASA W a l l o p s F lig h t F a cility
1 3 2 .1 8 .0 .0 M c G u i r e A ir Force Base
1 2 8 .1 5 5 .0 . 0 NASA L a n g le y R esearch C e n te r
1 3 2 .1 9 .0 .0 100CS (N E T -M IL D E N H A LL )
M o d u le 0 3 Page 3 34
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
1 2 8 .1 5 6 .0 . 0 NASA Lew is N e t w o r k C o n tr o l
1 3 2 .2 0 .0 .0 3 5 th C o m m u n ic a tio n s
C e n te r
S q u a d ro n
1 2 8 .1 5 7 .0 . 0 NASA J o h n s o n Space C e n te r
1 3 2 .2 1 .0 .0 P l a tts b u r g h A ir F orce Base
1 2 8 .1 5 7 .0 . 0 NASA J o h n s o n Space C e n te r
1 3 2 .2 1 .0 .0 P l a tts b u r g h A ir Force Base
1 2 8 .1 5 8 .0 . 0 NASA A m e s R esearch C e n te r
1 3 2 .2 2 .0 .0 2 3 C o m m u n ic a t i o n s Sq
1 2 8 .1 5 9 .0 . 0 NASA A m e s R esearch C e n te r
1 3 2 .2 4 .0 .0 D o v e r A i r F orce Base
1 2 8 .1 6 0 .0 . 0 N aval R esearch L a b o r a t o r y
1 3 2 .2 5 .0 .0 7 8 6 CS/S CBM
1 2 8 .1 6 1 .0 . 0 NASA A m e s R esearch C e n te r
1 3 2 . 2 7 . 0 . 0 - 1 3 2 .2 7 .2 5 5 .2 5 5
39CS/SCBBN
1 2 8 .1 8 3 .0 . 0 NASA G o d d a r d Space F lig ht
1 3 2 .2 8 .0 .0 14TH C O M M U N IC A T IO N
C e n te r
SQ U A D R O N
1 2 8 .2 0 2 .0 . 0 5 0 t h Space W i n g
1 3 2 .3 0 .0 .0 Lajes A ir Force Base
1 2 8 .2 1 6 .0 . 0 M a c D ill A i r Force Base
1 3 2 .3 1 .0 .0 L o rin g A ir Force Base
1 2 8 .2 1 7 .0 . 0 NASA K e n n e d y Space C e n te r
1 3 2 .3 3 .0 .0 60C S/S C SN M
1 2 8 .2 3 6 .0 . 0 U.S. A i r Force A c a d e m y
1 3 2 .3 4 .0 .0 C a n n o n A ir Force Base
RANGE 129
1 3 2 .3 5 .0 .0 A ltu s A i r Force Base
1 2 9 .2 3 .0 .0 S t r a te g ic D e fe n s e In i t i a t i v e
O r g a n iz a tio n
1 2 9 .2 9 .0 .0 U n ite d S ta te s M i l i t a r y A c a d e m y
1 2 9 .5 0 .0 .0 NASA M a r s h a ll Space F lig h t
C e n te r
1 3 2 .3 7 .0 .0 75 A B W
1 3 2 .3 8 .0 .0 G o o d f e l l o w AFB
1 3 2 .3 9 .0 .0 K.l. S a w y e r A ir Force Base
TABLE 3.3: Do Not Scan These IP Addresses Table
M o d u le 0 3 Page 335
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
P o r t S c a n n in g
C o u n t e r m
e a s u r e s
C E H
Urtifw^
tthiul lUch•(
U se c u s to m r u le s e t t o lo c k
C o n fig u r e f ir e w a ll a n d IDS r u le s
d o w n t h e n e t w o r k a n d b lo c k
t o d e t e c t a n d b lo c k p r o b e s
u n w a n t e d p o r t s a t t h e fire w a ll
F ilter all ICM P m e s s a g e s (i.e.
in b o u n d ICMP m e s s a g e ty p e s a n d
H id e s e n s iti v e in f o r m a ti o n f r o m
o u tb o u n d ICMP ty p e 3 u n r e a c h a b le
p u b lic v ie w
m e s s a g e s ) a t t h e fir e w a lls a n d
k
j
W /
E n su re t h a t m e c h a n is m u s e d fo r
ro u tin g a n d filte rin g a t t h e r o u te r s
P e rfo rm TCP a n d U DP s c a n n in g
a lo n g w ith ICMP p r o b e s a g a in s t y o u r
o r g a n iz a tio n ’s IP a d d r e s s s p a c e to
a n d fire w a lls re s p e c tiv e ly c a n n o t b e
b y p a s s e d u sin g p a rtic u la r s o u rc e
p o r ts o r s o u r c e - r o u tin g m e th o d s
r o u te r s
c h e c k t h e n e t w o r k c o n f ig u r a tio n
a n d its a v a ila b le p o r ts
£
E n su re th a t th e a n ti s c a n n in g
E n s u re t h a t t h e r o u t e r , IDS, a n d
fir e w a ll f ir m w a r e a r e u p d a t e d
a n d a n t i s p o o f in g r u le s a r e
t o t h e i r l a te s t r e l e a s e s
c o n f ig u r e d
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
P o rt S c a n n in g
C o u n te rm e a s u re s
As d iscu s se d p re v io u s ly , p o r t s c a n n in g p r o v id e s a l o t o f u s e fu l i n f o r m a t i o n such as IP
a d d re s s e s , h o s t n a m e s , o p e n p o r ts , e tc . t o t h e a tta c k e r . O p e n p o r t s e s p e c ia lly p r o v id e an easy
m e a n s f o r t h e a t t a c k e r t o b r e a k i n t o t h e s e c u r it y . B u t t h e r e is n o t h i n g t o w o r r y a b o u t , as y o u
can
s e c u re
your
s y s te m
or
n e tw o rk
a g a in s t
p ort
s c a n n in g
by
a p p ly in g
th e
fo llo w in g
c o u n te rm e a s u re s :
9
T h e f i r e w a l l s h o u ld be g o o d e n o u g h t o d e t e c t p r o b e s an a t t a c k e r s e n d s t o scan th e
n e t w o r k . So t h e f i r e w a l l s h o u ld c a r r y o u t s t a t e f u l i n s p e c t io n i f it has a s p e c ific r u le set.
S o m e f i r e w a l l s d o a b e t t e r j o b t h a n o t h e r s in d e t e c t i n g s t e a lth scans. M a n y f i r e w a l l s
h a v e s p e c ific o p t i o n s t o d e t e c t SYN scans, w h i l e o t h e r s c o m p l e t e l y i g n o r e FIN scans.
Q
N e t w o r k i n t r u s io n d e t e c t i o n s y s te m s s h o u ld d e t e c t t h e OS d e t e c t i o n m e t h o d used by
to o ls
such
p re v e n tio n
as
Nmap,
te c h n o lo g y
e tc.
th a t
S nort
can
(h t t p : / / . s n o r t . o r g ) is an
be
o f g re at
h e lp ,
m a in ly
i n t r u s io n
d e te c tio n
a nd
because
s ig n a t u r e s
a re
f r e q u e n t l y a v a ila b le f r o m p u b lic a u th o r s .
O n ly n e c e s s a ry p o r t s s h o u ld be k e p t o p e n ; t h e re s t o f t h e p o r ts s h o u ld be f i l t e r e d as t h e
i n t r u d e r w ill t r y t o e n t e r t h r o u g h a n y o p e n p o r t . This can be a c c o m p lis h e d w i t h t h e
c u s t o m r u le set. F ilte r in b o u n d IC M P m e s s a g e ty p e s a nd all o u t b o u n d IC M P t y p e 3
u n r e a c h a b l e m essa ge s a t b o r d e r r o u t e r s a n d f ir e w a lls .
M o d u le 0 3 Page 3 36
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
9
Exam 3 1 2 -5 0 C ertified Ethical H acker
E nsure t h a t r o u t i n g a n d f i l t e r i n g m e c h a n is m s c a n n o t be b y p a s s e d u sin g s p e c ific s o u r c e
p o rts o r s o u rc e -ro u tin g te c h n iq u e s .
9
T e s t y o u r o w n IP a d d re s s sp ace u s in g TCP a n d UDP p o r t scans as w e l l as IC M P P ro b e s t o
d e t e r m i n e t h e n e t w o r k c o n f i g u r a t io n a n d a c ce ssib le p o rts .
9
If a c o m m e r c i a l f i r e w a l l is in use, t h e n e n s u r e t h a t t h e f i r e w a l l is p a t c h e d w i t h t h e la t e s t
u p d a te s , a n t i s p o o f i n g r u le s h a v e b e e n c o r r e c t ly d e f i n e d , a n d f a s t m o d e se rv ic e s a re n o t
used in C h e ck P o in t F ir e w a ll-1 e n v i r o n m e n t s .
M o d u le 0 3 Page 337
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
C E H
Exam 3 1 2 -5 0 C ertified Ethical H acker
S c a n n in g M e th o d o lo g y
So f a r w e h a ve d iscu sse d h o w t o c h e c k f o r live s y s te m s a n d o p e n p o r ts , t h e t w o
c o m m o n n e t w o r k v u ln e r a b i l it ie s . A n IDS is t h e s e c u r it y m e c h a n is m i n t e n d e d t o p r e v e n t an
a t t a c k e r f r o m e n t e r i n g a s e c u r e n e t w o r k . Bu t, e v e n t h e IDS has s o m e l i m i t a t i o n s in o f f e r i n g
s e c u r it y . A t t a c k e r s a re t r y i n g t o la u n c h a tta c k s by e x p l o i t i n g l i m i t a t i o n s o f IDS.
Check for Live Systems
fft
Check for Open Ports
Scan for Vulnerability
t
Draw Network Diagrams
S c a n n in g B e y o n d IDS
prepare Proxies
Banner Grabbing
Scanning Pen Testing
This s e c tio n h ig h lig h ts IDS e v a s io n t e c h n i q u e s a n d S Y N /F IN s c a n n in g .
M o d u le 0 3 Page 338
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ID S E v a s io n T e c h n iq u e s
C E H
m
Use fragmented
IP packets
Spoof your
when launching attacks
and sniff responses from
server
U s e source routing
(if possible)
Connect to>
or compromised trojaned
machines to launch
attacks
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Q Q
—Q©1‫י‬
#
_ _
#
ID S E v a s io n T e c h n iq u e s
‫־‬
M o s t o f t h e IDS e v a s io n t e c h n i q u e s r e ly o n t h e use f r a g m e n t e d p r o b e p a c k e ts t h a t
r e a s s e m b le o n c e t h e y re a ch t h e t a r g e t h o s t. IDS e v a s io n can also o c c u r w i t h t h e use o f s p o o f e d
f a k e h o s ts la u n c h i n g n e t w o r k s c a n n in g p ro b e s .
Use fragmented IP packets
A t t a c k e r s use d i f f e r e n t f r a g m e n t a t i o n m e t h o d s t o e v a d e t h e IDS. T h e s e a tta c k s a re s im ila r t o
session s p lic in g . W i t h t h e h e lp o f fragroute, all t h e p r o b e p a c k e ts f l o w i n g f r o m y o u r h o s t o r
n e t w o r k can
be f r a g m e n t e d .
It can also be d o n e w i t h
th e
h e lp o f a p o r t s c a n n e r w i t h
f r a g m e n t a t i o n f e a t u r e such as N m a p . T his is a c c o m p lis h e d b e c a u s e m o s t IDS s e n s o rs fa il t o
p ro c e s s la rg e v o lu m e s o f f r a g m e n t e d p a c k e ts , as t h is in v o lv e s g r e a t e r CPU c o n s u m p t i o n a nd
m e m o r y a t t h e n e t w o r k s e n s o r level.
Use source routing (if possible)
S o u rc e r o u t i n g is a t e c h n i q u e w h e r e b y t h e s e n d e r o f a p a c k e t can s p e c ify t h e r o u t e t h a t a
p a c k e t s h o u ld t a k e t h r o u g h t h e n e t w o r k . It is a s s u m e d t h a t t h e s o u r c e o f t h e p a c k e t k n o w s
a b o u t t h e l a y o u t o f t h e n e t w o r k a n d can s p e c ify t h e b e s t p a th f o r t h e p a c k e t.
M o d u le 0 3 Page 339
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S Y N / F I N
I P
S c a n n in g
U s in g
C E H
F r a g m e n t s
The TCP header is split up into
several packets so that the packet
filters are not able to detect what
the packets intend to do
It is not a new scanning method
but a modification of the earlier
methods
&
C o m m a n d P ro m p t
C:\>nmap -sS -T4 -A -f -v 192.168.168.5
S Y N / F I N ( S m a ll IP
Starting Nmap 6.01 ( http://nmap.org ) at
2012-08-11 11:03 EDT
Initiating SYN Stealth Scan at 11:03
Scanning 192.168.168.5 [1000 ports]
Discovered open port 139/tcp on 192.168.168.5
Discovered open port 445/tcp on 192.168.168.5
Discovered open port 135/tcp on 192.168.168.5
Discovered open port 912/tcp on 192.168.168.5
Completed SYN Stealth Scan at 11:03, 4.75s
elapsed (1000 total ports)
F ra g m e n t s ) + P o r t (n)
R ST ( if p o r t is c lo s e d )
A tta c k e r
T a rg et
SYN/FIN S ca n n in g
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
S Y N /F IN
S c a n n in g U s in g IP
F ra g m e n ts
SYN/FIN s c a n n in g u sin g IP f r a g m e n t s is a m o d i f i c a t i o n o f t h e e a r lie r m e t h o d s o f
s c a n n in g ; t h e p r o b e p a c k e ts a re f u r t h e r f r a g m e n t e d . This m e t h o d c a m e i n t o e x is te n c e t o a v o id
t h e fa ls e p o s i t i v e f r o m o t h e r scans, d u e t o a p a c k e t f i l t e r i n g d e v ic e p r e s e n t o n t h e t a r g e t
m a c h in e . You h a v e t o s p lit t h e TCP h e a d e r i n t o s e v e r a l p a c k e ts in s te a d o f j u s t s e n d in g a p r o b e
p a cke t f o r a v o id in g th e
p a c k e t f ilte r s .
E ve ry TCP h e a d e r s h o u ld
in c lu d e t h e
s o u r c e a nd
d e s t i n a t i o n p o r t f o r t h e f i r s t p a c k e t d u r in g a n y t r a n s m is s io n : (8 o c t e t , 6 4 b it ) , a n d t h e in itia liz e d
fla g s in t h e n e x t, w h i c h a l l o w t h e r e m o t e h o s t t o r e a s s e m b le t h e p a c k e t u p o n r e c e ip t t h r o u g h
an I n t e r n e t p r o t o c o l m o d u l e t h a t re c o g n iz e s t h e f r a g m e n t e d d a ta p a c k e ts w i t h t h e h e lp o f fie ld
e q u i v a l e n t v a lu e s o f p r o t o c o l , s o u r c e , d e s t i n a t i o n , a n d i d e n t if ic a t i o n .
F r a g m e n t e d P a c k e ts
T h e TCP h e a d e r , a f t e r s p li t t in g i n t o sm a ll f r a g m e n t s , is t r a n s m i t t e d o v e r t h e n e t w o r k . B u t, a t
t i m e s y o u m a y o b s e r v e u n p r e d i c t a b l e r e s u lts such as f r a g m e n t a t i o n o f t h e d a ta in t h e IP h e a d e r
a f t e r t h e r e a s s e m b ly o f IP o n t h e s e r v e r side. S o m e h o s ts m a y n o t be c a p a b le o f p a r s in g and
r e a s s e m b lin g t h e f r a g m e n t e d p a c k e ts , a n d t h u s m a y ca use crash es, r e b o o ts , o r e v e n n e t w o r k
d e v ic e m o n i t o r i n g d u m p s .
M o d u le 0 3 Page 3 40
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
F ir e w a lls
S o m e f i r e w a l l s m a y h a ve r u le sets t h a t b lo c k IP f r a g m e n t a t i o n q u e u e s in t h e k e rn e l (like th e
CONFIG _IP_ALW A YS_D EFR AG
o p tio n
in
th e
L in ux
k e rn e l) ,
a lt h o u g h
t h is
is
not
w id e ly
i m p l e m e n t e d d u e t o t h e a d v e rs e e f f e c t o n p e r f o r m a n c e . Since s e v e ra l in t r u s io n s d e t e c t i o n
s y s te m s e m p l o y s ig n a t u r e - b a s e d m e t h o d s t o i n d ic a t e s c a n n in g a t t e m p t s b a se d o n IP a n d / o r th e
TCP h e a d e rs , f r a g m e n t a t i o n is o f t e n a b le t o e v a d e t h is t y p e o f p a c k e t f i l t e r i n g a n d d e t e c t i o n .
T h e r e is a p r o b a b i l i t y o f n e t w o r k p r o b l e m s o n t h e t a r g e t n e t w o r k .
SYN/FIN (Small IP
Fragments) + Port (n)
..................................................»
< ....................................................
RST (if p o r t is closed)
_
Attacker
Target
FIGURE 3.43: SYN/FIN Scanning
N m a p c o m m a n d p r o m p t s f o r SYN/FIN scan.
m
Command Prompt
C :\> O m a p
-s S
-T 4
-A
- f
- v : 1 9 2 . 1 6 8 .1 6 :8 .!
S t a r t i n g Nmap 6 .0 1 ( h t t p : / / n m a p . o r g } a t:
2 D 1 2 -P 8 -1 1 • 1 1 : 03 jSDT................... .........................
I n i t i a t i n g SYN S t e a l t h S can a t 1 1 :0 3
S c a n n in g 1 9 2 .1 6 8 .1 6 8 .5 [1 0 00 p o r t s ]
D is c o v e r e d o p e n
p o r t 1 3 9 / t c p on 1 9 2 .1 6 8 .1 6 8 .
D is c o v e r e d o p e n
p o r t 4 4 5 / t c p on 1 9 2 .1 6 8 .1 6 8 .
D is c o v e r e d o p e n
D is c o v e r e d o p e n
p o r t ! 3 5 / t c p . On
p o r t 9 1 2 / t c p 0n
1 9 2 .1 6 8 .1 6 8 .
1 9 2 .1 6 8 .1 6 8 .
C o m p le te d SYN S t e a l t h Scan a t 1 1 :0 3 ,
e la p s e d (1000 t o t a l p o r t s )
4 .7 5 s
FIGURE 3.44: Nmap showing SYN/FIN Scanning Result
M o d u le 0 3 Page 341
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
®‫מ‬
|' “
C h e c k for
Exam 3 1 2-50 C ertified Ethical H acker
ft
yj
Live S y s t e m s
C h e c k for
O p e n Ports
_ r )__
^
Ml
Scan for
‫ך‬
.
1 1HUH k -i ‫־‬
1
1
r ‫ר‬-J n _
M ---1/
‫__ב‬
a □
_____
Scanning
Banner
B e y o n d IDS
Grabb i n g
Draw Network ‫ן‬
Vulnerability
c
Diagrams
Prepare!
Scanning
Proxies
P e n Testing
Copyright © by EG-Gouncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
=‫יי־‬
:ir
C E H
S c a n n in g
M e th o d o lo g y
So f a r w e h a ve d iscu sse d h o w t o c h e c k f o r live s y s te m s , o p e n p o r ts , a n d scan b e y o n d
IDS. All o f th e s e a re t h e d o o r w a y s f o r an a t t a c k e r t o b r e a k i n t o a n e t w o r k . A n o t h e r i m p o r t a n t
t o o l o f an a t t a c k e r is b a n n e r g ra b b in g , w h i c h w e w i ll discuss n e x t.
Check for Live Systems
191
Check for Open Ports
Scanning Beyond IDS
^
B a n n e r G ra b b in g
Scan for Vulnerability
r
Draw Network Diagrams
Q f c i prepare Proxies
Scanning Pen Testing
T his s e c tio n h ig h lig h ts b a n n e r g ra b b in g , t h e n e e d t o p e r f o r m b a n n e r g ra b b in g , v a r io u s w a y s o f
b a n n e r g ra b b in g , a n d t h e t o o l s t h a t h e lp in b a n n e r g ra b b in g .
M o d u le 0 3 Page 342
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
B a n n e r G r a b b in g
J
Banner grabbing or OS fingerprinting is the method to determine the operating
system running on a remote target system. There are two types of banner grabbing:
active and passive.
A ctive B a n n e r G rabbing
®
P a ssiv e B a n n e r G rabbing
S p e c ia lly c r a f t e d p a c k e ts a r e s e n t t o r e m o t e OS
®
a n d t h e r e s p o n s e is n o te d
®
Error m e ssag e s provide info rm atio n su ch as ty p e of
server, ty p e o f OS, a n d SSL tool u sed by th e ta rg e t
re m o te system
T h e r e s p o n s e s a r e t h e n c o m p a r e d w ith a
d a t a b a s e t o d e t e r m i n e t h e OS
®
©
R e s p o n s e f r o m d if f e r e n t O S e s v a r ie s d u e to
S n iffin g t h e n e t w o r k tr a f f ic :
C apturing an d analyzing pack ets from th e ta rg e t
e n a b le s an attack e r to d e te rm in e OS u sed by th e
re m o te system
d if f e re n c e s in T C P /IP s ta c k i m p l e m e n t a t i o n
e
BQB
‫ח‬
B a n n e r g ra b b in g fro m e rro r m e ss a g e s:
□ ‫□ם‬
B a n n e r g ra b b in g fro m p a g e e x te n s io n s :
Looking fo r an ex ten sio n in th e URL m ay a ssist in
d eterm in in g th e app licatio n version
Exam ple: .aspx => IIS serv er an d W indow s p latform
Why Banner Grabbing?
Id e n tify in g t h e OS u s e d o n t h e t a r g e t h o s t a llo w s a n a t ta c k e r t o f ig u r e o u t t h e v u ln e r a b il iti e s t h e
s y s t e m p o s s e s a n d t h e e x p lo its t h a t m ig h t w o r k o n a s y s te m t o f u r t h e r c a r r y o u t a d d i t i o n a l a t t a c k s
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
B a n n e r G ra b b in g
B a n n e r g r a b b i n g o r OS f i n g e r p r i n t i n g is a m e t h o d t o d e t e r m i n e t h e o p e r a t i n g s y s te m
r u n n i n g o n a r e m o t e t a r g e t s y s t e m . B a n n e r g r a b b i n g is i m p o r t a n t f o r h a c k in g as it p r o v id e s y o u
w i t h a g r e a t e r p r o b a b i l i t y o f success in h a c k in g . T his is b e c a u s e m o s t o f t h e v u l n e r a b i l it ie s are
OS s p e c ific . T h e r e f o r e , if y o u k n o w t h e OS r u n n i n g o n t h e t a r g e t s y s te m , y o u can h a c k t h e
s y s te m b y e x p l o i t i n g t h e v u l n e r a b i l it ie s s p e c ific t o t h a t o p e r a t i n g s y s te m .
B a n n e r g r a b b i n g can be c a r r ie d o u t in t w o w a y s : e i t h e r by s p o t t i n g t h e b a n n e r w h i l e t r y i n g t o
c o n n e c t t o a se rv ic e such as FTP o r d o w n l o a d i n g t h e b i n a r y f i l e / b i n / l s t o c h e c k t h e a r c h it e c t u r e
w i t h w h i c h it w a s b u ilt.
Banner
g ra b b in g
is
p e rfo rm e d
u sin g
th e
fin g e rp rin tin g
te c h n iq u e .
A
m ore
advanced
f i n g e r p r i n t i n g t e c h n i q u e d e p e n d s o n sta c k q u e r y i n g , w h i c h t r a n s f e r s t h e p a c k e ts t o t h e n e t w o r k
h o s t a n d e v a lu a te s p a c k e ts b ase d o n t h e r e p ly . T h e f i r s t s ta c k q u e r y i n g m e t h o d w a s d e s ig n e d
c o n s id e r in g t h e TCP m o d e o f c o m m u n i c a t i o n , in w h i c h t h e re s p o n s e o f t h e c o n n e c t i o n r e q u e s ts
is e v a lu a te d . T h e n e x t m e t h o d w a s k n o w n as ISN ( In itia l S e q u e n c e N u m b e r ) analysis. This
i d e n t if ie s t h e d if f e r e n c e s in t h e r a n d o m n u m b e r g e n e r a t o r s f o u n d in t h e TCP sta ck. A n e w
m e t h o d , u s in g t h e ICMP p r o t o c o l , is k n o w n as IC M P r e s p o n s e a n a ly s is . It c o n s is ts o f s e n d in g
t h e IC M P m e ssa g e s t o t h e r e m o t e h o s t a n d e v a l u a t i n g t h e r e p ly . T h e la t e s t IC M P m e s s a g in g is
M o d u le 0 3 Page 343
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
k n o w n as t e m p o r a l re s p o n s e analysis. Like o t h e r s , t h is m e t h o d uses t h e TCP p r o t o c o l . T e m p o r a l
r e s p o n s e a n a lys is lo o k s a t t h e r e t r a n s m i s s i o n t i m e o u t (RTO) r e s p o n s e s f r o m a r e m o t e h o s t.
T h e r e a re t w o t y p e s o f b a n n e r g r a b b i n g t e c h n i q u e s a v a ila b le ; o n e is a c tiv e a n d t h e o t h e r is
passive.
A c tiv e B a n n e r G r a b b in g
A c t iv e b a n n e r g r a b b i n g is based o n t h e p r in c ip le t h a t an o p e r a t i n g s y s te m 's IP sta c k
has a u n i q u e w a y o f r e s p o n d i n g t o s p e c ia lly c r a f t e d TCP p a c k e ts . This arises b e c a u s e o f d i f f e r e n t
i n t e r p r e t a t i o n s t h a t v e n d o r s a p p ly w h i l e i m p l e m e n t i n g t h e TCP/IP s ta c k o n t h e p a r t i c u l a r OS. In
a c tiv e b a n n e r g ra b b in g , a v a r i e t y o f m a l f o r m e d p a c k e ts a re s e n t t o t h e r e m o t e h o s t, a n d t h e
r e s p o n s e s a re c o m p a r e d t o a d a ta b a s e .
