Module 03: Scanning Networks
Window-based ACK Flag Probe scanning
If the RST packet returned for a particular port carries a non-zero window value, that port is open; a zero window means it is closed (nmap -sW). This relies on a quirk of a minority of TCP stacks, so on most hosts every port comes back with the same window value and the scan learns nothing beyond what an ACK scan does
TTL-based ACK Flag Probe scanning
If the TTL value of the RST packet returned for a particular port is lower than the boundary value of 64 (in practice, lower than the TTL of the RSTs the same host sends for its other ports), that port is open. Like the window-based variant, this depends on old stack quirks rather than on the protocol, so treat a hit as a hint to confirm with another scan type
ICMP Timestamp and Address Mask Ping Scan
These techniques (ICMP Timestamp request, type 13, nmap -PP; ICMP Address Mask request, type 17, nmap -PM) are alternatives to the traditional ICMP ECHO ping scan and are used to determine whether the target host is live, specifically when administrators block ICMP ECHO requests but forget to filter the other ICMP types
SSDP Scanning
1) SSDP (Simple Service Discovery Protocol) is a network protocol that works in conjunction with UPnP to detect plug-and-play devices; it runs over UDP port 1900 2) Vulnerabilities in UPnP implementations may allow attackers to launch buffer overflow or DoS attacks 3) Attackers may use the UPnP SSDP M-SEARCH Information Discovery tool (a Metasploit auxiliary scanner module) to check whether a machine is vulnerable to UPnP exploits
Source Routing
1) Normally, as a packet travels through the network, each router examines the destination IP address and chooses the next hop that moves the packet toward its destination 2) Source routing refers to sending a packet to the intended destination with a partially (loose source route) or completely (strict source route) specified path carried in IP options, in order to evade an IDS or firewall that sits on the normal path 3) The attacker, rather than the routers, makes some or all of these forwarding decisions; most current routers and hosts drop source-routed packets, so the technique rarely works today
SCTP COOKIE ECHO Scanning
1) Attackers send a COOKIE ECHO chunk to the target host (nmap -sZ); no response implies that the port is open (Nmap reports open|filtered, since a dropped probe looks the same), whereas an ABORT chunk response means that the port is closed 2) It is not blocked by non-stateful firewall rulesets, because a COOKIE ECHO looks like the middle of an existing association rather than the start of a new one 3) Only a good IDS will be able to detect SCTP COOKIE ECHO chunk scanning
ACK Flag Probe Scan
1) Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (window size, TTL) of the RST packets received to determine whether the port is open or closed 2) It can also be used to check the filtering system of a target (nmap -sA) 3) Attackers send an ACK probe packet with a random sequence number; no response implies that the port is filtered (a stateful firewall dropped the unsolicited ACK), whereas an RST response means that the port is not filtered (Nmap reports unfiltered, which says nothing about whether it is open or closed)
Xmas Scan
1) Attackers send a TCP frame to a remote device with the FIN, URG, and PSH flags set (nmap -sX) 2) Like FIN and NULL scanning, Xmas scanning works only against OSes whose TCP/IP stack follows RFC 793, which requires a closed port to answer with RST and an open port to drop the segment silently 3) It will not work against any current version of Microsoft Windows, which answers every such probe with RST, so all ports appear closed
SCTP INIT Scanning
1) Attackers send an INIT chunk to the target host (nmap -sY); an INIT-ACK chunk response implies that the port is open, whereas an ABORT chunk response means that the port is closed 2) No response from the target, or an ICMP unreachable error, indicates that the port is filtered
Passive Banner-grabbing
1) Banner grabbing from error messages (for example, a default 404 page that names the server software and version) 2) Sniffing the network traffic 3) Banner grabbing from page extensions (.aspx suggests ASP.NET on IIS, .php suggests PHP, and so on)
How to identify target system OS
1) By looking at the Time To Live (TTL) in the IP header and the TCP window size in the TCP header of the first packet of a TCP session 2) Sniff/capture the response generated by the target machine using a packet sniffer such as Wireshark and observe the TTL and TCP window size fields; typical initial TTL values are 64 for Linux and other Unix-like systems, 128 for Windows, and 255 for many network devices, and the captured TTL is that value minus the number of hops
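As an added example (not part of the original notes), the following Python does what the two points above describe: it pulls the TTL and window size out of a raw IPv4/TCP packet, the way you would from a Wireshark capture, rounds the TTL up to the nearest common initial value to estimate the hop count, and guesses the OS family. The signature table is a constructed list of commonly cited defaults and is an assumption, not a fingerprint database; vendors and administrators can tune both values, so the result is a hint to confirm with active fingerprinting.

```python
import struct

# Initial TTL values OS vendors commonly choose; a captured TTL is the initial
# value minus the number of router hops between the target and the sniffer.
INITIAL_TTLS = (64, 128, 255)

# (initial TTL, TCP window of the first SYN) -> OS family.  Constructed table of
# commonly cited defaults for illustration only (an assumption, not a database);
# real stacks can be tuned away from these values.
SIGNATURES = {
    (64, 65535): "FreeBSD / macOS",
    (64, 5840): "Linux 2.4/2.6",
    (64, 29200): "Linux 3.x/4.x",
    (64, 64240): "Linux 5.x",
    (128, 8192): "Windows 7 / Server 2008",
    (128, 64240): "Windows 10 / Server 2016+",
    (255, 4128): "Cisco IOS",
}

# Fallback when only the TTL family is recognisable.
TTL_FAMILY = {
    64: "Linux/Unix-like (TTL 64 family)",
    128: "Windows (TTL 128 family)",
    255: "Network device / Solaris (TTL 255 family)",
}


def parse_ttl_and_window(packet):
    """Pull IP TTL and TCP window size out of a raw IPv4+TCP packet (no link layer)."""
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = packet[ihl:]
    window = struct.unpack("!H", tcp[14:16])[0]   # window field sits at TCP offset 14
    return ttl, window


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value; the
    difference is the hop count between the target and the sniffer."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("a TTL above 255 cannot occur")


def fingerprint(observed_ttl, window):
    """Guess the OS family from TTL and window; fall back to the TTL family alone."""
    initial, hops = infer_initial_ttl(observed_ttl)
    os_guess = SIGNATURES.get((initial, window)) or TTL_FAMILY[initial]
    return {"os": os_guess, "initial_ttl": initial, "hops": hops}


def build_sample_syn(ttl, window, src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x09"):
    """Constructed IPv4+TCP SYN used as sample input (assumed addresses); checksums
    are left zero because the packet is only parsed here, never transmitted."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", 40123, 80, 1000, 0, 0x50, 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for ttl, window in ((53, 64240), (116, 8192), (251, 4128)):
        pkt = build_sample_syn(ttl, window)
        print(fingerprint(*parse_ttl_and_window(pkt)))
```

The hop estimate only holds when the sniffer sees the packet on the path from the target; a TTL of 53 is eleven hops from a 64 default but also seventy-five hops from 128, which is why the smallest plausible initial value is taken.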
IP address spoofing
1) Changing the source IP address so that the attack appears to come from someone else 2) When the victim replies, the reply goes to the spoofed address rather than the attacker's real address, so spoofing only suits one-way or connectionless traffic and cannot complete a TCP three-way handshake 3) Attackers modify the source address field in the IP packet header in order to bypass an IDS or firewall that trusts particular source addresses
Disabling or Changing Banner
1) Display false banners to mislead or deceive attackers 2) Turn off unnecessary services on the network host to limit the disclosure of information 3) Use a tool such as ServerMask (for IIS) to remove or rewrite the HTTP Server header and other identifying headers
IDLE/IPID header scan
1) Every IP packet on the Internet carries a fragment identification number (IPID); many OSes increment the IPID by one for each packet sent, so probing the IPID of an idle host (the zombie) tells an attacker how many packets it has sent since the last probe 2) A machine that receives an unsolicited SYN|ACK packet responds with an RST, while an unsolicited RST is ignored; the attacker therefore sends SYNs to the target spoofed from the zombie's address and re-probes the zombie (nmap -sI): an IPID increase of 2 between probes means the target port is open (the target's SYN|ACK made the zombie send an RST), whereas an increase of 1 means closed or filtered, and the attacker's own address never appears in the target's logs
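Added example (not from the original notes): a self-contained simulation of the IPID arithmetic above. The zombie and target are constructed stand-ins for real hosts, with the zombie modelled as a stack that uses one global IPID counter; that property, plus the zombie being genuinely idle, is the assumption the whole technique rests on, and the `background` parameter shows what happens when it fails.

```python
import random


class ZombieHost:
    """Constructed model of an idle host whose stack uses one global IPID counter
    that goes up by one for every packet it sends (the property an idle scan
    depends on).  `background` packets per probe interval simulate other traffic."""

    def __init__(self, start_ipid, background=0):
        self.ipid = start_ipid
        self.background = background

    def _send(self):
        self.ipid = (self.ipid + 1) & 0xFFFF     # IPID is a 16-bit field and wraps
        return self.ipid

    def on_syn_ack(self):
        # Unsolicited SYN|ACK: the stack answers RST, which consumes an IPID.
        return self._send()

    def on_rst(self):
        # Unsolicited RST: silently ignored, nothing is sent.
        return None

    def idle_time_passes(self):
        # Any traffic the zombie sends on its own also bumps the counter.
        for _ in range(self.background):
            self._send()


class TargetHost:
    """Constructed target: answers a SYN according to port state, sending the
    reply to whatever source address the SYN carried."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def on_syn(self, dport, reply_to):
        if dport in self.filtered_ports:
            return                      # firewall drops it, nobody hears anything
        if dport in self.open_ports:
            reply_to.on_syn_ack()       # SYN|ACK goes to the spoofed source
        else:
            reply_to.on_rst()           # RST goes to the spoofed source


def probe_zombie_ipid(zombie):
    """Attacker step: send SYN|ACK to the zombie and read the IPID of its RST."""
    return zombie.on_syn_ack()


def idle_scan_port(zombie, target, port):
    """One port of an idle scan (what nmap -sI automates).  The attacker never
    sends anything to the target from its own address."""
    before = probe_zombie_ipid(zombie)
    target.on_syn(port, reply_to=zombie)    # SYN spoofed from the zombie's IP
    zombie.idle_time_passes()
    after = probe_zombie_ipid(zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"                   # zombie RST'd the target's SYN|ACK, then our probe
    if delta == 1:
        return "closed|filtered"        # only our own probe moved the counter
    return "unreliable"                 # zombie not idle, or IPID not sequential


def idle_scan(zombie, target, ports):
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == "__main__":
    zombie = ZombieHost(start_ipid=random.randint(1, 60000))
    target = TargetHost(open_ports={22, 80}, filtered_ports={445})
    print(idle_scan(zombie, target, [22, 23, 80, 445]))      # 22/80 open, rest closed|filtered
    busy = ZombieHost(start_ipid=100, background=3)
    print(idle_scan(busy, target, [22, 23]))                  # every port "unreliable"
```

Real Nmap sends several probes per port and checks the zombie's IPID class first (incremental, random, or per-host) for exactly the reason the busy-zombie case shows: a host that talks to anyone else between the two probes destroys the signal.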
Hiding File extensions from web pages
1) File extensions reveal information about the underlying server technology that an attacker can use to launch attacks 2) Hide file extensions to mask the web technologies in use 3) Change application mappings (for example, serve server-side pages under a generic extension) to disguise the identity of the server
Service Version Discovery
1) Helps attackers obtain information about the services running on a target system and their versions 2) An accurate service version number lets attackers determine whether the target is vulnerable to particular exploits 3) In Nmap (and its Zenmap GUI), the -sV option enables service version detection
IPv6 Scanning
1) IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy, which makes sweeping a whole subnet address by address impractical 2) Attackers instead need to harvest IPv6 addresses from network traffic, recorded logs, or Received: header lines in archived emails 3) Attackers can use the -6 option in Nmap (and Zenmap) to perform IPv6 scanning of the addresses they have collected
ICMP ECHO Ping Scan
1) Involves sending ICMP ECHO requests (type 8) to a host; if the host is live, it returns an ICMP ECHO reply (type 0) 2) This scan is useful for locating active devices or determining whether ICMP is passing through a firewall (nmap -sn -PE)
Stealth Scan (Half-open scan)
1) Involves sending a SYN, reading the reply (SYN|ACK means open, RST means closed), and then abruptly resetting the TCP connection with an RST before the three-way handshake completes, leaving the connection half-open so that the application never sees or logs it (nmap -sS; needs raw socket privileges) 2) Attackers use stealth scanning techniques to bypass firewall rules as well as application logging, and to hide their probes under the appearance of regular network traffic
Drawing of network diagrams
1) Provides an attacker with valuable information about the network and its architecture 2) Shows the logical or physical path to a potential target
Network Scanning
1) Refers to a set of procedures used for identifying hosts, ports, and services in a network 2) It is one component of intelligence gathering that an attacker can use to build a profile of the target organization
IP address Decoy
1) Refers to generating or manually specifying the IP addresses of decoys (nmap -D) in order to evade an IDS or firewall 2) It appears to the target that the decoys as well as the attacker's host(s) are scanning the network 3) This makes it difficult for the IDS or firewall to determine which IP address was actually scanning the network and which were decoys; the attacker's real address must still be among them, because that is the only one that receives the replies
Source Port Manipulation
1) Refers to setting the source port of probe packets to a common, trusted port number (such as 53 for DNS or 80 for HTTP) instead of an ephemeral one in order to evade an IDS or firewall 2) It works when a firewall is misconfigured to allow any packet whose source port belongs to a well-known service such as HTTP, DNS, or FTP 3) Nmap uses the -g or --source-port option to set the source port
Packet Fragmentation
1) Refers to splitting a probe packet into several small IP fragments while sending it to the target 2) It is not a new scanning method but a modification of the previous techniques (nmap -f sends 8-byte fragments; --mtu sets any other multiple of 8) 3) The TCP header is split across several fragments so that a stateless packet filter, which inspects each fragment on its own, cannot see the TCP flags and determine what the packets are intended to do; the destination host and any stateful firewall reassemble the fragments before inspection, so the technique only fools filters that do not
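Added example (not part of the original notes) showing the mechanics of point 3: a constructed TCP SYN header is cut into 8-byte IP fragments the way nmap -f does, a stateless filter's view of each fragment is checked for the TCP flags byte, and the fragments are reassembled the way the receiving host does. Addresses, ports and the IP identification value are assumed sample values; checksums are left zero because nothing is transmitted.

```python
import struct

MF_FLAG = 0x2000          # "More Fragments" bit in the IP flags/fragment-offset word
TCP_FLAGS_OFFSET = 13     # byte position of the flags field inside a TCP header


def build_tcp_syn(sport, dport):
    """Constructed 20-byte TCP SYN header (checksum zero: parsed only, never sent)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)


def build_ip_header(payload_len, ident, flags_frag=0, proto=6, ttl=64,
                    src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x09"):
    """Constructed IPv4 header without options (checksum zero, assumed addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, ttl, proto, 0, src, dst)


def fragment(payload, ident, frag_size=8):
    """Split payload across IP fragments of frag_size bytes, as nmap -f does
    (8 bytes) or --mtu does (any other multiple of 8)."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        flags_frag = (MF_FLAG if more else 0) | (off // 8)   # offset is in 8-byte units
        frags.append(build_ip_header(len(chunk), ident, flags_frag) + chunk)
    return frags


def fragment_offset(pkt):
    """(byte offset, more-fragments flag) read from a fragment's IP header."""
    word = struct.unpack("!H", pkt[6:8])[0]
    return (word & 0x1FFF) * 8, bool(word & MF_FLAG)


def tcp_flags_seen_by_stateless_filter(pkt):
    """A filter that inspects each fragment on its own only sees the TCP flags if
    that byte happens to lie inside this fragment; None means 'cannot tell'."""
    off, _ = fragment_offset(pkt)
    data = pkt[20:]
    if off <= TCP_FLAGS_OFFSET < off + len(data):
        return data[TCP_FLAGS_OFFSET - off]
    return None


def reassemble(fragments):
    """What the destination host (or a stateful firewall) does before inspecting
    anything: order the fragments by offset and glue the payload back together."""
    pieces, total = {}, None
    for pkt in fragments:
        off, more = fragment_offset(pkt)
        pieces[off] = pkt[20:]
        if not more:
            total = off + len(pkt[20:])
    payload = b"".join(pieces[o] for o in sorted(pieces))
    if total is None or len(payload) != total:
        raise ValueError("incomplete fragment set")
    return payload


if __name__ == "__main__":
    syn = build_tcp_syn(40123, 80)
    frags = fragment(syn, ident=0x4242)
    for i, f in enumerate(frags):
        print(i, fragment_offset(f), tcp_flags_seen_by_stateless_filter(f))
    print(reassemble(reversed(frags)) == syn)   # order on the wire does not matter
```

With 8-byte fragments the first one carries only the source and destination ports and the sequence number; the SYN bit is in the second fragment, which a filter keying on "first fragment, SYN set" never examines. The reassembler is deliberately naive (no timeout, no overlap handling), which is also why real stacks and firewalls treat overlapping fragments as suspicious.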
List Scanning
1) Simply generates and prints a list of IPs/names without actually pinging or scanning them (nmap -sL) 2) A reverse DNS resolution is performed to identify the host names, which is the only traffic this scan sends
Active banner-grabbing
1) Specially crafted packets are sent to the remote host and the responses are noted (active OS fingerprinting, nmap -O) 2) The responses are then compared with a fingerprint database to determine the OS 3) Responses from different OSes vary because of differences in their TCP/IP stack implementations (initial TTL, window size, option ordering, handling of unusual flag combinations)
TCP Connect/Full Open Scan
1) The TCP connect scan (nmap -sT) detects an open port by completing the three-way handshake through the operating system's connect() call 2) It establishes a full connection and then closes it by sending an RST packet, so unlike a half-open scan the connection is visible to the application and its logs 3) It does not require superuser privileges
OS Discovery/ Banner Grabbing
1) The method used to determine the operating system running on a remote target system 2) Identifying the OS used on the target host allows an attacker to figure out which vulnerabilities the system may have and which exploits might work against it in order to carry out further attacks
UDP Port Closed
1) The system responds with an ICMP port unreachable message (type 3, code 3) 2) Spyware, Trojan horses, and other malicious applications use UDP ports, which is one reason not to skip UDP when scanning
UDP port Open
1) There is no three-way handshake for UDP scanning (nmap -sU), so there is no SYN|ACK to confirm an open port 2) The system does not respond when a port is open unless the service answers the probe payload; silence therefore means open|filtered, and because most targets rate-limit ICMP port unreachable messages, UDP scans are much slower than TCP scans
Objectives of network scanning
1) To discover live hosts, their IP addresses, and the open ports of live hosts 2) To discover operating systems and system architecture 3) To discover services running on hosts 4) To discover vulnerabilities in live hosts
ICMP ECHO Ping Sweep
1) Used to determine the live hosts in a range of IP addresses by sending ICMP ECHO requests to multiple hosts; if a host is alive, it returns an ICMP ECHO reply (for example, nmap -sn -PE against a CIDR range) 2) Attackers calculate subnet masks with a subnet mask calculator to identify the number of hosts present in the subnet 3) Attackers then use a ping sweep to create an inventory of live systems in the subnet
Proxy Server
An application that serves as an intermediary for connecting to other computers; attackers route scans through a proxy (or a chain of proxies) so that the target sees the proxy's address rather than the attacker's
ARP Ping Scan
Attackers send ARP request probes to target hosts, and an ARP response indicates that the host is active (nmap -PR); this only works on the attacker's own local subnet because ARP is not routed, but there it is the most reliable method, since a host must answer ARP to communicate at all and host firewalls rarely block it
TCP Maimon Scan
Attackers send FIN/ACK probes (nmap -sM); if there is no response, the port is open|filtered, but if an RST packet is sent in response, the port is closed. The technique relies on BSD-derived stacks that drop the probe when the port is open rather than answering RST as RFC 793 requires, so on most other systems every port appears closed
Inverse TCP flag scan
Attackers send TCP probe packets with a single TCP flag (FIN, URG, or PSH) set, or with no flags at all (NULL scan, nmap -sN; FIN scan, nmap -sF); no response implies that the port is open (Nmap reports open|filtered, since a firewall silently dropping the probe looks identical), whereas an RST response means that the port is closed
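The response-to-state rules scattered across these cards (window-based and TTL-based ACK probe scans, SCTP COOKIE ECHO and INIT scans, the ACK flag probe, Xmas, stealth/SYN, TCP connect, UDP open/closed, Maimon, and inverse TCP flag scans) fit in one decision function. The following Python is an added example, not code from the original notes or from Nmap: `parse_reply` reduces a raw IPv4 reply to the few facts the rules care about (TCP flags, window and TTL, ICMP type/code, SCTP chunk type) and `classify` applies the rules, using Nmap's state names. The reply builders at the bottom produce constructed sample packets with assumed addresses and zero checksums; the `baseline_ttl` for the TTL scan is an assumed value that in practice comes from the RSTs the same host sends for its other ports.

```python
import struct

TCP_RST, TCP_SYN_ACK = 0x04, 0x12            # TCP flag masks
ICMP_UNREACH_FILTERED = {1, 2, 9, 10, 13}    # unreachable codes Nmap treats as "filtered"


def parse_reply(pkt):
    """Reduce a raw IPv4 reply (no link layer; None for a timeout) to
    (kind, ttl, window).  kind is one of: none, syn_ack, rst, udp,
    icmp_port_unreach, icmp_unreach, init_ack, abort, other."""
    if pkt is None:
        return ("none", None, None)
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto, body = pkt[8], pkt[9], pkt[ihl:]
    if proto == 6:                                   # TCP
        flags = body[13]
        window = struct.unpack("!H", body[14:16])[0]
        if flags & TCP_RST:
            return ("rst", ttl, window)
        if flags & TCP_SYN_ACK == TCP_SYN_ACK:
            return ("syn_ack", ttl, window)
        return ("other", ttl, window)
    if proto == 17:                                  # UDP: the service answered
        return ("udp", ttl, None)
    if proto == 1:                                   # ICMP
        icmp_type, code = body[0], body[1]
        if icmp_type == 3 and code == 3:
            return ("icmp_port_unreach", ttl, None)
        if icmp_type == 3 and code in ICMP_UNREACH_FILTERED:
            return ("icmp_unreach", ttl, None)
    if proto == 132:                                 # SCTP: chunk type follows the 12-byte common header
        chunk_type = body[12]
        if chunk_type == 2:
            return ("init_ack", ttl, None)
        if chunk_type == 6:
            return ("abort", ttl, None)
    return ("other", ttl, None)


def classify(scan, reply, baseline_ttl=64):
    """Port state for one probe/reply pair, following the rules in the notes."""
    kind, ttl, window = reply
    if scan in ("syn", "connect"):
        return {"syn_ack": "open", "rst": "closed"}.get(kind, "filtered")
    if scan == "ack":                 # only answers "is a stateful filter in the way?"
        return "unfiltered" if kind == "rst" else "filtered"
    if scan == "window":              # non-zero window in the RST -> open (quirky stacks only)
        if kind != "rst":
            return "filtered"
        return "open" if window > 0 else "closed"
    if scan == "ttl":                 # RST TTL below the host's usual RST TTL -> open
        if kind != "rst":
            return "filtered"
        return "open" if ttl < baseline_ttl else "closed"
    if scan in ("fin", "null", "xmas", "maimon"):
        return {"none": "open|filtered", "rst": "closed"}.get(kind, "filtered")
    if scan == "udp":
        return {"udp": "open", "icmp_port_unreach": "closed",
                "none": "open|filtered"}.get(kind, "filtered")
    if scan == "sctp_init":
        return {"init_ack": "open", "abort": "closed"}.get(kind, "filtered")
    if scan == "sctp_cookie":
        return {"none": "open|filtered", "abort": "closed"}.get(kind, "filtered")
    raise ValueError("unknown scan type: %s" % scan)


# Constructed sample replies (assumed addresses, checksums zero: parsed, never sent).
def ip_reply(proto, ttl, body):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl,
                       proto, 0, b"\x0a\x00\x00\x09", b"\x0a\x00\x00\x05") + body

def tcp_reply(flags, window=0, ttl=64):
    return ip_reply(6, ttl, struct.pack("!HHIIBBHHH", 80, 40123, 0, 1, 0x50, flags, window, 0, 0))

def icmp_reply(icmp_type, code, ttl=64):
    return ip_reply(1, ttl, struct.pack("!BBHI", icmp_type, code, 0, 0))

def sctp_reply(chunk_type, ttl=64):
    common = struct.pack("!HHII", 80, 40123, 0, 0)
    return ip_reply(132, ttl, common + bytes([chunk_type, 0, 0, 4]))


if __name__ == "__main__":
    print(classify("syn", parse_reply(tcp_reply(TCP_SYN_ACK))))           # open
    print(classify("window", parse_reply(tcp_reply(0x14, window=5840))))   # open
    print(classify("xmas", parse_reply(None)))                              # open|filtered
    print(classify("udp", parse_reply(icmp_reply(3, 3))))                   # closed
    print(classify("sctp_init", parse_reply(sctp_reply(6))))                # closed
```

The two "filtered" outcomes are worth keeping apart when reading results: an ICMP unreachable with an administratively-prohibited code is positive evidence of a filter, while a plain timeout is only the absence of evidence, which is why the FIN/NULL/Xmas/Maimon, UDP and COOKIE ECHO rows all report open|filtered rather than open.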
UDP Ping Scan
Attackers send UDP packets to target hosts (nmap -PU), and either a UDP response or an ICMP port unreachable error indicates that the host is active; the ICMP error is the usual result, because the probe is deliberately aimed at a port that is likely to be closed
TCP ACK Ping Scan
Attackers send empty TCP ACK packets to a target host (nmap -PA), and an RST response means that the host is active; this gets through stateless firewalls that only block incoming SYNs, but a stateful firewall drops the unsolicited ACK
TCP SYN Ping Scan
Attackers send empty TCP SYN packets to a target host (nmap -PS), and either a SYN|ACK (open port) or an RST (closed port) response means that the host is active
IP Protocol Ping Scan
Attackers send probe packets to the target using different protocol numbers in the IP header (nmap -PO; ICMP, IGMP, and IP-in-IP by default), and any response to any probe, including an ICMP protocol unreachable error, indicates that the host is active
IDS/Firewall Evasion Techniques
An IDS or firewall can prevent malicious traffic (packets) from entering a network; attackers nevertheless manage to deliver their intended packets to the target by evading the IDS or firewall with techniques such as packet fragmentation, source routing, IP address decoys, source port manipulation, and proxies
Host discovery Techniques
Used to identify the active/live systems in a network before any ports are scanned, so that time is not wasted probing addresses with no host behind them (nmap -sn runs host discovery only)