CEHv.10 - Scanning, Introduction to Ethical Hacking, and Social Engineering
-sU (UDP scans)
UDP scan works by sending a UDP packet to every targeted port.
hping3 -2 10.0.0.25 -p 80
UDP scan on port 80 -2 - connectionless scan -It returns an ICMP port unreachable message if it finds the port closed, and does not respond with a message if the port is open. -You may use either the --udp or the -2 argument on the command line
UDP Scanning
UDP scanners interpret lost traffic as open ports.
TTL: 45; Window Size: 0x7D78 (32120 in decimal); DF: the Don't Fragment bit is set; TOS: 0x0
What four passive banner grabbing components can be gleaned from this packet capture? 04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 TCP TTL:45 TOS:0x0 ID:56257 ***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
Push alias "PSH":
When its flag is set to "1," it indicates that the sender has raised the push operation to the receiver. The system raises this flag at the start and end of a data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
Reset alias "RST"
When there is an error in the current connection, its flag is set to "1," and it aborts the connection in response to the error.
RFC 793
Under which RFC is an RST/ACK packet generated for resetting the TCP connection (behaviour that Microsoft systems do not follow, so the XMAS scan doesn't work on them)?
Anonymizer Tools
Whonix - a desktop operating system designed for advanced security and privacy -TunnelBear -Invisible Internet -JonDo -Proxify -Psiphon -Anonymizer Universal -Ultrasurf
Colasoft Packet Builder
A tool that allows an attacker to create custom network packets and helps security professionals to assess the network. It supports saving packets to packet files and sending packets to the network. This packet builder audits networks and checks network protection against attacks and intruders. Three views in the Packet Builder: -The Packet List displays all constructed packets. -In the Hex Editor, the data of the packet are represented as hexadecimal values and ASCII characters; nonprintable characters are represented by a dot ("."). -The Decode Editor lets you edit packets without remembering value lengths, byte order, and offsets.
Anonymizer Tools for Mobile
-Orbot - uses Tor to encrypt Internet traffic and then hides it by bouncing it through a series of computers around the world -Psiphon - utilizes VPN, SSH, and HTTP Proxy technologies. Psiphon does not increase online privacy and is not an online security tool. -OpenDoor - an app designed for both iPhone and iPad; it allows you to browse websites smoothly and anonymously.
Hping ICMP mode
-1
Hping UDP mode
-2
Hping scan mode
-8
Hping listen mode
-9
Common flag configurations used for a probe packet include:
-A FIN probe with the FIN TCP flag set -An XMAS probe with the FIN, URG, and PUSH TCP flags set -A NULL probe with no TCP flags set -A SYN/ACK probe
IP Spoofing countermeasures
-Avoid trust relationships -Use firewalls and filtering mechanisms -Use random initial sequence numbers -Ingress filtering prohibits spoofed traffic from entering the Internet. -Egress filtering refers to a practice that aims at IP spoofing prevention by blocking outgoing packets with a source address that is not from inside the network. -SYN flooding countermeasures
Port Scanning Countermeasures
-Configure firewall and IDS rules to detect and block probes -Snort (http://www.snort.org) is an intrusion detection and prevention technology that can be very useful, mainly because signatures are frequently available from public authors -Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers placed in front of a company's main firewall. -Ensure that anti-scanning and anti-spoofing rules are configured.
Objectives of Network Scanning
-Discover the network's live hosts, their IP addresses, and the open ports of the live hosts -Discover the operating system and system architecture of the target. This is also known as fingerprinting. -Discover the services running/listening on the target system. -Identify specific applications or versions of a particular service -Identify vulnerabilities in any of the network systems.
Hping Interface spec
-I
Proxy Tools for Mobile
-Shadowsocks -ProxyDroid - supports HTTP, HTTPS, SOCKS4, and SOCKS5 proxies and the basic, NTLM, and NTLMv2 authentication methods -CyberGhost VPN -Hotspot Shield -Netshade
nmap XMAS scan flag
-sX
Types of scanning
1. Port Scanning - Lists the open ports and services. 2. Network Scanning - Lists IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or to assess the security of the network. 3. Vulnerability Scanning - Shows the presence of known weaknesses. Vulnerability scanning is a method used to check whether a system is exploitable by identifying its vulnerabilities.
