0% found this document useful (0 votes)
197 viewsModule 3 Scanning Networks
Uploaded by
Nghia Tran VanCopyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
0% found this document useful (0 votes)
197 viewsModule 3 Scanning Networks
Uploaded by
Nghia Tran VanCopyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
/ 154
CEH
Certified || Ethical Hacker
Module 03:
Scanning Networks
Ethical Hacking and Countermeasures ‘eam 31250 Cerfied thea ker
Seanning Networks
Module Objectives
o Understanding Network Scanning Concepts
.
Drawing Network Diggrams
Module Objectives
After identifying the target and performing the initial reconnaissance, as discussed in the
Footprinting and Reconnaissance module, attackers begin to search for an entry point into the
target system. Attackers should determine whether the target systems are active or inactive to
reduce the time spent on scanning. Notably, the scanning itself is not the actual intrusion but an
extended form of reconnaissance in which the attacker learns more about his/her target,
including information about OSs, services, and any configuration lapses. The information gleaned
from such reconnaissance helps the attacker select strategies for attacking the target system or
network,
This module starts with an overview of network scanning and provides insights into various host
discovery techniques that can be used to check for live and active systems. Furthermore, it
discusses various port and service discovery techniques, operating system discovery techniques,
and techniques for scanning beyond IDS and firewalls. Finally, it ends with an overview of drawing
network diagrams.
At the end of this module, you will be able to:
Describe the network scanning concepts
Use various scanning tools
Perform host discovery to check for live systems
* Perform port and service discovery using various scanning techniques
Scan beyond intrusion detection systems (IDS) and firewalls
Perform operating system (0S) discovery
"Draw network diagrams using network discovery tools
Module 03 Page 237 Ethical Making and Countermeasures Copyright © by E-Cauncil
‘Al Rights Reserved. Reproduction Sel Prohiated
Ethical Hacking and Countermeasures
Seanning Networks
Module Flow
Ses
Scanning Tools
Host Discovery
‘eam 31250 Cerfied thea ker
Port and Service Discovery
(Os Discovery (Banner Grabhing/
‘OF Fingerprinting)
Scanning Beyond IDS and Firewall
Draw Network Diagrams
Network Scanning Concepts
Asalready discussed, footprinting is the first phase of hacking, in which the attacker gains primary
information about a potential target. He/she then uses this information in the scanning phase to
gather more details about the target.
Module 03 Page 238
Ethical Making and Countermeasures Copyright © by E-Cauncil
‘Al Rights Reserved. Reproduction Sel Prohiated
Ethical Hacking and Countermeasures ‘eam 31250 Cerfied thea ker
Seanning Networks
Overview of Network Scanning
{© Network scanning refers to a set of procedures Network Scanning Process
sed for identifying hosts, pots, and services
Ina network Sens
sexpert
{© Network scanning is one of the components of
inteligence gathering which can be used by an ae
attacker to create a profile ofthe target nee
organization | ‘adhe Network
To discover lve hosts, IP address, and open ports of lve hosts
Objectives of | © To dlscover operating systems and system architecture
Network
Scanning | ® To discover services running on hosts
© To discover vulnerabilities in live hosts
Overview of Network Scanning
‘Scanning is the process of gathering additional detailed information about the target using highly
‘complex and aggressive reconnaissance techniques. Network scanning refers to a set of
procedures used for identifying hosts, ports, and services in a network. Network scanning is also
used for discovering active machines in a network and identifying the OS running on the target
machine. It is one of the most important phases of intelligence gathering for an attacker, which
enables him/her to create a profile of the target organization. In the process of scanning, the
attacker tries to gather information, including the specific IP addresses that can be accessed over
the network, the target's OS and system architecture, and the ports along with their respective
services running on each computer.
Sends
‘TCP/IP probes
>
| Gets network i sc
information
Attacker Network
Figure 3.1: Network scanning process
The purpose of scanning is to discover exploitable communications channels, probe as many
listeners as possible, and track the ones that are responsive or useful to an attacker's particular
needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into
a target system. The attacker also tries to discover more information about the target system to
determine the presence of any configuration lapses. The attacker then uses the information
obtained to develop an attack strategy.