For in s ta n c e , in N m a p , t h e OS f i n g e r p r i n t o r b a n n e r g r a b b i n g is d o n e t h r o u g h e ig h t te s ts . T h e
e ig h t te s ts a re n a m e d T l , T2, T3, T4, T5, T6, T7, a n d PU ( p o r t u n r e a c h a b le ) . Each o f th e s e te s ts
is i l lu s t r a t e d as f o l lo w s , as d e s c r ib e d in w w w . p a c k e t w a t c h . n e t :
T l: In t h is te s t , a TCP p a c k e t w i t h t h e SYN a n d ECN-Echo fla g s e n a b le d is s e n t t o an o p e n TCP
p o rt.
T2: It in v o lv e s s e n d in g a TCP p a c k e t w i t h n o fla g s e n a b le d t o an o p e n TCP p o r t . T his t y p e o f
p a c k e t is k n o w n as a NULL p a c k e t.
T3: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e URG, PSH, SYN, a n d FIN fla gs e n a b le d t o an o p e n
TCP p o r t.
T4: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e ACK fla g e n a b le d t o an o p e n TCP p o r t.
T5: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e SYN fla g e n a b le d t o a c lo s e d TCP p o r t .
T6: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e ACK fla g e n a b le d t o a c lo s e d TCP p o r t .
T7: It in v o lv e s s e n d in g a TCP p a c k e t w i t h t h e URG, PSH, a n d FIN fla g s e n a b le d t o a c lo s e d TCP
p o rt.
PU (Port Unreachable): It in v o lv e s s e n d in g a UDP p a c k e t t o a c lo s e d UDP p o r t . T h e o b j e c t iv e is
t o e x t r a c t an " I C M P p o r t u n r e a c h a b l e " m e s s a g e f r o m t h e t a r g e t m a c h in e .
T h e last t e s t t h a t N m a p p e r f o r m s is n a m e d TSeq f o r TCP S e q u e n c a b ilit y te s t. This t e s t tr ie s t o
d e t e r m i n e t h e s e q u e n c e g e n e r a t io n p a t t e r n s o f t h e TCP in itia l s e q u e n c e n u m b e r s , also k n o w n
as TCP ISN s a m p li n g , t h e IP i d e n t i f i c a t i o n n u m b e r s (also k n o w n
t i m e s t a m p n u m b e r s . T h e t e s t is p e r f o r m e d
as IPID s a m p li n g ) , a n d t h e TCP
b y s e n d in g six TCP p a c k e ts w i t h t h e SYN fla g
e n a b le d t o an o p e n TCP p o r t.
The
o b j e c t iv e
is
to
fin d
p a tte rn s
in
th e
in itia l
sequence
of
n u m b e rs
th a t
th e
TCP
i m p l e m e n t a t i o n s c h o o s e w h i l e r e s p o n d i n g t o a c o n n e c t i o n r e q u e s t. T he se can be c a te g o r iz e d
i n t o m a n y g r o u p s such as t h e t r a d i t i o n a l 6 4 K ( m a n y o ld UN IX b oxe s), r a n d o m
( n e w e r v e r s io n s o f Solaris,
IRIX, FreeBSD,
D ig ita l
UNIX, Cray, a n d
in c re m e n ts
m a n y o th e r s ) , o r T ru e
" r a n d o m " (L in u x 2 .0 . * , O p e n V M S , n e w e r AIX, e tc.). W i n d o w s b o x e s use a " t i m e - d e p e n d e n t "
m o d e l w h e r e t h e ISN is i n c r e m e n t e d by a fix e d a m o u n t f o r e a ch t i m e p e r io d .
M o d u le 0 3 Page 344
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S o u rc e : w w w . i n s e c u r e . o r g , " M o s t o p e r a t i n g s y s te m s i n c r e m e n t a s y s t e m - w i d e IPID v a lu e f o r
e ach p a c k e t t h e y se n d . O th e rs , such as O p e n B S D , use a r a n d o m IPID a n d s o m e s y s te m s (like
Linux) use an IPID o f 0 in m a n y cases w h e r e t h e ‫ ׳‬D o n 't F r a g m e n t ‫ ׳‬b it is n o t set. W i n d o w s d o e s
n o t p u t t h e IPID in n e t w o r k b y t e o r d e r , so it i n c r e m e n t s b y 2 5 6 f o r e ach p a c k e t. A n o t h e r
n u m b e r t h a t can be s e q u e n c e d f o r OS d e t e c t i o n p u r p o s e s is t h e TCP t i m e s t a m p o p t i o n va lu e s .
S o m e s y s te m s d o n o t s u p p o r t t h e f e a t u r e ; o t h e r s i n c r e m e n t t h e v a lu e a t f r e q u e n c ie s o f 2HZ,
1 00HZ, o r 1 0 0 0 H Z a n d still o t h e r s r e t u r n 0.
P a s s iv e B a n n e r G ra b b in g
S o u rc e : h t t p : / / h o n e y n e t . o r g
Like
a c tiv e
banner
g ra b b in g ,
p assive
banner
g ra b b in g
is also
b ase d
on
th e
d iffe re n tia l
i m p l e m e n t a t i o n o f t h e sta c k a nd t h e v a r io u s w a y s an OS r e s p o n d s t o p a c k e ts . H o w e v e r , in s te a d
o f r e ly in g o n s c a n n in g t h e t a r g e t h o s t, p assive f i n g e r p r i n t i n g c a p tu r e s p a c k e ts f r o m t h e t a r g e t
h o s t via s n if f i n g t o s t u d y f o r t e l l t a l e signs t h a t can re v e a l an OS.
T h e f o u r a re as t h a t a re t y p i c a l l y n o t e d t o d e t e r m i n e t h e o p e r a t i n g s y s te m are:
9
TTL - W h a t t h e o p e r a t i n g s y s te m sets t h e T im e T o Live o n t h e o u t b o u n d p a c k e t
9
W i n d o w Size - h a t t h e o p e r a t i n g s y s te m sets t h e W i n d o w size
9
DF - D oes t h e o p e r a t i n g s y s te m se t t h e D o n ' t F r a g m e n t b it
9
OS - D oes t h e o p e r a t i n g s y s te m s e t t h e T y p e o f Service, a n d i f so, a t w h a t
Passive f i n g e r p r i n t i n g has t o be n e i t h e r f u l l y a c c u r a te n o r be l i m i t e d t o th e s e f o u r s ig n a tu r e s .
H ow ever,
by
l o o k in g
a t s e v e ra l
s ig n a t u r e s
and
c o m b in in g
in fo rm a tio n ,
accuracy
can
be
i m p r o v e d . T h e f o l l o w i n g is t h e a n a ly sis o f a s n if fe d p a c k e t d is s e c te d by Lance S p itz n e r in his
p a p e r o n p assive f i n g e r p r i n t i n g ( h t t p : / / w w w . h o n e y n e t . o r g / p a p e r s / f i n g e r / ).
0 4 / 2 0 - 2 1 : 4 1 : 4 8 . 1 2 9 6 6 2 1 2 9 .1 4 2 .2 2 4 . 3 :6 5 9 -> 1 7 2 .1 6 .1 .1 0 7 :6 0 4
TCP TTL:45 TOS:OxO ID :5 6 2 5 7
* * * F * * A * Seq: 0 x 9 D D 9 0 5 5 3
A ck: 0 xE 3 C 6 5 D 7 W i n : 0 x 7 D 7 8
Based o n t h e f o u r c r it e r ia , t h e f o l l o w i n g a re i d e n t if ie d :
9
TTL: 4 5
9
W i n d o w Size: 0 x 7 D 7 8 ( o r 3 2 1 2 0 in d e c im a l)
9
DF: T h e D o n 't F r a g m e n t b i t is se t
9
TOS: 0 x 0
D a t a b a s e S ig n a tu r e s
T his i n f o r m a t i o n is t h e n c o m p a r e d t o a d a ta b a s e o f s ig n a tu r e s . C o n s id e r in g t h e TTL used b y t h e
r e m o t e h o s t, it is d e t e r m i n e d f r o m t h e s n if f e r t r a c e t h a t t h e TTL is se t a t 4 5. T his in d ic a te s t h a t
it w e n t t h r o u g h 19 h o p s t o g e t t o t h e t a r g e t , so t h e o rig in a l TTL m u s t h a ve b e e n s e t a t 64.
M o d u le 0 3 Page 345
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Based o n t h is TTL, it a p p e a r s t h a t t h e p a c k e t w a s s e n t f r o m a L in u x o r F reeB S D b o x ( h o w e v e r ,
m o r e s y s te m s ig n a t u r e s n e e d t o be a d d e d t o t h e d a ta b a s e ). T his TTL is c o n f i r m e d b y d o i n g a
t r a c e r o u t e t o t h e r e m o t e h o s t. If t h e tr a c e n e e d s t o be d o n e s t e a lt h ily , t h e t r a c e r o u t e t i m e - t o live ( d e f a u l t 3 0 h o p s ) can be se t t o be o n e o r t w o h o p s less t h a n t h e r e m o t e h o s t ( -m o p t i o n ) .
S e ttin g t r a c e r o u t e
in th is
m anner
re v e a ls t h e
p a th
in fo rm a tio n
( in c lu d in g
th e
u p s tre a m
p r o v id e r ) w i t h o u t a c t u a l ly t o u c h i n g t h e r e m o t e h o s t.
W indow Sizes
T h e n e x t s te p is t o c o m p a r e w i n d o w sizes. T h e w i n d o w size is a n o t h e r e f f e c t i v e t o o l t h a t
d e t e r m i n e s s p e c ific a lly w h a t w i n d o w size is used a n d h o w o f t e n t h e size is c h a n g e d . In t h e
p r e v io u s s ig n a t u r e , it is s e t a t 0 x 7 D 7 8 , a d e f a u l t w i n d o w size is c o m m o n l y used b y L inux. In
a d d it io n , FreeBSD a n d Solaris t e n d t o m a i n t a i n t h e s a m e w i n d o w size t h r o u g h o u t a sessio n.
H o w e v e r , Cisco r o u t e r s a nd M i c r o s o f t W i n d o w s / N T w i n d o w sizes a re c o n s t a n t ly c h a n g in g . T h e
w i n d o w size is m o r e a c c u r a te if m e a s u r e d a f t e r t h e in itia l t h r e e - w a y h a n d s h a k e (d u e t o TCP
s l o w s ta rt).
Session Based
M o s t s y s te m s use t h e DF b it set, so t h i s is o f l i m i t e d v a lu e . H o w e v e r , t h is d o e s m a k e it e a s ie r t o
i d e n t i f y t h e f e w s y s te m s t h a t d o n o t use t h e DF f l a g (such as SCO o r O p e n B S D ). TOS is also o f
l i m i t e d v a lu e , since it s e e m s t o be m o r e s e s s io n -b a s e d t h a n o p e r a t i n g - s y s t e m - b a s e d . In o t h e r
w o r d s , it is n o t so m u c h t h e o p e r a t i n g s y s te m t h a t d e t e r m i n e s t h e TOS, b u t t h e p r o t o c o l used.
T h e r e f o r e , b a se d o n t h is i n f o r m a t i o n , s p e c ific a lly TTL a nd w i n d o w size, o n e can c o m p a r e t h e
r e s u lts t o t h e d a ta b a s e o f s ig n a t u r e s a n d , w i t h a d e g r e e o f c o n f i d e n c e , d e t e r m i n e t h e OS (in
t h is case, L in ux k e rn e l 2.2.x).
Just as w i t h a c tiv e f i n g e r p r i n t i n g , p assive f i n g e r p r i n t i n g has s o m e l i m i t a t i o n s . First, a p p lic a t io n s
t h a t b u ild t h e i r o w n
p a c k e ts (such as N m a p , h u n t , n e m e s is , e tc .) w ill
n o t use t h e s a m e
s ig n a t u r e s as t h e o p e r a t i n g s y s te m . S e co n d , it is r e l a t iv e l y s im p le f o r a r e m o t e h o s t t o a d ju s t
t h e TTL, w i n d o w size, DF, o r TOS s e t t i n g o n p a cke ts.
Passive f i n g e r p r i n t i n g can be used f o r s e v e ra l o t h e r p u r p o s e s . C ra ck e rs can use " s t e a l t h y "
f i n g e r p r i n t i n g . For e x a m p le , t o d e t e r m i n e t h e o p e r a t i n g s y s te m o f a p o t e n t i a l t a r g e t , such as a
w e b s e rv e r, o n e n e e d o n l y r e q u e s t a w e b p ag e f r o m t h e s e rv e r, a n d t h e n a n a ly z e t h e s n if f e r
tra c e s . T his b yp a sse s t h e n e e d f o r u sin g an a c tiv e t o o l t h a t v a r io u s IDS s y s te m s can d e t e c t . Also,
passive f i n g e r p r i n t i n g m a y be used t o i d e n t i f y r e m o t e p r o x y f ir e w a lls . Since p r o x y f i r e w a l l s
r e b u i l d c o n n e c t i o n s f o r c lie n ts , it m a y be p o s s ib le t o ID p r o x y f i r e w a l l s b ase d o n t h e s ig n a t u r e s
th a t have been
d iscu ssed . O r g a n iz a tio n s can
use
p assive f i n g e r p r i n t i n g t o
id e n tify
rogue
s y s te m s o n t h e i r n e t w o r k . T h e se w o u l d be s y s te m s t h a t a re n o t a u t h o r i z e d o n t h e n e t w o r k .
W h y B a n n e r G ra b b in g ?
I d e n t i f y i n g t h e OS u sed o n t h e t a r g e t h o s t a llo w s an a t t a c k e r t o f i g u r e o u t t h e
v u ln e r a b i l it ie s t h e s y s te m possesses a n d t h e e x p lo it s t h a t m i g h t w o r k o n a s y s te m t o f u r t h e r
c a r r y o u t a d d it io n a l a tta c k s .
M o d u le 0 3 Page 346
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
B a n n e r G r a b b in g T o o ls
-J ID S e rv e is u s e d t o id e n tify t h e m a k e , m o d e l, a n d
J
N e tc ra f t r e p o r t s a s ite 's o p e r a t in g s y s te m , w e b
s e r v e r , a n d n e tb lo c k o w n e r t o g e t h e r w ith , if
It is a ls o u s e d to id e n tify non-H T T P (n o n -w e b )
a v a ila b le , a g r a p h ic a l v ie w o f t h e ti m e s in c e la s t
I n te r n e t s e rv e rs su c h a s FTP, SMTP, POP, NEWS, e tc .
r e b o o t f o r e a c h o f t h e c o m p u te r s s e rv in g t h e s ite
N etcraft
ID Serve
©BSwve
■■ ‫ך‬
a
III 0 r\r 0
|
_
J
v e r s io n o f a n y w e b s i t e ^ s e r v e r s o f tw a r e
y
Iniemet Server Ideniiftcahon Utility v l 0
2
PersonalSecurityFreewarebySteveGibten
CoppgNfcl‫מי‬yfttwnRet«0ci«Cap&
03
011e1y |
a
f'"*» copy / p it•
lr»—‫*ר‬
0 « A /b *p « » 5
t»
URL w IP «
!‫«| «*־‬vjfr<l• w m rncroKO tan(
1 Iccttmedhoclier com ~|‫־‬
‫לי‬I/ I AW
^‫־־־‬7|fwa<rvw
‫־־‬7‫ ־־־־‬j *.t W
htrvim•rtlrl*
tn«iURl0•IPKh01 ♦!•-‫י‬p0'•«*l*•d* *«b•o*v*«‫׳‬
baton 1>r*.*• •
3 ‫»י^*ז‬y ypowx‫!״‬oorta1i. 8<1011
37 80 111 53
( ; ILas*‫־‬Wcam«d Aed
jETaa « StSt'
:c t
J n
(/‫ •־‬MDb UMI
?dC "
[Seiver McrDsoNIS/bO I
! :.•P n v ^ o 1-fly A S P M F jl
TnewiverterttwdlMtM
fr"1
$201010Swv•«*6r-*9®
http://www. grc.com
http://toolbar. netcraft.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
B a n n e r G ra b b in g
T o o ls
B a n n e r g r a b b in g can be d o n e e v e n w i t h t h e h e lp o f to o ls . M a n y t o o l s a re a v a ila b le in
t h e m a r k e t . T h e se t o o l s m a k e b a n n e r g r a b b i n g an easy ta sk. T h e f o l l o w i n g a re e x a m p le s o f
b a n n e r g r a b b i n g to o ls :
\ ‫׳ ׳‬j
ID S e rv e
S o u rc e : h t t p : / / w w w . g r c . c o m
ID Serve is u sed t o i d e n t i f y t h e m a k e , m o d e l , a n d v e r s io n o f a n y w e b s i t e 's s e r v e r s o f t w a r e ; it is
also used t o i d e n t i f y n o n -H T T P ( n o n - w e b ) I n t e r n e t s e rv e rs such as FTP, SM TP, POP, NEWS, e tc.
M o d u le 0 3 Page 347
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
© ID S * ™
I- q - F B
■
|
|
^
0
Background
r y
P
Se!v»r Query
|
O &A/Help
Enter a
or copy / pa-.te
paste an Interne! server U R L or
ot IP *
a ir
Mteesssi here (example
1
Irnrtifmdhncker
|c
e ftil B d h n ck e r com
co w
^
(2
U :4J
Internet Server Identification utilityvl 02
Personal Security Freeware by Steve Gibson
CopyngN Ic) 2003 by Gfcson Research Cap
mmrraaosoW
rmaosoH com)
|
Query The Server
W hen an Inlemer U R L ot IP has been provided above
press the button to n b ate a query 01 the s p e c fo d server
*‫י‬
Server query processng
ft
Lest-Modrtied Wed. 12 Jan 2U11 Ub
Accept-Ranges none
ETaa •Q76b5t18b2cb1 17d0 5 r
Server MioosolHIS/6 0
X-Powered-By A SPN ET
Ub tiM I
Ihe terveridentted (tel as
C0(V
E*
(j 010 ID Serve web page
FIGURE 3.45: ID Serve Screenshot
N e tc ra ft
S o u rc e : h t t p : / / t o o l b a r . n e t c r a f t . c o m
N e t c r a f t r e p o r t s a s ite 's o p e r a t i n g s y s te m , w e b s e rv e r, a n d n e t b l o c k o w n e r t o g e t h e r w i t h , if
a v a ila b le , a g r a p h ic a l v i e w o f t h e t i m e sin ce last r e b o o t f o r e a ch o f t h e c o m p u t e r s s e rv in g t h e
site .
‫ ח‬ETC RAFT
S it e r e p o r t f o r c e r t if le d h a c k e r . c o m
Netcraft Toolbar
•) Mom#
•
SHo
h ttp / ccrtA «< jhjd‫׳‬.»‫׳‬.eom
D om ain
com
1 day 99 0
g ra p *
N o tb k x k
im VAW» i>L H osting
E 2 ) Uptimo
Download Nowl
• Rapwt a P hah
• Top R • port •re
• P N M tttC tu n tM •
• PN»hle»lHo»lefa
• Mod Popular WaDc<tet
IP w M m k i
202 75.54.101
S it• ran k
270S0I
C o untry
D
N «nM K«rv»r
ncO.rtoyo ar1yfooc.com
DM• flnt
00c*mfc«K 2002
DNS a dm in
«dn«n9n0Y «artyf«M com
dxoMS.com
R e v e rs e
DNS
n s 1 .noyear1yfeet.com
1‫־‬#ftA *flh»d‫ ׳ • ׳‬com.
N « m i ( 1v 1 r
S u c c t t t Id e a IT Services,
cercrtetir1acfcer.com.
ce‫־‬ttW h jcV « r com.
92345. united Scatts
organisation Oamansara Java. Recakng
Jaym. S elangor. 4 7 400.
Mr
see•
Domain
•I
• Tail a Fntoa
T o o lb a r S u p p o rt
.
*
•
a
L a st ro b o o t
FAQ
Glossary
Contact Us
Report ‫ ג‬Bug
T u to ria ls
• Installing ‫ • מ‬Tooioar
• u w r 0 me Toolbar
• Gatling m Most
R«pt>org a Phish
A b o u t N e tc ra ft
fJGlcrart Horn#
• About Nttcrafl
O r g itk a tio •
Malaysia
C heck
a n o th e r s ite :
N o s t l n g H is to r y
L ast
changed
Net block O w n e r
IP a d d r e s s
IM V M S DC
Hostm g
2 0 2 .7 $ . ‫ צ‬4 . 101 W indow s s«rv « r
2003
Microsoftn s /e .Q
1 /-Ju >~2012
TM VADS DC
Hostm g
202.75 .5 4 .1 0 1
W indow s S e rver
2003
Microsoft
IIS/6.0
9 )on 2012
TM VADS DC
H osting
202.75 .5 4 .1 0 1
W indow* Server
2003
Microsoft•
IIS /6.0
9-May-2012
TM VADS DC
Hostm o
2 02.75.54.101
Window* Server
2003
Microsoft•
115/6.0
9-Apr-2012
TM VADS DC
H osting
?07.7S .S 4.101
Window* Server
MicrosoftIIS/C.O
OS
W e b S e rv e r
19-Feb20 1 2
FIGURE 3.46: Netcraft Screenshot
M o d u le 0 3 Page 3 48
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
B a n n e r G r a b b in g T o o ls
(C o n t’d)
1. #
nc
2 . G ET
- w
/
w w w .ju g g y b o y .c o m
CEH
8 0 - press[Enter]
H T T P / 1 . 0 - Press [Enter] tw ic e
f*r
This utility reads and
writes data across
network connections,
using the TCP/IP
protocol
Etf* V‫ ■״‬im m
ro o t e b t :- # rc - v * www .jtoayboy.co■ 8©
DNS fw d /re i/ mismatch• www.jugcydoy.toa
</ww. j Lggybay . con 1295 .1 7 8 .1 5 2 .2 6] 30
GET / M TTP/1.9
HTTP/1 .1 296 OK
Connection: elo se
Date: Mon, 13 Aug 2912 12 :1 4 :1 0 GMT
co n ten t-L e n g th : 2 1 0 ‫|נ‬
C o n te n t-iv p e : t e x t / r i p l ^
I
C o n ten t-< C cat#rn: h t t p : 7 /1 6 .4 « . 26. ‫ מ‬/ b « f a u It I h t n
L a s t•M o d itie d : Wed. 19 Apr 2366 2 2 :0 9 :1 2 GMT
Acceot•Ranges:
none
ETaa: 9‫ ־‬b46bc3fd53c61:7a49‫־‬
S e rv e r: M ic r o s o f t - IIS / 6 .0
M lrr0 ( 0 f t O f f ic * W * b ( * r v t r ! 5 .8 Pub
X Powered-By: ASP.MET
*r
1. t e ln e t
T e ln e t
2 . G ET
/
S e rv e r id en tified a s
M icrosoft-1 IS/6.0
t r a c k
h ttp : //n e tc a t.s o u r c e fo r g e .n e t L
w w w .c e r tifie d h a c k e r .c o m
8 0 - press[Enter]
H T T P / 1 . 0 - Press [Enter] tw ic e
C .\ W in d o w A iy 5 te m 3 2 \ c m d .c x e
HTTP/ 40 1.1‫׳‬J Forbidde
n t-U n g th :
This technique probes
HTTP servers to
determine the Server
field in the HTTP
response header
21H
S e rv e r id en tified a s
M icrosoft-1 IS/6.0
»»: H i P M c n f t - l I S / h . M
ChtmlXheadXtit le>Error<StitleXsheadXbodvXheadXtitle>Di»»ecto1*v List ing D
od</t it lo X‫׳׳׳‬hoad>
ChodyXhl )Directory Listing Den1ed</‫־‬hi >This Uirtual Director
oe3 oot allow contents to be listed. </-‫׳‬bodyX/'bodyX/yhtnl>
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
B a n n e r G ra b b in g
L*
T o o l s ( C o n t ’d )
N e tc a t
‫ש‬
S o u rc e : h t t p : / / n e t c a t . s o u r c e f o r g e . n e t
N e t c a t is a n e t w o r k i n g u t i l i t y t h a t re a d s a n d w r i t e s d a t a acro ss n e t w o r k c o n n e c t i o n s , w i t h t h e
h e lp o f t h e TCP/IP p r o t o c o l . It is d e s ig n e d t o be a r e lia b le " b a c k - e n d " t o o l t h a t can be used
d ir e c t ly o r e a sily d r iv e n b y o t h e r p r o g r a m s a n d s c rip ts . It p r o v id e s access t o t h e f o l l o w i n g ke y
fe a t u r e s :
©
O u t b o u n d a n d i n b o u n d c o n n e c t i o n s , TCP o r UDP, t o o r f r o m a n y p o rts .
©
F e a tu re d t u n n e l i n g m o d e , w h i c h also a llo w s sp ecial t u n n e l i n g such as UDP t o TCP, w i t h
t h e p o s s ib ilit y o f s p e c ify in g all n e t w o r k p a r a m e t e r s ( s o u rc e p o r t / i n t e r f a c e , lis te n in g
p o r t / i n t e r f a c e ) , a n d t h e r e m o t e h o s t a ll o w e d t o c o n n e c t t o t h e t u n n e l .
©
B u ilt -in p o r t - s c a n n i n g c a p a b ilit ie s , w i t h r a n d o m i z e r .
©
A d v a n c e d usage o p t i o n s , such as b u f f e r e d s e n d - m o d e (o n e lin e e v e r y N s e c o n d s ) a nd
h e x d u m p (to s t d e r r o r t o a s p e c ifie d file ) o f t r a n s m i t t e d a n d r e c e iv e d d a ta .
