Data & Software Security

Computer science / Cybersecurity

Lab 05
Network Scanning
Scanning Networks

• Network scanning is a method of gathering network information, such as the identification of hosts, port information, and services, by scanning networks and ports.
Objectives of Network Scanning
1. To identify live hosts on a network
2. To identify open and closed ports
3. To identify operating system information
4. To identify the services running on the network, and their versions
5. To identify the processes listening behind those ports, where a banner reveals them
6. To identify the presence of security devices such as firewalls
7. To identify system architecture
8. To identify vulnerabilities
Overview of Network Communication
TCP header flags used by scanners:
Flag  Meaning
SYN   Initiates a connection between two hosts to facilitate communication.
ACK   Acknowledges receipt of a packet.
URG   Indicates that the data contained in the packet is urgent and should be processed immediately.
PSH   Tells the receiving system to hand buffered data to the application immediately instead of waiting for more.
FIN   Tells the remote system that the communication has ended; in essence, this gracefully closes a connection.
RST   Resets (aborts) a connection. A closed port answers a SYN with RST, which is how a scanner tells a closed port from a filtered one that simply never answers.
Scanning Methodology
• Checking for live systems
• Discovering open ports
• Scanning beyond IDS
• Banner grabbing
• Scanning for vulnerabilities
• Drawing a network diagram
• Using proxies
Checking for Live Systems
• Finding live hosts on a network is commonly done with ICMP packets.
• The target answers an ICMP Echo Request with an ICMP Echo Reply.
• A reply verifies that the host is live. The absence of a reply does not prove the host is down: many hosts and firewalls drop ICMP, so a TCP or ARP probe is needed before writing a host off.
ICMP Scanning
• ICMP scanning is a method of identifying live hosts by sending ICMP Echo Requests to a host; an ICMP Echo Reply from the host verifies that it is live. Ping scanning is useful not only for identifying live hosts, but also for determining whether ICMP packets pass through the firewall and for observing the TTL value in the reply, which hints at the operating system and the hop distance.
Ping Sweep
• A ping sweep determines live hosts on a large scale. It sends ICMP Echo Request packets to a whole range of IP addresses instead of one address at a time and observes which addresses respond.
• Ping sweep tools include Advanced IP Scanner, the SolarWinds Ping Sweep tool and Angry IP Scanner.
Check for Open Ports

• Nmap (see the Nmap cheat sheet). Note that -sP is host discovery (a ping scan), not a port scan; current Nmap versions call it -sn. -PE sends ICMP Echo probes and -PA sends TCP ACK probes to the listed ports, so hosts that drop ICMP can still be found. The port list is attached directly to -PA; with a space Nmap would read it as a target.

nmap -sP -v <target IP address>
nmap -sP -PE -PA21,23,80,3389 192.168.0.1-50
Nmap Commands
Command                                    Description
netdiscover -r 192.168.47.0/24             ARP-based host discovery on the local subnet (/8, /16 or /24 range). Not an Nmap command, but used alongside it; ARP cannot be filtered by a host firewall the way ICMP can.
nmap -O 10.10.50.210                       Operating system detection (needs root, and works best with at least one open and one closed TCP port on the target).
nmap --help                                Help.
nmap -sS <target>                          TCP SYN ("half-open") scan. Once called a stealth scan because the handshake is never completed, but any modern IDS logs it. Needs root. Related: -sT (TCP connect scan), -sU (UDP scan), -sC (default script scan).
nmap -T4 -p- -A 192.168.47.131             -T4: timing template (T0 slowest to T5 fastest). -p-: all 65535 ports (or a list such as -p 80,443,8080). -A: OS detection, version detection, script scanning and traceroute.
nmap -sU -T4 -p <port list> 192.168.47.131 UDP scan. Always restrict the port list (or use --top-ports); a UDP scan of all ports takes extremely long because closed ports only answer with rate-limited ICMP messages.
nmap -sC -sV -O -oA initial 10.10.10.123   -sC: run the default Nmap scripts. -sV: detect service versions. -O: detect the OS. -oA initial: write output in all formats (normal, XML, grepable) to files named initial.*.
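The -sS and -sT rows above differ only in what the scanner does on the wire; -sT is the one that needs no privileges because it is just an ordinary connect(). The script below is an added example (not part of the lab) of a connect scan that classifies each port the way Nmap reports it (open, closed, filtered) from the socket error it gets back, and reads the banner from open ports as described under Banner Grabbing later in the lab. It starts its own constructed target on a loopback port so it runs offline; the banner string, the port numbers and the helper names are assumptions of this example.

```python
import errno
import socket
import threading

HOST = "127.0.0.1"
BANNER = b"SSH-2.0-ConstructedTestBanner\r\n"   # constructed test data, not a real service


def start_listener(banner=BANNER):
    """Constructed target: a TCP service on a free loopback port that sends a banner.
    Returns (server_socket, port); close the socket to stop the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed: stop serving
                return
            try:
                conn.sendall(banner)
            except OSError:
                pass
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """A loopback port with nothing listening (bind, read the number, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """Full three-way handshake against one port (what nmap -sT does).

    open:     SYN/ACK came back and the handshake completed
    closed:   the host answered with RST (host is up, nothing listening)
    filtered: no answer, or an ICMP unreachable, so a firewall or route dropped it
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def grab_banner(host, port, timeout=1.0, nbytes=256):
    """Connect to an open port and read whatever the service volunteers first."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        return s.recv(nbytes)
    except socket.timeout:
        return b""               # many services (HTTP, for one) wait for the client to speak first
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0):
    """Map each port to (state, banner); the banner is only read from open ports."""
    results = {}
    for port in ports:
        state = probe(host, port, timeout)
        banner = grab_banner(host, port, timeout) if state == "open" else b""
        results[port] = (state, banner)
    return results


if __name__ == "__main__":
    srv, port = start_listener()
    for p, (state, banner) in connect_scan(HOST, [port, free_port()]).items():
        print(f"{HOST}:{p} {state} {banner.strip().decode(errors='replace')}")
    srv.close()
```

A connect scan shows up in the target's service logs because the handshake completes and the application sees the connection; a SYN scan avoids that by answering the SYN/ACK with RST, which needs a raw socket and therefore root. The "filtered" verdict is the weak one: a slow network and a dropping firewall look the same, which is why Nmap retries before reporting it.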
Hping2 & Hping3
• Using hping, the following can be performed:
• Testing firewall rules.
• Advanced port scanning.
• Testing network performance.
• Path MTU discovery.
• Transferring files even across very strict firewall rules.
• Traceroute-like probing under different protocols.
• Remote OS fingerprinting, and more.

hping3 sends hand-built packets, so it needs root, and by default it keeps sending until interrupted (use -c <count> to limit it).

To create an ACK packet:
root@kali:~# hping3 -A 192.168.0.1
To create a packet with the FIN, URG and PSH flags set:
root@kali:~# hping3 -F -P -U 10.10.50.202
To run a SYN scan against a range of ports (scan mode, -8 or --scan):
root@kali:~# hping3 -8 1-600 -S 10.10.50.202
Scanning Tools
• NetScan Tools Pro
• Android Network Scanner
Scanning Beyond IDS
• An attacker uses fragmentation and small packets to evade security devices such as firewalls, IDS and IPS. The most common technique is splitting the payload (for a port scan, the TCP header itself) into small IP fragments, so that no single packet contains the whole pattern a signature matches on. Nmap does this with -f (8-byte fragments) or --mtu.
• The IDS must reassemble the incoming fragment stream before it can inspect it and detect the attack. Attackers complicate that reassembly further (fragments sent out of order, overlapping, or spread out in time) so that the device either gives up or reassembles differently from the target host.
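To make the evasion concrete, the script below is an added example (not from the lab) that splits a 20-byte TCP SYN header into 8-byte IP fragments the way nmap -f does, and then does the job an IDS has to do: reassemble them, in whatever order they arrive, before any rule such as "SYN to port 22" can match. The packet contents and the helper names are constructed for the example; fragments are represented as (offset, MF, data) tuples rather than full IP packets.

```python
import struct

FRAG_UNIT = 8        # IPv4 fragment offsets are counted in 8-byte units
TCP_SYN = 0x02
TCP_PORTS_END = 4    # bytes 0-3 of the TCP header: source and destination port
TCP_FLAGS_BYTE = 13  # byte 13 of the TCP header: the flags (SYN, ACK, ...)


def tcp_header(sport, dport, flags=TCP_SYN, window=1024):
    """Plain 20-byte TCP header (constructed test data; checksum left at zero)."""
    data_offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, data_offset_flags, window, 0, 0)


def fragment(payload, frag_size=8):
    """Split an IP payload the way `nmap -f` does: 8-byte pieces, all but the last
    carrying the More Fragments (MF) bit. Each fragment is (offset_units, mf, data)."""
    if frag_size % FRAG_UNIT:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for start in range(0, len(payload), frag_size):
        data = payload[start:start + frag_size]
        mf = start + frag_size < len(payload)
        frags.append((start // FRAG_UNIT, mf, data))
    return frags


def reassemble(frags):
    """What an IDS (or the target's stack) must do before it can look at the TCP header.
    Fragments may arrive in any order; gaps, overlaps and a missing tail are rejected."""
    buf = bytearray()
    expected = 0
    tail_seen = False
    for offset, mf, data in sorted(frags, key=lambda f: f[0]):
        if offset != expected:
            raise ValueError(f"gap or overlap at byte offset {offset * FRAG_UNIT}")
        if mf and len(data) % FRAG_UNIT:
            raise ValueError("a non-final fragment must be a multiple of 8 bytes")
        buf += data
        expected = offset + len(data) // FRAG_UNIT
        tail_seen = not mf
    if not tail_seen:
        raise ValueError("final fragment (MF=0) missing")
    return bytes(buf)


def is_complete(frags):
    """True if the fragments form one whole datagram; an IDS must hold them until then."""
    try:
        reassemble(frags)
        return True
    except ValueError:
        return False


def field_in_fragment(frag, byte_index):
    """True if transport-header byte `byte_index` lies inside this fragment."""
    offset, _, data = frag
    start = offset * FRAG_UNIT
    return start <= byte_index < start + len(data)


if __name__ == "__main__":
    syn = tcp_header(40000, 22)
    frags = fragment(syn)
    for f in frags:
        print(f"offset={f[0] * FRAG_UNIT:2d} MF={int(f[1])} "
              f"has_ports={field_in_fragment(f, 0)} has_flags={field_in_fragment(f, TCP_FLAGS_BYTE)}")
    print("reassembled ok:", reassemble(list(reversed(frags))) == syn)
```

With 8-byte fragments the destination port lives in the first fragment and the flags byte in the second, so a signature that needs both can only fire after reassembly. That is also the defender's lesson: an IDS that inspects fragments individually, or times out its reassembly buffer sooner than the host it protects, can be walked past with this alone.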
OS Fingerprinting & Banner Grabbing

• OS fingerprinting is a technique used to identify the operating system running on a target machine.
• Banner grabbing is similar to OS fingerprinting; it determines the services (and usually their versions) running on the target machine by reading the greeting a service sends when a client connects. Typically Telnet or Netcat is used to retrieve the banner.
1. Active OS fingerprinting or banner grabbing: nmap -O <ip address> (the scanner sends crafted probes to the target).
2. Passive OS fingerprinting or banner grabbing: inspection of the Time To Live (TTL) value and the TCP window size in traffic the target sends anyway.

Operating System                   TTL   TCP Window Size
Linux                              64    5840
Google customized Linux            64    5720
FreeBSD                            64    65535
Windows XP                         128   65535
Windows Vista, 7 and Server 2008   128   8192
Cisco Router (IOS 12.4)            255   4128

The TTL column is the initial value the sender sets; every router on the path decrements it by one, so an observed TTL of 58 most likely started at 64 and crossed six hops. Window sizes depend on the kernel version and tuning, so treat the table as a hint rather than proof.
• Banner grabbing tools: ID Serve, Netcraft, Netcat, Telnet, Xprobe and Maltego.
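The passive technique in item 2 is nothing more than reading two header fields out of a packet the target sent and comparing them with the table. The script below is an added example (not from the lab) that parses a raw IPv4+TCP packet, rounds the observed TTL up to the initial value it most likely started from, and looks the (initial TTL, window) pair up in the table from the page. The sample packets are constructed inline for the example; the function names and the choice to accept only SYN or SYN/ACK segments are assumptions of this example, not part of the lab.

```python
import struct

# The lab's table: (initial TTL, TCP window size) -> operating system.
# Window sizes are a heuristic; they vary with kernel version and sysctl tuning.
SIGNATURES = {
    (64, 5840): "Linux",
    (64, 5720): "Google customized Linux",
    (64, 65535): "FreeBSD",
    (128, 65535): "Windows XP",
    (128, 8192): "Windows Vista, 7 and Server 2008",
    (255, 4128): "Cisco Router (IOS 12.4)",
}

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def initial_ttl(observed):
    """Each router decrements TTL by one, so the value seen is the sender's start
    value minus the hop count. Round up to the nearest common start value."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    raise ValueError("TTL out of range")


def parse_ipv4_tcp(pkt):
    """Pull TTL, window and flags out of a raw IPv4+TCP packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4            # IP header length honours IP options
    ttl, proto = pkt[8], pkt[9]
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = pkt[ihl:ihl + 20]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {"sport": sport, "dport": dport, "ttl": ttl,
            "window": window, "flags": off_flags & 0x01FF}


def passive_fingerprint(pkt):
    """Return (os_guess, estimated_hops). Only the initial SYN (or SYN/ACK) carries the
    stack's default window; later segments reflect flow control, so refuse them."""
    p = parse_ipv4_tcp(pkt)
    if not p["flags"] & TCP_SYN:
        raise ValueError("need a SYN or SYN/ACK for the initial window size")
    start = initial_ttl(p["ttl"])
    return SIGNATURES.get((start, p["window"]), "unknown"), start - p["ttl"]


def make_syn(ttl, window, sport=40000, dport=80, flags=TCP_SYN):
    """Constructed packet for testing: minimal IPv4 header + 20-byte TCP header.
    Checksums are left at zero; the parser does not verify them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # (58, 5840): a Linux box six hops away; (121, 8192): Windows 7 seven hops away;
    # (64, 29200): a modern Linux default window the table does not know.
    for ttl, win in ((58, 5840), (121, 8192), (250, 4128), (64, 29200)):
        print(f"ttl={ttl:3d} window={win:5d} -> {passive_fingerprint(make_syn(ttl, win))}")
```

On a real network the packets come from a capture (a raw socket or a pcap read with a library such as scapy), and the hop estimate is what makes passive fingerprinting useful beyond the OS guess: a host that is supposed to be on the local segment but shows up several hops away is worth a second look. The "unknown" result for a window of 29200 is deliberate; the table on the page is old, and a practitioner extends it from their own captures rather than trusting it blindly.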
Proxies
• A proxy is a system that stands between the attacker and the target. Proxy systems play an important role in networks; in scanning they are used to hide the scanner's identity so that the activity cannot be traced back from the target to its real source.
The Uses of a Proxy Server
• Hiding the source IP address to bypass IP address blocking.
• Impersonating another client.
• Remote access to an intranet.
• Redirecting all requests through the proxy server to hide identity.
• Proxy chaining to avoid detection.
Proxy Tools
• Proxy Switcher
• Proxy Workbench
• TOR
• CyberGhost

Application Tools for Mobile   Download URL
Proxy Droid                    https://play.google.com
Net Shade                      https://itunes.apple.com
Introduction to Anonymizers
• An anonymizer is a tool that hides or removes identity-related information to make activity untraceable. It is used for:
• Minimizing risk
• Identity theft prevention
• Bypassing restrictions and censorship
• Untraceable activity on the Internet

• Censorship circumvention tool: Tails (The Amnesic Incognito Live System) is a popular censorship circumvention tool based on Debian GNU/Linux. It is a live operating system that can run on almost any computer from a USB stick or DVD, specially designed to let you use the Internet anonymously while leaving no trace on the machine it ran on. Tails routes its traffic through Tor and preserves privacy and anonymity.
Spoofing IP Address
• IP address spoofing is a technique used to gain unauthorized access to machines by forging the source IP address of packets.
• The attacker impersonates another machine by sending manipulated IP packets that carry a spoofed source address.
• The spoofing process involves modifying the IP header with the spoofed source address, recomputing the header checksum, and, for TCP, supplying the sequence (order) numbers the receiver expects.
• Packet-switched networking can deliver packets at the destination in a different order from the one they were sent in; sequence numbers let the receiver reorder them. Because the replies go to the spoofed address, an attacker who cannot observe them has to predict those sequence numbers to spoof a TCP session, whereas single-packet protocols (UDP, ICMP) can be spoofed blind.
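The header modification the slide describes comes down to two steps: overwrite the 4-byte source address and fix the 16-bit header checksum, because a router discards a datagram whose checksum does not verify but never checks whether the source address is genuine. The script below is an added example (not from the lab) that builds an IPv4 header with an arbitrary source, rewrites the source of an existing header, and shows that the naive rewrite without a checksum repair is the one that fails. Addresses, identification value and function names are constructed for the example.

```python
import socket
import struct

IPPROTO_TCP = 6


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if the length is odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=IPPROTO_TCP, ttl=64, ident=0x1234):
    """20-byte IPv4 header with whatever source address we like and a valid checksum.
    Nothing in the header authenticates `src`; any value that passes the checksum is
    forwarded by routers, which is all that IP spoofing relies on."""
    fields = (0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst))
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    checksum = ip_checksum(header)           # computed with the checksum field set to 0
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def checksum_valid(header):
    """The one's-complement sum of a correct header, checksum field included, is 0."""
    return ip_checksum(header) == 0


def source_address(header):
    return socket.inet_ntoa(header[12:16])


def spoof_source(header, new_src):
    """Rewrite the source address of an existing header and repair the checksum:
    the 'modification of the header with a spoofed source IP address and a checksum'
    from the slide."""
    patched = header[:12] + socket.inet_aton(new_src) + header[16:]
    patched = patched[:10] + b"\x00\x00" + patched[12:]        # zero before recomputing
    return patched[:10] + struct.pack("!H", ip_checksum(patched)) + patched[12:]


if __name__ == "__main__":
    hdr = build_ipv4_header("10.0.0.5", "192.0.2.10", payload_len=20)
    forged = spoof_source(hdr, "203.0.113.7")
    naive = hdr[:12] + socket.inet_aton("203.0.113.7") + hdr[16:]   # no checksum repair
    print("original :", source_address(hdr), checksum_valid(hdr))
    print("forged   :", source_address(forged), checksum_valid(forged))
    print("naive    :", source_address(naive), checksum_valid(naive))
    # Putting it on the wire needs a raw socket with the kernel told not to build the
    # IP header for us (root): socket.socket(AF_INET, SOCK_RAW, IPPROTO_RAW) and
    # sendto(forged + tcp_segment, (dst, 0)). Not done here.
```

Two caveats matter in practice. The SYN/ACK for a spoofed TCP SYN goes to the spoofed address, so without seeing it the attacker must predict the target's initial sequence number; modern stacks randomise it, which is why blind TCP spoofing is rarely practical today, while spoofed UDP and ICMP (the basis of reflection attacks) still are. And many ISPs apply egress filtering (BCP 38), dropping packets whose source address does not belong to the network they came from, so a spoofed packet may never leave the attacker's own network.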
Homework
• Run the following tools on your system, then write a report on how to use them.
1. Masscan: built into Kali 2019
2. Nikto
** Screenshots are required; they will be checked for plagiarism as well.

*** A video (or YouTube) is also acceptable; you can make the video unlisted so that it is accessible only with the link.
Enumeration
• Enumeration: an attacker initiates active connections with the target system and, over those connections, issues direct queries to gain more information, such as:
• Routing information
• SNMP information
• DNS information
• Machine names
• User information
• Group information
• Applications and banners
• Network sharing information
• Network resources

Services commonly enumerated and their ports:
Service                         Port(s)
DNS Zone Transfer               TCP 53
DNS Queries                     UDP 53
SNMP                            UDP 161
SNMP Trap                       TCP/UDP 162
Microsoft RPC Endpoint Mapper   TCP/UDP 135
LDAP                            TCP/UDP 389
NBNS                            UDP 137
Global Catalog Service          TCP/UDP 3268
NetBIOS (session service)       TCP 139
SMTP                            TCP 25
Enumeration Using Tools
Tool                          Description
SuperScan                     GUI-based NetBIOS enumeration tool.
Hyena                         GUI-based NetBIOS enumeration tool that shows shares, user login information and other related information.
Winfingerprint                NetBIOS enumeration tool capable of providing information such as operating system, user and group information, shares, sessions and services, SIDs, and much more.
NetBIOS Enumerator            GUI-based NetBIOS enumeration tool.
SoftPerfect Network Scanner   https://www.softperfect.com/products/networkscanner/
Gathering Information Using Metasploit
• Performing an Nmap scan of the subnet 10.10.50.0/24 from the msfconsole prompt and importing the result into the Metasploit database. Note that -Pn skips host discovery and treats every address as up, so this is a port and service scan of the whole range rather than a ping sweep; a pure ping sweep would be nmap -sn 10.10.50.0/24.
• msf > nmap -Pn -sS -A -oX Test 10.10.50.0/24
• msf > db_import Test  // import the Nmap XML file
• msf > hosts
• msf > db_nmap -sS -A 10.10.50.211  // service scan whose results go straight into the database
• msf > services

• msf > use scanner/smb/smb_version

• msf auxiliary(scanner/smb/smb_version) > show options