‘Module 03 Page 239 Ethical Making and Countermeasures Copyright © by E-Cauncil
‘Al Rights Reserved. Reproduction Sel Prohiated
Ethical Hacking and Countermeasures ‘eam 31250 Cerfied thea ker
Seanning Networks
‘Types of Scanning
Port Scanning - Lists the open ports and services. Port scanning is the process of checking
the services running on the target computer by sending a sequence of messages in an
attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports
of the target system to determine whether the services are running or are in a listening
state. The listening state provides information about the OS and the application currently
in use. Sometimes, active services that are listening may allow unauthorized users to
misconfigure systems or to run software with vulnerabilities.
"Network Scanning ~ Lists the active hosts and IP addresses. Network scanning is a
procedure for identifying active hosts on a network, either to attack them or assess the
security of the network.
"Vulnerability Scanning — Shows the presence of known weaknesses. Vulnerability
scanning is a method for checking whether a system is exploitable by identifying its
vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The
catalog includes a list of common files with known vulnerabilities and common exploits
for a range of servers. A vulnerability scanner may, for example, look for backup files or
directory traversal exploits, The scanning engine maintains logic for reading the exploit
list, transferring the request to the web server, and analyzing the requests to ensure the
safety of the server. These tools generally target vulnerabilities that secure host
configurations can fix easily through updated security patches and a clean web document.
A thief who wants to break into a house looks for access points such as doors and windows. These
are usually the house’s points of vulnerability, as they are easily accessible. When it comes to
computer systems and networks, ports are the doors and windows of a system that an intruder
uses to gain access. A general rule for computer systems is that the greater the number of open
ports ona system, the more vulnerable is the system. However, there are cases in which a system.
with fewer open ports than another machine presents a much higher level of vulnerability.
Objectives of Network Scanning
The more the information at hand about a target organization, the higher are the chances of
knowing a network's security loopholes, and, consequently, for gaining unauthorized access to
it
Some objectives for scanning a network are as follows
= Discover the network’ live hosts, IP addresses, and open ports of the live hosts. Using the
‘open ports, the attacker will determine the best means of entering into the system.
Discover the OS and system architecture of the target. Thisis also known as fingerprinting.
An attacker can formulate an attack strategy based on the OS's vulnerabilities.
= Discover the services running/listening on the target system. Doing so gives the attacker
an indication of the vulnerabilities (based on the service) that can be exploited for gaining
access to the target system.
Identify specific applications or versions of a particular service.
Identify vulnerabilities in any of the network systems. This helps an attacker to
‘compromise the target system or network through various exploits.
Module 0 Page 240, Ethical Making and Countermeasures Copyright © by E-Cauncil
‘Al Rights Reserved. Reproduction Sel Prohiated
Ethical Hacking and Countermeasures ‘eam 31250 Cerfied thea ker
Seanning Networks
TCP Communication Flags
Ripa | tahoe | mcg Source Port Destination Port
proce - - -
Frmeaiately Sequence No
oe ony amo) Acknowledgement No
|
: |
mo rm st
|
|
|
|Zares | |tecomes | | ose ea
[Eee || ee cau : re
i] Stand TP comin aco by apn TEP pc at I
TCP Communication Flags
The TCP header contains various flags that control the transmission of data across a TCP
connection. Six TCP control flags manage the connection between hosts and give instructions to
the system. Four of these flags (SYN, ACK, FIN, and RST) govern the establishment, maintenance,
and termination of 2 connection. The other two flags (PSH and URG) provide instructions to the
system. The size of each flag is 1 bit. As there are six flags in the TCP Flags section, the size of this
section is 6 bits. When a flag value is set to “1,” that flag is automatically turned on.