LDAP port
389
Printer port
515
POP3 port
110
NTP port
123
NetBIOS port
137/139
IMAP (Internet Message Access Protocol) port
143
IMAP port
143
SQL Port
150 and 156
SNMP port
161/162
FTP port
20/21
Apple Ports
201 - 208
SSH port
22
Telnet port
23
SMTP port
25
DNS port
53 tcp - 53 udp
DHCP port
67
TFTP port
69
Kerberos port
88
hping3 -A 10.0.0.25 -p 80
ACK Scanning on Port 80 -A -You can use this scan technique to probe for the existence of a firewall and its rule sets.
This probe scanning technique also assists in checking the filtering systems of target networks (firewalls, IDS).
ACK flag
Ping Sweep Tools
Angry IP Scanner - an IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. -SolarWinds NetScan Tool Pro -Colasoft Ping Tool -Visual Ping Tester -OpUtils -Pinkie -MegaPing
SSDP
An attacker uses ___ scanning to detect UPnP vulnerabilities that may allow him/her to launch buffer overflow or DoS attacks.
Inverse TCP Flag Scanning
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set, or with no flags. -When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives an RST from the target host -All closed ports on the targeted host will send an RST/ACK response. -Since operating systems such as Windows completely ignore the RFC 793 standard, you cannot see the RST/ACK response when connecting to a closed port on the target host. -Good for Unix, not Windows. Advantages: -Avoids many IDS and logging systems; highly stealthy. Uses the FIN, URG or PSH flag. Open gives no response. Closed gives RST/ACK. -nmap -sN (Null scan) -nmap -sF (FIN scan)
A ping sweep or Internet Control Message Protocol (ICMP) scanning
A basic network scanning technique employed to determine which range of IP addresses map to live hosts (computers). It is a process of sending an ICMP request (ping) to all hosts on the network to determine which ones are up. It is among the oldest and slowest methods used to scan a network.
Which components are included in a scanning methodology?
Checking for: 1. Live Systems 2. Open Ports 3. Scan beyond IDS 4. Banner grabbing 5. Vulnerability scans 6. Drawing network diagrams 7. Prepare Proxies
hping3 192.168.1.103 -Q -p 139 -s
Collect TCP sequence numbers on port 139 -Q -Hping collects all the TCP sequence numbers generated by the target host
IP Address Spoofing Techniques
-Direct TTL Probes - check whether the TTL value in the reply matches that of the packet you are checking. This technique is successful when the attacker is in a different subnet from that of the victim. -IP Identification Number - the IPID increases incrementally each time a system sends a packet. The IPID value in the response packet must be close to, but slightly higher than, the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet. This method is effective even when both the attacker and the target are on the same subnet. -TCP Flow Control Method - the user can control the flow of IP packets by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data that the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. The sender should stop sending data whenever the window size is set to zero.
hping3 -F -P -U 10.0.0.25 -p 80
FIN, PUSH, URG scan on port 80
IP Address Decoy
Generating or manually specifying IP addresses of the decoys so that the IDS/firewall cannot determine the actual IP address. -nmap -D RND:10 [target] Nmap automatically generates a random number of decoys for the scan and randomly positions the real IP address between the decoy IPs. -nmap -D decoy1,decoy2,decoy3,...,ME,... [target] Here, you have to separate each decoy IP with commas (,), and you can optionally use the ME entry in order to position your real IP in the decoy list.
hping3 -1 10.0.0.25
ICMP Ping -1 (one) -hping sends an ICMP echo request to 10.0.0.25 and receives an ICMP echo reply, the same as with the ping utility.
13 (TIMESTAMP) and 17 (ADDRESS MASK REQUEST)
ICMP Query uses which two types of ICMP messages?
Scanning ICMP Network Services
-ICMP Scanning -Ping Sweep -ICMP Echo Scanning
Another name for a ping sweep
ICMP sweep
Scanning Tools for Mobile
-IP Scanner - for iOS; scans your local area network to determine the identity of all its active machines and Internet devices -Fing - a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. -Hackode -zANTI -cSploit -FaceNiff -PortDroid Network Analysis -Pamn IP Scanner
-sO (IP protocol scan)
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.
