CEH v10 Notes — Scanning Networks
Scanning Networks
1. Network Scanning Concepts
Gathers more detail about the target than footprinting does
Used for identifying hosts, ports and services in a network
One of the components of intelligence gathering, which an attacker uses to build a profile of the target organization
Objectives: discover live hosts, their IP addresses and open ports; operating systems and system architecture; services running on hosts; vulnerabilities in live hosts
Types: port scanning; network scanning; vulnerability scanning
TCP Communication Flags
The TCP header contains various flags that control the transmission of data across a TCP connection
Six classic TCP control flags (RFC 793) manage the connection between hosts; later RFCs added ECE, CWR and NS for congestion control
Four (SYN, ACK, FIN and RST) govern the establishment, maintenance and termination of a connection; the other two (PSH, URG) tell the receiver how to handle the data
SYN (synchronize): set in the first segment of a connection to announce the sender's initial sequence number
The SYN / SYN+ACK / ACK exchange is the three-way handshake that establishes a connection between two hosts
ACK (acknowledgement): flag = 1 confirms receipt of data and makes the acknowledgement number field valid, identifying the next sequence number the receiver expects; set on every segment after the initial SYN
PSH (push): flag = 1 asks the receiving stack to hand the buffered data to the application immediately instead of waiting for more
URG (urgent): flag = 1 tells the remote system that the urgent pointer field is valid and that the data it points to should be processed ahead of the rest of the stream
FIN (finish): flag = 1 signals that the sender has no more data to send and starts the orderly termination of the connection
RST (reset): flag = 1 signals an error condition, e.g. a segment arriving for a port with no listener or for a connection that does not exist
Aborts the connection in response to the error; port scanners rely on RST replies to tell closed ports from open ones
TCP/IP Communication
Creating custom packets using TCP flags: scanners set unusual flag combinations to elicit replies that reveal port state without completing a handshake
Packet crafting tools: generate, modify and analyze network traffic (Hping is the one covered in these notes)
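As an added example (not part of the original notes and not code from Hping or any other tool named here), the following Python builds and decodes the 20-byte TCP header so that the flag byte and the checksum over the IPv4 pseudo-header can be seen concretely. The addresses and ports are constructed documentation values and every function name is this example's own:

```python
import socket
import struct

# Bit positions of the control flags in byte 13 of the TCP header
# (the six classic flags from RFC 793 plus ECE/CWR from RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER_FMT = "!HHIIBBHHH"


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0,
                      window=1024, payload=b""):
    """Craft a 20-byte TCP header with exactly the named flags set and a valid checksum."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5 << 4  # header length in 32-bit words (5 = 20 bytes, no options)
    header = struct.pack(TCP_HEADER_FMT, sport, dport, seq, ack,
                         data_offset, flag_bits, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(header) + len(payload))
                               + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fixed TCP header fields; flags come back as a list of names."""
    (sport, dport, seq, ack, off_res, flag_bits,
     window, csum, urg_ptr) = struct.unpack(TCP_HEADER_FMT, segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_res >> 4) * 4,
        "flags": [name for name, bit in TCP_FLAGS.items() if flag_bits & bit],
        "window": window, "checksum": csum, "urgent_pointer": urg_ptr,
    }


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A correct segment sums to zero when the stored checksum is included."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    # Constructed example addresses (RFC 5737 documentation ranges), not real hosts.
    src, dst = "192.0.2.10", "198.51.100.20"
    syn = build_tcp_segment(src, dst, 40000, 80, ["SYN"], seq=0x1234)
    xmas = build_tcp_segment(src, dst, 40000, 80, ["FIN", "PSH", "URG"])
    for name, seg in (("SYN probe", syn), ("Xmas probe", xmas)):
        print(name, parse_tcp_segment(seg)["flags"], "checksum ok:", checksum_ok(src, dst, seg))
```

Handing a segment built this way to a raw socket is what hping and nmap do under the hood, which is why those scan types need root; the parser works equally on the receive side for classifying the replies discussed under the scanning techniques below.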
Scanning in IPv6 Networks: IPv6 increases the address size from 32 bits to 128 bits to support more levels of addressing
Brute-force sweeping an IPv6 subnet is computationally infeasible: a single /64 holds 2^64 addresses
Once the attacker has compromised one host in the subnet, he can probe the all-nodes link-local multicast address (ff02::1) to enumerate its neighbours instead of sweeping
2. Scanning Tools
Nmap: network discovery and security auditing tool; builds a network inventory
Extracts: live hosts on the network, services (application name and version), type of packet filters/firewalls in use, operating systems and OS versions
Hping2/Hping3
Command-line network scanning and packet crafting tool for TCP/IP
Uses: network security auditing, firewall testing, traceroute, advanced port scanning
ICMP scanning: ping sweep (hping3 -1 <target>)
ACK scanning on port 80 (hping3 -A <target> -p 80): probes for the existence of a firewall
NetScanTools Pro: troubleshooting, diagnosing, monitoring and discovering devices on the network
Reports IPv4/IPv6 addresses, hostnames, domain names, email addresses
Scanning tools for mobile: IP Scanner, Ping
IP Scanner (for iOS)
3. Scanning Techniques
Scanning is the process of gathering information about systems that are "alive" and responding on the network
Check for live systems first (with the help of ICMP scanning), then scan the live ones
ICMP scanning (ICMP echo requests, ping sweep)
TCP scanning
UDP scanning
Ping scan: sending ICMP ECHO requests to a host; an ICMP ECHO reply means the host is up
Useful for locating active devices or determining whether ICMP is passing through a firewall
Scanning network services: ICMP network services; TCP network services; UDP network services
Ping sweep (nmap -sn <range>): determine the live hosts in a range of IP addresses; subnet mask calculators help work out how many hosts a subnet can contain; the result is an inventory of live systems
ICMP echo scanning is host discovery (a ping scan), not port scanning
TCP Connect / Full Open Scan (nmap -sT)
Detects an open port by completing the three-way handshake (SYN, SYN/ACK, ACK)
Establishes a full connection and then tears it down by sending an RST packet
Does not require superuser privileges (uses the OS connect() call), but is the noisiest option: the accepted connection shows up in the target application's logs
Stealth Scan (Half-Open / SYN Scan) (nmap -sS)
Resets the connection before the three-way handshake completes, leaving it half open
Evades some firewall rules and application-level logging because no full connection is ever established; it is still visible to a packet-level IDS
Port is open: SYN -> SYN/ACK <- RST (the attacker answers the SYN/ACK with RST instead of the final ACK)
Port is closed: SYN -> RST/ACK
No response or ICMP unreachable: port is filtered
Inverse TCP Flag Scanning
Attackers send TCP probe packets with a single flag (FIN, URG or PSH) set, or with no flags at all (NULL scan, nmap -sN)
Port open: no response (RFC 793 requires a closed port to answer RST, while an open port silently drops the probe); reported as open|filtered because a dropped probe looks the same
Port closed: RST/ACK response
Advantages: highly stealthy, avoids IDS rules that key on SYN
Disadvantages: needs raw access to network sockets, so requires superuser privileges
Mostly effective against hosts using a BSD-derived (RFC 793 compliant) TCP/IP stack
Not effective against Microsoft Windows, which replies RST regardless of port state, so every port appears closed
XMAS Scan (nmap -sX)
In an Xmas scan, attackers send a TCP frame with the FIN, URG and PSH flags all set (the header is "lit up like a Christmas tree") to a remote device; a closed port replies RST, an open port stays silent
FIN scan (nmap -sF) works only against OSes with an RFC 793 based TCP/IP implementation
Does not work against current Microsoft Windows versions (all ports appear closed)
ACK Flag Probe Scanning (nmap -sA)
Attackers send TCP probe packets with only the ACK flag set to a remote device and then analyze the header information of the replies; both open and closed unfiltered ports answer an ACK with RST, so the reply by itself tells filtered from unfiltered, not open from closed
Used to check the filtering system (firewall rules) of the target
Attackers send an ACK probe with a random sequence number; no response (or an ICMP unreachable) = port is filtered (a stateful firewall is present)
RST response = port is not filtered (unfiltered)
TTL-based ACK flag probe scanning: send ACK probes to many ports and analyze the TTL field of the RST packets received; on some older stacks RSTs from open ports carry a lower TTL (below 64) than those from closed ports
Window-based ACK flag probe scanning (nmap -sW)
Send ACK probes and analyze the Window field of the received RST packets
Non-zero window = open, zero = closed; again only on some older stacks, most modern systems set window 0 in every RST
IDLE/IPID Header Scan (nmap -sI <zombie> <target>)
IPID: the IP fragment identification number
Every IP packet carries a fragment identification number; many OSes simply increment one global IPID for every packet they send, so probing a host's IPID before and after an interval tells the attacker how many packets it sent in between
A machine that receives an unsolicited SYN/ACK packet will respond with an RST (an unsolicited RST is ignored)
Step 1: probe the zombie (send it a SYN/ACK); it replies with an RST, disclosing its current IPID
Step 2: send the target a SYN whose source address is spoofed to the zombie's
Port is open: the target sends SYN/ACK to the zombie, which answers with an RST (consuming one IPID)
Port is closed: the target sends RST to the zombie, which ignores it (no IPID consumed); a filtered port sends nothing, with the same effect
Step 3: probe the zombie again and compare
IPID increased by 2 = open port
IPID increased by 1 = closed (or filtered) port
Requires a zombie that is truly idle and uses a predictable incremental IPID; the scan is blind, so the target's logs show only the zombie's address
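The three-party exchange above is easiest to see in a small model. The following Python is added here and is not taken from the notes or from nmap: it simulates a zombie with a global incrementing IP ID, a target with open, closed and filtered ports, and the attacker's three steps. The class and function names and the starting IP ID are this example's own assumptions:

```python
class ZombieHost:
    """Model of an idle host whose IP stack assigns IP IDs from one global counter
    that increments by one for every packet it sends."""

    def __init__(self, start_ipid=1000):
        self.ipid = start_ipid

    def _emit(self):
        self.ipid += 1          # every transmitted packet consumes one IP ID
        return self.ipid

    def receive(self, flags):
        # RFC 793 behaviour for a segment that matches no connection:
        #   unsolicited SYN/ACK -> reply RST (a packet is sent, so IPID++)
        #   unsolicited RST     -> silently dropped (nothing sent)
        if flags == {"SYN", "ACK"}:
            return {"flags": {"RST"}, "ipid": self._emit()}
        return None

    def background_traffic(self, packets):
        """A zombie that is not really idle sends unrelated packets between probes."""
        for _ in range(packets):
            self._emit()


class TargetHost:
    """The system being scanned: SYN to an open port gets SYN/ACK, to a closed port
    gets RST, to a filtered port gets nothing. Replies go to the packet's source."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, dport, flags, src_host):
        if flags != {"SYN"} or dport in self.filtered_ports:
            return None
        reply = {"SYN", "ACK"} if dport in self.open_ports else {"RST"}
        return src_host.receive(reply)   # delivered to the spoofed source: the zombie


def idle_scan(zombie, target, port, noise_packets=0):
    """Three-step idle scan of one port; returns the inferred state and the IPID delta."""
    before = zombie.receive({"SYN", "ACK"})["ipid"]   # 1. probe zombie, read its IPID
    target.receive(port, {"SYN"}, src_host=zombie)    # 2. SYN to target, spoofed from zombie
    zombie.background_traffic(noise_packets)          #    (anything else the zombie sends)
    after = zombie.receive({"SYN", "ACK"})["ipid"]    # 3. probe zombie again
    delta = after - before
    if delta == 2:
        state = "open"
    elif delta == 1:
        state = "closed|filtered"   # target's RST was ignored, or it sent nothing
    else:
        state = "unreliable"        # zombie is not idle: its own traffic hides the signal
    return {"port": port, "ipid_delta": delta, "state": state}


if __name__ == "__main__":
    target = TargetHost(open_ports={22, 80}, filtered_ports={25})
    for p in (22, 80, 81, 25):
        print(idle_scan(ZombieHost(), target, p))
    print(idle_scan(ZombieHost(), target, 80, noise_packets=5))
```

The noise_packets parameter shows why the zombie must really be idle: any packet it sends between the two probes adds to the delta and the inference becomes unreliable. nmap -sI does the same bookkeeping with real packets, and first checks that the zombie's IP ID really is global and incremental before trusting it.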
UDP Scanning (nmap -sU)
There is no three-way handshake for UDP, so the scanner sends a UDP datagram (empty or with a protocol-specific payload) to each port and watches what comes back
UDP port open: the system does not respond (or answers with application data); a silent port is reported as open|filtered
UDP port closed: the system responds with an ICMP port unreachable message (type 3, code 3)
Many OSes rate-limit ICMP error messages, which makes UDP scans slow
Spyware, Trojan horses and other malicious applications often listen on UDP ports, so UDP scanning should not be skipped
SSDP and List Scanning
SSDP
The Simple Service Discovery Protocol (SSDP) is a network protocol that works in conjunction with UPnP to detect plug-and-play devices; it uses UDP port 1900 and multicast M-SEARCH requests
Vulnerabilities in UPnP may allow attackers to launch buffer overflow or DoS attacks
Use a UPnP SSDP M-SEARCH information discovery tool (Metasploit's auxiliary/scanner/upnp/ssdp_msearch is one) to check whether the machine is vulnerable to UPnP exploits
List Scanning (nmap -sL)
Generates and prints a list of IPs/names without actually pinging or port scanning them
A reverse DNS resolution is carried out on each address to identify the host names; useful for sanity-checking the target range before the real scan
Port Scanning Countermeasures
Configure firewall and IDS rules to detect and block probes
Run port scanning tools against hosts on the network to determine whether the firewall properly detects port scanning activity
Ensure that the mechanisms used for routing and filtering at the routers and firewalls respectively cannot be bypassed
Ensure the router, IDS and firewall firmware is updated to the latest version
Use a custom rule set to lock down the network and block unwanted ports
Filter all ICMP messages (i.e. inbound ICMP message types) at the firewalls and routers
Perform TCP and UDP scanning along with ICMP probes against your organization's IP address space to check the network configuration and its available ports
Ensure that the anti-scanning and anti-spoofing rules are properly configured
4. Scanning Beyond IDS and Firewall
Intrusion Detection System: inspects traffic and alerts on known probe patterns, while the firewall enforces policy; the techniques below try to get probes past both
IDS/Firewall Evasion Techniques
Packet Fragmentation: sending fragmented probe packets to the intended server, which reassembles them after receiving all the fragments (nmap -f)
Source Routing: specifying the routing path the packet should take to reach the intended server, around the filtering device
IP Address Decoy: generating or manually specifying decoy IP addresses so that the real source is hidden among many apparent scanners
IP Address Spoofing: changing the source IP address so that the packet appears to come from someone else
Proxy Server: using a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions
Packet Fragmentation
Packet fragmentation refers to splitting a probe packet into several smaller IP fragments while sending it to a network
The TCP header itself is split across several fragments (nmap -f uses 8-byte fragments, so the TCP flag byte lands in the second fragment); a filter or IDS that does not reassemble fragments cannot see the flags and may let the probe through; modern IDSs and stateful firewalls reassemble, and some drop tiny fragments outright
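To make the fragmentation point concrete, here is an added Python example (not from the notes or from nmap) that splits a constructed TCP SYN header into 8-byte IP fragments the way nmap -f does, shows which fragment actually carries the TCP flag byte, and reassembles the fragments in arbitrary order. The addresses, IP ID and helper names are this example's own:

```python
import random
import struct

# ver/ihl, tos, total length, id, flags+fragment offset, ttl, proto, checksum, src, dst
IP_HEADER_FMT = "!BBHHHBBH4s4s"
IP_MF = 0x2000              # "More Fragments" bit in the flags/offset field
TCP_FLAGS_OFFSET = 13       # the control-flags byte sits 13 bytes into the TCP header


def ip_fragment(ident, proto, src, dst, payload, frag_size=8):
    """Split one transport segment into IP fragments carrying frag_size payload bytes
    each (8 is what nmap -f uses; fragment offsets must be multiples of 8)."""
    if frag_size % 8:
        raise ValueError("fragment payload size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        flags_off = (IP_MF if more else 0) | (off // 8)
        hdr = struct.pack(IP_HEADER_FMT, 0x45, 0, 20 + len(chunk), ident,
                          flags_off, 64, proto, 0, src, dst)
        frags.append(hdr + chunk)
    return frags


def ip_reassemble(fragments):
    """Rebuild the datagram from its fragments in any order.
    Returns the payload, or None if a fragment is missing."""
    pieces, total_len = {}, None
    for frag in fragments:
        flags_off = struct.unpack(IP_HEADER_FMT, frag[:20])[4]
        offset = (flags_off & 0x1FFF) * 8
        pieces[offset] = frag[20:]
        if not flags_off & IP_MF:            # the last fragment fixes the total length
            total_len = offset + len(frag) - 20
    if total_len is None or sum(len(p) for p in pieces.values()) != total_len:
        return None
    return b"".join(pieces[off] for off in sorted(pieces))


def tcp_flags_in_fragment(frag):
    """What a filter that inspects fragments individually can see: the TCP flag byte
    if it lies inside this fragment, else None."""
    flags_off = struct.unpack(IP_HEADER_FMT, frag[:20])[4]
    offset = (flags_off & 0x1FFF) * 8
    data = frag[20:]
    idx = TCP_FLAGS_OFFSET - offset
    return data[idx] if 0 <= idx < len(data) else None


# Constructed 20-byte TCP SYN header: sport 40000, dport 80, seq 0x1234, flags SYN (0x02)
SYN_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 80, 0x1234, 0, 5 << 4, 0x02, 1024, 0, 0)
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])   # RFC 5737 documentation addresses


def demo():
    frags = ip_fragment(ident=0xBEEF, proto=6, src=SRC, dst=DST, payload=SYN_SEGMENT)
    shuffled = frags[:]
    random.shuffle(shuffled)                 # fragments may arrive in any order
    return {
        "fragment_count": len(frags),
        "flags_visible_per_fragment": [tcp_flags_in_fragment(f) for f in frags],
        "reassembled_matches": ip_reassemble(shuffled) == SYN_SEGMENT,
        "incomplete_reassembly": ip_reassemble(frags[:-1]),
    }


if __name__ == "__main__":
    print(demo())
```

A filter that judges each fragment on its own sees the flag byte only in the second fragment, and the first fragment (ports and sequence number only) matches no SYN rule at all; the reassembler is what the target stack, and any fragment-aware IDS, must do before it can classify the probe, and a missing fragment leaves the datagram undecidable.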
Source Routing
Normally, as a packet travels through the network, each router examines the destination IP address and chooses the next hop toward the destination
Source routing refers to sending a packet with a partially (loose) or completely (strict) specified route in its IP options, so that it travels around the IDS/firewall; most routers now drop source-routed packets
IP address decoy: generating or manually specifying the IP addresses of decoys so that the target's IDS sees the scan arriving from many hosts and cannot tell which one is the attacker
Decoy scanning using nmap: nmap -D RND:10 <target> (10 random decoys) or nmap -D decoy1,decoy2,ME,decoy3 <target> (explicit decoys, with ME marking the real source)
IP address spoofing: changing the source IP address so that the packet appears to come from someone else
When the victim replies, the reply goes to the spoofed address and not to the attacker's real address, so spoofing only works for blind, one-way traffic (idle scans, floods), not for scans that need to read the response
IP Spoofing Detection Techniques: Direct TTL Probes
Send a packet that triggers a reply to the host whose address appears in the suspect packet, and compare the TTL of that reply with the TTL in the suspect packet; if the two are not the same, the suspect packet is probably spoofed
This technique works when the attacker is in a different subnet from that of the victim (and the impersonated host), since the hop count then differs
IP Identification Number
Compare the IP ID of a reply from the claimed source with the IP ID of the suspect traffic
Not close in value = spoofed
Works even if the attacker is in the same subnet
TCP Flow Control Method
An attacker sending spoofed TCP packets never receives the target's SYN/ACK packets, so cannot learn the advertised window size
A sender that keeps transmitting after the window is exhausted (i.e. ignores the window) is spoofing
IP Spoofing Countermeasures
Encrypt and authenticate all network traffic (IPsec, TLS, SSH, HTTPS)
Use multiple firewalls providing multi-layered depth of protection
Do not rely on IP-based authentication
Use random initial sequence numbers so that a blind spoofer cannot complete the TCP handshake
Ingress filtering: use routers and firewalls at your network perimeter to drop inbound packets whose source address belongs to your own network or to a non-routable range
Egress filtering: filter all outgoing packets whose source address is not a valid local IP address (BCP 38), so your network cannot be used as a spoofing launch point
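The two filtering items above are usually expressed as router ACLs; as an added example (not the notes' own, and not any real ACL syntax) the following Python states the same ingress and egress decisions and runs them over a constructed set of packets. The site prefix 203.0.113.0/24 and the sample sources are assumed RFC 5737 documentation addresses:

```python
import ipaddress

# Assumed site prefix (RFC 5737 documentation range) and the private/non-routable
# ranges that should never appear as a legitimate source arriving from the Internet.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in(ip, prefixes):
    return any(ip in net for net in prefixes)


def border_filter(direction, src_ip):
    """Decide whether a packet with source src_ip may cross the perimeter.
    direction is 'ingress' (arriving from the Internet) or 'egress' (leaving the site).
    Returns (verdict, reason)."""
    src = ipaddress.ip_address(src_ip)
    if direction == "ingress":
        if _in(src, SITE_PREFIXES):
            return "drop", "claims an internal source address but arrived from outside"
        if _in(src, BOGON_PREFIXES):
            return "drop", "bogon / non-routable source address"
        return "accept", "external source"
    if direction == "egress":
        if not _in(src, SITE_PREFIXES):
            return "drop", "source address is not ours (BCP 38 egress filtering)"
        return "accept", "local source"
    raise ValueError("direction must be 'ingress' or 'egress'")


# Constructed sample traffic as (direction, source) pairs, not captured from a real network.
SAMPLE_PACKETS = [
    ("ingress", "198.51.100.7"),    # ordinary Internet host
    ("ingress", "203.0.113.25"),    # our own prefix arriving from outside: spoofed
    ("ingress", "10.1.2.3"),        # RFC 1918 source from the Internet: bogon
    ("egress", "203.0.113.25"),     # one of our hosts talking out
    ("egress", "192.0.2.99"),       # a spoofed source trying to leave our network
]


def audit(packets=SAMPLE_PACKETS):
    """Apply the filter to each sample packet; returns (direction, src, verdict, reason) rows."""
    return [(d, s) + border_filter(d, s) for d, s in packets]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The ingress rule is what stops an outsider from impersonating an internal host; the egress rule is what stops a compromised internal host from taking part in a spoofed-source flood against someone else, which is why both directions are needed.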
Proxy Servers: an intermediary for connecting to other computers
Used to evade certain IDS/firewall restrictions
Mask the actual source of the scan
Remotely access intranets and other website resources that are normally off limits
Chain multiple proxy servers to avoid detection
Proxy chaining: each proxy only knows the hop before and after it; at the end of the chain the unencrypted request is passed to the web server, so the last proxy and the server still see the plaintext
Proxy Switcher; Proxy Workbench
Proxy tools: CyberGhost
For mobile: Shadowsocks; ProxyDroid
Anonymizers: remove all the identifying information from the user's computer while the user surfs the internet
Allow you to bypass internet censors
Make the user's activities on the internet untraceable by the sites visited
5. Banner Grabbing
Used to identify network hosts running versions of applications and OSs with known exploits
Active banner grabbing: the attacker opens a connection to the service and reads the banner it sends (telnet, nc or nmap -sV), or sends specially crafted packets and studies the responses to fingerprint the OS
Passive banner grabbing: sniffing the target's traffic, error messages and page file extensions without sending packets to it
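The TCP connect scan from section 3 and active banner grabbing use the same socket operations, so one added Python example (not from the notes or from any tool named here) covers both: a constructed local listener stands in for a target daemon and sends a made-up SSH-style banner, the scanner completes a full handshake with connect(), classifies the result, and then reads the banner. All names, the banner text and the use of 127.0.0.1 are this example's assumptions:

```python
import errno
import socket
import threading

# Constructed banner for the stand-in service; a real sshd sends its own version string.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9 (constructed sample banner)\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Local stand-in for a target daemon: accept connections and send a banner.
    Returns (port, stop) where stop() shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    srv.listen(8)
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            try:
                conn.sendall(banner)
            except OSError:
                pass                       # scanner already closed/reset the connection
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stopping.set


def connect_scan(host, ports, timeout=0.5):
    """TCP connect (full open) scan: the OS completes the three-way handshake inside
    connect(), then we close the socket. No raw sockets and no root needed."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))
            if err == 0:
                results[port] = "open"          # handshake completed
            elif err == errno.ECONNREFUSED:
                results[port] = "closed"        # target answered the SYN with RST
            else:
                results[port] = "filtered"      # timeout / unreachable: something dropped it
    return results


def grab_banner(host, port, timeout=1.0, nbytes=256):
    """Active banner grabbing: connect and read whatever the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""                          # silent service: needs a protocol-specific probe


def free_closed_port():
    """Pick a loopback port with no listener, to show the 'closed' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    open_port, stop = start_fake_service()
    closed_port = free_closed_port()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
        banners = {p: grab_banner("127.0.0.1", p) for p, st in states.items() if st == "open"}
    finally:
        stop()
    return states, banners


if __name__ == "__main__":
    states, banners = demo()
    for port, state in states.items():
        print(port, state, banners.get(port, b"").decode(errors="replace").strip())
```

The same scan with nmap -sT followed by nmap -sV would show the banner-derived version in the SERVICE/VERSION columns; note that the connect scan leaves an accepted connection in the daemon's logs, which is exactly what the half-open SYN scan avoids.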
Banner Grabbing Countermeasures
Disabling or changing the banner (e.g. ServerTokens Prod and ServerSignature Off in Apache httpd) so the version is not advertised
Hiding file extensions from web pages, so that .asp/.php/.jsp suffixes do not reveal the platform
6. Draw Network Diagrams
A network diagram helps in analyzing the complete network topology: where the live hosts, open ports, firewalls and routers found during scanning sit relative to each other, and therefore which paths an attack would have to take