O p t i o n a l RFC854 t e l n e t c o d e s p a r s e r a n d r e s p o n d e r . You can use t h e N e t c a t t o o l f o r g r a b b i n g
t h e b a n n e r o f a w e b s i t e by f o l l o w i n g t h is p ro c e ss. H e re , t h e b a n n e r g r a b b i n g is d o n e o n t h e
w w w . J u g g y b o y . c o m w e b s e rv e r f o r g a t h e r i n g t h e s e r v e r fie ld s such as s e r v e r t y p e , v e r s io n , e tc.
M o d u le 0 3 Page 349
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
©
# nc - v v w w w . j u g g y b o y . c o m 8 0 - p re s s [E n te r]
e
GET / H T T P /1 .0 - Press [E n te r ] t w i c e
F ro m t h e s c r e e n s h o t , y o u can o b s e r v e t h e a re a h ig h l i g h t e d in re d c o lo r is a s e r v e r v e r s io n
(M ic ro s o ft-IIS /6 .0 ).
file Edit ytew Jferminal Help
ro o t@ b t:-# nc -vv www.juggyboy.com 80
DNS fw d /re v mismatch: www.juggyboy.com ! * w2k3-web26. p ro d . n e ts o lh o s t. con
www.juggyboy.com [2 0 5 .1 78 .1 5 2 .2 6] 80 (www) open
GET / HTTP/1.0
HTTP/1.1 200 OK
C onnection: close
Date: Mon, 13 Aug 2012 12:14:1G GMT
C on te n t-L e ng th: 2165M
C ontent-Tvpe: t e x t /
s
C o n te n t^ffo ca titin : h t t p :/ /1 0 . 4 9 . 3 9 . 2 6 /d e fa u lt .htni
L a s t-M o d ifie d : Wed, 19 Apr 2006 22:09:12 GMT
Accept■Ranges: none
ETaq : ‫־־‬Gb46be3f d63c61: 7349‫־־‬
S e rve r: M ic r o s o ft - IIS / 6 . 0
M ic ro s o ftO ffic e W e b S e rv e r: 5.0 Pub
X-Powered-By: ASP.NET
^
I
I
■
ft* 1^ ^
Ix
FIGURE 3.47: Netcat showing Banner Grabbing Result
T e ln e t
T his t e c h n i q u e p r o b e s HTTP s e r v e r s t o d e t e r m i n e t h e S e rv e r fie ld in t h e HTTP
response hea de r.
For in s ta n c e , i f y o u w a n t t o e n u m e r a t e a h o s t r u n n i n g h t t p ( tc p 80), t h e n y o u h a ve t o f o l l o w
t h is p r o c e d u r e :
©
First, o p e n t h e c o m m a n d p r o m p t w i n d o w .
Go t o S t a r t ‫ > ־‬R un , t y p e c m d , a n d press E n te r o r clic k OK.
©
In t h e c o m m a n d p r o m p t w i n d o w , r e q u e s t t e l n e t t o c o n n e c t t o a h o s t o n a s p e c ific p o r t :
C : \ t e l n e t w w w . c e r t i f i e d h a c k e r . c o m 8 0 a n d p re ss E n te r.
©
N e x t, y o u w i ll g e t a b la n k s c re e n w h e r e y o u h a v e t o t y p e GET / H T T P /1 .0 a n d press
E n te r t w i c e .
©
In t h e f in a l s te p , t h e h t t p s e r v e r re s p o n s e s w i t h t h e s e r v e r v e r s io n , say M ic r o s o f t - I I S / 6 . 0 .
F ro m t h e s c r e e n s h o t y o u can see t h e a rea h ig h l i g h t e d in re d c o lo r is t h e s e r v e r v e rs io n
d e ta ils .
C:\Windows\system32\cmd.exe
H T T P /1 .1 403 F o r b id d e n
C o n te n t- L e n g th : 218
C n n t e n t —T u n e : t e x t / h t m l
S erv er: M ic ro so ft-IIS /6 .0
X - P o u e r e d - B y : ftS P . N E T
D a t e : S a t , 1 1 fl u g 2 0 1 2 0 9 : 5 7 : 0 7 GMT
u o n n e cc io n : cxose
< h tm lX h e a d X title > E rro r< /title X /b e a d X b o d y X b e a d X title > D ire c to ry L istin g D
e d < /t i t le X /b e a d >
< b o d y X h l> D ire c to ry L i s tin g D e n ied < /h l> T h is U ir tu a l D ire c to r
o e s n o t a l l o u c o n t e n t s to be l i s t e d .< / b o d y > < / b o d y X / h t n l >
C o n n ec tio n
to
host
lo st.
FIGURE 3.48: Command Prompt showing http server responses with the server version
M o d u le 0 3 Page 3 50
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
B a n n e r G ra b b in g
D is a b lin g
C o u n te rm e a s u re s :
o r C h a n g in g
B a n n e r
C E H
Display false banners to misguide the attackers
Turn off
01 unnecessary services on the network host to limit the information
tion
disclosure
disclos
IIS users can use these tools to disable or change banner information
~
IIS L ockdow n Tool (h ttp ://m ic r o s o f t.c o m )
~
S e rv e rM a s k (h ttp ://w w w .p o r t8 0 s o f tw a r e .c o m )
Apache 2.x with m od_headers module - use a directive in h t t p d . conf
file to change banner information Header set Server "New Server Name"
Alternatively, change the S e rv e rS ig n a tu re line to S e rv e rS ig n aitu
tu re
O ff in h t t p d . co n f file
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
B a n n e r G ra b b in g
---------
C h a n g in g
C o u n te rm e a s u re s : D is a b lin g
o r
B a n n e rs
A t t a c k e r s use b a n n e r g r a b b in g t e c h n i q u e s a n d f i n d o u t s e n s i t i v e i n f o r m a t i o n such as d e v ic e
ty p e s , o p e r a t i n g s y s te m s , a p p li c a t i o n v e r s io n , e tc . used b y t h e v i c t i m . W i t h t h e h e lp o f t h e
g a t h e r e d i n f o r m a t i o n , t h e a t t a c k e r e x p lo it s t h e v u l n e r a b i l it ie s t h a t a re n o t u p d a t e d w i t h t h e
s e c u r i t y p a tc h e s a n d la u n c h e s t h e a tta c k s . So, t o p r o t e c t y o u r s y s te m a g a in s t b a n n e r g r a b b in g
a tta c k s , a f e w c o u n t e r m e a s u r e s can be a d o p t e d a n d t h e y a re lis te d as f o l lo w s :
D is a b lin g o r C h a n g in g B a n n e r
Q
D isp la y fa lse b a n n e r s t o m is g u id e a t ta c k e r s
Q
T u r n o f f u n n e c e s s a r y se rv ic e s o n t h e n e t w o r k h o s t t o l i m i t i n f o r m a t i o n d is c lo s u r e
Q
IIS u sers can use th e s e t o o l s t o d is a b le o r c h a n g e b a n n e r i n f o r m a t i o n :
9
S
IIS L o c k d o w n T o o l (h t t p : / / m i c r o s o f t . c o m )
S
S e r v e r M a s k (h t t p : / / w w w . p o r t 8 0 s o f t w a r e . c o m )
A p a c h e 2.x w i t h mod_headers m o d u l e - use a d ir e c t iv e in httpd. conf file t o c h a n g e
b a n n e r i n f o r m a t i o n H e a d e r s e t S e r v e r " N e w S e rv e r N a m e "
9
A l t e r n a t i v e l y , c h a n g e t h e ServerSignature lin e t o ServerSignature Off in t h e
httpd.conf file
M o d u le 0 3 Page 351
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
H id in g
W
e b
F ile
E x t e n s io n s
f r o m
C E H
P a g e s
F ile e x t e n s i o n s r e v e a l i n f o r m a t i o n a b o u t t h e
u n d e rly in g s e r v e r te c h n o lo g y t h a t a n a tta c k e r
g
g
i
g
2
c a n u tiliz e to la u n c h a t t a c k s
IIS u s e r s u s e t o o l s s u c h a s
H id e file e x t e n s i o n s t o m a s k
P a g e X c h a n g e r to m a n a g e th e
t h e w e b te c h n o lo g y
file e x t e n s i o n s
C h a n g e a p p lic a tio n m a p p in g s su ch
A p ach e u se rs can u se
a s .a s p w ith . h t m o r .f o o , e t c . to
m o d _ n e g o t i a t i o n d ir e c ti v e s
d is g u is e t h e i d e n t i t y o f t h e s e r v e r s
It is even better if the file extensions are not at all used
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
H id in g
File
F ile E x te n s io n s fro m
e x te n s io n s
p r o v id e
in fo rm a tio n
W e b
about
th e
P a g e s
u n d e rly in g
s e rve r
te c h n o lo g y ;
a t ta c k e r s can use t h is i n f o r m a t i o n t o s e a rc h v u l n e r a b i l it ie s a n d la u n c h a tta c k s . H id in g file
e x te n s io n s
is
a
good
p r a c tic e
to
mask
te c h n o lo g y -g e n e ra tin g
d y n a m ic
pages.
Change
a p p li c a t i o n m a p p in g s such as .asp w i t h . h t m o r .fo o , e tc. t o d is g u is e t h e i d e n t i t y o f t h e s e rve rs.
A p a c h e users can use m o d _ n e g o t i a t i o n d ir e c t iv e s . IIS users use t o o l s such as P a g e X c h a n g e r t o
m a n a g e t h e f ile e x te n s io n s . D o in g w i t h o u t file e x te n s io n s a l t o g e t h e r is an e v e n b e t t e r ide a.
M o d u le 0 3 Page 352
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
C E H
Exam 3 1 2 -5 0 C ertified Ethical H acker
S c a n n in g M e th o d o lo g y
So fa r, w e h a v e d iscu sse d h o w t o c h e c k f o r live s y s te m s , o p e n p o r ts , scan b e y o n d IDS,
a n d t h e use o f b a n n e r g ra b b in g . All th e s e c o n c e p ts h e lp an a t t a c k e r o r s e c u r it y a d m i n i s t r a t o r t o
fin d
th e
lo o p h o le s t h a t
m ay a llo w
an a t t a c k e r i n t o
th e ir
n e tw o rk .
Now
we
w i ll
discuss
v u l n e r a b i l i t y s c a n n in g , a m o r e d e t a i le d te s ts t o d e t e r m i n e v u ln e r a b i l it ie s in a n e t w o r k , a n d its
re s o u rc e s .
Check for Live Systems
ft
f^
j
^ a; Scan f o r V u l n e r a b i l i t y
Check for Open Ports
r
Scanning Beyond IDS
Jfe J
Banner Grabbing
Draw Network Diagrams
Prepare Proxies
Scanning Pen Testing
T his s e c tio n d e s c r ib e s v u l n e r a b i l i t y s c a n n in g a n d v a r io u s v u l n e r a b i l i t y s c a n n in g to o ls .
M o d u le 0 3 Page 3 53
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COlMCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
V u ln e r a b i lit y S c a n n in g
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and netw<
order to determine how a system can be exploited
1
■ ‫י‬
w ‫■־‬
m
‫ח ח‬
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Q
V u ln e ra b ility
^
S c a n n in g
V u l n e r a b i l i t y s c a n n in g i d e n t if ie s v u l n e r a b i l i t i e s a n d w e a k n e s s e s o f a s y s te m a nd
n e t w o r k in o r d e r t o d e t e r m i n e h o w a s y s te m can be e x p l o i t e d . S im ila r t o o t h e r s e c u r it y te s ts
such as o p e n p o r t s c a n n in g a n d s n if f i n g , t h e v u l n e r a b i l i t y t e s t also assists y o u in s e c u r in g y o u r
n e t w o r k b y d e t e r m i n i n g t h e l o o p h o l e s o r v u l n e r a b i l it ie s in y o u r c u r r e n t s e c u r it y m e c h a n is m .
T his s a m e c o n c e p t can also be used b y a tt a c k e r s in o r d e r t o f i n d t h e w e a k p o i n t s o f t h e t a r g e t
n e t w o r k . O n c e t h e y fin d a n y w e a k p o in t s , t h e y can e x p l o i t t h e m
a n d g e t in t o t h e t a r g e t
n e t w o r k . E thical h a c k e rs can use th is c o n c e p t t o d e t e r m i n e t h e s e c u r it y w e a k n e s s e s o f t h e i r
t a r g e t b u s in e ss a n d fix t h e m b e f o r e t h e b ad g u ys f i n d a n d e x p l o i t t h e m .
V u l n e r a b i l i t y s c a n n in g can f i n d t h e v u l n e r a b i l it ie s in:
Q
N e t w o r k t o p o l o g y a nd OS v u ln e r a b i l it ie s
9
O p e n p o r t s a n d r u n n i n g se rv ic e s
9
A p p l i c a t i o n a n d s e rvice s c o n f i g u r a t i o n e r r o r s
9
A p p l i c a t i o n a n d s e rvice s v u ln e r a b i l it ie s
M o d u le 0 3 Page 354
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
V u l n e r a b i l i t y
S c a n n in g
T o o l:
N e s s u s
Nessus is the vulnerability
and configuration
assessment product
F eatures
Cw
Sa
‫ ל‬a
ssa
Agentless auditing
,
a
a
>a
In-depth assessments
. lb.1
‫ץ‬
Mobile device audits
M \Ma
Patch management
integration
M
MS
o-oaoflW
tw
*n1
»
1SM
BH
agitT! totu C
anm
4Aa*Hth•W
tokxnfaipM
y
, a
Compliance checks
T
rw
m
*m
Nwiil«M
T
T
P»►
Content audits
Customized reporting
High-speed vulnerability
discovery
W
IWU.ir^
1
<M Iran
Scan policy design and
execution
http://www. tenable, com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
V u ln e ra b ility
S c a n n in g
T o o l: N e s s u s
S o u rc e : h t t p : / / w w w . t e n a b l e . c o m
N essus is a v u l n e r a b i l i t y s c a n n e r — a p r o g r a m t h a t s e a rc h e s f o r bugs in s o f t w a r e . This t o o l
a llo w s a p e r s o n t o d is c o v e r a s p e c ific w a y t o v i o l a t e t h e s e c u r it y o f a s o f t w a r e p r o d u c t . T he
v u ln e r a b i l it y , in v a r io u s levels o f d e t a il, is t h e n d is c lo s e d t o t h e u s e r o f t h e t o o l . T h e v a r io u s
s te p s t h is t o o l f o l l o w s are:
e
D ata g a t h e r i n g
e
Host id e n tific a tio n
e
P o r t scan
0
P lu g-in s e le c tio n
0
R e p o r tin g o f d a ta
T o o b t a i n m o r e a c c u r a te a n d d e t a i le d i n f o r m a t i o n f r o m W i n d o w s - b a s e d h o s ts in a W i n d o w s
d o m a i n , t h e u s e r can c r e a te a d o m a i n g r o u p a n d a c c o u n t t h a t h a v e r e m o t e r e g is t r y access
p riv ile g e s . A f t e r c o m p l e t i n g th is ta sk, he o r she g e ts access n o t o n l y t o t h e r e g is t r y k e y s e ttin g s
b u t also t o t h e S e rvice Pack p a tc h levels, I n t e r n e t E x p lo r e r v u ln e r a b i l it ie s , a n d se rv ic e s r u n n i n g
o n t h e h o s t.
M o d u le 0 3 Page 355
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
It is a c li e n t - s e r v e r a p p li c a t i o n . T h e N essus s e r v e r r u n s o n a UN IX s y s te m , k e e p s t r a c k o f all t h e
d i f f e r e n t v u l n e r a b i l i t y te s ts , a nd p e r f o r m s t h e a c tu a l scan. It has its o w n u s e r d a ta b a s e a n d
se c u re s a u t h e n t i c a t i o n
m e t h o d s , so t h a t r e m o t e u sers u s in g t h e
N essus c l i e n t can log in,
c o n f i g u r e a v u l n e r a b i l i t y scan, a n d se n d it o n its w a y . N essus in c lu d e s
NASL (Nessus Attack
Language), a la n g u a g e d e s ig n e d t o w r i t e s e c u r it y te s ts .
S c r i p t in g
T h e v a r io u s f e a t u r e s o f Nessus a re :
9
Each s e c u r it y t e s t is w r i t t e n as a
separate plug-in. T his w a y , t h e u s e r can e a s ily a d d te s ts
w i t h o u t h a v in g t o re a d t h e c o d e o f t h e N essus e n g in e .
Q
It p e r f o r m s s m a r t se rv ic e r e c o g n i t i o n . It a s s u m e s t h a t t h e t a r g e t h o s ts w i ll r e s p e c t t h e
IA N A a ssig ne d p o r t n u m b e r s .
9
T h e N essus S e c u r ity S c a n n e r is m a d e u p o f t w o p a rts : A s e rv e r, w h i c h p e r f o r m s t h e
a tta c k , a n d a c lie n t, w h i c h is t h e f r o n t e n d . T h e s e r v e r a nd t h e c l i e n t can be r u n o n
d i f f e r e n t s y s te m s . T h a t is, t h e u s e r can a u d i t his w h o l e n e t w o r k f r o m
his p e r s o n a l
c o m p u t e r , w h e r e a s t h e s e r v e r p e r f o r m s its a tta c k s f r o m t h e m a in f r a m e , w h i c h m a y be
l o c a te d in a d i f f e r e n t a rea.
Q
•**1 | H * |
n e ssus
R e p o rts
Reports
Scan LAN
Mobile
Scans
Policies
Users
| u f« u l
Configurator
g
VvtrmntmySummary | HortSunmTY
Rj/ vwq • LMKfwd Aug 13,2012 19:07
1
Filters
N o F ltea
* Add Flit*
9
Clear FHtec*
!
FIGURE 3.49: Nessus Screenshot
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
V u l n e r a b i l i t y
G
F I
L a n G
0
0
J
GFI L a n G u a rd a s s is ts in a s s e t
m a n a g e m e n t , ris k a n a ly s is ,
a n d p r o v in g c o m p lia n c e
J
T o o l:
c
u a r d
UrtifW4
D*Mo*d
§‫״‬
Gme
*‫־‬Ertrttortwrt
t j Lxahoet w3N*EBOc«c»1
- J‫־‬l«*l‫ ״•״״ס‬v»0e«SC«^■
Scm
,£
Oienee
ReTM
dutr
#
Ccwtxjen
M
onitcr
‫־־‬£
-M3r>
Rtpcrtt
Configuritkn
'AJryraMtm
Fato>«
.4
<‫־‬
Ports
Fo
rt*
w*
Soft»a«
Soft•*(
14
Harare
p Enore Network -1 computer<
-----------------
F e a tu r e s :
e
E H
ttkKJl NmIm
GPI LanGuard 2012
> *-
Hte‫׳‬
i n v e n to r y , c h a n g e
S c a n n in g
1
jrnutootiiedApp»c*...
Selectively creates custom
vulnerability checks
0 conptfen
O
w S ₪ ₪ ₪ im
«
Creates different types of
scans and vulnerability tests
»
Helps ensure third-party
security applications offer
optim um protection
9
0
o
Performs network device
vulnerability checks
0eonotten
nj-mtbtli
‫*וזוז‬
J 'l
1
, - - ‫־ ־ ׳‬
luntutn <U
‫׳‬w
aU
*.y
11 1
© Identifies security
vulnerabilities and takes
remedial action
1
_________________ A
A
udri Statu•
i.cnpuue‫*•׳‬rope••*mm*
0,
http://www. gfi.com
- Copyright © by fC-CNDCil. All Rights Reserved. Reproduction is Strictly Prohibited.
V u ln e ra b ility
✓
S c a n n in g
T o o l: G F I L a n G u a r d
S o u rc e : h t t p : / / w w w . g f i . c o m
GFI L a n G u a rd acts as a v i r t u a l s e c u r i t y c o n s u l t a n t . It o f f e r s p a tc h m a n a g e m e n t , v u l n e r a b i l i t y
a s s e s s m e n t, a n d
n e t w o r k a u d it in g se rvice s. It also assists y o u
in a s set i n v e n t o r y , c h a n g e
m a n a g e m e n t , risk analysis, a n d p r o v in g c o m p lia n c e .
F e a tu re s :
9
S e le c tiv e ly c r e a te s c u s t o m v u l n e r a b i l i t y ch e cks
9
I d e n tifie s s e c u r it y v u l n e r a b i l it ie s a nd ta k e s r e m e d i a l a c tio n
9
C re a te s d i f f e r e n t t y p e s o f scans a n d v u l n e r a b i l i t y te s ts
9
H elp s e n s u r e t h i r d p a r t y s e c u r it y a p p lic a t io n s o f f e r o p t i m u m p r o t e c t i o n
9
P e r f o r m s n e t w o r k d e v ic e v u l n e r a b i l i t y ch e cks
M o d u le 0 3 Page 357
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
*
Exam 3 1 2-50 C ertified Ethical H acker
I“ J-P I *
GFI LanGuard 2012
E B
■<‫׳־»׳‬
§•
Group
5* Entire Network
Dashboard
Q.
S<an
IS
Remediate
Overview
Activity Monitor
0 Computer!
&
ttrtory
Reports
Configuration
Utilities
Patches
Port•
i pVynerabAbes
Uj ’
Discuss t«s versaon
(J
Software
Hardware
Syitem
Information
E n tire N etw o rk -1 c o m p u te r
* J lo c d h o s t: W IN‫־‬MSSELCK4<41
- 1} ‫ ׳‬local DomOT: WORKGROUP
Seanty Sensors
Vdnerabity Level
SSWIN-HSSaCMMl
Firewall Issu e s
Software Updates
C redent!•!• Setup
I0 computers
Service Packs and Up—
Most Vulnerable Computers
# l 0. computers
......
— UP
|WIN-MSSELCK4K41
Vulnerabilities
1computers
VuherabAty Trend Over Tne
Tout
“H*■
Common Talks
HUBUldL.
Addmoncomodera
Custom scar
SaanrigatiDeploy aocrt
O
■l
■ Insta■ n progress
■ Urwrstal **progress
■ Not IrtStalM
■ D*ptoy*n«rt Erron
Computers By Operating System
Computer ViJnerabAty Ois&fcubon
Ocomputvtl)
0 computer{*)
0 compa•^*)
1computes)
0 compuM^s)
■ Hgp•
M*2*yn
■ tow
■ HA
icompuc
0 comput..
Ocomput.
Ocomput.
1 Agent Status | Audt Status |
O
]computers By Operating...| Computers By Network ... 1
FIGURE 3.50: GFI LanGuard Screenshot
M o d u le 0 3 Page 358
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
V u l n e r a b i l i t y
S c a n n in g
T o o l:
S A I N T
F e a tu re s :
‫ ט‬Identify vulnerabilities on network
devices
» Detect and fix possible weaknesses
in the network security
» Prevent common system
vulnerabilities
a Demonstrate compliance with
current government and industry
regulations
e Perform compliance audits with
policies defined by FDCC, USGCB,
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
V u ln e ra b ility
S c a n n in g
T o o l: S A IN T
S o u rc e : h t t p : / / w w w . s a i n t c o r p o r a t i o n . c o m
SAINT is an i n t e g r a t e d n e t w o r k t o o l s f o r s e c u r i t y a d m i n i s t r a t o r s . U sing t h is t o o l , y o u can f i n d
s e c u r it y v u l n e r a b i l it ie s
acro ss t h e
n e tw o rk
i n c lu d in g
d e v ic e s ,
o p e ra tin g
s y s te m s ,
d e skto p
a p p lic a tio n s , w e b a p p lic a tio n s , d a ta b a s e s , e tc. in a n o n - i n t r u s i v e m a n n e r . It also e n a b le s y o u t o
g a t h e r i n f o r m a t i o n such as o p e r a t i n g s y s te m ty p e s a n d o p e n p o r ts , e tc . It a llo w s y o u t o scan
a n d e x p l o i t t a r g e t s w i t h an IPv4, IPv6, a n d / o r URL a d d re s s .
F e a tu r e s :
9
D e te c ts a n d fix e s p o s s ib le w e a k n e s s e s in y o u r n e t w o r k ' s s e c u r it y
9
A n t i c i p a t e s a n d p r e v e n t s c o m m o n s y s te m v u ln e r a b i l it ie s
0
D e m o n s t r a t e s c o m p li a n c e w i t h c u r r e n t g o v e r n m e n t a n d in d u s t r y r e g u l a t i o n s such as PCI
DSS, NERC, FISMA, SOX, GLBA, HIPAA, a n d COPPA
9
P e r fo r m s c o m p li a n c e a u d it s w i t h p o lic ie s d e f i n e d by FDCC, USGCB, a n d DISA
M o d u le 0 3 Page 359
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
«
1*
Vulnerability Scanner
%
0
&
I r iiu m •
U rn
u w ‫״**״•׳‬
t>«*• *
KM
V
M ••
r e a
‫וי‬
a
Op(■•** •>
kM M
1■c%— ■1
Vulnerability By Count!
