
Scanning Networks

Overview of Network Scanning

  • Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network.
  • Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization.
  • Objectives of Network Scanning:
    • To discover live hosts, their IP addresses, and the open ports of live hosts
    • To discover operating systems and system architecture
    • To discover services running on hosts
    • To discover vulnerabilities in live hosts

TCP Communication Flags

  • URG (Urgent): Data contained in the packet should be processed immediately
  • FIN (Finish): There will be no more transmissions
  • RST (Reset): Resets a connection
  • PSH (Push): Send all buffered data immediately
  • ACK (Acknowledgement): Acknowledges the receipt of a packet
  • SYN (Synchronize): Initiates a connection between hosts

Creating Custom Packet Using TCP Flags

  • Colasoft Packet Builder enables creating custom network packets to audit networks for various attacks.
  • Attackers can also use it to create fragmented packets to bypass firewalls and IDS systems in a network.

CEH Scanning Methodology – Check for Live Systems

Checking for Live Systems – ICMP Scanning

  • Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
  • This scan is useful for locating active devices or determining if ICMP is passing through a firewall. 

Ping Sweep

  • Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply.
  • Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet.
  • Attackers then use ping sweep to create an inventory of live systems in the subnet.

Common ICMP message types:

  • Type 0, Echo Reply: the reply message to an echo request.
  • Type 3, Destination Unreachable: the destination cannot be reached.
  • Type 8, Echo: the echo request message.
  • Type 11, Time Exceeded for a Datagram: when a datagram times out somewhere along its route, the source is told that the packet has been discarded.

In ICMP, each type is further described by a code that gives the specific condition. Taking Type 3 (Destination Unreachable) as an example, its codes are as follows:

  • 0: Network Unreachable
  • 1: Host Unreachable
  • 2: Protocol Unreachable
  • 3: Port Unreachable
  • 9: Communication with Destination Network is Administratively Prohibited
  • 10: Communication with Destination Host is Administratively Prohibited
  • 13: Communication Administratively Prohibited (blocked)

Type 11 code:

  • 0: Time to Live exceeded in Transit
  • 1: Fragment Reassembly Time Exceeded

Ping Sweep Tools

  • Angry IP Scanner pings each IP address to check if it’s alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.
  • SolarWinds Engineer Toolset’s Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.

CEH Scanning Methodology – Check for Open Ports

SSDP Scanning

  • The Simple Service Discovery Protocol (SSDP) is a network protocol that works in conjunction with UPnP to detect plug and play devices available in a network.
  • Vulnerabilities in UPnP may allow attackers to launch Buffer overflow or DoS attacks.
  • Attacker may use UPnP SSDP M-SEARCH information discovery tool to check if the machine is vulnerable to UPnP exploits or not.
  • SSDP uses the UDP transport protocol on port 1900.
  • Host: 239.255.255.250:1900 (the multicast address and port to which SSDP M-SEARCH discovery requests are sent)

Scanning in IPv6 Networks

  • IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy.
  • Traditional network scanning techniques will be computationally less feasible due to larger search space (64 bits of host address space or 2^64 addresses) provided by IPv6 in a subnet.
  • Scanning an IPv6 network is more difficult and complex than scanning IPv4, and some scanning tools do not support ping sweeps on IPv6 networks.
  • Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or Received from: and other header lines in archived email or Usenet news messages.
  • Scanning an IPv6 network does, however, expose a large number of hosts in a subnet if an attacker can compromise one host in it; the attacker can then probe the “all hosts” link-local multicast address.

Scanning Tool: Nmap

  • Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
  • Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems and OS versions.

Hping2/Hping3 (important)

  • Command line network scanning and packet crafting tool for the TCP/IP protocol.
  • It can be used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, etc.
  • It can also be used as a packet generator; the default is TCP mode.
  • Send an ICMP echo request to 8.8.8.8 while forging the source IP as 1.3.3.7: hping3 --icmp 8.8.8.8 -a 1.3.3.7

Hping Commands

  • ICMP ping: hping3 -1 10.0.0.25
  • ACK scan on port 80: hping3 -A 10.0.0.25 -p 80
  • UDP scan on port 80: hping3 -2 10.0.0.25 -p 80
  • Collecting initial sequence number: hping3 192.168.1.103 -Q -p 139 -s
  • Firewalls and timestamps: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
  • SYN scan on ports 50-60: hping3 -8 50-60 -S 10.0.0.25 -V
  • FIN, PUSH and URG scan on port 80: hping3 -F -P -U 10.0.0.25 -p 80
  • Scan entire subnet for live hosts: hping3 -1 10.0.1.x --rand-dest -I eth0
  • Intercept all traffic containing HTTP signature: hping3 -9 HTTP -I eth0
  • SYN flooding a victim: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

Scanning Techniques

  • Scanning TCP Network Services:
    • Open TCP Scanning Methods
      • TCP Connect / Full Open Scan
    • Stealth TCP Scanning Methods
      • Half-open Scan
      • Inverse TCP Flag Scanning
        • Xmas Scan
        • FIN Scan
        • NULL Scan
      • ACK Flag Probe Scanning
    • Third Party and Spoofed TCP Scanning Methods
      • IDLE / IP ID Header Scanning
  • Scanning UDP Network Services:
    • UDP Scanning

TCP Connect / Full Open Scan (-sT) (important)

  • TCP Connect scan detects that a port is open by completing the three-way handshake.
  • TCP Connect scan establishes a full connection and tears it down by sending a RST packet.
  • It does not require super user privileges.
  • 1000 ports are scanned by default.
  • Exam: know the diagram and the command.
  • Wireshark filter syntax is divided into capture filters and display filters.

Stealth Scan (Half-open Scan) (-sS)

  • A stealth scan abruptly resets the TCP connection between client and server before the three-way handshake completes, leaving the connection half open.
  • Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide themselves as usual network traffic.
  • Stealth Scan Process:
    1. The client sends a single SYN packet to the server on the appropriate port.
    2. If the port is open then the server responds with a SYN/ACK packet.
    3. If the server responds with an RST packet, then the remote port is in the “closed” state.
    4. The client sends the RST packet to close the initiation before a connection can ever be established.
  • Firewall -> Packet Filtering -> Connection logging -> Connected
  • So connections that never complete are not logged.

Q1). What is missing from a half-open scan?

  1. SYN
  2. ACK
  3. SYN-ACK
  4. FIN

Inverse TCP Flag Scanning (-sF, -sN)

  • Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags; no response means the port is open and RST means the port is closed. Note: Inverse TCP flag scanning is known as FIN, URG, or PSH scanning based on the flag set in the probe packet. It is known as NULL scanning if no flag is set.

Q1) A packet with no flags set is which type of scan?

  1. TCP
  2. XMAS
  3. IDLE
  4. NULL

A1) A NULL scan has no flags set.

Xmas Scan (-sX)

  • In Xmas scan, attackers send a TCP frame to a remote device with FIN, URG, and PUSH flags set.
  • FIN scan works only against OSes with an RFC 793-based TCP/IP implementation.
  • It will not work against any current version of Microsoft Windows. 
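The flag combinations named in the TCP Communication Flags, Stealth Scan, Inverse TCP Flag and Xmas sections, decoded from a raw TCP header. This is an added example, not code from the original notes: parse_tcp_header reads the fixed 20-byte header, classify_probe labels an unsolicited incoming segment by its flags the way an IDS signature would (NULL, Xmas, SYN, ACK, inverse-flag), and build_tcp only constructs sample input. All function names are the example's own.

```python
import struct

# The six TCP flags from the notes, as bits of the low byte of the offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("URG", URG), ("ACK", ACK), ("PSH", PSH), ("RST", RST), ("SYN", SYN), ("FIN", FIN)]


def build_tcp(sport: int, dport: int, flags: int, window: int = 0) -> bytes:
    """Construct a bare 20-byte TCP header (sample input only; checksum left at zero)."""
    data_offset_words = 5                      # 20-byte header, no options
    off_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode ports, sequence numbers, flags and window from the fixed TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP segment shorter than the 20-byte fixed header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    flags = off_flags & 0x3F                   # the six classic flags; CWR/ECE bits are ignored here
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": flags,
        "flag_names": [name for name, bit in FLAG_NAMES if flags & bit],
    }


def flag_string(flags: int) -> str:
    return "/".join(name for name, bit in FLAG_NAMES if flags & bit) or "none"


def classify_probe(flags: int) -> str:
    """Label an unsolicited incoming segment by its flag combination, following the scan
    taxonomy in the notes. Exact combinations are tested before the partial ones."""
    if flags == 0:
        return "NULL scan probe"
    if flags == FIN | PSH | URG:
        return "Xmas scan probe"
    if flags == SYN:
        return "SYN probe (connect or half-open scan)"
    if flags == ACK:
        return "ACK flag probe"
    if flags & RST:
        return "reset"
    if flags & ACK:
        return "segment of a handshake or established connection"
    if flags & SYN:
        return "unusual SYN combination (%s)" % flag_string(flags)
    # Any remaining mix of FIN/PSH/URG without SYN or ACK is an inverse TCP flag probe.
    return "inverse TCP flag probe (%s)" % flag_string(flags)


if __name__ == "__main__":
    for label, flags in [("xmas", FIN | PSH | URG), ("null", 0), ("syn", SYN), ("fin", FIN)]:
        hdr = parse_tcp_header(build_tcp(40000, 80, flags))
        print(label, hdr["flag_names"], "->", classify_probe(hdr["flags"]))
```

Feeding captured segments through classify_probe is the cheapest way to see which of the scan types above a sensor actually observes; the SYN-only case is ambiguous between a full connect and a half-open scan, which is exactly why the Stealth Scan section stresses that the distinction lies in whether the handshake completes.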

ACK Flag Probe Scanning (-sA)

  • Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW fields) of the received RST packets to find whether the port is open or closed.
  • TTL based ACK flag probe scanning:
    • If the TTL value of RST packet on particular port is less than the boundary value of 64, then that port is open. 
  • WINDOW based ACK flag probe scanning:
    • If the WINDOW value of RST packet on particular port has non zero value, then that port is open. 
  • ACK flag probe scanning can also be used to check the filtering system of target.
  • Attackers send an ACK probe packet with random sequence number, no response means port is filtered (stateful firewall is present) and RST response means the port is not filtered. 

Q1) Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?

  1. RST flag scanning
  2. FIN flag scanning
  3. SYN flag scanning
  4. ACK flag scanning

IDLE/IPID Header Scan (-sI)

  • Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. Port is considered “open” if an application is listening on the port.
  • One way to determine whether a port is open is to send a “SYN” (session establishment) packet to the port.
  • The target machine will send back a “SYN|ACK” (session request acknowledgement) packet if the port is open, and an “RST” (Reset) packet if the port is closed.
  • A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored.
  • Every IP packet on the Internet has a “fragment identification” number (IPID).
  • The OS increments the IPID for each packet sent, so probing the IPID gives an attacker the number of packets sent since the last probe.

IDLE Scan: Step 1/2/3

Step 1:

  • Send SYN+ACK packet to the zombie machine to probe its IPID number.
  • Every IP packet on the Internet has a fragment identification number (IPID), which increases every time a host sends an IP packet.
  • Zombie not expecting a SYN+ACK packet will send RST packet, disclosing the IPID.
  • Analyze the RST packet from zombie machine to extract IPID. 

Step 2:

  • Send SYN packet to the target machine (port 80) spoofing the IP address of the “zombie”.
  • If the port is open, the target will send a SYN+ACK packet to the zombie and in response the zombie sends RST to the target.
  • If the port is closed, the target will send RST to the “zombie” but zombie will not send anything back. 

Step 3:

  • Probe “zombie” IPID again 

Q1) You’re running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine?

  1. Open
  2. Closed
  3. Unknown
  4. None of the above

A1) Since the IPID incremented by only one, this means the zombie hasn’t sent anything since your original SYN/ACK to figure out the starting IPID. If the IPID had increased by two, then the port would be open because the zombie would have responded to the target machine’s SYN/ACK.
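The three steps and the answer to Q1 above, as an added Python model that is not part of the original notes. Zombie and Target are toy models of the two hosts (no packets are sent): the zombie bumps a 16-bit IP ID counter on every packet it emits, answers an unsolicited SYN/ACK with a RST and ignores a RST, and infer_port_state turns the two IP ID observations into the verdict the answer explains. The randomized option on Zombie, also this example's addition, shows why a host with randomized IP IDs cannot serve as a zombie. All names are the example's own.

```python
import random


class Zombie:
    """Model of the idle host in the notes: every packet it sends bumps a global IP ID counter.
    It answers an unsolicited SYN/ACK with a RST and silently ignores an unsolicited RST."""

    def __init__(self, start_ipid: int, randomized: bool = False):
        self.ipid = start_ipid & 0xFFFF
        self.randomized = randomized  # a stack with randomized IP IDs defeats the probe

    def _next_ipid(self) -> int:
        if self.randomized:
            self.ipid = random.randrange(0, 0x10000)
        else:
            self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive(self, flags: str):
        """Return (flags, ipid) of the packet the zombie sends back, or None if it stays silent."""
        if flags == "SYN/ACK":
            return ("RST", self._next_ipid())
        return None


class Target:
    """Model of the scanned host: SYN to an open port draws SYN/ACK, to a closed port draws RST."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port: int) -> str:
        return "SYN/ACK" if port in self.open_ports else "RST"


def ipid_delta(before: int, after: int) -> int:
    """Difference between two IP ID observations, correct across the 16-bit wrap-around."""
    return (after - before) & 0xFFFF


def infer_port_state(ipid_before: int, ipid_after: int) -> str:
    """Step 3 of the notes: counter moved by 1 (only our probe) -> closed; by 2 (our probe plus
    the zombie's RST to the target) -> open; anything else -> the zombie was not idle, or
    randomizes its IP IDs, so nothing can be concluded."""
    d = ipid_delta(ipid_before, ipid_after)
    if d == 1:
        return "closed"
    if d == 2:
        return "open"
    return "unknown"


def idle_scan_port(zombie: Zombie, target: Target, port: int) -> str:
    """Run the three steps of the notes against the two models above."""
    _, before = zombie.receive("SYN/ACK")         # step 1: learn the zombie's current IP ID
    reply_to_zombie = target.receive_syn(port)    # step 2: SYN carrying the zombie's address
    zombie.receive(reply_to_zombie)               #   zombie RSTs a SYN/ACK, ignores a RST
    _, after = zombie.receive("SYN/ACK")          # step 3: probe the zombie again
    return infer_port_state(before, after)


if __name__ == "__main__":
    print("Q1:", infer_port_state(36753, 36754))                       # closed
    print("port 80:", idle_scan_port(Zombie(100), Target([80]), 80))   # open
    print("randomized zombie:", idle_scan_port(Zombie(5, randomized=True), Target([80]), 80))
```

From the defender's side the model makes the mitigation concrete: any host whose IP ID field does not increment predictably (randomized, or zero with the DF bit set) yields "unknown" on every port and cannot be used as a zombie.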

UDP Scanning (-sU)

  • UDP Port Open:
    • There is no three-way TCP handshake for a UDP scan.
    • The system does not respond with a message when the port is open.
  • UDP Port Closed:
    • If a UDP packet is sent to closed port, the system responds with ICMP port unreachable message (type 3, code 3).
    • Spyware, Trojan horses, and other malicious applications use UDP ports.
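A small ICMP decoder that ties the ICMP type/code table earlier in the notes to the UDP port rule above. This is an added example, not code from the original notes: parse_icmp names the types and the Type 3 / Type 11 codes listed in that table and verifies the RFC 1071 checksum, and udp_port_state applies the rule that ICMP type 3 code 3 means the UDP port is closed. Treating the other unreachable codes as "filtered" and silence as "open|filtered" is Nmap's usual reading, stated here as the example's assumption. build_icmp only constructs sample messages; all names are the example's own.

```python
import struct
from typing import Optional

# Names from the ICMP table in the notes.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {
    0: "Network Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable", 3: "Port Unreachable",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}
TIME_EXCEEDED_CODES = {0: "Time to Live exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (sample input only)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)   # checksum and rest-of-header zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode type and code, verify the checksum, and name the message per the notes' tables."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, stored_csum, _rest = struct.unpack("!BBHI", msg[:8])
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]                 # recompute with the checksum field cleared
    if icmp_type == 3:
        detail = UNREACHABLE_CODES.get(code, "code %d" % code)
    elif icmp_type == 11:
        detail = TIME_EXCEEDED_CODES.get(code, "code %d" % code)
    else:
        detail = ""
    return {
        "type": icmp_type, "code": code,
        "name": ICMP_TYPES.get(icmp_type, "Type %d" % icmp_type),
        "detail": detail,
        "checksum_ok": icmp_checksum(zeroed) == stored_csum,
    }


def udp_port_state(reply: Optional[bytes]) -> str:
    """Interpret what came back from a UDP probe: the notes' rule for 3/3, plus Nmap's usual
    reading for silence and for the other unreachable codes (this example's assumption)."""
    if reply is None:
        return "open|filtered"                 # no answer: open, or dropped by a filter
    info = parse_icmp(reply)
    if not info["checksum_ok"]:
        return "invalid"
    if info["type"] == 3 and info["code"] == 3:
        return "closed"                         # ICMP port unreachable, as in the notes
    if info["type"] == 3 and info["code"] in (1, 2, 9, 10, 13):
        return "filtered"
    return "unknown"
```

The checksum check matters for a sensor: a stack that answers a closed UDP port with a malformed unreachable message, or a forged message injected to make a port look closed, is reported as "invalid" rather than silently trusted.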

ICMP Echo Scanning (-sn/-sP)/List Scan (-sL)

  • ICMP Echo Scanning:
    • This is not really port scanning, since ICMP does not have a port abstraction.
    • But it is sometimes useful to determine which hosts in a network are up by pinging them all.
    • nmap -sn cert.org/24 152.148.0.0/16
  • List Scan:
    • This type of scan simply generates and prints a list of IPs/Names without actually pinging them.
    • A reverse DNS resolution is carried out to identify the host names.

Q1) What is an ICMP Echo scan?

  1. A ping sweep
  2. A SYN scan
  3. A Xmas scan
  4. Part of a UDP scan

Scanning Tool: NetScan Tools Pro

  • NetScan Tools Pro assists in troubleshooting, diagnosing, monitoring, and discovering devices on the network.
  • It lists IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or with manual tools.

Scanning Tools

Scanning Tools for Mobile

Port Scanning Countermeasures

  • Configure firewall and IDS rules to detect and block probes.
  • Run the port scanning tools against hosts on the network to determine whether the firewall properly detects the port scanning activity.
  • Ensure that the mechanisms used for routing and filtering at the routers and firewalls respectively cannot be bypassed using particular source ports or source-routing methods.
  • Ensure that the router, IDS, and firewall firmware are updated to their latest releases.
  • Use custom rule set to lock down the network and block unwanted ports at the firewall.
  • Filter all ICMP messages (i.e. inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and routers.
  • Perform TCP and UDP scanning along with ICMP probes against your organization’s IP address space to check the network configuration and its available ports.
  • Ensure that anti-scanning and anti-spoofing rules are configured.
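The first countermeasure above (IDS rules to detect probes) worked through in Python, as an added example that is not part of the original notes. It parses a constructed, iptables-style firewall log (the format and every address in it are this example's invention) and flags any source that touches at least five distinct destination ports inside a ten-second window, whether the packets were accepted or dropped, which is the signature both a connect scan and a half-open scan leave behind. Thresholds and function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log in a simplified iptables-like shape; not from a real system.
SAMPLE_LOG = """\
2024-01-10T10:00:00 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=21 flags=S
2024-01-10T10:00:00 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=22 flags=S
2024-01-10T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=23 flags=S
2024-01-10T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=25 flags=S
2024-01-10T10:00:02 ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=80 flags=S
2024-01-10T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=110 flags=S
2024-01-10T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=139 flags=S
2024-01-10T10:00:03 ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=443 flags=S
2024-01-10T10:00:00 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=TCP dport=443 flags=S
2024-01-10T10:02:00 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=TCP dport=443 flags=S
2024-01-10T10:05:00 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=TCP dport=80 flags=S
2024-01-10T10:01:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=135 flags=
2024-01-10T10:01:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=139 flags=
2024-01-10T10:01:01 DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=445 flags=
2024-01-10T10:01:01 DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=3389 flags=
2024-01-10T10:01:02 DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=5900 flags=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) flags=(?P<flags>\S*)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def detect_port_scans(events, window=timedelta(seconds=10), min_ports=5) -> dict:
    """Flag a source that touches at least `min_ports` distinct destination ports inside any
    `window`-long interval. Returns {src: summary} for flagged sources only."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best_ports, best_flags, start = set(), set(), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                             # slide the window forward
            in_window = evs[start:end + 1]
            ports = {e["dport"] for e in in_window}
            if len(ports) > len(best_ports):
                best_ports = ports
                best_flags = {e["flags"] or "none" for e in in_window}
        if len(best_ports) >= min_ports:
            alerts[src] = {"distinct_ports": len(best_ports), "ports": sorted(best_ports),
                           "flags_seen": sorted(best_flags)}
    return alerts


if __name__ == "__main__":
    for src, summary in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(src, summary)
```

Counting distinct ports per source rather than dropped packets is what makes the rule survive the second countermeasure on the list (testing your own firewall with a scanner): a scan that is mostly accepted still trips it, while a legitimate client hitting the same one or two ports repeatedly does not. The flags_seen field carries the raw flag string so the analyst can tell a SYN sweep from a no-flags (NULL) sweep without the detector having to know every scan type.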

CEH Scanning Methodology – Scanning Beyond IDS

IDS Evasion Techniques

  • Use fragmented IP packets.
  • Spoof your IP address when launching attacks and sniff responses from server.
  • Use source routing (if possible).
  • Connect to proxy servers or compromised trojaned machine to launch attacks.

SYN/FIN Scanning Using IP Fragments (-f)

  • It is not a new scanning method but a modification of the earlier methods.
  • The TCP header is split into several packets so that the packet filters are not able to detect what the packets intend to do. 

CEH Scanning Methodology – Banner Grabbing

  • Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system. There are two types of banner grabbing: active and passive.
  • Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on it, in order to carry out further attacks.
  • Active Banner Grabbing:
    • Specially crafted packets are sent to remote OS and the responses are noted.
    • The responses are then compared with a database to determine the OS.
    • Responses from different OSes vary due to differences in TCP/IP stack implementation.
  • Passive Banner Grabbing:
    • Banner grabbing from error messages: Error messages provide information such as type of server, type of OS, and SSL tool used by the target remote system.
    • Sniffing the network traffic: Capturing and analyzing packets from the target enables an attacker to determine OS used by the remote system.
    • Banner grabbing from page extensions: Looking for an extension in the URL may assist in determining the application version. Example: .aspx => IIS server and Windows platform.
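The passive techniques above turned around for self-audit, as an added Python example that is not part of the original notes: banner_audit takes one HTTP response and a URL and reports which headers disclose the server or framework (flagging the ones that include a version number) together with the platform hint the page extension gives. The ".aspx => IIS / Windows" association comes from the notes; the other extension hints, the header list, the constructed sample responses and all function names are this example's own.

```python
import os
import re
from urllib.parse import urlsplit

# URL extension -> platform hint. ".aspx => IIS / Windows" is the association given in the notes;
# the remaining entries are common associations added for this example.
EXTENSION_HINTS = {
    ".aspx": "ASP.NET on IIS (Windows platform)",
    ".asp": "classic ASP on IIS (Windows platform)",
    ".php": "PHP",
    ".jsp": "Java servlet container",
    ".cfm": "Adobe ColdFusion",
}
# Response headers that commonly disclose server software or framework versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_http_response(raw: str) -> dict:
    """Split a raw HTTP response into its status line and a lower-cased header dict (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def extension_hint(url: str):
    """Platform hint from the path extension, or None when the path has no known extension."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    return EXTENSION_HINTS.get(ext)


def banner_audit(raw_response: str, url: str) -> dict:
    """Report what a passive observer learns from one response: disclosing headers (with a flag
    for those that carry a version number) and the extension-based platform hint."""
    headers = parse_http_response(raw_response)["headers"]
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append({
                "header": name,
                "value": value,
                "reveals_version": bool(re.search(r"\d", value)),  # e.g. "Microsoft-IIS/8.5"
            })
    return {"findings": findings, "extension_hint": extension_hint(url)}


# Constructed sample responses (not captured from any real server).
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print(banner_audit(VERBOSE_RESPONSE, "https://www.example.test/login.aspx"))
    print(banner_audit(HARDENED_RESPONSE, "https://www.example.test/login"))
```

Run against your own services, the findings list is the to-do list for the "hide or customize banners" item in the pen-testing section: every entry with reveals_version set is a header the web server or framework should be configured to strip, and a non-empty extension_hint shows that the URL scheme itself still advertises the platform.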

CEH Scanning Methodology – Scan for Vulnerability

Vulnerability Scanning

  • Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited.
    • Network vulnerabilities
    • Open ports and running services
    • Application and services vulnerabilities
    • Application and services configuration errors

Vulnerability Scanning Tool: Nessus

  • Nessus is a vulnerability and configuration assessment product.

Vulnerability Scanning Tool: GFI LanGuard

  • GFI LanGuard assists in asset inventory, change management, risk analysis, and proving compliance.

Vulnerability Scanning Tool: Qualys FreeScan

  • Scans computers and apps on the Internet or in your network.
  • Tests websites and apps for OWASP Top Risks and malware.

Network Vulnerability Scanners

  • MBSA (Microsoft Baseline Security Analyzer)
  • OpenVAS
  • Nexpose

CEH Scanning Methodology – Draw Network Diagrams

Draw Network Diagrams

  • Drawing target’s network diagram gives valuable information about the network and its architecture to an attacker.
  • Network diagram shows logical or physical path to a potential target.

Network Discovery Tool

  • Network Topology Mapper:
    • Network Topology Mapper discovers a network and produces a comprehensive network diagram.
  • OpManager:
    • OpManager is a network monitoring software that offers advanced fault and performance management functionality across critical IT resources such as routers, WAN links, switches, firewalls, VoIP call paths, physical servers, etc.
  • NetworkView:
    • NetworkView is a network discovery and management tool for Windows.
    • It discovers TCP/IP nodes and routes using DNS, SNMP, ports, NetBIOS, and WMI.

CEH Scanning Methodology – Prepare Proxies

Proxy Servers

  • A proxy server is an application that can serve as an intermediary for connecting with other computers.
  • To hide the source IP address so that they can hack without any legal consequences.
  • To mask the actual source of the attack by impersonating a fake source address of the proxy.
  • To remotely access intranets and other website resources that are normally off limits.
  • To intercept all the requests sent by a user and transmit them to a third destination, so that victims will only be able to identify the proxy server address.
  • Attackers chain multiple proxy servers to avoid detection.

Proxy Chaining

  1. User requests a resource from the destination.
  2. Proxy client at the user’s system connects to a proxy server and passes the request to proxy server.
  3. The proxy server strips the user’s identification information and passes the requests to next proxy server.
  4. This process is repeated by all the proxy servers in the chain.
  5. At the end, the unencrypted request is passed to the web server.

Proxy Tool: Proxy Switcher

  • Proxy Switcher hides your IP address from the websites you visit.

Proxy Tool: Proxy Workbench

  • Proxy Workbench is a proxy server that displays data passing through it in real time, allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram.

Proxy Tool: TOR and CyberGhost

  • TOR:
    • Tor allows you to protect your privacy and defend yourself against network surveillance and traffic analysis.
  • CyberGhost:
    • CyberGhost allows you to protect your online privacy, surf anonymously, and access blocked or censored content.
    • It hides your IP and replaces it with one of your choice, allowing you to surf anonymously.

Proxy Tools

Proxy Tools for Mobile

Free Proxy Servers

Introduction to Anonymizers

  • An anonymizer removes all the identifying information from the user’s computer while the user surfs the Internet.
  • Anonymizers make activity on the Internet untraceable.
  • Anonymizers allow you to bypass Internet censors.
  • Why use Anonymizer?
    • Privacy and anonymity
    • Protects from online attacks
    • Access restricted content
    • Bypass IDS and Firewall rules
  • Key terms: tracker, web beacon, super cookie

Censorship Circumvention Tool: Tails

  • Tails is a live operating system that a user can start on any computer from a DVD, USB stick, or SD card.
  • It aims at preserving privacy and anonymity and helps you to:
    • Use the Internet anonymously and circumvent censorship
    • Leave no trace on the computer
    • Use state-of-the-art cryptographic tools to encrypt files, emails and instant messaging

G-Zapper

  • Google sets a cookie on the user’s system with a unique identifier that enables them to track the user’s web activities such as:
    • Search Keywords and habits
    • Search results
    • Websites visited
  • Information from Google cookie can be used as evidence in a court of law.
  • G-Zapper is a utility to block or clean Google cookies and help you stay anonymous while searching online. It also helps to protect your identity and search history.

Anonymizers

Anonymizers for Mobile

Spoofing IP Address

  • IP spoofing refers to changing source IP addresses so that the attack appears to come from someone else.
  • When the victim replies to the address, it goes back to the spoofed address and not to the attacker’s real address.
  • IP spoofing using Hping2: Hping2 www.certifiedhacker.com -a 7.7.7.7

Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.

IP Spoofing Detection Techniques: Direct TTL Probes

  • Send packet to host of suspect spoofed packet that triggers reply and compare TTL with suspect packet; if the TTL in the reply is not the same as the packet being checked, it is a spoofed packet.
  • This technique is successful when the attacker is in a different subnet from the victim. Note: Normal traffic from one host can vary in TTL depending on traffic patterns.

IP Spoofing Detection Techniques: IP Identification Number

  1. Send probe to host of suspect spoofed traffic that triggers reply and compare IP ID with suspect traffic.
  2. If the IP IDs are not close to the value of the packet being checked, the suspect traffic is spoofed.
  3. This technique is successful even if the attacker is in the same subnet. 

IP Spoofing Detection Techniques: TCP Flow Control Method

  • Attackers sending spoofed TCP packets will not receive the target’s SYN-ACK packets.
  • Attackers therefore cannot respond to changes in the congestion window size.
  • When received traffic continues after a window size is exhausted, the packets are most probably spoofed. After the attacker sends a SYN packet, the target receives it and replies with SYN+ACK, but with the window size set to 0; under normal conditions the peer (10.0.0.5) should reply with only an ACK and no data. If the reply does contain data, it is a spoofed packet sent by the attacker.

IP Spoofing Countermeasures

  • Encrypt all network traffic using cryptographic network protocols such as IPsec, TLS, SSH, and HTTPS.
  • Use multiple firewalls providing multi-layered depth of protection.
  • Do not rely on IP-based authentication.
  • Use random initial sequence number to prevent IP spoofing attacks based on sequence number spoofing.
  • Ingress Filtering: Use routers and firewalls at your network perimeter to filter incoming packets that appear to come from an internal IP address.
  • Egress Filtering: Filter all outgoing packets with an invalid local IP address as source address.
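The three detection techniques (direct TTL probe, IP identification number, TCP flow control) and the ingress/egress filtering countermeasures above, written out as Python checks. This is an added example, not code from the original notes: each verdict function encodes one rule from the notes over values a sensor would already have in hand, and PerimeterFilter applies the two filtering rules to a list of the organisation's own prefixes. The tolerance and window thresholds, the sample prefixes and all names are the example's own assumptions.

```python
import ipaddress


def ttl_probe_verdict(suspect_ttl: int, probe_reply_ttl: int, tolerance: int = 0) -> str:
    """Direct TTL probe from the notes: elicit a reply from the claimed source and compare its TTL
    with the suspect packet's. `tolerance` (this example's parameter) allows a few hops of slack,
    since the notes caution that TTLs from one host can vary with traffic patterns."""
    return "consistent" if abs(suspect_ttl - probe_reply_ttl) <= tolerance else "spoof-suspected"


def ipid_probe_verdict(suspect_ipid: int, probe_reply_ipid: int, window: int = 100) -> str:
    """IP identification check from the notes: a reply elicited from the real source should carry an
    IP ID only slightly above the suspect packet's (computed across the 16-bit wrap); a far-off
    value means that host did not send the suspect packet. `window` is this example's threshold."""
    advance = (probe_reply_ipid - suspect_ipid) & 0xFFFF
    return "consistent" if advance <= window else "spoof-suspected"


def flow_control_verdict(advertised_window: int, payload_bytes_after: int) -> str:
    """TCP flow-control check from the notes: after the target advertises a zero window, a genuine
    peer sends only ACKs; payload arriving anyway shows the sender never saw the SYN/ACK."""
    if advertised_window == 0 and payload_bytes_after > 0:
        return "spoof-suspected"
    return "consistent"


class PerimeterFilter:
    """Ingress and egress anti-spoofing rules for a network boundary (IPv4 and IPv6 prefixes)."""

    def __init__(self, internal_prefixes):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def is_internal(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a.version == net.version and a in net for net in self.internal)

    def ingress(self, src: str) -> str:
        """Packet arriving from outside that claims an internal source address: drop."""
        return "drop" if self.is_internal(src) else "accept"

    def egress(self, src: str) -> str:
        """Packet leaving the network whose source is not one of our prefixes: drop."""
        return "accept" if self.is_internal(src) else "drop"


if __name__ == "__main__":
    # Constructed sample values; the prefixes are documentation ranges, not a real deployment.
    print(ttl_probe_verdict(64, 57), ipid_probe_verdict(65500, 20), flow_control_verdict(0, 512))
    pf = PerimeterFilter(["10.0.0.0/8", "192.0.2.0/24", "2001:db8::/32"])
    print(pf.ingress("10.1.2.3"), pf.ingress("203.0.113.7"), pf.egress("198.51.100.9"))
```

The two halves complement each other the way the notes arrange them: the verdict functions are after-the-fact heuristics that need a probe and tolerate noise, whereas the perimeter rules are deterministic and cheap, which is why ingress and egress filtering sit at the top of the countermeasure list and the probes serve for investigation.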

3.8 Scanning Pen Testing

Scanning Pen Testing

  • Pen testing a network for scanning vulnerabilities determines the network’s security posture by identifying live systems, discovering open ports, associating services and grabbing system banners to simulate a network hacking attempt.
  • The penetration testing report will help system administrators to:
    • Close unused ports
    • Disable unnecessary services
    • Hide or customize banners
    • Troubleshoot service configuration errors
    • Calibrate firewall rules
  • Check for the live hosts using tools such as Nmap, Angry IP Scanner, SolarWinds Engineer’s toolset, Colasoft Ping Tool, etc.
  • Check for open ports using tools such as Nmap, Netscan Tools Pro, SuperScan, PRTG Network Monitor, Net Tools, etc.
  • Perform banner grabbing/OS fingerprinting using tools such as Telnet, Netcraft, ID Serve, etc.
  • Scan for vulnerabilities using tools such as Nessus, GFI LANGuard, SAINT, Core Impact Professional, Retina CS Management, MBSA, etc.
  • Draw network diagrams of the vulnerable hosts using tools such as Network Topology Mapper, OpManager, NetworkView, The Dude, FriendlyPinger, etc.
  • Prepare proxies using tools such as Proxy Workbench, Proxifier, Proxy Switcher, SocksChain, TOR, etc.
  • Document all the findings.

Module Summary

  • The objective of scanning is to discover live systems, active/running ports, the operating systems, and the services running on the network.
  • Attacker determines the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts.
  • Attackers use various scanning techniques to bypass firewall rules and logging mechanism, and hide themselves as usual network traffic.
  • Banner grabbing or OS fingerprinting is the method to determine the operating system running on a remote target system.
  • Drawing target’s network diagram gives valuable information about the network and its architecture to an attacker.
  • A proxy server is an application that can serve as an intermediary for connecting with other computers.
  • A chain of proxies can be created to evade a traceback to the attacker.
