Module+6

Download as pdf or txt
Download as pdf or txt
You are on page 1of 45

Module 6

Scanning

Ansh Bhawnani
Basics of Scanning

Module 6
Basics of Scanning

▰ “Knowing your enemy is winning half the war..”


▰ Network scanning refers to a set of procedures for identifying
hosts, ports, and services in a network.
▰ Network scanning is one of the components of intelligence
gathering an attacker uses to create a profile of the target
organization.
▰ To hack the network, you will have to find a vulnerable point in
the network that can be exploited. Network Scanning is used to
find out such points in the network.

3
Basics of Scanning

▰ Scanning is done actively on the target.


▰ Network scanning can be done internally or from the Internet.

▰ Objectives of Network Scanning:


▻ To discover live hosts, IP address, and open ports of live
hosts
▻ To discover operating systems and system architecture
▻ To discover services running on hosts
▻ To discover vulnerabilities in live hosts
4
Scanning
Methodology

Module 6
1. Checking for Live
Systems

Module 6
Checking for Live Systems

▰ Ping scan involves sending ICMP ECHO requests to a host. If the


host is live, it will return an ICMP ECHO reply.
▰ This scan is useful for locating active devices or determining if
ICMP is passing through a firewall.

7
Checking for Live Systems

▰ Ping Sweep:
▻ Used to determine the live hosts from a range of IP
addresses by sending ICMP ECHO requests to multiple
hosts.
▻ If a host is live, it will return an ICMP ECHO reply.
▻ Attackers calculate subnet masks using Subnet Mask
Calculators to identify the number of hosts present in the
subnet.
▻ Attackers then use ping sweep to create an inventory of live
systems in the subnet.
8
2. TCP 3-Way
Handshake

Module 6
TCP 3-Way Handshake

▰ TCP Communication Flags:


▻ URG (Urgent): Data contained in the packet should be
processed immediately
▻ FIN (Finish): There will be no more transmissions
▻ RST (Reset): Resets a connection
▻ PSH (Push): Send all buffered data immediately
▻ ACK (Acknowledgement): Acknowledges the receipt of a
packet
▻ SYN (Synchronize): Initiates a connection between hosts
10
TCP 3-Way Handshake

11
TCP 3-Way Handshake

12
3. Check for open
ports (Port
Scanning)
Module 6
Port Scanning

▰ To run an exploit, an attacker needs a vulnerability.


▰ To find a vulnerability, the attacker needs to fingerprint all
services which run on the machine (find out which protocol they
use, which programs implement them and preferably the
versions of those programs).
▰ To fingerprint a service, the attacker needs to know that there is
one running on a publicly accessible port.
▰ To find out which publicly accessible ports run services, the
attacker needs to run a port scan.
14
Port Scanning

▰ Port scanning is gathering attack surface for the victim against


whom you want to launch attack or simply gathering loop holes
of your own system (like network and system administrators)
▰ States of ports:
▻ Open: Actively accepting TCP connections, UDP
datagrams or SCTP associations
▻ Closed: Accessible (it receives and responds to probe
packets), but there is no application listening on it
▻ Filtered: Packet filtering is enabled (firewall, router rules,
etc.) and cannot determine open or closed
15
4. Port Scanning
Methodology

Module 6
Port Scanning Methodology

▰ Scanning Tool: Nmap


▻ Network administrators can use Nmap for network
inventory, managing service upgrade schedules, and
monitoring host or service uptime.
▻ Attacker uses Nmap to extract information such as live
hosts on the network, services (application name and
version), type of packet filters/firewalls, operating systems
and OS versions.

17
Port Scanning Methodology

▰ Scanning Tool: hping2/ hping3


▻ Command line network scanning and packet crafting tool
for the TCP/IP protocol.
▻ It can be used for network security auditing, firewall
testing, manual path MTU discovery, advanced traceroute,
remote OS fingerprinting, remote uptime guessing, TCP/IP
stacks auditing, etc..

18
Scanning Techniques

▰ Scanning TCP Network Services: ▰ Scanning UDP Network Services:


▻ Open TCP Scanning Methods ▻ UDP Scanning
▻ TCP Connect / Full Open Scan
▻ Stealth TCP Scanning Methods
▻ Half-open Scan
▻ Inverse TCP Flag Scanning
▻ Xmas Scan
▻ FIN Scan
▻ NULL Scan
▻ ACK Flag Probe Scanning
▻ Third Party and Spoofed TCP Scanning Methods
▻ IDLE / IP ID Header Scanning 19
Scanning Techniques

▰ TCP Connect / Full Open Scan (-sT)


▻ TCP Connect scan detects when a port is open by
completing the three-way handshake.
▻ TCP Connect scan establishes a full connection and tears
it down by sending a RST packet.
▻ It does not require super user privileges.

20
Scanning Techniques

21
Scanning Techniques

▰ Stealth Scan (Half-open Scan) (-sS)


▻ Resetting the TCP connection between client and server abruptly before
completion of three-way handshake signals making the connection half open.
▻ Stealth Scan Process:
▻ The client sends a single SYN packet to the server on the appropriate
port.
▻ If the port is open then the server responds with a SYN/ACK packet.
▻ If the server responds with an RST packet, then the remote port is in the
"closed" state.
▻ The client sends the RST packet to close the initiation before a
connection can ever be
22
Scanning Techniques

23
Scanning Techniques

▰ Inverse TCP Flag Scanning (-sF, -sN)


▻ TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags, no
response means port is open and RST means the port is closed.

