Unit III Reconnaissance

The document covers various techniques and tools used in reconnaissance for cyber security, including Harvester, Whois Lookup, and DNS information extraction. It emphasizes the importance of gathering information about targets for penetration testing and outlines methods like port scanning and different scanning techniques. Additionally, it explains how to use tools like Nmap and dig for effective information gathering and highlights the significance of understanding open, closed, and filtered ports in network security.

Uploaded by Anbarasa Pandian

PANIMALAR ENGINEERING COLLEGE

DEPARTMENT OF CSBS

21IT1915 -CYBER SECURITY

UNIT III
RECONNAISSANCE
Harvester – Whois – Netcraft – Host – Extracting Information from DNS – Extracting Information
from E-mail Servers – Social Engineering Reconnaissance; Scanning – Port Scanning – Network
Scanning and Vulnerability Scanning – Scanning Methodology – Ping Sweep Techniques – Nmap
Command Switches – SYN – Stealth – XMAS – NULL – IDLE – FIN Scans – Banner Grabbing and
OS Fingerprinting Techniques.

Harvester
Harvester is an information-gathering tool built by the team at Edge Security and included by
default in Kali Linux. The goal of this tool is to find and gather all email addresses, subdomains,
hosts, ports, employee names, and banners that can provide information about the target. This tool
is intended to help penetration testers in the early stages of a penetration test in order to understand
the customer's footprint on the Internet. It is also useful for anyone who wants to know what an
attacker can see about their organization.
Note: The unique part is that Harvester doesn't use any advanced algorithms to crack passwords,
test firewalls, or sniff data on networks. Instead, it automatically gathers public information
available on the internet.

Why do we gather information?

In any pentesting task, the first thing you need to do is know your target. The more information
we have about the target, the easier it is to hack it. We can find useful information like the email
addresses to target for phishing or which domains on the company network are vulnerable. We can
also use this information for social engineering attacks, which are at the top of every hacker's
arsenal. By using this tool, critical information that companies knowingly or unknowingly disclose
can be obtained legally and used to understand the target.
This tool is designed to help the penetration tester at an early stage; it is effective, simple and easy
to use. The sources supported are:
1. Google – emails, subdomains
2. Google profiles – Employee names
3. Bing search – emails, subdomains/hostnames, virtual hosts
4. Pgp servers – emails, subdomains/hostnames
5. LinkedIn – Employee names
6. Exalead – emails, subdomains/hostname

Usage of the Harvester tool in Linux with examples:
1. For finding email IDs:
Command:
Result:
2. For gathering employee names and then saving them to a file:
Command:

Whois Lookup
In this section, we are going to have a look at Whois Lookup. It is a protocol that is used to find
the owners of internet resources, for example a domain, a server, or an IP address. In this, we are not
actually hacking; we are just retrieving information from a database about the owners of resources on the
internet. For example, if we wanted to register a domain name like zaid.com, we would have to supply
information about the person registering it, such as an address, and then the domain name would be stored
in our name and people would see that Zaid owns the domain name. That is all we are going to do.

Extracting Information from DNS


DNS servers are an attractive target for attackers and penetration testers. They regularly include data
that is considered highly important to attackers. DNS is a core element of both our local networks
and the Internet. Among other things, DNS is responsible for translating domain names
to IP addresses. For humans, it is much simpler to remember “google.com” rather than
http://75.125.95.105. But machines prefer the reverse. DNS serves as the middleman for this
translation process. As penetration testers, it is necessary to concentrate on the DNS servers that
belong to our target. The reason is simple. In order for DNS to function correctly, it needs to be
aware of both the IP address and the corresponding domain name of each machine on its network. In
terms of reconnaissance, obtaining full access to an organization’s DNS server is like finding a pot of
gold at the end of a rainbow. Or perhaps, more correctly, it is like finding a blueprint for the
organization.
But in this example, the blueprint includes a complete listing of private IP addresses that belong to
our target. Remember that one of the key components of data gathering is to collect IP addresses that
belong to the target.

Extracting Info from DNS Servers


Another way for pen testers to learn more about their targets is through DNS servers and records.
DNS servers store a lot of useful information about their related networks, and there are a handful of
tools to use for extracting valuable information about a target.

What DNS does (or, why we care)


DNS is part of the TCP/IP protocol suite. It’s responsible for mapping user-friendly domain names
(like “google.com”) to an IP address (like “172.217.4.46”).
A domain name server is a server with a large database of these mappings. For pen testers, accessing
DNS servers provides them with a blueprint of the company’s infrastructure, via a list of internal IP
addresses and host names. As Engebretson notes in his book (The Basics of Hacking and Penetration
Testing), DNS servers are often poorly configured or maintained, making them easy targets.
As always, only use this for legal purposes, with authorization, etc etc.

Zone transfers
One particularly useful source of DNS information is a zone transfer (AXFR). Because networks
typically have two or more DNS servers for redundancy or load balancing, they need to communicate
with each other to share their host-to-IP mappings and stay in sync.

Host
If we have collected host names (for a given target) in previous reconnaissance steps, we need to
translate those into IP addresses for future steps. To do so, we can use host.
Host is built into most Linux systems (including Kali). I’m not sure what a Windows equivalent is,
besides maybe nslookup.
To use host, type host followed by the DNS server you are trying to find an IP address for. For
example:
host ns1.bluehost.com
Which returns
ns1.bluehost.com has address 162.159.24.80

NSLookup
Nslookup is a tool that queries a DNS server for its host records. It’s available for Linux (including
Kali) and Windows. To use it, open up a command line and run:
nslookup
It will then show a > prompt and wait for you to enter server followed by the IP address of the DNS server that
you want to learn about (if you only have the hostname, use host as shown in the previous section to
get the IP address).
server 8.8.8.8

Then, you’ll have to specify the type of DNS record. There are several different types:

● A records map a domain or subdomain to an IP address (for example, “google.com” to “172.217.4.46”).

● CNAME allows a machine to be known by the hostnames specified in the CNAME record.

● MX or Mail Exchanger is for routing email to the specified email server. Priority numbers are
given to specify which mail server should be contacted first.

● NS records map a domain name to its related DNS servers (i.e. google.com -> ns1.google.com,
ns2.google.com, etc.)

● TXT records are for text-based info. One example might be domain ownership
verification. A full list of DNS record types can be found here, on Wikipedia.

You can either ask for all DNS record types, or specify a certain type:
set type=any
or set type=a, set type=mx, and so on. The additional servers that you find from nslookup can be
added to the target list.

Email Servers
If we find an email server, this presents another opportunity to learn more about a target. Email
servers must allow outside traffic in to be useful as email servers. In The Basics of Hacking and
Penetration Testing, Engebretson says to send an email to the organization with an empty .bat or .exe
file. The goal is to get rejected, and then inspect the rejection email for anti-virus vendor and version
information, IP address of the server, software versions being used on the server, etc.

Zone transfers
Dig
If you want to attempt a zone transfer (Engebretson notes that your chances of success are pretty low),
you can use dig to do so:
dig @ip_address_here example.com -t AXFR

Fierce
If the zone transfer doesn’t work out for you, fierce can be your backup option. Fierce is a Perl script
that comes pre-installed on Kali. To use:
cd /usr/bin/
./fierce -dns example.com

Fierce will look up DNS servers for a given domain name, attempt a zone transfer, and then perform
hundreds (or thousands) of automated DNS scans for you.
-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile Use DNS servers provided by a file (one per line) for reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups (probably should be the DNS server of
the target). Fierce uses your DNS server for the initial SOA query and then uses the target's DNS
server for all additional queries by default.
-file A file you would like the output to be logged to.
-fulloutput When combined with -connect this will output everything the webserver sends back, not
just the HTTP headers.
A list of command line flags can be found here.

All together now!


Use whois to find the DNS servers for a given website. Next, use host to translate the hostname into
an IP address. Use nslookup to get the full set of related DNS records (for mail exchangers, etc).
Use dig or fierce to attempt a zone transfer, and/or look for related DNS servers.
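The whois, host, nslookup and dig sequence above ends with a zone transfer. As an added example (not code from the notes or from any of the tools named), this Python parser reads the output format dig prints for an AXFR and builds the "blueprint" the notes describe: hosts, mail exchangers in priority order, name servers, CNAME aliases, and the RFC 1918 addresses a leaked zone exposes. The zone data is constructed; no real domain is queried.

```python
"""Parse `dig @server example.com -t AXFR` output into a host inventory.

Added example, not part of the original notes. The zone below is constructed
for illustration; nothing here touches the network.
"""
import ipaddress
import re

# Constructed sample of what dig prints when a server allows the transfer.
# dig's own status lines start with ';' and are not resource records.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com -t AXFR
example.com.        3600    IN  SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.        3600    IN  NS  ns1.example.com.
example.com.        3600    IN  NS  ns2.example.com.
example.com.        3600    IN  MX  10 mail.example.com.
example.com.        3600    IN  MX  20 mail2.example.com.
example.com.        3600    IN  TXT "v=spf1 mx -all"
www.example.com.    3600    IN  A   203.0.113.10
mail.example.com.   3600    IN  A   203.0.113.25
mail2.example.com.  3600    IN  A   203.0.113.26
ns1.example.com.    3600    IN  A   203.0.113.53
ns2.example.com.    3600    IN  A   203.0.113.54
intranet.example.com. 3600  IN  A   10.10.1.20
build.example.com.  3600    IN  A   192.168.5.7
vpn.example.com.    3600    IN  CNAME gw.example.com.
gw.example.com.     3600    IN  A   10.10.1.1
example.com.        3600    IN  SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
"""

# One resource record per line: NAME TTL IN TYPE RDATA
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")

# Private address space as the notes use the term (RFC 1918). ipaddress's
# is_private also flags documentation ranges like 203.0.113.0/24, so an
# explicit check is used here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def parse_axfr(text):
    """Return (name, type, rdata) tuples, skipping dig's comment and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"].rstrip("."), m["type"], m["data"].strip()))
    return records


def build_inventory(records):
    """Group records into what a target list (or an exposure review) needs."""
    inv = {"hosts": {}, "private_hosts": {}, "mx": [], "ns": [], "cname": {}, "txt": []}
    for name, rtype, data in records:
        if rtype == "A":
            inv["hosts"][name] = data
            if is_rfc1918(data):
                inv["private_hosts"][name] = data   # internal addressing leaked by the zone
        elif rtype == "MX":
            prio, host = data.split()
            inv["mx"].append((int(prio), host.rstrip(".")))
        elif rtype == "NS":
            inv["ns"].append(data.rstrip("."))
        elif rtype == "CNAME":
            inv["cname"][name] = data.rstrip(".")
        elif rtype == "TXT":
            inv["txt"].append(data.strip('"'))
    inv["mx"].sort()   # lowest preference value is contacted first
    return inv


def resolve_alias(inv, name):
    """Follow CNAME chains to the final A record, as host or nslookup would."""
    seen = set()
    while name in inv["cname"] and name not in seen:
        seen.add(name)
        name = inv["cname"][name]
    return inv["hosts"].get(name)


if __name__ == "__main__":
    inv = build_inventory(parse_axfr(SAMPLE_AXFR))
    print("Mail servers in priority order:", inv["mx"])
    print("Internal (RFC 1918) hosts exposed by the zone:", inv["private_hosts"])
    print("vpn.example.com ->", resolve_alias(inv, "vpn.example.com"))
```

On a real engagement the same parser works on a file saved with `dig ... -t AXFR > zone.txt`; from the defender's side, a non-empty `private_hosts` result is the signal that the zone should be split or transfers restricted.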

Port scanning

A port scan is a common technique hackers use to discover open doors or weak points in a network. A
port scan attack helps cyber criminals find open ports and figure out whether they are receiving or
sending data. It can also reveal whether active security devices like firewalls are being used by an
organization.
When hackers send a message to a port, the response they receive determines whether the port is
being used and if there are any potential weaknesses that could be exploited.
Businesses can also use the port scanning technique to send packets to specific ports and analyze
responses for any potential vulnerability. They can then use tools like IP scanning, network mapper
(Nmap), and Netcat to ensure their network and systems are secure.
Port scanning can provide information such as:
1. Services that are running
2. Users who own services
3. Whether anonymous logins are allowed
4. Which network services require authentication

What is a Port?
A port is a point on a computer where information exchange between multiple programs and the
internet to devices or other computers takes place. To ensure consistency and simplify programming
processes, ports are assigned port numbers. This, in conjunction with an IP address, forms vital
information that each internet service provider (ISP) uses to fulfill requests.

Port numbers range from 0 through to 65,536 and are ranked in terms of popularity. Ports numbered 0
to 1,023 are called “well-known" ports, which are typically reserved for internet usage but can also
have specialized purposes. These ports, which are assigned by the Internet Assigned Numbers
Authority (IANA), are held by leading businesses and Structured Query Language (SQL) services.
Ports are generally managed by the Transmission Control Protocol (TCP), which defines how to
establish and maintain a network conversation between applications, and User Datagram Protocol
(UDP), which is primarily used for establishing low-latency and loss-tolerating connections between
applications. Some of the most popular and most frequently used ports include:
1. Port 20 (UDP): File Transfer Protocol (FTP) used for transferring data
2. Port 22 (TCP): Secure Shell (SSH) protocol used for FTP, port forwarding, and secure logins
3. Port 23 (TCP): The Telnet protocol used for unencrypted communication
4. Port 53 (UDP): The Domain Name System (DNS), which translates internet domain
names into machine-readable IP addresses
5. Port 80 (TCP): The World Wide Web Hypertext Transfer Protocol (HTTP)
Ports numbered from 1,024 to 49,151 are considered “registered ports,” and they are registered by
software companies. The ports numbered from 49,152 to 65,536 are considered dynamic and private
ports, which can be used by almost everyone on the internet.

What are the Port Scanning Techniques?


A port scan sees packets sent to destination port numbers using various techniques. Several of these
include:
1. Ping scans: A ping scan is considered the simplest port scanning technique. They are also
known as internet control message protocol (ICMP) requests. Ping scans send a group of
several ICMP requests to various servers in an attempt to get a response. A ping scan can
be used by an administrator to troubleshoot issues, and pings can be blocked and disabled
by a firewall.
2. Vanilla scan: Another basic port scanning technique, a vanilla scan attempts to connect to all
of the 65,536 ports at the same time. It sends a synchronize (SYN) flag, or a connect
request. When it receives a SYN-ACK response, or an acknowledgment of connection, it
responds with an ACK flag. This scan is accurate but easily detectable because a full
connection is always logged by firewalls.
3. SYN scan: Also called a half-open scan, this sends a SYN flag to the target and waits for a
SYN-ACK response. In the event of a response, the scanner does not respond back, which
means the TCP connection was not completed. Therefore, the interaction is not logged,
but the sender learns if the port is open. This is a quick technique that hackers use to find
weaknesses.
4. XMAS and FIN scans: Christmas tree scans (XMAS scans) and FIN scans are more discreet
attack methods. XMAS scans take their name from the set of flags that are turned on within a
packet which, when viewed in a protocol analyzer like Wireshark, appear to be blinking like
a Christmas tree. This type of scan sends a set of flags which, when responded to, can
disclose insights about the firewall and the state of the ports. A FIN scan sees an attacker
send a FIN flag, often used to end an established session, to a specific port. The system’s
response to it can help the attacker understand the level of activity and provide insight into the
organization's firewall usage.
5. FTP bounce scan: This technique enables the sender to disguise their location by using
an FTP server to bounce a packet.
6. Sweep scan: This preliminary port scanning technique sends traffic to a port across
several computers on a network to identify those that are active. It does not share any
information about port activity but informs the sender whether any systems are in use.

Different Types of Port Checker or Scanner


There are several different port scanning or checking techniques, including:
1. Ping scans: A ping is used to check whether a network data packet can reach an IP address
without any issues. Ping scans involve automated transmissions of several ICMP requests
to various servers.
2. Half-open or SYN scans: Attackers can check the state of a port without creating a
full connection by using a half-open scan, often known as a SYN scan. This kind of scan
just transmits a SYN message and does not complete a connection with the recipient.
3. XMAS scans: XMAS scans send a number of packets to a port to check if it is open. If the
port is closed, the scanner gets a response. If it does not get a response, that means the port
is open and can be used to access the network.

What type of port scan results can you get from port scanning?

Port scan results reveal the status of the network or server and can be described in one of three
categories: open, closed, or filtered.

● Open ports: Open ports indicate that the target server or network is actively accepting
connections or datagrams and has responded with a packet that indicates it is listening. It
also indicates that the service used for the scan (typically TCP or UDP) is in use as well.
Finding open ports is typically the overall goal of port scanning and a victory for a
cybercriminal looking for an attack avenue. The challenge for IT administrators is trying to
barricade open ports by installing firewalls to protect them without limiting access for
legitimate users.

● Closed ports: Closed ports indicate that the server or network received the request, but
there is no service “listening” on that port. A closed port is still accessible and can be useful
in showing that a host is on an IP address. IT administrators should still monitor closed ports
as they could change to an open status and potentially create vulnerabilities. IT
administrators should consider blocking closed ports with a firewall, where they would then
become “filtered” ports.

● Filtered ports: Filtered ports indicate that a request packet was sent, but the host did not
respond and is not listening. This usually means that a request packet was filtered out
and/or blocked by a firewall. If packets do not reach their target location, attackers cannot
find out more information. Filtered ports often respond with error messages reading
“destination unreachable” or “communication prohibited.”

Network Scanning
Network scanning is the process of troubleshooting the active devices on your system for
vulnerabilities. It identifies and examines the connected devices by deploying one or more features in
the network protocol. These features pick up vulnerability signals and give you feedback on the
security status of your network.
Network scanning facilitates system maintenance, monitoring, and security assessments. When
implemented effectively, network scanning gives you insights into some of the best ways to protect
your network against cyberattacks.

How Does Network Scanning Work?


Network scanning is simplified with innovative solutions. One way to implement network scanning
without breaking your back is to rely on network administrators.
Network administrators scan your network to evaluate IP addresses and detect the live hosts
connected to it.
Keep in mind that cybercriminals use the same technique to spot weaknesses in your network. The
idea is to identify the loopholes before the bad guys discover them.
For network administrators to identify how IP addresses are mapped in the network, they may need to
use tools such as Nmap.
Nmap is an effective network scanning tool that uses IP packets to detect devices attached to a
network. It helps to simplify the mapping of IP addresses.
You can use network scanners to inspect where the network is stronger or weaker in your workplace
with the help of network administrators.
A basic working rule of network scanning is to identify all devices on a network and map their IP
addresses. To do this, you must use the network scanner to forward a packet to all available IP
addresses connected to the network.
After sending this ping, you need to wait for their response. Once the feedback arrives, the network
scanner uses them to measure the status and inconsistencies of the host or application. During this
process, the responding devices are active while the non-responding devices are inactive.
Network administrators can also use Address Resolution Protocol (ARP) scan to evaluate the system
manually. But if the goal of the network administrator is to reach all active hosts, it's advisable to
use tools that support automatic running scans.
One of the best tools that you can use to attain such a milestone is the Internet Control Message
Protocol (ICMP) scan. It helps you map the network accurately without failure.
Many security-conscious companies allocate high budgets to advanced network scanning tools to
secure their networking systems. But they may not get the desired results if they make the wrong
choice. The effective scanning tools you should consider include Acunetix, Nikto, Spyse, Swascan,
IP Address Manager, and SolarWinds Network Performance Monitor.

Types of Network Scanners
Scanning your network properly requires using the right tools and methods. Each method is
determined by what you want to achieve with your scanning. There are two major kinds of network
scanning—port scanning and vulnerability scanning.

1. Port Scanning
Port scanning enables you to identify open ports in a network that can receive or send data. You can
use it to send packets to targeted ports on a device. This process highlights loopholes and analyzes
performance feedback.
Before implementing port scanning, you have to identify the list of active devices and map them to
their IP addresses.
The primary goal of port scanning is to use the data it acquires from active devices to diagnose
security levels.

2. Vulnerability Scanning
Vulnerability scanning helps you to detect vulnerabilities that exist on your network. Running a check
on your system exposes threats that were hidden away from you.
In most organizations, vulnerability scanning is conducted by the IT department. But if you want to
get thorough feedback, consider hiring a third-party security expert. Since they aren't familiar with
your network, they'll conduct an objective analysis from an outsider's perspective.
Vulnerability scanning can also be performed by cyberattackers intending to identify weak spots in
your network. Beat them to it by identifying and closing the weak links.
Besides identifying loopholes, vulnerability scanning also evaluates the security capacity of your
network against cyberattacks. It uses a database to analyze possible attacks. This database provides
the vulnerability scanner with packet construction anomalies, flaws, default configurations, paths to
sensitive data, and coding bugs that can enable cyber attackers to exploit your network.

What Are the Benefits of Network Scanning?


Like most innovative solutions, network scanning offers several benefits. One thing is certain—it
gives your system a better footing. In what ways exactly, though? Let's take a look.

1. Increased Network Performance


Network scanning plays a key role in increasing network performance and maximizing the speed of
network operations.

In a complex organizational network, multiple subnets of various IP addresses are assigned to several
devices to improve their performance on the system. Scanning these devices helps to remove clogs
and creates a free flow for optimal performance.

2. Protection Against Cyberattacks


Network scanning is so useful that cybercriminals also use it to discover vulnerabilities in a network.
When you fail to scan your network for threats and vulnerabilities, you're indirectly inviting
attackers for a visit.
Carrying out regular network scanning is an effective way to keep your system free from
cyberattacks. It's similar to implementing intrusion detection systems to spot emerging threats.

3. Save Time and Money

Scanning your network manually is tedious and time-consuming. The scanning process could linger
for long. Your work is on hold, making you lose money in the long run.
Network scanning is an automated process. It evaluates tons of data within a short time. You get it
over with as soon as possible and keep your workflow moving.
The purpose of network scanning is as follows:

● Recognize available UDP and TCP network services running on the targeted hosts

● Recognize filtering systems between the user and the targeted hosts

● Determine the operating systems (OSs) in use by assessing IP responses

● Evaluate the target host’s TCP sequence number predictability to determine its exposure to
sequence prediction attacks and TCP spoofing

What is Vulnerability Scanning?


Vulnerability scanning is the process of discovering, analyzing, and reporting on security flaws and
vulnerabilities. Vulnerability scans are conducted via automated vulnerability scanning tools to
identify potential risk exposures and attack vectors across an organization’s networks, hardware,
software, and systems. Vulnerability scanning and assessment is an essential step in the vulnerability
management lifecycle.
Once vulnerabilities have been identified through scanning and assessed, an organization can pursue a
remediation path, such as patching vulnerabilities, closing risky ports, fixing misconfigurations, and
even changing default passwords, such as on internet of things (IoT) and other devices.

The Benefits of Vulnerability Scanning


Vulnerability scanning is a vital part of your security team’s overall IT risk management approach for
several reasons:

● Vulnerability scanning lets you take a proactive approach to close any gaps and maintain
strong security for your systems, data, employees, and customers. Data breaches are often
the result of unpatched vulnerabilities, so identifying and eliminating these security gaps,
removes that attack vector.

● Cybersecurity compliance and regulations demand secure systems. For instance, NIST,
PCI DSS, and HIPAA all emphasize vulnerability scanning to protect sensitive data.

● Cyber criminals also have access to vulnerability scanning tools, so it is vital to carry
out scans and take restorative actions before hackers can exploit any security
vulnerabilities.

The Main Types of Vulnerability Scans


Some vulnerability scanning tools are comprehensive in their coverage, able to perform multiple
types of scans across heterogeneous environments that include on-prem, Unix, Linux, Windows,
cloud, off-site, and onsite. Other scanning tools serve particular niches, so it’s always critical to
thoroughly explore your use cases before investing in a scanner.

Let’s now explore some different types of vulnerability scans, which each have their place, depending
on your use cases.

Credentialed Scans vs. Non-Credentialed Scans

Credentialed and non-credentialed scans (also respectively referred to as authenticated and
non-authenticated scans) are the two main categories of vulnerability scanning.
Non-credentialed scans, as the name suggests, do not require credentials and do not get trusted access
to the systems they are scanning. While they provide an outsider’s eye view of an environment, they
tend to miss most vulnerabilities within a target environment. So, while they can provide some
valuable insights to a potential attacker as well as to a security professional trying to gauge risk from
the outside, non-credentialed scans give a very incomplete picture of vulnerability exposure.
On the other hand, credentialed scans require logging in with a given set of credentials. These
authenticated scans are conducted with a trusted user’s eye view of the environment. Credentialed
scans uncover many vulnerabilities that traditional (non-credentialed) scans might overlook. Because
credentialed scans require privileged credentials to gain access for scanning, organizations should
look to integrate an automated privileged password management tool with the vulnerability scanning
tool, to ensure this process is streamlined and secure (such as by ensuring scan credentials do not
grow stale).
Here are some other ways that scans may be categorized, based on use case.

External Vulnerability Scans


These scans target the areas of your IT ecosystem that are exposed to the internet, or are otherwise not
restricted to your internal users or systems. They can include websites, ports, services, networks,
systems, and applications that need to be accessed by external users or customers.

Internal Vulnerability Scans


These scans target your internal corporate network. They can identify vulnerabilities that leave you
susceptible to damage once a cyberattacker or piece of malware makes it to the inside. These scans
allow you to harden and protect applications and systems that are not typically exposed by external
scans.

Environmental Scans
These scans are based on the environment that your technology operates in. Specialized scans are
available for multiple different technology deployments, including cloud-based, IoT devices, mobile
devices, websites, and more.

Intrusive Versus Non-Intrusive Scans


Non-intrusive scans simply identify a vulnerability and report on it so you can fix it. Intrusive scans
attempt to exploit a vulnerability when it is found. This can highlight the likely risk and impact of a
vulnerability, but may also disrupt your operational systems and processes, and cause issues for your
employees and customers — so use intrusive scanning with caution.
Vulnerability Scanning Challenges
There are several challenges that arise in conducting vulnerability scanning:

A scan only represents a moment in time


Most scans are “snapshots,” not continuous. Because your systems are changing all the time, you
should run scans regularly as your IT ecosystem changes.

A scan may need human input or further integrations to deliver value
Although the scanning process itself is easily automated, a security expert may still need to review the
results, complete remediation, and follow-up to ensure risks are mitigated. Many organizations also
integrate vulnerability scanning with automated patch management and other solutions to help reduce
the human administrative burden. Regardless, the scan itself is only an early step in the vulnerability
management lifecycle.

A credentialed scan may require many privileged access credentials

How many are needed depends on how thorough a scan is desired. Therefore, automating the management
and integration of these credentials with the scanner should be considered, to maximize both the depth
of the scan and privileged access security.

A scan only identifies known vulnerabilities


A vulnerability scanning tool is only as good as its database of known faults and signatures. New
vulnerabilities emerge all the time, so your tool will need to be continually updated.

Scanning methodology
1. Check for live systems. Something as simple as a ping can provide this. This gives you a list
of what’s actually alive on your network subnet.

2. Check for open ports. Once you know which IP addresses are active, find what ports
they’re listening on.

3. Scan beyond IDS. Sometimes your scanning efforts need to be altered to avoid
those pesky intrusion detection systems.

4. Perform banner grabbing. Banner grabbing and OS fingerprinting will tell you what operating
system is on the machines and which services they are running.

5. Scan for vulnerabilities. Perform a more focused look at the vulnerabilities these machines
haven’t been patched for yet.

6. Draw network diagrams. A good network diagram will display all the logical and physical
pathways to targets you might like.

7. Prepare proxies. This obscures your efforts to keep you hidden.

Scanning Methodology

● Check for Live Systems: A ping scan checks for live systems by sending ICMP echo
request packets. If a system is alive, it responds with an ICMP echo reply packet
containing details such as TTL, packet size etc.

● Check for Open Ports: Port scanning helps us to find out open ports, the services running
on them, their versions etc. Nmap is the powerful tool used mainly for this purpose.
We have various types of scan:

Connect scan: Identifies open ports by establishing a full TCP handshake with the target.
Nmap command: nmap -sT -v -p- <TargetIP>

Half-open scan (otherwise known as Stealth scan): Scans the target in a stealthy way by not
completing the TCP handshake; the communication is abruptly reset instead.
Source: https://www.safaribooksonline.com
Nmap command: nmap -sS -v <TargetIp>

XMAS scan: This is also called inverse TCP scanning. It works by sending packets with the
PSH, URG and FIN flags set. The target does not respond if the port is open and sends a reset
response if the port is closed.
Source: https://www.information-security.fr

FIN scan: The FIN flag is set in the TCP packets sent to the target. Open ports do not respond while
closed ports send a reset response.
Source: https://securitcrs.wordpress.com
Nmap command: nmap -sF <targetIp>

ACK scan: Here the attacker sets the ACK flag in the TCP header and the target's port status is
gathered based on the window size and TTL value of the RESET packets received from the target.
Source: https://www.hackingloops.com
Nmap command: nmap -sA -v <targetip>

Null scan: Works by sending TCP packets with no flags set to the target. Open ports do not respond
while closed ports respond with a RESET packet.
Nmap command: nmap -sN -p- <targetIP>

Idle scan: Here the attacker tries to mask his identity and uses an idle machine on the network to probe
the status of the target's ports.
Source: https://en.wikipedia.org/wiki/Idle_scan
Nmap command: nmap -Pn -sI ZombieIp TargetIp
Banner Grabbing
Banner grabbing is a process of collecting information like operating system details, the name of the
service running with its version number etc.

Vulnerability scanning:
Mainly automated tools are used for this purpose. These automated scanners scan the target to find out
vulnerabilities or weaknesses in the target organization which can be exploited by attackers.
Vulnerabilities include application vulnerabilities, configuration vulnerabilities, network
vulnerabilities, operating system vulnerabilities etc.
Some examples include an operating system that is not updated, default passwords in use, plain-text
protocols in use, vulnerable protocols running etc.
Tools: Nessus, Acunetix

Draw Network Diagrams

With the information gathered, the attacker can come up with a network diagram which might give
him information about the network and architecture of the target organization, helping him to identify
targets easily.
Tools: Network View, OpManager etc.

Prepare Proxies
Proxies can be used to maintain the anonymity of the attacker by masking the IP address. A proxy can
capture information passing through it since it acts as an intermediary between client and server, and the
attacker can access resources remotely using proxies.
Eg: TOR browser, Onion sites, Proxify, Psiphon etc.

Countermeasures:
● Configure IDS and firewall to block probes.

● Keep firewall, router and IDS firmware updated.

● Run port scanners to verify the security of the target.

● Add rules in firewall restricting access to ports.

● Disable ICMP based scanning at firewall.

What is Ping Sweep?

Ping sweep is a technique built around the IP address. Ping scanning is one of the most efficient ways to
find network vulnerabilities and carry out network discovery. It also saves a lot of time because the
ping sweep procedure is very simple. Pinging a well-known service such as google.com returns a result
from which we can learn our own situation. Pinging a network or system allows us to determine whether a
host is alive or dead. This network-based utility can ping one IP or check a whole list of IPs in a single or
continuous scan. In response to pinging a host, we get data back as an echo. If we call a host alive, we
have identified that the system is active and what its network status is. Dead means the host is either
inactive, non-responsive or shut down. Hosts can be network servers, computers, websites, printers, or
any remote network device.
Ping Sweep is an information-gathering technique used to identify live hosts by pinging them. In
more technical terms it is also known as a Ping scan, or an Internet Control Message Protocol (ICMP) scan.

One host, the user, requests data and the receiving host accepts it and sends back packets of
information in bytes. In between, these packets are validated and a response comes back to the
sender host. For this reason, ping sweep or ping scan is also known as a two-way handshake protocol.

Ping and Ping Sweep are not the same

The use of the ping system first began with sonar technology. Many submarines go deep into the ocean,
where visibility is zero. No light can pass, but sound waves can, as water is a great conductor of sound.
What sonar technology does is send signals in all directions. The sonar signal bounces back from
obstacles on all sides, making it possible to map live data from around the area. The system was called
pinging, and thus we got the name; in computing it is used as an IP network utility tool and is also
called pinging.
Network administrators have the capability to ping devices connected to a specific network. Of
course, the devices have to be on a network. On the other hand, as we’ve talked about ICMP, with a ping
sweep we can help diagnose a network issue quickly and find what’s going on with a host. Even remote
devices on different IPs can be reached by sweeping ping.

Purpose of Ping Sweep

Ping sweep is used to gain various pieces of information about hosts. It has the potential to address a
range of IPs for live mapping. In regular pinging, we have echo request and echo-response functions. It’s
a way of requesting data and gaining sufficient knowledge of a network device. It can also map a range of
IPs. The echo request reveals information regarding the IP we ping. Local pinging is directed via the
local DNS server and the input has a round-trip time (RTT). Ping sweep, however, uses ICMP echo requests.
It can send packets of data to reveal in-depth information about a host or range of hosts. Finding live
and dead IPs, detecting bad traffic and rogue network devices, and matching only permitted IPs on the
network are a few results that can be documented by ping sweeping. Regular pinging can be done from the
console command line on admin devices, but ICMP echoing requires advanced software packages. For the
same reason, they can be manipulated any way the admin wants to achieve live mapping of a DHCP environment.
Generally, we can either conduct a Normal Ping Sweep or Flood Pinging. Once we have the target IP
address of the host, we can ping that IP address and determine whether the host is alive or not. Once
packets are received correctly, we can confirm the host’s status. The data will help in conducting further
work on the host. This is a normal ping sweep.
On the other hand, flood pinging is quite like a denial-of-service attack. It occurs when a website or
host is flooded with lots of pings. The result is serious: regular legitimate users may not be able to
use the service or host while the flood pinging is going on. Every website or victim network has a
maximum capacity, and when flood pinging crosses that limit, it jams the network and the host stops
responding. Automated scripts or flood pinging software are used for this kind of experiment. Flood
pinging is sometimes called a “Ping of Death” as it makes the host behave like a dead host. Flood
pinging is mostly used for session hijacking.

Best tools for Ping Sweep


Since there are many tools for Ping Sweep, we are only highlighting the best ones. They are
simple to use and can easily perform all the advanced tasks that an admin may require. As ping sweep
requires packages and special features, it is important to use tools. It saves time, and the display
systems in these tools are well thought out. Revealing and going through data becomes easier for anyone
looking to assess the state of a network or find vulnerabilities. Our top picks are:
1. SolarWinds IP Address Manager (IPAM)
2. SolarWinds Engineer’s Toolset (ETS)
3. ManageEngine OpManager
4. Advanced IP Scanner
5. Paessler PRTG Network Monitor

Nmap command switches
Nmap is probably the most famous reconnaissance tool among pentesters and hackers. It is
essentially a port scanner that helps you scan networks and identify the ports and services
available in the network, besides also providing further information on targets, including reverse
DNS names, operating system guesses, device types, and MAC addresses. It also comes in handy
during network auditing!

The barebone syntax of Nmap is:

$ nmap [FLAGS] [IP]

Note that you may also need to run it with sudo privileges at times to perform some particular types
of scans.

Nmap Switches
Nmap is a strong and powerful network scanning tool which allows us to customize our scans
with the help of flags passed via the command line. Some of the important flags are:

● -h: Print a help summary page

● -sS: Perform a TCP SYN scan

● -sU: Perform a UDP scan

● -sV: Probe open ports to determine service/version info

● -O: Enable OS detection

● -v: Enable verbosity. You can even set the verbosity level as such :

● -vv: Level 2 verbosity. The minimum level of verbosity advised for use.

● -v3: Level 3 verbosity. You can always specify the verbosity level by specifying
a number like this.

● -oA: Save Nmap output in “normal”, XML and grepable formats at once. However, you can
specify the format of your choice with:

● -oN: Redirect normal output to a given filename

● -oX: Produce output in a clean XML format and store it in a given file

● -oG: Produce “grepable” output and store it in a file. This is a deprecated format, as users
are now moving towards XML output.

● -A: Enables “aggressive” scanning. Presently this enables OS detection (-O), version
scanning (-sV), script scanning (-sC) and traceroute (--traceroute)

● -p: Specify the ports to scan. It can be a single port as well as a range of ports. For example:

● nmap -p 80 127.0.0.1: This scans port 80 on localhost

● nmap -p 1-100 127.0.0.1: This scans ports from 1 to 100 on localhost

● nmap -p- 127.0.0.1: This scans all the ports on localhost

Scan Types in Nmap


Nmap supports a lot of different scan types. However the most popular ones are:

1. TCP Connect Scans (-sT)
In this type of scan, Nmap sends a TCP packet to a port with the SYN flag set. In this scenario two
things can occur:

● The target responds with an RST packet that signifies that the port is closed.

● The target doesn’t respond at all, probably due to a firewall dropping all incoming packets,
in which case the port will be considered filtered.

● The target responds back with a TCP packet with the SYN/ACK flags set which would
signify that the port is open and then Nmap would respond with a TCP packet with the
ACK flag set and hence would complete the TCP 3-way handshake.
This is not a very reliable scan technique as it is easy to configure a firewall rule to respond back with
RST packets or drop all incoming packets. Also this method is extremely slow as it waits for the
entire TCP 3 way handshake.

2. SYN “Half-open” Scans (-sS)


SYN scans, also known as “Half-Open” or “Stealth” scans, are an improvement over the previous
method. Where the previous method sent back a TCP packet with the ACK flag set
after receiving a SYN/ACK packet, this one sends an RST packet instead. This prevents the
server from repeatedly retrying the connection and massively reduces scan times.
This method is an improvement on the previous one because:

● It is faster

● It might be able to bypass some primitive firewalls

● Often, SYN scans are not logged by applications running on the ports, as most applications
start logging a connection only after it has been fully established, which is not the case
with SYN scans
However, it is not advisable to run SYN scans on production environments as it might break certain
unstable applications. It is also to be noted that SYN scans require sudo privileges because Nmap
needs to craft raw packets.
In fact, when run with sudo privileges, nmap defaults to a SYN scan; otherwise it defaults to a TCP connect scan.

3. UDP Scans (-sU)


UDP scans are much less reliable than the previous two as UDP connections are stateless by nature.
This means that there’s no “feedback mechanism” like TCP. UDP works on the principle “Fire and
Forget” which means that it sends packets directed to targets at certain ports and hopes that they
would make it. This gives more emphasis on speed than quality. However, the lack of a feedback
mechanism makes it difficult to identify open ports.
When a UDP packet is sent to a target port, there are three scenarios:

● Usually there is no response, in which case nmap marks the port as open|filtered. If
no response is received, it sends another UDP packet to double check, and if yet again
no response is received, it marks the port as open|filtered and moves on.

● It might get a UDP response back, which is very rare. In such a scenario, the port is
marked open.

● If the port is closed, it receives an ICMP unreachable message back, which signifies that the port
is unreachable.

Special Scans in Nmap


Apart from these, there are some less popular scan types which are even “stealthier” than a TCP SYN scan.
These are as follows:

1. TCP Null Scans (-sN)

In TCP Null scans, the TCP packets sent don’t have any of the flags set. According to the RFC, under
such a circumstance the target should respond back with an RST if the port is closed.

2. TCP FIN Scans (-sF)


This is very similar to the TCP Null Scan except for the fact that instead of sending a completely
empty TCP packet, it sends a packet with the FIN flag set which is used to gracefully close a
connection. Accordingly the target must respond back with an RST for closed ports as per RFC.

3. TCP Xmas Scans (-sX)


TCP Xmas Scans is also very similar to the last two scan techniques except for the fact that they use
TCP packets with the PSH, URG and FIN flags set. Like the last two scan types, this too expects RST
packets for closed ports under RFC.

Limitations
As these scans are of a similar nature, they also have similar outputs, very similar to those of
UDP scans. In this case, we can only have the following three responses:

● open|filtered : When no response is received, the port is categorized as this,
because no response can mean only two things:

● The port is open

● The port is protected behind a firewall, hence filtered

● filtered : When the port is protected behind a firewall which sends an ICMP message back

● closed : When it receives an RST packet

It is also to be noted that though RFC 793 mandates that network hosts respond to malformed
packets with an RST TCP packet for closed ports, and don’t respond at all for open ports, some
systems reject this convention. This behaviour is mostly observed in Microsoft Windows servers
and some Cisco devices, where all malformed packets are dropped by default.
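The reply-to-state rules spelled out above for connect, SYN, Null, FIN, Xmas, ACK and UDP scans (and in the earlier scan-type list) can be captured in a small model. The following is an added example, not code from these notes or from Nmap: it sends nothing, it only encodes the decision table so the reported state for any reply can be checked, and it applies the same flag knowledge on the defensive side to pick scanners out of constructed flow records. The reply vocabulary, the flow records and the threshold are assumptions of the example.

```python
from __future__ import annotations
from collections import defaultdict

# TCP flag bits (low byte of the flags field in a TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each Nmap scan type sets on its probe packet.
PROBE_FLAGS = {
    "connect": SYN,           # -sT (full handshake through the OS socket API)
    "syn": SYN,               # -sS (raw SYN, then RST instead of ACK)
    "null": 0,                # -sN
    "fin": FIN,               # -sF
    "xmas": FIN | PSH | URG,  # -sX
    "ack": ACK,               # -sA
}

# Replies a probe can get. Constructed vocabulary for this model.
REPLIES = {"syn-ack", "rst", "icmp-port-unreach", "icmp-other-unreach",
           "udp-data", "none"}


def probe_type(flags: int) -> str:
    """Name the scan type a single inbound TCP segment most likely belongs to.

    Null, FIN and Xmas segments never start a legitimate connection, so on the
    defensive side they are a strong scan indicator on their own.
    """
    for name in ("null", "fin", "xmas", "ack"):
        if flags == PROBE_FLAGS[name]:
            return name
    if flags == SYN:
        return "syn"  # -sS, -sT or an ordinary client: indistinguishable here
    return "other"


def port_state(scan: str, reply: str) -> str:
    """Return the state Nmap reports for a (scan type, reply) pair."""
    if reply not in REPLIES:
        raise ValueError(f"unknown reply {reply!r}")
    if scan == "udp":
        # UDP has no handshake: only a port-unreachable or data is conclusive.
        return {"udp-data": "open", "icmp-port-unreach": "closed",
                "icmp-other-unreach": "filtered"}.get(reply, "open|filtered")
    if scan in ("connect", "syn"):
        return {"syn-ack": "open", "rst": "closed"}.get(reply, "filtered")
    if scan == "ack":
        # Learns only whether a stateful firewall sits in front of the port.
        return "unfiltered" if reply == "rst" else "filtered"
    if scan in ("null", "fin", "xmas"):
        # RFC 793 behaviour: closed ports answer RST, open ports stay silent,
        # so silence cannot separate open from filtered.
        return {"rst": "closed", "icmp-port-unreach": "filtered",
                "icmp-other-unreach": "filtered"}.get(reply, "open|filtered")
    raise ValueError(f"unknown scan type {scan!r}")


# Constructed flow records: (source IP, destination port, TCP flags).
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, SYN), ("10.0.0.5", 80, ACK),          # normal client
    ("10.0.0.9", 22, 0), ("10.0.0.9", 25, 0),               # Null probes
    *[("10.0.0.7", p, SYN) for p in range(1, 40)],          # SYN sweep
]


def flag_scanners(flows, distinct_port_threshold: int = 20) -> dict:
    """Return {source: reason} for sources whose traffic looks like a port scan."""
    ports = defaultdict(set)
    reasons = {}
    for src, dport, flags in flows:
        kind = probe_type(flags)
        if kind in ("null", "fin", "xmas"):
            reasons.setdefault(src, f"{kind} probe to port {dport}")
        elif kind == "syn":
            ports[src].add(dport)
            if len(ports[src]) >= distinct_port_threshold:
                reasons.setdefault(src, f"SYNs to {len(ports[src])} distinct ports")
    return reasons
```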

Scanning A Network For Hosts using Nmap
One of the most important things to do on connecting to a network is to obtain a list of all active
hosts on the network before further probing. This can be done via a “Ping Sweep”, which, as the
name implies, involves sending an ICMP packet to all the IPs in the network and waiting for responses.
The hosts which reply back with an ICMP packet are considered active in this case.
You can specify your target IP ranges by using hyphens or via CIDR as follows:

$ nmap -sn 192.168.0.1-254

Or,

$ nmap -sn 192.168.0.0/24

The -sn flag suppresses any port scans, and forces nmap to rely solely on ICMP echo packets (or ARP
requests if run with superuser privileges) to identify active hosts in the network. It also sends a TCP
SYN packet to the target’s port 443 and a TCP ACK request (TCP SYN if run with superuser
privileges) to the target’s port 80.

Nmap Scripting Engine


The Nmap Scripting Engine(NSE) is a powerful addition to Nmap which allows us to even
further extend its functionality. Written in Lua, we can use it to write our scripts and automate a
lot of our work like testing for vulnerabilities and exploitation.
There are many categories available. Some useful categories include:

● safe:- Won’t affect the target

● intrusive:- Not safe: likely to affect the target

● vuln:- Scan for vulnerabilities

● exploit:- Try to exploit a vulnerability

● auth:- Attempt to bypass authentication for running services

● brute:- Try to brute force credentials for running services

● discovery:- Attempt to query running services for further information about the network

To run a script, we need to specify it as --script=<script-name>

You can also specify multiple scripts to run at the same time by separating the script names like
--script=<script-name1>,<script-name2>
Some scripts also require an argument, which can be specified with --script-args <args>
Some scripts have a built-in help menu which can be referred to with:
$ nmap --script-help <script-name>

SYN – Stealth – XMAS – NULL – IDLE – FIN Scans

SYN - A SYN or stealth scan is also called a half-open scan because it doesn’t complete the TCP
three-way handshake. A hacker sends a SYN packet to the target; if a SYN/ACK frame is received
back, then it’s assumed the target would complete the connect and the port is listening. If an RST is
received back from the target, then it’s assumed the port isn’t active or is closed. The advantage of
the SYN stealth scan is that fewer IDS systems log this as an attack or connection attempt.

XMAS - XMAS scans send a packet with the FIN, URG, and PSH flags set. If the port is open, there
is no response; but if the port is closed, the target responds with a RST/ACK packet. XMAS scans
work only on target systems that follow the RFC 793 implementation of TCP/IP and don’t work
against any version of Windows.

FIN - A FIN scan is similar to an XMAS scan but sends a packet with just the FIN flag set. FIN scans
receive the same response and have the same limitations as XMAS scans.

NULL - A NULL scan is also similar to XMAS and FIN in its limitations and response, but it just
sends a packet with no flags set.

IDLE - An IDLE scan uses a spoofed IP address to send a SYN packet to a target. Depending on
the response, the port can be determined to be open or closed. IDLE scans determine port scan
response by monitoring IP header sequence numbers.

IPEye is a TCP port scanner that can do SYN, FIN, Null, and XMAS scans. It’s a commandline tool.
IPEye probes the ports on a target system and responds with closed, reject, drop, or open. Closed
means there is a computer on the other end, but it doesn’t listen at the port. Reject means a firewall is
rejecting the connection to the port (sending a reset back). Drop means a firewall is dropping
everything to the port, or there is no computer on the other end. Open means some kind of service is
listening at the port. These responses help a hacker identify what type of system is responding.

IPSecScan is a tool that can scan either a single IP address or a range of addresses looking for systems
that are IPSec enabled.

NetScan Tools Pro, hping2, KingPing, icmpenum, and SNMP Scanner are all scanning tools and
can also be used to fingerprint the operating system (discussed later).

Icmpenum uses not only ICMP Echo packets to probe networks, but also ICMP Timestamp and
ICMP Information packets. Furthermore, it supports spoofing and sniffing for reply packets.
Icmpenum is great for scanning networks when the firewall blocks ICMP Echo packets but fails to
block Timestamp or Information packets.

The hping2 tool is notable because it contains a host of other features besides OS fingerprinting such
as TCP, User Datagram Protocol (UDP), ICMP, and raw-IP ping protocols, traceroute mode, and the
ability to send files between the source and target system.

SNMP Scanner allows you to scan a range or list of hosts performing ping, DNS, and Simple
Network Management Protocol (SNMP) queries.

Banner grabbing
Banner grabbing is a method used by attackers and security teams to obtain information about
network computer systems and services running on open ports. A banner is a text displayed by a host
that provides details such as the type and version of software running on the system or server. The
screen displays the software version number on the network server and other system information,
giving cybercriminals an advantage in cyber attacks. Banner grabbing considers collecting software
banner information such as name and version. Hackers can use the OSINT tool to get the banners
manually or automatically. Banner capture is one of the essential steps in both offensive and
defensive penetration testing environments.

Types of Banner Grabbing:
1. Active Banner Grabbing: In this method, hackers send packets to a remote server and
analyze the response data. The attack involves opening a TCP or similar connection
between the origin and the remote server. An Intrusion Detection System (IDS) can easily
detect active banner grabbing.
2. Passive Banner Grabbing: This method allows hackers and security analysts to get the same
information while avoiding disclosing the original connection. In passive banner grabbing,
the attackers deploy software and malware as a gateway to prevent a direct connection when
collecting data from the target. This technique uses third-party network tools and services to
capture and analyze packets to identify the software and version running on the server.

Usage:
Hackers can perform a banner-grabbing attack against various protocols to discover insecure and
vulnerable applications and exploits. There are many services, protocols, and types of banner
information that you can collect using banner grabbing. You can develop various methods and tools
for the discovery process. In general, banner grab allows an attacker to discover network servers and
services running along with their instances on open ports, as well as the operating system. Given the
type and version of an application, a hacker, or pen tester, can quickly scan for known and
exploitable vulnerabilities in that version.

Service Ports:
● Port 80 is running on Hypertext Transfer Protocol (HTTP) service.

● Port 21 is running on the File Transfer Protocol (FTP) service.

● Port 25 runs on the Simple Mail Transfer Protocol (SMTP) service.

Important Points:
● Banner Grabbing is used in Ethical Hacking to gather information about a target
system before launching an attack.

● In order to gather this information, the Hacker must choose a website that displays
banners from affiliate sites and navigate from the banner to the site served by the affiliate
website.

● Banner Grabbing can be done through manual means or through the use of automated
tools such as web crawlers, which search websites and download everything on them,
including banners and files.

OS Fingerprinting
If a hacker can determine what type of operating system a targeted computer is running, he or she
can work to exploit the vulnerabilities present in that operating system. OS Fingerprinting is used by
security professionals and hackers for mapping remote networks and determining which
vulnerabilities might be present to exploit. In fact, it is a tactic used by cyber-criminals and even
ethical hackers to figure out what type of operating system is being used by a target computer on a
network. In fact, by analyzing certain protocol flags, options, and data in the packets a device sends
onto the network, hackers can make relatively accurate guesses about the OS that sent those packets.
OS Fingerprinting works only for packets that contain a full-fledged TCP connection; that is the TCP
connection should have a SYN, SYN/ACK, and ACK connection.
There are two types of fingerprinting:

● Active

● Passive

Active OS Fingerprinting
Active OS fingerprinting involves actively determining a targeted PC’s OS by sending carefully
crafted packets to the target system and examining the TCP/IP behavior of received responses. The
main reason why an attacker may prefer a passive approach is to reduce the risk of being caught by
an IDS, IPS, or a firewall. Properly configured, implemented, and maintained IDSes, IPSes,
and firewalls can mitigate active fingerprinting. In other words, active fingerprinting is challenging
the target machine to see what happens.
Active fingerprinting works by sending packets to a target and analyzing the packets that are sent
back. Almost all active fingerprinting these days is done with Nmap.
Nmap is usually used by network administrators to monitor the security of their networks. In fact,
Nmap is an effective application for both admins and attackers. Nmap sends probes to lots of
different TCP/IP ports, and analyzes what returned. Nmap utilizes scripting that analyzes that data to
print out results that are useful for OS fingerprinting. Running an OS fingerprinting scan in Nmap is
as simple as typing:
nmap -A ip_address_or_domain_name_of_target
Source: infosecinstitute.com

Passive OS Fingerprinting
Passive OS fingerprinting is a more effective way of avoiding detection or being stopped by a
firewall; it examines a passively collected sample of packets from a host. Passive fingerprinting
uses a pcap (packet capture) API. In GNU/Linux and BSD/Unix operating systems, pcap can be
found in the libpcap library, and for Windows, there’s a port of libpcap called WinPcap. Passive
fingerprinting can make a guess of a target’s OS, because different OSes have different TCP/IP
implementations.
Passive OS fingerprinting is less accurate than active OS fingerprinting, but may be a technique
chosen by an attacker or penetration tester who wants to avoid detection. Passive fingerprinting can
be mitigated by assuring that NICs (network interface cards) don’t operate in promiscuous mode.
There are four important elements that we look at to determine the operating system:

● TTL: What the operating system sets the Time-To-Live to on the outbound packet.

● Window Size: What the operating system sets the Window Size to.

● DF: Does the operating system set the Don’t Fragment bit?

● TOS: Does the operating system set the Type of Service?

Source: zerosuniverse.com and infosecinstitute.com
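The four fields above are enough for a first-cut passive guess, the kind a defender uses for asset inventory from captured SYNs. The following is an added example, not p0f and not code from these notes: it rounds an observed TTL up to the usual starting values, estimates the hop distance, and matches (initial TTL, window, DF) against a small signature table. The signature values are an illustrative subset of commonly published defaults, not an authoritative database, and the observation format is an assumption of the example.

```python
from dataclasses import dataclass

# Default initial TTLs used by common stacks. Observed TTL = initial - hops.
INITIAL_TTLS = (64, 128, 255)
TTL_FAMILY = {64: "Linux/Unix-like", 128: "Windows", 255: "Network device / Solaris"}

# Illustrative (initial TTL, SYN window size, DF set, label) signatures.
# Not complete or authoritative; real tools such as p0f carry far more.
SIGNATURES = [
    (64, 64240, True, "Linux (recent kernel)"),
    (64, 29200, True, "Linux (older kernel)"),
    (64, 5840, True, "Linux (2.6-era)"),
    (64, 65535, True, "FreeBSD / macOS"),
    (128, 64240, True, "Windows 10/11"),
    (128, 8192, True, "Windows 7 / Server 2008"),
    (128, 65535, True, "Windows XP / Server 2003"),
    (255, 4128, False, "Cisco IOS"),
]


@dataclass(frozen=True)
class SynObservation:
    """The four fields from a captured SYN that the notes list."""
    ttl: int       # TTL as seen on the wire
    window: int    # initial window size
    df: bool       # Don't Fragment bit
    tos: int       # Type of Service byte


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be 1..255")
    return next(t for t in INITIAL_TTLS if observed <= t)


def hop_estimate(observed: int) -> int:
    """Hops the packet has travelled, assuming a standard initial TTL."""
    return initial_ttl(observed) - observed


def guess_os(obs: SynObservation) -> tuple:
    """Return (label, confidence); confidence is 'exact' or 'ttl-only'."""
    t0 = initial_ttl(obs.ttl)
    for t, window, df, label in SIGNATURES:
        if t == t0 and window == obs.window and df == obs.df:
            return label, "exact"
    # No window/DF match: fall back to the TTL family alone.
    return TTL_FAMILY[t0], "ttl-only"


def describe(obs: SynObservation) -> str:
    """One-line summary for an inventory report."""
    label, conf = guess_os(obs)
    note = "" if obs.tos == 0 else f", TOS=0x{obs.tos:02x} (unusual, worth checking)"
    return f"{label} [{conf}], ~{hop_estimate(obs.ttl)} hops away{note}"
```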

Tools Used for OS Fingerprinting


P0f – passive: This tool is an OS Fingerprinting tool that utilizes an array of sophisticated, purely
passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP
communications (often as little as a single normal SYN) without interfering in any way.
Website: http://lcamtuf.coredump.cx/p0f3/
Ettercap – passive: This tool is a comprehensive suite for man in the middle attacks. It features
sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports
active and passive dissection of many protocols.
Website: http://ettercap.github.io/ettercap/
XProbe2 – active: This tool is an active OS Fingerprinting tool with a different approach to
operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses
and multiple simultaneous matches, and a signature database.
