CEH Module 3 – Scanning Networks

Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Its goals are:

  • To discover live hosts, IP address, and open ports of live hosts
  • To discover operating systems and system architecture
  • To discover services running on hosts
  • To discover vulnerabilities in live hosts

Types of Scanning

  • Port Scanning – lists open ports, the services listening on them and the OS.
  • Network Scanning – lists active hosts and their IP addresses.
  • Vulnerability Scanning – checks whether a system is exploitable by scanning it for known vulnerabilities.

TCP Communication Flags

TCP Communication

Scanning Tools

  • Nmap – active hosts, open ports, type of packet filter/firewall in use, OS and service versions
  • Hping3 – active hosts; packet-crafting tool
  • Metasploit – provides the infrastructure, content and tools to perform penetration tests and extensive security auditing
  • NetScanTools Pro – lists IPv4/IPv6 addresses, hostnames, domain names and URLs
  • Others: sx, Unicornscan, PRTG Network Monitor, OmniPeek Network Protocol Analyzer
  • Mobile: IP Scanner, Fing, Network Scanner
  • Ping Sweep – Angry IP Scanner – active hosts and open ports
    – Others: SolarWinds Engineer's Toolset, NetScanTools Pro, Colasoft Ping Tool, Visual Ping Tester, OpUtils

Network Host Discovery Techniques

  • ARP Ping – nmap -sn -PR <Target IP>
  • UDP Ping – nmap -sn -PU <Target IP>
  • ICMP Ping Scan
    – ICMP ECHO Ping – nmap -sn -PE <Target IP>
      – ICMP ECHO Sweep – nmap -sn -PE <IP range>
    – ICMP Timestamp Ping – nmap -sn -PP <Target IP>
    – ICMP Address Mask Ping – nmap -sn -PM <Target IP>
  • TCP Ping Scan
    – TCP SYN Ping – nmap -sn -PS <Target IP>
    – TCP ACK Ping – nmap -sn -PA <Target IP>
  • IP Protocol Ping – nmap -sn -PO <Target IP>

Port Discovery

Know the common ports

  • DNS Zone Transfer – TCP/UDP 53
  • MS RPC Endpoint Mapper – TCP/UDP 135
  • NetBIOS Name Service – UDP 137
  • NetBIOS Session Service – TCP 139
  • SMB over TCP – TCP 445
  • NFS – TCP 2049
  • LDAP – TCP/UDP 389
  • SNMP – UDP 161
  • SMTP – TCP 25
  • SNMP Trap – TCP/UDP 162
  • IKE (Internet Key Exchange) – UDP 500
  • SSH – TCP 22

Port Scanning Techniques

  • TCP Connect / Full Open Scan (SYN) – nmap -sT -v <Target IP>
  • Stealth Scan / TCP Half-Open (SYN) – nmap -sS -v <Target IP>
    – Inverse TCP Flag Scan – nmap -sF, -sN or -sX -v <Target IP>
      – Xmas Scan (FIN+URG+PSH) – nmap -sX -v <Target IP>
      – FIN Scan (FIN) – nmap -sF -v <Target IP>
      – NULL Scan (no flags) – nmap -sN -v <Target IP>
      – Maimon Scan (FIN/ACK) – nmap -sM -v <Target IP>
    – ACK Flag Probe Scan (ACK) – nmap -sA -v <Target IP>
      – TTL-based (ACK) – nmap -sA -v --ttl 100 <Target IP>
      – Window-based (ACK) – nmap -sW -v <Target IP>
    – IDLE/IPID Header Scan (SYN via a zombie host) – nmap -Pn -p- -sI <zombie host IP> <Target IP>
  • UDP Scan (UDP packet) – nmap -sU -v <Target IP>
  • SCTP INIT Scan (INIT) – nmap -sY -v <Target IP>
  • SCTP COOKIE ECHO Scan – nmap -sZ -v <Target IP>
  • SSDP Scan – Simple Service Discovery Protocol works with UPnP to detect plug-and-play devices; exposed devices can be subject to buffer overflow or DoS attacks – use Metasploit
  • List Scan (lists IPs/names without pinging, with reverse DNS) – nmap -sL -v <Target IP>
  • IPv6 Scan – nmap -6 <Target IP>
  • Service Version Discovery – nmap -sV <Target IP>

Countermeasures

  • Deploy a firewall/IDS to detect and block scanning probes
  • Run a port-scanning tool against your own network to verify that the firewall detects port-scanning activity
  • Ensure routing and filtering mechanisms cannot be bypassed
  • Keep routers, IDS and firewall software on the latest releases
  • Apply a custom rule set and block unwanted ports
  • Filter all ICMP messages at the firewall/router
  • Perform TCP and UDP scanning in addition to ICMP probes to check network configurations and the ports that are reachable
  • Configure anti-scanning and anti-spoofing rules
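From the defender's side, the scan types listed under Port Scanning Techniques and the countermeasures above reduce to one question: is a single source touching far more ports or hosts than normal traffic would, or using flag combinations (NULL, FIN, Xmas) that no legitimate handshake produces? The following Python is an added example, not part of the CEH material: a small detector that applies those checks over a constructed connection log. The log line format, the 60-second window and the thresholds of 10 ports / 10 hosts are assumptions.

```python
"""Port-scan detector over a constructed connection log (added example).

Assumptions (not from the course notes): each log line has the form
"<epoch> <proto> <src_ip> <dst_ip>:<dst_port> <tcp_flags>", where the flags
field uses S/A/F/P/U letters and "-" for no flags (a NULL probe).
"""
from collections import defaultdict
from dataclasses import dataclass

# Flag combinations of the inverse-flag scans (NULL, FIN, Xmas); a real TCP
# handshake never starts with these, so a single packet is already suspicious.
STEALTH_FLAGS = {"-", "F", "FPU"}


@dataclass
class Event:
    ts: int
    proto: str
    src: str
    dst: str
    port: int
    flags: str


def parse_line(line: str) -> Event:
    """Parse one log line in the assumed format into an Event."""
    ts, proto, src, dst_port, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Event(int(ts), proto, src, dst, int(port), flags)


def detect_scans(lines, window=60, port_threshold=10, host_threshold=10):
    """Return {src_ip: set of (kind, key) alerts}.

    kind is "vertical"   (many ports on one host; key = host),
            "horizontal" (one port on many hosts; key = port) or
            "stealth"    (NULL/FIN/Xmas flags; key = "host:port").
    Events are examined per source inside a sliding time window.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent = defaultdict(list)   # src -> events still inside the window
    alerts = defaultdict(set)
    for ev in events:
        q = recent[ev.src]
        q.append(ev)
        while ev.ts - q[0].ts > window:   # expire events older than the window
            q.pop(0)
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for e in q:
            ports_per_host[e.dst].add(e.port)
            hosts_per_port[e.port].add(e.dst)
        for host, ports in ports_per_host.items():
            if len(ports) >= port_threshold:
                alerts[ev.src].add(("vertical", host))
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= host_threshold:
                alerts[ev.src].add(("horizontal", port))
        if ev.proto == "tcp" and ev.flags in STEALTH_FLAGS:
            alerts[ev.src].add(("stealth", f"{ev.dst}:{ev.port}"))
    return dict(alerts)


def build_sample_log():
    """Constructed sample traffic (not captured data): one vertical scan,
    one horizontal sweep, one Xmas probe and two benign connections."""
    base = 1_700_000_000
    lines = [f"{base + i} tcp 10.0.0.5 192.168.1.10:{port} S"
             for i, port in enumerate(range(20, 35))]               # 15 ports in 15 s
    lines += [f"{base + 100 + i} tcp 10.0.0.9 192.168.1.{i}:445 S"
              for i in range(1, 13)]                                 # 12 hosts on 445
    lines.append(f"{base + 200} tcp 10.0.0.5 192.168.1.10:80 FPU")  # Xmas probe
    lines.append(f"{base + 300} tcp 10.0.0.7 192.168.1.10:443 S")   # benign
    lines.append(f"{base + 310} tcp 10.0.0.7 192.168.1.11:22 S")    # benign
    return lines


if __name__ == "__main__":
    for src, found in sorted(detect_scans(build_sample_log()).items()):
        for kind, key in sorted(found, key=str):
            print(f"{src}: {kind} scan -> {key}")
```

The vertical/horizontal counters are what tools such as scanlogd key on; the stealth check is independent of volume, because a NULL, FIN or Xmas packet outside an established connection has no benign explanation. Tune the window and thresholds to the network: a monitoring host that legitimately polls many ports would otherwise trip the vertical rule.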

OS Discovery (Banner Grabbing/OS Fingerprinting)

Active Banner Grabbing

  • Specially crafted packets are sent to the target, and the remote server responds according to its TCP/IP stack implementation
  • Differences between TCP/IP stack implementations are used to determine the OS

Passive Banner Grabbing

  • Banner grabbing from error messages
  • Sniffing the network traffic
  • Banner grabbing from page extensions (and from TTL and window size values)

nmap -O <Target IP>
nmap -sC <Target IP> or nmap --script smb-os-discovery <Target IP>

Countermeasures

  • Disable or change service banners
  • Hide file extensions from web pages

IDS/Firewall Evasion Techniques

  • Packet Fragmentation – splits the probe packet (including the TCP header) into several smaller IP fragments so that a filter inspecting single packets does not see the whole header – nmap -sS -T4 -f -v <Target IP>
  • Source Routing – specifies in the IP header the route the packet must take to the destination in order to evade the firewall/IDS
  • Source Port Manipulation – replaces the actual source port with a common port number that filters usually allow – nmap -g 80 <Target IP>
  • IP Address Decoy – generates (or manually specifies) decoy IP addresses so that it appears that the decoys as well as the real host are scanning the network – nmap -D RND:10 <Target IP>, nmap -D <decoy IPs> <Target IP>
  • IP Address Spoofing – changes the source IP address so that packets appear to come from someone else; when the victim replies, the reply goes to the spoofed address – hping3 xxx.com -a <spoofed address>
  • MAC Address Spoofing – uses the MAC address of a legitimate user on the network – nmap -sT -Pn --spoof-mac 0 <Target IP> (0 selects a random MAC)
  • Creating Custom Packets – creates and sends custom packets to scan a target behind IDS/FW – Colasoft Packet Builder, NetScanTools Pro
  • Randomizing Host Order – scans the hosts in the network in random order – nmap --randomize-hosts <Target IP>
  • Sending Bad Checksums – sends packets with bad/bogus TCP/UDP checksums – nmap --badsum <Target IP>
  • Proxy Servers – hide the actual source of the scan; proxy chaining:
    – the user requests a resource from the destination
    – the proxy client connects to a proxy server and passes the request to it
    – the proxy server strips the user information and passes the request to the next proxy server
    – this repeats until finally the unencrypted request is passed to the web server
    Proxy Tools – Proxy Switcher, CyberGhost VPN
  • Anonymizers – remove all identifying information from the user's computer, make activity untraceable, allow access to restricted content and bypass IDS/FW
    – Networked Anonymizers – transfer information through a network of computers before passing it to a website
    – Single-Point Anonymizers – transfer information through a single website before passing it on to the target website
    Anonymizer Tools – Whonix, Psiphon, TunnelBear, Invisible Internet Project (I2P), Orbot
  • Censorship Circumvention Tools – Alkasir (identifies censored links) and Tails (portable OS)

IP spoofing Detection Techniques

Direct TTL Probes
– Send a packet to the host whose address appears in the suspected spoofed packet, so that it triggers a reply, and compare the reply's TTL with that of the suspected packet. If the TTLs differ, the packet is spoofed.
– Works if the attacker is in a different subnet from the claimed host.

IP Identification Number
– Send a probe to the host whose address appears in the suspected spoofed traffic, so that it triggers a reply, and compare the IP ID values. If they are not close in value, the traffic is spoofed.
– Works even if the attacker is in the same subnet.

TCP Flow Control Method
– An attacker sending spoofed TCP packets never receives the target's SYN-ACK packets, so it cannot respond to a change to a smaller congestion window size. When received traffic continues after the window size is exhausted, the packets are most likely spoofed.
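The three heuristics above can be written as a few comparisons. The following Python is an added example and not part of the CEH notes: the `Packet` records are constructed values standing in for fields read from captured packets, and the tolerances (1 TTL hop, an IP ID gap of 50, the window sizes) are assumptions chosen for illustration.

```python
"""IP spoofing detection heuristics (added example, not from the CEH notes).

`Packet` records are constructed values standing in for fields read from
captured packets: the claimed source, the TTL seen on arrival and the IP ID.
"""
from dataclasses import dataclass

IPID_MODULUS = 1 << 16   # the IP identification field is 16 bits wide


@dataclass
class Packet:
    src: str
    ttl: int
    ipid: int


def ttl_probe_check(suspect: Packet, probe_reply: Packet, tolerance: int = 1) -> bool:
    """Direct TTL probe. probe_reply is the answer the claimed source gave to a
    packet we sent it; the genuine host's packets and that reply travel the same
    path, so their TTLs should (almost) match. True means 'likely spoofed'.
    Blind spot: an attacker in the same subnet as the claimed host has the same
    hop count and passes this check."""
    return abs(suspect.ttl - probe_reply.ttl) > tolerance


def ipid_check(suspect: Packet, probe_reply: Packet, max_gap: int = 50) -> bool:
    """IP ID probe. A host using a global incrementing IP ID counter answers our
    probe with an ID close to the one in its recent packets. The distance is
    computed modulo 2**16 so a counter wrap-around is not mistaken for a gap.
    True means 'likely spoofed'."""
    forward = (probe_reply.ipid - suspect.ipid) % IPID_MODULUS
    distance = min(forward, IPID_MODULUS - forward)
    return distance > max_gap


def flow_control_check(advertised_window: int, bytes_after_shrink: int) -> bool:
    """TCP flow-control method. After we advertise a small window, a real peer
    that sees our ACKs stops at that limit; a sender that never receives our
    replies keeps transmitting past it. True means 'likely spoofed'."""
    return bytes_after_shrink > advertised_window


def assess(suspect, probe_reply, advertised_window=None, bytes_after_shrink=None):
    """Combine the checks into one verdict dictionary."""
    verdict = {
        "ttl_mismatch": ttl_probe_check(suspect, probe_reply),
        "ipid_gap": ipid_check(suspect, probe_reply),
    }
    if advertised_window is not None and bytes_after_shrink is not None:
        verdict["window_violation"] = flow_control_check(advertised_window, bytes_after_shrink)
    verdict["likely_spoofed"] = any(verdict.values())
    return verdict


# Constructed scenario: the claimed source answered our probe with TTL 55 / IP ID 31010.
PROBE_REPLY = Packet("203.0.113.7", ttl=55, ipid=31010)
GENUINE = Packet("203.0.113.7", ttl=55, ipid=31000)   # consistent with the reply
FORGED = Packet("203.0.113.7", ttl=118, ipid=4120)    # different path and counter

if __name__ == "__main__":
    print("genuine:", assess(GENUINE, PROBE_REPLY))
    print("forged: ", assess(FORGED, PROBE_REPLY, advertised_window=0, bytes_after_shrink=1460))
```

Two caveats apply when using these in practice: the IP ID check only works against hosts that use a single incrementing counter, and the TTL check fails when the attacker shares the claimed host's subnet, which is why the notes pair both with ingress and egress filtering rather than relying on detection alone.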

Countermeasures

  • Encrypt all network traffic
  • Use multiple firewalls
  • Do not rely on IP-based authentication
  • Use random initial sequence numbers
  • Ingress Filtering – configure routers/firewalls to filter incoming packets that appear to come from an internal IP address
  • Egress Filtering – filter all outgoing packets with an invalid local IP address as the source
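Ingress and egress filtering are simple enough to express as two address-set checks. The following Python is an added example, not part of the CEH material or of any vendor's product: it assumes the organisation owns the public prefix 203.0.113.0/24 (a documentation range used as a constructed placeholder) and that its internet-facing interface is eth0, applies both filters to constructed packet records, and renders the same policy as iptables rules for a Linux border router.

```python
"""Ingress/egress source-address filtering (added example, not from the notes).

Assumptions: the organisation's own public prefix is 203.0.113.0/24 (a
documentation range used as a constructed placeholder) and the internet-facing
interface is eth0.
"""
import ipaddress

OUR_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that must never arrive from the internet: RFC 1918 space, loopback,
# link-local, multicast, the "this network" block and the reserved block.
NEVER_FROM_INTERNET = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def ingress_filter(src: str) -> str:
    """Decision for a packet arriving FROM the internet.

    Drop it if the source claims to be one of our own addresses (the classic
    spoof used to abuse IP-based trust) or any address that cannot legitimately
    originate outside the network."""
    a = ipaddress.ip_address(src)
    if _in_any(a, OUR_PUBLIC) or _in_any(a, NEVER_FROM_INTERNET):
        return "drop"
    return "accept"


def egress_filter(src: str) -> str:
    """Decision for a packet leaving TO the internet: only our own prefix may
    appear as the source, so an internal host cannot forge someone else's."""
    a = ipaddress.ip_address(src)
    return "accept" if _in_any(a, OUR_PUBLIC) else "drop"


def render_iptables(wan_if="eth0"):
    """Render the same policy as iptables FORWARD rules for a Linux border router."""
    rules = []
    for p in OUR_PUBLIC + NEVER_FROM_INTERNET:
        rules.append(f"iptables -A FORWARD -i {wan_if} -s {p} -j DROP")    # ingress
    for p in OUR_PUBLIC:
        rules.append(f"iptables -A FORWARD -o {wan_if} ! -s {p} -j DROP")  # egress
    return rules


def audit(packets):
    """Apply the filters to (direction, src) records; return the ones dropped."""
    dropped = []
    for direction, src in packets:
        verdict = ingress_filter(src) if direction == "in" else egress_filter(src)
        if verdict == "drop":
            dropped.append((direction, src))
    return dropped


SAMPLE = [  # constructed packet records, not captured traffic
    ("in", "198.51.100.20"),   # ordinary remote host: accept
    ("in", "203.0.113.50"),    # our own address arriving from outside: spoofed, drop
    ("in", "10.1.2.3"),        # private source from the internet: drop
    ("out", "203.0.113.50"),   # our host leaving: accept
    ("out", "198.51.100.20"),  # internal host forging a foreign source: drop
]

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print("drop", rec)
    print("\n".join(render_iptables()))
```

The egress rule is the one most often missing in practice; it does nothing to protect the local network directly, but it stops compromised internal hosts from sourcing spoofed packets at other networks and makes the local prefix's traffic trustworthy to peers that apply the same filtering.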

Scanning Detection and Prevention Tools

ExtraHop, Splunk, scanlogd, Vectra Cognito Detect, QRadar XDR, Cynet 360