Chapter 3 - Scanning and Enumeration
UDP scan
A UDP scan is exactly what it sounds like: send a datagram to the port and see what comes back. There is no handshake, so an open port usually returns nothing at all (unless the service happens to answer the payload), while a closed port returns an ICMP Destination Unreachable, port unreachable (type 3, code 3). Because silence can also mean a firewall dropped the probe, scanners such as Nmap report a silent UDP port as open|filtered rather than open. Two practical caveats: most stacks rate-limit ICMP unreachables (Linux defaults to about one per second), which is why UDP scans of many ports crawl, and sending a protocol-specific payload (Nmap's -sV, or its built-in UDP payloads for DNS, SNMP, NTP and the like) is the reliable way to turn open|filtered into a confirmed open.
port number
A port number, inside the Transport layer protocol header (TCP or UDP), identifies which application or service on the host should receive the data contained within. Systems use port numbers to tell recipients what they're trying to accomplish—that is, assuming the default ports are still being used for their default purposes, but we'll get to that later. The port numbers range from 0 to 65,535 and are split into three different groups: • Well-known ports 0-1023 (binding to these needs root on Unix-like systems) • Registered ports 1024-49,151 • Dynamic (ephemeral) ports 49,152-65,535, the range a client normally draws its source port from. (Ever wonder why port numbers go from 0 to 65,535? If you've ever taken a Cisco class and learned any binary math, the answer is rather evident: the field in which you'll find a port number is 16 bits long, and 16 bits gives you 65,536 different combinations, from 0 all the way up to 65,535.)
netstat
Typing netstat -an (see Figure 3-6) displays all connections and listening ports, with addresses and port numbers in numeric form. On Windows, if you have admin privileges on the box, netstat -b adds the executable that owns each socket (netstat -ano shows the owning PID and needs no elevation). On Linux the equivalents are netstat -tulpn or ss -tulpn, which need root to show processes belonging to other users.
Port Scan Types
A scan type is defined by three things: which flags are set in the packets before delivery, what responses you expect from open and closed ports, and how stealthy the scan is. Generally speaking, there are seven generic scan types for port scanning:
• Full connect - Also known as a TCP connect or full open scan, this completes the three-way handshake on each port and then tears the connection down with an RST. It is the easiest to detect (the application sees and usually logs the connection) but possibly the most reliable, and it needs no raw-socket privileges (nmap -sT). Open ports respond with a SYN/ACK, and closed ports respond with an RST.
• Stealth (SYN scan) - Also known as a half-open scan (nmap -sS). Only a SYN is sent to each port; when a SYN/ACK comes back the scanner answers with an RST instead of an ACK, so the handshake never completes. Responses from ports are the same as for a TCP connect scan. Because no connection is established, the application never sees it and older logging misses it, but any modern IDS and any stateful firewall notices the burst of half-open connections, so "stealth" is relative.
• Inverse TCP flag (FIN scan) - This scan uses the FIN, URG, or PSH flag (or, in the NULL scan, no flags at all) to poke at ports (nmap -sF, -sN). Per RFC 793, a closed port answers with an RST/ACK and an open port says nothing at all. You know, the inverse of everything else. Silence is also what a firewall that drops the probe produces, which is why Nmap reports the result as open|filtered rather than open.
• XMAS - A Christmas scan is so named because the packet is "lit up" like a Christmas tree with flags. Nmap's -sX sets FIN, PSH, and URG; ECC describes it as all flags turned on. Port responses are the same as for an inverse TCP scan. XMAS, FIN, and NULL scans do not work against Microsoft Windows machines because Microsoft's TCP/IP stack is not RFC 793 compliant on this point: it answers RST regardless of port state, so every port looks closed.
• ACK flag probe - According to ECC, there are two versions of this scan, both using the same method: the attacker sends a packet with only the ACK flag set and examines the returned RST's header (TTL or Window field) to determine the port status. In the TTL version, if the TTL of the returned RST is less than 64, the port is open. In the Window version, if the Window field of the RST is anything other than zero, the port is open. In practice, an ACK probe (nmap -sA) reliably tells you only whether a stateful filter sits in front of the port (RST comes back = unfiltered, nothing = filtered); the Window-size trick (nmap -sW) works only on a minority of older stacks, and the TTL heuristic is exam knowledge rather than something to rely on.
• IDLE - This uses a spoofed source address belonging to an idle "zombie" system to elicit port responses during a scan (nmap -sI). Designed for stealth, because the target only ever sees the zombie's address, it sends SYNs as a SYN scan does and reads the result indirectly from the zombie's IP identifier (IPID) counter, described later in this chapter.
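As an added illustration (this code is not from the book), here is a Python module that builds the first packet of each scan type above as a raw TCP header with a correct checksum, and a classify() function that turns what came back (TCP flags, window size, an ICMP unreachable, or nothing) into the port state a scanner would report, including the open|filtered ambiguity the bullets gloss over. The addresses and ports are made up; putting the segment on the wire needs a raw socket and root, which is deliberately left to the reader.

```python
import socket
import struct

# TCP flag bits as they sit in the low byte of the header's offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# First packet each scan type puts on the wire (nmap -sT/-sS/-sF/-sN/-sX/-sA/-sW)
SCAN_FLAGS = {
    "connect": SYN,              # same opener as a SYN scan; the kernel then completes the handshake
    "syn":     SYN,
    "fin":     FIN,
    "null":    0,
    "xmas":    FIN | PSH | URG,  # what nmap -sX actually sets, not all six flags
    "ack":     ACK,
    "window":  ACK,              # ACK probe, but the reply's window field is inspected
}


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024) -> bytes:
    """20-byte TCP header (no options, no payload) with the given flags and a valid checksum.
    On a raw socket the kernel fills in the IP checksum but not this one, so it is computed here."""
    offset_flags = (5 << 12) | flags        # data offset 5 words, reserved bits 0, flag byte
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment) -> bool:
    """Re-summing pseudo-header + segment (checksum field included) must give zero."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def segment_flags(segment: bytes) -> int:
    return struct.unpack("!H", segment[12:14])[0] & 0xFF


def segment_window(segment: bytes) -> int:
    return struct.unpack("!H", segment[14:16])[0]


def classify(scan: str, reply_flags=None, reply_window=0, icmp_unreachable=False) -> str:
    """Port state as a scanner infers it. reply_flags=None means nothing came back before the timeout."""
    if icmp_unreachable:                     # ICMP type 3 (codes 1, 2, 3, 9, 10, 13): something filtered it
        return "filtered"
    if scan in ("connect", "syn"):
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        return "closed" if reply_flags & RST else "filtered"
    if scan in ("fin", "null", "xmas"):
        # RFC 793: closed ports answer RST, open ports stay silent. A dropping firewall and
        # every Windows port are silent too, so silence is only ever "open|filtered".
        if reply_flags is not None and reply_flags & RST:
            return "closed"
        return "open|filtered"
    if scan == "ack":
        # an ACK probe can only tell whether a stateful filter sits in front of the port
        return "unfiltered" if reply_flags is not None and reply_flags & RST else "filtered"
    if scan == "window":
        if reply_flags is None or not reply_flags & RST:
            return "filtered"
        return "open" if reply_window else "closed"   # works only on stacks with the old window quirk
    raise ValueError("unknown scan type %r" % scan)
```

To send one of these segments you would prepend an IP header and write it to a socket opened with SOCK_RAW and IP_HDRINCL; the interesting part for the exam is in classify(), where the same silence means three different things depending on which flags you sent.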
Active banner grabbing
Active banner grabbing involves sending specially crafted packets to remote systems and comparing responses to determine the OS.
Anonymizers
Anonymizers are services on the Internet that make use of a web proxy to hide your identity. Thousands of anonymizers are available—simply do a Google search and you'll see what I mean. Be careful in your choice, though; some of them aren't necessarily safe, and their owners are set up specifically to steal information and plant malware. Some anonymizers referenced by ECC are Guardster (guardster.com), Ultrasurf (ultrasurf.us), Psiphon (psiphon.ca), and Tails (tails.boum.org). Tails isn't an application, per se; it's an actual live OS you can run from a USB that anonymizes the source and leaves no trace on the system you're on. Neat! Did you know Google puts a cookie on your system with a unique identifier that lets them track your web activity? Want to get rid of it? Gzapper (www.dummysoftware.com) is what you want, and you may see a reference to it on the exam too.
IP Address Decoy
Another evasion effort is known as IP Address Decoy. The basic idea is to obfuscate the real source of the scan by hiding it among a whole bunch of decoy source addresses (making it appear that the decoys as well as your host are scanning). You can pull this off in Nmap a couple of different ways. First, nmap -D RND:10 X.X.X.X generates ten random decoys and places the real source IP among them at random. If you want to get a little more manual in your effort, try nmap -D decoyIP1,decoyIP2,ME,decoyIP3,... [target]; the ME placeholder marks where your real address sits in the order (Nmap puts it at a random position if you leave ME out). This version lets you decide how many decoys to use and where the real source appears. Two caveats: the decoys should be hosts that are actually up, or a defender only has to check which of the "scanners" is alive to single you out, and decoys only disguise the probes. The responses still come back to you, so the trick does nothing for a connect scan or version detection, which need a real connection.
Banner Grabbing (step 4)
Banner grabbing is actually listed as part of the scanning methodology, but dang it, it belongs here in enumeration. After all, that's what it does. It's one of the easiest enumeration methods, but it sure can have a big bang for the buck. The tactic involves connecting to an open port and sending an unsolicited request (or simply waiting, since services like SSH, FTP, and SMTP announce themselves first) to see what default message, or banner, comes back. Depending on the application and version running on the port, the returned banner (an error message, HTTP header, or login prompt) can indicate a potential vulnerability for the hacker to exploit. A common method of performing banner grabbing is to use a simple tool already built into most operating systems, Telnet; netcat (nc -v host 22) and an HTTP client (curl -I host) do the same job, and nmap -sV automates it across every open port. Keep in mind a careful administrator can strip or fake a banner, so treat a version string as a lead to verify, not a finding.
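The following is an added example, not code from the book: a small Python banner grabber that connects, sends a probe only for protocols that wait for the client to speak first (HTTP), and a parse_banner() function that pulls protocol, product, and version out of the common banner formats so the result can be fed to a vulnerability lookup. The sample banners in the usage are constructed, and the regexes cover the most common shapes only.

```python
import re
import socket

# Probes for services that say nothing until the client talks (HTTP). SSH, SMTP, FTP and
# POP3 send their greeting first, so for them the probe is simply "read".
PROBES = {
    80:   b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n",
    8080: b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n",
}


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send a protocol-appropriate probe if one is needed, and return the first bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        probe = PROBES.get(port)
        if probe is not None:
            s.sendall(probe % host.encode("ascii"))
        return s.recv(1024)


BANNER_PATTERNS = [
    # (protocol, pattern with named groups product/version); order matters, first match wins
    ("ssh",  re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]+)?")),
    ("http", re.compile(rb"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<product>[^/\r\n]+)/?(?P<version>[\w.]*)", re.S)),
    ("smtp", re.compile(rb"^220[ -](?P<host>\S+) ESMTP (?P<product>[A-Za-z]+)[ /]?(?P<version>[\w.()-]*)")),
    ("ftp",  re.compile(rb"^220[ -].*?\((?P<product>[A-Za-z ]+?) (?P<version>[\w.]+)\)")),
]


def parse_banner(raw: bytes) -> dict:
    """Map a raw banner to protocol/product/version; unknown banners are kept verbatim for review."""
    for protocol, pattern in BANNER_PATTERNS:
        m = pattern.match(raw)
        if m:
            info = {"protocol": protocol}
            for key in ("product", "version"):
                val = m.groupdict().get(key)
                info[key] = val.decode("ascii", "replace") if val else ""
            return info
    return {"protocol": "unknown", "product": "", "version": "",
            "raw": raw[:80].decode("ascii", "replace")}


def fingerprint(host: str, port: int) -> dict:
    """Live helper: grab and parse in one call; errors are reported rather than raised."""
    try:
        return parse_banner(grab_banner(host, port))
    except (OSError, socket.timeout) as exc:
        return {"protocol": "error", "product": "", "version": "", "raw": str(exc)}
```

A version string such as OpenSSH 8.9p1 is exactly what you would then look up against a vulnerability database, bearing in mind that distributions backport fixes without changing the version, which is one more reason a banner is a lead rather than a finding.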
Connection-Oriented Communication
Connection-oriented communication using TCP, although it requires a lot more overhead and is oftentimes slower than connectionless communication, is a much more orderly form of data exchange and makes a lot more sense for transporting large files or communicating across network boundaries. Depending on what a segment is intended to do, some or all of the TCP header flags may be set. The flags are as follows:
• SYN (Synchronize) Set during initial connection establishment. It indicates negotiation of parameters and initial sequence numbers.
• ACK (Acknowledgment) Set to acknowledge received data (or a SYN). It is set on every segment after the initial SYN.
• RST (Reset) Forces an abortive termination of communication in both directions. It is also what a closed port sends back to an unexpected segment, which is why port scanners lean on it so heavily.
• FIN (Finish) Signals an orderly close; each side sends its own FIN for its direction.
• PSH (Push) Asks the receiver to hand the data to the application immediately rather than waiting for its buffer to fill.
• URG (Urgent) Indicates the urgent pointer is valid and the data it points to is out of band. Cancelling a transfer mid-stream is one example.
The handshake itself takes three segments. The sender starts with a segment whose SYN flag is set, carrying an initial sequence number of its own. When the recipient gets that segment, it responds with both SYN and ACK set, acknowledges the sender's sequence number by incrementing it by one, and includes its own initial sequence number. All this tells the sender, "Yes, I acknowledge your request to communicate and will agree to synchronize with you. I see your sequence number and acknowledge it by incrementing it. Please use my sequence number in further communications with me so I can keep track of what we're doing." The sender completes the exchange with an ACK of the recipient's sequence number plus one. Figure 3-3 illustrates the three-way handshake.
UDP 67
DHCP (Dynamic Host Configuration Protocol)
TCP/UDP 53
DNS (Domain Name System)
Scanning Methodology
EC-Council's scanning methodology phases include the following steps:
1. Check for live systems. Something as simple as a ping can provide this. This gives you a list of what's actually alive on your network subnet.
2. Check for open ports. Once you know which IP addresses are active, find what ports they're listening on.
3. Scan beyond IDS. Sometimes your scanning efforts need to be altered to avoid those pesky intrusion detection systems.
4. Perform banner grabbing. Banner grabbing and OS fingerprinting will tell you what operating system is on the machines and which services they are running.
5. Scan for vulnerabilities. Perform a more focused look at the vulnerabilities these machines haven't been patched for yet.
6. Draw network diagrams. A good network diagram will display all the logical and physical pathways to targets you might like.
7. Prepare proxies. This obscures your efforts to keep you hidden.
IP identifier (IPID) (for IDLE Scans)
Every IP packet carries an identification field, the IP identifier (IPID), which exists to help with the pesky problem of fragmentation (IP packets can be only so big, so a single datagram is sometimes fragmented and has to be reassembled at the destination, and all fragments of one datagram share its IPID). Many older or simpler systems simply increase the IPID by one with every packet they send. For example, the first packet of the day might have an IPID of 31487, and the second 31488. If you understand that, can spoof an IP address, and have a remote machine that isn't doing anything (the "zombie"), the idle scan makes perfect sense:
1. Probe the zombie (send it a SYN/ACK; it answers with an RST) and note the IPID on the reply.
2. Send a SYN to the target port with the zombie's address spoofed as the source.
3. If the port is open, the target sends a SYN/ACK to the zombie, which answers it with an RST and so uses up one IPID. If the port is closed, the target sends an RST, which the zombie silently ignores.
4. Probe the zombie again. An IPID two higher than before means the port is open; one higher means closed (or filtered, which looks identical from the zombie's side).
The catch is finding a usable zombie. Most modern stacks randomize the IPID, or (Linux, for packets with the Don't Fragment bit set) leave it at zero, and any traffic the zombie sends on its own ruins the count. Nmap's -sI checks a candidate before scanning, and its ipidseq script (nmap --script ipidseq) reports whether a host's IPID sequence is "Incremental", the only class that works.
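As an added example (not from the book), here is a Python simulation of the exchange above with all three parties modelled: a zombie whose stack hands out IPIDs from one incrementing counter, a target with open, closed, and filtered ports, and an idle_scan() that infers port state purely from the zombie's IPID delta. A second zombie that chatters in the background shows why a non-idle host gives unusable results. All hosts and port numbers are constructed; nothing touches the network.

```python
class Zombie:
    """An idle host whose IP stack assigns IPIDs from a single global, incrementing counter."""

    def __init__(self, ipid=31487, background_packets=0):
        self.ipid = ipid
        self.noise = background_packets   # packets the host sends on its own between our probes

    def _emit(self):
        self.ipid += 1                    # every packet the zombie sends consumes one IPID
        return self.ipid

    def probe(self):
        """Attacker -> zombie: SYN/ACK. Zombie -> attacker: RST carrying its current IPID."""
        for _ in range(self.noise):
            self._emit()
        return self._emit()

    def on_syn_ack(self):
        self._emit()                      # unsolicited SYN/ACK from the target: zombie replies with RST

    def on_rst(self):
        pass                              # unsolicited RST: dropped silently, nothing sent, IPID unchanged


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports, self.filtered_ports = set(open_ports), set(filtered_ports)

    def on_syn(self, port, apparent_source):
        """The target answers whoever the SYN claims to come from, i.e. the zombie, never us."""
        if port in self.filtered_ports:
            return                        # firewall drops it: no reply to anyone
        if port in self.open_ports:
            apparent_source.on_syn_ack()
        else:
            apparent_source.on_rst()


def idle_scan(zombie, target, ports):
    """Infer port state on target from the zombie's IPID delta, as nmap -sI does."""
    results = {}
    for port in ports:
        before = zombie.probe()
        target.on_syn(port, apparent_source=zombie)   # SYN sent with the zombie's address spoofed as source
        after = zombie.probe()
        delta = after - before
        if delta == 2:
            results[port] = "open"
        elif delta == 1:
            results[port] = "closed|filtered"        # an RST and silence look identical from here
        else:
            results[port] = "unknown (zombie not idle, IPID delta %d)" % delta
    return results
```

Real Nmap sends several probes per port and uses binary search over groups of ports to cope with a little noise; the simulation keeps the one-probe-per-port version so the arithmetic stays visible.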
TCP 20
FTP Data port
TCP 21
FTP control port
Proxy
Finally, our last method of IDS evasion (at least so far as your exam is concerned) involves employing proxies to hide behind. A proxy is nothing more than a system you set up to act as an intermediary between you and your targets. In many instances, proxies are used by network administrators to control traffic and provide additional security for internal users, or for things like remotely accessing intranets. Hackers, though, can use that technology in reverse—sending commands and requests to the proxy and letting the proxy relay them to the targets. So, for evasion purposes, anyone monitoring the subnet sees the proxy trying all these actions, not the hacker. Proxying can be done from a single location or spread across multiple proxies to further disguise the original source. Hundreds of free, public proxies are available to sign up for, and a simple Internet search will point you in the right direction. If you want to set up proxy chains, where multiple proxies further hide your activities, you can use tools such as Proxy Switcher (proxyswitcher.com), Proxy Workbench (proxyworkbench.com), ProxyChains (http://proxychains.sourceforge.net/), SoftCab's Proxy Chain Builder (www.softcab.com/download.php), CyberGhost (cyberghostvpn.com), and Proxifier (www.proxifier.com). ECC has put a very large emphasis on the mobile world of late, and rightly so. For almost every area of concentration in their course, they make sure to mention tools and actions specific to the mobile world, and evasion is no different. Just a few of the tools they mention include proxydroid (github.com), Servers ultimate (www.icecoldapps.com), and NetShade (www.raynersw.com). Anonymizers include Orbot (guardianproject.info), Psiphon (psiphon.ca), and OpenDoor (itunes.apple.com), among others. But one evasion tool listed in particular caught my eye. Shadowsocks (shadowsocks.org) may be listed as a mobile anonymizer/proxy, but, man, does it have a cool background story, and a much wider application.
TCP 80
HTTP (Hypertext Transfer Protocol)
TCP 443
HTTPS (Hypertext Transfer Protocol Secure)
Hping
Hping (Hping2 or Hping3) is another powerful tool for both ping sweeps and port scans, and is also a handy TCP/IP packet-crafting tool. Hping has Windows and Linux versions and runs nearly any scan Nmap can. The only real downside, for people like me who prefer pictures and clicking things, is that it's still a command-line-only tool. Just as with Nmap, Hping3 has specific syntax for what you're trying to accomplish, with tons of switches and options: -S, -A, -F, -P, and -U set the SYN, ACK, FIN, PSH, and URG flags, -1 and -2 switch to ICMP and UDP mode, -p picks the destination port, -c limits the packet count, and -a spoofs the source address, so hping3 -S -p 80 -c 1 target is a single SYN probe of port 80.
TCP 143
IMAP (Internet Message Access Protocol)
ICMP
IP itself has no error messaging function, so ICMP was created to provide it. It allows for error messaging at the Network layer and presents the information to the sender in one of several ICMP types, each refined by a code. The ones that matter for scanning: Type 8 Echo Request and Type 0 Echo Reply (ping); Type 3 Destination Unreachable, with codes 0 net unreachable, 1 host unreachable, 3 port unreachable (what a closed UDP port sends back, which is what a UDP scan relies on), and 9, 10, and 13 administratively prohibited (a firewall or router ACL is rejecting you, so the port is filtered, not closed); and Type 11 Time Exceeded (the TTL ran out in transit, which is how traceroute maps a path). When using ping to identify "live" hosts, keep in mind a nonresponse to ICMP does not necessarily mean the host isn't alive. It simply means it won't respond to ICMP, or something in between is dropping it, so try a TCP probe to a common port (Nmap's -PS or -PA) before writing the address off.
TCP/UDP 389
LDAP (Lightweight Directory Access Protocol)
subnetting
LEARN IT
TCP and UDP 137 - 139
NetBIOS
NetBIOS Enumeration
Network Basic Input/Output System, NetBIOS was developed in 1983 by Sytek, Inc., for IBM PC networking. It has morphed and grown since then but largely still provides the same three services on a network segment: name service, connectionless (datagram) communication, and a connection-oriented session service. It is an API rather than a networking protocol (today it rides on TCP/IP as NetBIOS over TCP/IP, or NBT, on ports 137-139), another one of the creations in networking that was originally designed to make life easier for us. Part of the idea was to have everything named so you could easily look up a computer or a user. And, as with everything else created to make life easier in networking, it can be turned around to provide information to the ethical hacker. The Computer Browser service, part of Microsoft Windows operating systems, was designed to host information about all the machines within the domain or TCP/IP network segment. A "master browser" coordinates the list and allows systems and users to easily find each other. Largely ignored by many in hacking networked resources, because there are multiple ways to get this information, it's still a valuable resource in gathering information and will definitely show up on your exam! A NetBIOS name is a 16-byte string used to identify network devices: 15 characters define the name (shorter names are padded with spaces), and the 16th byte is reserved for the service or name record type, which nbtstat prints as a two-digit hex suffix in angle brackets. If you'd like to see it on your current Windows system, just use the built-in utility nbtstat. Typing nbtstat on its own in a command line brings up a host of switches to use for information-gathering purposes. Try nbtstat -n for your local table, nbtstat -A IPADDRESS for a remote system's table (using the lowercase -a instead lets you use the computer name instead of the address), and nbtstat -c for the cache. In the table nbtstat -A returns, each entry is a name, a suffix, and a type of UNIQUE or GROUP. A <00> UNIQUE entry is the computer's name, and a <00> GROUP entry is the workgroup or domain it's assigned to. A <20> UNIQUE entry tells us the Server service is running, that is, file and print sharing is turned on. A <1E> GROUP entry tells us it participates in NetBIOS browser elections, and a <1D> UNIQUE entry tells us this machine is currently the master browser for this little segment. And, for fun, the remote MAC address is listed at the bottom. Granted, this isn't world-beating stuff, but it's not bad for free, either. NetBIOS enumeration questions will generally be about three things:
• Identifying the code and type
• The fact that NetBIOS name resolution doesn't work at all on IPv6 (NBT is IPv4-only)
• Which tools can be used to perform it
Nbtstat isn't the only tool available for NetBIOS enumeration. SuperScan (www.mcafee.com) is not only a port scanner—it's also a NetBIOS enumeration engine and a Windows host enumeration engine, can produce great reporting, and also does a fine job of banner grabbing. Hyena (www.systemtools.com) is another multipurpose tool to mention. It's a GUI-based tool that shows shares, user logon names, services, and other data that would be useful in securing Microsoft systems. Some other tool options include Winfingerprint (https://packetstormsecurity.com/files/38356/winfingerprint-0.6.2.zip.html), NetBIOS Enumerator (nbtenum.sourceforge.net), and NSAuditor (nsauditor.com).
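As an added example, not from the book or from any of the tools it lists, the following Python module does what nbtstat -A does on the wire: it builds the 50-byte node status (NBSTAT) request, with the NetBIOS "first-level" name encoding from RFC 1001 that turns the wildcard name * into CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, sends it to UDP/137, and parses the reply table into names, suffixes, UNIQUE/GROUP types, and the adapter MAC. The sample reply used to exercise the parser is constructed, not captured; the MAC and computer names in it are made up.

```python
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021            # "node status" record type

# (suffix, is_group) -> meaning; these are the codes nbtstat prints in angle brackets
SUFFIX_MEANING = {
    (0x00, False): "workstation service (computer name)",
    (0x00, True):  "domain or workgroup name",
    (0x03, False): "messenger service",
    (0x1B, False): "domain master browser",
    (0x1D, False): "master browser for this segment",
    (0x1E, True):  "browser service elections",
    (0x20, False): "file server service (file and print sharing on)",
}


def encode_name(name: str, suffix: int = 0x00) -> str:
    """RFC 1001 first-level encoding: 15 chars + suffix byte, each nibble mapped to 'A'..'P'."""
    pad = b"\x00" if name == "*" else b" "   # the wildcard is NUL-padded, real names space-padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_name(encoded: str):
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_node_status_request(txid: int = 0x1234) -> bytes:
    """The 50-byte NBSTAT query nbtstat -A sends: one question for '*' of type 0x21."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_name("*").encode("ascii") + b"\x00"
    return header + question + struct.pack("!HH", NBSTAT, 1)


def parse_node_status_response(raw: bytes):
    """Returns ([(name, suffix, is_group, meaning), ...], mac) from a node status reply."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", raw[:8])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12
    off += 1 + raw[off] + 1                          # answer name: length byte, label, terminator
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", raw[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    count, off = raw[off], off + 1
    names = []
    for _ in range(count):
        entry, off = raw[off:off + 18], off + 18    # 15-byte name, suffix byte, 2 flag bytes
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        suffix = entry[15]
        is_group = bool(struct.unpack("!H", entry[16:18])[0] & 0x8000)   # G bit
        names.append((name, suffix, is_group, SUFFIX_MEANING.get((suffix, is_group), "unknown")))
    mac = ":".join("%02x" % b for b in raw[off:off + 6])   # unit ID = adapter MAC address
    return names, mac


def build_node_status_response(txid, entries, mac):
    """Constructed reply (not captured traffic) so the parser can be exercised offline."""
    rdata = bytes([len(entries)])
    for name, suffix, is_group in entries:
        flags = 0x8400 if is_group else 0x0400        # G bit 0x8000, ACT (active) bit 0x0400
        rdata += name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix]) + struct.pack("!H", flags)
    rdata += bytes.fromhex(mac.replace(":", "")) + bytes(46)   # MAC, then a zeroed statistics block
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    answer_name = b"\x20" + encode_name("*").encode("ascii") + b"\x00"
    return header + answer_name + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


def node_status_query(host: str, timeout: float = 2.0):
    """Live query over UDP/137; needs no privileges. Returns the parsed name table and MAC."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (host, NBNS_PORT))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data)
```

Because the query is a single unauthenticated UDP datagram, it is also a cheap way to sweep a /24 for Windows hosts when ICMP is blocked; anything that answers on 137 is up and tells you its name and role in the same packet.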
Nmap
Nmap can perform many different types of scans (from simply identifying active machines to port scanning and enumeration) and can also be configured to control the speed at which a scan operates. In general, the slower the scan, the less likely you are to be discovered. It comes in both a command-line version and a GUI version (now known as Zenmap), works on multiple OS platforms, and can even scan over TCP and UDP. And the best thing of all? It's free. The Nmap syntax is fairly straightforward: nmap <options> <target>
Evasion (step 5)
One of the most common (and possibly most elegant) methods used to evade detection by an IDS is fragmenting packets. The idea isn't to change the scan itself, you can still run a full connect scan, for instance, but to split the packets before they're sent so a sensor that inspects packets one at a time can't match the TCP header against its signatures. If you split the TCP header across several IP fragments, an IDS that doesn't reassemble fragments sees nothing but useless chatter. Assuming you're not flooding the network segment too fast with them, your scanning may go unnoticed. For example, nmap -sS -A -f 172.17.15.12 fragments a SYN scan into 8-byte fragments (-ff uses 16 bytes, and --mtu lets you pick your own multiple of 8) while OS fingerprinting along the way. The caveat: Snort, Suricata, and most commercial sensors reassemble IP fragments before inspection, and many firewalls simply drop fragmented TCP headers, so this defeats older or poorly tuned sensors rather than IDS in general. (ECC really loves this active vs. passive thing. In enumeration, active OS fingerprinting involves sending crafted, nonstandard packets to a remote host and analyzing the replies. Passive OS fingerprinting involves sniffing packets without injecting any packets into the network, examining things like Time-to-Live (TTL), window sizes, Don't Fragment (DF) flags, and Type of Service (ToS) fields from the capture.)
TCP 110
POP3 (Post Office Protocol)
Passive banner grabbing
Passive banner grabbing involves reading error messages, sniffing network traffic, or looking at page extensions.
TCP 135
RPC
TCP 445
SMB (Server Message Block)
TCP 25
SMTP
UDP 161/162
SNMP (Simple Network Management Protocol)
TCP 22
SSH
Scanning
Scanning is the process of discovering systems on the network and taking a look at what open ports and applications may be running. In scanning, we'll go into the network and start touching each device to find out more about it.
SNMP Enumeration
Simple Network Management Protocol (SNMP) was designed to manage IP-enabled devices across a network. As a result, if it is in use on the subnet, you can find out loads of information with properly formatted SNMP requests. Later versions of SNMP make this harder, but plenty of systems still run the protocol in version 1 or 2c. SNMP consists of a manager and agents, and it works much like a dispatch center. A central management system set up on the network makes requests of SNMP agents on the devices. These agents respond to the requests by going to a big virtual filing cabinet on each device called the Management Information Base (MIB). The MIB holds information, arranged under numeric identifiers (called object identifiers, or OIDs) that run from the general to the very specific. The request names exactly what information is wanted from the MIB on that device, and the agent responds with only what is asked for. MIB entries can identify what the device is, what operating system is installed, and even usage statistics. In addition, some MIB entries can be used to actually change configuration settings on a device. When the SNMP management station asks a device for information, the packet is known as an SNMP GET request. When it asks the agent to make a configuration change, the request is an SNMP SET request. SNMP (v1 and v2c) uses a community string as a form of password. The read-only community string allows a requester to read virtually anything SNMP can drag out of the device, whereas the read-write string controls access for SET requests. Two major downsides come with both of these community strings. First, the defaults, which for years were active on nearly every SNMP-enabled device right out of the box, are ridiculously easy: the read-only default community string is public, and the read-write default is private.
Assuming the network administrator left SNMP enabled and/or did not change the default strings, enumerating with SNMP is a snap. The second problem with the strings is that they are sent in clear text (in both SNMPv1 and v2c). So, even if the administrators took the time to change the default community strings on all devices (and chances are better than not they'll miss a few here and there), all you need to do to grab the new strings is watch the traffic on a segment the manager polls across; you'll eventually catch them flying by on the wire. However, keep in mind that versioning matters when it comes to SNMP. SNMPv3 does away with community strings in favor of per-user authentication and, in authPriv mode, encryption of the whole payload, so neither a credential nor the data is readable on the wire and enumeration is much harder to pull off; that said, a v3 agent configured noAuthNoPriv, or one that still answers v1/v2c alongside v3, is as easy as ever. Additionally, although public and private are the usual defaults, some devices ship with other strings by default. It might be worthwhile researching them before you begin your efforts. Tools you can use to enumerate with SNMP are seemingly endless. Engineer's Toolset (solarwinds.com), SNMPScanner (secure-bytes.com), OpUtils 5 (www.manageengine.com), and SNScan (mcafee.com) are all viable options, and snmpwalk from the Net-SNMP package (snmpwalk -v2c -c public target) does the same from a shell.
Other tools for scanning
Some other tools for accomplishing port scanning fun include Advanced Port Scanner, MegaPing, Net Tools, and PRTG Network Monitor (be sure to check the tool list at the end of this book for more). And, of course, we shouldn't neglect mentioning scanning tools designed for mobile use. IP Scanner (10base-t.com), Fing (www.fing.io), Hackode (play.google.com), zANTi (www.zimperium.com), and PortDroid Network Analysis (play.google.com) are all examples of tools designed for your mobile device, and all are worth your time in downloading and learning.
Spoofing
Spoofing an IP address is exactly what it sounds like: the hacker uses a packet-crafting tool of some sort to obscure the source IP address of packets sent from her machine. Many tools are available for this—Hping, Scapy, and Komodia, for example. You can also find this functionality built into a variety of other scanning tools. Ettercap and Cain, usually thought of more for their sniffing capabilities, provide robust and powerful spoofing capabilities as well; heck, even Nmap can spoof if you really want.
SuperScan
SuperScan, available as a free download (evaluation) from McAfee, is another easy-to-use GUIbased program. It works well and offers several options from an intuitive front-end interface, providing for ping sweeps and port scans against individual systems or entire subnets.
Port state
Suppose you have an application running on your computer that is waiting for another computer to connect to it. Whatever port number the application is bound to is said to be in a LISTENING state. Once a remote system goes through the handshake over that open port, the connection is in an ESTABLISHED state. In short, a listening port is one that is waiting for a connection, while an established port is one that is connected to a remote computer. A state of CLOSE_WAIT means the remote side has sent its FIN and finished its half of the conversation, but the local application hasn't yet closed its own half (lots of sockets piling up in CLOSE_WAIT usually point to an application that forgets to close), whereas TIME_WAIT means your side actively closed the connection and the whole exchange is done. A TIME_WAIT socket is kept around for a little while (twice the maximum segment lifetime, 60 seconds on Linux) so that any delayed packets from the old connection can be matched to it and discarded rather than mistaken for a new connection on the same pair of ports.
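As an added example that serves both the three-way handshake in the Connection-Oriented Communication entry and the port states above (it is not code from the book), here is a Python model of both ends of a TCP connection. Each endpoint tracks its sequence numbers and walks the states netstat would show: the handshake takes the client through SYN_SENT and the server through SYN_RCVD to ESTABLISHED, and an orderly close started by the client leaves the server in CLOSE_WAIT until its application closes, and the client in TIME_WAIT. The initial sequence numbers are made up; a real stack randomizes them.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """Only the parts of a TCP segment the state machine looks at."""
    flags: frozenset
    seq: int
    ack: int = 0


class TcpEndpoint:
    """One side of a connection, tracking the states netstat would show for it."""

    def __init__(self, name, isn, listening=False):
        self.name = name
        self.state = "LISTEN" if listening else "CLOSED"
        self.snd_nxt = isn          # next sequence number we will use
        self.rcv_nxt = None         # next sequence number we expect from the peer
        self.history = [self.state]

    def _go(self, state):
        self.state = state
        self.history.append(state)

    def connect(self):
        """Active open: send SYN carrying our initial sequence number."""
        seg = Segment(frozenset({"SYN"}), self.snd_nxt)
        self.snd_nxt += 1           # a SYN occupies one sequence number
        self._go("SYN_SENT")
        return seg

    def close(self):
        """Orderly close of our direction: send FIN (which also occupies a sequence number)."""
        seg = Segment(frozenset({"FIN", "ACK"}), self.snd_nxt, self.rcv_nxt)
        self.snd_nxt += 1
        self._go("FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK")
        return seg

    def receive(self, seg):
        """Process one incoming segment and return our reply, or None if no reply is due."""
        f = seg.flags
        acks_everything = seg.ack == self.snd_nxt
        if self.state == "LISTEN" and f == {"SYN"}:
            self.rcv_nxt = seg.seq + 1                        # acknowledge their ISN + 1
            reply = Segment(frozenset({"SYN", "ACK"}), self.snd_nxt, self.rcv_nxt)
            self.snd_nxt += 1
            self._go("SYN_RCVD")
            return reply
        if self.state == "SYN_SENT" and f == {"SYN", "ACK"} and acks_everything:
            self.rcv_nxt = seg.seq + 1
            self._go("ESTABLISHED")
            return Segment(frozenset({"ACK"}), self.snd_nxt, self.rcv_nxt)   # third leg
        if self.state == "SYN_RCVD" and "ACK" in f and acks_everything:
            self._go("ESTABLISHED")
            return None
        if "FIN" in f:
            self.rcv_nxt = seg.seq + 1
            if self.state == "ESTABLISHED":
                self._go("CLOSE_WAIT")        # peer is done sending; we may still send
            elif self.state == "FIN_WAIT_2" or (self.state == "FIN_WAIT_1" and acks_everything):
                self._go("TIME_WAIT")         # both FINs exchanged; linger for 2*MSL
            return Segment(frozenset({"ACK"}), self.snd_nxt, self.rcv_nxt)
        if f == {"ACK"} and acks_everything:
            if self.state == "FIN_WAIT_1":
                self._go("FIN_WAIT_2")
            elif self.state == "LAST_ACK":
                self._go("CLOSED")
            return None
        return None


def run_connection(client_isn=1000, server_isn=5000):
    """Handshake, then the client closes first. Returns both endpoints and the handshake segments."""
    client = TcpEndpoint("client", client_isn)
    server = TcpEndpoint("server", server_isn, listening=True)
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)                      # both sides ESTABLISHED
    fin = client.close()                     # client -> FIN_WAIT_1
    server_ack = server.receive(fin)         # server -> CLOSE_WAIT (its application still open)
    client.receive(server_ack)               # client -> FIN_WAIT_2
    server_fin = server.close()              # application closes: server -> LAST_ACK
    client_ack = client.receive(server_fin)  # client -> TIME_WAIT
    server.receive(client_ack)               # server -> CLOSED
    return client, server, (syn, syn_ack, ack)
```

A half-open (SYN) scan is this machine driven only as far as the server's SYN_RCVD state and then reset, which is why a SYN-flooded server shows a pile of sockets in SYN_RCVD rather than ESTABLISHED.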
UDP 69
TFTP (Trivial File Transfer Protocol)
TCP 23
Telnet
Other Enumeration Options
The Lightweight Directory Access Protocol (LDAP) is designed to be queried, so it presents a perfect enumeration option. LDAP sessions are started by a client connecting on TCP port 389 (636 for LDAP over TLS) to a Directory System Agent (DSA). The request queries the hierarchical/logical structure of the directory, and the answer comes back encoded with Basic Encoding Rules (BER). So what can you get out of LDAP using this? Oh, nothing important. Just things like valid user names, domain information, addresses and telephone numbers, system data, and organizational structure, among other items, often without any credentials at all if the server permits anonymous binds. Tools such as Softerra (ldapadministrator.com), JXplorer (jxplorer.com), Lex (ldapexplorer.com), and LDAP Admin Tool (sourceforge.net) all work well and are fairly intuitive and user friendly; ldapsearch from the OpenLDAP client package does the same job from a shell. Oh, and don't forget Active Directory Explorer (AD Explorer, from Sysinternals) for browsing Active Directory, Microsoft's LDAP-based directory service. It can make LDAP information gathering quick and easy. Other protocols of note for enumeration efforts include NTP and SMTP. Network Time Protocol (UDP port 123) does exactly what the name implies: it sets the time across your network. Querying the NTP server can give you information such as a list of systems that have recently synced with it (name and IP) and possibly IP addresses of internal systems (that is, if the NTP box is in the DMZ and serves machines inside the network, information can be pulled on the internal machines). Several tools for NTP enumeration are available, including NTP Server Scanner (bytefusion.com) and AtomSync (atomsync.com), but you can also use Nmap (its ntp-info and ntp-monlist scripts) and Wireshark if you know what you're looking for. Commands for NTP enumeration include ntptrace, ntpdc (whose monlist query returns up to the last 600 clients on old ntpd versions, which is also why monlist was abused for amplification attacks and is disabled on anything current), and ntpq. We've already talked some about e-mail information gathering in previous sections, but a little more info on Simple Mail Transfer Protocol (SMTP) is required here for your exam and for enumeration.
SMTP holds multiple commands (12), but three are commonly used and will probably find their way onto your exam: VRFY (validates a user), EXPN (provides the actual delivery addresses of mailing lists and aliases), and RCPT TO (defines recipients). Servers respond differently to these commands, and their reply codes tell us which user names are valid and which are not: 250 means the address exists, 550 means it doesn't, and 252 means the server declines to say. Many mail servers now disable VRFY and EXPN (answering 252 or 502), but RCPT TO inside a MAIL FROM transaction usually still leaks whether an address exists, just more noisily, since every attempt looks like the start of a message.
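As an added example (not from the book), here is a Python enumerator for the three verbs above. It classifies reply codes, talks to a server through a pluggable transport so the same logic runs against a real socket or an offline stand-in, and falls back from VRFY to EXPN to RCPT TO when a server disables the earlier verbs. The fake_server() below is constructed to model exactly that: a server that refuses VRFY and EXPN but still leaks validity through RCPT TO. The hostnames and user names are made up.

```python
import socket


def interpret_reply(reply: str) -> str:
    """Classify a server's reply to VRFY, EXPN, or RCPT TO by its three-digit code (RFC 5321)."""
    code = reply[:3]
    if code in ("250", "251"):
        return "valid"
    if code == "252":
        return "unverifiable"          # server won't confirm; this verb is useless here
    if code in ("550", "551", "553"):
        return "invalid"
    if code in ("500", "502", "503"):
        return "command disabled"
    return "unknown (%s)" % code


class SmtpSession:
    """Minimal SMTP client; transport(cmd) sends one command and returns the reply, transport(None) reads the banner."""

    def __init__(self, transport, helo_name="scanner.local"):
        self.send = transport
        self.banner = transport(None)
        self.send("HELO " + helo_name)

    def check_user(self, user, method="VRFY", sender="probe@scanner.local"):
        if method in ("VRFY", "EXPN"):
            return interpret_reply(self.send("%s %s" % (method, user)))
        if method == "RCPT":
            self.send("MAIL FROM:<%s>" % sender)
            result = interpret_reply(self.send("RCPT TO:<%s>" % user))
            self.send("RSET")          # abandon the transaction; no message is ever sent
            return result
        raise ValueError(method)


def enumerate_users(transport, candidates, methods=("VRFY", "EXPN", "RCPT")):
    """Try each verb in order and return (verb that worked, {user: state}); fall back when a verb is disabled."""
    session = SmtpSession(transport)
    for method in methods:
        results = {user: session.check_user(user, method) for user in candidates}
        if all(r in ("command disabled", "unverifiable") for r in results.values()):
            continue                   # this verb tells us nothing; try the next one
        session.send("QUIT")
        return method, results
    session.send("QUIT")
    return None, {}


def socket_transport(host, port=25, timeout=5.0):
    """Live transport over TCP; handles multi-line replies (code followed by '-')."""
    stream = socket.create_connection((host, port), timeout=timeout).makefile("rwb")

    def transport(cmd):
        if cmd is not None:
            stream.write(cmd.encode() + b"\r\n")
            stream.flush()
        lines = []
        while True:
            line = stream.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "\n".join(lines)
    return transport


def fake_server(valid_users, vrfy_enabled=True):
    """Constructed stand-in for offline use: optionally refuses VRFY/EXPN but leaks through RCPT TO."""
    def transport(cmd):
        if cmd is None:
            return "220 mail.example.test ESMTP"
        verb, _, arg = cmd.partition(" ")
        if verb == "HELO":
            return "250 mail.example.test"
        if verb in ("VRFY", "EXPN"):
            if not vrfy_enabled:
                return "252 Cannot VRFY user" if verb == "VRFY" else "502 Command not implemented"
            return "250 %s" % arg if arg in valid_users else "550 5.1.1 User unknown"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            user = arg.split("<", 1)[1].rstrip(">").split("@")[0]
            return "250 OK" if user in valid_users else "550 5.1.1 <%s>: Recipient address rejected" % user
        if verb in ("RSET", "QUIT"):
            return "250 OK"
        return "500 Command unrecognized"
    return transport
```

Against a real server, replace fake_server(...) with socket_transport("mail.example.test"); the enumeration logic does not change, which is the point of keeping the transport separate.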
checking for live systems (step 1)
The simplest and easiest way to do this is to take advantage of a protocol that's buried in the stack of every TCP/IP-enabled device on the planet—Internet Control Message Protocol (ICMP). As I'm sure you're already aware, IP is what's known as a connectionless, "fire-and-forget" protocol. It creates a packet by taking data and appending a header, which holds bunches of information, including the "From" and "To" addresses, and allows the sender to fire packets away without regard, as quickly as the stack on the machine will allow. This is done by relying on other layer protocols for transport, error correction, and so on.
ping sweep
Sending an ICMP Echo Request (type 8) and waiting for the Echo Reply (type 0) is a ping, a process that has been part of networking since its inception, and combining pings to every address within a range is known as a ping sweep. A ping sweep is the easiest method available to identify active machines on the network, and there are innumerable tools to help you pull it off (Nmap and Zenmap among them; nmap -sn 192.168.1.0/24 is the classic sweep). (ECC also calls out pinging the network ID itself, that is, sending ICMP Echo Request packets to the network address, as "ICMP Echo scanning." Additionally, another option for identifying machines, not necessarily live ones but ones that were live at some time, is called a "list scan" (nmap -sL): basically just run a reverse DNS lookup on every IP in the subnet without sending the hosts anything.) Some other tools of note are SolarWinds Engineer Toolset, Network Ping, OPUtils, SuperScan, Advanced IP Scanner, and a wacky little tool called Pinkie.
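The sweep logic, as an added Python example that is not from the book: it parses the type and code out of an ICMP reply (the types listed under the ICMP entry earlier in this chapter), says what each one means to a scanner, and walks a CIDR range with a pluggable send_echo() so the same code runs against a raw socket or, as here, against a constructed lab in which two hosts answer pings, one drops ICMP but has a TCP listener, and one sits behind a filter that replies with type 3 code 13. The addresses come from the 192.0.2.0/24 documentation range and the replies are fabricated.

```python
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "net administratively prohibited",
    10: "host administratively prohibited", 13: "communication administratively prohibited",
}


def parse_icmp(raw: bytes):
    """(type, code) from the fixed 4-byte ICMP header; what follows depends on the type."""
    if len(raw) < 4:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _checksum = struct.unpack("!BBH", raw[:4])
    return icmp_type, code


def interpret(raw):
    """What a scanner learns from one ICMP message (None = nothing came back)."""
    if raw is None:
        return "no response: host may be alive but not answering ICMP"
    t, c = parse_icmp(raw)
    if t == ICMP_ECHO_REPLY:
        return "alive"
    if t == ICMP_DEST_UNREACHABLE:
        if c in (9, 10, 13):
            return "filtered: a device on the path is rejecting this traffic"
        return "unreachable: " + UNREACHABLE_CODES.get(c, "code %d" % c)
    if t == ICMP_TIME_EXCEEDED:
        return "ttl expired in transit"
    return "icmp type %d code %d" % (t, c)


def ping_sweep(cidr, send_echo, tcp_probe=None):
    """send_echo(ip) returns the raw ICMP reply or None. tcp_probe(ip) returns True if a SYN to
    a common port drew any TCP reply at all (the nmap -PS fallback for hosts that drop ICMP)."""
    found = {}
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        ip = str(host)
        reply = send_echo(ip)
        if reply is not None and parse_icmp(reply)[0] == ICMP_ECHO_REPLY:
            found[ip] = "icmp echo reply"
        elif tcp_probe is not None and tcp_probe(ip):
            found[ip] = "tcp reply (icmp dropped)"
    return found


def simulated_lab():
    """Constructed replies for an offline run: .1 and .2 answer pings, .3 drops ICMP but has a
    listening TCP port, .4 is behind a filter that answers type 3 / code 13, the rest are empty."""
    echo_reply = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 0x1234, 1)   # type, code, csum, id, seq
    prohibited = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, 13, 0, 0)
    replies = {"192.0.2.1": echo_reply, "192.0.2.2": echo_reply, "192.0.2.4": prohibited}
    listening = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}
    return (lambda ip: replies.get(ip)), (lambda ip: ip in listening)
```

Run with only the ICMP probe, the sweep misses .3 entirely, which is the "nonresponse does not mean dead" point made under the ICMP entry; the TCP fallback recovers it, and .4's administratively-prohibited reply is worth recording separately because it proves a filtering device is in the path.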
Vulnerability Scanning
Vulnerability scanning is exactly what it sounds like—running a tool against a target to see what vulnerabilities it may hold. This indicates to any rational mind that the scanner itself must be really good at keeping up to date with known vulnerabilities, and really good at not adversely affecting the systems it's pointed at. Fortunately, there are several vulnerability-scanning tools about. Some are enterprise-level scanning beasts, with the capability to scan everything in your enterprise and provide nice reports so you can track down SAs and beat them into submission over missing patches. Retina CS (beyondtrust.com) is one example. Others are more targeted to specific tasks, like Microsoft Baseline Security Analyzer (MBSA, now retired), which lived solely in the Windows world but did a good job telling you what patches were missing on your machine. (On various practice exams and study materials, I've seen reference to ECC digging down into the weeds on exactly what is on which Nessus tab.) The industry standard as far as vulnerability scanning goes has got to be Tenable's Nessus (tenable.com). This is not to say Nessus is the only option out there—far from it. Other readily available and popular scanners include GFI LanGuard, Qualys FreeScan, and OpenVAS. GFI LanGuard (www.gfi.com) offers quality vulnerability and compliance scanning, as well as built-in patch management. Qualys FreeScan (www.qualys.com) is probably better known—and noted on your exam as such—for testing websites and applications for OWASP top risks and malware. OpenVAS (www.openvas.org) is probably the best out of the bunch, although you may not have ever heard about it. OpenVAS is, for all intents and purposes, a free Nessus: it was forked from the last open-source Nessus release when Nessus went closed source in 2005 and has been developed independently since. It can perform many of the same functions at (or even above) the same level of reliability and quality for zero cost.
Check for open ports (Port Scanning)
All port scanners work the same basic way: they send Transport layer probes (TCP segments with chosen flags, or bare UDP datagrams) to a host's ports and classify each port from the reply, or from the absence of one.
Enumeration
Enumerate means to specify individually, to count off or name one by one. Enumeration in the ethical hacking world is just that—listing the items we find within a specific target. We create connections to a device, perform specific actions to ask specific questions, and then use the results to identify potential attack vectors. If ports are doors and windows and port scanning can be equated to knocking on them to see whether they are open, enumerating is more akin to chatting with the neighbor at the door. When we enumerate a target, we're moving from passive information gathering to a much more active state. No longer satisfied with just knowing which ports are open, we now want to find things like open shares and any easy-to-grab user account information. We can use a variety of tools and techniques, and a lot of it bleeds over from scanning.
Footprinting
In footprinting, we wanted to know how big the network was and some general information about its makeup.
