CERTIFIED ETHICAL HACKER MODULE 03 : Network Scanning

Network Scanning

  • Network scanning refers to a set of procedures used for identifying hosts, ports and services in a network.
  • It involves discovering systems on the network (hosts, switches, servers, routers, firewalls and so on) and determining which ports are open and which applications/services, and which versions of them, may be running.

Network Scanning Types

  • Network Scanning : Lists active hosts and IP addresses, with details like OS, IoT devices, etc.
  • Port Scanning : Lists open ports and services.
  • Vulnerability Scanning : Searches for known vulnerabilities on scanned services.

Scanning Methodology

  • Check for live systems – Ping or other type of way to determine live hosts
  • Check for open ports – Once you know live host IPs, scan them for listening ports
  • Scan beyond IDS – If needed, use methods to scan beyond the detection systems; evade IDS using proxies, spoofing, fragmented packets and so on
  • Perform banner grabbing – Grab from servers as well as perform OS fingerprinting (versions of the running services)
  • Scan for vulnerabilities – Use tools to look at the vulnerabilities of open systems
  • Draw network diagrams – Shows logical and physical pathways into networks
  • Use proxies – Obscures your efforts and keeps you hidden
  • Pentest Report – Document everything that you find

Identifying Targets

  • The easiest way to scan for live systems is through ICMP.
  • It has its shortcomings and is sometimes blocked on hosts that are actually live.
  • Message Types and Returns
  • Payload of an ICMP message can be anything; the RFC never set what it was supposed to be, which allows for covert channels
  • Ping sweep – easiest method to identify multiple hosts on a subnet. You can automate a ping sweep with a scripting language like Bash (Linux) or PowerShell (Windows), or use software like Advanced IP Scanner, Angry IP Scanner, Nmap, etc.
  • ICMP Echo scanning – sending an ICMP Echo Request to the network IP address
  • An ICMP return of type 3 with a code of 13 indicates a poorly configured firewall
  • Ping scanning tools
    • Nmap
      • nmap -sn 192.168.1.0/24
      • This command uses the -sn flag (ping scan). It performs a ping sweep of the 256 IP addresses on this subnet in seconds, showing which hosts are up.
    • hping3
      • hping3 -1 10.0.0.x --rand-dest -I eth0
      • -1 –> ICMP mode
      • --rand-dest –> random destination address mode
      • -I <interface> –> network interface name
    • Angry IP Scanner
    • Solar-Winds Engineer Toolkit
    • Advanced IP Scanner
    • Pinkie
  • Nmap virtually always does a ping sweep with scans unless you turn it off
  • Important ICMP codes
| ICMP Message Type | Description and Codes |
|---|---|
| 0: Echo Reply | Answer to a Type 8 Echo Request |
| 3: Destination Unreachable | Error message followed by these codes: 0 – Destination network unreachable; 1 – Destination host unreachable; 6 – Network unknown; 7 – Host unknown; 9 – Network administratively prohibited; 10 – Host administratively prohibited; 13 – Communication administratively prohibited |
| 4: Source Quench | A congestion control message |
| 5: Redirect | Sent when there are two or more gateways available for the sender to use. Followed by these codes: 0 – Redirect datagram for the network; 1 – Redirect datagram for the host |
| 8: Echo Request | A ping message, requesting an echo reply |
| 11: Time Exceeded | Packet took too long to be routed (code 0 is TTL expired) |

Port Discovery

  • Connectionless Communication – UDP packets are sent without creating a connection. Examples are TFTP, DNS (lookups only) and DHCP.
  • Connection-Oriented Communication – TCP packets require a connection due to the size of the data being transmitted and to ensure.

TCP Flags

| Flag | Name | Function |
|---|---|---|
| SYN | Synchronize | Set during initial communication. Negotiating of parameters and sequence numbers |
| ACK | Acknowledgment | Set as an acknowledgement to the SYN flag. Always set after initial SYN |
| RST | Reset | Forces the termination of a connection (in both directions) |
| FIN | Finish | Close to communications |
| PSH | Push | Forces the delivery of data without concern for buffering |
| URG | Urgent | Data inside is being sent immediately (out of band). Example is cancelling a message |

  • Difference between PSH and URG :

PSH :

  • All data in the buffer is pushed to the receiver.
  • Data is delivered in sequence.

URG :

  • Data inside a segment with the URG flag is pushed to the application layer immediately, even if there is more data still to be given to the application layer.
  • Data is delivered out of sequence.

TCP HandShake

TCP Connection establishment process :

  1. Host A sends out a SYN (synchronize) packet with proposed initial sequence number to Host B.
  2. Host B receives SYN message, it returns a packet with both SYN and ACK flags (SYN-ACK) set in the TCP header.
  3. Host A receives the SYN-ACK, it sends back ACK (Acknowledgment) packet.
  4. Host B receives ACK and at this stage the connection is ESTABLISHED.

TCP Connection termination :

  1. Host A sends a FIN (finish) flag, indicating that it has finished sending the data.
  2. Host B, on receiving the FIN, does not terminate the connection but enters a “passive close” (CLOSE_WAIT) state and sends the ACK for the FIN back to Host A.
  3. Host A enters into a (TIME_WAIT) state, and sends an ACK back to the Host B.
  4. Host B gets the ACK from the Host A and closes the connection.

Sequence numbers increase on new communication. Example is computers A and B. A would increment B’s sequence number. A would never increment its own sequence.

Port Numbers

  • Internet Assigned Numbers Authority (IANA) – maintains Service Name and Transport Protocol Port Number Registry which lists all port number reservations
  • Ranges
    • Well-known ports – 0 – 1023
    • Registered ports – 1024 – 49,151
    • Dynamic ports – 49,152 – 65,535
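
| Port Number | Protocol | Transport Protocol |
|---|---|---|
| 20/21 | FTP | TCP |
| 22 | SSH | TCP |
| 23 | Telnet | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 67 | DHCP | UDP |
| 69 | TFTP | UDP |
| 80 | HTTP | TCP |
| 110 | POP3 | TCP |
| 135 | RPC | TCP |
| 137-139 | NetBIOS | TCP/UDP |
| 143 | IMAP | TCP |
| 161/162 | SNMP | UDP |
| 389 | LDAP | TCP/UDP |
| 443 | HTTPS | TCP |
| 445 | SMB | TCP |
| 514 | SYSLOG | UDP |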

NMAP

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

NMAP Scan Types

FULL TCP Connect Scan

Tries to establish a full TCP connection with the target [SYN/SYN-ACK/ACK]

nmap -sT <target>  

Stealth TCP Scanning Methods

Half-Open Scan/SYN Scan

  • Half-open scan or SYN scan – only SYN packets sent.
  • It is fast.
  • Useful for hiding efforts and evading firewalls.
nmap -sS <target>

XMAS Scan/Inverse TCP Flag Scan

Sends TCP packets with the FIN, URG and PSH flags set.

nmap -sX <target>   

FIN Scan

Sends packet with FIN flag

  • If the port is closed, the target sends a packet with the RST flag.
  • If a service is running/the port is open, the target drops the request and sends no response.
nmap -sF <target>

No response from the target port leaves it unclear whether the port is open or the probe was blocked by a firewall. Hence, this scan isn’t very effective.

NULL Scan

Sends a packet with no flags set

  • No response means the port is open or filtered by a firewall
  • A response with the RST flag means the port is closed
nmap -sN <target> 

The key advantage to these scan types (NULL, FIN or Xmas scan) is that they can sneak through certain non-stateful firewalls and packet filtering routers.

ACK Scan/Firewall Detach Scan

This scan is used to identify firewall rules, determine the type of firewall and identify filtered ports. Note that this scan doesn’t give a list of open or closed ports; instead it checks whether a port is filtered or unfiltered.

It sends a packet with the ACK flag set. If it receives an RST in response, the port is unfiltered and might be open or closed. Ports that don’t respond or that send an ICMP error are marked as filtered. This type of scan is useful to detect the presence of a firewall.

nmap -sA <target> 

TCP Maimon Scan

Attackers send FIN/ACK probes; if there is no response, the port is open/filtered, but if an RST packet is sent in response, the port is closed.

nmap -sM <target>
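
A detection-side view of the probe types above, as an added example that is not from the original page: it parses raw TCP headers and labels NULL, FIN and XMAS probes by flags alone, and ACK and FIN/ACK (Maimon) probes only when no SYN has opened the flow, which is the state a non-stateful filter lacks. Treating a flow as open once its SYN is seen is a simplification of full connection tracking; the addresses and headers are constructed sample input.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets that are invalid in every connection state: match on flags alone.
STATELESS = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS"}
# Flag sets that are normal mid-connection but suspicious when no SYN opened the flow.
OUT_OF_STATE = {ACK: "ACK", FIN | ACK: "Maimon"}


def parse_tcp(header: bytes):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, off_flags & 0x3F  # keep URG, ACK, PSH, RST, SYN, FIN


def classify(packets):
    """Label each (src_ip, dst_ip, tcp_header) tuple, tracking flows opened by a SYN."""
    flows = set()  # (src, sport, dst, dport), both directions, once a SYN is seen
    labels = []
    for src, dst, header in packets:
        sport, dport, flags = parse_tcp(header)
        key = (src, sport, dst, dport)
        if flags in STATELESS:
            labels.append(STATELESS[flags] + " scan probe")
        elif flags == SYN:
            # A lone SYN is also what -sS and -sT send; those need rate-based detection.
            flows.update({key, (dst, dport, src, sport)})
            labels.append("connection attempt")
        elif key in flows:
            labels.append("in-state")
        elif flags in OUT_OF_STATE:
            labels.append(OUT_OF_STATE[flags] + " scan probe")
        else:
            labels.append("out-of-state")
    return labels


def make_tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (sample input, checksum left at zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)


# Constructed capture: one normal session, then five probes from another source.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", make_tcp_header(40000, 80, SYN)),
    ("198.51.100.5", "192.0.2.10", make_tcp_header(80, 40000, SYN | ACK)),
    ("192.0.2.10", "198.51.100.5", make_tcp_header(40000, 80, ACK)),
    ("192.0.2.10", "198.51.100.5", make_tcp_header(40000, 80, FIN | ACK)),
    ("203.0.113.7", "198.51.100.5", make_tcp_header(51000, 22, 0)),
    ("203.0.113.7", "198.51.100.5", make_tcp_header(51000, 23, FIN)),
    ("203.0.113.7", "198.51.100.5", make_tcp_header(51000, 25, FIN | PSH | URG)),
    ("203.0.113.7", "198.51.100.5", make_tcp_header(51000, 80, ACK)),
    ("203.0.113.7", "198.51.100.5", make_tcp_header(51000, 443, FIN | ACK)),
]

if __name__ == "__main__":
    for (src, dst, _), label in zip(SAMPLE, classify(SAMPLE)):
        print(f"{src} -> {dst}: {label}")
```

The same ACK and FIN/ACK segments are labelled in-state for the first source and as probes for the second, which is why a filter that inspects flags without tracking connections cannot separate them.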

IDLE Scan

An idle scan is a good option when you want to keep yourself anonymous while scanning. The scan involves sending a forged packet to the target host that looks like it is coming from some other host: it uses another host’s IP address as the source IP address instead of the attacker’s machine IP address. The idle host involved in this scan is called a zombie, and hence this scan is sometimes referred to as a zombie scan.

The steps below show how this works.

  1. The attacker sends the TCP SYN packet to the Zombie, which is up and idle.
  2. The Zombie responds with SYN/ACK packet with IPID 10.
  3. The attacker sends the spoofed SYN packet to the victim at 10.10.10.30, with the source IP of the Zombie (10.10.10.20).
  4. In the case of open port, the victim responds with SYN/ACK to the Zombie because source IP in step 3 was set to Zombie.
  5. Zombie on receiving the SYN/ACK packet from the victim sends the RST packet back to the victim with IPID 11.
  6. After some time, the attacker again sends the SYN packet to the Zombie host, but Zombie host was waiting for the ACK packet from the attacker as Zombie had already sent a SYN/ACK packet in step number 2.
  7. The Zombie host responds with RST packet to the attacker with IPID set to 12.
  8. The attacker on receiving the RST packet with IPID set to 12 knows that the remote port on the victim machine is open (Notice the increment in IPID from 10 to 12).
  9. In the case of the closed port on the victim machine, the victim responds with RST packet to the Zombie.
  10. Zombie won’t reply back to RST packet (IPID remains 10).
  11. After some time, the attacker again sends the SYN packet to the Zombie host, but Zombie host was waiting for the ACK packet from the attacker as Zombie had already sent a SYN/ACK packet in step number 2.
  12. The Zombie host responds with RST packet to the attacker with IPID set to 11.
  13. The attacker on receiving the RST packet with IPID set to 11 knows that the remote port on the victim machine is closed (Notice the increment in IPID from 10 to 11).

Scan example :

nmap -sI <zombie_host> <target_IP>   
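
The inference in steps 8 and 13 depends on the zombie incrementing one shared IPID counter for every packet it sends. As a defender's check, added here and not part of the original page, the following reads the Identification field from replies captured from your own hosts and reports which ones count predictably; the headers, addresses and the `max_step` threshold are constructed or assumed.

```python
import socket
import struct


def ip_id(ipv4_header: bytes) -> int:
    """Return the 16-bit Identification field (bytes 4-5) of an IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", ipv4_header[4:6])[0]


def classify_ipid(ids, max_step=16):
    """Classify IP IDs taken from consecutive replies of one host.

    'incremental' means every reply advanced the counter by a small positive
    step (modulo 65536), which is the behaviour the idle scan depends on.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(0 < d <= max_step for d in deltas):
        return "incremental"
    return "non-incremental"


def audit(captures):
    """Map host -> classification for {host: [raw IPv4 headers of its replies]}."""
    return {host: classify_ipid([ip_id(h) for h in headers])
            for host, headers in captures.items()}


def make_ipv4_header(ident, src):
    """Build a constructed 20-byte IPv4 header (sample input, checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton("192.0.2.10"))


# Constructed replies from four hypothetical hosts.
SAMPLE = {
    "198.51.100.20": [make_ipv4_header(i, "198.51.100.20") for i in (10, 11, 12, 13)],
    "198.51.100.21": [make_ipv4_header(i, "198.51.100.21") for i in (65534, 65535, 0, 2)],
    "198.51.100.22": [make_ipv4_header(i, "198.51.100.22") for i in (4821, 60233, 1190, 33507)],
    "198.51.100.23": [make_ipv4_header(0, "198.51.100.23")] * 3,
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(host, verdict)
```

Hosts reported as incremental are the ones whose counters leak how many packets they sent in between samples.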

FTP Bounce Scan

The FTP protocol allows a user to connect to an FTP server and then ask that files be sent to a third-party server. Such a feature can be abused to scan open ports of a target system. In this type of scan, nmap simply asks the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would.

The advantage of this scan is being able to be anonymous as bouncing through FTP server hides the source address of the attacker. The disadvantages are that it is slow, and many FTP servers have disabled the proxy feature.

Fragmented Scan

In a fragmented scan the attacker sends the probe packet in small IP fragments. The idea is to split the TCP header over several packets to make it harder for firewalls to detect. The advantage of this scan is the ability to bypass packet filters. The disadvantage is that it is slow. We are going to look at it in greater detail in module 12.

UDP Scan

Most popular services run over TCP, but many common services also use UDP: DNS (53), SMTP (25), DHCP (67), NTP (123), NetBIOS-ssn (137), etc.

  • nmap -sU <target>

You also can specify which UDP port:

  • nmap -sU -p U:53,123 <target>

Also you can fire up both TCP and UDP scans with port specification:

  • nmap -sU -sS -p U:53,123,T:80,443 <target>

ICMP Scan

Ping scans are used to determine if a host is online and responding

nmap -sP <target>

or

nmap -sn <target> 

Disable port scanning. Host discovery only.

You can also add -PE on both of the above nmap scans.

Spoofing

  • Decoy:
  • nmap -Pn -D <spoofed IP> <target>
    • This will perform a spoofed ping scan.
  • Source Address Spoofing:
  • nmap -e <network interface> -S <IP source> <target>
    • Example –> nmap -e eth0 -S 10.0.0.140 10.0.0.165
  • MAC Address Spoofing:
  • nmap --spoof-mac <MAC|Vendor> <target>
    • Example –> nmap --spoof-mac Cis 10.0.0.140

Decoys send spoofed IP addresses along with your own IP address.

Firewall Evasion

  • Multiple Decoy IP addresses:
  • Scans using multiple decoy IP addresses. Nmap will send multiple packets with different IP addresses, along with the attacker’s IP address.
  • nmap -D RND:<number> <target>
    • Example –> nmap -D RND:10 192.168.62.4
  • IP Fragmentation:
  • Scans using tiny fragmented packets
  • nmap -f <target>
  • Maximum Transmission Unit:
  • This command is used to transmit smaller packets instead of sending one complete packet at a time.
  • nmap --mtu 8 <target>
    • Maximum Transmission Unit (--mtu) with 8-byte packets.

Timing & Performance

  • Paranoid
    • Paranoid (0) Intrusion Detection System evasion
    • nmap <target> -T0
  • Sneaky
    • Sneaky (1) Intrusion Detection System evasion
    • nmap <target> -T1
  • Polite
    • Polite (2) slows down the scan to use less bandwidth and use less target machine resources
    • nmap <target> -T2
  • Normal
    • Normal (3) which is default speed
    • nmap <target> -T3
  • Aggressive
    • Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
    • nmap <target> -T4
  • Insane
    • Insane (5) speeds scan; assumes you are on an extraordinarily fast network
    • nmap <target> -T5

List of Switches

| Switch | Description |
|---|---|
| -sA | ACK scan |
| -sF | FIN scan |
| -sI | IDLE scan |
| -sL | DNS scan (list scan) |
| -sN | NULL scan |
| -sO | Protocol scan (tests which IP protocols respond) |
| -sP or -sn | Ping scan |
| -sR | RPC scan |
| -sS | SYN scan |
| -sT | TCP connect scan |
| -sW | Window scan |
| -sX | XMAS scan |
| -A | OS detection, version detection, script scanning and traceroute |
| -sV | Determine only service/version info |
| -PI | ICMP ping |
| -Pn | No ping |
| -P0 | No ping |
| -PS | SYN ping |
| -PT | TCP ping |
| -oN | Normal output |
| -oX | XML output |
| -n/-R | Never do DNS resolution/Always resolve |
| -f; --mtu | Fragment packets (optionally w/given MTU) |
| -D | IP address decoy: cloak a scan with decoys |
| -T0 through -T2 | Serial scans. T0 is slowest |
| -T3 through -T5 | Parallel scans. T3 is slowest |
| -F | Fast mode – Scan fewer ports than the default scan |
| -p | Port scan for port x `nmap -p21,80 <target>` |
| --top-ports | Scan top ports `nmap --top-ports 1000` |
| -p- | Scan all ports |
| -p-65535 | Scan ports till 65535 |

Notes:

  • Nmap runs by default at a T3 level (3 – Normal).
  • Nmap runs TCP scans by default.
  • Nmap pings the target before the port scan by default, but if the target has a firewall, the scan may be blocked. To avoid this, you can use -Pn to disable ping.
  • If you’re on a LAN and you need to disable ARP ping, use:
    • --disable-arp-ping
  • You can add input from external lists of hosts/networks:
    • -iL hosts-example.txt
  • Fingerprinting – another word for port sweeping and enumeration

NSE Script

NSE stands for Nmap Scripting Engine, and it’s basically a digital library of Nmap scripts that helps to enhance the default Nmap features and report the results in a traditional Nmap output.

One of the best things about NSE is its ability to let users write and share their own scripts, so you’re not limited to relying on the Nmap default NSE scripts.

| Switch | Example | Description |
|---|---|---|
| -sC | nmap 192.168.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe |
| --script default | nmap 192.168.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe |
| --script | nmap 192.168.1.1 --script=banner | Scan with a single script. Example banner |
| --script | nmap 192.168.1.1 --script=http,banner | Scan with two scripts. Example http and banner |
| --script | nmap 192.168.1.1 --script "not intrusive" | Scan default, but remove intrusive scripts |
| --script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments |

Some useful examples of NSE scripts

  • http site map generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org

  • Fast search for random web servers
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000

  • Brute forces DNS hostnames guessing subdomains
nmap -Pn --script=dns-brute domain.com
  • Safe SMB scripts to run
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1
  • Whois query
nmap --script whois* domain.com
  • Detect cross site scripting vulnerabilities
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
  • Check for SQL injections
nmap -p80 --script http-sql-injection scanme.nmap.org

Source : https://www.stationx.net/nmap-cheat-sheet/

hping

Hping3 is a scriptable program that uses the Tcl language, whereby packets can be received and sent via a binary or string representation describing the packets.

  • Another powerful ping sweep and port scanning tool
  • Also can craft UDP/TCP packets
  • You can make a TCP flood
  • hping3 -1 IP address

| Switch | Description |
|---|---|
| -1 | Sets ICMP mode |
| -2 | Sets UDP mode |
| -8 | Sets scan mode. Expects port range without -p flag |
| -9 | Listen mode. Expects signature (e.g. HTTP) and interface (-I eth0) |
| --flood | Sends packets as fast as possible without showing incoming replies |
| -Q | Collects sequence numbers generated by the host |
| -p | Sets port number |
| -F | Sets the FIN flag |
| -S | Sets the SYN flag |
| -R | Sets the RST flag |
| -P | Sets the PSH flag |
| -A | Sets the ACK flag |
| -U | Sets the URG flag |
| -X | Sets the XMAS scan flags |

Evasion Concepts

  • To evade IDS, sometimes you need to change the way you scan
  • One method is to fragment packets (nmap -f switch)
  • OS Fingerprinting
    • Active – sending crafted packets to the target
    • Passive – sniffing network traffic for things such as TTL windows, DF flags and ToS fields
  • Spoofing – can only be used when you don’t expect a response back to your machine
  • Source routing – specifies the path a packet should take on the network; most systems don’t allow this anymore
  • IP Address Decoy – sends packets from your IP as well as multiple other decoys to confuse the IDS/Firewall as to where the attack is really coming from.
    • nmap -D RND:10 x.x.x.x
    • nmap -D decoyIP1,decoyIP2....,sourceIP,.... [target]

  • Proxy – hides true identity by filtering through another computer. Also can be used for other purposes such as content blocking evasion, etc.
  • Proxy chains – chaining multiple proxies together
    • Proxy Switcher
    • Proxy Workbench
    • ProxyChains
  • Tor – a specific type of proxy that uses multiple hops to a destination; endpoints are peer computers
  • Anonymizers – hides identity on HTTP traffic (port 80)

Banner grabbing can be used to get information about OS or specific server info (such as web server, mail server, etc.)

  • Active – sending specially crafted packets and comparing responses to determine OS
  • Passive – reading error messages, sniffing traffic or looking at page extensions
  • An easy way to banner grab is to connect via telnet to the port (e.g. 80 for a web server)
  • Netcat tool
    • “Swiss army knife” of TCP/IP hacking
    • Provides all sorts of control over a remote shell on a target
    • Connects via nc -e <IP address> <Port>
    • From attack machine nc -l -p 5555 opens a listening port on 5555
    • Can connect over TCP or UDP, from any port
    • Offers DNS forwarding, port mapping and forwarding and proxying
    • Netcat can be used to banner grab:
      • nc <IP address or FQDN> <port number>
  • Example of Banner grabbing on netcat – extracting request HTTP header
  1. nc command with target IP address and port 80
  2. Issue the GET / HTTP/1.0 (this GET request will send to the web server).
  3. The server responded with some interesting information:
nc 192.168.63.143 80
GET / HTTP/1.0            

HTTP/1.1 200 OK
Date: Sun, 12 Aug 2018 13:36:59 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Connection: close
Content-Type: text/html

<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>

                _                  _       _ _        _     _      ____  
_ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ 
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ 
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                          


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started


</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
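
The response above, read from the defender's side in an added example that is not part of the original page: the function parses the header block and lists every product/version token a banner grab reveals, so the same check can be run against your own servers before and after hardening. `CAPTURED` reproduces the headers shown above; `HARDENED` is a constructed response for comparison.

```python
import re

# Response headers that carry product/version strings in the capture above.
DISCLOSING = ("server", "x-powered-by")
# product/version tokens such as Apache/2.2.8 or PHP/5.2.4-2ubuntu5.10
TOKEN_RE = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.+~-]*)")


def parse_head(raw: bytes):
    """Split a raw HTTP response into (status_line, {lowercase name: [values]})."""
    text = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("iso-8859-1")
    status, *lines = text.split("\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # ignore anything that is not a "Name: value" line
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def banner_findings(raw: bytes):
    """Return (header, product, version) for every version token in the banner."""
    _status, headers = parse_head(raw)
    return [(name, product, version)
            for name in DISCLOSING
            for value in headers.get(name, [])
            for product, version in TOKEN_RE.findall(value)]


# Header block as shown in the netcat session above.
CAPTURED = (b"HTTP/1.1 200 OK\r\n"
            b"Date: Sun, 12 Aug 2018 13:36:59 GMT\r\n"
            b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
            b"X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
            b"Content-Length: 891\r\n"
            b"Connection: close\r\n"
            b"Content-Type: text/html\r\n\r\n<html>")

# Constructed response from a server that no longer advertises versions.
HARDENED = (b"HTTP/1.1 200 OK\n"
            b"Server: Apache\n"
            b"Content-Type: text/html\n\n<html>")

if __name__ == "__main__":
    for header, product, version in banner_findings(CAPTURED):
        print(f"{header}: {product} {version}")
    print("hardened findings:", banner_findings(HARDENED))
```

On the Apache/PHP stack in the capture, `ServerTokens Prod` and `expose_php = Off` are the settings that reduce these headers to the hardened form.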

Countermeasures

  • Configure firewall and IDS rules to detect and block probes
  • Run the port scanning rules against hosts on the network to determine whether the firewall properly detects the port scanning activity.
  • Ensure that router, IDS and firewall firmware are updated to their latest releases.
  • Filter all ICMP messages at the firewalls and router.
  • Configure Honeypot to misdirect the Attacker.
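
One way to check the first two countermeasures, as an added example that is not part of the original page: a sliding-window detector that counts distinct destination ports per source in firewall logs. The log format, addresses and thresholds are assumptions and the log lines are constructed; the second call shows why a short window misses the slow pacing that the -T0 and -T1 templates are meant to produce.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<ISO time> SRC=<ip> DST=<ip> DPT=<port>"
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")


def detect_scanners(lines, window_s=60, min_ports=5):
    """Return {src: peak count of distinct (dst, port) pairs seen inside one window}
    for every source that reaches min_ports. Lines must be in time order."""
    recent = defaultdict(deque)  # src -> deque of (time, dst, port)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.fromisoformat(m.group(1))
        src, dst, port = m.group(2), m.group(3), int(m.group(4))
        q = recent[src]
        q.append((ts, dst, port))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop events that fell out of the window
        distinct = len({(d, p) for _, d, p in q})
        if distinct >= min_ports:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def sample_log():
    """Constructed log lines: a fast sweep, an ordinary client and a slow sweep."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 443]):  # six ports in six seconds
        lines.append(f"2018-08-12T13:00:{i:02d} SRC=203.0.113.7 DST=198.51.100.5 DPT={port}")
    for i in range(6):  # repeated requests to one service
        lines.append(f"2018-08-12T13:01:{i:02d} SRC=192.0.2.10 DST=198.51.100.5 DPT=443")
    for i, port in enumerate([21, 22, 23, 25, 80]):  # one probe every five minutes
        lines.append(f"2018-08-12T14:{i * 5:02d}:00 SRC=203.0.113.99 DST=198.51.100.5 DPT={port}")
    return lines


if __name__ == "__main__":
    print("60 s window:  ", detect_scanners(sample_log()))
    print("3600 s window:", detect_scanners(sample_log(), window_s=3600))
```

Running the detector with both a short and a long window, and replaying a known scan against it, is a direct way to confirm that the firewall or IDS rule actually fires.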
