EthicalHacking

The document outlines the course material for '22IT924 – Ethical Hacking and Auditing Frameworks', focusing on auditing frameworks and the use of Nmap for network scanning and reconnaissance. It details the importance of reconnaissance in identifying vulnerabilities, understanding target environments, and planning attacks, along with various information gathering techniques such as social engineering and network scanning. Additionally, it provides an overview of Nmap's features, commands, and functionalities for effective network discovery and security auditing.

Uploaded by

kapilpalanivel1

COURSE MATERIAL

Course : 22IT924 – Ethical Hacking and Auditing Frameworks


Module - 2: INTRODUCTION TO AUDITING FRAMEWORKS
Topics : Introduction to Nmap - Nmap Environment setup in linux / windows - scanning
remote host and listing open ports - Identifying services of a remote host - Identifying live hosts in
local networks – scanning using specific port ranges - NSE scripts.

www.skcet.ac.in
Module – 2
INTRODUCTION TO AUDITING FRAMEWORKS

❑ Introduction to Nmap - Nmap Environment setup in linux / windows


❑ Scanning remote host and listing open ports - Identifying services of a
remote host
❑ Identifying live hosts in local networks – scanning using specific port
ranges
❑ NSE scripts.

Introduction to Reconnaissance
The term reconnaissance comes from the military and means to actively seek
an enemy’s intentions by collecting and gathering information about an
enemy’s composition and capabilities via direct observation, usually by scouts
or military intelligence personnel trained in surveillance.

In the world of ethical hacking, reconnaissance applies to the process of
information gathering. Reconnaissance is a catchall term for watching the
hacking target and gathering information about how, when, and where they do
things. By identifying patterns of behavior, of people or systems, an enemy
could find and exploit a loophole.
Introduction to Reconnaissance
Data collected from reconnaissance may include:

❑ Security policies. Knowing an organization’s security policies can help you
find weaknesses in their system.
❑ Network infrastructure. A hacker needs to know what type of network the
target is using (e.g., LAN, WAN, MAN), as well as the IP address range and
subnet mask.
❑ Employee contact details. Email addresses, phone numbers, and social
media accounts can be used to launch social engineering attacks.
❑ Host information. Information about specific hosts, such as operating
system type and version, can be used to find vulnerabilities.
Role of Reconnaissance

❑ Identification of vulnerabilities
❑ Understanding the target environment
❑ Planning & Preparation
❑ Reducing Detection Risks
❑ Maximising Impact
❑ Improving Defense Posture
Role of Reconnaissance
#1 Identification of Vulnerabilities
Reconnaissance helps identify weaknesses and vulnerabilities in
target systems or networks.
By gathering information about the target's infrastructure,
software versions, and configurations, attackers can pinpoint
potential entry points for exploitation.
Role of Reconnaissance
#2 Understanding the Target Environment
Reconnaissance provides insight into the target's network
architecture, security measures, and defenses.
This understanding allows attackers to tailor their attack
strategies to bypass security controls effectively.
Role of Reconnaissance
#3 Planning and Preparation
Reconnaissance allows attackers to plan and prepare their
attacks more effectively.
By gathering intelligence about the target, attackers can develop
detailed attack strategies, select appropriate tools and techniques,
and anticipate potential obstacles.
Role of Reconnaissance
#4 Reducing Detection Risks
Effective reconnaissance helps attackers minimize the risk of
detection.
By gathering information passively or using stealthy scanning
techniques, attackers can gather intelligence without alerting
defenders to their presence.
Role of Reconnaissance
#5 Maximizing Impact
Reconnaissance helps attackers maximize the impact of their
attacks by identifying high-value targets and assets within the
target environment.
By focusing their efforts on critical systems and data, attackers
can inflict greater damage and achieve their objectives more
effectively.
Role of Reconnaissance
#6 Improving Defense Posture
Understanding the techniques and tools used in reconnaissance can
help organizations improve their defense posture.
By monitoring for reconnaissance activities and implementing
appropriate security controls, organizations can detect and mitigate
potential threats before they escalate into full-blown cyber attacks.
Types of Reconnaissance
Two types of Reconnaissance: Active and Passive
Active Reconnaissance
With active reconnaissance, hackers interact directly with the computer system and
attempt to obtain information through techniques like automated scanning or manual
testing and tools like ping and netcat. Active recon is generally faster and more
accurate, but riskier because it creates more noise within a system and has a higher
chance of being detected.
Passive Reconnaissance
Passive reconnaissance gathers information without directly interacting with
systems, using tools such as Wireshark and Shodan and methods such as OS
fingerprinting to gain information.
Information Gathering Techniques

❑ Social Engineering
❑ Footprinting
❑ Network Scanning
❑ Vulnerability Scanning
❑ War Dialling
❑ Physical Observation
❑ Dumpster Diving
❑ Open Source Intelligence

Information Gathering Techniques
#1 Social Engineering
❑ Social engineering is the process of using psychological manipulation techniques
to deceive people into providing sensitive information or performing certain
actions.

❑ It is a form of passive reconnaissance that does not involve actively probing or
interacting with a target system.

❑ Social engineering techniques can include phishing, baiting, scareware,
impersonation, dumpster diving, and shoulder surfing.
Information Gathering Techniques
#2 Footprinting
❑ Footprinting means gathering information about a target system that can be used to
execute a successful cyber attack.

❑ To get this information, a hacker might use various methods and a variety of tools.
This information is the first step on the hacker's path to compromising a system.

❑ This technique involves gathering information about the target's network
infrastructure and assets, such as IP addresses, WHOIS records, DNS records,
search engines, web services and other technical details.
Information Gathering Techniques
#3 Network Scanning
❑ Network scanning is a technique used to identify active systems and open ports
on a network.

❑ It is an active reconnaissance method that involves sending packets to a range of
IP addresses or ports on a target system and analyzing the responses.

❑ Network scanning can be done using a variety of tools, such as ping sweeps and
port scanners.
Information Gathering Techniques
#4 Vulnerability Scanning
❑ Vulnerability scanning is a crucial process within any comprehensive
cybersecurity program.

❑ It involves the automated detection of security weaknesses in software,
systems, and networks, allowing organizations to identify and address potential
threats before attackers can exploit them.

❑ Vulnerability scanning is vital in managing cyber risks, helping businesses
safeguard sensitive data and maintain regulatory compliance.

❑ This technique involves using specialized tools to scan a target's assets for known
vulnerabilities.
Information Gathering Techniques
#5 War Dialing
❑ War dialing is a technique used in reconnaissance in cybersecurity that involves automatically
dialing a range of phone numbers to identify active modems.

❑ It is an active reconnaissance method that is used to identify potential targets for a future attack.

❑ War dialing is typically done by using specialized software tools, which can dial a large
number of phone numbers in a short period.

❑ Once a modem is identified, the war dialer will attempt to connect to the modem and determine
if it is accessible and what type of device it is.

❑ Modern war dialing tools have evolved to use Voice over IP (VOIP) connections,
significantly increasing the speed and efficiency of the dialing process. This advancement
allows the software to make a higher volume of calls in a shorter period, enhancing the
ability to scan extensive lists of phone numbers quickly.
Information Gathering Techniques
#6 Reconnaissance with Physical Observation
❑ "Reconnaissance with physical observation" refers to the act of gathering
information about a target by directly observing it in person, using visual cues
and physical presence to collect details about a location, individuals, or
infrastructure, often done discreetly to avoid detection; essentially, "spying" by
physically being present at a site to gather intelligence.

❑ Direct Observation: This method involves physically being at the target
location and visually observing details like building layout, security measures,
access points, personnel movements, and potential vulnerabilities.

❑ Surveillance Techniques: Depending on the situation, physical
reconnaissance may involve using tools like binoculars, cameras, or
recording devices to capture detailed observations from a concealed position.
Information Gathering Techniques
#7 Dumpster Diving
❑ Dumpster diving is a technique used in cybersecurity that involves looking
through an organization's trash to gather information.

❑ It is a form of physical reconnaissance that can be used to gain information about
a target organization.

❑ Dumpster diving can be used to find information that has been discarded,
such as old documents, memos, and hardware.
Information Gathering Techniques
#8 Open Source Intelligence
❑ Open-Source Intelligence (OSINT) refers to the process of collecting, analyzing,
and disseminating publicly available information.
❑ The information can be found on various sources such as the internet, social
media, newspapers, publications, government reports, etc.
❑ OSINT is used to gather information about a wide range of topics, including
political, economic, military, and security-related issues.
❑ The goal of OSINT is to gather the information that is not classified but could
be valuable for decision-making, threat intelligence, investigations, and
research purposes.
Analysis of Information
❑ Once the information is collected through reconnaissance, it needs to be analyzed to
extract valuable insights and make sense of the data.
❑ The process of analyzing the information can involve several different techniques and
methods, depending on the specific context and the information being analyzed.

❑ Some common techniques used in the analysis of reconnaissance information in
cybersecurity include:
❑ Threat intelligence
❑ Vulnerability assessment
❑ Network traffic analysis
❑ Log analysis
❑ Malware analysis
❑ Risk assessment
Analysis of Information
❑ Threat intelligence:
❑ This involves identifying and analyzing information about known and
emerging threats, such as malware, phishing campaigns, and other types of
cyber attacks.
❑ Vulnerability assessment:
❑ This involves identifying and analyzing vulnerabilities in an organization's
systems, networks, and applications, and determining the best course of action
to mitigate those vulnerabilities.
Analysis of Information
❑ Network traffic analysis:
❑ This involves analyzing network traffic to identify patterns, anomalies, and
suspicious activity that may indicate a security incident.
❑ Log analysis:
❑ This involves analyzing log files from various systems and devices to identify
patterns, anomalies, and suspicious activity that may indicate a security
incident.
Analysis of Information
❑ Malware analysis:
❑ This involves analyzing malware samples to understand their behavior,
capabilities, and potential vulnerabilities.
❑ Risk assessment:
❑ This involves evaluating the potential risks associated with a particular target or
vulnerability and determining the best course of action to mitigate those risks.
Nmap

Nmap ("Network Mapper") is a free and open source utility for
network discovery and security auditing.
Many systems and network administrators also find it useful for
tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts
are available on the network, what services (application name and
version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are
in use, and dozens of other characteristics.
Nmap

Nmap was designed to rapidly scan large networks, but works fine
against single hosts.
Nmap runs on all major computer operating systems, and official
binary packages are available for Linux, Windows, and Mac OS X.
In addition to the classic command-line Nmap executable, the
Nmap suite includes an advanced GUI and results viewer
(Zenmap), a flexible data transfer, redirection, and debugging tool
(Ncat), a utility for comparing scan results (Ndiff), and a packet
generation and response analysis tool (Nping).
Nmap

Nmap, short for "Network Mapper," is a powerful and versatile
open-source network scanning tool used for discovering hosts, services,
and open ports on computer networks.
It is widely used by cybersecurity professionals, network administrators,
and penetration testers to assess the security posture of target systems and
networks.
Nmap Features

1. Port Scanning: Nmap allows users to perform various types of port
scans to discover open ports on target hosts. These include TCP connect
scans, SYN scans, UDP scans, and more. By identifying open ports, Nmap
helps users understand the services and applications running on target
systems.
2. Service Detection: Nmap can identify the services and applications
running on open ports by analyzing the responses received from target
hosts. This information helps users understand the technology stack used
by the target and identify potential vulnerabilities.
Nmap Features

3. Operating System Detection: Nmap includes an OS detection feature
that attempts to identify the operating system running on target hosts
based on various network characteristics and responses. This helps users
understand the target environment and tailor their attack strategies
accordingly.
4. Scripting Engine: Nmap features a powerful scripting engine (Nmap
Scripting Engine or NSE) that allows users to write and execute custom
scripts to automate and extend Nmap's functionality. These scripts
can perform tasks such as vulnerability detection, service enumeration,
and more.
Nmap Features

5. Output Formats: Nmap supports various output formats, including
text, XML, and greppable formats, allowing users to customize the
presentation of scan results and integrate them with other tools and
frameworks.
6. Versatility: Nmap can be used for a wide range of network scanning
tasks, including host discovery, port scanning, service
enumeration, vulnerability assessment, and more. It can be run from the
command line or via its graphical user interface (Zenmap).
Network Mapping
Introduction to Nmap and its Utilities
Port scanners accept a target or a range as input, send a query to
specified ports, and then create a list of the responses for each port.
The most popular scanner is Nmap, written by Fyodor and available
from www.insecure.org. Fyodor’s multipurpose tool has become a
standard item among pen testers and network auditors.
Nmap Scan Types
Nmap Commands
Nmap: ping sweep

Before scanning active targets, consider using Nmap’s ping sweep
functionality with the -sn option.
This option will not port-scan a target, but it will report which targets are
up.
When invoked as root with nmap -sn ip_address, Nmap will send ICMP
echo and timestamp packets as well as TCP SYN and ACK packets to
determine whether a host is up.
If the target addresses are on a local Ethernet network, Nmap will
automatically perform an ARP scan versus sending out the packets and
waiting for a reply.
If the ARP request is successful for a target, it will be displayed.
Nmap: ICMP options

If Nmap can’t see the target, it won’t scan the target unless the -Pn (do not
ping) option is used.
This option was invoked using the -P0 and -PN option in previous Nmap
releases.
Using the -Pn option can create problems because Nmap will try to scan
each of the target’s ports, even if the target isn’t up, which can waste time.
To strike a good balance, consider using the -P option to select another
type of ping behavior.
For example, the -PP option will use ICMP timestamp requests and the
–PM option will use ICMP netmask requests.
Nmap: output options

Capturing the results of the scan is extremely important, as you will
be referring to this information later in the testing process, and
depending on your client’s requirements, you may be submitting the
results as evidence of vulnerability.
The easiest way to capture all the needed information is to use the
-oA flag, which outputs scan results in three different formats
simultaneously: plaintext (.nmap), greppable text (.gnmap), and
XML (.xml).
Nmap: basic scripting

When you specify your targets for scanning, Nmap will accept
specific IP addresses, address ranges in CIDR format such as
/8, /16, and /24, as well as octet ranges using 192.168.1.100-200-style
notation.
If you have a hosts file, which may have been generated from your
ping sweep earlier (hint, hint), you can specify it as well, using the
-iL flag.
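The two formats just described, the greppable .gnmap file written by -oA and the target notation Nmap accepts (CIDR, 192.168.1.100-200 octet ranges, and an -iL hosts file), are worked through below in an added Python example; it is not code from the course material or from the Nmap project, and the .gnmap content and hosts file it parses are constructed samples.

```python
"""Expand Nmap-style target specs and parse greppable (.gnmap) results into an inventory."""
import ipaddress
import itertools
import re
from collections import defaultdict

# Constructed sample .gnmap content (shaped like nmap's -oG/-oA output, not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -oA lan 192.168.1.0/24
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.7 ()\tStatus: Up
Host: 192.168.1.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
Host: 192.168.1.9 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:12 2024 -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# Constructed hosts file of the kind passed with -iL (blank lines and # comments ignored).
SAMPLE_HOSTS_FILE = """\
# live hosts from the ping sweep
192.168.1.1
192.168.1.100-102

10.0.0.0/30
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def expand_targets(spec):
    """Expand one target spec: a single IP, a CIDR block, or per-octet ranges like 192.168.1.100-200."""
    if "/" in spec:
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = []
    for part in spec.split("."):
        lo, _, hi = part.partition("-")
        octets.append(range(int(lo), int(hi or lo) + 1))
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def read_target_file(text):
    """Expand every non-comment line of an -iL style hosts file."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            targets.extend(expand_targets(line))
    return targets


def parse_ports(value):
    """Split 'port/state/proto/owner/service/rpc info/version/' records from a Ports: field."""
    ports = []
    for rec in value.split(", "):
        parts = rec.strip().split("/")
        if len(parts) < 7:
            continue  # malformed record; skip rather than guess
        ports.append({"port": int(parts[0]), "state": parts[1], "proto": parts[2],
                      "service": parts[4], "version": parts[6]})
    return ports


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": "up"/"down"/"unknown", "ports": [...]}}."""
    hosts = defaultdict(lambda: {"hostname": "", "status": "unknown", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' comment lines carry no host data
        fields = line.split("\t")  # greppable fields are tab separated
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        entry = hosts[m.group(1)]
        if m.group(2):
            entry["hostname"] = m.group(2)
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip().lower()
            elif key == "Ports":
                entry["ports"].extend(parse_ports(value))
    return dict(hosts)


def live_hosts(hosts):
    return sorted((ip for ip, h in hosts.items() if h["status"] == "up"), key=ipaddress.ip_address)


def open_ports(hosts):
    """{ip: sorted (port, proto, service) tuples} for live hosts, open ports only."""
    return {ip: sorted((p["port"], p["proto"], p["service"]) for p in h["ports"] if p["state"] == "open")
            for ip, h in hosts.items() if h["status"] == "up"}


if __name__ == "__main__":
    print("targets:", read_target_file(SAMPLE_HOSTS_FILE))
    inventory = parse_gnmap(SAMPLE_GNMAP)
    print("live:", live_hosts(inventory))
    for ip, ports in open_ports(inventory).items():
        print(ip, ports)
```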
Nmap: speed options

Nmap allows the user to specify the “speed” of the scan, or the
amount of time from probe sent to reply received, and therefore,
how fast packets are sent.
On a fast local area network (LAN), you can optimize your scanning
by setting the -T option to 4, or Aggressive, usually without
dropping any packets during the send.
If you find that a normal scan is taking a very long time due to
ingress filtering, or a firewall device, you may want to enable
Aggressive scanning.
Nmap Timing Templates
Nmap: port-scanning options

The state of the port as determined by an Nmap scan can be open, filtered,
or unfiltered.
Open means that the target machine accepts incoming requests on that
port.
Filtered means a firewall or network filter is screening the port and
preventing Nmap from discovering whether it’s open.
Unfiltered means the port is determined to be closed, and no firewall or
filter is interfering with the Nmap requests.
Nmap has numerous command switches to perform different types of
scans.
Nmap Scans

To perform an Nmap scan, at the Windows command prompt, type
nmap IPaddress followed by any command switches used to
perform specific types of scans. For example, to scan the host with
the IP address 192.168.0.1 using a TCP connect scan type, enter this
command:
nmap 192.168.0.1 -sT
Nmap: stealth scanning
SYN, Stealth Scans
A SYN or stealth scan is also called a half-open scan because it doesn’t
complete the TCP three-way handshake.
The TCP/IP three-way handshake will be covered in the next section.
A hacker sends a SYN packet to the target; if a SYN/ACK frame is
received back, then it’s assumed the target would complete the connection
and the port is listening.
If a RST is received back from the target, then it’s assumed the port isn’t
active or is closed.
The advantage of the SYN stealth scan is that fewer IDS systems log this
as an attack or connection attempt.
XMAS Scans

XMAS scans send a packet with the FIN, URG, and PSH flags set.
If the port is open, there is no response; but if the port is closed, the
target responds with a RST/ACK packet.
XMAS scans work only on target systems that follow the RFC 793
implementation of TCP/IP and don’t work against any version of
Windows.
FIN, NULL, IDLE Scans

FIN: A FIN scan is similar to an XMAS scan but sends a packet with just
the FIN flag set.
FIN scans receive the same response and have the same limitations as
XMAS scans.
NULL: A NULL scan is also similar to XMAS and FIN in its limitations
and response, but it just sends a packet with no flags set.
IDLE: An IDLE scan uses a spoofed IP address to send a SYN packet to
a target. Depending on the response, the port can be determined to be
open or closed.
IDLE scans determine port scan response by monitoring IP header
sequence numbers.
TCP Communication Flag Types

TCP scan types are built on the TCP three-way handshake.
TCP connections require a three-way handshake before a connection
can be made and data transferred between the sender and receiver.
TCP three-way handshake
In order to complete the three-way handshake and make a successful connection
between two hosts, the sender must send a TCP packet with the synchronize
(SYN) bit set.
Then, the receiving system responds with a TCP packet with the synchronize
(SYN) and acknowledge (ACK) bit set to indicate the host is ready to receive
data.
The source system sends a final packet with the acknowledge (ACK) bit set to
indicate the connection is complete and data is ready to be sent.
TCP Communication Flag Types
Because TCP is a connection-oriented protocol, a process for establishing
a connection (three-way handshake), restarting a failed connection, and
finishing a connection is part of the protocol. These protocol notifications
are called flags.
TCP contains ACK, RST, SYN, URG, PSH, and FIN flags. The following
list identifies the function of the TCP flags:
SYN—Synchronize. Initiates a connection between hosts.
ACK—Acknowledge. Established connection between hosts.
PSH—Push. System is forwarding buffered data.
URG—Urgent. Data in packets must be processed quickly.
FIN—Finish. No more transmissions.
RST—Reset. Resets the connection.
A hacker can attempt to bypass detection by using flags instead of
completing a normal TCP connection.
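The flag semantics and scan types described above (SYN/half-open, XMAS with FIN+URG+PSH, FIN, NULL, and the SYN/ACK-versus-RST reply rules) are encoded in the following added Python example as a small defender-side classifier; it is not code from the course material, the constants follow the TCP header flag bits, and the sample exchanges are constructed. It reports a silent port under FIN/NULL/XMAS as open|filtered, since a dropping firewall produces the same silence as an open port.

```python
"""Classify port-scan probes by TCP flags and infer the port state a reply implies."""

# Bit positions of the flags in the TCP header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SCAN_MASK = FIN | SYN | RST | PSH | ACK | URG
XMAS = FIN | URG | PSH


def flag_names(flags):
    """Human-readable flag list, e.g. 0x12 -> 'SYN/ACK'; no flags -> 'NULL'."""
    names = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]
    return "/".join(n for bit, n in names if flags & bit) or "NULL"


def classify_probe(flags):
    """Name the scan type an unsolicited inbound segment with these flags suggests.

    Only the flag bits are examined; a real sensor would also confirm the segment
    belongs to no established connection before treating it as a probe.
    """
    core = flags & SCAN_MASK
    if core == SYN:
        return "SYN"    # half-open scan, or just an ordinary connection attempt
    if core == 0:
        return "NULL"
    if core == FIN:
        return "FIN"
    if core == XMAS:
        return "XMAS"
    if core == ACK:
        return "ACK"    # used by Nmap host discovery, not a port-state probe
    return "OTHER"


def infer_port_state(probe_flags, reply_flags):
    """Port state implied by the reply (None = no reply) under the rules in the text."""
    kind = classify_probe(probe_flags)
    if kind == "SYN":
        if reply_flags is None:
            return "filtered"                       # dropped somewhere, no SYN/ACK and no RST
        if reply_flags & SYN and reply_flags & ACK:
            return "open"                           # target would complete the handshake
        return "closed" if reply_flags & RST else "unknown"
    if kind in ("NULL", "FIN", "XMAS"):
        if reply_flags is None:
            return "open|filtered"                  # RFC 793 open port stays silent; so does a firewall
        return "closed" if reply_flags & RST else "unknown"
    return "unknown"


def is_half_open(exchange):
    """True when SYN got SYN/ACK but the initiator answered RST instead of ACK.

    exchange: list of (direction, flags), direction 'in' = towards the target,
    'out' = from the target. This SYN, SYN/ACK, RST pattern is what a SYN
    stealth scan leaves behind on an open port, in contrast to a connect scan.
    """
    if len(exchange) < 3:
        return False
    dirs = [d for d, _ in exchange[:3]]
    flags = [f & SCAN_MASK for _, f in exchange[:3]]
    return (dirs == ["in", "out", "in"] and flags[0] == SYN
            and flags[1] == SYN | ACK and bool(flags[2] & RST) and not flags[2] & ACK)


# Constructed exchanges: a half-open scan hit and a completed handshake.
STEALTH_HIT = [("in", SYN), ("out", SYN | ACK), ("in", RST)]
FULL_CONNECT = [("in", SYN), ("out", SYN | ACK), ("in", ACK)]

if __name__ == "__main__":
    for probe, reply in [(SYN, SYN | ACK), (SYN, RST | ACK), (XMAS, None), (XMAS, RST | ACK)]:
        print(classify_probe(probe), "probe, reply", flag_names(reply) if reply is not None else "none",
              "->", infer_port_state(probe, reply))
    print("half-open:", is_half_open(STEALTH_HIT), is_half_open(FULL_CONNECT))
```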
TCP Scan Types
Surveying the attack surface
The attack surface refers to all the points, assets, and avenues
through which an attacker can potentially exploit or compromise a
system, network, or organization.

The goal of surveying the attack surface is to identify and understand
these points of vulnerability.
Steps involved in Surveying the attack surface
Here are key steps and considerations in surveying the attack surface:

Asset Inventory:
❖ Create an inventory of all assets within the target environment.
❖ This includes hardware devices, servers, endpoints, network
infrastructure, and software applications.

Network Topology Mapping:
❖ Map the network topology to understand how devices are interconnected.
❖ Identify routers, switches, firewalls, and other network devices to
visualize the flow of data within the network.
Steps involved in Surveying the attack surface
Domain and Subdomain Enumeration:
❖ Enumerate all domain names associated with the target organization.
❖ Identify subdomains, as they may represent entry points that are less
visible but still connected to the overall attack surface.

Web Application Mapping:

❖ Identify all web applications and services associated with the target.
❖ This includes public-facing websites, internal web applications, and
web services.
Steps involved in Surveying the attack surface
Cloud Services and Assets:
❖ If the target organization uses cloud services, identify and enumerate
assets within cloud environments.
❖ This includes resources on platforms like AWS, Azure, or Google Cloud.

Mobile Devices and Applications:
❖ Identify mobile devices and applications associated with the organization.
❖ This includes company-issued devices, bring-your-own-device (BYOD)
scenarios, and mobile applications.
Steps involved in Surveying the attack surface
IoT Devices:
❖ If applicable, identify and enumerate Internet of Things (IoT) devices
within the environment.
❖ This includes smart devices, sensors, and other connected devices.

External Connections and Partnerships:
❖ Consider external connections, partnerships, and integrations that may
extend the attack surface.
❖ Third-party services, APIs, and connections to other organizations can
introduce additional risk.
Steps involved in Surveying the attack surface

Wireless Networks:
❖ Identify and assess wireless networks within the target environment.
❖ This includes Wi-Fi networks and associated security
configurations.

Social Media and Online Presence:
❖ Assess the information shared on social media platforms, which can
provide insights into the organization's activities and potential
vulnerabilities.
Steps involved in Surveying the attack surface

Employee Information:
❖ Collect information about employees, especially those who may have
access to sensitive systems or information.
❖ This includes email addresses, job titles, and roles.

Security Configurations and Policies:
❖ Understand the security configurations, policies, and practices in place.
❖ Evaluate if security measures such as firewalls, intrusion detection
systems, and access controls are effectively implemented.
Steps involved in Surveying the attack surface
Regulatory Compliance:
❖ Consider any regulatory compliance requirements that the organization must
adhere to.
❖ Non-compliance may introduce risks and vulnerabilities.

Physical Infrastructure:
❖ If possible, assess the physical infrastructure, including data centers, server
rooms, and other facilities.
❖ Physical security measures are critical aspects of the overall attack surface.

Documentation and Reporting:
❖ Document all findings and generate comprehensive reports.
❖ Reports should provide insights into the identified attack surface and potential
areas of concern.
Information collection using Reconnaissance
❑ Information gathering can be broken into seven logical steps.
❑ Footprinting is performed during the first two steps: unearthing initial information
and locating the network range.
Footprinting
❑ Footprinting is defined as the process of creating a blueprint or map of
an organization’s network and systems.

❑ Information gathering is also known as footprinting an organization.

❑ Footprinting begins by determining the target system, application, or
physical location of the target.

❑ Once this information is known, specific information about the
organization is gathered using nonintrusive methods.

❑ For example, the organization’s own web page may provide a
personnel directory or a list of employee bios, which may prove useful
if the hacker needs to use a social-engineering attack to reach the
objective.
Footprinting
Here are some of the pieces of information to be gathered about a target
during footprinting:

Domain name
Network blocks
Network services and applications
System architecture
Intrusion detection system
Authentication mechanisms
Specific IP addresses
Access control mechanisms
Phone numbers
Contact addresses
Scanning and Enumeration

Scanning and enumeration are the next steps in the hacking process
after the information gathering phase has been completed.
Scanning and enumeration tools are most often active
information-gathering tools and therefore allow the hacker to be
detected.
For this reason, many tools and techniques exist to minimize the
opportunity for detection and reduce the chance of the hacker being
identified.
Scanning and Enumeration

It is during the scanning and enumeration phase that information
about the host and target network is discovered.
As a next step, the host and network information enumerated will be
used to begin to hack the target system or network.
Scanning and Enumeration

Scanning and enumeration are the first phases of hacking and
involve the hacker locating target systems or networks.
Enumeration is the follow-on step once scanning is complete and is
used to identify computer names, usernames, and shares.
Scanning and enumeration are discussed together because many
hacking tools perform both.
Scanning

During scanning, the hacker continues to gather information
regarding the network and its individual host systems.
Data such as IP addresses, operating system, services, and installed
applications can help the hacker decide which type of exploit to use
in hacking a system.
Scanning is the process of locating systems that are alive and
responding on the network.
Ethical hackers use it to identify target systems’ IP addresses.
Types of Scanning

Scanning Type           Purpose
Port scanning           Determines open ports and services
Network scanning        IP addresses
Vulnerability scanning  Presence of known weaknesses
Port Scanning

Port scanning is the process of identifying open and available
TCP/IP ports on a system.
Port-scanning tools enable a hacker to learn about the services
available on a given system.
Each service or application on a machine is associated with a
well-known port number.
For example, a port-scanning tool that identifies port 80 as open
indicates a web server is running on that system.
Hackers need to be familiar with well-known port numbers.
Common port numbers and their corresponding service
Network Scanning

Network scanning is a procedure for identifying active hosts on
a network, either to attack them or as a network security
assessment.
Hosts are identified by their individual IP addresses.
Network-scanning tools attempt to identify all the live or responding
hosts on the network and their corresponding IP addresses.
Vulnerability Scanning

Vulnerability scanning is the process of proactively identifying
the vulnerabilities of computer systems on a network.
Generally, a vulnerability scanner first identifies the operating
system and version number, including service packs that may be
installed.
Then, the vulnerability scanner identifies weaknesses or
vulnerabilities in the operating system.
During the later attack phase, a hacker can exploit those weaknesses
in order to gain access to the system.
Vulnerability Scanning

An intrusion detection system (IDS) or a sophisticated network
security professional with the proper tools can detect active
port-scanning activity.
Scanning tools probe TCP/IP ports looking for open ports and IP
addresses, and these probes can be recognized by most security
intrusion detection tools.
Network and vulnerability scanning can usually be detected as well,
because the scanner must interact with the target system over the
network.
Scanning Methodology
#1 Check for Live Systems:
Ping Sweep Techniques
The scanning methodology starts with checking for systems that
are live on the network, meaning that they respond to probes or
connection requests.
The simplest, although not necessarily the most accurate, way to
determine whether systems are live is to perform a ping sweep of the
IP address range.
All systems that respond with a ping reply are considered live on the
network.
Ping Sweep Techniques

Internet Control Message Protocol (ICMP) scanning is the process of sending an ICMP request or ping to all hosts on the network to determine which ones are up and responding to pings.
A benefit of ICMP scanning is that it can be run in parallel, meaning all systems are scanned at the same time; thus it can run quickly on an entire network.
Most hacking tools include a ping-sweep option, which essentially
means performing an ICMP request to every host on the network.
Detecting Ping Sweeps

Almost any IDS or intrusion prevention system (IPS) will detect and alert the security administrator to a ping sweep occurring on the network.
Most firewall and proxy servers block ping responses so a hacker
can’t accurately determine whether systems are available using a
ping sweep alone.
More intense port scanning must be used if systems don’t respond to a ping sweep.
Just because a ping sweep doesn’t return any active hosts on the
network doesn’t mean they aren’t available—you need to try an
alternate method of identification.
Remember, hacking takes time, patience, and persistence.
#2 Check for Open Ports
Scanning Ports and Identifying Services
Checking for open ports is the second step in the scanning
methodology.
Port scanning is the method used to check for open ports.
The process of port scanning involves probing each port on a host to
determine which ports are open.
Port scanning generally yields more valuable information than a
ping sweep about the host and vulnerabilities on the system.
Port-Scan Countermeasures

Countermeasures are processes or tool sets used by security administrators to detect and possibly thwart port scanning of hosts on their network.
The following list of countermeasures should be implemented to prevent a hacker from acquiring information during a port scan:
❑ Proper security architecture, such as implementation of IDS and firewalls, should be followed.
❑ Ethical hackers use their tool set to test the scanning countermeasures that have been implemented.
❑ Once a firewall is in place, a port-scanning tool should be run against hosts on the network to determine whether the firewall correctly detects and stops the port-scanning activity.
The firewall should be able to detect the probes sent by port-scanning tools.
The firewall should carry out stateful inspections, which means it
examines the data of the packet and not just the TCP header to
determine whether the traffic is allowed to pass through the firewall.
Network IDS should be used to identify the OS-detection
method used by some common hackers tools, such as Nmap.
Only needed ports should be kept open. The rest should be filtered or blocked.
The staff of the organization using the systems should be given
appropriate training on security awareness.
They should also know the various security policies they’re required
to follow.
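As an added example (not part of the course material), the following Python detector applies the two detections discussed above, a ping sweep (one source reaching many hosts with ICMP echo) and a port scan (one source probing many ports on one host), to a constructed, simplified firewall log; the log format, the 60-second window and the thresholds are assumptions.

```python
"""Flag ping sweeps and port scans in firewall log lines.

Added example, not from the course material.  The log format is a
constructed, simplified one: "<epoch> <proto> <src> <dst> <dport>",
where <dport> is "-" for ICMP echo requests.
"""
from collections import defaultdict

WINDOW_SECONDS = 60   # sliding window in which probes are counted
SWEEP_HOSTS = 10      # distinct ICMP targets from one source -> ping sweep
SCAN_PORTS = 15       # distinct ports on one target from one source -> port scan

# Constructed sample log: 10.0.0.9 pings twelve hosts, then probes 25 ports
# on 10.0.1.5; 10.0.0.20 is ordinary traffic and must not raise an alert.
SAMPLE_LOG = (
    [f"{1000 + i} icmp 10.0.0.9 10.0.1.{i + 1} -" for i in range(12)]
    + [f"{1020 + p} tcp 10.0.0.9 10.0.1.5 {p + 1}" for p in range(25)]
    + ["1003 tcp 10.0.0.20 10.0.1.5 443",
       "1010 icmp 10.0.0.20 10.0.1.5 -",
       "1030 tcp 10.0.0.20 10.0.1.5 443",
       "1031 tcp 10.0.0.20 10.0.1.5 80"]
)


def parse_line(line):
    """Split one log line into a dict; dport is None for ICMP."""
    ts, proto, src, dst, dport = line.split()
    return {"t": int(ts), "proto": proto, "src": src, "dst": dst,
            "dport": None if dport == "-" else int(dport)}


def detect_scans(lines, window=WINDOW_SECONDS,
                 sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return alerts as (kind, src, dst, count) tuples.

    kind is "ping_sweep" (dst is None) or "port_scan".  Each (kind, src,
    dst) is reported once, with the largest count seen in any window.
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["t"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        for i, cur in enumerate(evs):
            # Events from this source inside the window ending at cur["t"].
            recent = [e for e in evs[:i + 1] if e["t"] > cur["t"] - window]

            icmp_targets = {e["dst"] for e in recent if e["proto"] == "icmp"}
            if len(icmp_targets) >= sweep_hosts:
                key = ("ping_sweep", src, None)
                alerts[key] = max(alerts.get(key, 0), len(icmp_targets))

            ports_by_dst = defaultdict(set)
            for e in recent:
                if e["dport"] is not None:
                    ports_by_dst[e["dst"]].add(e["dport"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= scan_ports:
                    key = ("port_scan", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))

    return sorted(((k[0], k[1], k[2], n) for k, n in alerts.items()),
                  key=lambda a: (a[0], a[1], a[2] or ""))


if __name__ == "__main__":
    for kind, src, dst, n in detect_scans(SAMPLE_LOG):
        print(f"{kind}: {src} -> {dst or 'many hosts'} ({n})")
```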
#3 Service Identification

Service identification is the third step in the scanning methodology.
It’s usually performed using the same tools as port scanning.
By identifying open ports, a hacker can usually also identify the
services associated with that port number.
#4 Banner Grabbing/ OS Fingerprinting

Banner grabbing is the process of opening a connection and reading the banner or response sent by the application.
Many e-mail, FTP, and web servers will respond to a telnet
connection with the name and version of the software.
This aids a hacker in fingerprinting the OS and application
software.
For example, a Microsoft Exchange e-mail server would only be
installed on Windows OS.
OS Fingerprinting

Active stack fingerprinting is the most common form of fingerprinting.
It involves sending data to a system to see how the system responds.
It’s based on the fact that various operating system vendors
implement the TCP stack differently, and responses will differ based
on the operating system.
The responses are then compared to a database to determine the operating system.
Active stack fingerprinting is detectable because it repeatedly
attempts to connect with the same target system.
Passive stack fingerprinting is stealthier and involves examining
traffic on the network to determine the operating system.
Passive stack fingerprinting uses sniffing techniques instead of scanning techniques.
Passive stack fingerprinting usually goes undetected by an IDS or
other security system but is less accurate than active fingerprinting.
Fingerprinting techniques are based on detecting modification in
packets produced by different operating systems.
Fingerprinting Techniques

Common techniques are based on analyzing:
❑ IP TTL values.
❑ IP ID values.
❑ TCP Window size.
❑ TCP Options (generally, in TCP SYN and SYN+ACK packets).
❑ DHCP requests.
❑ ICMP requests.
❑ HTTP packets (generally, User-Agent field).
Other techniques are based on analyzing: Running services & Open port
patterns.
❑ IP TTL values: Time-to-live in networking refers to the time limit imposed on a data packet to be in the network before being discarded.
❑ It is an 8-bit binary value set in the header of Internet Protocol (IP)
by the sending host.
❑ The purpose of a TTL is to prevent data packets from being
circulated forever in the network. The maximum TTL value is 255.
❑ The value of TTL can be set from 1 to 255 by the administrators.
❑ IP ID values: IP ID (IP identification) is a field in an IP header that identifies a packet in a communication session.
❑ It helps in reassembling fragmented IP packets.
❑ TCP Window Size: The Transmission Control Protocol (TCP) window size is the size of the buffer at both ends of a connection.
❑ It controls the flow of data between the sender and receiver.
❑ TCP Options (generally, in TCP SYN and SYN+ACK packets): TCP options are additional fields within the TCP header, used primarily in SYN and SYN-ACK packets during the initial connection establishment phase of a TCP handshake.
❑ They include the maximum segment size (MSS), window scaling, timestamps, and selective acknowledgments, enabling optimization for the specific network conditions between communicating hosts.
❑ DHCP requests: DHCP is a network management protocol.
❑ A client device (or DHCP client), such as a laptop, joins a network and requests an IP address.
❑ The request is made to a DHCP server. These servers are often configured with redundancy (often called DHCP failover) or clustering among other network servers.
❑ ICMP requests: An ICMP request is a message sent using the Internet Control Message Protocol (ICMP) to request information or to report errors.
❑ ICMP is a network protocol that manages errors and provides information about IP networks.
❑ An ICMP request is a layered packet which is sent over the internet.
❑ It also contains the IP layer, which has the source and target IP and also a couple of flags included.
❑ HTTP packets (generally, User-Agent field): The User-Agent header of an HTTP request carries information about the application or device making the request. Security analysts often use it to identify potentially malicious activity by recognizing unusual or suspicious user-agent strings.
❑ The User-Agent field provides details like the browser name, version, operating system, and sometimes even the device model used to access a website, allowing identification of the user's device and software.
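The TTL, window-size and TCP-option techniques listed above can be combined into a simple passive classifier. The Python below is an added example (not from the course material); its signature table is a constructed, illustrative subset in the style of tools such as p0f, and the SYN records are made up.

```python
"""Passive OS guess from the TTL, window size and option layout of a SYN.

Added example, not from the course material.  The signature table is a
constructed, illustrative subset in the style of passive tools such as
p0f; real signature databases are far larger and change per OS release.
"""

INITIAL_TTLS = (32, 64, 128, 255)   # initial TTLs used by common stacks
MIN_SCORE = 3                       # below this the guess is reported as unknown

# Constructed signatures: initial TTL, plausible window sizes (None = any)
# and the option layout expected in the SYN.
SIGNATURES = [
    {"os": "Linux", "ttl": 64, "window": None,
     "options": ("mss", "sackOK", "ts", "nop", "ws")},
    {"os": "Windows", "ttl": 128, "window": {8192, 64240, 65535},
     "options": ("mss", "nop", "ws", "nop", "nop", "sackOK")},
    {"os": "Cisco IOS (illustrative)", "ttl": 255, "window": {4128},
     "options": ("mss",)},
]

# Constructed SYN records as a sniffer might decode them: IP TTL,
# TCP window, and the TCP option kinds in the order they appeared.
SAMPLE_SYNS = [
    {"ttl": 57, "window": 64240,
     "options": ["mss", "sackOK", "ts", "nop", "ws"]},
    {"ttl": 125, "window": 64240,
     "options": ["mss", "nop", "ws", "nop", "nop", "sackOK"]},
    {"ttl": 250, "window": 4128, "options": ["mss"]},
    {"ttl": 240, "window": 1000, "options": ["mss", "nop", "ws"]},
]


def guess_initial_ttl(observed):
    """Round an observed TTL up to the smallest common initial value."""
    for ttl in INITIAL_TTLS:
        if observed <= ttl:
            return ttl
    return 255


def score_signature(pkt, sig):
    """Score how well a SYN matches one signature (0 when TTL class differs)."""
    if guess_initial_ttl(pkt["ttl"]) != sig["ttl"]:
        return 0
    score = 1                                   # TTL class agrees
    opts = tuple(pkt["options"])
    if opts == sig["options"]:
        score += 2                              # exact option layout
    elif set(opts) == set(sig["options"]):
        score += 1                              # same options, other order
    if sig["window"] is None or pkt["window"] in sig["window"]:
        score += 1
    return score


def fingerprint(pkt):
    """Return the best-scoring OS guess plus the inferred hop distance."""
    init = guess_initial_ttl(pkt["ttl"])
    best_os, best_score = "unknown", 0
    for sig in SIGNATURES:
        s = score_signature(pkt, sig)
        if s > best_score:
            best_os, best_score = sig["os"], s
    if best_score < MIN_SCORE:
        best_os = "unknown"                     # too little evidence
    return {"os": best_os, "score": best_score,
            "initial_ttl": init, "hops": init - pkt["ttl"]}


if __name__ == "__main__":
    for syn in SAMPLE_SYNS:
        print(fingerprint(syn))
```

The last sample shows the limit the text mentions: with no matching option layout or window the classifier reports "unknown" rather than guessing from the TTL alone.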
Fingerprinting Tools

There are different tools that are being used for Active Stack and
Passive Stack Fingerprinting.
Active Fingerprinting Tools: Nmap.
Passive Fingerprinting Tools: Network Miner, P0f, Satori
Active Fingerprinting Tools

Nmap: Nmap is a network discovery tool that many system and network administrators find useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
The responses received can then reveal valuable information about the target, including its operating system, open ports, protocols in use, or even installed applications and services.
Active fingerprinting techniques include probes using protocols such as ICMP, TCP SYN, and UDP.
Passive Fingerprinting Tools

NetworkMiner:
❑ It is a Network Forensic Analysis Tool for Windows.
❑ It is used to detect operating systems, sessions, hostnames, open
ports, etc.
❑ The main purpose of NetworkMiner is to collect data that can be
used as forensic evidence about hosts on the network rather than to
collect data regarding the traffic on the network.
P0f:
❑ It is a versatile passive OS fingerprinting tool that is used to
identify the remote system, how far it is located, and its uptime.
❑ It also detects certain types of packet filters and the name of the
ISP, while remaining Passive as it does not generate any network
traffic.
Satori:
❑ Satori is one of the most frequently used passive fingerprinting
programs that uses multiple protocols for OS identification.
❑ It is available in both Windows and Linux platforms.
Prevention of Fingerprinting

Preventing OS fingerprinting is only necessary in those cases where malicious reconnaissance is a concern.
The basic step is to make sure that external hosts are not able to directly scan internal targets.
ICMP should be allowed only if the firewall maintains stateful connections for ICMP, in the same way almost all firewalls do for TCP.
TCP/IP parameters can be modified to make the device look like another OS.
This will fool scripted scans, but will not deter a skilled attacker.
So, the best way to prevent OS fingerprinting is to perform scans against your own network to harden the application in all aspects of security.
#5 Vulnerability Scanning

Searching for devices, processes, or configurations on your network that have known vulnerabilities.
Vulnerability scanning is the process of locating and identifying
known weaknesses in the services and software running on a target
machine.
Many systems today can be exploited directly with little or no skill
when a machine is discovered to have a known vulnerability.
Vulnerability Analysis

❑ Understand common attacks
❑ Inventory your vulnerabilities
❑ Use vulnerability scanning tools
❑ Assess the risks
#6 Draw Network Diagram of Vulnerable Hosts
Vulnerability mapping is the process of scanning the entire workplace to produce a detailed map showing where vulnerable network devices are located and which encryption-based attacks could compromise them.
Once these vulnerable perimeter devices have been discovered,
they can easily be fixed or replaced depending on attack vector
before leading to a data security breach.
Vulnerability mapping allows us to perform multiple security checks in an automated fashion using a tool.
It gives us prior knowledge of a potential vulnerability, with complete detail of where it is located on the network, which helps us resolve that specific vulnerability in less time.
The complete infrastructure is scanned in this process, which enables us to assess the risk in real time.
It also provides a list of possible attacks against the vulnerability, so that we can fix or replace the device before it leads to a data security breach.
The automated tool helps us to generate reports more quickly
that enable us to respond effectively.
Drawing a network diagram of vulnerable hosts is a must.
A number of network-management tools can assist with this step.
Such tools are generally used to manage network devices but can be
turned against security administrators by enterprising hackers.
SolarWinds Toolset, Queso, Harris Stat, and Cheops are all
network-management tools that can be used for operating system
detection, network diagram mapping, listing services running on a
network, generalized port scanning, and so on.
These tools diagram entire networks in a GUI interface including
routers, servers, hosts and firewalls.
Most of these tools can discover IP addresses, host names,
services, operating systems, and version information.
Netcraft and HTTrack are tools that fingerprint an operating
system.
Both are used to determine the OS and web-server software version
numbers.
Netcraft is a website that periodically polls web servers to
determine the operating system version and the web-server software
version.
Netcraft can provide useful information the hacker can use in
identifying vulnerabilities in the web server software.
In addition, Netcraft has an anti-phishing toolbar and web-server
verification tool you can use to make sure you’re using the actual
web server rather than a spoofed web server.
HTTrack arranges the original site’s relative link structure.
You open a page of the mirrored website in your browser, and then
you can browse the site from link to link as if you were viewing it
online.
HTTrack can also update an existing mirrored site and resume
interrupted downloads.
#7 Prepare Proxies

Preparing proxy servers is the last step in the scanning methodology.
A proxy server is a computer that acts as an intermediary between the hacker and the target computer.
Using a proxy server can allow a hacker to become anonymous on
the network.

The hacker first makes a connection to the proxy server and then
requests a connection to the target computer via the existing
connection to the proxy.
Essentially, the proxy requests access to the target computer not the
hacker’s computer.
This lets a hacker surf the web anonymously or otherwise hide
their attack.
SocksChain is a tool that gives a hacker the ability to attack through a chain of proxy servers.
The main purpose of doing this is to hide the hacker’s real IP
address and therefore minimize the chance of detection.
When a hacker works through several proxy servers in series, it’s
much harder to locate the hacker.
Tracking the attacker’s IP address through the logs of several proxy servers is complex and tedious work.
If one of the proxy servers’ log files is lost or incomplete, the chain
is broken, and the hacker’s IP address remains anonymous.
Anonymizers are services that attempt to make web surfing anonymous by utilizing a website that acts as a proxy server for the web client.
The first anonymizer software tool was developed by
Anonymizer.com; it was created in 1997 by Lance Cottrell.
The anonymizer removes all the identifying information from a
user’s computers while the user surfs the Internet, thereby
ensuring the privacy of the user.
To visit a website anonymously, the hacker enters the website address into the anonymizer software, and the anonymizer software makes the request to the selected site.
All requests and web pages are relayed through the anonymizer site,
making it difficult to track the actual requester of the webpage.
#8 Attack
HTTP Tunneling
A popular method of bypassing a firewall or IDS is to tunnel a
blocked protocol (such as SMTP) through an allowed protocol (such
as HTTP).
Almost all IDS and firewalls act as a proxy between a client’s PC
and the Internet and pass only the traffic defined as being allowed.
However, a hacker using an HTTP tunneling tool can disrupt the proxy by hiding potentially destructive protocols, such as IM or chat, within an innocent-looking protocol packet.
HTTPort, Tunneld, and BackStealth are all tools to tunnel traffic through HTTP.
They allow the bypassing of an HTTP proxy, which blocks certain
protocols access to the Internet.
These tools allow the following potentially dangerous software protocols to be used from behind an HTTP proxy: E-mail, IRC (Internet Relay Chat), ICQ (personal instant messaging service), News, FTP (File Transfer Protocol).
#8 Attack
IP Spoofing
A hacker can spoof an IP address when scanning target systems
to minimize the chance of detection.
One drawback of spoofing an IP address is that a TCP session can’t
be successfully completed.
Source routing lets an attacker specify the route that a packet takes
through the Internet.
This can also minimize the chance of detection by bypassing IDS
and firewalls that may block or detect the attack.
Source routing uses a reply address in the IP header to return the
packet to a spoofed address instead of the attacker’s real address.
To detect IP address spoofing, you can compare the time to live
(TTL) values: The attacker’s TTL will be different from the spoofed
address’s real TTL.
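The TTL comparison described above can be automated as a hop-count check: learn how far away each source normally is, then flag packets whose TTL implies a different distance. The Python below is an added example (not from the course material); the packet records and addresses are constructed.

```python
"""Hop-count check for IP source spoofing, following the TTL comparison
described above.

Added example, not from the course material.  Packet records are
constructed dicts with the claimed source address and the observed IP TTL.
"""
from collections import defaultdict

INITIAL_TTLS = (32, 64, 128, 255)   # initial TTLs used by common stacks


def hop_distance(ttl):
    """Hops travelled, assuming the nearest common initial TTL above ttl."""
    initial = next(t for t in INITIAL_TTLS if ttl <= t)
    return initial - ttl


class HopCountBaseline:
    """Learn the hop distance of each source during normal traffic, then
    flag packets whose TTL implies a different distance for that source."""

    def __init__(self, tolerance=1):
        self.tolerance = tolerance          # allow small routing changes
        self.hops = defaultdict(set)        # src -> hop distances seen

    def learn(self, packets):
        for p in packets:
            self.hops[p["src"]].add(hop_distance(p["ttl"]))

    def check(self, packet):
        """Return "ok", "ttl-mismatch" or "unknown-source"."""
        known = self.hops.get(packet["src"])
        if not known:
            return "unknown-source"
        d = hop_distance(packet["ttl"])
        if any(abs(d - h) <= self.tolerance for h in known):
            return "ok"
        return "ttl-mismatch"


# Constructed training traffic: 203.0.113.10 is 12 hops away (initial
# TTL 64), 198.51.100.7 is 13 hops away (initial TTL 128).
TRAINING = [
    {"src": "203.0.113.10", "ttl": 52},
    {"src": "203.0.113.10", "ttl": 52},
    {"src": "198.51.100.7", "ttl": 115},
]

# Constructed packets to check.  The second claims to be 203.0.113.10 but
# arrives with a TTL that implies only 8 hops from a 128-TTL stack.
PROBES = [
    {"src": "203.0.113.10", "ttl": 51},    # one hop more: still ok
    {"src": "203.0.113.10", "ttl": 120},   # mismatch -> likely spoofed
    {"src": "192.0.2.1", "ttl": 60},       # never seen before
]


def check_all(training=TRAINING, probes=PROBES):
    """Learn from training traffic and return one verdict per probe."""
    baseline = HopCountBaseline()
    baseline.learn(training)
    return [baseline.check(p) for p in probes]


if __name__ == "__main__":
    for p, verdict in zip(PROBES, check_all()):
        print(p["src"], p["ttl"], verdict)
```

The check is a heuristic, as the text implies: a spoofer sitting at the same hop distance and using a stack with the same initial TTL as the real host is not caught, and a genuine route change shows up as a mismatch.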
Enumeration

Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, and services.
It also refers to actively querying or connecting to a target
system to acquire this information.
The objective of enumeration is to identify a user account or system account for potential use in hacking the target system.
It isn’t necessary to find a system administrator account, because
most account privileges can be escalated to allow the account more
access than was previously granted.
Enumeration Techniques

❑ Extract user names using email IDs
❑ Extract information using default passwords
❑ Brute-force Active Directory
❑ Extract usernames using SNMP
❑ Extract information using DNS zone transfer
Services and Ports to Enumerate

TCP 53: DNS Zone Transfer:
DNS zone transfer relies on TCP port 53 rather than UDP 53. The TCP protocol helps to maintain a consistent DNS database between DNS servers. DNS servers always use TCP for zone transfers.

TCP 137: NetBIOS Name Service (NBNS):
NBNS, also known as Windows Internet Name Service (WINS), maintains a database of the NetBIOS names for hosts and the corresponding IP address each host is using.
UDP 161: Simple Network Management Protocol (SNMP):
The SNMP protocol is used by various devices and applications, including firewalls and routers, to communicate logging and management information with a remote monitoring application.
TCP/UDP 389: Lightweight Directory Access Protocol (LDAP):
The LDAP Internet protocol is used by Microsoft Active Directory, as well as some email programs, to look up contact information from a server.
TCP 25: Simple Mail Transfer Protocol (SMTP):
SMTP allows email to move across the Internet and across the local intranet. It runs on the connection-oriented service provided by Transmission Control Protocol (TCP) and uses port 25.
Enumeration

Many hacking tools are designed for scanning IP networks to locate NetBIOS name information.
For each responding host, the tools list IP address, NetBIOS computer name, logged-in username, and MAC address information.
On a Windows 2000 domain, the built-in tool net view can be used for NetBIOS enumeration.
To enumerate NetBIOS names using the net view command, enter the following at the command prompt (replace <IP address> with the target address):
net view /domain
nbtstat -A <IP address>
Enumeration
Hacking Tools
DumpSec is a NetBIOS enumeration tool. It connects to the target
system as a null user with the net use command.
It then enumerates users, groups, NTFS permissions, and file
ownership information.
Hyena is a tool that enumerates NetBIOS shares and additionally
can exploit the null session vulnerability to connect to the target
system and change the share path or edit the registry.
The SMB Auditing Tool is a password-auditing tool for the
Windows and Server Message Block (SMB) platforms.
Windows uses SMB to communicate between the client and server.
The SMB Auditing Tool is able to identify usernames and crack
passwords on Windows systems.
The NetBIOS Auditing Tool is another NetBIOS enumeration tool.
It’s used to perform various security checks on remote servers
running NetBIOS file sharing services.
Null Sessions

A null session occurs when you log in to a system with no username or password.
NetBIOS null sessions are a vulnerability found in the Common
Internet File System (CIFS) or SMB, depending on the operating
system.
Once a hacker has made a NetBIOS connection using a null session
to a system, they can easily get a full dump of all usernames, groups,
shares, permissions, policies, services and more using the Null user
account.
The SMB and NetBIOS standards in Windows include APIs that
return information about a system via TCP port 139.
NetBIOS Enumeration

The NetBIOS null session uses specific port numbers on the target machine.
Null sessions require access to TCP ports 135, 137, 139, and/or 445.
One countermeasure is to close these ports on the target system.
This can be accomplished by disabling SMB services on individual
hosts by unbinding the TCP/IP WINS client from the interface in the
network connection’s properties.
SNMP Enumeration

SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system.
SNMP employs two major types of software components for
communication: the SNMP agent, which is located on the
networking device; and the SNMP management station, which
communicates with the agent.
Almost all network infrastructure devices, such as routers and
switches and including Windows systems, contain an SNMP agent
to manage the system or device.
The SNMP management station sends requests to agents, and the agents send back replies.
The requests and replies refer to configuration variables accessible
by agent software.
Management stations can also send requests to set values for certain
variables.
Traps let the management station know that something significant
has happened in the agent software such as a reboot or an interface
failure.
Management Information Base (MIB) is the database of
configuration variables, which resides on the networking device.

SNMP has two passwords you can use to access and configure the SNMP
agent from the management station. The first is called a read community
string.
This password lets you view the configuration of the device or system.
The second is called the read/write community string; it’s for changing or
editing the configuration on the device.
Generally, the default read community string is public and the default
read/write community string is private.
A common security loophole occurs when the community strings are left
at the default settings: A hacker can use these default passwords to view
or change the device configuration.
SNMP Enumeration
Hacking Tools
SNMPUtil and IP Network Browser are SNMP enumeration tools.
SNMPUtil gathers Windows user account information via SNMP in
Windows systems.
Some information such as routing tables, ARP tables, IP addresses,
MAC addresses, TCP and UDP open ports, user accounts, and
shares can be read from a Windows system that has SNMP enabled
using the SNMPUtil tools.
IP Network Browser from the SolarWinds toolset also uses SNMP
to gather more information about a device that has an SNMP agent.
SNMP Enumeration Countermeasures

The simplest way to prevent SNMP enumeration is to remove the SNMP agent on the potential target systems or turn off the SNMP service.
If shutting off SNMP isn’t an option, then change the default read
and read/write community names.
In addition, an administrator can implement the Group Policy
security option Additional Restrictions For Anonymous
Connections, which restricts SNMP connections.
Windows 2000 DNS Zone Transfer

In a Windows 2000 domain, clients use service (SRV) records to locate Windows 2000 domain services, such as Active Directory and Kerberos.
This means every Windows 2000 Active Directory domain must
have a DNS server for the network to operate properly.
A simple zone transfer performed with the nslookup command can
enumerate lots of interesting network information.
The commands to enumerate using nslookup are as follows (ls -d is typed at the interactive nslookup prompt, not on the same command line):
nslookup
ls -d domainname
An Active Directory database is a Lightweight Directory Access Protocol (LDAP) based database.
This allows the existing users and groups in the database to be
enumerated with a simple LDAP query.
The only thing required to perform this enumeration is to create an
authenticated session via LDAP.
A Windows 2000 LDAP client called the Active Directory
Administration Tool (ldp.exe) connects to an Active Directory
server and identifies the contents of the database.
Enumeration
Hacking Tools
User2SID and SID2User are command-line tools that look up Windows security identifiers (SIDs) from username input and vice versa.
Enum is a command-line enumeration utility. It uses null sessions and can retrieve usernames, machine names, shares, group and membership lists, passwords, and Local Security policy information.
Enum is also capable of brute-force dictionary attacks on individual accounts.
UserInfo is a command-line tool that is used to gather usernames and that can also be used to create new user accounts.
GetAcct is a GUI-based tool that enumerates user accounts on a system.
SMBBF is a SMB brute-force tool that tries to determine user accounts and
accounts with blank passwords.
Steps involved in performing Enumeration

Hackers need to be methodical in their approach to hacking.
The following steps are an example of those a hacker might perform in preparation for hacking a target system:
1. Extract usernames using enumeration.
2. Gather information about the host using null sessions.
3. Perform Windows enumeration using the SuperScan tool.
4. Acquire the user accounts using the tool GetAcct.
5. Perform SNMP port scanning.
Module – 2
INTRODUCTION TO AUDITING FRAMEWORKS

❑ Introduction to Nmap - Nmap Environment setup in linux / windows
❑ Scanning remote host and listing open ports - Identifying services of a remote host
❑ Identifying live hosts in local networks – scanning using specific port ranges
❑ NSE scripts

www.skcet.ac.in
Introduction to Active Hosts

Discovering hosts in various penetration testing certifications or engagements is usually the first step before you can move forward in the attack chain.
This can also benefit other areas of cyber security, such as intrusion
detection or incident response.
Nmap uses raw IP packets to discover hosts, open ports, running
services with their versions, and even the operating system on a
network.
It accomplishes this by sending specially crafted packets to the
target host(s) and then analyzing the responses.
Nmap's "host discovery" lets you discover what devices are connected to a network.
This is an important first step when attacking a network or during
security testing because it lets you see what's on the network and
determine which devices are live.
Nmap discovers hosts using techniques such as ICMP (internet
control message protocol), echo requests (ping), TCP (transmission
control protocol), and UDP (user datagram protocol) packets sent to
multiple ports.
The host's response, or absence thereof, helps determine its state.
Nmap's host discovery techniques can bypass certain firewalls and
intrusion detection systems.
TCP, also known as the transmission control protocol, is a connection-oriented protocol most devices use. It is considered reliable and ensures that all data sent will be received. A TCP connection uses a three-way handshake consisting of the SYN (synchronize), SYN-ACK (synchronize-acknowledge), and ACK (acknowledge) flags.

UDP, also known as the user datagram protocol, is a connectionless protocol and is considered unreliable as there is no error checking or data recovery, but it is incredibly fast. UDP is often used for streaming media, Voice over IP (VoIP), and Domain Name System (DNS) lookups. It is a good choice when speed is the priority over data delivery.
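Once Nmap has discovered live hosts and their open ports, an auditor usually wants the result as an inventory rather than as console text. The Python below is an added example (not from the course material or the Nmap project) that parses Nmap's grepable output format (-oG) and compares the open ports of each live host against an assumed allowlist of expected services; the sample output, addresses, names and version strings are constructed.

```python
"""Parse Nmap grepable output (-oG) into a host inventory and compare the
open ports against an expected-services allowlist.

Added example, not from the course material or from the Nmap project.
The sample output below is constructed (addresses, names and version
strings are made up); the allowlist is an assumed site policy.
"""
import re

SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -sV -oG - 192.168.1.0/29
Host: 192.168.1.1 (gw.lab)\tStatus: Up
Host: 192.168.1.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.1.3 ()\tStatus: Down
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "ports": [...]}} from -oG text.

    Grepable lines are tab-separated "Key: value" fields; each port entry
    has seven slash-separated fields: port/state/proto/owner/service/rpc/version.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                            # comment and blank lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "status": None,
                                      "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    p = item.split("/", 6)      # version may itself contain "/"
                    entry["ports"].append({
                        "port": int(p[0]), "state": p[1], "proto": p[2],
                        "service": p[4], "version": p[6].rstrip("/")})
    return hosts


def live_hosts(hosts):
    """Addresses reported as Up, in sorted order."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == "Up")


def open_ports(hosts, ip):
    """(port, service, version) for every open port on one host."""
    return [(p["port"], p["service"], p["version"])
            for p in hosts[ip]["ports"] if p["state"] == "open"]


def unexpected_ports(hosts, allowlist):
    """Open ports on live hosts not covered by the allowlist {ip: {ports}}."""
    findings = []
    for ip in live_hosts(hosts):
        allowed = allowlist.get(ip, set())
        for port, service, _ in open_ports(hosts, ip):
            if port not in allowed:
                findings.append((ip, port, service))
    return findings


# Assumed site policy: the gateway may expose SSH/HTTP/HTTPS, the file
# server only SMB; anything else open is a finding to review.
ALLOWLIST = {"192.168.1.1": {22, 80, 443}, "192.168.1.2": {445}}

if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    print("live:", live_hosts(inventory))
    for finding in unexpected_ports(inventory, ALLOWLIST):
        print("unexpected open port:", finding)
```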
Identifying Active Hosts
Port Scanning Techniques
There are various port scanning techniques available. Well-known tools like Nmap and Nessus have automated the port scanning process. The scanning techniques include:
Address Resolution Protocol (ARP) scan:
In this technique, a series of ARP broadcasts is sent, and the value of the target IP address field is incremented in each broadcast packet to discover active devices on the local network segment. This scan helps us to map out the entire network.
Vanilla TCP connect scan:
It is the basic scanning technique that uses the connect() system call of the operating system to open a connection to every port that is available.
TCP SYN (Half Open) scan:
SYN scanning is a technique that a malicious hacker uses to determine the state of a
communications port without establishing a full connection. These scans are called half
open because the attacking system doesn't close the open connections.
TCP FIN Scan: This scan can remain undetected through most
firewalls, packet filters, and other scan detection programs. It sends
FIN packets to the targeted system and prepares a report for the
response it received.
TCP Reverse Ident Scan: This scan discovers the username of the
owner of any TCP connected process on the targeted system. It
helps an attacker to use the ident protocol to discover who owns the
process by allowing connection to open ports.
TCP XMAS Scan: It is used to identify listening ports on the
targeted system. The scan manipulates the URG, PSH and FIN flags
of the TCP header.
TCP ACK Scan: It is used to identify active websites that may not
respond to standard ICMP pings. The attacker uses this method to
determine the port status by acknowledgment received.
UDP ICMP Port Scan: This scan is used to find high-numbered ports, especially on Solaris systems. The scan is slow and unreliable.
Identifying Active Hosts
Port Scanning Tools
Nmap
It is the best-known port scanner, a free and open-source utility for network and security auditing. Nmap uses raw IP packets to determine what
hosts are available on the network, what services (application name and
version) those hosts are offering, what operating systems (and OS versions)
the target machine is running, what type of packet filters/firewalls are in use,
and other characteristics.
Angry IP Scanner
It is an open-source, cross-platform network scanner, also known as ipscan, designed to be fast and simple to use. It scans ports and IP addresses and provides many other features as well. It is supported on Linux, Windows, Mac OS X, and other platforms.
Unicornscan is a new information gathering and correlation engine built for and by
members of the security research and testing communities.
It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient.
Unicornscan provides many features that include:
❑ Asynchronous stateless TCP scanning with all variations of TCP flags.
❑ Asynchronous stateless TCP banner grabbing.
❑ Asynchronous protocol-specific UDP scanning (sending enough of a signature to elicit a response).
❑ Active and passive remote OS, application, and component identification by analyzing responses.
❑ Relational database output.
❑ Custom module support.
❑ Customized data-set views.
Autoscan is a network scanner that doesn't require any configuration to
start scanning.
The various features provided by AutoScan include:
automatic network discovery, a TCP/IP scanner, Wake-on-LAN
functionality, a multi-threaded scanner, a port scanner, low load on the
network, a VNC client, a Telnet client, an SNMP scanner, simultaneous
scanning of subnetworks without human intervention, real-time detection of any
connected equipment, supervision of any equipment (router, server,
firewall), supervision of any network service (SMTP, HTTP, POP), and
automatic detection of known operating systems (brand and version); you can
also add any unknown equipment to the database.
Identifying Active Hosts
Hacking Tools
IPEye is a TCP port scanner that can do SYN, FIN, Null, and XMAS scans. It’s
a command-line tool.
IPEye probes the ports on a target system and responds with either closed, reject,
drop, or open. Closed means there is a computer on the other end, but it doesn’t
listen at the port.
Reject means a firewall is rejecting (sending a reset back) the connection to the
port.
Drop means a firewall is dropping everything to the port, or there is no computer
on the other end.
Open means some kind of service is listening at the port. These responses help a
hacker identify what type of system is responding.
IPSecScan is a tool that can scan either a single IP address or a range of
addresses looking for systems that are IPSec enabled.
Identifying Active Hosts
Hacking Tools
Netscan Tools Pro 2000, Hping2, KingPing, icmpenum, and
SNMP Scanner are all scanning tools and can also be used to
fingerprint the operating system (discussed later).
Icmpenum uses not only ICMP Echo packets to probe networks,
but also ICMP Timestamp and ICMP Information packets.
Furthermore, it supports spoofing and sniffing for reply packets.
Icmpenum is great for scanning networks when the firewall blocks
ICMP Echo packets but fails to block Timestamp or Information
packets.
Identifying Active Hosts
Hacking Tools
Hping2 is notable because it contains a host of other features
besides OS fingerprinting such as TCP, User Datagram Protocol
(UDP), ICMP, and raw-IP ping protocols, traceroute mode, and the
ability to send files between the source and target system.
SNMP Scanner allows you to scan a range or list of hosts
performing ping, DNS, and Simple Network Management Protocol
(SNMP) queries.
Identifying Active Hosts
War-Dialing Techniques
War dialing is the process of dialing modem numbers to find an
open modem connection that provides remote access to a network
for an attack to be launched against the target system.
The term war dialing originates from the early days of the Internet
when most companies were connected to the Internet via dial-up
modem connections.
War dialing is included as a scanning method because it finds
another network connection that may have weaker security than the
main Internet connection.
Identifying Active Hosts
War-Dialing Techniques
Many organizations set up remote-access modems that are now
antiquated but have failed to remove those remote-access servers.
This gives hackers an easy way into the network with much weaker
security mechanisms.
For example, many remote access systems use the Password
Authentication Protocol (PAP), which sends passwords in cleartext,
rather than newer VPN technology that encrypts passwords.
Identifying Active Hosts
War-Dialing Techniques
War-dialing tools work on the premise that companies don’t control
the dial-in ports as strictly as the firewall, and machines with
modems attached are present everywhere even if those modems are
no longer in use.
Many servers still have modems with phone lines connected as a
backup in case the primary Internet connection fails.
These available modem connections can be used by a war-dialing
program to gain remote access to the system and internal network.
Identifying Active Hosts
War-Dialing Techniques
THC-Scan, Phonesweep, war dialer, and telesweep are all tools that
identify phone numbers and can dial a target to make a connection
with a computer modem.
These tools generally work by using a predetermined list of common
usernames and passwords in an attempt to gain access to the system.
Most remote-access dial-in connections aren’t secured with a
password or use very rudimentary security.
Module – 2
INTRODUCTION TO AUDITING FRAMEWORKS
❑ Introduction to Nmap - Nmap Environment setup in linux / windows
❑ Scanning remote host and listing open ports - Identifying services of a remote host
❑ Identifying live hosts in local networks – scanning using specific port ranges
❑ NSE scripts
www.skcet.ac.in
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and
flexible features. It allows users to write (and share) simple scripts (using
the Lua programming language ) to automate a wide variety of
networking tasks.
Those scripts are executed in parallel with the speed and efficiency you
expect from Nmap. Users can rely on the growing and diverse set of
scripts distributed with Nmap, or write their own to meet custom needs.
Tasks we had in mind when creating the system include network
discovery, more sophisticated version detection, and vulnerability detection.
NSE can even be used for vulnerability exploitation.
Nmap Scripting
One of the more advanced features recently added to Nmap is the ability to create scripts
enabling automation.
These scripts can be used to automate a wide variety of functions including enumeration,
vulnerability scans, and even exploitation.
For the purposes of enumeration, these Nmap scripts can help automate some of your work
and speed up your penetration testing process.
More scripts are being developed constantly, but most security toolsets such as BackTrack
include a number of basic scripts.
Tasks performed by NSE
Network discovery
This is Nmap's bread and butter. Examples include
looking up whois data based on the target domain,
querying ARIN, RIPE, or APNIC for the target IP to
determine ownership, performing identd lookups on open
ports, SNMP queries, and listing available NFS/SMB/RPC
shares and services.
Tasks performed by NSE
More sophisticated version detection
The Nmap version detection system is able to recognize thousands of different
services through its probe and regular expression signature based matching
system, but it cannot recognize everything.
For example, identifying the Skype v2 service requires two independent probes,
which version detection isn't flexible enough to handle. Nmap could also
recognize more SNMP services if it tried a few hundred different community
names by brute force.
Neither of these tasks are well suited to traditional Nmap version detection, but
both are easily accomplished with NSE. For these reasons, version detection now
calls NSE by default to handle some tricky services. This is described in the
section called “Version Detection Using NSE”.
Tasks performed by NSE
Vulnerability detection
When a new vulnerability is discovered, you often want to scan your
networks quickly to identify vulnerable systems before the bad guys do.
While Nmap isn't a comprehensive vulnerability scanner, NSE is
powerful enough to handle even demanding vulnerability checks.
When the Heartbleed bug affected hundreds of thousands of systems
worldwide, Nmap's developers responded with the ssl-heartbleed
detection script within 2 days. Many vulnerability detection scripts are
already available and we plan to distribute more as they are written.
Tasks performed by NSE
Backdoor detection
Many attackers and some automated worms leave backdoors to
enable later reentry. Some of these can be detected by Nmap's
regular expression based version detection, but more complex
worms and backdoors require NSE's advanced capabilities to
reliably detect.
NSE has been used to detect the Double Pulsar NSA backdoor in
SMB and backdoored versions of UnrealIRCd, vsftpd, and
ProFTPd.
Tasks performed by NSE
Vulnerability exploitation
As a general scripting language, NSE can even be used to exploit
vulnerabilities rather than just find them. The capability to add
custom exploit scripts may be valuable for some people (particularly
penetration testers), though we aren't planning to turn Nmap into an
exploitation framework such as Metasploit.
Script Categories
NSE scripts define a list of categories they belong to. Currently
defined categories are auth, broadcast, brute, default, discovery,
dos, exploit, external, fuzzer, intrusive, malware, safe, version,
and vuln.
Category names are not case sensitive. The following list describes
each category.
Scripts are not run in a sandbox and thus could accidentally or
maliciously damage your system or invade your privacy.
Never run scripts from third parties unless you trust the authors or
have carefully audited the scripts yourself.
NSE Options
The Nmap Scripting Engine is controlled by the following options:
-sC
Performs a script scan using the default set of scripts. It is equivalent to
--script=default. Some of the scripts in this category are considered intrusive and
should not be run against a target network without permission.
--script <filename>|<category>|<directory>/|<expression>[,...]
Runs a script scan using the comma-separated list of filenames, script categories,
and directories. Each element in the list may also be a Boolean expression
describing a more complex set of scripts. Each element is interpreted first as an
expression, then as a category, and finally as a file or directory name.
NSE Options
There are two special features for advanced users only.
One is to prefix script names and expressions with + to force them
to run even if they normally wouldn't (e.g. the relevant service
wasn't detected on the target port).
The other is that the argument all may be used to specify every
script in Nmap's database.
Be cautious with this because NSE contains dangerous scripts such
as exploits, brute force authentication crackers, and denial of service
attacks.
NSE Scripts
Nmap scripts are stored in a scripts subdirectory of the Nmap data directory by default. For
efficiency, scripts are indexed in a database stored in scripts/script.db, which lists the category or
categories in which each script belongs.
When referring to scripts from script.db by name, you can use a shell-style ‘*’ wildcard.
nmap --script "http-*"
Loads all scripts whose name starts with http-, such as http-auth and http-open-proxy. The
argument to --script had to be in quotes to protect the wildcard from the shell.
More complicated script selection can be done using the and, or, and not operators to build
Boolean expressions. The operators have the same precedence as in Lua: not is the highest,
followed by and and then or. You can alter precedence by using parentheses. Because expressions
contain space characters it is necessary to quote them.
NSE Scripts
nmap --script "not intrusive"
Loads every script except for those in the intrusive category.
nmap --script "default or safe"
This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in
the default category or the safe category or both.
nmap --script "default and safe"
Loads those scripts that are in both the default and safe categories.
nmap --script "(default or safe or intrusive) and not http-*"
Loads scripts in the default, safe, or intrusive categories, except for those whose names
start with http-.
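To make the selection rules from the NSE Options and NSE Scripts slides concrete, here is an added Python model (not Nmap's own code) of how a --script argument is resolved: each comma-separated element is parsed as a Boolean expression with Lua precedence (not, then and, then or), a bare token matches a category name or a script name with a shell-style wildcard, "all" matches everything, and a leading "+" is accepted as the force-run marker. The script.db contents are a constructed stand-in with made-up category assignments.

```python
import fnmatch
import re
# Constructed stand-in for scripts/script.db (not the real index): name -> categories.
SCRIPT_DB = {
    "http-auth": {"default", "auth", "safe"},
    "http-open-proxy": {"default", "discovery", "external", "safe"},
    "http-slowloris": {"dos", "intrusive"},
    "ssh-hostkey": {"default", "discovery", "safe"},
    "smb-brute": {"brute", "intrusive"},
    "ssl-heartbleed": {"vuln", "safe"},
}
TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse(expr):
    """Predicate over (name, categories) for one --script element (not > and > or, as in Lua)."""
    toks = TOKEN.findall(expr)
    def peek():
        return toks[0].lower() if toks else None
    def p_or():
        left = p_and()
        while peek() == "or":
            toks.pop(0)
            left = (lambda a, b: lambda s: a(s) or b(s))(left, p_and())
        return left
    def p_and():
        left = p_not()
        while peek() == "and":
            toks.pop(0)
            left = (lambda a, b: lambda s: a(s) and b(s))(left, p_not())
        return left
    def p_not():
        if peek() == "not":
            toks.pop(0)
            inner = p_not()
            return lambda s: not inner(s)
        return p_atom()
    def p_atom():
        tok = toks.pop(0)
        if tok == "(":
            inner = p_or()
            if toks.pop(0) != ")":
                raise ValueError("missing ')' in " + expr)
            return inner
        pat = tok.lower()  # "all", a category, or a script name (* wildcard allowed)
        return lambda s: pat == "all" or pat in s[1] or fnmatch.fnmatchcase(s[0], pat)
    result = p_or()
    if toks:
        raise ValueError("unexpected token %r in %s" % (toks[0], expr))
    return result
def select_scripts(arg, db=SCRIPT_DB):
    """Union of the scripts matched by each comma-separated element ('+' marker stripped)."""
    preds = [parse(e.strip().lstrip("+")) for e in arg.split(",")]
    return {n for n, c in db.items() if any(p((n, c)) for p in preds)}
```

Because the shell would otherwise expand the wildcard or split on spaces, the expressions are passed to this function exactly as they would appear inside the quotes on the nmap command line.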
Script Types and Phases
NSE supports four types of scripts, which are distinguished by the kind of targets
they take and the scanning phase in which they are run. Individual scripts may support
multiple types of operation.
Prerule scripts
These scripts run before any of Nmap's scan phases, so Nmap has not collected any
information about its targets yet. They can be useful for tasks which don't depend on
specific scan targets, such as performing network broadcast requests to query DHCP and
DNS SD servers. Some of these scripts can generate new targets for Nmap to scan (only if
you specify the newtargets NSE argument). For example, dns-zone-transfer can obtain a
list of IPs in a domain using a zone transfer request and then automatically add them to
Nmap's scan target list. Prerule scripts can be identified by containing a prerule function
(see the section called “Rules”).
Script Types and Phases
Host scripts
Scripts in this phase run during Nmap's normal scanning process
after Nmap has performed host discovery, port scanning, version
detection, and OS detection against the target host.
This type of script is invoked once against each target host which
matches its hostrule function. Examples are whois-ip, which looks
up ownership information for a target IP, and path-mtu which tries
to determine the maximum IP packet size which can reach the target
without requiring fragmentation.
Script Types and Phases
Service scripts
These scripts run against specific services listening on a target host.
For example, Nmap includes more than 15 http service scripts to run
against web servers. If a host has web servers running on multiple
ports, those scripts may run multiple times (one for each port).
These are the most common Nmap script type, and they are
distinguished by containing a portrule function for deciding which
detected services a script should run against.
Script Types and Phases
Postrule scripts
These scripts run after Nmap has scanned all of its targets. They can be
useful for formatting and presenting Nmap output. For example,
ssh-hostkey is best known for its service (portrule) script which connects
to SSH servers, discovers their public keys, and prints them. But it also
includes a postrule which checks for duplicate keys amongst all of the
hosts scanned, then prints any that are found.
Another potential use for a postrule script is printing a reverse-index of
the Nmap output—showing which hosts run a particular service rather
than just listing the services on each host. Postrule scripts are identified by
containing a postrule function.
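As an added illustration of the service and post-scan phases (not Nmap's code or the real ssh-hostkey script), the Python below models a script whose portrule selects SSH ports, whose action records each host key, and whose postrule runs once after all targets to report a key shared by different hosts. The scan results and fingerprints are constructed; a real script would read the key from the server.

```python
from collections import defaultdict

# Constructed scan results (not real nmap output): host -> {port: service info}.
# The hostkey fingerprints are made up; a real run would read them from the server.
SCAN = {
    "10.0.0.11": {22: {"service": "ssh", "hostkey": "SHA256:aaaa1111"}, 80: {"service": "http"}},
    "10.0.0.12": {22: {"service": "ssh", "hostkey": "SHA256:aaaa1111"}},
    "10.0.0.13": {22: {"service": "ssh", "hostkey": "SHA256:bbbb2222"},
                  2222: {"service": "ssh", "hostkey": "SHA256:bbbb2222"}},
    "10.0.0.14": {443: {"service": "https"}},
}

class SshHostkeyModel:
    """Model of a script with both a portrule (service phase) and a postrule
    (post-scan phase), in the spirit of ssh-hostkey; not Nmap's own code."""
    def __init__(self):
        self.seen = defaultdict(set)  # fingerprint -> {(host, port)}

    def portrule(self, host, port, info):
        return info.get("service") == "ssh"

    def action(self, host, port, info):
        # The real script connects and reads the key; here it comes from the record.
        self.seen[info["hostkey"]].add((host, port))
        return info["hostkey"]

    def postrule(self):
        return bool(self.seen)

    def postaction(self):
        # A key shared by different hosts usually means cloned images or copied
        # key material; the same key on two ports of one host is not a duplicate.
        return {fp: sorted({h for h, _ in where}) for fp, where in self.seen.items()
                if len({h for h, _ in where}) > 1}

def run_engine(scan, script):
    """Service phase: run action once per (host, port) the portrule accepts.
    Post phase: run postaction once, after every target, if postrule agrees."""
    per_port = {}
    for host in sorted(scan):
        for port, info in sorted(scan[host].items()):
            if script.portrule(host, port, info):
                per_port[(host, port)] = script.action(host, port, info)
    post = script.postaction() if script.postrule() else {}
    return per_port, post
```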
References
https://nmap.org/book/man-nse.html