IDS Evasion
SYN/FIN Scanning Using IP Fragments is what kind of technique?
Port is open
In ACK flag probe scanning, if the TTL of the RST is less than 64, what does it mean?
Port is closed
In ACK flag probe scanning, if the TTL of the RST is greater than 64, what does it mean?
Target port is closed
In IDLE probe scanning, if the IPID from the zombie in the last step has incremented by 1, what does it mean?
open port
In IDLE probe scanning, if the IPID from the zombie in the last step has incremented by 2, what does it mean?
port 80 is open
In an ACK flag probe, all TTLs are 50, but the window size for port 80 is 512. What does it mean?
Anonymizers
An intermediate server placed between you as the end user and the website; it accesses the website on your behalf and makes your web surfing untraceable. -A networked anonymizer first transfers your information through a network of Internet-connected computers before passing it on to the website. -Single-point anonymizers first transfer your information through a website before sending it to the target website.
Acknowledgement alias "ACK"
It confirms the receipt of a transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of this flag to "1."
Urgent alias "URG":
It instructs the system to process the data contained in the packets as soon as possible. The system processes that data first, stopping all the other data processes.
Synchronize alias "SYN":
It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (3-way handshake) between two hosts
Finish alias "FIN":
Its flag is set to "1" to announce that it will not send more transmissions to the remote system and terminates the connection established by the SYN flag.
Vulnerability Scanning tools
Nessus, GFI LanGuard, Qualys, Retina CS, OpenVAS
Scanning Tools
NetScanTools Pro - an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. -SuperScan -PRTG Network Monitor -OmniPeek -MiTeC Network Scanner -MegaPing -Global Network Inventory -Advanced Port Scanner -CurrPorts -NEET
Packet Crafting tools
-NetScanTools Pro -Ostinato -WAN Killer -packETH -LANforge FIRE -Bit-Twist -WireEdit
Important Scanning Tools
Nmap - a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. -Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems, and OS versions. Hping2/Hping3 - a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports the TCP, UDP, ICMP, and raw-IP protocols. -It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, and other functions. -An attacker studies the behavior of an idle host to gain information about the target, such as the services that the host offers, the ports supporting the services, and the operating system of the target.
IDS/Firewall Evasion Techniques
-Packet Fragmentation: the attacker sends fragmented probe packets to the intended server, which reassembles them after receiving all the fragments. -SYN/FIN Scanning Using IP Fragments -Source Routing: the attacker specifies the routing path for the malformed packet to reach the intended server. -IP Address Decoy -IP Address Spoofing -Proxy Server: a process in which the attacker uses a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.
Proxy Tools
-Proxy Switcher - allows you to surf the Internet anonymously without disclosing your IP address. It also helps you to access various sites blocked in the organization. -Proxy Workbench - a proxy server that displays the data passing through it in real time and allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram. -CyberGhost VPN - allows users to protect their online privacy, surf anonymously, and access blocked or censored content. -Tor -Burp Suite -Hotspot Shield -Proxifier -Charles -Fiddler
SYN, ACK, RST
SYN Scanning uses which flags?
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
SYN flood a victim -S - SYN scan -a - spoof the source IP -p - port --flood - send packets as fast as possible The attacker employs TCP SYN flooding techniques using spoofed IP addresses to perform DoS.
-sS (TCP SYN scan)
SYN scan is the default scan option used for scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.
hping3 -8 50-60 -S 10.0.0.25 -V
SYN scan on ports 50-60 -8 - scan mode -S - SYN scan -V - verbose
hping3 -1 10.0.1.x --rand-dest -I eth0
Scan an entire subnet for live hosts -1 - ICMP mode 10.0.1.x - the whole subnet --rand-dest - sends an ICMP echo request randomly to all the hosts from 10.0.1.0 to 10.0.1.255 that are reachable via the interface eth0. The hosts whose ports are open will respond with an ICMP reply. In this case, you haven't set a port, so Hping sends packets to port 0 on all IP addresses by default.
