3.1 Understand the term port scanning, network scanning, and vulnerability scanning

Exam Focus: Understand the term port scanning, network scanning, and vulnerability scanning. Objective includes:

  • Understand the objectives of scanning.
  • Learn the CEH scanning methodology.

Scanning

Scanning refers to a set of procedures used to identify hosts, ports, and services in a network. Along with enumeration, it is one of the first phases of hacking. A hacker uses scanning as a method of intelligence gathering to create a profile of the target organization.

Types of scanning:

  • Port scanning: the use of a software application to probe a server or host for open ports by sending it a series of messages; an attacker trying to break into a computer uses the responses to learn which network services the computer offers.
  • Vulnerability scanning: the use of automated software to proactively assess computers, computer systems, networks, or applications for weaknesses.
  • Network scanning: a procedure used to identify the active hosts on a network.

Port scanning

Port scanning is the process by which an attacker connects to TCP and UDP ports to find the services and applications running on the target system. In port scanning, data packets are sent to a port to gather information about it.
Port scanning tools:

  • Floppyscan: a hacking tool used for port scanning. It runs from a floppy disk to port scan a computer. Floppyscan boots a mini Linux that displays a blue screen and uses the nmap tool to port scan the network. After performing the port scan, it sends the results by e-mail to a remote server.
  • Icmpenum: a port scanner that probes networks not only with ICMP Echo packets but also with ICMP Timestamp and ICMP Information packets. It also supports spoofing and promiscuous listening for reply packets. This makes it useful for enumerating networks that have blocked ICMP Echo packets.

Vulnerability scanning

Vulnerability scanning is a process in which a Penetration Tester uses various tools to assess computers, computer systems, networks, or applications for weaknesses. There are different types of vulnerability scanners available today, distinguished from one another by a focus on particular targets. While the functionality varies between different types of vulnerability scanners, they share a common core purpose of enumerating the vulnerabilities present in one or more targets. Vulnerability scanners are a core technology component of vulnerability management.
SAINT:
SAINT (Security Administrator's Integrated Network Tool) is a vulnerability scanning tool. It collects information about the type of OS running on a system and the ports that are open. Attackers can use it to detect network vulnerabilities on any remote target in a non-intrusive manner.

Network scanning

Network scanning includes using a port scanner to identify all hosts connected to an organization's network and the network services operating on those hosts, for example FTP and HTTP (served by IIS or Apache). The outcome of the scan is a list of active hosts and services, printers, switches, and routers. Network scanning can also disrupt network operations because it consumes bandwidth.
Network scanning tools:

  • VisioLANsurveyor: automatically discovers the network and generates comprehensive and easy-to-view network maps that can be exported into Microsoft Office. The following are the features of LANsurveyor:
      • It automatically discovers and diagrams the network topology.
      • It produces network maps in Microsoft Office Visio.
      • It detects new devices and modifications in the network topology.
      • It performs inventory management for hardware and software assets.
      • It directly addresses PCI compliance and other regulatory requirements.
  • Netcat: a freely available networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat has the following features:
      • It provides outbound and inbound connections for TCP and UDP ports.
      • It provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters.
      • It is also a good port scanner.
      • It contains advanced usage options, such as buffered send mode (one line every N seconds) and hexdump (to stderr or to a specified file) of transmitted and received data.
      • It includes an optional RFC 854 Telnet code parser and responder.

The common Netcat switches are as follows:

Command            Description
nc -d              Detaches Netcat from the console.
nc -l -p [port]    Creates a simple listening TCP port; adding -u puts it in UDP mode.
nc -e [program]    Redirects stdin/stdout from a program.
nc -z              Performs port scanning (zero-I/O mode).
nc -g or nc -G     Specifies source routing flags.
nc -t              Performs Telnet negotiation.
nc -w [timeout]    Sets a timeout before Netcat automatically quits.
nc -v              Puts Netcat into verbose mode.
  • Security Manager Plus: is a network security scanner that is used to report on network vulnerabilities, help remediate them, and ensure compliance. It is also used to protect a network from security threats and malicious attacks with vulnerability scanning, patch management, open ports detection, and vulnerability reporting capabilities.

Objectives of scanning

  • To detect the live systems running on the network
  • To discover which ports are active/running
  • To discover the O/S running on the target system (also known as fingerprinting)
  • To discover the services running/listening on the system
  • To discover the IP address of the target system

CEH scanning methodology

  1. Check for live systems.
  2. Check for open ports.
  3. Grab system banners.
  4. Scan for vulnerability.
  5. Draw network diagrams.
  6. Prepare proxies.

Scanning tools

The following are some important scanning tools:

  • Global Network Inventory: It is a flexible software and hardware inventory system that can be used as an audit scanner in agent-free and zero deployment environments. Global Network Inventory can audit remote computers and even network appliances, including switches, network printers, document centers, etc.
  • Advanced Port Scanner: It is used to check a computer for open ports that can be used in attacks against the computer. It uses the multi-thread technique to scan ports very fast. It also contains descriptions for common ports. Advanced Port Scanner can also perform scanning on predefined port ranges.
  • MegaPing: It provides all essential network utilities for information system specialists, system administrators, or individuals. It also includes a comprehensive security scanner, a host and port monitor, and network utilities. All these scanners can scan individual computers, domains, any range of IP addresses, selected types of computers inside domains, and user-specified host lists.
  • Network Inventory Explorer: It allows administrators to quickly generate complete hardware and software inventory of all Windows-based computers and SNMP network devices. It can create the inventory database with the hardware installed on remote computers. It also creates reports on the availability of particular software programs.
  • SuperScan: It is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the hostname of the remote system. It can also be used as an enumeration tool for the following:
      • NetBIOS information
      • User and Group Accounts information
      • Network shares
      • Trusted Domains
      • Services probing
  • Other tools such as: AWPTA, AWSPS UDP scanner, Net Tools Suite Pack, Netifera, Network Inventory Explorer, Nscan, Komodia's PacketCrafter, xCatPortscan, IP Tools, PhatScan and many others

3.2 Understand ping sweeping, firewalk tool, and nmap command switches

Exam Focus: Understand ping sweeping, firewalk tool, and nmap command switches. Objective includes:

  • Understand ping sweep techniques.
  • Understand the firewalk tool.
  • Gain knowledge on Nmap command switches.

Ping sweeping

Ping sweeping is a technique used to ping a batch of devices and obtain the list of active devices. While not the most accurate, the simplest way to determine whether systems are live is to perform a ping sweep of the IP address range. All systems that respond with a ping reply are considered live on the network. A ping sweep is also known as Internet Control Message Protocol (ICMP) scanning, as ICMP is the protocol used by the ping command.
This technique is favored by hackers because otherwise pinging every address on the network would be a very time-consuming and tedious task. Ping sweeping, on the other hand, can be run in parallel, so that all systems are scanned at the same time. As one might imagine, this technique can scan an entire network in a short period of time. Upon being pinged, a live remote system sends an ICMP ECHO reply message, which indicates that it is alive. If the attacker does not get any response, it means that the target does not exist, the target system is slow, or the ICMP protocol is disabled.

Ping sweep tools

  • Angry IP Scanner
  • SolarWinds Engineer's Toolset
  • Colasoft Ping Tool
  • Ping Scanner Pro
  • SolarWinds Standard Edition
  • Ultra Ping Pro
  • Utility Ping
  • PingInfoView
  • Visual Ping Tester
  • PacketTrap pt360

Ping scan

During ping scan, ICMP ECHO requests are sent to a host. When the host is live, it will return an ICMP ECHO reply. This scan is useful for the following purposes:

  • Locating active devices
  • Determining if ICMP is passing through a firewall

Source           Destination      Summary
192.168.168.3    192.168.168.5    ICMP: Echo
192.168.168.5    192.168.168.3    ICMP: Echo Reply

Detecting ping sweeps

Almost any Intrusion Detection System (IDS), such as Snort, Genius, BlackICE, and others, will detect a ping, as will an Intrusion Prevention System (IPS). Once detected, the tools alert the security administrator to a ping sweep occurring on the network. Most firewalls and proxy servers block ping responses, so a hacker can't accurately determine whether systems are available using a ping sweep alone. More intensive port scanning must be used if systems don't respond to a ping sweep. Just because a ping sweep doesn't return any active hosts on the network doesn't mean they aren't available; you need to try an alternate method of identification. Remember, hacking takes time, patience, and persistence.

Firewalk

Firewalk is a scanning tool, similar to traceroute, that attempts to determine which layer 4 protocols a given IP forwarding device will pass. It sends out TCP or UDP packets with a TTL one greater than the hop count to the targeted gateway. If the gateway allows the traffic, it forwards the packets to the next hop, where they expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, no response message is sent.

Firewalking

Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that if an administrator blocks ICMP packets from leaving the network, it is ineffective.

Nmap and its command switches

Nmap is an active information-gathering tool. The nmap utility, also commonly known as a port scanner, is used to view the open ports on a Linux computer. Administrators use it to determine which services are available to external users, and it helps them decide whether to disable unused services in order to minimize security risk. Network administrators can use Nmap for the following purposes:

  • Maintaining network inventory
  • Managing service upgrades
  • Monitoring host or service uptime

Common NMAP switches

  • -sT TCP Connect() scan
  • -sS SYN scan
  • -sF FIN scan
  • -sX Xmas-Tree scan
  • -sN NULL scan
  • -sI Dumb scan (also called an idle scan)
  • -sA ACK scan

Some more NMAP options are as follows:

  • -P0: Do not try to ping hosts before scanning them.
  • -PP: Uses an ICMP timestamp request (ICMP type 13) packet to find listening hosts.
  • -6: Enables IPv6 support.
  • -oN logfilename: Sends the output in human-readable format to the file of your choice.
  • -oX logfilename: Same as -oN, but sends the output to the log file in XML format.
  • -oG logfilename: Same as -oN, but stores all the results on a single line for querying through the grep program.
  • --append_output: Appends the output to the existing log files instead of overwriting them.
  • -p: Specifies the port number(s) to scan.

3.3 Understand scans

Exam Focus: Understand scans. Objective includes:

  • SYN
  • Stealth
  • XMAS
  • NULL
  • IDLE
  • FIN
  • ICMP Echo
  • List
  • TCP Connect
  • Full Open
  • FTP Bounce
  • UDP
  • Reverse Ident
  • RPC

TCP SYN scanning

TCP SYN scanning is also known as half-open scanning because in this type of scanning, a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:

  1. An attacker sends a SYN packet to the target port.
  2. If the port is open, the attacker receives a SYN/ACK message.
  3. The attacker then breaks the connection by sending an RST packet.
  4. If, instead of a SYN/ACK, an RST packet is received in response to the SYN, the port is closed.

This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection and most sites do not create a log of incomplete TCP connections.

TCP SYN/ACK scanning

In TCP SYN/ACK scanning, an attacker sends a SYN/ACK packet to the target port. If the port is closed, the victim assumes that this packet was mistakenly sent by the attacker, and sends the RST packet to the attacker. If the port is open, the SYN/ACK packet will be ignored and the port will drop the packet. TCP SYN/ACK scanning is stealth scanning, but some intrusion detection systems can detect TCP SYN/ACK scanning.

Stealth scan

Stealth scanning techniques are used by attackers to bypass firewall rules and logging mechanisms, and to disguise their traffic as normal network traffic.
The client sends a single SYN packet to the server on the appropriate port. The server responds with a SYN/ACK packet if the port is open; if the server responds with an RST packet, the remote port is in the 'closed' state. To abort the initiation before a connection can ever be established, the client sends an RST packet.

Xmas scan

Xmas scan sends a TCP frame to a remote device with the following flags set:

  • URG
  • ACK
  • RST
  • SYN
  • FIN


Xmas Tree scanning

Xmas Tree scanning is just the opposite of null scanning: in Xmas Tree scanning, all flags are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with an RST packet. Active monitoring of all incoming packets can help system and network administrators detect a Xmas Tree scan.

NULL scan

The NULL scan only works if the OS's TCP/IP implementation follows RFC 793. It does not work against any current version of Microsoft Windows. In a NULL scan, attackers send a TCP frame with no flags set to a remote host.

IDLE scan

The IDLE scan is initiated with the IP address of a third party; hence, it is the only totally stealthy scan. Because the IDLE scan uses the IP address of a third party, it becomes quite impossible to detect the hacker.

Steps during IDLE scan

The following steps are taken during an IDLE scan:

  1. Send a SYN/ACK packet to the zombie machine in order to probe its IP ID number. Every IP packet on the Internet has a fragment identification number (IP ID) that is a 4-digit number. Each time a host sends an IP packet, its IP ID increases.
  2. The zombie, not expecting a SYN/ACK packet, sends an RST packet, disclosing its IP ID.
  3. Analyze the RST packet from the zombie machine in order to extract the IP ID.
  4. Send a SYN packet to the target machine (port 80), spoofing the IP address of the "zombie".
  5. If the port is closed, the target sends an RST to the "zombie", and the zombie sends nothing back.
  6. Probe the "zombie" IP ID again.
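The six steps above worked through as a counter model, as an added Python example that is not from the original text: the zombie's IP ID generator is simulated in memory (no packets are sent anywhere), the step sequence is replayed against a model target, and the observed IP ID delta is turned into the open/closed inference. The same model is then run with a zombie that randomises its IP IDs, which is the mitigation that makes a host unusable as a zombie and is what an administrator should verify on any exposed host. The two host classes, the port numbers and the random seed are assumptions made for this example.

```python
import random


class ZombieHost:
    """Model of the zombie's IP ID generator. incremental=True is the single
    global counter the IDLE scan needs; incremental=False models per-packet
    random IP IDs, the usual mitigation on modern operating systems."""

    def __init__(self, incremental=True, seed=0):
        self.incremental = incremental
        self._counter = 0x1000          # arbitrary starting IP ID (assumption)
        self._rng = random.Random(seed)

    def send_packet(self):
        """Return the IP ID placed in the next packet this host emits."""
        if self.incremental:
            self._counter = (self._counter + 1) & 0xFFFF   # 16-bit field wraps
            return self._counter
        return self._rng.randrange(0x10000)

    def on_unsolicited_syn_ack(self):
        # RFC 793: an unexpected SYN/ACK is answered with RST. That RST
        # consumes one IP ID, which is the side channel the scan reads.
        return self.send_packet()

    def on_unsolicited_rst(self):
        # An unexpected RST is silently dropped: no packet, no IP ID consumed.
        return None


class TargetHost:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_syn(self, port):
        """Reply to a SYN; it goes to whoever the SYN's source address claims to be."""
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan_step(zombie, target, port):
    """Replay steps 1-6 from the text once; return (ip_id_delta, inferred_state)."""
    ip_id_before = zombie.on_unsolicited_syn_ack()      # steps 1-3: read IP ID
    reply_to_zombie = target.on_syn(port)               # step 4: spoofed SYN
    if reply_to_zombie == "SYN/ACK":
        zombie.on_unsolicited_syn_ack()                 # zombie RSTs it: +1
    else:
        zombie.on_unsolicited_rst()                     # step 5: nothing sent
    ip_id_after = zombie.on_unsolicited_syn_ack()       # step 6: read IP ID again
    delta = (ip_id_after - ip_id_before) & 0xFFFF
    inferred = {1: "closed", 2: "open"}.get(delta, "unknown")
    return delta, inferred


def inference_accuracy(zombie, target, ports):
    """Fraction of ports whose inferred state matches the target's real state."""
    correct = 0
    for port in ports:
        _, inferred = idle_scan_step(zombie, target, port)
        truth = "open" if port in target.open_ports else "closed"
        correct += inferred == truth
    return correct / len(ports)


if __name__ == "__main__":
    target = TargetHost(open_ports={22, 80, 443})
    ports = range(1, 101)
    print("incremental IP ID zombie:", inference_accuracy(ZombieHost(True), target, ports))
    print("randomised IP ID zombie: ", inference_accuracy(ZombieHost(False), target, ports))
```

The delta of exactly 1 (only the probe itself) versus 2 (the probe plus the RST the zombie sent to the target's SYN/ACK) is the entire signal; with random IP IDs the delta is noise, so the inference collapses to "unknown". The same check is why a busy host is also a poor zombie: its own traffic adds unpredictable increments between the two probes.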

FIN scan

The FIN scan sends a TCP frame with the FIN flag set to a remote device. The FIN scan only works against OS TCP/IP implementations developed according to RFC 793. The FIN scan does not work against any current version of Microsoft Windows.
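A flag-level check for the Xmas, NULL and FIN probes described in the sections above, as an added Python example that is not from the original text: it builds a few constructed 20-byte TCP headers, extracts the 9-bit flag field with struct, and classifies each segment the way an IDS signature would. The classification rules come from the text and from RFC 793 (a legitimate FIN always carries ACK, and SYN never travels with FIN or RST); the note that nmap's -sX sets FIN, PSH and URG is from nmap's documentation. The port numbers and the sample capture are made up for this example.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Construct a minimal 20-byte TCP header with no options. The checksum is
    left at zero: these bytes only feed the parser below and are constructed
    sample input, never sent on a network."""
    data_offset = 5  # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_flags(header):
    """Return the 9-bit flag field of a raw TCP header (bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header truncated")
    (offset_flags,) = struct.unpack("!H", header[12:14])
    return offset_flags & 0x1FF


def classify_segment(flags):
    """Map a flag combination to the probe types described in the text.
    The abnormal combinations never occur in a legitimate TCP exchange, so
    an IDS can alert on them without tracking connection state."""
    core = flags & ALL_SIX
    if core == 0:
        return "NULL scan probe"
    if core == ALL_SIX:
        return "Xmas Tree scan probe (all flags set)"
    if core & SYN and core & (FIN | RST):
        return "invalid flag combination (SYN with FIN/RST)"
    if core == (FIN | PSH | URG):
        return "Xmas scan probe (FIN/PSH/URG, as sent by nmap -sX)"
    if core == FIN:
        return "FIN scan probe"
    if core & FIN and not core & ACK:
        return "suspicious FIN without ACK"
    if core == SYN:
        return "SYN (connection attempt)"
    if core == (SYN | ACK):
        return "SYN/ACK"
    return "normal"


def summarize_capture(headers):
    """Count segment classes over a list of raw TCP headers."""
    counts = {}
    for h in headers:
        label = classify_segment(parse_tcp_flags(h))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample "capture": three probes against port 80 plus one normal SYN.
SAMPLE_CAPTURE = [
    build_tcp_header(40001, 80, 0),                # NULL probe
    build_tcp_header(40002, 80, FIN | PSH | URG),  # Xmas probe
    build_tcp_header(40003, 80, FIN),              # FIN probe
    build_tcp_header(40004, 80, SYN),              # ordinary connection attempt
]

if __name__ == "__main__":
    for label, n in summarize_capture(SAMPLE_CAPTURE).items():
        print(f"{n} x {label}")
```

The rule order matters: the all-flags and SYN-with-FIN/RST checks come before the FIN-only check so that the five-flag combination listed in the Xmas scan section is caught as invalid rather than falling through to "normal" because ACK happens to be set.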