•r
VnNfiMn
rz ri
* CrmcMi f n u t m t
A/ f i o i Cone•m
‫* * * * * •י‬
H0*t
*
d
^
*
4
4
*
a
10.7.0. IS
10-7-Q-14
1Q.7.Q.2
10.7. Q. 11
10 7.0 104
10-7-0-101
10-7.0.12
10.7.0.S
* 10.7.0.13a
‫ י‬10.7.0.140
> 10.7.0.150
10,7.0 ‫י‬. m
4 10.7 o i a o
10-7.0.31
* 10.7.0.131
^ 10.7.0.112
10.7.0.119
10.7.0.146
J 10.7.0.7
ToU l
41
37
34
2
a
s
0
6
0
0
0
1
2
0
2
2
0
0
0
0
0
2
2
2
t
2
0
0
1
t
0
0
0
0
0
0
0
0
0
0
0
0
‫נ‬
‫נ‬
2
2
2
2
2
2
I
I
1
1
1
•
S
4
14
4
1
0
1
0
0
1
31
14
14
4
1•
S
‫נ‬
______
FIGURE 3.51: SAINT Screenshots
M o d u le 0 3 Page 3 60
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
N e t w o r k
V u l n e r a b i l i t y
S c a n n e r s
OpenVAS
Retina CS
http://go.eeye.com
-o
I
▼
http://www.open\/as.org
\
g m
Core Impact Professional
http://www.coresecurity,com
Security M a n a g e r Plus
http://www.manageengine.com
LJpSrJ
W
MBSA
Nexpose
http://www.rapid7.com
http://www.microsoft.com
111
BE3F
S h a d o w Security Scanner
http://www.safety-lab.com
i]
QualysGuard
http://www.qualys.com
Security Auditor's Research
Nsauditor N e t w o r k Security
■M l
Auditor
Assistant (SARA)
http://www.nsauditor.com
http://www-arc.com
C o p y r ig h t © b y
N e tw o rk V u ln e r a b ility
N e tw o rk
v u ln e r a b i l it ie s
v u ln e ra b ility
v u ln e ra b ility
in t h e
ta rg e t
assessm ent
C E H
s c a n n e rs
n e tw o rk
and
R ig h ts R e se rv e d . R e p ro d u c tio n Is S tr ic tly P ro h ib ite d .
S c a n n e rs
are
th e
to o ls
or n e tw o rk
n e tw o rk
EG-G*ancil. A ll
a u d it in g .
th a t
assist y o u
in
id e n tify in g
r e s o u r c e s . T h e se s c a n n e rs
U sing
th e s e
s c a n n e rs ,
th e
h e lp y o u
you
can
in
fin d
v u ln e r a b i l it ie s in n e t w o r k s , w i r e d o r w ire le s s , o p e r a t i n g s y s te m s , s e c u r it y c o n f i g u r a t io n , s e rv e r
t u n i n g , o p e n p o r ts , a p p lic a tio n s , e tc.
A f e w n e t w o r k v u l n e r a b i l i t y s c a n n e rs a n d t h e i r h o m e site s a re m e n t i o n e d as f o l lo w s , u sin g
w h i c h y o u can p e r f o r m n e t w o r k s c a n n in g :
9
R e tin a CS a v a ila b le a t h t t p : / / g o . e e v e . c o m
9
C ore I m p a c t P ro fe s s io n a l a v a ila b le a t h t t p : / / w w w . c o r e s e c u r i t y . c o m
Q
M B S A a v a ila b le a t h t t p : / / w w w . m i c r o s o f t . c o m
Q
S h a d o w S e c u r ity S c a n n e r a v a ila b le a t h t t p : / / w w w . s a f e t v - l a b . c o m
9
N s a u d i t o r N e t w o r k S e c u r ity A u d i t o r a v a ila b le a t h t t p : / / w w w . n s a u d i t o r . c o m
Q
O p e n V A S a v a ila b le a t h t t p : / / w w w . o p e n v a s . o r g
9
S e c u r ity M a n a g e r Plus a v a ila b le a t h t t p : / / w w w . m a n a g e e n g i n e . c o m
e
N e x p o s e a v a ila b le a t h t t p : / / w w w . r a p i d 7 . c o m
9
Q u a ly s G u a r d a v a ila b le a t h t t p : / / w w w . q u a l y s . c o m
9
S e c u r ity A u d i t o r 's R esearch A s s is ta n t (SARA) a v a ila b le a t h t t p : / / w w w - a r c . c o m
M o d u le 0 3 Page 361
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
C E H
S c a n n in g
Exam 3 1 2 -5 0 C ertified Ethical H acker
M e th o d o lo g y
So fa r, w e d iscu sse d v a r io u s s c a n n in g c o n c e p ts such as s o u rc e s t o be s c a n n e d , t o o l s
t h a t can be u sed f o r s c a n n in g , a n d v u l n e r a b i l i t y s c a n n in g . N o w w e w ill discuss t h e n e t w o r k
d ia g r a m , an i m p o r t a n t d ia g r a m t h a t e n a b le s y o u t o a n a ly z e t h e c o m p l e t e n e t w o r k t o p o l o g y .
Check for Live Systems
191
Scan for Vulnerability
Check for Open Ports
J *
Scanning Beyond IDS
3 0
Draw Network Diagrams
Prepare Proxies
r-^r-n
Banner Grabbing
Scanning Pen Testing
T his s e c tio n h ig h lig h ts t h e i m p o r t a n c e o f t h e n e t w o r k d ia g r a m , h o w t o d r a w t h e n e t w o r k
d ia g r a m o r m a p s , h o w a t ta c k e r s can use th e s e l a u n c h in g a tta c k s , a n d t h e t o o l s t h a t can be used
t o d r a w n e t w o r k m ap s.
M o d u le 0 3 Page 362
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
D
r a
w
Exam 3 1 2 -5 0 C ertified Ethical H acker
i n
g
N
e t w
o r k
D
i a g r a m
s
C E H
(•rtifwtf
41
ilk >‫ ׳‬H«hw
J Drawing target's network diagram gives valuable information about the network and its
architecture to an attacker
J Network diagram shows logical or physical path to a potential target
DMZ
Intranet
Intranet
C o p y r ig h t © b y
D ra w in g
N e tw o rk
EG-G*ancil. A ll
R ig h ts R e se rv e d . R e p ro d u c tio n Is S tr ic tly P ro h ib ite d .
D ia g ra m s
T h e m a p p i n g o f n e t w o r k s i n t o d ia g r a m s h e lp s y o u t o i d e n t i f y t h e t o p o l o g y o r th e
a r c h it e c t u r e o f t h e t a r g e t n e t w o r k . T h e n e t w o r k d ia g r a m also h e lp s y o u t o t r a c e o u t t h e p a t h t o
t h e t a r g e t h o s t in t h e n e t w o r k . It a lso a llo w s y o u t o u n d e r s t a n d t h e p o s it io n o f f ir e w a lls ,
r o u t e r s , a n d o t h e r access c o n t r o l d e v ic e s . Based o n t h e n e t w o r k d ia g r a m , t h e a t t a c k e r can
a n a ly z e t h e t a r g e t n e t w o r k ' s t o p o l o g y a n d s e c u r it y m e c h a n i s m s . It h e lp s an a t t a c k e r t o see t h e
f ir e w a lls , IDSs, a n d o t h e r s e c u r it y m e c h a n is m s o f t h e t a r g e t n e t w o r k . O n c e t h e a t t a c k e r has th is
i n f o r m a t i o n , h e o r she can t r y t o f i g u r e o u t t h e v u l n e r a b i l it ie s o r w e a k p o i n t s o f t h o s e s e c u r it y
m e c h a n is m s . T h e n t h e a t t a c k e r can f i n d his o r h e r w a y i n t o t h e t a r g e t n e t w o r k by e x p l o i t i n g
t h o s e s e c u r it y w e a k n e s s e s .
T h e n e t w o r k d ia g r a m also h e lp s n e t w o r k a d m i n i s t r a t o r s m a n a g e t h e i r n e t w o r k s . A t t a c k e r s use
n e t w o r k d is c o v e r y o r m a p p i n g t o o l s t o d r a w n e t w o r k d ia g r a m s o f t a r g e t n e t w o r k s .
T h e f o l l o w i n g f i g u r e d e p ic t s an e x a m p l e o f a n e t w o r k d ia g r a m :
M o d u le 0 3 Page 363
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
In tra n e t
Exam 3 1 2 -5 0 C ertified Ethical H acker
DMZ
In tra n e t
FIGURE 3.52: Network Diagram
M o d u le 0 3 Page 364
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
N e t w o r k
Exam 3 1 2 -5 0 C ertified Ethical H acker
D is c o v e r y
T o o l:
C E H
L A N s u r v e y o r
L A N s u r v e y o r discovers a n e t w o r k a n d p r o d u c e s a c o m p r e h e n s i v e n e t w o r k d i a g r a m
that integrates OSI Layer 2 a n d Layer 3 topology data
F e a tu re s
aao
A u t o - g e n e r a t e N e tw o r k M a p s
E x p o r t N e tw o r k M a p s t o V isio
□LANsu
A u to -d e te c t C h a n g e s
I n v e n to r y M a n a g e m e n t
N e tw o r k R e g u la to r y
C o m p lia n c e
N e tw o r k T o p o lo g y D a t a b a s e
M u lti-le v e l N e tw o r k D is c o v e ry
□LANsurveyor
http://www.solarwinds.com
C o p y r ig h t © b y E C - C t in C il. A ll R ig h ts R e se rv e d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d .
N e tw o rk
D is c o v e ry
T o o l: L A N s u r v e y o r
S o u rc e : h t t p : / / w w w . s o l a r w i r 1d s .c o m
L A N s u r v e y o r a llo w s y o u t o a u t o m a t i c a l l y d is c o v e r a n d c r e a t e a n e t w o r k m a p o f t h e t a r g e t
n e t w o r k . It is a lso a b le t o d is p la y i n - d e p t h c o n n e c t i o n s like OSI L a y e r 2 a n d L a y e r 3 t o p o l o g y
d a ta su ch as d is p la y in g s w it c h t o s w itc h , s w itc h t o n o d e , a n d s w it c h t o r o u t e r c o n n e c t i o n . You
can e x p o r t t h e n e t w o r k m a p c r e a te d i n t o M i c r o s o f t O ffic e V isio. It can also k e e p t r a c k o f
c h a n g e s t h a t o c c u r in t h e n e t w o r k . It a llo w s t h e u s e r t o p e r f o r m i n v e n t o r y m a n a g e m e n t o f
h a r d w a r e a n d s o f t w a r e assets.
M o d u le 0 3 Page 365
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
□
Exam 3 1 2 -5 0 C ertified Ethical H acker
l
*
SolarW inds LANsurveyor - [M ap 1]
i;. File Edit Manage Monitor Report Tools Window Help
!3
y
*
B
X
•«r
‫־‬
solarwinds ‫׳‬
± i~ 100V.
♦
.
a
SO
N e tw o rk S e gm ents (1)
B H & IP A d dresses (5)
S
£
D o m a in N am es (5)
♦ £
N o d e N am es (5)
I—
IP Routers
DEMONSTRATK
J5LL A N su rve y o r R esp o nd er N o d es
: H
S N M P N o d es
S N M P S w itch e s/H u b s
l- C
SIP (VoIP) N o d es
®
Layer 2 N o d e s
^
A c tiv e D irecto ry D Cs
1‫ ־‬f t . G rou ps
□LAN surveyor
F o r H elp, press F1
FIGURE 3.53: LANsurveyor Screenshot
M o d u le 0 3 Page 3 66
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
N e t w o r k
Exam 3 1 2 -5 0 C ertified Ethical H acker
D is c o v e r y
T o o l:
C E H
O
p M
a n a g e r
O p M a n a g e r is a n e t w o r k m o n i t o r i n g s o f t w a r e t h a t o f f e r s a d v a n c e d f a u l t a n d p e r f o r m a n c e m a n a g e m e n t
f u n c t i o n a l i t y a c r o s s c r i tic a l IT r e s o u r c e s s u c h a s r o u t e r s , W A N lin k s , s w i t c h e s , f i r e w a l l s , V o IP c a ll p a t h s ,
p h y s ic a l s e r v e r s , v i r t u a l s e r v e r s , d o m a i n c o n t r o l l e r s , a n d o t h e r IT i n f r a s t r u c t u r e d e v i c e s
F e a tu re s
J
A vailability a n d U p tim e M o n ito rin g
J
N e tw o rk Traffic A nalysis
J
IP A d d re s s M a n a g e m e n t
J
S w itch P o rt M a p p e r
J
N e tw o rk P e r fo r m a n c e R e p o rtin g
J
N e tw o rk C o n fig u ra tio n M a n a g e m e n t
J
E x c h an g e S e r v e r M o n ito rin g
J
A ctive D ire c to ry M o n ito rin g
-l
H yper-V M o n ito rin g
-l
SQL S e rv e r M o n ito rin g
1'ol|RtN1nr ■Uipt&
M
'AjhUapm!!ur&irlctirdNudr-T
OpMaragt?)
qm
noo <
1nl«n 1iv« ‫״‬Uvo‫־‬J lopuogv map ailtmwirv wrn iptonto mmci front ‫»»י‬ta>
Nmsc Mtal wiijf cor• wiMr/twftdi x tl*
aavca
SAMPLE MAP
\ r.
•
* T Y ‫'״‬
!
*
\
/
: 3 *‫־‬
jf _ .
http://www.manageengine.com
C o p y r ig h t © b y
N e tw o rk
D is c o v e ry
EG-G*ancil. A ll
R ig h ts R e se rv e d . R e p ro d u c tio n Is S tr ic tly P ro h ib ite d .
T o o l: O p M a n a g e r
S o u rc e : h t t p : / / w w w . m a n a g e e n g i n e . c o m
O p M a n a g e r is b a s ic a lly a n e t w o r k p e r f o r m a n c e m a n a g e m e n t a n d m o n i t o r i n g t o o l t h a t o ffe r s
a d v a n c e d f a u l t a n d p e r f o r m a n c e m a n a g e m e n t f u n c t i o n a l i t y acro ss c r itic a l IT r e s o u r c e s such as
r o u t e r s , W A N links, s w itc h e s , f ir e w a lls , V o IP call p a th s , p h y sica l se rv e rs , v i r t u a l se rv e rs , d o m a i n
c o n t r o l l e r s , a n d o t h e r IT i n f r a s t r u c t u r e d e v ic e s . T his t o o l is h e l p f u l in d is c o v e r in g t h e s p e c ific
n e t w o r k a u t o m a t i c a ll y . It can also p r e s e n t a live n e t w o r k d ia g r a m o f y o u r n e t w o r k .
H e re a re s o m e o f t h e f e a t u r e s o f O p M a n a g e r :
e
A v a i la b il i t y a n d u p t i m e m o n i t o r i n g
e
N e t w o r k t r a f f i c a na lysis
0
IP a d d re s s m a n a g e m e n t
e
S w itc h p o r t m a p p e r
0
N e tw o rk p e rfo rm a n c e re p o rtin g
9
N e t w o r k c o n f i g u r a t io n m a n a g e m e n t
e
E xch an g e s e r v e r m o n i t o r i n g
M o d u le 0 3 Page 367
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
9
A c t iv e d i r e c t o r y m o n i t o r i n g
9
H ype r-V m o n ito rin g
9
SQL S e rv e r m o n i t o r i n g
FIGURE 3.54: OpManager showing Sample Map
M o d u le 0 3 Page 368
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
N e t w o r k
D is c o v e r y
T o o l:
C E H
N e t w o r k V i e w
1
N«tvw<‫׳‬kVcw ;NctwcrkV10v*1[
Re id* V *- lisu letf Arvlw
J
N e tw o r k V ie w is a
a i i s is
1 1 •‫כ‬
t
H*j
q. *. +
T
-•
I N Q D s i S B a
n e tw o r k d is c o v e ry a n d
m a n a g e m e n t to o l f o r
W in d o w s
J
D is c o v e r T C P /IP n o d e s
a n d r o u t e s u s in g D NS,
S N M P , p o r t s , N e tB IO S ,
and WMI
http://www.networkview.com
C o p y r ig h t © b y
N e tw o rk
D is c o v e ry
EG-G*ancil. A ll
R ig h ts R e se rv e d . R e p ro d u c tio n is S tr ic tly P ro h ib ite d .
T o o l: N e tw o rk V ie w
S o u rc e : h t t p : / / w w w . n e t w o r k v i e w . c o m
N e t w o r k V i e w is a n e t w o r k d is c o v e r y a n d m a n a g e m e n t t o o l f o r W i n d o w s .
Its k e y f e a t u r e s i n c l u d e :
9
D is c o v e r TCP/IP n o d e s a n d r o u t e s u s in g DNS, S N M P , Po rts, N etBIOS , a n d W M I
9
G e t M A C a d d re s s e s a n d NIC m a n u f a c t u r e r n a m e s
e
M o n i t o r n o d e s a n d re c e iv e a le rts
9
D o c u m e n t w ith p rin te d m aps and re p o rts
9
C o n tro l and secure y o u r n e tw o rk w ith th e S N M P M IB b ro w s e r, th e W M I b ro w s e r, and
th e p o r t sca nn er
M o d u le 0 3 Page 369
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
NetworkView - [NetworkViewl]
-
=
«
f t F1l« Edit View Lists logs Window Help
b is 1
1
•‫ס‬
t
< * < * + - « ; s x g x e ii
‫ ״ »י‬g n ‫ ט ש‬t»4 s
8:
& ■
ft NetworkViewl |
a
-an
11 11)
a
a
Q
101112
s
s
q
0
B
»III—■*M
il i t
1
‫(«ן»*י‬M
«i»
o
hfM
W
*1‫מ‬
N
o
t
Y
•* I T
«
fc
y
*
**‫ | •ין‬A.~«
Lmm| ^#•1
r
50 Nodes
Monitoring is O ff
HR
a
[Last monitoring: Unknown
^Txiw«w(m<—1004)]
a
0 Polls
0 Mails Sent
Modified
For Help, press FI
FIGURE 3.55: NetworkView Screenshot
M o d u le 0 3 Page 3 70
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0linCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
N e tw o rk D is c o v e ry Tool:
The Dude
N e tw o rk
D is c o v e ry
EH
T o o l: T h e D u d e
Source: h ttp ://w w w .m ik ro tik .c o m
The Dude w ill a u to m a tic a lly scan all devices w ith in specified subnets, draw and lay o u t a map
o f y o u r netw orks, m o n ito r services o f yo u r devices, and a le rt you in case any service has
problem s.
A few features of the Dude include:
©
A uto n e tw o rk discovery and layout
©
Discovers any type o r brand o f device
©
Device, link m o n ito rin g , and notifica tio ns
©
Allow s you to draw yo u r own maps and add custom devices
©
Supports SNMP, ICMP, DNS, and TCP m o n ito rin g fo r devices th a t su pp o rt it
©
Direct access to rem ote co ntro l too ls fo r device m anagem ent
©
Supports rem ote Dude server and local client
M o d u le 0 3 Page 371
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
_
admin@localhost - The Dude 4.0beta3
+•
■Ol V S«r>01 Qko«« •loo* M \
‫י‬
fEL
lCK4K41
10006
W
INM
SS
‫י‬
‫י‬
W
INDOW
S®
10.002‫לל‬
‫י‬
W
INLXQN3W
A3R9M W
INMSf,
SELCMMlj
U
X
'
‫*י‬
W
IN-O3SM
R5HL9C4
‫י‬
169254 189180 BS)
Otenl ix 199fcbp*/tt 191 bps
S«v‫־‬r
FIGURE 3.56: The Dude Screenshots
M o d u le 0 3 Page 372
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
N e tw o rk D is c o v e ry a n d
M a p p in g Tools
[_ j !i
CEH
HP Netw ork Node M an ager i
Software
LANState
r* *‫>־‬
http://www.10-5trike.com
http://www8.hp.com
£
FriendlyPinger
N e tM ap p er
http://www.kilievich.com
(fT u le
jsi
http://www.opnet.com
http://www.lumeta.com
Ipsonar
M
kM ■ !
http://www.netbraintech.com
http://cartoreso.campus,ecp.fr
CartoReso
11
http://www.spiceworks.com
Switch Center Enterprise
HR i |
http://www.lan-secure.com
NetBrain Enterprise Suite
m
Spiceworks-Network M ap p er
NetCrunch
http://www.adremsoft.com
—
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
N e tw o rk
D is c o v e ry
a n d
M a p p in g
T o o ls
N e tw o rk discovery and m apping tools a llo w you to view the map o f yo ur netw ork.
They help you d e te ct rogue h ard w a re and s o ftw a re v io la tio n s. It n otifie s you w henever a
p articula r host becomes active or goes dow n. Thus, you can also figure o ut the server outages
or problem s related to perform ance. This is the purpose o f n e tw o rk discovery and m apping
too ls in term s o f security. The same to o ls can be used by attackers to launch attacks on your
n etw o rk. Using these tools, the a ttacker draws the n e tw o rk diagram o f the ta rg e t n etw o rk,
analyzes the topology, find outs th e vu ln era b ilitie s or weak points, and launches an attack by
e xploitin g the m . The a ttacker may use the fo llo w in g too ls to create a map o f the n etw o rk:
©
LANState available at h ttp ://w w w .1 0 -s trik e .c o m
Q
FriendlyPinger avaialble at h ttp ://w w w .k ilie v ic h .c o m
9
Ipsonar available at h ttp ://w w w .lu m e ta .c o m
Q
CartoReso available at h ttp ://ca rto re so .ca m p u s.e cp .fr
Q
Switch Center Enterprise available at h ttp ://w w w .la n -s e c u re .c o m
9
HP N e tw o rk Node M anager i Softw are available at h ttp ://w w w 8 .h p .c o m
9
N e tM a pp e r available at h ttp ://w w w .o p n e t.c o m
9
NetBrain Enterprise Suite available at h ttp ://w w w .n e tb ra in te c h .c o m
9
S picew orks-N etw ork M apper available at h ttp ://w w w .s p ic e w o rk s .c o m
9
NetCrunch available at h ttp ://w w w .a d re m s o ft.c o m
M o d u le 0 3 Page 373
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
fc js k
C E H
^
Exam 3 1 2 -5 0 C ertified Ethical H acker
S c a n n in g M e th o d o lo g y
So far, we have discussed various means o f scanning and the sources to be scanned.
Now we w ill discuss proxies and im p o rta n t mechanisms used by attackers to access the
restricted sources and also to avoid th e ir id e ntity.
Check for Live Systems
191
Check for Open Ports
Scanning Beyond IDS
Banner Grabbing
Scan for Vulnerability
r
Draw Network Diagrams
Q
; Prepare Proxies
‫יז־ז^־־ל‬
Scanning Pen Testing
This section describes how to prepare proxies and how an a ttacker can use the m to launch
attacks.
M o d u le 0 3 Page 3 74
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ProxyServers
CEH
A proxy is a n e tw o r k c o m p u t e r th a t can
s e r v e a s an in t e r m e d ia r y for c o n n ec tin g
w ith o t h e r c o m p u t e r s
A s a n IP a d d r e s s e s m u l tip l e x e r , a
p ro x y a llo w s t h e c o n n e c tio n o f a
n u m b e r o f c o m p u te rs to th e
I n t e r n e t w h ile h a v in g o n ly
o n e IP a d d r e s s
Proxy servers can be used
(to some extent) to anonymize
w eb surfing
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
P ro x y
S e rv e rs
A proxy is a n e tw o rk co m p u te r th a t can serve as an in te rm e d ia ry fo r connecting w ith
o th e r com puters. You can use a proxy server in m any ways such as:
0 A sa fire w a ll, a proxy protects the local n e tw o rk fro m th e outside access
9 As an IP address m ultip le xer, a proxy allows a n um ber o f com puters to connect to the
In te rn e t w hen you have only one IP address
9 To anonym ize w eb surfing (to some extent)
Q To filte r o u t unw anted co nte nt, such as ads or "u n su ita b le " m aterial (using specialized
proxy servers)
9 To provide some p ro te ctio n against hacking attacks
9 To save ban d w id th
Let's see how a proxy server works.
W hen you use a proxy to request a p articula r w eb page on an actual server, it firs t sends yo ur
re quest to th e p ro xy server. The proxy server then sends yo u r request to the actual server on
M o d u le 0 3 Page 375
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
behalf o f yo ur request, i.e., it m ediates betw een you and the actual server to send and respond
to the request as shown in the fo llo w in g figure.
Attacker
Target Organization
FIGURE 3.57: Attacker using Proxy Server
In this process, the proxy receives the co m m unication betw een the clie n t and the d e stin a tio n
application. In o rd e r to take advantage o f a proxy server, c lie n t program s m ust be configured
so the y can send th e ir requests to the proxy server instead o f th e final destination.
M o d u le 0 3 Page 376
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
W h y A ttackers Use Proxy Servers?
CEH
(•rtifW
d ithiul lU
c
k
M
To m a s k t h e a c tu a l s o u rc e o f t h e a t ta c k b y im p e r s o n a tin g a fa k e
s o u r c e a d d r e s s o f t h e p ro x y
To r e m o te ly a c c e s s in t r a n e t s a n d o t h e r w e b s ite r e s o u r c e s t h a t a r e
n o r m a l l y o f f li m it s
T o i n t e r r u p t a ll t h e r e q u e s t s s e n t b y a n a t t a c k e r a n d t r a n s m i t t h e m
t o a t h i r d d e s t i n a t i o n , h e n c e v ic tim s w ill o n ly b e a b l e t o id e n t i f y t h e
p ro x y s e r v e r a d d r e s s
I
A tta c k e rs c h a in m u ltip le p ro x y s e rv e rs t o a v o id d e t e c ti o n
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
W h y A tta c k e rs U se P ro x y S e rv e rs
For an attacker, it is easy to a tta ck or hack a p articula r system than to conceal the
attack source. So the main challenge fo r an attacker is to hide his id e n tity so th a t no one can
trace him or her. To conceal the id e n tity, the a ttacker uses the proxy server. The main cause
behind using a proxy is to avoid d e te c tio n o f a tta ck evidence. W ith help o f th e proxy server, an
a ttacker can mask his or her IP address so th a t he or she can hack th e co m p u te r system
w ith o u t any fear o f legal repercussion. W hen the a ttacker uses a proxy to connect to the
d estination, the proxy's source address w ill be recorded in the server logs instead o f the actual
source address o f the attacker.
In a dd itio n to this, the reasons fo r w hich attackers use proxy servers include:
Q
A tta cke r appears in a victim server's log files w ith a fake source address o f the proxy
ra th e r than w ith the attacker's actual address
9
To re m o te ly access in tranets and o th e r w ebsite resources th a t are norm ally o ff lim its
9
To in te rru p t all the requests sent by an a ttacker and tra n s m it the m to a th ird
d estination, hence victim s w ill only be able to id e n tify the proxy server address
9
To use m u ltip le proxy servers fo r scanning and attacking, making it d iffic u lt fo r
adm inistrato rs to trace the real source o f attack
M o d u le 0 3 Page 377
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
UseofProxiesforAttack
CEH
Direct attack/ No proxies
!s‫־*®״‬5‫ ־‬-
■ --
Logged P roxy
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
U se o f P ro x ie s fo r A tta c k
Q uite a num ber o f proxies are in te n tio n a lly open to easy access. A no n ym o us proxies
hide the real IP address (and som etim es o th e r in fo rm a tio n ) fro m w ebsites th a t the user visits.
There are tw o types o r a no nym ous proxies: One th a t can be used in the same way as the nonanonym ous proxies and others th a t are web-based anonymizers.
Let's see how m any d iffe re n t ways th a t attackers can use proxies to co m m it attacks on the
target.
Case 1: In the firs t case, the a ttacker perform s attacks d ire ctly w ith o u t using proxy. The
a ttacker may be at risk to be traced o u t as the server logs may contain in fo rm a tio n about th e IP
address o f the source.
D ire c t a t t a c k / N o p ro x ie s
T a rg et
FIGURE 3.58: Attacker Communicating with Target Directly (No Proxy)
Case 2: The a tta cke r uses the proxy to fetch the ta rg e t application. In this case, th e server log
w ill show the IP address o f the proxy instead o f the attacker's IP address, th e re b y hiding his or
M o d u le 0 3 Page 378
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
her id e n tity; thus, the a ttacker w ill be at m inim um risk o f being caught. This w ill give the
a ttacker the chance to be anonym ous on the Inte rn e t.
L o g g e d P ro x y
A tta c k e r
T a rg e t
FIGURE 3.59: Attacker Communicating with Target through Proxy
Case 3: To becom e m ore anonym ous on the In te rn e t, the a ttacker may use the proxy chaining
tech n iq ue to fetch the ta rg e t application. If he or she uses proxy chaining, the n it is highly
d iffic u lt to trace o u t his o r her IP address. Proxy chaining is a technique o f using m ore num bers
o f proxies to fetch the target.
A tta c k e r
FIGURE 3.60: Attacker using Proxy Chaining for the attack
M o d u le 0 3 Page 379
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ProxyChaining
M
Ha
M
......................
IP: 20.10.10.2
Port: 8012
>
M
.......................‫< ־‬
IP: 20.10.15.4
Port: 8030
IP: 10.10.20.5
Port: 8023
U ser
Encrypted/unencrypted traffic
N
m
IP: 15.20.15.2
Port: 8045
IP: 20.15.15.3
Port: 8054
Unencrypted
IP: 10.20.10.8
Port: 8028
1.
User r eq u es ts a resource from the destination
2.
Proxy client at the user's system connects to a proxy server and passes
th e request to proxy server
3.
The proxy server strips th e user's identification information and
passes th e request to next proxy server
4.
This process is repeated by all th e proxy servers in th e chain
5.
At th e end u ne n c ry p ted re q u e s t is passed to th e w eb server
traffic
M‫־‬
»*
□
C o p y rig h t © b y E C -G *a n cil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
P ro x y
C h a in in g
Proxy chaining helps you to
becom e m ore ano n ym o us on th e
Inte rn e t. Your
a no n ym ity on the In te rn e t depends on the num ber o f proxies used fo r fetch in g the targe t
application. If you use a larger num ber o f p ro xy servers, then you w ill become m ore
anonym ous on the In te rn e t and vice versa.
W hen th e attacker firs t requests the proxy s e rv e rl, this proxy s e rv e rl in tu rn requests a nother
proxy server2. The proxy s e rv e rl strips the user's id e n tifica tio n in fo rm a tio n and passes the
request to the next proxy server. This may again request a no th e r proxy server, server3, and so
on, up to ta rg e t server, w here fin a lly the request is sent. Thus, it form s the chain o f th e proxy
server to reach the destin a tion server as shown in the fo llo w in g figure:
m
IP: 20.10.10.2
Port: 8012
IP: 10.10.20.5
Port: 8023
IP: 20.10.15.4
Port: 8030
U ser
E n crypted/u nencrypted traffic
..................... v
IP: 20.15.15.3
Port: 8054
m
....................V
IP: 15.20.15.2
Port: 8045
M
IP: 10.20.10.8
Port: 8028
................................ >
Unencrypted
traffic
FIGURE 3.61: Proxy Chaining
M o d u le 0 3 Page 3 80
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
P r o x y T o o l: P r o x y W o r k b e n c h
CEH
UrtifW
tf IthKJi lUikM
Proxy Workbench is a
proxy server that displays
data passing through it in
real time, allows you to
drill into particular TCP/IP
connections, view their
history, save the data to a
file, and view the socket
connection diagram
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
P r o x y T o o l: P r o x y W o r k b e n c h
Source: h ttp ://p ro x y w o rk b e n c h .c o m
Proxy W orkbench is a p ro xy server th a t displays th e data passing th ro u g h it in real tim e , allows
you to d rill in to p articula r TCP/IP connections, view th e ir history, save the data to a file , and
view the socket connection diagram . The socket connection diagram is an anim ated graphical
history o f all o f the events th a t to o k place on the socket connection. It is able to handle
(secure sockets) and
M o d u le 0 3 Page 381
HTTPS
POP3 natively.
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
"Z.
L s l® # ■
Proxy W o rk b e n c h
File
View
Tools
Help
0 5 - i s U
M ontana iravya !132168168170)
^
SMTP • Outgoing e-mad (25)
POP3 • Incoming c nvjd (110)
Q
HTTP Proxy •W eb (8080)
’
127.aa1 to 127.0.01 (locahost)
fi
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
P
U
Memay
Dslafc
■6
10‫ ׳‬Dead (1318 X
308(
(127 0 01 20750)
Event So( 7
P a g e lo H
m
J4 J 4J ►J N
491 bytes of ia»a has been
chnft.
12 14 49 53 8
DeaJ 113:18:26-779)
D ead ( 1 1 1 8 2 5 7S2)
Dead (1 1 1 8 2 5 757)
Dead (13:1825752)
De«d(13182S?46)
The connection request Jo
the remote server has been
successful
13:14:49.817
Dead (13:1825741)
Dead (131825736)
Dead (1 *1 8 2 5 731)
locahost
(127.00 1 8080)
Dead (131825 724)
Dead(111825717)
Dead (131825 684)
Dead (131825 67$)
1 2 7 0 0 1 fi£«n
Dead(13:1825671)
491 bytes of data has been
ser* to Ihe !emote tervet.
locahost
(127 0 0 1 80801
Dead (131825 662)
Dead(131825 655)
Dead (131825.647)
B
Dead (131825641)
Dead(111825633)
Dead(131825625)
(1270 01 20750)
Dead(111825620)
Dead (13:1825.586)
FVB has (**connected
horn the remote ckent
13 15 13 20 9
the remote server Kais
disconnected
1315:13208
Dead (111825579)
Deed (1118255741
Dead (13 1 82 5 566)
Reel tnw date for Dead (13 18 30 308)
Dead (13 1825 558)
lU U U U J ^
Dead (111825552)
Dead 11118255431
8 KByte*
t i n t ‫׳‬/ !
J
tt
«‫ ׳‬e
ju
ua u a
id
ua
Socke‫״‬
FIGURE 3.62: Proxy Workbench Screenshot
M o d u le 0 3 Page 382
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
ProxyTool:Proxifier
C|EH
Prox-fie1‫ ־‬is a program that a ows r>etwork appicatons that do rxrt support working through
proxy servers to operate through an HTTPS or SOCKS proxy or a chain of proxy servers
mpj/www proaf«r-aom
! ByK'CMAjV. • M
“j •arn: *s‫־‬t2-d?rjSfit3y ‫״״‬c*C ‫גשנ‬
P r o x y T o o l: P r o x if ie r
Source: h ttp ://w w w .p ro x ifie r.c o m
P roxifier allows n e tw o rk a p p lica tio n s th a t do n ot su pp o rt w o rkin g throu g h proxy servers to
operate throu g h a SOCKS o r HTTPS proxy and chains. It allows you to surf w ebsites th a t are
restricted o r blocked by yo u r governm ent, organization, etc. by bypassing the fire w a lls rules.
Features:
0
You can access the In te rn e t fro m a restricted n e tw o rk throu g h a proxy server gateway
©
It hides yo u r IP address
9
It can w o rk throu g h a chain o f proxy servers using d iffe re n t protocols
Q
It allows you to bypass fire w a lls and any access co ntro l mechanisms
M o d u le 0 3 Page 383
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
^
Exam 3 1 2 -5 0 C ertified Ethical H acker
1a
Proxifier
File
Profile
1j tf * *
log
View
ub
El
Help
£1
&
Application
Taiget
Time/'Sta t us
R u le : Proxy
Bytes Sent
^ m s ts c .E X E (5044) 64‫״‬
192.168.2.40:3389
01:25
D e fa u lt: proxy.exam ple.net:1080
2.75 KB
4.06 KB
w w w .l.g o o gle. com:30
01:14 Closed
P ro x y2: proxy.exam ple.net:1080
3.33 KB
13.5 KB
cxplore.exe (4704)
ie3plore.exe (5664)
lsvchost.exe (376, System) 64‫״‬
(376, System) 64‫״‬
Bytes Received
[fe80::90bl:83b:c743:f49b]:80 IP v 6
01d2
L o c a l: Test proxy chain
958
376
w w w .u p d a te .m 1croso ft.co m :80
00:44
D e fa u lt: proxy.exam ple.net:1080
172
262
w w w .u p d ate.m icro s o ft.c om :4 43
00:42
D e fa u lt: proxy.exam ple.net:1080
131 KB
7 5 4 KB
4 $ !explore.exe (164)
Ib l.w w w .m s .ak ad n 5.n e t 443
Failed
H T T P S : proxy2.exam ple.net:8080
0
0
@
w w w .m ic ro s o ftc o m :8 0 8 0
00:21 C o n nectin g
D e fa u lt: proxy.exam ple.net:1080
0
0
etp lo re.exe (2776)
■stConnections uA.Traff1t •‫״‬Statistics
[19.591 svchost o t
[19 59] svchost exe
[19 59 ] svchost exe
[19 59 ] svchost exe
[19 59 ] svchost exe
[19 59] svchost exe
[19 59 ] svchost exe
[19 59] svchost exe
[19 59 ] svchost exe
[20 00] svchost exe
[20 00] explore exe
[2000: expJoreexe
120 00] explore exe
[20 00] !explore exe
[20 00] explore exe
[20 00] explore exe
]20 00; ejcloro exe
[20 00 ] svchost exe
Ready
(37S. System) $4‫ ־‬- resolve v .^w updale rnicroMft.cotn DNS
(37S. System) *64 • resolve w.vw update rmcroso*t c o t DNS
(376. System) *64 - www update microsoft com 442 match!r>3 Defadt rd e : usng proxy proxy .examptenet:1080
(376. System) *64 - •A m ‫ ׳‬update microsoft c o t 44‫ ־‬open through prxxy proxy example net 1080
(375. System) *64 download.w 1ndow 3update.com 80 dose. 6S1 bytes aert. 1183 bytes (1-15 KB) received, bfefcme 00 05
(376. System) *64 • resolve download wmdowsLpdate com DNS
(376. System) *64 resolve download.wmdowsupdate.com : DNS
(376. System) *64 ‫ ־‬download windowsupdate com 80 matchrtg DefaJt a ie usng proxy proxy example net 1080
(376. System) *64 ■dowrload.wnndowsupdate .com 80 open through proxy proxy example net 1080
(376. System) *64 download.w 1ndowsupdate.com 80 dose. 175 bytes aert. 256 bytes recerved. tfetr>e 00:04
(164) - lb 1 www ms akadns net 443 matching H TTPS rule using proxy proxy2 example net 8080
(2776) - www nxyosoft com :8080 matchna Default a ie ue»>g proxy proxy example net 1080
(4704) • w a w I aooale com 80 dose. 1560 bytes (1 52 KB) sert 13451 bytes (13 1 KB) recoved Ife tm e 0 0 59
(5664) - www I cooole com SO dose. 1456 byte♦ (1 42 KB) t e r( 26617 bytes (25.9 KB) received *fet me 01 11
(5664) • wwwJ.QOQQle.cQm.gO dose. 3530 bytes(3 44 KB) sert 722 bytes receded fcfetneOI 11
(4704) • wwvr I cooole com 80 d o te . 3413 bytes(3 33 KB) s e t 13881 bytes (13.5 KB) received tfettne 01 14
,'1641 ■b l w w w n s ekados net 443 error Codd not c o o k ed throudiproxy proxy2examolenet 8090 Reedng proxy replay on a c o m e d c n reouest faled w the*ror 10054
(376. System) *64 • www update microsoft com 8C dose. 172 bytes sent. 252 bvtes receded, tfetm e 01:01
7 actnre connections
Down 0
6/sec
Up 0 B/sec
System DNS
FIGURE 3.63: Proxifier Screenshot
M o d u le 0 3 Page 384
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
P r o x y T o o l: P r o x y S w it c h e r
P r o x y S w i t c h e r h i d e s y o u r IP a d d r e s s f r o m
File
Edit
Actions
View
Bite (30)
Dead (7220)
603ms
(Anonymous)
1092ms
(Anonymous)
1612ns
*
UNITED STATES
1653ms
^
UNITED STATES
1882ms
|
194 160 765:8 0
(Anonymous)
(Anonymous)
2324ms
2543ns
,J f 1592 26 3 227:80
(Anonymous)
2641ms
121 52 14 8 30 8080
208-74-174-142sayfanet 31
- 0
11
0
A
T
Cin.,_
_
_
_
_
(Anonymous)
2 6 8in s
(Anonymous)
/»
_
_
_
_
_
_
_
_x
2 6 9a m
‫«׳‬n-.
KwpAKve IfAgoSw«ch
M
i SLOVAKIA
SLOVAKIA
> :
REPUBLIC OF KOREA
| B I CHINA
B
PAKISTAN
■ UNITED STATES
■ ■D
C
D
IIQ
I IT<
‫>־‬
C
M
A
I fV
‫־‬
>
\/A
Q KKww.proxyswitcher.com
98 181 57.227:9090 tested as [Eke-Anonymous]
cocreo dresacallao 90b pe: 80 tested as [Dead]
smtp spectrum ■networks net :80 tested as ((Bite-SSL)J
f-kasklab50a.eti.pg gdapl:80 tested as [Eie-Anonymous]
cofreo disacallao gob p e:80 tested as [(Qite-SSL)]
H iah Anonvmous/S SL
REPUBLIC OF MOLDOVA
2200ns UNITED STATES
2319ms
(Anonymous)
ProxySwltcherfO)
|
(Anonymous)
(Anonymous)
147.46.7.54:8088
g
| FRANCE
(Anonymous)
arr,3c 3 mnedu sk 80
Dangerous (148)
My Proxy Servers (0)
Crxrtry
|
I (F R A N C E
hherphpo.hchdtmc.edu:80
66-162-61-85stabc:tvrteJe
$
R esp o- _ *
(Anonymous)
170.57.24.100:80
81 180 7 5 1 4 2 8080
Basic Anonymity (212)
- E " Private (53)
State
91.121.21.164:3128
ns1homenux.ccm:3l28
j.... SSL (26)
-£
pl
Server
£
High Anonymous (19)
EH
t h e w e b s ite s y o u v is it
Help
PKwy Scanner
^ ‫ ׳‬N ew (0)
C
*
□
0 /6
P r o x y T o o l: P r o x y
S w itc h e r
Source: h ttp ://w w w .p ro x y s w itc h e r.c o m
Proxy S w itcher allows you to su rf a no n ym o u sly on th e In te rn e t w ith o u t disclosing yo ur IP
address. It also helps you to access various sites th a t have been blocked in th e o rg an iza tion . It
avoids all sorts o f lim ita tio n s im posed by sites.
Features:
9
It hides yo ur IP address
©
It allows you to access restricted sites
Q
It has fu ll su pp o rt o f passw ord-protected servers
M o d u le 0 3 Page 385
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S * Proxy Sw itcher PRO ( D irect C o n n ec tio n )
File
Edit
A ctions
@ l # l
View
□ X I
Proxy Scanner
! # New (0)
B i
High Anonymous (19)
SSL (26)
‫׳‬...E ? Elite (30)
| B Dead (7220)
Basic Anonymity (212)
j— g ;
Private (53)
H elp
d a a a i i
^
Dangerous (148)
My Proxy Servers (0)
;... Sr
ProxySwitcher (0)
Server
91.121.21 164:3128
ns1.homenux.com :3128
hherphpo.hchd.tmc .edu :80
170.57.24.100:80
81.180.75.142:8080
static tvvtele.85 - 66-162-61
£
,f
&
f
, 194.160.76.5:80
if
,f
£
.»#
Disabled
~]
Keep Alive
amac3.minedu s k :80
147.46.7.54:8088
159.226.3.227:80
121.52 148 30:8080
sayfa.net .31:208-74-174-142
10n 01 ‫ שז־‬1 . 0 .* ---------
11 Auto Switch
>
j*
a j ii
State
(Anonymous)
(Anonymous)
(Anonymous)
(Anonymous)
Respo... *
603ms
1092ms
1612ms
1653ms
(Anonymous)
(Anonymous)
(/Vionymous)
(Anonymous)
(Anonymous)
(/Vionymous)
(Anonymous)
(Anonymous)
/A-------- \
1882ms
2200ms
2319ms
2324ms
2543ms
2641ms
2683ms
2698ms
­‫ ­ר­ י­ מ‬-
I I
*
>
‫׳‬E
REPUBLIC OF MOLDOVA
UNITED STATES
SLOVAKIA
SLOVAKIA
REPUBLIC OF KOREA
CHINA
m
K 9 PAKISTAN
■
UNITED STATES
■ ■ DCPI ipi irnc uni nn\/4
O w 1wuv.proxyswvjtcher.com
98 181.57.227:9090tested as [Bite-Anonymous]
correo diresacallao gob pe:80tested as [Dead]
smtp spectrum-networks n e t:80 tested as [(Bite-SSL)]
f-kasklab50a eti pg gda.pl :80 tested as [Bite-Anonymous]
correo disacallao gob pe:8 0 tested as [(Bite-SSL)]
H igh A nonvm ous/S S L
Country
1 ‫ ו‬FRANCE
I I FRANCE
UNITED STATES
*
UNITED STATES
□
0/6
FIGURE 3.64: Proxy Switcher PRO Screenshot
M o d u le 0 3 Page 386
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
P r o x y T o o l: S o c k s C h a in
CEH
im ttiM
J
tU x*l lUckM
SocksChain t r a n s m i t s t h e TCP/IP a p p lic a tio n s t h r o u g h a chain of proxy serv ers
Ufasoft SocksChain
View
Tools
LdfLJ
Help
firefox
To [64.4.11.42]:80 3 connections
m
To [65.55.57.27]:80 2 connections
To [123.176.32.147]:80 13 connections
m
To [64.4.11.301:80 2 connections
^
To [123.176.32.1361:80 1 connections
=
™ To [175.41.150.21:80 1 connections
m
To [207.46.49.1331:80 1 connections
m
To [64.4.21.391:80 1 connections
9 £ To [65.54.82.157]:80 2 connections
£10©
!
0
chrome
Through SE05411D17AFD6752EE36392EE4E42CAFB8A45D09=shadowhouse. S626F206838B0EA12CFCA5CE91
3 ■ To www.certifiedhacker.com(202.75.54.101]:80 6 connections
S I To safebrowsing.google.com[74.125224.73!:443 1 connections
To safebrowsing-cache.google.com[74.125.224.67J:443 !connections
1 7 1 ^ iexplore
0
PING
V
I>
III
<
DANGEROUS.SOCKS PR0T0C0L=S0CKS5 ADDRESS=65.S4.82.157:80
DVUCEKOn? ?0CK8 bB0i.0C0r^0CK2J VDDKE2^e2?»85‫׳‬m :80
http://ufasoft.com
C o p y rig h t © b y E C -C suncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d
S
blUG
P r o x y T o o l: S o c k s C h a in
Source: h ttp ://u fa s o ft.c o m
SocksChain is a program th a t allows you to w o rk w ith any In te rn e t service throu g h a chain o f
SOCKS or HTTP proxies to hide the real IP address. It can fu n ctio n as a usual SOCKS-server th a t
tra nsm its queries throu g h a chain o f proxies. It can be used w ith clie n t program s th a t do not
su pp o rt the SOCKS p rotocol, b ut w o rk w ith one TCP-connection, such as TELNET, HTTP, IRC, etc.
It hides y o u r IP fro m being displayed in the server's log or mail headers.
M o d u le 0 3 Page 387
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
K
Ufasoft SocksChain
File
View
m
¥
B
Tools
Help
firefox
Through SE0S411017AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9I
9 £ To [64.4.11.42]:80 3 connections
9 £ To [65.55.57.27]:80 2 connections
To [123.176.32.1471:80 13 connections
« To [64.4.11.301:80 2 connections
_ To [123.176.32.136):80 1 connections
™‫ ■י‬To [175^41.150-21:80 1 connections
m To [207.46.49.1331:80 1 connections
9 1 To [64.4.21.39]:80 1 connections
'■*. To [65.54.82.1571:80 2 connections
0 0 ©
B
chrome
Through SE05411Dl7AFD6752EE36392EE4E42CAFB8A45D09=sh*dowhouse. S626F206838B0EA12CFCA5CE9■
3 8 To www.certrf1edhackef.coml202.75.54.101 ]:80 6 connections
9 1 To safebrowsmg.google.com(74.125.224.731:443 1 connections
0
<I
9 E To safebrows1ng-c*che.google.com[74.125224.67]:443 1 connections
!explore
PING
‫•יי‬
>I
DANGEROUS.SOCKS PROTOCOL‫ ־‬SOCKS5 ADDRESS=65.54.82.157:80
FIGURE 3.65: Ufasoft SocksChain Screenshot
M o d u le 0 3 Page 388
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
P ro xy Tool: T O R (T h e O n io n
R o u tin g )
Anonymity
V id a lia C o n tro l P an el
Security
Privacy
E n s u r e s t h e p r iv a c y
, la y e r s o f s e c u r it y
c o m m u n i c a t io n
r e c ip ie n t o f a
f to a m essage
o v e r In te rn e t
m essage
n
U s e s c o o p e r a t in g
Tor Proxy
T h e i n i t i a t i n g o n io n
d e c r y p t s a ll d a t a
V
p ro x y ro u te rs
1 r o u t e r , c a lle d a " T o r
p a c k e t s u s in g p u b lic
J
th r o u g h o u t th e
I c l i e n t " d e t e r m in e s
k e y e n c r y p t io n
°
x
.
Proxy Chain
E n c ry p ts a n d
‫־‬
P r o v id e s m u l t i p l e
o f b o th s e n d e r a n d
Encryption
CEH
n e tw o rk
th e p a th o f
View the Network
Loc a Ncv> Id c rtty
B , Bandwidth !‫^זר‬ph
‫ ן‬Mcuogc Lug
O H#ip
SclU1g»
0
About
Q cxt
3 Show ttii* winflow on t tir n n
t r a n s m is s io n
h t tp s : // w w w . to r p ro je c t, o rg
C o p y rig h t © b y EG -G ouncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
P r o x y T o o l: T O R
(T h e O n io n R o u tin g )
Source: h ttp s ://w w w .to rp ro je c t.o rg
Tor is so ftw a re and an open n e tw o rk th a t
helps you defend against a fo rm
surveillance th a t threa te ns personal fre e d o m
and privacy, co nfid e ntia l business activities
o f n e tw o rk
and
relationships, and state security know n as tra ffic analysis. You can use Tor to prevent w ebsites
fro m tracking you on the Inte rn e t. You can also connect to news sites and in stan t messaging
services w hen these sites are blocked by yo u r n e tw o rk a d m in istra to r. Tor makes it d iffic u lt to
trace y o u r In te rn e t a ctivity as it conceals a user's location o r usage.