Stealth Scan
This scan involves abruptly resetting the TCP connection between client and server before completion of the three-way handshake, hence making the connection half open -prevents the service from logging the incoming connection. Also known as the half-open scan and the SYN scan because it only sends the SYN packet. Useful for hiding efforts and evading firewalls. nmap -sS
IDLE/IPID Header Scan
A TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available. -It offers complete blind scanning of a remote host. -Uses a third party (zombie) to check if a port is open. -Looks at the IPID to see if there is a response. -Only works if the third party isn't transmitting data. -Sends a request to the third party to check its IPID; then sends a spoofed packet to the target with the third party as the return address; then sends a request to the third party again to check if the IPID increased. An IPID increase of 1 indicates the port is closed. An IPID increase of 2 indicates the port is open. An IPID increase of anything greater indicates the third party was not idle. nmap -sI
ping sweeps, ICMP scans
Scanning Methodology: How to check for live systems
URG, ACK, PSH, RST, SYN, FIN
Six TCP flags?
TCP header contains what?
Six flags that control the transmission of data across a TCP connection. -Four of these flags (namely SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. -The other two flags (namely PSH and URG) provide instructions to the system. -The size of each flag is 1 bit. -When a flag value is set to "1," that flag is turned on.
IP Address Spoofing
The attacker changes the source IP address so that the attack appears to be coming from someone else. -The reply goes back to the spoofed address and not to the attacker's real address. Attackers mostly use IP address spoofing to perform DoS attacks. -When spoofing a nonexistent address, the target replies to a nonexistent system. Hping3: hping3 www.certifiedhacker.com -a 7.7.7.7
Hping2 www.certifiedhacker.com -a 7.7.7.7
Spoofing
TCP Connect / Full Open Scan
TCP Connect scan completes a three-way handshake with the target machine. -The operating system's TCP connect() system call tries to open a connection to every interesting port on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message stating that the port is not reachable. -One of the most reliable forms of TCP scanning. Easiest to detect, but most reliable. nmap -sT
-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call.
NOTIFY M-SEARCH
The SSDP protocol can discover Plug & Play devices using UPnP (Universal Plug and Play). SSDP uses unicast and a multicast address (239.255.255.250). SSDP is an HTTP-like protocol; which methods does it work with?
ACK flag probe
This probe scan is better with older OS and BSD TCP/IP stacks
ServerMask
This tool removes unnecessary HTTP header and response data and camouflages the server by providing false signatures. It also lets you eliminate file extensions (such as .asp or .aspx) that clearly indicate a site is running on a Microsoft server. Countermeasure for banner grabbing.
hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Firewalls and timestamps --tcp-timestamp - many firewalls drop TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument on the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).
Another name for stealth scan
Half-open scan or SYN scan
Proxy Chain
Helps an attacker to increase his/her Internet anonymity -the larger the number of proxy servers used, the greater the attacker's anonymity
hping3 -9 HTTP -I eth0
Intercept all HTTP traffic -9 - listen mode -intercepts all the packets containing the HTTP signature and dumps from the end of the signature to the end of the packet.
ICMP Echo Scanning
Not the same as port scanning because it does not have a port abstraction. -It is used to determine the particular hosts that are active in a network by pinging all of them.
Banner Grabbing
Also called "OS fingerprinting," this is a method used to determine the operating system that is running on a remote target system. An attacker uses this technique to identify network hosts running versions of applications and OSs with known exploits.
In ACK flag probe scanning, if the TTL of the RST from port 123 is 45, what does it mean?
port 123 is open
Ack Flag probe scanning
This probe scanning exploits vulnerabilities within the BSD-derived TCP/IP stack. Multiple methods: -TTL version - if the TTL of the RST packet is less than 64, the port is open; if it is greater, the port is closed. -Window version - if the window value of the RST packet is anything other than 0, the port is open. -Can be used to check filtering: if a probe is sent and there is no response, a stateful firewall is present and the port is filtered. -Can evade IDS in most cases. nmap -sA (ACK scan) nmap -sW (Window scan)
Xmas Scan
A port scan technique that sends a TCP frame with the FIN, URG, and PUSH flags set to a remote device. -Open gives no response. Closed gives RST/ACK. -Named because all flags are turned on, so it's "lit up" like a Christmas tree. -This scan only works when systems are compliant with an RFC 793-based TCP/IP implementation. It will not work against any current version of Microsoft Windows. nmap -sX