Chapter 3 - Scanning
Passive banner grabbing
Reading error messages, sniffing network traffic, looking at page extensions
hping
- Command line-oriented TCP/IP packet assembler/analyzer
- Works on the following unix-like systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X, Windows (Check "h" tab for more)
Hping3 switches
-1 sets ICMP mode
-2 sets UDP mode
-8 sets scan mode, expecting an argument for the ports to be scanned
-9 sets hping in listen mode, to trigger on a signature argument when it sees it come through
-flood sends packets as fast as possible, without taking care to show incoming replies
-Q used in order to collect sequence numbers generated by the target host
-F sets the FIN flag
-S sets the SYN flag
-R sets the RST flag
-P sets the PSH flag
-A sets the ACK flag
-U sets the URG flag
-X sets the XMAS scan flag
NMAP Switches
-sS SYN scan or half open scan
-sT TCP connect (3-way handshake)
-sF FIN scan
-sX Xmas scan (FIN URG PSH set)
-sC Run default script
-sP Ping scan
-sV Version detection
-sU UDP scan
-sO IP Protocol scan
-O OS Scan
-sA ACK Scan
-sW Windows scan
-sR RPC Scan (alias for -sV)
-sL List Scan
-sI Idle Scan
-b FTP Bounce Scan
-P0 Don't ping
-PT TCP PING
-PS SYN PING
-PI ICMP PING
-PB PI and PT ping
-PP ICMP Timestamp
-PM ICMP Netmask
-oN Normal output
-oX XML output
-oG NMAP Grepable output
-oA NMAP All output
-P specify port range (-P 1-2521)
-T0 serial, slowest scan
-T1 serial, slowest scan
-T2 serial, normal speed scan
-T3 parallel, normal speed scan
-T4 parallel, fast scan
Scanning Methodology
1. Check for live systems - gives you a list of what's actually alive on your network subnet
2. Check for open ports - once you know the active IP addresses, find what ports they're listening on
3. Scan beyond IDS
4. Perform banner grabbing - will tell you what operating system is on the machines
5. Scan for vulnerabilities
6. Draw network diagrams
7. Prepare proxies
Fragmenting Packets
1. Crack apart packets before they're sent so the IDS can't recognize them.
2. i.e., splitting apart the TCP header so the IDS sees useless chatter.
3. aka Session Splicing
Nmap (GUI version Zenmap) (ping sweep)
A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.
Netcat
A network utility program that reads from and writes to network connections.
Anonymizer
An intermediary Web site that hides or disguises the IP address associated with the Internet user. Generally, these sites allow a person to engage in various Internet activities without leaving an easily traceable digital footprint.
ping sweep tools
Angry IP Scanner, SolarWinds Engineer Toolset, Network Ping, SuperScan
nbtstat command
Displays NetBIOS information for IP-based networks.
<1B> unique - domain master browser
<1C> unique - domain controller
<1D> group - master browser for the subnet
<00> unique - hostname
<00> group - domain name
<03> unique - service running on the system
<20> unique - server service running
mobile ip scan tools
IP Scanner, Fing, Hackode, zANTi, PortDroid Network Analysis
Active banner grabbing
Sending specially crafted packets to the system to guess the OS based on responses
UDP scan
Sends UDP requests to a target port. If there is no reply, the port is assumed open; a Destination Unreachable reply means the port is closed.
netstat -an (command)
This displays TCP and UDP connections in numeric format.