Features:
9
Provides anonym ous com m unication over the In te rn e t
9
Ensures the privacy o f both sender and
9
Provides m u ltip le layers o f security to a message
9
Encrypts and decrypts all data packets using public key e ncryption
9
Uses cooperating proxy routers th ro u g h o u t the n e tw o rk
9
The in itia tin g onion ro u te r, called a "Tor clie n t" determ ines the path o f transm ission
M o d u le 0 3 Page 389
re cip ie nt o f a message
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Vidalia Control Panel 1 ~ 1 ‫ם‬
x
Status
4)1
Connected to the Tor network'
Vidalia Shortcuts
# # •
Stop Tor
Setup Relaying
View the Network
Use a New Identty
, Bandwidth Graph
O Help
= ]Message Log
@ Show the wndow on startup
Settings
About
fc^Exit
Hide
FIGURE 3.66: Vidalia Control Panel showing the Status
M o d u le 0 3 Page 3 90
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
P r o x y T o o ls
CEH
Burp Suite
Proxy
http://www.portswigger.net
0
http://www.analogx.com
Proxy C om m and er
P ro top ort Proxy Chain
http://www.dlao.com
http://www.protoport.com
Proxy Tool W indow s App
Proxy+
http://webproxylist.com
http://www.proxyplus.c1
http://gpassl.com
Gproxy
11
Fiddler
!‫י ן!ן‬
http://www.fiddler2.com
FastProxySwitch
http://affinity-tools.com
1
ProxyFinder
http://www.proxy-tool.com
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
‫ ן‬P ro x y T o o ls
In a dd itio n to these proxy tools, th e re are m any m ore proxy tools intended to allow
users to surf the In te rn e t anonym ously. A fe w are listed as follow s:
9
Burp Suite available at h ttp ://w w w .p o rts w ig g e r.n e t
9
Proxy C om m ander available at h ttp ://w w w .d la o .c o m
9
Proxy Tool W indow s App available at h ttp ://w e b p ro x y lis t.c o m
9
Gproxy available at h ttp ://g p a s s l.c o m
9
Fiddler available at h ttp ://w w w .fid d le r2 .c o m
Q
Proxy available at h ttp ://w w w .a n a lo g x .c o m
9
P ro to p o rt Proxy Chain available at h ttp ://w w w .p ro to p o rt.c o m
Q Proxy+ available at h ttp ://w w w .p ro x y p lu s .c z
9
FastProxySwitch available at h ttp ://a ffin ity -to o ls .c o m
9
ProxyFinder available at h ttp ://w w w .p ro x y -to o l.c o m
M o d u le 0 3 Page 391
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
P r o x y T o o ls
CEH
(C o n t’d)
ProxyFinder Enterprise
Socks Proxy Scanner
http://www.mylanviewer.com
http://www.proxy-tool.com
A
M
‫ »_ך‬il
ezProxy
® HI
http://www.ode.org
JAP Anonymity and Privacy
Charles
http://www.charlesproxy.com
UltraSurf
http://anon.inf.tu-dresden.de/index_en.html
http://www.ultrasurf.us
CC Proxy Server
http://www.youngzsoft.net
™
FoxyProxy Standard
https://addons.mozilla.org
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
h
P r o x y T o o l s ( C o n t ’d )
---------- The list o f proxy tools m entioned in the previous slide continues as follow s:
9
ProxyFinder Enterprise available at h ttp ://w w w .p ro x y -to o l.c o m
9
ezProxy available at h ttp ://w w w .o c lc .o rg
9
JAP A no n ym ity and Privacy available at h ttp ://a n o n .in f.tu -d re s d e n .d e /in d e x en.htm l
9
CC Proxy Server available at h ttp ://w w w .y o u n g z s o ft.n e t
9
FoxyProxy Standard available at h ttp s://a d d o n s.m o zilla .o rg
9
Socks Proxy Scanner available at h ttp ://w w w .m y la n v ie w e r.c o m
Q
Charles available at h ttp ://w w w .c h a rle s p ro x v .c o m
9
U ltraS urf available at h ttp ://w w w .u ltra s u rf.u s
Q
WideCap available at h ttp ://w id e c a p .ru
9
ProxyCap available at h ttp ://w w w .p ro x y c a p .c o m
M o d u le 0 3 Page 392
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
F re e P ro x y S e rv e rs
Cl EH
(•rtrfw
tf
Google
A search in Google lists thousands of free proxy servers
Google
IS
tk
K
J
l lU
c
k
M
1
FreeProxyServers
adoui12.700.000result?{020seconds)
P
roxy4Free-Ff ProxyStrvtrt -protectYourPrunePrivacyaW
1
wwwproxy4tree comj
roxxyy4seFrv
reeereisraortre
nduprso
roxr^
ycshtceackieeor‫ש‬crnoew
r■e*absu
e?•refres-e
pPro
oveeprro
9yw
ealisrstaQ
c«d3tnng5y3o!‫ד‬
‫׳‬u3M
«‫ח‬ti‫ו‬m
List Country Ratino AccessTim•
u st o
fFreeProxyServers- Page 10 ‫ד‬0‫ז‬
wwwproxy4tree eor>v1ist7»eaproxy1 htmi
F
PE
roA
xyD
,A
onO
im
izePrR
,V
N
.P
rosio
xyn4re
Fre
ero
Prxoyxyse
uil,
PTePst,ag*en1cocrr-i*
HreOeM
DnY
UR
OP
X
Y
U
eP
rveIrs
10-uemu
Pr•• P
iw
bidemyaM
.ctforL
rvisptfoxPyu-Jbislic
VProxy Sarvars UPJEQSUAdeiJyAss;*
images
uaps
vM
ki
N«w*
ShopplnQ
Uor*
Proxy 4 Free
“
‫״נגלו‬
-
n
... ~
—
Free proxy list index. Ih* Uigvst !•aMirn* database ofDu&fe ptoxy servers :r in e
Show searcn tools
1■
H
M
A
niifdl0em
v0yM
.cs0sr‫ו‬ivFretProxyanaPrivacyToots-sun‫ז‬ryewco...*
Wuliproxy fioo) McAfgg SECURE c-ilot. lolpkeec tcusafofcom ‫״‬tr * :‫ ־‬:• !.*.
ssa sssssasssr
Bar
=2—
c1»dit card fraud, spywst•. Us• our It• • proxy to twl anonmoasH crtn * !■ » -
FreeProxyServer-surr !rr ,\rr A-nnymn. m:,
Surrm*webanonymouslywithourtreeproxyserver
FreeProxyServer TiirLnHUu.
rreeproxynerver net/
iNwyirj
1:1'
P
ublicProxyServers FreeProxyServerlsi
wvcttpu Dlicproxyservers.conv
Pu&lic Proxy Servers is a tree and 1‫ח‬dependent proxy :hecan; 5 « sm Cur ser.ice
neips you to proteclyour identity ana Dypass surting restnraons s!r»ce 2002
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
e a
F re e
—
P ro x y
S e rv e rs
Besides proxy tools discussed previously, you can find a num ber o f free proxy sites
available on the In te rn e t th a t can help you to access restricted sites w ith o u t revealing yo ur IP
address. Just type Free Proxy Servers in the Google search engine and you w ill get num erous
proxy server websites.
( jO . )g ie
Free Proxy Servers
“**
55* ‫יי‬
‫•׳•״*״‬
**«‫•׳‬
H
3 I
13 r 00 000 r•! u n to 70 m o m ! 1
S e a rc h
W«o
4
O
Pra«v 4 Free F ree Proxy S erv ers Protect Your OMne Pnvacv
«w»proxy41»o*corv
proxy server* for Over 9 yea* Ow
Lilt
County
Ratng
tc c tit T r»
Pro«y 4 F ree- F ree Proxy S erv ers -Protect Your Onlne Privacy ■A _
preiraaee co«u - cecfted - Smear
O k w j h u m •m n u h _
Proxy 4 Free
u a a i f i e e Pfoxj se rv e r* • l y 1 a i 18
wwwp!o*if4lreecorA1rweapreey1 ren«
Fr«t Pron Anomrutf VPN Pro!* 4 Ftee Pro»y Ust P Te*t A»ownn» tCNU
HOUE-AOOYOURPftOrr 1.«tc*rreee1MjSenwr» ? •?•K rflO F ree ^ ‫־‬axv L st - P i t * Proxy S ervers P PORT n o e Mir A ss' ‫*״‬
fttOtmrs•• com^rexy*■•
!(•epfor! s$1 no«« tv• 1*‫׳‬c«»!«•*»So« 4aiac*s« or caAK precy •e rm s crtr*
m c Uxau : F re e r r p u A a i P a t a u . T a a i - a u T T n c m t ^ . *
s= ■
E
1
-----------------------------I
B
-
f
A*e proxy r‫׳‬H Uo*JW S€CU«t MM K♦* ‫ •• ♦ז‬,©« SSH *on•4**r. T*4
creat caretswd s t ■•**»* u s• ft* *ee proxy 10 s ^ t w>n>r1wow»> o«am M l .
—
•‫־‬
B
-
‫׳‬. . H
l |‫ ׳‬V W
rjuZxvJ
> Y
,1
P r a t Proxy S erv er _ I u m o ttt e .
tortahtftconv
*mTt#Mte40*eepnMy seryer - o e a r •‫זי‬,»‫ ר‬w n tx S M an e 1m m < r n
orowtieg too mar* ‫נ‬
a* se» M trtrn«101e*oureeaM*eft*«0*a1 _
1
I
PiAftc Proxy Servers F ree Proxy S e rv er Lot ^
www |M<t*t#«eayee«ye1s ceev
FuoecPreir Wrvor• 1» t Iim •non a m U i i p>o» <*o<S(ng ‫ יי«ו»<ו‬CX aemce
1 ‫«ייז •'׳‬u 10 proloct tour 1asrM1 anoerpess •usng teMKSons trve7M 7
0
FIGURE 3.67: Google Search showing Free Proxy Servers
M o d u le 0 3 Page 393
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
H T T P T u n n e l i n g T e c h n iq u e s
J
CEH
HTTP Tunneling te c h n o lo g y allows users to
d e s p ite t h e restrictio ns im p o se d by firewalls
E n c a p s u la te s d a ta
inside
(‫ן‬
(p o rt
,‫ ייו‬f ! *
‫ > י ו‬.......... • <
80)
<
I n t e r n e t ..........f t > * *
Router
!‫<•■■••> יי‬
Router
HTTP Proxy
or Firewall
End Users use HTTPTunnel to transmit or
receive data through
Firewall
?111
Previously inaccessible servers and services
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d
H T T P T u n n e lin g
T e c h n iq u e s
HTTP Tunneling is a no the r technique th a t allows you to use the In te rn e t despite
restrictions im posed by the firew alls. The HTTP p ro to co l acts as w ra p p e r fo r com m unication
channels.
An a tta cke r uses HTTP tu n n e l s o ftw a re to p e rfo rm HTTP tun n elin g. It is a client-server-based
application used to com m unicate throu g h the HTTP p rotocol. This so ftw a re creates an HTTP
tun n el betw een tw o machines, using a w eb proxy o ptio n . The tech n iq ue involves sending POST
requests to an "HTTP server" and receiving replies.
The a ttacker uses the client application o f HTTP tu n n e l softw are installed on his o r her system
to com m unicate w ith o th e r machines. All requests sent throu g h the HTTP tu n n e l clie n t
application go throu g h the HTTP protocol.
M o d u le 0 3 Page 394
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
R acks o f HTTP
T u n n el S e rv e rs
‫א‬
M
R o u te r
‫ א‬M
49
HTTP P roxy
HTTP T u n n el
o r F irew all
S e rv e rs r e c e iv e
a n d re la y th e d a ta
-
End U se rs u s e H TTP-Tunnel
to tr a n s m it o r re c e iv e d a ta
1
th r o u g h F irew all
&
_
•
•u!
j
P re v io u s ly in a c c e s s ib le s e r v e r s a n d s e rv ic e s
FIGURE 3.68: HTTP Tunneling Process
The HTTP tun n e lin g technique is used in n e tw o rk activities such as:
9
Stream ing video and audio
9
Remote procedure calls fo r n e tw o rk m anagem ent
9
For in tru sion d ete ction alerts
9
Firewalls
M o d u le 0 3 Page 395
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
W h y do I N e e d H T T P T u n n e lin g
80 and 443, and
J
Organizations firewall all ports except
J
HTTP tunneling will enable use of FTP via HTTP protocol
INSIDE THE NETW ORK
a
v
HTTP Tunneling
client running
on local port
OUTSIDE THE NETW ORK
P o rt
23
□
P o rt
21
□
P o rt
79
□
P o rt
25
‫ם‬
P o rt
110
Q
1 P o rt
500
Q
1 P o rt
69
□
11 P o r t
80
a ! ........•‫נ‬
443
Q
I
FTP
you may w ant to use FTP
P o rt
1
Internet
©
Data is sent
via HTTP
V
I
FTP data is
encapsulated
in http packet
F ire w a ll r u le s o n ly
H t t p tu n n e lin g s e rv e r
a llo w p o r t 8 0 a n d 4 4 3
s o ftw a r e r u n n in g
C o p y rig h t © b y
EG-G*ancil. A ll
R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
W h y d o I N e e d H T T P T u n n e lin g ?
HTTP tu n n e lin g allows you to use the In te rn e t despite having fire w a ll re stric tio n s
such as blocking specific fire w a ll p o rts to re strict specific p ro to co l co m m unication. HTTP
tun n e lin g
helps you to
overcom e this fire w a ll
re strictio n
by sending specific
protocol
co m m unication throu g h HTTP p rotocol.
The a ttacker may use this tech n iq ue fo r the fo llo w in g reasons:
9
It assures the a ttacker th a t no one w ill m o n ito r him or her w hile browsing
9
It helps the a ttacker to bypass fire w a ll restrictions
9
It ensures secure browsing
9
The a ttacker can hide his or her IP address fro m being trapped
9
it assures th a t it is highly im possible fo r others to id e n tify him o r her online
Suppose the organization has blocked all ports in yo ur fire w a ll and only allows p o rt 8 0/4 4 3 , and
you w a n t to use FTP to connect to some re m o te server on the Inte rn e t. In this case, you can
send y o u r packets via HTTP p ro to co l as shown in the fo llo w in g figure:
M o d u le 0 3 Page 396
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
IN S ID E T H E N E T W O R K
o
‫ן‬
F T P C li e n t
fL
S o ftw a re
- s
ftp
v
HTTP T u n n e lin g
c lie n t ru n n in g
P o rt
P o rt
P o rt
P o rt
P o rt
P o rt
P o rt
P o rt
P o rt
23
‫ם‬
‫ם‬
79 ‫ם‬
25 ‫ם‬
110 ‫ם‬
500 ‫ם‬
69 ‫ם‬
80 S3
443 B
21
o n lo c a l p o r t
F T P d a t a is
e n c a p s u la te d
in h t t p p a c k e t
F ire w a ll r u le s o n ly
a llo w p o r t 8 0 a n d 4 4 3
FIGURE 3.69: Effect of HTTP Tunneling on both Inside and Outside the Network
M o d u le 0 3 Page 397
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
H T T P T u n n e lin g Tool: S uper
N e tw o r k T u n n e l
H T T P T u n n e lin g
T o o l: S u p e r N e tw o r k
CEH
T u n n e l
Source: h ttp ://w w w .n e tw o rk tu n n e l.n e t
Super N e tw o rk Tunnel is a professional HTTP tu n n e lin g softw are, w hich includes HTTP tu n n e l
c lie n t and server so ftw a re . It is like secure VPN so ftw a re th a t allows you to access your
In te rn e t program s w ith o u t being m o n ito re d by yo ur w ork, school, o r the governm ent, and gives
you an extra layer o f p ro te ctio n against hackers, spyware, or ID th e ft. It can bypass any fire w a ll.
M o d u le 0 3 Page 398
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
# • H - a
ik
S ta rt
S e tu p
Lot
□
Add
§&.
O ra g B o x
•
TotalSendBytes
Tota/Recvfiytes
Server Cwent Connections:
[
J1
R in
H e to
About
Use Rin Game WthGameGuard Mode Q Use Real Remote Dn* Resolve
Send Speed
Recv Speed
Serves Total Threads(nctude cache)
My Local IP: 10 9 0 74
+
IP
View System Today Log
[
O nly Im p o rta n t M e ssa g e s
Thts operating system is 64‫־‬b11, SKI support tunnel both 32b1t and 64b11 prop‫«׳‬a, and except us• kook •ngin*, you •Iso can eon
7 ‫י‬
O e n t Stop
L o g &>d S ta tu s |
■ ■
|
.
-■
■■ : |
In Vksta.You can use dragdrop box to fragdrop program or program shortcut
FIGURE 3.70: Super Network Tunnel Screenshot
M o d u le 0 3 Page 399
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
End user w ith
HTTP-tunnel
Exam 3 1 2 -5 0 C ertified Ethical H acker
HTTP Proxy
or Firewall
h t tp : // w w w . h ttp - tu n n e l.c o m
C o p y rig h t © b y
‫־‬
W
_
H T T P T u n n e lin g
EG-G*ancil. A ll
R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
T o o l: H T T P -T u n n e l
‫׳‬/
Source: h ttp ://w w w .h ttp -tu n n e l.c o m
HTTP Tunnel acts as a SOCKS server, allow ing you to access the In te rn e t by bypassing fire w a ll
restrictions. It is very secure softw are. Using this so ftw a re does n ot a llow others to m o n ito r
y o u r In te rn e t activities. It hides yo u r IP address; th e re fo re , it does not a llow tracing o f your
system. It allows you the u n lim ite d tra n sfe r o f data. It runs in yo ur system tra y acting as a
SOCKS server, managing all data transm issions betw een the co m p u te r and the n etw o rk.
M o d u le 0 3 Page 4 0 0
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
%J
Exam 3 1 2-50 C ertified Ethical H acker
Configuration
H T T P -T u n n e l C lie n t v 4 .4 .4 0 0 0
‫־‬3
Ptotty S«rv«
file
Wy
g e ttin g s
H elp
He*p
Connections
r
C onligue
Log
C*■ Enter Key
Mad Support
Autodtloct
<• N0P>0>V
C Speciy Pioty
Serve* N«neAP
Exrf
C• a l
r
| S p eed T ett | Diagnostics | About |
<11 56 11> RIP Pnged serve* to keep use! logged n
I <11 56 11> RettievelP Log Window Geared
r
M *w n e e |H 4 » }o n S t« M >
Accei 1 Rwtactoro
Turn •»» ON •0 *cm 2 IP1 10 um •w HTTPT irmH
cktri L n v • t « O ff I you oriy *Mrt 10 um
HTTPT u‫׳‬mel how pvogrami *m n g o n t w PC
r
AI0M»«4 >eo»vo IP* •o comect foHTTP Tunnrt
Advanced U *«n
f 0• advanced u w t only e*eete corriacl Svcded 101 r #0
Thn option Mi *osbcafly ‫ ״‬t ‫״‬ove performance i t •
supported by fOU proay Th■ m i vo l. ONLY I you Save
1 piOMy The comtc Icn loti dot! not lot( t t i op•cn
r
U ser G u id e s
.
..
OomnomU.n e w t+ m rtP n a m c r
h ttp tu n n e i
Chck Here
Ptoay
* w ‘C O N N EC T" command
D a la « P a *
MT TP T c m •* Infant an Peal 1080 lei conrecbon! ha■*
* « * n » 10rM Char^a
>ou I r d port 1 0 6 C * * « V r
U M » * a n you b * d H T T P I m l You n « k n 10
10c 0r t 9 # *)K » *ap p fca *an a and ••alart H T T P T im a l
$3.99 a month/year
1
M u n if o ( I i n * A n y w l i
fioio
Key n o t fo u n d
Free S erver M o d e.
0 KBUp/0 KBDown
IP R etrieved(. 149]
FIGURE 3.71: HTTP-Tunnel Client and Configuration Windows
M o d u le 0 3 Page 401
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
|
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
B
ssh
-f
- f
u s e r @ c e r tifie d h a c k e r .c o m
= > b a c k g ro u n d m o d e ,
y o u a r e lo g g in g i n t o , - L
-L
5 0 0 0 :c e r t i f i e d h a c k e r . c o m :2 5
u s e r S c e r t i f i e d h a c k e r . com = >
c e r t i f i e d h a c k e r . com : 2 5
5000 :
p o rt:h o s t:re m o te -p o rt, a n d
-N
=>
Do not execute the
6
= > lo c a l-
□
S im p ly p o i n t y o u r e m a il c lie n t t o u s e
lo c a lh o s t : 5 0 0 0 as t h e S M T P s e r v e r
c o m m a n d o n t h e r e m o t e s y s te m
EG-G*ancil. All
local port 5 0 0 0 to
2 5 o n c e r t if ie d h a c k e r . c o m
e n c ry p te d
u s e r n a m e a n d s e rv e r
Copyright © by
T h is f o r w a r d s t h e
port
-N
Rights Reserved. Reproduction is S trictly Prohibited.
SSH T u n n e lin g
SSH tun n e lin g is a n o th e r technique th a t an a ttacker can use to bypass fire w a ll
re strictio n s. It also helps you hide yo ur IP address on th e Inte rn e t; th e re fo re , no one can trace
or m o n ito r you.
The prerequisite o f SSH tun n e lin g is raised fro m the problem s caused by the p ub lic IP address,
the means fo r accessing com puters fro m anyw here in the w o rld . The com puters netw orked
w ith the public IP address are universally accessible, so th e y could be attacked by anyone on
the global In te rn e t easily and can be victim ize d by attackers. The d eve lo p m en t o f SSH
tun n e lin g solves the problem s faced by the public IP address.
An SSH tun n el is a link th a t proceeds tra ffic fro m an indiscrim inate p o rt on one m achine to a
re m o te m achine throu g h an in te rm e d ia te machine. An SSH tu n n e l comprises an encrypted
tun n el, so all yo u r data is encrypted as it uses a secure shell to create the tun n el.
Creating a tu n n e l fo r a p rivately addressed m achine needs to im p le m e n t th re e basic steps and
also requires th re e machines. The th re e requisite machines are:
9
Local machine
9
An in te rm e d ia te m achine w ith a public IP address
9
Target m achine w ith a private address to w hich th e connection m ust be established
M o d u le 0 3 Page 402
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
You can create a tunnel as follows:
9
Start an SSH connection from local machine to the intermediate machine with public IP
address.
9
Instruct the SSH connection to wait and observe traffic on the local port, and use
intermediate machine to send the traffic to an explicit port on the target machine with a
private address. This is called port acceleration or port forwarding.
9
On the local machine, select the application that you want to use for connection with
the remote machine and configure it to use port forwarding on the local machine. Now,
when you connect to the local port, it will redirect the traffic to the remote machine.
To secure communication between computers, SSH uses private and public encryption keys.
The public encryption keys used by the SSH tunneling deed like the identifiers of the authorized
computer. On initiating an SSH connection, each machine exchanges public keys, but only the
computer that has the matching private key can attain access to the remote computer
applications and information and can read encrypted communications with the public key.
f t
<i
DB C lient
%
DB Server
M a il C lie n t
<3
I n *
A tta c k e r
Internet
SSH
t
A p p C lie n t
f ‫״‬
!'‫• <׳‬
‫׳‬
M a il Server
‫!□□ם‬
□ 0 9 -.............
______ ►
C lie n t
SSH
P e rim e te r
P e rim e te r
C o n tr o ls
C o n tr o ls
*4
S erv er
A pp Server
W e b se rve r
W eb Client
FIGURE 3.72: SSH Tunneling Process
OpenSSH
Source: http://www.openssh.org
OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping,
connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling
capabilities and several authentication methods, and supports all SSH protocol versions.
OpenSSH can be used to tunnel the traffic on local machine to a remote machine that you have
an account on.
s s h - f u s e r @ c e r tif ie d h a c k e r .c o m
-f
=> backgroung mode
user@ c e r t i f i e d h a c k e r . com=>
-L
-n
-L 2 0 0 0 : c e r t i f i e d h a c k e r . com: 25 -N
2000:
user name and server you are logging into
c e r t i f i e d h a c k e r . c o m : 25
=> I0cal‫־‬p0rt:h0st:rem0te‫־‬p0rt
=> Do not execute the command on the remote system
This essentially forwards the local port 2000 to port 25 on certifiedhacker.com encrypted.
Simply point your email client to use localhost:2000 as the SMTP server.
M o d u le 0 3 Page 4 0 3
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S S H T u n n e l i n g T o o l: B i t v i s e
C EH
B itv ise SSH S e r v e r p r o v id e s s e c u r e r e m o t e lo g in c a p a b ili tie s t o W in d o w s w o r k s t a ti o n s a n d s e r v e r s
SSH C lie n t in c lu d e s p o w e rf u l tu n n e lin g f e a t u r e s in c lu d in g d y n a m ic p o r t f o r w a r d in g t h r o u g h a n in t e g r a t e d
p ro x y , a n d a ls o r e m o t e a d m i n i s t r a t i o n f o r t h e SSH S e r v e r
?1
Bitvise SFTP - localhost:22
I W indow
Local
Remote
^
U pload Queue
U pload Queue
Download Queue
a i D ownload Queue
Log
Log
£] $ (3 c.\prog!amfiles(xS6}',b1t/isetunnelier
St
Name
Size Type DateModifed Attributes
QkMermcexe 286,720 Application 2006-12-250.. A
S/glcl:tgc.oxo 1.265.664 Appliraton 2006-12-250.. A
i"7logexe
20.480 Application 2006-12-250 A
Lsenseexe 1,597.440 Applicabon 2006-12-250 A
■Isftpc.exe 2,002,944 Application 2006-12-250.. A
iis3hd3tg3exe 2.150,400 App1caton 2006-12-250.. A
B7‫־‬stermc
1,650,608 App1cabon 2006-12-250 A
Qtotermcexe 372,736 Application 2006-12-250.. A
MTurn01tor.oxo 6.193.152 AppIoaton 2006-12-250.. A
S}un1n31.exo 552.256 Apploaton 2006‫־‬12-250.. A
vt100bds
6,066 TDSFils 2006-12-250 A
xtermtds
6,066 TDSFilo 2006-12-250.. A
o s>
Nome
k Log*
‫׳ י‬bv^Ad.oxe
^ Binary ‫ !_[״‬Resume |:|JOverwrite ft Start
If Binary * _Resurre j Li Overwrite ft Start
O
{*•
fc ip r o g r a r r Files (x36)/bitvise w insshd
Size Type DeteModifed
0 FileFolder 2006-12-250..
167.936 Application 2006-12-250...
I 7‫־‬
exe
188.415 Application 2006025‫־‬12‫־‬..
F |)Vrmsso*
200.095 Application 2006-12-250
■ ; SCP.OXO
294,912 Application 2006-12-250..
15,961 C*•♦Sour... 2006-12-250..
°*1StcPuginSomple.cpp
-»SlpRuginSompI#dll
20.•100 Applicati 2009-12-250..
610.304 application 2006-12-250..
2.76070‫ !׳‬Application 2006-12-250..
■7 CCMCV.OXO
05515‫ ־‬/Vppilcatlon 2006-12-250..
