Chapter 5 Scanning Networks Flashcards
Phase 2: Network Scanning
a methodical process that involves probing a target NW to reveal the nature of system NWs as well as the vulnerabilities present
Generally found in the Scanning phase:
1) IP addresses
2) open/closed PORTS on live HOSTS
3) Info on OS(s) & system architecture
4) SERVICES or processes running on hosts
Types of Scans
1) Port scanning - sending crafted messages/packets to a target computer w/ the intent of learning more about it (typically through well-known port #s or those
Common ways to check for Live Systems
Wardialing, Wardriving, Pinging, and Port Scanning
Wardialing
old technique that dials a block of phone #s using a standard modem to locate systems that also have a modem attached & accept connections
Modems & dial-up are still used as a backup to existing technologies such as cable, DSL, etc; It is low cost and a safety net if there were to be a major outage; great way to access bc of the lack of attention modems get
Firewalls, routers, & fax machines sometimes have modems attached; attacker can dial in and gain access
Wardriving
the process of driving around w/ wireless-enabled laptop or device with the goal of mapping out access points, usually w/ the help of GPS device
Pinging
the process of using the ping command to detect whether a system is live & gain info about the nature of the connection between your system & the target (TTL, speed of packets)
involves using Internet Control Msg Protocol (ICMP) msg, which is why this process is also called ICMP scanning
Process works by sending an ICMP ECHO request to another system; if that system is live, it will respond by sending back an ICMP ECHO reply
command prompt –> ping or ping
*Best to always ping by IP address bc pinging a hostname may not get a reply bc of DNS problems
nmap also used here –> nmap -sP -v
Ping Sweep
scan or sweep a range of IPs looking for hosts that are live; can build inventory of systems quickly
CON - most NW admins block ping at firewall, IDS or IPS can detect
nmap -sP -PE -PA
nmap -sn -PE -PA21,23,80,3389 192.168.10.1-50
Port Scanning
once live system found, perform port scan to see what ports are open
TCP Flags - (6)
1) SYN - Initiates connection between 2 hosts to facilitate communication
2) ACK - acknowledge the receipt of packet of info
3) URG - indicates that the data contained in the packet is urgent & should be processed immediately
4) PSH - instructs the sending system to send all buffered data immediately
5) FIN - tells the remote system that no more info will be sent, close connection
6) RST - resets a connection
packet crafter
utility designed to create a packet w/ the flags you specify
HPING2 and HPING3 - command-line only creating custom packets for testing
Create an ACK packet & send it to port 80:
hping3 -A -p 80
Create a SYN scan against different ports:
hping3 -8 50-56 -S -v
Create a packet w/ FIN & URG set and send it to port 80 (hping3 uses -F for FIN and -U for URG):
hping3 -F -U -p 80
Types of Scans that can be done for port scanning (7)
1) Full Open Scan
2) Stealth Scan, or Half Open Scan
3) Xmas Tree Scan
4) Fin Scan
5) Null Scan
6) Ack Scan
7) UDP Scan
Full Open Scan
1) Full Open Scan - the systems involved initiate & complete the 3-way handshake. Attacker then sends ACK+RST to tear down the connection
PRO - positive confirmation that the host is up and running
CON - the target knows who you are
Stealth Scan / Half Open Scan
2) Stealth Scan, or Half Open Scan - similar to Full Open Scan except the attacker sends a RST packet as the final packet to tear down the connection (unless the victim port is closed, in which case the victim fires back a RST)
PRO - less likely to trigger detection mechanisms
CON - less reliable than Full Open Scan
Xmas Tree Scan
3) Xmas Tree Scan - a single packet is sent to the client with ACK, SYN, URG, RST, & FIN all set (all except PSH). Having all flags set is an illegal combination; the receiving system either ignores/drops the packet, or on some systems the lack of response means the port is open whereas a single RST tells you the port is closed
Xmas tree in Nmap –> nmap -sX -v
CON - Windows systems do not respond to this type of attack
Fin Scan
4) Fin Scan - similar to Xmas tree except only the FIN flag is set and sent; if open, no response; if closed, RST response
nmap -sF
Null Scan
5) Null Scan - sends frames w/ no flags set; no response means open, RST means port closed
nmap -sN
Ack Scan
6) Ack Scan - used to test whether any filtering is being done on a port (tells attacker whether a firewall or router is in use)
nmap -sA -P0
**what to do if packet filters, firewalls, or other devices pick up evidence of your attack?
FRAGMENTING works by breaking a packet into multiple pieces w/ goal of preventing detection devices from seeing what the original unfragmented packet intends to do
nmap -sS -T4 -A -f -v
UDP scan
7) UDP Scan - previous techniques assume TCP is being used;
For UDP if a port is open, NO response
If a port is closed, ICMP port unreachable msg returned
Remember UDP does not use a 3-way handshake; TCP is connection oriented whereas UDP is connectionless
types of OS Fingerprinting (2)
1) Passive - uses sniffing techniques to capture packets coming from a system; the responses are analyzed looking for details of OS; chance of detection is LOW b/c sniffing does not introduce traffic to the NW
2) Active - uses specifically crafted packets; responses are compared to DB of known responses; chance of detection is HIGH bc introduces traffic to NW
Banner Grabbing
determine information about services running on a system
Tools –> Telnet
a Banner is what a service returns to the requesting program to give info about the service itself (e.g. HTTP would return server SW, version, etc)
Banners are grabbed by connecting to a host & then sending a request to a port associated w/ a specific service, such as 80 for HTTP
telnet 80, then send the request: HEAD / HTTP/1.0
Countermeasures
disable or change banner
tools –> IIS Lockdown, ServerMask, etc
hide file extensions to hide technology used to generate pages
tools –> PageXchanger
Vulnerability Scanning
special type of automated utility designed to identify problems & holes in OS & apps
CON - designed to look for a group of known issues; if none are found, it leaves the impression that your system is safe
can be used by attacker or victim for diff reasons
Tools –> Nmap, Rapid7, Retina, etc
Drawing NW diagrams
visualize NW environment, can clearly see holes that can be exploited
Mappers can generate a lot of traffic so be careful
Using Proxies
system acting as a stand-in between the scanner & target; the proxy acts as an agent for the scanning party, thus giving anonymity
Proxy servers can perform several functions
1) Filtering Traffic in & out of NW
2) Anonymizing web traffic
3) Providing a layer of protection between the outside world & the internal NW
Tools –> Tor (The Onion Router), used to improve privacy & security on the internet; packets cannot be traced; encrypts traffic
Setting Web Browser to use Proxy
Setup proxy to hide self –>
1) Find your IP –> whatismyip.com
2) Search for proxies with IP and port #
3) change proxy settings in browser
4) Find your IP again
What is used for Network Scans?
What is used for Banner Grabbing?
What is used to identify Web Server OS
Nmap - NW scans
Telnet - Banner Grabbing
Netcraft - ID web server OS