CEH v11 Mod 3
IDLE/IPID Header Scan
-A TCP port scan method in which the attacker sends SYN probes with a spoofed source address (that of an idle "zombie" host) to find out which services are available on a target, without any packet carrying the attacker's own address reaching the target.
-Every IP packet carries a 16-bit fragment identification number (IPID). Many older OSes increase the IPID by one for each packet sent, so probing the zombie's IPID before and after the spoofed probe tells the attacker how many packets the zombie sent in between. Stacks that randomize or zero the IPID cannot serve as zombies.
-A machine that receives an unsolicited SYN|ACK packet will respond with an RST; an unsolicited RST is ignored.
-If the target port is open, the target sends SYN|ACK to the zombie, which answers with an RST (IPID +1); if the port is closed, the target sends an RST, which the zombie ignores (IPID unchanged). A second IPID probe therefore shows a delta of 2 for an open port and 1 for a closed or filtered port.
-In Nmap, the -sI <zombie> option performs an idle scan.
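The decision logic of the idle scan, simulated offline so it can be run without a network. This is an added example and not code from the CEH material or from Nmap; the Zombie and Target classes are constructed stand-ins for real hosts, and the zombie is assumed to increment its IPID by one for every packet it sends.

```python
"""Idle (IPID header) scan, simulated offline with constructed hosts."""
from dataclasses import dataclass, field

IPID_MOD = 1 << 16  # the IP identification field is 16 bits wide


def ipid_delta(before: int, after: int) -> int:
    """Packets the zombie emitted between two probes, tolerating 16-bit wraparound."""
    return (after - before) % IPID_MOD


@dataclass
class Zombie:
    """Idle host whose stack increments the IPID by one per packet sent (assumed)."""
    ipid: int = 1000
    chatty: int = 0  # packets it sends on its own between our probes (noise)

    def _emit(self) -> int:
        self.ipid = (self.ipid + 1) % IPID_MOD
        return self.ipid

    def on_syn_ack(self) -> int:
        """Unsolicited SYN|ACK -> RST reply, which consumes one IPID value."""
        return self._emit()

    def on_rst(self) -> None:
        """Unsolicited RST -> silently ignored: no packet, IPID unchanged."""
        return None

    def background_traffic(self) -> None:
        for _ in range(self.chatty):
            self._emit()


@dataclass
class Target:
    """Constructed target; its replies go to the packet's (spoofed) source."""
    open_ports: set
    filtered_ports: set = field(default_factory=set)

    def on_syn(self, port: int, source: Zombie) -> None:
        if port in self.filtered_ports:
            return                  # firewall drops the probe: no reply at all
        if port in self.open_ports:
            source.on_syn_ack()     # SYN|ACK lands on the zombie
        else:
            source.on_rst()         # RST lands on the zombie


def probe_ipid(zombie: Zombie) -> int:
    """Attacker sends SYN|ACK to the zombie; the RST it returns carries its IPID."""
    return zombie.on_syn_ack()


def idle_scan(zombie: Zombie, target: Target, port: int) -> str:
    """Classify one port using only the zombie's IPID, never the attacker's address."""
    before = probe_ipid(zombie)
    zombie.background_traffic()
    target.on_syn(port, source=zombie)  # SYN whose source address is spoofed as the zombie
    after = probe_ipid(zombie)
    delta = ipid_delta(before, after)
    if delta == 2:
        return "open"             # zombie answered the target's SYN|ACK with a RST
    if delta == 1:
        return "closed|filtered"  # zombie only answered our second probe
    return "unreliable"           # zombie was not idle: other traffic moved the IPID


if __name__ == "__main__":
    host = Target(open_ports={22, 80}, filtered_ports={445})
    for p in (22, 80, 81, 445):
        print(p, idle_scan(Zombie(), host, p))
    print("noisy zombie:", idle_scan(Zombie(chatty=3), host, 80))
```

The `chatty` attribute models a zombie that is not actually idle: once its own traffic moves the IPID, the delta is no longer 1 or 2 and the result is unreliable, which is why a zombie is vetted first by confirming that its IPID is sequential and quiet (Nmap performs this check before using one).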
Proxy Tools: Proxy Switcher http://www.proxyswitcher.com
-Allows attackers to surf the Internet anonymously without disclosing their IP address.
-Also helps attackers reach sites that are blocked inside the organization.
-Helps bypass restrictions imposed by target sites by rotating through different proxies.
Mobile Proxy Tool: Shadowsocks https://shadowsocks.org
-Available on multiple platforms, including PC, macOS, mobile devices (Android and iOS), and routers (OpenWrt). It consumes few resources, which makes it suitable for low-end boxes and embedded devices. Open-source implementations exist in Python, Node.js, Go, C#, and pure C.
-Shadowsocks helps attackers surf the Internet privately and securely by tunnelling traffic through an encrypted SOCKS5 proxy.
Proxy Chaining
-Routing traffic through several proxy servers in sequence increases the attacker's Internet anonymity: each proxy only sees the address of the previous hop, so the larger the number of proxy servers used, the harder it is to trace the connection back to its origin (at the cost of latency, and only as long as no proxy in the chain keeps logs that can be correlated).
Proxy Tools: CyberGhost VPN. https://www.cyberghostvpn.com
-hides the attacker's IP and replaces it with a selected IP, allowing him or her to surf anonymously and access blocked or censored content. -It encrypts the connection and does not keep logs, thus securing data.
Network Scanning
-Refers to a set of procedures used for identifying hosts, ports, and services in a network.
-One of the components of intelligence gathering, which an attacker uses to create a profile of the target organization.
IDS/Firewall Evasion Techniques IP address Spoofing
-Refers to changing the source IP address so that the attack appears to come from someone else.
-When the victim replies, the reply goes to the spoofed address rather than to the attacker's real address, so the attacker does not see responses (the technique suits blind probing and flooding rather than interactive scans).
-Attackers modify the source address field in the IP packet header in order to bypass IDS/firewall rules that trust certain addresses.
-IP spoofing using hping3: hping3 www.certifiedhacker.com -a 7.7.7.7 (-a sets the spoofed source address).
OS Discovery using IPv6 Fingerprinting
-same functionality as that of IPv4 -The difference between IPv6 and IPv4 fingerprinting is that the IPv6 uses several additional advanced probes specific to IPv6 along with a separate OS detection engine that is specialized for IPv6 -In Zenmap, the -6 option and -O option are used to perform OS discovery using the IPv6 fingerprinting method Syntax: # nmap -6 -O <target>
IP Spoofing Detection Techniques: Direct TTL Probes
-Send a packet (ping request) to the host the suspect packet claims to come from and wait for the reply.
-Check whether the TTL value in the reply matches the TTL of the packet you are checking. If both packets use the same protocol, a genuine sender on the same path will produce the same TTL.
-If the reply uses a different protocol (e.g. the suspect packet is TCP and the reply is ICMP), initial TTLs may differ, so compare the actual hop counts instead: subtract the observed TTL from the assumed initial TTL (typically 64, 128, or 255) to get the hop count.
-The packet is a spoofed packet if the hop count (or, for the same protocol, the TTL) of the reply does not match that of the suspect packet.
UDP Scanning
UDP Port Open
-There is no three-way handshake for UDP scanning.
-An open port does not respond to an empty probe, so Nmap reports it as open|filtered unless the service answers with UDP data.
UDP Port Closed
-If a UDP packet is sent to a closed port, the system responds with an ICMP port unreachable message (type 3, code 3); other ICMP unreachable codes mean the port is filtered.
-Spyware, Trojan horses, and other malicious applications use UDP ports.
In Zenmap, the -sU option is used to perform a UDP scan.
Creating Custom Packets: Using Packet Crafting Tools
Attackers create custom TCP packets using various packet crafting tools like Colasoft Packet Builder, NetScanTools Pro, etc. to scan a target beyond a firewall
ARP Ping Scan
-Attackers send ARP request probes to target hosts; an ARP response indicates that the host is active.
-Attackers use Nmap to perform an ARP ping scan for discovering live hosts in the network. In Zenmap, the -PR option is used to perform an ARP ping scan (Nmap uses ARP automatically for targets on the local Ethernet segment).
-ARP ping scan is considered more efficient and accurate than other host discovery techniques on the local subnet, because a host must answer ARP to communicate at all and host firewalls do not block it; it does not work across routers, since ARP never leaves the local link.
-ARP ping scan automatically handles ARP requests, retransmission, and timeouts at its own discretion.
-ARP ping scan is useful for system discovery where you may need to scan large address spaces.
-ARP ping scan can display the response time or latency of a device to an ARP packet.
UDP Ping Scan
-Attackers send UDP packets to target hosts; a UDP response (or an ICMP port unreachable error) indicates that the host is active.
-In Zenmap, the -PU option is used to perform the UDP ping scan.
-UDP ping scans have the advantage of detecting systems behind firewalls with strict TCP filtering that leave UDP traffic unfiltered.
TCP Flag ACK (Acknowledge)
It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1," thus implying that the receiver should pay attention to it
TCP Flag URG (Urgent)
It instructs the receiver to process the data pointed to by the urgent pointer as soon as possible. When the flag is set to "1," the receiving application is notified that urgent data is pending so that it can handle that data ahead of the normal in-order stream.
TCP Flag FIN (Finish)
It is set to "1" to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated.
TCP Flag SYN (Synchronize)
It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.
ACK Scanning on Port 80
This scanning technique can be used to probe the existence of a firewall and its rule sets. A simple (stateless) packet filter lets packets with the ACK bit set through, as if they belonged to an established connection, so the target answers with an RST; a stateful firewall knows there is no such connection and drops the probe, so no reply arrives. Ex. hping3 -A 10.0.0.25 -p 80
Objectives of Network Scanning
To discover live hosts, IP address, and open ports of live hosts To discover operating systems and system architecture To discover services running on hosts To discover vulnerabilities in live hosts
TCP Flag PSH (Push)
When it is set to "1," it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
TCP Flag RST (Reset)
When there is an error in the current connection, this flag is set to "1" and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.
OS Discovery Tools:
Wireshark https://www.wireshark.org
Nmap: the -O option is used to perform OS discovery, providing OS details of the target machine
Unicornscan: the OS of the target machine can be identified by observing the TTL values in the acquired scan result https://sourceforge.net
Mobile Scanner: Fing https://www.fing.io
a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. It allows attackers to discover all devices connected to a Wi-Fi network along with their IP and MAC address as well as the name of the vendor/device manufacturer. It also allows attackers to perform network pinging and traceroute activities through specific ports such as SSH, FTP, NetBIOS, etc.
TCP/IP Communication
TCP is connection oriented, i.e., it establishes a connection before data is transferred between applications. This connection between two hosts is set up through the three-way handshake (SYN, SYN|ACK, ACK).
Host Discovery
-Scanning is the process of gathering information about systems that are "alive" and responding on the network.
-Host discovery is considered the primary task in the network scanning process. It provides an accurate status of the systems in the network, which lets an attacker avoid scanning every port on every system in a sea of IP addresses just to learn whether a target host is up.
-Goal: identify the active/live systems.
ICMP ECHO Ping Sweep
-Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is alive, it will return an ICMP ECHO reply -Attackers calculate subnet masks by using a Subnet Mask Calculator to identify the number of hosts that are present in the subnet -Attackers subsequently use a ping sweep to create an inventory of live systems in the subnet In Zenmap, the -PE option with a list of IP addresses is used to perform ICMP ECHO ping sweep.
Types of Scanning
-Port Scanning: lists the open ports and services.
-Network Scanning: lists the active hosts and IP addresses.
-Vulnerability Scanning: shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities.
Mobile Proxy Tool: ProxyDroid https://github.com
-ProxyDroid is an app that can help you to set the proxy (http/socks4/socks5) on your Android devices. -Attackers can use this tool as a DNS proxy to access IP addresses that are beyond the firewalls
IPv6 Scanning
-IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of address hierarchy; the resulting address space is far too large to sweep by brute force.
-Attackers therefore need to harvest IPv6 addresses from network traffic, recorded logs, or Received: header lines in archived emails.
-Attackers can use the -6 option in Zenmap to perform IPv6 scanning.
Scanning Tools: Nmap (Network Mapper) https://nmap.org
-Network administrators can use Nmap for inventorying a network, managing service upgrade schedules, and monitoring host or service uptime -Attackers use Nmap to extract information such as live hosts on the network, open ports, services (application name and version), types of packet filters/ firewalls, as well as operating systems and versions used Syntax: # nmap <options> <Target IP address>
OS Discovery using Nmap Script Engine
-The Nmap Scripting Engine (NSE) can be used to automate a wide variety of networking tasks by allowing users to write and share scripts.
-Attackers use various NSE scripts to perform OS discovery on the target machine.
-For example, smb-os-discovery is a built-in script that collects OS information from the target machine through the SMB protocol.
In Zenmap, the -sC option (default script set) or the --script option (named scripts, e.g. --script smb-os-discovery) is used to run NSE scripts.
Why a Proxy is used:
As a firewall and to protect the local network from external attacks. As an IP address multiplexer that allows several computers to connect to the Internet when you have only one IP address (NAT/PAT). To anonymize web surfing (to some extent). To extract unwanted content, such as ads or "unsuitable" material (using specialized proxy servers). To provide some protection against hacking attacks. To save bandwidth.
Additional Proxy Tools
Burp Suite (https://www.portswigger.net) Tor (https://www.torproject.org) CCProxy (https://www.youngzsoft.net) Hotspot Shield (https://www.hotspotshield.com)
Ping Sweep Countermeasures
-Configure the firewall to detect and prevent ping sweep attempts instantaneously.
-Use intrusion detection systems and intrusion prevention systems such as Snort (https://www.snort.org) to detect and prevent ping sweep attempts.
-Carefully evaluate the type of ICMP traffic flowing through the enterprise networks.
-Terminate the connection with any host that is performing more than 10 ICMP ECHO requests.
-Use a DMZ and allow only ICMP message types such as ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED into the DMZ zone.
-Limit ICMP traffic with Access Control Lists (ACLs) to your ISP's specific IP addresses.
Why Attackers use Proxy Servers:
To hide the actual source of a scan and evade certain IDS/firewall restrictions. To hide the source IP address so that they can attack without legal consequences. To mask the actual source of the attack by presenting the proxy's address as the source. To remotely access intranets and other website resources that are normally off limits. To intercept all the requests sent by a user and forward them to a third destination, so that victims are only able to identify the proxy server's address. To chain multiple proxy servers to avoid detection.
Anonymizers
-An anonymizer removes all identity information from the user's computer while the user surfs the Internet -Anonymizers make activity on the Internet untraceable -Anonymizers allow you to bypass Internet censors
Mobile Proxy Tool: Proxy Manager. https://play.google.com
-Android-based proxy tool that supports HTTP/SOCKS4/SOCKS5 proxy and user authentication. -It enables attackers to surf the Internet anonymously.
Creating Custom Packets: Appending Random Data
-Attackers append a number of random data bytes to most of the packets sent, without any protocol-specific payload, so that probes no longer match the empty-payload signatures some filters key on. Example: --data-length 5 (appends 5 random bytes; --data-string and --data are the options for a chosen string or hex payload).
How to Identify Target System OS
-Attackers can identify the OS running on the target machine by looking at the Time To Live (TTL) in the IP header and the TCP window size in the TCP header of the first packet a host sends in a TCP session (its SYN or SYN|ACK), since each stack has its own defaults (e.g. an initial TTL of 64 on Linux and 128 on Windows).
-Sniff/capture the response generated from the target machine using packet-sniffing tools like Wireshark and observe the TTL and TCP window size fields; because the TTL is decremented at every hop, round the observed value up to the nearest common initial TTL (64, 128, 255) before comparing.
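The TTL and window heuristic from the entry above, as an added example (not CEH or Nmap code): it parses a raw IPv4/TCP packet, rounds the observed TTL up to the nearest common initial value to recover the hop count, and matches (initial TTL, window) against a small table of defaults. The sample packets are constructed byte strings with zeroed checksums, and the OS_HINTS table holds commonly published defaults assumed for illustration, not a real fingerprint database.

```python
"""Passive OS guess from the TTL and TCP window of a captured packet."""
import struct

INITIAL_TTLS = (32, 64, 128, 255)

# Assumed defaults for illustration: (initial TTL, default window) -> stack.
OS_HINTS = {
    (64, 5840): "Linux 2.4/2.6",
    (64, 29200): "Linux 3.x+",
    (64, 65535): "FreeBSD / macOS",
    (128, 8192): "Windows 7 / Server 2008",
    (128, 65535): "Windows XP",
    (255, 4128): "Cisco IOS",
}
TTL_FAMILY = {32: "legacy Windows 9x", 64: "Unix-like", 128: "Windows", 255: "Solaris or network device"}

# Constructed sample packets (IPv4 + 20-byte TCP, checksums zeroed, no options).
LINUX_SYNACK = bytes.fromhex(
    "45000028" "1a2b4000" "3a060000" "c0a80164" "c0a8010a"   # IPv4: TTL 58, proto TCP
    "0050c350" "00000001" "00000002" "50127210" "00000000"   # TCP: SYN|ACK, window 29200
)
WINDOWS_SYNACK = bytes.fromhex(
    "45000028" "00014000" "7a060000" "0a000019" "0a000001"   # IPv4: TTL 122
    "01bdc351" "00000001" "00000002" "50122000" "00000000"   # TCP: SYN|ACK, window 8192
)
PLAIN_ACK = bytes.fromhex(
    "45000028" "1a2c4000" "3a060000" "c0a80164" "c0a8010a"
    "0050c350" "00000002" "00000003" "50107210" "00000000"   # TCP: ACK only
)


def initial_ttl(observed: int) -> int:
    """Routers decrement the TTL at each hop; the sender's starting value is the
    smallest common initial TTL that is still >= the observed one."""
    return next(t for t in INITIAL_TTLS if t >= observed)


def hop_count(observed: int) -> int:
    return initial_ttl(observed) - observed


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract TTL, TCP flags and window from a raw IPv4 packet carrying TCP."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"ttl": ttl, "window": window, "flags": off_flags & 0x1FF, "sport": sport, "dport": dport}


def guess_os(pkt: bytes) -> dict:
    """Only a host's first segment (SYN or SYN|ACK) carries its default window,
    so for any other segment the guess falls back to the TTL family alone."""
    f = parse_ipv4_tcp(pkt)
    ittl = initial_ttl(f["ttl"])
    first_segment = (f["flags"] & 0x12) in (0x02, 0x12)
    hint = OS_HINTS.get((ittl, f["window"])) if first_segment else None
    return {
        "initial_ttl": ittl,
        "hops": hop_count(f["ttl"]),
        "family": TTL_FAMILY.get(ittl, "unknown"),
        "os_hint": hint or "unknown",
    }


if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_SYNACK), ("windows", WINDOWS_SYNACK), ("ack", PLAIN_ACK)):
        print(name, guess_os(pkt))
```

The window match is deliberately restricted to SYN/SYN|ACK segments: later segments advertise whatever buffer space is left, so matching them against default windows produces false hints.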
Randomizing Host Order
-Attackers scan the number of hosts in the target network in random order to scan an intended target that is behind a firewall -The option used by Nmap to scan with a random host order is --randomize-hosts
TCP Maimon Scan
-Attackers send FIN/ACK probes, and if there is no response, then the port is Open|Filtered, but if an RST packet is sent in response, then the port is closed In Zenmap, the -sM option is used to perform the TCP Maimon scan.
Nmap Scan Time Reduction Techniques
-Omit Non-Critical Tests -Optimize Timing Parameters -Separate and Optimize UDP Scans -Upgrade Nmap -Execute Concurrent Nmap Instances -Scan from a Favorable Network Location -Increase Available Bandwidth and CPU Time
ACK Flag Probe Scan
-Attackers send TCP probe packets with the ACK flag set to a remote device, and then analyze the header information (TTL and WINDOW fields) of the received RST packets to determine if the port is open or closed.
-ACK flag probe scanning can also be used to check the filtering system of a target.
-Attackers send an ACK probe packet with a random sequence number; no response implies that the port is filtered (a stateful firewall is present), whereas an RST response means that the port is not filtered.
Advantages: This type of scan can evade IDS in most cases.
Disadvantages: It is extremely slow, and the TTL/window tricks work only against older OSes with BSD-derived TCP/IP stacks that leak port state in their RST packets.
TTL-Based ACK Flag Probe Scanning: In Zenmap, the syntax nmap --ttl [time] [target] sets the TTL of outgoing probes for a TTL-based scan.
Window-Based ACK Flag Probe Scanning: In Zenmap, the -sW option is used to perform a window scan.
ACK Flag Probe Scanning using Nmap: the -sA option is used to perform an ACK flag probe scan.
Inverse TCP Flag Scan
-Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags, where no response implies that the port is open, whereas an RST response means that the port is closed Advantages Avoids many IDS and logging systems; highly stealthy Disadvantages Needs raw access to network sockets, thus requiring super-user privileges Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts, in particular).
SCTP COOKIE ECHO Scanning
-Attackers send a COOKIE ECHO chunk to the target host; no response implies that the port is open|filtered, whereas an ABORT chunk response means that the port is closed.
-It is not blocked by non-stateful firewall rulesets.
-It is a more advanced type of scan; only a good IDS will be able to detect the COOKIE ECHO chunk.
Advantages: The port scan is not as conspicuous as the INIT scan.
Disadvantages: SCTP COOKIE ECHO scan cannot differentiate clearly between open and filtered ports; it shows the output as open|filtered in both cases.
In Zenmap, the -sZ option is used to perform the SCTP COOKIE ECHO scan.
Creating Custom Packets: Appending Custom String
-Attackers send a regular string as the payload of the packets sent to the target machine for scanning beyond the firewall. Example: --data-string "Ph34r my l33t skills"
SCTP INIT Scanning
-Attackers send an INIT chunk to the target host, and an INIT+ACK chunk response implies that the port is open, whereas an ABORT Chunk response means that the port is closed -No response from the target, or a response of an ICMP unreachable exception indicates that the port is a Filtered port Advantages: INIT scan can clearly differentiate between various ports such as open, closed, and filtered state In Zenmap, the -sY option is used to perform the SCTP INIT scan.
Creating Custom Packets: Appending Custom Binary Data
-Attackers send binary data (raw bytes given as hex) as the payload of transmitted packets to scan beyond firewalls. Example: --data 0xdeadbeef
Sending Bad Checksums
-Attackers send packets with bad or bogus TCP/UDP checksums to the intended target to fingerprint or bypass certain firewall rulesets.
-A real TCP/IP stack silently drops a segment whose checksum fails, so any response must come from a firewall or IDS that reacts to packets without verifying their checksums.
-The option used by Nmap is --badsum.
IP Spoofing Detection Techniques: TCP Flow Control Method
-Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets -Therefore, attackers cannot respond to a change in the congestion window size -When received traffic continues after a window size is exhausted, the packets are most likely spoofed
IP Spoofing Countermeasures
-Avoid trust relationships.
-Encrypt all network traffic using cryptographic network protocols such as IPsec, TLS, SSH, and HTTPS.
-Use multiple firewalls to provide multi-layered defense in depth.
-Do not rely on IP-based authentication.
-Use random initial sequence numbers to prevent IP spoofing attacks based on sequence number prediction.
-Ingress filtering: use routers and firewalls at the network perimeter to drop incoming packets that claim to come from an internal IP address.
-Egress filtering: drop all outgoing packets whose source address is not a valid local IP address (BCP 38).
Passive Banner Grabbing
-Banner grabbing from error messages Error messages provide information such as the type of server, type of OS, and SSL tool used by the target remote system. -Sniffing the network traffic Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system. -Banner grabbing from page extensions Looking for an extension in the URL may assist in determining the application's version. Example: .aspx => IIS server and Windows platform
Scanning Tools: Hping2/Hping3 http://www.hping.org
-Command-line network scanning and packet crafting tool for the TCP/IP protocol suite.
-It can be used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, etc.
Syntax: # hping3 <options> <Target IP address>
Port Scanning Countermeasures:
-Configure firewall and IDS rules to detect and block probes.
-The firewall should be capable of detecting probes sent by attackers using port scanning tools. It should not let traffic through after inspecting only the TCP header; it should examine the data contained in each packet before allowing the traffic to pass.
-Run port scanning tools against hosts on the network to determine whether the firewall accurately detects the port scanning activity.
-Some firewalls do a better job than others at detecting stealth scans. For example, many firewalls have specific options to detect SYN scans, while others completely ignore FIN scans.
-Ensure that the router, IDS, and firewall firmware are updated to their latest releases/versions.
-Configure commercial firewalls to protect your network against fast port scans and SYN floods.
-Run tools such as PortSentry to detect and stop port scan attempts on Linux/UNIX systems.
-Attackers use tools such as Nmap to perform OS detection against remote hosts, so employ intrusion detection systems. Snort (https://www.snort.org) is an intrusion detection and prevention technology that is very useful, mainly because signatures are frequently available from public authors.
-Keep as few ports open as possible and filter the rest, as the intruder will try to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135-159, 256-258, 389, 445, 1080, 1745, and 3268.
-Block unwanted services running on the ports and update the service versions.
-Ensure that the versions of services running on the ports are non-vulnerable.
-Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers placed in front of the company's main firewall.
ICMP ECHO Ping Scan
-ICMP ECHO ping scans involve sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
-This scan is useful for locating active devices or determining whether ICMP is passing through a firewall.
In Zenmap, the -PE option is used to perform the ICMP ECHO ping scan; active hosts are reported as "Host is up."
Service Version Discovery
-Service version detection helps attackers obtain information about the running services and their versions on a target system.
-Obtaining an accurate service version number allows attackers to determine whether the target system is vulnerable to particular exploits.
-For example, when an attacker detects SMBv1 as a running service on a target Windows machine, the attacker can attempt the SMBv1 exploit used by the WannaCry ransomware (EternalBlue, patched by MS17-010), provided the host is unpatched.
In Zenmap, the -sV option is used to detect service versions.
Active Banner Grabbing
-Specially crafted packets are sent to the remote OS and the responses are noted -The responses are then compared with a database to determine the OS -Responses from different OSes vary due to differences in the TCP/IP stack implementation
Stealth Scan (Half-open Scan)
-Stealth scanning involves abruptly resetting the TCP connection between the client and server before the completion of three-way handshake signals, thus leaving the connection half-open -Attackers use stealth scanning techniques to bypass firewall rules as well as logging mechanisms, and hide themselves under the appearance of regular network traffic In Zenmap, the -sS option is used to perform a stealth scan/TCP half-open scan.
SSDP Scanning
-The Simple Service Discovery Protocol (SSDP) is a network protocol that works in conjunction with the UPnP to detect plug and play devices -Vulnerabilities in UPnP may allow attackers to launch Buffer overflow or DoS attacks -Attacker may use the UPnP SSDP M-SEARCH information discovery tool to check if the machine is vulnerable to UPnP exploits or not
TCP Connect/Full Open Scan http://insecure.org
-The TCP Connect scan detects when a port is open after completing the three-way handshake -TCP Connect scan establishes a full connection and then closes the connection by sending an RST packet -It does not require superuser privileges In Zenmap, the -sT option is used to perform TCP Connect/full open scan.
IDS/Firewall Evasion Techniques IP address Decoy
-The attacker generates or manually specifies the IP addresses of decoys, so that the probes appear to come from several hosts at once and the IDS/firewall cannot tell which address is the real scanner.
-It appears to the target that the decoys as well as the attacker's host are scanning the network; the target's replies to decoy addresses are simply lost.
-This makes it difficult for the IDS or firewall to determine which IP address was actually scanning the network and which were decoys (the real address is still among them, and decoys that are down can be identified by hop-count or IPID comparison).
-Nmap has two options for decoy scanning: nmap -D RND:10 [target] (generates 10 random decoy addresses) and nmap -D decoy1,decoy2,decoy3,ME [target] (manually specifies the decoy addresses; ME marks the position of the real address in the list).
IDS/Firewall Evasion Technique Source Port Manipulation
-The attacker replaces the actual source port of the probes with a common service port to evade the IDS/firewall.
-It works when a firewall is configured to allow packets from well-known source ports like HTTP (80), DNS (53), FTP (20/21), etc., a misconfiguration of stateless "allow replies" rules.
-Nmap uses the -g or --source-port option to set the source port (e.g. nmap -g 53 <target>).
IDS/Firewall Evasion Technique Packet Fragmentation
-The attacker sends fragmented probe packets to the intended target, which reassembles the fragments after receiving all of them. -refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network -It is not a new scanning method but a modification of the previous techniques -The TCP header is split into several packets so that the packet filters are not able to detect what the packets are intended to do
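Splitting a TCP probe into IP fragments, as an added example that is not Nmap's code: the 20-byte TCP SYN header is constructed inline, fragments are 8 bytes like Nmap's -f option, and the IP header checksum is left at zero, which a Linux raw socket with IP_HDRINCL fills in. The point the entry above makes is visible in the result: the TCP flags byte is not in the first fragment, so a filter that only inspects that fragment cannot tell what the probe is.

```python
"""IP fragmentation of a TCP probe, Nmap -f style (8-byte fragments)."""
import struct

# Constructed TCP SYN header: sport 40000, dport 80, seq 1, ack 0, offset 5,
# flags SYN, window 1024, checksum and urgent pointer zero.
TCP_SYN = bytes.fromhex("9c400050" "00000001" "00000000" "50020400" "00000000")

MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field


def ipv4_header(src: bytes, dst: bytes, ident: int, flags_offset: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header, protocol TCP, header checksum left at zero (assumed
    to be filled in by the kernel when sent through an IP_HDRINCL raw socket)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_offset, ttl, 6, 0, src, dst)


def fragment(src: bytes, dst: bytes, transport: bytes, frag_size: int = 8, ident: int = 0xBEEF) -> list:
    """Split `transport` into IPv4 fragments of frag_size bytes. The size must be
    a multiple of 8 because the offset field counts 8-byte units."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for start in range(0, len(transport), frag_size):
        chunk = transport[start:start + frag_size]
        more = MF if start + frag_size < len(transport) else 0
        frags.append(ipv4_header(src, dst, ident, more | (start // 8), len(chunk)) + chunk)
    return frags


def fragment_info(pkt: bytes) -> tuple:
    """(offset in bytes, more-fragments flag, payload) of one fragment."""
    flags_offset = struct.unpack("!H", pkt[6:8])[0]
    return ((flags_offset & 0x1FFF) * 8, bool(flags_offset & MF), pkt[20:])


def tcp_flags_visible(fragment_pkt: bytes):
    """What a stateless filter that inspects only this fragment can see of the
    TCP flags byte (offset 13 in the TCP header); None if it is not in here."""
    offset, _, payload = fragment_info(fragment_pkt)
    idx = 13 - offset
    return payload[idx] if 0 <= idx < len(payload) else None


def reassemble(frags: list) -> bytes:
    """What the end host does: order by offset and concatenate."""
    pieces = sorted((fragment_info(f) for f in frags), key=lambda t: t[0])
    if pieces[-1][1]:
        raise ValueError("last fragment still has MF set")
    return b"".join(p[2] for p in pieces)


if __name__ == "__main__":
    frags = fragment(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 25]), TCP_SYN)
    for f in frags:
        off, more, payload = fragment_info(f)
        print(f"offset={off:2d} MF={more} len={len(payload)} flags_byte={tcp_flags_visible(f)}")
    print("reassembled ok:", reassemble(frags) == TCP_SYN)
```

Reassembly is exactly why the evasion only works against filters that do not reassemble: a stateful firewall or IDS that buffers fragments sees the same SYN the host sees, and many such devices now drop fragments this small outright.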
IDS/Firewall Evasion Technique Source Routing
-The attacker specifies the routing path that a probe packet takes to reach the intended target.
-Normally, as a packet travels through the network, each router examines the destination IP address and chooses the next hop itself.
-Source routing (the IP loose/strict source route options) lets the sender partially or completely specify the route, avoiding routers that enforce firewall/IDS policy; most modern routers drop source-routed packets, so the technique rarely works today.
-Nmap can set these options with the --ip-options flag.
OS Discovery / Banner Grabbing (OS Fingerprinting)
-The method used to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive -Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities possessed by the system and the exploits that might work on a system to further carry out additional attack
Port and Service Discovery
-The next step in the network scanning process involves checking the open ports and services in live systems. -This discovery of open ports and services can be performed via various port scanning techniques. -users unknowingly keep unnecessary open ports on their systems. An attacker takes advantage of such open ports to launch attacks.
List Scanning
-This type of scan simply generates and prints a list of IPs/names without actually pinging or scanning them.
-A reverse DNS resolution is performed to identify the host names.
Advantages: A list scan is a good sanity check; it reveals incorrectly specified IP addresses on the command line or in an option file so they can be fixed before running any "active" scan.
In Zenmap, the -sL option is used to perform a list scan.
Xmas Scan
-Using the Xmas scan, attackers send a TCP frame to a remote device with FIN, URG, and PUSH flags set -FIN scanning works only with OSes that use an RFC 793-based TCP/IP implementation -The Xmas scan will not work against any current version of Microsoft Windows Advantages It avoids IDS and TCP three-way handshake. Disadvantages It works on the UNIX platform only. In Zenmap, the -sX option is used to perform Xmas scan whereas the -sF and -sN options are used to perform FIN scan and NULL scan, respectively
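The port-state rules from the Xmas, FIN/NULL, Maimon, ACK, window, SYN/connect, SCTP and UDP scan entries above, collected into one decision function. This is an added example and not Nmap's code; the response tuples are a constructed representation of what a sniffer would hand back, and the set of ICMP unreachable codes treated as "filtered" follows the Nmap reference guide.

```python
"""Map (probe type, observed response) to the port state a scanner reports."""

# ICMP type 3 codes Nmap treats as "filtered": net, host, protocol, port
# unreachable, net/host administratively prohibited, communication prohibited.
ICMP_UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}
INVERSE_FLAG_SCANS = {"null", "fin", "xmas", "maimon"}


def classify(scan: str, response) -> str:
    """`response` is None for a timeout, or one of the constructed tuples
    ("tcp", "<flags>", window), ("icmp", type, code),
    ("sctp", "INIT-ACK" | "ABORT"), ("udp", payload)."""
    kind = response[0] if response else None
    tcp_flags = response[1] if kind == "tcp" else ""
    unreachable = kind == "icmp" and response[1] == 3 and response[2] in ICMP_UNREACH_FILTERED

    if scan in ("syn", "connect"):
        if "SYN" in tcp_flags and "ACK" in tcp_flags:
            return "open"
        if "RST" in tcp_flags:
            return "closed"
        return "filtered"                                        # timeout or ICMP error
    if scan in INVERSE_FLAG_SCANS:
        if "RST" in tcp_flags:
            return "closed"
        return "filtered" if unreachable else "open|filtered"    # silence is ambiguous
    if scan == "ack":
        return "unfiltered" if "RST" in tcp_flags else "filtered"
    if scan == "window":
        if "RST" in tcp_flags:
            return "open" if response[2] > 0 else "closed"       # BSD-derived stacks only
        return "filtered"
    if scan == "sctp_init":
        if kind == "sctp" and response[1] == "INIT-ACK":
            return "open"
        if kind == "sctp" and response[1] == "ABORT":
            return "closed"
        return "filtered"
    if scan == "sctp_cookie_echo":
        if kind == "sctp" and response[1] == "ABORT":
            return "closed"
        return "filtered" if unreachable else "open|filtered"
    if scan == "udp":
        if kind == "udp":
            return "open"
        if kind == "icmp" and response[1] == 3 and response[2] == 3:
            return "closed"                                      # port unreachable
        return "filtered" if unreachable else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


if __name__ == "__main__":
    cases = [
        ("syn", ("tcp", "SYN|ACK", 29200)), ("syn", None),
        ("xmas", None), ("xmas", ("tcp", "RST|ACK", 0)), ("fin", ("icmp", 3, 13)),
        ("ack", ("tcp", "RST", 0)), ("window", ("tcp", "RST", 1024)),
        ("sctp_init", ("sctp", "INIT-ACK")), ("sctp_cookie_echo", None),
        ("udp", ("icmp", 3, 3)), ("udp", None),
    ]
    for scan, resp in cases:
        print(f"{scan:17s} {str(resp):28s} -> {classify(scan, resp)}")
```

Two things the flashcard rules gloss over fall out of the function: a timeout is "filtered" for SYN scans but only "open|filtered" for the inverse-flag and COOKIE ECHO scans, and an ICMP unreachable with any admin-prohibited code is evidence of a filter, whereas for UDP only code 3 means the port is actually closed.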
Ping Sweep Tools
SolarWinds Engineer's Toolset (https://www.solarwinds.com) NetScanTools Pro (https://www.netscantools.com) Colasoft Ping Tool (https://www.colasoft.com) Visual Ping Tester (http://www.pingtester.net) OpUtils (https://www.manageengine.com)
IP Spoofing Detection Techniques: Direct TTL Probes
1. Send a packet to the host of a suspected spoofed packet that triggers a reply and compare the TTL with that of the suspected packet; if the TTL in the reply is not the same as the packet being checked, this implies that it is a spoofed packet 2. This technique is successful when the attacker is in a different subnet from that of the victim
IP Spoofing Detection Techniques: IP Identification Number
1. Send a probe to the host of a suspected spoofed traffic that triggers a reply and compare the IPID with the suspected traffic 2. If the IPIDs are not close in value to the packet being checked, then the suspected traffic is spoofed 3. This technique is considered reliable even if the attacker is in the same subnet
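Both detection techniques (the direct TTL probe from the Direct TTL Probes entries and the IPID comparison above), as an added example that is not CEH code. The suspect and reply records are constructed dictionaries; hop counts assume the usual initial TTLs 32/64/128/255, and the IPID gap threshold of 100 is an arbitrary assumption to be tuned to the host's traffic rate.

```python
"""Spoof checks built on a direct probe to the claimed sender."""

INITIAL_TTLS = (32, 64, 128, 255)
IPID_MOD = 1 << 16


def hop_count(ttl: int) -> int:
    """Hops travelled = nearest common initial TTL above the observed value - observed TTL."""
    return next(t for t in INITIAL_TTLS if t >= ttl) - ttl


def ttl_probe_says_spoofed(suspect_ttl: int, reply_ttl: int, same_protocol: bool) -> bool:
    """Direct TTL probe. Same protocol: a genuine sender on the same path yields
    the same TTL. Different protocol (suspect is TCP, probe reply is ICMP): the
    stack may start from a different initial TTL, so compare hop counts instead."""
    if same_protocol:
        return suspect_ttl != reply_ttl
    return hop_count(suspect_ttl) != hop_count(reply_ttl)


def ipid_says_spoofed(suspect_ipid: int, reply_ipid: int, max_gap: int = 100) -> bool:
    """IPID check. A real sender's counter keeps climbing from the suspect packet's
    value, so the probe reply should sit a little ahead of it (modulo 16 bits).
    A reply far ahead, or behind, means another host sent the suspect packet."""
    forward = (reply_ipid - suspect_ipid) % IPID_MOD
    return forward > max_gap


def judge(suspect: dict, reply: dict) -> dict:
    """Run both checks on constructed packet records with 'proto', 'ttl', 'ipid'.
    The IPID check is skipped (None) when the replying stack is known to
    randomize IPIDs, since the comparison is meaningless then."""
    ttl_spoofed = ttl_probe_says_spoofed(suspect["ttl"], reply["ttl"], suspect["proto"] == reply["proto"])
    ipid_spoofed = None if reply.get("ipid_random") else ipid_says_spoofed(suspect["ipid"], reply["ipid"])
    return {"ttl": ttl_spoofed, "ipid": ipid_spoofed, "spoofed": bool(ttl_spoofed or ipid_spoofed)}


if __name__ == "__main__":
    genuine = {"proto": "tcp", "ttl": 58, "ipid": 3000}
    reply = {"proto": "icmp", "ttl": 58, "ipid": 3004}
    print("genuine:", judge(genuine, reply))
    forged = {"proto": "tcp", "ttl": 58, "ipid": 3000}         # claims to be the same host
    real_reply = {"proto": "icmp", "ttl": 120, "ipid": 41234}  # but that host is 8 hops away
    print("forged:", judge(forged, real_reply))
```

Both checks have false-positive modes worth keeping in mind: asymmetric routing changes the hop count between the two directions, and a busy server moves its IPID by more than the threshold between the suspect packet and the probe reply, so in practice either result is a trigger for closer inspection rather than a verdict.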
ICMP Scanning
A ping sweep or Internet Control Message Protocol (ICMP) scanning is a process of sending an ICMP request or ping to all the hosts on the network to determine the ones that are up Ex. hping3 -1 10.0.0.25
Proxy Server
A proxy server is an application that can serve as an intermediary for connecting with other computers.
Host Discovery Techniques
ARP Ping Scan
UDP Ping Scan
ICMP Ping Scan: ICMP ECHO Ping, ICMP ECHO Ping Sweep, ICMP Timestamp Ping, ICMP Address Mask Ping
TCP Ping Scan: TCP SYN Ping, TCP ACK Ping
IP Protocol Scan
Scan entire subnet for live host
Ex. hping3 -1 10.0.1.x --rand-dest -I eth0
By issuing this command, hping3 performs an ICMP ping scan on the subnet 10.0.1.x; in other words, it sends ICMP echo requests to randomly chosen hosts (--rand-dest) from 10.0.1.0 to 10.0.1.255 through the interface eth0. Hosts that are up (and not filtering ICMP) respond with an ICMP echo reply. ICMP has no ports, so the -p option plays no role in this mode.
UDP Scan on port 80
Ex. hping3 -2 10.0.0.25 -p 80 Hping uses TCP as its default protocol. Using the argument -2 in the command line specifies that Hping operates in the UDP mode. You may use either --udp or -2 as the argument in the command line.
SYN scan on port 50-60
Ex. hping3 -8 50-60 -S 10.0.0.25 -V Using the argument -8 or --scan in the command line, you are operating Hping in the scan mode to scan a range of ports on the target host. Adding the argument -S allows you to perform a SYN scan. Therefore, the above command performs a SYN scan on ports 50-60 on the target host.
Intercept all traffic containing HTTP signature
Ex. hping3 -9 HTTP -I eth0 The argument -9 will set the Hping to the listen mode. Hence, by issuing the command -9 HTTP, Hping starts listening on port 0 (of all the devices connected in the network to interface eth0), intercepts all the packets containing the HTTP signature, and dumps from the signature end to the packet's end. For example, on issuing the command hping2 -9 HTTP, if Hping reads a packet that contains data 234-09sdflkjs45-HTTPhello_world, it will display the result as hello_world.
FIN, PUSH and URG scan on port 80
Ex. hping3 -F -P -U 10.0.0.25 -p 80 By adding the arguments -F, -P, and -U in the command line, you are setting FIN, PUSH, and URG packets in the probe packets. By issuing this command, you are performing FIN, PUSH, and URG scans on port 80 on the target host (10.0.0.25). If port 80 is open, you will not receive a response. If the port is closed, Hping will return an RST response
SYN flooding a victim
Ex. hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood The attacker employs TCP SYN flooding techniques using spoofed IP addresses to perform a DoS attack.
Firewalls and Timestamps
Ex. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp Many firewalls drop those TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument in the command line, you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).
Collecting Initial Sequence Number
Ex. hping3 192.168.1.103 -Q -p 139 -s Using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host (192.168.1.103)
Mobile Scanner: IP Scanner https://10base-t.com
IP Scanner for iOS scans your local area network to determine the identity of all its active machines and Internet devices. It allows attackers to perform network scanning activities along with ping and port scans.
Mobile Scanner: Network Scanner https://play.google.com
Network Scanner is an Android mobile application that allows attackers to identify the active hosts in a range of addresses in a network. It also displays the IP addresses, MAC addresses, host names, and vendor details of all the discovered devices. The tool also allows attackers to port scan targets on specific port numbers.
Port Scanning Techniques
TCP Scanning:
- Open TCP Scanning Methods
o TCP Connect/Full Open Scan
- Stealth TCP Scanning Methods
o Half-open Scan
o Inverse TCP Flag Scan (Xmas Scan, FIN Scan, NULL Scan, Maimon Scan)
o ACK Flag Probe Scan (TTL-Based Scan, Window Scan)
- Third Party and Spoofed TCP Scanning Methods
o IDLE/IP ID Header Scan
UDP Scanning:
- UDP Scanning
SCTP Scanning:
- SCTP INIT Scanning
- SCTP COOKIE ECHO Scanning
SSDP Scanning:
- SSDP and List Scanning
IPv6 Scanning:
- IPv6 Scanning
TCP Communication Flags
The TCP header contains flags that control the transmission of data across a TCP connection. Six classic TCP control flags manage the connection between hosts and give instructions to the system. -SYN, ACK, FIN, and RST govern the establishment, maintenance, and termination of a connection. -PSH and URG carry instructions to the system (push the data to the application; urgent data present). -Each flag is 1 bit, so the six classic flags occupy 6 bits of the flag byte; RFC 3168 later added the ECE and CWR bits for ECN in the same byte, which scanners sometimes set to probe for ECN support. -When a flag bit is set to 1, that flag is on. -SYN scanning relies on three flags: SYN (the probe), and SYN/ACK versus RST in the reply, which tell the scanner whether a port is open or closed without completing the handshake.
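The following is an added example for these notes (not code from the CEH material, hping3 or nmap) that ties together the flag bits described above, the probe types listed under Port Scanning Techniques, and the Xmas-scan response rules given for the hping3 -F -P -U example. It reads the flag byte and window from a raw TCP header and maps each probe type plus reply to the port state a scanner would report. The probe names, the 20-byte header builder and the sample SYN/ACK reply are constructed for illustration.

```python
"""Interpreting TCP scan replies from the flag bits in the TCP header.

Added example for these notes; it is not code from the CEH material,
hping3 or nmap. The probe names, the header layout helper and the
sample reply below are constructed for illustration.
"""
import struct
from typing import Optional, Tuple

# Flag bits in byte 13 of the TCP header (RFC 793). The six flags the notes
# list occupy the low six bits; ECE and CWR (RFC 3168) sit above them.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}

# Flags each probe type carries (hping3 / nmap equivalents in comments).
PROBES = {
    "syn":    SYN,              # hping3 -S,          nmap -sS
    "xmas":   FIN | PSH | URG,  # hping3 -F -P -U,    nmap -sX
    "fin":    FIN,              # hping3 -F,          nmap -sF
    "null":   0,                # no flags at all,    nmap -sN
    "ack":    ACK,              # hping3 -A,          nmap -sA
    "window": ACK,              # same probe as ACK; nmap -sW reads the window
}


def flags_to_str(flags: int) -> str:
    """Render a flag byte as e.g. 'SYN|ACK'."""
    return "|".join(n for b, n in FLAG_NAMES.items() if flags & b) or "none"


def build_tcp_header(sport: int, dport: int, flags: int, window: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header (checksum left at 0; not a sendable packet)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, 0, 0)


def parse_tcp_header(hdr: bytes) -> Tuple[int, int]:
    """Return (flags, window) from a raw TCP header of at least 20 bytes."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    return hdr[13], struct.unpack("!H", hdr[14:16])[0]


def classify(probe: str, reply_flags: Optional[int], reply_window: int = 0) -> str:
    """Port state a scanner reports for a probe type and its reply.

    reply_flags is None when nothing came back after retransmission.
    Assumes an RFC 793-compliant target: Windows and some other stacks
    answer FIN/NULL/Xmas probes to open ports with RST too, so those
    scans show every port as closed against them.
    """
    if probe not in PROBES:
        raise ValueError(f"unknown probe {probe!r}")
    if reply_flags is None:
        # Silence is ambiguous: a filter dropping the probe looks the same
        # as an open port ignoring a FIN/NULL/Xmas probe.
        return "open|filtered" if probe in ("xmas", "fin", "null") else "filtered"
    if probe == "syn":
        if reply_flags & SYN and reply_flags & ACK:
            return "open"       # half-open: scanner answers with RST, never connects
        return "closed" if reply_flags & RST else "unknown"
    if probe in ("xmas", "fin", "null"):
        return "closed" if reply_flags & RST else "unknown"
    if not reply_flags & RST:
        return "unknown"
    if probe == "ack":
        return "unfiltered"     # RST came back, so no stateful filter in the way
    return "open" if reply_window > 0 else "closed"   # window scan heuristic


# Constructed reply: SYN|ACK from port 80 with window 64240 (typical Linux value).
SAMPLE_SYNACK = build_tcp_header(80, 40000, SYN | ACK, 64240, seq=1, ack=1)

if __name__ == "__main__":
    f, w = parse_tcp_header(SAMPLE_SYNACK)
    print(flags_to_str(f), w, "->", classify("syn", f, w))
    print("xmas, no reply ->", classify("xmas", None))
```

The window-scan branch encodes the heuristic nmap documents for -sW (RST with a positive window means open); it only works against the minority of stacks that set the window differently for open and closed ports, which is why the ACK probe by itself is reported as unfiltered rather than open.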
IDS/Firewall Evasion Techniques Randomizing Host Order
The attacker scans the hosts of the target network in random order (nmap --randomize-hosts) rather than sequentially, so that the sweep towards the intended target behind the firewall does not show up as an obvious consecutive-address pattern in IDS logs.
IDS/Firewall Evasion Techniques Creating Custom Packets
The attacker crafts custom packets, for example with hping3 as in the examples above or with nmap --data-length / --data to append payload to probes, so that the probes no longer match the signatures an IDS or firewall uses to recognise default scanner traffic, and scans the intended target beyond the firewall with them.
IDS/Firewall Evasion Techniques Sending Bad Checksums
The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target (nmap --badsum). A correctly implemented host stack silently drops such packets, so any response that does come back was generated by a firewall or IDS in the path that did not bother to validate the checksum; this reveals the device and its rule set rather than the end host.
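Added example (not code from nmap or hping3) showing what a bad-checksum probe is: it computes the TCP checksum over the IPv4 pseudo-header as RFC 793 requires, builds a SYN segment with a correct and with a deliberately corrupted checksum, and shows that a compliant receiving stack accepts the first and drops the second, which is why a reply to the corrupted probe points at a middlebox. The addresses, ports and corruption mask are constructed for illustration.

```python
"""TCP checksum computation (RFC 793 / RFC 1071) and a deliberately bad one.

Added example for these notes, not code from nmap or hping3. The
addresses, ports and the corruption mask are constructed for illustration.
"""
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return internet_checksum(pseudo + segment)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              bad_checksum: bool = False) -> bytes:
    """20-byte SYN segment. With bad_checksum=True the checksum field is
    corrupted, which is what nmap --badsum does; the segment is otherwise
    well formed."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if bad_checksum:
        csum ^= 0x5A5A                        # arbitrary corruption mask
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def host_accepts(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What a compliant receiving stack does: recompute the checksum over
    the segment including its checksum field; a valid segment yields zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def reply_origin(host_accepts_segment: bool, got_reply: bool) -> str:
    """Attribute a reply to a bad-checksum probe (nmap's --badsum rationale):
    a stack that validates checksums never answers, so an answer came from
    something in the path that skipped validation."""
    if not got_reply:
        return "no reply: the host dropped it and nothing in the path answered"
    if host_accepts_segment:
        return "end host"
    return "middlebox (firewall/IDS) that skipped checksum validation"


if __name__ == "__main__":
    SRC, DST = "10.0.0.5", "10.0.0.25"        # constructed addresses
    good = build_syn(SRC, DST, 40000, 80)
    bad = build_syn(SRC, DST, 40000, 80, bad_checksum=True)
    print("good accepted:", host_accepts(SRC, DST, good))
    print("bad accepted: ", host_accepts(SRC, DST, bad))
    print(reply_origin(host_accepts(SRC, DST, bad), got_reply=True))
```

Note the pseudo-header: a checksum computed over the TCP bytes alone is wrong even when the arithmetic is right, which is the usual mistake when people try to reproduce what hping3 does by hand.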
IDS/Firewall Evasion Techniques Proxy Servers
The attacker uses a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.
IDS/Firewall Evasion Techniques Anonymizers
The attacker uses anonymizers, which allow them to bypass Internet censors and evade certain IDS and firewall rules, because the scan arrives from the anonymizer's address rather than the attacker's.
Scanning Tools: Metasploit https://www.metasploit.com
an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing
Scanning Tools: NetScanTools Pro https://www.netscantools.com
assists attackers in automatically or manually listing IPv4/IPv6 addresses, hostnames, domain names, and URLs
Banner Grabbing Countermeasures Disabling or Changing Banner:
o Display false banners to mislead or deceive attackers.
o Turn off unnecessary services on the network host to limit information disclosure.
o Use tools such as ServerMask (https://www.port80software.com) to disable or change banner information. ServerMask removes unnecessary HTTP header and response data and camouflages the server by providing false signatures. It also offers to eliminate file extensions such as .asp or .aspx, which clearly indicate that a site is running on a Microsoft server.
o Apache 2.x: the CEH material suggests the mod_headers module with a directive in httpd.conf to change the banner header and set the server name to "New Server Name"; the core directive ServerTokens Prod reliably trims the Server header to just "Apache" with no version or module details.
o Also set ServerSignature Off in httpd.conf (the line is ServerSignature followed by Off, not a single word) so that server-generated pages such as error pages and directory listings do not append a version footer.
o The details of the vendor and version in the banners should be disabled.
Banner Grabbing Countermeasures Hiding File Extensions from Web Pages:
o Hide file extensions to mask the web technology.
o Replace application mappings such as .asp with .htm or .foo, etc., to disguise the identity of the servers.
o Apache users can use mod_negotiation (Options +MultiViews), which lets a request for /page be served by page.php without the extension appearing in the URL.
o IIS users can use tools such as PageXchanger to manage the file extensions.
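Added example (not code from ServerMask, PageXchanger or Apache) that checks whether the two countermeasures above have actually taken effect: it parses an HTTP response and reports headers that still disclose a product version or technology, and lists URL paths whose extension gives away the server-side technology. The two responses (one from a default install, one after ServerTokens Prod / ServerSignature Off and removal of X-Powered-By) and the path list are constructed, not captured from a real server; the header and extension lists are assumptions to extend as needed.

```python
"""Checking HTTP responses for banner and file-extension disclosure.

Added example for these notes, not code from ServerMask, PageXchanger or
Apache. The two responses and the path list are constructed, not captured
from real servers.
"""
import re
from typing import Dict, List

# Constructed response from a default Apache/PHP install (versions exposed).
LEAKY = (b"HTTP/1.1 200 OK\r\n"
         b"Server: Apache/2.4.41 (Ubuntu)\r\n"
         b"X-Powered-By: PHP/7.4.3\r\n"
         b"Content-Type: text/html\r\n\r\n"
         b"<html>...</html>")

# Constructed response after ServerTokens Prod / ServerSignature Off and
# dropping X-Powered-By: product name only, no version.
HARDENED = (b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b"<html>...</html>")

# Headers that commonly disclose software (assumed list; extend as needed).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\b\d+(\.\d+)+\b")
# Extensions that reveal the server-side technology behind a URL (assumed list).
TECH_EXTENSIONS = (".asp", ".aspx", ".php", ".jsp", ".cfm", ".do")


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw: bytes) -> List[str]:
    """Report headers that give away product versions or technologies."""
    findings: List[str] = []
    for name, value in parse_headers(raw).items():
        if name not in DISCLOSING_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name} discloses a version: {value}")
        elif name != "server":                # a bare product name in Server is tolerable
            findings.append(f"{name} discloses a technology: {value}")
    return findings


def extension_findings(paths: List[str]) -> List[str]:
    """Paths whose extension reveals the web technology; the notes suggest
    mapping such extensions to .htm or hiding them entirely."""
    return [p for p in paths
            if p.lower().split("?", 1)[0].endswith(TECH_EXTENSIONS)]


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, banner_findings(resp) or ["no disclosure"])
    print(extension_findings(["/login.aspx", "/index.htm", "/api/v1/users"]))
```

Run it against a response captured with a HEAD request to your own server after changing httpd.conf; an empty findings list for both checks is the state the countermeasures aim for, and a version string surviving in X-Powered-By is the most common leftover because that header comes from the application runtime, not from Apache's own banner settings.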
Nmap Scan Time Reduction
Scan time can be reduced with Nmap's timing options, but speed trades against accuracy: the timing templates (-T0 paranoid through -T5 insane) set how aggressively probes are sent, and --min-rate, --max-retries and --host-timeout bound the packet rate, the number of retransmissions and the time spent per host. Scanning only the ports and hosts that matter (-p, --top-ports, -F) and skipping DNS resolution (-n) shorten a scan without dropping results, whereas cutting retries or pushing the rate on a lossy network produces ports wrongly reported as filtered.
Ping Sweep Tools: Angry IP Scanner https://www.angryip.org
pings each IP address to check if any of these addresses are live. Then, it optionally resolves hostnames, determines the MAC address, scans ports, etc.