^sowoxecoxe
2,211.040 Application 2006-12-250..
f7itMtlgt win
■‫׳‬totom003
192.512 Application 2006-12-250..
P u m rs ie x e
352.256 Application 2006-12-250..
2,330.016 Application 2006-12-250..
‫י‬
3.461,120 Application 2006-12-250..
7‫ י‬W irSSHD.exe
I!WrttshdAdStateCheckexe 446,464 Application 2006-12^250..
2,666,496 Applicati... 2006-12-250..
-‫י‬WneshdCfgManipdI
3.768 Interface 2006-12-250..
j Wr'sshdCfgMaoipidl
h t tp : // w w w . b itv ise . c o m
C o p y rig h t © b y
SSH T u n n e lin g
EC-CMMCil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
T o o l: B itv is e
Source: http://www.bitvise.com
Bitvise is client server-based application used for SSH tunneling. The server provides you secure
remote login capabilities to Windows workstations and servers. With Bitvise SSH Server, you
can administer the Windows server remotely. The Bitvise server even has the ability to encrypt
the data during transmission so that no one can sniff your data during transmission.
Bitvise SSH Client includes graphical as well as command line SFTP support, an FTP-to-SFTP
bridge, tunneling features that can be helpful for port forwarding and remote administration.
M o d u le 0 3 Page 4 04
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
.‫ וי‬Bitvise SFTP - localhost:22
W in d o w
Local
B ro w s e
R e m o te
U p lo a d Q u e u e
| J ) U p lo a d Q u e u e
1 2
D o w n lo a d Q u e u e
D o w n lo a d Q u e u e
Log
-_ /^ L o g
R e m o t e F ile s
o
O
S
13( ‫׳‬.‫׳‬4 £ <
N am e
S ize
c :\p ro g ra m file s (x86)Vb1tv is e tunrieher
‫׳‬
S
■
*2
O
Type
D a te M o d ife d
A ttrib u te s
Nam e
2006-12-25 0...
A
1 Logs
‫}ל‬
fit
/c /p ro g ra m file s (x86)/b !tv is e w in ssh d
S ize
Type
□ a te M o d ite d
0
F ile F o ld e r
2006-12-25 0 ..
bvPw dexe
167.936
A p p lic a tio n
2006-12-25 0 ..
b v R u n .e x e
188.416
A p p lic a tio n
2006-12-25 0 ..
208.896
A p p lic a tio n
2006-12-25 0 ..
294.912
A p p lic a tio n
2006-12-25 0 ..
15.961
C ♦♦ Sour...
2006-12-25 0 ..
23.480
n tv te rrn c .e x e
286.720
A p p lic a tio n
f f g ld s tg s .e x e
1.265.664
A p p lic a tio n
2006-12-26 0...
A
‫י‬
20.480
A p p lic a tio n
2006-12-25 0...
A
•
s e x e c exe
1.597.440
A p p lic a tio n
2006-12-25 0...
A
■
b v te rm s e x e
s ftp c e x e
2.002.944
A p p lic a tio n
2006-12-25 0...
A
■ ' s c p .e x e
s s h d s tg s .e x e
2 . ‫ ו‬50.400
A p p lic a tio n
2006-12-26 0 ...
A
c~ S ttp P lu g m S a m p le .c p p
s te rm c .e x e
1.650.688
A p p lic a tio n
2006-12-25 0...
A
Q to t e r m c e x e
372.736
A p p lic a tio n
2006-12-26 0 ...
A
6.193.152
A p p lic a tio n
2006-12-25 0...
A
F
ss h d c trl.e x e
352.256
A p p lic a tio n
2006-12-25 0...
A
F
sshdexecexe
I 7 lo g .e x e
■
F
F
; ‫ ' ׳‬T u n n e lie r.e xe
J | u n 1r s t e x s
S ftp P lu g in S a m p le .d ll
■ ' sftp s.e xe
A p p lic a ti...
2006-12-25 0 ..
610.304
A p p lic a tio n
2006-12-25 0 ..
2.763.704
A p p lic a tio n
2006-12-25 0 ..
45.056
A p p lic a tio n
2006-12-25 0 ..
v tlO C .td s
6.066
T D S F ile
2006-12-25 0...
A
‫ ' י‬s s h d s tg s .e x e
2.211.840
A p p lic a tio n
2006-12-25 0 ..
xJerm .lds
6.066
T O S F ile
2006-12-25 0 ...
A
F
to te rm .e xe
192.512
A p p lic a tio n
2006-12-25 0 ..
F
u n in s te x e
352.256
A p p lic a tio n
2006-12-25 0 ..
2006-12-25 0. .
F
w c tg exe
2.338.816
A p p lic a tio n
F
W in S S H D .e x e
3.461.120
A p p lic a tio n
2006-12-25 0 ..
445,464
A p p lic a tio n
2006-12-25 0
■ W in s s h d A c tS ta te C h e c k e x e
W in s s h d C fg M a n ip .d ll
i W in s s h d C tg M a n ip id l
S f B in a r v
; R esum e
J O ve rw rite _ [ &
Start
JP jD in d iy
*
R esum e
2.666.496
3,768
□ O verw rite
A p p lic a ti...
2006-12-25 0 ..
In te rla ce
2006-12-25 0
S ta rt
]
FIGURE 3.73: Bitvise Tool Screenshot
M o d u le 0 3 Page 4 05
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
CEH
A n o n y m iz e r s
J
An a n o n y m iz er r e m o v e s all t h e identifying in f o rm a tio n fro m t h e u ser's
c o m p u t e r while t h e u se r surfs t h e In te rn e t
J
A nonymizers m a k e activity on t h e I n t e r n e t u n tr a c e a b le
J
A nonym izer too ls allow you t o b y p a s s I n t e r n e t c e n s o r e d w e b s i t e s
W h y u s e A n o n y m iz e r?
C o p y rig h t © b y E G -G *nncil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
A n o n y m iz e rs
An anonymizer is an intermediate server placed in between the end user and web
site that accesses the website on behalf of you, making your web surfing untraceable. An
anonymizer eliminates all the identifying information (IP address) from your system while you
are surfing the Internet, thereby ensuring privacy. Most anonymizers can anonymize the web
(http :), file transfer protocol (ftp :), and gopher (gopher:) Internet services.
To visit a page anonymously, you can visit your preferred anonymizer site, and enter the name
of the target website in the Anonymization field. Alternately, you can set your browser home
page to point to an anonymizer, so that every subsequent web access will be anonymized.
Apart from this, you can choose to anonymously provide passwords and other information to
sites that request you, without revealing any other information, such as your IP address.
Crackers may configure an anonymizer as a permanent proxy server by making the site name
the setting for the HTTP, FTP, Gopher, and other proxy options in their applications
configuration menu, thereby cloaking their malicious activities.
W h y U se a n A n o n y m iz e r?
The reasons for using anonymizers include:
M o d u le 0 3 Page 4 06
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
9
Exam 3 1 2 -5 0 C ertified Ethical H acker
Ensures privacy: It protects yo u r id e n tity by m aking yo u r w e b n aviga tio n activities
untraceable. Your privacy is m aintained u n til and unless you disclose yo u r personal
in fo rm a tio n on the w eb by fillin g o u t form s, etc.
9
Accesses government-restricted content: Most governments prevent their citizens from
accessing certain websites or content in order to avoid them from accessing inappropriate
information or sensitive information. But these people can access even these types of resources
by an anonymizer located outside the country.
9
Protect you from online attacks: Anonym izers p ro te ct you fro m all instances o f online
pharm ing attacks by routing all customer Internet traffic via the anonymizer's protected DNS
servers.
9
Bypass IDS and firewall rules: Bypassing o f fire w a lls is m ostly done in organizations or
schools by em ployees or students accessing w ebsites th e y are n ot supposed to access.
An anonym izer service gets around yo u r organization's fire w a ll by setting up a
connection betw een yo ur co m p u te r and the anonym izer service. By doing such,
fire w a lls can see only the connection fro m you to anonym izer's w eb address. The
anonym izer w ill the n connect to T w itte r o r any w ebsite you w anted to access w ith the
help o f an
In te rn e t connection
and sends the
co n te n t
back to
you.
For your
organization, it looks like yo u r system is connected to an anonym izer's w eb address, but
n ot to T w itte r or o th e r sites.
Anonym izers, apart fro m p ro te ctin g users' id e ntitie s, can also attack the w ebsite and no one
can actually d ete ct w here the attack came fro m .
T y p e s o f A n o n y m iz e rs
An anonym izer is a service throu g h w hich one can hide th e ir id e n tity w hen using
certain services o f the Inte rn e t. It basically works by encrypting the data from your computer, so that
is cannot be understood by Internet service providers or anyone who might try to access it. Basically,
anonym izers are o f tw o types:
9
N etw orked anonym izers
9
S ingle-point anonym izers
- ____~
N e tw o rk e d A n o n y m iz e rs
____
These type o f anonym izer firs t transfers yo ur in fo rm a tio n throu g h a n e tw o rk o f
In te rn e t com puters before sending it to the w ebsite. Since the in fo rm a tio n passes through
several In te rn e t com puters, it becomes m ore cum bersom e fo r anyone tryin g to tra ck yo ur
in fo rm a tio n to establish the connection betw een you and anonym izer.
Example: If you w a n t to visit any web page you have to make a request. The request w ill firs t
pass throu g h A, B, and C In te rn e t com puters p rio r to going to the w ebsite. Then a fte r being
opened, the page w ill be tra nsfe rre d back throu g h C, B, and A and then to you.
Advantage: C om plication o f the com m unications makes tra ffic analysis com plex
M o d u le 0 3 Page 4 07
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Disadvantage: Any multi-node network communications have some degree of risk at each node
for compromising confidentiality
___
S in g le -p o in t A n o n y m iz e r s
'— ^ Single-point anonymizers first transfer your information through a website before
sending this to the target website, and then pass back information, i.e., gathered from the
targeted website, through a website and then back to you to protect your identity.
Advantage: IP address and related identifying information are protected by the arms-length
communications
Disadvantage: It offers less resistance to sophisticated traffic analysis
M o d u le 0 3 Page 4 08
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
C a s e : B lo g g e rs W rite T e x t B a c k w a rd s
to B y p a s s W e b F il te r s in C h in a
Bloggers and
journalists in China
are using a novel approach
to bypass Internet filters in their
country - they write backwards or
from right to left
*
★
W
“IF H BOTHERSYOUTHATTHECHINA
SCVEM
flENTDOESIT! ITSHOULD
9CTVCRYOUW
HENYOU*CABLECOM
PANY
DOCS IT 1 "
‫' ״‬her^ r Z l em
*adablebvh ns~
beings k . . / Urr>an
e r in g
50**are
packets co
. aSTibet,
^Oero°c
0rcracvJ‫־‬
r a ’‫‘ ׳‬ananr0en‫ ׳‬etC
I R ights R eserved. R e p ro d u c tio n is S tr ic tly P ro h ib ite d .
< \» • I f
C a s e : B lo g g e rs W rite T e x t B a c k w a r d s to ® y p a s s W e b
F ilte r s in C h in a
China is well known for its implementation of the "packet filtering" technique. This technique
detects TCP packets that contain controversial keywords such as Tibet, Democracy, Tiananmen,
etc. To bypass Internet filters and dodge the censors, bloggers and journalists in China are
writing the text backwards or from right to left. By doing so, though the content is still in human
readable form, the text is successful in defeating web filtering software. Bloggers and
journalists use vertical text converter tools to write the text backwards or from right to left and
vertically instead of horizontally.
M o d u le 0 3 Page 4 09
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
C en so rsh ip C irc u m v e n tio n
Tool: P siphon
J
CEH
P sip h o n is a c e n s o r s h ip c irc u m v e n tio n s y s te m t h a t a llo w s u s e r s to
b y p a s s f ire w a lls a n d a c c e s s b lo c k e d s ite s in c o u n tr ie s w h e r e t h e
Psiphon 3
A ‫־־‬.
I n te r n e t is c e n s o r e d
J
It u s e s a s e c u r e , e n c r y p t e d HTTP tu n n e l c o n n e c tio n t o r e c e iv e
r e q u e s t s fro m p s ip h o n ite to p s ip h o n o d e w h ic h in t u r n tr a n s p o r t s
t h e re s u lts b a c k t o t h e r e q u e s t e d p s o p h o n ite
J
It a c ts a s a w e b p ro x y fo r a u t h e n ti c a te d p s ip h o n ite s , e v e n w o rk s
o n m o b ile d e v ic e s
-1
0 0 ‫ זחכ‬proxy domestic web sites
Qicrr. Veraion; 40
SSH■♦■connecting...
Localhos! poit 1080 is already in use
SCCfCS proxy is running on localhcst port 1081
t
S
SH♦successfullyconnected
HTTP proxy is running cn localhost poit SOSO
Preferred sen‫ ׳‬era: 2
SSH♦ disconnected.
It b y p a s s t h e c o n te n t- f ilte r in g s y s te m s o f c o u n tr ie s like C h in a,
S
SH♦connecting
Localhos! poit 1030 is already in u#c
SOCKS proxy is running on localMcst port 1081
SSH♦ successfully connected
HTTP proxy ia rumhg cn localhooi poit 8030.
N o rth K orea, Iran , S au d i A ra b ia , E gypt a n d o th e r s
SSH♦disconnected.
Fix VPN Servces faled: ireutfciert privileoesto confiaure 0‫ ־‬stal servce IKEE
VPN connecting...
YPN succes^uly connected.
Uncensored
HTTP proxy is rumha cn localhost poit 8080.
VPN disconnected.
SSH connecting. ..
18
Locahoss poit 1080 already inuse
SOCKS proxy it running on localhost port 1081
SSH succes^uly comcctod.
HTTP proxy is rumnq cn localhos! poit 8080.
Unpraeed• autee ruixjifcoiit com
Urproxed. a 1970.gok.anoi /id
U ronxed: osnotomq .com
Unproved a$«0g akamai net
Unproxed: wyvw.bqaiautc.com
Uronxed: mypalsar.com
SSH disconnected
SSH* connecting...
Locahos: cor. 1080 is aready in use
SOCKS proxy is running on localhost port 1081
‫י‬
Aboii Psphon 2
h ttp : //p s ip h o n .c o
C o p y rig h t @ b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
C e n s o rs h ip
C irc u m v e n tio n
T o o l: P s ip h o n
Source: http://psiphon.ca
Psiphon is a censorship circumvention system that allows users to bypass firewalls and access
blocked sites in countries where the Internet is censored. It uses a secure, encrypted HTTP
tunnel connection to receive requests from psiphonite to psiphonode, which in turn then
transports the results back to the requested psophonite. It acts as a web proxy for
authenticated psiphonites, and works on mobile browsers. It bypasses content-filtering systems
of countries such as China, North Korea, Iran, Saudi Arabia, Egypt, and others.
M o d u le 0 3 Page 4 1 0
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Exam 3 1 2-50 C ertified Ethical H acker
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
H I□ ]
Psiphon 3
P
O
x
ovpn » s 1»h
O SSH♦
® SSH
•
‫ן‬
‫י‬
@ Don! proxy domestic web sites
Client Version: 40
SSH♦ connecting
Localhost port 1080 is already m use
SOCKS proxy is runrwig on locahost port 1081.
SSH♦ successfully connected
HTTP proxy is ru m n g on locahost port 8080
Preferred servers: 2
SSH♦ disconnected
SSH♦ connecting...
Localhost port 1080 is already m use
SOCKS proxy is rurmng on locafriost port 1081
SSH♦ successfully connected
HTTP proxy is rurmng on locahost port 8080
SSH♦ disconnected
Fix VPN Services faded nsuffoent pmnleges to configure or start service IKEE
VPN connecting...
VPN successfully connected
HTTP proxy is rurmng on locatiost port 8080
VPN disconnected
SSH connect ng...
Localhost port 1080 is already n use
SOCKS proxy is rurmng on locatiost port 1081.
SSH successfully connected
HTTP proxy is rurmng on locahost port 8080
Unprcuoed autosinaxabout .com
Unproxied: a1979.g akamai net
Unproxied: bsmotormg com
Unproxied: a 9 0 g akamai net
Unprowed: www baja!auto com
Unprowed mypulsar com
SSH disconnected
SSH♦ connecting
Localhost port 1080 is already in use
SOCKS proxy is running on locatiost port 1081
About Ps*>hon 3
FIGURE 3.74: Psiphon Screenshot
M o d u le 03 Page 4 11
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
C o p y rig h t © b y
C e n s o rs h ip
C irc u m v e n tio n
‫׳‬G M IilC il. A ll R ig h ts R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
T o o l: Y o u r - F r e e d o m
Source: http://www.your-freedom.net
Censorship circumvention tools allow you to access websites that are not accessible to you by
bypassing firewalls. The Your Freedom services makes accessible what is unaccessible to you,
and they hide your network address from those who don't need to know. This tool turns your
PC into an uncensored, anonymous web proxy and an uncensored, anonymous SOCKS proxy
that your applications can use, and if that's not enough, it can even get you connected to the
Internet just as if you were using an unrestricted DSL or cable connection.
M o d u le 0 3 Page 412
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
_‫ ־‬E°L
Y our F re e d o m
S ta tu s
|
S tr e a m s
| A c c o u n t P r o file
P o rts
M essages
Freedom Server
External IP Address
Server located in
Open streams
Bytes sent
Bytes received
Send rate (bytes/sec)
Receive rate (bytes/sec)
C o n fig u r e
V o u c h e rs
j A p p lic a tio n s
A bout
https://ems29.your-freedom.de 443
83.170.106 56
UK, United Kingdom
0
2973
704
279
111|
S to p c o n n e c tio n
R e s ta r t c o n n e c tio n
U p lin k
U p d a te ?
II I
E x it
D o w n lin k
0 .4 k
1.0 k
FIGURE 3.75: Your-Freedom Screenshot
M o d u le 0 3 Page 4 13
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
H o w to C h e c k i f Y o u r W e b s ite is
B lo c k e d in C h in a o r N ot?
J
Internet tools help identify if web users in China can access remote websites
J
When Just Ping and WebSitePulse show "Packets lost" or "time-out" errors,
chances are that the site is restricted
h ttp : // w w w . w e b s ite p u lse . c o m
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
H o w
---------
to C h e c k
if Y o u r W e b s ite
is B lo c k e d
in
C h in a o r
N o t?
If a "packets lost" error is received or there is a connection time-out message is displayed while
connecting to your site, chances are that the site is blocked. To find out whether the website at
xyz.com is accessible by Chinese web users, you can use tools such as just ping and
WebSitePulse.
f
00•
J u s t p in g
Source: http://www.iust-ping.com
Just ping is an online web-based ping tool that allows you to ping from various locations
worldwide. It pings a website or IP address and displays the result as shown as follows:
M o d u le 0 3 Page 4 14
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
j u s t ^ p in g
u jn T C H m n u !
WATCMNC CVtROMlM IlMNISk
O n l i n e w e b -b a a e d p i n g :
U-jhg
e g
F re e o n lin e p in g i r o n
SO l o c a i i o a a
w o r ld w id e
| |p-r.g1‫׳‬
y a h o o c o n o r 6 6 . 9 4 . 2 3 4 . 1 33
pina: tnm.fAcmbock.com <Check http fly!w.facatoook com/)
S in g a p o re .
Unknow n h o a t :
S in g a p o re :
v»nr f a e e b o o k . com
fyjs*te r d a .n 2 ,
O kay
N a th a rla n d a
F l o r i d a . U.S.A. : O kay
X a a ta rd ia 3.
O kay
N c * .h e rla rv d • :
H ong Kor.rj, C h in * O kay
Sydney.
O kay
Hi h I w I 1■
MA*tnch«n.
O kay
C « rn a n y :
C o l o a n • . S a rm an Y rO k a y
Hav Y o r k , U .S .A . O kay
S to c k ho l a .
O kay
Sw adan.
S a n ta C la r a .
U .S .A .:
V a n c o u v e r.
L ondon.
K in g d o m .
M a d r id .
Padova
A u « tin .
U ni ta d
S p a in :
Ita ly :
U .S .A .:
M o th e rla n d • .
M 3
9 0 .5
91 O
2 a 0 3 : 2 6 8 0 : 2 1 1 0 : 3 f 0 2 : f a c e bOOc
84 0
84 6
8 3 .3
6 6 . 2 2 0 .1 4 9 88
90 5
90 6
91 .0
2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 : f a c e bOOc
1 8 3 .9
1 8 9 .9
1 9 8 .9
2 a 0 3 : 2 8 8 0 : 1 0 : 1 f 0 2 : f a c a : bOOc
1 9 3 .9
1 8 3 .8
1 6 5 .0
6 9.1 7 1 . 2 3 7 .1 6
9 7 .2
9 7 .5
96 .2
6 9 . 1 7 1 .2 4 2 . 7 0
10 3 3
9 1 .*
1 0 9 .9
8 2 .1
1 0 6 .1
8 2 .5
2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 2 : f a c a bO O c::
< 9 . 1 7 1 . 2 3 7 .3 2
25
123•
1 2 3 .9
1 2 4 .2
2 a0 3 2880 2110 3 f0 2
O kay
28 O
2 8 .3
2 8 .7
6 9 . 1 7 1 .2 2 8 7 0
f a c a bOOc
O kay
M 8
3 3 .9
3 4 .1
2 a 0 3 :2 8 8 0 : 1 0 i f 0 3 fa c a .b O O c
O kay
9 4 .4
94 .7
9 8 .2
2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f 0 3 : fa c a :b O O c
O kay
O kay
O kay
12 4 6
113 A
72 8
1 2 4 .7
1 1 3 .C
7 3 .2
1 2 5 .3
1 1 3 .9
7 3 .C
65 63 1 8 9 .7 4
2 a 0 3 2 8 8 0 ! 2 1 1 0 3 F02 f a o • bOOc
2 a 0 3 2 8 8 0 10 I f 0 3 f a c • bOOc 25
O kay
M 3
9 0 .€
9 0 .9
2 a 0 3 : 2 8 8 0 : 2 1 1 0 : 3 f0 2
29
f a c e bOOc
FIGURE 3.76: Just Ping Screenshot
W e b s ite P u ls e
Source: http://www.websitepulse.com
WebsitePulse provides remote monitoring services. It simultaneously pops websites from
around the globe.
I
B
IV W«*t4•T«t
I ^
C
a
x
■
s i
«w C ■
A‫׳‬ww.wrt>n»epuls<.<o‫׳‬n ‫״‬-
•'.Ttoo<Krtn*-tCTtmm!
WebsitePulse
Tk* w#b S*r*M aad Wafcdt* Maatfck* S#rvk» tnnlfd bv 184%‫וי‬mUoman
tskt IT easy ‫|י‬
.. 1
• ‫י‬
A,
‫ו‬j
1mi Tata > ■■>» ‫ז‬mi
‫•ייז‬a^at ‫!•י*׳׳‬
‫ז‬.»«‫ז‬rwvic
last mukt
!•.*>(‫■ ו»ז‬m m la
wam« 1(••‫«׳‬Jh
Im M Im•
Chm
Tn M M i
»12-00-2;
l015?>tO(O«T -00:00)
rotYo1# WrtiUt
0
FfctajiExtcnwun
ttAdd-0<W
MmM
OlfOflM EXtMMOft*
Opora Exteos>oos
Safan Extcrwon*
Wtf>dow3V1«a Gadget
Am
U.n4«I
Hnmni (■■•000‫כו‬
o*v
0000*k
CMM(t:
OON nc
<*V>h*6 *>*3Ap*
■
LIVE CHAT
'*itByt*
ImImIlm>
ham▼crfc RV
2012-04-21
10:5711c (OMT•00:00)
m l r««te4
1•*■) ‫ה»<י‬KMoxwr
H n M A i: •M71.2S7.J2
IniMM t«mi C M7 »•‫־‬
o«
0.
0c• MC
CaMKt
C.3M ••c
0M0 Mr
hntM•:
0.133 ioc
Facebook App*
^norowJape
1
3.090MC
W.
0»*•■
*tic*MU (PMoaraovtNU) nu(t
11
ftmm•
]1311 M m
#«• MTfi(>#g,TfMnUt> rMufts
lo N w H K ttm YTrbUtr frrr farM 0«r• Cktk Herr*
1mailm d h
Son Rnull)
Pafona a new tot
r‫♦׳‬#
T#*1Tod•*0‫׳‬v©‫״‬.
Report a hvMaa
v
FIGURE 3.77: WebsitePulse Screenshot
M o d u le 0 3 Page 4 1 5
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCll
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
CEH
G -Z a p p e r
G - Z a p p e r - TRIAL V E R S IO N
G ‫־‬Z a p p e r
G-Zaocei ‫׳= ־‬ntsctrg you! Search Piivacy
Did you know - 300gl9 *teres a unique identifier in a cookie on your PC, which alow? them to track the
kewkofdi yoo s sa c h fot. G -Zepper will ojtomalicdl/ dctcct and cban this cookie in your w5b bo/vie.
J j; t ■jn G-Zaoce». ninini7e the ‫״‬vinebw. and enjoy ycur enhanced search privacy.
J
G o o g le s e t s a c o o k ie o n u s e r 's
s y s te m w ith a u n iq u e id e n tif ie r
2' A Google Trr^rking ID exists on ym■‫־‬PC
You-aoogleV(hrefox8536d45Ib3671738
Gox^e instaled the cookie on Tuesday, July 03. 2012 12:10:32 AM
t h a t e n a b l e s t h e m to tr a c k u s e r 's
Y a * scaiche; ha/e teen tracked for *9 days
w e b a c tiv itie s s u c h a s :
• I
«
S earch K eyw ords a n d h a b its
e
S earch re s u lts
«
W e b site s visited
You have 2 Go«g» teaiehet «aved n Mjjilla Rrafax
10deletetheUxatecookie,clicktheUeleteLookiebutton.
