- 2. Ethical Hacking and Countermeasures
Scanning Networks
Exam 312-50 Certified Ethical Hacker
Scanning Networks
Module 03
Engineered by Hackers. Presented by Professionals.
CEH
Ethical Hacking and Countermeasures v8
Module 03: Scanning Networks
Exam 312-50
Module 03 Page 263
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
Oct 18 2012
Saliently Sality Botnet Trapped Scanning IPv4 Address Space
http://www.spamfighter.com
Security News
Saliently Sality Botnet Trapped Scanning IPv4 Address Space
Source: http://www.spamfighter.com
A fairly well-known botnet, Sality, used for locating vulnerable voice-over-IP (VoIP) servers, has been
directed at scanning the entire IPv4 address space without setting off alerts, claims a
new study, published by Paritynews.com on October 10, 2012.
Sality is a piece of malware whose primary aims are infecting web servers, dispersing spam, and
stealing data. But the latest research has disclosed other uses, including recognizing
susceptible VoIP targets that could be used in toll fraud attacks.
Through a method called "reverse-byte order scanning," Sality can be directed to scan
possibly the whole IPv4 space without being recognized. This is possible because the
technique sends only a very small number of packets from any one source, with the probes coming from many sources.
The target IP addresses are selected in reverse-byte-order increments, and many bots take part
in the scan. The result is that any single network receives the scanning packets "diluted" over
a long period of time (12 days in this case, from various
Module 03 Page 264
sources), according to Alistair King of the University of California, San Diego (UCSD), one of the
researchers, as published by Softpedia.com on October 9, 2012.
According to Alberto Dainotti, this stealth-scanning method is not exceptional in itself, but it is
the first time that such an event has been both noticed and documented, as reported by
Darkreading.com on October 4, 2012. Many other experts believe that this approach has been
adopted by other botnets. Nevertheless, the team at UCSD is not aware of any data confirming
any event like this one.
According to David Piscitello, Senior Security Technologist at ICANN, this indeed seems to be
the first time that researchers have recognized a botnet that uses this scanning method,
employing reverse-byte sequential increments of the target IP addresses. The botnet uses sophisticated
"orchestration" methods to evade detection. Simply put, the botnet operator
distributed the scan across around 3 million bots to cover the full IPv4 address space, using
a scanning pattern that disperses coverage, partly overlaps, and cannot be noticed by
present automation, as published by darkreading.com on October 4, 2012.
Copyright © SPAMfighter 2003-2012
http://www.spamfighter.com/News-1799B-Salier1tlv-Salitv-Botnet-Trapped-Scanning-IPv4Address-Space.htm
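To make the "reverse-byte order" pattern in the news item concrete, here is an added illustration (not code from the course, from the UCSD study, or from Sality itself) that models the target sequence the article describes: a sequential 32-bit counter whose bytes are written in reverse order to form the address. The counter's starting value, the plain sequential sweep used for comparison, and the per-network tally are assumptions; the only thing taken from the text is the byte reversal of sequential increments. It shows why any single /16 or /24 sees one probe per 2^16 or 2^24 steps of the global sequence, which is what makes the scan look like background noise to a sensor watching one network.

```python
"""Model of reverse-byte-order scanning (added illustration, see lead-in)."""
import ipaddress
from collections import Counter


def target_at(step, reverse_byte_order=True):
    """Address (as an int) probed at counter value `step`.  In reverse-byte
    order the counter's big-endian bytes are written back to front, so the
    fastest-moving counter byte becomes the *first* octet of the target.
    reverse_byte_order=False is a plain sequential sweep, used for comparison
    only (an assumption, not something the article describes)."""
    step &= 0xFFFFFFFF
    if not reverse_byte_order:
        return step
    return int.from_bytes(step.to_bytes(4, "big")[::-1], "big")


def dotted(addr):
    return str(ipaddress.IPv4Address(addr))


def reverse_byte_target(step):
    """Dotted-quad form: step 1 -> 1.0.0.0, step 2 -> 2.0.0.0, step 256 -> 0.1.0.0."""
    return dotted(target_at(step))


def min_steps_between_hits(prefix_len):
    """Smallest counter distance between two probes that land in the same
    /prefix_len network.  Address bit i (0 = leftmost) is counter bit
    (i // 8) * 8 + 7 - i % 8, so the prefix pins the *low* counter bits and
    the gap is 2 ** (lowest unpinned bit): 2**24 for a /24, 2**16 for a /16."""
    if prefix_len >= 32:
        return 1 << 32
    pinned = {(i // 8) * 8 + 7 - i % 8 for i in range(prefix_len)}
    lowest_free = next(b for b in range(32) if b not in pinned)
    return 1 << lowest_free


def busiest_network(steps, prefix_len=16, reverse_byte_order=True, start=0):
    """Run `steps` probes from counter `start` and return the network that
    received the most of them, with the count: the load one sensor sees."""
    shift = 32 - prefix_len
    hits = Counter()
    for step in range(start, start + steps):
        hits[target_at(step, reverse_byte_order) >> shift] += 1
    net, count = hits.most_common(1)[0]
    return "%s/%d" % (dotted(net << shift), prefix_len), count


if __name__ == "__main__":
    for step in (1, 2, 255, 256, 257, 65536):
        print(step, reverse_byte_target(step))
    print("steps between two hits on one /24:", min_steps_between_hits(24))
    print("reverse-byte, 65536 probes, busiest /16:", busiest_network(65536, 16))
    print("sequential,   65536 probes, busiest /16:", busiest_network(65536, 16, False))
```

With the same 65,536 probes a sequential sweep drops all of them into one /16, while the reversed sequence touches every /16 exactly once; spread across millions of bots over twelve days, that single probe per network per 2^16 steps is what a per-network threshold never adds up.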
Module 03 Page 265
Module Objectives
Once an attacker has identified a target system and done the initial reconnaissance,
as discussed in the footprinting and reconnaissance module, the attacker concentrates on
finding a way into the target system. Note that scanning is not limited to finding an entry point.
It can be an extended form of reconnaissance in which the attacker learns
more about the target, such as which operating system is used, which services are
running on the systems, and whether any configuration lapses can be identified. The attacker can then
plan the attack, factoring in these aspects.
This module will familiarize you with:
- Overview of Network Scanning
- CEH Scanning Methodology
- Checking for Live Systems
- Scanning Techniques
- IDS Evasion Techniques
- Banner Grabbing
- Vulnerability Scanning
- Drawing Network Diagrams
- Use of Proxies for Attack
- Proxy Chaining
- HTTP Tunneling Techniques
- SSH Tunneling
- Anonymizers
- IP Spoofing Detection Techniques
- Scanning Countermeasures
- Scanning Pen Testing
Module 03 Page 266
Overview of Network Scanning
- Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network
- Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization
[Diagram: the attacker sends TCP/IP probes to the network and gets network information back]
Objectives of Network Scanning
- To discover live hosts, IP addresses, and open ports of live hosts
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts
Overview of Network Scanning
As already discussed, footprinting is the first phase of hacking, in which the
attacker gains information about a potential target. Footprinting alone is not enough for
hacking because it gathers only primary information about the target. You
use this primary information in the next phase to gather many more details about the target.
The process of gathering additional details about the target using more complex and
aggressive reconnaissance techniques, such as sending probes directly to the target's hosts, is called scanning.
The idea is to discover exploitable communication channels, to probe as many listeners as
possible, and to keep track of the ones that are responsive or useful for hacking. In the scanning
phase, you can find various ways of intruding into the target system. You can also discover
more about the target system, such as which operating system is used, which services are
running, and whether there are any configuration lapses in the target system. Based on
the facts that you gather, you can form a strategy to launch an attack.
Types of Scanning
- Port scanning: open ports and services
- Network scanning: IP addresses (live hosts)
- Vulnerability scanning: presence of known weaknesses
Module 03 Page 267
In a traditional sense, the access points that a thief looks for are the doors and windows. These
are usually a house's points of vulnerability because of their relatively easy accessibility.
When it comes to computer systems and networks, ports are the doors and windows of the
system that an intruder uses to gain access. The more ports are open, the larger the attack surface;
the fewer ports are open, the less there is to attack. This is only a
general rule: a system with few open ports can still be highly vulnerable if one of the
services behind them is weak.
Network scanning is one of the most important phases of intelligence gathering. During the
network scanning process, you can gather information about specific IP addresses that can be
accessed over the Internet, the targets' operating systems and system architecture, and the
services running on each computer. In addition, the attacker also gathers details about the
networks and their individual host systems.
[Diagram: the attacker sends TCP/IP probes to the network and gets network information back]
FIGURE 3.1: Network Scanning Diagram
Objectives of Network Scanning
The more information you have about a target organization, the greater the chance of
learning the weaknesses and loopholes of that organization, and consequently, of gaining
unauthorized access to its network.
Before launching the attack, the attacker observes and analyzes the target network from
different perspectives by performing different types of reconnaissance. How scanning is
performed and what information is sought during the scanning process depends entirely
on the attacker's viewpoint. There may be many objectives for performing scanning,
but here we discuss the most common objectives encountered during the hacking
phase:
- Discovering live hosts, their IP addresses, and the open ports of the live hosts on the network.
- Discovering open ports: open ports are the best means to break into a system or
network. Discovering the open ports on the target organization's network reveals the easiest
ways to break into it.
- Discovering the operating system and system architecture of the targeted system: this is
also referred to as fingerprinting. Here the attacker tries to launch the attack based
on the operating system's vulnerabilities.
Module 03 Page 268
- Identifying vulnerabilities and threats: vulnerabilities and threats are the security
risks present in any system. You can compromise the system or network by exploiting
these vulnerabilities.
- Detecting the network service associated with each open port.
Module 03 Page 269
CEH Scanning Methodology
- Check for Live Systems
- Check for Open Ports
- Scanning Beyond IDS
- Banner Grabbing
- Scan for Vulnerability
- Draw Network Diagrams
- Prepare Proxies
- Scanning Pen Testing
The first step in scanning the network is to check for live systems.
This section highlights how to check for live systems with the help of ICMP scanning, how to
ping a system, and various ping sweep tools.
Module 03 Page 270
Checking for Live Systems: ICMP Scanning
- A ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return
an ICMP ECHO reply
- This scan is useful for locating active devices or determining if ICMP is passing through a
firewall
[Diagram: ICMP Echo Request from Source (192.168.168.3) to Destination (192.168.168.5); ICMP Echo Reply back]
The ping scan output using Nmap (Zenmap, profile "Ping scan", command: nmap -sn 192.168.168.5):
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 13:02 EDT
Nmap scan report for 192.168.168.5
Host is up (0.00s latency).
MAC Address: (Dell)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
http://nmap.org
Checking for Live Systems: ICMP Scanning
ICMP Scanning
A great deal of information about a system can be gathered by sending ICMP packets to it. Since
ICMP does not have a port abstraction, this cannot be considered a case of port scanning.
However, it is useful for determining which hosts in a network are up by pinging them all. The
early Nmap release this description comes from did that with the -P option; current releases use -sn
(as in the screenshots below) and send the ICMP probes in parallel, so the scan is quick. That early
release also took -L to raise the number of pings sent in parallel and -T to tweak the ping timeout;
current Nmap controls this through the -T timing templates and options such as --max-rtt-timeout
and --host-timeout.
ICMP Query
The UNIX tools ICMPquery and ICMPush can be used to request the time on a system (to find
out which time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP REQUEST). Note that a
standards-conforming reply carries milliseconds since midnight UTC, so what you actually learn is the
target's clock offset relative to your own; the time zone is revealed only by stacks that answer with local time. The
netmask of a particular system can also be determined with an ICMP type 17 message (ADDRESS
MASK REQUEST). Knowing the netmask of an interface, one can determine the size of the subnet it is on
and, from that, the subnets in use. With that information one can target a single
subnet and avoid hitting the broadcast addresses.
ICMPquery has both a timestamp and an address mask request option:
icmpquery <-query> [-B] [-f fromhost] [-d delay] [-T time] target
Module 03 Page 271
where <query> is one of:
-t: ICMP timestamp request (default)
-m: ICMP address mask request
-d: delay to sleep between packets, in microseconds
-T: the number of seconds to wait for a host to respond. The default is 5.
A target is a list of hostnames or addresses.
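The three ICMP messages this section relies on (Echo Request, type 8; Timestamp Request, type 13; Address Mask Request, type 17) and their replies (types 0, 14 and 18) can be built and decoded with standard-library Python only. The following is an added example, not the course's code nor ICMPquery's, and it sends nothing on the wire: the replies it decodes are constructed inside the script for illustration (the identifier, the clock value and the 255.255.255.0 mask are made up). Actually transmitting these packets needs a raw socket and root privileges, which is outside the example.

```python
"""ICMP request builders and reply decoder (added example, see lead-in)."""
import datetime as dt
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18


def icmp_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    An odd trailing byte is zero-padded.  Run over a packet whose checksum
    field is already filled in, the result is 0 when the packet is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type, ident, seq, body=b""):
    """Generic 8-byte ICMP header (type, code 0, checksum, identifier,
    sequence) followed by the type-specific body."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    checksum = icmp_checksum(header + body)
    return struct.pack("!BBHHH", msg_type, 0, checksum, ident, seq) + body


def echo_request(ident, seq, payload=b"\x00" * 56):
    # 8-byte header + 56 payload bytes = the 64-byte ICMP datagram a default ping sends
    return build_icmp(ICMP_ECHO_REQUEST, ident, seq, payload)


def timestamp_request(ident, seq, originate_ms):
    # originate / receive / transmit timestamps, milliseconds since midnight UTC
    return build_icmp(ICMP_TIMESTAMP_REQUEST, ident, seq,
                      struct.pack("!III", originate_ms, 0, 0))


def address_mask_request(ident, seq):
    return build_icmp(ICMP_MASK_REQUEST, ident, seq, b"\x00" * 4)


def parse_icmp(packet):
    """Check the checksum and decode the fields a scanner wants from each
    message type; raises ValueError on a short or corrupted packet."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    body = packet[8:]
    info = {"type": msg_type, "code": code, "id": ident, "seq": seq}
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["payload_len"] = len(body)
    elif msg_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        originate, receive, transmit = struct.unpack("!III", body[:12])
        info.update(originate_ms=originate, receive_ms=receive, transmit_ms=transmit)
        # the target's clock as a time of day (UTC if the stack follows RFC 792)
        info["target_clock_utc"] = str(dt.timedelta(milliseconds=transmit))
    elif msg_type in (ICMP_MASK_REQUEST, ICMP_MASK_REPLY):
        mask = struct.unpack("!I", body[:4])[0]
        info["netmask"] = ".".join(str((mask >> s) & 0xFF) for s in (24, 16, 8, 0))
        info["prefix_len"] = bin(mask).count("1")
    return info


def constructed_replies():
    """Replies a host might return to the three requests, built here for
    illustration only (identifier, clock value and mask are made up)."""
    replies = [
        build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b"\x00" * 56),
        build_icmp(ICMP_TIMESTAMP_REPLY, 0x1234, 2,
                   struct.pack("!III", 46919000, 46920000, 46920000)),
        build_icmp(ICMP_MASK_REPLY, 0x1234, 3, struct.pack("!I", 0xFFFFFF00)),
    ]
    return [parse_icmp(r) for r in replies]


if __name__ == "__main__":
    print(echo_request(0x1234, 1).hex())
    for reply in constructed_replies():
        print(reply)
```

The checksum check is the part worth keeping: a sweep that trusts every byte it receives will happily record corrupted or forged replies, and the same one's-complement routine verifies incoming packets and signs outgoing ones. The mask decoder turns the reply straight into a prefix length, which is the number a subnet calculator would otherwise be used for.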
[Diagram: ICMP Echo Request from Source (192.168.168.3) to Destination (192.168.168.5); ICMP Echo Reply back]
FIGURE 3.2: ICMP Query Diagram
Ping Scan Output Using Nmap
Source: http://nmap.org
Nmap is a tool that can be used for ping scans, also known as host discovery. Using this tool you
can determine the live hosts on a network. It performs ping scans by sending ICMP ECHO
requests to all the hosts on the network (on the local Ethernet segment it sends ARP requests instead,
which is where the MAC address in the output comes from). If a host is live, it sends an ICMP ECHO
reply. This scan is useful for locating active devices or determining if ICMP is passing through a
firewall.
The following screenshot shows the sample output of a ping scan using Zenmap, the official
cross-platform GUI for the Nmap Security Scanner:
[Screenshot: Zenmap, Profile "Ping scan", Command: nmap -sn 192.168.168.5]
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 13:02 EDT
Nmap scan report for 192.168.168.5
Host is up (0.00s latency).
MAC Address: (Dell)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
FIGURE 3.3: Zenmap Showing Ping Scan Output
Module 03 Page 272
Ping Sweep
- Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP
ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply
- Attackers calculate subnet masks using subnet mask calculators to identify the number of
hosts present in the subnet
- Attackers then use ping sweep to create an inventory of live systems in the subnet
[Diagram: Source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5, .6, .7 and .8; the live hosts answer with ICMP Echo Replies]
The ping sweep output using Nmap (Zenmap, command: nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50):
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41 EDT
Nmap scan report for 192.168.168.1
Host is up (0.00s latency).
MAC Address: (Hewlett-Packard Company)
Nmap scan report for 192.168.168.3
Host is up (0.00s latency).
MAC Address: (Apple)
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
MAC Address: (Dell)
Nmap scan report for 192.168.168.13
Host is up (0.00s latency).
MAC Address: (Foxconn)
Nmap scan report for 192.168.168.14
http://nmap.org
Ping Sweep
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique
used to determine which addresses in a range of IP addresses map to live hosts. While a single ping
tells the user whether one specified host exists on the network, a ping sweep consists
of ICMP ECHO requests sent to multiple hosts.
ICMP ECHO Reply
If a host is active, it returns an ICMP ECHO reply. Ping sweeps are among the oldest and slowest
methods of scanning a network. The ping utility is available on almost all platforms, and a sweep acts like a
roll call for systems: a system that is live on the network answers the ping query that is sent by
another system. Hosts and firewalls that drop ICMP ECHO requests do not answer, so a silent
address is not proof that nothing is there.
Module 03 Page 273
[Diagram: Source 192.168.168.3 sends ICMP Echo Requests to 192.168.168.5, .6, .7 and .8; the live hosts answer with ICMP Echo Replies]
FIGURE 3.4: Ping Sweep Diagram
TCP/IP Packet
To understand ping, you should understand the packet it sends. When a system pings,
a single packet is sent across the network to a specific IP address. With the common Unix ping
defaults this packet carries 64 bytes of ICMP data, i.e., 56 data bytes and the 8-byte ICMP header
(the 20-byte IP header comes on top of that). The sender then waits for a
return packet from the target system. A good return packet is expected only when the
connection is good and the targeted system is active. Ping reports the round-trip time, i.e., the total time taken
by a packet to complete the trip, and the TTL value in the reply gives a rough indication of the number
of hops between the two computers. Ping can also be used to check host name resolution: if
the packet bounces back when sent to the IP address but not when sent to the name, then the
system is unable to resolve the name to that IP address.
Source: http://nmap.org
Using the Nmap Security Scanner you can perform a ping sweep. A ping sweep determines the IP
addresses of live hosts and, on the local network segment, their MAC addresses as well. It allows you to
scan multiple hosts at a time and determine the active hosts on
the network. The following screenshot shows the result of a ping sweep using Zenmap, the
official cross-platform GUI for the Nmap Security Scanner:
Module 03 Page 274
[Screenshot: Zenmap, Command: nmap -sn -PE -PA21,23,80,3389 192.168.168.1-50; hosts found: 192.168.168.1, .3, .5, .13, .14, .15, .17, .19, .26, .28]
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41
Nmap scan report for 192.168.168.1
Host is up (0.00s latency).
MAC Address: (Hewlett-Packard Company)
Nmap scan report for 192.168.168.3
Host is up (0.00s latency).
MAC Address: (Apple)
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
MAC Address: (Dell)
Nmap scan report for 192.168.168.13
Host is up (0.00s latency).
MAC Address: (Foxconn)
Nmap scan report for 192.168.168.14
Host is up (0.0020s latency).
FIGURE 3.5: Zenmap showing ping sweep output
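As an added example (not code from the course or from Nmap), the script below turns `nmap -sn` normal output like the report above into an inventory, then uses the subnet's netmask (for instance, the one returned by an ICMP address-mask reply, or from a subnet calculator as the slide describes) to list the remaining host addresses of that subnet while skipping the network and broadcast addresses. The Nmap text embedded in it is constructed to mirror the report lines in the screenshot; the MAC addresses and the closing summary line are placeholders, and the parser handles only the normal-output format, not -oG or -oX.

```python
"""Ping-sweep inventory from `nmap -sn` output (added example, see lead-in)."""
import ipaddress
import re

# Constructed sample in the format of `nmap -sn` normal output.  Hosts, vendors
# and latencies mirror the Zenmap screenshot above; the MAC addresses are
# placeholders and the closing summary line is made up.
NMAP_PING_SWEEP_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-08 12:41 EDT
Nmap scan report for 192.168.168.1
Host is up (0.00s latency).
MAC Address: 00:00:00:00:00:01 (Hewlett-Packard Company)
Nmap scan report for 192.168.168.3
Host is up (0.00s latency).
MAC Address: 00:00:00:00:00:03 (Apple)
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
MAC Address: 00:00:00:00:00:05 (Dell)
Nmap scan report for 192.168.168.13
Host is up (0.00s latency).
MAC Address: 00:00:00:00:00:0D (Foxconn)
Nmap scan report for 192.168.168.14
Host is up (0.0020s latency).
Nmap done: 50 IP addresses (5 hosts up) scanned in 2.10 seconds
"""

# "Nmap scan report for 10.0.0.1" or, with reverse DNS, "... for gw.lan (10.0.0.1)"
REPORT = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+(?:\.\d+){3})\)?$")
HOST_UP = re.compile(r"^Host is up(?: \((?P<latency>[\d.]+)s latency\))?")
MAC = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17}) \((?P<vendor>.+)\)$")
DONE = re.compile(r"^Nmap done: (?P<total>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\)")


def parse_ping_sweep(text):
    """Return (hosts, summary): one dict per 'Nmap scan report' block and the
    (addresses scanned, hosts up) pair from the final line, or None."""
    hosts, current, summary = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT.match(line)
        if m:
            current = {"ip": m["ip"], "hostname": m["name"], "up": False,
                       "latency_s": None, "mac": None, "vendor": None}
            hosts.append(current)
            continue
        m = DONE.match(line)
        if m:
            summary = (int(m["total"]), int(m["up"]))
            continue
        if current is None:
            continue            # banner lines before the first report
        m = HOST_UP.match(line)
        if m:
            current["up"] = True
            current["latency_s"] = float(m["latency"]) if m["latency"] else None
            continue
        m = MAC.match(line)
        if m:
            current["mac"], current["vendor"] = m["mac"].upper(), m["vendor"]
    return hosts, summary


def host_addresses(ip, netmask):
    """Every host address of the subnet `ip` belongs to, given its mask; the
    network and broadcast addresses are left out so a sweep never probes them."""
    network = ipaddress.IPv4Network("%s/%s" % (ip, netmask), strict=False)
    return [str(h) for h in network.hosts()]


def unused_addresses(ip, netmask, hosts):
    """Host addresses of the subnet that did not answer in the sweep."""
    live = {h["ip"] for h in hosts if h["up"]}
    return [a for a in host_addresses(ip, netmask) if a not in live]


if __name__ == "__main__":
    found, done = parse_ping_sweep(NMAP_PING_SWEEP_OUTPUT)
    for h in found:
        print(h["ip"], h["latency_s"], h["vendor"])
    print("summary:", done)
    print("unanswered host addresses in the /24:",
          len(unused_addresses("192.168.168.5", "255.255.255.0", found)))
```

Two things the inventory makes visible that the raw report does not: hosts answering without a MAC line (192.168.168.14 here) are not on the local segment, or were not reached by ARP, and the unanswered addresses are exactly the set a follow-up probe with a different discovery method (the -PA TCP ACK probes in the slide's command, for example) should revisit rather than the whole range.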
Module 03 Page 275
Ping Sweep Tools
- SolarWinds Engineer's Toolset's Ping Sweep enables scanning a range of IP addresses to identify which
IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.
- Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname,
determines the MAC address, scans ports, etc.
[Screenshot: Angry IP Scanner scanning the IP range 10.0.0.1 to 10.0.0.50, with columns IP, Ping, Hostname and Ports]
Angry IP Scanner
http://www.angryip.org
Ping Sweep Tools
Determining the live hosts on a target network is the first step in the process of hacking
or breaking into a network. This can be done using ping sweep tools. A number of
ping sweep tools are readily available with which you can perform ping sweeps
easily. These tools determine the live hosts by sending ICMP ECHO requests to
multiple hosts at a time. Angry IP Scanner and SolarWinds Engineer's Toolset are two
commonly used ping sweep tools.
Angry IP Scanner
Source: http://www.angryip.org
Angry IP Scanner is an IP scanner tool. It marks all non-responsive addresses as dead
nodes, resolves hostnames, and checks for open ports. Its main features are
scanning multiple ports and configurable result columns. Its main goal is to find the active hosts
in the network by scanning the IP addresses as well as their ports. It runs on Linux, Windows, Mac
OS X, etc. It can scan IP addresses ranging from 1.1.1.1 to 255.255.255.255.
Module 03 Page 276
[Screenshot: Angry IP Scanner, IP Range 10.0.0.1 to 10.0.0.50, columns IP, Ping, Hostname, Ports. Responding addresses: 10.0.0.1 (1 ms, port 80), 10.0.0.2 (0 ms, ports 80,135,139,4...), 10.0.0.3 (0 ms, ports 135,139,445,...), 10.0.0.5 (4 ms, ports 135,139,445,...), 10.0.0.7 (1 ms, ports 80,135), 10.0.0.15 (627 ms); all other addresses [n/a]. Status: Ready, Display: All, Threads: 0]
FIGURE 3.6: Angry IP Scanner Screenshot
SolarWinds Engineer's Toolset
Source: http://www.solarwinds.com
The SolarWinds Engineer's Toolset is a collection of tools for network engineers. Using its Ping Sweep
tool you can scan a range of IP addresses and identify the IP addresses that are currently in use
and those that are free. It also performs reverse DNS lookup.
[Screenshot: SolarWinds Engineer's Toolset Ping Sweep over a range of addresses starting at 192.168.168.1, listing each IP address with its response time (2-3 ms) or "Request Timed Out"; status "Scan Completed"]
FIGURE 3.7: Solarwinds Engineer's Toolset Screenshot
Module 03 Page 277
Ping Sweep Tools (Cont'd)
In addition to SolarWinds Engineer's Toolset and Angry IP Scanner, there are many
other tools that feature ping sweep capabilities. For example:
- Colasoft Ping Tool available at http://www.colasoft.com
- Visual Ping Tester - Standard available at http://www.pingtester.net
- Ping Scanner Pro available at http://www.digilextechnologies.com
- Ultra Ping Pro available at http://ultraping.webs.com
- PingInfoView available at http://www.nirsoft.net
- PacketTrap MSP available at http://www.packettrap.com
- Ping Sweep available at http://www.whatsupgold.com
- Network Ping available at http://www.greenline-soft.com
- Ping Monitor available at http://www.niliand.com
- Pinkie available at http://www.ipuptime.net
Module 03 Page 278
So far we have discussed how to check for live systems. Open ports are the doorways for an
attacker to launch attacks on systems. Now we will discuss scanning for open ports.
CEH Scanning Methodology
- Check for Live Systems
- Check for Open Ports
- Scanning Beyond IDS
- Banner Grabbing
- Scan for Vulnerability
- Draw Network Diagrams
- Prepare Proxies
- Scanning Pen Testing
This section covers the three-way handshake, scanning IPv6 networks, and various scanning
techniques such as the FIN scan, SYN scan, and so on.
Module 03 Page 279
Three-Way Handshake
TCP uses a three-way handshake to establish a connection between server and client
Three-way Handshake Process
1. Computer A (10.0.0.2) initiates a connection to the server (10.0.0.3) via a packet with only the SYN flag set
2. The server replies with a packet with both the SYN and the ACK flags set
3. For the final step, the client responds back to the server with a single ACK packet
4. If these three steps are completed without complication, then a TCP connection is established between the client and the server
Three-Way Handshake
TCP is connection-oriented, which means a connection must be established before
data can be transferred between applications. The connection is established through the
three-way handshake, which synchronizes the state of the two TCP endpoints.
The three-way handshake process goes as follows:
- To launch a TCP connection, the source (10.0.0.2:62000) sends a SYN packet to the
destination (10.0.0.3:21).
- The destination, on receiving the SYN packet sent by the source, responds by
sending a SYN/ACK packet back to the source.
- The ACK flag in this packet confirms to the source that its SYN packet arrived; the SYN flag
carries the destination's own initial sequence number.
- Finally, the source sends an ACK packet for the SYN/ACK packet sent by the
destination.
- This results in an "OPEN" (ESTABLISHED) connection allowing communication between the source and
the destination, until either of them issues a "FIN" packet or an "RST" packet to close the
connection.
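The following is an added example (not code from the course, nor from the Microsoft KB article quoted below) that builds and decodes TCP headers and runs the three-way handshake between two in-memory endpoints; no packets are sent. The ports and sequence numbers are assumptions: the handshake uses 62000 to 21 from the text, the parser check uses the source port 1037, destination 139, sequence number 8221822 and window 8192 of the frame dump that follows, and the MSS value 1460 is chosen for illustration. The checksum is left at zero because computing it needs the IP pseudo-header. Flags are rendered in the six-character "U A P R S F" form the frame dumps use, so a bare SYN prints as "....S." and a SYN/ACK as ".A..S."; the example also shows the RST/ACK a closed port returns to a SYN, which is the response a SYN scan reads as "closed".

```python
"""TCP header codec and three-way handshake (added example, see lead-in)."""
import struct

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flag_string(flags):
    """Six-character flag field in the order U A P R S F, as in the frame dumps."""
    order = ((FLAG_URG, "U"), (FLAG_ACK, "A"), (FLAG_PSH, "P"),
             (FLAG_RST, "R"), (FLAG_SYN, "S"), (FLAG_FIN, "F"))
    return "".join(ch if flags & bit else "." for bit, ch in order)


def mss_option(mss):
    # kind 2, length 4, 16-bit value: the "len: 4" option in the frame dump
    return struct.pack("!BBH", 2, 4, mss)


def build_segment(src, dst, seq, ack, flags, window=8192, options=b""):
    """20-byte TCP header plus options padded to a 4-byte boundary.  The
    checksum stays zero: it needs the IP pseudo-header to compute."""
    options = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src, dst, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    return header + options


def parse_segment(segment):
    """Decode the fixed header and the MSS option, if present."""
    src, dst, seq, ack, off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off >> 4) * 4
    options, mss, i = segment[20:header_len], None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = options[i + 1]
        if length < 2:                     # malformed option, stop rather than loop
            break
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags,
            "flag_str": flag_string(flags), "window": window, "mss": mss,
            "payload": segment[header_len:]}


class Endpoint:
    """Just enough TCP state to run, and check, a handshake."""

    def __init__(self, port, isn):
        self.port, self.isn, self.state = port, isn, "CLOSED"
        self.snd_nxt, self.rcv_nxt = isn, None

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer_port):
        self.state = "SYN_SENT"
        self.snd_nxt = self.isn + 1            # a SYN consumes one sequence number
        return build_segment(self.port, peer_port, self.isn, 0, FLAG_SYN, options=mss_option(1460))

    def receive(self, segment):
        """Apply one incoming segment; return the reply to send, or None."""
        s = parse_segment(segment)
        if self.state == "CLOSED" and s["flags"] & FLAG_SYN:
            # nothing listening: RST/ACK, which a SYN scan reads as "closed"
            return build_segment(self.port, s["src"], 0, s["seq"] + 1, FLAG_RST | FLAG_ACK)
        if self.state == "LISTEN" and s["flags"] == FLAG_SYN:
            self.rcv_nxt, self.snd_nxt, self.state = s["seq"] + 1, self.isn + 1, "SYN_RECEIVED"
            return build_segment(self.port, s["src"], self.isn, self.rcv_nxt,
                                 FLAG_SYN | FLAG_ACK, options=mss_option(1460))
        if self.state == "SYN_SENT" and s["flags"] == FLAG_SYN | FLAG_ACK and s["ack"] == self.snd_nxt:
            self.rcv_nxt, self.state = s["seq"] + 1, "ESTABLISHED"
            return build_segment(self.port, s["src"], self.snd_nxt, self.rcv_nxt, FLAG_ACK)
        if self.state == "SYN_RECEIVED" and s["flags"] == FLAG_ACK and s["ack"] == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        if s["flags"] & FLAG_RST:
            self.state = "CLOSED"
        return None                            # wrong ack, stray flags: not part of the handshake


def three_way_handshake(client_isn=8221822, server_isn=4000000, client_port=62000, server_port=21):
    """SYN, SYN/ACK, ACK between two in-memory endpoints; returns the flag
    trace and both final states."""
    client, server = Endpoint(client_port, client_isn), Endpoint(server_port, server_isn)
    server.listen()
    syn = client.connect(server_port)
    synack = server.receive(syn)
    ack = client.receive(synack)
    server.receive(ack)
    return [parse_segment(x)["flag_str"] for x in (syn, synack, ack)], client.state, server.state


if __name__ == "__main__":
    print(three_way_handshake())
    print(parse_segment(build_segment(1037, 139, 8221822, 0, FLAG_SYN, options=mss_option(1460))))
```

The `ack == snd_nxt` checks are what make the handshake a handshake: a SYN/ACK that does not acknowledge ISN+1 is ignored rather than trusted, which is also why blind spoofing of the third packet requires guessing the server's ISN.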
Module 03 Page 280
The TCP protocol maintains stateful connections for all connection-oriented protocols across
the Internet, and works the same as an ordinary telephone communication, in which one picks
up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the other
end until a person picks up the receiver and says, "Hello."
FIGURE 3.8: Three-way Handshake Process (client "Bill", 10.0.0.2:62000, to server "Sheela", 10.0.0.3:21)
Establishing a TCP Connection

As we previously discussed, a TCP connection is established using the three-way handshake method. As the name implies, the connection is established in three main steps.
Source: http://support.microsoft.com/kb/172983
The following three frames will explain the establishment of a TCP connection between nodes
NTW3 and BDC3:
Frame 1:
In the first step, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize the sequence numbers. It specifies its Initial Sequence Number (ISN); the server will increment this ISN by 1 and send it back as its acknowledgement number. To initialize a connection, the client and server must synchronize each other's sequence numbers. There is also an option for the Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4); this option communicates the maximum segment size the sender wants to receive. The Acknowledgement field (ack: 0) is set to zero because this is the first part of the three-way handshake.
1   2.0785   NTW3 --> BDC3   TCP   ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037  dst: 139 (NBT Session)   NTW3 --> BDC3  IP

    TCP: ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037  dst: 139 (NBT Session)
        TCP: Source Port = 0x040D
        TCP: Destination Port = NETBIOS Session Service
        TCP: Sequence Number = 8221822 (0x7D747E)
        TCP: Acknowledgement Number = 0 (0x0)
        TCP: Data Offset = 24 (0x18)
        TCP: Reserved = 0 (0x0000)
        TCP: Flags = 0x02 : ....S.
            TCP: ..0..... = No urgent data
            TCP: ...0.... = Acknowledgement field not significant
            TCP: ....0... = No Push function
            TCP: .....0.. = No Reset
            TCP: ......1. = Synchronize sequence numbers
            TCP: .......0 = No Fin
        TCP: Window = 8192 (0x2000)
        TCP: Checksum = 0xF213
        TCP: Urgent Pointer = 0 (0x0)
        TCP: Options
            TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
            TCP: Option Length = 4 (0x4)
            TCP: Option Value = 1460 (0x5B4)
        TCP: Frame Padding

    00000:  02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00
    00010:  00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B
    00020:  02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02
    00030:  20 00 F2 13 00 00 02 04 05 B4 20 20
Frame 2:
In the second step, the server, BDC3, sends an ACK and a SYN on this segment (TCP .A..S.). In
this segment the server is acknowledging the request of the client for synchronization. At the
same time, the server is also sending its request to the client for synchronization of its
sequence numbers. There is one major difference in this segment. The server transmits an
acknowledgement number (8221823) to the client. The acknowledgement is just proof to the
client that the ACK is specific to the SYN the client initiated. The process of acknowledging the
client's request allows the server to increment the client's sequence number by one and uses it
as its acknowledgement number.
2   2.0786   BDC3 --> NTW3   TCP   .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139  dst: 1037 (NBT Session)   BDC3 --> NTW3  IP

    TCP: .A..S., len: 4, seq: 1109645-1109648, ack: 8221823, win: 8760, src: 139  dst: 1037 (NBT Session)
        TCP: Source Port = NETBIOS Session Service
        TCP: Destination Port = 0x040D
        TCP: Sequence Number = 1109645 (0x10EE8D)
        TCP: Acknowledgement Number = 8221823 (0x7D747F)
        TCP: Data Offset = 24 (0x18)
        TCP: Reserved = 0 (0x0000)
        TCP: Flags = 0x12 : .A..S.
            TCP: ..0..... = No urgent data
            TCP: ...1.... = Acknowledgement field significant
            TCP: ....0... = No Push function
            TCP: .....0.. = No Reset
            TCP: ......1. = Synchronize sequence numbers
            TCP: .......0 = No Fin
        TCP: Window = 8760 (0x2238)
        TCP: Checksum = 0x012D
        TCP: Urgent Pointer = 0 (0x0)
        TCP: Options
            TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
            TCP: Option Length = 4 (0x4)
            TCP: Option Value = 1460 (0x5B4)
        TCP: Frame Padding

    00000:  02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00
    00010:  00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B
    00020:  02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12
    00030:  22 38 01 2D 00 00 02 04 05 B4 20 20
Frame 3:
In the third step, the client sends an ACK on this segment (TCP .A....). In this segment, the client
is acknowledging the request from the server for synchronization. The client uses the same
algorithm the server implemented in providing an acknowledgement number. The client's
acknowledgment of the server's request for synchronization completes the process of
establishing a reliable connection, thus the three-way handshake.
3   2.787   NTW3 --> BDC3   TCP   .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037  dst: 139 (NBT Session)   NTW3 --> BDC3  IP

    TCP: .A...., len: 0, seq: 8221823-8221823, ack: 1109646, win: 8760, src: 1037  dst: 139 (NBT Session)
        TCP: Source Port = 0x040D
        TCP: Destination Port = NETBIOS Session Service
        TCP: Sequence Number = 8221823 (0x7D747F)
        TCP: Acknowledgement Number = 1109646 (0x10EE8E)
        TCP: Data Offset = 20 (0x14)
        TCP: Reserved = 0 (0x0000)
        TCP: Flags = 0x10 : .A....
            TCP: ..0..... = No urgent data
            TCP: ...1.... = Acknowledgement field significant
            TCP: ....0... = No Push function
            TCP: .....0.. = No Reset
            TCP: ......0. = No Synchronize
            TCP: .......0 = No Fin
        TCP: Window = 8760 (0x2238)
        TCP: Checksum = 0x18EA
        TCP: Urgent Pointer = 0 (0x0)
        TCP: Frame Padding

    00000:  02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00
    00010:  00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B
    00020:  02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10
    00030:  22 38 18 EA 00 00 20 20 20 20 20 20
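As an added example, not part of this module or of the Microsoft article it quotes: a Python decoder that parses the three handshake frames above (re-typed from the hex dumps on this page as constructed input), reports the fields the frame decoder shows, recomputes each TCP checksum over the pseudo-header, and checks that the acknowledgement numbers chain correctly (each ACK equals the peer's ISN plus one). Function and field names are this example's own.

```python
# Added example (not from the module or Microsoft KB 172983): decode the three
# handshake frames printed above and validate them the way a frame decoder would.
import struct

# TCP flag bits in the order the decoder prints them (low bit = FIN).
FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
              0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Constructed input: frames 1-3 re-typed from the hex dumps on this page
# (NTW3 -> BDC3 SYN, BDC3 -> NTW3 SYN/ACK, NTW3 -> BDC3 ACK).
FRAMES = [bytes.fromhex(h) for h in (
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 "
    "20 00 F2 13 00 00 02 04 05 B4 20 20",
    "02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00 "
    "00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B "
    "02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 "
    "22 38 01 2D 00 00 02 04 05 B4 20 20",
    "02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00 "
    "00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B "
    "02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 "
    "22 38 18 EA 00 00 20 20 20 20 20 20",
)]


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's-complement sum, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flag_names(flags: int) -> list:
    """Names of the set flag bits, lowest bit first (SYN before ACK)."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def parse_mss(options: bytes):
    """Walk the TCP option list and return the MSS value, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # No-operation: a single byte
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:       # Maximum Segment Size
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers from a raw frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip, dst_ip = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]                 # slicing to total_len drops Ethernet padding
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    # Recompute the checksum over pseudo-header + segment with the checksum
    # field zeroed; a valid segment yields the transmitted value.
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    computed = ones_complement_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flag_names(off_flags & 0x3F),
        "window": window, "checksum": checksum, "checksum_ok": computed == checksum,
        "mss": parse_mss(tcp[20:data_offset]),
    }


def validate_handshake(frames) -> dict:
    """Named checks for a SYN, SYN/ACK, ACK exchange."""
    syn, synack, ack = (parse_frame(f) for f in frames)
    return {
        "first_is_syn": syn["flags"] == ["SYN"],
        "second_is_syn_ack": synack["flags"] == ["SYN", "ACK"],
        "third_is_ack": ack["flags"] == ["ACK"],
        "server_acks_client_isn": synack["ack"] == syn["seq"] + 1,
        "client_acks_server_isn": ack["ack"] == synack["seq"] + 1,
        "client_seq_advanced": ack["seq"] == syn["seq"] + 1,
        "checksums_valid": all(p["checksum_ok"] for p in (syn, synack, ack)),
    }


if __name__ == "__main__":
    for n, f in enumerate(FRAMES, 1):
        print(n, parse_frame(f))
    print(validate_handshake(FRAMES))
```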
TCP Communication Flags

Standard TCP communications are controlled by flags in the TCP packet header:

  SYN (Synchronize)       Initiates a connection between hosts
  ACK (Acknowledgement)   Acknowledges the receipt of a packet
  PSH (Push)              Sends all buffered data immediately
  URG (Urgent)            Data contained in the packet should be processed immediately
  FIN (Finish)            There will be no more transmissions
  RST (Reset)             Resets a connection
TCP Communication Flags

Standard TCP communications are controlled by the flags carried in the TCP packet header. These flags govern the connection between hosts and give instructions to the system. The TCP communication flags are:

  - Synchronize, alias "SYN": notifies the peer of a new sequence number
  - Acknowledgement, alias "ACK": confirms receipt of a transmission and identifies the next expected sequence number
  - Push, alias "PSH": instructs the receiving system to forward buffered data to the application without waiting
  - Urgent, alias "URG": instructs that the data contained in the packet be processed as soon as possible
  - Finish, alias "FIN": announces that no more transmissions will be sent to the remote system
  - Reset, alias "RST": resets a connection

SYN scanning relies mainly on three of these flags: SYN, ACK, and RST. The responses that carry them reveal the state of a server's ports during the enumeration process.
FIGURE 3.9: TCP Communication Flags (TCP header layout, 0-31 bits per row: Acknowledgement No, Offset, Res, TCP Flags, Window, TCP Checksum, Urgent Pointer, Options)
Create Custom Packets Using TCP Flags

Colasoft Packet Builder

  - Colasoft Packet Builder enables creating custom network packets to audit networks for various attacks
  - Attackers can also use it to create fragmented packets to bypass firewalls and IDS systems in a network

[Screenshot: Colasoft Packet Builder, Packet Info pane showing Ethernet Type II and IP header fields of a 60-byte packet]

http://www.colasoft.com
Create Custom Packets Using TCP Flags

Source: http://www.colasoft.com

Colasoft Packet Builder is a tool that allows you to create custom network packets and to check the network against various attacks. It allows you to select a TCP packet from the provided templates and change its parameters in the decode editor, hexadecimal editor, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.
[Screenshot: Colasoft Packet Builder window with the Decode Editor (Packet Info, Ethernet Type II, IP - Internet Protocol fields) and Hex Editor panes for a 60-byte packet]

FIGURE 3.10: Colasoft Packet Builder Screenshot
Scanning IPv6 Network

  - IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy
  - Traditional network scanning techniques will be computationally less feasible due to the larger search space (64 bits of host address space, or 2^64 addresses) provided by IPv6 in a subnet
  - Scanning an IPv6 network is more difficult and complex than IPv4, and major scanning tools such as Nmap do not support ping sweeps on IPv6 networks
  - Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or Received from: and other header lines in archived email or Usenet news messages
  - Scanning an IPv6 network, however, offers a large number of hosts in a subnet if an attacker can compromise one host in the subnet; the attacker can probe the "all hosts" link-local multicast address
Scanning IPv6 Network

IPv6 increases the size of the IP address from 32 bits to 128 bits to support more levels of addressing hierarchy. Traditional network scanning techniques are computationally less feasible because of the larger search space (64 bits of host address space, or 2^64 addresses) that IPv6 provides in a subnet. Scanning an IPv6 network is more difficult and complex than scanning IPv4, and major scanning tools such as Nmap do not support ping sweeps on IPv6 networks. Attackers therefore need to harvest IPv6 addresses from network traffic, recorded logs, or Received from: and other header lines in archived email or Usenet news messages to identify IPv6 addresses for subsequent port scanning. An IPv6 network does, however, expose a large number of hosts in a subnet once an attacker has compromised one host in it: from that host, the attacker can probe the "all hosts" link-local multicast address.
Scanning Tool: Nmap

  - Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime
  - Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems and OS versions

http://nmap.org
Scanning Tool: Nmap
Source: http://nmap.org
Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts
and services on a computer network, thus creating a "map" of the network. It sends specially
crafted packets to the target host and then analyzes the responses to accomplish its goal.
Either a network administrator or an attacker can use this tool for their particular needs.
Network administrators can use Nmap for network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Attackers use Nmap to extract information
such as live hosts on the network, services (application name and version), type of packet
filters/firewalls, operating systems, and OS versions.
[Screenshot: Zenmap (the Nmap GUI) showing the output of a scan; the text is not recoverable from the page]
Hping2/Hping3

  - Tool for security auditing and testing firewalls and networks
  - Command-line packet crafter for the TCP/IP protocol
  - Runs on both Windows and Linux operating systems

http://www.hping.org

[Screenshot: hping3 ACK scanning on port 80]
Hping2/Hping3
Source: http://www.hping.org
HPing2/HPing3 is a command-line-oriented TCP/IP packet assembler/analyzer that sends ICMP
echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. It has Traceroute mode, and
enables you to send files between covert channels. It has the ability to send custom TCP/IP
packets and display target replies like a ping program does with ICMP replies. It handles
fragmentation, arbitrary packets' body and size, and can be used in order to transfer
encapsulated files under supported protocols. It supports idle host scanning. IP spoofing and
network/host scanning can be used to perform an anonymous probe for services.
An attacker studies the behavior of an idle host to gain information about the target such as the
services that the host offers, the ports supporting the services, and the operating system of the
target. This type of scan is a predecessor to either heavier probing or outright attacks.
Features:

The following are some of the features of HPing2/HPing3:

  - Determines whether the host is up even when the host blocks ICMP packets
  - Advanced port scanning and network performance testing using different protocols, packet sizes, TOS, and fragmentation
  - Manual path MTU discovery
  - Firewalk-like usage allows discovery of open ports behind firewalls
  - Remote OS fingerprinting
  - TCP/IP stack auditing
ICMP Scanning

A ping sweep, or Internet Control Message Protocol (ICMP) scanning, is the process of sending an ICMP request (ping) to all hosts on the network to determine which ones are up.

Operating systems, routers, switches, and other IP-based devices use this protocol, through the ping command's Echo Request and Echo Reply messages, as a connectivity test between hosts.
The following screenshot shows ICMP scanning using the Hping3 tool:
root@bt:~# hping3 -1 10.0.0.2
HPING 10.0.0.2 (eth1 10.0.0.2): icmp mode set, 28 headers + 0 data bytes
len=28 ip=10.0.0.2 ttl=128 id=25908 icmp_seq=0 rtt=2.2 ms
len=28 ip=10.0.0.2 ttl=128 id=25909 icmp_seq=1 rtt=1.0 ms
len=28 ip=10.0.0.2 ttl=128 id=25910 icmp_seq=2 rtt=1.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25911 icmp_seq=3 rtt=0.5 ms
len=28 ip=10.0.0.2 ttl=128 id=25912 icmp_seq=4 rtt=0.4 ms
len=28 ip=10.0.0.2 ttl=128 id=25913 icmp_seq=5 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25914 icmp_seq=6 rtt=0.9 ms
len=28 ip=10.0.0.2 ttl=128 id=25915 icmp_seq=7 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25916 icmp_seq=8 rtt=0.9 ms
len=28 ip=10.0.0.2 ttl=128 id=25917 icmp_seq=9 rtt=1.1 ms
len=28 ip=10.0.0.2 ttl=128 id=25918 icmp_seq=10 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25919 icmp_seq=11 rtt=1.2 ms
len=28 ip=10.0.0.2 ttl=128 id=25920 icmp_seq=12 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25921 icmp_seq=13 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25922 icmp_seq=14 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25923 icmp_seq=15 rtt=0.7 ms
len=28 ip=10.0.0.2 ttl=128 id=25924 icmp_seq=16 rtt=0.8 ms
len=28 ip=10.0.0.2 ttl=128 id=25925 icmp_seq=17 rtt=1.0 ms

FIGURE 3.12: Hping3 tool showing ICMP scanning output
ACK Scanning on Port 80
You can use this scan technique to probe for the existence of a firewall and its rule sets. A simple packet filter lets packets with the ACK bit set through as if they belonged to an established connection, whereas a sophisticated stateful firewall, which tracks connection state, will not.
The following screenshot shows ACK scanning on port 80 using the Hping3 tool:
root@bt:~# hping3 -A 10.0.0.2 -p 80
HPING 10.0.0.2 (eth1 10.0.0.2): A set, 40 headers + 0 data bytes
len=40 ip=10.0.0.2 ttl=128 DF id=26085 sport=80 flags=R seq=0 win=0 rtt=1.3 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26086 sport=80 flags=R seq=1 win=0 rtt=0.8 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26087 sport=80 flags=R seq=2 win=0 rtt=1.0 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26088 sport=80 flags=R seq=3 win=0 rtt=0.9 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26089 sport=80 flags=R seq=4 win=0 rtt=0.9 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26090 sport=80 flags=R seq=5 win=0 rtt=0.5 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26091 sport=80 flags=R seq=6 win=0 rtt=0.7 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26092 sport=80 flags=R seq=7 win=0 rtt=0.8 ms
len=40 ip=10.0.0.2 ttl=128 DF id=26093 sport=80 flags=R seq=8

FIGURE 3.13: Hping3 tool showing ACK scanning output
Hping Commands
The following table lists various scanning methods and respective Hping commands:
Scan                                              Command
ICMP ping                                         hping3 -1 10.0.0.25
ACK scan on port 80                               hping3 -A 10.0.0.25 -p 80
UDP scan on port 80                               hping3 -2 10.0.0.25 -p 80
Collecting initial sequence number                hping3 192.168.1.103 -Q -p 139 -s
Firewalls and time stamps                         hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
SYN scan on port 50-60                            hping3 -8 50-56 -S 10.0.0.25 -V
FIN, PUSH and URG scan on port 80                 hping3 -F -P -U 10.0.0.25 -p 80
Scan entire subnet for live host                  hping3 -1 10.0.1.x --rand-dest -I eth0
Intercept all traffic containing HTTP signature   hping3 -9 HTTP -I eth0
SYN flooding a victim                             hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

TABLE 3.1: Hping Commands Table
Scanning Techniques

  - TCP Connect / Full Open Scan
  - Stealth Scans
  - IDLE Scan
  - ICMP Echo Scanning/List Scan
  - SYN/FIN Scanning Using IP Fragments
  - UDP Scanning
  - Inverse TCP Flag Scanning
  - ACK Flag Scanning
Scanning Techniques

Scanning is the process of gathering information about the systems that are alive and responding on the network.

Port scanning techniques are designed to identify the open ports on a targeted server or host. Administrators use them to verify the security policies of their networks, and attackers use them to identify the services running on a host with the intent of compromising it.

The scanning techniques employed include:

  - TCP Connect / Full Open Scan
  - Stealth Scans: SYN Scan (Half-open Scan); XMAS Scan, FIN Scan, NULL Scan
  - IDLE Scan
  - ICMP Echo Scanning/List Scan
  - SYN/FIN Scanning Using IP Fragments
  - UDP Scanning
  - Inverse TCP Flag Scanning
  - ACK Flag Scanning
The following is the list of important reserved ports:
Name
Port/Protocol
Description
echo
7/tcp
echo
7/udp
discard
9/tcp
sink null
discard
9/udp
sink null
systat
11/tcp
Users
daytime
13/tcp
daytime
13/udp
netstat
15/tcp
qotd
17/tcp
Quote
chargen
19/tcp
ttytst source
chargen
19/udp
ttytst source
ftp-data
20/tcp
ftp data transfer
ftp
21/tcp
ftp command
ssh
22/tcp
Secure Shell
telnet
23/tcp
smtp
25/tcp
Mail
time
37/tcp
Timeserver
time
37/udp
Timeserver
rip
39/udp
resource location
nicname
43/tcp
who is
domain
53/tcp
domain name server
domain
53/udp
domain name server
sql*net
66/tcp
Oracle SQL*net
sql*net
66/udp
Oracle SQL*net
bootps
67/tcp
bootp server
bootps
67/udp
bootp server
bootpc
68/tcp
bootp client
Module 03 Page 297
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
- 37. Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
bootpc
68/udp
bootp client
tftp
69/tcp
Trivial File Transfer
tf tp
69/udp
Trivial File Transfer
gopher
70/tcp
gopher server
finger
79/tcp
Finger
www-http
80/tcp
WWW
www-http
80/udp
WWW
kerberos
88/tcp
Kerberos
kerberos
88/udp
Kerberos
P °P 2
109/tcp
PostOffice V.2
Pop 3
110/tcp
PostOffice V.3
sunrpc
111/tcp
RPC 4.0 portmapper
sunrpc
111/udp
RPC 4.0 portmapper
auth/ident
113/tcp
Authentication Service
auth
113/udp
Authentication Service
audionews
114/tcp
Audio News Multicast
audionews
114/udp
Audio News Multicast
nntp
119/tcp
Usenet Network News Transfer
nntp
119/udp
Usenet Network News Transfer
ntp
123/tcp
Network Time Protocol
Name
Port/Protocol
Description
ntp
123/udp
Network Time Protocol
netbios-ns
137/tcp
NETBIOS Name Service
netbios-ns
137/udp
NETBIOS Name Service
netbios-dgm
138/tcp
NETBIOS Datagram Service
netbios-dgm
138/udp
NETBIOS Datagram Service
netbios-ssn
139/tcp
NETBIOS Session Service
netbios-ssn
139/udp
NETBIOS Session Service
imap
143/tcp
Internet Message Access Protocol
Module 03 Page 298
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
- 38. Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
imap
143/udp
Internet Message Access Protocol
sql-net
150/tcp
SQL-NET
sql-net
150/udp
SQL-NET
sqlsrv
156/tcp
SQL Service
sqlsrv
156/udp
SQL Service
snmp
161/tcp
snmp
161/udp
snmp-trap
162/tcp
snmp-trap
162/udp
cmip-man
163/tcp
CMIP/TCP Manager
cmip-man
163/udp
CMIP
cmip-agent
164/tcp
CMIP/TCP Agent
cmip-agent
164/udp
CMIP
ire
194/tcp
Internet Relay Chat
ire
194/udp
Internet Relay Chat
at-rtmp
201/tcp
AppleTalk Routing Maintenance
at-rtmp
201/udp
AppleTalk Routing Maintenance
at-nbp
202/tcp
AppleTalk Name Binding
at-nbp
202/udp
AppleTalk Name Binding
at-3
203/tcp
AppleTalk
at-3
203/udp
AppleTalk
at-echo
204/tcp
AppleTalk Echo
at-echo
204/udp
AppleTalk Echo
at-5
205/tcp
AppleTalk
at-5
205/udp
AppleTalk
at-zis
206/tcp
AppleTalk Zone Information
at-zis
206/udp
AppleTalk Zone Information
at-7
207/tcp
AppleTalk
Module 03 Page 299
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
- 39. Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
Name             Port/Protocol   Description
at-7             207/udp         AppleTalk
at-8             208/tcp         AppleTalk
at-8             208/udp         AppleTalk
ipx              213/tcp
ipx              213/udp
imap3            220/tcp         Interactive Mail Access Protocol v3
imap3            220/udp         Interactive Mail Access Protocol v3
aurp             387/tcp         AppleTalk Update-Based Routing
aurp             387/udp         AppleTalk Update-Based Routing
netware-ip       396/tcp         Novell Netware over IP
netware-ip       396/udp         Novell Netware over IP
rmt              411/tcp         Remote mt
rmt              411/udp         Remote mt
microsoft-ds     445/tcp
microsoft-ds     445/udp
isakmp           500/udp         ISAKMP/IKE
fcp              510/tcp         First Class Server
exec             512/tcp         BSD rexecd(8)
comsat/biff      512/udp         used by mail system to notify users
login            513/tcp         BSD rlogind(8)
who              513/udp         whod BSD rwhod(8)
shell            514/tcp         cmd BSD rshd(8)
syslog           514/udp         BSD syslogd(8)
printer          515/tcp         spooler BSD lpd(8)
printer          515/udp         Printer Spooler
talk             517/tcp         BSD talkd(8)
talk             517/udp         Talk
ntalk            518/udp         New Talk (ntalk)
Name             Port/Protocol   Description
ntalk            518/udp         SunOS talkd(8)
netnews          532/tcp         Readnews
uucp             540/tcp         uucpd BSD uucpd(8)
uucp             540/udp         uucpd BSD uucpd(8)
klogin           543/tcp         Kerberos Login
klogin           543/udp         Kerberos Login
kshell           544/tcp         Kerberos Shell
kshell           544/udp         Kerberos Shell
ekshell          545/tcp         krcmd Kerberos encrypted remote shell -kfall
pcserver         600/tcp         ECD Integrated PC board srvr
mount            635/udp         NFS Mount Service
pcnfs            640/udp         PC-NFS DOS Authentication
bwnfs            650/udp         BW-NFS DOS Authentication
flexlm           744/tcp         Flexible License Manager
flexlm           744/udp         Flexible License Manager
kerberos-adm     749/tcp         Kerberos Administration
kerberos-adm     749/udp         Kerberos Administration
kerberos         750/tcp         kdc Kerberos authentication (tcp)
kerberos         750/udp         Kerberos
kerberos_master  751/udp         Kerberos authentication
kerberos_master  751/tcp         Kerberos authentication
krb_prop         754/tcp         Kerberos slave propagation
Name             Port/Protocol   Description
                 999/udp         Applixware
socks            1080/tcp
socks            1080/udp
kpop             1109/tcp        Pop with Kerberos
ms-sql-s         1433/tcp        Microsoft SQL Server
ms-sql-s         1433/udp        Microsoft SQL Server
ms-sql-m         1434/tcp        Microsoft SQL Monitor
ms-sql-m         1434/udp        Microsoft SQL Monitor
pptp             1723/tcp        PPTP
pptp             1723/udp        PPTP
nfs              2049/tcp        Network File System
nfs              2049/udp        Network File System
eklogin          2105/tcp        Kerberos encrypted rlogin
rkinit           2108/tcp        Kerberos remote kinit
kx               2111/tcp        X over Kerberos
kauth            2120/tcp        Remote kauth
lyskom           4894/tcp        LysKOM (conference system)
sip              5060/tcp        Session Initiation Protocol
sip              5060/udp        Session Initiation Protocol
x11              6000-6063/tcp   X Window System
x11              6000-6063/udp   X Window System
irc              6667/tcp        Internet Relay Chat
afs              7000-7009/udp
TABLE 3.2: Reserved Ports Table
TCP Connect / Full Open Scan
- TCP Connect scan detects when a port is open by completing the three-way handshake
- TCP Connect scan establishes a full connection and tears it down by sending a RST packet
[Slide figures: scan result when a port is open (Attacker -> Target: SYN Packet + Port (n); Target -> Attacker: SYN/ACK Packet; Attacker -> Target: ACK, then RST) and scan result when a port is closed (Attacker -> Target: SYN Packet + Port (n); Target -> Attacker: RST)]
TCP Connect / Full Open Scan
Source: http://www.insecure.org
TCP Connect / Full Open Scan is one of the most reliable forms of TCP scanning. The connect() system call provided by the OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() succeeds; otherwise the port is not reachable (it is closed, or a filter dropped the attempt). Because the scanner uses the ordinary socket API, it needs no special privileges, but it also cannot control the packets it sends: the kernel always completes the handshake before connect() returns.

TCP Three-way Handshake
In the TCP three-way handshake, the client sends a segment with the SYN flag set, the server acknowledges it with a SYN+ACK segment, and the client completes the connection with an ACK. Once established, a connection can be terminated from either end independently.

Vanilla Scanning
In vanilla (connect) scanning, the client completes the handshake and then immediately ends the connection; the completed handshake confirms that the port is open and that a service is listening there. If the connection is not established, the socket is discarded and a new socket is created for the next port. The process continues until the last port in the requested range has been tried.
If the port is closed, the server responds with an RST+ACK (RST stands for "Reset the connection"), the client's connect() call fails, and the attempt ends there; the client sends nothing further. Because the result comes straight back from the connect() system call, the scanner learns instantly whether the port is open or closed.
Making a separate connect() call for every targeted port in a linear fashion would take a long time over a slow connection. The attacker can accelerate the scan by using many sockets in parallel. Using non-blocking I/O allows the attacker to set a low time-out period and watch all the sockets simultaneously.
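The parallel, non-blocking connect() scanner described above, written out as an added example (editor-supplied code, not part of the original module and not Nmap's implementation). It assumes a POSIX-style socket API (errno values such as EINPROGRESS and ECONNREFUSED) and, for the offline demo, that nothing listens on TCP port 1 of the scanning host; the loopback listener it opens is constructed test data.

```python
import errno
import selectors
import socket
import struct
import time


def connect_scan(host, ports, timeout=1.0, parallel=64):
    """Full-open (connect()) scan driven by non-blocking sockets and a selector.

    Up to `parallel` connection attempts are in flight at once; each one is
    given `timeout` seconds before it is written off as filtered.
    Returns {port: "open" | "closed" | "filtered"}.
    """
    results = {}
    queue = list(ports)
    sel = selectors.DefaultSelector()
    in_flight = {}  # socket -> (port, start time)
    # SO_LINGER with a zero timeout makes close() abort the connection with a
    # RST instead of a graceful FIN, which is how a connect scan tears down
    # each completed handshake.
    rst_on_close = struct.pack("ii", 1, 0)

    def launch(port):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, rst_on_close)
        err = s.connect_ex((host, port))
        if err == 0:                      # handshake completed synchronously
            results[port] = "open"
            s.close()
        elif err in (errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN):
            sel.register(s, selectors.EVENT_WRITE)   # SYN sent; wait for SYN/ACK or RST
            in_flight[s] = (port, time.monotonic())
        elif err == errno.ECONNREFUSED:   # RST came back immediately
            results[port] = "closed"
            s.close()
        else:                             # e.g. EHOSTUNREACH / ENETUNREACH
            results[port] = "filtered"
            s.close()

    def finish(s, port, state):
        sel.unregister(s)
        del in_flight[s]
        results[port] = state
        s.close()                         # RST for an open port, nothing for a failed attempt

    while queue or in_flight:
        while queue and len(in_flight) < parallel:
            launch(queue.pop(0))
        if not in_flight:
            break
        for key, _ in sel.select(timeout=0.1):
            s = key.fileobj
            port, _ = in_flight[s]
            err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            if err == 0:
                finish(s, port, "open")              # SYN/ACK received, ACK sent by kernel
            elif err == errno.ECONNREFUSED:
                finish(s, port, "closed")            # RST received
            else:
                finish(s, port, "filtered")
        now = time.monotonic()
        for s, (port, t0) in list(in_flight.items()):
            if now - t0 > timeout:                   # neither SYN/ACK nor RST: probe dropped
                finish(s, port, "filtered")
    sel.close()
    return results


def demo_against_local_listener():
    """Constructed offline demo: scan one listening loopback port and one closed one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # kernel picks a free port for the listener
    srv.listen(8)
    open_port = srv.getsockname()[1]
    closed_port = 1                         # assumption: nothing listens on tcpmux/1 locally
    try:
        res = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return res[open_port], res[closed_port]


if __name__ == "__main__":
    print(demo_against_local_listener())   # ('open', 'closed') on a normal host
```

Every completed handshake is torn down with a RST (SO_LINGER set to zero) rather than a FIN, matching the slide's description; the listening application still sees an accepted connection, which is exactly why this scan shows up in service logs.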
Disadvantages
The drawback of this type of scan is that it is easily detected and filtered. Because the handshake completes, the connection is handed to the listening application, so the target's application and system logs record a connection from the scanning IP address for every open port.
The Output
Initiating Connect() Scan against (172.17.1.23)
Adding open port 19/tcp
Adding open port 21/tcp
Adding open port 13/tcp
[Figure: Attacker -> Target: SYN Packet + Port (n); Target -> Attacker: SYN/ACK Packet; Attacker -> Target: ACK + RST]
FIGURE 3.14: Scan results when a port is open
[Figure: Attacker -> Target: SYN Packet + Port (n); Target -> Attacker: RST]
FIGURE 3.15: Scan results when a port is closed
[Zenmap screenshot, Target field "nmap 192.168.168.5", Command "nmap -sT -v nmap 192.168.168.5", Nmap Output tab:]
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 12:04 ... Standard Time
Initiating ARP Ping Scan at 12:04
Scanning 192.168.168.5 [1 port]
Completed ARP Ping Scan at 12:04, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:04
Completed Parallel DNS resolution of 1 host. at 12:04, 0.02s elapsed
Initiating Connect Scan at 12:04
Scanning 192.168.168.5 [1000 ports]
Discovered open port 80/tcp on 192.168.168.5
Discovered open port 993/tcp on 192.168.168.5
Discovered open port 8080/tcp on 192.168.168.5
Discovered open port 25/tcp on 192.168.168.5
Discovered open port 139/tcp on 192.168.168.5
Discovered open port 8888/tcp on 192.168.168.5
Completed Connect Scan at 12:04, 40.63s elapsed (1000 total ports)
Nmap scan report for 192.168.168.5
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Host is up (0.00057s latency).
Not shown: 980 filtered ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
135/tcp  open  msrpc
8081/tcp open  blackice-icecap
8088/tcp open  radan-http
8888/tcp open  sun-answerbook
MAC Address: [illegible in screenshot] (Dell)
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 43.08 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
FIGURE 3.16: Zenmap Screenshot
Stealth Scan (Half-open Scan)
- Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide themselves as usual network traffic
Stealth Scan Process
- The client sends a single SYN packet to the server on the appropriate port
- If the port is open then the server responds with a SYN/ACK packet
- If the server responds with an RST packet, then the remote port is in the "closed" state
- The client sends the RST packet to close the initiation before a connection can ever be established
[Slide figures: Bill (10.0.0.2:2342) -> Sheela (10.0.0.3:80): SYN (Port 80); Sheela -> Bill: SYN+ACK; Bill -> Sheela: RST (port is open). Bill (10.0.0.2:2342) -> Sheela (10.0.0.3:80): SYN (Port 80); Sheela -> Bill: RST (port is closed)]
Stealth Scan (Half-Open Scan)
A stealth scan sends a single SYN segment to a TCP port and waits for a single response, without completing the TCP handshake or transferring any further packets. The half-open scan starts to open a connection but stops halfway through. It is also known as a SYN scan because the scanner only ever sends the SYN; the RST it sends after receiving a SYN/ACK aborts the handshake before the kernel hands a connection to the listening application, so the service is never notified of the incoming connection and does not log it. TCP SYN scanning, or half-open scanning, is the default Nmap scan type (-sS) whenever Nmap runs with the privileges needed to craft raw packets.
The stealth scan follows the first two steps of the three-way handshake. The difference is in the last stage: the state of the remote port is determined by examining the packet that comes back, and the connection attempt is torn down with an RST before it is ever completed.
The process is as follows:
- To start, the client sends a single "SYN" packet to the destination server on the corresponding port.
- The port state is determined by how the server responds.
- If the server replies with a "SYN/ACK" packet, the port is in the "OPEN" state; the client then sends an RST to abort the handshake.
- If the server replies with an "RST" packet, the port is in the "CLOSED" state.
- If nothing comes back (or an ICMP unreachable error arrives instead), Nmap reports the port as "filtered": a firewall dropped the probe and the state cannot be determined.
Note that "stealth" here refers only to the application layer. The SYN, SYN/ACK and RST segments are still visible to packet filters, intrusion detection systems and any host-based logging of connection attempts, so a SYN scan is not invisible; it merely avoids the application-level connection logs that a full connect() scan produces.
[Figure: Bill (10.0.0.2:2342) -> Sheela (10.0.0.3:80): SYN (Port 80); Sheela -> Bill: SYN/ACK; Bill -> Sheela: RST]
FIGURE 3.16: Stealth Scan when Port is Open
[Figure: Bill (10.0.0.2:2342) -> Sheela (10.0.0.3:80): SYN (Port 80); Sheela -> Bill: RST]
FIGURE 3.17: Stealth Scan when Port is Closed
Zenmap Tool
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. Using this tool you can save frequently used scans as profiles to make them easy to run again. It contains a command creator that lets you build Nmap command lines interactively. You can save scan results, view them later and compare them with another scan report to locate differences. The results of recent scans are stored in a searchable database.
The advantages of Zenmap are as follows:
- Interactive and graphical results viewing
- Comparison
- Convenience
- Repeatability
- Discoverability
[Zenmap screenshot, Command "nmap -sT -v nmap 192.168.168.5"; the Nmap Output tab shows the same connect scan output as Figure 3.16 (open ports 25, 80, 110, 119, 135, 8081, 8088 and 8888, 980 filtered ports, 43.08 seconds)]
FIGURE 3.18: Zenmap Showing Scanning Results
Xmas Scan
- In an Xmas scan, attackers send a TCP frame to a remote device with the FIN, URG, and PSH flags set
- Xmas scan only works with OS TCP/IP stacks developed according to RFC 793
- It will not work against any current version of Microsoft Windows
[Slide figures: Attacker (10.0.0.6) -> Server (10.0.0.8:23): FIN, URG, PUSH; No Response (port is open). Attacker (10.0.0.6) -> Server (10.0.0.8:23): FIN, URG, PUSH; Server -> Attacker: RST (port is closed)]
Xmas Scan
The Xmas scan is a port scan technique that sends a TCP frame to a remote device with the FIN, PSH, and URG flags set (the header is "lit up like a Christmas tree"). If the target port is closed, the remote system replies with an RST; if it is open, an RFC 793-compliant stack silently drops the frame. You can use this technique to scan large networks and find which hosts are up and which ports they are not rejecting. Setting every TCP flag at once was tried historically, but some systems hang when they receive such a frame, so the flags most often set are the nonsense pattern URG-PSH-FIN, which is what Nmap's -sX option sends. This scan only gives meaningful results when the target is compliant with RFC 793.
BSD Networking Code
This behaviour comes from BSD-derived networking code: a segment that carries no SYN, RST or ACK is dropped if the port is open and answered with an RST if the port is closed. The method therefore works against most UNIX-like hosts, but not against Windows NT and later. If this scan is directed at a Microsoft system, the host answers every probe with an RST regardless of port state, so every port appears closed.
Transmitting Packets
You can set these flags yourself when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, the port is open, or a firewall dropped the probe; Nmap reports "open|filtered" because it cannot tell the two cases apart. If the target system sends an RST, the port is closed.
Advantage:
It never completes the TCP three-way handshake, so no connection is logged by the application, and probes of this shape can pass through some non-stateful firewalls and packet-filtering routers and past IDS rules that only look for SYN probes.
Disadvantage:
It gives reliable results only against RFC 793-compliant stacks (most UNIX-like systems). Windows, many Cisco devices and other stacks answer every probe with an RST, and against any target an open port cannot be distinguished from one whose probe was silently filtered, which is why Nmap reports "open|filtered".
[Figure: Attacker (10.0.0.6) -> Server (10.0.0.8:23): FIN, URG, PUSH; No Response]
FIGURE 3.19: Xmas Scan when Port is Open
[Figure: Attacker (10.0.0.6) -> Server (10.0.0.8:23): FIN, URG, PUSH; Server -> Attacker: RST]
FIGURE 3.20: Xmas Scan when Port is Closed
[Zenmap screenshot, Target field "nmap 192.168.168.3", Command "nmap -sX -v nmap 192.168.168.3", Nmap Output tab:]
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 12:39 ... Standard Time
Initiating ARP Ping Scan at 12:39
Scanning 192.168.168.3 [1 port]
Completed ARP Ping Scan at 12:39, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:39
Completed Parallel DNS resolution of 1 host. at 12:39, 0.02s elapsed
Initiating XMAS Scan at 12:39
Scanning 192.168.168.3 [1000 ports]
Increasing send delay for 192.168.168.3 from 0 to 5 due to 108 out of 358 dropped probes since last increase.
Completed XMAS Scan at 12:39, 9.75s elapsed (1000 total ports)
Nmap scan report for 192.168.168.3
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Host is up (0.000023s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
88/tcp  open|filtered kerberos-sec
548/tcp open|filtered afp
MAC Address: [illegible in screenshot]
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 12.19 seconds
Raw packets sent: 1353 | Rcvd: 998 (39.908KB)
FIGURE 3.21: Zenmap Showing Xmas Scan Result
FIN Scan
- In a FIN scan, attackers send a TCP frame to a remote host with only the FIN flag set
- FIN scan only works with OS TCP/IP stacks developed according to RFC 793
- It will not work against any current version of Microsoft Windows
FIN Scan
The FIN scan is a type of port scan in which the client sends a segment with only the FIN flag set to the target port. If the service is not running, that is, the port is closed, the target replies to the probe with an RST; if the port is open, an RFC 793-compliant stack discards the probe without responding. As with the Xmas and NULL scans, no response means "open|filtered" in Nmap's output, and Windows hosts answer with an RST on every port whatever its state. The Nmap option for this scan is -sF.
[Figure: Attacker (10.0.0.6) -> Server (10.0.0.8:23): FIN; No Response]
FIGURE 3.22: FIN Scan when Port is Open
[Figure: Attacker (10.0.0.6) -> Server (10.0.0.8:23): FIN; Server -> Attacker: RST]
FIGURE 3.23: FIN Scan when Port is Closed
[Zenmap screenshot, Target field "nmap 192.168.168.3", Command "nmap -sF -v nmap 192.168.168.3", Nmap Output tab:]
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 12:35 ... Standard Time
Initiating ARP Ping Scan at 12:35
Scanning 192.168.168.3 [1 port]
Completed ARP Ping Scan at 12:35, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:35
Completed Parallel DNS resolution of 1 host. at 12:35, 0.10s elapsed
Initiating FIN Scan at 12:35
Scanning 192.168.168.3 [1000 ports]
Increasing send delay for 192.168.168.3 from 0 to 5 due to 108 out of 358 dropped probes since last increase.
Increasing send delay for 192.168.168.3 from 5 to 10 due to max_successful_tryno increase to 4
Completed FIN Scan at 12:35, 11.78s elapsed (1000 total ports)
Nmap scan report for 192.168.168.3
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Host is up (0.0000050s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
88/tcp  open|filtered kerberos-sec
548/tcp open|filtered afp
MAC Address: [illegible in screenshot]
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 14.28 seconds
Raw packets sent: 1378 (55.108KB) | Rcvd: 998 (39.908KB)
FIGURE 3.24: Zenmap showing FIN Scan Result
NULL Scan
- In a NULL scan, attackers send a TCP frame to a remote host with NO flags set
- NULL scan only works if the OS's TCP/IP implementation is developed according to RFC 793
- It will not work against any current version of Microsoft Windows
[Slide figure: Attacker (10.0.0.6) -> Server: TCP Packet with NO Flag Set; No Response (port is open)]
NULL Scan
NULL scans send TCP packets with all flags turned off. It is assumed that closed ports return a TCP RST, while packets arriving at open ports are discarded as invalid.
The scan leaves every flag in the TCP header (ACK, FIN, RST, SYN, URG and PSH) clear. When such a packet arrives at the server, BSD-derived networking code drops the incoming packet if the port is open and returns an RST if the port is closed. The NULL scan uses the flags in the opposite way to the Xmas scan (none set rather than FIN, PSH and URG set), but gives the same output as the FIN and Xmas tree scans.
The network stacks of major operating systems differ in how they respond to such a packet, e.g., Microsoft versus UNIX. This method does not work against Microsoft operating systems, which reply with an RST on every port regardless of its state.
The command-line option for NULL scanning with Nmap is "-sN".
Advantage:
It avoids the TCP three-way handshake and can get past some IDS rules and stateless packet filters that only look for SYN probes.
Disadvantage:
It works only against RFC 793-compliant stacks (UNIX-like systems), and an open port cannot be distinguished from a filtered one, so Nmap reports "open|filtered".
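The four raw-packet scan types in this part of the module (SYN/half-open, Xmas, FIN and NULL) differ only in which TCP flags the probe carries and in how the reply is read. The following added example (editor-supplied code, not from the original module and not Nmap's implementation) builds those probe segments with a correct TCP checksum, parses a reply, and applies the state rules described above. The IP addresses, ports and the PROBES table are illustrative; send_probe() assumes root or CAP_NET_RAW and that src_ip is the address the kernel will really stamp on the packet, otherwise the checksum will not match.

```python
import socket
import struct

# TCP flag bits (RFC 793, low six bits of the data-offset/flags word)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag patterns of the scan types discussed above (Nmap -sS, -sF, -sN, -sX)
PROBES = {
    "syn": ("SYN",),
    "fin": ("FIN",),
    "null": (),
    "xmas": ("FIN", "PSH", "URG"),
}


def _ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit big-endian words (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, flag_names, seq=0, ack=0, window=1024):
    """Build a 20-byte TCP header with the given flags and a valid checksum."""
    flags = sum(TCP_FLAGS[n] for n in flag_names)
    offset_flags = (5 << 12) | flags          # data offset = 5 words, reserved bits zero
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_segment(segment):
    """Decode the fixed TCP header of a received segment."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_flags >> 12,
        "flags": {n for n, bit in TCP_FLAGS.items() if off_flags & bit},
        "window": window, "checksum": csum, "urgent": urg,
    }


def checksum_ok(src_ip, dst_ip, segment):
    """A segment with a valid checksum sums (together with the pseudo-header) to zero."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify(scan, response):
    """Map what came back to a port state, following the rules for each scan type.

    `response` is None (nothing arrived before the timeout), the string
    "icmp-unreachable", or a dict returned by parse_tcp_segment().
    """
    if response == "icmp-unreachable":
        return "filtered"
    if response is None:
        # SYN scan: silence means a filter ate the probe. FIN/NULL/Xmas: an RFC 793
        # stack also stays silent on an open port, so silence is ambiguous.
        return "filtered" if scan == "syn" else "open|filtered"
    if "RST" in response["flags"]:
        return "closed"
    if scan == "syn" and {"SYN", "ACK"} <= response["flags"]:
        return "open"
    return "unexpected"


def send_probe(src_ip, dst_ip, dport, scan, sport=40000):
    """Put one probe on the wire. Needs root/CAP_NET_RAW; the kernel prepends the IP header."""
    segment = build_tcp_segment(src_ip, dst_ip, sport, dport, PROBES[scan])
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as raw:
        raw.sendto(segment, (dst_ip, 0))
```

Reading replies requires a second raw (or pcap) socket and a timeout; the classify() rules are what turn "RST", "SYN/ACK", ICMP error or silence into the closed, open, filtered and open|filtered states seen in the Zenmap output in this section.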
[Figure: Attacker (10.0.0.6) -> Server (10.0.0.8:23): TCP Packet with NO Flag Set; No Response]
FIGURE 3.25: NULL Scan when Port is Open
[Figure: Attacker (10.0.0.6) -> Server (10.0.0.8:23): TCP Packet with NO Flag Set; Server -> Attacker: RST/ACK]
FIGURE 3.26: NULL Scan when Port is Closed
[Zenmap screenshot, Target field "nmap 192.168.168.3", Command "nmap -sN -v nmap 192.168.168.3", Nmap Output tab:]
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-10 12:41 ... Standard Time
Initiating ARP Ping Scan at 12:41
Scanning 192.168.168.3 [1 port]
Completed ARP Ping Scan at 12:41, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:41
Completed Parallel DNS resolution of 1 host. at 12:41, 0.02s elapsed
Initiating NULL Scan at 12:41
Scanning 192.168.168.3 [1000 ports]
Increasing send delay for 192.168.168.3 from 0 to 5 due to 215 out of 715 dropped probes since last increase.
Completed NULL Scan at 12:41, 8.23s elapsed (1000 total ports)
Nmap scan report for 192.168.168.3
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
Host is up (0.00s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
88/tcp  open|filtered kerberos-sec
548/tcp open|filtered afp
MAC Address: [illegible in screenshot]
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds
Raw packets sent: 1844 (73.748KB) | Rcvd: 998 (39.908KB)
FIGURE 3.27: Zenmap showing NULL Scan Result
IDLE Scan
- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port
- One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port
- The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (Reset) packet if the port is closed
- A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored
- Every IP packet on the Internet has a "fragment identification" number (IP ID)
- The OS increments the IP ID for each packet sent, so probing the IP ID gives an attacker the number of packets sent since the last probe
Command Prompt
C:\> nmap -Pn -p- -sI www.juggyboy.com www.certifiedhacker.com
Starting Nmap ( http://nmap.org )
Idlescan using zombie www.juggyboy.com (192.130.18.124:80); Class: Incremental
Nmap scan report for 198.182.30.110
(The 40321 ports scanned but not
Port    State Service
21/tcp  open  ftp
25/tcp  open  smtp
80/tcp  open  http
Nmap done: 1 IP address (1 host up) scanned in 1931.23 seconds
IDLE Scan
The idle scan is a TCP port scan method in which every probe that reaches the target carries a spoofed source address, so the attacker can find out which services are available while remaining completely blind to the target: no packet is sent to the target from the attacker's own IP address. Instead another host, often called a "zombie," is used as the apparent source of the scan. The attacker infers the target's open ports by watching the zombie's IP ID sequence (the identification field in the IP header, which many hosts increment for every packet they send), and if the target checks the source address of the scanning traffic, only the zombie's IP address shows up.
Understanding TCP/IP
Source: http://nmap.org
Idle scanning is a sophisticated port scanning method, but you do not need to be a TCP/IP expert to understand it. You need to understand the following basic facts:
- Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port; otherwise it is closed.
- To determine whether a port is open, send a session establishment "SYN" packet to the port. The target machine responds with a session request acknowledgment "SYN|ACK" packet if the port is open and a Reset "RST" packet if the port is closed.
- A machine that receives an unsolicited SYN|ACK packet responds with an RST. An unsolicited RST is ignored.
- Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.
From these facts, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning.
[Figure: Command Prompt window with the idle scan command and its output, as shown on the slide above]
FIGURE 3.28: Nmap Showing Idle Scan Result
IDLE Scan: Step 1
Every IP packet on the Internet has a fragment identification number (IP ID), which increases every time a host sends an IP packet.
[Figure: Attacker -> Zombie: IPID probe; Zombie -> Attacker: RST Packet carrying the zombie's current IP ID]
FIGURE 3.29: IPID Probe Request and Response
Choose a "Zombie" and Probe for its Current IP Identification (IPID) Number
In the first step, the attacker probes the zombie for its current IP ID by sending it an unsolicited session request acknowledgment "SYN|ACK" packet. The zombie has no connection matching that packet, so it answers with a reset "RST" packet, and the IP header of that RST carries the zombie's current IP ID. Every IP packet on the Internet has a "fragment identification" number, and on a suitable zombie that number is incremented by one for every packet the host transmits. In the diagram above, the zombie responds with IPID=31337.
A usable zombie must be idle, because any unrelated traffic it sends also advances the counter, and it must use a predictable, globally incrementing IP ID rather than a random or per-connection one; Nmap reports the detected IP ID behaviour when the -sI scan starts, as the "Class: Incremental" line in the command output above shows.
IDLE Scan: Step 2 and 3
Step 2
- Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie"
- If the port is open, the target will send a SYN/ACK packet to the zombie and in response the zombie sends an RST to the target
- If the port is closed, the target will send an RST to the "zombie" but the zombie will not send anything back
[Slide figure: Attacker -> Target: SYN Packet to port 80 spoofing zombie IP address; Target -> Zombie: SYN/ACK; Zombie -> Target: RST (port is open)]
Step 3
- Probe the "zombie" IPID again
[Slide figure: Attacker -> Zombie: IPID Probe SYN/ACK Packet; Zombie -> Attacker: RST Packet, Response: IPID=31339]
- IPID incremented by 2 since Step 1, so port 80 must be open
IDLE Scan: Step 2 and 3
Idle Scan: Step 2.1 (Open Port)
Send a SYN packet to the target machine (port 80) spoofing the IP address of the "zombie." If the port is open, the target sends a SYN/ACK packet to the zombie, and in response the zombie sends an RST to the target. That RST is one more packet transmitted by the zombie, so its IP ID counter advances by one.
[Figure: Attacker -> Target: SYN Packet to port 80 spoofing zombie IP address; Target -> Zombie: SYN/ACK; Zombie -> Target: RST (port is open)]
FIGURE 3.30: Target Response to Spoofed SYN Request when Port is Open
Idle Scan: Step 2.2 (Closed Port)
The target will send an RST to the "zombie" if the port is closed, but the zombie ignores the unsolicited RST and sends nothing back, so its IP ID counter does not advance. A filtered port (probe dropped by a firewall) produces exactly the same result at the zombie: no packet is sent.
[Figure: Attacker -> Target: SYN Packet to port 80 spoofing zombie IP address; Target -> Zombie: RST; Zombie sends nothing back (port is closed)]
FIGURE 3.31: Target Response to Spoofed SYN Request when Port is Closed
Idle Scan: Step 3
Probe the "zombie" IPID again, exactly as in Step 1, and compare the two values. In the diagram the zombie answers the second probe with IPID=31339, two higher than the 31337 seen in Step 1: one increment for the RST the zombie sent to the target in Step 2 and one for the RST it is sending to the attacker now, so port 80 must be open. An increment of only 1 (just the reply to this probe) means the port is closed or filtered; the idle scan cannot tell those two states apart. Any other increment means the zombie sent unrelated traffic between the two probes and is not idle enough for that result to be trusted.
[Figure: Attacker -> Zombie: IPID Probe SYN/ACK Packet; Zombie -> Attacker: RST Packet, Response: IPID=31339; IPID incremented by 2 since Step 1, so port 80 must be open]
FIGURE 3.32: IPID Probe Request and Response
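Steps 1 to 3 above, carried through as an added simulation (editor-supplied code, not from the original module and not Nmap's implementation) with an idealised zombie whose IP ID is a single global counter. The hosts, addresses and port states are constructed for the example; a real scanner such as Nmap sends several probes per port and retries to detect a noisy zombie, which this model only illustrates with background_traffic().

```python
import itertools


class Zombie:
    """Idle host whose IP ID is one global counter, incremented for every packet it sends."""

    def __init__(self, ip, first_ipid=31337):
        self.ip = ip
        self._ipid = itertools.count(first_ipid)
        self.sent = []                      # (destination, description, ipid) of every packet sent

    def _send(self, dst, what):
        ipid = next(self._ipid)
        self.sent.append((dst, what, ipid))
        return ipid

    def receive(self, src, flags):
        """Unsolicited SYN/ACK -> RST (consumes an IP ID); unsolicited RST -> ignored."""
        if flags == {"SYN", "ACK"}:
            return ("RST", self._send(src, "RST"))
        return None

    def background_traffic(self, packets):
        """Simulate a zombie that is not idle: unrelated packets also bump the counter."""
        for _ in range(packets):
            self._send("elsewhere", "noise")


class Target:
    def __init__(self, ip, open_ports=(), filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)
        self.log = []                       # what the target's own logs would record

    def receive(self, src_ip, dport, flags, network):
        self.log.append((src_ip, dport))    # only the claimed (spoofed) source is ever visible
        if flags != {"SYN"} or dport in self.filtered_ports:
            return                          # firewall drops it: no reply at all
        reply = {"SYN", "ACK"} if dport in self.open_ports else {"RST"}
        host = network.get(src_ip)          # the reply goes to the spoofed source, the zombie
        if host is not None:
            host.receive(self.ip, reply)


def probe_ipid(zombie, attacker_ip):
    """Steps 1 and 3: send the zombie a SYN/ACK and read the IP ID off the RST it returns."""
    return zombie.receive(attacker_ip, {"SYN", "ACK"})[1]


def idle_scan(attacker_ip, zombie, target, ports):
    network = {zombie.ip: zombie}
    results = {}
    for port in ports:
        before = probe_ipid(zombie, attacker_ip)                 # step 1
        target.receive(zombie.ip, port, {"SYN"}, network)        # step 2: SYN with spoofed source
        after = probe_ipid(zombie, attacker_ip)                  # step 3
        delta = after - before
        if delta == 2:
            results[port] = "open"               # target's SYN/ACK made the zombie emit an RST
        elif delta == 1:
            results[port] = "closed|filtered"    # only the reply to our own probe was sent
        else:
            results[port] = "unreliable"         # zombie sent other traffic between the probes
    return results


def demo():
    """Constructed scenario using the module's own numbers (zombie IP ID starts at 31337)."""
    zombie = Zombie("10.0.0.5")
    target = Target("10.0.0.8", open_ports={80}, filtered_ports={443})
    results = idle_scan("10.0.0.6", zombie, target, [80, 25, 443])
    return results, target.log, zombie.sent


if __name__ == "__main__":
    res, log, sent = demo()
    print(res)                              # {80: 'open', 25: 'closed|filtered', 443: 'closed|filtered'}
    print(log)                              # every entry names 10.0.0.5, never the attacker
```

The target's log never contains the attacker's address, and the first three packets the zombie sends carry IP IDs 31337, 31338 and 31339, matching the figures above.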