Source Port Destination Port
Sequence No
Acknowledgement No
SS
TCP Checksum Urgent Pointer |
Options
ke 0.31 Bits —>|
Figure 3.2: TeP header format
Module 03 Page 282 Ethical Making and Countermeasures Copyright © by E-Cauncil
‘Al Rights Reserved. Reproduction Sel Prohiated
cataren
Tc? Flags
Figure 33: TCP communication fags
‘The following are the TCP communication flags:
= Synchronize or “SYN”: It notifies the transmission of a new sequence number. This flag
generally represents the establishment of a connection (three-way handshake) between
‘two hosts.
= Acknowledgement or “ACK”: It confirms the receipt of the transmission and identifies the
next expected sequence number. When the system successfully receives a packet, it sets
the value of its flag to “1,” thus implying that the receiver should pay attention to it.
* Push or “PSH”: When it is set to “1,” it indicates that the sender has raised the push
‘operation to the receiver; this implies that the remote system should inform the receiving
application about the buffered data coming from the sender. The system raises the PSH
flag at the start and end of data transfer and sets it on the last segment of a file to prevent
buffer deadlocks.
Urgent or “URG”: It instructs the system to process the data contained in packets as soon
as possible. When the system sets the flag to “1,” priority is given to processing the urgent
data first and all the other data processing is stopped.
«Finish or “FIN”: Its set to “1” to announce that no more transmissions will be sent to the
remote system and the connection established by the SYN flag is terminated.
Reset or “RST”: When there is an error in the current connection, this flagis set to “1” and
the connection is aborted in response to the error. Attackers use this flag to scan hosts
and identify open ports.
SYN scanning mainly deals with three flags: SYN, ACK, and RST. You can use these three flags for
gathering illegal information from servers during enumeration.
Module 03 Page 282 Ethical Making and Countermeasures Copyright © by E-Cauncil
‘Al Rights Reserved. Reproduction Sel Prohiated
thea Hacking and Countermeasures ‘eam 31250 Cerfied thea ker
Seanning Networks
TCP/IP Communication
‘TCP Session Establishmont
[three way Handshaie)
=
a Cece ol
TCP/IP Communication
TCP is connection oriented, i.e., it prioritizes connection establishment before data transfer
between applications. This connection between protocols is possible through the three-way
handshake.
ATCP session initiates using a three-way handshake mechanism:
"To launch a TCP connection, the source (10.0.0.2:21) sends a SYN packet to the
destination (10.0.0.3:21)
= Onreceiving the SYN packet, the destination responds by sending a SYN/ACK packet back
to the source.
= The ACK packet confirms the arrival of the first SYN packet to the source.
"Finally, the source sends an ACK packet for the ACK/SYN packet transmitted by the
destination.
"This triggers an "OPEN" connection, thereby allowing communication between the source
and destination, which continues until one of them issues a "FIN" or "RST" packet to close
the connection.
‘Module 03 Page 283 Ethical Making and Countermeasures Copyight © by E-Caunedl
‘Al Rights Reserved. Reproduction Sel Prohiated
thea Hacking and Countermeasures ‘eam 31250 Cerfied thea ker
Seanning Networks
sil heels
rooo2a +
Figure 3.4: TCP session establishment
The TCP protocol maintains stateful connections for all connection-oriented protocols
‘throughout the Internet and works similarly to ordinary telephone communication, in which one
picks up a telephone receiver, hears a dial tone, and dials a number that triggers ringing at the
‘other end until someone picks up the receiver and says, “Hello.”
