
CERTIFIED ETHICAL HACKER MODULE 03 : Network Scanning
Network Scanning
- Network scanning refers to a set of procedures used for identifying hosts, ports and services in a network.
- Discovering systems on the network (can be hosts, switches, servers, routers, firewalls and so on) and looking at what ports are open as well as applications/services and their respective versions that may be running.
Network Scanning Types
- Network scanning: lists active hosts and their IP addresses (operating systems, IoT devices, etc.).
- Port scanning: lists open ports and the services behind them.
- Vulnerability scanning: searches the discovered services for known vulnerabilities.
Scanning Methodology
- Check for live systems – Ping or other type of way to determine live hosts
- Check for open ports – Once you know live host IPs, scan them for listening ports
- Scan beyond IDS – If needed, use methods to scan beyond the detection systems; evade IDS using proxies, spoofing, fragmented packets and so on
- Perform banner grabbing – Grab from servers as well as perform OS fingerprinting (versions of the running services)
- Scan for vulnerabilities – Use tools to look at the vulnerabilities of open systems
- Draw network diagrams – Shows logical and physical pathways into networks
- Use proxies – Obscures efforts to keep you hidden
- Pentest Report – Document everything that you find
Identifying Targets
- The easiest way to scan for live systems is through ICMP.
- It has its shortcomings and is sometimes blocked on hosts that are actually live.
- Message Types and Returns
- The payload of an ICMP message can be anything; the RFC never specified what it should contain, which allows for covert channels.
- Ping sweep – the easiest method to identify multiple hosts on a subnet. You can automate a ping sweep with a scripting language such as Bash (Linux) or PowerShell (Windows), or use tools such as Advanced IP Scanner, Angry IP Scanner, Nmap, etc.
- ICMP Echo scanning – sending an ICMP Echo Request to the network IP address
- An ICMP return of type 3 with a code of 13 indicates a poorly configured firewall
- Ping scanning tools
  - Nmap: `nmap -sn 192.168.1.0/24`
    This command uses the `-sn` flag (ping scan). It performs a ping sweep of the 256 IP addresses on this subnet in seconds, showing which hosts are up.
  - hping3: `hping3 -1 10.0.0.x --rand-dest -I eth0`
    `-1` –> ICMP mode
    `--rand-dest` –> random destination address mode (the `x` in the address is replaced with random values)
    `-I <interface>` –> network interface name
  - Angry IP Scanner
  - Solar-Winds Engineer Toolkit
  - Advanced IP Scanner
  - Pinkie
- Nmap virtually always does a ping sweep with scans unless you turn it off
- Important ICMP codes
ICMP Message Type | Description and Codes |
---|---|
0: Echo Reply | Answer to a Type 8 Echo Request |
3: Destination Unreachable | Error message followed by one of these codes: 0 – Destination network unreachable; 1 – Destination host unreachable; 6 – Network unknown; 7 – Host unknown; 9 – Network administratively prohibited; 10 – Host administratively prohibited; 13 – Communication administratively prohibited |
4: Source Quench | A congestion control message |
5: Redirect | Sent when there are two or more gateways available for the sender to use. Followed by these codes: 0 – Redirect datagram for the network 1 – Redirect datagram for the host |
8: Echo Request | A ping message, requesting an echo reply |
11: Time Exceeded | Packet took too long to be routed (code 0 is TTL expired) |
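To make the type/code table usable on real bytes, here is an added example (not part of these notes) that builds and decodes ICMP messages, verifies the RFC 1071 checksum, and recovers the original destination from the quoted IP header of a type 3 reply. The sample packets and addresses are constructed.

```python
import struct

# Type names and Destination Unreachable codes from the table above.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "network unreachable", 1: "host unreachable",
                     6: "network unknown", 7: "host unknown",
                     9: "network administratively prohibited",
                     10: "host administratively prohibited",
                     13: "communication administratively prohibited"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message (rest-of-header zeroed) with a valid checksum."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def decode_icmp(msg: bytes) -> dict:
    """Verify the checksum, name the type/code and, for type 3, recover the
    original destination from the quoted IP header that follows the 8-byte header."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code = msg[0], msg[1]
    result = {
        "type": icmp_type, "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "other"),
        # summing a valid message including its checksum field folds to 0
        "checksum_ok": icmp_checksum(msg) == 0,
        # type 3 / code 13 is the "poorly configured firewall" signal noted above
        "firewall_hint": icmp_type == 3 and code == 13,
    }
    if icmp_type == 3:
        result["code_name"] = UNREACHABLE_CODES.get(code, "other")
        quoted = msg[8:]  # original IP header + first 8 bytes of its payload
        if len(quoted) >= 20:
            result["original_dst"] = ".".join(str(b) for b in quoted[16:20])
    return result


# Constructed sample: the IPv4 header (20 bytes) of an echo request that 10.0.0.5
# sent to 10.0.0.30, as quoted by a type 3 / code 13 reply from a filtering device.
QUOTED_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                            bytes([10, 0, 0, 5]), bytes([10, 0, 0, 30]))
SAMPLE_PROHIBITED = build_icmp(3, 13, QUOTED_HEADER + build_icmp(8, 0))
SAMPLE_ECHO_REPLY = build_icmp(0, 0, b"ping")

if __name__ == "__main__":
    for name, pkt in [("prohibited", SAMPLE_PROHIBITED), ("echo reply", SAMPLE_ECHO_REPLY)]:
        print(name, decode_icmp(pkt))
```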
Port Discovery
- Connectionless Communication – UDP packets are sent without creating a connection. Examples are TFTP, DNS (lookups only) and DHCP.
- Connection-Oriented Communication – TCP packets require a connection due to the size of the data being transmitted and to ensure.
TCP Flags
Flag | Name | Function |
---|---|---|
SYN | Synchronize | Set during initial communication; negotiates parameters and sequence numbers |
ACK | Acknowledgment | Set as an acknowledgement to the SYN flag; always set after the initial SYN |
RST | Reset | Forces the termination of a connection (in both directions) |
FIN | Finish | Closes the communication |
PSH | Push | Forces the delivery of data without concern for buffering |
URG | Urgent | Data inside is being sent immediately (out of band). Example is cancelling a message |
- Difference between `PSH` and `URG`:
  - PSH:
    - All data in the buffer is pushed to the receiver.
    - Data is delivered in sequence.
  - URG:
    - Data inside a segment with the URG flag is pushed to the application layer immediately, even if more data is waiting to be handed to the application layer.
    - Data is delivered out of sequence.
TCP Handshake

TCP connection establishment process:
- Host A sends a SYN (synchronize) packet with a proposed initial sequence number to Host B.
- When Host B receives the SYN, it returns a packet with both the SYN and ACK flags (SYN-ACK) set in the TCP header.
- When Host A receives the SYN-ACK, it sends back an ACK (acknowledgment) packet.
- Host B receives the ACK and at this stage the connection is ESTABLISHED.
TCP connection termination:
- Host A sends a FIN (finish) flag, indicating that it has finished sending data.
- Host B, on receiving the FIN, does not terminate the connection but enters a “passive close” (CLOSE_WAIT) state and sends an ACK for the FIN back to Host A.
- Host A enters a TIME_WAIT state and sends an ACK back to Host B.
- Host B gets the ACK from Host A and closes the connection.
Sequence numbers increase on new communication. For example, with computers A and B, A would increment B’s sequence number; A would never increment its own sequence number.
Port Numbers
- Internet Assigned Numbers Authority (IANA) – maintains Service Name and Transport Protocol Port Number Registry which lists all port number reservations
- Ranges
- Well-known ports – 0 – 1023
- Registered ports – 1024 – 49,151
- Dynamic ports – 49,152 – 65,535
Port Number | Protocol | Transport Protocol |
---|---|---|
20/21 | FTP | TCP |
22 | SSH | TCP |
23 | Telnet | TCP |
25 | SMTP | TCP |
53 | DNS | TCP/UDP |
67 | DHCP | UDP |
69 | TFTP | UDP |
80 | HTTP | TCP |
110 | POP3 | TCP |
135 | RPC | TCP |
137-139 | NetBIOS | TCP/UDP |
143 | IMAP | TCP |
161/162 | SNMP | UDP |
389 | LDAP | TCP/UDP |
443 | HTTPS | TCP |
445 | SMB | TCP |
514 | SYSLOG | UDP |
NMAP
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
NMAP Scan Types
Full TCP Connect Scan
Tries to establish a full TCP connection with the target [SYN/SYN-ACK/ACK].

nmap -sT <target>
Stealth TCP Scanning Methods
Half-Open Scan/SYN Scan
- Half-open scan or SYN scan – only SYN packets are sent; the handshake is never completed.
- It is fast.
- Useful for hiding efforts and evading firewalls.

nmap -sS <target>
XMAS Scan/Inverse TCP Flag Scan
Sends TCP packets with the FIN, URG and PSH flags set.

nmap -sX <target>
FIN Scan
Sends a packet with only the FIN flag set.
- If the port is closed, the target replies with a packet with the RST flag set.
- If a service is running (the port is open), the target drops the probe and sends no response.

nmap -sF <target>
No response from the target port leaves it ambiguous whether the port is open or the probe was blocked by a firewall, so this scan is not very effective on its own.
NULL Scan
Sends a packet with no flags set.
- No response means the port is open or filtered by a firewall.
- A response with the RST flag set means the port is closed.

nmap -sN <target>
The key advantage to these scan types (NULL, FIN or Xmas scan) is that they can sneak through certain non-stateful firewalls and packet filtering routers.
ACK Scan/Firewall Detection Scan
This scan is used to map firewall rules, determine the type of firewall and identify filtered ports. Note that it does not report ports as open or closed; it only tells whether a port is filtered or unfiltered.
It sends packets with the ACK flag set. If an RST comes back, the port is unfiltered (it may be open or closed). Ports that do not respond, or that return an ICMP error, are marked as filtered. This makes the scan useful for detecting the presence of a firewall.

nmap -sA <target>
TCP Maimon Scan
Attackers send FIN/ACK probes; if there is no response, the port is open|filtered, but if an RST packet comes back, the port is closed.

nmap -sM <target>
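The flag combinations above are also exactly what a defender looks for. This added example (not from the notes and not Nmap code) classifies TCP probes by their flag set and reports sources that send inverse-flag probes or sweep many ports; the log format and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed firewall-style log lines (not real traffic). flags= uses
# tcpdump letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST, "-" = no flags.
SAMPLE_LOG = """\
src=10.0.0.5 dst=10.0.0.30 dport=22 flags=S
src=10.0.0.5 dst=10.0.0.30 dport=80 flags=S
src=10.0.0.7 dst=10.0.0.30 dport=22 flags=FPU
src=10.0.0.7 dst=10.0.0.30 dport=23 flags=-
src=10.0.0.7 dst=10.0.0.30 dport=25 flags=F
src=10.0.0.7 dst=10.0.0.30 dport=53 flags=FA
src=10.0.0.9 dst=10.0.0.30 dport=443 flags=A
src=10.0.0.9 dst=10.0.0.30 dport=443 flags=SA
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)")

# Flag set -> probe type, following the scan sections above.
PROBE_TYPES = {
    frozenset(): "NULL",
    frozenset("F"): "FIN",
    frozenset("FPU"): "XMAS",
    frozenset("FA"): "Maimon",
    frozenset("S"): "SYN",
    frozenset("A"): "ACK",
}
# These flag sets never start a legitimate connection, so even one is worth an alert.
INVERSE_SCANS = {"NULL", "FIN", "XMAS", "Maimon"}


def classify(flags: str) -> str:
    """Map a tcpdump-style flag string to a probe type ('other' for normal traffic)."""
    flagset = frozenset(flags.replace("-", ""))
    return PROBE_TYPES.get(flagset, "other")


def detect_scans(log: str, port_threshold: int = 3) -> dict:
    """Return {src: {"types": [...], "ports": n, "alert": reason or None}} per source."""
    per_src = defaultdict(lambda: {"types": set(), "ports": set()})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        kind = classify(m["flags"])
        if kind == "other":
            continue  # SYN/ACK, RST, data segments: not probes
        entry = per_src[m["src"]]
        entry["types"].add(kind)
        entry["ports"].add(int(m["dport"]))
    report = {}
    for src, entry in per_src.items():
        alert = None
        inverse = entry["types"] & INVERSE_SCANS
        if inverse:
            alert = "inverse-flag probe (" + ",".join(sorted(inverse)) + ")"
        elif len(entry["ports"]) >= port_threshold:
            alert = "port sweep (%d ports)" % len(entry["ports"])
        report[src] = {"types": sorted(entry["types"]), "ports": len(entry["ports"]), "alert": alert}
    return report


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(src, info)
```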
IDLE Scan
An idle scan is a good option when you want to stay anonymous while scanning. It involves sending forged packets to the target host that appear to come from another host: the scan uses that host’s IP address as the source address instead of the attacker’s own. The idle host involved is called the zombie, and hence this scan is sometimes referred to as a zombie scan.
Let us look at the diagram below to understand how this works.

- The attacker sends the TCP SYN packet to the Zombie, which is up and idle.
- The Zombie responds with SYN/ACK packet with IPID 10.
- The attacker sends the spoofed SYN packet to the victim at 10.10.10.30, with the source IP of the Zombie (10.10.10.20).
- In the case of open port, the victim responds with SYN/ACK to the Zombie because source IP in step 3 was set to Zombie.
- Zombie on receiving the SYN/ACK packet from the victim sends the RST packet back to the victim with IPID 11.
- After some time, the attacker again sends the SYN packet to the Zombie host, but Zombie host was waiting for the ACK packet from the attacker as Zombie had already sent a SYN/ACK packet in step number 2.
- The Zombie host responds with RST packet to the attacker with IPID set to 12.
- The attacker on receiving the RST packet with IPID set to 12 knows that the remote port on the victim machine is open (Notice the increment in IPID from 10 to 12).
- In the case of the closed port on the victim machine, the victim responds with RST packet to the Zombie.
- Zombie won’t reply back to RST packet (IPID remains 10).
- After some time, the attacker again sends the SYN packet to the Zombie host, but Zombie host was waiting for the ACK packet from the attacker as Zombie had already sent a SYN/ACK packet in step number 2.
- The Zombie host responds with RST packet to the attacker with IPID set to 11.
- The attacker on receiving the RST packet with IPID set to 11 knows that the remote port on the victim machine is closed (Notice the increment in IPID from 10 to 11).
Scan example :
nmap -sI <zombie_host> <target_IP>
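The IPID walk-through above can be modelled directly. This added example (not from the notes) simulates a zombie with a single global, incrementing IP ID and shows why +2 means open while +1 cannot separate closed from filtered, which is also why randomized or per-connection IP ID generation on a host defeats the technique. Hosts, ports and addresses are constructed.

```python
class Zombie:
    """Host with one global, incrementing IP ID counter (the property idle scan needs).
    Starts at 9 so the first reply carries IPID 10, as in the walk-through."""

    def __init__(self, ipid: int = 9):
        self.ipid = ipid

    def send(self) -> int:
        self.ipid += 1  # every packet the zombie emits bumps the counter
        return self.ipid

    def on_syn(self) -> int:  # unsolicited SYN from the prober -> SYN/ACK or RST: one packet
        return self.send()

    def on_syn_ack(self) -> int:  # unexpected SYN/ACK from the victim -> RST: one packet
        return self.send()

    def on_rst(self) -> None:  # an RST is silently dropped: no packet, no increment
        return None


class Victim:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def on_spoofed_syn(self, zombie: Zombie, port: int) -> str:
        """React to a SYN that carries the zombie's address as source."""
        if port in self.filtered_ports:
            return "dropped"        # firewall drops it: nothing reaches the zombie
        if port in self.open_ports:
            zombie.on_syn_ack()     # SYN/ACK to the zombie -> zombie answers RST (+1)
            return "syn-ack"
        zombie.on_rst()             # RST to the zombie -> ignored (+0)
        return "rst"


def idle_probe(zombie: Zombie, victim: Victim, port: int) -> dict:
    """One idle-scan probe: sample IPID, spoofed SYN, sample again, infer the port state."""
    before = zombie.on_syn()                # steps 1-2: probe the zombie, read its IPID
    victim.on_spoofed_syn(zombie, port)     # steps 3-5: victim's reply (if any) hits the zombie
    after = zombie.on_syn()                 # steps 6-7: probe the zombie again
    delta = after - before
    # +2 means the victim made the zombie send a packet; +1 is closed OR filtered
    state = "open" if delta == 2 else "closed|filtered"
    return {"before": before, "after": after, "delta": delta, "state": state}


if __name__ == "__main__":
    z, v = Zombie(), Victim(open_ports={80}, filtered_ports={25})
    for port in (80, 23, 25):
        print(port, idle_probe(z, v, port))
```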
FTP Bounce Scan
The FTP protocol allows a user to connect to an FTP server and then ask that files be sent to a third-party server. This feature can be abused to scan the open ports of a target system: Nmap simply asks the FTP server to send a file to each interesting port of the target host in turn, and the resulting error message reveals whether the port is open or not. This is a good way to bypass firewalls, because organizational FTP servers are often placed where they have more access to other internal hosts than an arbitrary Internet host would.

The advantage of this scan is anonymity: bouncing through the FTP server hides the attacker’s source address. The disadvantages are that it is slow and that many FTP servers have disabled the proxy feature.
Fragmented Scan
In a fragmented scan the attacker sends the probe packet in small IP fragments. The idea is to split the TCP header over several packets to make it harder for firewalls to detect. The advantage of this scan is the ability to bypass packet filters; the disadvantage is that it is slow. We will look at it in greater detail in module 12.
UDP Scan
Most popular services run over TCP, but there are many common services that also use UDP: DNS (53), SMTP (25), DHCP (67), NTP (123), NetBIOS-ssn (137), etc.

nmap -sU <target>
You can also specify which UDP ports to scan:
nmap -sU -p U:53,123 <target>
You can also run both TCP and UDP scans with a port specification (one comma-separated list, no spaces):
nmap -sU -sS -p U:53,123,T:80,443 <target>
ICMP Scan
Ping scans are used to determine whether a host is online and responding:
nmap -sP <target>
or
nmap -sn <target>
Both disable port scanning and do host discovery only. You can also add `-PE` (ICMP echo ping) to either of the above commands.
Spoofing
- Decoy: `nmap -Pn -D <spoofed IP> <target>` – this will perform a spoofed ping scan.
- Source Address Spoofing: `nmap -e <network interface> -S <IP source> <target>`
  - Example –> `nmap -e eth0 -S 10.0.0.140 10.0.0.165`
- MAC Address Spoofing: `nmap --spoof-mac <MAC|Vendor> <target>`
  - Example –> `nmap --spoof-mac Cis 10.0.0.140`
Decoys send spoofed IP addresses along with your own IP address.
Firewall Evasion
- Multiple Decoy IP addresses:
  - This command scans using multiple decoy IP addresses. Nmap sends packets from several random IP addresses along with your own (attacker) IP address.
  `nmap -D RND:<number> <target>`
  - Example –> `nmap -D RND:10 192.168.62.4`
- IP Fragmentation:
  - Sends the scan probes as tiny fragmented packets.
  `nmap -f <target>`
- Maximum Transmission Unit:
  - This command splits each probe into smaller fragments instead of sending one complete packet at a time.
  `nmap --mtu 8 <target>`
  - `--mtu 8` sets the fragment size to 8 bytes (the value must be a multiple of 8).
Timing & Performance
- Paranoid (0) – Intrusion Detection System evasion: `nmap <target> -T0`
- Sneaky (1) – Intrusion Detection System evasion: `nmap <target> -T1`
- Polite (2) – slows down the scan to use less bandwidth and fewer target machine resources: `nmap <target> -T2`
- Normal (3) – the default speed: `nmap <target> -T3`
- Aggressive (4) – speeds up scans; assumes you are on a reasonably fast and reliable network: `nmap <target> -T4`
- Insane (5) – speeds up scans further; assumes you are on an extraordinarily fast network: `nmap <target> -T5`
List of Switches
Switch | Description |
---|---|
-sA | ACK scan |
-sF | FIN scan |
-sI | IDLE scan |
-sL | DNS scan (list scan) |
-sN | NULL scan |
-sO | Protocol scan (tests which IP protocols respond) |
-sP or -sn | Ping scan |
-sR | RPC scan |
-sS | SYN scan |
-sT | TCP connect scan |
-sW | Window scan |
-sX | XMAS scan |
-A | OS detection, version detection, script scanning and traceroute |
-sV | Determine only service/version info |
-PI | ICMP ping |
-Pn | No ping |
-P0 | No ping (older spelling of -Pn) |
-PS | SYN ping |
-PT | TCP ping |
-oN | Normal output |
-oX | XML output |
-n | Never do DNS resolution (the opposite, always resolve, is -R) |
-f / --mtu | Fragment packets (optionally with a given MTU) |
-D | Decoy IP addresses: cloak a scan with decoys |
-T0 through -T2 | Serial scans. T0 is slowest |
-T3 through -T5 | Parallel scans. T3 is slowest |
-F | Fast mode – Scan fewer ports than the default scan |
-p | Port scan for port x `nmap -p21,80 <target>` |
--top-ports | Scan the most common ports `nmap --top-ports 1000` |
-p- | Scan all ports |
-p-65535 | Scan ports till 65535 |
Notes:
- Nmap runs by default at a T3 level (3 – Normal).
- Nmap runs TCP scans by default.
- Nmap pings the target before the port scan by default, but if the target is behind a firewall the scan may be blocked. To avoid this, use `-Pn` to disable the ping.
- If you are on the LAN and need to disable ARP ping, use `--disable-arp-ping`.
- You can read the list of hosts/networks to scan from an external file: `-iL hosts-example.txt`
- Fingerprinting – another word for port sweeping and enumeration
NSE Script
NSE stands for Nmap Scripting Engine, and it’s basically a digital library of Nmap scripts that helps to enhance the default Nmap features and report the results in a traditional Nmap output.
One of the best things about NSE is its ability to let users write and share their own scripts, so you’re not limited to relying on the Nmap default NSE scripts.
Switch | Example | Description |
---|---|---|
-sC | nmap 192.168.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe |
--script default | nmap 192.168.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe |
--script | nmap 192.168.1.1 --script=banner | Scan with a single script. Example: banner |
--script | nmap 192.168.1.1 --script=http,banner | Scan with two scripts. Example: http and banner |
--script | nmap 192.168.1.1 --script "not intrusive" | Scan with the default scripts but remove the intrusive ones |
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments |
Some useful examples of NSE scripts:
- http site map generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
- Fast search for random web servers
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
- Brute-forces DNS hostnames to guess subdomains
nmap -Pn --script=dns-brute domain.com
- Safe SMB scripts to run
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1
- Whois query
nmap --script whois* domain.com
- Detect cross-site scripting vulnerabilities
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
- Check for SQL injections
nmap -p80 --script http-sql-injection scanme.nmap.org
Source : https://www.stationx.net/nmap-cheat-sheet/
hping
Hping3 is a scriptable program that uses the Tcl language, whereby packets can be received and sent via a binary or string representation describing the packets.
- Another powerful ping sweep and port scanning tool
- Also can craft UDP/TCP packets
- You can make a TCP flood
- Example: `hping3 -1 <IP address>`
Switch | Description |
---|---|
-1 | Sets ICMP mode |
-2 | Sets UDP mode |
-8 | Sets scan mode. Expects port range without -p flag |
-9 | Listen mode. Expects signature (e.g. HTTP) and interface (-I eth0) |
--flood | Sends packets as fast as possible without showing incoming replies |
-Q | Collects sequence numbers generated by the host |
-p | Sets port number |
-F | Sets the FIN flag |
-S | Sets the SYN flag |
-R | Sets the RST flag |
-P | Sets the PSH flag |
-A | Sets the ACK flag |
-U | Sets the URG flag |
-X | Sets the XMAS scan flags |
Evasion Concepts
- To evade IDS, sometimes you need to change the way you scan
- One method is to fragment packets (nmap -f switch)
- OS Fingerprinting
- Active – sending crafted packets to the target
- Passive – sniffing network traffic for things such as TTL windows, DF flags and ToS fields
- Spoofing – can only be used when you don’t expect a response back to your machine
- Source routing – specifies the path a packet should take on the network; most systems don’t allow this anymore
- IP Address Decoy – sends packets from your IP as well as multiple other decoys to confuse the IDS/Firewall as to where the attack is really coming from.
nmap -D RND:10 x.x.x.x
nmap -D decoyIP1,decoyIP2....,sourceIP,.... [target]
- Proxy – hides true identity by filtering through another computer. Also can be used for other purposes such as content blocking evasion, etc.
- Proxy chains – chaining multiple proxies together
- Proxy Switcher
- Proxy Workbench
- ProxyChains
- Tor – a specific type of proxy that uses multiple hops to a destination; endpoints are peer computers
- Anonymizers – hides identity on HTTP traffic (port 80)
Banner grabbing can be used to get information about OS or specific server info (such as web server, mail server, etc.)
- Active – sending specially crafted packets and comparing responses to determine OS
- Passive – reading error messages, sniffing traffic or looking at page extensions
- An easy way to banner grab is to connect via telnet to the port (e.g. 80 for a web server)
- Netcat tool
  - “Swiss army knife” of TCP/IP hacking
  - Provides all sorts of control over a remote shell on a target
  - Connects via `nc -e <IP address> <Port>`
  - From the attack machine, `nc -l -p 5555` opens a listening port on 5555
  - Can connect over TCP or UDP, from any port
  - Offers DNS forwarding, port mapping and forwarding, and proxying
  - Netcat can be used to banner grab: `nc <IP address or FQDN> <port number>`
- Example of banner grabbing with netcat – extracting the HTTP response header:
  - Run the `nc` command with the target IP address and port 80.
  - Issue `GET / HTTP/1.0` (this GET request is sent to the web server).
  - The server responded with some interesting information:
nc 192.168.63.143 80
GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Sun, 12 Aug 2018 13:36:59 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Connection: close
Content-Type: text/html
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>
_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
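The response above is what a version-disclosure check looks at. This added example (not from the notes) parses the HTTP response, lists every product/version token in the disclosing headers and the HTML title, and shows the hardened header set; the sample is the response shown above, and the header names beyond Server and X-Powered-By are assumptions.

```python
import re

# Sample taken from the banner-grab output above (truncated after the <title>).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 12 Aug 2018 13:36:59 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    "Content-Length: 891\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Metasploitable2 - Linux</title></head><body>"
)

# Headers that commonly leak server-side software identity (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Product/version token such as Apache/2.2.8, DAV/2 or PHP/5.2.4-2ubuntu5.10
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)*[\w.-]*")


def parse_response(raw: str) -> tuple:
    """Split an HTTP response into (status line, headers dict, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def version_disclosures(raw: str) -> list:
    """List every product/version token found in disclosing headers, plus the HTML title."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        for token in VERSION_RE.findall(headers.get(name, "")):
            product, version = token.split("/", 1)
            findings.append({"header": name, "product": product, "version": version})
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    if title:  # a title naming the box or product is a disclosure too
        findings.append({"header": "title", "product": title.group(1).strip(), "version": None})
    return findings


def hardened_headers(headers: dict) -> dict:
    """Same headers with version tokens removed: product name only for Server
    (what Apache's ServerTokens Prod emits) and no X-Powered-By at all."""
    clean = dict(headers)
    if "server" in clean:
        clean["server"] = clean["server"].split("/")[0].strip()
    clean.pop("x-powered-by", None)
    return clean


if __name__ == "__main__":
    for f in version_disclosures(SAMPLE_RESPONSE):
        print(f)
    print(hardened_headers(parse_response(SAMPLE_RESPONSE)[1]))
```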
Countermeasures
- Configure firewall and IDS rules to detect and block probes
- Run port-scanning rules against hosts on the network to determine whether the firewall properly detects port-scanning activity.
- Ensure that router, IDS and firewall firmware are updated to their latest releases.
- Filter all ICMP messages at the firewalls and router.
- Configure Honeypot to misdirect the Attacker.