24
Scanning Techniques

▰ Xmas Scan (-sX)


▻ In Xmas scan, attackers send a TCP frame to a remote device with FIN, URG,
and PUSH flags set.

25
Scanning Techniques

▰ ACK Flag Probe Scanning (-sA)


▻ Attackers send TCP probe packets with ACK flag set to a remote device and
then analyzes the header information (TTL and WINDOW field) of received RST
packets to find whether the port is open or closed.
▻ If the TTL value of RST packet on particular port is less than the boundary
value of 64, then that port is open.
▻ If the WINDOW value of RST packet on particular port has non zero value, then
that port is open.
▻ Attackers send an ACK probe packet with random sequence number, no
response means port is filtered
26
Scanning Techniques

▰ UDP Scanning (-sU)


▻ UDP Port Open:
▻ There is no three-way TCP handshake for UDP scan
▻ The system does not respond with a message when the port is open.
▻ UDP Port Closed:
▻ If a UDP packet is sent to closed port, the system responds with ICMP
port unreachable message (type 3, code 3).
▻ Spywares, Trojan horses, and other malicious application use UDP ports.
27
Scanning Techniques

28
Banner Grabbing

Module 6
Banner Grabbing

▰ Banner grabbing or OS fingerprinting is the method to determine the operating


system or software version running on a remote target system. There are two types
of banner grabbing: active and passive.
▰ Identifying the OS used on the target host allows an attacker to figure out the
vulnerabilities the system possesses and the exploits that might work on a system
to further carry out additional attacks.

30
Banner Grabbing

31
Banner Grabbing

▰ Active Banner Grabbing:


▻ Specially crafted packets are sent to remote OS and the responses are noted.
▻ The responses are then compared with a database to determine the OS.
▻ Response from different OSes varies due to differences in TCP/IP stack
implementation.

32
Banner Grabbing

▰ Passive Banner Grabbing:


▻ Banner grabbing from error messages: Error messages provide information
such as type of server, type of OS, and SSL tool used by the target remote
system.
▻ Sniffing the network traffic: Capturing and analyzing packets from the target
enables an attacker to determine OS used by the remote system.
▻ Banner grabbing from page extensions: Looking for an extension in the URL
may assist in determining the application version. Example: .aspx => IIS server
and Windows platform.
33
Evading IDS,
Firewalls

Module 6
Evading IDS, Firewalls

▰ Use fragmented IP packets.


▰ Spoof your IP address when launching attacks and sniff responses from server.
▰ Use source routing (if possible).
▰ Connect to proxy servers or compromised trojaned machine to launch attacks.

35
Scanning for
Vulnerabilities

Module 6
Scanning for Vulnerabilities

▰ Vulnerability scanning identifies vulnerabilities and weaknesses of a system and


network in order to determine how a system can be exploited.
▻ Network vulnerabilities
▻ Open ports and running services
▻ Application and services vulnerabilities
▻ Application and services configuration errors

37
Mapping Networks
(Visual Mapping)

Module 6
Network Visual Mapping

▰ Drawing target's network diagram gives valuable information about the network
and its architecture to an attacker.
▰ Network diagram shows logical or physical path to a potential target.

▰ Network Discovery Tool


▻ LANSurveyor
▻ Network Topology Mapper
▻ OpManager
▻ NetworkView 39
Countermeasures

Module 6
Countermeasures

▰ Port Scanning Countermeasures


▻ Configure firewall and IDS rules to detect and block probes.
▻ Run the port scanning tools against hosts on the network to determine
whether the firewall properly detects the port scanning activity.
▻ Ensure that mechanism used for routing and filtering at the routers and
firewalls respectively cannot be bypassed using particular source ports or
source-routing methods.
▻ Ensure that the anti scanning and anti spoofing rules are configured.

41
Countermeasures

▰ Port Scanning Countermeasures


▻ Ensure that the router, IDS, and firewall firmware are updated to their latest
releases.
▻ Use custom rule set to lock down the network and block unwanted ports at the
firewall.
▻ Filter all ICMP messages (i.e. inbound ICMP message types and outbound
ICMP type 3 unreachable messages) at the firewalls and routers.
▻ Perform TCP and UDP scanning along with ICMP probes against your
organization's IP address space to check the network configuration and its
available ports.
42
Countermeasures

▰ Banner Grabbing Countermeasures


▻ Disabling or Changing Banner
▻ Display false banners to misguide attackers.
▻ Turn off unnecessary services on the network host to limit the
information disclosure.
▻ Use ServerMask tools to disable or change banner information.
▻ Use a directive in httpd.conf file to change banner information
▻ Alternatively, change the ServerSignature line to ServerSignature Off in
httpd.conf file.
43
Countermeasures

▰ Banner Grabbing Countermeasures


▻ Hiding File Extensions from Web Pages
▻ File extensions reveal information about the underlying technology
▻ Hide file extensions to mask the web technology.
▻ Change application mappings such as .asp with .htm or .foo, etc. to
disguise the identify of the servers.
▻ Apache users can use mod_negotiation directives.
▻ IIS users use tools such as PageXchanger to manage the file extensions.
▻ It is even better if the file extensions are not at all used.
44
HACKING
Is an art, practised through a creative mind.

45

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy