Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network
- To discover live hosts, their IP addresses, and their open ports
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts
Types of Scanning
- Port scanning – lists open ports, the services listening on them and (via fingerprinting) the OS
- Network Scanning – lists active hosts and their IP addresses
- Vulnerability Scanning – checks whether a system is exploitable by scanning it for known vulnerabilities
TCP Communication Flags
- SYN – synchronise sequence numbers; set on the first packet of a connection
- ACK – the acknowledgement number is valid; set on every packet after the first
- FIN – the sender has no more data; orderly connection close
- RST – reset; aborts the connection, also the reply a closed port gives to a stray segment
- PSH – push buffered data to the application without waiting for more
- URG – the urgent pointer field is valid
TCP Communication
- Three-way handshake: client SYN -> server SYN/ACK -> client ACK. A closed port answers a SYN with RST; a firewall that silently drops the SYN produces no reply at all. These three outcomes are what the open/closed/filtered port states below are built on.
Scanning Tools
- NMAP – Active hosts, open ports, types of packet filters/firewall, OS and versions
- Hping3 – Active hosts, packet crafting tool
- Metasploit – provides the infrastructure, content and tools to perform penetration tests and extensive security auditing
- NetScanTools Pro – List IPv4/6 address, hostnames, domain names and URLs
- Others: sx, Unicornscan, PRTG Network Monitor, OmniPeek Network Protocol Analyzer
- Mobile – IP scanner, Fing, Network Scanner
- Ping Sweep – Angry IP Scanner – Active hosts and open ports
- Others: SolarWinds Engineer's Toolset, NetScanTools Pro, Colasoft Ping Tool, Visual Ping Tester, OpUtils
Network Host Discovery Techniques

- ARP Ping (works only on the local segment; nmap's default for LAN targets) – nmap -sn -PR <Target IP>
- UDP Ping – nmap -sn -PU <Target IP>
- ICMP ECHO Ping – nmap -sn -PE <Target IP>
  - ICMP ECHO Sweep – nmap -sn -PE <IP range>
- ICMP Timestamp Ping – nmap -sn -PP <Target IP>
- ICMP Address Mask Ping – nmap -sn -PM <Target IP>
- TCP SYN Ping (default port 80; a port list may be given, e.g. -PS22,80,443) – nmap -sn -PS <Target IP>
- TCP ACK Ping (default port 80; an unexpected ACK draws a RST from a live host even when ICMP is filtered) – nmap -sn -PA <Target IP>
- IP Protocol Ping – nmap -sn -PO <Target IP>
Port Discovery
Know the common ports
| Service | Port |
| --- | --- |
| DNS (zone transfers use TCP only) | TCP/UDP 53 |
| MS RPC Endpoint Mapper | TCP/UDP 135 |
| NetBIOS Name Service | UDP 137 |
| NetBIOS Session Service | TCP 139 |
| SMB over TCP | TCP 445 |
| NFS | TCP/UDP 2049 |
| LDAP | TCP/UDP 389 |
| SNMP | UDP 161 |
| SMTP | TCP 25 |
| SNMP Trap | UDP 162 |
| IKE (Internet Key Exchange) | UDP 500 |
| SSH | TCP 22 |
Port Scanning Techniques

- TCP Connect / Full Open (full three-way handshake through the OS socket API; no raw-socket privilege needed, but every connection is logged by the target) – nmap -sT -v <Target IP>
- Stealth / TCP Half-Open (SYN only; SYN/ACK = open, RST = closed, no reply = filtered; the handshake is never completed) – nmap -sS -v <Target IP>
- Inverse TCP Flag scans (RST = closed, no reply = open|filtered; relies on RFC 793 behaviour, so Windows and some Cisco stacks answer RST for every port and show everything closed) – run as separate scans: nmap -sF / -sN / -sX -v <Target IP>
  - Xmas (FIN+URG+PSH) – nmap -sX -v <Target IP>
  - FIN (FIN) – nmap -sF -v <Target IP>
  - NULL (no flags) – nmap -sN -v <Target IP>
  - Maimon (FIN/ACK) – nmap -sM -v <Target IP>
- ACK Flag Probe (ACK; maps firewall rules: RST = unfiltered, no reply = filtered; cannot tell open from closed) – nmap -sA -v <Target IP>
  - TTL-based – nmap -sA -v --ttl 100 <Target IP>
  - Window-based (some stacks send a RST with a non-zero window for open ports) – nmap -sW -v <Target IP> (-sW is its own scan type and cannot be combined with -sA)
- Idle / IP ID header scan (SYN sent with the zombie's source address; the change in the zombie's IP ID reveals the port state, and the target never sees the scanner's address) – nmap -Pn -p- -sI <zombie host IP> <Target IP>
- UDP (UDP packet; ICMP port unreachable = closed, no reply = open|filtered, so it is slow) – nmap -sU -v <Target IP>
- SCTP INIT (INIT chunk) – nmap -sY -v <Target IP>
- SCTP COOKIE ECHO – nmap -sZ -v <Target IP>
- SSDP – Simple Service Discovery Protocol works with UPnP to find plug-and-play devices; exposed UPnP stacks are a frequent target of buffer-overflow and DoS attacks – use Metasploit's SSDP/UPnP scanner modules or nmap --script upnp-info
- List scan (lists IPs/names with reverse DNS lookups, sends no packets to the targets) – nmap -sL -v <Target IP>
- IPv6 – nmap -6 <Target IPv6>
- Service Version Discovery – nmap -sV <Target IP>
Countermeasures
- Firewall/IDS configured to detect and block scanning probes
- Run a port scanner against your own perimeter to verify that the firewall actually detects and logs the scanning activity
- Ensure routing and filtering mechanisms cannot be bypassed (e.g. via source routing or a second, unfiltered path)
- Keep routers, IDS and firewall software at the latest release
- Custom rule set; block every port that is not explicitly needed
- Filter ICMP at the firewall/router, at minimum timestamp and address-mask requests; if everything is dropped, keep type 3 code 4 (fragmentation needed) or Path MTU discovery breaks
- Perform TCP and UDP scans as well as ICMP probes against your own network to confirm the configuration and the exposed ports
- Configure anti-scanning and anti-spoofing rules
OS Discovery (Banner Grabbing/OS Fingerprinting)
Active Banner Grabbing
- Send specially crafted packets; the remote host's responses depend on its TCP/IP stack implementation
- Compare the responses (initial TTL, window size, TCP option ordering, reaction to odd flag combinations) against a fingerprint database to determine the OS
Passive Banner Grabbing
- Banner grabbing from error messages (Server header, version strings in error pages)
- Sniffing network traffic and reading the initial TTL and TCP window size of packets the host sends on its own
- Banner grabbing from page extensions (.aspx, .php, .jsp reveal the platform)

nmap -O <Target IP>
nmap --script smb-os-discovery <Target IP> (or -sC for nmap's default script set, which includes it)
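Active and passive banner grabbing side by side, as an added example (not from the notes, and not nmap's fingerprinting engine): an active grab connects, optionally sends a request, and reads what the service volunteers; the passive guess rounds a sniffed TTL up to the nearest default initial TTL. The one-shot loopback service and its banners are constructed test fixtures, and the TTL table is a heuristic, not a fingerprint database.

```python
"""Added example: active banner grabbing over TCP and a passive OS guess
from the initial TTL seen in sniffed packets. Not from the notes."""
import socket
import threading
from typing import Optional, Tuple

# Services that talk first need no probe; HTTP only answers a request.
DEFAULT_PROBES = {
    21: None, 22: None, 25: None, 110: None,
    80: b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n",
}


def grab_banner(host: str, port: int, timeout: float = 3.0, probe: Optional[bytes] = None) -> str:
    """Connect, optionally send `probe`, and return the first bytes the service sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return ""
    return data.decode("utf-8", errors="replace").strip()


def server_header(banner: str) -> Optional[str]:
    """Pull the Server: header out of an HTTP banner, if present."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


# Default initial TTLs: 64 (Linux, macOS, most Unix), 128 (Windows), 255 (Cisco IOS, Solaris).
INITIAL_TTLS = ((64, "Linux/Unix-like"), (128, "Windows"), (255, "Cisco IOS / Solaris / other 255-TTL stack"))


def guess_os_from_ttl(ttl: int) -> Tuple[str, int]:
    """Passive guess: round the observed TTL up to the nearest default initial
    TTL. Returns (OS family, estimated hop count). Heuristic only; the default
    can be changed by the admin, so confirm with nmap -O or p0f."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return family, initial - ttl
    raise ValueError("TTL out of range")


def fake_service(banner: bytes, wait_for_request: bool = False) -> int:
    """Test fixture (constructed, not a real service): one-shot TCP server on a
    loopback port that sends `banner`, optionally only after reading a request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n")   # constructed banner
    print(grab_banner("127.0.0.1", port))
    print(guess_os_from_ttl(116))
```

The active grab leaves a full TCP connection in the target's logs, which is what the countermeasures below (changing or disabling banners) are meant to make worthless.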
Countermeasures
- Disabling or changing banner
- Hiding file extensions from web pages
IDS/Firewall Evasion Techniques
- Packet Fragmentation – split the probe into small IP fragments so the TCP header spans several of them (nmap -f uses 8-byte fragments, -ff 16-byte, --mtu sets the size); a device that inspects fragments one at a time never sees the whole header – nmap -sS -T4 -f -v <Target IP>
- Source Routing – the IP source-route option specifies the path the packet must take, to steer it around a firewall/IDS (most current routers drop source-routed packets)
- Source Port Manipulation – send probes from a port the firewall trusts (53, 80, 88) so that sloppy rules let the replies through – nmap -g 80 <Target IP> (same as --source-port 80)
- IP Address Decoy – mix the real probes with probes from generated or chosen decoy addresses, so the target sees several scanners and cannot tell which is real – nmap -D RND:10 <Target IP>, nmap -D <decoyIP1,decoyIP2,...,ME> <Target IP>
- IP Address Spoofing – rewrite the source IP so the packets appear to come from someone else; the replies go to the spoofed address, so the attacker learns nothing unless they can sniff that path – hping3 -a <spoofed address> <target>
- MAC Address Spoofing – send frames with another MAC address (random, a chosen vendor prefix, or a legitimate user's MAC); only affects raw-packet scans such as -sS, not -sT, which uses the OS socket API – nmap -sS -Pn --spoof-mac 0 <Target IP> (0 = random; a vendor name or full MAC may be given instead)
- Creating Custom Packets – build and send hand-crafted packets to probe a target behind an IDS/FW – Colasoft Packet Builder, NetScanTools Pro
- Randomizing Host Order – scan the hosts of a range in random order so sequential sweeps are less obvious – nmap --randomize-hosts <Target range>
- Sending Bad Checksums – send packets with bad/bogus TCP/UDP checksums; real hosts drop them, so any reply comes from a firewall or IDS that did not verify the checksum – nmap --badsum <Target IP>
- Proxy Servers – hide the actual source of the scan; proxy chaining:
  - the user requests a resource from the destination
  - the proxy client connects to a proxy server and passes the request to it
  - the proxy server strips the user's identifying information and passes the request to the next proxy server
  - this repeats until the last proxy forwards the request to the web server
- Proxy Tools – Proxy Switcher, CyberGhost VPN
- Anonymizers – strip identifying information from the user's traffic, make activity hard to trace, give access to restricted content and bypass IDS/firewall rules
  - Networked Anonymizers – pass traffic through a network of computers before it reaches the website
  - Single-Point Anonymizers – pass traffic through one anonymizing site before forwarding it to the destination website
- Anonymizer Tools – Whonix, Psiphon, TunnelBear, Invisible Internet Project (I2P), Orbot
- Censorship Circumvention Tools – Alkasir (identifies censored sites) and Tails (portable live OS)
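The packet-fragmentation evasion above, modelled as an added example (not from the notes or from nmap): a 20-byte TCP SYN header is cut into 8-byte fragments the way `nmap -f` does, which puts the flags byte (TCP offset 13) in the second fragment, so an inspector that only reads the first fragment never sees the SYN; the reassembler is the IDS side, and it rejects overlapping fragments because overlaps are an evasion trick of their own. Only fragment layout is modelled; nothing is sent, and the TCP checksum is left zero.

```python
"""Added example: IP fragmentation as `nmap -f` does it (8-byte fragments)
and the reassembly an IDS must perform before it can match on TCP flags.
Only the fragment layout is modelled; no packets are sent."""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int     # fragment offset in 8-byte units, as carried in the IP header
    more: bool      # MF flag: more fragments follow
    data: bytes


def tcp_syn_header(sport: int, dport: int, seq: int = 0, window: int = 1024) -> bytes:
    """Minimal 20-byte TCP header with only SYN set (checksum left 0; layout only)."""
    data_offset = 5 << 4           # 5 x 32-bit words, no options
    flags = 0x02                   # SYN
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)


def fragment(payload: bytes, size: int = 8) -> List[Fragment]:
    """Split an IP payload into fragments of `size` bytes (must be a multiple of 8,
    like nmap's -f = 8, -ff = 16, --mtu N)."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for start in range(0, len(payload), size):
        chunk = payload[start:start + size]
        frags.append(Fragment(start // 8, start + size < len(payload), chunk))
    return frags


def tcp_flags_first_fragment_only(frags: List[Fragment]) -> Optional[int]:
    """What a stateless inspector sees if it only reads the first fragment:
    the flags byte sits at TCP offset 13, so with 8-byte fragments it is absent."""
    for f in frags:
        if f.offset == 0:
            return f.data[13] if len(f.data) > 13 else None
    return None


def reassemble(frags: List[Fragment]) -> bytes:
    """Strict reassembly: fragments must tile the payload exactly. Overlaps and
    gaps are rejected; overlapping fragments are themselves an evasion trick,
    since different stacks keep different copies of the overlapped bytes."""
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    expected = 0
    for f in ordered:
        start = f.offset * 8
        if start < expected:
            raise ValueError("overlapping fragment at offset %d" % f.offset)
        if start > expected:
            raise ValueError("gap before offset %d" % f.offset)
        buf += f.data
        expected = start + len(f.data)
    if not ordered or ordered[-1].more:
        raise ValueError("last fragment missing")
    return bytes(buf)


def tcp_flags_after_reassembly(frags: List[Fragment]) -> int:
    """The flags byte an IDS sees once it has reassembled the datagram."""
    return reassemble(frags)[13]


if __name__ == "__main__":
    hdr = tcp_syn_header(40000, 80)                 # assumed source/destination ports
    frags = fragment(hdr)
    print("first fragment only:", tcp_flags_first_fragment_only(frags))
    print("after reassembly:", hex(tcp_flags_after_reassembly(frags)))
```

With `-ff` (16-byte fragments) the flags byte is back in the first fragment, which is why the 8-byte default is the one that matters for header-based rules.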
IP spoofing Detection Techniques
Direct TTL Probes
- Send a packet to the host whose address appears in the suspected spoofed packet, one that provokes a reply, and compare the reply's TTL with the suspected packet's TTL; if they differ, the suspected packet is spoofed (allow a hop or two of tolerance for asymmetric routes)
- Works when the attacker is on a different subnet from the spoofed host
IP Identification Number
- Send a probe to the host whose address appears in the suspected traffic and compare the IP ID of the reply with the suspected packet's; if the values are not close (the IP ID is a per-host counter), the traffic is spoofed
- Works even when the attacker is on the same subnet as the spoofed host; does not work against stacks that randomise the IP ID
TCP Flow Control Method
- An attacker sending spoofed TCP packets never receives the target's SYN/ACK, so cannot react when the target advertises a smaller congestion/receive window; if traffic keeps arriving after the advertised window is exhausted, the packets are most likely spoofed
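The three checks above run over constructed packet records, as an added example (not from the notes): the TTL comparison with a tolerance for route asymmetry, the IP ID comparison with 16-bit wrap-around handled, and the window-exhaustion test. The thresholds, the `Packet` record and the sample values are assumptions.

```python
"""Added example: IP spoofing detection checks over constructed packet
records (no live capture). Thresholds are assumptions."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int
    ip_id: int


def direct_ttl_check(suspect: Packet, probe_reply: Packet, tolerance: int = 2) -> bool:
    """Direct TTL probe: a reply from the real owner of `suspect.src` should arrive with
    (nearly) the same TTL. `tolerance` absorbs a hop or two of route asymmetry.
    Returns True if the suspect packet looks spoofed."""
    return abs(suspect.ttl - probe_reply.ttl) > tolerance


def ipid_distance(a: int, b: int) -> int:
    """Smallest distance between two 16-bit IP IDs, allowing for counter wrap-around."""
    forward = (b - a) & 0xFFFF
    return min(forward, 0x10000 - forward)


def ipid_check(suspect: Packet, probe_reply: Packet, max_gap: int = 1000) -> bool:
    """IP ID probe: on a stack with one global incrementing IP ID the reply's ID is close
    to the suspect's. Stacks that randomise or use per-destination IP IDs make this
    check return false 'spoofed' verdicts, so confirm the stack type first."""
    return ipid_distance(suspect.ip_id, probe_reply.ip_id) > max_gap


def flow_control_check(advertised_window: int, bytes_after_shrink: int) -> bool:
    """TCP flow control: a real sender stops at the window the target advertised.
    Data beyond it means the sender never saw the SYN/ACK or the window update,
    i.e. the packets are most likely spoofed."""
    return bytes_after_shrink > advertised_window


def assess(suspect: Packet, probe_reply: Packet,
           advertised_window: int = 0, bytes_after_shrink: int = 0) -> Dict[str, bool]:
    """Run all three checks; each True is independent evidence of spoofing."""
    return {
        "ttl_mismatch": direct_ttl_check(suspect, probe_reply),
        "ipid_far": ipid_check(suspect, probe_reply),
        "ignores_window": flow_control_check(advertised_window, bytes_after_shrink),
    }


if __name__ == "__main__":
    # constructed records: a suspect packet and the reply the real host gave to our probe
    suspect = Packet("203.0.113.10", ttl=52, ip_id=7)
    reply = Packet("203.0.113.10", ttl=118, ip_id=41000)
    print(assess(suspect, reply, advertised_window=512, bytes_after_shrink=4096))
```

None of the three checks is conclusive on its own: a TTL mismatch can come from a route change, and a large IP ID gap from a busy host, so treat agreement between checks as the signal.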
Countermeasure
- Encrypt all network traffic (IPsec, TLS), so a spoofed packet cannot inject meaningful data
- Use multiple firewalls (layered filtering)
- Do not rely on IP-address-based authentication
- Use random initial sequence numbers so TCP sessions cannot be hijacked blind
- Ingress Filtering – router/firewall drops incoming packets from the Internet whose source address belongs to the internal network or is otherwise unroutable (RFC 2827 / BCP 38)
- Egress Filtering – drop all outgoing packets whose source address is not a valid local address
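Ingress and egress filtering as a decision procedure, added here as an example (not from the notes): packets arriving on the external interface are dropped if their source claims an internal address or falls in a bogon range, and packets leaving are dropped unless their source is one of the site's own prefixes; the same policy is rendered as nftables rules. The site prefix 10.20.0.0/16, the interface names and the sample packets are assumptions, and the rendered rules are not applied or validated here.

```python
"""Added example: BCP 38 style ingress/egress source-address filtering,
evaluated over constructed packets, plus the equivalent nftables rules.
The internal prefix and interface names are assumptions."""
import ipaddress
from typing import Iterable, List, Tuple

IPNet = ipaddress.IPv4Network

INTERNAL_PREFIXES: List[IPNet] = [ipaddress.ip_network("10.20.0.0/16")]   # assumed site prefix
EXTERNAL_IF, INTERNAL_IF = "eth0", "eth1"                                 # assumed interfaces

# Addresses that must never appear as a source on the external interface.
BOGONS: List[IPNet] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(ip: ipaddress.IPv4Address, nets: Iterable[IPNet]) -> bool:
    return any(ip in n for n in nets)


def ingress_verdict(src: str) -> str:
    """Packet arriving from the Internet: drop if the source claims one of our own
    addresses (the classic spoof against IP-based trust) or is a bogon."""
    ip = ipaddress.ip_address(src)
    if _in_any(ip, INTERNAL_PREFIXES):
        return "drop: spoofed internal source"
    if _in_any(ip, BOGONS):
        return "drop: bogon source"
    return "accept"


def egress_verdict(src: str) -> str:
    """Packet leaving toward the Internet: only our own prefixes are valid sources,
    so this network cannot be used to launch spoofed scans or floods."""
    ip = ipaddress.ip_address(src)
    return "accept" if _in_any(ip, INTERNAL_PREFIXES) else "drop: invalid local source"


def filter_log(direction: str, packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the rule for `direction` ('ingress' or 'egress') to (src, dst) pairs."""
    judge = ingress_verdict if direction == "ingress" else egress_verdict
    return [(src, dst, judge(src)) for src, dst in packets]


def nft_rules() -> str:
    """Render the same policy as nftables rules for the assumed interfaces."""
    internal = ", ".join(str(n) for n in INTERNAL_PREFIXES)
    bogons = ", ".join(str(n) for n in BOGONS)
    return "\n".join([
        'iifname "%s" ip saddr { %s } drop' % (EXTERNAL_IF, internal),
        'iifname "%s" ip saddr { %s } drop' % (EXTERNAL_IF, bogons),
        'iifname "%s" ip saddr != { %s } drop' % (INTERNAL_IF, internal),
    ])


if __name__ == "__main__":
    # constructed sample traffic seen on the external interface
    sample = [("10.20.5.7", "10.20.0.1"), ("192.168.1.1", "10.20.0.1"), ("8.8.8.8", "10.20.0.1")]
    for src, dst, verdict in filter_log("ingress", sample):
        print(src, "->", dst, verdict)
    print(nft_rules())
```

Egress filtering protects other people's networks rather than your own, which is why it is the half that most often goes unconfigured.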
Scanning Detection and Prevention Tools
ExtraHop, Splunk, scanlogd, Vectra Cognito Detect, QRadar XDR, Cynet 360