© 2018 Caendra, Inc. - Hera For PTP - Scanning

You are a member of a penetration testing team and your task is to perform the
Infrastructure Information Gathering phase of a penetration test. The client would like to
know what non-obtrusive information can be extracted from the computers on the network.
Upon completing this phase, the client would like to see what information you were able to
obtain and from which machines.

We also know that each machine in the netblock is exposed to the Internet with its
own public IP address. Some of them are protected by a Firewall, and are only
reachable from other hosts in the corporate network.

Scope of Engagement: NETBLOCK: 10.50.96.0/23

The following image summarizes the Lab environment (diagram not reproduced in this text version):

Lab goals:

• Find all alive hosts
• Build a list (or a mind map) of open ports for each host.
• Determine services running on each port.
• Detect Operating Systems

What you will learn:

• Detecting Open/Closed/Filtered ports
• OS Fingerprinting
• Detecting Services
• Performing 100% stealth Idle Scans

This lab will present you with different tasks in order to fulfill these objectives.

The tasks are meant for educational purposes and to show you the usage of different tools
and different methods to achieve the same goal.

Important: They are not meant to be used as a methodology.

Armed with the skills acquired during these tasks, you can achieve the Lab goal.

Repeat this lab as often as you like, but if this is the first time you do this lab, we advise you
to follow these tasks.

Solutions are provided at the end of this document.

Tools:

• nmap
• hping3

Task 1

Perform an ICMP ping sweep with nmap and save the results into an XML file.

Which hosts have you found to be alive?

Host IP address

Now repeat the scan to also include probes to most common TCP ports.

Task 2

Use hping3 to perform a TCP SYN scan against the address 10.50.97.5. Scan ports
23, 53 and 135 and determine from the results which of them are open, which are closed
and which are filtered.

Status Ports
open
closed
filtered

Task 3

Use hping3 to perform a TCP scan from port 1 to port 1000 on the address 10.50.97.5. Which
ports are open?

Open Ports

Task 4

Use nmap to perform a UDP scan on host 10.50.97.5. This will reveal other
open or open|filtered ports.

Ports Open/Filtered Service

Task 5

Use nmap to perform a TCP SYN scan in order to find open/closed/filtered ports. Use
the information obtained in Task 1 to create a .txt file with the list of alive hosts, then feed
that file to nmap.

Host IP address Port Number open/closed/filtered

Task 6

Sometimes a DNS server is set up to only accept communications from specific source ports,
such as port 53. Use nmap or hping3 to find out whether there is any DNS server in the target
network with this policy:

DNS servers on the network accepting packets from source port 53

DNS IP address

Task 7

Perform an OS fingerprinting scan with nmap to check which OS is running on each of
the hosts found.

Host IP address Operating System

Task 8

Use nmap to detect all the services running on each host in the network.

Host IP address Services

Task 9

Use hping3 to find a good candidate to be a zombie for a possible idle scan. Once you have
found it, use nmap to confirm your results.

Zombie IP address Operating System

Nmap Results (Proof)

Task 10

We know that there is a host in the 10.50.96.0/24 subnet with the telnet service enabled on
its default port, but only hosts in the 10.50.97.0/24 subnet can use it. Use the zombie found
in the previous task to check which of the following hosts have port 23 open:

HOST OPEN CLOSED
10.50.96.105
10.50.96.110
10.50.96.115

*Extra Credit* Create a paragraph or document (for yourself) describing what you
discovered during this scan. This task is for your own reference; you will need to do similar
work for your penetration test report. If you have any questions or need any help, please
post your question to the PTP forum.

Solutions

Task 1

The nmap command to perform a ping sweep and save the results into an XML file is the
following:

nmap -PE -sn -n 10.50.96.0/23 -oX /root/Desktop/scan.xml

where -sn tells nmap not to run a port scan after host discovery, -PE enables
ICMP Echo request host discovery (ping scan) and -oX tells nmap to save the results
into an XML file (in our case the file is named scan.xml and is located in /root/Desktop).

Option -n is optional and skips DNS reverse lookup on all the IP addresses.

This scan finds 9 hosts:

Host IP address
10.50.96.1
10.50.96.105
10.50.96.110
10.50.96.115
10.50.97.1
10.50.97.5
10.50.97.10
10.50.97.20
10.50.97.25

Note: if you only use -sn without -PE, nmap uses ICMP requests, but will also send a TCP
SYN packet on ports 80 and 443 of each host.

Task 2

hping3 is one of the most powerful packet crafting tools. It makes it very easy to start a TCP
exchange with the flags of our choice in order to scan specific ports and hosts. We want to
scan ports 23, 53 and 135 on the address 10.50.97.5. For a SYN scan we have to set
the SYN flag and, according to the response, we can determine whether each port is
open, closed or filtered.

The command to use is:

hping3 -S -p 23 10.50.97.5

where:

• -S tells the tool to set the SYN flag,
• -p specifies the port to scan.

We already know that the host is alive, but if we run the previous command we receive
no packets back. This can happen when there is a firewall between us and the target that
blocks our packets.

In the same way as before, let’s use the previous command to scan port 53:

hping3 -S -p 53 10.50.97.5

In this case the tool tells us that it received the R flag (Reset) and the A (Acknowledgement)
flag. This means that the port 53 is closed.

The last port to check is 135. The command will look like this:

hping3 -S -p 135 10.50.97.5

In this case the flags are S and A, meaning that the port is open.

At the end this is what we have:

Status Ports
open 135
closed 53
filtered 23
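The three verdicts above follow one rule set: a SYN/ACK means open, a RST means closed, and silence means filtered. As an added example (not part of the lab material and not hping3's own code), the Python below applies those rules to hping3 transcripts and produces the same table. The transcripts are constructed to match the three probes, not captured from the lab. The ICMP rule goes slightly beyond the page: a firewall that rejects instead of dropping answers with an ICMP type 3 message, which hping3 prints as an "ICMP ... from ip=..." line and which nmap likewise reports as filtered.

```python
import re

# Constructed hping3 transcripts for the three probes (hypothetical, not the lab's real output).
# Real hping3 prints one "len=... flags=..." line per reply and a statistics block at the end.
HPING_OUTPUT = {
    23: """HPING 10.50.97.5 (eth0 10.50.97.5): S set, 40 headers + 0 data bytes

--- 10.50.97.5 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
""",
    53: """HPING 10.50.97.5 (eth0 10.50.97.5): S set, 40 headers + 0 data bytes
len=46 ip=10.50.97.5 ttl=128 DF id=2101 sport=53 flags=RA seq=0 win=0 rtt=0.9 ms
len=46 ip=10.50.97.5 ttl=128 DF id=2102 sport=53 flags=RA seq=1 win=0 rtt=0.8 ms

--- 10.50.97.5 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/0.9 ms
""",
    135: """HPING 10.50.97.5 (eth0 10.50.97.5): S set, 40 headers + 0 data bytes
len=46 ip=10.50.97.5 ttl=128 DF id=2103 sport=135 flags=SA seq=0 win=64240 rtt=1.1 ms
len=46 ip=10.50.97.5 ttl=128 DF id=2104 sport=135 flags=SA seq=1 win=64240 rtt=1.0 ms

--- 10.50.97.5 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.1/1.1 ms
""",
}

# one reply line: we only need the flags hping3 saw on the answer
REPLY_RE = re.compile(r"^len=\d+ ip=(?P<ip>\S+) .*?sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*)", re.M)
# the statistics block: tells us whether anything came back at all
STATS_RE = re.compile(r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) packets received")
# ICMP unreachable / admin-prohibited notices from a router or rejecting firewall
ICMP_RE = re.compile(r"^ICMP .*(Unreachable|filtered)", re.M | re.I)


def classify_syn_probe(output):
    """Map one hping3 -S transcript to an nmap-style port state."""
    flags_seen = {m.group("flags") for m in REPLY_RE.finditer(output)}
    if "SA" in flags_seen:
        return "open"          # SYN/ACK: something is listening on the port
    if any("R" in flags for flags in flags_seen):
        return "closed"        # RST (shown as RA): host reachable, nothing listening
    if ICMP_RE.search(output):
        return "filtered"      # an intermediate device rejected the probe explicitly
    stats = STATS_RE.search(output)
    if stats and int(stats.group("sent")) > 0 and int(stats.group("recv")) == 0:
        return "filtered"      # probes went out, nothing came back: silently dropped
    return "unknown"           # nothing sent, or a transcript shape we do not recognise


def summarize(outputs):
    """Group the probed ports by state: the table the task asks for."""
    table = {"open": [], "closed": [], "filtered": [], "unknown": []}
    for port, text in sorted(outputs.items()):
        table[classify_syn_probe(text)].append(port)
    return table


if __name__ == "__main__":
    for state, ports in summarize(HPING_OUTPUT).items():
        if ports:
            print(f"{state:<9} {', '.join(str(p) for p in ports)}")
```

The "unknown" bucket is deliberate: when hping3 sent nothing (wrong interface, no privileges) the absence of replies says nothing about the port, and reporting it as filtered would put a wrong fact in the client's report.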

Task 3

In order to perform a TCP scan with hping3 from port 1 to port 1000 we can use the
following option:

hping3 10.50.97.5 -S --scan known

This command scans the most common ports (all the ports listed in
/etc/services) and prints information about the open ports, which in our case are
135 and 445.

Task 4

Since the previous scan does not reveal anything about the open/closed/filtered state of
ports used by UDP services, we can use nmap to perform a UDP scan to get more
information about our target. To do that, we can use the following command:

nmap -sU 10.50.97.5

where:

• -sU tells nmap to perform a UDP scan.

Note that the open|filtered result means that no response has been received, and that
the port can be open or filtered by a firewall.

The result output should be similar to the following:

PORT STATE SERVICE
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
161/udp filtered snmp
162/udp filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike

Task 5

In Task 1 we found a list of alive hosts. We can use this information to create a .txt
file containing the list of IP addresses to scan. Once we have created the file, we can have
nmap perform a TCP SYN scan on it in order to find open/closed/filtered ports. The
command looks like this:

nmap -sS -iL /root/Desktop/list.txt

where:

• -sS is the option that tells Nmap to perform the TCP SYN Scan
• -iL tells Nmap to load the addresses to scan from the file ‘list.txt’

This command will take some time. To check the progress of the scan, press the up arrow
on your keyboard.
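Task 1 saved the sweep with -oX and Task 5 consumes a plain list with -iL; the step between them, picking the hosts nmap marked "up" out of the XML, is worth automating so the list and the report always match the scan. The Python below is an added example (not part of the lab material, not nmap's own tooling); it parses the XML the way nmap writes it (one host element with a status and one or more address elements) and emits the list.txt body. The sample XML is constructed to look like scan.xml, with a down host included to show the filter; real nmap output only lists down hosts when run with -v.

```python
import ipaddress
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the shape `nmap -PE -sn -n 10.50.96.0/23 -oX scan.xml` produces
# (hypothetical content, not the lab's real scan.xml).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PE -sn -n 10.50.96.0/23 -oX scan.xml" version="7.80">
  <host><status state="up" reason="echo-reply"/><address addr="10.50.97.5" addrtype="ipv4"/></host>
  <host><status state="up" reason="echo-reply"/><address addr="10.50.96.1" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/><address addr="10.50.96.2" addrtype="ipv4"/></host>
  <host><status state="up" reason="syn-ack"/><address addr="10.50.96.105" addrtype="ipv4"/>
        <address addr="00:0c:29:aa:bb:cc" addrtype="mac"/></host>
  <host><status state="up" reason="echo-reply"/><address addr="10.50.97.25" addrtype="ipv4"/></host>
</nmaprun>
"""


def alive_hosts(xml_text):
    """Return [(ip, reason), ...] for every host nmap marked 'up', sorted by address."""
    root = ET.fromstring(xml_text)
    found = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts (only present with -v) are not scan targets
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                # keep the reason (echo-reply, syn-ack, arp-response, ...) so the
                # report can state how each host was discovered, not just that it was
                found[addr.get("addr")] = status.get("reason", "unknown")
    return sorted(found.items(), key=lambda kv: ipaddress.ip_address(kv[0]))


def target_list_text(xml_text):
    """The body of list.txt: one IP per line, which is the format `nmap -iL` reads."""
    return "".join(f"{ip}\n" for ip, _reason in alive_hosts(xml_text))


def write_target_list(xml_path, list_path):
    """Read a real -oX file and write the -iL list; returns the number of hosts written."""
    text = target_list_text(Path(xml_path).read_text())
    Path(list_path).write_text(text)
    return text.count("\n")


if __name__ == "__main__":
    # usage with the lab paths would be: write_target_list("/root/Desktop/scan.xml", "/root/Desktop/list.txt")
    for ip, reason in alive_hosts(SAMPLE_XML):
        print(f"{ip:<15} up ({reason})")
    print(target_list_text(SAMPLE_XML), end="")
```

The reason attribute is the detail to keep: a host found by syn-ack answered a TCP probe but not the ICMP echo, which is exactly the behaviour of a host behind a firewall that drops ICMP, and that distinction belongs in the report.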

Task 6

Sometimes a DNS server only accepts communication coming from port 53. This means that all
packets with a source port different from 53 are blocked by the service or by the firewall. In
order to find out whether our target network has this policy in place, we can set up nmap or
hping3 to use port 53 as the source port for the scan.

In other words, we have to perform a port scan of the entire network, from port 53 to port
53.

To do that we can use the following commands:

nmap -sS --source-port 53 -p 53 10.50.97.0/24

or

hping3 -S -s 53 -k -p 53 10.50.97.25

Note that when you specify a source port, hping3 takes it as a base port and increments it
for every packet sent. You can use the -k (keep) option to prevent this behavior. From the
results of the previous two commands, we can see that there is only one host
(10.50.97.25) with port 53 open. This is information that we did not find with any of
the previous scans, so make sure to experiment with source ports during your scans.

Task 7

In order to detect the OSs running on the target machines, we can use nmap with the following
options:

nmap -O -v -n 10.50.97.0/24 --osscan-guess

where:

• -O tells nmap to perform OS fingerprinting
• -v increases the verbosity of the output
• --osscan-guess makes nmap guess the OS more aggressively.

Note: if you want more thorough results you can also use the option -A

This will tell us that there are two different Operating systems in the remote network:

• Windows XP SP3
• Windows Server 2003

Task 8

In order to accomplish this task, we can set up nmap in different ways, depending on the
intensity of the scan we want to perform. To perform a service and version detection scan
with nmap, use -sV. Note that by default the intensity of the scan is set to 7, but you can use
a different intensity with the --version-intensity option.

In this case we will use the basic command, but you can use different options and check the
different results yourself. If you need more information about it, please check out the nmap
man page here: http://nmap.org/book/man-version-detection.html.

The command will then look like this:

nmap -sV 10.50.97.0/24

Note that nmap first checks for alive hosts and then performs a port scan. After the port
scan, it performs service and version detection. Moreover, you can use the -A option to get
more information about services and application versions. This is quite aggressive and will
also enable nmap scripts.

Task 9

In order to find a good zombie, we have to find a host with no active communications; in
other words, we have to check that the host is not exchanging packets with the rest of the
network. This means that we have to find a host whose IP ID field does not change frequently.

To do this we can use hping3 sending packets to open ports at each host in the network,
using the following command:

hping3 -S -r -p 135 10.50.97.10

where:

• -S tells hping3 to set the SYN flag
• -r displays the ID increments relative to the previous reply

In this way, if the ID increments by 1 for each packet (id=+1), it means that the target is
not sending other packets through the network and is a good zombie candidate.

Another way to check if the target is a good candidate, is by using nmap. We can simply run
the following command:

nmap -O -v -n 10.50.97.10

If the value of IP ID Sequence Generation is Incremental, we can consider the
target as a good candidate for our idle scan.

Task 10

Now that we have the address of a good zombie we can check whether the target hosts have port
135 open:

• Open a console and restart the hping3 scan on the zombie (Task 9). This will show us the
IDs on the fly.
• Open another console and run the following command:

hping3 -a 10.50.97.10 -S -p 135 10.50.97.5

If the zombie ID increment is id=+2 on (Console 1) instead of id=+1, we can deduce that
port 135 on the target 10.50.97.5 is open. Otherwise, if the ID still increments by 1, we
can deduce that the port is closed.

Console 1:

Console 2:

The hping3 scan on the zombie (console 1) shows an increment of +2 while, in console 2, we
scan host 10.50.97.5 for port 135 from the spoofed source address 10.50.97.10. This +2
increment in the ID sequence indicates that port 135 is open on 10.50.97.5.
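Why the increment is +2 for an open port and +1 otherwise is easiest to see in a model. The Python simulation below is an added example, not part of the lab material: it models a zombie, a target and a stateless firewall with just enough of the TCP/IP rules (a SYN to an open port draws a SYN/ACK, a SYN to a closed port draws a RST, an unexpected SYN/ACK draws a RST, a RST draws nothing) and counts the IP IDs the zombie spends. The addresses reuse the lab's; the port states, the firewall rule and the "random" IP ID generator are hypothetical. It also makes explicit the two caveats the text only hints at: a closed port and a filtered port both give +1 and cannot be told apart, and a zombie that has background traffic or randomised IP IDs (the host-side fix for this weakness, which is why it no longer works against modern stacks) gives no usable verdict.

```python
import itertools


class Host:
    """Tiny model of an IP stack, just enough to reproduce the IP ID side channel."""

    def __init__(self, name, open_ports=(), ip_id_mode="incremental", start_id=1000):
        self.name = name
        self.open_ports = set(open_ports)
        self.ip_id_mode = ip_id_mode      # "incremental" (old Windows) or "random" (modern stacks)
        self._counter = itertools.count(start_id)
        self._state = start_id            # seed for the toy non-sequential generator

    def _next_ip_id(self):
        """Every packet this host emits consumes one IP ID; that is what the scan measures."""
        if self.ip_id_mode == "incremental":
            return next(self._counter) % 65536
        # toy linear-congruential generator standing in for a randomised IP ID (hypothetical)
        self._state = (self._state * 7919 + 104729) % 65536
        return self._state

    def handle(self, pkt):
        """Return the reply this host emits for pkt, or None if the stack stays silent."""
        if pkt["flags"] == "S":
            reply = "SA" if pkt["dport"] in self.open_ports else "R"
        elif pkt["flags"] == "SA":
            reply = "R"      # unexpected SYN/ACK: the stack answers with a RST (RFC 793)
        else:
            return None      # incoming RST: dropped silently, no packet and no IP ID spent
        return {"src": self.name, "dst": pkt["src"], "flags": reply,
                "sport": pkt["dport"], "dport": pkt["sport"], "id": self._next_ip_id()}


class Network:
    def __init__(self, hosts, filtered=()):
        self.hosts = {h.name: h for h in hosts}
        self.filtered = set(filtered)     # (dst, dport) pairs a firewall drops silently

    def send(self, pkt):
        """Deliver pkt and let its receiver react; returns the direct reply (None if dropped)."""
        if (pkt["dst"], pkt["dport"]) in self.filtered:
            return None
        reply = self.hosts[pkt["dst"]].handle(pkt)
        if reply is not None and reply["dst"] in self.hosts:
            # e.g. the target's SYN/ACK reaching the zombie, which then emits a RST of its own
            self.hosts[reply["dst"]].handle(reply)
        return reply


def probe_zombie(net, zombie, port):
    """hping3 -S -p <port> <zombie>: read the IP ID on the zombie's SYN/ACK."""
    reply = net.send({"src": "attacker", "dst": zombie, "flags": "S", "dport": port, "sport": 40000})
    return reply["id"]


def idle_scan(net, zombie, zombie_port, target, target_port, background_packets=0):
    """Two zombie probes around one spoofed SYN (hping3 -a <zombie> -S -p <port> <target>)."""
    before = probe_zombie(net, zombie, zombie_port)
    # traffic the zombie exchanges with someone else meanwhile (0 for a truly idle host)
    for _ in range(background_packets):
        net.hosts[zombie]._next_ip_id()
    net.send({"src": zombie, "dst": target, "flags": "S", "dport": target_port, "sport": 40001})
    after = probe_zombie(net, zombie, zombie_port)
    delta = (after - before) % 65536
    if delta == 2:
        return "open"              # target sent SYN/ACK, zombie spent an ID answering it
    if delta == 1:
        return "closed|filtered"   # a RST or silence at the zombie look exactly the same
    return "unreliable"            # busy zombie or non-sequential IP IDs: no verdict


def build_lab():
    """Constructed topology reusing the lab addresses; the port states are hypothetical."""
    zombie = Host("10.50.97.10", open_ports={135})
    target = Host("10.50.97.5", open_ports={135, 445})
    hardened = Host("10.50.97.20", open_ports={135}, ip_id_mode="random")
    return Network([zombie, target, hardened], filtered={("10.50.97.5", 23)})


if __name__ == "__main__":
    net = build_lab()
    for port in (135, 53, 23):
        print(f"10.50.97.5:{port} via idle zombie ->", idle_scan(net, "10.50.97.10", 135, "10.50.97.5", port))
    print("same scan via a random-IP-ID zombie ->", idle_scan(net, "10.50.97.20", 135, "10.50.97.5", 135))
    print("zombie that is actually busy ->",
          idle_scan(net, "10.50.97.10", 135, "10.50.97.5", 445, background_packets=3))
```

The model makes the detection angle concrete as well: the target only ever sees SYNs from the zombie's address, so logs on 10.50.97.5 point at 10.50.97.10, and the one place the real scanner is visible is the zombie, which receives a steady stream of SYNs to one port from the scanner's true address.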