The system terminates the established TCP session as follows:
After completing all the data transfers through the established TCP connection, the sender sends
the connection termination request to the receiver through a FIN or RST packet. Upon receiving
the connection termination request, the receiver acknowledges the termination request by
sending an ACK packet to the sender and finally sends its own FIN packet. Then, the system
terminates the established connection.
it shoots
1090.02.21 19.00.3:21
Figure 3.5: TCP session termination
Module 03 Page 288 Ethical Making and Countermeasures Copyight © by E-Caunedl
‘Al Rights Reserved. Reproduction Sel Prohiated
thea Hacking and Countermeasures
‘eam 31250 Cerfied thea ker
Sanring Networks
Module Flow
Barut suming Cnet Povtand Serie Derry
EE ospiscovery Gunner Orang
Scanning Tools on mere
aattherey senaigBeyntDS and Fea
Draw Network Diagrams
Scanning Tools: Nmap
[O Nesece arson
an se ia
(neering 2 ator
forsee pt
a acters se eae to
Sere iapotetion
tame and ves, tet
pce ters)
‘ews al 8
ein tea
Module 03 Page 285
Ethical Making and Countermeasures Copyight © by E-Caunedl
‘Al Rights Reserved. Reproduction Sel Prohiated
Ethic! Hacking ond Countermessures ‘eam 31250 Cerfied thea ker
Seanning Networks
Scanning Tools: Hping2/Hping3
| BD connie tnt scnine pet cating tr tem
| By rean be used for network securty auditing, firewall testing, manual path MTU discovery, advances traceroute,
remote OS fingerprinting, cemote uptime guessing, TCP/IP stacks euiting, et.
Hping Commands
o = fat
a= ——
a —
ss q—————
2. | eee
Module 03 Page 286, Ethical Making and Countermeasures Copyright © by E-Cauncil
‘Al Rights Reserved. Reproduction Sel Prohiated
Ethic! Hacking ond Countermessures ‘eam 31250 Cerfied thea ker
Seanning Networks
Scanning Tools
Metasploit NetScanTools Pro
“Metaplots an opensource projec ha provides the ntasrucure content, || Netscatoots ro ass arararsin automaticaly
2d tals o perform ponetation ests and extensive security auditing ‘¢ mansaly ising ug/l addresses, hostnames
domain names, and URLE
Scanning Tools
Scanning tools are used to scan and identify live hosts, open ports, running services on a target,
network, location info, NetBIOS info, and information about all TCP/IP and UDP open ports. The
information obtained from these tools will help an ethical hacker in creating the profile of the
target organization and scanning the network for open ports of the devices connected.
"Nmap
Source: https://nmap.org
Nmap ("Network Mapper") is a security scanner for network exploration and hacking. It
allows you to discover hosts, ports, and services on a computer network, thus creating a
"map" of the network. It sends specially crafted packets to the target host and then
analyzes the responses to accomplish its goal. It scans vast networks of literally hundreds
of thousands of machines. Nmap includes many mechanisms for port scanning (TCP and
Upp), OS detection, version detection, ping sweeps, and so on.
Either a network administrator or an attacker can use this tool for their specific needs.
Network administrators can use Nmap for network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Attackers use Nmap to extract
information such as live hosts on the network, open ports, services (application name and
version), type of packet filters/firewalls, MAC details, and OSs along with their versions.
Syntax: # nmap
Ethical Making and Countermeasures Copyright © by E-Cauncil
‘Al Rights Reserved. Reproductions Stel Prohited
thea Hacking and Countermeasures
Seanning Networks
© Zenmap
‘am 31250 Ceri Ethie Hocker
Sean Tools Profle Help
Taget: [10301010
Module 03 Page 288
ep 91-6595 -T4- - 1h
‘Starting tap 7.76 ( hittes://nmap.org ) at 2619-06-07
$3208 Seandera Tine
NSE: Loacea 148 scripts for scanning.
WE: Script Pre-scamine-
Initiating NSE at 13:60
Completed HSE at 13:08, 0.005 elapsed
Initiating nse at 13:04
Completed NSE at 15:08, 0.085 elapsed
Initiating aap Ping Sean st 13%
‘Scanning 10,10,10.10 (1 port]
Completes AiP Ping Scan St 13:04, @.175 elapsed (1
‘otal hosts)
Initiating Parallel ONS resolution of 1 hast. at 13:08
Completes Parallel DNS resolution of 1 host. at 13:08,
is elepses
(eiating SYM Stealth Sean at 13:08
Scanning 10,10.19.30 [65535 porte]
Discovered open port 135/tcp on 10
Discovered open port 445/tep on 10-10.10-10
Discovered open port 139/tep on 10.10.10.10
Discovered open port 49667/tcp on, 10-10.10.10
Discovered open port
Discovered open port
Discovered open port
About 47.95% done} ETC: 13:05
{o00:54 resainine)
Discovered open port 49666/tcD on 10.