Yoji irWtitj* wil h» ofc<cut»d from previcut SMrchtfi *nd G‫־‬Z*pp«r wll mgulM^i clean luhir• cookiat
Tobbck *nddelete th♦ Googe ceareh cook*, die*‫׳‬, the 8look Cooki• button.
(Grtai aid A0ie r 1> 1 1 ‫ וי׳יס‬be unavailable vitli the oju ke blocKcd)
J
I n f o r m a tio n f r o m G o o g le c o o k ie s
hllc/j‫׳‬wwMdurmwsDliwa(fi.cflm
c a n b e u s e d a s e v i d e n c e in a c o u r t
o f la w
| O b tt Cootie J ^ Block Cock* j ^ Test Google j ^
Settings
h t tp : //w w w . d u m m y s o ftw a r e . c o m
C o p y rig h t © b y EG-GtUIICil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
G ‫־‬Z a p p e r
Source: http://www.dummysoftware.com
G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay
anonymous while searching online. It automatically detects and cleans Google cookies each
time you use your web browser.
It is compatible with Windows 95/98/ME/NT/2000/XP/Vista/Windows7. It requires Microsoft
Internet Explorer, Mozilla Firefox, or Google Chrome and is compatible with Gmail, Adsense,
and other Google services.
M o d u le 0 3 Page 4 16
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
G-Zapper - TRIAL VERSION
is G Z a p p e r
W hat
G -Z a p p e r • P ro je c tin g y o u S e a rc h P riv a c y
D id y o u k n o w • G o o g le stores a u n q u e idenM ier r a c o o k ie o n y o u P C . w h ic h a to w s th e m to tra c k th e
k e y w o rd s y o u s e a rc h lo r G Z a p p e r w i a u to m a tic a l}! d e te c t a n d d e a n th is c o o k ie ‫ מ‬y o u w e b b row se*
J u s t ru n G •Z a p p e r. m r m t t e th e w in d o w , a n d e n jo y y o u e n h a n c e d s e a rc h p riv a c y
2'
----
A Google Tracking ID exists on yocr PC.
You Google ID: (Frefox) 85%d451b86*738
Google instaled the cook* on: Tuesday. Jdy 03.2012 12:10:32 AM
Y o u s e a rc h e s h a v e b e e n b a c k e d 10149 days
^
| You h a ve
2 G o o g le
s e a rc h e s s a v e d n M o z ia F re fa x
H o w to U s e It
T o d e le te th e G o o g le c o o k ie , d c k th e D e le te C o o k ie b u tto n
Y o u id e n tity w i b e o b s c u e d from p re v io u s se a rc h e s a n d G -Z a p p e i w i reg u la rly c le a n fu tu re c o o k ie s
T 0 b lo c k a n d d e le te th e G o o g le s e a rc h c o o k ie , d ic k th e B lo c k C o o k ie b u tto n
(Gmad a n d A d s e n s e w i b e u n a v a ia b le w ith th e c o o k ie M o c k e d )
http //www dunmvsdtware com
D e le te C ookie
B lo c k C ookie
T e s t G o o g le
Settngs
FIGURE 3.78: G-Zapper-Trial Version Screenshot
M o d u le 0 3 Page 4 17
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
EH
A n o n y m iz e r s
‫מ‬
M ow ser
http://www.mowser.com
U-Surf
A nonym ous Web Surfing Tool
http://ultimate-anonymity.com
http://www.anonymous-surfing.com
WarpProxy
Hide Your IP Address
http://silent-surf.com
http://www.hideyouripaddress.net
ps4
Spotflux
http://www.spotflux.com
Anonymizer Universal
http://www.anonymizer,com
‫ט ט ט‬
□ □E
http://www.hopeproxy.com
s a f lH l
http://www.pri\/acy-pro.com
Hope Proxy
Hide My IP
G uardster
http://www.guardster.com
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
* ‫ " ־ ״‬V ™ ‫״ ־ ־‬
An anonymizer is a tool that allows you to mask your IP address to visit websites
without being tracked or identified, keeping your activity private. It allows you to access
blocked content on the Internet with omitted advertisements. A few anonymizers that are
readily available in the market are listed as follows:
a
Mowser available at http://www.mowser.com
9
Anonymous Web Surfing Tool available at http://www.anonymous-surfing.com
9
Hide Your IP Address available at http://www.hideyouripaddress.net
© Anonymizer Universal available at http://www.anonvmizer.com
9
Guardster available at http://www.guardster.com
9
Spotflux available at http://www.spotflux.com
Q U-Surf available at http://ultimate-anonymity.com
9
WarpProxy available at http://silent-surf.com
9
Hope Proxy available at http://www.hopeproxy.com
9
Hide My IP available at http://www.privacy-pro.com
M o d u le 0 3 Page 4 18
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S p o o fin g I P A d d r e s s
CEH
IP spoofing refers to the procedure of an attacker changing his or her
IP address so that he or she appears to be someone else
When the victim replies to the address, it goes back to the spoofed
address and not to the attacker's real address
IP spoofing using Hping 2:
H p in g 2
-a
www.
7 . 7 . 7. 7
You w ill n o t b e a b l e to c o m p l e t e t h e t h r e e - w a y h a n d s h a k e a n d o p e n a s u c c e s s f u l TCP c o n n e c tio n b y
s p o o f in g a n IP a d d r e s s
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
-.
S p o o fin g IP
A d d re s s e s
^
Spoofing IP addresses enables attacks like hijacking. When spoofing, an attacker a
fake IP in place of the attacker's assigned IP. When the attacker sends a connection request to
the target host, the target host replys to the attacker's request. But the reply is sent to the
spoofed address. When spoofing an address that doesn't exist, the target replies to a nonexistent system and then hangs until the session times out, consuming target resources.
IP sp oo fin g using Hping2:
H p in g 2 w w w .c r e t i f i e d h a c k e r . c o m
-a 7. 7. 7. 7
Using Hping2 you can perform IP spoofing. It helps you to send arbitrary TCP/IP packets to
network hosts.
FIGURE 3.79: Attacker Sending Spoofed Packet to The Victim
M o d u le 0 3 Page 4 19
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
IP Spoofing D etectio n Techniques:
D ire c t T T L Probes
CEH
J
Send packet to host of s u s p ect spoofed packet th a t triggers reply and
c o m p a re TTL with susp ect packet; if th e TTL in t h e reply is n o t th e
s a m e as t h e packet being checked, it is a spoofed packet
J
This te c h n iq u e is successful w h en attacker is in a diffe ren t s u b n e t
from victim
Sending a packet w ith
spoofed 10.0.0.5 IP -T T L 13
.‫״•״‬
A tta c k e r
a a '
Target
(S p o o fe d A d d re s s
10 .0 .0 .5 )
10.0.0.5
N o te : N o r m a l tr a f f ic f r o m o n e h o s t c a n v a r y TTLs d e p e n d i n g o n tr a f f ic p a t t e r n s
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
IP
S p o o fin g D e te c tio n
T e c h n iq u e s : D ire c t T T L P ro b e s
Initially send a packet to the host of suspect spoofed packet and wait for the reply.
Check whether the TTL value in the reply matches with the TTL value of the packet that you are
checking. Both will have the same TTL if they are the same protocol. Though, initial TTL values
vary based on the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the
commonly used initial values are 64 and 128 and for ICMP, the values are 128 and 255. If the
reply is from a different protocol, then you should check the actual hop count to detect the
spoofed packets. The hop count can be determined by deducting the TTL value in the reply
from the initial TTL value. If the TTL in the reply is not matching with the TTL of the packet that
you are checking, it is a spoofed packet. If the attacker knows the hop count between source
and host, it will be very easy for the attacker to launch an attack. In this case, the test results in
a false negative.
M o d u le 0 3 Page 4 2 0
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S e n d in g a p a c k e t w ith
s p o o f e d 1 0 .0 .0 .5 IP - TTL 1 3
>•«*‫־‬.•
Attacker
••
(S p o o fed A d d ress
10.0.0.5)
y Nf
v
10.0.0.5
FIGURE 3.80: Using Direct TTL Probes for IP Spoofing Detection
M o d u le 0 3 Page 421
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
IP Spoofing D etectio n Techniques:
IP Id e n tific a tio n N u m b e r
J
S e n d p r o b e t o h o s t o f s u s p e c t s p o o f e d tr a f fic t h a t tr ig g e r s re p ly a n d c o m p a r e IP ID w ith
s u s p e c t tra f fic
J
If IP IDs a r e n o t in t h e n e a r v a l u e o f p a c k e t b e in g c h e c k e d , s u s p e c t tr a f fic is s p o o f e d
J
T h is te c h n i q u e is s u c c e s s f u l e v e n if t h e a t ta c k e r is in t h e s a m e s u b n e t
Send packet w ith spoofed IP
10.0.0.5; IP ID 2586
. * ‫ מ‬5‫ ׳ ־‬. ‫— ז‬
A tta c k e r
‫ *״‬t ;.‫*״•״‬
‫*יי‬
Ta1‫־‬get
(S p o o fe d A d d re s s
10 .0 .0 .5 )
10.0.0.5
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
r 3H1
IP
S p o o fin g D e te c tio n
T e c h n iq u e s : IP
Id e n tific a tio n
N u m b e r
Spoofed packets can be identified based on the identification number (IP ID) in the IP header
that increases each time a packet is sent. This method is effective even when both the attacker
and victim are on same subnet.
To identify whether the packet is spoofed or not, send a probe packet to the target and observe
the IP ID number in the reply. If it is in the near value as the packet that you are checking, then
it is not a spoofed packet, otherwise it is a spoofed packet.
Sending a packet w ith
sp o o fed 1 0 .0 .0 .5 IP - IP ID 2586
w
A tta c k e r
T a rg e t
(S p o o fe d A d d re s s
‫״‘ ••?ץ‬
1 0 .0 .0 .5 )
1 0 .0 .0 .5
FIGURE 3.81: Using IP Identification Number for IP Spoofing Detection
M o d u le 0 3 Page 422
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2-50 C ertified Ethical H acker
IP Spoofing D etectio n Techniques:
T C P F lo w C ontrol M e th o d
J
CEH
A tta c k e rs s e n d in g s p o o f e d TCP p a c k e ts , will n o t r e c e iv e t h e
t a r g e t 's SYN-ACK p a c k e ts
J
A tta c k e rs c a n n o t t h e r e f o r e b e r e s p o n s iv e t o c h a n g e in t h e c o n g e s t io n
w in d o w s iz e
_l W h e n r e c e iv e d tr a f fic c o n t in u e s a f t e r a w in d o w s iz e is e x h a u s t e d ,
m o s t p ro b a b ly t h e p a c k e ts a r e s p o o fe d
Sending a SYN packet
with spoofed 10.0.0.5 IP
A tta c k e r
T a rg e t
(Spoo fed Address
10 .0 .0 .5 )
*‫״״‬
.•••'&<* v\®•
10.0.0.5
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
IP
S p o o fin g D e te c tio n
T e c h n iq u e s : T C P
F lo w
C o n tro l
M e th o d
The TCP can optimize the flow control on both the send and the receiver side with its
algorithm. The algorithm accomplishes the flow control based on the sliding window principle.
The flow of IP packets can be controlled by the window size field in the TCP header. This field
represents the maximum amount of data that the recipient can receive and the maximum
amount of data the sender can transmit without acknowledgement. Thus, this field helps us to
control data flow. When the window size is set to zero, the sender should stop sending more
data.
In general flow control, the sender should stop sending data once the initial window size is
exhausted. The attacker who is unaware of the ACK packet containing window size
information continues to send data to the victim. If the victim receives data packets beyond the
window size, then the packets must be treated as spoofed. For effective flow control method
and early detection of spoofing, the initial window size must be very small.
Most spoofing attacks occur during the handshake, as it is difficult to build multiple spoofing
replies with the correct sequence number. Therefore, the flow control spoofed packet
detection must be applied at the handshake. In a TCP handshake, the host sending the initial
SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting
M o d u le 0 3 Page 4 23
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
the SYN request from a genuine client or a spoofed one, you should set the SYN-ACK to zero. If
the sender sends an ACK with any data, then it means that the sender is the spoofed one. This
is because when the SYN-ACK is set to zero, the sender must respond to it only with the ACK
packet but not ACK with data.
FIGURE 3.82: Using TCP Flow Control Method for IP Spoofing Detection
M o d u le 0 3 Page 4 24
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
-
I P S p o o fin g C o u n t e r m e a s u r e s
CEH
Limit access to configuration
information on a machine
Use random initial sequence
numbers
C o p y rig h t © b y EG-GlOOCil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
IP
S p o o fin g
C o u n te rm e a s u re s
In ethical hacking, the ethical hacker also known as the pen tester, has to perform an
additional task that a normal hacker doesn't follow, i.e., applying countermeasures to the
respective vulnerabilities determined through hacking. This is essential because knowing
security loopholes in your network is worthless unless you take measures to protect them
against real hackers. As mentioned previously, IP spoofing is one of the techniques that a
hacker employs to break into the target network. Therefore, in order to protect your network
from external hackers, you should apply IP spoofing countermeasures to your network security
settings. The following are a few IP spoofing countermeasures that you can apply:
Avoid trust relationships
Attackers may spoof themselves as a trusted host and send malicious packets to you. If you
accept those packets by considering that the packets are sent by your trusted host, then you
may get infected. Therefore, it is advisable to test the packets even when they come from one
of your trusted hosts. You can avoid this problem by implementing password authentication
along with trust-relationship-based authentication.
Use firewalls and filtering mechanisms
You should filter all the incoming and outgoing packets to avoid attacks and sensitive
information loss. The incoming packets may be the malicious packets coming from the attacker.
M o d u le 0 3 Page 4 25
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
If you do not employ any kind of incoming packet filtering mechanism such as a firewall, then
the malicious packets may enter your private network and may cause severe loss. You can use
access control lists (ACLs) to block unauthorized access. At the same time, there is also a
possibility of insider attackers. These attackers may send sensitive information about your
business to your competitors. This may also lead to great monetary loss or other issues. There is
one more risk of outgoing packets, which is when an attacker succeeds in installing a malicious
sniffing program running in hidden mode on your network. These programs gather and send all
your network information to the attacker without giving any notification. This can be figured
out by filtering the outgoing packets. Therefore, you should give the same importance to the
scanning of outgoing packets as that of the incoming packet data scanning.
Use random initial sequence numbers
Most of the devices chose their ISN based on timed counters. This makes the ISNs predictable
as it is easy for a malicious person to determine the concept of generating the ISN. An attacker
can determine the ISN of the next TCP connection by analyzing the ISN of the current session or
connection. If the attacker can predict the ISN, then he or she can make a malicious connection
to the server and sniff your network traffic. To avoid this, risk you should use random initial
sequence numbers.
Ingress filtering
Prohibiting spoofed traffic from entering the Internet is the best way to block it. This can be
achieved with the help of ingress filtering. Ingress filtering applied on routers enhances the
functionality of the routers and blocks spoofed traffic. It can be implemented in many ways.
Configuring and using access control lists (ACLs) that drop packets with source address outside
the defined range is one way to implement ingress filtering.
Egress filtering
Egress filtering refers to a practice that aims at IP spoofing prevention by blocking the outgoing
packets with a source address that is not inside.
Use encryption
If you want to attain maximum network security, then use strong encryption for all the traffic
placed onto the transmission media without considering its type and location. This is the best
solution for IP spoofing attacks. Attackers usually tend to find targets that can be compromised
easily. If an attacker wants to break into encrypted network, then he or she has to face a whole
slew of encrypted packets, which is a difficult task. Therefore, the attacker may try to find
another target that can be easily compromised or may attempt other techniques to break into
the network. Use the latest encryption algorithms that provide strong security.
SYN flooding countermeasures
Countermeasures against SYN flooding attacks can also help you to avoid IP spoofing attacks.
M o d u le 0 3 Page 4 2 6
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
Besides these basic countermeasures, you can perform the following to avoid IP spoofing
attacks:
9
You should limit the access to configuration information on a machine
9
You should always disable commands like ping
9
You should reduce TTL fields in TCP/IP requests
9
You should use multilayered firewalls
M o d u le 0 3 Page 4 27
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
C o p y rig h t © b y EG -G ouncil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .
C E H
S c a n n in g M e th o d o lo g y
So far, we have discussed concepts such as what to scan, how to scan, how to detect
vulnerabilities, and the respective countermeasures that are necessary to perform scanning pen
testing. Now we will begin the action of scanning pen testing.
Check for Live Systems
191
Scan for Vulnerability
Check for Open Ports
r
Scanning Beyond IDS
3 0
Draw Network Diagrams
Prepare Proxies
r -^ r -n
Banner Grabbing
f* *✓‫ ׳‬Scanning Pen Testing
This section highlights the need to scan pen testing and the steps to be followed for effective
pen testing.
M o d u le 0 3 Page 4 28
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
CEH
S c a n n in g P e n T e s tin g
0
J
P e n te s t in g a n e t w o r k f o r s c a n n in g v u ln e r a b ilitie s d e t e r m i n e s t h e n e t w o r k 's s e c u r i t y p o s t u r e b y
0
id e n tify in g live s y s t e m s , d is c o v e r in g o p e n p o r t s , a s s o c ia tin g s e r v ic e s a n d g r a b b in g s y s t e m b a n n e r s
to s im u l a te a n e t w o r k h a c k in g a t t e m p t
J
T h e p e n e t r a t i o n te s t in g r e p o r t w ill h e lp s y s t e m a d m i n i s t r a t o r s to :
0
Close unused ports
Calibrate firewall rules
Disable unnecessary services
Troubleshoot service
configuration errors
Hide or customize banners
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
S c a n n in g
P e n
T e s tin g
The network scanning penetration test helps you to determine the network security
posture by identifying live systems, discovering open ports and associated services, and
grabbing system banners from a remote location, simulating a network hacking attempt. You
should scan or test the network in all possible ways to ensure that no security loophole is
overlooked.
Once you are done with the penetration testing, you should document all the findings obtained
at every stage of testing so that it helps system administrators to:
9
Close unused ports if not necessary/unknown open ports found
9
Disable unnecessary services
9
Hide or customize banners
9 Troubleshoot service configuration errors
9
Calibrate firewall rules to impose more restriction
M o d u le 0 3 Page 4 29
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIICil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
S c a n n in g P e n T e s tin g
(C o n t’d)
CEH
© C h ec k f o r t h e live h o s ts u s in g to o ls s u c h
START
a s N m a p , A n g ry IP S c a n n e r, S o la rW in d s
E n g in e e r 's to o l s e t , C o la s o f t P in g Tool,
e tc .
U se to o ls su c h a s N m a p ,
A ngry IP S c a n n e r, e tc .
e
C h ec k f o r o p e n p o r ts u s in g to o ls s u c h a s
N m a p , N e ts c a n T ools P ro , PRTG N e tw o r k
M o n ito r , N e t T o o ls, e tc .
V
©
Perform port
scanning
.....>
U se to o ls su ch a s N m ap,
N etscan Tools Pro, etc.
P e rfo rm b a n n e r g ra b b in g /O S
f in g e r p rin tin g u s in g to o ls s u c h a s T e ln e t,
N e tc ra f t, ID S e rv e , e tc .
»
V
S can f o r v u ln e r a b ilitie s u s in g to o ls su c h
a s N e s s u s , GFI L A N G u ard , S A IN T scan n er,
P e rfo rm b a n n e r g ra bibing
b in g
U se to o ls s u c h a s T e ln et,
/O S fin g e rp rin tin g
N e tc ra ft, ID S erv e, e tc .
g
C o re I m p a c t P r o f e s s io n a l, R e tin a CS
M a n a g e m e n t, M BSA, e tc .
V
Scan for
vulnerability
■‫■>־‬
U se to o ls su ch a s N essus,
SAINTscanner,
GFI LANGuard, etc.
C o p y rig h t © b y E G -G *ancil. A ll R ights R eserved. R e p ro d u c tio n Is S tric tly P ro h ib ite d .
S c a n n in g
P e n
T e s tin g
( C o n t ’d )
Let's see step by step how a penetration test is conducted on the target network.
Stepl: Host Discovery
The first step of network penetration testing is to detect live hosts on the target network. You
can attempt to detect the live host, i.e., accessible hosts in the target network, using network
scanning tools such as Angry IP Scanner, Nmap, Netscan, etc. It is difficult to detect live hosts
behind the firewall.
Step 2: Port Scanning
Perform port scanning using tools such as Nmap, Netscan Tools Pro, PRTG Network Monitor,
Net Tools, etc. These tools will help you to probe a server or host on the target network for
open ports. Open ports are the doorways for attackers to install malware on a system.
Therefore, you should check for open ports and close them if not necessary.
Step 3: Banner Grabbing or OS Finger Printing
Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve,
Netcat, etc. This determines the operating system running on the target host of a network and
its version. Once you know the version and operating system running on the target system, find
M o d u le 0 3 Page 4 3 0
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Ethical Hacking a n d C o u n te rm e a s u re s
S can n in g N e tw o rk s
Exam 3 1 2 -5 0 C ertified Ethical H acker
and exploit the vulnerabilities related to that OS. Try to gain control over the system and
compromise the whole network.
Step 4: Scan fo r V u ln e ra b ilitie s
Scan the network for vulnerabilities using network vulnerability scanning tools such as Nessus,
GFI LANGuard, SAINT, Core Impact Professional, Ratina CS, MBSA, etc. These tools help you to
find the vulnerabilities present in the target network. In this step, you will able to determine
the security weaknesses/loopholes of the target system or network.
M o d u le 0 3 Page 431
Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil
All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s
E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r
S c a n n in g N e t w o r k s
S c a n n i n g
P e n
T e s t i n g
£
g ‫ןן‬
(Cont’d)
y
D raw n e tw o rk
Use tools such as LAN
surveyor, OpManager, etc.
diagram s
Use tools such as Proxy
Workbench, Proxifier,
Proxy Switcher, etc.
Prepare proxies
© Draw netw ork diagrams o f the vulnerable hosts using tools such as LAN surveyor, O pM anager,
N etw orkV ie w , The Dude, FriendlyPinger, etc.
e
Prepare proxies using tools such as Proxy W orkbench, P roxifier, Proxy Sw itcher, SocksChain, TOR, etc.
e
D ocum ent all the findings
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
S c a n n in g
P e n
T e s tin g
( C o n t ’d )
‫ ׳־‬Step 5: Draw Network Diagrams
Draw a network diagram of the target organization that helps you to understand the logical
connection and path to the target host in the network. The network diagram can be drawn
with the help of tools such as LAN surveyor, OpManager, LANState, FriendlyPinger, etc. The
network diagrams provide valuable information about the network and its architecture.
Step 6 : Prepare Proxies
Prepare proxies using tools such as Proxifier, SocksChain, SSL Proxy, Proxy+, Gproxy,
ProxyFinder, etc. to hide yourself from being caught.
Step 7: Document all Findings
The last but the most important step in scanning penetration testing is preserving all outcomes
of tests conducted in previous steps in a document. This document will assist you in finding
potential vulnerabilities in your network. Once you determine the potential vulnerabilities, you
can plan the counteractions accordingly. Thus, penetration testing helps in assessing your
network before it gets into real trouble that may cause severe loss in terms of value and
finance.
M o d u le 0 3 P a g e 4 3 2
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t ©
b y E C - C O U I I C il
A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s
E x a m 3 1 2 - 5 0 C e r t if ie d E th ic a l H a c k e r
S c a n n in g N e t w o r k s
M
o d u l e
S u m
m
a r y
The o b je c tiv e o f s c an ning is to d isco ve r live system s, a c tiv e /ru n n in g p o rts ,
th e o p e ra tin g system s, and th e service s ru n n in g on th e n e tw o rk
A tta c k e r d e te rm in e s th e live hosts fro m a range o f IP addresses by se n d in g ICMP ECHO requests
to m u ltip le hosts
A tta c k e rs use v a rio u s scan ning te c h n iq u e s to bypass fire w a ll ru le s and lo g g in g m e ch a n ism , and hide
th e m s e lv e s as usual n e tw o rk tra ffic
B ann er g ra b b in g o r OS fin g e rp rin tin g is th e m e th o d to d e te rm in e th e o p e ra tin g system ru n n in g
o n a re m o te ta rg e t system
□
D ra w in g ta rg e t's n e tw o rk d ia g ra m gives va lu a b le in fo rm a tio n a b o u t th e n e tw o rk and its a rc h ite c tu re
to an a tta c k e r
□
HTTP T u n n e lin g te c h n o lo g y a llo w s users to p e rfo rm va rio u s In te rn e t tasks d e s p ite th e re s tric tio n s
im p o s e d by fire w a lls
□
P roxy is a n e tw o rk c o m p u te r th a t can serve as an in te rm e d ia ry fo r c o n n e c tin g w ith o th e r c o m p u te rs
□
A c ha in o f proxies can be c re a te d to eva de a tra c e b a c k to th e a tta c k e r
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
M o d u le
S u m m a r y
Let's take a look at what you have learned in this module:
The objective of scanning is to discover live systems, active/running ports, the
operating systems, and the services running on the network.
Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO
requests to multiple hosts.
Attackers use various scanning techniques to bypass firewall rules, logging mechanism,
and hide themselves as usual network traffic.
e
0
Banner Grabbing or OS fingerprinting is the method to determine the operating system
running on a remote target system.
Drawing target's network diagram gives valuable information about the network and its
architecture to an attacker.
HTTP Tunneling technology allows users to perform various Internet tasks despite the
restrictions imposed by firewalls.
Proxy is a network computer that can serve as an intermediary for connecting with
other computers.
A chain of proxies can be created to evade a traceback to the attacker.
M o d u le 0 3 P a g e 4 3 3
E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t ©
b y E C - C O U I I C il
A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .