Scanning Networks

CEH Scanning Methodology – Draw Network Diagrams

Draw Network Diagrams

  • Drawing the target’s network diagram gives an attacker valuable information about the network and its architecture.
  • A network diagram shows the logical or physical path to a potential target.

Network Discovery Tool

  • Network Topology Mapper:
    • Network Topology Mapper discovers a network and produces a comprehensive network diagram.
  • OpManager:
    • OpManager is a network monitoring software that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, etc.
  • NetworkView:
    • NetworkView is a network discovery and management tool for Windows.
    • It discovers TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and WMI.

CEH Scanning Methodology – Prepare Proxies

Proxy Servers

  • A proxy server is an application that can serve as an intermediary for connecting with other computers.
  • Attackers use proxy servers:
    • To hide the source IP address so that they can hack without any legal repercussions.
    • To mask the actual source of the attack by presenting the proxy’s address as the source address.
    • To remotely access intranets and other website resources that are normally off limits.
    • To intercept all the requests sent by a user and forward them to a third destination, so that victims can only identify the proxy server’s address.
  • Attackers chain multiple proxy servers to avoid detection.

Proxy Chaining

  1. The user requests a resource from the destination.
  2. The proxy client on the user’s system connects to a proxy server and passes the request to it.
  3. The proxy server strips the user’s identification information and passes the request to the next proxy server.
  4. This process is repeated by every proxy server in the chain.
  5. At the end of the chain, the unencrypted request is passed to the web server.

Proxy Tool: Proxy Switcher

  • Proxy Switcher hides your IP address from the websites you visit.

Proxy Tool: Proxy Workbench

  • Proxy Workbench is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram.

Proxy Tool: TOR and CyberGhost

  • TOR:
    • Tor allows you to protect your privacy and defend yourself against network surveillance and traffic analysis.
  • CyberGhost:
    • CyberGhost allows you to protect your online privacy, surf anonymously, and access blocked or censored content.
    • It hides your IP and replaces it with one of your choice, allowing you to surf anonymously.

Proxy Tools

Proxy Tools for Mobile

Free Proxy Servers

Introduction to Anonymizers

  • An anonymizer removes all the identifying information from the user’s computer while the user surfs the Internet.
  • Anonymizers make activity on the Internet untraceable.
  • Anonymizers allow you to bypass Internet censors.
  • Why use an anonymizer?
    • Privacy and anonymity
    • Protects from online attacks
    • Access restricted content
    • Bypass IDS and Firewall rules
  • tracker
  • web beacon
  • super cookie

Censorship Circumvention Tool: Tails

  • Tails is a live operating system that a user can start on any computer from a DVD, USB stick, or SD card.
  • It aims at preserving privacy and anonymity and helps you to:
    • Use the Internet anonymously and circumvent censorship
    • Leave no trace on the computer
    • Use state-of-the-art cryptographic tools to encrypt files, emails, and instant messaging

G-Zapper

  • Google sets a cookie on the user’s system with a unique identifier that enables it to track the user’s web activities, such as:
    • Search keywords and habits
    • Search results
    • Websites visited
  • Information from the Google cookie can be used as evidence in a court of law.
  • G-Zapper is a utility to block or clean Google cookies and help you stay anonymous while searching online. It also helps to protect your identity and search history.

Anonymizers

Anonymizers for Mobile

Spoofing IP Address

  • IP spoofing refers to changing the source IP address so that the attack appears to come from someone else.
  • When the victim replies to the address, the reply goes to the spoofed address and not to the attacker’s real address.
  • IP spoofing using Hping2: hping2 www.certifiedhacker.com -a 7.7.7.7

Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.

IP Spoofing Detection Techniques: Direct TTL Probes

  • Send a packet to the host that the suspect packet claims to come from, so that it triggers a reply, and compare the reply’s TTL with the TTL of the suspect packet; if the two TTLs differ, the suspect packet is spoofed.
  • This technique is successful when the attacker is in a different subnet from the victim.
  • Note: Normal traffic from one host can vary in TTL depending on traffic patterns.

IP Spoofing Detection Techniques: IP Identification Number

  1. Send a probe to the host that the suspect traffic claims to come from, so that it triggers a reply, and compare the reply’s IP ID with the IP ID of the suspect traffic.
  2. If the IP IDs are not close in value to those of the packet being checked, the suspect traffic is spoofed.
  3. This technique is successful even if the attacker is in the same subnet.

IP Spoofing Detection Techniques: TCP Flow Control Method

  • Attackers sending spoofed TCP packets will not receive the target’s SYN-ACK packets.
  • Attackers therefore cannot respond to changes in the congestion window size.
  • When received traffic continues after the window size is exhausted, the packets are most probably spoofed. After the attacker sends a SYN packet, the target receives it and replies with SYN+ACK but with the window size set to 0. Under normal conditions the other side (10.0.0.5) should reply only with an ACK that carries no other data; if the reply contains data, it is a spoofed packet sent by the attacker.
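The three detection heuristics above (direct TTL probe, IP identification number, and TCP flow control) applied to constructed packet records, as an added example that is not part of the original notes. The `Packet` record, the `tolerance` and `window` values, and all sample packets are assumptions made for this illustration; the 10.0.0.5 address is reused from the notes.

```python
"""Added example (not from the CEH notes): the three IP spoofing detection
heuristics described above, applied to constructed packet records.

Every packet below is constructed by hand; nothing is captured from a network.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Packet:
    """Minimal packet record with just the fields the heuristics need."""
    src: str
    dst: str
    ttl: int
    ip_id: int
    tcp_flags: str = ""      # e.g. "S", "SA", "A", "PA"
    payload_len: int = 0     # bytes of TCP payload


def ttl_probe_check(suspect: Packet, reply: Packet, tolerance: int = 0) -> bool:
    """Direct TTL probe: return True if the suspect packet looks spoofed.

    `reply` is the answer received after probing the host the suspect packet
    claims to come from. The notes treat any TTL difference as spoofing but
    also warn that TTLs from one host can vary, so an optional tolerance is
    allowed (assumption: strict comparison by default).
    """
    return abs(suspect.ttl - reply.ttl) > tolerance


def ip_id_check(suspect: Packet, reply: Packet, window: int = 50) -> bool:
    """IP identification check: return True if the suspect packet looks spoofed.

    A host using a global incrementing IP ID counter produces IDs close to one
    another. The 16-bit field wraps, so the distance is taken modulo 65536.
    The window of 50 is an assumption, not a figure from the notes.
    """
    diff = (reply.ip_id - suspect.ip_id) % 65536
    distance = min(diff, 65536 - diff)
    return distance > window


def flow_control_check(syn_ack_window: int, subsequent: List[Packet]) -> List[Packet]:
    """TCP flow control check: return the segments that ignore a zero window.

    After the target answers a SYN with SYN+ACK advertising window 0, a real
    peer may only send a bare ACK. Any segment carrying payload while the
    window is exhausted was sent blind, i.e. by a sender that never saw the
    SYN+ACK. If the window was not zero, nothing can be concluded.
    """
    if syn_ack_window != 0:
        return []
    return [p for p in subsequent if p.payload_len > 0]


# --- constructed sample data ------------------------------------------------
# Suspect packet claims to come from 10.0.0.5; the probe reply came from the
# real 10.0.0.5.
SUSPECT = Packet(src="10.0.0.5", dst="10.0.0.1", ttl=53, ip_id=4210, tcp_flags="S")
PROBE_REPLY = Packet(src="10.0.0.5", dst="10.0.0.1", ttl=64, ip_id=17890, tcp_flags="A")

# Segments that arrived "from" 10.0.0.5 after the target sent SYN+ACK with window 0.
AFTER_SYN_ACK = [
    Packet(src="10.0.0.5", dst="10.0.0.1", ttl=53, ip_id=4211, tcp_flags="A", payload_len=0),
    Packet(src="10.0.0.5", dst="10.0.0.1", ttl=53, ip_id=4212, tcp_flags="PA", payload_len=120),
]


def run_all() -> dict:
    """Apply all three heuristics to the sample data and return the verdicts."""
    return {
        "ttl_probe": ttl_probe_check(SUSPECT, PROBE_REPLY),
        "ip_id": ip_id_check(SUSPECT, PROBE_REPLY),
        "flow_control": len(flow_control_check(0, AFTER_SYN_ACK)),
    }


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name}: {verdict}")
```

The TTL and IP ID checks both need a probe reply from the claimed source, which is why the notes say the IP ID method still works inside the same subnet while the TTL method does not: a same-subnet attacker produces the same hop count as the real host, but not its IP ID sequence.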

IP Spoofing Countermeasures

  • Encrypt all network traffic using cryptographic network protocols such as IPsec, TLS, SSH, and HTTPS.
  • Use multiple firewalls providing multi-layered depth of protection.
  • Do not rely on IP-based authentication.
  • Use random initial sequence number to prevent IP spoofing attacks based on sequence number spoofing.
  • Ingress Filtering: Use routers and firewalls at your network perimeter to filter incoming packets that appear to come from an internal IP address.
  • Egress Filtering: Filter all outgoing packets with an invalid local IP address as source address.
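The ingress and egress filtering rules from the last two countermeasures, expressed as filter decisions over constructed packets, as an added example that is not from the original notes. The internal address ranges, the bogon definition, and the sample packets are assumptions; 7.7.7.7 and 10.0.0.5 are reused from the notes.

```python
"""Added example (not from the CEH notes): ingress and egress source-address
filtering at a network perimeter, evaluated against constructed packets.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Assumed internal address space behind the perimeter (constructed for the example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _is_bogon(addr) -> bool:
    """Source addresses that should never appear on the wire in either direction."""
    return (addr.is_unspecified or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved)


def _is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def ingress_decision(src: str) -> Tuple[str, str]:
    """Packet arriving from outside: drop it if it claims an internal source."""
    addr = ipaddress.ip_address(src)
    if _is_bogon(addr):
        return "DROP", "bogon source address"
    if _is_internal(addr):
        return "DROP", "external packet claims internal source (spoofed)"
    return "ACCEPT", "external source"


def egress_decision(src: str) -> Tuple[str, str]:
    """Packet leaving the network: drop it unless the source is a valid local address."""
    addr = ipaddress.ip_address(src)
    if _is_bogon(addr):
        return "DROP", "bogon source address"
    if not _is_internal(addr):
        return "DROP", "outbound packet with non-local source (spoofed)"
    return "ACCEPT", "local source"


def apply_filters(packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """packets: (direction, src) pairs. Returns (direction, src, verdict, reason)."""
    out = []
    for direction, src in packets:
        if direction == "in":
            verdict, reason = ingress_decision(src)
        elif direction == "out":
            verdict, reason = egress_decision(src)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        out.append((direction, src, verdict, reason))
    return out


# Constructed sample traffic: (direction relative to the perimeter, source address).
SAMPLE = [
    ("in", "203.0.113.9"),    # genuine external client
    ("in", "10.0.0.5"),       # arrives from outside but claims an internal source
    ("in", "127.0.0.1"),      # loopback can never be a legitimate wire source
    ("out", "10.0.0.5"),      # genuine internal host leaving the network
    ("out", "7.7.7.7"),       # internal host sending with a forged external source
    ("out", "192.168.1.20"),  # genuine internal host from the second range
]


if __name__ == "__main__":
    for direction, src, verdict, reason in apply_filters(SAMPLE):
        print(f"{direction:3} {src:15} {verdict:6} {reason}")
```

Ingress filtering protects the network from packets that forge its own addresses; egress filtering keeps the network from being the source of spoofed packets aimed at others, which is why both are listed.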

3.8 Scanning Pen Testing

Scanning Pen Testing

  • Pen testing a network for scanning vulnerabilities determines the network’s security posture by identifying live systems, discovering open ports, associating services and grabbing system banners to simulate a network hacking attempt.
  • The penetration testing report will help system administrators to:
    • Close unused ports
    • Disable unnecessary services
    • Hide or customize banners
    • Troubleshoot service configuration errors
    • Calibrate firewall rules
  • Check for the live hosts using tools such as Nmap, Angry IP Scanner, SolarWinds Engineer’s toolset, Colasoft Ping Tool, etc.
  • Check for open ports using tools such as Nmap, Netscan Tools Pro, SuperScan, PRTG Network Monitor, Net Tools, etc.
  • Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, etc.
  • Scan for vulnerabilities using tools such as Nessus, GFI LANGuard, SAINT, Core Impact Professional, Retina CS Management, MBSA, etc.
  • Draw network diagrams of the vulnerable hosts using tools such as Network Topology Mapper, OpManager, NetworkView, The Dude, FriendlyPinger, etc.
  • Prepare proxies using tools such as Proxy Workbench, Proxifier, Proxy Switcher, SocksChain, TOR, etc.
  • Document all the findings.
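The last step of the procedure, documenting the findings, turned into working code as an added example that is not from the original notes: a parser for Nmap's grepable (-oG) output that extracts each open port, service and banner and assigns it to one of the remediation buckets the report is meant to support (close unused ports, disable unnecessary services, hide or customize banners). The scan lines, the set of services treated as unnecessary, and the host names are constructed for this example.

```python
"""Added example (not from the CEH notes): turn nmap -oG output into the
findings a scanning pen-test report needs, with a remediation bucket for each.

SAMPLE_OG is constructed to look like grepable Nmap output; it is not a real scan.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 (web01.example.test)\tStatus: Up
Host: 10.0.0.5 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 23/open/tcp//telnet///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Services a reviewer would flag as unnecessary/cleartext when exposed (assumption).
UNNECESSARY_SERVICES = {"telnet", "ftp", "rsh", "rlogin", "tftp"}

# One -oG port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


@dataclass
class Finding:
    host: str
    hostname: str
    port: int
    proto: str
    service: str
    banner: str
    action: str


def classify(service: str, banner: str) -> str:
    """Map a finding to the remediation bucket the report recommends."""
    if service in UNNECESSARY_SERVICES:
        return "disable unnecessary service"
    if banner:
        return "hide or customize banner"
    return "confirm port is required"


def parse_grepable(text: str) -> List[Finding]:
    """Extract open ports from -oG lines; closed/filtered entries are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        m = HOST_RE.match(line)
        if m is None:
            continue
        host, hostname = m.group(1), m.group(2)
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, banner in PORT_RE.findall(ports_field):
            if state != "open":
                continue
            banner = banner.strip()
            findings.append(Finding(host, hostname, int(port), proto, service,
                                    banner, classify(service, banner)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, dict]:
    """Group findings per host: open ports plus the actions they call for."""
    report: Dict[str, dict] = {}
    for f in findings:
        entry = report.setdefault(f.host, {"hostname": f.hostname, "open_ports": [], "actions": {}})
        entry["open_ports"].append(f.port)
        entry["actions"].setdefault(f.action, []).append(f"{f.port}/{f.proto} {f.service}")
    return report


if __name__ == "__main__":
    for host, entry in summarize(parse_grepable(SAMPLE_OG)).items():
        print(f"{host} ({entry['hostname'] or 'no name'}): open {entry['open_ports']}")
        for action, items in entry["actions"].items():
            print(f"  {action}: {', '.join(items)}")
```

Filtered ports are deliberately left out of the findings because a filtered state says something about the firewall rather than about the host; they belong under "calibrate firewall rules" instead.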

Module Summary

  • The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network.
  • An attacker determines the live hosts in a range of IP addresses by sending ICMP ECHO requests to multiple hosts.
  • Attackers use various scanning techniques to bypass firewall rules and logging mechanisms, and to disguise their scans as normal network traffic.
  • Banner grabbing or OS fingerprinting is the method used to determine the operating system running on a remote target system.
  • Drawing the target’s network diagram gives an attacker valuable information about the network and its architecture.
  • A proxy server is an application that can serve as an intermediary for connecting with other computers.
  • A chain of proxies can be created to evade a traceback to the attacker.

Ref : [1][2]