SMTP commands
VRFY - validates user
EXPN - provides the actual delivery addresses of mailing lists and aliases
RCPT TO - defines recipients
Type 4: source quenched
a congestion control message
Type 8: (echo request)
a ping message, requesting an echo reply
list scan
another option for identifying machines (ones that were live at some time); basically just runs a reverse DNS lookup on all IPs in the subnet
Type 0: (echo reply)
answers to a type 8 echo request
XMAS
called a Christmas scan because all flags are turned on, so the packet is lit up like a Christmas tree; same responses as inverse
Limited Broadcast
delivered to every system inside the broadcast domain, and they use IP address they are ignored
CurrPorts
displays a list of all currently opened TCP/IP and UDP ports on your local computer, including information about the process that opened the port, the process name, full path, version information, the time it was created, and the user who created it
Type 3: destination unreachable
error message indicating the host or network cannot be reached
0 - destination network unreachable
1 - destination host unreachable
6 - network unknown
7 - host unknown
9 - network administratively prohibited
10 - host administratively prohibited
13 - communication administratively prohibited
Linux enumeration commands
finger - provides information on the user and host machine
rpcinfo and rpcclient - provide information on RPC in the environment
showmount - displays all the shared directories on the machine
SYN - TCP header flags
flag is set during initial communication establishment; indicates negotiation of parameters and sequence numbers
"netstat -b" Command
for admin - you can see the executable tied to the open port
RST (TCP flag)
forces a termination of communications
PSH (TCP flag)
forces the delivery of data without concern for any buffering
OpenVAS
free version of Nessus - vulnerability scanner
proxies
hackers can send commands and requests to the proxy and let the proxy relay them to the targets
simple hping sweep
hping3 -1 (ip address)
security ID (SID)
identifies user, group, and computer accounts and follows a specific format: it consists of an S, followed by a revision number, an authority value, a domain or computer indicator, and an RID
URG (TCP flag)
indicates the data inside is being sent out of band. Cancelling a message mid-stream is one example
The onion routing (Tor)
installs a small client on the machine, which then gets a list of other clients running Tor from a directory - the client then bounces internet requests across random Tor clients to the destination, with the destination end having very little means to trace the original request back
banner grabbing
involves sending an unsolicited request to an open port to see what, if any, default message is returned; telnet can be used for this
enumeration
listing the items we find within a specific target: we create connections to a device, perform specific actions to ask specific questions, and then use the results to identify potential attack vectors
Proxy chains
multiple proxies further hide your activities
NetBIOS Enumeration
obtain a list of computers that belong to a domain. Tool: nbtstat
Stealth (Half-open) Scan (SYN scans)
only SYN packets are sent to ports (no completion of the three-way handshake) - good for hiding efforts; same responses as a TCP connect scan
resource identifier RID
portion of the overall SID identifying a specific user, computer, or domain
- RID starts at 500 for the administrator account
- the next account on the system, Guest, is RID 501
- all users created for the system start at 1000 and increment from that point
Scanning
process of discovering systems on the network and taking a look at what open ports and applications may be running
Superscan
provides ping sweeps and port scans against individual systems or entire subnets
full connect (TCP connect or full open scan)
runs through a full connection (three-way handshake) on ports, tearing it down with an RST at the end
- open ports - SYN/ACK
- closed ports - RST
pinging of the network IS
sending ICMP echo request packets to the network IP address as "ICMP echo scanning"
Active OS Fingerprinting
sends specially crafted packets to the remote OS and analyzes the received response.
directed broadcast
sent to all devices on a subnet and they use the subnet's broadcast address
type 5: redirect
sent when there are two or more gateways available for the sender to use and the best route available to the destination is not the configured default gateway
0 - redirect datagram for the network
1 - redirect datagram for the host
ACK (TCP flag)
set as an acknowledgement to SYN flags; this is set on all segments after the initial SYN flag
FIN (TCP flag)
signifies an ordered close to communications
Passive OS fingerprinting
sniffing packets without injecting any packets into the network - examining things like TTL, window sizes, don't fragment (DF) flags, and type of service
Source Routing Attacks
source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyze the source routing information
Qualys FreeScan
testing websites and applications for OWASP top risks and malware
ACK flag probe
the attacker sends the ACK flag and looks at the return header to determine the port status
- can check filtering at the remote end (if an ACK is sent and there is no response, a stateful firewall is between the attacker and host)
- in the TTL version: if the TTL of the returned RST packet is less than 64, the port is open
- in the windows version: if the WINDOW size on the RST packet is anything other than 0, the port is open
type 11: time exceeded
the packet took too long to be routed to the destination (code 0 is TTL expired)
Colasoft's packet builder
this (and other packet builders) can be used to create fragmented packets to bypass the IDS in your target network; it has three views:
1. packet list - displays all constructed packets
2. decode editor - allows you to edit packets
3. hex editor - displays the packet in hex for editing
IPv4 three main address types
unicast - acted on by a single recipient
multicast - acted on only by members of a specific group
broadcast - acted on by everyone in the network
Inverse TCP Flag Scanning
uses the FIN, URG, or PSH flag to poke at system ports
- port open - no response
- port closed - an RST/ACK response
IDLE
uses a spoofed IP address (idle zombie system) to elicit port responses during a scan; the scan uses a SYN flag and monitors responses as with a SYN scan
scan type defined by
- what flags are set in the packets before delivery
- what responses you expect from ports
- how stealthily the scan works