Discovered open port 49665/tcB on
Discovered open port 49668/tcp on
Diseoverea open port 49668/¢B on 10.
Discovered open port 49689/tcp on 10.10.
Completes sy stesith Sean at 15:05, 65-695 elapsed
(65535 total ports)
Figure 3.6: Screenshot displaying Nmap sean.
Ethical Making and Countermeasures Copyight © by E-Caunedl
“Al RightsReserved. Reproductions Sty Prohbsed
thea Hacking and Countermeasures ‘eam 31250 Cerfied thea ker
Seanning Networks
© Zenmap
Sean Tools Profile Help
Tage [10101030 TZ] Prete (itncescan TCP pone |] Bea
Command: |map-p1-6535 -T4-A-v 10.10.1010
Hos] Services | nmap ouput Pors/Hosts Topology Host Details Scans
08 # Host [imap -p F-65535 -T4 Av 10101010 a: ow
0101030 Initiating O5 detection (try #1) against 10.10.10.10
Retrying 0s getection (try #2) agsinst 10,
NSE. Script scanning 10:10.10.10.
Initiating NSE at 15
Completes MSE at 13
Initiating NSE at 13:
Completed HSE at 13
Necrosott Windows RPC
fetblos-sen Microsoft windows netblos-
Obtains list of
open ports, OS
details, MAC ]5cr/tcp open bttn "Microsoft TTPAPE nttod
details, and | iSetprserver-hender: Mrosoft-MTTPIPI/2.©
services along _||"nees-titie: service Unavaiiaie
with their Sree —lerotoft kinanus aPC
free Mrovort ngewe APC
versions irpe ——Merosort windows RPC
mre Merovort kindous APC
Serpe Mrosort kingows RPC
rpc Meroort windows RPC
sac aaaresss c0:0e"%9:79:02:89 (Wmare)
fiaaressive’ Os auessesi Microvort winaows Longnoen (948
JWiteroncfe Wencons 10 1703 (oss), Ricrosore wincone
1 1511 (ein), nlcrosore wincéus server 2008 S72" (GI
ilcrosort-ds Windows 10 Enterprise
Figure 3.7: Sreenshot dspaying Nmap scan result
Hping2/Hping3
Source: http://www.hping.org
Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for
the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and
raw-IP protocols. It performs network security auditing, firewall testing, manual path
MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing,
TCP/IP stacks auditing, and other functions. It can send custom TCP/IP packets and display
target replies similarly to a ping program with ICMP replies. It handles fragmentation as
well as arbitrary packet body and size, and it can be used to transfer encapsulated files
under the supported protocols. It also supports idle host scanning. IP spoofing and
network/host scanning can be used to perform an anonymous probe for services.
Hping2/Hping3 also has a Traceroute mode, which enables attackers to send files
between covert channels. It also determines whether the host is up even when the host
Module 03 Page 288 Ethical Making and Countermeasures Copyight © by E-Caunedl
‘Al Rights Reserved. Reproduction Sel Prohiated
Ethic! Hacking ond Countermessures ‘eam 31250 Cerfied thea ker
Scanning Networks
blocks ICMP packets. Its firewalk-like usage allows the discovery of open ports behind
firewalls. It performs manual path MTU discovery and enables attackers to perform
remote OS fingerprinting,
Using Hping, an attacker can study the behavior of an idle host and gain information about
‘the target, such as the services that the host offers, the ports supporting the services, and
the OS of the target. This type of scan is a predecessor to either heavier probing or
outright attacks.
Syntax: # hping
